Then the global one... sorry for the typo there... First interface, then global.
Mike

Date: Fri, 26 Apr 2013 13:19:05 +0800
Subject: Re: [OSL | CCIE_Security] Workbook1 Task 12
From: [email protected]
To: [email protected]
CC: [email protected]; [email protected]

But the question is, as mentioned, there is already an inbound ACL on the outside interface which will be processed first?

On Fri, Apr 26, 2013 at 10:20 AM, Samarth Chidanand <[email protected]> wrote:

Hi Mike,

See the answer below from the DSG. It states "use global ACLs", which implies more than one ACL.

Task 12: Manual static identity NAT on ASA-3

Create a loopback on R2 with an IP address of 222.222.222.222/32. Configure static identity NAT such that only outside users can ping that IP address. Use global ACLs to allow access. Advertise the new loopback into RIPv2 on R2 and create appropriate static routes on R4 and R5.

Task 12: Solutions

Step 1: Configure the loopback on R2 and advertise it into RIP.

int lo222
 ip add 222.222.222.222 255.255.255.255
router rip
 network 222.222.222.0

Step 2: Configure static routes on R4 and R5.

R5:
ip route 222.222.222.222 255.255.255.255 100.100.35.105

R4:
ip route 222.222.222.222 255.255.255.255 200.100.34.104

Step 3: Configure objects on ASA3.

object network R2_Loop222
 host 222.222.222.222

Step 4: Configure manual identity NAT on ASA3.

nat (dmz1,outside-1) source static R2_Loop222 R2_Loop222
nat (dmz1,outside-2) source static R2_Loop222 R2_Loop222

Step 5: Configure global ACLs.

access-list GLOBAL permit ip any object R2_Loop222
access-list GLOBAL permit ip object R2_Loop222 any

Verification

Step 1: Verify the manual NAT entries (Section 1). Entries 5 and 6 of section 1.

Manual NAT Policies (Section 1)
<SNIP>
5 (dmz1) to (Outside-1) source static R2_Loop222 R2_Loop222
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 222.222.222.222/32, Translated: 222.222.222.222/32
6 (dmz1) to (Outside-2) source static R2_Loop222 R2_Loop222
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 222.222.222.222/32, Translated: 222.222.222.222/32
<SNIP>

Step 2: Telnet from Lo222 to R4 and R5 and perform basic ping tests.

R2#telnet 45.45.45.4 /source-interface lo222
Trying 45.45.45.4 ... Open

R4#sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:04:58
*514 vty 0                idle                 00:00:00   222.222.222.222

  Interface    User               Mode         Idle     Peer Address

R4#exit
[Connection to 45.45.45.4 closed by foreign host]
R2#ping 4.4.4.4 so lo 222
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 222.222.222.222
!!!!!
R2#ping 45.45.45.5 so lo 222
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.45.45.5, timeout is 2 seconds:
Packet sent with a source address of 222.222.222.222
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R2#telnet 100.100.35.5 /source-interface lo222
Trying 100.100.35.5 ... Open

R5#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:04:00
*514 vty 0                idle                 00:00:00   222.222.222.222

  Interface    User               Mode         Idle     Peer Address

R5#ping 222.222.222.222
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 222.222.222.222, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#exit
[Connection to 100.100.35.5 closed by foreign host]
R2#

From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Friday, April 26, 2013 7:27 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Workbook1 Task 12

Hi,

This task says that you need to allow the traffic from the outside to the loopback 222.222.222.222/32 on R2.
The problem comes when it says that I need to allow this using the global ACL. There was already a global ACL configured, but there are also 2 access lists on ASA3 used to allow traffic inbound from outside in a previous task. The problem is that even if I allow that traffic on the global ACL, it is not going to work, as the interface ACL is processed before the global ACL. Is there something that I am doing wrong?

Another question that comes up is that, for every object that needed 2 NATs for both outside interfaces, I created the object and then another object with the same host and created the NAT there. Just checking if that is correct.

Finally, in a task I read that you can re-use the object for the access list... well, I reused every object that I could :P so I don't know if, prior to that task, I needed to create a new object for the ACLs.

Mike.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
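An added example, not from the thread or from the DSG solution: a small Python model of the order in which an ASA evaluates ACLs for an inbound flow, which is exactly the point Mike is asking about. It encodes Cisco's documented ASA 8.3+ behaviour, namely that the ingress interface ACL is walked first, the global ACL (applied with access-group NAME global) is walked only if nothing in the interface ACL matched, and the implicit deny sits after the last ACL that is actually applied. The two GLOBAL entries mirror the DSG lines; the OUTSIDE_IN interface ACL, the outside source address, the DMZ address 10.1.1.10 and the function names are constructed stand-ins for the earlier-task ACLs the thread mentions but does not show.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One access-list entry: action, protocol, source and destination."""
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol; otherwise an exact match
    src: str      # "any", a host address, or a CIDR prefix
    dst: str

    @staticmethod
    def _in(addr: str, spec: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, proto: str, src: str, dst: str) -> bool:
        return (self.proto in ("ip", proto)
                and self._in(src, self.src)
                and self._in(dst, self.dst))


def evaluate(proto: str, src: str, dst: str,
             interface_acl: List[Rule],
             global_acl: Optional[List[Rule]]) -> Tuple[str, str]:
    """Decide an inbound flow's fate and report which ACL decided it.

    Order modelled (Cisco ASA 8.3+ documented behaviour): interface ACL
    first; if no entry matches and a global ACL is applied, the global ACL
    next; the implicit deny comes after whichever ACL was walked last.
    """
    for rule in interface_acl:
        if rule.matches(proto, src, dst):
            return rule.action, "interface"
    if global_acl is not None:
        for rule in global_acl:
            if rule.matches(proto, src, dst):
                return rule.action, "global"
    return "deny", "implicit"


# Constructed sample data. OUTSIDE_IN stands in for the "2 access lists on
# ASA3 used to allow traffic inbound from outside" from the earlier task
# (hypothetical content); GLOBAL is the DSG's two entries.
OUTSIDE_IN = [
    Rule("permit", "tcp", "any", "45.45.45.4/32"),   # hypothetical earlier-task entry
]
GLOBAL = [
    Rule("permit", "ip", "any", "222.222.222.222/32"),   # permit ip any object R2_Loop222
    Rule("permit", "ip", "222.222.222.222/32", "any"),   # permit ip object R2_Loop222 any
]
OUTSIDE_HOST = "100.100.35.5"   # R5's address from the thread, used as the pinger


def outside_ping_to_loopback(global_applied: bool) -> Tuple[str, str]:
    """Outside host pings R2's Lo222 with or without a global ACL applied."""
    return evaluate("icmp", OUTSIDE_HOST, "222.222.222.222",
                    OUTSIDE_IN, GLOBAL if global_applied else None)


def outside_ping_with_explicit_deny() -> Tuple[str, str]:
    """Same ping, but the interface ACL ends with an explicit deny ip any any."""
    closed = OUTSIDE_IN + [Rule("deny", "ip", "any", "any")]
    return evaluate("icmp", OUTSIDE_HOST, "222.222.222.222", closed, GLOBAL)


def outside_ping_to_other_dmz_host() -> Tuple[str, str]:
    """Ping to a DMZ address (hypothetical 10.1.1.10) no ACL mentions."""
    return evaluate("icmp", OUTSIDE_HOST, "10.1.1.10", OUTSIDE_IN, GLOBAL)


if __name__ == "__main__":
    print("global ACL applied:        ", outside_ping_to_loopback(True))
    print("no global ACL applied:     ", outside_ping_to_loopback(False))
    print("interface ACL ends in deny:", outside_ping_with_explicit_deny())
    print("unrelated DMZ host:        ", outside_ping_to_other_dmz_host())
```

The second and third cases are the practitioner's check: the fall-through to GLOBAL only helps if the global ACL is actually applied and the interface ACL does not end with an explicit deny ip any any, which is a common habit from the pre-8.3 days. Running show access-list on ASA3 shows whether the earlier-task ACLs end that way; if they do, the global entries are never reached for traffic entering those interfaces.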
