ASA5510 NAT configuration question

Similar Messages

• NAT -LAST Question

  Dear All,
  i have the following question regarding the NAT Configuration.
  as Every One Knows we have in NAT Terminology the following Terms :-
  1- Inside Local Address, which is Private Network or which is MY LAN IP Address .
  2- Inside Global Address, which is the legitimate IP Address assigned by the NIC Or the ISP Provider, which is the Real IP Address.
  now, the 2 terms which i mention is used only in STATIC ,Dynamic , Overloading NAT.
  Now, My question is :-
  1- if i have this real IP Address assigned by my ISP, 64.202.88.20 , and i have an Internal WEB SERVER inside My Company and the WEB SITE is on it.
  i want to make NAT to let all the People from out side access this Server through NAT it self by http. how can i wrote the IP NAT COMMAND ?
  which one is the OUTSIDE LOCAL ADDRESS & which one is the OUTSIDE GLOBAL ADDRESS ?
  Please Reply .

  Thanks For your reply.
  i have only 2 question here.
  1- this will allow any one from OUTSIDE like internet, when he type in the Browser :-
  ( this IP is assign for example to this Domain www.FAS200.COM ).
  http://www.fas200.com ,
  the Request will come to this Router and there will be a translation from this Real IP address to this Internal IP Address, and the User will Not never know that there was a internal IP. is that correct ?
  2- if i have my Exchange server, and i did the MX record to map to this IP, how the command is ?
  3- what is the meaning of OUTSIDE LOCAL ADDRESS & OUTSIDE GLOBAL ADDRESS ?
  please update me .

• SAP-JEE, SAP_BUILDT, and SAP_JTECHS and Dev Configuration questions

  Hi experts,
  I am configuring NWDI for our environment and have a few questions that I'm trying to get my arms around.  
  I've read we need to check-in SAP-JEE, SAP_BUILDT, and SAP_JTECHS as required components, but I'm confused on the whole check-in vs. import thing.
  I placed the 3 files in the correct OS directory and checked them in via the check-in tab on CMS.   Next, the files show up in the import queue for the DEV tab.  My questions are what do I do next?
  1.  Do I import them into DEV?  If so, what is this actually doing?  Is it importing into the actual runtime system (i.e. DEV checkbox and parameters as defined in the landscape configurator for this track)? Or is just importing the file into the DEV buildspace of NWDI system?
  2.  Same question goes for the Consolidation tab.    Do I import them in here as well? 
  3.  Do I need to import them into the QA and Prod systems too?  Or do I remove them from the queue?
  Development Configuration questions ***
  4. When I download the development configuration, I can select DEV or CON workspace.  What is the difference?  Does DEV point to the sandbox (or central development) runtime system and CONS points to the configuration runtime system as defined in the landscape configurator?  Or is this the DEV an CON workspace/buildspace of the NWDI sytem.
  5.  Does the selection here dictate the starting point for the development?  What is an example scenarios when I would choose DEV vs. CON?
  6.  I have heard about the concept of a maintenance track and a development track.  What is the difference and how do they differ from a setup perspective?   When would a Developer pick one over the over? 
  Thanks for any advice
  -Dave

  Hi David,
  "Check-In" makes SCA known to CMS, "import" will import the content of the SCAs into CBS/DTR.
  1. Yes. For these three SCAs specifically (they only contain buildarchives, no sources, no deployarchives) the build archives are imported into the dev buildspace on CBS. If the SCAs contain deployarchives and you have a runtime system configured for the dev system then those deployarchives should get deployed onto the runtime system.
  2. Have you seen /people/marion.schlotte/blog/2006/03/30/best-practices-for-nwdi-track-design-for-ongoing-development ? Sooner or later you will want to.
  3. Should be answered indirectly.
  4. Dev/Cons correspond to the Dev/Consolidation system in CMS. For each developed SC you have 2 systems with 2 workspaces in DTR for each (inactive/active)
  5. You should use dev. I would only use cons for corrections if they can't be done in dev and transported. Note that you will get conflicts in DTR if you do parallel changes in dev and cons.
  6. See link in No.2 ?
  Regards,
  Marc

