ACE 4710 A3 outbound static NAT with Port redirection

Hi
I have asked this question before, but as I have not get far with it I am going to try to be more specific this time.
I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
When I try to configure this:
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
I get the error: Error: Invalid real port configured for NAT static
Any ideas what it means anyone?

Right. Forget about the previous question. I have an update.
I get this output on show nat policies at the moment:
NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
ID:64 Static port translation
Real addr:172.21.7.11 Real port:26 Real interface:18
Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
Netmask:255.255.255.255
where x.x.x.x - is the Public, external IP address on the ACE.
I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
Something is telling me I am looking at it from a wrong direction altogether.
This is the config I have at the moment:
access-list 130 line 20 extended permit ip any any
access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
class-map match-any Class_Port26
2 match access-list Source_NAT
policy-map multi-match Policy_Port26_Static
class Class_Port26
nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
interface vlan 107
ip address 172.21.7.2 255.255.255.240
peer ip address 172.21.7.1 255.255.255.240
access-group input 130
service-policy input Policy_Port26_Static
no shutdown
No server farms, no load balancing. Just that.
Any ideas?

Similar Messages

  • Static nat with port redirection 8.3 access-list using un-nat port?

    I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
    object network obj-10.1.1.5-06
    nat (inside,outside) static interface service tcp 3389 3398
    object network obj-10.1.1.5-06
    host 10.1.1.5
    access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
    access-group outside_access_in in interface outside
    So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
    Thanks in advance..

    Hello,
    I would be more than glad to explain you what is going on!
    The thing is since 8.3 NAT is reviewed before the acl so, the ASA receives the packet on the outside interface, checks for a existing connection, if there is none it will un-nat the packet and then check the ACL.
    After the packet in un-natted what we have is the private ip addresses and the real ports. so that is why on this versions you got to point the ACL to the private ip addresses and ports.
    Regards,
    Julio
    Rate helpful posts

  • Static NAT with port translation

    Hello All,
    I have a server running web application on 443 and now I want to publish it on Internet with static nat and just for port 443,  I am thinking that following configuration should be fine, can anyone comment on it.
      10.1.1.2:443         10.1.1.1    2.2.2.5
    Server -------------------------- ASA --------------------- Internet router --Cloud
    Config  i am planing      
    static (inside, outside) tcp 2.2.2.2 443 10.10.10.10 443 netmask 255.255.255.255
    Thanks
    JD

    Thanks Harish and Jouni,
    I am using extra Public IP, I want to now why "dns" is the end of access list? I got confuse by at ACL as we I was looking for ASA packet flow:-
    A/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Lev)
    1. FLOW-LOOKUP - [] - Check for existing connections, if none found
    create a
    new connection.
    2. UN-NAT - [static] -
    2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
    3. ACCESS-LIST - [log] - ACL Lookup
    4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
    5. IP-OPTIONS - [] -
    6. NAT - [rpf-check] -
    7. NAT - [host-limits] -
    8. IP-OPTIONS - [] -
    9. FLOW-CREATION - [] - If everything passes up until this point a
    connection
    is created.
    10. ROUTE-LOOKUP - [output and adjacency]
    access-list OUTSIDE-IN permit tcp any host eq 443 - suggested by you
    but if i go by the flow which i come to know it should be like
    access-list OUTSIDE-IN permit tcp any host eq 443
    What is your opion ?
    Thanks
    Jagdev

  • Static NAT with two outside interfaces

    I have a router, which performs NAT on two outside interfaces with load balancing and had a task to allow inbound connection to be forwarded to the specific host inside on a well known port.
    here is example
    interface Fas0/0
    ip nat outside
    interface Fas0/1
    ip nat outside
    interface Vlan1
    ip nat inside
    ip nat inside source route-map rm_isp1 pool pool_isp1
    ip nat inside source route-map rm_isp2 pool pool_isp2
    all worked fine
    then i tried to add static nat
    ip nat inside source static tcp 10.0.0.1 25 interface Fas0/0 25
    ip nat inside source static tcp 10.0.0.1 25 interface Fas0/1 25
    and in result only last static NAT line appeared in config.
    the solution was to use interface's IPs instead of names. that helped but isn't that a bug?

