ASA Configuration Assistance

Answered Question
Mar 4th, 2010

Need to know what is the specific command on natting an ip to another ip via a port number.  Here is an example of what I think it should be but can't find the correct verbiage.

This is what I have listed which opens it up to any IP.

access-list 101 extended permit tcp any host 68.156.91.20 eq 23032

Here is what I would like to see, but I know the verbiage is wrong or I am missing something more.

access-list 101 extended permit ip 74.165.236.76  255.255.255.248  68.156.91.20  255.255.255.224 eq 23032

Please assist?

Collin Clark Thu, 03/04/2010 - 09:25

Oh so close!

access-list 101 extended permit tcp 74.165.236.76  255.255.255.248  68.156.91.20  255.255.255.224 eq 23032

This is just the ACL though and you mentioned NAT. Will you be NATing from one port to another?

rbill1967 Thu, 03/04/2010 - 09:50

Yeah, tried that one, but it didn't work.  Its message:

ERROR: IP address,mask <74.165.236.76,255.255.255.248> doesn't pair

Probably something wrong with the IP's mask?

Collin Clark Thu, 03/04/2010 - 11:39

Yes there is. You need to specify the subnet and not a host in it.

access-list 101 extended permit tcp 74.165.236.72  255.255.255.248  68.156.91.0  255.255.255.224 eq 23032

You can specify just a host too.

rbill1967 Thu, 03/04/2010 - 13:20

It worked in placing that information in there now.  I just need to be sure the agency can access it.  I have another one as well, trying to determine its subnet host.

You have a useful tool on getting that information faster?

rbill1967 Fri, 03/05/2010 - 07:21

One more question Collin, specifying the subnet was easy.  Now locking it down to a specific IP, is that impossible?  Does the command look something like this?

access-list 101 extended permit tcp 74.165.236.76 255.255.255.255 68.156.91.20 255.255.255.255 eq 23032

Will this work?  Overall this is where I am trying to get to.

Correct Answer
Collin Clark Fri, 03/05/2010 - 08:04

That is exactly right. Note that when you look at the config it will replace it with this line-

access-list 101 extended permit tcp host 74.165.236.76  host 68.156.91.20 eq 23032

When you write the ACL you can either enter 255.255.255.255 or precede the IP with the keyword host.
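The two rules worked out in this thread, that an address/mask pair is only accepted when the address is the network address under that mask (the cause of the "doesn't pair" error above), and that a 255.255.255.255 mask is stored as the `host` keyword, can be modelled in a few lines. The following is an added example, not code from the thread or from Cisco; the function names and the error string (copied from the message quoted above) are assumptions for illustration:

```python
import ipaddress


def pairs(addr: str, mask: str) -> bool:
    """True when addr has no host bits set under mask, i.e. it is the
    network address. This is the check the ASA applies before accepting
    an address/mask pair in an extended ACE."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return a & m == a


def network_address(addr: str, mask: str) -> str:
    """The address the ASA would accept for this mask (host bits cleared)."""
    return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False).network_address)


def render_ace(acl: str, proto: str, src: str, smask: str,
               dst: str, dmask: str, port: int) -> str:
    """Build the ACE the way the ASA stores it: a /32 pair is written as
    `host A`; any other pair must pair correctly or it is rejected with a
    message mirroring the one quoted in the thread (constructed here)."""
    parts = [f"access-list {acl} extended permit {proto}"]
    for addr, mask in ((src, smask), (dst, dmask)):
        if not pairs(addr, mask):
            raise ValueError(f"ERROR: IP address,mask <{addr},{mask}> doesn't pair")
        if int(ipaddress.IPv4Address(mask)) == 0xFFFFFFFF:
            parts.append(f"host {addr}")
        else:
            parts.append(f"{addr} {mask}")
    parts.append(f"eq {port}")
    return " ".join(parts)


if __name__ == "__main__":
    # The three attempts from the thread (addresses as posted above).
    attempts = [
        ("74.165.236.76", "255.255.255.248", "68.156.91.20", "255.255.255.224"),  # rejected
        ("74.165.236.72", "255.255.255.248", "68.156.91.0", "255.255.255.224"),   # subnet form
        ("74.165.236.76", "255.255.255.255", "68.156.91.20", "255.255.255.255"),  # host form
    ]
    for src, smask, dst, dmask in attempts:
        try:
            print(render_ace("101", "tcp", src, smask, dst, dmask, 23032))
        except ValueError as err:
            print(err, "-> use", network_address(src, smask), smask)
```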
