Cisco asa traffic flow with destination nat

Hi Folks,
Can anybody comment on the below.
1. in source natting (inside users accessing internet), first the NAT will happen then the routing will happen. I agree with this..
2. in destination natting (outside users accessing inside server on public ip), what will happen first, NATTING or Routing. I am looking forward to hear an explanation.
regards
Rajesh

The ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from. On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
The short answer:
The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface.
     If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
     If there is a rule that explicitly specifies how to translate the packets destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
The longer answer:
For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
     Step 1.A: ACL Check: Check the un-translated packet against the interface ACL, if permitted proceed to step 2
Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
     Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped ip address or range, and is forwarded to an inside interface)?
   -or-
     Step 2 check B: Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
     If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; Then, a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the nat translation. You can actually see the nat divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be mis-leading.
Now lets refer to the specific example you outlined in your post; you said:
route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
nat (LAN,ISP-1) after-auto source dynamic any interface
nat (LAN,ISP-2) after-auto source dynamic any interface
Now lets say that there is a connection coming from behind LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before L3 Route Lookup?
The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
Message was edited by: Jay Johnston

Similar Messages

Cisco ASA 8.2. Destination NAT (network - network)

Hi Guys,
Could you tell me if I can do destination NAT (class C network => class C network) on Cisco ASA running 8.2? (or another version).
For example, will destination NAT like this work:
static (inside,outside) 8.2.2.0 10.10.8.0 netmask 255.255.255.0
I need that when a packet from Internet go to 8.2.2.X it's destination IP address will change to 10.10.8.X.
So, if a packet goes to 8.2.2.145 , the dest IP field of the packet will be changed to 10.10.8.145.
If a packet goes to 8.2.2.1, the dest IP field of the packet will be changed to 10.10.8.1.
Etc.
Thanks.

Hello,
Yes, that is possible.. In fact that is the way it works.
Regards,
Julio

Cisco asa traffic flow

Hi,
Can somebody give the packet/traffic flow paths from a higher security interface to lower & viceversa..
For eg: session > acl > xlate > etc...
Are these checking different in both of the above scenarios ?

Hi Felipe,
But i do see find difference while reading the below URL.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml
I would like to know how is the traffic flow from outside to inside and inside to outside.
Hope you go it...
regards
rajesh

Cisco ASA 5520 Failover with DMZ

I have a pair of Cisco ASA 5520s running as a primary/standby. Everything is working properly with the primary ASA, however when I trigger a failover, everything works except for the DMZ interface on the standby ASA. I've poured over the configs, but perhaps I have been staring at them too long because I am just not seeing anything.
Below is the output of the sh run failover, sh failover, and sh run interface commands for each unit...
PRIMARY ASA
Primary-ASA# sh run failover
failover
failover lan unit primary
failover lan interface stateful1 GigabitEthernet0/3
failover key *****
failover link stateful1 GigabitEthernet0/3
failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
Primary-ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 20:39:23 CDT Sep 3 2013
This host: Primary - Active
Active time: 69648 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
     Interface outside (184.61.38.254): Normal
     Interface inside (192.168.218.252): Normal
     Interface dmz (192.168.215.254): Normal (Waiting)
     Interface management (192.168.1.1): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
     IPS, 6.0(3)E1, Up
Other host: Secondary - Standby Ready
Active time: 2119 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.253): Normal
Interface inside (192.168.218.253): Normal
Interface dmz (192.168.215.252): Normal (Waiting)
Interface management (192.168.1.2): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Primary-ASA# sh run interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
ospf cost 10
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
ospf cost 10
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
ospf cost 10
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf cost 10
management-only
STANDBY ASA
Standby-ASA# sh run failover
failover
failover lan unit secondary
failover lan interface stateful1 GigabitEthernet0/3
failover key *****
failover link stateful1 GigabitEthernet0/3
failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
Standby-ASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 20:39:23 CDT Sep 3 2013
This host: Secondary - Standby Ready
Active time: 2119 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.253): Normal
Interface inside (192.168.218.253): Normal
Interface dmz (192.168.215.252): Normal (Waiting)
Interface management (192.168.1.2): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
     IPS, 6.0(3)E1, Up
Other host: Primary - Active
Active time: 70110 (sec)
      slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.254): Normal
Interface inside (192.168.218.252): Normal
Interface dmz (192.168.215.254): Normal (Waiting)
Interface management (192.168.1.1): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
     IPS, 6.0(3)E1, Up
Standby-ASA# sh run interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
ospf cost 10
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
ospf cost 10
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
ospf cost 10
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf cost 10
management-only
Does anyone see something I might be missing? I am at a loss...