    In this scenario, we are trying to access a mail server located at
    10.0.0.1 from outside and we have two outside IP, let's say, 71.1.1.1 and
    69.1.1.1.
    With CEF Enabled
    Packet comes in to Fa0/0 interface with Source IP 66.x.x.x and
    Destination IP 71.1.1.1. Our NAT rule translates this to 10.0.0.1.
    Packet goes to 10.0.0.1. The return packet goes to the LAN interface
    first and the routing rule is determined *before* the packet is
    translated.
    Packet source IP at this point is 10.0.0.1 and destination is
    66.x.x.x. Now, based on CEF, it will go out via Fa0/0 or Fa0/1,
    irrespective of the way it came in. Because of this, with CEF enabled
    this will not work. CEF is per-destination.
    So, let's say somebody on outside tried to access this server using 71.1.1.1, then he would
    expect a reply from 71.1.1.1 which may or may not be true as the traffic could be Nat'd to 69.1.1.1 or 71.1.1.1.
    If it gets reply packet from 71.1.1.1, it should work.
    If it gets it from 69.1.1.1, it will simply drop it as it never sent a
    packet to 69.1.1.1.
    With CEF and Fast Switching Disabled
    Same steps as above, only that the packet is sent to the process level
    to be routed. At this point, the packets will be sent out in a round
    robin fashion. One packet will go out via the Fa0/0 and the other via the
    Fa0/0. This will have a constant 50% packet loss and is also not a
    viable solution.
    So, what are you trying to achieve is not possible on Cisco router.
    HTH,
    Amit Aneja

  • Static NAT with IPSec tunnel

    Hi,
    I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.  I am fairly new to networking so forgive me if I ask some really silly questions!
    I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
    There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
    From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
    So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work.  I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
    The configuration can be seen below for the NAT part;
    ! Denies vpn interesting traffic but permits all other
    ip access-list extended NAT-Traffic
    deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
    deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
    deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
    deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
    permit ip any any
    ! create route map
    route-map POLICY-NAT 10
    match ip address NAT-Traffic
    ! static nat
    ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
    Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
    Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
    Many thanks in advance
    Brian

    Hi,
    Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
    Thanks
    Brian

  • Static nat with dual destination

    I need to configure static nat for cisco ASA 5500,
    here is the topology:
    one server (source) with ip 10.211.250.22 /28 (interface : name if dmz_virtual_account)
    will static nat to two destinations :
    1. to Internet will translated to 202.152.19.196 (Interface : name if Outside_Inet) and,
    2. to external network with  real address is 10.10.10.1 and will translated to 192.168.168.14 /29 (interface : name if dmz_external)
    Need help
    and many thanks for any advice
    Regards,
    Manao

    Hi Marvin
    my ASA's software running 8.4
    Regards,
    Manao

  • Using both Dynamic and Static NAT with two Different Internet facing Subnets

    We have two Class C Public Address subnets.  We started with Subnet (A) and have many of our Internet accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 8.3(2) and started Migrating the Users and new servers to it so I started with our second Class C Subnet (B).   Later on down the road I found out that if the Firewalls Default Gateway is is set to a (B) Interface subnet, then the servers that are statically mapped to a (A) Address will have a (B) address when they communicate out to the internet.  So they are receiving packets on their (A) Address, though replying to them with a (B) address. 
    It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external Address when communicating outbound as well as inbound. 
    So For instance I want the Following: when the Internal Replies I want the reply to come from the mapped IP, not a IP from the Dynamic Pool. 
    Public IP: 192.168.1.100/24
    Internal IP: 10.0.0.100/16
    Public IP: 192.168.5.101/24
    Internal IP: 10.0.0.101/16
    interface Ethernet0/0
    description 192.168.1.0/24 Network Outside IP
    nameif outside-1
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/1
    description 192.168.5.0/24 Network Outside IP
    nameif outside-5
    security-level 0
    ip address 192.168.5.1 255.255.255.0
    interface Ethernet0/2
    description inside 10.0.0.0/16
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.0.0
    object network serverA_o
    host 192.168.1.100
    object network serverA_i
    host 10.0.0.100
    object network serverB_o
    host 192.168.5.101
    object network serverB_i
    host 10.0.0.101
    object network 192-168-1-NAT-POOL
    range 192.168.1.50 192.168.1.239
    nat (inside,outside-1) source static serverA_i serverA_o
    nat (inside,outside-5) source static serverB_i serverB_o
    nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
    object network serverA_i
    nat (inside,outside-1) static serverA_o
    object network serverB_i
    nat (inside,outside-5) static serverB_o
    route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
    route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2
    When I set this up my serverB shows a Public IP of something in the 192-168-1-NAT-POOL Not 192.168.5.101
    Any Suggestions?
    Thanks!

