8.2 to 8.3 static nat question

So, in 8.2 If I had an inside interface at 10.10.10.1 and an mpls interface (sec-100) at 10.20.20.1, and I wanted traffic to traverse between the two to interfaces, I could write the following statement:
static (inside,mpls) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
What would this look like in 8.3?
Thanks!

Hi,
In the 8.3+ software levels you dont need any NAT configuration between 2 interfaces if you dont need to specifically NAT something.
If you have a Dynamic PAT configuration from "inside" to "mpls" that contains the networks behind "inside" as the source address then in this situation you would need another NAT configuration to enable communication from the "mpls" to "inside". (to enable bidirectional connection forming that is)
If there is no NAT configuration between "inside" and "mpls" at the moment then you wont need any NAT configuration. You will just have to make sure the traffic is allowed in the interface ACL. If your have equal "security-level" between the interfaces then you will have to make sure you have "same-security-traffic permit inter-interface" also configured
- Jouni

Similar Messages

  • Static NAT Question - Public to Inside ASA 9.1x

    Hi All.. I'm having  hard time wrapping my head around the post 8.2 nat statements, please help.
    I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses (this is a video streaming relay server).  It also need to be able to push the stream to a specific IP address as well.  I can do identity nat, and it'll go out and I see it's using IP, but obviously traffic doesn't get in... I can use sample web server nat's I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:
    Remote Public IP's: 77.88.99.11
    Local Public IP: 12.12.12.1
    Ports required:
    object-group service srvgp-stream-remote
     service-object tcp destination eq www
     service-object tcp destination eq https
     service-object tcp destionation eq 8088
     service-object tcp destination eq 1935
     service-object udp destination range 6970 9999
     service-object udp destination range 30000 65000
     service-object udp destination eq 554
    I can get this to work:
    object network server-external-ip
     host 12.12.12.1
    object network webserver
     host 192.168.1.100
     nat (dmz,outside) static server-external-ip service tcp 8088 8088
    access-list acl-outside extended permit tcp host 77.88.99.11 object AngelEye eq 8088
    But again, I have no idea how I would do such a thing with a list of required ports? I don't see that's an option in the syntax.  Additionally, would this  provide an 'identity nat' in case the server had to send info out to the public ip via these same ports or do you require a seperate identity nat to do this to the same public ip addresses?
    Any help is greatly appreciated.

    With that many ports, you should use the public IP exclusively for the Webserver:
    object network webserver
    host 192.168.1.100
    nat (dmz,outside) static server-external-ip
    If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:
    nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote

  • Static-nat and vpn tunnel bound traffic from same private address?

    Hi guys,
    I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
    For this local host @192.168.0.250, I also have a static one-to-one private to public.
    static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
    As you can see, IPSec SA shows end-points in question and traffic is being decrypted but not encrypted host traffic never enter into the tunnel, why?
    How can I resolve this problem, without complicating the setup ?
    BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
    Phase: 1
    Type: CAPTURE
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside-50
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.0.0     255.255.255.0   mgmt-192
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group mgmt_intf in interface mgmt-192
    access-list mgmt_intf extended permit icmp any any 
    access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT-EXEMPT
    Subtype: 
    Result: ALLOW
    Config:
    nat-control
      match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
        NAT exempt
        translate_hits = 5, untranslate_hits = 0
    Additional Information:
    Phase: 9
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255 
    nat-control
      match ip mgmt-192 host 192.168.0.250 outside-50 any
        static translation to 216.9.50.250
        translate_hits = 25508, untranslate_hits = 7689
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
    nat-control
      match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
        static translation to 192.168.0.0
        translate_hits = 28867754, untranslate_hits = 29774713
    Additional Information:
    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 12
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1623623685, packet dispatched to next module
    Result:
    input-interface: mgmt-192
    input-status: up
    input-line-status: up
    output-interface: outside-50
    output-status: up
    output-line-status: up
    Action: allow
    BurlingtonASA1# 
    Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
          access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3 
          local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
          remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
          current_peer: 216.9.62.4
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 37CA63F1
          current inbound spi : 461C843C
        inbound esp sas:
          spi: 0x461C843C (1176273980)
             transform: esp-aes-256 esp-sha-hmac no compression 
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 77398016, crypto-map: map1
             sa timing: remaining key lifetime (kB/sec): (3914997/25972)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap: 
              0x003FFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x37CA63F1 (936010737)
             transform: esp-aes-256 esp-sha-hmac no compression 
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 77398016, crypto-map: map1
             sa timing: remaining key lifetime (kB/sec): (3915000/25972)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap: 
              0x00000000 0x00000001

