ACE & 1/2 NAT vs. Full NAT
I'm running into a problem with a Half-NAT vs. Full-NAT conflict. I have two server farms within the same context. Both farms are in the same Server VLAN and both farms get their requests from the same front-end client-side VLAN. For Farm1 I need FULL NAT because some of the servers make calls back to the same VIP. This works ok for me. Farm2 doesn't need FULL NAT and wants 1/2 NAT so that the client IP is visible to the servers (LDAP in this case). That's not a problem either.
My problem is that servers in Farm1 make LDAP calls to the VIP which is for Farm2. Since Farm2 is 1/2 NAT the 3-way TCP connection breaks on the SYN-ACK.
- Is there a way to configure FULL NAT for connections initiated from the FARM and only to the VIP(s) while all other connections are treated as 1/2 NAT?
- Is there an alternative method for me to do what I need?
- Would having a 2nd Server VLAN in the same context for Farm2 solve this problem? I'd rather avoid this as my VLAN/IPs could get ugly.
Thanks in advance.
Casey
Casey,
You can apply a NAT policy to the server VLAN only, so traffic will only be NATed when the connection comes from the server VLAN.
If you don't want to NAT all traffic, you can use a class-map that only matches a specific destination IP.
If you need further detail let me know.
Gilles.
Similar Messages
-
ASA 8.2 - Static NAT and Dynamic NAT Policy together
Hello community,
I have the following problem using a ASA with version 8.2.
1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
So, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NATs the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when the destination IP is in "server list" then all the source IPs must be translated to 192.168.1.70.
PROBLEM: when testing it, the static always wins and the Dynamic is never analyzed. Also, no priority for the NAT policy and NAT rules can be set in ASDM. What can I do? Is there a way to do this in ASDM or CLI? (preferably ASDM)
Thanks for your reply and help!
-
Example of Manual NAT to implement NAT exemption
Hi Everyone,
Below is from the Cisco Learning Network site.
Referring to the Cisco ASA NAT configuration below
object network one
subnet 10.1.1.0 255.255.255.0
object network two
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static one one destination static two two
I need to understand how the answer below is correct:
This is an example of Cisco ASA 8.3 manual NAT to implement NAT exemption.
Regards
Mahesh
Hi Mahesh,
Yes, the above configuration achieves a NAT0 type configuration in the new 8.3+ ASA software.
In the 8.2 and older softwares we used an ACL to tell the ASA between which networks there should be no translation to the source address.
The above configuration could correspond to the following on the 8.2 software
access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
And as you have already mentioned the 8.3+ format is
object network one
subnet 10.1.1.0 255.255.255.0
object network two
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static one one destination static two two
In the new format you see the same things as you saw in the older format using ACL. It tells between which interfaces this NAT applies. It also tells between which source and destination networks this applies.
Now let's look at the above "nat" statement in all of its parts
nat = Is the actual command which starts the NAT configuration, whatever NAT you were configuring
inside = Is the source interface for the NAT as it's mentioned first
outside = Is the destination interface for the NAT as it's mentioned second
source = Simply specifies that the source parameters for this NAT configuration will follow
static = Defines that we're doing a Static type of NAT
one = Defines the real source network
one = Defines the mapped source network
destination = Simply specifies that the destination parameters for this NAT configuration will follow
static = Defines that the destination is static. It can only be static
two = Defines the mapped destination network
two = Defines the real destination network
And the key things to notice from the configuration.
Both source and destination real and mapped networks are the same. This means that the source network and destination network should stay unchanged. So in essence we are doing NAT0.
When we add the "destination static" this automatically means that the NAT will only be applied when the destination of the traffic is this network. This naturally applies in the reverse direction since the rule is bidirectional.
I am not really sure if I explained the above in the best way I could. Hope it makes sense.
- Jouni -
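As an added example (not part of Jouni's reply or of any Cisco tooling), the following Python audit script parses object definitions and manual NAT statements in the 8.3+ format above, takes the fields in the order listed (source "real mapped", destination "mapped real"), flags rules where real and mapped networks are identical on both sides as NAT exemptions, and renders the pre-8.3 `nat 0 access-list` equivalent; the configuration it reads is constructed here.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample configuration in the ASA 8.3+ format discussed above.
# The first nat line is the NAT-exemption statement from the thread; the
# second one is added here to show a rule that really does translate.
SAMPLE_CONFIG = """
object network one
 subnet 10.1.1.0 255.255.255.0
object network two
 subnet 192.168.1.0 255.255.255.0
object network one-mapped
 subnet 172.16.1.0 255.255.255.0
nat (inside,outside) source static one one destination static two two
nat (inside,outside) source static one one-mapped destination static two two
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
# Field order follows the breakdown above: source is "real mapped",
# destination is "mapped real"; the destination clause is optional.
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) "
    r"source static (?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<mapped_dst>\S+) (?P<real_dst>\S+))?$"
)


@dataclass
class ManualNat:
    src_if: str
    dst_if: str
    real_src: str
    mapped_src: str
    mapped_dst: Optional[str]
    real_dst: Optional[str]


def parse_objects(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map each 'object network' name to the subnet or host it defines."""
    objects: Dict[str, ipaddress.IPv4Network] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJECT_RE.match(line):
            current = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current:
            # ipaddress accepts a dotted netmask after the slash
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif (m := HOST_RE.match(line)) and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def parse_nat_rules(config: str) -> List[ManualNat]:
    """Collect every manual (twice) NAT statement in the config, in order."""
    return [ManualNat(**m.groupdict())
            for raw in config.splitlines()
            if (m := NAT_RE.match(raw.strip()))]


def is_nat_exemption(rule: ManualNat, objects: Dict[str, ipaddress.IPv4Network]) -> bool:
    """True when neither source nor destination is changed (the NAT0 case)."""
    if objects[rule.real_src] != objects[rule.mapped_src]:
        return False
    if rule.real_dst is None:
        return True
    return objects[rule.mapped_dst] == objects[rule.real_dst]


def to_8_2_nat0(rule: ManualNat, objects: Dict[str, ipaddress.IPv4Network],
                acl: str = "INSIDE-NAT0") -> Optional[str]:
    """Render the pre-8.3 'nat 0 access-list' equivalent of an exemption rule."""
    if rule.real_dst is None or not is_nat_exemption(rule, objects):
        return None
    src, dst = objects[rule.real_src], objects[rule.real_dst]
    return (f"access-list {acl} permit ip {src.network_address} {src.netmask} "
            f"{dst.network_address} {dst.netmask}\n"
            f"nat ({rule.src_if}) 0 access-list {acl}")


def audit(config: str) -> List[bool]:
    """One verdict per nat statement, in config order: True = exemption."""
    objects = parse_objects(config)
    return [is_nat_exemption(r, objects) for r in parse_nat_rules(config)]


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_CONFIG)
    for rule in parse_nat_rules(SAMPLE_CONFIG):
        print(rule, "-> exemption" if is_nat_exemption(rule, objs) else "-> translates")
        if eq := to_8_2_nat0(rule, objs):
            print(eq)
```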
Source Nat and Destination Nat
Is any of the above working in the ACE OR CSM module by default?
What is the advantage of configuring destination NAT on the ACE box?
Hello,
On both the CSM and ACE, destination NAT (a.k.a. server NAT) is enabled by default in a serverfarm. Source NAT needs to be manually configured on both devices, as it is not a default configuration.
In server load balancing, destination NAT is very common. When clients connect to a VIP on the load balancer, the load balancer will then choose a real server to send the connection to. The destination IP address of the client-to-server traffic will be NAT'd from the virtual IP address (VIP) to the real server's IP address. The server's reply will be sourced with the real server's IP address, initially. The load balancer will again perform NAT to change the source IP address from the real server's IP address back to the VIP address prior to forwarding the response back to the client. This way, the client only knows about the VIP address, and not the real server's IP address.
Best regards,
Sean
-
Some how I have ended up with multiple network objects for the same network example
obj-192.168.1.0
obj-192.168.1.0-1
obj-192.168.1.0-2
All are for the same network but have different NAT statements. When I look at my NAT statements I have a bunch of manual NAT and Network Object NAT rules. I'm pretty confused about the two. Should I just have one auto NAT statement for each object? Then if I need another NAT statement for the same network, make it a manual NAT?
Would I be correct to presume you have updated/upgraded the ASA software from pre 8.3 to post 8.3 by letting the ASA convert the configuration by itself and not actually writing the configurations yourself?
If that is true then it would seem to me that these configurations might be the 8.3 (and later) software's way of doing Identity NAT between your local ASA interfaces. (Which can also be done with Twice NAT / Manual NAT)
I would for example guess that the following configuration
object network obj-172.16.0.0-05
subnet 172.16.0.0 255.254.0.0
nat (inside,TM) static 172.16.0.0
Before was this
static (inside,TM) 172.16.0.0 172.16.0.0 netmask 255.254.0.0
In the new software 8.3+ if you have local LAN and DMZ interfaces on the ASA which don't require NAT between them, you can simply leave out the NAT configurations. So if your purpose is to enable communication between local interfaces without modifying the source or destination address then I would leave out all those NAT configurations.
In the very basic setups you only really need to perform NAT between the local and public interfaces. The new ASA software doesn't have any "nat-control" anymore. If there is no NAT rule for the traffic incoming to the ASA then the ASA will simply pass it along without NAT.
- Jouni -
Destination NAT and Source Nat
Hi, my network has mobile users with notebooks, and they use a public SMTP IP address. When they are out of the office, without VPN, the ASA works well, but when they come back into the office they have to change the SMTP IP back to the private one. I know that my task could be solved via the DNS service, but for some reason I have to do DNAT and SNAT on the ASA. Please answer me, is it possible? (Because the ASA has to NAT and DNAT on the same interface, Inside, and send this traffic back to Inside again.)
Please see this picture, I drew my task there. Thanks!
Yes it is possible through policy NAT.
Here is the example.
access-list policy-nat extended permit ip host 10.1.1.20 host 5.5.5.5
global (dmz) 2 192.168.2.2
nat (inside) 2 access-list policy-nat
Hope that helps.
Thanks
-
Earlier this week, I posted a question in this newsgroup titled 'Clustering only
works 1 way!'
Well, it turned out that the issue was due to our firewall doing IP translation.
We turned off NAT and it seems to work now.
My configuration is:
Web Server ---> Firewall ---> Cluster of 2 App Servers
Web Server = Apache w/ WL Plug in
App Servers = WLS 5.1 SP9 (on Solaris 2.7)
I am not sure why the issue is resolved by not doing NAT in the firewall. Does
anyone know? Are the physical IP addresses of the weblogic servers stored in the
cookie? If so, that would explain it. I looked for cookies on my PC - couldn't
find any.
-Bob
Yes, the IP addresses are stored in the cookie.
The cookies are 'in-memory' cookies. You can see them by turning on 'warn me whenever a site sends a cookie'; also, Netscape 6 can display them for you. The 4 byte IP addresses are stored as a decimal number, in between the first two / in the WebLogicSession cookie.
Mike
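As an added example, not part of Mike's reply or of WebLogic itself, the Python below decodes the decimal field he describes from Set-Cookie headers, flags cookies that expose a cluster member's internal address, and shows why the plug-in's cookie-driven reconnect fails behind a translating firewall. The cookie values and the NAT table are constructed; only the "decimal IP between the first two slashes" layout is taken from the thread.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed Set-Cookie lines. Only the layout Mike describes is taken from
# the thread: a decimal IPv4 address between the first two '/' of the value.
SAMPLE_HEADERS = [
    "Set-Cookie: WebLogicSession=PuB7Qk9cZt/3232235876/7001/0; path=/",  # 192.168.1.100
    "Set-Cookie: WebLogicSession=Rk3mXq1wLp/3232235877/7001/0; path=/",  # 192.168.1.101
    "Set-Cookie: JSESSIONID=abc123; path=/",                              # no cluster IP
    "Set-Cookie: WebLogicSession=broken-value-without-slashes; path=/",   # malformed
]

COOKIE_RE = re.compile(r"WebLogicSession=([^;]+)")


def extract_cluster_ip(cookie_value: str) -> Optional[ipaddress.IPv4Address]:
    """Decode the server address stored between the first two '/' of the value.

    Returns None when the field is missing or is not a valid 32-bit number.
    """
    parts = cookie_value.split("/")
    if len(parts) < 3 or not parts[1].isdigit():
        return None
    number = int(parts[1])
    if number > 0xFFFFFFFF:
        return None
    return ipaddress.IPv4Address(number)


def cluster_ips_from_headers(headers: List[str]) -> List[ipaddress.IPv4Address]:
    """Pull every decodable cluster address out of a list of Set-Cookie headers."""
    found = []
    for header in headers:
        m = COOKIE_RE.search(header)
        if not m:
            continue
        ip = extract_cluster_ip(m.group(1))
        if ip is not None:
            found.append(ip)
    return found


def leaks_internal_address(headers: List[str]) -> bool:
    """True if any cookie carries a non-global (e.g. RFC 1918) server address.

    Such a cookie hands every client the real address of a cluster member,
    exactly the information a NAT in front of the cluster is meant to hide.
    """
    return any(not ip.is_global for ip in cluster_ips_from_headers(headers))


def reconnect_reachable(cookie_value: str, real_to_mapped: Dict[str, str],
                        reachable: Set[str]) -> bool:
    """Decide whether the plug-in can honour the cookie's server affinity.

    The plug-in reconnects to the address decoded from the cookie. With a
    translating firewall in the path that is the server's untranslated
    address, which the web server side cannot reach; only the mapped
    addresses are routable there, so affinity breaks after the first request.
    """
    ip = extract_cluster_ip(cookie_value)
    if ip is None:
        return False
    target = str(ip)
    if target in real_to_mapped:
        # Cookie names the real address; the web server would have had to
        # dial the firewall's mapped address instead.
        return False
    return target in reachable


if __name__ == "__main__":
    for ip in cluster_ips_from_headers(SAMPLE_HEADERS):
        print(f"cookie points at {ip} (global={ip.is_global})")
    print("leaks internal address:", leaks_internal_address(SAMPLE_HEADERS))
    # Constructed firewall state: real -> translated, and what the web server can reach.
    nat_table = {"192.168.1.100": "10.10.0.100", "192.168.1.101": "10.10.0.101"}
    print("reconnect works with NAT on:",
          reconnect_reachable("PuB7Qk9cZt/3232235876/7001/0", nat_table, set(nat_table.values())))
    print("reconnect works with NAT off:",
          reconnect_reachable("PuB7Qk9cZt/3232235876/7001/0", {}, {"192.168.1.100"}))
```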
-
Guys,
Please could someone explain to me if all NATting is done in software and this means it is by default "process switched"
i.e.
packet header re-write is done in s/w and thus has to interrupt the CPU = process switched
Is that the correct way of putting it?
Also, if NAT could be done in h/w, this would mean that the CPU would not be interrupted, as it would be done by an ASIC and thus the term hardware NAT?
Also, can anyone tell me what platforms support h/w NATting.
I can see the 6500 with sup32 does
Does the 73xx platform?
Many thx indeed, and if anyone has any related tech-notes on this, could they please post?
Many thx,
Ken
> packet header re-write is done in s/w and thus has to interrupt the CPU = process switched
> Is that the correct way of putting it?
>> yes, that would be a correct way of putting it.
> Also, if NAT could be done in h/w, this would mean that the CPU would not be interrupted, as it would be done by an ASIC and thus the term hardware NAT?
> Also, can anyone tell me what platforms support h/w NATting.
> I can see the 6500 with sup32 does
> Does the 73xx platform?
>> not sure
>> Sup720 with PFC3a or above will do HW NAT/PAT.
Please rate helpful posts.
-
WRT54G V6 - XBOX 360 Moderate NAT - NEED Open NAT
Ok, I have seen a post in response to wanting Open NAT on the WRT54G V6 wireless router. The response was as follows:
******************** 192.168.1.1 (default IP address). Leave the username field blank and in the password type "admin" (if you have not changed the password). When the Linksys configuration page loads up fully, click on the tab that says Applications and Gaming. When the page loads up fully you can specify the ports that need to be forwarded for your Xbox. Make sure that before forwarding the ports you assign a static IP address for your Xbox in the same range as that of your router. Specify the same IP address in the port forwarding page. Also set the MTU of the router to 1365. Try forwarding the ports 88 and 3374. *******************
HOWEVER... I have multiple XBOXes behind the router so I don't believe doing port forwarding will be of any help here, will it? Is there a newer Linksys wireless router that will allow us to configure Open NAT? Is there third-party firmware that can update the WRT54G V6 so that it can utilize Open NAT? Desperately need to get 3 or 4 XBOX 360s working behind this thing in open NAT mode. Thanks in advance!!!
Well, in this case you should go to "Applications and Gaming" and instead of "Port Forwarding" you should try "Port Triggering". Enter the required numbers; no need to assign a static IP address to any of the Xboxes.
-
ACE 4710 A3 outbound static NAT with Port redirection
Hi
I have asked this question before, but as I have not gotten far with it I am going to try to be more specific this time.
I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
When I try to configure this:
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
I get the error: Error: Invalid real port configured for NAT static
Any ideas what it means, anyone?
Right. Forget about the previous question. I have an update.
I get this output on show nat policies at the moment:
NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
ID:64 Static port translation
Real addr:172.21.7.11 Real port:26 Real interface:18
Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
Netmask:255.255.255.255
where x.x.x.x - is the Public, external IP address on the ACE.
I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
Something is telling me I am looking at it from a wrong direction altogether.
This is the config I have at the moment:
access-list 130 line 20 extended permit ip any any
access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
class-map match-any Class_Port26
2 match access-list Source_NAT
policy-map multi-match Policy_Port26_Static
class Class_Port26
nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
interface vlan 107
ip address 172.21.7.2 255.255.255.240
peer ip address 172.21.7.1 255.255.255.240
access-group input 130
service-policy input Policy_Port26_Static
no shutdown
No server farms, no load balancing. Just that.
Any ideas?
-
Hello
I had pix+CSM on 6500. I've changed it to new ACE module on 6500.
I've made the load balancing which was done on the CSM. Now I want to connect the DMZ which was connected to the PIX and make static DNAT.
I used the configuration guide/examples from: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/nat.html
I need to make static DNAT, but I can't figure out how it works. There are many errors in this document including incorrect (old?) syntax (for example: nat static 192.0.0.0 255.0.0.0 80 vlan 101)
I analyzed the three examples at the end of this document. My questions:
1. How do I choose if it's source or destination NAT?
2. Do I always apply the service-policy to the VLAN interface which receives the packets which should be NATed?
3. What is the class-map (its ACL) choosing? Incoming traffic whose destination address should be changed?
4. In the command "nat static A netmask netmaskA vlan B", is A the outside IP address before translation to the inside address?
5. Could anybody give me a simple example of static DNAT? (or any links?)
Thanx
Destination NAT is equivalent to load balancing to one server.
I would therefore configure a vip being the inbound destination address, and a rserver which would be the outbound nated destination ip address.
Then create a policy-map to link the 2 together and apply the policy-map to the incoming vlan, or you can apply it globally.
For the reverse connections, where you then need to nat the source ip back to the 'VIP' you use the static nat config that you have found in the document.
By the way, I don't see anything wrong with it.
Those commands are in A1 and also the new A2 release.
ACE is really a loadbalancer with some firewall features and not the opposite.
This is why pure NATing functions are not straightforward to configure.
Gilles.
-
ACE: Transparent NAT feasibility
Is transparent NAT possible? The applications need to be aware of the source IP address to process. The only way I can see to do this is insert the source into the header. I seem to recall reading about transparent NAT, and no NAT, but I cannot find it now.
All ideas welcome.
BTW, I want to clarify that client NAT is not on by default. You must configure it, and if you do so, you lose information about the client IP. The solution to insert the info into the HTTP header is a good one.
Gilles
-
NAT problems on a L3 3650 switch
So, I am trying to setup NAT on our new 3650 switch running IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.00E RELEASE SOFTWARE
This simple setup involves a layer 3 port (1/0/46) to our gateway and a Vlan for NAT
My hosts on my NAT Vlan (Vlan 2) do not seem able to ping anywhere else than the switch itself (all its interfaces) and their local subnet. Pings from the switch to outside are fine (NAT debug enabled):
Switch#ping 8.8.8.8 source 192.168.122.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.122.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/66/70 ms
Switch#
*Nov 10 14:27:04.145: NAT: ICMP id=1->1025
*Nov 10 14:27:04.145: NAT: s=192.168.122.1->165.211.28.194, d=8.8.8.8 [5]
*Nov 10 14:27:04.210: NAT: ICMP id=1025->1
*Nov 10 14:27:04.210: NAT: s=8.8.8.8, d=165.211.28.194->192.168.122.1 [0]
Running Config:
! Last configuration change at 13:51:06 UTC Mon Nov 10 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
hostname Switch
boot-start-marker
boot system switch all flash:packages.conf
boot-end-marker
vrf definition Mgmt-vrf
address-family ipv4
exit-address-family
no aaa new-model
switch 1 provision ws-c3650-48ps
ip routing
ip dhcp excluded-address 192.168.122.1
ip dhcp pool Pool14
import all
network 192.168.122.0 255.255.255.0
dns-server 165.211.29.1
default-router 192.168.122.1
domain-name my.domain
crypto pki trustpoint TP-self-signed-1875358754
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
redundancy
mode sso
class-map match-any non-client-nrt-class
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
interface GigabitEthernet1/0/46
description conf GW
no switchport
ip address 165.211.28.194 255.255.255.192
ip nat outside
interface GigabitEthernet1/0/47
switchport access vlan 2
spanning-tree portfast
spanning-tree bpduguard enable
interface GigabitEthernet1/0/48
switchport access vlan 2
spanning-tree portfast
spanning-tree bpduguard enable
interface Vlan1
no ip address
shutdown
interface Vlan2
ip address 192.168.122.1 255.255.255.0
ip nat inside
ip nat inside source list 61 interface GigabitEthernet1/0/46 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 165.211.28.193
access-list 61 permit 192.168.122.0 0.0.0.255
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
line vty 5 15
login
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
profile httplistener
profile httpslistener
wsma agent filesys
profile httplistener
profile httpslistener
wsma agent notify
profile httplistener
profile httpslistener
wsma profile listener httplistener
transport http
wsma profile listener httpslistener
transport https
ap group default-group
end
I also tried using a Vlan (+nat outside) instead of the Layer3 port (1/0/46) with the same results.
Hello Paul,
1)yes the public addressing is correct. Our gateway is 165.211.28.193/26 and my public is setup 165.211.28.194/26.
2) Ip routing is enabled on the switch as you can see on my configuration
3)Switch#sh sdm prefer
Showing SDM Template Info
This is the Advanced (low scale) template.
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 512
IGMP and Multicast groups: 4096
Overflow IGMP and Multicast groups: 512
Directly connected routes: 16384
Indirect routes: 7680
Security Access Control Entries: 1536
QoS Access Control Entries: 3072
Policy Based Routing ACEs: 1024
Netflow ACEs: 768
Wireless Input Microflow policer ACEs: 256
Wireless Output Microflow policer ACEs: 256
Flow SPAN ACEs: 512
Tunnels: 256
Control Plane Entries: 512
Input Netflow flows: 8192
Output Netflow flows: 16384
SGT/DGT entries: 4096
SGT/DGT Overflow entries: 512
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.
-
What is solution of nat failover with 2 ISPs?
Now I have leased line links to 2 ISPs for internet connection. I separate the users' packets by access list such that www goes to ISP1 and mail or other protocols go to ISP2. Let's say the link to ISP1 goes down; I need www traffic to fail over to ISP2 and vice versa.
Is the problem the ACL on the NAT statement?
If you configure it like this:
access-l 101 permit tcp any any www -->www traffic to ISP1
access-l 101 permit tcp any any mail --> back up for mail packet to ISP2 down
access-l 102 permit tcp any any mail -->mail packet to ISP2
access-l 102 permit tcp any any www --> back up for www traffic go to ISP2
ip nat inside source list 101 interface s0 overload
ip nat inside source list 102 interface s1 overload
In this case the links to ISP1 and ISP2 are both UP.
When you apply this ACL on the NAT statement then NAT will process each statement in order (if I'm incorrect please correct me), so mail traffic will match in this ACL and then be NATed with the IP of ISP1 only.
Please advise a solution for this.
TIA
Hi,
If you have two serial links connecting to two diff service provider , then you can try this .
access-l 101 permit tcp any any www
access-l 102 permit tcp any any mail
route-map isp1 permit 10
match ip address 101
set interface s0
route-map isp2 permit 10
match ip address 102
set interface s1
ip nat inside source route-map isp1 interface s0 overload
ip nat inside source route-map isp2 interface s1 overload
ip nat inside source list 103 interface s0 overload
ip nat inside source list 104 interface s1 overload
ip route 0.0.0.0 0.0.0.0 s0
ip route 0.0.0.0 0.0.0.0 s1 100
In case if any of the link fails , automatically the other traffic would prefer the other serial.
I have not tried the config , just worked out the config on logic .pls go through and try if possible
pls see the note2 column
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#related
Hope it helps
regards
vanesh k
-
ASA 5505 NAT rules blocking inside traffic
Previous attempts to set up these NAT rules have been met with minimal success. We have been able to get the NAT rules created, and are able to ping our inside servers and receivers from a different outside network, but every time we get that far our internal network crashes. Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to the workstations is being blocked by the default implicit rule under the access rule heading that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to the servers is being allowed though.
In an effort to start over again, the Cisco ASA has been Factory Defaulted via the CLI, and has had its Inside network and Outside IP address set back up. The DHCP pool has been set up for a minimal amount of addresses on the inside network, since most of our equipment will always be assigned statics. We reset our static NAT policies, and seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. Any help will be greatly appreciated.
Embarq : Network xxx.xxx.180.104
Gateway: xxx.xxx.180.105
Subnet Mask: 255.255.255.248
Our Static IP's: xxx.xxx.180.106 to xxx.xxx.180.110
Cisco Pix for VPN tunnels : xxx.xxx.180.107 outside IP
used for DataBase Servers : 100.1.0.2 Inside IP/ Gateway 2
Cisco ASA 5505: xxx.xxx.180.106 outside IP
all other traffic : 100.1.0.1 Inside IP/ Gateway 1
Inside Network: 100.1.0.0/24
Application Server: 100.1.0.115 uses Gateway 1
BackUp AppSrvr: 100.1.0.116 uses Gateway 1
DataBase Server: 100.1.0.113 uses Gateway 2
BackUp DBSrvr: 100.1.0.114 uses Gateway 2
Cobox/Receiver: 100.1.0.140
BackUp Cobox: 100.1.0.150
Workstation 1: 100.1.0.112
Workstation 2: 100.1.0.111
Network Speaker1,2,3,4: 100.1.0.125 to 100.1.0.128
Future Workstations: 100.1.0.0/24
1. Embarq Gateway feeds both Cisco Pix, and Cisco ASA. Both Ciscos feed a Dell Switch.
2. All inside network devices at 100.1.0.0/24 are networked into the Dell Switch.
3. All Workstations/Network Speakers need to be able to communicate with all four servers, and the Cobox/Receiver.
4. The DataBase Servers have VPN tunnels created in the Pix for clients to be able to login securely and edit their account info.
5. The App Server (100.1.0.115), and BackUp App Srvr (100.1.0.116) need to have a NAT rule created NAT'ing them to xxx.xxx.180.109.
A. The xxx.xxx.180.109 NAT rule needs to allow ALL UPD traffic TO and FROM ANY outside IP address.
B. The xxx.xxx.180.109 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
6. The Cobox/Receiver (100.1.0.140) and BackUp Cobox (100.1.0.150) need to have a NAT rule created NAT'ing them to xxx.xxx.180.108
A. The xxx.xxx.180.108 NAT rule needs to allow UDP traffic FROM ANY Outside IP address source port 6000 or 9000 to destination port 9000
B. The xxx.xxx.180.108 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
7. Right now the Cisco PIX is functioning and working perfectly for our VPN tunnels.
8.
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 100.1.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.180.106 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object icmp
protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object icmp
protocol-object udp
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any xxx.xxx.180.104 255.255.255.248
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 host xxx.xxx.180.108 any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 host xxx.xxx.180.108 any
access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_2 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_nat_static extended permit udp host 100.1.0.140 eq 9000 any
access-list inside_nat_static_1 extended permit ip host 100.1.0.115 any
access-list inside_nat0_outbound extended permit ip 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
access-list outside_nat_static extended permit udp host xxx.xxx.180.108 eq 6000 host 100.1.0.140
access-list outside_nat_static_1 extended permit ip host xxx.xxx.180.109 host 100.1.0.115
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 100.1.0.3-100.1.0.254 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) udp xxx.xxx.180.108 6000 access-list inside_nat_static
static (outside,inside) udp 100.1.0.140 9000 access-list outside_nat_static
static (inside,outside) xxx.xxx.180.109 access-list inside_nat_static_1
static (outside,inside) 100.1.0.115 access-list outside_nat_static_1
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 100.1.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 100.1.0.5-100.1.0.15 inside
dhcpd dns 71.0.1.211 67.235.59.242 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
call-home reporting anonymous
Cryptochecksum:52e69fa95fcffd43ed9e73df320e3a55
: end
no asdm history enable
OK. Thank you very much for your help. I am going to get with the powers that be to upgrade the "Base" license in this ASA.
In the meantime I will Close and Rate this post for now so others can get this info also.
If we have any further issues after the upgrade, then I will open a new post.
Thanks again. We knew it was something simple. Not sure how we overlooked that, but hey, we're getting somewhere now.