Static NAT

rajbhatt Wed, 08/15/2007 - 22:18

Hi,

You can use time-based access lists for control:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1444018

But NAT cannot be done based on time. Instead, you could try using policy NAT, if that solves your purpose, using source and destination address, but here time-based access lists will not be supported.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042553

Raj

Jon Marshall Wed, 08/15/2007 - 23:09

Hi

As the previous poster said, you cannot do NAT based on time, but it would be relatively easy to write a script that logs onto your firewall, clears the xlate for that static and then sets up a different static translation.

Jon

Jon Marshall Thu, 08/16/2007 - 04:44

Hi

I will try and dig one out that I did a while back to do a similar sort of thing.

Couple of questions:

1) Are you familiar with Tcl/Tk?

2) Are you familiar with Perl?

Do you have a Linux/Unix box to run the script from, or will it be a Windows box?

Jon

Jon Marshall Thu, 08/16/2007 - 05:04

Okay, no problem. As it's windows it might take a bit of time to dig out so bear with me.

Jon

srue Fri, 08/17/2007 - 19:40

You can install Perl on Windows (aka ActivePerl). You will also need the Windows version of the Net::Telnet & Net::Telnet::Cisco modules. Adjust passwds and IP accordingly. Once you have the script working, just schedule it using Windows.

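=================================

#!/usr/bin/perl
# Adjust the interpreter path above for your system.
use strict;
use warnings;
use Net::Telnet::Cisco;

my $passwd        = 'telnet_passwd';   # telnet login password
my $enable_passwd = 'enable_passwd';   # enable password
my $pix           = '192.168.1.1';     # firewall management address

my $session = Net::Telnet::Cisco->new(Host => $pix, Timeout => 30);
$session->prompt('/[\$%#>] $/');
$session->login('pix', $passwd);
$session->enable($enable_passwd);

# Remove the existing static and add the new one, one command per call,
# so each is sent only after the previous prompt has returned.
$session->cmd('conf t');
$session->cmd('no static (inside,outside) 10.10.10.10 10.10.10.10');
$session->cmd('static (inside,outside) 11.11.11.11 10.10.10.10');
$session->close;

==============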

I've never configured a Perl script to use SSH, but I suppose it's possible.
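
Added example (not part of any post in this thread): the scheduled swap described above, as a Python helper that picks the mapped address for the current time window and builds the command list, including an xlate clear for the affected host. The time windows are constructed for illustration, the addresses are the ones used in the script above, and issuing `clear xlate local` after the new static is in place is this example's choice; sending the commands to the firewall is left to your session library.

```python
"""Pick the static NAT mapping for a time of day and build the PIX/ASA
commands that swap it. Schedule values are constructed for illustration."""
from datetime import time
from ipaddress import IPv4Address

REAL_IP = "10.10.10.10"  # inside host, taken from the thread's script

# Constructed schedule (assumption): (window start, window end, mapped address).
SCHEDULE = [
    (time(8, 0), time(18, 0), "11.11.11.11"),   # daytime mapping
    (time(18, 0), time(8, 0), "10.10.10.10"),   # overnight, wraps midnight
]

def in_window(now, start, end):
    """True if now is in [start, end); handles windows that wrap midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def mapped_for(now, schedule=SCHEDULE):
    """Return the mapped address of the first window containing now."""
    for start, end, mapped in schedule:
        if in_window(now, start, end):
            return mapped
    raise ValueError(f"no NAT window covers {now}")

def swap_commands(real, current_mapped, new_mapped, ifaces="(inside,outside)"):
    """Commands replacing one static with another; [] if nothing changes."""
    # Validate every address so a typo or stray text never reaches the CLI.
    real, current_mapped, new_mapped = (
        str(IPv4Address(a)) for a in (real, current_mapped, new_mapped))
    if current_mapped == new_mapped:
        return []  # idempotent: safe to run repeatedly from a scheduler
    return [
        "configure terminal",
        f"no static {ifaces} {current_mapped} {real}",
        f"static {ifaces} {new_mapped} {real}",
        "exit",
        # Drop translations that were built under the old static.
        f"clear xlate local {real}",
    ]
```

The caller supplies the mapping currently configured, so a run that finds the right static already in place sends nothing to the firewall.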