• NAT configuration on PIX to ASA

  Hi,
  I have below configuration on my PIX 8.0 which I want to convert into ASA 9.1 :
   nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
  access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
  access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
  access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
  access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
  access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
  And, there is no "NAT (global) 0 " command in PIX for this configuration.
  How can I use this in ASA..?
  Regards,
  Ninad

  Hi,
  The configurations is going to be bigger atleast. I did like the NAT0 more in the old software when you could use the ACL configuration to handle it and not bloat the NAT configuration needlesly.
  There are some strange ACEs in that ACL. I mean the rules where the source and destination seem to be either from the same subnet or just simply host address (perhaps loopback interface IP addresses somewhere in the network?) that wouldnt expect to use the firewall to communicate? Though I will assume those configurations are needed.
  You could try the following configuration though I naturally suggest perhaps coming with some other naming policy for the "object" configuration if needed.
  object network HOST-10.2.1.175
   host 10.2.1.175
  object network HOST-10.10.49.30
   host 10.10.49.30
  object network HOST-1.1.1.58
   host 1.1.1.58
  object network HOST-1.1.1.57
   host 1.1.1.57
  object network HOST-172.29.83.2
   host 172.29.83.2
  object network HOST-172.29.83.1
   host 172.29.83.1
  object network HOST-202.138.123.75
   host 202.138.123.75
  object network HOST-10.10.11.20
   host 10.10.11.20
  object network HOST-10.14.1.11
   host 10.14.1.11
  object network HOST-10.10.50.150
   host 10.10.50.150
  nat (Cust-DMZ,any) source static HOST-10.2.1.175 HOST-10.2.1.175 destination static HOST-10.10.49.30 HOST-10.10.49.30
  nat (Cust-DMZ,any) source static HOST-1.1.1.58 HOST-1.1.1.58 destination static HOST-1.1.1.57 HOST-1.1.1.57
  nat (Cust-DMZ,any) source static HOST-172.29.83.2 HOST-172.29.83.2 destination static HOST-172.29.83.1 HOST-172.29.83.1
  nat (Cust-DMZ,any) source static HOST-202.138.123.75 HOST-202.138.123.75 destination static HOST-10.10.11.20 HOST-10.10.11.20
  nat (Cust-DMZ,any) source static HOST-10.14.1.11 HOST-10.14.1.11 destination static HOST-10.10.50.150 HOST-10.10.50.150
  Notice that I configured the destination interface as "any". With that setting it should define the destination interface based on your ASAs routing table. I personally tend to define that interface but can't do that in this case as I cant see your routing configuration or routing table.
  If you want to read up some on the new NAT configuration format you  can check a document that I wrote in 2013.
  Sadly the update to these forums also changed the layout of the document a bit some things aren't really as I wish them to be.
  https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
  Hope this helps :)
  - Jouni

• Configuration question on css11506

  Hi
  One of our vip with 4 local servers, currently has https. the http is redirected to https.
  Now, my client has problem which a seriel directories need use http, not https. some thing like. quistion:
       1. If there is any possible, I can configure the vip to filter the special directories and let them to use http not https. and rest pages and directories redirect to https?
       2. If not, I can make another vip to use same local servers, but, is possible to only limited to special directories? and with wild code? some like the directories are partially wild coded, something like, http://web.domain/casedir*/casenumber?
       3. if not on both option, is any way I can fix this problem?
  Any comments will be appreciated
  Thanks in advance
  Julie

  I run my Tangosol cluster with 12 nodes on 3
  machines(each machine with 4 cache server nodes). I
  have 2 important configuration questions. Appreciate
  if you can answer them ASAP.
  - My requirement is that I need only 10000 objects to
  be in cluster so that the resources can be freed upon
  when other caches are loaded. I configured the
  <high-units> to be 10000 but I am not sure if this is
  per node or for the whole cluster. I see that the
  total number of objects in the cluster goes till
  15800 objects even when I configured for the 10K as
  high-units (there is some free memory on servers in
  this case). Can you please explain this?
  It is per backing map, which is practically per node in case of distributed caches.
  - Is there an easy way to know the memory stats of
  the cluster? The memory command on the cluster
  doesn't seem to be giving me the correct stats. Is
  there any other utility that I can use?
  Yes, you can get this and quite a number of other information via JMX. Please check this wiki page for more information.
  I started all the nodes with the same configuration
  as below. Can you please answer the above questions
  ASAP?
  <distributed-scheme>
  <scheme-name>TestScheme</scheme-name>
  <service-name>DistributedCache</service-name>
  <backing-map-scheme>
  <local-scheme>
  <high-units>10000</high-units>
  <eviction-policy>LRU</eviction-policy>
  <expiry-delay>1d</expiry-delay>
  <flush-delay>1h</flush-delay>
  </local-scheme>
  </backing-map-scheme>
  </distributed-scheme>
  Thanks
  RaviBest regards,
  Robert

