ACE & 1/2 NAT vs. Fulk NAT

I'm running into a problem with Half-NAT vs. Full-NAT conflict. I have two server farms within the same context. Both farms are in the same Server VLAN and both farms get their requrests from the same front-end client-side VLAN. For Farm1 I need FULL NAT because some of the servers make calls back to the same VIP. This works ok for me. Farm2 doesn't need FULL NAT and wants 1/2 NAT so that the client IP is visible to the servers (LDAP in this case). That's not a problem either.
My problem is that servers in Farm1 make LDAP calls to the VIP which is for Farm2. Since Farm2 is 1/2 NAT the 3-way TCP connection breaks on the SYN-ACK.
- Is there a way to configure FULL NAT for connections initiated from the FARM and only to the VIP(s) while all other connections be treated as 1/2 NAT?
- Is there an alternative method for me to do what I need?
- Would having a 2nd Server VLAN in the same context for Farm2 solve this problem? I'd rather avoid this as my VLAN/IPs could get ugly.
Thanks in advance.
Casey

Casy,
You can apply a nat policy to the server vlan only, so traffic will only be nated when the connection comes from the server vlan.
If you don't want to nat all traffic, you can use a class-map that only matches a specific destination ip.
If you need further detail let me know.
Gilles.

Similar Messages

  • ASA 8.2 - Static NAT and Dynamic NAT Policy together

    Hello community,
    I have the following problem using a ASA with version 8.2.
    1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
    2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
    so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
    PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
    Thanks for your reply and help!

    Hello community,
    I have the following problem using a ASA with version 8.2.
    1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
    2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
    so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
    PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
    Thanks for your reply and help!

  • Example of Manual NAT to implement NAT exemption

    Hi Everyone,
    Below is from Cisco LEarning Network site
    Referring to the Cisco ASA NAT configuration  below
    object network one
      subnet 10.1.1.0 255.255.255.0
    object network two
      subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) source static one one destination static two two
    Need to understand how below answer is correct?
    This is an example of Cisco ASA 8.3 manual NAT to implement NAT exemption.
    Regards
    MAhesh

    Hi Mahesh,
    Yes, the above configuration achieves a NAT0 type configuration in the new 8.3+ ASA softwares.
    In the 8.2 and older softwares we used an ACL to tell the ASA between which networks there should be no translation to the source address.
    The above configuration could correspond to the following on the 8.2 software
    access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NAT0
    And as you have already mentioned the 8.3+ format is
    object network one
      subnet 10.1.1.0 255.255.255.0
    object network two
      subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) source static one one destination static two two
    In the new format you see the same things as you saw in the older format using ACL. It tells between which interfaces this NAT applies. It also tells between which source and destination networks this applies.
    Now lets look at the above "nat" statement in all of its parts
    nat = Is the actual command which starts the NAT configuration whatever NAT you were configuring
    inside = Is the source interface for the NAT as its mentioned first
    outside = Is the destination interface for the NAT its mentioned second
    source = Simply specifies that the source parameters for this NAT configuration will follow
    static = Defines that were doing a Static type of NAT
    one = Defines the real source network
    one = Defines the mapped source network
    destination = Simply specifies that the destination parameters for this NAT configuration will follow
    static = Defines that the destination is static. It can only be static
    two = Defines the mapped destination network
    two = Defines the real destination network
    And the key things to notice from the configuration.
    Both source and destination real and mapped networks are the same. This means that the source network and destination network should stay unchanged. So in essence we are doing NAT0.
    When we add the "destination static " this automatically means that the NAT will only be applied when the destination of the traffic is this network. This naturally applies in the reverse direction since the rule is bidirectional.
    I am not really sure if I explained the above in the best way I could. Hope it makes any sense
    - Jouni

  • Source Nat and Destination Nat

    Is any of the above working in the ACE OR CSM module by default?
    What is an advantage of configuring destination NAT on the ACE Box?