    Hi
    intersting VPN ACL
    object-group network DM_INLINE_NETWORK_18
         network-object YYY.YYY.YYY.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_22
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
    Static NAT
    static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
    No NAT
    object-group network DM_INLINE_NETWORK_20
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
    VPN CLient Pool
    No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
    I hope this helps
    Thanks

  • NAT 8.6 multiple subnets in a single static NAT

    Hello all, I have this question, probably pretty an easy to answer, but unfortunately I can't test it myself in a production environment right now.
    Do you know if is possible to have in ASA 8.6 a Static NAT rule with multiple subnets in both object groups. I currently have one to one subnet translation, but I need to add another two subnets.
    Today's configuration is this
    *** FROM ONE SUBNET TO ANOTHER ***
    object-group network REGIONAL-SOURCE
    network-object 10.1.1.0 255.255.255.0
    object-group network REGIONAL-NAT
    network-object 10.1.201.0 255.255.255.0
    nat (Outside,Inside) after-auto source static REGIONAL-SOURCE REGIONAL-NAT dns
    What I need to accomplish is add two new subnets, but I want to see if is possible to do it using the same NAT rule, just adding the new 2 subnets.
    10.1.2.0/24 natted to 10.1.202.0 255.255.255.0
    10.1.3.0/24 natted to 10.1.203.0 255.255.255.0
    *** TWO MORE SUBNETS ARE NEEDED ***
    object-group network REGIONAL-SOURCE
    network-object 10.1.2.0 255.255.255.0
    network-object 10.1.3.0 255.255.255.0
    object-group network REGIONAL-NAT
    network-object 10.1.202.0 255.255.255.0
    network-object 10.1.203.0 255.255.255.0
    If this is not possible I understand separate objects should be created with individual nat, I appreciate your comments and help.

    Hi,
    This should be no problem. It should work as you have thought.
    I tested the configurations on my own ASA
    object-group network REGIONAL-SOURCE
    network-object 10.1.1.0 255.255.255.0
    network-object 10.1.2.0 255.255.255.0
    network-object 10.1.3.0 255.255.255.0
    object-group network REGIONAL-NAT
    network-object 10.1.201.0 255.255.255.0
    network-object 10.1.202.0 255.255.255.0
    network-object 10.1.203.0 255.255.255.0
    nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
    Here at the results of the "packet-tracer" to show the translations
    ASA(config)# packet-tracer input LAN tcp 10.1.1.100 12345 7.7.7.7 80
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
    Additional Information:
    Static translate 10.1.1.100/12345 to 10.1.201.100/12345
    ASA(config)# packet-tracer input LAN tcp 10.1.2.100 12345 7.7.7.7 80
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
    Additional Information:
    Static translate 10.1.2.100/12345 to 10.1.202.100/12345
    ASA(config)# packet-tracer input LAN tcp 10.1.3.100 12345 7.7.7.7 80
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
    Additional Information:
    Static translate 10.1.3.100/12345 to 10.1.203.100/12345
    As you can see, everything is fine
    Naturally take into consideration the fact that if you were to (for some reason) remove a "network-object" statement from some "object-group" then the operation of the "nat" would change even if you entered the removed "network-object" back. (unless you removed the last "network-object" inside the "object-group") This is because the order of the "network-object" inside the "object-group" would change. You would essentially have to recreate the "object-group" and "nat" configuration.
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • DMZ static nat!