    Not sure why I have Multiple Entries. )-: I did think it was Odd. I think it might be because I looking at examples of the new and old styles of NAT.
    We have a Single ISP, though have 2 separate non-Contiguous  Class C Addresses from them. We host some Servers on one subnet and some on the other. 
    I'm looking for a way to use both Subnets on the same ASA. 
    The Connection to the net looks like this:
    Internet -> Edge Router Layer3 VLAN Switch
    GE0/1.2 - 192.168.1.1 VLAN Tagged --> GE0 - VLAN Tagged
    GE0/1.2 - 192.168.5.1 VLAN Tagged -^
    Layer3 VLAN Switch Firewall
    GE1 192.168.1.0/24 Untagged -> ASA Outside-1
    GE2 192.168.5.0/24 Untagged -> ASA Outside-5
    Firewall
    ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100
    Hope that helps clarify.
    I could try to post some sanitized Configs of my PIX and ASA if needed.  But the end result I'm trying to do is have the ASA do NAT for multiple Public Subnets. 

  • ACE 4710 VIP not pingable even with "always" selected.

    Hello, I have a somewhat complicated setup in order to allow one particular VIP to answer for the same serverfarm on two different ports (this was a previous question here.) Here is the scrubbed config below. The setup works, but the issue is that the VIP does not reply to pings. We use both the servers and the vip for monitoring internally. It is still operational on the ports it is balancing, but no setting for ping seems to work (Active, Primary, or Always.) What am I doing wrong here? The other sites I use stickys with respond for their VIPs. I'm assuming this one does not due to the more complicated policy map.
    probe http HTML-Site-Up_200
      description This probe is to verify HTTP operation via site-up.html check
      port 80
      interval 5
      faildetect 2
      passdetect interval 10
      request method get url /site-up.html
      expect status 200 200
      open 2
    probe icmp ICMP-Ping
      interval 5
      faildetect 2
      passdetect interval 10
    probe tcp RAW-TCP-81
      port 81
      interval 10
      faildetect 2
      passdetect interval 20
      connection term forced
      open 1
    rserver host psc-us-EQUIPprd1
      description EQUIP Prod, server 1
      ip address 10.1.1.84
      inservice
    rserver host psc-us-EQUIPprd2
      description EQUIP Prod, server 2
      ip address 10.1.1.85
      inservice
    serverfarm host EQUIPPROD
      description EQUIP Prod Server Pool
      predictor leastconns
      probe HTML-Site-Up_200
      probe ICMP-Ping
      probe RAW-TCP-81
      rserver psc-us-EQUIPprd1
        probe ICMP-Ping
        probe HTML-Site-Up_200
        probe RAW-TCP-81
        inservice
      rserver psc-us-EQUIPprd2
        probe ICMP-Ping
        probe HTML-Site-Up_200
        probe RAW-TCP-81
        inservice
    serverfarm host EQUIPPROD-CUSTOMER-81
      description EQUIP Customer Site Server Pool, port 81
      predictor leastconns
      probe RAW-TCP-81
      rserver psc-us-EQUIPprd1 81
        probe RAW-TCP-81
        inservice
      rserver psc-us-EQUIPprd2 81
        probe RAW-TCP-81
        inservice
    sticky ip-netmask 255.255.255.255 address source Sticky_EQUIPPROD
      timeout 180
      replicate sticky
      serverfarm EQUIPPROD
    class-map type http loadbalance match-all EQUIP_81_Redirect
      2 match http header Host header-value ".*equiponline.com"
    class-map type http loadbalance match-all EQUIP_81_Redirect_Full
      2 match http header Host header-value ".*www.equiponline.com"
    class-map match-all VIP-EQUIPPROD
      2 match virtual-address 10.1.1.97 any
    policy-map type loadbalance first-match VIP-EQUIPPROD-l7slb
      class EQUIP_81_Redirect
        serverfarm EQUIPPROD-CUSTOMER-81
      class EQUIP_81_Redirect_Full
        serverfarm EQUIPPROD-CUSTOMER-81
      class class-default
        sticky-serverfarm Sticky_EQUIPPROD
    policy-map multi-match global
      class VIP-EQUIPPROD
        loadbalance vip inservice
        loadbalance policy VIP-EQUIPPROD-l7slb
        loadbalance vip icmp-reply
        nat dynamic 13 vlan 1000
    interface vlan 1000
      nat-pool 13 10.1.1.97 10.1.1.97 netmask 255.255.255.0 pat

