8.2 to 8.3 nat conversion

Hi guys,
I have a problem converting a static NAT on the FWSM to ASA 8.3 or later.
I have an FWSM which we are migrating to ASA; the FWSM has the static NAT statement below:
static (v123,v546) 10.10.10.0 10.10.20.0 netmask 255.255.255.0
When I look at the translations on the FWSM for the statement above, the last digit of the mapped address and the real address is always the same (like below).
sh xlate | i 10.10.20.
Global 10.10.10.201 Local 10.10.20.201
Global 10.10.10.211 Local 10.10.20.211
Global 10.10.10.204 Local 10.10.20.204
Global 10.10.10.211 Local 10.10.20.211
Global 10.10.10.204 Local 10.10.20.204
I know that is possible in 8.2 and below.
How can I convert the same in 8.3 or later? I mean, the last digit of the mapped and real address should be the same during translation.
If I use a dynamic mapped address then the mapped address will be different after each connection. I didn't find an example with static.
Thanks in advance.

We now call it Twice NAT.
object network n10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
 exit
object network n10.10.20.0_24
 subnet 10.10.20.0 255.255.255.0
 exit
nat (v123,v456) source static n10.10.10.0_24 n10.10.10.0_24 destination static n10.10.20.0_24 n10.10.20.0_24
Here's a helpful link:
http://forum.packetbin.com/projects/CiscoASA84NATGenerator
Also look for Jouni Forss's NAT 8.3+ explanation here in the forums.
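As an added example (not code from the original post or from Cisco), here is a small converter that turns a pre-8.3 `static` statement such as the FWSM line quoted above into the 8.3+ network object NAT form, plus a check that predicts the mapped address a real host will get so the result can be compared with the old box's `show xlate` output. Object names such as obj-10.10.20.0_24 are an assumed naming convention.

```python
"""Convert a pre-8.3 ASA/FWSM 'static' statement to 8.3+ network object NAT.

Added example, not code from the original post. The object naming scheme
(obj-<network>_<prefixlen>) is an assumption made here.
"""
import ipaddress
import re

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask MASK]
STATIC_RE = re.compile(
    r"^\s*static\s+\(\s*(?P<real_if>[^,\s]+)\s*,\s*(?P<mapped_if>[^)\s]+)\s*\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?\s*$"
)


def parse_static(line):
    """Return (real_if, mapped_if, real_net, mapped_net) for one 'static' line."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not a static NAT statement: {line!r}")
    mask = m.group("mask") or "255.255.255.255"  # no netmask means a host static
    try:
        real = ipaddress.IPv4Network(f"{m.group('real')}/{mask}")
        mapped = ipaddress.IPv4Network(f"{m.group('mapped')}/{mask}")
    except ValueError as exc:  # host bits set: this could never have been one-to-one
        raise ValueError(f"real/mapped address is not a network address: {line!r}") from exc
    return m.group("real_if"), m.group("mapped_if"), real, mapped


def object_name(net):
    """Assumed naming convention for the generated network objects."""
    return f"obj-{net.network_address}_{net.prefixlen}"


def convert_static(line):
    """Emit the 8.3+ network object NAT lines equivalent to one pre-8.3 'static'.

    A static subnet-to-subnet translation is still one-to-one in 8.3+, so the
    host part of the address (the last octet for a /24) is preserved, which is
    exactly what the FWSM xlate table in the question showed.
    """
    real_if, mapped_if, real, mapped = parse_static(line)
    out = []
    if mapped.num_addresses == 1:
        mapped_ref = str(mapped.network_address)  # host static: inline address allowed
    else:
        mapped_ref = object_name(mapped)  # subnet static: mapped side must be an object
        out += [f"object network {mapped_ref}",
                f" subnet {mapped.network_address} {mapped.netmask}"]
    out.append(f"object network {object_name(real)}")
    if real.num_addresses == 1:
        out.append(f" host {real.network_address}")
    else:
        out.append(f" subnet {real.network_address} {real.netmask}")
    out.append(f" nat ({real_if},{mapped_if}) static {mapped_ref}")
    return out


def expected_mapped(line, real_host):
    """Predict the mapped address a real host gets under a one-to-one static.

    Compare the result with 'show xlate' on the old box before cutting over.
    """
    _, _, real, mapped = parse_static(line)
    host = ipaddress.IPv4Address(real_host)
    if host not in real:
        raise ValueError(f"{real_host} is outside the real network {real}")
    offset = int(host) - int(real.network_address)
    return str(mapped.network_address + offset)


if __name__ == "__main__":
    fwsm_line = "static (v123,v546) 10.10.10.0 10.10.20.0 netmask 255.255.255.0"
    print("\n".join(convert_static(fwsm_line)))
    # Constructed check against the xlate entries quoted in the question.
    for local in ("10.10.20.201", "10.10.20.211", "10.10.20.204"):
        print(f"Global {expected_mapped(fwsm_line, local)} Local {local}")
```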

Similar Messages

  • NAT Statement translation

    Hi,
    I am looking at the NAT statement below in our system, but I do not understand what it means or what the purpose of this statement is.
    This NAT statement is on the VPN ASA and I understand that it means any source traffic on the OUTSIDE interface hitting the OUTSIDE interface towards destination NETWORK_OBJ_192.168.1.0_24 keeps its source and destination the same.
    But what’s the purpose of this statement?
    nat (Outside,Outside) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    nat (Outside,Outside) source static any any destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp route-lookup
    Thanks

    Hi,
    With regard to the NAT0 configuration for the traffic between the 2 VPN networks, I would configure it in the following way:
    object network VPN-1
    subnet 192.168.1.0 255.255.255.0
    object network VPN-2
    subnet 192.168.2.0 255.255.255.0
    nat (OUTSIDE,OUTSIDE) source static VPN-1 VPN-1 destination static VPN-2 VPN-2
    This should handle the NAT0 between these 2 VPN networks without resorting to 2 "nat" commands.
    Of the 2 other configurations you mention, the first one seems to be a normal Dynamic PAT configuration between LAN and WAN.
    The second configuration seems a bit odd and I would have to guess that it's the result of an automatic NAT conversion, perhaps? Have you updated the software on this ASA unit from older 8.2 (or older) software? It might be related to having the "nat-control" setting on the old software. I am however not 100% sure, as I convert the configurations manually.
    - Jouni

  • WRT54GH FTP error 425

    I've been running a FileZilla FTP server for over 2 years now. When I first got into FTP was actually the first time I had to do port forwarding. Forward router external 21 TCP to 21 on the LAN, everything good, FTP works. A few days ago the old router died and to get a new one I went for a WRT54GH. When I set it up I also made sure to forward port 21 to the machine. Now I try accessing the FTP and after a long wait I get an error 425 cannot open data connection.
    I rechecked and double-checked: not only is the port properly forwarded, but FileZilla actually gets the request and the two negotiate a little. Since I changed nothing in the FTP, and since the FTP still works fine over LAN IPs, I will of course blame the router!
    What am I to do and how do I fix this issue?

    I normally do not double-post but I fixed it and I'm leaving this info here for future reference for others:
    It appears that, at least with the first version of the firmware, the router tampers with network packets if it sees them being sent over port 21. It changes their PASV commands' IPs to LAN ones, which connecting clients can't work with. Furthermore there appears to be some other obscure port opening issue once the connection is established.
    In order to get around the router's arbitrary NAT conversion, one must forward external port 21 to some other internal port, for example 12345. The FTP server on the machine then has to be configured to listen on that port. This will get around the NAT issue.
    For the second issue, the server's PASV mode must be given a fixed port range, for example 65000 to 65100, and in turn those ports must be forwarded to the FTP-hosting machine in the router's settings.
    ---Important set of notes regarding single and multiple port forwards!---
    Ports forwarded before changing the LAN IP range (e.g. 192.168.1.x to 192.168.0.x) MUST be unchecked, saved, and re-checked, else the rules will no longer work! Furthermore, if the SPI firewall settings are modified in any way, all port ranges (ranges, not single ports) MUST be unchecked, saved, and re-checked in order to work! As yet another note, DMZ seems to have similar issues. Not knowing about these issues can lead to unexpected results when setting up not only the FTP but also other apps that rely on forwarding, since the router will claim a set of active settings but not use it.

  • N82 V30.0.013 Bluetooth and Wireless LAN problems

    I am using an N82, but it looks like there are similar problems with everything using similar firmware. I didn't have any of these problems with the V20 firmware that came with the phone or after the first V20 upgrade I used.
    I find that my wireless LAN connections sometimes only let me browse a few pages before I get the "web connection timed out" message. If I change wireless LAN connection (I have two, mostly for testing purposes) I can continue browsing. Of course the same error may happen, causing me to switch again. Sometimes it just works. Both have WPA set up and the passwords are clearly correct. If I use Real Player I can typically listen for as long as I like. Sometimes the connection to the server will drop for Real Player but reconnecting will work (I don't have to change wireless LAN network). With the web browser it seems like the data connection is dead, not a server timing out: the message appears instantly. I think I have seen the same problem once with my 3G connection, but I haven't recreated it. Could be my imagination!
    I have never had any problems with IMAP email using either the Nokia client or Profimail on either the wireless LAN connection or 3G. It leads me to believe that there is nothing wrong with the wireless LAN side of things and it may be more to do with the web browser, or perhaps just that the email clients are only talking to one server helps (DNS problems?). Has anyone experienced similar problems with an alternative browser?
    I have also found that when I get to work my Bluetooth dongle doesn't connect to my phone. If I disable/enable Bluetooth on my phone it will connect. I had this problem with my N80 with the first firmware I had on it and the problem went away after an upgrade.
    So, it seems that both connections are fixed by turning them off and on again.


  • Converting to ASA rules base

    I am just about to start on a project where we are moving from old Cyberguard firewalls to ASA 5520 firewalls. I was wondering if anyone has a rule base conversion tool that would be able to do a lot of the basic work? And some of the NAT conversions?

    Hello Glenn,
    To be honest with you, I do not think there is a conversion tool from that firewall to our ASA.
    I would recommend reading and analyzing the configuration guides for the ASA, or if you have any question related to the ASA setup, let us know.
    We will be more than glad to help!!
    Regards,
    Do rate all the helpful posts
    Julio

  • DSL Modem and Wireless Router problems

    I started to have problems on Tuesday.
    My equipment is:
    Dell Precision 870 PC with an Intel Pro network card
    Apple iMac with the Apple LAN connection
    Linksys/Cisco E3000 (problem started with a Linksys WRT610N router)
    Verizon (Actiontec) GT701C DSL modem
    I came down to my office and I noticed that the DSL light on my modem was not lit. In the past this has meant that there is a problem in the Central Office. Later in the day I got hold of Verizon tech support and we got the DSL running again with the modem connected to either computer.
    When I connect the router to the modem and the computers to the router, Dell via wire and Apple via wireless 5.0 GHz 802.11N inout, and restart both the router and the modem, I get connectivity through the router and the modem but the DSL light on the modem is not lit. After a long period of time the DSL light may come on, then I lose connectivity.
    Everything was working correctly until late Monday night/early Tuesday morning.
    I have reset both the modem and routers to factory defaults several times. I have a problem when trying to get connectivity with the modem after setting it up again and it takes me to the Verizon DSL startup site. Tech support walked me through using the "192.168.1.1/verizon/redirect" and shutting the redirect off. I then have connectivity as long as the router is not connected.
    I thought the router went, so I just installed a new router, the Linksys/Cisco E3000, and I still have the DSL light problem.

    Having both routers on the same IP address is a little bit confusing, but possible since each router creates its own subnet and provides full PNAT support. The Actiontec DSL modem has to have DHCP enabled since the Linksys WAN (not LAN) port should be connected to one of the 4 Actiontec LAN ports. The Linksys should not have any configuration set up in regard to your WAN account. Just set it to dynamic address. In other words:
    1. RJ-11 connects to the Actiontec modem/router.
    2. Actiontec modem should be configured to acquire an IP address from Verizon and to provide all authentication info to Verizon.
    3. Actiontec modem should be configured to allow clients to acquire dynamic IP addresses -- DHCP enabled.
    4. Linksys WAN (not LAN!) port should be connected to an Actiontec LAN port.
    5. Linksys should be configured to acquire a dynamic IP address and no authentication.
    6. Configure Linksys to be DHCP enabled, or you can use static IP addresses if you want.
    7. Wireless devices would be connected to the Linksys and on the way to the Internet addresses would go through double NAT conversions. Any wired device connected to the Linksys would have similar features. Any device connected to the Linksys should be able to connect to 192.168.1.1 assigned to the Linksys, but not to the Actiontec.
    8. Linksys and Actiontec would not be able to communicate unless you split 192.168.1.0/24 into smaller subnets and set specific routes in the table. But even if you do so, you will not be able to access 192.168.1.1 across the subnet boundary.
    Hope it helps.

  • NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above

    Hi folks,
    I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASAs, so I'm doing the configs up front!
    Everything seems straightforward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3; the PIX was running v6 and I'm used to doing mainly static one-to-one NAT in ASDM.
    The scenario is that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behind the NAT/PAT. The current config of the PIX is as follows (obviously the names are defined further up the config, so this is an extract of the PIX):
    global (outside) 1 10.50.50.38
    global (outside) 2 10.50.50.39
    global (outside) 3 10.50.50.49
    nat (inside) 0 access-list no-nat-all
    nat (inside) 2 Host_1 255.255.255.255 0 0
    nat (inside) 2 Host_2 255.255.255.255 0 0
    nat (inside) 2 Host_3 255.255.255.255 0 0
    nat (inside) 1 Host_4 255.255.255.255 0 0
    nat (inside) 1 Host_5 255.255.255.255 0 0
    nat (inside) 1 Host_6 255.255.255.255 0 0
    nat (inside) 1 Host_7 255.255.255.255 0 0
    nat (inside) 3 Network_3 255.255.255.0 0 0
    ASA Config
    After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following. Also, is it easier to just do this in ASDM? It looks pretty easy from YouTube videos, but I'd rather have something NAT-wise to put on the box when I arrive at site as opposed to working it out there!
    Define NAT Objects (outside IP addresses)
    object network NAT_1_outside_10.50.50.38
    host 10.50.50.38
    object network NAT_2_outside_10.50.50.39
    host 10.50.50.39
    object network NAT_3_outside_10.50.50.49
    host 10.50.50.49
    exit
    Define NAT Objects (inside IP addresses)
    object-group network NAT_1_Objects
    network-object Host_4 255.255.255.255
    network-object Host_5 255.255.255.255
    network-object Host_6 255.255.255.255
    network-object Host_7 255.255.255.255
    nat (inside,outside) dynamic NAT_1_outside_10.50.50.38
    object-group network NAT_2_Objects
    network-object Host_1 255.255.255.255
    network-object Host_2 255.255.255.255
    network-object Host_3 255.255.255.255
    nat (inside,outside) dynamic NAT_2_outside_10.50.50.39
    object-group network NAT_3_Objects
    network-object Network_1 255.255.255.0
    nat (inside,outside) dynamic NAT_3_outside_10.50.50.49
    Any assistance with this would be appreciated.
    cheers
    Malcolm

    I cannot make heads or tails of what you're trying to accomplish; in plain English first, before looking at router setup.
    If you're talking about hosting servers behind the router on your private LAN (assuming one public WAN IP), then one uses ACLs to control external users by individual OR GROUP and static NAT to port forward users to the correct server. One does not worry about groups of users for this direction of NAT rule.
    If what you're saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers), then once again I would say you should use ACLs to limit/authorize users and simply use NAT for port translation purposes. So conceptually speaking, allow all LAN users static NAT, and then only allow group 1 hosts access to the first external IP, group 2 hosts to the second external IP, and group 3 hosts to the third external IP. Note you will have to add a deny rule in the firewall in general because normally higher to lower security interface is allowed by default.
    Am I close......... Before going any further I need more details on the requirements, never mind setup.

  • NAT ASA5512 8.6(1)2 in and out

    Hello Everyone,
    This is my first post so please forgive me if I miss something. I have an ASA5512 running 8.6(1)2 that I am trying to NAT a public IP address from my ISP to multiple phone systems on the inside of my network. One of these phone systems is at the same site as the ASA5512 and I have no problems getting this one to work with my current config. The problem comes when I apply the same type of NAT rule that works at the main site to allow NAT to the other sites. These sites are connected via a point-to-point system from our ISP. The point-to-point does not seem to be an issue as I can ping any device at our other sites and I can RDP into computers and servers at the other sites. I can also call internally between sites, but when I try to call the other sites from my cell I can't get through. Also, when I forward one of the extensions at the other sites to my cell and then call internally, I do not get an outside line.
    In the config below you can see that I've applied the same NAT and ACL rules to the adminphonesystem and the deltaphonesystem objects. The adminphonesystem can make calls and receive them with no issues. The deltaphonesystem cannot make or receive calls from outside our network. Only internal calls are working for the deltaphonesystem. I've done packet traces in every which way and corrected any issues that I have found with no fix to the problem. So I cleaned up my config and posted it here. I really hope someone can give me a few pointers in getting this problem solved.
    On another note, I have a Cisco ASA5505 with SmartNet support. So I throw it in place of the 5512 and call Cisco support. A tech calls me back and we get everything working perfectly on the 5505 with a few simple rules. I say thank you and have a nice day. Then I throw the 5512 back in and replicate the rules from the 5505 that were working. Both of these units are using the new NAT setup that was released after 8.3. To my surprise the 5512 doesn't work even though I have the same rules as the 5505. If anyone can answer that side question, please do.
    ASA Version 8.6(1)2
    hostname AdminASA
    domain-name
    enable password encrypted
    passwd encrypted
    names
    interface GigabitEthernet0/0
    shutdown
    no nameif
    security-level 0
    no ip address
    interface GigabitEthernet0/1
    nameif Outside
    security-level 0
    ip address 76.320.333.43 255.255.255.224
    interface GigabitEthernet0/2
    nameif Inside
    security-level 100
    ip address 10.1.99.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif P2P
    security-level 100
    ip address 10.2.99.2 255.255.255.0
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns server-group DefaultDNS
    domain-name corp.centermh.org
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network DeltaNetwork
    subnet 10.1.96.0 255.255.255.0
    object network GunnisonNetwork
    subnet 10.1.97.0 255.255.255.0
    object network MiamiNetwork
    subnet 10.1.98.0 255.255.255.0
    object network NuclaNetwork
    subnet 10.1.93.0 255.255.255.0
    object network TellurideNetwork
    subnet 10.1.94.0 255.255.255.0
    object network AdminPhoneSystem
    host 10.1.99.225
    description Inside IP Address of Admin Phone System
    object network DeltaPhoneSystem
    host 10.1.96.225
    description Internal IP Address of Delta Phone System
    object network AdminPhonePublic
    host 76.320.333.48
    description Public IP Address of Admin Phone System
    object network FastTrackPhone
    host 234.213.124.81
    description FastTrack SIP Trunk Authtication IP Address
    object network FastTrackMonitor
    host 290.230.195.8
    description FastTrack Monitoring server
    object network DeltaPhonePublic
    host 76.320.333.51
    description Public IP Address of Delta Phone System
    object-group icmp-type ICMP-All
    icmp-object echo
    icmp-object echo-reply
    icmp-object information-reply
    icmp-object information-request
    icmp-object time-exceeded
    icmp-object timestamp-reply
    icmp-object timestamp-request
    icmp-object traceroute
    icmp-object alternate-address
    icmp-object conversion-error
    icmp-object mask-reply
    icmp-object mask-request
    icmp-object mobile-redirect
    icmp-object parameter-problem
    icmp-object redirect
    icmp-object router-advertisement
    icmp-object router-solicitation
    icmp-object source-quench
    icmp-object unreachable
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list global_access extended permit icmp object FastTrackMonitor any object-group ICMP-All
    access-list Local_access_in extended permit ip any any
    access-list MPLS_access_in extended permit ip any any
    access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object DeltaPhoneSystem eq sip
    access-list CTN_access_in extended permit icmp object FastTrackPhone object DeltaPhoneSystem object-group ICMP-All
    access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object AdminPhoneSystem eq sip
    access-list CTN_access_in extended permit icmp object FastTrackPhone object AdminPhoneSystem object-group ICMP-All
    pager lines 24
    logging enable
    logging asdm informational
    mtu Outside 1500
    mtu Inside 1500
    mtu P2P 1500
    mtu management 1500
    ip local pool vpnUsers 10.1.99.200-10.1.99.210 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
    nat (Inside,Outside) source static AdminPhoneSystem AdminPhonePublic no-proxy-arp
    nat (P2P,Outside) after-auto source dynamic any interface
    nat (Inside,Outside) after-auto source dynamic any interface
    access-group Outside_access_in in interface Outside
    access-group Inside_access_in in interface Inside
    access-group P2P_access_in in interface P2P
    access-group global_access global
    route Outside 0.0.0.0 0.0.0.0 76.320.333.42 6
    route P2P 10.1.93.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.94.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.95.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.97.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.98.0 255.255.255.0 10.2.99.1 1
    route P2P 10.2.93.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.94.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.95.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.96.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.97.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.98.0 255.255.255.0 10.2.99.1 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.1.99.0 255.255.255.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.1.99.0 255.255.255.0 Inside
    ssh 192.168.1.0 255.255.255.0 management
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 128.138.140.44 prefer
    webvpn
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    username privilege 15
    username privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    contact-email-addr
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 8
      subscribe-to-alert-group configuration periodic monthly 8
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:
    : end

    Hi,
    If I am not mistaken, then at least one big problem is the source interface in the other NAT configuration command.
    You have this:
    nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
    Yet you have this "object network" and "route":
    object network DeltaPhoneSystem
    host 10.1.96.225
    route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
    So it seems to me that your NAT configuration should be:
    nat (P2P,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
    Just as a side note, I personally prefer to configure Static NAT with Network Object NAT. With those configurations your Static NAT configurations would look like this:
    object network DeltaPhoneSystem
    host 10.1.96.225
    nat (P2P,Outside) static 76.320.333.51
    object network AdminPhoneSystem
      host 10.1.99.225
      nat (Inside,Outside) static 76.320.333.48
    Also one very important note: if you are using multiple public subnets on your ASA "Outside" interface, then the way this is implemented by your ISP matters a lot.
    If the ISP has configured one public subnet between its gateway device and your ASA and routed the other subnet(s) towards the ASA's "Outside" interface IP address, then there is no problem.
    If the ISP has configured both (or all) public subnets on their gateway interface (the others as "secondary" subnets), then you will (to my understanding) run into a problem with ARP for non-connected networks on the ASA. To correct this you would need to either change the setup to the first option with the ISP or update your ASA software to 9.0(2) or possibly 9.1(2) to get access to the command "arp permit-nonconnected".
    Here is the section from the release notes that also explains the command's purpose:
    ARP cache additions for non-connected subnets
    The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate a denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.
    You may want to use this feature if you use:
    • Secondary subnets.
    • Proxy ARP on adjacent routes for traffic forwarding.
    We introduced the following command: arp permit-nonconnected.
    Also available in 8.4(5).
    If you want to take a look at a NAT 8.3+ document I made here on the CSC, then follow this link:
    https://supportforums.cisco.com/docs/DOC-31116
    Hopefully the above helps with your problem.
    Please do remember to mark the reply as the correct answer if it answered your question.
    Ask more if needed.
    - Jouni

  • NAT support - how to obtain the public IP address?

    Hi
    I am developing an instant messenger in which users can start a conversation with another user through obtaining the IP address of the intended recipient from a mySQL database on the web server.
    This works fine within a local network. However, the address in the database upon user login is the private IP address within the LAN and not the global address - consequently my software cannot be used outside the LAN currently.
    Is it possible to use a method within the java.net library to send the public (global) address of the client to a server? And if so, how can I handle the ability to receive a reply from the server (which would arrive at the public IP the message was sent from, i.e. the NAT firewall) so that it is delivered to the correct port and private IP on the client?
    Joe Barber

    If the server is on the public internet and the client is on a private network, the server will see the public address and port, and can get it from a connected socket. Unfortunately, if the NAT box uses DHCP there is no guarantee that this will be the same next time, so persisting that value in a database is not a good idea. If both the client and server are behind NAT gateways, they cannot directly establish calls. The better choice for these kinds of systems is to run the server on the public internet on a well-known address and have your clients connect to the server.
    You will find lots of discussion on the difficulties of NAT and P2P on this forum and by looking in Google.

  • DMVPN Hub and Spoke behind NAT device

    Hi All,
    I have seen many documents about a DMVPN Hub behind NAT or a DMVPN Spoke behind NAT.
    But my case involves both situations.
    1) HUB has a Load Balancer (2 WAN links) ISP A & B
    2) Spoke has a Load Balancer (2 WAN links) ISP A & B
    Now the requirement is Spoke ISP A tunnels to HUB ISP A, and Spoke ISP B tunnels to HUB ISP B.
    So a total of two DMVPN tunnels from spoke to hub, and I will use EIGRP and PBR to select the path.
    As I know, at the HUB site the LB must do Static NAT for the HUB router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will do policy routing to reach the HUB ISP A IP via the Spoke ISP A link, and the HUB ISP B IP via the Spoke ISP B link.
    HUB and Spoke have to create 2 tunnels with two different network IDs but using the same source interface.
    The tunnel destination IP at the spoke router does not directly belong to the HUB router. It is held by the HUB LB and forwarded to the HUB router by Static NAT.
    Any problems I will face with this setup? Any guide?
    Sample config at HUB:
    interface Tunnel0
     bandwidth 1000
     ip address 172.16.1.1 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 600
     delay 1000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 0
     tunnel protection ipsec profile cisco
    interface Tunnel1
     bandwidth 1000
     ip address 172.17.1.1 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 2
     ip nhrp holdtime 600
     delay 1000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile cisco
    Spoke Config
    interface Tunnel0
     bandwidth 1000
     ip address 172.16.1.2 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map 172.16.1.1 199.1.1.1
     ip nhrp network-id 1
     ip nhrp holdtime 300
     ip nhrp nhs 172.16.1.1
     delay 1000
     tunnel source FastEthernet0/0
     tunnel destination 199.1.1.1
     tunnel key 0
     tunnel protection ipsec profile cisco
    interface Tunnel1
     bandwidth 1000
     ip address 172.17.1.2 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map 172.17.1.1 200.1.1.1
     ip nhrp network-id 2
     ip nhrp holdtime 300
     ip nhrp nhs 172.17.1.1
     delay 1500
     tunnel source FastEthernet0/0
     tunnel destination 200.1.1.1
     tunnel key 1
     tunnel protection ipsec profile cisco

    Hi Marcin,
    thanks for your reply. The NAT was set up the way it was/is just to simulate the spoke being behind a NAT device.
    About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. In the end, TAC actually assisted me with this. Before I called TAC, I did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that did not work, and it has to do with NAT and AH. Traffic was no longer NATed, so the hub saw the traffic come from 2.2.2.2 rather than 3.3.3.3; you can also see that in the error message you pointed out. I also saw it in my packet captures. That caught my eye and I started troubleshooting it. I did not understand that AH can't be NATed. Below is TAC's explanation. All is good now. Thanks
    "Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum. Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
    Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check. In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."
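    The TAC explanation above in working form, as an added example that is not from the thread or from Cisco: it models the AH integrity check with the mutable IP header fields masked as RFC 4302 prescribes, then applies the NAT rewrite from the post (2.2.2.2 becomes 3.3.3.3) and a plain router hop, and shows why only the NAT case fails AH while ESP is unaffected. The hub address 198.51.100.1, the key and the payload are constructed placeholders, and HMAC-SHA256 truncated to 12 bytes stands in for whatever integrity algorithm the SA negotiated.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed SA key for the demo, not a real one

def ip_header(src, dst, proto=51, ttl=64):
    """Constructed 20-byte IPv4 header, no options; proto 51 = AH, 50 = ESP."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """AH (RFC 4302) zeroes the mutable fields before computing its ICV:
    DSCP/ECN, flags+fragment offset, TTL and header checksum. Addresses stay."""
    b = bytearray(hdr)
    b[1] = 0; b[6:8] = b"\x00\x00"; b[8] = 0; b[10:12] = b"\x00\x00"
    return bytes(b)

def ah_icv(key, hdr, payload):
    """AH integrity check value covers the masked outer IP header plus payload."""
    return hmac.new(key, zero_mutable(hdr) + payload, hashlib.sha256).digest()[:12]

def esp_icv(key, esp_body):
    """ESP ICV covers only the ESP header/payload, never the outer IP header."""
    return hmac.new(key, esp_body, hashlib.sha256).digest()[:12]

def nat_rewrite(hdr, new_src):
    """The NAT device's change: new source address, TTL-1 (checksum fix-up omitted)."""
    b = bytearray(hdr); b[12:16] = socket.inet_aton(new_src); b[8] -= 1
    return bytes(b)

def router_hop(hdr):
    """A plain router hop only decrements TTL, a mutable field AH ignores."""
    b = bytearray(hdr); b[8] -= 1
    return bytes(b)

def ah_passes(src, dst, transform, payload=b"GRE tunnel data"):
    """Does the hub's AH check pass after `transform` is applied in transit?"""
    hdr = ip_header(src, dst)
    sent = ah_icv(KEY, hdr, payload)
    return hmac.compare_digest(sent, ah_icv(KEY, transform(hdr), payload))

def esp_passes(src, dst, transform, payload=b"GRE tunnel data"):
    """Same check for ESP: the rewritten header is not part of the ICV."""
    sent = esp_icv(KEY, payload)
    transform(ip_header(src, dst, proto=50))  # header change has no effect
    return hmac.compare_digest(sent, esp_icv(KEY, payload))
```

    Calling `ah_passes("2.2.2.2", "198.51.100.1", lambda h: nat_rewrite(h, "3.3.3.3"))` is the hub-side drop the post describes; the same call with `router_hop` passes because TTL is a mutable field.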

  • Conversion factor plant or any other organizational unit wise

    Dear Experts,
    Is it possible to maintain the conversion factor between the base unit and the alternate unit per plant or any other organizational unit?
    Please suggest.
    Rgds

    Dear,
    what you have to do is:
    Go to MM02...
    If, say, your Base UOM is EA and you want to maintain Carton as the Alternate UOM...
    then give EA in Base UOM... Now click on Additional Data, click on the Unit of Measure tab... Here you maintain your conversion factor for EA and Carton...
    If at all you are at client level, then also no issues, as these are maintained at master level.
    These data are maintained at client level.
    Regards
    Utsav

  • RFUMSV00 currency conversion with plants abroad

    I have plants abroad activated and wish to execute the ABAP in the currency of the tax return by setting the "nat. currency instead of local currency" flag. My question is which currency exchange type it uses to execute this and which date it uses for the currency conversion. Is there an OSS or implementation link which explains this?
    Thanks for any help.

    Hello,
    Please have a look at note 175141. The reporting of the tax advance with RFUMSV00 is done in Local Currency. Amounts in Second or Third Currency do not play a role. Also: the transaction currency and the exchange rate are used during posting to determine the amounts in Local Currency.
    Exceptions are when the 'Plants Abroad' configuration is used.
    => selection button 'National Currency Instead of Local Currency'.
    Please review also notes 1055835 and 1026865 in case of a specific country.
    Hope this helps,
    regards
    Ray

  • SIP ALG / SIP NAT Traversal

    I have a 2900 series router running IOS version 15.1(4). I am trying to connect 3rd party SIP softphones to a 3rd party SIP call controller on the inside. With low-cost firewall/gateways, I normally enable the SIP ALG feature and it will dynamically open the UDP ports for a SIP conversation for the duration of it and then close them. Does Cisco IOS firewall have a SIP ALG feature and how do I configure it? Any guidance is much appreciated.
    Eddie

    I'm trying to connect a SIP softphone (on the outside) to an IP PBX on the inside. I am seeing postings that say that "ip nat service sip" is the command that enables that feature, and others say that it breaks it. So far my testing shows that it does break it. Ultimately I want my outside softphone to register to the phone system as an external IP address. It seems like SIP normally relays the internal IP address and the ALG router will make the translation on outbound and send it to the right source.

  • NTSC 24p conversion for PAL project

    I've got a "conversion" issue I'm wondering if I can get some help with.
    I'm working on a project primarily shot in PAL DV, though there are a handful of tapes shot 24p advanced NTSC. I've already captured all of the footage (everything is at Photo Jpeg resolutions to save drive space. The NTSC 24p footage was captured at 29.97- this is how it appears on the tape). Now I'm wondering the easiest and most efficient way of working with the NTSC and PAL footage together in the same PAL timelines.
    I spoke with Graeme Nattress today and he suggested recapturing and removing the pulldown with Cinema Tools which I don't really know how to do. I'm sure it's basic and do-able, but if I can avoid recapturing all of the NTSC footage, I'd like to.
    So, I figure I can convert the NTSC footage to PAL via Compressor or the Nattress converter, but as far as I understand, I won't be able to preserve the tape source timecode. This is an issue for me, since I've captured everything at low (Photo JPEG) resolutions, and will have to return to the master tapes for onlining.
    If I've gotta deal with recapturing or with potentially eye-matching all of the NTSC footage when we get to online, so be it. If there's another- that'd be better obviously. Any other thoughts or suggestions would be really appreciated.
    Many thanks, and happy new year.
    Nate Smith
    System:
    G5 Dual 2ghz
    2 gb memory
    Final Cut Pro 4.5
    2 external 250 gb Lacie firewire drives

    Welcome to the forum Nate!
    The only way I can think of that would preserve the TC would be to edit the 29.97 footage directly into the PAL sequence... Never tried this and wonder about bugs in the area surrounding the recapture, but it should recapture OK... I'd do a test of this to make sure the workflow will work OK... I'll also add that the NTSC footage will probably look pretty rough in the offline res when played back (and rendered each time you want to use it) in the PAL offline sequence... but that may not be such an issue. If it is, then you'll have to do what Graeme suggested first, then eyeball it all in the online session as you've guessed. OR maybe just put it in twice on top of itself: lower video track being the NTSC directly cut in, and upper track being the "transformed" version of the same. Delete V2 when you recapture...
    In any event, you'll still need to do what Graeme suggests for the online session. His plugin will make the time needed to change the NTSC to PAL go a lot faster than using Compressor... and removing the pulldown pattern in Cinema Tools is a snap actually. It's just a matter of importing the shot needed, then selecting Remove Pulldown Pattern from the File menu. Read the instructions on page 192 of CT's Help, it's really easy to do... Be sure that the footage is shot 24P and not 24PA... if PA, you'll want to recapture it removing the advanced pulldown pattern on the fly with FCP and you won't need to use CT at all in this scenario, just Compressor or Graeme's plugin to change that 24p to PAL...
    HTH
    Jerry

  • UDP Nat Traversal Issue

    Hey folks, I have a 5505 with Sec+ behind some public IPs for an Avaya remote VoIP SIP application on Android/iOS mobile. No SBC at the current time, and I'm trying to get the app through the 5505 for both UDP/RTP and TCP (presence, chat, etc.). All TCP ports seem to be following the NAT translation just fine, but my RTP streams are having an issue (no audio in either direction). All TCP traffic for the same mobile VoIP application is working just great via NAT (this traffic goes to an internal server with an object in the ASA titled UC-Server). Ironically, Avaya video conferencing with the same style of NAT also works just fine for RTP via NAT.
    The VoIP app guide says 54000-54500 for the RTP stream and that this should be forwarded internally to the IP phone system (IP-Office is our object in the ASA) when hitting the public IP dedicated to external VoIP (object UC-Public). I have attached a Wireshark capture of the outside interface (inbound & outbound traffic) of the RTP traffic on the 5505. I also have a screenshot of the NAT rule on the GUI side and CLI side.
    Here's the kicker: we created a NAT rule identical to the 54000-54500 rule but for the other side of the conversation (9578 in this call example) and audio was perfect in both directions. However, we noticed that depending on how the remote VoIP client is connected to the internet (whether on 4G or Wi-Fi, etc.) the other side of the port range (not the 54000-54500) can change by a large margin. I really don't want to just snag all possible ports moving in the other direction, as they change dynamically and over a wide range.
    I am not sure why the existing NAT statement is not working and the return traffic won't just follow the open socket?

    I am still confused on why creating the "client side" NAT rule would have any effect in this scenario. The ASA should be seeing the return port traffic on the 54000-54500 range. When comparing other Wireshark traffic to this, the flow is set up properly and the port direction Wireshark shows is proper as well.
    Thoughts?
