29 Jul

Static Policy PAT

Written by Brandon Carroll  |  under CCIE Security, IE Labs

Welcome back!

I had to blog this out mostly because it's one of those things that I have done before but said to myself, “Huh?” when I came across it again.

So here is the short form:

I want to configure policy static PAT so that when 10.2.2.2 telnets to the interface of the ASA, it is redirected to 10.1.1.2.

You begin with the access-list:

access-list TELNET permit tcp host 10.1.1.2 eq 23 host 10.2.2.2

Initially that's what gets my mind spinning, because it's not the access-list to permit the traffic; it's the access-list to define the mapping for the static. Here is the rest.

Define the static and tie it to the ACL:

static (inside,outside) tcp interface 23 access-list TELNET

Allow telnet in:

access-list OUTSIDE_IN permit tcp any any eq 23

access-group OUTSIDE_IN in interface outside

That does it.  Strange huh?  Oh well! It works.
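A tighter inbound rule and a way to check the mapping, as an added example that is not part of the original post: the TELNET policy ACL only translates sessions whose peer is 10.2.2.2, so the interface ACL can name that same peer instead of any any. It assumes the pre-8.3 syntax used above and interfaces named inside and outside; `<outside-ip>` is a placeholder for the ASA's outside interface address, and 10.2.2.3 is a constructed non-matching source.

```text
! Added example, not from the original post.
! Assumes pre-8.3 ASA syntax, where the interface ACL matches the
! mapped (pre-untranslation) address, here the outside interface itself.

! Add the specific entry first, then remove the broad one, so the ACL
! is never left empty while it is bound to the interface.
access-list OUTSIDE_IN permit tcp host 10.2.2.2 interface outside eq 23
no access-list OUTSIDE_IN permit tcp any any eq 23

! Confirm the policy static and the ACL that defines its mapping.
show running-config static
show access-list TELNET

! Trace a telnet SYN from the intended peer. <outside-ip> is a placeholder
! for the outside interface address; 1025 is an arbitrary source port.
! The UN-NAT phase should show the destination rewritten to 10.1.1.2/23.
packet-tracer input outside tcp 10.2.2.2 1025 <outside-ip> 23 detailed

! Trace the same packet from a constructed non-matching source.
! It should not be redirected to 10.1.1.2.
packet-tracer input outside tcp 10.2.2.3 1025 <outside-ip> 23 detailed

! After a real session from 10.2.2.2, check the translation and hit counts.
show xlate
show access-list OUTSIDE_IN
```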


COMMENTS

  1. Kaj July 31, 2008 2:49 pm

    On PIX/ASA 7.0(1) and higher, if you are using “no nat-control” there is no need to create static translations. ACLs are enough. Similarly inside hosts do not need nat translations to send traffic out.