    Output from that class from the show service-policy command. And no, it doesn't appear to be pingable from the ACE.
        class: VIP-EQUIPPROD
          nat:
            nat dynamic 13 vlan 1000
            curr conns       : 361       , hit count        : 116690    
            dropped conns    : 5         
            client pkt count : 4815293   , client byte count: 739114009           
            server pkt count : 7281612   , server byte count: 8753101386          
            conn-rate-limit      : 0         , drop-count : 0         
            bandwidth-rate-limit : 0         , drop-count : 0         
         VIP Address:    Protocol:  Port:
         10.1.1.97    any
          loadbalance:
            L7 loadbalance policy: VIP-EQUIPPROD-l7slb
            Regex dnld status    : SUCCESSFUL
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: ENABLED
            curr conns       : 392       , hit count        : 134300    
            dropped conns    : 431       
            client pkt count : 4869950   , client byte count: 741545220           
            server pkt count : 7281612   , server byte count: 8753101386          
            conn-rate-limit      : 0         , drop-count : 0         
            bandwidth-rate-limit : 0         , drop-count : 0         
            L7 Loadbalance policy : VIP-EQUIPPROD-l7slb
              class/match : EQUIP_81_Redirect
                LB action :
                   primary serverfarm: EQUIPPROD-CUSTOMER-81
                        state: UP
                    backup serverfarm : -
                hit count        : 12602     
                dropped conns    : 0         
                compression      : off
              class/match : EQUIP_81_Redirect_Full
                LB action :
                   primary serverfarm: EQUIPPROD-CUSTOMER-81
                        state: UP
                    backup serverfarm : -
                hit count        : 0         
                dropped conns    : 0         
                compression      : off
              class/match : class-default
                LB action: :
                   sticky group: Sticky_EQUIPPROD
                      primary serverfarm: EQUIPPROD
                        state:UP
                      backup serverfarm : -
                hit count        : 107831    
                dropped conns    : 5         
                compression      : off
          compression:
            bytes_in  : 0                          bytes_out : 0                   
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0         
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0         
            Content size: 0               Content type       : 0         
            Not HTTP 1.1: 0               HTTP response error: 0         
            Others      : 0         
    pscaceinside01/Prod# ping 10.1.1.97
     Pinging 10.51.221.97 with timeout = 2, count = 5, size = 100 ....
    No response received from 10.1.1.97 within last 2 sec
    No response received from 10.1.1.97 within last 2 sec
    No response received from 10.1.1.97 within last 2 sec
    No response received from 10.1.1.97 within last 2 sec
    No response received from 10.1.1.97 within last 2 sec
    5 packet sent, 0 responses received, 100% packet loss
    For what it's worth, none of my VIP's are pingable from the ACE. I think that has to do with me being in one-arm configuration, and using the NAT addresses per VIP. But all other VIPs are pingable from other sources on the subnet. With the exception of this VIP.

  • ACE 4710 - Continuing SSL Session Setup with Client Certificate Failures

    Dears,
    I have a Cisco ACE (image: c4710ace-t1k9-mz.A5_2_1.bin) configured for SSL termination with load balancing in addition to client authentication. I have a situation that require the ACE to pass expired client certificate currently deployed on some clients.
    which is the best option from the following to apply using the authentication-failure command in parameter map SSL configuration mode.
    - authentication-failure ignore [Only]
    OR
    - authentication-failure redirect cert-expired
    OR
    - authentication-failure ignore with authentication-failure redirect cert-expired
    Appreciate your help

    Dear Kanwalsi
    To pass only cert-expired !!! what do you think to apply the following
    parameter-map type ssl TEST
    authentication-failure ignore
    authentication-failure redirect unknown-issuer url http://TEST.com/sorry.html 302
    authentication-failure redirect no-client-cert url http://TESt.com/sorry.html 302
    authentication-failure redirect cert-has-signature-failure url http://TESt.com/sorry.html 302
    authentication-failure redirect cert-other-error url http://TESt.com/sorry.html 302
    authentication-failure redirect cert-revoked url http://TESt.com/sorry.html 302
    authentication-failure redirect crl-has-expired url http://TESt.com/sorry.html 302
    authentication-failure redirect crl-not-available url http://TESt.com/sorry.html 302

  • Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710

    One of the feature of our application is that our Application Server initiate text message to our devices sourcing from UDP 1120 and device need to see the message come from a specific pubic IP (2.2.2.2) with UDP port 1120 and reply back with the same Public IP (2.2.2.2) with UDP port 1120.The problem is we can make that happen if we have only one server in our ACE Serverfarm when we do a SNAT the real servers with the VIP address (10.1.246.32) but it does not work when we have more than one server in the Serverfarm. Since we have 2 servers, i cannot nat the real servers with the VIP address, if I do a PAT, obviously it is changing the source port of the request.
    Note: This setup is working fine with the Cisco Content Switch module running on chasis 6509. When I sniff the traffic initiated from the server coming the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default but this is not the case with ACE 4710
    Traffic flow as follows
    ===============
    ACE 4710                                                       FWSM (Firewall static NAT)                    Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
                                                 VIP
    Rserver 1   - 10.1.104.80       10.1.246.32           10.1.246.32  < - > 2.2.2.2                              1.1.1.1
    Rserver 2   - 10.1.104.81c
    ---------------------------------------------------------->           ------------------------------->                      - traffic flow from server to the device when we send msg
    Configs:
    ======
    rserver host server1
      ip address 10.1.104.80
      inservice
    rserver host server2
      ip address 10.1.104.81
      inservice
    serverfarm host SFARM
      failaction purge
      probe ICMP
      rserver server1
        inservice
      rserver server2
        inservice
    access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
    access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
    parameter-map type connection UDP_TIMEOUT
      set timeout inactivity 3600
    sticky ip-netmask 255.255.255.255 address source STKY-SFARM
      serverfarm SFARM
      timeout 180
      replicate sticky
    class-map match-all CLS-SFARM
      2 match virtual-address 10.1.246.32 udp eq 1120
    class-map match-all SERVERNAT
      2 match access-list TEST-1120
    policy-map type loadbalance first-match POL-SFARM
      class class-default
        sticky-serverfarm STKY-SFARM
    policy-map multi-match POL-LB
    class CLS-SFARM
        loadbalance vip inservice
        loadbalance policy POL-SFARM
        loadbalance vip icmp-reply active
        connection advanced-options UDP_TIMEOUT
    class SERVERNAT
       nat dynamic 1 vlan 244
    int vlan 244
    ip address 10.1.246.2 255.255.255.0
    service-policy input POL-LB
    nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
      mac-sticky enable
      no icmp-guard
    no shut
    interface vlan 2506
    ip address 10.1.104.2 255.255.255.0
    service-policy input POL-LB
      mac-sticky enable
      no icmp-guard
    no shut

    I see in CSS, they are able to nat the source ip address with VIP and port-mapping diabled. How do I implement
    portmap disable in ACE 4710
    Disabling Port Mapping
    By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disablecommand in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
    For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,

  • Static NAT to two servers using same port

    I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
    I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
    Any help would be very much appreciated.
    Thanks,
    - Mike                  

    Hi,
    Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
    On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port is coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
    I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain is this a stable solution. I would imagine it could not be recomended for a production environment setup.
    But nevertheless its a possibility.
    So you would need the newer software on your firewall but I am not sure what devce you are using and what software its using.
    - Jouni

  • ACE 4710 Connectivity help?

    I'm using an ACE 4710 in a new datacenter, with the following setup:
    2/4 physical ethernet interfaces port channeled into port-channel 1
    2/4 physical ethernet interfaces port channeled into port-channel 2
    I have the following vlans defined:
    1001 - admin     - interface ip: 10.53.136.70
    400 - client side - interface ip: 10.53.136.100
    500 - server side - interface ip: 192.168.128.1
    999 - fault tolerance - interface ip: 192.168.11.2
    My problem is I am trying to nat ssh and web server traffic from the client side, to the server side, but it's never getting to the server.  For example, if I ssh to 10.53.136.102, it times out.  (10.53.136.102 should get nat'd to 192.168.128.2)
    Also, I can connect to the ACE 4710 via telnet using 10.53.136.70, but cannot connect to 10.53.136.100.
    I'm thinking there is either something wrong with the port-channels, or the access lists.  On the other hand there could be something wrong with the nat'ing, but I had it working before switching over to the port-channels.
    Any thoughts?
    Thanks,
    Brent

