ASA 5505 Static NAT
Hi Guys,
Me again asking for some more help, thanks.
I am trying to deploy a Polycom Access Director behind an ASA 5505 firewall and am having some problems configuring inbound NAT for this device.
Currenlty I am able to dial from an endpoint outbound through the ASA with no problem but am unable to dial into the VC endpoint by the IP address (Traffic is not hitting the Access Director)
This blog post shows what I am trying to achieve along with the ACLs that I have applied.
http://blog.networkfoo.org/2014/02/deploy-polycom-rpad-single-nic-with.html#!/2014/02/deploy-polycom-rpad-single-nic-with.html
These are my NAT Rules
nat (Wireless_LAN,VC_INFRA) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.243.0 obj-10.255.243.0
nat (Wireless_LAN,VC_DMZ) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.239.0 obj-10.255.239.0
nat (Wireless_LAN,VC_LAN) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.243.0 obj-10.255.243.0
nat (VC_INFRA,any) source static obj-10.255.243.0 obj-10.255.243.0 destination static VPNPool-Network VPNPool-Network
object network obj-10.255.222.0
nat (outside,outside) dynamic interface
object network obj-10.255.243.0
nat (outside,outside) dynamic interface
object network obj_any
nat (Wireless_LAN,outside) dynamic interface
object network obj_any-01
nat (VC_DMZ,outside) dynamic interface
object network obj_any-02
nat (VC_INFRA,outside) dynamic interface
object network obj_any-03
nat (VC_LAN,outside) dynamic interface
nat (outside,VC_DMZ) after-auto source static any any destination static interface obj-CV2RPAD1
This is my ACLs
access-list outside_access_in extended permit udp any eq 1719 object-group RPAD_SERVERS_EXT eq 1719
access-list outside_access_in extended permit udp any eq 1720 object-group RPAD_SERVERS_EXT eq 1720
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq h323
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT range 10001 13000
access-list outside_access_in extended permit udp any gt 1023 object-group RPAD_SERVERS_EXT range 20002 30001
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq sip
access-list outside_access_in extended permit udp any gt 1023 object-group RPAD_SERVERS_EXT eq sip
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq 5061
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq 5222
access-list outside_access_in extended permit icmp any any object-group DefaultICMP
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT range 20002 30001 any range 20002 30001
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT range 20002 30001 any range 16386 25386
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 1719 any eq 1719
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 1720 object-group DMA_SERVERS_INT eq 1720
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 object-group DMA_SERVERS_INT eq h323
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 object-group DMA_SERVERS_INT range 36000 61000
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 13001 15000 any gt 1023
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq sip any gt 1023
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 5070 object-group DMA_SERVERS_INT eq sip
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 30001 60000 object-group RM_SERVERS_INT eq https
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 any gt 1023
access-list dmz_access_in extended permit icmp object-group RPAD_SERVERS_EXT any object-group DefaultICMP
If I move my NAT statement as follows
no nat after-auto 1
nat (outside,VC_DMZ) 5 source static any any destination static interface obj-CV2RPAD1
I am able to dial outbound still with no issues and am also able to intiate a call inbound which partially connects. The call seems to fail at the Capabilities exchange so the RTP media stream does not start up so there is some additional troubleshooting to be done.
However moving this NAT statement has the side effect of breaking the IPSec VPN that I have configured for the Cisco VPN Client, I would like to be able to keep my VPN working and be able to do a port forwards/Static 1:1 NAT towards my RPAD.
Once this is happy and working I can then go and troubleshoot why inbound calls are failing at the cpabilities exchange.
Thanks a lot Jon, for assisted me solve this problem.
The weird thing that i can't undestand, is that the icmp was working without a problem using the above mentioned access-list however accesing the web server using www wasn't working.
How you explain that?
Similar Messages
-
ASA 5505 Static hosts cannot access outside
I'm replacing an old PIX with a second hand ASA firewall.
I have configured the ASA in a very similar manner to how the PIX was set up but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet.
I've spent a few days working on this now and have started from scratch several times but I'm not getting anywhere.
Apologies for all the X's everywhere, didn't like to post anything sensitive on the Internet. If I've obscured something pertinent let me know.
Any advice would be greatly appreciated! Thanks.