• Configuration Question on  local-scheme and high-units

  I run my Tangosol cluster with 12 nodes on 3 machines(each machine with 4 cache server nodes). I have 2 important configuration questions. Appreciate if you can answer them ASAP.
  - My requirement is that I need only 10000 objects to be in cluster so that the resources can be freed upon when other caches are loaded. I configured the <high-units> to be 10000 but I am not sure if this is per node or for the whole cluster. I see that the total number of objects in the cluster goes till 15800 objects even when I configured for the 10K as high-units (there is some free memory on servers in this case). Can you please explain this?
  - Is there an easy way to know the memory stats of the cluster? The memory command on the cluster doesn't seem to be giving me the correct stats. Is there any other utility that I can use?
  I started all the nodes with the same configuration as below. Can you please answer the above questions ASAP?
  <distributed-scheme>
  <scheme-name>TestScheme</scheme-name>
  <service-name>DistributedCache</service-name>
  <backing-map-scheme>
  <local-scheme>
  <high-units>10000</high-units>
  <eviction-policy>LRU</eviction-policy>
  <expiry-delay>1d</expiry-delay>
  <flush-delay>1h</flush-delay>
  </local-scheme>
  </backing-map-scheme>
  </distributed-scheme>
  Thanks
  Ravi

  I run my Tangosol cluster with 12 nodes on 3
  machines(each machine with 4 cache server nodes). I
  have 2 important configuration questions. Appreciate
  if you can answer them ASAP.
  - My requirement is that I need only 10000 objects to
  be in cluster so that the resources can be freed upon
  when other caches are loaded. I configured the
  <high-units> to be 10000 but I am not sure if this is
  per node or for the whole cluster. I see that the
  total number of objects in the cluster goes till
  15800 objects even when I configured for the 10K as
  high-units (there is some free memory on servers in
  this case). Can you please explain this?
  It is per backing map, which is practically per node in case of distributed caches.
  - Is there an easy way to know the memory stats of
  the cluster? The memory command on the cluster
  doesn't seem to be giving me the correct stats. Is
  there any other utility that I can use?
  Yes, you can get this and quite a number of other information via JMX. Please check this wiki page for more information.
  I started all the nodes with the same configuration
  as below. Can you please answer the above questions
  ASAP?
  <distributed-scheme>
  <scheme-name>TestScheme</scheme-name>
  <service-name>DistributedCache</service-name>
  <backing-map-scheme>
  <local-scheme>
  <high-units>10000</high-units>
  <eviction-policy>LRU</eviction-policy>
  <expiry-delay>1d</expiry-delay>
  <flush-delay>1h</flush-delay>
  </local-scheme>
  </backing-map-scheme>
  </distributed-scheme>
  Thanks
  RaviBest regards,
  Robert

• "Current Time" problem behind a NAT Configured DSL Modem

  I have a WRT54GS wireless router behind a NAT configured Alcatel Speedtouch Pro DSL modem.  I have noticed that the "Current Time:" is perpetually "Not Available".   I am speculating that it is because the NAT blocks the syncrhonization, but I'm not absolutely sure.  Can anyone confirm that this indeed could be the problem?
  If this is the case, is it possible to configure a NAT router to pass this signal?
  I would like to have the benefits of NAT, but I would also like to utilize the WRT54GS's policy feature to limit my kid's internet activity after hours.
  Thanks in advance!

