Nat'ing Lan subnet

I have a tunnel created and I need to NAT the local network 192.168.1.0/24 to 172.31.196.0/24 to the destination IP, let's say (2.2.2.2)
The code version is 8.2(1).
name 2.2.2.2 External_IP
name 172.31.196.0 Local_xlated
I thought the statement would look like nat (inside,outside) inside-network Local_xlated static destination External_IP

eluciasa(config)# packet-tracer input inside tcp 192.168.1.6 53 8.8.8.8 53
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) MC_Local_xlated  access-list L2LVPN-POLICYNAT
  match ip inside 192.168.1.0 255.255.255.0 outside host External_IP
    static translation to MC_Local_xlated
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (External_IP [Interface PAT])
    translate_hits = 24686918, untranslate_hits = 1904674
Additional Information:
Dynamic translate EluciMX01/53 to External_IP/356 using netmask 255.255.255.255
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32668832, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
eluciasa(config)#

Similar Messages

  • PBR using dual ISP and single LAN subnet

    Hello,
    I have 2 ISP connections on the Cisco router 29121, i.e. a Leased Line and PPPoE, and a single LAN subnet.
    I want to use PBR.
    I want to allow IP traffic destined for 1.1.1.1, 2.2.2.2, 3.3.3.3 (fictitious IPs) to go through the Leased Line
    and all other traffic through PPPoE.
    Please help me to achieve this.
    Thanks in advance.

    Wow, great, thanks cadet alain.
    It is working as desired.
    This is my current config. I just want your help for one last thing:
    If the leased line goes down, I want to direct the users to PPPoE.
    However, if PPPoE, the users should NOT BE directed to the leased line.
    int gi0/0
    description << Leased Line >>
    ip address 100.100.100.101 255.255.255.252
    ip nat outside
    no shut
    int gi0/2
    description << LAN Subnet >>
    ip address 10.1.50.1 255.255.255.0
    ip nat inside
    ! PBR must reference the route-map that sets the next hop (route-map PBR below)
    ip policy route-map PBR
    no shut
    interface Dialer0
    ip address negotiated
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly in max-reassemblies 512
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    ppp authentication pap chap callin
    ppp chap hostname XXXXXXXXXXXXXXX
    ppp chap password 0 9860
    ppp pap sent-username XXXXXXXXXXXXXXX  password 0 9860
    no cdp enable
    interface GigabitEthernet0/1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no shut
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    ! NAT route-maps: translate LAN traffic on whichever egress interface it leaves
    access-list 100 permit ip 10.1.50.0 0.0.0.255 any
    route-map lease permit 10
    match ip address 100
    match interface gi0/0
    route-map pppoe permit 10
    match ip address 100
    match interface dialer 0
    ip nat inside source route-map lease interface gi0/0 overload
    ip nat inside source route-map pppoe interface dialer 0 overload
    ! PBR: only traffic to these hosts is forced out the leased line
    access-list 101 permit ip 10.1.50.0 0.0.0.255 host 1.1.1.1
    access-list 101 permit ip 10.1.50.0 0.0.0.255 host 4.2.2.2
    route-map PBR permit 10
    match ip address 101
    set ip next-hop 100.100.100.102
    ip route 0.0.0.0 0.0.0.0 dialer0
    ip route 0.0.0.0 0.0.0.0 100.100.100.102

  • RV320 Additional WAN IP NAT'ing

    Hello, I have an RV 320, my initial IP allocation from my ISP was 38.122.x.x a /30 allocation. Recently I needed to NAT a device so I requested a /29 block from my ISP the new block is 38.79.x.x. The router is fully managed by ISP, they told me that the new /29 block will be configured to route to the original WAN IP of my RV320. I configured a 1to1 NAT and no luck I am unable to remotely connect to the device via the external IP.  Any assistance would be greatly appreciated.

    Jennifer,
    Thanks for the quick reply.
    You were pretty much correct, all I needed to do was create the appropriate NAT map between the Public IP & a DMZ server and also add a new RULE to allow the new public facing services to be available for internet users. This is just the same as setting up NAT'ing on the IP range configured on the Public ASA interface.
    I didn't need to set up any static ARPs or create any routes (the default route is already set out via the Public interface). Also no ISP specific set-up was required, so as
    I haven't tried to set-up outbound NAT/PAT yet from the Private interface so I cannot say if that is just as easy.

  • NAT'ing firewall Wiki articles gone

    http://wiki.archlinux.org/index.php/NAT'ing_firewall_-_Share_your_broadband_connection
    and
    http://wiki.archlinux.org/index.php/NAT'ing_firewall_-_Adding_advanced_features
    are empty now.
    Can someone check why those pages are stubs now, because I need both articles,
    or at least give backups if possible, since I set up my home server using those.
    Last edited by Satan666999 (2008-12-30 08:40:40)

    Google cache for the first page:
    http://74.125.77.132/search?q=cache:toh … ient=opera
    No idea why it's off the wiki though, has it got something to do with the ' in NAT'ing?

  • Problem with nat-ing on asa 5505

    I have the ASA5505 with ASA 8.4.2 and ASDM 6.4.5. I use this ASA5505 for connecting my network 192.168.0.0/24 with network 10.15.100.0/24. The WAN port of the ASA5505 is on network 10.13.74.0/24, the LAN port is on 192.168.0.0/24. This configuration worked OK until my ISP changed the router on address 10.13.74.1. I NAT-ed on the ASA5505, I put an access policy in place and I had access to network 10.15.100.0/24, but now I can't. The users from the network can access devices on addresses 192.168.0.20 and 192.168.0.22 but I can't access the network 10.15.100.0/24. My configuration of the ASA5505 is:
    Result of the command: "show runn"
    : Saved
    :
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.0.17 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.13.74.33 255.255.255.0
    !
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network server
     host 192.168.0.20
    object network sharepointdri
     host 192.168.0.22
    object network paragraflex
     host 192.168.0.20
    object network dri.local
     subnet 192.168.0.0 255.255.255.0
    object service ParagrafLex1
     service tcp source eq 6190
     description Odlazni
    object service paragraf
     service tcp destination eq 6190
     description dolazni
    object network nonat
     host 192.168.0.20
    object network lokalnamreza
     range 192.168.0.1 192.168.0.254
    object network natnetwork
     subnet 192.168.0.0 255.255.255.0
    object network natmreze
     subnet 192.168.0.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_2
     service-object ip
     service-object icmp echo-reply
     service-object tcp
    object-group service DM_INLINE_SERVICE_1
     service-object icmp echo-reply
     service-object tcp
     service-object ip
     service-object tcp destination eq domain
     service-object tcp destination eq ldap
     service-object object ParagrafLex1
    object-group service DM_INLINE_SERVICE_8
     service-object ip
     service-object tcp
     service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_3
     service-object tcp
     service-object tcp destination eq domain
     service-object tcp destination eq ldap
    object-group service DM_INLINE_SERVICE_4
     service-object tcp
     service-object icmp echo-reply
    object-group protocol DM_INLINE_PROTOCOL_2
     protocol-object udp
     protocol-object tcp
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service DM_INLINE_SERVICE_5
     service-object ip
     service-object icmp echo-reply
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object tcp
    object-group service DM_INLINE_SERVICE_6
     service-object ip
     service-object tcp
     service-object icmp echo-reply
     service-object icmp
     service-object tcp destination eq https
    object-group service DM_INLINE_SERVICE_7
     service-object ip
     service-object tcp
     service-object icmp echo-reply
     service-object tcp destination eq https
    object-group network DM_INLINE_NETWORK_1
     network-object 10.13.74.0 255.255.255.0
     network-object 10.15.100.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_9
     service-object tcp-udp
     service-object tcp destination eq https
     service-object tcp destination eq domain
    object-group service DM_INLINE_SERVICE_10
     service-object ip
     service-object tcp
     service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_11
     service-object ip
     service-object tcp
     service-object icmp echo-reply
    access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_6 any any
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object dri.local 10.15.100.0 255.255.255.0
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
    access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
    access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
    access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
    access-list outside_access_in_1 extended permit object paragraf any object server
    access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object server
    access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object sharepointdri
    access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_10 object natmreze any
    access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_9 any any
    access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_11 object natmreze 10.15.100.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp outside 10.13.74.1 000d.bd64.a8e2
    arp timeout 14400
    !
    object network server
     nat (inside,outside) static 10.13.74.34 dns
    object network sharepointdri
     nat (any,any) static 10.13.74.39
    object network nonat
     nat (inside,outside) static 192.168.0.20
    object network natmreze
     nat (any,any) static 10.13.74.42 dns
    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
    access-group outside_access_in_1 in interface outside
    access-group outside_access_out out interface outside
    route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
    route outside 10.15.100.0 255.255.255.0 10.13.74.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map type inspect ftp paragraf
     parameters
    policy-map global_policy
     class inspection_default
      inspect dns
      inspect icmp
      inspect ip-options
      inspect netbios
      inspect tftp
      inspect h323 h225
      inspect h323 ras
    !
    service-policy global_policy global
    prompt hostname context state priority domain
    no call-home reporting anonymous
    Cryptochecksum:61572938ed01b1c7447e43fcb2df4bc8
    : end
    What do I do? Please help me.
    Thanks

    Please do this, and let me know how it goes
    no access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
    no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
    no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
    access-list inside_access_in line 1 permit ip 192.168.0.0 255.255.255.0 any
    access-list outside_access_in_1 line 1 permit ip any 192.168.0.0 255.255.255.0
    no object network nonat
    no access-group inside_access_out out interface inside
    no access-group outside_access_out out interface outside
    no route outside 10.15.100.0 255.255.255.0 10.13.74.1 1

  • NAT to another subnet with another BM server

    Setting up a GWGuardian server with 2 GroupWise systems...
    I successfully NAT local GroupWise to GWGuardian...
    Now having trouble with the other GroupWise system.
    This GroupWise system is on a different subnet with a different BorderManager
    server.
    This BorderManager server handles the NAT to the GroupWise system...
    When I changed the NAT to the GWGuardian server... nothing happens...
    No email goes through and the NAT doesn't respond to pings.
    This site with the different BM and GroupWise is in a different city...
    and connected by a Cisco router.
    I would like to know if this can work...
    Thanks

    Both LANs have their own BM servers...
    connected by the Cisco routers through the internet...
    At both sites...
    there is BM, GW, their own subnets and own public IP addresses....
    Both BMs handle NAT to the mail servers...
    Setup GWGuardian...
    Have to change the NAT to the GWGuardian workstation...
    GWGuardian handles all the external email that comes in to the email server and
    sends all good email to the GW server.
    The remote place...
    I am trying to static NAT the public address (public address of the mail server) to
    the private address of the GWGuardian server...
    The GWGuardian server is located on a different subnet with a different BM
    server...
    GWGuardian has the ability to have 2 GW servers on it...
    We want to have both GW servers using GWGuardian as the mail gateway
    but the static NAT doesn't seem to work for the remote place..
    Thanks for your fast response...
    Sorry for not explaining it correctly... I hope this explains it more.

  • NAT between 2 subnets

    Hello,
    I have subnets (LAN A and LAN B) on each side of an 819 router:
    G0: IP=10.1.1.3/24 (LAN A)
    F0: IP=172.16.0.3 (LAN B)
    On each of these networks, there is an existing DFGW address programmed into the devices (PLCs) as 10.1.1.1 and 172.16.0.1 respectively.
    I want PLCs on each subnet to talk to each other without sending packets to the DFGWs.
    On LAN A, I would like PLC-A to feel like it is communicating directly with the G0 IP address when in fact that packet gets sent out F0 with F0's IP to PLC-B. PLC-B responds to the F0 address (as it is in the same subnet) and the return packet gets NATed back to the G0 IP address.
    Is this doable? I think it is, but I am struggling with implementing both port forwarding and NAT translations (double NAT).
    Thanks! Look forward to someone with some expertise in this area to help me out.

    Is there any document you are aware of that simplifies some of the nat operations?
    You seem to understand it pretty well to be honest :-)
    There are two types of NAT, dynamic and static. Both your statements are static. This one -
    ip nat inside source static tcp 10.33.5.2 502 10.64.41.196 502 extendable
    needs to be a static because the traffic is arriving on the outside interface. You see this sort of statement quite often in configurations or something like it.
    This one -
    ip nat outside source static 10.64.41.194 10.33.5.80 add-route
    is a lot less commonly used. Ideally what we wanted to do was do a dynamic NAT from outside to inside and change the outside IP to the router's inside interface IP.
    But unfortunately IOS only supports this type of NAT, i.e. dynamic NAT overload, from inside to outside, and we are going outside to inside so we couldn't use it.
    It has always been a bit annoying that it doesn't, because it would have made your setup and others simpler.
    So we had to use the above, and you have to add a route because of the reasons I explained in my previous post. It's basically the order in which IOS does things in each direction.
    That was why I was asking about which side initiated the connection, because if it had been the PLC on the inside we could have used a dynamic NAT statement for its IP as it went outside, because that is supported, and a static NAT statement (different from the one you have now) for the PLC on the outside.
    But as the flow was always outside to inside we couldn't.
    NAT and what you can do with it can get complicated. And the NAT used on ASA firewalls is a completely different syntax than IOS NAT.
    Here is a link to doc on IOS NAT that is a good overview -
    http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html
    Unfortunately in my browser the pictures aren't showing, but they may in yours.
    If you have any specific questions, then please feel free to ask.
    Glad you got it working.
    Jon

  • GRE Tunnel/NAT with multiple subnets and interfaces

    So, I am not sure if we are trying to accomplish too many things at once and what we are attempting to do is not possible or if we are missing something in our configurations...
    Here is the situation...
    We are migrating some equipment between datacenters.  The equipment only has a /27 worth of IP space assigned to it, so we cannot simply "move" the IP space to the new datacenter.  Further, because we have several VPNs terminated in the old IP space that originate from devices we do not directly control and are essential in continuing to provide service, it was/is difficult to magically update some DNS entries and change IP addresses overnight.  The last twist in this puzzle is that at the new datacenter we will be deploying some new equipment that will be in a separate subnet (with a separate Windows AD structure) but sharing the new public IP space we have in the new datacenter.
    We thought using a GRE tunnel, some trunks, and a bunch of NATs would make the whole process easy, and we tested it in a lab and everything SEEMED to work.  However, when we performed the move we ran into an odd issue that we were unable to figure out and had to go back to a failsafe configuration that has the essentials up and running, but the environment is not running in an ideal way for us to gradually transition as we would like.
    Essentially what we had/have and how it was configured is as follows:
    Site A
    Edge Router - x.x.x.x /24 BGP announcement
    x.x.x.y/27 that is within the /24 that we need at site b
    GRE tunnel configuration
    interface tunnel0
      ip address 10.x.x.1 255.255.255.252
      tunnel source <router edge IP>
      tunnel destination <site b router edge ip>
      keepalive 10 3
    static route for site a public ip to bring it to site b via GRE tunnel
    ip route x.x.x.y 255.255.255.224 10.x.x.2
    Site B
    Edge Router - y.y.y.y /24 BGP announcement
    Similar GRE tunnel configuration (tunnel comes out and works so don't think issue is here)
    2 Vlans (1 for site a ip space, 1 for site b ip space)
    int vlan 50
    ip address x.x.x.1 /27
    int vlan 51
    ip address y.y.y.129 /25
    Trunk port for the VLANs going down to an ASA
    int g1/1
      swi mode trunk
      swi trunk native vlan 51
      swi tru all vlan 50,51
      swi tru en dot1q
    Then on the ASA, I have 2 physical interfaces for 4 logical interfaces (outside, outsideold, inside, insideold)
    int e0/0
     nameif outside
     sec 0
     ip address y.y.y.130 /25
    int e0/0.50
     nameif outsideold
     sec 0
     ip address x.x.x.2 /27
     vlan 51
    int e0/1
      nameif inside
      sec 100
      ip address 192.168.y.1 /24
    int e0/1.60
      nameif insideold
      sec 100
      ip address 192.168.x.1 /24
      vlan 60
    A static route using the new ip space on the native outside interface...
    route 0 0 y.y.y.129
    And then I have some nat rules which is where I think things go a little haywire...
    object network obj-y.y.y.0-24
      subnet y.y.y.0 255.255.255.0
     nat (inside,outside) dynamic interface
    object network obj-x.x.x.0-24
      subnet x.x.x.0 255.255.255.0
     nat (insideold,outside) dynamic interface
    object network obj-y.y.y.135-160
      range y.y.y.135 y.y.y.160
    object network obj-192.168.y.135-160
      range 192.168.y.135 192.168.y.160
      nat (inside,outside) static obj-y.y.y.135-160
    object network obj-x.x.x.10-20
      range x.x.x.10 x.x.x.20
    object network obj-192.168.x.10-20
      range 192.168.x.10 192.168.x.20
      nat (insideold,outsideold) static obj-x.x.x.10-20
    From some debugging and looking at packet-tracer, I found out I left out the below which was needed to properly nat traffic as it leaves the outside interface (when the default sends the traffic)
    object network obj-192.168.x.10-20-2
      range 192.168.x.10 192.168.x.20
      nat (insideold,outside) static obj-x.x.x.10-20
    There are / were a bunch of other nat exemptions for the VPNs and specific external routes to ensure all vpn traffic exited the "outsideold" interface which is where all the existing tunnels were terminated.
    Everything appeared to be working great as all the VPN tunnels came up perfectly as expected and traffic appeared to be flowing, except for some of the most important traffic.  The following was what was observed:
    1.  Any traffic using the dynamic NAT (ie...a machine with IP x.x.x.200 or y.y.y.20) would connect to the internet perfectly and work fine using the "new interface ip".
    2.  Any traffic in the "new range" using a one to one nat worked perfectly (ie y.y.y.140).  Internet would work etc and nat translation would properly occur and everything could connect fine as expected.
    3.  ICMP packets to the "old ip range" flowed perfectly fine to the one-to-one NAT IP (ie I could ping x.x.x.20 from outside) and likewise I could ping anywhere on the internet from a machine with a static NATed IP.
    4.  Here's the but... no traffic other than ICMP would reach these machines with static IPs.  Same range, same subnet as ones using the dynamic port translation that worked perfectly.  Do not understand why this was / is the case and this is what I am seeking a solution to.  I have attempted the following troubleshooting steps without success:
    A. Confirmed MTU size was not an issue with the GRE tunnel.  2 methods, one plugging to edge router and using the "outsideold" ip space works perfectly and 2 if I assign outsideold ip space to "outside" interface, everything nats fine.
    B. Ran packet-tracer, all results show "allow" as if I should be seeing the packets.
    C. Confirmed local windows machine firewall was off and not blocking anything.
    D. Reviewed logs and observed SYN timeouts and TCP teardowns as if the firewall is not getting a response, and this is where I am stumped.  There is no path around the firewall so asymmetric routing should not be an issue, and if that was the problem it should not work when the "outsideold" IP space is assigned and NATed from the "outside" interface, but it does.  Packet-tracer shows proper NAT translations occurring and there is definitely proper routing along the path for stuff to return to the network or ICMP would not work (i.e. I can ping www.google.com but not open the web page).
    So what simple piece of the NAT configuration am I overlooking, because I cannot possibly wrap my head around it being anything else.
    Any suggestions / lessons would be greatly appreciated.

    is this still a problem?

  • Creating NAT for multiple subnets

    Hello, I want to create 1 NAT for 5 subnetworks on a Windows 2008 machine. The subnetworks are: 192.168.224.0/27, 192.168.224.32/27, 192.168.224.64/27, 192.168.224.96/27, 192.168.224.128/27. I intend to have a server on the 192.168.224.0/27 subnetwork. After installing 2 network cards on the server, 1 for the private addressing scheme and 1 for the external network address, and installing RRAS, I am wondering how nodes on the other subnetworks will find their way out to the external network. Will RRAS take care of that? Or is it not possible to have only 1 NAT for several subnetworks?

      It is possible, but I would think that you would need six NICs in the server - one for the public connection and one for each private subnet.
      It sounds as if you want to implement VLANs. If you do, RRAS does not do that.
    Bill

  • VMW Fusion 4.1 breaks 1 host LAN subnet

    Testing VMware Fusion 4.1 on a '09 MacBook Pro, Lion 10.7.2, to run a Lion 10.7.2 guest for testing. When Fusion is running, regardless of whether the VM is on, suspended or stopped, it sometimes has (not yet consistently reproducible) killed Exchange mail in the host (mail.app or MS 02k11) and kills any new access to one particular local subnet (yet all other LAN and WAN subnets are fine) from the host wired ethernet LAN (guest VM running bridged, wifi, totally separate / firewalled from host wired LAN). Quit Fusion and, bam, all works again. Repeatable back & forth, and after reboot with nothing else running. Can't even ping the subnet on the router. Even stranger: if shared server volumes from the affected subnet are mounted in the host before starting Fusion they stay mounted and fully accessible for read/write, yet their whole subnet can no longer be pinged, and no new connection to the server from the host can be established.
    Tried changing lots of network settings in the host, Fusion and guest VM; it seems to make no difference: the simple act of starting Fusion.app breaks host access to just the 1 local subnet. Quitting Fusion.app restores it.
    Anyone got any ideas what causes this, maybe something simple I've overlooked? TIA.

    Sorry to hear that.
    But Apple have probably broken it when they added the MobileMe and modified the Wide-Area Bonjour code.
    However, I can report that Back-to-My-Mac does work on the AEBS. If you are already an MM subscriber, you can use that to get back to the AirDisk.

  • RV130 router : Unable to modify LAN subnet mask

    Hi everyone,
    I'm using a Cisco RV130 router, which runs the latest firmware (1.0.1.3), and when
    I set an IP address on the LAN interface, I can't choose a subnet mask greater than /24.
    The scrolling list proposes only these values:
    255.255.255.0
    255.255.255.128
    255.255.255. .. and so on to 255.255.255.252
    The issue is that the customer's LAN address is 172.17.0.0/16 (255.255.0.0).
    Any clue?
    Thierry

    Please see the attached Word Document for how to create a case online. Please make sure your CCOID is associated with the Product and/or the contract. This will prevent any issue when creating a case. If there is an issue with the association, the 1-866-606-1866 number will put you in touch with the people to assist in the association to your CCOID. Hope this helps.

  • Creating LAN subnets

    Hi,
    I have a LAN using the IP range 192.168.1.x. I am currently using a Cisco 857 ADSL router to provide internet access to all the PCs in the LAN.
    I want to change the network so that IP addresses are separated into different departments, e.g. 192.168.10.x, 192.168.20.x. Each different network would be able to access the internet, mail server and the file server etc., but would not have access to each other.
    Could this be achieved using ACLs on my existing router? The Cisco router only has 4 ports; would I need to purchase an additional router, or a layer 3 switch, to do this?
    Thanks
    Nick

    Hi,
    It's true, the 850 series only supports one VLAN. :(
    You would have to put a Layer 3 switch behind it, and create a separate subnet connecting it to the Cisco 857 (either by VLAN/SVI or routed port).
    On the L3 switch create different VLANs and SVIs for your clients. Assign different ports to the desired client VLANs. Communication between the VLANs can be limited by ACLs applied to the SVIs.
    On the L3 switch point a default route towards the Cisco 857, and don't forget to set appropriate routes on your Cisco 857 pointing back to the Layer 3 switch.
    hth
    Ingo

  • Need some help with a fundamental concept of nat'ing/routing

    I have the following code on an ASA5500 pair with very down-level code. 7.1.2.
    Here is a snippet of the ruleset:
    interface GigabitEthernet0/1.40
    description Production Servers Network
    vlan 40
    nameif Production
    security-level 40
    ip address 172.20.0.1 255.255.0.0 standby 172.20.0.2
    access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
    nat (Production) 0 access-list no-nat
    Am I correct in believing all traffic sourced from the 192.168.3.0 and 172.20.0.0 networks coming in via the Production interface will NOT be NAT'ed?
    My next question is will that traffic be routed through that interface Production using  the original IP addresses, or will that traffic NOT be routed anywhere?
    I don't want that traffic to be routed, but am concerned since these access list commands permit IP traffic between the networks, this traffic will be routed.

    Thanks for responses, but they confuse me more.
    It is not your answers causing my confusion, but the firewall rules I am trying to apply to this.
    From what you are saying, traffic WILL flow from the 192.168.3.0 network to the 192.168.20.0 network, flowing through the Production interface. It won't be Nat'ed, but it will route because the access list explicitly allows IP traffic sourced  from the 192.168.3.0 network to reach the 192.168.20.0 network.
    However, this is not what is currently happening in the networks, as far as I have been told.
    Let me add more lines of code to the problem, and give my interpretation, and you can tell me where I am going wrong.
    1. There is no access list explicitly associated with the Production interface, as can be seen through the definition in my first post.
    2. More complete code:
    object-group network network_vpn
    description VPN IP's
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip object-group network_vpn 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip object-group network_vpn 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.2.0  255.255.255.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
    nat (Production) 0 access-list no-nat
    nat (Production) 0 access-list Production_nat0_inbound outside
    nat (Production) 1 172.20.0.0 255.255.0.0
    Use the 3rd last line in the access-list no-nat commands as an example.
    As I envision this, if I have a network sourced as 192.168.3.0, coming in through the Production interface, IP traffic can reach the 172.20.0.0 network, albeit not NAT'ed, but with the original IP addresses, assuming routing is configured between these networks? I guess my related question would be is routing not implicitly turned on between these networks?
    3. Also, I think several lines of this access rule are redundant, given the network object covers the 192.168.2.0 and 192.168.3.0 networks.
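    The two questions in the post above (which no-nat line a given flow hits, and which lines are redundant) can be checked offline. The following is an added example written for this thread, not code from the poster or from Cisco. It re-implements only the narrow part of the 8.2 `nat 0 access-list` behaviour that matters here: the first ACE whose source and destination both match exempts the flow from translation; a flow that matches nothing falls through to the `nat (Production) 1` dynamic rule. It deliberately does not model forwarding, because NAT exemption and routing are separate decisions on the ASA: the no-nat ACL is not an interface ACL and neither permits nor denies a packet; whether the packet is forwarded depends on the routing table and on the interface access rules and security levels. The ACE grammar it parses (`permit ip SRC DST`, with each operand a network/mask pair, an `object-group`, `host X` or `any`) is assumed from the lines in the post. The redundancy check goes beyond the poster's observation: it reports every ACE whose source and destination are both covered by another ACE, so the two /16 lines turn out to make more lines redundant than the object-group alone does.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copies of the object-group and no-nat ACL quoted in the post.
OBJECT_GROUPS = {
    "network_vpn": ["192.168.2.0 255.255.255.0", "192.168.3.0 255.255.255.0"],
}

NO_NAT_ACL = """
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0  255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
"""


@dataclass
class Entry:
    line: str
    src: list  # ipaddress.IPv4Network objects
    dst: list


def _net(addr, mask):
    # ipaddress accepts a dotted-decimal mask after the slash.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_operand(tokens, i, groups):
    """Consume one address operand starting at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok == "object-group":
        return [_net(*s.split()) for s in groups[tokens[i + 1]]], i + 2
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    return [_net(tok, tokens[i + 1])], i + 2


def parse_acl(text, groups):
    """Parse 'access-list NAME extended permit ip SRC DST' lines into Entry objects."""
    entries = []
    for raw in text.strip().splitlines():
        t = raw.split()  # also collapses the double space on one of the posted lines
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            raise ValueError(f"unsupported ACE for this example: {raw}")
        src, i = _take_operand(t, 5, groups)
        dst, _ = _take_operand(t, i, groups)
        entries.append(Entry(raw.strip(), src, dst))
    return entries


def nat_exempt_match(entries, src_ip, dst_ip):
    """Index of the first ACE the flow hits (NAT exempt), or None (falls to the nat 1 rule)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, e in enumerate(entries):
        if any(s in n for n in e.src) and any(d in n for n in e.dst):
            return idx
    return None


def _covers(a, b):
    """True if every source and destination network of ACE b lies inside some network of ACE a."""
    return (all(any(n.subnet_of(m) for m in a.src) for n in b.src)
            and all(any(n.subnet_of(m) for m in a.dst) for n in b.dst))


def redundant_entries(entries):
    """Indexes of ACEs fully covered by another ACE (for exact duplicates, the later one)."""
    out = []
    for j, b in enumerate(entries):
        for i, a in enumerate(entries):
            if i != j and _covers(a, b) and (i < j or not _covers(b, a)):
                out.append(j)
                break
    return out


if __name__ == "__main__":
    acl = parse_acl(NO_NAT_ACL, OBJECT_GROUPS)
    hit = nat_exempt_match(acl, "192.168.3.5", "172.20.1.1")
    print("192.168.3.5 -> 172.20.1.1 exempt by:", acl[hit].line if hit is not None else "none")
    miss = nat_exempt_match(acl, "192.168.3.5", "8.8.8.8")
    print("192.168.3.5 -> 8.8.8.8 exempt by:", "none (nat 1 applies)" if miss is None else acl[miss].line)
    for j in redundant_entries(acl):
        print("redundant:", acl[j].line)
```

    Run against the posted ACL, the 192.168.3.x to 172.20.x.x flow is exempted by the `object-group network_vpn 172.20.0.0` line, a flow to 8.8.8.8 is exempted by nothing and would be translated by `nat (Production) 1`, and eight of the twelve lines are covered by the two /16 lines or by the object-group lines. The only lines doing independent work are the two `192.168.0.0/16 <-> 172.20.0.0/16` lines, the `object-group network_vpn 192.168.20.0` line and the `192.168.20.0 -> 192.168.2.0` line. None of this changes whether the packet is forwarded; that is decided by routing and the interface rules.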

  • Virtual Exchange & NAT'ing

    A virtual server currently has Exchange installed on it with load balancing on our network. Each NIC has its own IP address and they want one external address for it to NAT to.  Looking at our ASA, we can't overlap addresses...meaning I get an error when I try to NAT 2 internal addresses to 1 external.  How can this be accomplished?

    What version do you have? It can be done with a special configuration on 8.2. If you are in version 8.3 or higher you may want to look at Many to Few NAT configuration.
    Mike

  • (semi-urgent) RVS4000 and multiple (same port) NAT'ing

    Hello -
    I have a client who has one Internet connection and 2 different internal SMTP servers.  Is there a way to NAT public mail/SMTP to each one?  We have two public IPs.
    Thanks

    Hello Jeff,
    Unfortunately the RVS4000 does not support One to One NAT. This restricts the router to only being able to use one of the IP addresses you have.
    If you are interested in a router that supports this feature, I recommend one of the following:
    RV042
    RV120W
    RV220W