: Saved
ASA Version 7.2(3)
hostname fw-1
domain-name XXXX
enable password XXXX encrypted
names
name 92.X.X.61 bb-office
name 92.X.X.128 gl-office
name 10.0.0.117 daviker-dialler_in
name 77.X.X.117 daviker-dialler_out
name 10.0.0.112 data-2_in
name 77.X.X.112 data-2_out
name 10.0.0.81 corp-1_in
name 77.X.X.81 corp-1_out
name 10.0.0.111 data-1_in
name 77.X.X.210 user_75
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 77.X.X.66 255.255.255.192
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd XXXX encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name XXXX
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 5900
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 4040
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 9876
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq www
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq https
access-list inbound extended permit udp host bb-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 1433
access-list inbound extended permit udp host bb-office host daviker-dialler_out eq netbios-ns
access-list inbound extended permit udp host bb-office host daviker-dialler_out eq netbios-dgm
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq netbios-ssn
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 445
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 4040
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 9876
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq www
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq https
access-list inbound extended permit udp host gl-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 1433
access-list inbound extended permit udp host gl-office host daviker-dialler_out eq netbios-ns
access-list inbound extended permit udp host gl-office host daviker-dialler_out eq netbios-dgm
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq netbios-ssn
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 445
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 5900
access-list inbound extended permit tcp any host data-2_out eq ssh
access-list inbound extended permit tcp any host corp-1_out eq ssh
access-list inbound extended permit tcp any host corp-1_out eq www
access-list inbound extended permit tcp any host corp-1_out eq pop3
access-list inbound extended permit tcp any host corp-1_out eq imap4
access-list inbound extended permit tcp any host corp-1_out eq smtp
access-list inbound extended permit tcp any host corp-1_out eq 995
access-list inbound extended permit tcp any host corp-1_out eq 465
access-list inbound extended permit tcp any host corp-1_out eq 993
access-list inbound extended permit tcp any host corp-1_out eq 8008
access-list inbound extended permit udp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-ns
access-list inbound extended permit udp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-dgm
access-list inbound extended permit tcp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-ssn
access-list inbound extended permit tcp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq 445
access-list inbound extended permit udp any host 77.X.X.113 eq netbios-ns
access-list inbound extended permit udp any host 77.X.X.113 eq netbios-dgm
access-list inbound extended permit tcp any host 77.X.X.113 eq netbios-ssn
access-list inbound extended permit tcp any host 77.X.X.113 eq 445
access-list inbound extended permit tcp host bb-office host data-2_out eq 5901
access-list inbound extended permit tcp host bb-office host data-2_out eq 3690
access-list inbound extended permit tcp host bb-office host data-2_out eq www
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 3389
access-list inbound extended permit tcp host 2.X.X.18 host data-2_out eq 3306
access-list inbound extended permit tcp any host data-2_out eq 3306
access-list inbound extended permit tcp host 212.X.X.7 host daviker-dialler_out eq 5900
access-list inbound extended permit tcp host bb-office host data-2_out eq 3306
access-list inbound extended permit tcp host user_75 host daviker-dialler_out eq 1433
access-list inbound extended permit tcp host user_75 host daviker-dialler_out eq 5900
access-list inbound extended permit tcp host user_75 host data-2_out eq 3690
access-list inbound extended permit tcp host user_75 host data-2_out eq www
access-list inbound extended permit tcp host user_75 host data-2_out eq 3306
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
static (inside,outside) data-2_out data-2_in netmask 255.255.255.255
static (inside,outside) 77.X.X.113 data-1_in netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 77.X.X.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 77.X.X.91 8.8.8.8
dhcpd domain cagltd.net
dhcpd auto_config outside
dhcpd address 10.0.0.20-10.0.0.40 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
username matt password XXXX encrypted
prompt hostname context
Cryptochecksum:00af76f23831b8c828fc6677c9069072
: endHi Jouni,
Thanks for the info.
I didn't have icmp traffic allowed, so I knew ping wouldn't be working. I was testing using http.
I have enabled icmp and dhcp clients can ping outside. Static nat clients can't ping outside. Static clients also cannot use outbound http.
As suggested, I have run some packet traces.
From a static nat client on the ASA:
fw-1# packet-tracer input inside tcp 10.0.0.81 80 173.203.209.67 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
match ip inside host corp-1_in outside any
static translation to corp-1_out
translate_hits = 668, untranslate_hits = 2
Additional Information:
Static translate corp-1_in/0 to corp-1_out/0 using netmask 255.255.255.255
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
match ip inside host corp-1_in outside any
static translation to corp-1_out
translate_hits = 668, untranslate_hits = 2
Additional Information:
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1759, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 77.X.X.65 using egress ifc outside
adjacency Active
next-hop mac address 0017.0f13.5000 hits 1
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
This looks fine to me, but as I say, an outbound tcp port 80 connection from the actual machine on 10.0.0.81 fails.
Here is a similar trace from a dhcp client to the same destination:
fw-1# packet-tracer input inside tcp 10.0.0.20 80 173.203.209.67 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (77.74.111.66 [Interface PAT])
translate_hits = 990, untranslate_hits = 226
Additional Information:
Dynamic translate 10.0.0.20/80 to 77.74.111.66/1 using netmask 255.255.255.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1771, packet dispatched to next module
Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 77.X.X.65 using egress ifc outside
adjacency Active
next-hop mac address 0017.0f13.5000 hits 5
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
I can see the difference in the NAT translation section. A real outbound tcp port 80 connection from the actual machine on 10.0.0.20 works fine.
Finally, for the sake of comparison, I ran a similar packet trace using a static nat IP on the old PIX firewall:
old-fw-1# packet-tracer input inside tcp 10.0.0.117 80 173.203.209.67 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
nat-control
match ip inside host daviker-dialler_in outside any
static translation to daviker-dialler_out
translate_hits = 17132, untranslate_hits = 1277850
Additional Information:
Static translate daviker-dialler_in/0 to daviker-dialler_out/0 using netmask 255.255.255.255
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
nat-control
match ip inside host daviker-dialler_in outside any
static translation to daviker-dialler_out
translate_hits = 17132, untranslate_hits = 1277850
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1006075, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 78.X.X.69 using egress ifc outside
adjacency Active
next-hop mac address 0017.0f13.5000 hits 572133
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Outbound traffic from static nat hosts on the old PIX firewall works fine. One glaring difference is that the PIX is inspecting http traffic, but surely this is a red herring. Another difference is that the old and new firewalls have different gateways / default routes & different outside IP addresses. As the new ASA firewall (and its dhcp hosts) can talk to the outside world quite happily I don't think this is relevant.