    Hello,
    On both the CSM and ACE, destination NAT (a.k.a. server nat) is enabled by default in a serverfarm. Source NAT needs to be manually configured on both devices, as it is not a default configuration.
    In server load balancing, destination NAT is very common. When clients connect to a VIP on the load balancer, the load balancer will then choose a real server the send the connection to. The destination IP address of the client-to-server traffic will be NAT'd from the virtual IP address (VIP) to the real server's IP address. The server's reply will be sourced with the real server's IP address, initially. The load balancer will again perform NAT to change the source IP address from the real server's IP address back to the VIP address prior to forwarding the response back to the client. This way, the client only knows about the VIP address, and not the real server's IP address.
    Best regards,
    Sean

  • Auto nat vs manual nat

    Some how I have ended up with multiple network objects for the same network example
    obj-192.168.1.0
    obj-192.168.1.0-1
    obj-192.168.1.0-2
    All are for the same network but have different nat statements. When I look at my NAT statements I have a bunch of manual NAT and Network object NAT rules. I'm pretty confussed on the two. Should I just have one auto nat statement for each object? Then if I need another NAT statement for the same network make it a manual nat?

    Would I be correct to presume you have updated/upgraded the ASA software from pre 8.3 to post 8.3 by letting the ASA convert the configuration by itself and not actual write the configurations yourself?
    If that is true then it would seem to me that these configurations might be the 8.3 (and later) softwares way of doing Identity NAT between your local ASA interfaces. (Which can also be done with Twice NAT / Manual NAT)
    I would for example guess that the following configuration
    object network obj-172.16.0.0-05
    subnet 172.16.0.0 255.254.0.0
    nat (inside,TM) static 172.16.0.0
    Before was this
    static (inside,TM) 172.16.0.0 172.16.0.0 netmask 255.254.0.0
    In the new software 8.3+ if you have local LAN and DMZ interfaces on the ASA which dont require NAT between them, you can simply leave out the NAT configurations. So if your purpose is to enable communication between local interfaces wihtout modifying the source or destination address then I would leave out all those NAT configurations.
    In the very basic setups you only really need to perform NAT between the local and public interfaces. The new ASA software doesnt have any "nat-control" anymore. If there is no NAT rule for the traffic incoming to the ASA then the ASA will simply pass it along without NAT.
    - Jouni

  • Destination NAT and Source Nat

    Hi, my network have mobile users with notebooks, and they use public smtp IP address, when they out of office, without VPN ASA works well, but when they comes back in office they should change SMTP IP back to private. I know that my task could be solved via DNS service, but for some reason I should do Dnat and Snat on ASA, please answer me, Is it posible? (Because ASA have to nat and dnat on same interface Insidem and back this traffic to Inside again
    )Please see this picture, I draw my task there. Thanks!

    Yes it is posible through policy nat.
    here is the example.
    access−list policy−nat extended permit ip host 10.1.1.20 host 5.5.5.5
    global (dmz) 2  192.168.2.2
    nat (inside) 2 access-list policy−nat
    Hope that helps.
    thanks

  • NAT vs. no NAT

              Earlier this week, I posted a question in this newsgroup titled 'Clustering only
              works 1 way!'
              Well, it turned out that the issue was due to our firewall doing IP translation.
              We turned off NAT and it seems to work now.
              My configuration is:
              Web Server ---> Firewall ---> Cluster of 2 App Servers
              Web Server = Apache w/ WL Plug in
              App Servers = WLS 5.1 SP9 (on Solaris 2.7)
              I am not sure why the issue is resolved by not doing NAT in the firewall. Does
              anyone know? Are the physical IP addresses of the weblogic servers stored in the
              cookie? If so, that would explain it. I looked for cookies on my PC - couldn't
              find any.
              -Bob
              