    Hi Experts,
    I believe this everyone is doing OK and getting along with your are doing? I have this funny scenario that happened on ASA 8.4 I configured recently for DMZ static nat. See the topology attached.
    I did configure the inside with a PAT
    object network INSIDE
       subnet 192.168.200.0 255.255.255.0
       nat (inside,outside) dynamic interface
    That is working perfectly for inside to outside, So i have this server on the dmz, some edge mail server for the client that is meant for the outside world to reach. Sure enough I was happy that with the ASA 8.4 software that doing DMZ static nat I don't have to do with ACL to allow access anymore I mean I thought that has been depricated on the 8.3 and higher release.
    I went on configuring the DMZ static nat like this
    object network DMZ_MAILEDGE_SERVER
    host 172.16.1.2
    object network DMZ_GLOBAL
    host 1.1.1.2
    object network DMZ_MAILEDGE_SERVER
    nat (dmz,any) static DMZ_GLOBAL
    I was happy that finally i get to feel what the new dmz config on 8.4 should feel like.....I tried pinging my dmz server from outside, no joys at all. Did all i could to do even had to cross check the internet for config samples, everything looked good. Still no joys.
    Then i though of creating an access list to permit ip from the OUTSIDE interface to the DMZ, like so,
    access-list outside_access_in extended permit ip any object DMZ_MAILEDGE_SERVER
    Then did my pings started going through for me to reach the server.
    I don't know it feels all weird to me, since i was expecting configs 1 and 2 to get things going for me on software 8.4 not until i had to add config 3.
    Please someone should tell me I am getting it all wrong and let me know what i did wrongly!
    Thanks
    Teddy
    OK i know the first part of the situation is solved and I'm grateful to Jouni who elaborated me on it. But I have yet another pending situation that I could use a help here and really wouldn't mind been told this is where i got it all wrong.
    So finally I could reach the Server on the DMZ from outside via the static nat. Yay!!! But I have some services that needs to be reached on the mailserver on the DMZ side of the network.
    Services like:
      dns 53, 193
      smtp 25
    My question is, do i place the access list to permit these service from outside to dmz like this below ?
    access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix
    access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
    access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
                                                                      OR THIS
    access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix
    access-list outside_access_dmz extended permit udp any eq domain object DMZ_MAILEDGE_SERVER eq domain
    access-list outside_access_dmz extended permit tcp any eq smtp object DMZ_MAILEDGE_SERVER eq smtp
    Which direction would be more appropriate to go via?
    Also from the front end mail server, If i try to ping the internet say a domain name like www.yahoo.com, it would only resolve the name but the ping are not going thru.
    Thanks for your advice in advance.
    I say this not to undermine anybody's help, Jouni please if you see this I would also appreciate your contribution too!
    Cheers!
    Teddy

    Hi,
    The NAT configurations seem just fine but I would configure them the Static NAT a bit differently (doesnt mean you have to though)
    What I would do is simply state the public IP address in the NAT configuration rather than configure "object network" for the public IP address too
    Your configuration is
    object network DMZ_MAILEDGE_SERVER
    host 172.16.1.2
    object network DMZ_GLOBAL
    host 1.1.1.2
    object network DMZ_MAILEDGE_SERVER
    nat (dmz,any) static DMZ_GLOBAL
    My version would be
    object network DMZ_MAILEDGE_SERVER
    host 172.16.1.2
    nat (dmz,any) static 1.1.1.2
    The simple reason for me would be keeping the "object network" amount at minimum and the fact that we dont need to reference the public IP address in any ACL configurations usually.
    What you originally saw happening with the configurations 1 and 2 configured is to be expected. You will always need the configuration 3 which is the ACL to allow the traffic from the "outside".
    If the "outside" interface doesnt have any ACL configured then it relies on the "security-level" alone which should be "0". This usually means that no traffic can enter from "outside" to any other interface on the ASA because all the other interfaces are above "security-level 0" and traffic is only allowed from HIGHER -> LOWER when there is NO ACLs. So the natural step to allow this traffic is to configure ACL with the appropriate rules and attach it to the "outside" interface.
    Hope this helps
    Please remember to mark a reply as the correct answer if it has answered your question.
    Naturally ask more if your question wasnt answered.
    - Jouni

  • Static NAT with IPSec tunnel

    Hi,
    I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.  I am fairly new to networking so forgive me if I ask some really silly questions!
    I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
    There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
    From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
    So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work.  I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
    The configuration can be seen below for the NAT part;
    ! Denies vpn interesting traffic but permits all other
    ip access-list extended NAT-Traffic
    deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
    deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
    deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
    deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
    permit ip any any
    ! create route map
    route-map POLICY-NAT 10
    match ip address NAT-Traffic
    ! static nat
    ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
    Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
    Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
    Many thanks in advance
    Brian

    Hi,
    Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
    Thanks
    Brian

  • Static NAT and IPSec VPN

    This maybe stupid but may somebody help on this.
    Site A --- Internet --- Site B
    An IPSec VPN is implemented between Site A and Site B. Some "nat 0" commands are used on Site A PIX to avoid addresses being translated when communicating with site B.
    But now there is a problem, there are several public servers which have static NAT entries by "static" command. And it looks like these entry will still be valid even if the "nat 0" is presenting. And thus those inside IPs which have a static NAT, will be translated once it reaches the PIX and can not go via the VPN tunnel.
    May someone advise me how to overcome this? Thanks.

