ASA single outside IP address to an inbound NAT pool that round-robins requests to 2 web servers

How do I map a single outside IP address 1.2.3.4 to an inbound NAT pool that round-robins requests to 2 web servers?
I have 2 web servers, 10.0.0.1 and 10.0.0.2. They have the exact same content.
I think I start with defining the pool as an object group which contains the 2 servers 10.0.0.1 and 10.0.0.2
object-group network appservers
network-object host 10.0.0.1
network-object host 10.0.0.2
What to do next?
object-group network appservers
nat (inside,outside) static 1.2.3.4
gives me an error.

No, unfortunately you can't configure round-robin static inbound NAT for 2 internal web servers.
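For contrast, this is the form of static NAT the ASA does accept (8.3 and later object NAT syntax): one real host per static translation, with the object-group used in the access list rather than in the nat statement, which is where the original attempt errors. This is an added example, not config from the thread; the names web1, web2, outside_in, the second public address 1.2.3.5 and the client address 198.51.100.10 are assumptions, while 1.2.3.4, 10.0.0.1 and 10.0.0.2 come from the question. Spreading connections across both servers needs a load balancer (the ASA would then NAT 1.2.3.4 to the balancer's VIP) or, as here, a second public address.

```text
! Added example (not from the thread): one real host per static translation,
! ASA 8.3+ object NAT. web1/web2/outside_in and 1.2.3.5 are assumed names
! and addresses; 1.2.3.4, 10.0.0.1 and 10.0.0.2 come from the question.
object network web1
 host 10.0.0.1
 nat (inside,outside) static 1.2.3.4
object network web2
 host 10.0.0.2
 nat (inside,outside) static 1.2.3.5
!
! The object-group belongs in the access list, not in the nat statement.
object-group network appservers
 network-object object web1
 network-object object web2
!
! On 8.3+ the interface ACL matches the real (untranslated) address,
! so it references the objects, not 1.2.3.4 / 1.2.3.5.
access-list outside_in extended permit tcp any object-group appservers eq 80
access-list outside_in extended permit tcp any object-group appservers eq 443
access-group outside_in in interface outside
!
! Verification (exec mode): the two statics should be listed, and a
! simulated client hit on 1.2.3.4:80 should be allowed and translated
! to 10.0.0.1. 198.51.100.10 is a made-up external client.
show nat detail
show xlate
packet-tracer input outside tcp 198.51.100.10 40000 1.2.3.4 80
```

With both statics in place, the packet-tracer result should show the NAT phase translating 1.2.3.4 to 10.0.0.1 and the ACCESS-LIST phase matching outside_in; a second run against 1.2.3.5 should land on 10.0.0.2. Which public address a client uses is then decided by DNS or by the client, not by the ASA.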

Similar Messages

  • ASA 5505 - L2TP over IPsec - Remote Address shows outside interface address

    Using an ASA 5505 for firewall and VPN.  We've enabled L2TP over IPsec to allow Windows clients to connect without third party software.
    The devices complete the connection and authenticate fine, but then are unable to hit any internal resources.  Split tunneling seems to be working, as they can still hit outside resources.  Packet tracer shows tcp flowing freely between VPN clients (192.168.102.0/24) and internal resources (192.168.100.0/24).  Even the NAT translation looks good in packet tracer.
    I pulled up the session details for one of the VPN clients in the ASDM and under the IPsecOverNatT details, it is showing the VPN client's remote address correctly, but displays the local address as the address assigned to the outside interface (which the client is using to connect.)  This seems to be the problem, as viewing detailed connection logs shows the internal resources trying to send packets back to the outside interface rather than the VPN client's assigned internal addresses.  Details:
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: [OUTSIDE INTERFACE ADDRESS]
    local ident (addr/mask/prot/port): ([OUTSIDE INTERFACE ADDRESS]/255.255.255.255/17/1701)
    remote ident (addr/mask/prot/port): ([VPN CLIENT ADDRESS]/255.255.255.255/17/0)
    current_peer: [VPN CLIENT ADDRESS], username: vpnuser
    dynamic allocated peer ip: 192.168.102.1 [This is what I think it should be showing for local ident]
    dynamic allocated peer ip(ipv6): 0.0.0.0
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
    #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #TFC rcvd: 0, #TFC sent: 0
    #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
    #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
    #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
    #pkts invalid prot (rcv): 0, #pkts verify failed: 0
    #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
    #pkts invalid pad (rcv): 0,
    #pkts invalid ip version (rcv): 0,
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
    #pkts replay failed (rcv): 0
    #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (rcv): 0
    local crypto endpt.: [OUTSIDE INTERFACE ADDRESS]/4500, remote crypto endpt.: [VPN CLIENT ADDRESS]/8248
    path mtu 1500, ipsec overhead 82(52), media mtu 1500
    PMTU time remaining (sec): 0, DF policy: copy-df
    ICMP error validation: disabled, TFC packets: disabled
    current outbound spi: 05BFAE20
    current inbound spi : CF85B895
    inbound esp sas:
    spi: 0xCF85B895 (3481647253)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
    slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (kB/sec): (4373998/3591)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x000FFFFD
    outbound esp sas:
    spi: 0x05BFAE20 (96448032)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
    slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (kB/sec): (4373999/3591)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001
    Any ideas?  The remote clients connect but when internal resources try to send traffic to the VPN clients, the packets are directed to the outside interface address instead of the local address assigned to the VPN client.

     I have what I believe to be a similar issue. Site-to-site VPN is working well. That is, Site B can ping and send traffic to Site A, but Site A cannot. Site B is a 3rd-party VPN router. Site A is a Cisco 5505.
    It appears that when the crypto map inserts the route into the routing table, it shows the route via the IP of the outside interface and not the IP of Site B. In the crypto map I can see the proper IP address for the peer. I can't figure out why, when it inserts the route, it uses the wrong IP address.

  • ASA 5505: Outside Interface Becomes Inaccessible

    Greetings --
    I've been having occurrences of my ASA's 'outside' interface become inaccessible from the internet side.  AnyConnect users that are logged in get kicked out ... can't ping to the IP address ... can't ssh into the ASA.  Internally, I can ping the IP address and I can ssh into the ASA.
    The 'lockout' typically occurs around 1PM, 7:30PM, and 10:30PM.  To get the 'outside' interface working again, I would have to log into a host machine on the LAN (via TeamViewer) and then ssh into the ASA and reboot.
    Any ideas why the lockouts are occurring?  Is it possible my ISP is shutting down the IP?
    Below are the configs of the ASA:
    hostname psa-asa
    enable password IqUJj3NwPkd63BO9 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.1.0 Net-10
    name 192.168.1.20 dbserver
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.xxx.xxx.43 255.255.255.0
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_nat0_outbound extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list outside_1_cryptomap extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
    access-list outside_access_in extended permit ip host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.41 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 162.134.70.20
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate fecf8751
        308202da 308201c2 a0030201 020204fe cf875130 0d06092a 864886f7 0d010105
        0500302f 31153013 06035504 03130c70 61732d61 73612e6e 756c6c31 16301406
        092a8648 86f70d01 09021607 7061732d 61736130 1e170d31 33303530 36323134
        3131365a 170d3233 30353034 32313431 31365a30 2f311530 13060355 0403130c
        7061732d 6173612e 6e756c6c 31163014 06092a86 4886f70d 01090216 07706173
        2d617361 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
        02820101 00dc6f5c 584be603 1219ad4a 43085a97 b8fd7e33 c887933d 1b46dbca
        deada1da 7689ab5e 9b6fa20b d6f7e5e3 049285e7 65778c15 a9447e1e 8ba749cb
        61e0e985 9a90c09f b4c28af0 c6b5263c d2c13107 cce6c207 62f17cbe 99d9d5c2
        86870084 25c035e4 ea9ab8ae 8b664464 40305c4d e40dd774 506f6c0a 6f4ca4d1
        0c81d2dd bcdc8393 3f4fbcba 1b477d45 502063b8 af862bdf 50499615 7b9dac1b
        67252db8 1473feec c39d9c32 9d9f3564 74fdf1bd 71ca9310 e5ad6cba 999ae711
        c381347c a6508759 eb405cc0 a4adbe94 fb8204a2 382fad46 bc0fc43d 35df1b83
        6379a040 90469661 63868410 e16bf23b 05b724a3 edbd13e1 caa49238 ee6d1024
        a32a1003 af020301 0001300d 06092a86 4886f70d 01010505 00038201 010084b1
        62698729 c96aeec0 4e65cace 395b9053 62909905 e6f2e325 df31fbeb 8d767c74
        434c5fde 6b76779f 278270e0 10905abc a8f1e78e f2ad2cd9 6980f0be 56acfe53
        f1d715b9 89da338b f5ac9726 34520055 2de50629 55d1fcc5 f59c1271 ad14cd7e
        14adc454 f9072744 bf66ffb5 20c04069 375b858c 723999f8 5cc2ae38 4bb4013a
        2bdf51b3 1a36b7e6 2ffa3bb7 025527e1 e12cb2b2 f4fc624a 143ff416 d31135ff
        6c57d226 7d5330c4 c2fa6d3f a1472abc a6bd4d4c be7380b8 6214caa5 78d53ef0
        f08b2946 be8e04d7 9d15ef96 2e511fc5 33987858 804c402b 46a7b473 429a1936
        681a0caa b189d4f8 6cfe6332 8fc428df f07a21f8 acdb8594 0f57ffd4 376d
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PSA-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    username user1 password ks88YmM0AaUUmhfU encrypted privilege 0
    username user1 attributes
    vpn-group-policy SSLClientPolicy
    service-type remote-access
    username user2 password 1w1.F5oqiDOWdcll encrypted privilege 0
    username user2 attributes
    vpn-group-policy SSLClientPolicy
    service-type remote-access
    username user3 password lQ8frBN8p.5fQvth encrypted privilege 15
    username user4 password w4USQXpU8Wj/RFt8 encrypted privilege 15
    username user4 attributes
    vpn-group-policy SSLClientPolicy
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    service-type admin
    username user5 password PElMTjYTU7c1sXWr encrypted privilege 0
    username user5 attributes
    vpn-group-policy SSLClientPolicy
    service-type remote-access
    username user6 password /zt/9z7XUifQbEsA encrypted privilege 0
    username user6 attributes
    vpn-group-policy SSLClientPolicy
    service-type remote-access
    username user7 password aEGh.k89043.2NUa encrypted privilege 0
    username user7 attributes
    vpn-group-policy SSLClientPolicy
    service-type remote-access
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PSA-SSL-VPN type remote-access
    tunnel-group PSA-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PSA-SSL-VPN webvpn-attributes
    group-alias PSA_VPN enable
    group-url https://xxx.xxx.xxx.43/PSA_VPN enable
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:2298b0ae64f8ff7a5e25d97fe3f02841

    Hi,
    I guess if you want to temporarily set up software to receive the logs on some computer you could even use Tftpd (you will find it easily through a Google search). The same software can be used for multiple different purposes.
    I sometimes use it personally when testing different stuff on my home ASA.
    It naturally isn't a real option if you actually set up a separate Syslog server.
    You wouldn't really need to add much to your logging configuration:
    logging device-id hostname
    logging trap informational
    logging host <interface> <server-ip>
    Where <interface> is the name of the interface behind which the server is and <server-ip> is naturally the IP address of the server.
    Though the above would generate a lot of logging.
    I am not even 100% sure it would log anything when you are facing the problem.
    Best would be to also troubleshoot while the problem is there.
    Can you confirm that you use the Internet connection through the ASA when you are accessing the internal host behind the ASA? I assume that the host connects from the LAN to the Internet which enables you to have a remote connection to the host?
    If this is so it makes it a weird problem, as the ASA and your ISP can clearly pass traffic to and from your network since that remote connection is working even if there are other problems.
    - Jouni

  • ASA Class C IP addressing, routing subnet design issue, brainstorming, comments welcome!

    I am carving up an internet Class C for customer. This class C is used by 3 distinct QA, Corporate and Production firewalls. I want to carve up IP space so there is a /26 for each environment. The issue I have is the firewalls may need communication with each other via the public IP space. Currently I don’t have any L3 switches in between the firewalls and the edge internet router. So with subnetting, it would seem I need to push everything through the internet router for the intra-firewall communication.
    I would rather not push this traffic through the edge router, so I came up with an idea to allocate all firewall outside interface IP’s in the 4th (last remaining) /26. That way, I can allow firewalls to communicate over the primary interface IP’s, which will all be in the same subnet – without going through a routing “engine”/device.
    For the actual environment subnets (NAT's on respective firewalls), I create a static route on the edge router pointing to each of the firewall’s primary IP’s for the respective environment routes (the first 3 - /26’s).
    This is still a beta design, but I have done this before on small scale when ISP gave me 2 subnets for example, assuming I was going to put a router in between the customer firewall and ISP. I would use the “routed subnet” on the ASA interface, and then pull the NAT’s from the other subnet. The ISP would have to add a static route directing the NAT subnet to the “routed subnet” correct IP - which would be the firewall outside interface primary IP.
    I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet. This means the ISP/router will have to assign static ARP entries on the edge router. This can get messy after the first few NAT entries. So I am debating the design now. I think this kind of stuff going forward won’t be worthwhile with newer ASA 8.4.3 code.
    Any ideas on how to communicate between different ASA’s, while still carving up the Class C into usable smaller subnets? The primary reason for doing this in the first place is to support routing on the edge router. I am thinking it might be time to ask for another Class C to do the routing functions, and keep the firewalls all at Layer 2 in one /24 - Class C?

    I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet.      
    That is a surprise especially as using a different subnet than the one used to connect the ASA to the router for NAT is quite a common setup.
    Anyway as we are brainstorming here are a couple of options that spring to mind. Please feel free to shoot them down
    For both solutions you still have 4 x /26, the first 3 for each firewall to use as NAT and then the last /26 for the firewall interfaces + the ISP internal interface.
    Option 1 
    ======
    when you allocate the IP to the firewall outside interfaces and the ISP internal interface they come out of the last /26 range but you use a /24 subnet mask.  The router will arp out for all addresses within the /24 subnet but the firewalls should only answer via proxy arp for any statically mapped NAT entries that they have. They will answer because the /26 they use for NAT are within the range of their outside interface IP because that is using a /24.
    Obviously because the interfaces are in the same /24 range they will be able to talk to each other without bouncing off the router.
    Option 2
    =======
    pretty much the same as option 1 except the ISP router uses a /26 subnet and has routes for each /26 NAT subnet pointing to the relevant firewall. This way you don't have as many ARPs being sent by the ISP router. The firewalls still have to use a /24 mask to enable them to talk with each other. And the firewalls and router still need to have IPs from the last /26.
    Both would need testing and I may have missed something but I would have thought both would work.
    Jon
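    A concrete form of Jon's Option 1 on one of the three firewalls, added here as an example rather than taken from the thread. The Class C is assumed to be 203.0.113.0/24 (a documentation range standing in for the customer's real block), carved into the four /26s the thread describes; the interface, object and ACL names, the 10.10.0.0/24 inside range and the client address 198.51.100.5 are also assumptions.

```text
! Added example, not from the thread. Assumed carve-up of 203.0.113.0/24:
!   203.0.113.0/26    QA NAT block (this firewall)
!   203.0.113.64/26   Corporate NAT block
!   203.0.113.128/26  Production NAT block
!   203.0.113.192/26  firewall outside interfaces and the ISP router (.193)
!
! Outside address taken from the last /26, but configured with the /24 mask
! so that this firewall's QA NAT block sits inside the interface subnet.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.200 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.193 1
!
! Mapped addresses are drawn from this firewall's own /26 only. The other
! two firewalls share the same /24 on their outside interfaces, so a static
! from this block on one of them would make two devices answer ARP for the
! same address.
object network qa_web
 host 10.10.0.10
 nat (inside,outside) static 203.0.113.10
!
access-list outside_in extended permit tcp any object qa_web eq 80
access-group outside_in in interface outside
!
! Proxy ARP on the outside interface is what makes the static reachable;
! "sysopt noproxyarp outside" must stay out of the configuration.
!
! Test, as Jon suggests: from the ASA confirm the translation and simulate an
! inbound hit; from the router confirm that 203.0.113.10 resolves to this
! firewall's outside MAC. 198.51.100.5 is a made-up external client.
show nat detail
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80
```

    The same pattern is repeated on the Corporate and Production firewalls with their own /26 for mapped addresses and their own outside address from 203.0.113.192/26. For Option 2 the only change is on the ISP router side (a /26 mask plus a static route per NAT block pointing at the owning firewall's outside address); the ASA side stays as above.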

  • How to stop multiple auto-switching to address bar every time I open a new tab and try to type something anywhere outside of address bar?

    How to stop multiple auto-switching to the address bar every time I open a new tab and try to type something anywhere outside of the address bar? Like something just wants me to use that embedded search when you type something that is not a web address in the address bar and hit enter. And the most ridiculous thing is that it happens repeatedly, like every second: I just move down from the address bar and start typing again, but then again it switches me to the address bar, and 3, 4 times like that. And the result is also that I can't see the address of that page.
    I think it has something to do with my AVG antivirus, because this started the same time some AVG Nation started to appear in every new tab I open (and that's also irritating me; I read about it here on support.mozilla.org and it seems that the only solution is to completely reinstall Firefox, but I don't want to lose all my settings) but when I type something in the address bar and hit enter it opens the search results in Google.
    Please try to help me, I like Firefox but I must switch to Chrome until I fix this problem.
    Thanks in advance

    First, please update to Firefox 32. 22 is no longer supported, nor is it secure. Then let us know if you still have this problem. [[Update Firefox to the latest version]]

  • I have an Apple ID with a single  e mail address. I want to set multiple addresses in the same ID. Can I? If so how?

    I have an Apple ID with a single  e mail address. I want to set multiple addresses in the same ID. Can I? If so how?

    Howdy there johnzcarp,
    As I understand it you want to have more than 1 email address under your Apple ID. You can have what are called Alternate Email addresses associated with your Apple ID and this article will help you get those setup:
    Manage your Apple ID primary, rescue, alternate, and notification email addresses
    Alternate email address
    You can add one or more alternate email addresses for use with Apple services such as Game Center, FaceTime, Find My Friends, iMessage, and OS X notifications.
    Go to My Apple ID (appleid.apple.com).
    Select “Manage your Apple ID” and sign in.
    Add an alternate address:
    Select Add Email Address, then enter your alternate address. Apple will send a verification email to that address. Didn't receive the email?
    Follow the instructions in the email to verify the address.
    Edit an alternate address:
    Select Edit next to the address, then enter the new address. Apple will send a verification email to that address. Didn't receive the email?
    Follow the instructions in the email to verify the address.
    Delete an alternate address: Select Delete next to the address.
    Thank you for using Apple Support Communities.
    Take care,
    Sterling

  • HT2534 Can you have multiple ITunes accounts under a single e-mail address (i.e. separate accounts for my children and myself?)?

    Can you have multiple ITunes accounts assigned to a single e-mail address?  i.e. different Apple ID's for my kids and myself, but all assigned to my e-mail address.

    No. Each account must have a unique email address.

  • HT1918 US credit card with outside US address in US iTunes store?

    I have used a U.S. credit card in the U.S. iTunes Store for 2 years.
    I moved to Taiwan this September. I also changed my Citibank billing address to Taiwan.
    Unfortunately....the iTunes Store asked me to update my billing address.
    But in the payment information form, I can't change my address to Taiwan.
    If I change my country to Taiwan, the iTunes Store asks me to create a new Apple ID! 
    How do I use this credit card in the U.S. iTunes Store?
    Thank you so much!

    Sorry, but you can't. Not only are you not allowed to use the US iTunes Store from outside the US - the terms of use state that you agree not to even attempt it - but to use the US iTunes Store a credit card must be both issued by a US bank and have a US billing address.
    The only iTunes Store you can use now is the Taiwanese one, for which you will need a Taiwan-issued payment method.
    Regards.

  • How print address in Single line in Address window in Smartform

    Hi All,
    How do I print an address on a single line in the Address window in a Smartform?
    Thanks in advance.
    Message was edited by: Vipin Nagpal

    Hi Vipin,
    if you are defining the variables for the address manually,
    then you can define all the fields in a single line in the edit mode of the address window; you will get the address in a single line only.
    if you are using the standard format,
    modify the address format by using the user exit:
    "EXIT_SAPLSADR_001"
    Check OSS Note: 454987
    or at the least you can use the address window setting to change the format and lines.
    May be this will help you.
    Regards,
    Naveen

  • I want the reload button to appear outside the address bar (on the left, next to the back and forward buttons), not at the extreme end of the address bar. How can I do this?

    I want to re-position the reload button to appear outside the address bar (on the left, next to the back and forward buttons), not where it is at the moment, which is at the extreme end of the address bar and is a real hassle to use. How can I do this?

    To move the Stop and Reload buttons to their position to the left of the location bar you can use these steps:
    * Open the Customize window via "View > Toolbars > Customize"
    * Drag the Reload and Stop buttons to their previous position to the left of the location bar.
    * Set the order to "Reload - Stop" to get a combined "Reload/Stop" button.
    * Set the order to "Stop - Reload" or separate them otherwise (Space or Separator) to get two distinct buttons.

  • Can't connect to a single external IP address

    I'm having the same problem as this other person is having,
    http://discussions.apple.com/thread.jspa?messageID=7072594
    Basically, I've tried everything and I can't connect to this one IP Address: 206.212.255.34
    I take the router out of the equation and I can connect just fine, connecting directly through my cable modem.
    I know it's not a DNS issue as DNS is not even being used, it's a direct connection to the IP address.
    In the thread above, that person couldn't connect to twitter.com and it was blocked for no apparent reason.
    I can't connect to this IP address for no apparent reason.
    Things I've tried:
    resetting the router completely
    changing the DHCP -> manual and setting the IP and using 255.255.255.0 as a subnet mask
    changing the IPv6 to both alternate modes (it's presently set to link-only)
    setting a DMZ for my IP address
    setting a static IP address for my computer
    and I've tried just about everything I can think of, those are just some specifics.
    Anyone else having a similar or same issue?

    I'm not talking about anything incoming, I'm talking about external.
    My home computer -> external network across the Internet
    I know how to use port mapping and DMZ and all that, I know networking.
    I've been trying to debug this for about 3 weeks now and I can't find a single solution.
    It's only going OUT to that IP address that I can't connect, going through the airport extreme.
    Outbound withOUT using the router, it works just fine.
    I appreciate any light you can shed on why my airport extreme is blocking my access to this single IP address, it's quite frustrating.
    Thank you

  • WLC - How to block a single client MAC address?

    Hi Sir,
    On a WLC (software version 4.1.185.0), how to block a single client MAC address?
    I thought of using the SECURITY -> Disabled Clients. Is it right?
    There are currently 250 users connected to the WLC. MAC Filtering is not a scalable solution because as I understand it, we have to specify all the legitimate MAC addresses in the local database.
    Thank you.
    B.Rgds,
    Lim TS

    Hi Lim,
    As you have discovered, the MAC filtering on the WLC is an Allow (based on MAC address) rather than what you need, which is a Deny (based on MAC address). I have not tried this feature but I think you are on the right track in using the Exclusion List (Blacklist) feature. Have a look:
    Use SECURITY > AAA > Disabled Client then click New or MONITOR > Clients then click Disable to navigate to this page.
    This page allows you to manually Exclusion List (blacklist) a client by MAC address.
    Add the MAC Address and an optional Client Description for the client to be disabled.
    Note: When you enter a client MAC address to be disabled, the Operating System checks that the MAC address is not one of the known Local Net clients (Local Net Users), Authorized clients (MAC Filtering), or Local Management users (Local Management Users) MAC addresses. If the entered MAC address is on one of these three lists, the Operating System does not allow the MAC address to be manually disabled.
    Hope this helps! Let us know.
    Rob

  • ASA 5505 (8.3+): Problems getting internal server NAT'd properly

    I have an internal VOIP voicemail/presence server I want accessible from outside my internal network. Connecting internally works great, but when a user tries connecting from outside, there's no availability. When I try to use NAT, the voicemail-to-email service can't reach our cloud email service.
    We have a /28 public IP address range. The ASA is our external device, the WAN side is .220, with our ISP's gateway set at .222. I've tried NATting the server to a .217 address, but that's when things go wrong.
    With the current config, our VM-to-email works. Here's some snippets of my config:
    ASA Version 9.0(3) 
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.200.1 255.255.255.0 
    interface Vlan2
     nameif outside
     security-level 0
     ip address xxx.xxx.xxx.220 255.255.255.248 
    object network OUTSIDE
     host xxx.xxx.xxx.220
    object network INSIDE
     subnet 192.168.200.0 255.255.255.0
    object network VMSERVER
     host 192.168.200.59
    object network VMSERVER_PUBLIC
     host xxx.xxx.xxx.217
    object service VMSERVER_Bitmessage
     service tcp source eq 8444 destination eq 8444 
     description Bitmessage
    object service VMSERVER_XMPP_client
     service tcp source eq 5222 destination eq 5222 
     description Extensible Messaging and Presence Protocol (client)
    object service VMSERVER_XMPP_server
     service tcp source eq 5269 destination eq 5269 
     description Extensible Messaging and Presence Protocol (server)
    object service VMSERVER_HTTP
     service tcp source eq 8080 destination eq 8080 
    object-group service VMSERVER
     service-object object VMSERVER_Bitmessage 
     service-object tcp-udp destination eq 5222 
     service-object tcp-udp destination eq 5269 
     service-object object VMSERVER_HTTP
    access-list INBOUND extended permit object-group VMSERVER any4 object VMSERVER 
    no arp permit-nonconnected
    nat (inside,outside) source static VMSERVER VMSERVER destination static OUTSIDE OUTSIDE service VMSERVER_XMPP_client VMSERVER_XMPP_client no-proxy-arp
    nat (inside,outside) source static VMSERVER VMSERVER destination static OUTSIDE OUTSIDE service VMSERVER_XMPP_server VMSERVER_XMPP_server no-proxy-arp
    nat (inside,outside) source static VMSERVER VMSERVER destination static OUTSIDE OUTSIDE service VMSERVER_Bitmessage VMSERVER_Bitmessage no-proxy-arp
    nat (inside,outside) source static VMSERVER VMSERVER destination static OUTSIDE OUTSIDE service VMSERVER_HTTP VMSERVER_HTTP no-proxy-arp
    object network INSIDE
     nat (inside,outside) dynamic interface
    access-group INBOUND in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.222 1
    It seems to me that it's a NAT issue, but I could be wrong. If I try adding a static route for the public address for the server, the VM-to-email stops working. And, the presence server still doesn't work externally.
    Any help is appreciated,
    LaneR

    Packet tracer output to mapped (public) address:
    ASA# packet-tracer input outside tcp 1.1.1.1 8080 xxx.xxx.xxx.217 8080 detailed
    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    object network VMSERVER
     nat (inside,outside) static xxx.xxx.xxx.217
    Additional Information:
    NAT divert to egress interface inside
    Untranslate xxx.xxx.xxx.217/8080 to 192.168.100.59/8080
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group INBOUND in interface outside
    access-list INBOUND extended permit tcp any any eq 8080
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xcd332f78, priority=13, domain=permit, deny=false
            hits=1, user_data=0xc922afc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=8080, tag=0 dscp=0x0
            input_ifc=outside, output_ifc=any
    Phase: 4
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xc7668a30, priority=1, domain=nat-per-session, deny=true
            hits=1294404, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
            input_ifc=any, output_ifc=any
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xcb250c18, priority=0, domain=inspect-ip-options, deny=true
            hits=837081, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
            input_ifc=outside, output_ifc=any
    Phase: 6
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xcbbc8378, priority=13, domain=ipsec-tunnel-flow, deny=true
            hits=697, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
            input_ifc=outside, output_ifc=any
    Phase: 7
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    object network VMSERVER
     nat (inside,outside) static xxx.xxx.xxx.217
    Additional Information:
     Forward Flow based lookup yields rule:
     out id=0xcd333dc0, priority=6, domain=nat-reverse, deny=false
            hits=3, user_data=0xcaaa0950, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=192.168.100.59, mask=255.255.255.255, port=0, tag=0 dscp=0x0
            input_ifc=outside, output_ifc=inside
    Phase: 8
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     in  id=0xc7668a30, priority=1, domain=nat-per-session, deny=true
            hits=1294406, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
            input_ifc=any, output_ifc=any
    Phase: 9
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     in  id=0xcb227388, priority=0, domain=inspect-ip-options, deny=true
            hits=858219, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
            input_ifc=inside, output_ifc=any
    Phase: 10
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 856605, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Module information for reverse flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: allow
    Actually using a browser and port 8080, no access...

  • Inside to outside many to 1 hide mode nat

    Hello
    I'm new to ASA configurations and need some help with a configuration on a 5555-X running 8.6 code. I need to allow multiple network IP ranges from my inside network to multiple subnets on the outside so that the outside systems only see incoming traffic from one IP address, and it cannot be the IP address of the outside interface. I was able to do this with a zone-based firewall and IOS NAT statements but am having difficulty doing the same thing in the ASA OS.

    Hi ,
    It is pretty simple and straightforward; for your requirement you need to use:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html#wp1114283
    Information About Dynamic PAT
    Dynamic PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic that uses the lower port ranges, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers.
    Each connection requires a separate translation session because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
    Figure 27-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned.
    Figure 27-10 Dynamic PAT
    After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access rule).
    NAT understanding
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
    Let me know if you need any help on this. You can do PAT with an extra IP address which is available on the outside interface; you need to have appropriate routing for the extra IP address.
    HTH
    sandy.
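The port-selection rule quoted from the Cisco guide above, modelled in Python as an added illustration (not Cisco code and not part of this thread): a real source port is kept when it is free, otherwise a mapped port is taken from the same tier (0-511, 512-1023, 1024-65535), or from one flat range when that option is used. The mapped address 203.0.113.10, the upward scan within a tier, and the flat range being 1024-65535 are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# The three port tiers named in the quoted Cisco text.
TIERS = ((0, 511), (512, 1023), (1024, 65535))
FLAT_RANGE = (1024, 65535)   # assumption: the "flat range" option modelled as 1024-65535


class PatPoolExhausted(Exception):
    """No free mapped port is left in the tier the real port belongs to."""


def tier_of(port: int) -> Tuple[int, int]:
    for lo, hi in TIERS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"invalid port {port}")


@dataclass
class PatTable:
    mapped_ip: str
    flat: bool = False                                   # one flat range instead of three tiers
    in_use: Set[int] = field(default_factory=set)        # mapped ports currently allocated
    xlate: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (real ip, real port) -> mapped

    def translate(self, real_ip: str, real_port: int) -> Tuple[str, int]:
        key = (real_ip, real_port)
        if key in self.xlate:                            # same real socket: same translation
            return self.mapped_ip, self.xlate[key]
        if real_port not in self.in_use:                 # preferred: keep the real source port
            chosen = real_port
        else:
            lo, hi = FLAT_RANGE if self.flat else tier_of(real_port)
            size = hi - lo + 1
            # Assumption (for determinism): scan the tier upward from the real port, wrapping.
            start = real_port - lo if lo <= real_port <= hi else 0
            chosen = None
            for off in range(size):
                candidate = lo + (start + off) % size
                if candidate not in self.in_use:
                    chosen = candidate
                    break
            if chosen is None:
                raise PatPoolExhausted(f"tier {lo}-{hi} on {self.mapped_ip} is full")
        self.in_use.add(chosen)
        self.xlate[key] = chosen
        return self.mapped_ip, chosen

    def release(self, real_ip: str, real_port: int) -> None:
        """Session expired (the 30 s idle timer in the text): free the mapped port."""
        mapped = self.xlate.pop((real_ip, real_port))
        self.in_use.discard(mapped)


def ike_clients_translated(n: int, flat: bool = False) -> int:
    """Constructed scenario: n inside hosts all send IKE from UDP 500 through one mapped
    address.  Returns how many get a mapped port before the 0-511 tier runs dry."""
    table = PatTable("203.0.113.10", flat=flat)           # constructed mapped address
    done = 0
    for i in range(n):
        try:
            table.translate(f"10.0.{i // 256}.{i % 256}", 500)
            done += 1
        except PatPoolExhausted:
            break
    return done
```

With the tiered rule only 512 such hosts fit behind one mapped address, which is the "small PAT pool" the quoted text warns about for ports below 1024; the flat option removes that ceiling.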

  • ASA 5510, 8.4(4)1 totally confused NAT

    I'll try to keep this simple. I've spent about 18 hours researching, searching and experimenting, and that's an honest figure, I kept track of my time so far.
    I need to run an inside server on our inside network but have the outside be able to reach it via 3 specific ports and protocols.
    I had HOPED to use objects and groups to accomplish this and not have to redefine this server or host 3 times and run 3 or more NAT statements as that totally defeats the concept and purpose of objects, doesn't it? But the NAT statement seems to refuse to deal with GROUPS. I can put a single SERVICE, or a single port in the NAT, but I can't get a single NAT line under a single object - this server, to take multiple ports that are not a range.
    Here's the need - I'll define each thing first to keep it simple and straight (at least in my head):
    Interface that faces or sits on the dirty Internet is named "WAN" (why I do not know but it is and it's too complex to change it now)
    WAN, the outside interface, has an IP address of 1.1.1.66
    Our provider has given us 16 public hosts or addresses we can use.
    (1.1.1.67 is on the failover ASA for this same interface.)
    My server on the inside LAN is 10.10.10.70
    I need to use a DIFFERENT address as I need to keep it apart from the 1.1.1.66 and 1.1.1.67 used on the 5510 pair WAN interface.
    I want to use a specific Internet address of 1.1.1.68 for outside to access the server sitting on 10.10.10.70 on the inside.
    BUT, I want access for UDP 500, UDP 4500 and ESP only, nothing else.
    The idea is this - something on the outside, meaning on the Internet, needs my server on the inside so hits the WAN interface at this IP address of 1.1.1.68 UDP port 500 or 4500 or ESP to get to my server on the LAN inside.
    The ASA has to notice traffic on UDP 500, 4500 and ESP aimed at 1.1.1.68  and translate it to the SAME ports on 10.10.10.70.
    So I need a NAT that will say traffic hitting 1.1.1.68 UDP 500 or UDP 4500 or ESP should be forwarded to 10.10.10.70 UDP 500, or UDP 4500 or ESP.
    The server needs to respond back of course!
    So very simple it's done all the time. "port forwarding" and a static NAT - that server always would be found at 1.1.1.68 if you were outside looking in and it would also always go out as that address. but inside we know it as 10.10.10.70
    I can seem to get NAT to take if I use a single service or define a single service, but when I create a service group that has UDP 500, UDP 4500 and ESP in it, it won't recognize any group - it pukes if I say any word except SERVICE in the NAT statement.
    This is one way I've tried, but then 8.3 and later don't seem to like this and the word "source" is killing me and I can't find reference to it anywhere.
    object service VPN-4500
     service udp destination eq 4500
    object service VPN-500
     service udp destination eq isakmp
    object-group service mygroup
     service-object object VPN-4500
     service-object object VPN-500
    (I also now have ESP in there but that's of no consequence as it won't even work with just these two)
    object network servernetworkobject
     host 10.10.10.70
     description my server
    object network vpn-out
     host 1.1.1.68
     description second IP address to use when aiming at my server
    nat (inside,WAN) source static servernetworkobject WANsecondIP service mygroup mygroup
    where servernetworkobject is the name I've defined for the network object in the ASA and WANsecondIP is the address I want to use defined as a network object and mygroup is the group I created that contains the 3 services or ports.
    Those aren't real names or addresses so it's not really that corny in the configuration, I just cleaned it up for public use.
    ALL examples I find on the web, including Cisco sites, look a lot like this, but then I also see it must be defined with the network object itself and that's different than the samples on the Cisco sites! I'm SO confused.... Object should simplify this in spades, instead it's making it a lot harder and making the configuration a whole lot bigger and more clumsy.

    Well, you nailed it again. I did find a little feature in the ASDM that is called "public server". It appeared to be similar to what I wanted to do.
    I followed what you advised there, but experimented in the ASDM as well and found that it matched what I was doing manually, including being able to use the port group I'd created.
    Odd that it's done there and not in NAT as I'd prefer to not translate ALL ports and protocols but ONLY those directly related to my project as in my mind if the others aren't even translated at all, then if the access list is bad or off or somehow removed or modified, no big deal as the NAT or PAT would not translate those other ports so nothing could get to the server anyway, it wouldn't know where to find it!
    So to me, doing this ALL through NAT is far more secure, safer. If it can't find the server, it can't touch the server.  This method of doing it is more like putting the server on display but locking the windows. You can see it, you can get translated to and from it, but we'll not let you touch it. Look, but don't touch. I'd rather say "ha ha ha - you can't even see it! You don't even know it exists!
    And this is even MORE odd because if it was a SINGLE protocol or port, say it was a WEB server, I could NAT the address and tell it port 80 to port 80 and pretty much be done. But since it's more than 1 port, because it's 2 ports, I can't do it in NAT. Well, I could by defining TWO objects, I could call it "server1 ip x.x.x.x port 80 port 80" and then define a second object "server2 ip x.x.x.x port 443 port 443" for example.
    And I can define both objects just like that, sort of, and I can NAT each address/port to the SAME object, but I can't do it with a single object and single NAT. I could if it was a PORT RANGE, making this even more odd that Cisco won't allow 2 ports.
    So I can create 2 objects, point BOTH objects to the exact same IP address or server, then NAT the same addresses, but a different port using 2 NAT, or I can NAT using a range like 80-443 for example and be done with it in a single object, single NAT. But since the two ports aren't contiguous, I can't do it at one NAT even with an object group.
    And that's what threw me - there is absolutely no logic in that! There's no logic in allowing me to define multiple ports using a range, allowing me to create and define two objects, both of which point to the same IP/server and do it that way, and I can create an object group with multiple ports, but the NAT won't use the group. That's rather bizarre to me.
    So I have the second outside IP address defined as an object, and I have the server NIC address defined as an object,
    I have the ports each defined, and then a group defined using the port objects,
    Later there is an access list like this that will use the ports group:
    access-list WAN_access extended permit object-group vpn-ports any object vpn_gateway
    Then below that, there is:
    object network vpn_gateway
     nat (inside,WAN) static vpn-out
    access-group WAN_access in interface WAN
    This is how the ASDM put it, not in the same order as you had it, and not how I was putting things manually but the way things are ordered in the configuration is still a mystery to me with all the this before that and so on.
    I think what helped to confuse me was all of the other posts and articles on the web speaking to this same sort of topic - and the fact that a lot of them had the versions mixed up. I'd read a question where someone had 8.3 or later, but a response would come back which I later discovered wasn't for that version but was for 8.2 for example. Then I'd read posts about doing this exact same thing in 8.2 and someone would pop in and toss a totally different code into the mix which I later discovered was part for 8.2 and part for 8.3 and wouldn't work at all because of the mixing. So bottom line, too much of what's out there on this exact topic is not correct, or not TOTALLY correct, because people are failing to READ what the original question posted had as the VERSION. Amazing how folks coming in to help fail to catch the VERSION the person with the question is running and they continue on as if the world is using the same version they are. (I see that on our car forum daily - no one bothered to read that it was a 6 cylinder and not a V8 so they go on as if they have it covered....wrong engine folks ;-) )
    Thanks - it isn't kicking errors, I've not had a chance to TEST yet, but it does seem to make sense now and your response makes sense compared to what I know now.
    (Now to figure out how to add a second subnet to the existing server for internal use without confusing things!)
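The evaluation order visible in the 8.3+ packet-tracer output earlier on this page (Phase 1 UN-NAT, then the interface ACL matched on the real address, the use_real_addr flag) and this thread's comparison of per-service NAT against whole-host object NAT plus an ACL can both be shown in one small Python model. This is an added illustration, not Cisco code and not from either thread; 1.1.1.68 and 10.10.10.70 are this thread's own placeholders, and the probe list, the rule ordering and the ESP-as-port-0 encoding are simplifying assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Service = Tuple[str, int]   # (protocol, port); ESP carries no port, modelled here as ("esp", 0)


@dataclass(frozen=True)
class StaticNat:
    mapped_ip: str
    real_ip: str
    services: Optional[FrozenSet[Service]] = None   # None: whole host (object NAT); set: per-service


@dataclass(frozen=True)
class Ace:
    dst_real_ip: str                                # 8.3+: the ACE names the REAL (inside) address
    services: Optional[FrozenSet[Service]] = None   # None: "permit ip any host <real>"


def un_nat(nat_rules: List[StaticNat], svc: Service, dst_ip: str) -> Optional[str]:
    """Phase 1 (UN-NAT): first static rule whose mapped side matches this destination."""
    for rule in nat_rules:
        if rule.mapped_ip == dst_ip and (rule.services is None or svc in rule.services):
            return rule.real_ip
    return None


def acl_permits(acl: List[Ace], svc: Service, real_dst: str) -> bool:
    """Phase 3 (ACCESS-LIST): evaluated on the untranslated destination; implicit deny."""
    return any(a.dst_real_ip == real_dst and (a.services is None or svc in a.services)
               for a in acl)


def trace(nat_rules: List[StaticNat], acl: List[Ace], svc: Service, dst_ip: str) -> str:
    real = un_nat(nat_rules, svc, dst_ip)
    if real is None:
        return "drop:no-xlate"   # nothing maps this public IP/service to an inside host
    if not acl_permits(acl, svc, real):
        return "drop:acl"        # translated, but the interface ACL does not permit it
    return f"allow:{real}"


# Constructed scenario from this thread: 1.1.1.68 fronts 10.10.10.70 for IPsec only.
SERVER, PUBLIC = "10.10.10.70", "1.1.1.68"
VPN: FrozenSet[Service] = frozenset({("udp", 500), ("udp", 4500), ("esp", 0)})

PER_SERVICE_NAT = [StaticNat(PUBLIC, SERVER, VPN)]   # translate only the three VPN services
WHOLE_HOST_NAT = [StaticNat(PUBLIC, SERVER)]         # object NAT: every port is translated
TIGHT_ACL = [Ace(SERVER, VPN)]                       # permit object-group vpn-ports any object vpn_gateway
PERMIT_ANY_ACL = [Ace(SERVER)]                       # a too-broad ACE, the failure mode the poster fears
MAPPED_ADDR_ACL = [Ace(PUBLIC, VPN)]                 # pre-8.3 habit: ACE written on the mapped address


def exposure(nat_rules: List[StaticNat], acl: List[Ace]) -> List[Service]:
    """Which of a few sample services would reach the real server under a given config."""
    probes = [("udp", 500), ("udp", 4500), ("esp", 0), ("tcp", 22), ("tcp", 3389)]
    return [s for s in probes if trace(nat_rules, acl, s, PUBLIC).startswith("allow")]
```

The model reproduces both points made in the threads: an ACE written on the mapped address never matches in 8.3+, and with whole-host object NAT the ACL is the only thing standing between the public address and every port on the server.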