I wondered whether it might be down to the difference in the inside (255.255.255.0) and outside (255.255.255.192) subnets. The set up is the same on the PIX, but I wondered whether some other line of config might be required on the ASA to handle it. I adjusted the subnet of the inside interface on the ASA to match the outside one (both 255.255.255.192) but it didn't make any difference.
So I'm puzzled! -
MS NLB with ASA and Static NAT from PUP to NLB IP
Hi all,
I am trying to get MS NLB up and running. It is almost all working. Below is my physical setup.
ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
I have two VMs runing on two different ESXi hosts. They have two vNICs. One for managment and one for inside puplic subnet. The inside puplic subnet NICs are in the NLB cluster. The inside public subnet is NATed on the ASA to a outide public IP.
192.168.0.50 is the 1st VM
192.168.0.51 is the 2nd VM
192.168.0.52 is the cluster IP for heartbeat
192.168.0.53 is the cluster IP for NLB traffic.
0100.5e7f.0035 is the cluster MAC.
The NLB cluster is using MULTICAST
I have read the doumentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC.
For the ASA I found
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
ASDM
Configuration > Device Management > Advanced > ARP > ARP Static Table
I was able to add my stic ARP just fine.
However, the next step was to enable ARP inspection.
Configuration > Device Management > Advanced > ARP > ARP Inspection
My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.
For the CAT Switch I found
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
I added the both the ARP and Static MAC. For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
On the ASA I added a static NAT for my outside Public IP to my inside pupblic NLB IP and vise versa. I then added a DNS entry for our domain to point to the outside public IP. I also added it to the public servers section allowing all IP traffic testing puproses.
At any rate the MS NLB is working ok. I can ping both the Public IP and the Inside NLB IP just fine from the outside. (I can ping the inside NLB IP becuase I'm on a VPN with access to my inside subnets) The problem is when I go to access a webpade from my NLB servers using the DNS or the Public IP I get a "This Page Can't Be Displyed" messgae. Now while on the VPN if I use the same URL but insied use the NLB IP and not the Public IP it works fine.
So I think there is soemthing wrong with the NATing of the Public to NLB IP even tho I can ping it fine. Below is my ASA Config. I have bolded the parts of Interest.
Result of the command: "show run"
: Saved
ASA Version 8.4(4)9
hostname MP-ASA-1
enable password ac3wyUYtitklff6l encrypted
passwd ac3wyUYtitklff6l encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 198.XX.XX.82 255.255.255.240
interface Ethernet0/1
description Root Inside Interface No Vlan
speed 1000
duplex full
nameif Port-1-GI-Inside-Native
security-level 100
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1.2
description Managment LAN 1 for Inside Networks
vlan 2
nameif MGMT-1
security-level 100
ip address 192.168.180.1 255.255.255.0
interface Ethernet0/1.3
description Managment LAN 2 for Inside Networks
vlan 3
nameif MGMT-2
security-level 100
ip address 192.168.181.1 255.255.255.0
interface Ethernet0/1.100
description Development Pubilc Network 1
vlan 100
nameif DEV-PUB-1
security-level 50
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1.101
description Development Pubilc Network 2
vlan 101
nameif DEV-PUB-2
security-level 50
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/1.102
description Suncor Pubilc Network 1
vlan 102
nameif SUNCOR-PUB-1
security-level 49
ip address 192.168.3.1 255.255.255.0
interface Ethernet0/1.103
description Suncor Pubilc Network 2
vlan 103
nameif SUNCOR-PUB-2
security-level 49
ip address 192.168.4.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa844-9-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-Native-Network-PNAT
subnet 10.1.1.0 255.255.255.0
description Root Inisde Native Interface Network with PNAT
object network ASA-Outside-IP
host 198.XX.XX.82
description The primary IP of the ASA
object network Inside-Native-Network
subnet 10.1.1.0 255.255.255.0
description Root Inisde Native Interface Network
object network VPN-POOL-PNAT
subnet 192.168.100.0 255.255.255.0
description VPN Pool NAT for Inside
object network DEV-PUP-1-Network
subnet 192.168.0.0 255.255.255.0
description DEV-PUP-1 Network
object network DEV-PUP-2-Network
subnet 192.168.2.0 255.255.255.0
description DEV-PUP-2 Network
object network MGMT-1-Network
subnet 192.168.180.0 255.255.255.0
description MGMT-1 Network
object network MGMT-2-Network
subnet 192.168.181.0 255.255.255.0
description MGMT-2 Network
object network SUNCOR-PUP-1-Network
subnet 192.168.3.0 255.255.255.0
description SUNCOR-PUP-1 Network
object network SUNCOR-PUP-2-Network
subnet 192.168.4.0 255.255.255.0
description SUNCOR-PUP-2 Network
object network DEV-PUB-1-Network-PNAT
subnet 192.168.0.0 255.255.255.0
description DEV-PUB-1-Network with PNAT
object network DEV-PUB-2-Network-PNAT
subnet 192.168.2.0 255.255.255.0
description DEV-PUB-2-Network with PNAT
