[c-nsp] NAT and PAT on ASA

Tony Varriale tvarriale at comcast.net
Wed Jul 22 11:20:23 EDT 2009


I still use the old command sometimes...hehe.

The mask is important in the PIX/ASA as I've demonstrated... especially for 
a person that is new to the area.

Another great example is you put a host mask on a 1 to 1 static but you use 
the block mask for a global pool.  I've seen tons of people get confused 
with that.

tv
----- Original Message ----- 
From: "Ryan West" <rwest at zyedge.com>
To: "Tony Varriale" <tvarriale at comcast.net>; <cisco-nsp at puck.nether.net>
Sent: Wednesday, July 22, 2009 2:52 AM
Subject: RE: [c-nsp] NAT and PAT on ASA


Tony,

I agree that I chose the wrong wording here. It should have read, the ACL 
you're concerned with is inbound on the outside interface.  Otherwise, the 
configlet is fine.

I find the netmask option to be irrelevant, unless you're falling on obvious 
bit boundaries within the same class or doing NAT shifting.  I guess I'm a 
creature of habit and go with the path of least keystrokes.  When you're 
creating isakmp keys, do you type:

tunnel-group 169.254.50.50 type ipsec-l2l
tunnel-group 169.254.50.50 ipsec-attributes
 pre-shared-key BestPractices

or

isakmp key BestPractices address 169.254.50.50

They both produce the same results.  I guess the BU gave up on calling it a 
deprecated command, it hasn't seemed to complain since 7.2.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net 
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, July 21, 2009 10:42 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT and PAT on ASA

Ryan,

I would recommend completing your static with the appropriate netmask.

Also, ACLs can be applied in and out on an interface on ASA and PIX since
7.0.

tv
----- Original Message ----- 
From: "Ryan West" <rwest at zyedge.com>
To: "Oddiraju, Kiran @ London SMC" <Kiran.Oddiraju at cbre.com>;
<cisco-nsp at puck.nether.net>
Sent: Tuesday, July 21, 2009 1:48 PM
Subject: Re: [c-nsp] NAT and PAT on ASA


> static (inside,outside) 58.66.76.88 192.168.0.100
> show run access-group
> take note of the ACL on the outside interface; ACLs on the ASA are
> inbound.
> access-list <myaccesslist> ext permit icmp any host 58.66.76.88 echo
> access-list <myaccesslist> ext permit tcp any host 58.66.76.88 eq www
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oddiraju, Kiran @
> London SMC
> Sent: Tuesday, July 21, 2009 2:09 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT and PAT on ASA
>
> Guys,
>
>
>
> I am new to the ASA world, I have a bunch of external IP's from the ISP
> and I have an inside host that I want to access externally. How do I
> translate an inside ip (192.168.0.100) to an outside address
> (58.66.76.88) on the ASA? I should be able to ping and www from outside
> world to my inside host. Please let me know how to accomplish this.
>
>
>
> Many thanks,
>
> K
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
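The configlet above (a 1:1 static plus permit entries in the ACL applied inbound on the outside interface) and Tony's point about the netmask are easy to get wrong when reviewing a change by eye. The following script is an added example, not code from the thread or from Cisco: it parses the pre-8.3 `static`, `global`, `access-list` and `access-group` syntax used in the thread and reports which inside hosts end up reachable from the outside, for which services, and which statics or pools are missing or carrying an unexpected mask. The sample configuration, the function names `parse_config` and `audit`, and the finding wording are all constructed for this example; only `any host X eq PORT`-style entries are recognised.

```python
"""Audit an ASA/PIX (pre-8.3) static/ACL configlet for exposed services and masks.

Added example for the thread above; the regexes cover only the command forms
the thread uses, and SAMPLE_CONFIG is constructed from the thread's addresses.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

HOST_MASK = "255.255.255.255"

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>\S+) (?P<real>\S+)"
    r"(?: netmask (?P<mask>\S+))?"
)
GLOBAL_RE = re.compile(
    r"^global \((?P<mapped_if>\w+)\) (?P<nat_id>\d+) (?P<pool>\S+)(?: netmask (?P<mask>\S+))?"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) ext(?:ended)? permit (?P<proto>\w+) any host (?P<dst>\S+)"
    r"(?: eq (?P<port>\S+)| (?P<svc>\S+))?$"
)
ACCESS_GROUP_RE = re.compile(
    r"^access-group (?P<name>\S+) (?P<direction>in|out) interface (?P<iface>\w+)$"
)

# Constructed sample using the addresses from the thread plus two deliberate mistakes
# (a static without a netmask, and a permit for an address that nothing translates).
SAMPLE_CONFIG = """
static (inside,outside) 58.66.76.88 192.168.0.100
static (inside,outside) 58.66.76.89 192.168.0.101 netmask 255.255.255.255
global (outside) 1 58.66.76.90-58.66.76.95 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0
access-list outside_in extended permit icmp any host 58.66.76.88 echo
access-list outside_in extended permit tcp any host 58.66.76.88 eq www
access-list outside_in ext permit tcp any host 58.66.76.99 eq 22
access-group outside_in in interface outside
"""


@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    mask: str | None


def parse_config(text: str):
    """Return (statics, globals, acl_entries, bindings) parsed from a configlet."""
    statics, globals_, acl_entries, bindings = [], [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(Static(**m.groupdict()))
        elif m := GLOBAL_RE.match(line):
            globals_.append(m.groupdict())
        elif m := ACL_RE.match(line):
            d = m.groupdict()
            service = f"{d['proto']}/{d['port'] or d['svc'] or 'any'}"
            acl_entries.setdefault(d["name"], []).append((d["dst"], service))
        elif m := ACCESS_GROUP_RE.match(line):
            # Only the ACL bound inbound on the mapped interface governs outside-initiated traffic.
            bindings[(m["iface"], m["direction"])] = m["name"]
    return statics, globals_, acl_entries, bindings


def audit(text: str) -> dict:
    """Map each static to the services permitted to it and collect review findings."""
    statics, globals_, acl_entries, bindings = parse_config(text)
    exposed, findings = {}, []
    for s in statics:
        if s.mask is None:
            findings.append(f"static {s.mapped} -> {s.real} has no netmask; a 1:1 host static "
                            f"should carry netmask {HOST_MASK}")
        elif s.mask != HOST_MASK:
            net = ipaddress.ip_network(f"{s.mapped}/{s.mask}", strict=False)
            findings.append(f"static {s.mapped} -> {s.real} is a net static covering {net}")
        acl_name = bindings.get((s.mapped_if, "in"))
        services = sorted(svc for dst, svc in acl_entries.get(acl_name, []) if dst == s.mapped)
        if services:
            exposed[s.mapped] = {"real": s.real, "services": services}
        else:
            # Translation alone does not admit traffic from a lower-security interface.
            findings.append(f"static {s.mapped} -> {s.real} has no inbound permit on "
                            f"{s.mapped_if}; outside-initiated traffic is dropped")
    mapped_addrs = {s.mapped for s in statics}
    for (iface, direction), acl_name in bindings.items():
        if direction != "in":
            continue
        for dst, svc in acl_entries.get(acl_name, []):
            if dst not in mapped_addrs:
                findings.append(f"acl {acl_name} permits {svc} to {dst} on {iface} "
                                "but no static maps it")
    for g in globals_:
        if g["mask"] == HOST_MASK:
            findings.append(f"global pool {g['pool']} on {g['mapped_if']} uses a host mask; "
                            "pool globals normally take the block (subnet) mask")
    return {"exposed": exposed, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for mapped, info in report["exposed"].items():
        print(f"{mapped} -> {info['real']}: {', '.join(info['services'])}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against the sample it reports 58.66.76.88 as reachable for icmp/echo and tcp/www, and raises three findings: the first static lacks the host netmask, the second static is translated but has no inbound permit, and the permit for 58.66.76.99 refers to an address nothing translates. The "exposed" map is the artefact worth keeping from a change review, since it is the list of inside hosts the change actually publishes.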