  Alcatel makes a lot of SpeedTouch modems.  I cannot tell which one you have.  I assume it must be a "modem-router" rather than a true modem.
  What "Intenet connection type" are you using in the WRT54GS?  I assume it is probably DHCP or static.  Disconnect the WRT54GS and the Speedtough. Set the "Internet connection type" on the WRT54GS to "static", then set the (WAN) "Internet IP address" to an address that the SpeedTouch will see as a fixed LAN IP address, and set the "Default Gateway" to the LAN IP address of the SpeedTouch, and set the "Subnet Mask" to 255.255.255.0 , and set the "DNS server address" to your true Internet DNS server address  (you should be able to find this info in the SpeedTouch).  
  Hope this helps.
  Please let me know whether or not this worked.
  If you need more help, please state the exact model number of your modem (not the WRT54GS?

• NAT pool configuration question

  Hi all,
  I would like to know how can I compute for a wild card mask for this hosts?
  10.1.1.5 /24 - 10.1.1.8 /24
  I have created a nat pool that translates addresses above to 124.24.34.250/24 - 124.24.34.253/24
  R3#show access-list
  Extended IP access list traders
      10 permit ip 10.1.1.0 0.0.0.5 any
  R3#sh run | s nat
  ip nat pool my_traders 124.24.34.250 124.24.34.253 prefix-length 24
  ip nat inside source list traders pool my_traders
  10.1.1.5 to 10.1.1.7 works, it's only .8 that doesn't, how can I cover it?
  thanks all,

  Hi Seb,
  I was able to resolve, although I would like to know if I can further aggregate or summarize acls?
  R3#sh run | s users
  ip nat pool users 124.24.34.249 124.24.34.249 prefix-length 24
  ip nat inside source route-map my_users pool users overload
  route-map my_users permit 10
   match ip address lan
  R3#show access-list lan
  Extended IP access list lan
      10 permit ip 10.1.1.16 0.0.0.15 any (2 matches)
      20 permit ip 10.1.1.32 0.0.0.15 any (1 match)
      30 permit ip 10.1.1.64 0.0.0.63 any
      40 permit ip 10.1.1.128 0.0.0.127 any
  Also should the prefix length in the NAT statement be equal to the subnet mask of the inside local address?
  Thanks,
  Thanks,

• NAT Configuration

  During the Christmas holidays I'm going to be fine tuning our server and was thinking that the NAT service may benefit our network. We have approx. 35 windows machine accessing the Internet and normally all at once with one public IP address. So I think NAT may help resolve some issues but I have a few questions.
  Currently the server is using eth0 directly into the switch and the VPN appliance is also connected to the switch. The server dishes out IP addresses to the LAN while the VPN appliance is manually set with it's IP address. According to how NAT configs, eth0 will connect directly to the WAN port on the VPN unit and eth1 will be connected to the switch. When your setting up eth0 how is this configured? Do I manually set an IP to reflect my private LAN designation and does this now become my 'Gateway' when I'm setting up server eth1 settings.
  I'm a bit confused. Any help would be appreciated or comments on my setting up the NAT service.

  No offense, but I think it's clear you're a bit confused.
  We have approx. 35 windows machine accessing the Internet and normally all at once with one public IP address. So I think NAT may help resolve some issues
  If you have 35 machines sharing a single public address you're already using NAT. Therefore either the issues you're having aren't related to NAT at all, or they are NAT-related but having your server run NAT isn't going to resolve them.
  It isn't yet clear to me what the issues are that you're trying to resolve. Can you elaborate?
  Given what you've said so far:
  Currently the server is using eth0 directly into the switch and the VPN appliance is also connected to the switch.
  OK, makes sense so far...
  The server dishes out IP addresses to the LAN while the VPN appliance is manually set with it's IP address.
  OK, this makes sense, too - pretty standard so far.
  According to how NAT configs, eth0 will connect directly to the WAN port on the VPN unit and eth1 will be connected to the switch
  OK, this is where it breaks down. Why do you plan to connect eth0 to the WAN port of the VPN? Typically the VPN server will have one WAN port and one LAN port, but it may be able to run on a single link
  When your setting up eth0 how is this configured?
  How is what configured?
  Do I manually set an IP to reflect my private LAN designation and does this now become my 'Gateway' when I'm setting up server eth1 settings.
  You've lost me completely here. What device are you configuring here?
  Do you already have the VPN in place? Is that already operating?
  If so, why do you see the need to change this?