object network MGMT-1-Network-PNAT
subnet 192.168.180.0 255.255.255.0
description MGMT-1-Network with PNAT
object network MGMT-2-Network-PNAT
subnet 192.168.181.0 255.255.255.0
description MGMT-2-Network with PNAT
object network SUNCOR-PUB-1-Network-PNAT
subnet 192.168.3.0 255.255.255.0
description SUNCOR-PUB-1-Network with PNAT
object network SUNCOR-PUB-2-Network-PNAT
subnet 192.168.4.0 255.255.255.0
description SUNCOR-PUB-2-Network with PNAT
object network DEV-APP-1-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network DEV-APP-2-SNAT
host 192.168.2.120
description DEV-APP-2 Server with SNAT
object network DEV-APP-2-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network DEV-SQL-1
host 192.168.0.110
description DEV-SQL-1 Inside Server IP
object network DEV-SQL-2
host 192.168.2.110
description DEV-SQL-2 Inside Server IP
object network SUCNOR-APP-1-PUB
host 198.XX.XX.XX
description SUNCOR-APP-1 Public Server IP
object network SUNCOR-APP-2-SNAT
host 192.168.4.120
description SUNCOR-APP-2 Server with SNAT
object network SUNCOR-APP-2-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network SUNCOR-SQL-1
host 192.168.3.110
description SUNCOR-SQL-1 Inside Server IP
object network SUNCOR-SQL-2
host 192.168.4.110
description SUNCOR-SQL-2 Inside Server IP
object network DEV-APP-1-SNAT
host 192.168.0.120
description DEV-APP-1 Network with SNAT
object network SUNCOR-APP-1-SNAT
host 192.168.3.120
description SUNCOR-APP-1 Network with SNAT
object network PDX-LAN
subnet 192.168.1.0 255.255.255.0
description PDX-LAN for S2S VPN
object network PDX-Sonicwall
host XX.XX.XX.XX
object network LOGI-NLB--SNAT
host 192.168.0.53
description Logi NLB with SNAT
object network LOGI-PUP-IP
host 198.XX.XX.87
description Public IP of LOGI server for NLB
object network LOGI-NLB-IP
host 192.168.0.53
description LOGI NLB IP
object network LOGI-PUP-SNAT-NLB
host 198.XX.XX.87
description LOGI Pup with SNAT to NLB
object-group network vpn-inside
description All inside accessible networks
object-group network VPN-Inside-Networks
description All Inside Nets for Remote VPN Access
network-object object Inside-Native-Network
network-object object DEV-PUP-1-Network
network-object object DEV-PUP-2-Network
network-object object MGMT-1-Network
network-object object MGMT-2-Network
network-object object SUNCOR-PUP-1-Network
network-object object SUNCOR-PUP-2-Network
access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
access-list outside_access_out remark Block ping to out networks
access-list outside_access_out extended deny icmp any any inactive
access-list outside_access_out remark Allow all traffic from inside to outside networks
access-list outside_access_out extended permit ip any any
access-list outside_access extended permit ip any object LOGI-NLB--SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
access-list outside_access extended permit ip any object DEV-APP-2-SNAT
access-list outside_access extended permit ip any object DEV-APP-1-SNAT
access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
pager lines 24
logging asdm informational
mtu outside 1500
mtu Port-1-GI-Inside-Native 1500
mtu MGMT-1 1500
mtu MGMT-2 1500
mtu DEV-PUB-1 1500
mtu DEV-PUB-2 1500
mtu SUNCOR-PUB-1 1500
mtu SUNCOR-PUB-2 1500
mtu management 1500
ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any Port-1-GI-Inside-Native
icmp permit any MGMT-1
icmp permit any MGMT-2
icmp permit any DEV-PUB-1
icmp permit any DEV-PUB-2
icmp permit any SUNCOR-PUB-1
icmp permit any SUNCOR-PUB-2
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
arp timeout 14400
no arp permit-nonconnected
nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
object network Inside-Native-Network-PNAT
nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network VPN-POOL-PNAT
nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network DEV-PUB-1-Network-PNAT
nat (DEV-PUB-1,outside) dynamic interface
object network DEV-PUB-2-Network-PNAT
nat (DEV-PUB-2,outside) dynamic interface
object network MGMT-1-Network-PNAT
nat (MGMT-1,outside) dynamic interface
object network MGMT-2-Network-PNAT
nat (MGMT-2,outside) dynamic interface
object network SUNCOR-PUB-1-Network-PNAT
nat (SUNCOR-PUB-1,outside) dynamic interface
object network SUNCOR-PUB-2-Network-PNAT
nat (SUNCOR-PUB-2,outside) dynamic interface
object network DEV-APP-2-SNAT
nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
object network SUNCOR-APP-2-SNAT
nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
object network DEV-APP-1-SNAT
nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
object network SUNCOR-APP-1-SNAT
nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
object network LOGI-NLB--SNAT
nat (DEV-PUB-1,outside) static LOGI-PUP-IP
object network LOGI-PUP-SNAT-NLB
nat (outside,DEV-PUB-1) static LOGI-NLB-IP
access-group outside_access in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 outside
http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
http 192.168.180.0 255.255.255.0 MGMT-1
http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
: end
Any help would be great! I think the issue is in teh NAT as I am able to access NLB IP from the outside and could not do that before adding the Static ARP stuff.
