ACE 4710 A3 outbound static NAT with Port redirection
Hi
I have asked this question before, but as I have not got far with it I am going to try to be more specific this time.
I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
When I try to configure this:
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
I get the error: Error: Invalid real port configured for NAT static
Any ideas what it means anyone?
Right. Forget about the previous question. I have an update.
I get this output on show nat policies at the moment:
NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
ID:64 Static port translation
Real addr:172.21.7.11 Real port:26 Real interface:18
Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
Netmask:255.255.255.255
where x.x.x.x - is the Public, external IP address on the ACE.
I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
Something is telling me I am looking at it from a wrong direction altogether.
This is the config I have at the moment:
access-list 130 line 20 extended permit ip any any
access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
class-map match-any Class_Port26
2 match access-list Source_NAT
policy-map multi-match Policy_Port26_Static
class Class_Port26
nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
interface vlan 107
ip address 172.21.7.2 255.255.255.240
peer ip address 172.21.7.1 255.255.255.240
access-group input 130
service-policy input Policy_Port26_Static
no shutdown
No server farms, no load balancing. Just that.
Any ideas?
Similar Messages
-
Static nat with port redirection 8.3 access-list using un-nat port?
I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
object network obj-10.1.1.5-06
nat (inside,outside) static interface service tcp 3389 3398
object network obj-10.1.1.5-06
host 10.1.1.5
access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
access-group outside_access_in in interface outside
So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
Thanks in advance..
Hello,
I would be more than glad to explain to you what is going on!
The thing is, since 8.3 NAT is reviewed before the ACL, so the ASA receives the packet on the outside interface, checks for an existing connection, and if there is none it will un-NAT the packet and then check the ACL.
After the packet is un-NATed, what we have is the private IP addresses and the real ports, so that is why on these versions you have to point the ACL to the private IP addresses and ports.
Regards,
Julio
Rate helpful posts -
Static NAT with port translation
Hello All,
I have a server running web application on 443 and now I want to publish it on Internet with static nat and just for port 443, I am thinking that following configuration should be fine, can anyone comment on it.
10.1.1.2:443 10.1.1.1 2.2.2.5
Server -------------------------- ASA --------------------- Internet router --Cloud
Config i am planing
static (inside, outside) tcp 2.2.2.2 443 10.10.10.10 443 netmask 255.255.255.255
Thanks
JD
Thanks Harish and Jouni,
I am using an extra Public IP. I want to know why "dns" is at the end of the access list? I got confused by the ACL as I was looking at the ASA packet flow:-
ASA/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Lev)
1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.
2. UN-NAT - [static] -
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [rpf-check] -
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
10. ROUTE-LOOKUP - [output and adjacency]
access-list OUTSIDE-IN permit tcp any host eq 443 - suggested by you
but if i go by the flow which i come to know it should be like
access-list OUTSIDE-IN permit tcp any host eq 443
What is your opinion?
Thanks
Jagdev -
Static NAT with two outside interfaces
I have a router, which performs NAT on two outside interfaces with load balancing and had a task to allow inbound connection to be forwarded to the specific host inside on a well known port.
here is example
interface Fas0/0
ip nat outside
interface Fas0/1
ip nat outside
interface Vlan1
ip nat inside
ip nat inside source route-map rm_isp1 pool pool_isp1
ip nat inside source route-map rm_isp2 pool pool_isp2
all worked fine
then i tried to add static nat
ip nat inside source static tcp 10.0.0.1 25 interface Fas0/0 25
ip nat inside source static tcp 10.0.0.1 25 interface Fas0/1 25
and in result only last static NAT line appeared in config.
The solution was to use the interfaces' IPs instead of names. That helped, but isn't that a bug?
In this scenario, we are trying to access a mail server located at 10.0.0.1 from outside and we have two outside IPs, let's say, 71.1.1.1 and 69.1.1.1.
With CEF Enabled
Packet comes in to the Fa0/0 interface with Source IP 66.x.x.x and Destination IP 71.1.1.1. Our NAT rule translates this to 10.0.0.1. Packet goes to 10.0.0.1. The return packet goes to the LAN interface first and the routing rule is determined *before* the packet is translated.
Packet source IP at this point is 10.0.0.1 and destination is 66.x.x.x. Now, based on CEF, it will go out via Fa0/0 or Fa0/1, irrespective of the way it came in. Because of this, with CEF enabled this will not work. CEF is per-destination.
So, let's say somebody on the outside tried to access this server using 71.1.1.1, then he would expect a reply from 71.1.1.1, which may or may not be true as the traffic could be NAT'd to 69.1.1.1 or 71.1.1.1. If it gets the reply packet from 71.1.1.1, it should work. If it gets it from 69.1.1.1, it will simply drop it as it never sent a packet to 69.1.1.1.
With CEF and Fast Switching Disabled
Same steps as above, only that the packet is sent to the process level to be routed. At this point, the packets will be sent out in a round robin fashion. One packet will go out via Fa0/0 and the other via Fa0/1. This will have a constant 50% packet loss and is also not a viable solution.
So, what you are trying to achieve is not possible on a Cisco router.
HTH,
Amit Aneja -
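The return-path problem Amit describes can be made concrete with a short model. This is an added example, not code from the thread or from Cisco: it picks the reply's egress interface the way the router would (by destination before translation, or per packet when process switched) and counts how many replies the client actually accepts. The public addresses 71.1.1.1 and 69.1.1.1 and the 66.x.x.x client are from the reply; the hash standing in for CEF per-destination load sharing and all function names are this example's own.

```python
"""
Model of inbound static NAT behind two `ip nat outside` interfaces: the egress
interface for the reply is chosen by routing, not by where the request arrived,
so the reply's source address may not be the address the client contacted.
Added example; the sha256-based selector is a constructed stand-in for CEF.
"""
import hashlib

PUBLIC_BY_EGRESS = {"Fa0/0": "71.1.1.1", "Fa0/1": "69.1.1.1"}


def cef_egress(dst_ip: str) -> str:
    """Per-destination load sharing: a fixed choice for a given destination,
    independent of which interface the original packet arrived on."""
    digest = hashlib.sha256(dst_ip.encode()).digest()
    return "Fa0/0" if digest[0] % 2 == 0 else "Fa0/1"


def round_robin_egress(packet_index: int) -> str:
    """Process switching (CEF and fast switching disabled): alternate per packet."""
    return "Fa0/0" if packet_index % 2 == 0 else "Fa0/1"


def reply_source_address(client_ip: str, packet_index: int, mode: str) -> str:
    """Outbound NAT uses whichever public address belongs to the chosen egress."""
    egress = cef_egress(client_ip) if mode == "cef" else round_robin_egress(packet_index)
    return PUBLIC_BY_EGRESS[egress]


def delivered_fraction(client_ip: str, contacted_ip: str, packets: int, mode: str) -> float:
    """Fraction of replies the client accepts.  A client only accepts a reply
    whose source is the address it sent to; anything else has no matching
    connection on the client side and is dropped."""
    accepted = sum(
        1 for i in range(packets)
        if reply_source_address(client_ip, i, mode) == contacted_ip
    )
    return accepted / packets


if __name__ == "__main__":
    client = "66.1.2.3"  # constructed client address in the 66.x.x.x range from the reply
    for contacted in PUBLIC_BY_EGRESS.values():
        print(contacted,
              "cef:", delivered_fraction(client, contacted, 100, "cef"),
              "round-robin:", delivered_fraction(client, contacted, 100, "process"))
```

With per-destination selection a given client either always works or never works, depending on which public address it happened to contact; with per-packet selection every client loses half of the replies, matching the 50% loss in the reply above.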
Hi,
I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office. I am fairly new to networking so forgive me if I ask some really silly questions!
I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel. What I wanted to do was create another vlan, give this a different subnet. Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel, and then configured static NAT statements for each of the four ports these boost boxes need to work. I configured ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside).
The configuration can be seen below for the NAT part;
! Denies vpn interesting traffic but permits all other
ip access-list extended NAT-Traffic
deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
permit ip any any
! create route map
route-map POLICY-NAT 10
match ip address NAT-Traffic
! static nat
ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down. Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
Am I along the right lines in terms of configuration? And if not can anyone point me in the direction of anything that may help at all please?
Many thanks in advance
Brian
Hi,
Sorry to bump this thread up but is anyone able to assist in configuration? I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
Thanks
Brian -
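Brian's question about UDP 500 can be turned into a check that runs before the change is applied. The block below is an added example, not code from the thread or from Cisco: it parses the four posted `ip nat inside source static` lines and flags any mapped ip/port that the router itself needs for its IPsec tunnel (IKE on UDP 500, NAT-T on UDP 4500). The regex, the rule representation and the assumption that 85.233.188.47 is also the crypto endpoint (the follow-up post implies the tunnel uses the router's existing public IP) are this example's own.

```python
"""
Flag static NAT entries that overlap ports the router terminates itself.
A static NAT on the tunnel endpoint's UDP 500 / 4500 hands the router's own
IKE and NAT-T packets to the inside host, so the tunnel cannot renegotiate.
Added example, not Cisco code.
"""
import re
from typing import Dict, List, Tuple

STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<real_ip>\d+\.\d+\.\d+\.\d+) (?P<real_port>\d+) "
    r"(?P<mapped_ip>\d+\.\d+\.\d+\.\d+) (?P<mapped_port>\d+)"
)

# Ports the router listens on at its crypto endpoint address.
ROUTER_OWNED: Dict[Tuple[str, int], str] = {
    ("udp", 500): "ISAKMP/IKE",
    ("udp", 4500): "IPsec NAT-T",
}

# The four lines from the post, embedded here as sample input.
POSTED_CONFIG = """\
ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
"""


def parse_static_nat(config_text: str) -> List[dict]:
    """Extract proto, real ip:port and mapped ip:port from static NAT lines."""
    rules = []
    for line in config_text.splitlines():
        m = STATIC_NAT_RE.match(line.strip())
        if m:
            g = m.groupdict()
            rules.append({
                "proto": g["proto"],
                "real": (g["real_ip"], int(g["real_port"])),
                "mapped": (g["mapped_ip"], int(g["mapped_port"])),
            })
    return rules


def find_conflicts(rules: List[dict], tunnel_endpoint_ip: str) -> List[Tuple[int, str, Tuple[str, int]]]:
    """Rules whose mapped ip:port is one the router needs for IPsec on that address."""
    hits = []
    for r in rules:
        owner = ROUTER_OWNED.get((r["proto"], r["mapped"][1]))
        if owner and r["mapped"][0] == tunnel_endpoint_ip:
            hits.append((r["mapped"][1], owner, r["real"]))
    return hits


def conflicting_ports(config_text: str, tunnel_endpoint_ip: str) -> List[int]:
    """Convenience wrapper: just the mapped ports that collide."""
    return [port for port, _, _ in find_conflicts(parse_static_nat(config_text), tunnel_endpoint_ip)]


if __name__ == "__main__":
    # Assumption: 85.233.188.47 is the address the crypto map peers with.
    for port, owner, real in find_conflicts(parse_static_nat(POSTED_CONFIG), "85.233.188.47"):
        print(f"udp/{port} ({owner}) on the tunnel endpoint is redirected to {real[0]}:{real[1]}")
```

Running the check against a different mapped address (a second public IP that is not the crypto endpoint, as Brian proposes in his follow-up) reports no conflicts, which is the outcome his second post is looking for.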
Static nat with dual destination
I need to configure static nat for cisco ASA 5500,
here is the topology:
one server (source) with ip 10.211.250.22 /28 (interface : name if dmz_virtual_account)
will static nat to two destinations :
1. to Internet will translated to 202.152.19.196 (Interface : name if Outside_Inet) and,
2. to external network with real address is 10.10.10.1 and will translated to 192.168.168.14 /29 (interface : name if dmz_external)
Need help
and many thanks for any advice
Regards,
Manao
Hi Marvin
my ASA's software running 8.4
Regards,
Manao -
Using both Dynamic and Static NAT with two Different Internet facing Subnets
We have two Class C Public Address subnets. We started with Subnet (A) and have many of our Internet accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 8.3(2) and started Migrating the Users and new servers to it, so I started with our second Class C Subnet (B). Later on down the road I found out that if the Firewall's Default Gateway is set to a (B) Interface subnet, then the servers that are statically mapped to an (A) Address will have a (B) address when they communicate out to the internet. So they are receiving packets on their (A) Address, though replying to them with a (B) address.
It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external Address when communicating outbound as well as inbound.
So For instance I want the Following: when the Internal Replies I want the reply to come from the mapped IP, not a IP from the Dynamic Pool.
Public IP: 192.168.1.100/24
Internal IP: 10.0.0.100/16
Public IP: 192.168.5.101/24
Internal IP: 10.0.0.101/16
interface Ethernet0/0
description 192.168.1.0/24 Network Outside IP
nameif outside-1
security-level 0
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
description 192.168.5.0/24 Network Outside IP
nameif outside-5
security-level 0
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/2
description inside 10.0.0.0/16
nameif inside
security-level 100
ip address 10.0.0.1 255.255.0.0
object network serverA_o
host 192.168.1.100
object network serverA_i
host 10.0.0.100
object network serverB_o
host 192.168.5.101
object network serverB_i
host 10.0.0.101
object network 192-168-1-NAT-POOL
range 192.168.1.50 192.168.1.239
nat (inside,outside-1) source static serverA_i serverA_o
nat (inside,outside-5) source static serverB_i serverB_o
nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
object network serverA_i
nat (inside,outside-1) static serverA_o
object network serverB_i
nat (inside,outside-5) static serverB_o
route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2
When I set this up my serverB shows a Public IP of something in the 192-168-1-NAT-POOL Not 192.168.5.101
Any Suggestions?
Thanks!
Not sure why I have Multiple Entries. )-: I did think it was Odd. I think it might be because I was looking at examples of the new and old styles of NAT.
We have a Single ISP, though have 2 separate non-Contiguous Class C Addresses from them. We host some Servers on one subnet and some on the other.
I'm looking for a way to use both Subnets on the same ASA.
The Connection to the net looks like this:
Internet -> Edge Router Layer3 VLAN Switch
GE0/1.2 - 192.168.1.1 VLAN Tagged --> GE0 - VLAN Tagged
GE0/1.2 - 192.168.5.1 VLAN Tagged -^
Layer3 VLAN Switch Firewall
GE1 192.168.1.0/24 Untagged -> ASA Outside-1
GE2 192.168.5.0/24 Untagged -> ASA Outside-5
Firewall
ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100
Hope that helps clarify.
I could try to post some sanitized Configs of my PIX and ASA if needed. But the end result I'm trying to do is have the ASA do NAT for multiple Public Subnets. -
ACE 4710 VIP not pingable even with "always" selected.
Hello, I have a somewhat complicated setup in order to allow one particular VIP to answer for the same serverfarm on two different ports (this was a previous question here.) Here is the scrubbed config below. The setup works, but the issue is that the VIP does not reply to pings. We use both the servers and the vip for monitoring internally. It is still operational on the ports it is balancing, but no setting for ping seems to work (Active, Primary, or Always.) What am I doing wrong here? The other sites I use stickys with respond for their VIPs. I'm assuming this one does not due to the more complicated policy map.
probe http HTML-Site-Up_200
description This probe is to verify HTTP operation via site-up.html check
port 80
interval 5
faildetect 2
passdetect interval 10
request method get url /site-up.html
expect status 200 200
open 2
probe icmp ICMP-Ping
interval 5
faildetect 2
passdetect interval 10
probe tcp RAW-TCP-81
port 81
interval 10
faildetect 2
passdetect interval 20
connection term forced
open 1
rserver host psc-us-EQUIPprd1
description EQUIP Prod, server 1
ip address 10.1.1.84
inservice
rserver host psc-us-EQUIPprd2
description EQUIP Prod, server 2
ip address 10.1.1.85
inservice
serverfarm host EQUIPPROD
description EQUIP Prod Server Pool
predictor leastconns
probe HTML-Site-Up_200
probe ICMP-Ping
probe RAW-TCP-81
rserver psc-us-EQUIPprd1
probe ICMP-Ping
probe HTML-Site-Up_200
probe RAW-TCP-81
inservice
rserver psc-us-EQUIPprd2
probe ICMP-Ping
probe HTML-Site-Up_200
probe RAW-TCP-81
inservice
serverfarm host EQUIPPROD-CUSTOMER-81
description EQUIP Customer Site Server Pool, port 81
predictor leastconns
probe RAW-TCP-81
rserver psc-us-EQUIPprd1 81
probe RAW-TCP-81
inservice
rserver psc-us-EQUIPprd2 81
probe RAW-TCP-81
inservice
sticky ip-netmask 255.255.255.255 address source Sticky_EQUIPPROD
timeout 180
replicate sticky
serverfarm EQUIPPROD
class-map type http loadbalance match-all EQUIP_81_Redirect
2 match http header Host header-value ".*equiponline.com"
class-map type http loadbalance match-all EQUIP_81_Redirect_Full
2 match http header Host header-value ".*www.equiponline.com"
class-map match-all VIP-EQUIPPROD
2 match virtual-address 10.1.1.97 any
policy-map type loadbalance first-match VIP-EQUIPPROD-l7slb
class EQUIP_81_Redirect
serverfarm EQUIPPROD-CUSTOMER-81
class EQUIP_81_Redirect_Full
serverfarm EQUIPPROD-CUSTOMER-81
class class-default
sticky-serverfarm Sticky_EQUIPPROD
policy-map multi-match global
class VIP-EQUIPPROD
loadbalance vip inservice
loadbalance policy VIP-EQUIPPROD-l7slb
loadbalance vip icmp-reply
nat dynamic 13 vlan 1000
interface vlan 1000
nat-pool 13 10.1.1.97 10.1.1.97 netmask 255.255.255.0 pat
Output from that class from the show service-policy command. And no, it doesn't appear to be pingable from the ACE.
class: VIP-EQUIPPROD
nat:
nat dynamic 13 vlan 1000
curr conns : 361 , hit count : 116690
dropped conns : 5
client pkt count : 4815293 , client byte count: 739114009
server pkt count : 7281612 , server byte count: 8753101386
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.1.1.97 any
loadbalance:
L7 loadbalance policy: VIP-EQUIPPROD-l7slb
Regex dnld status : SUCCESSFUL
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 392 , hit count : 134300
dropped conns : 431
client pkt count : 4869950 , client byte count: 741545220
server pkt count : 7281612 , server byte count: 8753101386
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : VIP-EQUIPPROD-l7slb
class/match : EQUIP_81_Redirect
LB action :
primary serverfarm: EQUIPPROD-CUSTOMER-81
state: UP
backup serverfarm : -
hit count : 12602
dropped conns : 0
compression : off
class/match : EQUIP_81_Redirect_Full
LB action :
primary serverfarm: EQUIPPROD-CUSTOMER-81
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
class/match : class-default
LB action: :
sticky group: Sticky_EQUIPPROD
primary serverfarm: EQUIPPROD
state:UP
backup serverfarm : -
hit count : 107831
dropped conns : 5
compression : off
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
pscaceinside01/Prod# ping 10.1.1.97
Pinging 10.51.221.97 with timeout = 2, count = 5, size = 100 ....
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
5 packet sent, 0 responses received, 100% packet loss
For what it's worth, none of my VIP's are pingable from the ACE. I think that has to do with me being in one-arm configuration, and using the NAT addresses per VIP. But all other VIPs are pingable from other sources on the subnet. With the exception of this VIP. -
ACE 4710 - Continuing SSL Session Setup with Client Certificate Failures
Dears,
I have a Cisco ACE (image: c4710ace-t1k9-mz.A5_2_1.bin) configured for SSL termination with load balancing in addition to client authentication. I have a situation that require the ACE to pass expired client certificate currently deployed on some clients.
which is the best option from the following to apply using the authentication-failure command in parameter map SSL configuration mode.
- authentication-failure ignore [Only]
OR
- authentication-failure redirect cert-expired
OR
- authentication-failure ignore with authentication-failure redirect cert-expired
Appreciate your help
Dear Kanwalsi
To pass only cert-expired!!! What do you think of applying the following?
parameter-map type ssl TEST
authentication-failure ignore
authentication-failure redirect unknown-issuer url http://TEST.com/sorry.html 302
authentication-failure redirect no-client-cert url http://TESt.com/sorry.html 302
authentication-failure redirect cert-has-signature-failure url http://TESt.com/sorry.html 302
authentication-failure redirect cert-other-error url http://TESt.com/sorry.html 302
authentication-failure redirect cert-revoked url http://TESt.com/sorry.html 302
authentication-failure redirect crl-has-expired url http://TESt.com/sorry.html 302
authentication-failure redirect crl-not-available url http://TESt.com/sorry.html 302 -
Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710
One of the features of our application is that our Application Server initiates text messages to our devices sourcing from UDP 1120, and the device needs to see the message come from a specific public IP (2.2.2.2) with UDP port 1120 and reply back to the same Public IP (2.2.2.2) with UDP port 1120. The problem is we can make that happen if we have only one server in our ACE Serverfarm, when we SNAT the real servers with the VIP address (10.1.246.32), but it does not work when we have more than one server in the Serverfarm. Since we have 2 servers, I cannot NAT the real servers with the VIP address; if I do a PAT, obviously it is changing the source port of the request.
Note: This setup is working fine with the Cisco Content Switching Module running on a 6509 chassis. When I sniff the traffic initiated from the server coming from the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default, but this is not the case with ACE 4710.
Traffic flow as follows
===============
ACE 4710 FWSM (Firewall static NAT) Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
VIP
Rserver 1 - 10.1.104.80 10.1.246.32 10.1.246.32 < - > 2.2.2.2 1.1.1.1
Rserver 2 - 10.1.104.81
----------------------------------------------------------> -------------------------------> - traffic flow from server to the device when we send msg
Configs:
======
rserver host server1
ip address 10.1.104.80
inservice
rserver host server2
ip address 10.1.104.81
inservice
serverfarm host SFARM
failaction purge
probe ICMP
rserver server1
inservice
rserver server2
inservice
access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
parameter-map type connection UDP_TIMEOUT
set timeout inactivity 3600
sticky ip-netmask 255.255.255.255 address source STKY-SFARM
serverfarm SFARM
timeout 180
replicate sticky
class-map match-all CLS-SFARM
2 match virtual-address 10.1.246.32 udp eq 1120
class-map match-all SERVERNAT
2 match access-list TEST-1120
policy-map type loadbalance first-match POL-SFARM
class class-default
sticky-serverfarm STKY-SFARM
policy-map multi-match POL-LB
class CLS-SFARM
loadbalance vip inservice
loadbalance policy POL-SFARM
loadbalance vip icmp-reply active
connection advanced-options UDP_TIMEOUT
class SERVERNAT
nat dynamic 1 vlan 244
int vlan 244
ip address 10.1.246.2 255.255.255.0
service-policy input POL-LB
nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
mac-sticky enable
no icmp-guard
no shut
interface vlan 2506
ip address 10.1.104.2 255.255.255.0
service-policy input POL-LB
mac-sticky enable
no icmp-guard
no shut
I see in CSS, they are able to NAT the source IP address with VIP and port-mapping disabled. How do I implement
portmap disable in ACE 4710
Disabling Port Mapping
By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disable command in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services, -
Static NAT to two servers using same port
I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
Any help would be very much appreciated.
Thanks,
- Mike
Hi,
Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port is coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain that this is a stable solution. I would imagine it could not be recommended for a production environment setup.
But nevertheless its a possibility.
So you would need the newer software on your firewall, but I am not sure what device you are using and what software it is running.
- Jouni -
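Jouni's answer depends on how the ASA orders NAT rules on 8.3 and later, and on the fact that 8.2 and earlier accept only one `static` per mapped port. The block below is an added example, not code from the thread or from Cisco: it models that lookup with Mike's two inside hosts and shows TCP 443 going to one host for the known partner address and to the other host for everyone else. 192.168.0.2 and 192.168.0.3 are from the question; the partner address 203.0.113.10 stands in for the thread's x.x.x.x, the outside interface address 192.0.2.1 is constructed, and the class and function names are this example's own.

```python
"""
Model of ASA 8.3+ NAT rule precedence for an overlapping mapped port.
Rules are evaluated by section (manual/twice NAT in section 1 before object
NAT in section 2) and then in configured order; the first match wins.  A
section-1 rule conditioned on the peer address therefore takes the partner's
443 connections, and the section-2 catch-all takes the rest.  Added example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IF = "192.0.2.1"     # constructed outside interface address
PARTNER = "203.0.113.10"     # constructed stand-in for the thread's x.x.x.x


@dataclass(frozen=True)
class NatRule:
    section: int                   # 1 = manual (twice) NAT, 2 = object NAT
    mapped_ip: str
    proto: str
    mapped_port: int
    real_ip: str
    real_port: int
    peer_ip: Optional[str] = None  # manual NAT may be conditioned on the far end


def lookup_real_target(src_ip: str, dst_ip: str, proto: str, dst_port: int,
                       rules: List[NatRule]) -> Optional[Tuple[str, int]]:
    """8.3+ inbound un-NAT: section order, then configured order, first match."""
    for rule in sorted(rules, key=lambda r: r.section):  # stable sort keeps config order
        if (rule.mapped_ip, rule.proto, rule.mapped_port) != (dst_ip, proto, dst_port):
            continue
        if rule.peer_ip is not None and rule.peer_ip != src_ip:
            continue
        return rule.real_ip, rule.real_port
    return None


RULES_84 = [
    # object NAT (section 2), listed first in the config: 443 to the VPN server
    NatRule(2, OUTSIDE_IF, "tcp", 443, "192.168.0.3", 443),
    # manual NAT (section 1): 443 from the partner only, to the new server
    NatRule(1, OUTSIDE_IF, "tcp", 443, "192.168.0.2", 443, peer_ip=PARTNER),
]


def legacy_static_table(rules: List[NatRule]) -> Tuple[dict, List[NatRule]]:
    """8.2 and earlier: one `static` per mapped ip/proto/port; a later
    duplicate is rejected.  Returns (accepted table, rejected rules)."""
    table, rejected = {}, []
    for rule in rules:
        key = (rule.mapped_ip, rule.proto, rule.mapped_port)
        if key in table:
            rejected.append(rule)
        else:
            table[key] = rule
    return table, rejected


def who_gets_443(src_ip: str) -> Optional[Tuple[str, int]]:
    """Real target for an inbound TCP 443 connection from src_ip under RULES_84."""
    return lookup_real_target(src_ip, OUTSIDE_IF, "tcp", 443, RULES_84)


if __name__ == "__main__":
    print("partner ->", who_gets_443(PARTNER))
    print("other   ->", who_gets_443("198.51.100.9"))
    _, rejected = legacy_static_table(RULES_84)
    print("8.2 would reject", len(rejected), "rule(s)")
```

The model also makes Jouni's caveat visible: the split only holds while the partner's source address is known and fixed. Any 443 connection from another address, including the partner after a change of egress IP, falls through to the catch-all and reaches the VPN server instead.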
ACE 4710 Connectivity help?
I'm using an ACE 4710 in a new datacenter, with the following setup:
2/4 physical ethernet interfaces port channeled into port-channel 1
2/4 physical ethernet interfaces port channeled into port-channel 2
I have the following vlans defined:
1001 - admin - interface ip: 10.53.136.70
400 - client side - interface ip: 10.53.136.100
500 - server side - interface ip: 192.168.128.1
999 - fault tolerance - interface ip: 192.168.11.2
My problem is I am trying to nat ssh and web server traffic from the client side, to the server side, but it's never getting to the server. For example, if I ssh to 10.53.136.102, it times out. (10.53.136.102 should get nat'd to 192.168.128.2)
Also, I can connect to the ACE 4710 via telnet using 10.53.136.70, but cannot connect to 10.53.136.100.
I'm thinking there is either something wrong with the port-channels, or the access lists. On the other hand there could be something wrong with the nat'ing, but I had it working before switching over to the port-channels.
Any thoughts?
Thanks,
Brent
I've attached the two contexts which we are using. The admin context is new_lb_config.txt and the second context where the loadbalancing occurs is in the new_lb_config_VC_WBPX.txt file.
From the load balancer, I am able to ping the real server ips in the 192.168. ip range. The 4710 recognizes that they are in service.
I believe the ACL for the VLAN 400 is set to permit all traffic, but I don't know if the service policies are preventing something from happening.
Right now, I have disconnected the two 4710s and I am only working on one of them to see if I can get the basic connectivity going. Once I accomplish that, I will work on high availability. I'll have to check whether it thinks it is in passive mode...not entirely sure how to do that, but I will check it out.
Thanks,
Brent -
Who needs the ACLs and static NAT?
I came upon a job whose network layout is kind of tricky. Here is the skinny:
2 routers (both 1721s). One is SBC's and it plugs into the internet on the WIC interface. The NIC interface plugs into a PIX 506E Firewall. The firewall does the PAT. The other eth port on the firewall plugs into the switch. The other router's WIC card plugs into the franchise intranet, and the NIC plugs into the switch.
All the PCs, servers, etc have the default gateway set to the ethernet interface of the franchise 1721. That router looks at the destination address and decides if it needs to go out it's WIC (if the dest. address is on the corporate intranet's subnet) or if it needs to go out to the internet (through the firewall and out the other router).
Now heres what I am trying to accomplish:
The customer wants to be able to telnet into one machine in the private network from her house.
Obviously, I need an ACL on the SBC router because that's where the request is coming from. I also have set up static NAT on the router from a public IP (in our valid range that SBC provides) to the private IP of the machine that she wants to access.
Currently, it is not working. I thought it had something to do with the other router so I started contacting the network engineers at the franchise office to get them to open up their router to allow telnet.
I now think however, that the reason it is not working is I have the static NAT on the wrong device!!
Shouldn't it be on the firewall, because the SBC router doesn't know anything about those private addresses (the PAT happens on the firewall).
Is my hunch right? Can you please advise me on which devices will need changes in their ACLs and which device(s) will need static NAT mapping? I don't want to open anything I don't have to. Thanks!!
I just came from the client's office. I am a little lost here. I am quite nifty at the CLI of a router or a switch, but every other firewall I have dealt with (SonicWall, WatchGuard, etc) has had a web based GUI. I am new in the field and have never configured a PIX before.
Here's what I have right now:
SBC router is configured to allow Telnet traffic in.
The PIX 506E has PAT configured on it. I tried setting up static NAT with no luck on the firewall. Attached is my running config. Perhaps you could instruct me on a some commands I can throw at this box to make this whole mess work!!
Let 207.184.18.10 be the address of the internal machine we want to access and SERVER.PUBLIC.IP be the public address we should point our telnet client to get in. -
Static NAT and same IP address for two interfaces
We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly), can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm referring to, where 10.10.10.10 would be the same public IP address.
static (inside,Outside) 10.10.10.10 access-list inside_nat_static_1
static (production,Outside) 10.10.10.10 access-list production_nat_static_1
Thanks for any help.
Jeff
Hi Jeff,
Unfortunately this cannot be done, on the ASA packet classification is done on the basis of mac-address, destination nat and route, and here you are confusing the firewall, to which interface does the ip belong to. I haven't ever tried to do it, but it should cause you issues.
Thanks,
Varun Rao
Security Team,
Cisco TAC -
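Varun's point in the thread above is that the ASA works out which interface a destination address belongs to partly from its static NAT entries, so one mapped IP claimed by two real interfaces is ambiguous. The lint below is an added example, not code from the thread or from Cisco: it parses constructed `static (real,mapped)` lines in the syntax Jeff posted and reports any mapped address claimed by more than one real interface towards the same mapped interface.

```python
"""Added example (not from the thread): lint Cisco ASA 'static' NAT lines
for the conflict described in the reply, where one mapped (public) IP is
used by static translations on two different real interfaces, so the ASA
cannot tell which interface the address belongs to. The sample config
below is constructed for illustration."""
import re
from collections import defaultdict

# static (real_ifc,mapped_ifc) mapped_ip {real_ip | access-list NAME} ...
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\)\s+"
    r"(?P<mapped_ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:access-list\s+(?P<acl>\S+)|(?P<real_ip>\d{1,3}(?:\.\d{1,3}){3}))"
)


def parse_statics(config: str) -> list[dict]:
    """Return one dict per 'static' line; every other line is ignored."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def find_mapped_ip_conflicts(config: str) -> dict[str, list[str]]:
    """Map each mapped IP to the real interfaces claiming it, keeping only
    addresses claimed towards the same mapped interface by more than one
    real interface (the ambiguous case from the thread)."""
    claims = defaultdict(set)
    for s in parse_statics(config):
        claims[(s["mapped_ifc"], s["mapped_ip"])].add(s["real_ifc"])
    return {ip: sorted(ifcs) for (_, ip), ifcs in claims.items() if len(ifcs) > 1}


# Constructed sample: the two lines from the question plus two harmless ones.
SAMPLE_CONFIG = """\
static (inside,Outside) 10.10.10.10 access-list inside_nat_static_1
static (production,Outside) 10.10.10.10 access-list production_nat_static_1
static (inside,Outside) 10.10.10.11 192.168.1.11 netmask 255.255.255.255
static (dmz,Outside) 10.10.10.12 access-list dmz_static
"""

if __name__ == "__main__":
    for ip, ifcs in find_mapped_ip_conflicts(SAMPLE_CONFIG).items():
        print(f"{ip} is claimed by interfaces {', '.join(ifcs)}: ambiguous")
```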
CSS v ACE 4710 Performance Comparison
I am trying to verify performance figures for a CSS 11503 EOL replacement using the ACE 4710.
I am trying to compare apples with apples (is a CSS SSL TPS the same as an ACE 4710 TPS, etc.).
Pulling figures from data sheets, release notes, etc., I have only come up with the following.
Are there any further figures available for the ACE 4710 to fill in the blanks in the table?
I am sure that the ACE 4710 smokes the CSS, but I have to do the due diligence.
Metric                          | CSS 11503 (1xSSL Module) | ACE 4710
SSL - Transactions per second   | 1,400/sec                | 7,500/sec
SSL - RSA operations per second | 4,000/sec                |
SSL - Bulk encryption (ARC4)    | 256 Mbps                 |
Maximum concurrent connections  | 40,000                   |
Compression                     | 500 Mbps                 | 2 Gbps
Sticky Table                    | 128K entries             |
L4 connections/sec              | 22,500                   |
L7 connections/sec              | 10,000                   |
thanks,
Sez
Have reposted this msg, as the table format was garbled by the forum.
Sez