I'll just answer my own question...the configs are correct, but it the interface on the standby ASA was plugged into an improperly configured switchport. That'll do it everytime.

Cisco ASA image verification with SHA-512 hashes

where are the SHA-512 values provided for the
Cisco ASA image verification example -> verify disk0:/asa915-k8.bin
CCO Hash SHA-512: 84f099d63e85c24bf0f541f2d9c342b466ee6224887dd4979e806aab9c0665)
CCO provides only MD5 (yes, there is a way to calculate MD5 hash), where are the SHA-512 hashes ?
br fasbasoft-534

The SHA-512 hashes would be for other (non-image) files that you are trying to verify where you have their SHA-512 hash value.
As you note, only the MD5 values are posted on cisco.com so you simply need to use the "verify /md5" option.

Cisco ASA 5505 - problem with negotiating IP address from PPPoE

Hi all,
I have problem with negotiating IP address from PPPoE. There is following design: ISP providing vDSL ending on VDSL modem in bridge mode. Behind brigde modem is ASA 5505 terminting PPPoE on OUTSIDE. Everything works fine except negotiating IP address from PPPoE server.
I have configured ASA 5505 with (ASA Version 9.2(2)4) for PPPoE like this [1.]. But If i try to "show" IP address on OUTSIDE interface a get this [2.], ok strange but let's continue. If list "show vpdn pppinterface id 1" i get this [3.]. Seems that I got public IP addres what was right, but this IP address was not associated with interface OUTSIDE?
Well, if I set IP address manually like this [4.] and also set a default route everything works fine but what will happen when ISP change reservation for my IP address or default gateway.
I have tried different version of ASA OS like 8.4, 9.1 but without luck.
Can anybody help me. Thanks a lot.
Regards
Karel
[1.]
interface Vlan100
description >>VLAN pro pripojeni do internetu<<
nameif OUTSIDE
security-level 0
pppoe client vpdn group O2
ip address pppoe setroute
vpdn group O2 request dialout pppoe
vpdn group O2 localname O2
vpdn group O2 ppp authentication chap
vpdn username O2 password *****
interface Ethernet0/0
description >>uplink O2 vDSL<<
switchport access vlan 100
[2.]
ciscoasa(config-if)# show ip address vlan 100 pppoe
ciscoasa(config-if)# 0.0.0.0 255.255.255.255 on Interface: OUTSIDE
ciscoasa(config-if)# show interface vlan 100 detail
Interface Vlan2 "OUTSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        Description: >>VLAN pro pripojeni do internetu<<
        MAC address f44e.05d0.6c17, MTU 1492
        IP address unassigned
Traffic Statistics for "OUTSIDE":
        28 packets input, 1307 bytes
        31 packets output, 721 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec, 3 bytes/sec
      1 minute output rate 0 pkts/sec, 1 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec, 0 bytes/sec
      5 minute output rate 0 pkts/sec, 0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Control Point Interface States:
        Interface number is 15
        Interface config status is active
        Interface state is active
[3.]
ciscoasa(config-if)# show vpdn pppinterface id 1
PPP virtual interface id = 1
PPP authentication protocol is CHAP
Server ip address is 88.103.200.41
Our ip address is 85.71.188.158
Transmitted Pkts: 20, Received Pkts: 16, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
ciscoasa(config-if)# show vpdn session state
%No active L2TP tunnels
%No active PPTP tunnels
PPPoE Session Information (Total tunnels=1 sessions=1)
SessID TunID Intf     State       Last Chg
22298      2 OUTSIDE SESSION_UP 561 secs
[4.]
interface Vlan100
description >>VLAN pro pripojeni do internetu<<
nameif OUTSIDE
security-level 0
pppoe client vpdn group O2
ip address 85.71.188.158 255.255.255.255 pppoe setroute
route OUTSIDE 0.0.0.0 0.0.0.0 88.103.200.41 1

