2 Public Interfaces and NAT

Hello,
We currently have NW6 running BM3.7 set up with 1 public interface and 1
private interface. Our private interface is 10.1.1.1 and we are NATing
that to our public interface. We are using HTTP proxy services for all our
internet browsing, the proxy being the 10.1.1.1 address. The public interface
is on a state WAN link and we are using it for internet browsing, email,
Citrix and other state applications. We want to offload our email,
internet and Citrix traffic onto another public interface, which is
provided by a different ISP. I know what I need to do to change over the
email to the new IP address on the new interface. How do I set up BM to
route internet traffic to the new public interface? Also, how do I make
sure that my Citrix traffic is routed to the new interface as well? Any
help with this would be greatly appreciated.
Thanks all in advance!

You cannot arbitrarily send some type of traffic to one NIC, and the
rest to another. The outbound traffic will follow the default route.
You can have some limited control by using static routing to force
traffic to certain addresses out one NIC, but that tends to be useful
mostly with S2S VPN dedicated links.
You can also enable dynamic NAT on the LAN side of one of your internet
routers, and make reply traffic to inbound traffic from that link go
back the way it came in.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
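An added illustration of the two points in the reply above, written for this page and not taken from the thread: a longest-prefix-match routing table in Python. The addresses are assumptions (10.1.1.1/24 for the private NIC, 192.0.2.2/30 for the state WAN link, 198.51.100.2/30 for the new ISP, 203.0.113.x for remote hosts). It shows that with a single default route every outbound flow leaves the same NIC whatever the protocol, that a host route for a known destination (the Citrix gateway) is the only lever that moves traffic to the second NIC, and why the reply to an inbound connection on the second link goes out the wrong NIC unless that link's router NATs the source to its own LAN-side address.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed topology for this example (addresses are assumptions, not from the post):
#   PRIVATE  10.1.1.1/24      BM private NIC, also the HTTP proxy address
#   ISP1     192.0.2.2/30     existing state WAN link, gateway 192.0.2.1
#   ISP2     198.51.100.2/30  new ISP link, gateway 198.51.100.1
IFACES = {
    "PRIVATE": ipaddress.ip_interface("10.1.1.1/24"),
    "ISP1": ipaddress.ip_interface("192.0.2.2/30"),
    "ISP2": ipaddress.ip_interface("198.51.100.2/30"),
}
ISP1_GW, ISP2_GW = "192.0.2.1", "198.51.100.1"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    via: Optional[str] = None   # None means directly connected


@dataclass
class RoutingTable:
    routes: list = field(default_factory=list)

    def add(self, prefix, iface, via=None):
        self.routes.append(Route(ipaddress.ip_network(prefix), iface, via))

    def egress(self, dst):
        """Longest-prefix match: the most specific route wins, so 0.0.0.0/0
        is only used when nothing else covers the destination."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            raise LookupError(f"no route to {dst}")
        return max(candidates, key=lambda r: r.prefix.prefixlen).iface


def base_table():
    """Connected routes for each NIC plus a single default route via ISP1."""
    t = RoutingTable()
    for name, ifc in IFACES.items():
        t.add(str(ifc.network), name)
    t.add("0.0.0.0/0", "ISP1", via=ISP1_GW)
    return t


# Constructed remote hosts: a web server, a mail relay and the Citrix gateway.
WEB, MAIL, CITRIX = "203.0.113.10", "203.0.113.25", "203.0.113.80"


def demo_default_route():
    """Outbound traffic of every type follows the one default route; the
    protocol (HTTP, SMTP, ICA) plays no part in the decision."""
    t = base_table()
    return {name: t.egress(dst) for name, dst in (("web", WEB), ("mail", MAIL), ("citrix", CITRIX))}


def demo_static_routes():
    """The 'limited control' the reply mentions: a host route pins a known
    destination (the Citrix gateway) to ISP2; everything else still uses ISP1."""
    t = base_table()
    t.add(f"{CITRIX}/32", "ISP2", via=ISP2_GW)
    return {"web": t.egress(WEB), "citrix": t.egress(CITRIX)}


def demo_inbound_reply(isp2_router_nats):
    """An inbound connection arrives on the ISP2 NIC from an internet host.
    Without NAT, the reply is routed by its destination (the internet host)
    and leaves via the default route on ISP1: asymmetric, and usually dropped.
    With dynamic NAT on the LAN side of the ISP2 router, BM sees the router's
    own LAN address as the source, and that sits on the connected /30 on ISP2."""
    t = base_table()
    internet_host = "203.0.113.200"
    reply_dst = ISP2_GW if isp2_router_nats else internet_host
    return t.egress(reply_dst)


if __name__ == "__main__":
    print(demo_default_route())
    print(demo_static_routes())
    print("reply without NAT on ISP2 router ->", demo_inbound_reply(False))
    print("reply with NAT on ISP2 router    ->", demo_inbound_reply(True))
```

The interesting case is the last one: the connected /30 towards the ISP2 router is a more specific prefix than 0.0.0.0/0, which is exactly why NATing inbound traffic at that router makes the replies return the way they came without any per-protocol routing on the BorderManager box.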

Similar Messages

  • Configuring New Interface and NAT on Cisco 1900 Series Router.

    Hello Cisco Team,
    I am asking for advice on how to set up NAT rules and overload on the 2nd interface of my Cisco 1900 series router; I am not sure where I am getting it wrong.
    My router has 2 interfaces. Interface one has IP address 10.5.5.5X, plugs into my ASA firewall and into my switch, and works just fine.
    I have just configured my second interface with a new IP, 172.16.0.X. I want to NAT my new IP address to our public IP address, which is 41.77.X.X.
    My configuration so far is as follows.
    GigabitEthernet0/0     172.16.0.X   YES manual up   up   - not working
    GigabitEthernet0/1     10.5.5.X     YES NVRAM  up   up   - this works fine
    GigabitEthernet0/0/0   41.77.X.X    YES NVRAM  up   up

    Hello Jon,
    Thanks for your feedback. My router configuration is as follows.
    interface GigabitEthernet0/0
     description WL2504
     ip address 172.16.0.2 255.255.254.0
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     description WAN
     ip address 10.55.55.2 255.255.255.252
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/0/0
     description LINK TO CLT INTERNET
     ip address 41.X.X.130 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex full
     speed 100
     media-type sfp
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
    ip route 0.0.0.0 0.0.0.0 41.X.X.129
    ip route 41.X.X.136 255.255.255.248 10.55.55.1
    ip route 192.168.0.0 255.255.255.0 10.55.55.1
    access-list 1 permit 10.55.55.0 0.0.0.255
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 1 permit 192.168.1.0 0.0.0.255
    Router interface GigabitEthernet0/0 will be connected to my wireless controller WL 2504.

  • SA540 - IPSec and NAT

    Here's the scenario
    My LAN 10.10.10.0
    Local Host 10.10.10.6
    Remote LAN: 192.168.201.0
    Remote Host: 192.168.201.59
    Trying to setup a IPSec connection between two hosts.
    The other side wants to me to NAT 10.10.10.6 as 172.16.5.6
    The SA540 doesn't seem to have this feature.
    Is there a way to easily achieve that?
    Thank you

    Here is an example which might help you, but you need to make sure you have a matching subnet (for bidirectional, one-to-one mapping).
    Configure the NAT. Source address range of 10.9.0.0/24 and destination of the remote subnet (example 10.10.0.0/24):
    access-list 101 permit ip 10.9.0.0 0.0.0.255 10.10.0.0 0.0.0.255
    Create a route-map called 'static-nat' and match traffic to ACL 101:
    route-map static-nat
     match ip address 101
    Create a NAT pool for the public IP address (or range) you want to NAT to. In this case I'm NATting to 172.16.17.0:
    ip nat pool NAT-POOL 172.16.17.1 172.16.17.254 netmask 255.255.255.0
    Create a NAT rule to use the route-map 'static-nat'. Upon a match to ACL 101, NAT that traffic to one of the NAT-POOL addresses:
    ip nat inside source route-map static-nat pool NAT-POOL overload
    Once you have configured the NAT you need to modify the interesting traffic. You need your 'interesting traffic':
    access-list 121 permit ip 172.16.17.0 0.0.0.255 10.10.0.0 0.0.0.255
    Define your VPN peer, apply phase II and the matching ACL for interesting traffic:
    crypto map VPN 5 ipsec-isakmp
     set peer <peer ip>
     set transform-set <transform set>
     match address 121
    Apply the crypto map to the public interface and NAT on the public side:
    interface GigabitEthernet0/0
     ip nat outside
     crypto map VPN
    Configure the inside interface NAT on the internal side (the interface needs a host address, not the 10.9.0.0 network address):
    interface GigabitEthernet0/1
     ip address 10.9.0.1 255.255.255.0
     ip nat inside
    HTH
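    Added example for the two Cisco threads above (the 1900 configuration and the route-map NAT reply), not code from either post: a small Python model of the IOS inside-source NAT decision. It assumes the interface names Gi0/0, Gi0/1 and Gi0/0/0 from the 1900 post, uses 203.0.113.130 as a stand-in for the masked public address 41.X.X.130 and 198.51.100.x as constructed internet hosts, and models the pool translation as a host-preserving one-to-one mapping in line with the reply's note about matching subnets. The 1900 thread has no answer on this page; the 'fixed' variant reflects the two conditions IOS requires that the posted config does not meet (Gi0/0 is not marked ip nat inside, and access-list 1 does not cover 172.16.0.0/23). The second function shows why the crypto ACL in the reply names 172.16.17.0/24 rather than 10.9.0.0/24: inside-to-outside, translation happens before the crypto map is matched.

```python
import ipaddress
from dataclasses import dataclass, field


def in_acl(acl, src, dst=None):
    """acl is a list of (src_net, dst_net) entries; dst_net is None for a
    standard ACL entry that only looks at the source address."""
    s_addr = ipaddress.ip_address(src)
    d_addr = ipaddress.ip_address(dst) if dst is not None else None
    for s_net, d_net in acl:
        if s_addr not in ipaddress.ip_network(s_net):
            continue
        if d_net is None or (d_addr is not None and d_addr in ipaddress.ip_network(d_net)):
            return True
    return False


@dataclass
class NatRouter:
    inside: set                 # interfaces configured with "ip nat inside"
    outside: set                # interfaces configured with "ip nat outside"
    nat_acl: list               # ACL referenced by "ip nat inside source ..."
    pool: str                   # /32 = "interface ... overload"; larger = NAT pool
    crypto_acl: list = field(default_factory=list)   # crypto map "match address"

    def _mapped(self, src):
        pool = ipaddress.ip_network(self.pool)
        if pool.num_addresses == 1:        # everyone shares the interface address
            return str(pool.network_address)
        # Pool the same size as the inside subnet: keep the host part so the
        # mapping is one-to-one and predictable (the reply's "matching subnet").
        host_bits = int(ipaddress.ip_address(src)) & int(pool.hostmask)
        return str(pool.network_address + host_bits)

    def translate(self, ingress, egress, src, dst):
        """Inside-source NAT fires only when all three hold: the packet entered a
        'nat inside' interface, it leaves a 'nat outside' interface, and the
        source (and destination, for an extended ACL) matches the NAT ACL."""
        if ingress not in self.inside or egress not in self.outside:
            return src
        if not in_acl(self.nat_acl, src, dst):
            return src
        return self._mapped(src)

    def is_interesting(self, post_nat_src, dst):
        """Inside-to-outside, IOS translates before the crypto map is consulted,
        so the crypto ACL is evaluated against the translated source address."""
        return in_acl(self.crypto_acl, post_nat_src, dst)


def demo_cisco1900():
    """The 1900 post: Gi0/0 (172.16.0.0/23) has no 'ip nat inside' and ACL 1 does
    not list 172.16.0.0/23, so its hosts leave untranslated. 203.0.113.130 is a
    stand-in for the masked public address 41.X.X.130 (assumption)."""
    posted = NatRouter(
        inside={"Gi0/1"}, outside={"Gi0/0/0"},
        nat_acl=[("10.55.55.0/24", None), ("192.168.0.0/24", None), ("192.168.1.0/24", None)],
        pool="203.0.113.130/32",
    )
    fixed = NatRouter(
        inside={"Gi0/1", "Gi0/0"}, outside={"Gi0/0/0"},
        nat_acl=posted.nat_acl + [("172.16.0.0/23", None)],
        pool=posted.pool,
    )
    internet = "198.51.100.5"   # constructed internet destination
    return {
        "posted_lan_host": posted.translate("Gi0/1", "Gi0/0/0", "192.168.0.10", internet),
        "posted_wlc_host": posted.translate("Gi0/0", "Gi0/0/0", "172.16.0.10", internet),
        "fixed_wlc_host": fixed.translate("Gi0/0", "Gi0/0/0", "172.16.0.10", internet),
    }


def demo_ipsec_nat():
    """The SA540 reply: ACL 101 + route-map select 10.9.0.0/24 -> 10.10.0.0/24 for
    translation into 172.16.17.0/24; crypto ACL 121 must therefore name
    172.16.17.0/24, not 10.9.0.0/24."""
    r = NatRouter(
        inside={"Gi0/1"}, outside={"Gi0/0"},
        nat_acl=[("10.9.0.0/24", "10.10.0.0/24")],          # access-list 101
        pool="172.16.17.0/24",                               # NAT-POOL
        crypto_acl=[("172.16.17.0/24", "10.10.0.0/24")],     # access-list 121
    )
    src, dst = "10.9.0.6", "10.10.0.7"
    post_nat = r.translate("Gi0/1", "Gi0/0", src, dst)
    return {
        "post_nat_src": post_nat,
        "crypto_acl_matches_translated": r.is_interesting(post_nat, dst),
        "crypto_acl_would_match_original": in_acl(r.crypto_acl, src, dst),
        "internet_bound_left_alone": r.translate("Gi0/1", "Gi0/0", src, "198.51.100.9"),
    }


if __name__ == "__main__":
    print(demo_cisco1900())
    print(demo_ipsec_nat())
```

    The model deliberately ignores routing and reverse translation; it only captures the three-way check (ingress role, egress role, ACL match) that decides whether a packet is translated at all, which is where the 1900 configuration falls short, and the order of NAT versus crypto-map matching, which is what the reply's ACL 121 depends on.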

  • Eliminating Public Interface

    I currently have a BM server that hosts primarily file sharing and GroupWise. I have BM installed on the server and we access GroupWise WebAccess, SMTP, IMAP and POP via the public interface. I want to eliminate the public interface, route all traffic through our 3rd party firewall and take this server off of the internet. However, when I disable the public interface and change the default route, none of the services are working. I have narrowed it down to the TCP/IP filters. What is the best practice for eliminating this interface and making sure all traffic routes through the private interface? I do not have any of the BM modules loaded and really don't use any of the services, but I think what happens is traffic comes in through the private but it is still trying to route through the public interface.

    This may sound simplistic when you read it, but it really is this
    simple. The public interface only gets involved when traffic is sent
    to or through it.
    Filters are supposed to be applied to the public interface, and not the
    private side (unless you've *really* customized them). See tip #13 at
    the URL below. (Talking filters here, not exceptions).
    If you have changed the default route to an address on the private
    side, then packets going to the internet should not touch the public
    interface at all. Since you are having a filtering issue, clearly some
    things need to be checked out.
    1. In filtcfg, check that no filters are applied to the private
    interface, and that the filtering action is the default (deny in list,
    as seen in tip #13).
    2. Check routing table in TCPCON to see what the default route actually
    is. Sometimes it's not what you thought you had.
    3. Check routers in your network to see if some static NAT or routing
    table entry might be pointing to an old public address assigned on the
    BMgr server.
    4. Use set tcp ip debug=1 (careful! Will see a lot of traffic, and
    could crash a production server) to see all IP traffic on the server.
    You can then observe packets hitting the public side and maybe see
    where they are coming from. PKTSCAN.NLM would be a lot safer to use.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • IllegalAccessError when trying to create a proxy for a non-public interface

    My code proxies a class that extends JDialog. Under Java5 this works fine. However, when I switch to Java6 I get a java.lang.IllegalAccessError: class javax.swing.$Proxy3 cannot access its superinterface javax.swing.TransferHandler$HasGetTransferHandler exception.
    I went through debugging my code to find out what went wrong. I created the included test code that shows the problem (and because the real codebase is much too big to include here).
    // SomePackageInterfaceDefiningClass.java: a package-private interface in javax.swing
    package javax.swing;

    public class SomePackageInterfaceDefiningClass {
        interface SomeInnerPackageInterface {
        }
    }

    // NonPublicInterfaceProxyCreator.java
    package javax.swing;

    import java.lang.reflect.Proxy;
    import java.util.ArrayList;
    import java.util.Collection;
    import org.apache.commons.lang.ArrayUtils;

    public class NonPublicInterfaceProxyCreator {
        public static void main(String[] args) {
            // This works fine !
            doTest(WindowConstants.class);
            // This also ! The proxy class package is javax.swing as expected
            doTest(SomePackageInterfaceDefiningClass.SomeInnerPackageInterface.class);
            // JDialog implements the package visible interface
            // javax.swing.TransferHandler.HasGetTransferHandler
            Collection<Class<?>> jdInterfaces = new ArrayList<Class<?>>();
            for (Class<?> interfaze : JDialog.class.getInterfaces()) {
                jdInterfaces.add(interfaze);
            }
            Collection<Class<?>> strippedJdialogInterfaces = new ArrayList<Class<?>>(
                    jdInterfaces);
            for (Class<?> interfaze : jdInterfaces) {
                if (interfaze.getName().equalsIgnoreCase(
                        "javax.swing.TransferHandler$HasGetTransferHandler")) {
                    strippedJdialogInterfaces.remove(interfaze);
                }
            }
            // Without the package visible interface it works !
            doTest(strippedJdialogInterfaces.toArray(new Class<?>[0]));
            // With the package visible interface it fails
            doTest(jdInterfaces.toArray(new Class<?>[0]));
        }

        private static void doTest(Class... interfaces) {
            // Class clazz = Proxy.getProxyClass(JDialog.class.getClassLoader(),
            // interfaces);
            Class clazz = Proxy.getProxyClass(Thread.currentThread()
                    .getContextClassLoader(), interfaces);
            System.out.println("Class created = " + clazz
                    + " >>>> Implemented interfaces = "
                    + ArrayUtils.toString(clazz.getInterfaces()));
        }
    }
    When I run this code under Java5 I get:
    Class created = class $Proxy0 >>>> Implemented interfaces = {interface javax.swing.WindowConstants}
    Class created = class javax.swing.$Proxy1 >>>> Implemented interfaces = {interface javax.swing.SomePackageInterfaceDefiningClass$SomeInnerPackageInterface}
    Class created = class $Proxy2 >>>> Implemented interfaces = {interface javax.swing.WindowConstants,interface javax.accessibility.Accessible,interface javax.swing.RootPaneContainer}
    Class created = class $Proxy2 >>>> Implemented interfaces = {interface javax.swing.WindowConstants,interface javax.accessibility.Accessible,interface javax.swing.RootPaneContainer}
    Under Java6 I get:
    Class created = class $Proxy0 >>>> Implemented interfaces = {interface javax.swing.WindowConstants}
    Class created = class javax.swing.$Proxy1 >>>> Implemented interfaces = {interface javax.swing.SomePackageInterfaceDefiningClass$SomeInnerPackageInterface}
    Class created = class $Proxy2 >>>> Implemented interfaces = {interface javax.swing.WindowConstants,interface javax.accessibility.Accessible,interface javax.swing.RootPaneContainer}
    Exception in thread "main" java.lang.IllegalAccessError: class javax.swing.$Proxy3 cannot access its superinterface javax.swing.TransferHandler$HasGetTransferHandler
         at java.lang.reflect.Proxy.defineClass0(Native Method)
         at java.lang.reflect.Proxy.getProxyClass(Proxy.java:504)
         at javax.swing.NonPublicInterfaceProxyCreator.doTest(NonPublicInterfaceProxyCreator.java:45)
         at javax.swing.NonPublicInterfaceProxyCreator.main(NonPublicInterfaceProxyCreator.java:38)
    According to the documentation the interface javax.swing.TransferHandler$HasGetTransferHandler should be visible to my class as it is located in the same package, right?
    I think there must be some classloading issue when trying to access the non-public interface javax.swing.TransferHandler$HasGetTransferHandler in rt.jar.
    I can not figure out what is different between my own non-public interface and Swing's javax.swing.TransferHandler$HasGetTransferHandler.
    Any help would be appreciated.

    I don't agree completely. What you're saying is true, don't get me wrong. It's the Error that I get from Java that troubles me.
    To resolve the classloading question, I changed my code as follows:
    package javax.swing;

    import java.lang.reflect.Proxy;
    import java.util.ArrayList;
    import java.util.Collection;
    import org.apache.commons.lang.ArrayUtils;

    public class NonPublicInterfaceProxyCreator {
        public static void main(String[] args) {
            // This works fine !
            doTest(WindowConstants.class);
            doTest2(WindowConstants.class);
            // This also ! The proxy class package is javax.swing as expected
            doTest(SomePackageInterfaceDefiningClass.SomeInnerPackageInterface.class);
            doTest2(SomePackageInterfaceDefiningClass.SomeInnerPackageInterface.class);
            // JDialog implements the package visible interface
            // javax.swing.TransferHandler.HasGetTransferHandler
            Collection<Class<?>> jdInterfaces = new ArrayList<Class<?>>();
            for (Class<?> interfaze : JDialog.class.getInterfaces()) {
                jdInterfaces.add(interfaze);
            }
            Collection<Class<?>> strippedJdialogInterfaces = new ArrayList<Class<?>>(
                    jdInterfaces);
            for (Class<?> interfaze : jdInterfaces) {
                if (interfaze.getName().equalsIgnoreCase(
                        "javax.swing.TransferHandler$HasGetTransferHandler")) {
                    strippedJdialogInterfaces.remove(interfaze);
                }
            }
            // Without the package visible interface it works !
            doTest(strippedJdialogInterfaces.toArray(new Class<?>[0]));
            doTest2(strippedJdialogInterfaces.toArray(new Class<?>[0]));
            // With the package visible interface it fails
            doTest(jdInterfaces.toArray(new Class<?>[0]));
            doTest2(jdInterfaces.toArray(new Class<?>[0]));
        }

        // Proxy defined through the thread's context class loader (the application loader)
        private static void doTest(Class... interfaces) {
            ClassLoader contextClassLoader = Thread.currentThread()
                    .getContextClassLoader();
            System.out.println("Classloader that creates proxy = " + contextClassLoader);
            try {
                Class clazz = Proxy.getProxyClass(contextClassLoader, interfaces);
                System.out.println("Class created = " + clazz
                        + " >>>> Implemented interfaces = "
                        + ArrayUtils.toString(clazz.getInterfaces()));
            } catch (Throwable e) {
                e.printStackTrace();
            }
        }

        // Proxy defined through JDialog's class loader (the bootstrap loader, reported as null)
        private static void doTest2(Class... interfaces) {
            ClassLoader contextClassLoader = JDialog.class.getClassLoader();
            System.out.println("Classloader that creates proxy = " + contextClassLoader);
            try {
                Class clazz = Proxy.getProxyClass(contextClassLoader, interfaces);
                System.out.println("Class created = " + clazz
                        + " >>>> Implemented interfaces = "
                        + ArrayUtils.toString(clazz.getInterfaces()));
            } catch (Throwable e) {
                e.printStackTrace();
            }
        }
    }
    And here is the result when I run it on Java 1.6:
    Classloader that creates proxy = sun.misc.Launcher$AppClassLoader@11b86e7
    Class created = class $Proxy0 >>>> Implemented interfaces = {interface javax.swing.WindowConstants}
    Classloader that creates proxy = null
    Class created = class $Proxy1 >>>> Implemented interfaces = {interface javax.swing.WindowConstants}
    Classloader that creates proxy = sun.misc.Launcher$AppClassLoader@11b86e7
    Class created = class javax.swing.$Proxy2 >>>> Implemented interfaces = {interface javax.swing.SomePackageInterfaceDefiningClass$SomeInnerPackageInterface}
    Classloader that creates proxy = null
    java.lang.IllegalArgumentException: interface javax.swing.SomePackageInterfaceDefiningClass$SomeInnerPackageInterface is not visible from class loader
         at java.lang.reflect.Proxy.getProxyClass(Proxy.java:353)
         at javax.swing.NonPublicInterfaceProxyCreator.doTest2(NonPublicInterfaceProxyCreator.java:64)
         at javax.swing.NonPublicInterfaceProxyCreator.main(NonPublicInterfaceProxyCreator.java:18)
    Classloader that creates proxy = sun.misc.Launcher$AppClassLoader@11b86e7
    Class created = class $Proxy3 >>>> Implemented interfaces = {interface javax.swing.WindowConstants,interface javax.accessibility.Accessible,interface javax.swing.RootPaneContainer}
    Classloader that creates proxy = null
    Class created = class $Proxy4 >>>> Implemented interfaces = {interface javax.swing.WindowConstants,interface javax.accessibility.Accessible,interface javax.swing.RootPaneContainer}
    Classloader that creates proxy = sun.misc.Launcher$AppClassLoader@11b86e7
    java.lang.IllegalAccessError: class javax.swing.$Proxy5 cannot access its superinterface javax.swing.TransferHandler$HasGetTransferHandler
         at java.lang.reflect.Proxy.defineClass0(Native Method)
         at java.lang.reflect.Proxy.getProxyClass(Proxy.java:504)
         at javax.swing.NonPublicInterfaceProxyCreator.doTest(NonPublicInterfaceProxyCreator.java:51)
         at javax.swing.NonPublicInterfaceProxyCreator.main(NonPublicInterfaceProxyCreator.java:41)
    Classloader that creates proxy = null
    Class created = class javax.swing.$Proxy6 >>>> Implemented interfaces = {interface javax.swing.WindowConstants,interface javax.accessibility.Accessible,interface javax.swing.RootPaneContainer,interface javax.swing.TransferHandler$HasGetTransferHandler}
    As you can see, I get an IllegalArgumentException telling me that the interface I try to proxy is not visible from JDialog's classloader, as I would expect. Remark that Java tells me that JDialog's classloader is null. Strange, isn't it?
    However I get an IllegalAccessError when I try to proxy TransferHandler$HasGetTransferHandler from my own classloader.
    Any reason why the error is different?

  • Public Interface not responding after second node is started in the cluster

    Hi
    Has anyone ever experienced the public interface not responding between nodes in the cluster (ping, ssh, scp) after the second node's nodeapps are started in the cluster?
    This is a new install, so all I have installed so far is the base release of CRS 10.2.0. This is on Solaris 10. The vipca failed during the installation; however, I was able to proceed and manually add the nodeapps using srvctl add nodeapps -n -o -A.
    It seems that after the second node is started I lose all connectivity to the public interfaces and to my default gateway.
    Also I'm getting the following messages sometimes after I try and stop the nodeapps and start them back up.
    CRS-1006: No more members to consider
    CRS-0215: Could not start resource 'ora.node1.vip'.
    Any suggestions on where I should start troubleshooting?
    Thanks

    Do you have a default GW?
    It can connect to the GW, can't it?
    Check Metalink:
    CRS-0215: Could not start resource 'ora..vip' [ID 356535.1]
    CRS-1006: No more members to consider when starting service [ID 465364.1]
    Good Luck

  • Possibility of adding the 3rd interface as a 2nd Public interface?

    Is it possible, with VPN 3030, to configure the 3rd interface (which is labeled as "External" and, is usually used for "management", I assume) as another Public interface? So that two different kinds of VPN connections can be physically separated....
    Any help and pointers will be much appreciated! -Bill

    Hi Aamir,
    I am having a problem understanding the use of the External interface of the VPN3000.
    Does it mean I can have a VPN3000 with two providers? Public interface terminates to ISP 1 and External interface terminates to ISP 2?
    Regarding the routing (only one default gateway), does it mean the following traffic flow?
    1. Incoming traffic from ISP 1 will go to the Public interface and outgoing traffic will go through the same Public interface.
    2. Incoming traffic from ISP 2 will go to the External interface, but outgoing traffic will go through the Public interface.
    Thanks,
    Engel

  • ASA5505 SOHO public ip range and nat head ache

    Hello
    Can anyone shed some light on a problem I'm having? We have set up an ASA 5505 with an ISP called Zen that allocates you a subnet of public IP addresses. I have successfully set up the ASA to access the internet using NAT on the outside interface. We would like to use the other IP addresses in the range for other services but I cannot think how I can do this/configure this.
    LAN > ASA5505 > VDSL Modem > ISP
    the range they have given us is
    Number of IP addresses: 8
    IP addresses: XX.XX.XXX.40 - XX.XX.XXX.47
    Subnet mask: 255.255.255.248
    Subnet in slash notation: XX.XX.XXX.40 /29
    Network address: XX.XX.XXX.40
    XX.XX.XXX.41
    XX.XX.XXX.42
    XX.XX.XXX.43
    XX.XX.XXX.44
    XX.XX.XXX.45
    XX.XX.XXX.46 Router
    Broadcast address: XX.XX.XXX.47
    Router address: XX.XX.XXX.46
    I have set up XX.XX.XXX.46 on the outside interface and hosts inside can access the net, and NAT from the internet to internal devices all works.
    We have a VDSL modem connected to the outside interface and using PPPoE we dynamically get the XX.XX.XXX.46/32 address.
    Is there any way I can use the other spare addresses? I do see how I can use them. I have done a lot of browsing and the only way I see that other people have been able to do this is using a layer 3 device and using ip unnumbered on the external interface pointing to a loopback.
    any info or advice would be gratefully received.
    regards
    C.

    Hello
    the version is Cisco Adaptive Security Appliance Software Version 9.2(2)4
    Debugging ICMP I see pings to the .46 address; however, I see no pings/traffic received on the ASA for the other addresses. How does Zen know to route the xx.xx.xx.41 to .45 IP addresses to the firewall using the .46 address?
    the nat rules i have are
    nat (Vlan200_Int,Outside_Dirty_Int) dynamic interface < this works for lan access to the internet
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp www 65100
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp https 65101
    access-list Outside_Dirty_Network_access_in extended permit tcp object Click_PC object ESXi object-group DM_INLINE_TCP_7
    object-group service DM_INLINE_TCP_7 tcp
    port-object eq 902
    port-object eq www
    port-object eq https
    thanks for the help

  • Cisco 1841 with 2 public WAN IP's and NAT

    OK currently the network is setup as follows:
    Zyxel SHDSL Router --> Linksys Router --> 10/100 Switch --> PC's
    x.x.x.145/28__________x.x.x.146/28____________________192.168.1.0/24
    The Linksys router is running inbound one-to-many PAT (eg. x.x.x.146:80 --> 192.168.1.10:8080)
    I'm looking to replace the setup with a Cisco 1841 router. Now normally I would configure the DSL interface as unnumbered to the internal LAN interface and use my public IP addys on this segment, then pass through a PIX to NAT into private IP addys.
    The problem I have is I want the 1841 to be an all-in-one box performing DSL, firewall and NAT functions.
    Now I thought I would configure the DSL as unnumbered to FastEthernet0/0, adding a secondary IP address of x.x.x.146/28. Interface configured as NAT outside.
    Interface FastEthernet0/1 was configured with 192.168.1.1/24 with NAT inside and connected to the switch.
    The problem was that the FastEthernet0/0 interface line protocol was down as there was no need to connect it to anything.
    I then tried assigning the dialer interface a static IP of x.x.x.145/28 and x.x.x.146/28 as a secondary IP running NAT outside. I tried again but during boot-up the router said you can't assign a secondary IP to the dialer interface.
    So my question is, how would you recommend setting up the interfaces to enable the router to have both x.x.x.145 and .146/28 as public IPs and NAT x.x.x.146:80 to 192.168.1.10:8080?
    Any help much appreciated.

    Answers:
    1) DSL is terminating in the 1841 on a SHDSL WIC
    2) No
    3) IP is negotiated
    4) Below is a config which I believe should work. Any recommended amendments?
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname trackgw
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    !
    username cisco privilege 15 secret xxx
    !
    controller DSL 0/0/0
     mode atm
     line-term cpe
     dsl-mode SHDSL symmetric annex B
     line-rate AUTO
    !
    interface FastEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     duplex auto
     speed auto
    !
    interface ATM0/0/0
     no atm ilmi-keepalive
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    !
    interface Dialer1
     ip address negotiated
     ip nat outside
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname username
     ppp chap password 0 password
     ppp ipcp dns request
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    ip http server
    ip http authentication local
    ip nat inside source list nat-acl interface Dialer1 overload
    ip nat inside source static tcp 192.168.1.10 8080 x.x.x.146 80
    !
    ip access-list extended nat-acl
     permit ip 192.168.1.0 0.0.0.255 any
    !
    dialer-list 1 protocol ip permit
    no cdp run
    !
    control-plane
    !
    line con 0
     logging synchronous
     login local
     transport output all
    line aux 0
     transport output all
    line vty 0 4
     privilege level 15
     login local
     transport input telnet
    !
    scheduler max-task-time 5000
    end

  • Remote Access VPN and NAT inside interface

    Hi everyone,
    I have configured Remote VPN access.
    The inside interface and the VPN pool are both in the 10.0.0.0 subnet.
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Also i have ASA inside interface connected to R1 as below
    R1 ---10.0.0.2------------inside int  IP 10.0.0.1--------ASA
    R1 has loopback int 192.168.50.1 and ASA has static route to it.
    When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
    This ping works fine.
    Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user                                                                                        )
    Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
    I need to understand how this ping works without exempting 192.168.50.0 from NATting,
    or
    how does NAT work for the above ping from the 10.0.0.52 VPN user PC IP to the loopback interface of R1?
    Regards
    Mahesh

    Hi Jouni,
    IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
    Letting you know that I have removed the NAT config below from the inside to outside interface.
    The ASA inside interface had NAT exempt as per the config below:
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Still ping works fine from VPN client PC to IP 192.168.50.1
    Packet tracer output
    ASA1# packet-tracer input outside  icmp 10.0.0.52 8 0 192.168.50.1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.50.1    255.255.255.255 inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip any host 192.168.50.1 log
    access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: DROP
    Config:
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I can ping from PC command prompt to IP 192.168.50.1 fine.
    Here is second packet tracer
    ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 18033, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    So the question is: how is ping from outside working without a NAT exempt from inside to outside?
    So does the second packet tracer prove that I have no NAT config from loopback to outside, and that ping works because I have NO NAT configured?
    Regards
    Mahesh
    Message was edited by: mahesh parmar
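    The `packet-tracer` output format above is easy to triage by hand once, but tedious across many traces. A small parser for it, added here as an example (not code from the thread or from Cisco): it splits the phases, keeps each phase's Config and Additional Information lines, and reports the first phase that did not ALLOW together with the final action and drop reason. The sample trace embedded in it is constructed from the phase types, interface names and drop reason that appear in the posts above.

```python
"""Parse Cisco ASA `packet-tracer` output into phases and a verdict.

Added example, not from the original thread. SAMPLE_DROP_TRACE is a
constructed, trimmed outside->inside trace built from the phase names and
drop reason seen in the posts.
"""
import re
from dataclasses import dataclass, field

SAMPLE_DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.50.0    255.255.255.0   inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
Additional Information:
Phase: 3
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list
    action: str          # final "Action:" value (allow/drop)
    drop_reason: str     # final "Drop-reason:" value, empty when allowed
    interfaces: dict     # input-/output-interface and status fields

    def failing_phase(self):
        """First phase whose Result is not ALLOW, or None if all passed."""
        for p in self.phases:
            if p.result and p.result != "ALLOW":
                return p
        return None


def parse_packet_tracer(text):
    phases, interfaces = [], {}
    current, section = None, None     # section is "config" or "info" inside a phase
    action = drop_reason = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":          # bare "Result:" opens the final summary block
            current, section = None, None
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if current is not None:
            if key == "Type":
                current.type = value
            elif key == "Subtype":
                current.subtype = value
            elif key == "Result":
                current.result = value
            elif key == "Config":
                section = "config"
            elif key == "Additional Information":
                section = "info"
            elif section == "config":
                current.config.append(line)
            elif section == "info":
                current.info.append(line)
        elif key == "Action":
            action = value
        elif key == "Drop-reason":
            drop_reason = value
        elif key.endswith("interface") or key.endswith("status"):
            interfaces[key] = value
    return Trace(phases, action, drop_reason, interfaces)
```

    Running `parse_packet_tracer(SAMPLE_DROP_TRACE).failing_phase()` points at phase 3 (VPN / ipsec-tunnel-flow), which is the phase to look at in the first trace above rather than the ACCESS-LIST phase that the drop reason's "acl-drop" wording suggests.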

  • Track public classes, interfaces and methods by ID

    Hi All,
    I'm wondering whether there is a tool to assign a unique ID to classes, interfaces and methods (e.g. within Javadoc) and track these IDs.
    The reason I'd need such a feature is that I'd like to do requirements tracking in an easy but complete way. I have a document containing functional specifications (with IDs) and on the other side there is the source code, where the Javadoc of the public methods and classes is my software specification. What I now want to do is make a link between the IDs in the functional spec and the IDs in the software spec (i.e. the source code).
    Does anybody know of such a tool (commercial or not)?
    Thanks,
    Daniel

    I'm a bit confused as to whether or not I understand you correctly. Please tell me if the following pseudocode is somewhat like the solution you are looking for:
    import java.util.List;
    import java.util.Map;

    class MethodFunctionality {
       private Class<?> methodClass;
       private String methodSignature;
       // IDs of the functional requirements this method claims to cover
       private List<Integer> methodFunctions;

       /**
        *   Returns true if the method is used for the specified
        *   requirement, false otherwise.
        */
       public boolean fulfills(int requirementId) {
          return methodFunctions.contains(requirementId);
       }

       public String getMethodSignature() {
          return this.methodSignature;
       }

       public Class<?> getMethodClass() {
          return this.methodClass;
       }

       /**
        *   Returns an array with IDs of each functional
        *   requirement covered by the method.
        */
       public int[] getCoverage() {
          return methodFunctions.stream().mapToInt(Integer::intValue).toArray();
       }
    }

    class ClassFunctionality {
       // method signature -> details of that method
       private Map<String, MethodFunctionality> methodDetails;
       // IDs of the functional requirements the class as a whole covers
       private List<Integer> classFunctions;

       public MethodFunctionality getMethodDetails(String methodSignature) {
          return this.methodDetails.get(methodSignature);
       }

       /**
        *   Returns true if the class is used for the specified
        *   requirement, false otherwise.
        */
       public boolean fulfills(int requirementId) {
          return classFunctions.contains(requirementId);
       }

       /**
        *   Returns an array with IDs of each functional
        *   requirement covered by the class.
        */
       public int[] getCoverage() {
          return classFunctions.stream().mapToInt(Integer::intValue).toArray();
       }
    }
    Mapping classes and methods to functionality like this would both allow you to query each class and method for all the functional requirements they claim to cover and would allow you to collect all classes and methods involved for a particular functional requirement.

  • Exception Declaration and the Public Interface

    What is the connection between a method, exception declaration (throw) and public interface? Does every method have an implicit public interface? Is the list of thrown exceptions part of a method's public interface?

    sagararya wrote:
    So, how do we know that some method throws an exception that we have to catch?
    Via the throws clause.
    [http://java.sun.com/docs/books/tutorial/essential/exceptions/index.html]
    Just as a method must specify what type and how many arguments it accepts and
    what is returned, the exceptions that a method can throw must be declared (unless the
    exceptions are subclasses of RuntimeException). Also those that are subclasses of Error need not be declared.
    The list of thrown exceptions is part of a method's public interface.
    Ah, now I see what you mean. Where did you read that? I don't recall having ever heard the phrase "public interface" used like that.
    The above paragraph is from the book Osborne_Java, written by James Kussow. Ok.
    Can anybody explain to me the 4th line in the above paragraph, starting from "The list of thrown exceptions ... "
    The list of thrown exceptions is part of a method's public interface.
    The throws keyword is used as follows to list the exceptions that a method can throw:
    What part do you not understand? Read the tutorial I linked, and if something is still not clear, ask your specific question.
    Personally I think the phrase "public interface" is misleading here. If that's what you're hung up on, don't be. It doesn't mean "public" in the sense of Java's "public" access modifier. It just means the list of exceptions is part of what callers of the method know about it.
    EDIT: Oops. Too late.
    Edited by: jverd on Jun 25, 2008 8:31 AM

  • Guest Public Network behind 10.4 Server running DHCP and NAT

    I am wondering if it is possible to use APE's guest networking capabilities while still using OS 10.4 server and my DHCP and NAT servers? Is there a way to set the Airport to run its own DHCP NAT and have everything routed correctly?
    Or do I still need to use two separate Airports in order to have a public and private network at my home.

    I figured it out. I just decided to run a double NAT configuration.

  • ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP

    Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is.  My guess right now is that it has something to do with dynamic PAT.
    Essentially, I have a block of 5 static public IPs.  I have 1 assigned to the interface and am using another for email/webmail.  I have no problems accessing the internet, receiving emails, etc...  The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT.  I would really appreciate it if anyone could help shed some light as to why this is happening for me.  I always thought a static NAT should take precedence in the order of things.
    Recap:
    IP 1 -- 10.10.10.78 is assigned to outside interface.  Dynamic PAT for all network objects to use this address when going out.
    IP 2 -- 10.10.10.74 is assigned through static NAT to the email server.  The email server should respond to and send out using this IP address.
    Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
    Thanks in advance for anyone that reads this and can lend a hand.
    - Justin
    Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
    ASA Version 8.4(3)
    hostname MYHOSTNAME
    domain-name MYDOMAIN.COM
    enable password msTsgJ6BvY68//T7 encrypted
    passwd msTsgJ6BvY68//T7 encrypted
    names
    interface Ethernet0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 10.10.10.78 255.255.255.248
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name MYDOMAIN.COM
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network inside-network
    subnet 192.168.2.0 255.255.255.0
    object network Email
    host 192.168.2.7
    object network Webmail
    host 192.168.2.16
    object network WebmailSecure
    host 192.168.2.16
    access-list inside_access_out extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
    access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
    access-list outside_access_in extended deny icmp any any
    access-list outside_access_in extended permit tcp any object Email eq smtp
    access-list outside_access_in extended permit tcp any object Webmail eq www
    access-list outside_access_in extended permit tcp any object WebmailSecure eq https
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Email
    nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
    object network Webmail
    nat (inside,outside) static 10.10.10.74 service tcp www www
    object network WebmailSecure
    nat (inside,outside) static 10.10.10.74 service tcp https https
    access-group outside_access_in in interface outside
    access-group inside_access_out out interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server MYDOMAIN protocol kerberos
    aaa-server MYDOMAIN (inside) host 192.168.2.8
    kerberos-realm MYDOMAIN.COM
    aaa-server MYDOMAIN (inside) host 192.168.2.9
    kerberos-realm MYDOMAIN.COM
    aaa-server MY-LDAP protocol ldap
    aaa-server MY-LDAP (inside) host 192.168.2.8
    ldap-base-dn DC=MYDOMAIN,DC=com
    ldap-group-base-dn DC=MYDOMAIN,DC=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
    server-type microsoft
    aaa-server MY-LDAP (inside) host 192.168.2.9
    ldap-base-dn DC=MYDOMAIN,DC=com
    ldap-group-base-dn DC=MYDOMAIN,DC=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
    server-type microsoft
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.2.0 255.255.255.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    email [email protected]
    subject-name CN=MYHOSTNAME
    ip-address 10.10.10.78
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate e633854f
        30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
        0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
        2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
        f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
        4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
        355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
        2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
        f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
        4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
        aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
        f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
        0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
        78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
        03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
        0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
        0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
        02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
        d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
        e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
        5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
        781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 enable inside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 20
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 192.168.2.8 source inside prefer
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    enable inside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
    anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    group-policy GroupPolicy_VPN internal
    group-policy GroupPolicy_VPN attributes
    wins-server value 192.168.2.8 192.168.2.9
    dns-server value 192.168.2.8 192.168.2.9
    vpn-filter value VPN_Split_Tunnel_List
    vpn-tunnel-protocol ikev2 ssl-client
    group-lock value VPN
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Split_Tunnel_List
    default-domain value MYDOMAIN.COM
    webvpn
      anyconnect profiles value VPN_client_profile type user
    group-policy GroupPolicy-VPN-LAPTOP internal
    group-policy GroupPolicy-VPN-LAPTOP attributes
    wins-server value 192.168.2.8 192.168.2.9
    dns-server value 192.168.2.8 192.168.2.9
    vpn-filter value VPN_Split_Tunnel_List
    vpn-tunnel-protocol ikev2
    group-lock value VPN-LAPTOP
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Split_Tunnel_List
    default-domain value MYDOMAIN.COM
    webvpn
      anyconnect profiles value VPN_client_profile type user
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    authentication-server-group MYDOMAIN
    default-group-policy GroupPolicy_VPN
    dhcp-server 192.168.2.8
    dhcp-server 192.168.2.9
    dhcp-server 192.168.2.10
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    tunnel-group VPN-LAPTOP type remote-access
    tunnel-group VPN-LAPTOP general-attributes
    authentication-server-group MY-LDAP
    default-group-policy GroupPolicy-VPN-LAPTOP
    dhcp-server 192.168.2.8
    dhcp-server 192.168.2.9
    dhcp-server 192.168.2.10
    tunnel-group VPN-LAPTOP webvpn-attributes
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    class class-default
      user-statistics accounting
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:951faceacf912d432fc228ecfcdffd3f

    Hi,
    As per your config:
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Email
    nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
    object network Webmail
    nat (inside,outside) static 10.10.10.74 service tcp www www
    object network WebmailSecure
    nat (inside,outside) static 10.10.10.74 service tcp https https
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network inside-network
    subnet 192.168.2.0 255.255.255.0
    object network Email
    host 192.168.2.7
    object network Webmail
    host 192.168.2.16
    object network WebmailSecure
    host 192.168.2.16
    The flows from the email server (192.168.2.7) will be NATed to 10.10.10.74 only if the source port is TCP/25. Any other source port will use the interface IP for NAT.
    Are you saying that this is not happening?
    Dan
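    Dan's point is the whole answer: the `service tcp smtp smtp` clause on the Email object's static rule restricts the rule to flows whose real source port is 25, and a connection the mail server opens itself has an ephemeral source port, so it falls through to the `dynamic interface` rule and leaves as 10.10.10.78. The following model of the ASA's section-2 (object NAT) rule selection is an added example, not code from the thread or from Cisco; it takes the object names and addresses from the posted config, implements only the documented order for single-host and any-subnet objects, and leaves out the section-1 identity rule (which only affects inside-to-inside destinations). It goes one step beyond the thread by also evaluating a hypothetical Email rule without the service clause, purely to show that the port restriction is what changes the outcome; whether such a rule could coexist with the Webmail port statics on the same mapped address is not something the thread settles.

```python
"""Model of how an ASA (8.3+) chooses an object (auto) NAT rule for a flow
leaving the inside interface.

Added example, not from the thread. Implements the section-2 order (static
rules before dynamic, fewer real addresses first, then object name) for
single-host and any-subnet objects only; the section-1 identity rule from
the posted config is omitted. Addresses and object names are the posted ones.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

INTERFACE_IP = "10.10.10.78"   # outside interface; target of `dynamic interface`


@dataclass(frozen=True)
class AutoNatRule:
    obj: str                                   # object network name
    real: str                                  # real host address, or "any" for 0.0.0.0/0
    mapped: str                                # mapped address, or "interface"
    static: bool
    service: Optional[Tuple[str, int]] = None  # (proto, real port) when `service` is given


def _order(rule: AutoNatRule):
    # Section-2 ordering: static first, then more specific real object, then name.
    return (0 if rule.static else 1, 1 if rule.real == "any" else 0, rule.obj)


def lookup_outbound(rules, src_ip, proto, src_port):
    """Return (mapped source IP, matching object name) for an inside->outside
    flow, or None when nothing matches."""
    for rule in sorted(rules, key=_order):
        if rule.real != "any" and rule.real != src_ip:
            continue
        # A `service` clause also requires the real (source) port to match, so a
        # connection the host opens from an ephemeral port skips this rule.
        if rule.service is not None and rule.service != (proto, src_port):
            continue
        mapped = INTERFACE_IP if rule.mapped == "interface" else rule.mapped
        return (mapped, rule.obj)
    return None


# Section-2 rules exactly as posted.
POSTED_RULES = [
    AutoNatRule("obj_any", "any", "interface", static=False),
    AutoNatRule("Email", "192.168.2.7", "10.10.10.74", static=True, service=("tcp", 25)),
    AutoNatRule("Webmail", "192.168.2.16", "10.10.10.74", static=True, service=("tcp", 80)),
    AutoNatRule("WebmailSecure", "192.168.2.16", "10.10.10.74", static=True, service=("tcp", 443)),
]

# Hypothetical variant (not in the thread): the Email rule without a service
# clause, to isolate the effect of the port restriction.
NO_SERVICE_RULES = [r for r in POSTED_RULES if r.obj != "Email"] + [
    AutoNatRule("Email", "192.168.2.7", "10.10.10.74", static=True),
]


def smtp_source_seen_by_remote_mx(rules, src_port=51234):
    """Mapped address a remote mail server sees when 192.168.2.7 opens an
    outbound SMTP connection; 51234 is a constructed ephemeral source port."""
    return lookup_outbound(rules, "192.168.2.7", "tcp", src_port)[0]


if __name__ == "__main__":
    for rules, label in ((POSTED_RULES, "as posted"), (NO_SERVICE_RULES, "no service clause")):
        print(f"{label}: outbound SMTP from 192.168.2.7 appears as {smtp_source_seen_by_remote_mx(rules)}")
```

    Inbound SMTP to 10.10.10.74:25 still reaches 192.168.2.7 and its replies go back from .74 because they ride the existing translation; only connections the server initiates take the interface PAT path, which is exactly the symptom Justin describes.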

  • Public LAN and WAN Addresses

    Hi Guys
    I am slightly confused about public LAN and WAN IPs. We have a circuit that was installed a few months ago as a backup failover, but we now want to start using it, so I phoned my ISP for the public range for that circuit.
    Now our internal IP subnet is 192.168.150.xx.
    I was expecting the ISP to provide me with one public range, maybe a /30, so I can assign a public IP to my router's external interface and PAT to that address.
    The ISP instead gave me a public LAN and WAN address range, both of which are public IPs. Can anyone explain what these are and where in my type of network they will fit in?
    Thanks

    As Peter says, it is worth talking to your ISP, but LAN addresses are usually simply another public IP block you are free to use however you want.
    You don't have to use them and you certainly don't need to allocate them to physical devices on your LAN. The ISP doesn't really care how you use them either; they will simply route traffic to those addresses to your edge device (see below for more details).
    They can be useful if you host a lot of servers/applications accessible from the internet, for example.
    It does depend on the devices you have, i.e.
    LAN -> firewall -> ISP router
    In the above you use the WAN addressing for the link between the firewall and the ISP router, and then you can just use the LAN address range for NAT on your firewall. None of the LAN IPs need to be actually assigned to any interface.
    LAN -> firewall -> router -> ISP router
    Here you have your own router on the outside of the firewall. The WAN addressing would be used between your router and the ISP router. The LAN addressing would be used for the firewall-to-router connection, and any spare IPs can be used for NAT (usually done on the firewall).
    Note that usually the LAN addressing is a larger subnet than the WAN addressing and as you say the WAN addressing is usually a /30.  So the ISP uses one of the IPs from the WAN range and you use the other.
    If you have been allocated LAN addresses then the ISP will route traffic to these addresses to the WAN IP you have used so make sure you use the WAN IP on either -
    a) in the first example above the outside interface of your firewall
    or
    b) in the second example above the outside interface of your router, the one connecting to the ISP router.
    Hope that makes sense.
    Jon