• ACE NAT configuration - is it possible to use a different source PAT IP per rserver in a serverfarm?

  Hi,
  I've a quick question regarding using PAT (port address translation) on an ACE module specifically for the purpose of load-balancing requests to a cluster of Exchange CAS servers.
  Each CAS server needs to see requests from the same source IP which can be achieved by using source NAT / PAT but due to the scale of this Exchange deployment a single NAT pool with one PAT'd IP will not provide enough ports (i.e. there may well be more than ~64,000 ports required at any one time).
  Is it possible to configure PAT on the ACE so that each individual rserver will see requests from a unique source PAT address, i.e., each rserver sees a different source PAT IP, i.e., in order to provide ~64,000 ports per source PAT IP <-> CAS server pair as opposed to ~64,000 ports shared between all the CAS servers?
  If so, does anyone have any configuration examples (based on a single-armed configuration)?
  TIA

  Hi Tia,
  I don't think we can do this. We can easily configure a different nat pool per serverfarm but not per rserver.
  --Olivier

• NAT Pool question

  I have a question on how NAT pools, or sNAT works with ACE in one-arm mode.
  As I understand it, when the client sends the request to ACE, it changes the destination IP to a rServer and source IP to the sNAT address.  When the rServer responds, it sends traffic back through the ACE via the sNat.  How exactly does this work?  I can't ping the sNAT address I configured, so how is the sNAT associated with the ACE in any way?  How does traffic make it's way back to the ACE when the sNAT doesn't seem to be advertised externally in any way.  And one more quick question, should the sNAT be on the rServer subnet or the ACE subnet?  Just trying to understand so we can make good design decisions.

  Tbone,
  When you use SNAT you generally use a nat-pool address that will bring the traffic back to the ACE interface that the traffic left on. In a typical one-armed mode the Nat-pool would be in the same subnet as the ACE interface and rservers.
  If the servers are local to the ACE you usually point the servers default gateway to the SVI or FW interface rather than the ACE. If SNAT is not used the client IP enters the ACE destined to the VIP. ACE will change the destination address to the rserver. Since the original client IP will be seen by the server it will reply to the default gateway. If the ACE does not get the server reply it cannot change the SYN ACK back to the VIP address that the client originally sent the connection to. This would result in a connection failure. When you use SNAT with a Nat-pool that is local to the server it will not use it's gateway but will reply directly back to the ACE since it owns this IP.
  If the servers are not local to the ACE you would want to configure the nat-pool IPs to be local to the interface vlan the traffic egresses to get to the rserver. This way your routing will bring the server reply back to the ACE.
  Let me know if this helps with your understanding or if you have more questions.
  Best regards
  Jim

• Issues with source NAT configuration in VNMC

  Before coming to the questions/doubts let me explain the ASA 1000v setup that I have
  ASA 1000v
  -          inside interface with ip 10.1.1.1 (attached to a network with subnet 10.1.1.0/24 and vlan 515)
  -          outside interface with ip 10.147.30.236 (attached to a network with subnet 10.147.30.0/24 and vlan 30)
  On ASA running ‘show route’ outputs following:
  C             10.1.1.0 255.255.255.0 is directly connected, esp-in
  C             10.147.28.0 255.255.255.0 is directly connected, management
  C             10.147.30.0 255.255.255.0 is directly connected, esp-out
  S*           0.0.0.0 0.0.0.0 [1/0] via 10.147.30.1 via esp-out
  On VNMC I created edge firewall with inside interface as ‘esp_in’ (10.1.1.1) and outside as ‘esp_out’ (10.147.30.236)
  Now I want to configure the following scenarios through VNMC:
  1.       Source NAT : 10.1.1.0/24 -> 10.147.30.236. While trying to configure this I see the following error in VNMC
  ERROR: Executing CLI returned error message: object network pe_internal_net_obj_range_10.1.1.2_10.1.1.254;range 10.1.1.2
  10.1.1.254;object-group network NSONOg:source-nat:source-nat-rule@esp-out;network-object object
  pe_internal_net_obj_range_10.1.1.2_10.1.1.254;nat (esp-out,any) 1 source static NSONOg: source-nat:source-nat-rule@esp-out interface;
  ERROR:  interface keyword is not allowed when translated interface is any;
  2.       I created another NAT rule from 10.1.1.0/24 -> 10.147.30.237. I also created ACL rule for allowing outbout ssh traffic. This working for me initially and I was able to ssh from a VM attached to subnet 10.1.1.0/24 to an outside VM. But after I did a re-assign with the same ASA appliance this stopped working and there was a configuration error:
  ERROR: Executing CLI returned error message: service-policy mpf-sp0001 interface sp0001;         ^;ERROR: % Invalid input detected at ^ marker;
  ERROR: Executing CLI returned error message: service-policy mpf-esp-out interface esp-out;     ^;ERROR: % Invalid input detected at ^ marker;
  Version details
  VNMC 2.0
  ASA 1000v version
  Cisco Adaptive Security Appliance Software Version 8.7(1)1
  Device Manager Version 6.7(1)
  Questions:
  -          Can anyone let me know what is the correct configuration for setting up source NAT as mentioned above. Why am I getting the errors mentioned and how to fix them?
  -      Why is there an error on reassigning asa 1000v to the edge firewall
  -          How to enabling logging/debugging on ASA or VNMC to see packet details and how rules are getting applied?
  Thanks,
  Koushik

