But the Q is, as mentioned, there is already an inbound ACL on the outside interface which will be processed 1st?
On Fri, Apr 26, 2013 at 10:20 AM, Samarth Chidanand <[email protected]> wrote:
> Hi Mike,
>
> See the answer below from the DSG. It states to use global ACLs, which implies more than one ACL.
>
> Task 12: Manual static identity NAT on ASA-3
>
> - Create a loopback on R2 with an IP address of 222.222.222.222/32. Configure static identity NAT such that only outside users can ping that IP address. Use global ACLs to allow access.
> - Advertise the new loopback into RIPv2 on R2 and create appropriate static routes on R4 and R5.
>
> Task-12: Solutions
>
> Step 1: Configure Loopback on R2 and advertise into RIP.
>
> int lo222
> ip add 222.222.222.222 255.255.255.255
> router rip
> network 222.222.222.0
>
> Step 2: Configure Static routes on R4 and R5.
>
> R5
> ip route 222.222.222.222 255.255.255.255 100.100.35.105
>
> R4
> ip route 222.222.222.222 255.255.255.255 200.100.34.104
>
> Step 3: Configure objects on ASA3
>
> object network R2_Loop222
> host 222.222.222.222
>
> Step 4: Configure Manual identity NAT on ASA3
>
> nat (dmz1,outside-1) source static R2_Loop222 R2_Loop222
> nat (dmz1,outside-2) source static R2_Loop222 R2_Loop222
>
> Step 5: Configure global ACLs
>
> access-list GLOBAL permit ip any object R2_Loop222
> access-list GLOBAL permit ip object R2_Loop222 any
>
> Verification
>
> Step 1: Verify Manual NAT entries (Section-1). Entry 5 and 6 of section 1.
>
> Manual NAT Policies (Section 1)
> <SNIP>
> 5 (dmz1) to (Outside-1) source static R2_Loop222 R2_Loop222
>     translate_hits = 0, untranslate_hits = 0
>     Source - Origin: 222.222.222.222/32, Translated: 222.222.222.222/32
> 6 (dmz1) to (Outside-2) source static R2_Loop222 R2_Loop222
>     translate_hits = 0, untranslate_hits = 0
>     Source - Origin: 222.222.222.222/32, Translated: 222.222.222.222/32
> <SNIP>
>
> Step 2: Telnet from Lo222 to R4 and R5 and perform basic ping tests.
>
> R2#telnet 45.45.45.4 /source-interface lo222
> Trying 45.45.45.4 ... Open
>
> R4#sh users
>     Line       User       Host(s)              Idle       Location
>    0 con 0                idle                 00:04:58
> *514 vty 0                idle                 00:00:00 222.222.222.222
>
>   Interface    User               Mode         Idle     Peer Address
>
> R4#exit
>
> [Connection to 45.45.45.4 closed by foreign host]
> R2#ping 4.4.4.4 so lo 222
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
> Packet sent with a source address of 222.222.222.222
> !!!!!
>
> R2#ping 45.45.45.5 so lo 222
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 45.45.45.5, timeout is 2 seconds:
> Packet sent with a source address of 222.222.222.222
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
>
> R2#telnet 100.100.35.5 /source-interface lo222
> Trying 100.100.35.5 ... Open
>
> R5#show users
>     Line       User       Host(s)              Idle       Location
>    0 con 0                idle                 00:04:00
> *514 vty 0                idle                 00:00:00 222.222.222.222
>
>   Interface    User               Mode         Idle     Peer Address
>
> R5#ping 222.222.222.222
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 222.222.222.222, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> R5#exit
>
> [Connection to 100.100.35.5 closed by foreign host]
> R2#
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
> Sent: Friday, April 26, 2013 7:27 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] Workbook1 Task 12
>
> Hi,
>
> This task says that you need to allow the traffic from the outside to the loopback 222.222.222.222/32 on R2. The problem comes when it says that I need to allow this using the Global ACL. There was already a Global ACL configured, but also there are 2 access lists on ASA3 used to allow traffic inbound from outside at a previous task.
>
> The problem is that even if I allow that traffic on the global ACL, it is not going to work, as the interface ACL is processed before the Global ACL.
>
> Is there something that I am doing wrong?
>
> Another question that comes up is that, for every object that needed 2 NATs for both outside interfaces, I created the Object and then another object with the same host and created the NAT there. Just checking if that is correct.
>
> Finally, on a task I read that you can re-use the object for the Access list... well, I reused every Object that I could :P so I don't know if, previous to that task, I needed to create a new object for the ACLs.
>
> Mike.
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
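A constructed model of the order in which the ASA applies inbound access rules, added here as an example and not taken from the thread or from Cisco: the interface ACL is evaluated first, then the global ACL, and the implicit deny comes only after the global ACL, so a packet that matches no rule in the outside interface ACL falls through to the GLOBAL rules from Step 5 rather than being dropped. The outside interface ACL contents, the 10.1.1.0/24 subnet and the 192.0.2.10 host are assumptions; the GLOBAL rules and R5's 100.100.35.5 address come from the thread.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of how the ASA orders inbound access rules (added example,
# not ASA code): interface ACL first, then the global ACL, then the implicit
# deny. Once a global ACL exists the implicit deny sits after it, so traffic
# that matches no interface rule falls through to the global rules.

@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # CIDR prefix, or "any"
    dst: str      # CIDR prefix, or "any"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        def hit(net: str, ip: str) -> bool:
            return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return hit(self.src, src_ip) and hit(self.dst, dst_ip)

def first_match(acl, src_ip, dst_ip):
    """Action of the first matching ACE, or None if nothing in this ACL matched."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action
    return None

def asa_decision(interface_acl, global_acl, src_ip, dst_ip) -> str:
    for acl in (interface_acl, global_acl):
        verdict = first_match(acl, src_ip, dst_ip)
        if verdict is not None:
            return verdict
    return "deny"   # implicit deny, after the last configured ACL

# Inbound ACL on outside-2 from the earlier task. Constructed: it permits only a
# hypothetical 10.1.1.0/24 DMZ subnet and never mentions 222.222.222.222.
OUTSIDE_IN = [Rule("permit", "any", "10.1.1.0/24")]
# Same ACL with an explicit deny-all ACE appended, for comparison.
OUTSIDE_IN_EXPLICIT_DENY = OUTSIDE_IN + [Rule("deny", "any", "any")]
# Global ACL from Step 5 of the solution; object R2_Loop222 is host 222.222.222.222.
GLOBAL = [Rule("permit", "any", "222.222.222.222/32"),
          Rule("permit", "222.222.222.222/32", "any")]
R5 = "100.100.35.5"   # R5's address toward ASA3, from the telnet test in the thread

def r5_pings_loopback() -> str:
    return asa_decision(OUTSIDE_IN, GLOBAL, R5, "222.222.222.222")   # "permit"

def r5_pings_loopback_explicit_deny() -> str:
    return asa_decision(OUTSIDE_IN_EXPLICIT_DENY, GLOBAL, R5, "222.222.222.222")   # "deny"

def r5_pings_unlisted_host() -> str:
    return asa_decision(OUTSIDE_IN, GLOBAL, R5, "192.0.2.10")   # "deny": constructed host
```

The second function is the case to check for on a real ASA: an interface ACL that ends in an explicit deny ip any any is matched before the global ACL is ever consulted, so the GLOBAL permits never take effect.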
