May 21, 2012

Static Policy PAT

I had to blog this out mostly because it's one of those things that I have done before but said to myself, “Huh?” when I came across it again.

So here is the short form:

I want to use policy static PAT so that when 10.2.2.2 telnets to the interface of the ASA, it is redirected to 10.1.1.2.

You begin with the access-list:

access-list TELNET permit tcp host 10.1.1.2 eq 23 host 10.2.2.2

Initially that's what gets my mind spinning, because it's not the access-list to permit the traffic; it's the access-list to define the mapping for the static.  Here is the rest.

Define the static and tie it to the ACL:

static (inside,outside) tcp interface 23 access-list TELNET

Allow telnet in:

access-list OUTSIDE_IN permit tcp any any eq 23

access-group OUTSIDE_IN in interface outside

That does it.  Strange huh?  Oh well! It works.
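An added example (not from the original post) that models how the ACL and the static pair up: the ACL's source is the real host and service, its destination is the only peer the mapping applies to, and inbound traffic is matched in reverse. The outside address 192.0.2.1 is a constructed placeholder, and the parser is a simplified model that handles only the host/eq form used here.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Config lines from the post (interface names written out in full).
ACL = "access-list TELNET permit tcp host 10.1.1.2 eq 23 host 10.2.2.2"
STATIC = "static (inside,outside) tcp interface 23 access-list TELNET"
OUTSIDE_IP = "192.0.2.1"  # constructed placeholder; the post does not give it

ACL_RE = re.compile(r"access-list (\S+) permit tcp host (\S+) eq (\d+) host (\S+)$")
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) tcp interface (\d+) access-list (\S+)$")

class PolicyPat(NamedTuple):
    real_ip: str      # ACL source: the inside host being published
    real_port: int    # ACL source port: the service on that host
    peer_ip: str      # ACL destination: the only peer the mapping applies to
    mapped_ip: str    # address of the mapped (outside) interface
    mapped_port: int  # port exposed on that interface

def build_rule(acl_line: str, static_line: str, mapped_ip: str) -> PolicyPat:
    acl = ACL_RE.match(acl_line.strip())
    static = STATIC_RE.match(static_line.strip())
    if acl is None or static is None:
        raise ValueError("only the host/eq form shown in the post is modelled")
    if acl.group(1) != static.group(4):
        raise ValueError("static references a different access-list")
    return PolicyPat(acl.group(2), int(acl.group(3)), acl.group(4),
                     mapped_ip, int(static.group(3)))

def untranslate(rule, src_ip, dst_ip, dst_port) -> Optional[Tuple[str, int]]:
    """Inbound packet on the mapped interface -> (real_ip, real_port) or None."""
    if (src_ip, dst_ip, dst_port) == (rule.peer_ip, rule.mapped_ip, rule.mapped_port):
        return rule.real_ip, rule.real_port
    return None

if __name__ == "__main__":
    rule = build_rule(ACL, STATIC, OUTSIDE_IP)
    for src in ("10.2.2.2", "10.2.2.3"):
        print(src, "->", untranslate(rule, src, OUTSIDE_IP, 23))
```

Only 10.2.2.2 is redirected; another source hitting the same interface port does not match the policy static, even though OUTSIDE_IN permits it.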


Comments

  1. Kaj says:

    On PIX/ASA 7.0(1) and higher, if you are using “no nat-control” there is no need to create static translations. ACLs are enough. Similarly inside hosts do not need nat translations to send traffic out.