  Hello Arseny,
  How did you resolve this issue?
  We are still facing the same problem in WebI 4.1 SP5 Patch 4.
  The issue is still under SAP investigation with KBA 2131762.
  Regards,
  Mirko

• Time capsule IP settings / NAT / DHCP / questions

  I'm trying to set up a Time Capsule in my apartment, to use as a wireless router with several apple computers. I've been using an Airport Express in the past. I'm having problems setting up the computers to get individual IP addresses, not in conflict with each other, while still receiving the Internet signal.
  My DSL comes with a stable IP address which I have assigned to the Capsule, along with associated subnet mask, router address (the router in the building from the service provider, which is working fine), and DNS server addresses.
  Trouble is, if I set my capsule to assign IPs through DHCP or share a signal IP, it shows blinking amber on reboot. Strangely, as a bridge, with one computer assigned the same IP I'm able to get the internet, but if I want to use more than one computer, I get an error message about IP duplication. I'm also wondering about double NAT (which I'm not as familiar with). ANother question is whether to plug into the WAN or LAN port. The airport setup seems to want me to use the WAN port (and says that no ethernet plugged in there is a problem). Is it?
  Finally, I was wondering if I can use my old airport express to extend my range and/or network a second printer in the other room. Do the two routers need to be connected by an ethernet cable? Can the airport express be remotely set up to use the same network the Time Capsule is plugged into from the wall?
  Many thanks for anybody's help with this.

  The airport setup seems to want me to use the WAN port (and says that no ethernet plugged in there is a problem). Is it?
  Yes you want the DSL modem plugged into the WAN port.
  Does your DSL require PPPoE? If so, after configuring the Time Capsule to get a connection using PPPoE... ensure that you DISABLE PPPoE on each of your computers. Only one device should be handling PPPoE.
  Finally, I was wondering if I can use my old airport express to extend my range and/or network a second printer in the other room.
  Yes as long as you configure the Time Capsule to work in an 802.11g compatible mode AND you configure both the Time Capsule and AirPort Express (AX) to wirelessly connect using WDS.
  Do the two routers need to be connected by an ethernet cable?
  No

• ASA 5505 VPN configuration question

  I have a asa 5505 v7.2(3) asdm 5.2(3) th I am trying to get reconfigured after our cable company was bought out and they replaced the cable modem with a router. My asa now has a non routable "10" address on the outside instead of one of the 5 statics I have assigned to me. I have natted my servers, but I cannot get my vpn clients connected. I am not sure how to get one of my statics assigned to the asa to use for the VPN tunnel. Used to be I just tunneled to the static "outside" address with my Cisco VPN clients (remote pc's). I tried assigning one of my statics to the outside, but then I had no connectivity at all since there is a router now before me, where it was just a modem before. I am used to working on larger pix's with my own IP address range, and not used to dealing with DHCP assigned outside addresses, so I am sure it is something simple I am missing. Any help would be greatly appreciated, this is for a small charity animal shelter, that has been down since the cable company made their "transparent change" when the bought another one out.
  The ISP router has an interface with one of my static on the outside facing interface, and a 10 address on the interface directly connected to my ASA. The ISP router then assigns a 10 address to my outside interface on the ASA. I then have 192 addresses on my inside interfaces with statics for their servers. I am just not sure now how to connect my VPN clients since I do not have a routable outside address anymore. I have tried connecting to the static on the ISP hinking they might pass the packet, but they don't. I thought maybe a loopback could be assigned to the ASA, but could not see a way to do that. also the ethernet interfaces cannot have address assigned, only vlans, which there can only be two, and both are used (inside, outside) so I am out of ideas.
  Thanks for any help
  Thanks much