You're right that the ACL should not affect otherwise allowed communications to the interface address.
Try disabling the ip audit feature on your outside interface.
no ip audit interface OUTSIDE AP_OUTSIDE_INFO
no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK

Cisco ASA 5505 VPN with iPhone

Hello Everyone. I am a newbie to the Cisco appliances, so please bear with me. I am trying to configure this unit to allow iPhone VPN access to our network to sync LOTUS DOMINO (Not Exchange) user's Email, Contacts, and Calendar. We have a Sonicwall NSA 2400 that is our main router, so the ASA will only be used for VPN access, not routing. It will be in the DMZ providing VPN access for the iPhones. With the VPN connected, we need to limit access to only those services required by the iphone to sync information. The Software version on the Cisco is 7.2(4). If there is anyone that could help me out, I would greatly appreciate it. Please remember I am new to this, so please be patient. Where do I begin? I hope to hear from anyone soon.

Hi,
I cannot help you with the Cisco side of the equation, but do you know about Lotus Traveler? It's free from IBM and essentially adds ActiveSync support to your Domino email environment. The iPhone is configured with an Exchange ActiveSync account and pointed to the Lotus Traveler server (which sits in your DMZ and only needs port 80/443 access). It gives you full push email/contacts/calendar (Blackberry-like) functionality.
Like I said, it's a free add-on from IBM Lotus for all licensed Domino users.

Cisco ASA 5505 - problem with ssh, icmp on OUTSIDE interface

Hi all,
I have a very strange problem with OUTSIDE interface and remote ssh. Well, I have followed documentation and configure remote access for ssh like this [1.]. If I want to connect from internet to OUTSIDE interface [2.] get no response and in log I can see this message [3.]. I really do not understand why is ssh connection dropped by OUTSIDE access-list [4.]? If I understand documentation correctly there is no impact for remote mangement/access like icmp, ssh, http(s) by interface access-list. So, why?
When I try ssh connection form internal network to INSIDE interface everything works fine and I can log in to ASA. If I try allow ssh in OUTSIDE access-list still no success and a get this message [5.]? It is strange, isn't?
The same problem with icmp if I want to "ping" OUTSIDE interface from internet a get thish message in log [6.] and configuration for ICMP like this [7.].
Full ASA config is in attachment.
Can anybody help how to fix it and explain what is exactly wrong.Thanks.
Regards,
Karel
[1.]
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
ASA-FW01# show ssh
Timeout: 60 minutes
Version allowed: 2
10.0.0.0 255.255.255.0 INSIDE
0.0.0.0 0.0.0.0 OUTSIDE
[2.]
ASA-FW01# show nameif
Interface Name Security
Vlan10 INSIDE 100
Vlan20 EXT-VLAN20 0
Vlan30 EXT-WIFI-VLAN30 10
Vlan100 OUTSIDE 0
ASA-FW01# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
ASA-FW01# show interface OUTSIDE detail
Interface Vlan100 "OUTSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: >>VLAN pro pripojeni do internetu<<
MAC address f44e.05d0.6c17, MTU 1480
IP address 85.71.188.158, subnet mask 255.255.255.255
Traffic Statistics for "OUTSIDE":
90008 packets input, 10328084 bytes
60609 packets output, 13240078 bytes
1213 packets dropped
1 minute input rate 15 pkts/sec, 994 bytes/sec
[3.]
Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
[4.]
access-list OUTSIDE remark =======================================================================================
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended deny ip any any log
access-group OUTSIDE in interface OUTSIDE
[5.]
Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
[6.]
Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
[7.]
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 INSIDE
icmp permit 10.0.0.0 255.0.0.0 EXT-WIFI-VLAN30
icmp permit any OUTSIDE

