Cisco ISA 550 NAT problem

Hi all,
I have bought a Cisco ISA 550 small business firewall and I had to face to a problem when I configure the NAT.
My scenario is,
I have a mail server in my LAN which is need to be access from both inside and outside
My lan network is 192.168.0.0/24
I have a PPPoE WAN connection with a static IP
Mail server IP 192.168.0.15/ 24
There is not a DMZ zone. I need to NAT this server to my WAN IP and that WAN IP is also used
to provide internet connection to other LAN users. I could do this with my previous ADSL
router and i tried to do this with firewall but couldn't acheive the task.
Hope a help from some expert.
Thanks,
Charith

Do you want that your internal clients connect to the WAN IP and get natted to the local LAN IP?
Then open the Maintain and Operate Guide at cisco.com and search for "hairpinning".
Michael
Please rate all helpful posts

Similar Messages

Access to WAN Port 2 on an CISCO ISA 550 Firewall

Hi all
On a CISO ISA 550 Firewall i created a 2 WAN Port Failover whichs works fine. But how can access the WAN2 Port (see Attaments) from my Workstation even the WAN1 Port is up an runnig, i created also a new Zone and Firewall Rule but this dosen't work..
Thanks for your help

Upgrade Firmware...

ISA 550 Error - sdsd: http_get: Error: http_read_response failed, returned -2

Hi all,
I have a problems with my installed Cisco ISA 550 firewall
I received below error under the log messages.
     Could you be able to explain what is the reason for this message ?

Hi Bikram,
HW and SW informations are below, and i have attached two captures of two types (error, information) of logs messages what I received.
Firmware (Primary/Secondary)     : 1.2.17/1.0.3
Bootloader Version                         : 0.0.20 (dual)
PID VID                                           : ISA550-K9 V01
Plz reply me if you want any further details.
Thanks,
Charith

ISA 550 Firewall Rule - how to specify a domain (to resolve a DDNS)

I want to lock down access to an ISA 550 Firewall to 4 locations. 2 of the locations have dynamic IP addresses.
Both sites have a dynamic domain maintained at no-ip.org.
How can I enter 'name.no-ip.org' in to a firewall rule?

There is not a way to use a domain name in a firewall rule. When the traffic comes in the packets are addressed with IPs, not with domain names, so when the router looks things up it compares IP addresses.
In fact I have never seen this done, even on an enterprise device. I'm not saying nothing can do it, but it definitely isn't possible with the ISA.
Your best bet would be to try and get some static IPs for those two sites as well.
It is however possible to setup site-to-site VPNs between these devices even if some of them are using DDNS. This does require those other site's routers to support site-to-site tunnels. That way those four sites would be able to access resources behind the ISA, but no one else would, and you could still keep using the DDNS for the two dynamic sites.
Thank you for choosing Cisco,
Christopher Ebert
Network Support Engineer - Cisco Small Business Support Center
*please mark/rate helpful answers*

Performance degration with isa 550 on 100/10mbit line normal?

hi,
I installed an isa 550 on a 100/10 mbit line.
if I connect my macbook directly to the router, I got with speedtests 90mbit down, 9 mbit up - that's o.k.
with a plain vanilla isa 550 and only my macbook connected I got 70-80 mbit down, 9 mbit up, that's still o.k.
but isa connected with the rest of our network (nothing extraordinary - several macs and pcs) and configured with a few port-forwardings, that speedtest dropped to 50 mbit down and 9 mbit up.
you can see, upload-speed never changed, but download speed.
so I would like to know, is this normal, that the speed of our internet-connection declined so much with a few firewall-rules and 5 clients - is the processor of the isa to slow for this internet-line?
thx for your opinions in advance!
regards, ferdinand

Hi Olivier, thank you for using our forum, my name is Johnnatan I am part of the Small business Support community. ISA new product are really nice device, with multiple block features, to answer your question you can block specific web sites per URL, here you can see two ways to block that websites.
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3551
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3522
If you want to compare the features of both devices you can check this link. However the main difference is the 550 has 6 LAN ports, the 570 has 9 and supports more VPN tunnels.
For VPN SSL is supported without additional cost, here you can see how to configure it.
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3533
About your question regardless the Fortigate router, I have no information about it, I apologize for that.
I hope you find this answer useful,
*Please mark the question as Answered or rate it so other users can benefit from it"
Greetings,
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.

Azureus Nat problem

Hey
I am running a 17 inch imac and experiencing some trouble with my bittorrent client Azureus.
I simply never get the green smiley face. I read the wipi-help from Azureus and confirmed by using their instructions that I do have a NAT problem. I have no firewall running. I did continue reading the explanation in the Wiki but it seems to be PC oriented. Can anybody give me some good info to fix this problem?
By the way will my downloads be faster when I do use a correctly configured NAT?
Samuel
PS I am not using a router just a ADSL Modem

I had the same problem but turned off my firewall, opened the port 59981, turned my firewall back on & it worked straightaway, my d/l speed shot up frpom 20kb to 280kb. My only problem now is that when I am running azereus my internet connection sometimes drops and the only way round it seems to be turning off my mac & cable modem and rebooting. I'm on Telewest Blueyonder cable with a webstar cable modem and it only happens when I'm using Azereus.
Very frustrating!!

Open NAT problems with Xbox One .