    Your question really pertains to the nat order of operations. Nat 0 (nat exemption) is first in the order. It preceeds all other including static nat. The servers you mention will absolutely be included in the nat 0 unless they are specifically denied in the nat 0 acl.

  • What is the maximun number of static NAT in ASA

    Hello everybody,
    someone know how many sessions of static nat can configure in cisco ASA ???
    thank you for you response...

    Hi,
    That question really depends....The answer is very simple thou, the amount of xlates is not limited. What really limits yourself is either PAT (Which allows 64000 xlates for each IP you use to do PAT) or the amount of connections.
    As far as Static NATs go, there is no limit. You can create as much as you want, but eventually doing a sum of all the resources  (inspections, ACLs, QoS etc) will increase the use of the memory.
    So, bottom line, you will not get an error that says, static NAT cannot be created.... you will get eventually an error related to memory.
    Mike

  • ACE and static NAT

    Hello
    I had pix+CSM on 6500. I've changed it to new ACE module on 6500.
    I've made loadbalancing which was done on CSM. Now i wanted to connect dmz which was connected to pix and make static DNAT.
    I used configuration guide/examples from: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/nat.html
    I need to make static DNAT, but i can't figure how it works. There are many errors in this document including incorrect (old?) syntax (for example: nat static 192.0.0.0 255.0.0.0 80 vlan 101)
    I analyzed three examples at the and of this document. My questions:
    1. how do i choose if it's source or destination NAT ?
    2. do i always apply service-policy to vlan interface which receives packets which should be natted ?
    3. What is class-map(it's ACL) choosing ? Incoming traffic which destination address should be changed ?
    4. is in command: "nat static A netmask netmaskA vlan B" A is outside ip address before translation to inside address ?
    5. Could anybody give me a simple example of static DNAT ? (or any links?)
    Thanx

    Destination nat is equivalent to loadbalancing to one server.
    I would therefore configure a vip being the inbound destination address, and a rserver which would be the outbound nated destination ip address.
    Then create a policy-map to link the 2 together and apply the policy-map to the incoming vlan, or you can apply it globally.
    For the reverse connections, where you then need to nat the source ip back to the 'VIP' you use the static nat config that you have found in the document.
    By the way, I don't see anything wrong with it.
    Those commands are in A1 and also the new A2 release.
    ACE is really a loadbalancer with some firewall features and not the opposite.
    This is why pure nating functions are not straightfoward to configure.
    Gilles.

  • NATTing Question version 9.x

    Hello,
    I have two external ISP interfaces and need help with some nat questions.
    I have a webserver that I wish to advertise out both interfaces.
    The issue I'm having is exactly how to do it on the ASA with version 9.x code
    ISP 1:  9.9.9.0
    ISP 2: 8.8.8.0
    object network webserver
    host 7.7.7.7
    nat (dmz,isp1) static 9.9.9.9
    nat (dmz,isp2) static 8.8.8.8
    I can't seem to get this working. I'm new to this code but the old code was so much easier with this....

    Hi,
    You wont be able to configure the Static NAT towards both ISP with a single NAT configuration. More specifically, you wont be able to configure 2 NAT statements under the same "object network"
    You should configure it like this
    object network WEBSERVER-ISP1
    host 7.7.7.7
    nat (dmz,isp1) static 9.9.9.9
    object network WEBSERVER-ISP2
    host 7.7.7.7
    nat (dmz,isp2) static 8.8.8.8
    If you want to read a bit about the new NAT format that was introduced from 8.3 onwards then you could have a look at a document I wrote here on the CSC
    https://supportforums.cisco.com/docs/DOC-31116
    Here is also another great document for someone that knows the old format but wants to know the corresponding new format
    https://supportforums.cisco.com/docs/DOC-9129
    I agree that the old NAT configuration format in some situations was a lot simpler and you potentially created a lot simpler configuration. In larger environments and more special setups I do think that the new NAT configuration format is far more simpler/safer to configure and provides more flexibility. There are some issues with it that I still dont have clear answer to but for the most part it seems to work just fine.
    Hope this helps
    - Jouni

