ASA 8.2(1) Global and NAT statements, natting certain internal hosts

Hi, I have what I believe will be an easy question, but I cannot find the answer and cannot afford to test it on our production ASA.
I am running an ASA firewall, we are performing PAT with one Public IP Address for all inside traffic accessing the Internet. We need to implement a solution where whenever two or three internal hosts/servers access the Internet, they need to appear to come from a unique public IP, different than the current Global IP for all other internal traffic. I understand I could NAT their Internal IP Address to a public IP, but I don't need each server to have its own public IP, I'd like for all of them to share one.
Thoughts on how to accomplish this?  Thanks!

Hi,
To my understanding you would just create a new Dynamic PAT configuration using different NAT ID for these hosts.
Though when you create a separate Dynamic PAT for some hosts with a new NAT ID you will have to make sure that this NAT ID has a rule towards any interface they had before.
In a very basic setup there should only be Dynamic PAT between your "inside" and "outside" interfaces (presuming that's what they are called on your firewall).
This would mean that if you had for example a network 10.10.10.0/24 and you performed Dynamic PAT for that network using the "outside" interface IP address you would then configure the following
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
So the above is probably the type of configuration you have at the moment?
For the 2/3 hosts you have that need a different PAT IP address you could probably configure something like this (1.1.1.1 is just an example IP instead of the actual public IP address that is different from the interface IP address)
global (outside) 2 1.1.1.1
nat (inside) 2 10.10.10.1
nat (inside) 2 10.10.10.2
nat (inside) 2 10.10.10.3
If the original ID 1 NAT rule had "global" statements for some other interface then you would most likely need ID 2 configurations for those too. Though generally Dynamic PAT is only performed towards other external networks which usually means only the "outside" interface.
Without seeing the configurations I don't think I can say much more.
Naturally "packet-tracer" is an excellent command to confirm what NAT/PAT is applied for a host's connection.
For example, if you wanted to test which ASA configurations/rules apply to host 10.10.10.1 towards some external host, you could issue this command
packet-tracer input inside udp 10.10.10.1 12345 8.8.8.8 53
This should tell you what NAT translation is performed for this traffic (it simulates a destination port UDP/53 connection towards 8.8.8.8). Naturally you can also confirm things through firewall logs and the translation table of the device.
Active translations on the firewall you can show with the command
show xlate
It does have a lot of additional parameters after "xlate" if you want to have more specific output.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
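The NAT ID lookup that the answer above describes, as an added example (not part of the original thread and not Cisco code): it parses the sample global/nat statements, resolves which PAT address a given inside host gets toward an egress interface, and flags NAT IDs that have nat statements but no matching global on an interface, the check the answer says to make when a second NAT ID is introduced. It assumes the most specific nat statement wins when a host matches several; the sample config and the "dmz" interface name are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample config, modelled on the statements in the answer above.
# "interface" means PAT to the egress interface's own address; 1.1.1.1 stands
# in for the second public address. Not taken from a real device.
SAMPLE_CONFIG = """
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 2 1.1.1.1
nat (inside) 2 10.10.10.1
nat (inside) 2 10.10.10.2
nat (inside) 2 10.10.10.3
"""

# Same config with a constructed second egress interface that only has a global
# for ID 1: the situation the answer warns about, ID 2 hosts have no PAT there.
SAMPLE_CONFIG_TWO_EGRESS = SAMPLE_CONFIG + "global (dmz) 1 interface\n"

NatRule = Tuple[str, int, ipaddress.IPv4Network]   # (ingress iface, NAT ID, real network)
GlobalPool = Dict[Tuple[str, int], str]            # (egress iface, NAT ID) -> mapped address


def parse_config(text: str) -> Tuple[List[NatRule], GlobalPool]:
    """Parse pre-8.3 style 'nat (iface) id addr [mask]' and
    'global (iface) id addr' lines; any other line is ignored."""
    nats: List[NatRule] = []
    pools: GlobalPool = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "nat" and len(parts) >= 4:
            iface = parts[1].strip("()")
            nat_id = int(parts[2])
            # A bare host address with no mask is a /32, as in 'nat (inside) 2 10.10.10.1'.
            mask = parts[4] if len(parts) > 4 else "255.255.255.255"
            net = ipaddress.ip_network(f"{parts[3]}/{mask}", strict=False)
            nats.append((iface, nat_id, net))
        elif parts[0] == "global" and len(parts) >= 4:
            iface = parts[1].strip("()")
            pools[(iface, int(parts[2]))] = parts[3]
    return nats, pools


def resolve_pat(nats, pools, ingress, src_ip, egress):
    """Return the PAT address src_ip would use from `ingress` toward `egress`.
    Assumption: when a host matches several nat statements on the ingress
    interface, the one with the longest mask wins (the /32 host entries in
    ID 2 beat the /24 in ID 1). Returns None when no nat statement matches
    or when the winning NAT ID has no global on the egress interface."""
    ip = ipaddress.ip_address(src_ip)
    best: Optional[NatRule] = None
    for rule in nats:
        iface, _, net = rule
        if iface == ingress and ip in net:
            if best is None or net.prefixlen > best[2].prefixlen:
                best = rule
    if best is None:
        return None
    return pools.get((egress, best[1]))


def missing_globals(nats, pools):
    """List (NAT ID, egress iface) pairs where hosts are assigned to a NAT ID
    but that interface has no global for it. Egress interfaces are taken
    from the globals present in the config."""
    egress_ifaces = {iface for iface, _ in pools}
    gaps = set()
    for _, nat_id, _ in nats:
        for egress in egress_ifaces:
            if (egress, nat_id) not in pools:
                gaps.add((nat_id, egress))
    return sorted(gaps)


if __name__ == "__main__":
    nats, pools = parse_config(SAMPLE_CONFIG)
    for host in ("10.10.10.2", "10.10.10.50"):
        print(host, "->", resolve_pat(nats, pools, "inside", host, "outside"))
    print("gaps:", missing_globals(*parse_config(SAMPLE_CONFIG_TWO_EGRESS)))
```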

Similar Messages

  • Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host

    Hi:
    Need your great help for my new ASA 5505 (8.4)
    I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
    ASA Version 8.4(3)
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.29.8.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 177.164.222.140 255.255.255.248
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
    domain-name ABCtech.com
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 172.29.8.0 255.255.255.0
    object service RDP
    service tcp source eq 3389
    object network orange
    host 172.29.8.151
    object network WAN_173_164_222_138
    host 177.164.222.138
    object service SMTP
    service tcp source eq smtp
    object service PPTP
    service tcp source eq pptp
    object service JT_WWW
    service tcp source eq www
    object service JT_HTTPS
    service tcp source eq https
    object network obj_lex
    subnet 172.29.88.0 255.255.255.0
    description Lexington office network
    object network obj_HQ
    subnet 172.29.8.0 255.255.255.0
    object network guava
    host 172.29.8.3
    object service L2TP
    service udp source eq 1701
    access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135
    access-list inside_access_in extended deny tcp any eq 135 any
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 3389
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq smtp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq www
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq https
    access-list outside_access_in extended permit gre any host 177.164.222.138
    access-list outside_access_in extended permit udp any host 177.164.222.138 eq 1701
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
    access-list inside_in extended permit icmp any any
    access-list inside_in extended permit ip any any
    access-list inside_in extended permit udp any any eq isakmp
    access-list inside_in extended permit udp any eq isakmp any
    access-list inside_in extended permit udp any any
    access-list inside_in extended permit tcp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static orange interface service RDP RDP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
    nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
    route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Guava protocol nt
    aaa-server Guava (inside) host 172.29.8.3
    timeout 15
    nt-auth-domain-controller guava
    user-identity default-domain LOCAL
    http server enable
    http 172.29.8.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 173.190.123.138
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 172.29.8.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside vpnclient-wins-override
    dhcprelay server 172.29.8.3 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    group-policy ABCtech_VPN internal
    group-policy ABCtech_VPN attributes
    dns-server value 172.29.8.3
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Tunnel_User
    default-domain value ABCtech.local
    group-policy GroupPolicy_10.8.8.1 internal
    group-policy GroupPolicy_10.8.8.1 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username who password eicyrfJBrqOaxQvS encrypted
    tunnel-group 10.8.8.1 type ipsec-l2l
    tunnel-group 10.8.8.1 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 10.8.8.1 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    tunnel-group ABCtech type remote-access
    tunnel-group ABCtech general-attributes
    address-pool ABC_HQVPN_DHCP
    authentication-server-group Guava
    default-group-policy ABCtech_VPN
    tunnel-group ABCtech ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 173.190.123.138 type ipsec-l2l
    tunnel-group 173.190.123.138 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 173.190.123.138 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect pptp
      inspect ftp
      inspect netbios
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6a26676668b742900360f924b4bc80de
    : end

    Hello Wayne,
    Can you use a different subnet range than the internal interface? This could cause you a LOT of issues and hours of troubleshooting, so use a dedicated, different IP address range...
    I can see that the local pool range is included in the inside interface IP address subnet range; change that and the related config (NAT, etc.) and let us know what happens.
    Regards,
    Julio
    Security Trainer

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with IPSEC VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses.
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5 not 192.168.1.5 (notice the last octet should be the same, in this case .5).
    The same translation for the rest of the communication (host N2 pings host N3 with destination IP 10.23.1.6 not 192.168.1.6; again the last octet is the same).
    It sounds a bit confusing for me but I have seen this type of setup before when I worked for a managed service provider where we had a connection to our clients (Site to Site IPsec VPN with NAT, not sure how it was set up).
    Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated addresses as mentioned above, 10.23.1.0/24 instead of (real) 192.168.1.0/24, with the last octet the same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so we're going with the older NAT configuration format.
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16.
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • ASA5505 SOHO public ip range and nat head ache

    Hello
    Can anyone shed some light on a problem I'm having. We have set up an ASA 5505 with an ISP called Zen that allocates you a subnet of public IP addresses. I have successfully set up the ASA to access the internet using NAT on the outside interface. We would like to use the other IP addresses in the range for other services but I cannot think how I can do/configure this.
    LAN > ASA5505 > VDSL Modem > ISP
    the range they have given us is
    Number of IP addresses: 8
    IP addresses: XX.XX.XXX.40 - XX.XX.XXX.47
    Subnet mask: 255.255.255.248
    Subnet in slash notation: XX.XX.XXX.40 /29
    Network address: XX.XX.XXX.40
    XX.XX.XXX.41
    XX.XX.XXX.42
    XX.XX.XXX.43
    XX.XX.XXX.44
    XX.XX.XXX.45
    XX.XX.XXX.46 Router
    Broadcast address: XX.XX.XXX.47
    Router address: XX.XX.XXX.46
    I have set up XX.XX.XXX.46 on the outside interface and hosts inside can access the net, and NAT from the internet to internal devices all works.
    We have a VDSL modem connected to the outside interface and using PPPoE we dynamically get the XX.XX.XXX.46/32 address.
    Is there any way I can use the other spare addresses? I do see how I can use them. I have done a lot of browsing and the only way I see that other people have been able to do this is using a layer 3 device and using ip unnumbered on the external interface pointing to a loopback,
    any info or advice would be gratefully received.
    regards
    C.

    Hello
    the version is Cisco Adaptive Security Appliance Software Version 9.2(2)4
    Debugging ICMP I see pings to the .46 address; however, I see no pings/traffic received on the ASA for the other addresses. How does Zen know to route the xx.xx.xx.41 to .45 IP addresses to the firewall using the .46 address?
    The NAT rules I have are
    nat (Vlan200_Int,Outside_Dirty_Int) dynamic interface < this works for LAN access to the internet
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp www 65100
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp https 65101
    access-list Outside_Dirty_Network_access_in extended permit tcp object Click_PC object ESXi object-group DM_INLINE_TCP_7
    object-group service DM_INLINE_TCP_7 tcp
    port-object eq 902
    port-object eq www
    port-object eq https
    Thanks for the help

  • Cisco ASA 5510 Natting 2 internal ip to 1 public ip

    Hi Guys,
    I have a doubt on how to NAT 2 internal IP addresses to 1 public IP for FTP use.
    As I know, Cisco ASA cannot NAT 2 internal IPs to 1 public IP as the ASA cannot read the host header. Is there any way to control it by using an ACL or network object group?
    My current configuration for NAT of 1 internal IP to 1 public IP:
    static (firewall-dmz,firewall-outside) tcp 210.19.xx.xx 21 172.16.101.11 21 netmask 255.255.255.255 dns
    Thank you for your help.
    Cheers
    Tommy

    Yes it is possible. See if this helps. I'm not in front of my ASA right now, but I think this is the old and new way. If you are actually using the interface address, you might need to use the "interface" keyword.
    Pre 8.3
    static (inside,outside) tcp 1.1.1.1 80 192.168.1.100 8080 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.1 8080 192.168.1.101 8080 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.1 25 192.168.1.102 25 netmask 255.255.255.255
    8.3 and Later
    object network obj-192.168.1.100
      host 192.168.1.100
      nat (inside,outside) static 1.1.1.1 service tcp 8080 80
    object network obj-192.168.1.101
      host 192.168.1.101
      nat (inside,outside) static 1.1.1.1 service tcp 8080 8080
    object network obj-192.168.1.102
      host 192.168.1.102
      nat (inside,outside) static 1.1.1.1 service tcp 25 25
    If you are using the interface address--
    static (inside,outside) tcp interface 80 192.168.1.100 8080 netmask 255.255.255.255
    static (inside,outside) tcp interface 8080 192.168.1.101 8080 netmask 255.255.255.255
    static (inside,outside) tcp interface 25 192.168.1.102 25 netmask 255.255.255.255
    8.3 and Later
    object network obj-192.168.1.100
      host 192.168.1.100
      nat (inside,outside) static interface service tcp 8080 80
    object network obj-192.168.1.101
      host 192.168.1.101
      nat (inside,outside) static interface service tcp 8080 8080
    object network obj-192.168.1.102
      host 192.168.1.102
      nat (inside,outside) static interface service tcp 25 25

  • Cisco ASA and Internal Hosted Website

    I have a Cisco ASA 8.4. I have an internal website for an application that they use both internally and externally (app.domain.com/app is 10.0.0.3). The company that hosts their external website and DNS created a record that points http://app.domain.com/app to their public IP 1.2.3.4. Externally everything works great; I have port forwarding for 80 working. The problem is that when the users bring their laptops in to the office they are unable to get to the internally hosted website. I think the firewall is having an issue letting the traffic back in. If I use the internal DNS and create a zone for domain.com with an A record for app.domain.com and point it to 10.0.0.3, the internal address, it works. Of course when they try to access the external website it does not work. So if I create an A record that points to the web host's address, it kind of works... parts of the website don't come up. I really think there is something like a hairpin or U-turn that needs to be done. Oh by the way, this is my first real experience with an ASA. The Symantec Gateway they had worked great. I looked in the config and there were no hairpin or crazy rules, just the standard port forward for 80. Any ideas? I have tried several suggestions I found on the web, but none have worked.
    Thanks
    Nick

    Hi,
    The main problem with such setup (from the ASAs perspective) is usually that the NAT for the server is configured from certain source interface towards some destination interface.
    You might for example have this configuration
    object network WEB-SERVER
    host 10.0.0.3
    nat (inside,outside) static interface service 80 80
    This would enable connectivity from the behind "outside" interface towards which the translation is configured but not from behind "inside".
    I am not sure how different vendor firewalls handle this situation if you say that you only had the original Static PAT configuration towards the external interface.
    If you wanted to enable connectivity to the public IP address from your LAN you would have to make a NAT towards the "inside" interface from the "inside" interface. And that's not all. You would also have to configure Dynamic PAT for the source hosts on the LAN behind "inside". The reason for this is that the ASA needs to see the whole TCP conversation between the client/server, and since we PAT all the users to the ASA "inside" interface IP address, that makes sure that the ASA sees the whole conversation between the hosts.
    So you could try this configuration on the ASA
    object network PUBLIC-IP
    host
    object network WEB-SERVER
    host 10.0.0.3
    object network LAN
    subnet
    nat (inside,inside) 1 source dynamic LAN interface destination static PUBLIC-IP WEB-SERVER
    The above configuration would essentially look for connections coming from behind "inside" interface from the source address belonging to LAN to the destination IP address of PUBLIC-IP and proceed to UN-NAT the PUBLIC-IP to WEB-SERVER and PAT the source address to "interface" (inside interface IP address)
    You would also perhaps need to add this command
    same-security-traffic permit intra-interface
    This enables the ASA to pass traffic out through the same interface that the traffic arrived on. So basically, it does that Hairpin/U-turn.
    You can check the current configuration with the command
    show run same-security-traffic
    Do notice that there is a similar command with a different parameter at the end (inter-interface vs. intra-interface). So check that you have the correct one.
    Hope this helps
    Let me know how it goes
    - Jouni

  • Route between global and non-global zones

    Hi Folks,
    I haven't been able to find an answer to this question searching the archives, so I'll try here. My global zone gets her IP (10.153.197.n) via DHCP, and I've had to use 192.168.1.n addresses for the non global zones. Is there a simple route statement I can issue to allow communication between the global and non global zones? I'm running Solaris 10 x86 03/2005.
    Thanks very much,
    -Adam vonNieda

    If you're only interested in passing traffic between the global zone and the non-global zones, just add a virtual interface to the global zone.
    For example, in the global zone:
    ifconfig ce0:4 plumb 192.168.1.x netmask + broadcast + up
    Then you will be able to pass traffic between the global and non-global zones.
    If you're looking for the global zone to proxy traffic between the non-global zones and the rest of the network, take a look at http://balance.sf.net

  • 2 Public Interfaces and NAT

    Hello-
    We currently have NW6 running BM3.7 set up with 1 public interface and 1 private interface. Our private interface is 10.1.1.1 and we are NATing that to our public interface. We are using HTTP proxy services for all our internet browsing, the proxy being the 10.1.1.1 address. The public interface is on a state WAN link and we are using it for internet browsing, email, Citrix and other state applications. We want to offload our email, internet and Citrix traffic onto another public interface, which is provided by a different ISP. I know what I need to do to change over the email to the new IP address on the new interface. How do I set up BM to route internet traffic to the new public interface? Also how do I make sure that my Citrix traffic is routed to the new interface as well? Any help with this would be greatly appreciated.
    Thanks all in advance!

    You cannot arbitrarily send some type of traffic to one NIC, and the rest to another. The outbound traffic will follow the default route. You can have some limited control by using static routing to force traffic to certain addresses out one NIC, but that tends to be useful mostly with S2S VPN dedicated links.
    You can also enable dynamic NAT on the LAN side of one of your internet routers, and make reply traffic to inbound traffic from that link go back the way it came in.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on BorderManager, go to http://www.craigjconsulting.com ***

  • ASA Modular Policy Framework - Global vs. Interface

    I understand from the Cisco documentation that a service-policy applied to an interface on an ASA 5500 series firewall will override the default global service-policy. However, I am not clear on whether it will override the entire global service-policy, or only the parts where they overlap. In other words, would the resulting service-policy on the interface in question be just what was applied in the service-policy on the interface, completely replacing the global service-policy? Or would it be a combination of the global and interface service-policies, with the interface one taking precedence where they overlap?
    If I wanted an interface to have the same service-policy as the global service-policy plus one other item, can I just add the one item in a service-policy that I apply to the interface, or do I have to replicate all the items from the global policy, plus the one additional item, and apply that to the interface?
    Thank you.

    Hi,
    Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP normalization, then both FTP inspection and TCP normalization are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface.
    Here is a doc for detailed study:
    http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/mpf.html
    Hope this clears out your doubt.
    Thanks,
    Varun
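
    The merge behaviour described above, written out as an added ASA configuration example (not from the thread or the Cisco guide): the global policy carries FTP inspection, the "outside" interface policy adds only TCP normalization, and the "dmz" interface policy supplies its own FTP inspection, which replaces the global one for that feature on that interface only. Interface, class-map, policy-map and tcp-map names are assumed.

```text
! Global policy (assumed names): FTP inspection on every interface
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! "outside": TCP normalization only. FTP inspection is NOT listed here, so it
! still comes from the global policy; the interface policy adds, not replaces.
tcp-map normalize_outside
 exceed-mss drop
 check-retransmission
 checksum-verification
 reserved-bits clear
class-map outside_tcp
 match any
policy-map outside_policy
 class outside_tcp
  set connection advanced-options normalize_outside
service-policy outside_policy interface outside

! "dmz": its own FTP inspection (strict). For the FTP feature the interface
! policy wins, so the global "inspect ftp" is not applied on dmz; any other
! features in the global policy would still apply there.
policy-map dmz_policy
 class inspection_default
  inspect ftp strict
service-policy dmz_policy interface dmz

! Check what is actually in effect per interface before trusting the design
show service-policy interface outside
show service-policy interface dmz
```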

  • How to log strings stored in Station Globals and/or PreUUT values?

    Hi all,
    I have a Station Global that is persistent across all UUTs in a particular PC. I have also created a custom PreUUT dialog to obtain user input that applies to the upcoming UUT (I pass this user input to the UUT by storing it in a File Global). Both the Station Global and the File Global store a string.
    What is a good way to log these strings into the ATML report and SQL database?
    Currently, the best solution I can think of is:
    Create a LabVIEW VI that takes a string input and passes it straight through to the output
    Pass the Station Global (or the File Global) into the VI input
    Assign the VI output to Step.Result.ReportText
    This seems rather cumbersome though. Is there a simpler way to achieve this? (i.e. is there a built-in TestStand action that logs a variable directly into the report?)
    In case it's important, I'm using TestStand 2013 SP1 and I'm using the default report templates: tr5_horizontal.xsl for ATML, and C:\Program Files\National Instruments\TestStand 2013\Components\Models\TestStandModels\Database\SQL Server Create Generic Recordset Result Tables.sql for SQL.
    Thanks!

    JKSH,
    You can handle this with the Additional Results functionality in TestStand, which can be configured in the settings for an existing step, or as a standalone step type. We have an example of this in the TestStand Fundamental Example series here: http://www.ni.com/product-documentation/52354/en/#toc3 (Look for section 3, "Adding Custom Data to a Report")
    I hope it helps, and let us know if we can do anything else to help!
    Daniel E.
    TestStand Product Support Engineer
    National Instruments

  • Parent (Global) and Current (Navigation) on the Same Page

    Hello,
    I am using the managed metadata feature in a SharePoint 2013 publishing site. I am trying to lay out my navigation as shown in the diagram below. I cannot find a publishing master page that implements this parent-child relationship. My top navigation uses the markup:
    <PublishingNavigation:PortalSiteMapDataSource ID="topSiteMap" runat="server" EnableViewState="false" SiteMapProvider="GlobalNavigationSwitchableProvider" StartFromCurrentNode="false" StartingNodeOffset="0"
    ShowStartingNode="false" TrimNonCurrentTypes="Heading"/>
    <SharePoint:AspMenu ID="TopNavigationMenu" runat="server" EnableViewState="false" DataSourceID="topSiteMap" AccessKey="<%$Resources:wss,navigation_accesskey%>"
    UseSimpleRendering="true" UseSeparateCss="false" Orientation="Horizontal" StaticDisplayLevels="1" AdjustForShowStartingNode="true" MaximumDynamicDisplayLevels="1" SkipLinkText=""/>
    I have tried using the same markup, using a different StartingNodeOffset and SiteMapProviders, for the side menu with no success.
    Thanks,
    Bob

    Hi,
    According to your post, my understanding is that you wanted to create Parent (Global) and Current (Navigation) on the Same Page.
    You can make quicklaunch work contextually like structural nav quicklaunch using Managed Metadata navigation. Please refer to:
    Managed Metadata Navigation - How do you make quicklaunch work contextually like structural nav quicklaunch?
    In addition, you can use jQuery and CSS to achieve a static-level left navigation in SharePoint 2013.
    Here is a similar thread for your reference:
    http://social.technet.microsoft.com/forums/sharepoint/en-US/54edc501-0594-49e3-86b2-40ecf72bc68e/show-2-level-hierarchy-in-managed-navigation-menucurrent-navigation-in-sharepoint-2013
    More information:
    Overview of managed navigation in SharePoint Server 2013
    Best Regards,
    Linda Li
    TechNet Community Support

  • Internal DNS server and NAT routing issue.

    Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
    We have a Cisco router configured with one-to-one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and NAT on that subnet under a different public IP provided by our ISP.
    Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
    The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
    Thanks

    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
    The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.
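
    The single-name zone suggested in the reply, written out as an added BIND example (not from the thread, and not tested on OS X Server 10.4 by the poster): the server is authoritative only for server.company.com, so every other company.com name is still resolved through the forwarder from the ISP-hosted public zone. Addresses, file paths and the upstream resolver are assumed; recursion is limited to the LAN so the server is not exposed as an open resolver.

```text
// named.conf (excerpt) - assumed paths and addresses
options {
    directory "/var/named";
    recursion yes;
    // only loopback and the 192.168.15.x LAN may recurse through this server
    allow-recursion { 127.0.0.1; 192.168.15.0/24; };
    // anything this server is not authoritative for is sent upstream
    forwarders { 203.0.113.53; };
};

// existing internal zone for private names
zone "company.private" {
    type master;
    file "company.private.zone";
};

// one-name zone: authoritative for server.company.com only, so queries for
// www.company.com, mail.company.com, etc. are NOT answered locally
zone "server.company.com" {
    type master;
    file "server.company.com.zone";
};

; server.company.com.zone - assumed values
$TTL 3600
@   IN SOA  server.company.private. hostmaster.company.private. (
            2024010101 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL
@   IN NS   server.company.private.
@   IN A    192.168.15.10   ; private address handed to LAN clients
```

    From a LAN client, `dig @192.168.15.10 server.company.com A` should now return the private address, while `dig @192.168.15.10 www.company.com A` is answered from the public zone via the forwarder. Any name below server.company.com (for example a hypothetical ftp.server.company.com) would also have to be added to this zone file, since the server is now authoritative for that whole subtree.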

  • Apple Airport Extreme Base Station for PPPoE, DHCP and NAT with ActionTec DSL modem

    I just spent several hours trying to track down proper instructions for setting up my Apple AEBS to do the PPPoE, DHCP and NAT while connected to an ActionTec M1000 (no wireless module).  It turns out my initial set ups on both devices were correct, but that the order for rebooting and reconnecting the two devices is critical.  All of the threads I found on this forum and on many others suggested this was not possible, but it is.  What I don't yet know is whether it is the best method for running my home network DSL connection to my ISP (CenturyLink). 
    The instructions I found that worked come courtesy of Brandon Konkle's blog and are both simple and clear: http://brandon.konkle.us/post/19637529637/centurylink-actiontec-q1000-airport-extreme-bridge
    The proper settings for the ActionTec DSL Modem can be found under Advanced Setup/IP Addressing/WAN IP Address
    Click RFC 1483 Transparent Bridging then click on Apply.
    (see also http://qwest.centurylink.com/internethelp/modems/m1000/pdf/M1000_BRIDGE.pdf )
    To reduce time, do this BEFORE you reset your AEBS then set the AEBS so that you don't have to wait for the AEBS to reboot. 
    In contrast to what Brandon described for the Q1000 modem, my AEBS never reconnected to the modem (he describes his as getting an IP from his ISP, then dropping it then getting another over and over - mine never got an IP).  Once you have reset both devices as described, the critical steps I have not found described elsewhere were:
    1.  Disconnect the power from both the modem and the Airport Extreme.
    2.  Disconnect the Ethernet cable between the two devices
    3.  Restore power to the 2 devices and allow them to fully reboot.  For the ActionTec M1000, this is indicated when the lights stop blinking.  (Note that the Internet light will NOT be lit in this instance since the modem is acting only as a bridge.  You will NOT have an Internet connection until the AEBS is reconnected.)  The AEBS will be blinking yellow.
    4.  Reconnect the Ethernet cable between the devices (make sure on the M1000 that you are using the connector with the circle icon over it, not the arrow icon).
    Within about 60 seconds, the AEBS light went to steady green and the connection to the Internet was restored.
    Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything. 
    Does anyone think or know if it will make a difference?
    Message was edited by: Bud Shaw

    Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything.
    Does anyone think or know if it will make a difference?
    No one can accurately predict in advance what the actual results might be. I've tried both ways with different products and cannot say that one method is better than the other.  What works is best.
    In theory, it is preferable to have the modem provide the PPPoE connection service since it is the device connected directly to the Internet.
    In practice, results vary depending on the service provider, products used, phase of the moon, alignment of the planets, etc.

  • When creating a custom SearchPlugin, is it possible to add more code such as uppercase conversion of the SearchText and IF statements that change the URL depending on what is typed?

    When creating a custom SearchPlugin, is it possible to add more code such as uppercase conversion of the searchTerms and IF statements that change the URL depending on the searchTerms? Every time I try to add something firefox doesn't want to add it as a search plugin. I need to create a more powerful search tool for personal use.

    I've found some external software applications that will do it, so that leads me to believe it's not possible within ID CC.

  • I was using my wifi last night when I got an error message stating my ip address had been taken over.  Then safari stopped working and i can no longer access the internet. I looked at my ip address and it states 000.000.000....can someone please help?

    I was using my wifi last night when I got an error message stating my ip address had been taken over.  Then safari stopped working and i can no longer access the internet. I looked at my ip address and it states 000.000.000....can someone please help?

    Sounds like a bogus pop up. In any case power down your Mac, your modem, your router. Then power back up in 1 minute sequence; modem, router, Mac.