You're right that the ACL should not affect otherwise allowed communications to the interface address.
Try disabling the ip audit feature on your outside interface.
no ip audit interface OUTSIDE AP_OUTSIDE_INFO
no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK

Cisco ISE Process Flow with Active Directory

Hi guys,
Today I did a lab and see this note at Authentication Policy Interface. This note is:
Note: For authentications using PEAP, LEAP, EAP-FAST or RADIUS MSCHAP it is not possible to continue processing when authentication fails or user is not found. If continue option is selected in these cases, requests will be rejected.
Then I thought that the best way to configure authetication policy for Flex Auth: Dot1x (with Active Directory) > MAB (Internal Endpoint) > CWA (Guest and other user) will be using EAP-TLS authentication protocol.
Is this possible using another protocol instead of EAP-TLS (which is required client certificate has already been installed)? Would you mind helping me to reslove the problem? And the network authentication method at end user side will be?
Any help will be much appreciated.

Please refer the Supported Authentication Protocols ( including PEAP ) , database and authentication types from below
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_auth_pol.html#pgfId-1266680

Problem with Destination NAT or IPFW

Hi everyone.
First of all the description:
First Server Enabled services: AFP, DHCP, FIREWALL, NAT, NFS, OPEN DIRECTORY REPLIC, RADIUS AND SMB. (this server was connected with 2 links of internet, being the gateway for all LAN; 1 link is for navigate which is faster/dynamic ip[I already execute a nat.sh to fix to distribute the internet locally], the other is a static ip to redirect to my internal site)
Second Server Enabled Services: AFP, DNS, ICAL, NETBOOT, NFS, OPEN DIRECTORY MASTER, PRINT, SMB, SOFT. UPDT AND WEB.
My problems:
I Have a Wiki page (Web) internal up and running site, which can be accessed internally by 10.10.0.4 or andromedadincao.com.br.
When I try from a external access in www.andromedadincao.com.br it redirect to 201.90.64.34( this ip is a static bought on...).
The problem is that my gateway server (first) can't redirect to my stable and internal ip (10.10.0.4, that was up and running).
What I need to do? NAT config? Firewall config? Please tell me step by step, 'cause isn't so easy.
Thanks for help.

You have 2 Internet connections maybe from different ISPs connected to the first machine, one give you a static public IP and one is giving you a dynamic public IP?
These two are on one Interface en0 and the LAN is on en1?
Or how do you connect to the LAN? A third interface?
More than one Internet interface will probably complicate things for NAT redirect/forwarding.
And If web services on the first machine use the same ports as the wiki on the second it gets even tougher.
Otherwise if using a different port for WiKi editing the NAT conf to forward a port in/on/from the first machine public IP to the second machine port and IP could work. Of course depending on the first machine public IP configurations.
This tool might still work : http://www.jamiegriffin.com/gdog/thenatural/
Anyhow using a dual WAN router/firewall would probably be much easier/better.

Cisco ASA 5545-x with asa911-smp-k8.bin. What ASDM recommended???

At your earliest convenience, please advise what version for asdm works best?

ASDM 7.3(1) is recommended for your platform running the version you mentioned.
It's the recommended release for most current ASA hardware and software combinations - reference the ASA Compatibility document.

Creating a 20MB bandwidth using two cisco asa 5515x with a hub (10/100/1000)

hi all,
I would like to simulate a bandwidth of 20MB for my DR project testing on my two cisco asa 5515x and with a cisco hub (10/100/1000). I was thinking to make two connections on my "outside" vlan with both speed of 10 and etherchannel it and do it again on the other asa.
Do you think it will simulate 20MB bandwidth? Or any other suggestion? Please add any comment, thanks to all.

