9.0 can a dynamic nat be used over ipsec vpn?
9.0 can a dynamic nat be used over ipsec vpn?
we have a vpn up and working between two asa's and when we run the traffic through a static nat rule the traffic passes over the vpn. When we use a dynamic nat the traffic does not get picked up by the vpn ACL.
we are disabling the nat rules to switch back and forth so even when we use the same source destination the result is the same.
Am I missing something with 9.0 code versions? If i disable all nats and pass the traffic it goes over the vpn.
So it seems when using the dynamic nat statement it pushes the traffic to the outside interface without looking at the vpn acl. Please let me know if I am off base I am a newb on post 8.3 code.
Thanks
I didn't do that at first because I remember reading something about in ver 9 to only use the unnatted IP because of order of ops. That seemed weird to me at the time.
Yes it seems that you need the nat ip like always. Should have just went with my gut on that.
Thanks
Similar Messages
-
HELP! Can Adobe Premier Pro be used over Citrix?
Can Adobe Premier Pro be used over Citrix? IS it possible? Has anybody tested it?
Thanks in advance,
Bryan> BUT there was no audio
Did you set your connection options for "Remote computer sound" to "Bring to this computer" ?
Cheers
Eddie
PremiereProPedia (
RSS feed)
- Over 300 frequently answered questions
- Over 250 free tutorials
- Maintained by editors like
you
Forum FAQ -
WRV210- Can't establish Remote Desktop Connection over IPSec
Hi there,
I changed the BEFVP41 with WRV220 and configure the VPN the same way, succeed to establish IPSec VPN connection with TGB VPN client with no problems but now Remote Desktop Doesn't work. I changed the firmware that didn't help. That didn't help as well, the answer is the same:The client could not connect to the remote computer. Remote connection might not be enabled or the computer might be too busy to accept new connections.The Remote connection works fine in local and with BEFVP41 (even thou I had different problems with this one) the only change is the WRV210....Did you have this issue?
Thank you
VesnaAs a sort of work around, you could configure a dhcp reservation for that pc. Leave the machine as dhcp but know that it will always "recieve" a specific address. I think the problem the WRV210 experiences in this situation, is the mac address table times out and it flushes the pc's mac to ip binding. Therefore, it does not know who to send the request for X ip address to, because it no longer has a mac to port mapping.
However, when the router has the client via DHCP, the dhcp protocol takes care of making sure the mac does not time out in the CAM table. When the lease is somewhat close to expiration, the client renews and everything works fine. You can staticly map up to 20 addresses in the WRV210 (confirmed with configuration in lab).
With this solution, your RDP sessions and port forwardings will continue to work, and your mac will never timeout of the CAM table.
Bill -
Can I dynamically display Page title over a static header image?
Is there a way to Dynamically Display Page Title Text Over my static site Header Image? here is a link so you can see what I am talking about. http://www.bridgestoprosperity.org/See-Our-Work/afghanistan/afghanistan.htm where Afghanistan would be the text to be replaced automatically on each page. Please note, currently, I must create individual headers, insert the page title in photoshop, etc. I am hoping to figure out a way for all this to happen dynamically perhaps by calling the text from the page title info.
Thank you,
AllanHi, Allan,
I realize my suggestion is off your point, and you probably have already thought of some of this, hence your question... But, rather than going the dynamic route, Why not create a Header Image without a title on it and use it as a div background image? Replace this
<img src="/See-Our-Work/afghanistan/Images/header/afghanistan-header.jpg" name="topnavbar_r1_c1" width="779" height="114" border="0" alt="bridges to prosperity: afghanistan">
with the styled div, for instance:
<div id="header"><h2>Afghanistan</h2><h3>Bridges to Prosperity: USA</h3><div>
At this point, you can use a more generic image for the background, one that does not have "Afghanistan" embedded in it, and you may style the #header thus:
#header {
width: 779px;
height: 114px;
border: 0;
background-image: url(/See-Our-Work/Images/header/header.jpg;)/* for instance */
and the header Headline styles thus:
#header h2, #header h3 {
color: white;
text-align: right;
font-family: Arial, Helvetica, sans-serif;
Then you can place your html (<h2>, <h3> etc.) in the same div, only on the "surface".
Using the tags <h2> and <h3> will maintain their usefulness to Search Engines; as hiding them in images does not.
If you still wished to vary the header image, depending on the contents of the page, you can actually control all of this from the CSS file, if you add an id attribute to the <body> of each page.