              Yes, the IP addresses are stored in the cookie.
              The cookies are 'in-memory' cookies. You can see them by turning on 'warn me whenever
              a site sends a cookie' also, Netscape 6 can display them for you. The 4 byte
              IP addresses are stored as a decimal number - in betwee the first two / in the
              WebLogicSession cookie.
              Mike
              "bob malik" <[email protected]> wrote:
              >
              >Earlier this week, I posted a question in this newsgroup titled 'Clustering
              >only
              >works 1 way!'
              >
              >Well, it turned out that the issue was due to our firewall doing IP translation.
              > We turned off NAT and it seems to work now.
              >
              >My configuration is:
              >
              >Web Server ---> Firewall ---> Cluster of 2 App Servers
              >
              >Web Server = Apache w/ WL Plug in
              >App Servers = WLS 5.1 SP9 (on Solaris 2.7)
              >
              >I am not sure why the issue is resolved by not doing NAT in the firewall.
              > Does
              >anyone know? Are the physical IP addresses of the weblogic servers stored
              >in the
              >cookie? If so, that would explain it. I looked for cookies on my PC
              >- couldn't
              >find any.
              >
              >-Bob
              

  • Hardware NAT vs Software NAT

    Guys,
    Please could someone explain to me if all NATting is done in software and this means it is by default "processed switched"
    ie
    packet header re-write is done in s/w and thus has to interrupt the CPU = processed swicthed
    Is that the correct way of putting it?
    Also, if NAT could be done in h/w, this would mean that the CPU would not be interupted, as it would be done by an ASIC and thus the term hardware NAT?
    Also, can anyone tell me what platforms support h/w NATting.
    I can see the 6500 with sup32 does
    Does the 73xx platform?
    Many thx indeed, and if anyone has any related tech-notes on this, could they please post?
    Many thx,
    Ken

    packet header re-write is done in s/w and thus has to interrupt the CPU = processed swicthed
    Is that the correct way of putting it?
    >> yes, that would be a correct way of putting it.
    Also, if NAT could be done in h/w, this would mean that the CPU would not be interupted, as it would be done by an ASIC and thus the term hardware NAT?
    Also, can anyone tell me what platforms support h/w NATting.
    I can see the 6500 with sup32 does
    Does the 73xx platform? not sure
    >> Sup720 with PFC3a or above will do HW NAT/PAT.
    Please rate helpful posts.

  • WRT54G V6 - XBOX 360 Moderate NAT - NEED Open NAT

    Ok, I have seen a post in response to wanting Open NAT on the WRT54G V6 wireless router. The response was as follows: ******************** 192.168.1.1 (default IP address). Leave the username field blank and in the password type “admin” (if you have not changed the password). When the linksys configuration page loads up fully …..click on the tab that says Application and Gaming. When the page loads up fully u can specify the ports that needs to be forwarded for your Xbox. Make sure that before forwarding the ports u assign a static IP address for your Xbox in the same range as that of your router. Specify the sane IP address in the port forwarding page. Also set the MTU of the router to 1365. Try forwarding the ports 88 and 3374. ******************* HOWEVER... I have multiple XBOX's behind the router so I don't believe doing port forwarding will be of any help here will it???? Is there a newer Linksys Wireless router that will allow us to configure Open NAT??? Is there a third part firware that can update the WRT54G V6 so that it can utilize Open NAT??? Desparately need to get 3 or 4 XBOX 360's working behind this thing in open NAT mode. Thanks in advance!!!

    well..in this case , you should go to "Applications and Gaming" and instead of "Port Forwarding" .. you should try "Port Trigerring" .. enter the required numbers .. no need to assign a static ip add to any of the x-boxes ..

  • ACE 4710 A3 outbound static NAT with Port redirection

    Hi
    I have asked this question before, but as I have not get far with it I am going to try to be more specific this time.
    I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
    When I try to configure this:
    ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
    I get the error: Error: Invalid real port configured for NAT static
    Any ideas what it means anyone?