  Hi Kevin
  Your current design causes administrative overhead. You either need one-to-one mapping with outside int or a PAT which is forwarding UDP 4500 and TCP 10000 (may cause troubles in GRE)
  Ask your ISP to configure the router in bridged mode and let your outside interface have the public IPs instead 10.x.x.x
  Regards

• Closed loop configuration question

  I have a motor(with encoder feedback) attached to a linear actuator(with end limit switches).
  The motor has a commercially bought servo drive for control. 
  The servo drive will accept either a step/direction (2 seperate TTL
  digital pulse train inputs) or an analog -10 to 10vdc input for
  control. 
  The purpose is to drive a linear actuator(continiously in and out) in
  closed loop operation utilizing a ( (SV) Setpoint variable)value from a
  file converted to a frequency to compare with an actual ( (PV) Position
  variable) measured frequency.
  I have created and experimented with individual vi's allows analog
  control and digital pulse train control (thankfully with the help of
  examples). 
  Before I pose my question, I would like to make the following
  observations:  It is my understanding that Closed loop control
  means that I dont need to know an exact position at which to drive, but
  constant comparision of PV and SV through PID applictation. 
  Without getting into any proprietery information I can say that the
  constant positioning of the linear actuator will produce a latency of 2
  to 3 seconds based on the time the actuator moves to a new position and
  when the PV will change.  While experimenting with the analog
  input, i noticed imediate response to motor velocity, but after the
  motor is stopped, position is not held in place.  However, while
  experimenting with the Digital pulse train input, I noticed that the
  servo drive can only accept one command at one time; if, halfway
  through a move, position error produces a response to move the linear
  actuator in the opposite or different direction, the origional move
  must finish first. 
  Can anyone recommend the proper configuration for the closed loop control i have described?
  If I can make the system work with the servo drive/motor I plan to use
  the simple (pci 6014) daq card with the Analog out, or utilize the
  digital out.
  If I cant get this to work, we do have a pxi with 7344 motion card(I
  would like to exhaust all efforts to use the PCI 6014 card).
  Depending on where I go from here, I planned to use the PID vi's for the loop control.
  Thanks,
  Wayne Hilburn

  Thanks for the reply
  Jochen.  I realize there is a built-in latency with windows but I
  think the I/O control would be ok.  A change in actuator position
  will not result in an immediate change in process variable;  Is
  there a way to measure the latency or is it calculated?  A
  satisfactory reaction time could be from 1 to 1.5 sec.
  Use of the PCI-6014 is to supply the control output to the servo
  drive/amp, and not to drive the motor itself.  As stated earlier,
  while using the 6014 board, I have the choice of digital or analog
  output.
  Currently I am at a point where I must choose which configuration,
  analog control or digital control(in the form of digital pulse train),
  (i am inserting from first message)
  While experimenting with the analog
  input, i noticed imediate response to motor velocity, but after the
  motor is stopped, position is not held in place.  However, while
  experimenting with the Digital pulse train input, I noticed that the
  servo drive can only accept one command at one time; if, halfway
  through a move, position error produces a response to move the linear
  actuator in the opposite or different direction, the origional move
  must finish first.  .
  I dont claim to understand all the limitations with the
  specific boards, however, i am using an approach that is showing me the
  characteristics(a couple are listed in the above paragraph)  of
  the hardware and software configurations.
  So I am really back to my origional question;  Which configuration
  would be better for closed loop control, analog or digital pulse train?
  Thanks,
  Wayne Hilburn