[c-nsp] NAT and PAT on ASA

Ryan West rwest at zyedge.com
Wed Jul 22 03:52:21 EDT 2009


Tony,

I agree that I chose the wrong wording here. It should have read, the ACL you're concerned with is inbound on the outside interface.  Otherwise, the configlet is fine.

I find the netmask option to be irrelevant, unless you're falling on obvious bit boundaries within the same class or doing NAT shifting.  I guess I'm a creature of habit and go with the path of least keystrokes.  When you're creating isakmp keys, do you type:

tunnel-group 169.254.50.50 type ipsec-l2l
tunnel-group 169.254.50.50 ipsec-attributes
 pre-shared-key BestPractices

or

isakmp key BestPractices address 169.254.50.50

They both produce the same results.  I guess the BU gave up on calling it a deprecated command; it hasn't seemed to complain since 7.2.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, July 21, 2009 10:42 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT and PAT on ASA

Ryan,

I would recommend completing your static with the appropriate netmask.

Also, ACLs can be applied in and out on an interface on ASA and PIX since 
7.0.

tv
----- Original Message ----- 
From: "Ryan West" <rwest at zyedge.com>
To: "Oddiraju, Kiran @ London SMC" <Kiran.Oddiraju at cbre.com>; 
<cisco-nsp at puck.nether.net>
Sent: Tuesday, July 21, 2009 1:48 PM
Subject: Re: [c-nsp] NAT and PAT on ASA


> static (inside,outside) 58.66.76.88 192.168.0.100
> show run access-group
> Take note of the ACL to the outside interface; ACLs on the ASA are
> inbound.
> access-list <myaccesslist> ext permit icmp any host 58.66.76.88 echo
> access-list <myaccesslist> ext permit tcp any host 58.66.76.88 eq www
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oddiraju, Kiran @ 
> London SMC
> Sent: Tuesday, July 21, 2009 2:09 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT and PAT on ASA
>
> Guys,
>
>
>
> I am new to the ASA world. I have a bunch of external IPs from the ISP
> and I have an inside host that I want to access externally. How do I
> translate an inside IP (192.168.0.100) to an outside address
> (58.66.76.88) on the ASA? I should be able to ping and www from outside
> world to my inside host. Please let me know how to accomplish this.
>
>
>
> Many thanks,
>
> K
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
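
The following is an added example, not written by any poster in this thread: a Python audit that reads ASA configuration in the syntax used above and reports which services the ACL bound inbound on the outside interface exposes on each statically translated inside host. The ACL name OUTSIDE_IN, the 58.66.76.99 entry and the sample configuration are constructed for illustration; it assumes ACLs reference the mapped address, as in the thread, and parses only one-to-one statics and `any host <ip>` permits.

```python
import re

# Constructed sample; OUTSIDE_IN, INSIDE_OUT and 58.66.76.99 are assumptions.
SAMPLE_CONFIG = """\
static (inside,outside) 58.66.76.88 192.168.0.100 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit icmp any host 58.66.76.88 echo
access-list OUTSIDE_IN extended permit tcp any host 58.66.76.88 eq www
access-list OUTSIDE_IN extended permit tcp any host 58.66.76.99 eq 22
access-list INSIDE_OUT extended permit ip any any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)(?: netmask (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
ACE_RE = re.compile(
    r"^access-list (\S+) (?:extended |ext )?permit (\S+) any host (\S+)(?: (.+))?$")

def audit_exposure(config, outside="outside"):
    """Return (exposed, orphaned): permitted services per translated inside
    host, and permits whose destination has no static translation."""
    statics, bound, aces = {}, set(), []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
            # Simplification: a static with no netmask is treated as one-to-one.
            if mapped_if == outside and mask in (None, "255.255.255.255"):
                statics[mapped_ip] = real_ip
        elif m := GROUP_RE.match(line):
            name, direction, iface = m.groups()
            if direction == "in" and iface == outside:
                bound.add(name)  # ACL filtering traffic arriving on outside
        elif m := ACE_RE.match(line):
            aces.append(m.groups())
    exposed, orphaned = {}, []
    for name, proto, dest, rest in aces:
        if name not in bound:
            continue  # ACL is not applied inbound on the outside interface
        service = f"{proto} {rest}" if rest else proto
        if dest in statics:
            exposed.setdefault(statics[dest], []).append(service)
        else:
            orphaned.append((dest, service))  # permit with no matching static
    return exposed, orphaned

if __name__ == "__main__":
    print(audit_exposure(SAMPLE_CONFIG))
```

Orphaned entries are worth reviewing because a permit left behind after a translation is removed becomes live again if that address is later reassigned to another host.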