    Right. Forget about the previous question. I have an update.
    I get this output on show nat policies at the moment:
    NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
    ID:64 Static port translation
    Real addr:172.21.7.11 Real port:26 Real interface:18
    Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
    Netmask:255.255.255.255
    where x.x.x.x - is the Public, external IP address on the ACE.
    I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
    Something is telling me I am looking at it from a wrong direction altogether.
    This is the config I have at the moment:
    access-list 130 line 20 extended permit ip any any
    access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
    class-map match-any Class_Port26
    2 match access-list Source_NAT
    policy-map multi-match Policy_Port26_Static
    class Class_Port26
    nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
    interface vlan 107
    ip address 172.21.7.2 255.255.255.240
    peer ip address 172.21.7.1 255.255.255.240
    access-group input 130
    service-policy input Policy_Port26_Static
    no shutdown
    No server farms, no load balancing. Just that.
    Any ideas?

  • ACE and static NAT

    Hello
    I had pix+CSM on 6500. I've changed it to new ACE module on 6500.
    I've made loadbalancing which was done on CSM. Now i wanted to connect dmz which was connected to pix and make static DNAT.
    I used configuration guide/examples from: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/nat.html
    I need to make static DNAT, but i can't figure how it works. There are many errors in this document including incorrect (old?) syntax (for example: nat static 192.0.0.0 255.0.0.0 80 vlan 101)
    I analyzed three examples at the and of this document. My questions:
    1. how do i choose if it's source or destination NAT ?
    2. do i always apply service-policy to vlan interface which receives packets which should be natted ?
    3. What is class-map(it's ACL) choosing ? Incoming traffic which destination address should be changed ?
    4. is in command: "nat static A netmask netmaskA vlan B" A is outside ip address before translation to inside address ?
    5. Could anybody give me a simple example of static DNAT ? (or any links?)
    Thanx

    Destination nat is equivalent to loadbalancing to one server.
    I would therefore configure a vip being the inbound destination address, and a rserver which would be the outbound nated destination ip address.
    Then create a policy-map to link the 2 together and apply the policy-map to the incoming vlan, or you can apply it globally.
    For the reverse connections, where you then need to nat the source ip back to the 'VIP' you use the static nat config that you have found in the document.
    By the way, I don't see anything wrong with it.
    Those commands are in A1 and also the new A2 release.
    ACE is really a loadbalancer with some firewall features and not the opposite.
    This is why pure nating functions are not straightfoward to configure.
    Gilles.

  • ACE: Transparent NAT feasibility

    Is transparent NAT possible? The applications need to be aware of the source IP address to process. The only way I can see to do this is insert the source into the header. I seem to recall reading about transparent NAT, and no NAT, but I cannot find it now.
    All ideas welcome.

    BTW, I want to clarify that client nat is not on by default. You must have configure it and if you do so, you lose information about the client ip. The solution to insert the info into the http header is a good one.
    Gilles

