9.0 can a dynamic nat be used over ipsec vpn?

We have a VPN up and working between two ASAs, and when we run the traffic through a static NAT rule the traffic passes over the VPN. When we use a dynamic NAT the traffic does not get picked up by the VPN ACL.
We are disabling the NAT rules to switch back and forth, so even when we use the same source and destination the result is the same.
Am I missing something with 9.0 code versions? If I disable all NATs and pass the traffic, it goes over the VPN.
So it seems when using the dynamic NAT statement it pushes the traffic to the outside interface without looking at the VPN ACL. Please let me know if I am off base; I am a newb on post-8.3 code.
Thanks

I didn't do that at first because I remember reading something about in ver 9 to only use the un-NATted IP because of order of ops. That seemed weird to me at the time.
Yes, it seems that you need the NAT IP like always. Should have just gone with my gut on that.
Thanks
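
The fix the thread above arrives at (the VPN ACL has to reference the NAT IP), as an added ASA 8.3+/9.x configuration sketch that is not from the original posts. The object names, the ACL and crypto map names, and the addresses (10.1.1.0/24, 10.2.2.0/24, 192.0.2.10) are all constructed, and the crypto map is assumed to already have its peer and proposal configured.

```cisco
! Added example: constructed names and addresses, not taken from the thread.
! inside LAN 10.1.1.0/24, remote LAN 10.2.2.0/24, dynamic PAT address 192.0.2.10
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0
object network VPN-PAT-IP
 host 192.0.2.10
!
! Dynamic policy PAT: the source is translated to 192.0.2.10 only when the
! destination is the remote LAN.
nat (inside,outside) source dynamic LOCAL-LAN VPN-PAT-IP destination static REMOTE-LAN REMOTE-LAN
!
! Since 8.3, interface ACLs (access-group) are written with real addresses,
! but IPsec (crypto map) ACLs are still matched against the mapped address,
! because the packet is translated before the crypto check on egress.
!
! Does NOT match once the dynamic rule is active (pre-NAT source), so the
! traffic leaves the outside interface unencrypted:
!   access-list VPN-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! Matches: the source is the translated address.
access-list VPN-ACL extended permit ip host 192.0.2.10 10.2.2.0 255.255.255.0
!
! Assumed existing crypto map entry; only the match statement is shown.
crypto map OUTSIDE-MAP 10 match address VPN-ACL
!
! Verification from exec mode (constructed test flow):
!   packet-tracer input inside tcp 10.1.1.50 12345 10.2.2.20 443
!     -> the trace should show a NAT phase followed by a VPN encrypt phase
!   show xlate
!     -> 10.1.1.50 should appear translated to 192.0.2.10
!   show crypto ipsec sa
!     -> the encaps counter should increase while test traffic is sent
```

The peer's crypto ACL has to mirror this one (remote LAN to 192.0.2.10), and because the translation is dynamic, only hosts behind the inside interface can initiate traffic through the tunnel.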

Similar Messages

  • HELP!  Can Adobe Premier Pro be used over Citrix?

    Can Adobe Premier Pro be used over Citrix? IS it possible? Has anybody tested it?
    Thanks in advance,
    Bryan

    > BUT there was no audio
    Did you set your connection options for "Remote computer sound" to "Bring to this computer" ?
    Cheers
    Eddie

  • WRV210- Can't establish Remote Desktop Connection over IPSec

    Hi there,
    I changed the BEFVP41 with WRV220 and configured the VPN the same way, and succeeded in establishing an IPSec VPN connection with the TGB VPN client with no problems, but now Remote Desktop doesn't work. I changed the firmware; that didn't help. That didn't help as well, the answer is the same: The client could not connect to the remote computer. Remote connection might not be enabled or the computer might be too busy to accept new connections. The Remote connection works fine locally and with the BEFVP41 (even though I had different problems with this one); the only change is the WRV210.... Did you have this issue?
    Thank you
    Vesna

    As a sort of workaround, you could configure a DHCP reservation for that PC. Leave the machine as DHCP but know that it will always "receive" a specific address. I think the problem the WRV210 experiences in this situation is that the MAC address table times out and it flushes the PC's MAC to IP binding. Therefore, it does not know who to send the request for X IP address to, because it no longer has a MAC to port mapping.
    However, when the router has the client via DHCP, the DHCP protocol takes care of making sure the MAC does not time out in the CAM table. When the lease is somewhat close to expiration, the client renews and everything works fine. You can statically map up to 20 addresses in the WRV210 (confirmed with configuration in lab).
    With this solution, your RDP sessions and port forwardings will continue to work, and your mac will never timeout of the CAM table.
    Bill

  • Can I dynamically display Page title over a static header image?

    Is there a way to Dynamically Display Page Title Text Over my static site Header Image? here is a link so you can see what I am talking about. http://www.bridgestoprosperity.org/See-Our-Work/afghanistan/afghanistan.htm where Afghanistan would be the text to be replaced automatically on each page.  Please note, currently, I must create individual headers, insert the page title in photoshop, etc. I am hoping to figure out a way for all this to happen dynamically perhaps by calling the text from the page title info.
    Thank you,
    Allan

    Hi, Allan,
    I realize my suggestion is off your point, and you probably have already thought of some of this, hence your question... But, rather than going the dynamic route, Why not create a Header Image without a title on it and use it as a div background image? Replace this
    <img src="/See-Our-Work/afghanistan/Images/header/afghanistan-header.jpg" name="topnavbar_r1_c1" width="779" height="114" border="0" alt="bridges to prosperity: afghanistan">
    with the styled div, for instance:
    <div id="header"><h2>Afghanistan</h2><h3>Bridges to Prosperity: USA</h3></div>
    At this point, you can use a more generic image for the background, one that does not have "Afghanistan" embedded in it, and you may style the #header thus:
    #header {
         width: 779px;
         height: 114px;
         border: 0;
         background-image: url(/See-Our-Work/Images/header/header.jpg); /* for instance */
    }
    and the header Headline styles thus:
    #header h2, #header h3 {
         color: white;
         text-align: right;
         font-family: Arial, Helvetica, sans-serif;
    }
    Then you can place your html (<h2>, <h3> etc.) in the same div, only on the "surface".
    Using the tags <h2> and <h3> will maintain their usefulness to Search Engines; as hiding them in images does not.
    If you still wished to vary the header image, depending on the contents of the page, you can actually control all of this from the CSS file, if you add an id attribute to the <body> of each page.
    For instance, for your example page, if you did this:
    <body id="afghanistan">
    You could then do this in your CSS file:
    #header {
         width: 779px;
         height: 114px;
         border: 0;
    }
    body#afghanistan #header {
         background-image: url(/See-Our-Work/afghanistan/Images/header/afghanistan-header.jpg);
    }
    You could then proceed to have a different background image for each page. (Not your original intention, but now possible).
    <body id="pakistan"> would use a CSS style declaration like:
    body#pakistan #header {
         background-image: url(...pakistan-header.jpg...etc.);
    }
    I am not aware of being able to pass content (other than background images) using CSS, so I would go into each page and put the Headline in html.
    But if you were using multiple background images in the header div (one image for afghanistan, another for pakistan, in my example), you can use the same <body id="afghanistan"> for ALL pages about Afghanistan, and thus have the continuity of the same image for all. Likewise, you could id all pages about Pakistan <body id="pakistan">.
    I hope this gives you some ideas...
    Z

  • ASA 8.2 - Static NAT and Dynamic NAT Policy together

    Hello community,
    I have the following problem using an ASA with version 8.2.
    1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
    2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
    so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
    PROBLEM: when testing it... the static always wins... and the Dynamic is never analyzed... Also, no priority for the NAT policy and NAT rules can be set in ASDM... What can I do? Is there a way to do this in ASDM or CLI? (preferably in ASDM)
    Thanks for your reply and help!

  • Dynamic NAT parameters

    Hi,
    I have an application that is unhappy running via dynamic NAT. The app
    developers are asking me if I can turn on sticky sessions in BM's dynamic
    NAT. Are there any options for tuning dynamic NAT in BM that could help?
    Cheers,
    Devon

    I just searched documentation and see that it's 5000 ports for tcp. That
    will be easy to hit. The documentation says that it will just re-use the
    oldest connections in a rolling fashion. I'm wondering whether that's
    working properly or whether something else in the system is keeping the
    state for longer.
    Cheers,
    Devon
    >>> On 9/08/2007 at 11:21, Devon Heaphy<[email protected]> wrote:
    > Still testing, but it appears to. Part of the problem is that the
    > application is very chatty and constantly opens new connections instead of
    > using existing ones. I think the reason static NAT appears to work is that
    > there are more source ports available for a given machine to use.
    >
    > Do you know the upper limit of dynamic NAT connections through BM?
    >
    > Cheers,
    > Devon
    >
    >>>> On 7/08/2007 at 4:44, Craig Johnson<[email protected]> wrote:
    >> In article <[email protected]>, Devon Heaphy wrote:
    >>> I have an application that is unhappy running via dynamic NAT. The app
    >>> developers are asking me if I can turn on sticky sessions in BM's dynamic
    >>> NAT. Are there any options for tuning dynamic NAT in BM that could help?
    >>>
    >> No.
    >>
    >> Does it work via static NAT?
    >>
    >> Craig Johnson
    >> Novell Support Connection SysOp
    >> *** For a current patch list, tips, handy files and books on
    >> BorderManager, go to http://www.craigjconsulting.com ***

  • [Question] Dynamic NAT on 2 different networks

    Hi,
    I just want to ask if it's possible to have the same dynamic translation within 2 different networks like:
    interface gig 0/1
    1.1.1.1 255.255.255.0 (LAN Connection w/ DHCP enabled)
    interface gig 0/2
    2.2.2.1 255.255.255.0 (Wireless Connection w/ DHCP enabled)
    Actually, the scenario was 1.1.1.1 is my LAN connection and 2.2.2.1 are my Wireless connection.
    Hope this merits their favorable response. Thanks.

    Hi,
    Do you mean that you want both of the said LAN networks to use Dynamic NAT/PAT towards a third interface on the ASA?
    If you simply want to use the same NAT/PAT address for 2 different networks on the ASA then you can use the following configurations as example
    These are PAT translations to a single IP address. Using a NAT Pool would change the configurations slightly.
    For ASA software 8.2 and below
    global (outside) 100 3.3.3.1
    nat (inside) 100 1.1.1.0 255.255.255.0
    nat (wireless) 100 2.2.2.0 255.255.255.0
    Where
    outside,inside and wireless = Interface "nameif" on the ASA firewall
    100 = Is just an ID number for the NAT configuration. You can use other one also
    For ASA software 8.3 and after
    object-group network PAT-SOURCE-NETWORKS
    network-object 1.1.1.0 255.255.255.0
    network-object 2.2.2.0 255.255.255.0
    nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
    nat (wireless,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
    Where
    PAT-SOURCE-NETWORKS = Is an "object-group" where you can define the source networks for the NAT/PAT rule
    Hope this helps. Please if you found the information helpful
    Feel free to ask more if this didn't answer your question.
    - Jouni

  • Help with dynamic NAT and CSM 4.4 and ASA 8.3

    Hello
    I am currently trying to add a dynamic NAT rule into CSM 4.4 for an ASA 8.3 device, but it fails at the deployment with the error message:
    Failed to generate delta config
    The following commands have not been recognized by the Configuration Parser:
    ==========================
    (inside,outside) source dynamic range-192.168.0.0_24 range-100.0.0.1_32 destination static any any
    So let's assume the internal IP range for the users is 192.168.0.0/24 and we received the public IP address 100.0.0.1/32 from our ISP.
    How do I have to do a normal dynamic NAT in CSM 4.4 for this case?
    Traffic comes from inside and has to leave the outside with the changed source IP.
    I would really appreciate a screenshot from CSM 4.4 which shows the correctly filled fields.
    Thanks
    Patrick

    Matty
    Not familiar with SIP so can't say for sure about that in terms of ports but some comments -
    1) you don't show other interfaces but presumably the LAN interface(s) has "ip nat inside" enabled
    2) the PBX subnet is 10.1.1.0/24 yet your static NATs are referring to 10.18.21.2 ?
    3) following on from 2) your PBX_SUBNET acl is wrong, it should be -
    ip access-list extended PBX_SUBNET
    permit ip 10.1.1.0 0.0.0.255 any      <-- note the last octet of the wildcard mask is 255.
    Edit - also assuming that any internal subnets not directly connected to the router have routes set up for them so your router knows how to get to them.
    Jon

  • Dynamic NAT (1841 & n00b)

    Hi all. (waiting for TAC support to register me)
    I'm trying to find information on setting up a Dynamic NAT for my 1841 using the SDM. I know how to do the static NATs and they seem to work fine. However, our Japan office would like Dynamic NAT. Where can I find info on how to set this up?
    I have a range of server addresses on my network (E0) from 10.1.10.16 to 10.1.10.40/24. The addressing I have for these on the "outside" (E1) is 172.25.1.16 to 172.25.40/16.
    I tried to set this up, but it seemed that the router duplicated all of my server addresses and my systems weren't happy.
    Thanks for any assistance.
    BC

    OK.
    I had to attach it since it's too long to post.
    Thanks for any insight. The router for the Japan office is 172.25.1.1.

  • Dynamic NAT on selected machines

    Hi
    What is the best way to setup dynamic NAT if I only wanted it to function on
    a group of 30 workstations.
    I was considering putting these workstations into a separate subnet, but
    doesn't dynamic nat pick up all subnets on the private interface?
    Any Ideas?
    Thanks
    Peter H

    Peter,
    > What is the best way to setup dynamic NAT if I only wanted it to function on
    > a group of 30 workstations.
    > I was considering putting these workstations into a separate subnet, but
    > doesn't dynamic nat pick up all subnets on the private interface?
    indeed, this won't work.
    You can use NAT for everyone, and then regulate the access with packet
    filters. It's a limitation of the Netware nat, indeed.
    Caterina
    Novell Support Connection Volunteer Sysop

  • Execute Dynamic SQL statement using procedure builder

    I want to execute a dynamic SQL statement using Procedure Builder, not using Forms,
    because my statement depends on a variable table name.
    I know that I can do that from Forms using
    FORMS_DDL('SQL_STAT');
    but I want to use Procedure Builder.
    Which function should I use, and how?
    Please explain with an example if you don't mind.
    thanks

    Hi,
    You can very well use DBMS_SQL Package supplied by Oracle for doing this.
    Search for DBMS_SQL in OTN. You will get all info regarding this.
    Regards.

  • How to create Exchange dynamic distribution list using multivalue extension custom attribute

    I am trying to create a dynamic distribution list using an ExtensionCustomAttribute.  I am in hybrid mode with Exchange 2013.  The syntax I have is this: 
    New-DynamicDistributionGroup -Name "DG_NH" -RecipientFilter {(ExtensionCustomAttribute2 -eq 'NH')} 
    This works correctly on-prem.  But hosted always results in an empty list.  I can see in dirsync the attribute is in the hosted environment, but for whatever reason, the distribution group gets created but always come up null.
    If I create a group looking at the single valued attributes, such as CustomAttribute6 -eq 'Y', it works correctly on-prem and hosted.  
    If anyone has any suggestions I would appreciate it.

    I don't think I provided enough information about the problem.  Let me add some and see if it makes sense.
    I have an Exchange 2013 on-premise configured in hybrid mode with Office365.  For testing purposes, I have 2 users, Joe and Steve, one with the mailbox on-prem, and the other with the mailbox in the cloud.  Each of them has CustomAttribute6 = 'Y'
    and ExtensionCustomAttribute2 = 'NH'. Dirsync shows these users and these attributes are synced between on-prem and cloud.
    Using on-prem Exchange powershell, I run the following command:
    New-DynamicDistributionGroup -Name "DG_NH" -RecipientFilter {((RecipientType -eq UserMailBox) -or (RecipientType -eq MailUser)) -and (CustomAttribute6 -eq 'Y')}
    This correctly finds the 2 users when I query for them as follows:
    $DDG = Get-DynamicDistributionGroup DG_NH
    Get-Recipient -RecipientPreviewFilter $DDG.RecipientFilter | FT alias
    So I then delete this DG, and recreate it this time looking at the multi-value attribute ExtensionCustomAttribute2, as follows:
    New-DynamicDistributionGroup -Name "DG_NH" -RecipientFilter {((RecipientType -eq UserMailBox) -or (RecipientType -eq MailUser)) -and (ExtensionCustomAttribute2 -eq 'NH')}
    Replaying the query above, I can see this also works fine and finds my two users.
    Next I open a new powershell and connect to Office 365 and repeat the process there.
    New-DynamicDistributionGroup -Name "DG_NH" -RecipientFilter {((RecipientType -eq UserMailBox) -or (RecipientType -eq MailUser)) -and (CustomAttribute6 -eq 'Y')}
    This correctly finds the 2 users when I query for them.
    And then delete the group and recreate it using the multi-value attribute:
    New-DynamicDistributionGroup -Name "DG_NH" -RecipientFilter {((RecipientType -eq UserMailBox) -or (RecipientType -eq MailUser)) -and (ExtensionCustomAttribute2 -eq 'NH')}
    When I run the query this time it produces no result.  Every test I try results in an empty group if I am using a multi-valued attribute in the search criteria in the cloud.  If I use single valued attribute, it works fine.
    I really need to be able to get multi-valued DDGs working in the cloud.  If anyone has done this and has any suggestions, I would appreciate seeing what you did.  And if this is the wrong forum to post this, if you can point me to a more suitable forum I will repost there.
    Thanks,
    Richard

  • How to configure inbound ruleset in dynamic nat.

    Hi ,
    I have a doubt about configuring the inbound rules for dynamic NAT. I want to allow my web server (172.16.101.115) to be reachable from outside on tcp/443.
    How do I configure the inbound ruleset to allow the public to connect to my web server on tcp/443 with dynamic NAT?
    Here I have drawn a diagram and some configuration I have configured on my ASA 8.2. Please correct me if I configured it wrong.
    Public IP: 10.10.10.28
    Private IPs:
    172.16.101.115
    172.16.101.116
    172.16.101.117
    172.16.101.118
    172.16.101.119
    172.16.101.120
    access-list Web_nat permit ip host 172.16.101.115 any
    access-list Web_nat permit ip host 172.16.101.116 any
    access-list Web_nat permit ip host 172.16.101.117 any
    access-list Web_nat permit ip host 172.16.101.118 any
    access-list Web_nat permit ip host 172.16.101.119 any
    access-list Web_nat permit ip host 172.16.101.120 any
    nat (firewall-dmz) 1 access-list Web_nat
    global (firewall-outbound) 1 10.10.10.28
    access-list fw-outbound-access permit tcp any host 10.10.10.28 eq 443 //allow outside connect to my external ip.
    access-list fw-dmz-access permit tcp any host 172.16.101.115 eq 443 //allow my translation ip connect to my webserver with tcp/443.

    Hi,
    I am not sure what you are attempting to configure here.
    But what the NAT configuration above does is do a Dynamic PAT for all the servers on the "firewall-dmz" to a single IP address towards the "firewall-outbound"
    This Dynamic translation doesn't however enable connections to be initiated from behind the "firewall-outbound" interface. When you're hosting a server which needs a NAT towards the users then the NAT type has to be Static NAT or Static PAT.
    Static NAT will essentially use up one public IP address for just the single local host/server.
    Static PAT will do a Port Forward from the public IP address and public port to the local IP and local port. And this is most commonly used in environments whose only public IP address is the one that the ASA holds on its WAN interface.
    A typical Static NAT configuration is this
    static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255
    Where
    inside = is the interface behind which the host is
    outside = is the interface towards which the host is NATed
    1.1.1.1 = is the public NAT IP address for the host
    10.10.10.10 = is the local IP address of the host
    A typical Static PAT configuration is this
    static (inside,outside) tcp interface 80 10.10.10.10 80 netmask 255.255.255.255
    Where
    tcp = specifies the protocol for which the Static PAT is configured
    interface = specifies that we will be using the public IP address of the destination interface "outside" as the public IP address for this single Port Forward.
    80 = first "80" specifies the public port visible to users behind the destination interface
    80 = second "80" specifies the actual local port on which the local host is listening on
    Hope this helps
    - Jouni

  • Dynamic file name using FTP adapter

    I was trying the dynamic filename scenario taking help from Michal's blog https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/2664. [original link is broken]
    If I check the 'adapter specific properties' in both sender and receiver file adapter, then in output I am getting the output filename the same as the input filename without using the UDF.
    When I used the UDF in mapping, it had absolutely no effect. I am not clear what the use of the UDF is. Please let me know where to use the UDF and how to use it.
    Thanks
    Smith

    1. In the mapping program that you are using, populate the filename coming from the source into the target in any of the fields.
    2. Sender adapters can write adapter-specific attributes to the message header; these can then be evaluated at configuration time. You can get dynamic filename in UDF in msg mapping... just in ID in comm channel select adapter specific attributes -> filename... then whatever dynamic name you create in UDF will be the target filename.
    3. To change the adapter-specific attributes of the message header by using message mappings, you access the required classes of the mapping API by using a mapping runtime constant.
    To access the classes DynamicConfiguration and DynamicConfigurationKey by using the mapping runtime constant DYNAMIC_CONFIGURATION, use the method getTransformationParameters() of the container object.
    You do not need to hard code the value of the filename in the file adapter for your interface.
    In SXMB_MONI, when you see the pipeline services you would see that the value of the filename is populated in the message payload.

  • Dynamic Page that uses javascript to run an executable on the client's pc

    I have an .exe file on a shared network that has to be called and executed from portal. The below code works as standalone but not from a dynamic page or an HTML portlet. Any ideas?
    <html>
    <script language="javascript" type="text/javascript">
    // ActiveXObject is only available in Internet Explorer
    function runApp()
    {
    var shell = new ActiveXObject("WScript.shell");
    shell.run('"c:/CstatsWeeklyreport.exe"',1,true);
    }
    </script>
    <body>
    <input type="button" name="button1" value="Run Notepad" onClick="runApp()" >
    </body>
    </html>

    Thanks D, but that's not what I'm looking for. That changes which application a file opens with when you download it. That's not what I need for this situation. Here's a little more detail.
    The clients will have an application on their hard drive; it can be any application, even a custom application that they developed themselves. Then, they open a web page with a listbox full of items. Depending on which item they select, a query will return a file path to the .exe file itself. The .exe file resides on the client's hard drive, not on the server. So they're not downloading anything. Depending on the filepath returned by the query, the browser needs to start the process and open the .exe file for them.
    So let's say I have developed a simple text editor called Tedit. I have a file on my hard drive - "C:\TextEditor\bin\debug\TEdit.exe". When they click the open button, that file path is returned from the database. Then the javascript is called to start the process and open that program.
    Again, nothing is getting downloaded, the application resides on the user's hard drive and there is no file to associate it with.
    This can be done in IE using an ActiveX control. And it used to be possible in Firefox using the nsIFile or nsIProcess objects. But since FF15 that's not available anymore, so the javascript throws an error telling them that their permission is denied.
    What I need, is a javascript that will launch the .exe file from the user's hard drive without downloading anything.