Thanks,
ChrisAlso If I change to NAT from the public IP to the NLB IP to use either one of the phsyical IPs of the NLB cluster (192.168.0.50 or 51) it works fine when using the public IP. So it's definatly an issue when NATing the VIP of NLB cluster.
Chris -
ASA 5505:Static Routing and Deny TCP connection because of bad flag
Hi Everybody,
I have a problem. I made a VPN site-2-site with 2 ASA 5505. The VPN works great. And I create a redondant link if the VPN failed.
In fact, I use Dual ISP with route tracking. If the VPN fails, the default route change to an ISDN router, situated on the inside interface.
When I simulated a VPN fail, the ASAs routes switch automatically on backup ISDN routers. If I ping elements, it works great. But when i try TCP connection like telnet, the ASAs deny connections:
%PIX|ASA-6-106015: Deny TCP (no connection) from 172.16.10.57/35066 to 172.16.18.1/23 flags tcp_flags on interface interface_name.
the security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
thanks!
EDIT: On the schema, The interface of the main asa is 172.16.18.148...Check if the xlate timer is set greater than or equal to what the conn timer, so as not to have connections waiting on xlates that no longer exist. To minimize the number of attempts, enable "service resetinbound" . The PIX will reset the connection and make it go away. Without service resetinbound, the PIX Firewall drops packets that are denied and generates a syslog message stating that the SYN was a denied connection.
-
Public Pool, 2 ASAs, Static NAT ...
I am looking for help on a mixture of Routing and Switching and Firewalling ...
So I have a router connected to the ISP ... the router is also connected to a switch. Into that switch I have pugged two ASAs. A 5505 and 5520.
I was given a /27 (255.255.255.224), 30 address block from the ISP. Let's say the last octet of the router is .1, the ASA#1 is .2, and ASA #2 is .3.
Now I wan't to use the rest of the addresses for Static NAT (the IP addresses are publically registered to their own domain names).
Can I use any of the rest of the addresses .4 through .30, on either ASA in Static NAT (1 to 1 translation)? Possibly even move them back and forth between ASAs?
How does the router know which as ASA it needs to forward the packet to if it is destined for .12 for example? Does the ASA send out an ARP message for each of its static addresses that it is using? They packets aren't broadcast to the subnet, are they?
Or is this a Layer 3 problem. Do I have to segment my /27 into two /28's on my router (requiring an additional interface and use of another IP address)?
I was trying to debate if I could possibly model this in GNS3.
PS the reason for doing this is for dissaster recovery, moving servers between racks without changing IP address scheme (the private addressing scheme behind each ASA is identical), etc.
Thanks so much for the help,
Matt
CCNP, CCDP, CCIP, ASA SpecialistCan I use any of the rest of the addresses .4 through .30, on either ASA in Static NAT (1 to 1 translation)? Possibly even move them back and forth between ASAs?
--> YES you can
How does the router know which as ASA it needs to forward the packet to if it is destined for .12 for example? Does the ASA send out an ARP message for each of its static addresses that it is using? They packets aren't broadcast to the subnet, are they?
--> YES, the ASA will send out an ARP to tell the router that it has that particular static address
Or is this a Layer 3 problem. Do I have to segment my /27 into two /28's on my router (requiring an additional interface and use of another IP address)?
--> NO, you don't have to segment the /27 into /28 -
ASA 5505: unable to ping external hosts
Hi,
I have a LAN behind ASA 5505, interface NAT/PAT is configured.
External interface is configured for PPPoE.
Everything works fine except I cannot ping from a LAN PC external hosts. I can however ping external hosts from ASA itself. ICMP is allowed:
icmp permit any inside
icmp permit any outside
access-list outside_access_in extended permit icmp any any
Protocol inspections and fixups are default.
When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:
302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session
313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
Where 202.xx.yy.zz is IP of external interface of ASA.
This is a very simple setup that runs on a number of othe PIXes/ASAs and pings to external IP normally work just fine. I can't understand why ping replies are getting dropped on the interface?
Any help will be highly appreciated.
Thank you.
AlexAlex / Kerry, you have couple of options for handling icmp outbound, either acl or icmp inspection :
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside
or icmp inspection instead of acl.
policy-map global_policy
class inspection_default
inspect icmp
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
HTH
Jorge -
ASA 5505 NAT rules blocking inside traffic
Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a different outside network, but every time we get that far our internal network crashes. Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to the workstations is being blocked by the default implicit rule under the access rule heading that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to the servers is being allowed though. In an effort to start over again, the Cisco ASA has been Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the inside network, since most of our equipment will always be assigned statics. We reset our static NAT policies, and seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. Any help will be greatly appreciated.
