8.2 to 8.3 nat conversion
Hi guys,
I have a problem converting a static NAT from the FWSM to ASA 8.3 or later.
I have an FWSM which we are migrating to an ASA. The FWSM has the static NAT statement below:
static (v123,v546) 10.10.10.0 10.10.20.0 netmask 255.255.255.0
When I look at the translations on the FWSM related to the above, the last octet of the mapped address and the real address is always the same (like below).
sh xlate | i 10.10.20.
Global 10.10.10.201 Local 10.10.20.201
Global 10.10.10.211 Local 10.10.20.211
Global 10.10.10.204 Local 10.10.20.204
Global 10.10.10.211 Local 10.10.20.211
Global 10.10.10.204 Local 10.10.20.204
I know that is possible in 8.2 and below.
How can I convert the same in 8.3 or later? I mean, the last octet of the mapped and real address should be the same during translation.
If I use a dynamic mapped address then there will be a different mapped address after each connection. I haven't found an example with static.
Thanks in advance.
We now call it Twice NAT.
object network n10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
exit
object network n10.10.20.0_24
subnet 10.10.20.0 255.255.255.0
exit
nat (v123,v546) source static n10.10.10.0_24 n10.10.10.0_24 destination static n10.10.20.0_24 n10.10.20.0_24
Here's a helpful link:
http://forum.packetbin.com/projects/CiscoASA84NATGenerator
Also look for Jouni Forss's NAT 8.3+ explanation here in the forums.
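As an added example (not code from the thread, from Cisco or from the linked generator), the following script rewrites a pre-8.3 `static (real_ifc,mapped_ifc) mapped real netmask` line into 8.3+ network objects plus a twice-NAT statement, and checks the `show xlate` lines quoted in the question against the one-to-one mapping such a subnet static produces. The interface names and the `n<network>_<prefix>` object naming are taken from the thread; everything else is assumed.

```python
"""Convert a pre-8.3 (FWSM / ASA 8.2) net-to-net static into 8.3+ NAT objects.

Added example for this thread, not code from the forum or from Cisco.  Object
names follow the thread's n<network>_<prefix> convention; interface names and
the sample xlate lines come from the question.
"""
import ipaddress
import re

# Old syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^\s*static\s+\(\s*(?P<real_ifc>[^,\s]+)\s*,\s*(?P<mapped_ifc>[^)\s]+)\s*\)\s+"
    r"(?P<mapped>\d+(?:\.\d+){3})\s+(?P<real>\d+(?:\.\d+){3})"
    r"\s+netmask\s+(?P<mask>\d+(?:\.\d+){3})\s*$"
)
# 'show xlate' prints "Global <mapped> Local <real>"
XLATE_RE = re.compile(
    r"Global\s+(?P<mapped>\d+(?:\.\d+){3})\s+Local\s+(?P<real>\d+(?:\.\d+){3})"
)


def parse_static(line):
    """Split an old-style static into its interfaces and the real/mapped subnets."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not a pre-8.3 static statement: {line!r}")
    # ipaddress accepts a dotted netmask after the slash
    real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
    mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
    return {"real_ifc": m["real_ifc"], "mapped_ifc": m["mapped_ifc"],
            "real": real, "mapped": mapped}


def object_name(net):
    """Object naming in the thread's style: n<network>_<prefix length>."""
    return f"n{net.network_address}_{net.prefixlen}"


def to_asa83(stmt):
    """Emit the 8.3+ equivalent: two network objects and one twice-NAT line.

    A subnet-to-subnet static maps each host by its offset inside the subnet,
    which is what keeps the last octet identical on the real and mapped side.
    The (real_ifc,mapped_ifc) order is the same as in the old static command.
    """
    out = []
    for net in (stmt["real"], stmt["mapped"]):
        out.append(f"object network {object_name(net)}")
        if net.prefixlen == 32:
            out.append(f" host {net.network_address}")
        else:
            out.append(f" subnet {net.network_address} {net.netmask}")
    out.append(
        f"nat ({stmt['real_ifc']},{stmt['mapped_ifc']}) source static "
        f"{object_name(stmt['real'])} {object_name(stmt['mapped'])}"
    )
    return "\n".join(out)


def translate(stmt, real_host):
    """Mapped address the static produces for one real host (same offset)."""
    host = ipaddress.ip_address(real_host)
    if host not in stmt["real"]:
        raise ValueError(f"{real_host} is outside {stmt['real']}")
    offset = int(host) - int(stmt["real"].network_address)
    return str(stmt["mapped"].network_address + offset)


def verify_xlate(stmt, show_xlate):
    """Check 'show xlate' output against the static; returns (global, local, ok)."""
    results = []
    for m in XLATE_RE.finditer(show_xlate):
        try:
            ok = translate(stmt, m["real"]) == m["mapped"]
        except ValueError:
            ok = False
        results.append((m["mapped"], m["real"], ok))
    return results


# The static from the question and three of its xlate lines (constructed input
# for this example, copied from the thread).
OLD_STATIC = "static (v123,v546) 10.10.10.0 10.10.20.0 netmask 255.255.255.0"
SAMPLE_XLATE = """\
Global 10.10.10.201 Local 10.10.20.201
Global 10.10.10.211 Local 10.10.20.211
Global 10.10.10.204 Local 10.10.20.204
"""

if __name__ == "__main__":
    stmt = parse_static(OLD_STATIC)
    print(to_asa83(stmt))
    for mapped, real, ok in verify_xlate(stmt, SAMPLE_XLATE):
        print(f"{real} -> {mapped}: {'matches' if ok else 'MISMATCH'}")
```

Because the real object and the mapped object are the same size, every real host gets exactly one fixed mapped address, so the behaviour seen in the FWSM xlate table is preserved without dynamic NAT.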
Similar Messages
Hi,
I am looking at the NAT statement below in our system, but I don't understand what it means or what the purpose of this statement is.
This NAT statement is on a VPN ASA, and I understand that it means any source traffic on the OUTSIDE interface hitting the OUTSIDE interface towards destination NETWORK_OBJ_192.168.1.0_24 keeps its source and destination the same.
But what's the purpose of this statement?
nat (Outside,Outside) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (Outside,Outside) source static any any destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp route-lookup
Thanks
Hi,
With regards to the NAT0 configuration for the traffic between the 2 VPN networks, I would configure it in the following way:
object network VPN-1
subnet 192.168.1.0 255.255.255.0
object network VPN-2
subnet 192.168.2.0 255.255.255.0
nat (OUTSIDE,OUTSIDE) source static VPN-1 VPN-1 destination static VPN-2 VPN-2
This should handle the NAT0 between these 2 VPN networks without resorting to 2 "nat" commands.
Of the 2 other configurations you mention next, the first one seems to be a normal Dynamic PAT configuration between LAN and WAN.
The second configuration seems a bit odd and I would have to guess that it's the result of an automatic NAT conversion, perhaps? Have you updated the software on this ASA unit from older 8.2 (or older) software? It might be related to having the "nat-control" setting on the old software. I am however not 100% sure, as I convert the configurations manually.
- Jouni -
I've been running a FileZilla FTP server for over 2 years now. When I first got into FTP was actually the first time I had to do port forwarding. Forward router external 21 TCP to 21 on the LAN, everything good, FTP works. A few days ago the old router died and to get a new one I went for a WRT54GH. When I set it up I also made sure to forward port 21 to the machine. Now I try accessing the FTP and after a long wait I get an error 425 cannot open data connection.
I rechecked and double-checked: not only is the port properly forwarded, but FileZilla actually gets the request and the two negotiate a little. Since I changed nothing in the FTP, and since the FTP still works fine over LAN IPs, I will of course blame the router!
What am I to do and how do I fix this issue?
I normally do not double-post, but I fixed it and I'm leaving this info here for future reference to others:
It appears that - at least with the first version of the firmware - the router tampers with network packets if it sees them being sent over port 21. It changes their PASV commands' IPs to LAN, which connecting clients can't work with. Furthermore there appears to be some other obscure port opening issue once the connection is established.
In order to get around the router's arbitrary NAT conversion, one must forward external port 21 to some other internal port, for example 12345. The FTP server on the machine then has to be configured to listen to that port. This will get around the NAT issue.
For the second issue, the server's PASV mode must be given a fixed port range, for example 65000 to 65100, and in turn those ports must be forwarded to the FTP-hosting machine in the router's settings.
---Important set of notes regarding single and multiple port forwards!---
Ports forwarded before changing the LAN IP range (ex. 192.168.1.x to 192.168.0.x) MUST be unchecked, saved, and re-checked, else the rules will no longer work! Furthermore, if the SPI firewall settings are modified in any way, all port ranges (ranges, not single ports) MUST be unchecked, saved, and re-checked in order to work! As yet another note, DMZ seems to have similar issues. Not knowing about these issues can lead to unexpected results when setting up not only the FTP but also other apps that rely on forwarding, since the router will claim a set of active settings but not use it.
N82 V30.0.013 Bluetooth and Wireless LAN problems
I am using an N82, but it looks like there are similar problems with everything using similar firmware. I didn't have any of these problems with the V20 firmware that came with the phone or after the first V20 upgrade I used.
I find that my wireless LAN connections sometimes only let me browse a few pages before I get the "web connection timed out" message. If I change wireless LAN connection (I have two, mostly for testing purposes) I can continue browsing. Of course the same error may happen, causing me to switch again. Sometimes it just works. Both have WPA set up and the passwords are clearly correct. If I use Real Player I can typically listen for as long as I like. Sometimes the connection to the server will drop for Real Player but reconnecting will work (I don't have to change wireless LAN network). With the web browser it seems like the data connection is dead, not a server timing out: the message appears instantly. I think I have seen the same problem once with my 3G connection, but I haven't recreated it. Could be my imagination!
I have never had any problems with IMAP email using either the Nokia client or Profimail on either the wireless LAN connection or 3G. It leads me to believe that there is nothing wrong with the wireless LAN side of things and it may be more to do with the web browser, or perhaps just that the email clients are only talking to one server helps (DNS problems?). Has anyone experienced similar problems with an alternative browser?
I have also found that when I get to work my bluetooth dongle doesn't connect to my phone. If I disable/enable bluetooth on my phone it will connect. I had this problem with my N80 with the first firmware I had on it and the problem went away after an upgrade.
So, it seems that both connections are fixed by turning them off and on again.
I am just about to start on a project where we are moving from old Cyberguard firewalls to ASA 5520 firewalls. I was wondering if anyone has a rule-base conversion tool that would be able to do a lot of the basic work, and some of the NAT conversions?
Hello Glenn
To be honest with you, I do not think there is a conversion tool from that firewall to our ASA.
I would recommend reading and analyzing the configuration guides for the ASA, or if you have any question related to the ASA setup, let us know.
We will be more than glad to help!!
Regards,
Do rate all the helpful posts
Julio
DSL Modem and Wireless Router problems
I started to have problems on Tuesday.
My Equipment is:
Dell Precision 870 PC with an Intel Pro network card
Apple iMac with the Apple LAN connection
Linksys/Cisco E3000 (problem started with a Linksys WRT610N router)
Verizon (Actiontec) GT701C DSL modem
I came down to my office and I noticed that the DSL light on my modem was not lit. In the past this has meant that there is a problem in the Central Office. Later in the day I got hold of Verizon tech support and we got the DSL running again with the modem connected to either computer.
When I connect the router to the modem and the computers to the router, Dell via wire and Apple via wireless 5.0 GHz 802.11N inout, and restart both the router and the modem, I get connectivity through the router and the modem but the DSL light on the modem is not lit. After a long period of time the DSL light may come on, then I lose connectivity.
Everything was working correctly until late Monday night/early Tuesday morning.
I have reset both the modem and routers to factory defaults several times. I have a problem when trying to get connectivity with the modem after setting it up again, and it takes me to the Verizon DSL startup site. Tech support walked me through using the "192.168.1.1/verizon/redirect" and shutting the redirect off. I then have connectivity as long as the router is not connected.
I thought the router went, so I just installed a new router, the Linksys/Cisco E3000, and I still have the DSL light problem.
Having both routers on the same IP address is a little bit confusing, but possible since each router creates its own subnet and provides full PNAT support. The Actiontec DSL modem has to have DHCP enabled since the Linksys WAN (not LAN) port should be connected to one of the 4 Actiontec LAN ports. The Linksys should not have any configuration set up in regards to your WAN account. Just set it to dynamic address. In other words:
1. RJ-11 connects to the Actiontec modem/router.
2. The Actiontec modem should be configured to acquire an IP address from Verizon and to provide all authentication info to Verizon.
3. The Actiontec modem should be configured to allow clients to acquire dynamic IP addresses -- DHCP enabled.
4. The Linksys WAN (not LAN!) port should be connected to an Actiontec LAN port.
5. The Linksys should be configured to acquire a dynamic IP address and no authentication.
6. Configure the Linksys to be DHCP enabled, or you can use static IP addresses if you want.
7. Wireless devices would be connected to the Linksys, and on the way to the Internet addresses would go through double NAT conversions. Any wired device connected to the Linksys would have similar features. Any device connected to the Linksys should be able to connect to 192.168.1.1 assigned to the Linksys, but not to the Actiontec.
8. To be able to connect, the Linksys and Actiontec would not be able to communicate unless you split 192.168.1.0/24 into smaller subnets and set specific routes in the table. But even if you do so you will not be able to access 192.168.1.1 across the subnet boundary.
Hope it helps.
NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above
Hi folks,
I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASAs, so I'm doing the configs up front!
Everything seems straightforward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3; the PIX was running v6 and I'm used to doing mainly static one-to-one NAT in ASDM.
The scenario is that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behind the NAT / PAT. The current config of the PIX is as follows (obviously the names are defined further up the config, so this is an extract of the PIX):
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 2 Host_2 255.255.255.255 0 0
nat (inside) 2 Host_3 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 1 Host_6 255.255.255.255 0 0
nat (inside) 1 Host_7 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
ASA Config
After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following. Also, is it easier to just do this in ASDM? It looks pretty easy from YouTube videos, but I'd rather have something to put on the box when I arrive at site, NAT-wise, as opposed to working it out there!
Define NAT objects (outside IP addresses)
object network NAT_1_outside_10.50.50.38
host 10.50.50.38
object network NAT_2_outside_10.50.50.39
host 10.50.50.39
object network NAT_3_outside_10.50.50.49
host 10.50.50.49
exit
Define NAT objects (inside IP addresses)
object-group network NAT_1_Objects
network-object Host_4 255.255.255.255
network-object Host_5 255.255.255.255
network-object Host_6 255.255.255.255
network-object Host_7 255.255.255.255
nat (inside,outside) dynamic NAT_1_outside_10.50.50.38
object-group network NAT_2_Objects
network-object Host_1 255.255.255.255
network-object Host_2 255.255.255.255
network-object Host_3 255.255.255.255
nat (inside,outside) dynamic NAT_2_outside_10.50.50.39
object-group network NAT_3_Objects
network-object Network_1 255.255.255.0
nat (inside,outside) dynamic NAT_3_outside_10.50.50.49
Any assistance with this would be appreciated.
Cheers
Malcolm
I cannot make heads or tails of what you're trying to accomplish in plain English first, before looking at router setup.
If you're talking about hosting servers behind the router on your private LAN (assuming one public WAN IP), then one uses ACLs to control external users by individual OR GROUP and static NAT to port forward users to the correct server. One does not worry about groups of users for this direction of NAT rule.
If what you're saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers), then once again I would say you should use ACLs to limit/authorize users and simply use NAT for port translation purposes. So conceptually speaking, allow all LAN users static NAT, and then only allow group 1 hosts access to the first external IP, group 2 hosts to the second external IP, and group 3 hosts to the third external IP. Note you will have to add a deny rule in the firewall in general, because normally higher to lower security interface is allowed by default.
Am I close? Before going any further I need more details on the requirements, never mind setup.
NAT ASA5512 8.6(1)2 in and out
Hello Everyone,
This is my first post so please forgive me if I miss something. I have an ASA5512 running 8.6(1)2 on which I am trying to NAT a public IP address from my ISP to multiple phone systems on the inside of my network. One of these phone systems is at the same site as the ASA5512 and I have no problems getting this one to work with my current config. The problem comes when I apply the same type of NAT rule that works at the main site to allow NAT to the other sites. These sites are connected via a point-to-point system from our ISP. The point-to-point does not seem to be an issue, as I can ping any device at our other sites and I can RDP into computers and servers at the other sites. I can also call internally between sites, but when I try to call the other sites from my cell I can't get through. Also when I forward one of the extensions at the other sites to my cell and then call internally I do not get an outside line.
In the config below you can see that I've applied the same NAT and ACL rules to the adminphonesystem and the deltaphonesystem objects. The adminphonesystem can make calls and receive them with no issues. The deltaphonesystem cannot make or receive calls from outside our network. Only internal calls are working for the deltaphonesystem. I've done packet traces in every which way and corrected any issues that I have found, with no fix to the problem. So I cleaned up my config and posted it here. I really hope someone can give me a few pointers in getting this problem solved.
On another note, I have a Cisco ASA5505 with SmartNet support. So I throw it in place of the 5512 and call Cisco support. A tech calls me back and we get everything working perfectly on the 5505 with a few simple rules. I say thank you and have a nice day. Then I throw the 5512 back in and replicate the rules from the 5505 that were working. Both of these units are using the new NAT setup that was released after 8.3. To my surprise the 5512 doesn't work even though I have the same rules as the 5505. If anyone can answer that side question please do.
ASA Version 8.6(1)2
hostname AdminASA
domain-name
enable password encrypted
passwd encrypted
names
interface GigabitEthernet0/0
shutdown
no nameif
security-level 0
no ip address
interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 76.320.333.43 255.255.255.224
interface GigabitEthernet0/2
nameif Inside
security-level 100
ip address 10.1.99.1 255.255.255.0
interface GigabitEthernet0/3
nameif P2P
security-level 100
ip address 10.2.99.2 255.255.255.0
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name corp.centermh.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DeltaNetwork
subnet 10.1.96.0 255.255.255.0
object network GunnisonNetwork
subnet 10.1.97.0 255.255.255.0
object network MiamiNetwork
subnet 10.1.98.0 255.255.255.0
object network NuclaNetwork
subnet 10.1.93.0 255.255.255.0
object network TellurideNetwork
subnet 10.1.94.0 255.255.255.0
object network AdminPhoneSystem
host 10.1.99.225
description Inside IP Address of Admin Phone System
object network DeltaPhoneSystem
host 10.1.96.225
description Internal IP Address of Delta Phone System
object network AdminPhonePublic
host 76.320.333.48
description Public IP Address of Admin Phone System
object network FastTrackPhone
host 234.213.124.81
description FastTrack SIP Trunk Authtication IP Address
object network FastTrackMonitor
host 290.230.195.8
description FastTrack Monitoring server
object network DeltaPhonePublic
host 76.320.333.51
description Public IP Address of Delta Phone System
object-group icmp-type ICMP-All
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object alternate-address
icmp-object conversion-error
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object unreachable
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list global_access extended permit icmp object FastTrackMonitor any object-group ICMP-All
access-list Local_access_in extended permit ip any any
access-list MPLS_access_in extended permit ip any any
access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object DeltaPhoneSystem eq sip
access-list CTN_access_in extended permit icmp object FastTrackPhone object DeltaPhoneSystem object-group ICMP-All
access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object AdminPhoneSystem eq sip
access-list CTN_access_in extended permit icmp object FastTrackPhone object AdminPhoneSystem object-group ICMP-All
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu P2P 1500
mtu management 1500
ip local pool vpnUsers 10.1.99.200-10.1.99.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
nat (Inside,Outside) source static AdminPhoneSystem AdminPhonePublic no-proxy-arp
nat (P2P,Outside) after-auto source dynamic any interface
nat (Inside,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group P2P_access_in in interface P2P
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 76.320.333.42 6
route P2P 10.1.93.0 255.255.255.0 10.2.99.1 1
route P2P 10.1.94.0 255.255.255.0 10.2.99.1 1
route P2P 10.1.95.0 255.255.255.0 10.2.99.1 1
route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
route P2P 10.1.97.0 255.255.255.0 10.2.99.1 1
route P2P 10.1.98.0 255.255.255.0 10.2.99.1 1
route P2P 10.2.93.0 255.255.255.0 10.2.99.1 2
route P2P 10.2.94.0 255.255.255.0 10.2.99.1 2
route P2P 10.2.95.0 255.255.255.0 10.2.99.1 2
route P2P 10.2.96.0 255.255.255.0 10.2.99.1 2
route P2P 10.2.97.0 255.255.255.0 10.2.99.1 2
route P2P 10.2.98.0 255.255.255.0 10.2.99.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.99.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.1.99.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.138.140.44 prefer
webvpn
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
username privilege 15
username privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
contact-email-addr
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 8
subscribe-to-alert-group configuration periodic monthly 8
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
Hi,
If I am not mistaken, then at least one big problem is the source interface in the other NAT configuration command.
You have this:
nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
Yet you have this "object network" and "route":
object network DeltaPhoneSystem
host 10.1.96.225
route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
So it seems to me that your NAT configuration should be:
nat (P2P,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
Just as a side note, I personally prefer to configure Static NAT with Network Object NAT. With those configurations your Static NAT configuration would look like this:
object network DeltaPhoneSystem
host 10.1.96.225
nat (P2P,Outside) static 76.320.333.51
object network AdminPhoneSystem
host 10.1.99.225
nat (Inside,Outside) static 76.320.333.48
Also one very important note: if you are using multiple public subnets on your ASA "Outside" interface, then the way this is implemented by your ISP matters a lot.
If the ISP has configured one public subnet between its gateway device and your ASA and routed the other subnet(s) towards the ASA's "Outside" interface IP address, then there is no problem.
If the ISP has configured both (or all) public subnets on their gateway interface (the others as "secondary" subnets), then you will (to my understanding) run into a problem with ARP for non-connected networks on the ASA. To correct this you would need to either change the setup to the first option with the ISP or update your ASA software to 9.0(2) or possibly 9.1(2) to get access to the command "arp permit-nonconnected".
Here is the section from the patch notes that also explains the command's purpose:
ARP cache additions for non-connected subnets
The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
• Secondary subnets.
• Proxy ARP on adjacent routes for traffic forwarding.
We introduced the following command: arp permit-nonconnected.
Also available in 8.4(5).
If you want to take a look at a NAT 8.3+ document I made here on the CSC, then follow this link:
https://supportforums.cisco.com/docs/DOC-31116
Hopefully the above helps with your problem.
Please do remember to mark the reply as the correct answer if it answered your question.
Ask more if needed.
- Jouni -
NAT support - how to obtain the public IP address?
Hi
I am developing an instant messenger in which users can start a conversation with another user by obtaining the IP address of the intended recipient from a MySQL database on the web server.
This works fine within a local network. However, the address in the database upon user login is the private IP address within the LAN and not the global address; consequently my software cannot currently be used outside the LAN.
Is it possible to use a method within the java.net library to send the public (global) address of the client to a server? And if so, how can I handle the ability to receive a reply from the server (which would arrive at the public IP the message was sent from, i.e. the NAT firewall) so that it is delivered to the correct port and private IP on the client?
Joe Barber
If the server is on the public internet and the client is on a private network, the server will see the public address and port, and can get it from a connected socket. Unfortunately, if the NAT box uses DHCP there is no guarantee that this will be the same next time, so persisting that value in a database is not a good idea. If both the client and server are behind NAT gateways, they cannot directly establish calls. The better choice for these kinds of systems is to run the server on the public internet on a well-known address and have your clients connect to the server.
You will find lots of discussion on the difficulties of NAT and P2P on this forum and by looking in Google.
DMVPN Hub and Spoke behind NAT device
Hi All,
I have seen many documents about a DMVPN Hub behind NAT or a DMVPN Spoke behind NAT.
But my case involves both situations.
1) HUB has a Load Balancer (2 WAN links) ISP A & B
2) Spoke has a Load Balancer (2 WAN links) ISP A & B
Now the requirement is Spoke ISP A tunnels to HUB ISP A, and Spoke ISP B tunnels to HUB ISP B.
So a total of two DMVPN tunnels from spoke to hub, and I will use EIGRP and PBR to select the path.
As I know, at the HUB site the LB must do Static NAT for the HUB router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will do policy routing to reach the HUB ISP A IP via the Spoke ISP A link, and the HUB ISP B IP via the Spoke ISP B link.
HUB and Spoke have to create 2 tunnels with two different network IDs but using the same source interface.
The tunnel destination IP at the spoke router does not directly belong to the HUB router. It's held by the HUB LB, and forwarded to the HUB router by Static NAT.
Any problems I will face with this setup? Any guide?
Sample config at HUB:
interface Tunnel0
bandwidth 1000
ip address 172.16.1.1 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
interface Tunnel1
bandwidth 1000
ip address 172.17.1.1 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 600
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile cisco
Spoke config:
interface Tunnel0
bandwidth 1000
ip address 172.16.1.2 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map 172.16.1.1 199.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 172.16.1.1
delay 1000
tunnel source FastEthernet0/0
tunnel destination 199.1.1.1
tunnel key 0
tunnel protection ipsec profile cisco
interface Tunnel1
bandwidth 1000
ip address 172.17.1.2 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map 172.17.1.1 200.1.1.1
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 172.17.1.1
delay 1500
tunnel source FastEthernet0/0
tunnel destination 200.1.1.1
tunnel key 1
tunnel protection ipsec profile ciscoHi Marcin,
thanks for your reply. The NAT was set up in a way it was/is just to simulate the spoke to be behind NAT device.
About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. At the end, TAC actually assisted me with this. Before I called TAC, i did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that, did not work and it has to with NAT and AH. Traffic was no longer NATed so the hub, saw the traffic come from 2.2.2.2 rather than 3.3.3.3, you can also see that in the error message you have pointed out. I also saw it in my packet captures. That caught my eye and i started troubleshooting it. I did not understand that AH can't be NATed, Below is TAC's explanation. All is good now. Thanks
"... Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum. Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check. In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT." -
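TAC's explanation above, worked through as an added example that is not from the thread or from any Cisco tool: a model of what AH and ESP each cover in their integrity check, with a TTL decrement (tolerated by AH) beside a NAT source rewrite (not tolerated). The IPv4 header model, the key, the payload and the HMAC-SHA256/96 stand-in for the real ICV are constructed; the spoke 2.2.2.2, its NATed address 3.3.3.3 and the hub 199.1.1.1 are taken from the thread.

```python
import hmac, hashlib, struct

# Constructed demo, not from the thread: a 20-byte IPv4 header model showing why an
# AH integrity check breaks across NAT while an ESP-style check survives it.
KEY = b"constructed-demo-key"  # SA key, constructed; HMAC-SHA256/96 stands in for the real ICV

def ip2b(addr):
    return bytes(int(o) for o in addr.split("."))  # dotted quad -> 4 bytes

def ipv4_header(src, dst, ttl=64, tos=0, proto=51):
    # Minimal header; the checksum stays zero because the model never verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 1, 0, ttl, proto, 0, ip2b(src), ip2b(dst))

def ah_immutable_view(hdr):
    """Zero the mutable fields AH excludes: DSCP/ECN, flags+fragment offset, TTL, checksum."""
    b = bytearray(hdr)
    b[1] = 0                # DSCP/ECN
    b[6:8] = b"\x00\x00"    # flags + fragment offset
    b[8] = 0                # TTL
    b[10:12] = b"\x00\x00"  # header checksum
    return bytes(b)         # src/dst addresses (bytes 12-19) remain covered

def ah_icv(hdr, payload):
    """AH: ICV over the immutable IP header fields plus the payload."""
    return hmac.new(KEY, ah_immutable_view(hdr) + payload, hashlib.sha256).digest()[:12]

def esp_icv(payload):
    """ESP: ICV over the ESP header/payload/trailer only, never the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:12]

def traverse(hdr, payload, mode, nat_src=None):
    """Sender signs, each hop decrements TTL, an optional NAT rewrites the source, receiver re-checks."""
    sent = ah_icv(hdr, payload) if mode == "ah" else esp_icv(payload)
    wire = bytearray(hdr)
    wire[8] -= 1                     # TTL is mutable, so AH tolerates the decrement
    if nat_src:
        wire[12:16] = ip2b(nat_src)  # the source address is protected, so AH does not
    got = ah_icv(wire, payload) if mode == "ah" else esp_icv(payload)
    return hmac.compare_digest(sent, got)

# Addresses from the thread: spoke 2.2.2.2 is NATed to 3.3.3.3 on its way to the hub.
SPOKE, NAT_OUTSIDE, HUB = "2.2.2.2", "3.3.3.3", "199.1.1.1"
PAYLOAD = b"constructed GRE/NHRP payload"

def demo():
    """(AH with routing only, AH through NAT, ESP through NAT) -> (True, False, True)."""
    hdr = ipv4_header(SPOKE, HUB)
    return (traverse(hdr, PAYLOAD, "ah"), traverse(hdr, PAYLOAD, "ah", NAT_OUTSIDE),
            traverse(hdr, PAYLOAD, "esp", NAT_OUTSIDE))
```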
Conversion factor plant or any other organizational unit wise
Dear Experts,
Is it possible to maintain the conversion factor between base unit and alternate unit plant-wise or for any other organizational unit?
Please suggest.
Rgds
Dear
What you have to do is:
Go to MM02...
If, say, your Base UOM is EA and you want to maintain Carton as Alternate UOM,
then give EA in Base UOM... Now click on Additional data, click on the Unit of Measure tab; here you maintain your conversion factor for EA and Carton...
If at all you are at client level, then also no issues, as these are maintained at Masters level.
These data are maintained at Client level.
Regards
Utsav -
RFUMSV00 currency conversion with plants abroad
I have plants abroad activated and wish to execute the ABAP in the currency of the tax return by setting the 'nat. currency instead of local currency' flag. My question is which currency exchange type it uses to execute this, and which date it uses for the currency conversion. Is there an OSS or implementation link which explains this?
Thanks for any help
Hello,
Please have a look at note 175141. The reporting of the tax advance with RFUMSV00 is done in Local Currency. Amounts in Second or Third Currency do not play a role. Also: the transaction currency and the exchange rate are used during posting to determine the amounts in Local Currency.
Exceptions are when the 'Plants Abroad' configuration is used
=> selection button 'National Currency Instead of Local Currency'.
Please also review notes 1055835 and 1026865 in case of a specific country.
Hope this helps,
regards
Ray -
SIP ALG / SIP NAT Traversal
I have a 2900 series router running IOS version 15.1(4). I am trying to connect 3rd-party SIP softphones to a 3rd-party SIP call controller on the inside. With low-cost firewalls/gateways, I normally enable the SIP ALG feature and it will dynamically open the UDP ports for a SIP conversation for the duration of it and then close them. Does Cisco IOS firewall have a SIP ALG feature, and how do I configure it? Any guidance is much appreciated.
Eddie
I'm trying to connect a SIP softphone (on the outside) to an IP PBX on the inside. I am seeing postings that say that "ip nat service sip" is the command that enables that feature, and others say that it breaks it. So far my testing shows that it does break it. Ultimately I want my outside softphone to register to the phone system as an external IP address. It seems like SIP normally relays the internal IP address and the ALG router will make the translation on outbound and send it to the right source.
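What "the ALG router will make the translation on outbound" involves, as an added example that is not from the thread or from IOS: a minimal SIP ALG that rewrites the private address the inside host embedded in its Via and Contact headers and in the SDP, fixes Content-Length after the edit, and reports the RTP port from the m= line that it has to open for the duration of the call. The INVITE and every address and port in it are constructed.

```python
import re

# Constructed example, not from the thread or from IOS: the two jobs a SIP ALG does for
# a host behind NAT. Addresses are constructed (RFC 1918 inside, RFC 5737 outside).
INSIDE_IP, OUTSIDE_IP = "192.168.1.10", "203.0.113.5"
REWRITE_HEADERS = ("via", "contact")  # headers carrying the sender's own transport address

def split_sip(msg):
    """Split a SIP message into (start line, header lines, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body

def alg_rewrite(msg, inside=INSIDE_IP, outside=OUTSIDE_IP):
    """Rewrite the private address the endpoint embedded in Via/Contact and in the SDP
    o=/c= lines, then fix Content-Length so the peer parses the edited body correctly."""
    start, headers, body = split_sip(msg)
    new_body = "\r\n".join(
        line.replace(inside, outside) if line.startswith(("c=", "o=")) else line
        for line in body.split("\r\n"))
    new_headers = []
    for h in headers:
        name = h.split(":", 1)[0].strip().lower()
        if name in REWRITE_HEADERS:
            h = h.replace(inside, outside)
        elif name == "content-length":
            h = "Content-Length: %d" % len(new_body.encode())
        new_headers.append(h)
    return "\r\n".join([start, *new_headers]) + "\r\n\r\n" + new_body

def sdp_media_ports(msg):
    """(media, port) pairs from SDP m= lines: the UDP pinholes the ALG must open for the
    call's RTP and close again when the dialog ends."""
    _, _, body = split_sip(msg)
    return [(m.group(1), int(m.group(2))) for m in re.finditer(r"^m=(\w+) (\d+) ", body, re.M)]

# Constructed INVITE sent by the inside PBX to an outside softphone at 198.51.100.20.
SDP = ("v=0\r\no=pbx 1 1 IN IP4 192.168.1.10\r\ns=-\r\n"
       "c=IN IP4 192.168.1.10\r\nt=0 0\r\nm=audio 54000 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:phone@198.51.100.20 SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK-constructed\r\n"
          "From: <sip:pbx@example.com>;tag=1\r\nTo: <sip:phone@example.com>\r\n"
          "Call-ID: constructed-call-id\r\nCSeq: 1 INVITE\r\n"
          "Contact: <sip:pbx@192.168.1.10:5060>\r\n"
          "Content-Type: application/sdp\r\nContent-Length: %d\r\n\r\n" % len(SDP)) + SDP
```

Without the rewrite, the outside softphone would answer to 192.168.1.10 and send RTP there, which is the one-way or no-audio symptom; the From/To identities are left alone because they are not transport addresses.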
-
NTSC 24p conversion for PAL project
I've got a "conversion" issue I'm wondering if I can get some help with.
I'm working on a project primarily shot in PAL DV, though there are a handful of tapes shot 24p advanced NTSC. I've already captured all of the footage (everything is at Photo JPEG resolutions to save drive space; the NTSC 24p footage was captured at 29.97, which is how it appears on the tape). Now I'm wondering the easiest and most efficient way of working with the NTSC and PAL footage together in the same PAL timelines.
I spoke with Graeme Nattress today and he suggested recapturing and removing the pulldown with Cinema Tools which I don't really know how to do. I'm sure it's basic and do-able, but if I can avoid recapturing all of the NTSC footage, I'd like to.
So, I figure I can convert the NTSC footage to PAL via Compressor or the Nattress convertor, but as far as I understand, I won't be able to preserve the tape source timecode. This is an issue for me, since I've captured everything at low - photo jpeg- resolutions, and will have to return to the master tapes for onlining.
If I've gotta deal with recapturing or with potentially eye-matching all of the NTSC footage when we get to online, so be it. If there's another way, that'd be better, obviously. Any other thoughts or suggestions would be really appreciated.
Many thanks, and happy new year.
Nate Smith
System:
G5 Dual 2ghz
2 gb memory
Final Cut Pro 4.5
2 external 250 GB LaCie FireWire drives
Welcome to the forum Nate!
The only way I can think of that would preserve the TC would be to edit the 29.97 footage directly into the PAL sequence... Never tried this and wonder about bugs in the area surrounding the recapture, but it should recapture OK... I'd do a test of this to make sure the workflow will work OK... I'll also add that the NTSC footage will probably look pretty rough in the offline res when played back (and rendered each time you want to use it) in the PAL offline sequence... but that may not be such an issue. If it is, then you'll have to do what Graeme suggested first, then eyeball it all in the online session as you've guessed. OR maybe just put it in twice on top of itself: lower video track being the NTSC directly cut in, and upper track being the "transformed" version of the same. Delete V2 when you recapture...
In any event, you'll still need to do what Graeme suggests for the online session. His plugin will make the time needed to change the NTSC to PAL go a lot faster than using Compressor... and removing the pulldown pattern in Cinema Tools is a snap actually. It's just a matter of importing the shot needed, then selecting remove pulldown pattern from the File menu. Read the instructions on page 192 of CT's Help, it's really easy to do... Be sure that the footage is shot 24P and not 24PA... if PA, you'll want to recapture it removing the advanced pulldown pattern on the fly with FCP, and you won't need to use CT at all in this scenario, just Compressor or Graeme's plugin to change that 24p to PAL...
HTH
Jerry -
Hey folks, have a 5505 with sec+ behind some public IP's for an Avaya remote VoIP SIP application on Android/iOS mobile. No SBC at current time and trying to get the app through a 5505 for both UDP/RTP and TCP (presence, chat, etc). All TCP ports seem to be following the NAT translation just fine, but my RTP streams are having an issue (no audio in either direction). All TCP traffic for the same mobile voip application is working just great via NAT (this traffic goes to an internal server with an object in the ASA titled UC-Server). Ironically, Avaya video conferencing and the same style of NAT also works just fine for RTP via NAT.
The voip app guide says 54000-54500 for the RTP stream and that this should be forwarded internally to the IP phone system (IP-Office is our object in the ASA) when hitting the public IP dedicated to external VoIP (object of UC-Public). I have attached a wireshark of the outside interface (inbound & outbound traffic) of the RTP traffic on the 5505. I also have a screenshot of the nat rule on the GUI side and CLI side.
Here's the kicker, we created a NAT rule identical to the 54000-54500 rule but with the other side of the conversation (9578 on this call example) and audio was perfect in both directions. However, we noticed that depending on how the remote voip client is connected to the internet (whether on 4g or wifi, etc) the other side of the port range (not the 54000-54500) can change by a large margin. I really don't want to just snag all possible ports moving in the other direction as they change dynamically and by a wide range.
I am not sure why the existing NAT statement is not working and the return traffic won't just follow the open socket?
I am still confused on why creating the "client side" NAT rule would have any effect on this scenario. The ASA should be seeing the return port traffic on the 54000-54500 range. When comparing other Wireshark traffic to this, the flow is set up properly and the port direction Wireshark shows is proper as well.
Thoughts?