  • NAT problems on a L3 3650 switch

    So, I am trying to setup NAT on our new 3650 switch running IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.00E RELEASE SOFTWARE
    This simple setup involves a layer 3 port (1/0/46) to our gateway and a Vlan for NAT
    My hosts on my NAT Vlan (Vlan 2) do not seem able to ping anywhere else than the switch itself (all its interfaces) and their local subnet. Pings from the switch to outside are fine (NAT debug enabled):
    Switch#ping 8.8.8.8 source 192.168.122.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    Packet sent with a source address of 192.168.122.1 
    Success rate is 100 percent (5/5), round-trip min/avg/max = 60/66/70 ms
    Switch#
    *Nov 10 14:27:04.145: NAT: ICMP id=1->1025
    *Nov 10 14:27:04.145: NAT: s=192.168.122.1->165.211.28.194, d=8.8.8.8 [5]
    *Nov 10 14:27:04.210: NAT: ICMP id=1025->1
    *Nov 10 14:27:04.210: NAT: s=8.8.8.8, d=165.211.28.194->192.168.122.1 [0]
    Running Config:
    ! Last configuration change at 13:51:06 UTC Mon Nov 10 2014
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname Switch
    boot-start-marker
    boot system switch all flash:packages.conf
    boot-end-marker
    vrf definition Mgmt-vrf
    address-family ipv4
    exit-address-family
    no aaa new-model
    switch 1 provision ws-c3650-48ps
    ip routing
    ip dhcp excluded-address 192.168.122.1
    ip dhcp pool Pool14
    import all
    network 192.168.122.0 255.255.255.0
    dns-server 165.211.29.1
    default-router 192.168.122.1
    domain-name my.domain
    crypto pki trustpoint TP-self-signed-1875358754
    diagnostic bootup level minimal
    spanning-tree mode pvst
    spanning-tree extend system-id
    hw-switch switch 1 logging onboard message level 3
    redundancy
    mode sso
    class-map match-any non-client-nrt-class
    policy-map port_child_policy
    class non-client-nrt-class
    bandwidth remaining ratio 10
    interface GigabitEthernet0/0
    vrf forwarding Mgmt-vrf
    no ip address
    negotiation auto
    interface GigabitEthernet1/0/46
    description conf GW
    no switchport
    ip address 165.211.28.194 255.255.255.192
    ip nat outside
    interface GigabitEthernet1/0/47
    switchport access vlan 2
    spanning-tree portfast
    spanning-tree bpduguard enable
    interface GigabitEthernet1/0/48
    switchport access vlan 2
    spanning-tree portfast
    spanning-tree bpduguard enable
    interface Vlan1
    no ip address
    shutdown
    interface Vlan2
    ip address 192.168.122.1 255.255.255.0
    ip nat inside
    ip nat inside source list 61 interface GigabitEthernet1/0/46 overload
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 165.211.28.193
    access-list 61 permit 192.168.122.0 0.0.0.255
    line con 0
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    login
    line vty 5 15
    login
    wsma agent exec
    profile httplistener
    profile httpslistener
    wsma agent config
    profile httplistener
    profile httpslistener
    wsma agent filesys
    profile httplistener
    profile httpslistener
    wsma agent notify
    profile httplistener
    profile httpslistener
    wsma profile listener httplistener
    transport http
    wsma profile listener httpslistener
    transport https
    ap group default-group
    end
    I also tried using a Vlan (+nat outside) instead of the Layer3 port (1/0/46) with the same results

    Hello Paul, 
    1)yes the public addressing is correct. Our gateway is 165.211.28.193/26 and my public is setup 165.211.28.194/26.
    2) Ip routing is enabled on the switch as you can see on my configuration
    3)Switch#sh sdm prefer 
    Showing SDM Template Info
    This is the Advanced (low scale) template.
      Number of VLANs:                                 4094
      Unicast MAC addresses:                           32768
      Overflow Unicast MAC addresses:                  512
      IGMP and Multicast groups:                       4096
      Overflow IGMP and Multicast groups:              512
      Directly connected routes:                       16384
      Indirect routes:                                 7680
      Security Access Control Entries:                 1536
      QoS Access Control Entries:                      3072
      Policy Based Routing ACEs:                       1024
      Netflow ACEs:                                    768
      Wireless Input Microflow policer ACEs:           256
      Wireless Output Microflow policer ACEs:          256
      Flow SPAN ACEs:                                  512
      Tunnels:                                         256
      Control Plane Entries:                           512
      Input Netflow flows:                             8192
      Output Netflow flows:                            16384
      SGT/DGT entries:                                 4096
      SGT/DGT Overflow entries:                        512
    These numbers are typical for L2 and IPv4 features.
    Some features such as IPv6, use up double the entry size;
    so only half as many entries can be created.

  • What is solution of nat failover with 2 ISPs?