  • DMZ static nat Pt II

    OK i know the first part of the situation is solved and I'm grateful to Jouni who elaborated me on it. But I have yet another pending situation that I could use a help here and really wouldn't mind been told this is where i got it all wrong.
    So finally I could reach the Server on the DMZ from outside via the static nat. Yay!!! But I have some services that needs to be reached on the mailserver on the DMZ side of the network.
    Services like:
      dns 53, 193
      smtp 25
    My question is, do i place the access list to permit these service from outside to dmz like this below ?
    access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix
    access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
    access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
                                                                      OR THIS
    access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix
    access-list outside_access_dmz extended permit udp any eq domain object DMZ_MAILEDGE_SERVER eq domain
    access-list outside_access_dmz extended permit tcp any eq smtp object DMZ_MAILEDGE_SERVER eq smtp
    Which direction would be more appropriate to go via? I have done both ways but no result.
    Also from the front end mail server, If i try to ping the internet say a domain name like www.yahoo.com, it would only resolve the name but the ping are not going thru.
    Thanks for your advice in advance.
    I say this not to undermine anybody's help, Jouni please if you see this I would also appreciate your contribution too!
    Cheers!
    Teddy

    Hi,
    If you are allowing traffic from the Internet then you will be using the ACL that is attached to the "outside" interface in the direction "in"
    So I would presume in your case the ACL to use would be this
    access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix
    access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
    access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
    To confirm we could use "show run access-group" command and check its output to make sure we are using the correct ACL.
    I would imagine you have atleast the following in the output
    access-group outside_access_in in interface outside
    If you cant ICMP from the DMZ server to the Internet then I would suggest testing it with "packet-tracer" command
    packet-tracer input dmz icmp 172.16.1.2 8 0 8.8.8.8
    Also the very basic configurations to add if not yet added would be
    policy-map global_policy
    class inspection_default
      inspect icmp error
      inspect icmp
    Enabling the ICMP Inspection allows the ASA to allow the ICMP Echo reply to get back from the Internet through the ASA to the host that originally sent the ICMP Echo message.
    If we cant solve the problem with the above or get enough information with the "packet-tracer" command we might need to have a look at the configurations.
    - Jouni

  • VPN Server under Static NAT. Any advices?

    Hi there,
    Is it possible to setup a VPN server in DMZ under a static NAT translation? I have 2911 as an edge router, another 2951 as a firewall with four zones - inside1, inside2, outside, dmz. All IP addressing between edge and firewall is private. The web and mail servers are working in DMZ under static NAT. The question is - can I also setup VPN server in DMZ under the static NAT? The clients establishing VPN tunnels will work with DMZ servers (other servers) only. Thanks!

    We featured your question on the Cisco Support Community Facebook page. Check out some of the responses here: http://www.facebook.com/CiscoSupportCommunity/posts/269198139851698
    Posted by WebUser Cisco NetPro from Cisco Support Community App

  • Configure static NAT for range of ports

    Hi,
    I have a 2911 with a 3CX IP PBX behind it that needs to have a static NAT to the 3CX server for TCP/UDP 5060 and UDP 9000-9049. Do I have to create a static NAT entry for every single port in order for this to work, or can a range be defined in the NAT entries?
    As an example, say my 3CX server has an internal IP of 192.168.1.25 and my external IP is 1.2.3.4. Would I have to create an entry for each port?
    ip nat inside source static tcp 192.168.1.25 5060 1.2.3.4 5060
    ip nat inside source static udp 192.168.1.25 5060 1.2.3.4 5060
    ip nat inside source static udp 192.168.1.25 9000 1.2.3.4 9000
    ip nat inside source static udp 192.168.1.25 9001 1.2.3.4 9001
    and so on...
    Is this the correct way to do it, or is there another better way?
    Also, I only have one public IP to work with, and there are multiple other hosts on this network that need to have access to the internet. Right now I have NAT setup with overload so that the other hosts can get to the Internet. Here's my config for that:
    ip nat pool PATPOOL 1.2.3.4 1.2.3.4 netmask 255.255.255.252
    ip nat inside source list NAT_ACL pool PATPOOL overload     
    ip access-list standard NAT_ACL
     remark PAT to outside
     permit 192.168.1.0 0.0.0.255
     exit
    My question with this is will the static NAT work if I already have NAT overload configured as above?
    Thanks for the help in advance.
    Austin
    PS here is 3CX documentation on this subject http://www.3cx.com/blog/voip-howto/cisco-voip-configuration/