For instance, for your example page, if you did this:
<body id="afghanistan">
You could then do this in your CSS file:
#header {
width: 779px;
height: 114px;
border: 0;
body#afghanistan #header {
background-image: url(/See-Our-Work/afghanistan/Images/header/afghanistan-header.jpg);
You could then proceed to have a different background image for each page. (Not your original intention, but now possible).
<body id="pakistan"> would use a CSS style declaration like:
body#pakistan #header {
background-image: url(...pakistan-header.jpg...etc.);
I am not aware of being able to pass content (other than background images) using CSS, so I would go into each page and put the Headline in html.
But if you were using multiple background images in the header div (one image for afghanistan, another for pakistan, in my example), you can use the same <body id="afghanistan"> for ALL pages about Afghanistan, and thus have the continuity of the same image for all. Likewise, you could id all pages about Pakistan <body id="pakistan">.
I hope this gives you some ideas...
Z -
ASA 8.2 - Static NAT and Dynamic NAT Policy together
Hello community,
I have the following problem using a ASA with version 8.2.
1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
Thanks for your reply and help!Hello community,
I have the following problem using a ASA with version 8.2.
1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
Thanks for your reply and help! -
Hi,
I have an application that is unhappy running via dynamic NAT. The app
developers are asking me if I can turn on sticky sessions in BM's dynamic
NAT. Are there any options for tuning dynamic NAT in BM that could help?
Cheers,
DevonI just searched documentation and see that it's 5000 ports for tcp. That
will be easy to hit. The documentation says that it will just re-use the
oldest connections in a rolling fashion. I'm wondering whether that's
working properly or whether something else in the system is keeping the
state for longer.
Cheers,
Devon
>>> On 9/08/2007 at 11:21, Devon Heaphy<[email protected]>
wrote:
> Still testing, but it appears to. Part of the problem is that the
> application is very chatty and constantly opens new connections instead
> of
> using existing ones. I think the reason static NAT appears to work is
> that
> there are more source ports available for a given machine to use.
>
> Do you know the upper limit of dynamic NAT connections through BM?
>
> Cheers,
> Devon
>
>>>> On 7/08/2007 at 4:44, Craig Johnson<[email protected]> wrote:
>> In article <[email protected]>, Devon Heaphy
> wrote:
>>> I have an application that is unhappy running via dynamic NAT. The app
>>> developers are asking me if I can turn on sticky sessions in BM's
>> dynamic
>>> NAT. Are there any options for tuning dynamic NAT in BM that could
help?
>>>
>> No.
>>
>> Does it work via static NAT?
>>
>> Craig Johnson
>> Novell Support Connection SysOp
>> *** For a current patch list, tips, handy files and books on
>> BorderManager, go to http://www.craigjconsulting.com *** -
[Question] Dynamic NAT on 2 different networks
Hi,
I just want to ask if its possible to have same dynamic translation within 2 different networks like:
interface gig 0/1
1.1.1.1 255.255.255.0 (LAN Connection w/ DHCP enabled)
inteface gig 0/2
2.2.2.1 255.255.255.0 (Wireless Connection w/ DHCP enabled)
Actually, the scenario was 1.1.1.1 is my LAN connection and 2.2.2.1 are my Wireless connection.
Hope this merits their favorable response. Thanks.Hi,
Do you mean that you want both of the said LAN networks to use Dynamic NAT/PAT towards a third interface on the ASA?
If you simply want to use the same NAT/PAT address for 2 different networks on the ASA then you can use the following configurations as example
These are PAT translations to a single IP address. Using a NAT Pool would change the configurations slightly.
For ASA software 8.2 and below
global (outside) 100 3.3.3.1
nat (inside) 100 1.1.1.0 255.255.255.0
nat (wireless) 100 2.2.2.0 255.255.255.0
Where
outside,inside and wireless = Interface "nameif" on the ASA firewall
100 = Is just an ID number for the NAT configuration. You can use other one also
For ASA software 8.3 and after
object-group network PAT-SOURCE-NETWORKS
network-object 1.1.1.0 255.255.255.0
network-object 2.2.2.0 255.255.255.0
nat (inside,outside) after-auto source dynamic PAT-SOURCE NETWORKS interface
nat (wireless,outside) after-auto source dynamic PAT-SOURCE NETWORKS interface
Where
PAT-SOURCE-NETWORKS = Is an "object-group" where you can define the source networks for the NAT/PAT rule
Hope this helps Please if you found the information helpfull
Feel free to ask more if this didnt answer your question.
