[c-nsp] NAT and PAT on ASA

Ziv Leyes zivl at gilat.net
Wed Jul 22 05:09:06 EDT 2009


I think both of you have a point here, no need to fight...

I also tend to adopt habits that make me type less, but not before I make sure to get the desired result and not some awkward, bad Cisco interpretation of what I mean...

I prefer to not use the "proper" way to save configurations
copy running-config startup-config
copy running-config tftp
when I can simply do
wr
wr net
and get exactly the same results

What is curious is why IOS keeps telling me that the "wr net" command will be deprecated, and it keeps working, for ten years already?

So, as I said, you're both right, type as little as you can, but always keep in mind the consequences that this might have.

Ziv


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ryan West
Sent: Wednesday, July 22, 2009 10:52 AM
To: Tony Varriale; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT and PAT on ASA

Tony,

I agree that I chose the wrong wording here. It should have read, the ACL you're concerned with is inbound on the outside interface.  Otherwise, the configlet is fine.

I find the netmask option to be irrelevant, unless you're falling on obvious bit boundaries within the same class or doing NAT shifting.  I guess I'm a creature of habit and go with the path of least keystrokes.  When you're creating isakmp keys, do you type:

tunnel-group 169.254.50.50 type ipsec-l2l
tunnel-group 169.254.50.50 ipsec-attributes
 pre-shared-key BestPractices

or

isakmp key BestPractices address 169.254.50.50

They both produce the same results.  I guess the BU gave up on calling it a deprecated command, it hasn't seemed to complain since 7.2.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, July 21, 2009 10:42 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT and PAT on ASA

Ryan,

I would recommend completing your static with the appropriate netmask.

Also, ACLs can be applied in and out on an interface on ASA and PIX since 
7.0.

tv
----- Original Message ----- 
From: "Ryan West" <rwest at zyedge.com>
To: "Oddiraju, Kiran @ London SMC" <Kiran.Oddiraju at cbre.com>; 
<cisco-nsp at puck.nether.net>
Sent: Tuesday, July 21, 2009 1:48 PM
Subject: Re: [c-nsp] NAT and PAT on ASA


> static (inside,outside) 58.66.76.88 192.168.0.100
> show run access-group
> take note of the ACL to the outside interface, ACLs on the ASA are 
> inbound.
> access-list <myaccesslist> ext permit icmp any host 58.66.76.88 echo
> access-list <myaccesslist> ext permit tcp any host 58.66.76.88 eq www
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oddiraju, Kiran @ 
> London SMC
> Sent: Tuesday, July 21, 2009 2:09 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT and PAT on ASA
>
> Guys,
>
>
>
> I am new to the ASA world, I have a bunch of external IP's from the ISP
> and I have an inside host that I want to access externally. How do I
> translate an inside ip (192.168.0.100) to an outside address
> (58.66.76.88) on the ASA? I should be able to ping and www from outside
> world to my inside host. Please let me know how to accomplish this.
>
>
>
> Many thanks,
>
> K
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

 
 
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************
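
A check for the configlet discussed in this thread, as an added example that is not code from any of the posters: it parses a config in the static/access-list syntax quoted above, flags statics entered without an explicit netmask, and flags mapped addresses that no ACL applied inbound on the mapped interface permits. The ACL name "outside_in" and the second static (58.66.76.89 / 192.168.0.101) are constructed for illustration.

```python
import re

# Constructed sample in the syntax used in the thread, with the thread's addresses.
# The ACL name "outside_in" and the second static are made up for illustration.
SAMPLE = """\
static (inside,outside) 58.66.76.88 192.168.0.100
static (inside,outside) 58.66.76.89 192.168.0.101 netmask 255.255.255.255
access-list outside_in ext permit icmp any host 58.66.76.88 echo
access-list outside_in extended permit tcp any host 58.66.76.88 eq www
access-group outside_in in interface outside
"""

STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?$")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")
ACE = re.compile(r"^access-list (\S+) ext(?:ended)? permit (\S+) any host (\S+)(?: (.+))?$")

def audit(config):
    """Return one finding dict per static NAT entry in the config text."""
    statics, inbound_acl, permits = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC.match(line):
            statics.append(m.groups())
        elif m := GROUP.match(line):
            inbound_acl[m.group(2)] = m.group(1)  # interface -> inbound ACL name
        elif m := ACE.match(line):
            acl, proto, host, rest = m.groups()
            permits.setdefault((acl, host), []).append(f"{proto} {rest or 'any'}")
    findings = []
    for real_if, mapped_if, mapped, real, mask in statics:
        # Only an ACL bound inbound on the mapped interface counts.
        services = permits.get((inbound_acl.get(mapped_if), mapped), [])
        issues = []
        if mask is None:
            issues.append("no explicit netmask")
        if not services:
            issues.append("no inbound permit to mapped address")
        findings.append({"mapped": mapped, "real": real,
                         "services": services, "issues": issues})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
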




 
 