Hi Nicholas,
You have the HSRP running between your core devices. You can have your core A - ASA1 & Core-B - ASA2.
In your core switch you need to have a sepearate VLAN to connect the uplink to the firewall and asusual in asa you can have the primary and standby address configured and in core also you can have the vlan with hsrp ip configured.
But make sure that in your firewall you should mention the static routes for each subnets pointing to the core device hsrp.
The other scenario is you have make you ASA a standalone firewalls and in one firewall you need to have route to core a as primary and core b as secondary and in the other firewall vice versa. So that your traffic will get load balanced.
Please do rate if the given information helps.
By
Karthik

CIsco ASA 5505 and VPN licenses

Hi,
Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
How those licenses are counted? Will I need a license per one IPSec SA?
If I have two site connected with LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA or just 1 - one per point-to-point VPN?
Thank you.
Regards,
Alex

Alex,
In an ASA 5505, it should say something like this...when you do sh ver.
VPN Peers : 25
It means that you can have so many peers connecting to the ASA. Its not per IPSec SA.
Its a per tunnel license.
Rate this, if it helps!
Gilbert

Tools use to monitor cisco asa

Hi all,
I just roll out a cisco asa 5540 and use it as a SSL vpn concentrator.
Can i know what tools you use to monitor the cisco ASA, eg account with most number of login attempts, number of fail attempts etc
TIA!

You can look at Cisco Prime Collaboration Assurance if you're willing to upgrade to 10.0; they have started providing a free Standard license. They of course hope to upsell you to Advanced but the goal is for Standard to be an alternative to RTMT. There are also a plethora of ecosystem partners with product offerings in the Developer Marketplace.
Please remember to rate helpful responses and identify helpful or correct answers.

Cisco ASA 8.4 Destination Nat

Hi,
I am facing problem in implemnting NAT on cisco 8.4
the senerio is
Inside interface network 10.10.10.0/24
and 10.118.0.0/16 is also routed towards inside network
Other network 192.168.10.0/24 is routed via outside interface.
My requirement is to NAT the 192.168.10.2(real IP) to 10.10.10.2(mapped ip) so that when users from inside network(10.118.0.0/16) will come they will access the 10.10.10.2 instead of the real Ip(192.168.10.2)
So I used
nat (inside,Extranet) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2
but the connection is not working but with show nat I am getting hits on the NAT statement.
cap test ethernet-type arp interface inside real-time
1: 23:29:05.684199 arp who-has 10.10.10.2 tell 10.10.10.1
2: 23:29:09.687998 arp who-has 10.10.10.2 tell 10.10.10.1
I have also enabled the proxyarp on the inside interface but still the connection was not working.
Any help will be much appreciated...
Packet tracer output
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,Extranet) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2
Additional Information:
NAT divert to egress interface Extranet
Untranslate
10.10.10.2/80 to 192.168.10.2/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit tcp any object obj-192.168.10.2
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,Extranet) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2
Additional Information:
Static translate 10.118.60.44/12345 to 10.118.60.44/12345
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,Extranet) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2
Additional Information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 35428108, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Extranet
output-status: up
output-line-status: up
Action: allow

Hi,
You current NAT configuration
nat (inside,Extranet) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2
Basicly does so that when the network 10.118.0.0/16 tries to access the host 10.10.10.2/32 the source network 10.118.0.0/16 wont be translated but the host 10.10.10.2/32 will be untranslated to 192.168.10.2/32
So when someone on your local network tries to connect to 10.10.10.2/32 the router connected to the ASA will naturally use ARP to resolve the IP/MAC pair. I would check on that router if the ARP table shows the 10.10.10.2. If it doesnt then naturally the connection will fail.
I am not sure if you had a typo there (or I just understood you wrong) where you said that the router should know the real IP of 192.168.10.2 because with this configuration it specifically DOESNT know that IP address as the ASA seems to be NATing it to 10.10.10.2/32 which I guess would be part of the connected network between ASA and the router.
- Jouni

Cisco asa traffic flow with destination nat

Similar Messages

Maybe you are looking for