- Jouni -
Help with dynamic NAT and CSM 4.4 and ASA 8.3
Hello
I currently try to add a dynamic NAT rule into CSM 4.4 for a ASA 8.3 device, but I fails at the deployment with the error message:
Failed to generate delta config
The following commands have not been recognized by the Configuration Parser:
==========================
(inside,outside) source dynamic range-192.168.0.0_24 range-100.0.0.1_32 destination static any any
So let's asume we use the internal IP Range for the users is 192.168.0.0/24 and we received the public IP Address 100.0.0.1/32 from our ISP.
How do I have to do a normal dynamic NAT in CSM 4.4 for this case?
Traffic comes from inside and has to leave the outside with the changed source IP.
I would really appreciate a screenshot from CSM 4.4 which shows the correctly filled fields.
Thanks
PatrickMatty
Not familiar with SIP so can't say for sure about that in terms of ports but some comments -
1) you don't show other interfaces but presumably the LAN interface(s) has "ip nat inside" enabled
2) the PBX subnet is 10.1.1.0/24 yet your static NATs are referring to 10.18.21.2 ?
3) following on from 2) your PBX_SUBNET acl is wrong, it should be -
ip access-list extended PBX_SUBNET
permit ip 10.1.1.0 0.0.0.255 any <-- note the last octet of the wildcard mask is 255.
Edit - also assuming that any internal subnets not directy connected to the router have routes setup for them so you router knows how to get to them.
Jon -
Dynamic NAT (1841 & n00b)
Hi all. (waiting for TAC support to register me)
I'm trying to find information on setting up a Dynamic NAT for my 1841 using the SDM. I know how to do the static NATs and they seem to work fine. However, our Japan office would like Dynamic NAT. Where can I find info on how to set this up?
I have a range of server addresses on my network (E0) from 10.1.10.16 to 10.1.10.40/24. The addressing I have for these on the "outside" (E1) is 172.25.1.16 to 172.25.40/16.
I tried to set this up, but it seemed that the router duplicated all of my server addresses and my systems weren't happy.
Thanks for any assistance.
BCOK.
I had to attach it since it's too long to post.
Thanks for any insight. The router for the Japan office is 172.25.1.1. -
Dynamic NAT on selected machines
Hi
What is the best way to setup dynamic NAT if I only wanted it to function on
a group of 30 workstations.
I was considering putting these workstations into a seperate subnet, but
doesn't dynamic nat pick up all subnets on the private interface?
Any Ideas?
Thanks
Peter HPeter,
> What is the best way to setup dynamic NAT if I only wanted it to function on
> a group of 30 workstations.
> I was considering putting these workstations into a seperate subnet, but
> doesn't dynamic nat pick up all subnets on the private interface?
indeed, this won't work.
You can use NAT for everyone, and then regulate the access with packet
filters. It's a limitation of the Netware nat, indeed.
Caterina
Novell Support Connection Volunteer Sysop -
Execute Dynamic SQL statement using procedure builder
i want to execute a dynamic SQL statment using procedure builder not using forms
because my statement depending on a variable table name
i know that i can do that from forms using
FORMS_DDL('SQL_STAT');
but i wanna to use the procedure builder
which function i should use and how?
please explain in example if you don't mind.
thanksHi,
You can very well use DBMS_SQL Package supplied by Oracle for doing this.
Search for DBMS_SQL in OTN. You will get all info regarding this.
Regards.
<BLOCKQUOTE><font size="1" face="Verdana, Arial, Helvetica">quote:</font><HR>Originally posted by itslul:
i want to execute a dynamic SQL statment using procedure builder not using forms
because my statement depending on a variable table name
i know that i can do that from forms using
FORMS_DDL('SQL_STAT');
but i wanna to use the procedure builder
which function i should use and how?
please explain in example if you don't mind.
thanks<HR></BLOCKQUOTE>
null -
How to create Exchange dynamic distribution list using multivalue extension custom attribute
I am trying to create a dynamic distribution list using an ExtensionCustomAttribute. I am in hybrid mode with Exchange 2013. The syntax I have is this:
New-DynamicDistributionGroup -Name "DG_NH" -RecipientFilter {(ExtensionCustomAttribute2 -eq 'NH')}
This works correctly on-prem. But hosted always results in an empty list. I can see in dirsync the attribute is in the hosted environment, but for whatever reason, the distribution group gets created but always come up null.
If I create a group looking at the single valued attributes, such as CustomAttribute6 -eq 'Y', it works correctly on-prem and hosted.
If anyone has any suggestions I would appreciate it.I don't think I provided enough information about the problem. Let me add some and see if it makes sense.
