Static Policy Pat « Globalconfig.net

July 29, 2008
Posted by bcarroll

Static Policy Pat

I had to blog this out mostly because its one of those things that I have done before but said to myself, “Huh?” when I came across it again.

So here is the short form:

I want to policy Static PAT so that when 10.2.2.2 telnets to the interface of the ASA it is redirected to 10.1.1.2.

You begin with the access-list:

access-list TELNET permit tcp host 10.1.1.2 eq 23 host 10.2.2.2

Initially thats what gets my mind spinning becuase its not the access-list to permit the traffic its the access-list to define the mapping for the static. Here is the rest.

Define the static and tie it to the ACL:

static (i,o) tcp interface 23 access-list TELNET

Allow telnet in:

access-list OUTSIDE_IN permit tcp any any eq 23

access-group OUTSIDE_IN in int outside

That does it. Strange huh? Oh well! It works.

1 Comment

Posted Under CCIE Security IE Labs

1 Comments

Kaj
July 31, 2008

On PIX/ASA 7.0(1) and higher, if you are using “no nat-control” there is no need to create static translations. ACLs are enough. Similarly inside hosts do not need nat translations to send traffic out.

Studying for Cisco Certifications or Just Making Stuff Work!

Static Policy Pat

1 Comments

Leave a comment

Categories

Archives