ASA 5525X - Multiple outside addresses PAT to one inside address
Hi
I am trying to get two external addresses to PAT to different ports on the same address in the dmz.
Object NAT is configured as follows:
object network Obj-192.168.1.20-1
nat (dmz,outside) static Obj-External-1 service tcp https https
object network Obj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Obj-192.168.1.20-1 and Obj-192.168.1.20-2 contain the same host address.
The idea being that traffic destined for Obj-External-1 on port 443 will be forwarded to Obj-192.168.1.20-1 on port 443. Traffic for Obj-External-2 on port 443 will be forwarded to Obj-192.168.1.20-2 on port 2000.
Traffic for the first object, Obj-192.168.1.20-1, works but traffic for the second does not.
Can anyone help?
Thanks
Paul
Thanks Jouni
Output below:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Obj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Additional Information:
NAT divert to egress interface dmz
Untranslate 194.168.208.72/443 to 192.168.1.20/2000
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Obj-192.168.1.20-1 eq 2000
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-skinny
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect skinny
service-policy global_policy global
Additional Information:
Phase: 7
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Obj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7479639, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
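A triage helper for that trace, added here as an example (it is not code from the original post): it turns packet-tracer output into phases, pulls the static PAT mapping out of the UN-NAT phase, and lists the application inspection engines the flow was handed to. Phase 6 is the line worth noticing: TCP/2000 is the SCCP (Skinny) port in the ASA's default-inspection-traffic class, so a flow un-NATed to 192.168.1.20/2000 lands in inspect skinny even though the trace's verdict is still allow. SAMPLE_TRACE is an excerpt of the output posted above; the DEFAULT_INSPECT_TCP table is this example's own short list of default-inspection ports, not the full class.

```python
"""Parse Cisco ASA packet-tracer output and report the static PAT mapping
plus any inspection engine the flow hit. Added example; SAMPLE_TRACE is an
excerpt of the trace posted in the thread (phases 1-2, 5, 7-11 omitted)."""
import re

SAMPLE_TRACE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Obj-192.168.1.20-2
 nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Additional Information:
NAT divert to egress interface dmz
Untranslate 194.168.208.72/443 to 192.168.1.20/2000
Phase: 6
Type: INSPECT
Subtype: inspect-skinny
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect skinny
service-policy global_policy global
Additional Information:
Result:
input-interface: outside
output-interface: dmz
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
UNTRANSLATE_RE = re.compile(r"Untranslate\s+(\S+?)/(\d+)\s+to\s+(\S+?)/(\d+)")
# TCP ports the default-inspection-traffic class hands to an engine.
# Constructed for this example; the real class covers more protocols.
DEFAULT_INSPECT_TCP = {21: "ftp", 1720: "h323", 2000: "skinny", 5060: "sip"}


def parse_phases(text):
    """Split packet-tracer output into one dict per 'Phase:' block."""
    phases, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":          # trailing summary block, not a phase verdict
            current = None
            continue
        if current is None:
            continue
        if line.startswith(("Type:", "Subtype:", "Result:")):
            key, value = line.split(":", 1)
            current[key.lower()] = value.strip()
            section = None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section and line:
            current[section].append(line)
    return phases


def untranslate(phases):
    """(public_ip, public_port, real_ip, real_port) from the UN-NAT phase, or None."""
    for p in phases:
        if p["type"] != "UN-NAT":
            continue
        for line in p["info"]:
            m = UNTRANSLATE_RE.search(line)
            if m:
                return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    return None


def inspection_engines(phases):
    """Engine names from INSPECT phases, e.g. 'inspect-skinny' -> 'skinny'."""
    return [p["subtype"].replace("inspect-", "", 1)
            for p in phases if p["type"] == "INSPECT"]


def review(text):
    """Summarise non-ALLOW phases, the NAT mapping and inspection caveats."""
    phases = parse_phases(text)
    mapping = untranslate(phases)
    engines = inspection_engines(phases)
    findings = [f"phase {p['phase']} {p['type']} result {p['result']}"
                for p in phases if p["result"] != "ALLOW"]
    if mapping:
        pub_ip, pub_port, real_ip, real_port = mapping
        findings.append(f"static PAT {pub_ip}:{pub_port} -> {real_ip}:{real_port}")
        engine = DEFAULT_INSPECT_TCP.get(real_port)
        if engine in engines:
            findings.append(
                f"real port {real_port} is the default {engine} inspection port and "
                f"the {engine} engine matched this flow; if the DMZ service is not "
                f"{engine}, exempt this host/port from that inspection")
    return {"phases": len(phases), "mapping": mapping,
            "engines": engines, "findings": findings}
```

The point of the last finding: the ACL and NAT phases both allow, so the next thing to check on the box is whether the service listening on 192.168.1.20:2000 is really SCCP; if it is not, confirm with `show service-policy inspect skinny` and a capture on dmz, and exempt that flow from the skinny engine.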
Similar Messages
-
ASA 5525X - Multiple Outside Interface
Hello,
Question:
I have a pair of ASA 5525X for VPN traffic; the interfaces are:
- Inside
- DMZ
- Outside - ISP1 - IP 1.1.1.1
Can I have two "outside" interfaces, i.e. multiple ISPs, for VPN traffic (site to site)?
- Inside
- DMZ
- Outside - ISP1 - IP 1.1.1.1
- Outside2 - ISP2 - IP 2.2.2.2
I need this because I have problems with only one ISP, so I need to install one more and, on the remote peer, add a second peer IP (for ISP2), so that if the remote peer cannot establish the connection over ISP1 it goes to ISP2. Is that possible?
Tks.
Rafael
Yes Rafael, it is possible.
You need to configure SLA monitoring on the ASA for the ISP failover.
And for the VPN, add the second ISP IP as a backup peer on the remote device.
On your ASA, where you have dual ISPs, the same crypto map will be applied on both interfaces.
In case you need any assistance regarding the configuration, let me know.
Configuration should look something like this:
interface Ethernet0
nameif outside
security-level 0
ip address 10.200.159.2 255.255.255.248
interface Ethernet2
nameif inside
security-level 100
ip address 172.22.1.163 255.255.255.0
interface Ethernet1
nameif backup
security-level 0
ip address 10.250.250.2 255.255.255.248
access-list outside_crypto_1 permit ip 172.22.1.0 255.255.255.0 (your internal private ip) x.x.x.x x.x.x.x (remote site internal ip you want to access)
access-list nonat permit ip 172.22.1.0 255.255.255.0 (your internal private ip) x.x.x.x x.x.x.x (remote site internal ip you want to access)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto map outside_map 20 match address outside_crypto_1
crypto map outside_map 20 set peer x.x.x.x (Public ip of the remote site)
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto isakmp enable backup
crypto isakmp enable outside
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.22.1.0 255.255.255.0
nat (inside) 0 access-list nonat
tunnel-group x.x.x.x (public ip of the remote site) type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key cisco123
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
Important Information:
===============================================
** With the use of track, the ASA will keep monitoring the MPLS interface (outside in this example) with the help of ICMP packets. The moment it stops getting replies it will flush the primary route and start pointing the routes toward the backup interface.
** The crypto map will be applied on the backup interface, and the remote site should use the public IP of the backup interface as the VPN peer.
** As soon as the ASA starts getting replies from the outside interface again, it will point the routes back toward the MPLS interface.
** I hope this answers your query.
Thanks
Jeet -
How to configure multiple IP addresses on one NIC?
Hi,
I just installed an OVM Server, version 3.2.1, and the corresponding VM Manager. Now I wanted to try to configure the server/server pool. Now I came across a problem which was already a big problem in OVM 2 while configuring the networks.
All our OVM Servers have three NICs in them. One is for VMs and management, the others are for the connection to our SAN (Dell PowerVault MD 3220i). My problem is that, due to the network setup, the two NICs for storage each need two IP addresses in two different networks. This shouldn't be a problem, because usually in Linux all you have to do is configure something like eth1:1. I remember having huge trouble configuring it in our OVM 2 cluster, up to the point where I had to write a shell script to configure the second IP.
Anyway, I have configured two of the storage networks on eth1 and eth2 of the VM Server. Now I cannot configure any more IP addresses, because eth1 and eth2 are no longer available for configuration in a third network. I really hoped that it would be possible in OVM 3 to configure multiple IP addresses, and probably it is only my lack of knowledge of how to configure it.
So any advice is well appreciated.
Thanks!
Regards,
Marek Hubatka
You should be able to do this by using "VLAN Groups".
http://docs.oracle.com/cd/E35328_01/E35332/E35332.pdf
Check out the VLAN groups section. You must create the VLAN groups before you can assign them to interfaces. -
Multiple email address with one server account
Why can't Mail have multiple email addresses on one email account? Like Thunderbird calls them Identities. As I remember, Outlook also supports this. I like Mail but it seems rather dated and clunky in this respect.
I am using mainly IMAP so maybe I should switch to Thunderbird, but I do still have some old messages in POP accounts in Mail.
You can have multiple accounts, but only one "identity." Configure new mail accounts for all the different email addresses you may have. They can each have different configurations, different servers, etc., as well as be individually made active or inactive. All incoming mail will funnel into a single Inbox, but you can use rules to transfer incoming mail to separate mailboxes based on the account.
What you cannot have are distinct "personalities."
Bear in mind that Mail is intended for a single user and the vast number of single users only have one email account. I actually have four different email addresses but three of them are set to forward mail to the account I use with Mail. Mail works quite well with IMAP, POP, and Outlook mail accounts. -
how do I add multiple email addresses i have received (+ -900) to my address book instead of having to do it one by one?
Grab them all and drag them to the Address Book.
Roger -
How do I copy multiple email addresses from one email sent TO me into a new message?
How do I copy multiple email addresses from an email sent to me into a new message?
Are they in the body of the mail?
Hold your finger down in that mail until the little blue bubble pops up. One of the options should be to select all. Choose that and all will be highlighted. Then a pop-up comes up to copy; choose that, open your destination and hold your finger down to get the paste dialogue. -
In my address book, I have contacts that have multiple email addresses. (ex: home and work) I have created a smart group off of the company name in the contact. When I send emails, I want it to go to both email address listed in the contact. Is there a way to make this happen? Or do I have to have a separate contact for each email address?
I will agree with you on this one. Version 31 and all the fixes so far are a mess. Since I have been here answering questions for a little more than a year now, I have learned to wait to upgrade until all the dust settles. I see no end to the dust storm version 31 has caused. I am still on version 24.6 and plan on staying there for the duration, at least until the developers come to their senses and put out a working product.
-
Pick one of the multiple email address of a contact!
Hi,
In the current app that I am working on, the user is presented with the address book. Let's say the contact that is selected has multiple email addresses - Home, Work1, Work2 (in this order).
How can the app know which one the user picks? Let's say the user wants to select the Work2 address.
The code below has a for-loop that cycles through all the values. I want to compare the value of mobileLabel to the value that the user selected in the AddressBook picker; how is that passed on to the app?
ABMultiValueRef emailProperty = ABRecordCopyValue(person, kABPersonEmailProperty);
NSString *email = nil;
NSString *mobileLabel = nil;
for (CFIndex i = 0; i < ABMultiValueGetCount(emailProperty); i++) {
    // Copy* functions return +1 references: release each one after use
    mobileLabel = (NSString *)ABMultiValueCopyLabelAtIndex(emailProperty, i);
    NSLog(@"mobileLabel = <%@>", mobileLabel);
    // if ([mobileLabel isEqualToString:@"_$!<Mobile>!$_"])
    // if ([mobileLabel isEqualToString:@"_$!<Home>!$_"])
    email = (NSString *)ABMultiValueCopyValueAtIndex(emailProperty, i);
    NSLog(@"email: <%@>", email);
    self.emailFromPicker = email;   // the property keeps its own retained copy
    [mobileLabel release];
    [email release];
    break;                          // as written this always takes the first value
}
if (emailProperty) CFRelease(emailProperty);
It's given to you in the delegate method.
- (BOOL)personViewController:(ABPersonViewController *)personViewController shouldPerformDefaultActionForPerson:(ABRecordRef)person property:(ABPropertyID)property identifier:(ABMultiValueIdentifier)identifierForValue
Parameters
personViewController
The sender.
person
The person personViewController is displaying.
property
The property whose value the user selected.
valueIdentifier
When property is a multivalue property, the value the user selected.
See the +ABPersonViewControllerDelegate Protocol Reference+.
Message was edited by: xnav -
How do I send to contacts multiple email addresses at one time?
I have several contacts who ask that emails be sent to multiple emails address at the same time. How do I do that without creating additional cards for each email address?
Are you entering the addressees into Mail individually or are they included as part of an Address Book group? If you are using a group, I believe you will need to have multiple cards per individual.
If you are typing the addressees into Mail's "To:" and "Cc:" boxes, you can select among multiple addresses on one contact card just as you would select among multiple people with the same first name; just repeat for each address. -
Setting up one contact with multiple email addresses-i.e Family & Friends
Would like to set up one contact "Family & Friends" and show multiple email addresses, such as 20 or 30 addresses. Can this be done?
The iPad Contacts app does not handle groups. However, there are apps such as Mail2Group. They have both free (lite) and more fully featured versions.
-
The email comes up when I press the "Submit" button but the email to field is blank.
Hi,
What is the separator character between two email addresses? Is it a comma (,) semicolon(;) or something else?
According to the mailto URI scheme (RFC 6068), you need to use a comma (,) to separate multiple email addresses.
You can see the third example in the following Wikipedia page.
mailto - Wikipedia, the free encyclopedia
Would you double check the mailto value in your PDF form? -
Adding Multiple Email Addresses in one field
Dear Staff,
My staff submit progress reports that include two separate fields:
Their own email address is requested so the staff member could receive a receipt of their progress report
The email address of the recipient of the progress report is requested as well. We would like to include multiple email addresses in that field because often multiple individuals need to receive the progress report.
Is there a work-around to including multiple email addresses, or is this something you must accomplish on the development side?
That is unfortunate, but I hope this request catalyzes a remedy for this issue in the future. Thank you for your swift reply, Randy... well appreciated. Happy New Year!
-
Cisco asa 5505 issues ( ROUTING AND PAT)
I have some issues with my Cisco ASA 5505 config. Please see details below:
NETWORK SETUP:
gateway (192.168.223.191) - Cisco ASA 5505 (outside 192.168.223.200, inside 192.168.2.253, DMZ 172.16.3.253)
ISSUES:
1)
No route from DMZ to outside.
Example:
ping from 172.16.3.201 to the gateway
6 Jan 27 2014 11:15:33 172.16.3.201 39728 Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
2)
Access from external to DMZ is not working at all.
ASA DETAILS:
cisco asa5505
Device license Base
Maximum Physical Interfaces 8 perpetual
VLANs 3 DMZ Restricted
Inside Hosts Unlimited perpetual
configuration:
firewall200(config)# show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network office1-int
host 172.16.2.1
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object web2-ext eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.2.10-172.16.2.10 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
: end
Thank you one more time for everything. It is working indeed.
The reason why I sometimes had some 'weird' results was that I had all devices connected to the same switch. Separating all networks onto different switches helped. Anyway, if you could take a look one last time at my configuration and let me know if it's good enough to deploy live (only www for all, ssh restricted from outside, LAN to DMZ). Thanks one more time.
show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext net-to-net
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
: end -
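For the "is it good enough to deploy" question in the ASA 5505 thread above, here is a review script added as an example (it is not code from the thread). It reads a `show run` excerpt and flags what a reviewer would raise before the box goes live: ssh/http/telnet management access permitted on an interface with security-level 0, the 1024-bit `dh-group1-sha1` SSH key exchange, interface ACLs that permit ip any any, and inbound SSH permitted from any source through an untrusted interface. SAMPLE_CONFIG is an excerpt of the final config posted above, copied as posted (the `172.163.2.5` entries included); the severity labels and the list of checks are this example's own.

```python
"""Pre-deployment review of an ASA running-config excerpt. Added example;
SAMPLE_CONFIG is an excerpt of the 5505 config posted in the thread."""
import re

SAMPLE_CONFIG = """\
interface Vlan100
 nameif outside
 security-level 0
interface Vlan200
 nameif inside
 security-level 100
interface Vlan300
 nameif DMZ
 security-level 50
object network web2-int
 host 172.16.3.201
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh key-exchange group dh-group1-sha1
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
MGMT_RE = re.compile(r"^(ssh|http|telnet) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (\S+)$")
KEX_RE = re.compile(r"^ssh key-exchange group (\S+)$")
WEAK_KEX = {"dh-group1-sha1"}   # 1024-bit MODP group 1


def untrusted_interfaces(lines):
    """Names of interfaces configured with security-level 0."""
    names, current = set(), None
    for line in lines:
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            if int(line.split()[1]) == 0:
                names.add(current)
    return names


def review(config_text):
    """Return a list of (severity, message) findings for the config text."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    untrusted = untrusted_interfaces(lines)
    applied = {m.group(1): m.group(2)           # ACL name -> interface it is bound to
               for m in map(ACCESS_GROUP_RE.match, lines) if m}
    findings = []
    for line in lines:
        m = MGMT_RE.match(line)
        if m and m.group(4) in untrusted:
            findings.append(("high", f"{m.group(1)} management access from "
                                     f"{m.group(2)} on untrusted interface {m.group(4)}"))
            continue
        m = KEX_RE.match(line)
        if m and m.group(1) in WEAK_KEX:
            findings.append(("medium", f"ssh key-exchange {m.group(1)} is 1024-bit DH; "
                                       f"use dh-group14-sha1 or stronger"))
            continue
        m = ACL_RE.match(line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        iface = applied.get(name)
        where = f"applied on {iface}" if iface else "not applied to any interface"
        if action == "permit" and proto == "ip" and rest == "any any":
            findings.append(("medium", f"{name} permits ip any any ({where})"))
        if (action == "permit" and rest.startswith("any ")
                and rest.endswith(" eq ssh") and iface in untrusted):
            findings.append(("high", f"{name} exposes ssh to any source via {iface}"))
    return findings


if __name__ == "__main__":
    for severity, message in review(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

On the posted config this reports six high findings (five management entries on outside plus the any-source SSH permit into the DMZ host) and two medium ones (the weak key exchange and the DMZ ACL's permit ip any any). The checks are deliberately line-based and will miss object-group indirection; they are a first pass before reading the ACLs by hand, not a substitute for it.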
Multiple Public IP's on one physical interface for devices behind Router.
Hi guys, I am trying to find information on applying multiple IP addresses to a router,
basically one for the router itself and then some for the devices behind the router, which I am sure I need to apply some 1-to-1 NATs for. I just do not know if I need to specify all the IP addresses on the main interface.
For example, I have a router with a WAN IP of xxx.xxx.xxx.xxx/25; it only has two interfaces, one for WAN and one for LAN. I have a server I would like assigned its own public IP address, but still on the same LAN network.
Could someone help me out and point me in the right direction with a sample config?
I agree with the previous response that you need a static NAT to allow outside resources to initiate traffic to your server. You also will need NAT or PAT using the router interface address to allow the other hosts in your network to access outside.
You do not need to configure any other of the addresses on the router interface other than the primary IP that you assign to the router interface. As long as the other addresses are used for NAT/PAT they are configured in the nat statements and not on the physical interface.
HTH
Rick -
Can't get Internet working on ASA 5525X
Hello,
I have an ASA 5525X.
I'm in the testing process and can't make Internet routing work.
I'm routing between two private IPs because the outside interface is connected to the lab switch.
I'm able to ping anything from ASDM; I also tried packet-tracer using the IP assigned to the end user and it works from the ASA, but not on the Win7 machine.
After enabling logging on the ASA, I saw the ASA tearing down the ICMP connection (when trying to ping 8.8.8.8).
Any ideas why?
ASA Version 9.0(2)
hostname MIKUNI-LA-ASA1
enable password nsi9HaIu8epX9MzI encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.30.200.100 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
banner motd
banner motd !!!!!!!!!!!!!!!DO NOT LOGON!!!!!!!!!!!!!!!
boot system disk0:/asa902-smp-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
same-security-traffic permit intra-interface
object network internet
host 172.30.200.100
pager lines 24
logging enable
logging trap errors
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712-102.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,inside) source dynamic any interface dns
route outside 0.0.0.0 0.0.0.0 172.30.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
username admin password y9JC1OmYlTqCYCh5 encrypted privilege 15
username neocomp password zEZJ79.tgPiYxCsz encrypted privilege 15
class-map inside-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map inside-policy
class inside-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect ip-options
inspect ipsec-pass-thru
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e8f3db05e9bce814811bac225d27ded8
: end
Didn't work.
I tried a clean configuration but it's still the same thing; I can't get to the Internet through the firewall.
From the ASA I can ping everything, but from the end-user side it shows DNS is not responding, and I cannot ping the outside interface on the ASA.
ASA Version 9.0(2)
hostname MIKUNI-LA-ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address dhcp setroute
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
banner motd !!!!!!!!!!!!!!!DO NOT LOGON!!!!!!!!!!!!!!!
boot system disk0:/asa902-smp-k8.bin
ftp mode passive
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
object network Internet
subnet 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console warnings
logging asdm informational
mtu management 1500
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712-102.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network Internet
nat (any,OUTSIDE) dynamic interface dns
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface OUTSIDE
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
username admin password y9JC1OmYlTqCYCh5 encrypted privilege 15
username neocomp password zEZJ79.tgPiYxCsz encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8659ad01179820e90e68d3725961dc2c
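As an added troubleshooting aid (not from the thread, and not Cisco tooling): a Python script that parses the interface and network-object stanzas of the config above and checks that the INSIDE interface's subnet is actually covered by an object carrying a dynamic NAT toward OUTSIDE, the first thing to verify when inside hosts cannot reach the Internet. The config excerpt embedded below is constructed from the lines posted above; the stanza parsing assumes the usual ASA layout where `nameif` precedes `ip address`.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted above (not the full dump);
# only the stanzas this check consumes are included.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.100.1 255.255.255.0
object network Internet
 subnet 192.168.100.0 255.255.255.0
object network Internet
 nat (any,OUTSIDE) dynamic interface dns
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (dynamic|static) (.+)")


def parse_asa(text):
    """Return (interfaces, objects): nameif -> network of each statically
    addressed interface; object name -> {'subnet': net, 'nat': (src, dst, kind)}."""
    interfaces, objects = {}, {}
    nameif = obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif, obj = None, None                      # new interface stanza
        elif line.startswith("object network "):
            obj = objects.setdefault(line.split()[2], {})  # same object may repeat
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif and "dhcp" not in line:
            _, _, ip, mask = line.split()[:4]              # DHCP interfaces have no static net
            interfaces[nameif] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif obj is not None and line.startswith(("subnet ", "host ")):
            p = line.split()
            obj["subnet"] = ipaddress.ip_network(f"{p[1]}/{p[2]}" if p[0] == "subnet" else f"{p[1]}/32")
        elif obj is not None and (m := NAT_RE.match(line)):
            obj["nat"] = (m.group(1), m.group(2), m.group(3))
    return interfaces, objects


def nat_coverage(text, egress="OUTSIDE"):
    """Map each non-egress interface to the object whose subnet contains it and
    that has a dynamic NAT toward `egress`, or None when nothing covers it."""
    interfaces, objects = parse_asa(text)
    result = {}
    for nameif, net in interfaces.items():
        if nameif == egress:
            continue
        result[nameif] = None
        for name, o in objects.items():
            src, dst, kind = o.get("nat", (None, None, None))
            if (kind == "dynamic" and dst == egress and src in ("any", nameif)
                    and "subnet" in o and net.subnet_of(o["subnet"])):
                result[nameif] = name
                break
    return result
```

For the posted config the INSIDE subnet is covered by the `Internet` object, so the NAT rule itself is not the gap; note that an ASA only answers ICMP sent to the interface the packet arrives on, so failing to ping the OUTSIDE address from INSIDE is expected and is not a fault indicator by itself.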