I have an Exchange 2013 on-premise configured in hybrid mode with Office365. For testing purposes, I have 2 users, Joe and Steve, one with the mailbox on-prem, and the other with the mailbox in the cloud. Each of them has CustomAttribute6 = 'Y'
and ExtensionCustomAttribute2 = 'NH'. Dirsync shows these users and these attributes are synced between on-prem and cloud.
Using on-prem Exchange powershell, I run the following command:
New-DynamicDistributionGroup -Name "DG_NH" -RecipientFilter {((RecipientType -eq UserMailBox) -or (RecipientType -eq MailUser) -and (CustomAttribute6 -eq 'Y')}
This correctly finds the 2 users when I query for them as follows:
$DDG = Get-DynamicDistributionGroup DG_NH
Get-Recipient -RecipientPreviewFilter $DDG.RecipientFilter | FT alias
So I then delete this DG, and recreate it this time looking at the multi-value attribute ExtensionCustomAttribute2, as follows:
New-DynamicDistributionGroup -Name "DG_NH" -RecipientFilter {((RecipientType -eq UserMailBox) -or (RecipientType -eq MailUser) -and (ExtensionCustomAttribute2 -eq 'NH')}
Replaying the query above, I can see this also works fine and finds my two users.
Next I open a new powershell and connect to Office 365 and repeat the process there.
New-DynamicDistributionGroup -Name "DG_NH" -RecipientFilter {((RecipientType -eq UserMailBox) -or (RecipientType -eq MailUser) -and (CustomAttribute6 -eq 'Y')}
This correctly finds the 2 users when I query for them.
And then delete the group and recreate it using the multi-value attribute:
New-DynamicDistributionGroup -Name "DG_NH" -RecipientFilter {((RecipientType -eq UserMailBox) -or (RecipientType -eq MailUser) -and (ExtensionCustomAttribute2 -eq 'NH')}
When I run the query this time it produces no result. Every test I try results in an empty group if I am using a multi-valued attribute in the search criteria in the cloud. If I use single valued attribute, it works fine.
I really need to be able to get multi-valued DDG's working in the cloud. If anyone has done this and has any suggestions, I would appreciate seeing what you did. And if this is the wrong forum to port this, if you can point me to a more suitable
forum I will report there.
Thanks,
Richard -
How to configure inbound ruleset in dynamic nat.
Hi ,
I have a doubt on configure the inbound rules for dynamic nat. I want to allow my web server (172.16.101.115) able connect from outside with tcp/443.
How do I configure the inbound ruleset for allow public connect to my webserver with tcp/443 in dynamic nat.
Here I have draw a diagram and some configuration i have configure in my ASA 8.2. Please correct me if I was wrong config it.
Public IP: 10.10.10.28
Private IPs:
172.16.101.115
172.16.101.116
172.16.101.117
172.16.101.118
172.16.101.119
172.16.101.120
access-list Web_nat permit ip host 172.16.101.115 any
access-list Web_nat permit ip host 172.16.101.116 any
access-list Web_nat permit ip host 172.16.101.117 any
access-list Web_nat permit ip host 172.16.101.118 any
access-list Web_nat permit ip host 172.16.101.119 any
access-list Web_nat permit ip host 172.16.101.120 any
nat (firewall-dmz) 1 access-list Web_nat
global (firewall-outbound) 1 10.10.10.28
access-list fw-outbound-access permit tcp any host 10.10.10.28 eq 443 //allow outside connect to my external ip.
access-list fw-dmz-access permit tcp any host 172.16.101.115 eq 443 //allow my translation ip connect to my webserver with tcp/443.Hi,
I am not sure what you are attempting to configure here.
But what the NAT configuration above does is do a Dynamic PAT for all the servers on the "firewall-dmz" to a single IP address towards the "firewall-outbound"
This Dynamic translation doesnt however enable connections to be initiated from behind the "firewall-outbound" interface. When your hosting a server which needs a NAT towards the users then the NAT type has to be Static NAT or Static PAT.
Static NAT will essentially use up one public IP address for just the single local host/server.
Static PAT will do a Port Forward from the public IP address and public port to the local IP and local port. And this is most commonly used with environments which only public IP address is the one that the ASA holds in its WAN interface.