Embarq : Network xxx.xxx.180.104
Gateway: xxx.xxx.180.105
Subnet Mask: 255.255.255.248
Our Static IP's: xxx.xxx.180.106 to xxx.xxx.180.110
Cisco Pix for VPN tunnels : xxx.xxx.180.107 outside IP
used for DataBase Servers : 100.1.0.2 Inside IP/ Gateway 2
Cisco ASA 5505: xxx.xxx.180.106 outside IP
all other traffic : 100.1.0.1 Inside IP/ Gateway 1
Inside Network: 100.1.0.0/24
Application Server: 100.1.0.115 uses Gateway 1
BackUp AppSrvr: 100.1.0.116 uses Gateway 1
DataBase Server: 100.1.0.113 uses Gateway 2
BackUp DBSrvr: 100.1.0.114 uses Gateway 2
Cobox/Receiver: 100.1.0.140
BackUp Cobox: 100.1.0.150
Workstation 1: 100.1.0.112
Workstation 2: 100.1.0.111
Network Speaker1,2,3,4: 100.1.0.125 to 100.1.0.128
Future Workstations: 100.1.0.0/24
1. Embarq Gateway feeds both Cisco Pix, and Cisco ASA. Both Ciscos feed a Dell Switch.
2. All inside network devices at 100.1.0.0/24 are networked into the Dell Switch.
3. All Workstations/Network Speakers need to be able to communicate with all four servers, and the Cobox/Receiver.
4. The DataBase Servers have VPN tunnels created in the Pix for clients to be able to login securely and edit their account info.
5. The App Server (100.1.0.115), and BackUp App Srvr (100.1.0.116) need to have a NAT rule created NAT'ing them to xxx.xxx.180.109.
A. The xxx.xxx.180.109 NAT rule needs to allow ALL UPD traffic TO and FROM ANY outside IP address.
B. The xxx.xxx.180.109 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
6. The Cobox/Receiver (100.1.0.140) and BackUp Cobox (100.1.0.150) need to have a NAT rule created NAT'ing them to xxx.xxx.180.108
A. The xxx.xxx.180.108 NAT rule needs to allow UDP traffic FROM ANY Outside IP address source port 6000 or 9000 to destination port 9000
B. The xxx.xxx.180.108 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
7. Right now the Cisco PIX is functioning and working perfectly for our VPN tunnels.
8.
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 100.1.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.180.106 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object icmp
protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object icmp
protocol-object udp
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any xxx.xxx.180.104 255.255.255.248
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 host xxx.xxx.180.108 any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 host xxx.xxx.180.108 any
access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_2 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_nat_static extended permit udp host 100.1.0.140 eq 9000 any
access-list inside_nat_static_1 extended permit ip host 100.1.0.115 any
access-list inside_nat0_outbound extended permit ip 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
access-list outside_nat_static extended permit udp host xxx.xxx.180.108 eq 6000 host 100.1.0.140
access-list outside_nat_static_1 extended permit ip host xxx.xxx.180.109 host 100.1.0.115
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 100.1.0.3-100.1.0.254 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) udp xxx.xxx.180.108 6000 access-list inside_nat_static
static (outside,inside) udp 100.1.0.140 9000 access-list outside_nat_static
static (inside,outside) xxx.xxx.180.109 access-list inside_nat_static_1
static (outside,inside) 100.1.0.115 access-list outside_nat_static_1
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 100.1.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 100.1.0.5-100.1.0.15 inside
dhcpd dns 71.0.1.211 67.235.59.242 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
call-home reporting anonymous
Cryptochecksum:52e69fa95fcffd43ed9e73df320e3a55
: end
no asdm history enableOK. Thank you very much for your help. I am going to get with the powers that be to upgrade the "Base" license in this ASA.
In the meantime I will Close and Rate this post for now so others can get this info also.
If we have any further issues after the upgrade, then I will open a new post.
Thanks again. We new it was something simple. Not sure how we overlooked that, but hey we're getting somewhere now. -
ASA 5505 - Cannot ping outside natted interface
Hello,
I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network
Could someone help me to resolve this? I have looked for ASA documentation through the internet and still got nothing.
Thank you in advance
the config are:
: Saved
ASA Version 8.2(1)
hostname ciscoasa
domain-name domain
enable password ********** encrypted
passwd ************ encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.88.188.122 255.255.255.248
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name domain
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 172.88.188.123 eq smtp
access-list outside_in extended permit tcp any host 172.88.188.123 eq pop3
access-list outside_in extended permit tcp any host 172.88.188.123 eq www
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 172.88.188.128
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.88.188.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:865943aa325eb75812628fec3b1e7249
: endYou are looking for this. 2 options, dns doctoring, or hairpinning (2nd part of document.) Post back if you need help setting it up.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Hairpinning would look like this in your scenario.
same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255 -
Cisco ASA 5505 IOS 9.2(1), ASDM 7.3(2) NAT issues
Hey all,
I am really new to Cisco and am trying to get this Cisco ASA 5505 configured that I bought recently configured properly.