    I ended up creating a static NAT entry for each individual port mapping. This worked just as it was supposed to. 
    I have seen examples of people using route maps and ACLs to accomplish forwarding a range ports. I have yet to see official documentation from Cisco on this, and in some cases those examples did not seem to work correctly.
    ASAs with the latest code have the ability to forward a range of ports, but based on my research IOS lacks this feature.
    In my case, forwarding 50 ports wasn't so bad. However, if you have hundreds or thousands of ports to forward you may want to try the route map/ACL approach.
    Hopefully this information useful to others. 

  • Static NAT to IP that is not local to ASA?

    All, I have a doubt about a configuration I am requesting.  I know just a little about ASA myself, but am working with a contractor on this project and he is not sure this can be done or not.
    My applciation is this:
    - ASA with internet and some public IP. 
    - Exisiting internal LAN of 10.10.10.0/24. 
    - New voice VLAN 10.10.100.0 on L3 SGE switch doing inter-vlan route between 10.10.100.0/24 and 10.10.10.0/24 via 10.10.10.1 (ASA internal interface)
    - ASA will have static route to 10.10.100.0/24 via 10.10.10.254 (data VLAN interface on my L3 switch)  This much is a known working configuration for me to allow voice and data vlans to route and require very little of firewall contractor.
    Now I need static NAT of a public IP to my IP PBX on 10.10.100.1.  The doubt I have is if they try to configure this the ASA will not want to make a NAT to 10.10.100.1 because that network does not exist anywhere in the ASA config.
    Is there a way to make this work or will it be required/better to use an extra interface no the ASA and make it 10.10.100.0/24 and have the ASA do inter-vlan routing instead of the switch?
    Thanks in advance,
    Brandon

    The inside static route is now working, thank you.  Back to my original question about static NAT.  I just need a public IP to pass all traffic to an internal IP that is on the 10.10.100.0/24 network not directly conencted to the ASA.  I am thinking this would be the command:
    static (outside,inside) 10.10.100.1 222.222.222.222 netmask 255.255.255.255
    Does that seem correct and can you provide an example of what the ACL would look like?  I want to just allow all traffic now for the purpose of remote IP phones and some admin and mobile apps using various ports.  Once it is tested working I will let the firewall vendor layer security on.
    Thanks again,
    Brandon

  • Static NAT to two servers using same port

    I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
    I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
    Any help would be very much appreciated.
    Thanks,
    - Mike                  

    Hi,
    Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
    On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port is coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
    I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain is this a stable solution. I would imagine it could not be recomended for a production environment setup.
    But nevertheless its a possibility.
    So you would need the newer software on your firewall but I am not sure what devce you are using and what software its using.
    - Jouni

Maybe you are looking for

  • In Lightroom 4, is it possible to change the resolution when exporting to Facebook?

    Is it possible to change the resolution when exporting a photo to Facebook using either the regular plugin or Jeffrey Friedl's plugin?  I can't seem to do it; I only have control over the image dimensions, not the resolution and the dimensions, as yo

  • TS1424 New iTunes card, already been redeemed.

    I tried to redeem a new iTunes card, I get a message that it has already been redeemed.  It was in a sealed pack with the scratch off seal intact, what happened?

  • Lock records command

    Hi all, I have a scenario where i have to lock the lookup table records for editing. So that other users cannot edit the record. I am processing the lock record command for records which are not locked by other session (LOCK_BY_OTHER_SESSION). Lets s

  • Character set / Meta

    Can anyone help me with a character-issue? I want the following line to appear in the header of the generated html-page : <META http-equiv="Content-Type" content="text/html" charset="ISO-8859-1"> Swedish characters does appear OK in the html-body but

  • Custom validation rules

    Using adf/bc with jdev 10.1.3.3. I've created a custom validation rule class according to the instructions in the adf guide. In that class, I've defined just one property, along with its getters/setters. I've registered my rule in the business compon