A typical Static NAT configuration is this
static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255
Where
inside = is the interface behind which the host is
outside = is the interface towards which the host is NATed
1.1.1.1 = is the public NAT IP address for the host
10.10.10.10 = is the local IP address of the host
A typical Static PAT configuration is this
static (inside,outside) tcp interface 80 10.10.10.10 80 netmask 255.255.255.255
Where
tcp = specifies the protocol for which the Static PAT configured
interface = specifies that we will be using the public IP address of the destination interface "outside" as the public IP address for this single Port Forward.
80 = first "80" specifies the public port visible to users behind the destination interface
80 = second "80" specifies the actual local port on which the local host is listening on
Hope this helps
- Jouni -
Dynamic file name using FTP adapter
I was trying the dynamic filename scenario taking help from Michal's blog https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/2664. [original link is broken] [original link is broken] [original link is broken] [original link is broken]
If I check the 'adapter specific properties' in both sender and receiver file adapter,then in output I am getting the output filename as same as input filename without using the UDF.
When I used the UDF in mapping,it had absolutely no effect. I am not clear what is the use of the UDF. please let me know where to use the UDF and how to use it.
Thanks
Smith1. In the mapping program that you are using populate the filename coming from the source into the target in any of the fileds.
2.Sender adapters can write adapter-specific attributes to the message header; these can then be evaluated at configuration time.You can get dynamic filename in UDF in msg mapping....just in ID in comm channel select adapter specific attributes -> filename.....then whatever dynamic name you will create in UDF will be the target filename.....
3. To change the adapter-specific attributes of the message header by using message mappings, you access the <b>required classes of the mapping API by using a mapping runtime constant.</b>
To access the classes DynamicConfiguration and DynamicConfigurationKey by using the mapping runtime constant DYNAMIC_CONFIGURATION, use the method getTransformationParameters() of the container object.
You donot need to hard code the value of the filename in the file adapter for your interface.
In SXMB_MONI, when you see the pipeline services you would see that the value of the filename is populated in the message payload. -
Dynamic Page that uses javascript to run an executable on the client's pc
I have an .exe file on a shared network that has to be called and executed from portal. The below code works as standalone but not from a dynamic page or an HTML portlet. Any ideas?
<html>
<script language="javascript" type="text/javascript">
function runApp()
var shell = new ActiveXObject("WScript.shell");
shell.run('"c:/CstatsWeeklyreport.exe"',1,true);
</script>
<body>
<input type="button" name="button1" value="Run Notepad" onClick="runApp()" >
</INPUT>
</body>
</html>Thanks D, but that's not what I'm looking for. That changes which application a file opens with when you download it. That's not what I need for this situation. Here's a little more detail.
The clients will have an application on their hard drive; it can be any application, even a custom application that they developed themselves. Then, they open a web page with a listbox full of items. Depending on which item they select, a query will return a file path to the .exe file itself. The .exe file resides on the client's hard drive, not on the server. So they're not downloading anything. Depending on the filepath returned by the query, the browser needs to start the process and open the .exe file for them.
So let's say I have developed a simple text editor called Tedit. I have a file on my hard drive - "C:\TextEditor\bin\debug\TEdit.exe". When they click the open button, that file path is returned from the database. Then the javascript is called to start the process and open that program.
Again, nothing is getting downloaded, the application resides on the user's hard drive and there is no file to associate it with.
This can be done in IE using an ActiveX control. And it used to be possible in Firefox using the nsIFile or nsIProcess objects. But since FF15 that's not available anymore, so the javascript throws an error telling them that their permission is denied.
What I need, is a javascript that will launch the .exe file from the user's hard drive without downloading anything.
Maybe you are looking for
-
HOW TO ACHIEVE THIS IN BEX REPORT ?
Hi I have a query like below: Indicator---Month---Volume-- Revenue A--201101-10Tonnes----710USD A--201102-20Tonnes----2000USD Because of some selections in our query,It always displays data from beginning of year to present month(August). Now require
-
I am a student and I bought my macbook pro at a best buy, am I still eligible for the $100 on free apps? If so, how would i get access to it?
-
Error message when deleting Business transaction: Activity in CRM
Hi All, I am trying to delete a couple of Activities from CRM (Production system) and encounter two error message: "Enter a Business Partner" and "Administration header not found." I have tried three ways to delete/archive the activity numbers in the
-
what happened is that my internet connection was not good so i downloaded .ipsw file from a torrent but now i cannot get it to update my ipad because ios 5.0.1 is out i tried copying files to ipad updates in the itunes folder but it still asked me to
-
Very very simple method return question
Using a UML tool, the following code has been generated for a method called getScores. //getScores public String[] getScores(int nCount) //your code goes here return null; }Can I just clarify what this method is returnin