Things I have successfully been able to do:
1. Configure static WAN IP on WAN port e0/0 (I have a /29 block of addresses)
2. Create static routes to point to all of my vlans that are currently being being routed through my layer 3 SG-300
3. Install and run ASDM 7.3(2)
4. Went through the start-up wizard and configured all of my WAN and LAN settings (I have a WAN block of /29 addresses. So I congured my device with NAT and put in the range the first usable IP address outside of the one I configured for the direct connected WAN port from my modem. Example: 10.24.56.99-102 where .98 is already configured as the direct connect from modem to ASA 5505 and .97 is the gateway of my ISP modem.)
The struggle that I am running into today is with NAT rules from outside to inside. I currently have an Exchange server behind this device but I am unable to get ports forwarded to it. I followed this tutorial about Static NAT, however there is still no joy.
http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
Attached is a copy of my running-config and version. Any help with this would be greatly appreciated.Your Ethernet0/1 is a trunk with multiple VLANs allowed but you do not have corresponding VLAN interfaces for SVIs in each of the associated subnets. If, as your routing setup indicates, you will be going via your internal gateway at 10.10.1.1 to reach the internal subnets then Eth0/1 should just be an access port.
So your Exchange server in the 10.10.12.0/24 subnet will talk via the internal gateway (10.10.12.1?) and thus on to the ASA inside interface at 10.10.1.2.
I assume your "public" IPs have been changed to anonymize the output. If those are your actual addresses (10.24.56.x) then there must be additional NAT taking place upstream - that would all need to be setup properly as well. -
ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)
Greetings all. I've searched through the forums and have found some similar situations to mine but nothing specific. I'm hoping this is an easy fix... :/
I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4). They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securly transfer digital X-Ray images. Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already. So...
The network admin on the Fortinet side assinged me 172.31.1.0/24. I have established a connection but obviously, cannot route anywhere to the other side. Anyone have any suggestions here, how I might be able to accomplish this - hopefully with a simple NAT setup?
Thank you in advance everyone.Hello Chris,
For this scenario you will need to create a Policy-NAT rule and then configure the Interesting Traffic with the translated IP address.
Basically the NAT configuration will be like this:
object network Local-net
subnet 192.168.1.0 255.255.255.0
object network Translated-net
subnet 172.31.1.0 255.255.255.0
object network Fortinet-net
subnet 10.10.115.0 255.255.255.0
nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
Obviously, you can change the name of the objects.
Then in the interesting traffic, the ACL that is apply in the crypto map that defines the VPN traffi, you will need to configure it like this:
access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
Let me know if you have any doubts.
Daniel Moreno
Please rate any posts you find useful -
Nat/pat asa 5505 asdm ver 8.4
hi all,
i have a problem with portfoarwarding on asa 5505.
i have this situation:
internet ---> pubblic ip address-> router albacom -- 10.0.0.15 ---> -nat farward port 80--10.0.0.1 -outside -firewall asa -inside - 192.168.0.1------------server web 192.168.0.99
the server is not in dmz but it's on the lan network
my user must connect from internet, with any browser http://albacom_pubblic_address and router albacom and then asa firewall must nat and farward the port 80 on server web 192.168.0.99
any idea or tutorial
ths, best regardsHi Luca,
On the ASA, you would need the following:
object network server_ip
host 192.168.0.99
object service tcp_80
service tcp destination eq 80
nat (outside,inside) source static any any destination static interface server_ip service tcp_80 tcp_80
That would port forward all the request coming on port 80 on the outside interface of the firewall, to your internal server on port 80.
Hope that helps
Thanks,
Varun -
Problem with nat / access rule for webserver in inside network asa 5505 7.2
Hello,
i have trouble setting up nat and access rule for webserver located in inside network.
I have asa 5505 version 7.2 and it has to active interfaces, inside 192.168.123.0 and outside x.x.x.213
Webserver has ip 192.168.123.11 and it needs to be accessed from outside, ip x.x.x.213.
I have created an static nat rule with pat (as an appendix) and access rules from outside network to inside interface ip 192.168.123.11 (tcp 80) but no luck.
What am i doing wrong?Command:
packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.123.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x35418d8, priority=500, domain=permit, deny=true
hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=188.x.x.213, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule -
Cisco ASA 5505 IPSEC, one endpoint behind NAT device
We have two Cisco ASA 5505 devices.
Both are identical, however, one of them is behind a NAT device.
We are attempting to create an IPSEC network.
Site fg:
<ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
Site be:
<ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
USG1: UDP port 500/4500 forwarded to 192.168.4.50
It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
We verified / attempted the following:
- NAT excemption on both sides for IPSEC subnets
- Mirror image crypto maps
- Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
- Toggled between static to dynamic crypto maps on ASA1
Most search results turned up results referring to the incorrect settings of the crypto map or the lack of NAT excemption.
Does anyone have any idea?
195.txt contains show running-config of ASA3
212.txt contains show running-config of ASA1
log.txt contains somewhat entire log snipper of ASA1Hi,
on 212 is see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji. -
ASA 5505 9.1 and NAT issues to single dynamic IP
Good afternoon everybody,
a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP).
As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog :
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
In the same time, the consolle connection shows these two messages :
Asa5505# ERROR: NAT unable to reserve ports.
