Thanks guys for the update,
Mike, your ACL seems to be for version 8.3 and above; the lab I am working on
has my firewall at pre-8.2, hence the ACL to the translated and not real IP
address.
Thanks,
Tarik Admani
________________________________
From: Mike Rojas <[email protected]>
To: Tarik Admani <[email protected]>; IPX Forums
<[email protected]>
Sent: Tuesday, May 28, 2013 11:13 PM
Subject: RE: [OSL | CCIE_Security] WB1 Lab 4 Task 20
Tarik,
I added the ACL on the outside interface just like this one:
access-list outside extended permit tcp any host 177.177.177.177 eq telnet
Using the Telnet 0 0 outside is not enable Telnet to the ASA itself.
When talking about the Firewall, there are two types of traffic, one is called
NP (or to the box traffic) and the other one is the passing through. The telnet
command only works for traffic that goes to the box and not through it.
When there is a NAT statement and based on the order of operation of NAT, the
untranslation is done first and then the packet is routed to its destination.
Here is my NAT
nat (DMZ1,outside) source static obj-177.177.177.177 interface service TELNET TELNET
Hope it's a bit clear.
Mike.
________________________________
Date: Tue, 28 May 2013 17:44:57 -0700
From: [email protected]
To: [email protected]
Subject: [OSL | CCIE_Security] WB1 Lab 4 Task 20
Hi,
The following section involves configuring static PAT on ASA-1 so that all
telnet requests to the outside interface on the ASA are redirected to a
loopback on R7.
After cross-referencing the DSG I had to add an ACL which would allow telnet
traffic to the outside interface so that it can be redirected to R7's loopback.
The DSG doesn't mention this but then goes through the verification steps. I
tried to enable telnet access (telnet 0 0 outside), however the static PAT
would fail to download policy.
I just wanted to make sure if that is the proper approach and that I am not
doing this incorrectly.
Thanks,
Tarik
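
Added example, not part of the original messages: the two syntax generations discussed in this thread side by side, for a static PAT that sends Telnet arriving on the ASA outside interface to 177.177.177.177. Only the 8.3+ nat and access-list lines come from the thread; the object definitions, the pre-8.3 lines and the access-group binding are assumptions, as is treating 177.177.177.177 as the R7 loopback reached through DMZ1.

```cisco
! ---- Pre-8.3 (assumed equivalent, not from the thread) ----
! Static PAT: TCP/23 on the outside interface address -> 177.177.177.177:23
static (DMZ1,outside) tcp interface telnet 177.177.177.177 telnet netmask 255.255.255.255
! Before 8.3 the interface ACL matches the translated (mapped) address,
! here the outside interface address itself.
access-list outside extended permit tcp any interface outside eq telnet
access-group outside in interface outside

! ---- 8.3 and later ----
! Object definitions are assumed; the thread shows only their names.
object network obj-177.177.177.177
 host 177.177.177.177
object service TELNET
 service tcp source eq telnet
! NAT line as posted in the thread.
nat (DMZ1,outside) source static obj-177.177.177.177 interface service TELNET TELNET
! From 8.3 the interface ACL matches the real address, because the
! untranslation happens before the ACL check (ACL line as posted).
access-list outside extended permit tcp any host 177.177.177.177 eq telnet
access-group outside in interface outside

! "telnet 0 0 outside" is left out of both variants: it controls
! to-the-box management access, not traffic passing through the ASA.
```

To check which rule a test connection matches, `packet-tracer input outside tcp <source-ip> <source-port> <outside-interface-ip> 23` shows the UN-NAT and ACL phases in order; the bracketed values are placeholders.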
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com