    I've attached the two contexts which we are using.  The admin context is new_lb_config.txt and the second context where the loadbalancing occurs is in the new_lb_config_VC_WBPX.txt file.
    From the load balancer, I am able to ping the real server ips in the 192.168. ip range.  The 4710 recognizes that they are in service.
    I believe the ACL for the VLAN 400 is set to permit all traffic, but I don't know if the service policies are preventing something from happening.
    Right now, I have disconnected the two 4710s and I am only working on one of them to see if I can get the basic connectivity going.  Once I accomplish that, I will work on high availability.  I'll have to check whether it thinks it is in passive mode...not entirely sure how to do that, but I will check it out.
    Thanks,
    Brent

  • Who needs the ACLs and static NAT?

    I came apon a job whose network layout is kind of tricky. Here is the skinny:
    2 routers (both 1721s). One is SBCs and it plugs into the internet on WIC interface. Nic interface plugs into a PIX 506E Firewall. The firewall does the PAT. The other eth port on the firewall plugs into the switch. The other router's WIC card plugs into the franchise intranet, and the NIC plugs into the switch.
    All the PCs, servers, etc have the default gateway set to the ethernet interface of the franchise 1721. That router looks at the destination address and decides if it needs to go out it's WIC (if the dest. address is on the corporate intranet's subnet) or if it needs to go out to the internet (through the firewall and out the other router).
    Now heres what I am trying to accomplish:
    The customer wants to be able to telnet into one machine in the private network from her house.
    Obviously, I need an ACL on the SBC router because thats where the request is comming from. I also have set up static NAT on the router from a public IP (in our valid range that SBC provides) and the private IP of the machine that she wants to access.
    Currently, it is not working. I thought it had something to do with the other router so I started contacting the network engineers at the franchise office to get them to open up their router to allow telnet.
    I now think however, that the reason it is not working is I have the static NAT on the wrong device!!
    Shouldn't it be on the firewall, because the SBC router doesn't know anything about those private addresses (the PAT happens on the firewall).
    Is my hunch right? Can you please advise me on what devices will needs changes in their ACLs and which device(s) will need static NAT mapping? I don't want to open any thing I don't have to. Thanks!!

    I just came from the clients office. I am a little lost here. I am quite nifty at the CLI of a router or a switch, but every other firewall I have dealt with (Sonicwall, Watchgaurd, etc) has had a web based GUI. I am new in the field and have never configured a PIX before.
    Here's what I have right now:
    SBC router is configured to allow Telnet traffic in.
    The PIX 506E has PAT configured on it. I tried setting up static NAT with no luck on the firewall. Attached is my running config. Perhaps you could instruct me on a some commands I can throw at this box to make this whole mess work!!
    Let 207.184.18.10 be the address of the internal machine we want to access and SERVER.PUBLIC.IP be the public address we should point our telnet client to get in.

  • Static NAT and same IP address for two interfaces

    We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
    static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
    static (production,Outside) 10.10.10.10  access-list production_nat_static_1
    Thanks for any help.
    Jeff

    Hi Jeff,
    Unfortunately this cannot be done, on the ASA packet classification is done on the basis of mac-address, destination nat and route, and here you are confusing the firewall, to which interface does the ip belong to. I haven't ever tried to do it, but it should cause you issues.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • CSS v ACE 4710 Performance Comparison

