- Posts: 12
- Thank you received: 0
disjointed external static ip's on same ASA5505?
- blacksunshine
- Topic Author
- Offline
- New Member
so for each ip/port, you need one 'static' command, one 'access-list' and one 'access-group'?
where I think I am having trouble understanding is I am trying to figure out what are the commands and what are the variables...not having any familiarity with all of the different cisco commands, it all gets jumbled up in that empty space in my skull...
so on the first command:
[code:1]static (inside,outside) xxx.yyy.238.241 192.160.1.50 netmask 255.255.255.255[/code:1]
static is a command, inside and outside are vlan name variables, the first ip is the static ip on the outside that we want to use for incoming traffic, the second ip is the internal ip and then the netmask is...well...the netmask.. ...right?
on the second command:
[code:1]access-list outside_access_in extended permit ip any host xxx.yyy.238.241[/code:1]
'access-list' is a command, stating we are creating a new access list named 'outside_access_in', extended...ok, this is where I start losing comprehension....
From what I have read, extended refers to...ok, here is where I start getting confused.....I think I am sidetracking myself on something inconsequential...but need some kind of understanding as to what this does.....
here is what I am using to decipher:
articles.techrepublic.com.com/5100-10878_11-1058307.html
that 'extended' is sidetracking me....
I don't know what to think about the last command:
[code:1]access-group outside_access_in in interface outside[/code:1]
- blacksunshine
- Topic Author
- Offline
- New Member
- Posts: 12
- Thank you received: 0
here is a good definition of what 'extended' means along with its alternative:
A standard access-list can only define the SOURCE IP of the traffic. An extended IP access-list can define the source and destination IP address of traffic, along with source and destination port numbers. Also, while a standard access-list only defines IP traffic, an extended access-list can define TCP, UDP, ICMP, IP, AHP, EIGRP, IGRP, ESP, IGMP, OSPF, and PIM traffic.
another question is that everything I have found so far says you have to assign a number to the acl when you create it instead of the name...is that just because I am finding old school info and the newer stuff lets you create alpha names instead of numbering?
so on the first command:
[code:1]static (inside,outside) xxx.yyy.238.241 192.160.1.50 netmask 255.255.255.255[/code:1]
static is a command, inside and outside are vlan name variables, the first ip is the static ip on the outside that we want to use for incoming traffic, the second ip is the internal ip and then the netmask is...well...the netmask.. ...right?
Yes. One thing here to note is that the net mask is not necessarily the one you used for your private range (say 192.160.1.50/24). Up to my understanding, it defines the internal range of IPs that you want to map to. In this case only one IP: 192.160.1.50 hence we use /32 (255.255.255.255).
Regarding the access-group command:
[code:1]access-group outside_access_in in interface outside[/code:1]
This binds the ACL outside_access_in with the outside interface. The in keyword tells the outside interface/vlan to use the ACL for checking incoming traffic. In other words, the command says: "Hey, interface outside, you use the outside_access_in ACL for checking packets that are entering you"
A standard access-list can only define the SOURCE IP of the traffic. An extended IP access-list can define the source and destination IP address of traffic, along with source and destination port numbers. Also, while a standard access-list only defines IP traffic, an extended access-list can define TCP, UDP, ICMP, IP, AHP, EIGRP, IGRP, ESP, IGMP, OSPF, and PIM traffic.
Ya, that's a good start. Note here that there might be differences in the syntax between router commands and ASA commands. So always make sure that you are reading the right material for the right equipment.
Another question is that everything I have found so far says you have to assign a number to the acl when you create it instead of the name...is that just because I am finding old school info and the newer stuff lets you create alpha names instead of numbering?
I'm not on my ASA right now, so I can't check if numbers work. But I'm sure that names will work as I've tried it. Since you're just starting on the ASA road, I recommend reading the official stuff from Cisco:
www.cisco.com/en/US/products/ps6120/prod...ion_guides_list.html
This way you are sure of what you're getting and getting at.
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
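To make the three-command pairing explained above concrete (a static translation, an extended ACL entry whose destination is the mapped address, and the access-group that binds the ACL inbound on the outside interface), here is a small Python checker that parses those three line types and cross-checks them. This is an added example, not code from the forum or from Cisco; the sample configs are constructed, use the thread's 192.160.1.50 inside host and a documentation address (203.0.113.241) in place of the thread's masked xxx.yyy.238.241, and assume the pre-8.3 ASA syntax the thread uses, where the ACL references the mapped (outside) address.

```python
"""Parse ASA 'static', 'access-list ... extended' and 'access-group' lines and
cross-check them: every static should be a /32 host mapping, be covered by a
permit entry, and have that ACL bound inbound on the mapped interface.
Added example; sample configs below are constructed, not from the thread."""
import ipaddress
import re

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK   (pre-8.3 syntax)
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)$")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+)$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) (?P<dir>in|out) interface (?P<iface>\w+)$")


def parse_endpoint(tokens):
    """ACL endpoint syntax: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    Returns (network, tokens left over, e.g. ['eq', '443'])."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (statics, acls-by-name, access-groups) from the lines we understand."""
    statics, acls, groups = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := STATIC_RE.match(line):
            d = m.groupdict()
            # The netmask applies to the real (inside) side: /32 means exactly one host.
            d["network"] = ipaddress.ip_network(f"{d['real']}/{d['mask']}", strict=False)
            statics.append(d)
        elif m := ACL_RE.match(line):
            tokens = m["rest"].split()
            src, tokens = parse_endpoint(tokens)
            dst, tokens = parse_endpoint(tokens)
            acls.setdefault(m["name"], []).append(
                {"action": m["action"], "proto": m["proto"], "src": src, "dst": dst, "ports": tokens})
        elif m := GROUP_RE.match(line):
            groups.append(m.groupdict())
    return statics, acls, groups


def check(text):
    """Return a list of human-readable findings (empty list = nothing to flag)."""
    statics, acls, groups = parse_config(text)
    bound = {(g["iface"], g["dir"]): g["name"] for g in groups}
    findings = []
    for s in statics:
        mapped = ipaddress.ip_address(s["mapped"])
        if s["network"].num_addresses != 1:
            findings.append(f"static {s['mapped']}: netmask {s['mask']} maps "
                            f"{s['network'].num_addresses} addresses, not one host")
        acl_name = bound.get((s["mapped_if"], "in"))
        if acl_name is None:
            findings.append(f"static {s['mapped']}: no access-group bound inbound on interface {s['mapped_if']}")
            continue
        if acl_name not in acls:
            findings.append(f"access-group references undefined ACL {acl_name}")
            continue
        permits = [e for e in acls[acl_name] if e["action"] == "permit" and mapped in e["dst"]]
        if not permits:
            findings.append(f"static {s['mapped']}: ACL {acl_name} has no permit entry covering it")
        elif any(e["proto"] == "ip" and e["src"].prefixlen == 0 for e in permits):
            # 'permit ip any host X' forwards every protocol and port to the inside host.
            findings.append(f"static {s['mapped']}: ACL {acl_name} permits 'ip any' to the host "
                            f"(all ports exposed; narrow to the needed service)")
    for name in acls:
        if name not in bound.values():
            findings.append(f"ACL {name} is defined but never applied with access-group")
    return findings


# Constructed sample mirroring the thread's three lines (documentation address on the outside).
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.241 192.160.1.50 netmask 255.255.255.255
access-list outside_access_in extended permit ip any host 203.0.113.241
access-group outside_access_in in interface outside
"""

# Constructed sample with the mistakes the thread asks about: a /24 netmask and no access-group.
BROKEN_CONFIG = """
static (inside,outside) 203.0.113.242 192.160.1.60 netmask 255.255.255.0
access-list outside_access_in extended permit tcp any host 203.0.113.242 eq 443
"""

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check(cfg) or ["ok"])
```

The checker matches the ACL destination against the mapped (outside) address because that is the pre-8.3 convention the thread's commands follow; on ASA 8.3 and later the ACL references the real (inside) address instead, so the comparison would need to use `s["real"]` there. The sample config passes structurally but still gets one advisory finding, since `permit ip any host` opens every protocol and port to the inside host rather than just the service being published.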
- blacksunshine
- Topic Author
- Offline
- New Member
- Posts: 12
- Thank you received: 0
can I have the 'inside' range set to 192.168.0.0 and then the routed ip that I am working with be pointed inside to an ip on a totally different subnet, ie say pointing it to something within 192.168.1.0?
or does the mapping have to be within the same subnet inside?