    Now I have lease line link to 2 ISPs for internet connection. I separate packets of users by accesslist such as www go to ISP1 and mail or other protocol go to ISP2 . Let's say link go to ISP1 down I need www traffics failover to ISP2 and vice versa.
    Problem is acl on nat statement?
    If you config about this.
    access-l 101 permit tcp any any www -->www traffic to ISP1
    access-l 101 permit tcp any any mail --> back up for mail packet to ISP2 down
    access-l 102 permit tcp any any mail -->mail packet to ISP2
    access-l 102 permit tcp any any www --> back up for www traffic go to ISP2
    ip nat inside source list 101 interface s0 overload
    ip nat inside source list 102 interface s1 overload
    In this case is links of ISP1 and ISP2 are UP.
    when you apply this acl on nat statement then nat will process each statement in order( if I incorrect please correct me) so mail traffics will match in this acl and then nat with ip of ISP1 only.
    please advice solution about this
    TIA

    Hi,
    If you have two serial links connecting to two diff service provider , then you can try this .
    access-l 101 permit tcp any any www
    access-l 102 permit tcp any any mail
    route-map isp1 permit 10
    match ip address 101
    set interface s0
    route-map isp2 permit 10
    match ip address 102
    set interface s1
    ip nat inside route-map isp1 interface s0 overload
    ip nat inside source route-map isp2 interface s1 overload
    ip nat inside source list 103 interface s0 overload
    ip nat inside source list 104 interface s1 overload
    ip route 0.0.0.0 0.0.0.0 s0
    ip route 0.0.0.0 0.0.0.0 s1 100
    In case if any of the link fails , automatically the other traffic would prefer the other serial.
    I have not tried the config , just worked out the config on logic .pls go through and try if possible
    pls see the note2 column
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#related
    Hope it helps
    regards
    vanesh k

  • ASA 5505 NAT rules blocking inside traffic

    Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a  different outside network, but every time we get that far our internal network crashes.  Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to  the workstations is being blocked by the default implicit rule under the access rule heading  that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to  the servers is being allowed though. In an effort to start over again, the Cisco ASA has been  Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the   inside network, since  most of our equipment will always be assigned statics. We reset our static NAT policies, and  seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. Any help will be greatly appreciated.
    Embarq :          Network                                      xxx.xxx.180.104
    Gateway:                                                             xxx.xxx.180.105
    Subnet Mask:                                                     255.255.255.248
    Our Static IP's:                                                    xxx.xxx.180.106 to xxx.xxx.180.110
    Cisco Pix for VPN tunnels :                              xxx.xxx.180.107  outside IP
        used for DataBase Servers :                        100.1.0.2  Inside IP/ Gateway 2
    Cisco ASA 5505:                                               xxx.xxx.180.106  outside IP
        all other traffic :                                              100.1.0.1  Inside IP/ Gateway 1
    Inside Network:                                                 100.1.0.0/24
    Application Server:                                          100.1.0.115 uses Gateway 1
    BackUp AppSrvr:                                             100.1.0.116 uses Gateway 1
    DataBase Server:                                            100.1.0.113 uses Gateway 2
    BackUp DBSrvr:                                               100.1.0.114 uses Gateway 2
    Cobox/Receiver:                                               100.1.0.140
    BackUp Cobox:                                                 100.1.0.150
    Workstation 1:                                                   100.1.0.112
    Workstation 2:                                                   100.1.0.111
    Network Speaker1,2,3,4:                                 100.1.0.125 to 100.1.0.128
    Future Workstations:                                        100.1.0.0/24
    1.           Embarq Gateway feeds both Cisco Pix, and Cisco ASA. Both Ciscos feed a Dell Switch.
    2.           All inside network devices at 100.1.0.0/24 are networked into the Dell Switch.
    3.           All Workstations/Network Speakers need to be able to communicate with all four servers, and   the Cobox/Receiver.
    4.          The DataBase Servers have VPN tunnels created in the Pix for clients to be able to login  securely and edit their account info.
    5.          The App Server (100.1.0.115), and BackUp App Srvr (100.1.0.116) need to have a NAT rule  created NAT'ing them to xxx.xxx.180.109.
          A.          The xxx.xxx.180.109 NAT rule needs to allow ALL UPD traffic TO and FROM ANY outside    IP address.
          B.          The xxx.xxx.180.109 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
    6.          The Cobox/Receiver (100.1.0.140) and BackUp Cobox (100.1.0.150) need to have a NAT rule created NAT'ing them to xxx.xxx.180.108
          A.          The xxx.xxx.180.108 NAT rule needs to allow UDP traffic FROM ANY Outside IP address source port 6000 or 9000 to destination port 9000
          B.           The xxx.xxx.180.108 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
    7.          Right now the Cisco PIX is functioning and working perfectly for our VPN tunnels.
    8.         
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 100.1.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.xxx.180.106 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_4
    protocol-object icmp
    protocol-object udp
    object-group protocol DM_INLINE_PROTOCOL_5
    protocol-object icmp
    protocol-object udp
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any xxx.xxx.180.104 255.255.255.248
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 host xxx.xxx.180.108 any
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 host xxx.xxx.180.108 any
    access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_2 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
    access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_1 any any
    access-list inside_nat_static extended permit udp host 100.1.0.140 eq 9000 any
    access-list inside_nat_static_1 extended permit ip host 100.1.0.115 any
    access-list inside_nat0_outbound extended permit ip 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
    access-list outside_nat_static extended permit udp host xxx.xxx.180.108 eq 6000 host 100.1.0.140
    access-list outside_nat_static_1 extended permit ip host xxx.xxx.180.109 host 100.1.0.115
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat-control
    global (inside) 1 100.1.0.3-100.1.0.254 netmask 255.0.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    static (inside,outside) udp xxx.xxx.180.108 6000 access-list inside_nat_static
    static (outside,inside) udp 100.1.0.140 9000 access-list outside_nat_static
    static (inside,outside) xxx.xxx.180.109  access-list inside_nat_static_1
    static (outside,inside) 100.1.0.115  access-list outside_nat_static_1
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 100.1.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 100.1.0.5-100.1.0.15 inside
    dhcpd dns 71.0.1.211 67.235.59.242 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:52e69fa95fcffd43ed9e73df320e3a55
    : end
    no asdm history enable