    Am trying to verify performance figures for a CSS 11503 EOL replacement using ACE 4710
    Trying to comapre apples with apples (is a CSS SSL TPS the same as a ACE 4710 TPS etc...)
    Pulling figures from data sheets, release notes etc I have only come up with the following
    Is there any further figures available for the ACE 4710 to fill in the blanks in table?
    Am sure that ACE 4710 smokes the CSS but have to do the due diligence
    <TR style="HEIGHT: 30pt" mcestyle="height: 30pt;">
    <TD style="WIDTH: 170pt; HEIGHT: 30pt" height=40 width=226 mcestyle="width: 170pt; height: 30pt;"> Metric</TD>
    <TD style="BORDER-LEFT: medium none; WIDTH: 83pt" width=110 mcestyle="border-left: medium none; width: 83pt;"> CSS 11503
    (1xSSL Module)
    <TD style="BORDER-LEFT: medium none; WIDTH: 83pt" width=110 mcestyle="border-left: medium none; width: 83pt;"> ACE 4710</TD></TR>
    <TR style="HEIGHT: 15pt" mcestyle="height: 15pt;">
    <TD style="HEIGHT: 15pt; BORDER-TOP: medium none" height=20 mcestyle="height: 15pt; border-top: medium none;"> SSL - Transactions per second</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> 1,400/sec</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;">7,500/sec</TD></TR>
    <TR style="HEIGHT: 15pt" mcestyle="height: 15pt;">
    <TD style="HEIGHT: 15pt; BORDER-TOP: medium none" height=20 mcestyle="height: 15pt; border-top: medium none;"> SSL - RSA operations per second</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> 4,000/sec</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> </TD></TR>
    <TR style="HEIGHT: 15pt" mcestyle="height: 15pt;">
    <TD style="HEIGHT: 15pt; BORDER-TOP: medium none" height=20 mcestyle="height: 15pt; border-top: medium none;"> SSL - Bulk encryption (ARC4)</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> 256 Mbps</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> </TD></TR>
    <TR style="HEIGHT: 15pt" mcestyle="height: 15pt;">
    <TD style="HEIGHT: 15pt; BORDER-TOP: medium none" height=20 mcestyle="height: 15pt; border-top: medium none;"> Maximum concurrent connections</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> 40,000</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> </TD></TR>
    <TR style="HEIGHT: 15pt" mcestyle="height: 15pt;">
    <TD style="HEIGHT: 15pt; BORDER-TOP: medium none" height=20 mcestyle="height: 15pt; border-top: medium none;"> Compression </TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> 500 Mbps</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;">2 Gbps</TD></TR>
    <TR style="HEIGHT: 15pt" mcestyle="height: 15pt;">
    <TD style="HEIGHT: 15pt; BORDER-TOP: medium none" height=20 mcestyle="height: 15pt; border-top: medium none;"> Sticky Table</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> 128K entries</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> </TD></TR>
    <TR style="HEIGHT: 15pt" mcestyle="height: 15pt;">
    <TD style="HEIGHT: 15pt; BORDER-TOP: medium none" height=20 mcestyle="height: 15pt; border-top: medium none;"> L4 connections/sec</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> 22,500</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> </TD></TR>
    <TR style="HEIGHT: 15pt" mcestyle="height: 15pt;">
    <TD style="HEIGHT: 15pt; BORDER-TOP: medium none" height=20 mcestyle="height: 15pt; border-top: medium none;"> L7 connections/sec</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> 10,000</TD>
    <TD style="BORDER-LEFT: medium none; BORDER-TOP: medium none" mcestyle="border-left: medium none; border-top: medium none;"> 
    thanks,
    Sez

    Have reposted this msg, as table format garbled by forum
    Sez

Maybe you are looking for

  • Touchpad no longer scrolls screen. Using bars area on rhs of touchpad used to scroll screen.

    After following PC Mag article on speeding up a very slow PC. I find I am now unable to scroll using my touchpad. Although this is not a major problem, it is bothersome when using the laptop where a mouse can't be used. All the other functions of the

  • Sending mail to current user

    Hi All, I want to send the failure mail to the currently log in user. I know how to send the mail for a perticular user,but my requirement was i want to send the mail to the currently logged in user. Is there any way for this.Please help. Thanks, Rav

  • How to use iPhone with a new network

    I received a new iPhone 3G S 8GB from a friend in US. The problem is the phone is configured with A T & T. I have recharged the battery upon receving it but it failed to display the phone menu. It only displays emergency call and the iTunes and USB c

  • How to access Support for BEA Weblogic?

    Hi, I want to log a case to oracle with regards to BEA weblogic. How do I do it? I tried logging in to My Oracle support as well as Oracle Metalink with my user id and password and it seems like I'm not a valid user. I have a CSI which I vaguely reme

  • A bit of Advice about iwork and office

    Sorry if this is maybe the wrong forum, but it was to 'general' for the iwork forum. I am going to purchase a macbook and of course i am going to work for school with it. Now I have one problem. As a Windows user I can only work with office so iwork