ERROR: NAT unable to reserve ports.
I have moved both Anyconnect VPN essentials and http ports to 10443 and 8080 respectively so port 443 should be free for nat.
This is the configuration file, I have marked the lines related to network objects and relative nat statements, I hope it helps to find out where's the problem.
Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
ASA Version 9.1(5)
hostname Asa5505
domain-name home
enable password XXXXXX encrypted
names
interface Ethernet0/0
description ADSLPPoE
switchport access vlan 2
interface Ethernet0/1
description Internal_LAN
interface Ethernet0/2
description Management_Net
switchport access vlan 3
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
description Uplink
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
description Wireless-POE
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
description Webcam-POE
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.250 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group AliceADSL
ip address pppoe setroute
interface Vlan3
no forward interface Vlan1
nameif management
security-level 100
ip address 10.5.1.250 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.4
domain-name home
object network Exchange-HTTPS
host 192.168.1.150
object network Exchange-SMTP
host 192.168.1.150
object network Network_Inside
subnet 192.168.1.0 255.255.255.0
object network Network_Management
subnet 10.5.1.0 255.255.255.0
access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https
access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1492
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network Exchange-HTTPS
nat (inside,outside) static interface service tcp https https
object network Exchange-SMTP
nat (inside,outside) static interface service tcp smtp smtp
object network Network_Inside
nat (inside,outside) dynamic interface
object network Network_Management
nat (management,outside) dynamic interface
access-group Outside_ACL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 8080
http 10.5.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
vpdn group AliceADSL request dialout pppoe
vpdn group AliceADSL localname aliceadsl
vpdn group AliceADSL ppp authentication pap
vpdn username aliceadsl password ***** store-local
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.1.4 192.168.1.150 interface inside
dhcpd wins 192.168.1.4 interface inside
dhcpd enable inside
dhcpd address 10.5.1.30-10.5.1.40 management
dhcpd dns 208.67.222.222 208.67.220.220 interface management
dhcpd enable management
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 10443
anyconnect-essentials
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXX
: end
no asdm history enable
Thanks in advance for your precious help !
C.Update 29th of June :
Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both nat rules are restored. In 9.1(5) the nat statements were removed from the runnning configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
I tried using show xlate both before, during, and after the connection drop. As expected before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During disconnection, all the xlate table is clean empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If i reload the ASA using reload noconfirm every rule is restored and everything works again.
Two brief questions :
1) in my NAT statements for PAT, does it change anything if I modify them (for example) from
nat (inside,outside) static interface service tcp https https
to
nat (inside,outside) dynamic interface service tcp https https
? Since it seems like the dynamic PAT is restored after a connection drop I was asking myself what happens if I change the rules this way.
2) if there's not any ohter way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self fixing" ? I can't predict how many times a day the line drops and I can't be there 24/7 with my consolle cable connected in order to restore the nat statements ^^
Thank you for your precious help and patience !
C. -
How to set up NAT for two servers using same port with ASDM ASA 5505
Hi there,
We have a new installation of a ASA 5505 and are trying to get some NAT issues straightened out. Here is the scenario: On our internal network, we have two servers running Filemaker Server, a relational database server that clients connect with using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching Access rule in ASDM which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a different translated port number from the orginal port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily choosen unused port, can be used to access the second server:
Outside user enters FQDN:5004 and this translates to Database server # 1 as 192.168.1.40:5003
and
Outside user enters FQDN:5003 and this translates to Database server # 1 as 192.168.1.38:5003
If so, what is the easist way to get this done? Or is there a better what to handle this scenario?
Thanks in advance,
JamesI would create two objects and use object NAT
object network Obj_5004
host 192.168.1.40
object network Obj_5004
nat (inside,outside) static service tcp 5003 5004
object network Obj_5003
host 192.168.1.38
object network Obj_5003
nat (inside,outside) static service tcp 5003 5003
Of course you will need to open your outside interface for tcp ports 5003 and 5004 to make this happen
Maybe you are looking for
-
I am trying to use this function in my CVI code to configure a PXIe-4154 to make measurement based on software trigger. niDCPower_ConfigureSoftwareEdgeMeasureTrigger I saw this RUN TIME ERROR when I execute the code. Error code -1074118587 ... the re
-
Why does my site not appear correctly on other computers?????
I made a website for the gallery I manage. address is 12spsg.com When making the site with CS4 it looked fine on both computers I was working on but now the left sidebar is appearing in the middle of the screen, the top menu bar is not all one row th
-
Valuated SIT: Batch related error
Hi Experts We use valuated SIT functionality. The material moved is non-batch managed in supplying plant and it is batch managed in receiving plant. Due to this, when attempted to do PGI, getting the error "Enter Batch" (Message M7 018). This error
-
Query Builder - Path and Object name for instance ..
Hello, how to get the Object Name of an Instance "InstanceX" and the Path of the Object with query Builder .. Thanks
-
When I upgraded to Windows 8.1 my hp laptop created a @outlook.com account. Now it requires me to enter the last password i used to access the computer. I don't recall even setting one up. Tried to start up in safe mode, it won't allow that. Please h