    OK. Thank you very much for your help. I am going to get with the powers that be to upgrade the "Base" license in this ASA.
    In the meantime I will Close and Rate this post for now so others can get this info also.
    If we have any further issues after the upgrade, then I will open a new post.
    Thanks again. We new it was something simple. Not sure how we overlooked that, but hey we're getting somewhere now.

Maybe you are looking for

  • After Getting Error on Screen Changing the same screen data

    Hi, I am populating error message  in module pool program . I want to edit the fields in the same screen currently it is nor allowing . I use the CHAIN  and ENDCHAIN also . In my module pool screen i selecting some records if records contains differe

  • Problem while downloading data to text file using GUI_DOWNLOAD FM

    Hi, When we download the data using the GUI_DOWNLOAD FM into the text file tab delimeted(table is built dynamically), Its coming in this format as shown below Field1  Fileld2  Field3 1     2      3 However I want it in this way Field1  Fileld2  Field

  • Wrt54g router and ps3

    okay i have a wrt54g version 6 router, with 1.02.2 firmware, and no matter what i do, i cant get the NAT type on the ps3 to get to 2, its always 3, so i cant play some games online, ive tried forwarding the ports with dmz off and UPnP off, and ive tr

  • [HELP] Transferring music

    I transfered my iTunes to a flash drive and am planning on putting it on my new Mac, I did it like this : I simply drag and dropped my music from Itunes (by album) to the flash drive (left of iTunes), when I plug my flash drive into my new computer w

  • MXF issues on CS6 (Premiere and Media Encoder)

    Hello all, In our station workflow we use Sony XDCAM (DV25). Until last week we were running PPro CS5 without any problems with the MXF files. Since the upgrade (skipped 5.5) we have serious issues with this wrapper. Importing takes ages, espescially