BGP and ASA NAT

Hello Everyone,
I have a need to multihome out two MAN links to the same ISP. The two links will connect via an ISR and will participate in an eBGP adjacency. On the internal side, iBGP will be used to create the alternate default route to the ISP. Each of the ISR’s downstream ports participates on the same Ethernet subnet. On the same subnet/broadcast domain, there are two ASA5510 appliances that will use HSRP to advertise the public IPv4 addresses and will NAT them into the private network.
My question is, since the ASAs do not participate in BGP, and since we are going to NAT the traffic, eliminating the need to use a route map to inject the default route into the downstream EIGRP network, would I simply build a static default route in the ASAs out the upstream interfaces? My initial thought is to not worry about recursive lookups because they are connected via Ethernet.
ip route 0.0.0.0 0.0.0.0 fa0/0; and so on.
I’ve attached a simple topology for reference.
Thanks…Matt

Yes Jcarvaja, HSRP is not a feature on the ASAs, and yes, HSRP is difficult to set up natively to support active/active load balancing on any device. That's not really the point though, is it? FHRPs are typically used for distribution switches and finely tuned to access layer 2 and layer 3 convergence, unless using GLBP (and even then should be considered). My mistake for using the term HSRP, and thank you for pointing it out.
As for the iBGP links, they represent the same subnet as I mentioned. The Cat switches are there to accommodate physical constraints, as each pair of ISRs and ASAs are two miles apart. Since the ASAs are performing NAT, they don't really participate in the BGP network and there is no need or capability to inject the BGP default route into the EIGRP network. They will participate in the downstream EIGRP network. If the MAN connection on one ISR goes down, then the iBGP route to the Internet will be graduated. I guess I could have indicated on the drawing that these were all part of the same subnet.
How do I configure the ASA's static default route? Wouldn't I be able to inject a static default route in each ASA using the ASA's outside interface when using active/active? If I have to, I could see if we can use EIGRP on the network upstream of the ASAs if there is no other way of doing this, but this is not preferred.
Any help you can provide is greatly appreciated. 
Thank you...Matt

Similar Messages

  • ASA NAT when not on interface network

    We are trying to restructure our edge network.  The ASA with NATs is currently on a natural /24, as is its upstream router.  We are trying to change the ASA and router to reside on a /28 that is part of the existing /24.  In so doing we have added routes to the router to send traffic for the NAT range to the ASA's new 'outside' IP:
    Router IP:   10.10.10.226/28, HSRP IP 10.10.10.225
    ASA IP:       10.10.10.228/28 stby 10.10.10.229
    ip route 10.10.10.0 255.255.255.128 10.10.10.228 250 (High AD so as not to interfere with BGP later)
    ip route 10.10.10.128 255.255.255.192 10.10.10.228 250 (High AD so as not to interfere with BGP later)
    ASA NATs:  10.10.10.11-.135
    From the ASA configured this way, we can ping the router IP fine.
    One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.
    Should either of these methods work?
    Thanks - Paul

    Paul
    One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.
    Not sure I understand the above statement, but in terms of what you originally tried then it should work, as the ASA often handles IPs that are not assigned to an interface in terms of NAT.
    Difficult to say why it didn't work. It is always a good idea to clear existing xlates and arp caches etc. but you may have done that anyway.
    What exactly didn't work?
    Jon

  • Dynamic PAT and Static NAT issue ASA 5515

    Hi All,
    Recently we migrated our network to ASA 5515. Since we had configured NAT pool overload on our existing router, the users are able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide), all users are able to translate to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the Static NAT is not able to translate. Can anyone explain if there's any conflict with PAT to Static NAT? I appreciate your response. Thanks!
    - Bhal

    Hi,
    I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
    The very basic configuration for Static NAT and Default PAT I would do in the following way:
    object network STATIC
    host
    nat (inside,outside) static dns
    object-group network DEFAULT-PAT-SOURCE
    network-object
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
    This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
    You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
    https://supportforums.cisco.com/docs/DOC-31116
    Hope this helps
    - Jouni
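    Jouni's Section 1 / Section 2 / Section 3 lookup order, as an added Python model (not ASA code and not from the original post): the 10.0.0.0/24 inside network, the host 10.0.0.50 and the rule objects are constructed, interface pairs and destination matching are left out, and the Section 2 tie-breakers are reduced to static-before-dynamic and fewest-real-addresses-first.

```python
"""Model of the ASA 8.3+ NAT lookup order: Section 1 manual NAT, Section 2
network object NAT, Section 3 'after-auto' manual NAT.  Added illustration,
not ASA code; object names and addresses below are constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    name: str
    section: int      # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    real_source: str  # host or network whose source address the rule translates
    kind: str         # "static" or "dynamic"

    def matches(self, src: str) -> bool:
        return ip_address(src) in ip_network(self.real_source, strict=False)


def _section2_key(rule: NatRule):
    # Section 2 is not first-match in configuration order: static rules are
    # tried before dynamic ones, and among rules of the same kind the one with
    # the fewest real addresses (most specific) wins.  The further tie-breakers
    # on IP value and object name that the ASA applies are omitted here.
    return (0 if rule.kind == "static" else 1,
            ip_network(rule.real_source, strict=False).num_addresses)


def lookup(rules, src: str):
    """Return the name of the NAT rule that would be applied to source src."""
    for section in (1, 2, 3):
        hits = [r for r in rules if r.section == section and r.matches(src)]
        if not hits:
            continue
        if section == 2:
            hits.sort(key=_section2_key)
        return hits[0].name          # Sections 1 and 3: first match in config order
    return None                      # no rule: packet is forwarded untranslated


# Constructed rule sets.  STATIC is the object NAT rule for one server and
# DEFAULT-PAT-SOURCE the hide-PAT rule for the whole inside network, as in the reply.
STATIC_HOST = NatRule("STATIC", 2, "10.0.0.50/32", "static")

# Misconfiguration: the PAT rule written as plain manual NAT lands in Section 1
# and is evaluated before the object NAT rule for the server.
BROKEN = [
    NatRule("DEFAULT-PAT-SOURCE", 1, "10.0.0.0/24", "dynamic"),
    STATIC_HOST,
]

# Fix from the reply: 'nat ... after-auto' moves the PAT rule into Section 3,
# so the server's static rule is consulted first and only other hosts hit PAT.
FIXED = [
    NatRule("DEFAULT-PAT-SOURCE", 3, "10.0.0.0/24", "dynamic"),
    STATIC_HOST,
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{label}: server 10.0.0.50 -> {lookup(rules, '10.0.0.50')}, "
              f"client 10.0.0.77 -> {lookup(rules, '10.0.0.77')}")
```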

  • Is src and dst NAT possible in multiple rules on the ASA?

    Hello,
    We have +/- 50 customer companies that will have to enter our network via IPsec s2s VPNs, and as backup the customers have the option to enter our network via a leased line. Since they can enter via multiple routes, we give them a source IP depending on which side they enter, so we know the route back internally in the network to the correct FW they entered.
    For the s2s we have to do source NAT on our side, since we cannot burden all these customers with different NATs for both the leased line and for the s2s. And we have to do destination NAT, since the customers can access different DMZ systems depending on the application they connect to.
    1) source NAT can be 1 NAT rule per company (so hide NAT behind 1 IP)
    2) destination NAT is multiple rules (see below)
    At the moment we have 12 NAT rules per company, since we have configured src and dst NAT in one rule to make it work.
    See example below:
    Question: How can we configure src and dst NAT in multiple rules so that we don't need 12 NAT rules per company?
    ASA cluster: single mode - Active/Standby
    asa922-4-smp-k8.bin
    asdm-731-101.bin
    Src REAL            Src Mapped  Dst MAPPED    Dst REAL     Service
    192.168.143.128_29  11.11.11.1  19.19.19.90   10.10.10.42  53-udp
    192.168.143.128_29  11.11.11.1  19.19.19.90   10.10.10.42  53-tcp
    192.168.143.128_29  11.11.11.1  19.19.19.11   10.10.10.42  53-udp
    192.168.143.128_29  11.11.11.1  19.19.19.11   10.10.10.42  53-tcp
    192.168.143.128_29  11.11.11.1  19.19.19.90   10.10.10.41  PoP3
    192.168.143.128_29  11.11.11.1  19.19.19.90   10.10.10.41  SMTP
    192.168.143.128_29  11.11.11.1  19.19.19.180  10.10.10.44  SMTP
    192.168.143.128_29  11.11.11.1  19.19.19.180  10.10.10.44  PoP3
    192.168.143.128_29  11.11.11.1  19.19.19.83   10.10.10.47  http
    192.168.143.128_29  11.11.11.1  19.19.19.83   10.10.10.47  tcp-5555
    192.168.143.128_29  11.11.11.1  19.19.19.90   10.10.10.47  http
    192.168.143.128_29  11.11.11.1  19.19.19.92   10.10.10.47  http

    Steve,
    That is my whole point.  To copy from the PC host memory to the CUDA device memory asynchronously, the host memory must be pinned.  Hence, the source and destination memory should be pinned.  Otherwise, I must copy the source memory to pinned memory I have allocated on the PC, copy it asynchronously to the CUDA device memory, process it on the CUDA device, asynchronously copy it back to the PC pinned memory, and then copy it to the destination memory.
    If you copy synchronously, it is slow as Christmas!  Therefore, you must copy the memory asynchronously, or you should not use CUDA and GPU acceleration.
    My question still stands.  Why is the source and destination memory on the PC used by Premiere Pro not pinned memory?
    Gene

  • Using both Dynamic and Static NAT with two Different Internet facing Subnets

    We have two Class C public address subnets. We started with subnet (A) and have many of our Internet accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 8.3(2) and started migrating the users and new servers to it, so I started with our second Class C subnet (B). Later on down the road I found out that if the firewall's default gateway is set to a (B) interface subnet, then the servers that are statically mapped to an (A) address will have a (B) address when they communicate out to the Internet. So they are receiving packets on their (A) address, though replying to them with a (B) address.
    It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external Address when communicating outbound as well as inbound. 
    So for instance I want the following: when the internal host replies, I want the reply to come from the mapped IP, not an IP from the dynamic pool.
    Public IP: 192.168.1.100/24
    Internal IP: 10.0.0.100/16
    Public IP: 192.168.5.101/24
    Internal IP: 10.0.0.101/16
    interface Ethernet0/0
    description 192.168.1.0/24 Network Outside IP
    nameif outside-1
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/1
    description 192.168.5.0/24 Network Outside IP
    nameif outside-5
    security-level 0
    ip address 192.168.5.1 255.255.255.0
    interface Ethernet0/2
    description inside 10.0.0.0/16
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.0.0
    object network serverA_o
    host 192.168.1.100
    object network serverA_i
    host 10.0.0.100
    object network serverB_o
    host 192.168.5.101
    object network serverB_i
    host 10.0.0.101
    object network 192-168-1-NAT-POOL
    range 192.168.1.50 192.168.1.239
    nat (inside,outside-1) source static serverA_i serverA_o
    nat (inside,outside-5) source static serverB_i serverB_o
    nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
    object network serverA_i
    nat (inside,outside-1) static serverA_o
    object network serverB_i
    nat (inside,outside-5) static serverB_o
    route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
    route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2
    When I set this up my serverB shows a Public IP of something in the 192-168-1-NAT-POOL Not 192.168.5.101
    Any Suggestions?
    Thanks!

    Not sure why I have multiple entries. )-: I did think it was odd. I think it might be because I was looking at examples of the new and old styles of NAT.
    We have a single ISP, though have 2 separate non-contiguous Class C addresses from them. We host some servers on one subnet and some on the other.
    I'm looking for a way to use both Subnets on the same ASA. 
    The Connection to the net looks like this:
    Internet -> Edge Router Layer3 VLAN Switch
    GE0/1.2 - 192.168.1.1 VLAN Tagged --> GE0 - VLAN Tagged
    GE0/1.2 - 192.168.5.1 VLAN Tagged -^
    Layer3 VLAN Switch Firewall
    GE1 192.168.1.0/24 Untagged -> ASA Outside-1
    GE2 192.168.5.0/24 Untagged -> ASA Outside-5
    Firewall
    ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100
    Hope that helps clarify.
    I could try to post some sanitized Configs of my PIX and ASA if needed.  But the end result I'm trying to do is have the ASA do NAT for multiple Public Subnets. 

  • BGP and VPN

    Hi,
    We need to setup BGP network at our branch office so i wanted some of your opinions. Here is what I’m looking to setup.
    2 Bandwidth providers FastE 10/100 with 4mb commit on both (multi-home)BGP.
    Routing a /27
    Usage is VPN ( 5 tunnels)and HTTP inbound and out.
    I would say a constant 30mb usage 24/7
    Not looking to go beyond 2 ISP and or 10/100
    1. How about a single  2821 Sec/K9 with 256 RAM for the route tables.
    2. Two 2811's, one 2811 with 256 RAM for the BGP and another 2811 Sec/K9 with 256 RAM for VPN.
    3. One 2811/2821 with 256 RAM for the BGP and another ASA for VPN

  • ARP table clash with checkpoint and ASA firewal issue

    We are migrating DMZ segments from a Checkpoint to an ASA 5585 firewall that we had connected to the same segments as the Checkpoint, except on different IP addresses than the Checkpoint interfaces. The Checkpoint interfaces are the default gateway for the servers. When I implemented the NAT entries below we experienced an ARP table clash between the Checkpoint and ASA firewall on the local segments that caused an application outage. What was determined was that the Checkpoint firewall was showing that all the IP addresses, in particular on the vlan130 segment, were associated with the MAC address of the ASA interface instead of the real server MAC address. I need assistance understanding the reason why the Checkpoint was pointing the ARP entries for many different addresses on VLAN130 to the ASA firewall MAC?
    nat (any,internet-outside) source static any any destination static isxh2007_Xlate_167.9.6.21 isxh2007_10.121.201.86 unidirectional description To match chkpt NAT rule #5
    nat (VLAN130,internet-outside) source static ISX_EDI_Hosts isxh2008_Xlat_167.9.6.22 unidirectional
    nat (any,internet-outside) source static Private-Addresses ISX_OUTBOUND_NAT_167.9.6.1 destination static external_167.9.x external_167.9.x unidirectional
    nat (any,any) source static Mars-Internal-All Mars-Internal-All destination static Private-Addresses Private-Addresses
    nat (internet-dmz,internet-outside) source static acs-vmww2419.mars-ad.net acs-vmww2419_xlate_167.9.6.23
    nat (internet-dmz,internet-outside) source static acs_vmww2420 acs_vmww2420_xlate_167.9.6.24
    nat (internet-dmz,internet-outside) source static pass_reset_internal_10.121.201.50 pass_reset_external_167.9.6.25
    nat (internet-dmz,internet-outside) source static HE-Portal-poland_10.121.120.10 ext_HE-Portal-poland_167.9.6.26
    nat (any,internet-outside) source dynamic any ISX_OUTBOUND_NAT_167.9.6.1
    isxasa04/wwy-legacy# sho interface
    Interface TenGigabitEthernet0/8.129 "core-inside", is down, line protocol is down
    MAC address 442b.0330.aba2, MTU 1500
    IP address 10.121.129.X, subnet mask 255.255.255.0
    Traffic Statistics for "core-inside":
    241633 packets input, 12094352 bytes
    44788 packets output, 3032584 bytes
    109732 packets dropped
    Interface TenGigabitEthernet0/9.130 "VLAN130", is down, line protocol is down
    MAC address 442b.0330.aba3, MTU 1500
    IP address 10.121.130.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN130":
    1264203 packets input, 136452168 bytes
    326080 packets output, 69216516 bytes
    794035 packets dropped
    Interface TenGigabitEthernet0/9.136 "VLAN136", is down, line protocol is down
    MAC address 442b.0330.aba3, MTU 1500
    IP address 10.121.136.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN136":
    374547 packets input, 23696109 bytes
    51186 packets output, 3324895 bytes
    173500 packets dropped
    Interface GigabitEthernet0/1 "internet-outside", is down, line protocol is down
    MAC address 442b.0330.ab9b, MTU 1500
    IP address 167.9.6.X, subnet mask 255.255.255.0
    Traffic Statistics for "internet-outside":
    352158 packets input, 17245425 bytes
    76888 packets output, 3872904 bytes
    12255 packets dropped
    Interface GigabitEthernet0/2 "internet-dmz", is down, line protocol is down
    MAC address 442b.0330.ab9c, MTU 1500
    IP address 10.121.201.X, subnet mask 255.255.255.0
    Traffic Statistics for "internet-dmz":
    237795 packets input, 12460108 bytes
    40787 packets output, 2775684 bytes
    27378 packets dropped
    Interface GigabitEthernet0/4 "VLAN140", is down, line protocol is down
    MAC address 442b.0330.ab9e, MTU 1500
    IP address 10.121.140.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN140":
    386931 packets input, 18807725 bytes
    48936 packets output, 3319712 bytes
    114417 packets dropped
    We crosschecked MAC addresses and this is what we found:
    Checkpoint ARP table:
    10.121.130.101 44:2b:3:30:ab:a3 3285
    ASA ARP table:
    isxasa04/wwy-legacy# sh arp | i 10.121.130.101
    VLAN130 10.121.130.101 001a.4b06.dd45 10525
    Server real address provided by processing:
    0x001A4B06DD45
    When we saw that the Checkpoints had a different/wrong entry we shut down all the physical ports on the new ASAs (except for failover and management);
    Kevin cleared the ARP table on the Checkpoints and problem was solved;
    Later I saw this:
    isxasa04# sh int | i MAC
    MAC address 442b.0330.ab9a, MTU not set
    MAC address 442b.0330.ab9b, MTU not set
    MAC address 442b.0330.ab9c, MTU not set
    MAC address 442b.0330.ab9d, MTU 1500
    MAC address 442b.0330.ab9e, MTU not set
    MAC address 442b.0330.ab9f, MTU not set
    MAC address 442b.0330.aba0, MTU not set
    MAC address 442b.0330.aba1, MTU not set
    MAC address 442b.0330.ab98, MTU not set
    MAC address 442b.0330.ab99, MTU not set
    MAC address 442b.0330.aba2, MTU not set
    MAC address 442b.0330.aba3, MTU not set

    The ASA is proxy ARPing those MACs. Turn off proxy ARP and put in static ARP entries until you completely shut down the Checkpoint.
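    The MAC crosscheck from the post above, as an added Python example (not Cisco or Check Point tooling and not from the original thread): it normalises the three MAC notations that appear in the post (Check Point colon form with dropped leading zeros, ASA dotted form, and 0x hex) and flags IPs that the Check Point resolves to an ASA interface MAC while the ASA itself has learned a different host MAC. The 10.121.130.102 entries are constructed for contrast; the other values are the ones quoted in the post.

```python
"""Cross-check a Check Point ARP table against an ASA's ARP table and interface
MACs to find entries the ASA is answering by proxy ARP.  Added example; the
parsers follow the output shapes quoted in the thread, not a vendor API."""
import re
from typing import Dict, List, Set, Tuple


def normalize_mac(raw: str) -> str:
    """Return a MAC as 12 lowercase hex digits, whatever the input notation."""
    raw = raw.strip().lower()
    if raw.startswith("0x"):
        raw = raw[2:]
    parts = re.split(r"[:.\-]", raw)
    if len(parts) == 6:            # 44:2b:3:30:ab:a3 -> zero-pad each octet
        return "".join(f"{int(p, 16):02x}" for p in parts)
    if len(parts) == 3:            # 442b.0330.aba3 -> pad each 16-bit group
        return "".join(f"{int(p, 16):04x}" for p in parts)
    if len(parts) == 1 and re.fullmatch(r"[0-9a-f]{12}", raw):
        return raw                 # 001a4b06dd45 (after stripping 0x)
    raise ValueError(f"unrecognised MAC notation: {raw!r}")


def parse_checkpoint_arp(lines) -> Dict[str, str]:
    """Check Point rows: '<ip> <mac> <age>'."""
    table = {}
    for line in lines:
        fields = line.split()
        if len(fields) >= 2:
            table[fields[0]] = normalize_mac(fields[1])
    return table


def parse_asa_arp(lines) -> Dict[str, str]:
    """ASA 'show arp' rows: '<ifname> <ip> <mac> <age>'."""
    table = {}
    for line in lines:
        fields = line.split()
        if len(fields) >= 3:
            table[fields[1]] = normalize_mac(fields[2])
    return table


def parse_asa_interface_macs(lines) -> Set[str]:
    """Collect interface MACs from 'show interface | include MAC' output."""
    macs = set()
    for line in lines:
        m = re.search(r"MAC address ([0-9a-fA-F.]+)", line)
        if m:
            macs.add(normalize_mac(m.group(1)))
    return macs


def find_proxy_arp_conflicts(checkpoint_arp: Dict[str, str],
                             asa_arp: Dict[str, str],
                             asa_macs: Set[str]) -> List[Tuple[str, str, str]]:
    """IPs the Check Point maps to an ASA interface MAC although the ASA has
    learned a different (real host) MAC for them: (ip, seen_mac, real_mac)."""
    conflicts = []
    for ip, cp_mac in sorted(checkpoint_arp.items()):
        real_mac = asa_arp.get(ip)
        if cp_mac in asa_macs and real_mac is not None and real_mac != cp_mac:
            conflicts.append((ip, cp_mac, real_mac))
    return conflicts


# Constructed sample output.  The 10.121.130.101 rows and the interface MACs are
# the values quoted in the post; 10.121.130.102 is a made-up healthy host.
CHECKPOINT_ARP = [
    "10.121.130.101 44:2b:3:30:ab:a3 3285",
    "10.121.130.102 0:1a:4b:6:dd:46 2900",
]
ASA_ARP = [
    "VLAN130 10.121.130.101 001a.4b06.dd45 10525",
    "VLAN130 10.121.130.102 001a.4b06.dd46 9800",
]
ASA_INTERFACE_MACS = [
    "MAC address 442b.0330.aba2, MTU not set",
    "MAC address 442b.0330.aba3, MTU not set",
]


def demo() -> List[Tuple[str, str, str]]:
    return find_proxy_arp_conflicts(parse_checkpoint_arp(CHECKPOINT_ARP),
                                    parse_asa_arp(ASA_ARP),
                                    parse_asa_interface_macs(ASA_INTERFACE_MACS))


if __name__ == "__main__":
    for ip, seen, real in demo():
        print(f"{ip}: Check Point has {seen} (an ASA interface MAC); "
              f"ASA itself learned host MAC {real}")
```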

  • VPN with Cisco 877 and ASA 5505

    Hi Experts
    this is my scenario :
    remote clients ----> Internet----> Cisco 877---> ASA5505---->LAN
    I would like to allow remote users to connect to my LAN to check their mails and work as if they are in the office. Actually I have configured the Cisco 877 as VPN server and this is working fine, but now I'm trying to use the ASA with the router because it permits 25 connections at the same time.
    I'm connected to the Internet using a public ISDN IP. I have heard that I need a second IP address for the ASA, and that the ASA must act as VPN server and the router as client, is that right?
    If I need to configure the link between the router and the ASA, how can I do it? I can't find any document or example on the net :/
    Please, I need your support to make this dream real lol.
    I will post my configuration step by step following your help.
    many thanks.

    ASA needs a public IP address, that is sure, and also the ASA acts as VPN server. The client will be remote, not the router. For that you can use any Ethernet. Trying to make a remote VPN connection via the Cisco client, authenticate against an RSA Secure Token server and provide the client an IP address via DHCP.

  • No DNS and Double NAT

    Hello, I've recently encountered a very frustrating bug in my system that I could use some help troubleshooting.  I've read several similar posts, some are resolved while others are not, however none of the resolutions have worked for my situation.  Here it goes:
    I have an old macbook pro, a new macbook air, a white macbook and 2 iPhone 4s's all connected to the internet via WiFi through an AirPort Extreme.  The AE is connected to a cable modem which has internet service through Cablevision in NY.  There is also an AT&T Microcell hooked up to the AE to boost my cell signal.   All of this equipment has been working flawlessly together for a long time.  Until recently.  It could have started after an update, there have been several lately on all of the equipment including the firmware in the AE.  Anyway, I'll be connected without any issues - all lights green and happy - when suddenly, the internet will drop off and the AirPort Utility will pop up and warn me that:
    1) On the "internet" icon, it will say "disconnected"  
    2) On the AE icon, it says "No DNS server and Double NAT"
    After a few minutes and nothing done on my part, the lights turn green, the internet reconnects and all is well again. 
    This happens frequently and is really becoming a nuisance. Due to the frequency of the disconnection, I can no longer download a large file, update, or anything. Streaming video is impossible.
    So far, I have tried bridge mode and cycled the power in the order recommended, to no avail. When I do that, the AE turns green, but the internet says "not connected". I have also read that there might be too many IP addresses, which is not sitting well with my ISP, so I disconnected everything including unplugging the Microcell. Lastly, there are no other wireless phones or devices in the house. All to no avail.
    I should also mention that this began occurring on my Time Capsule, which I replaced with the AE in an attempt to fix this issue. 
    Any help would be greatly appreciated.
    Joe

    Sounds very similar to what I've been trouble shooting for 2 months now, only I have DSL from AT&T and I don't see the Double NAT warning.  My last post on the problem is here. 
    My only emergency solution for getting by day to day on the internet is to unplug the AE and connect one Mac directly to the DSL modem.  There's no shared connection or WiFi.  I looked at hosting WiFi from the Mac, but the only security available with that is WEP which isn't considered secure.  Even with this set up, I think (seat of the pants) that there are quality of service problems. 
    I've replaced the Airport Extreme with 2 different new units and the DSL modem with a new unit to no avail.  The Genius Bar and Apple phone support couldn't solve this, nor have 2 calls to AT&T support and one visit from an AT&T repairman.
    I would like to know how to better test or quantify the poor quality of connection that seems to be the problem.

  • VPN between IOS and ASA

    Hello my friends,
    I have been trying to establish VPN connectivity between IOS cisco router and ASA firewall over the internet - no luck so far. I think I am missing some important bit of the configuration.
    Here are my configuration commands:
    Router:
    crypto isakmp policy 20
    encryption 3des
    auth pre-share
    hash md5
    group 2
    crypto isakmp key XXX address 103.252.AAA.AAA
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    crypto map MAP 5 ipsec-isakmp
    set transform 3DES-MD5
    match address VPN
    set peer 103.252.AAA.AAA
    ip access-list extended VPN
     permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
     permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
    ASA commands:
    sysopt connection permit-vpn
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    tunnel-group 203.167.BBB.BBB type ipsec-l2l
    tunnel-group 203.167.BBB.BBB ipsec-attributes
    pre-shared-key XXX
    access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
    access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    crypto map VPN 10 set transform-set 3DES-MD5
    crypto map VPN 10 match address LIST
    crypto map VPN 10 set peer 203.167.BBB.BBB
    crypto map VPN interface outside
    Do you have any idea what is wrong? Thank you a lot in advance.

    I managed to get this from the show crypto ipsec sa
         local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
         local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
    And  details from show crypto session detail
    Interface: GigabitEthernet0/1
    Session status: DOWN
    Peer: 103.252.AAA.AAA port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit 1 10.110.25.0/255.255.255.0 10.10.0.0/255.255.0.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

  • MP-BGP and MPLS

    Hello all,
    I've been experimenting recently with MP-BGP and MPLS. I have no issues with how it works and how to implement it, and I have a fully working lab; however, I am wondering whether there is a solution that exists to create a full mesh without having to specify on every PE router the IP address of every other PE router in the VPNv4 configuration. So the ideal scenario would be that I could add another site to my MPLS which will receive all routes from every other site without updating any configuration at any other site.
    Thanks

    Hi Mathew,
    You can choose P1 or P2 as RR and configure a single MP-BGP session from PE devices to the RR. Any new PE that you want to include will need configuration changes on the RR and the new PE alone. You don't need to add configuration on other existing PEs.
    You can also play around with bgp dynamic neighbor to further reduce the configuration. But I haven't used it myself and am not sure if VPNv4 is supported.
    -Nagendra

  • BGP and MP-BGP

    What is difference between BGP and MP-BGP? and what is the exact application of both?

    Multiprotocol Extensions for BGP (MBGP), sometimes referred to as Multiprotocol BGP or Multicast BGP and defined in IETF RFC 4760, is an extension to Border Gateway Protocol that allows different types of addresses (known as address families) to be distributed in parallel. Whereas standard BGP supports only IPv4 unicast addresses, Multiprotocol BGP supports IPv4 and IPv6 addresses and it supports unicast and multicast variants of each. Multiprotocol BGP allows information about the topology of IP Multicast-capable routers to be exchanged separately from the topology of normal IPv4 unicast routers. Thus, it allows a multicast routing topology different from the unicast routing topology. Although MBGP enables the exchange of inter-domain multicast routing information, other protocols such as the Protocol Independent Multicast family are needed to build trees and forward multicast traffic.
    Multiprotocol BGP is also widely deployed in case of MPLS L3 VPN, to exchange VPN labels learned for the routes from the customer sites over the MPLS network, in order to distinguish between different customer sites when the traffic from the other customer sites comes to the PE router for routing.

  • Cisco NX-OS and ASA Software Checker

    Hi,
    I'm sorry if I post this in the wrong section.
    Currently we have a few Nexus switches and ASA Firewall in our network and I would like to check if there's any critical bug on the running OS/firmware on those devices.
    May I know if Cisco has page to verify on this?

    Bug Search Tool is what you want to use: 
    https://tools.cisco.com/bugsearch
    You can also ask in the forums for those platforms.
    This forum is to discuss specific bugs.

  • Guide or instruction about build and config NAT for network.

    Hey everybody. I'm learning Cisco CCNA and I have a problem when building a network. The network requirement is: construct and build a topology network with 4 routers, 6 switches and 8 PCs, and set and configure IP addresses for communication between the equipment in your topology network. Some suggestions given: 3->4 IP front, 1 range of 4 IP routes, 2 ranges of 8 IP routes, 1 range of 16 IP routes. Let's raise, give a method and configure NAT for the network with: Static NAT, Dynamic NAT, PAT and NAT co-ordinate.
    Please give me some guide or instruction about that lab. Thank you very much.

    Hey all, here is a topology (model) network I built myself and I have configured NAT for it. Please see, check, and fix errors or guide me to fix errors if there are any. Thank you very much.
    As the subject, I have proposed to use the IP range 200.200.5.1/27.
    b/ Static NAT for PC8 IP 192.16.6.1 to become IP 200.200.5.1 towards the outside network.
    Router3(config)#ip nat inside source static 192.168.1.2 200.200.5.1
    Router3(config)#interface fa 1/0
    Router3(config-if)#ip nat inside
    Router3(config-if)#interface s 0/0
    Router3(config-if)#ip nat outside
    a/ Allow PCs in LAN 192.168.5.1/24 to go out to the Internet; these IPs will be NATed to the IP range 200.200.5.1 -> 200.200.5.6 (IP 200.200.5.1 is used for Static NAT but we can reuse it).
    Router3(config)#access-list 1 permit 192.168.5.0 0.0.0.255
    Router3(config)#ip nat pool natdong 200.200.5.1 200.200.5.6 netmask 255.255.255.248
    Router3(config)#ip nat inside source list 1 pool natdong
    Router3(config)#interface fa 0/0
    Router3(config-if)#ip nat inside
    Router3(config-if)#interface s 0/0
    Router3(config-if)#ip nat outside
    c/ Allow PCs in the 2 LANs 192.168.1.0/24 and 192.168.2.0/24 to go out to the Internet; this IP range will be NATed to the IP range 200.200.5.33 -> 200.200.5.48 (16 IP addresses).
    Router3(config)#access-list 1 permit 192.168.1.0 0.0.0.255
    Router3(config)#access-list 1 permit 192.168.2.0 0.0.0.255
    Router3(config)#ip nat pool natpat 200.200.5.33 200.200.5.48 netmask 255.255.255.224
    Router3(config)#ip nat inside source list 1 interface serial 0/0 overload
    Router3(config)#ip nat inside source list 1 pool natpat overload
    Router3(config)#interface fa 0/0
    Router3(config-if)#ip nat inside
    Router3(config)#interface fa 1/0
    Router3(config-if)#ip nat inside
    Router3(config-if)#interface s 0/0
    Router3(config-if)#ip nat outside
    Note: My English is not good, so please excuse spelling mistakes.

  • Meaning of one-arm setup and src nat

    I've worked previously on CSS platform and recall deploying one-arm mode, which simply meant connecting the appliance via single physical trunk link.
    In terms of the ACE, some docs and ANM seem to suggest that one-arm requires src NAT; if true, why is that, unless one-arm now translates to one-VLAN?
    BTW I know about asymmetric routing and src NAT, but what I'm failing to get is how that relates to one-arm.
    thanks

    Hello Ajaz,
    generally the convention is to call one arm those setups where both client and servers, for a certain loadbalanced service (so VIP), belong to the same VLAN, see for example how it's defined here:
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_Routing_and_Bridging_Configuration_Examples
    not sure whether the definition has changed over time, I would guess that it can be intended in the physical sense (single link) so as you do, or in the logical sense, where 2 VLANs would represent 2 arms even if the physical connectivity is provided through just one link. From my experience, in the LB field the logical interpretation is prevalent.
    Thanks,
    Francesco