When I first got my 1900ac I used Media Priortization to get an open NAT for Call of Duty Advanced Warfare on my Xbox One ; prioritizing the Xbox . It worked fine for about 6 months until I changed cable/net provider to Nextech in Ks. This company uses the 1900ac to hook up it's system for all it's customers ( since I already had one they're using mine ). Unfortunately I'm unable to get an open NAT in this game anymore ; I've tried just about everything , NAT forwarding , triggering , Media Prioritization . Nextech support & Xbox Live support , useless . Tried Portforward . com , nothing . Forwarding port 53 cuts off net connection & doing the static ip change for Xbox didn't help . Almost everything I've looked at seems out of date & I'm at my wits end . It would seem by now Linksys should have solutions available , any ideas ?

Thank you chin_pamz13 for your response . I tried to check if my modem had a public or private ip address but I'm not sure how to do that ; I've read about double NAT's elsewhere . Regardless , I think I've finally found a solution that seems to be working so far . I went to the website " tech - recipes . com " & found an article , " Xbox One open NAT " by Aaron St. Clair . I tried his first suggestion about port triggering , with extra ports I had'nt seen before . That did not work for me so I followed his instructions for putting the Xbox in the DMZ & it's working ! I think my problems from before were the result of improperly setting up the static ip address for my router & Xbox . Previous instructions had me changing the ip in the console along with the router ; Aaron said not to do so in the Xbox , let the router do the work it's supposed to do & make sure the settings in the console are on automatic . In the router at the DMZ , I was'nt sure how to proceed , but at the bottom is a section labeled DHCP reservations list ; clicked on that , saw XboxOne , clicked on that & it filled out the MAC address above for me . Then I went to the Xbox network settings , advanced settings & clicked " automatic " at ip address , subnet & DNS . I checked mutiplayer connections & did the " hold bumper & trigger buttons " trick & finally got an open NAT ; fired up CoD Advanced Warfare & got the open NAT there also . I may have screwed up when I did the port triggering but since the DMZ fix seems to work I'm going to leave things alone . Hope this helps others with open NAT problems .

Ps3 nat problem

why cant u get a open nat with ps3 always on moderate how do u get it to open ?

This link should help.
NAT Problems on games consoles and computers
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

Linksys Cisco WVC210 Network Camera - Problem

Hello Cisco Members,
I have problem with one Linksys Cisco WVC210 Network Camera.
When I Power ON, the PowerLED blinking, other 3 GreenLED light and on LCD Display have nothing.
I make 30 seconds push resset button, 30 seconds power OFF and havent result. When I connect it to
Router with DHCP, this camera can not take IP Address... I do not understand where is a problem with
this camera.
I write here to get a fix of this problem.
Regards,
Vivendi

Try power on and after 90 seconds go to the Browser and type in 192.168.1.99 (assuming you are on the 192.168.1.xx LAN network) and see if you are able to get to the firmware page, if yes try reload the firmware, if you are not then I would recommend returning the product by getting in touch with Cisco's Tech Support and get an RMA number and instructions on returning the product and get a replacement.
Alan.

Xbox360 WRT54GS ver. 6 NAT problems

my xbox 360's NAT is set to strict and prevens me from connecting with a lot of otehr players and my wireless router is a WRT54GS ver. 6

for xbox 360 having NAT problem... you need to call Xbox to ask for the port numbers to open...now if your isp is dsl then call them up and set the modem to bridge to set the rtr to pppoe...in this way we will be able eliminate the multiple NAT issues and for your xbox to work...
CamZ

Route or NAT problem?

Hi Everyone,
We have an ASA 5540 at our data center, with ASA 5505's at most remote sites.
At the sites without layer 3 switches behind the ASA 5505's, we can't reach the data center internal network through the ASA for flow-export, etc.
So, what I'm basically saying is, even though the tunnel is up and everything behind the branch ASA can reach the data center networks fine, the ASA itself cannot reach hosts on the data center network.
I'm hoping to configure these ASA 5505's so I can do flow export and SNMP logging from them, but without this routing or nat problem resolved, they just won't do it.
Doing a packet tracer from the ASA 5505 to the data center server I'm most focused on, reveals this:
BRANCH5505f01# packet input inside icmp 10.15.16.1 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
        hits=1004755, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.1.15       255.255.255.255 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
I am thinking the problem is NAT related, but with the new ASA NAT rule format due to v9.1... struggling to get a grip on where it is... any thoughts/help are appreciated.
Ken
Here is the relevant config for the Branch ASA and also the relevant config from the data center ASA:
Branch ASA Config Parts:
: Saved
ASA Version 9.1(2)
hostname BRANCHASA5505
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description LAN_NETWORK
nameif inside
security-level 100
ip address 10.15.6.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address <outside ip> 255.255.255.248
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network BRANCH_NETWORKS
description BRANCH LOCAL NETWORKS
network-object 10.15.6.0 255.255.254.0
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network NETWORK_MGMT
network-object 10.0.0.0 255.0.0.0
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL remark * FOR VPN CONNECTION TO DATACENTER/VEYANCE NETWORKS *
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL extended permit ip host <outside ip> host <outside ip datacenter asa>
access-list DATACENTER_VPN_ACL extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_NONAT extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_FILTER extended permit tcp any4 any4 eq www
access-list INSIDE_FILTER extended permit tcp any4 any4 eq 8080
logging host inside 10.1.1.15
flow-export destination inside 10.1.1.15 2055
ip verify reverse-path interface inside
ip verify reverse-path interface outside
nat (inside,outside) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
nat (inside,outside) source dynamic any interface
object network obj_any
nat (inside,outside) dynamic interface
access-group FROM_OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 <outside ip gateway> 1
route outside 10.1.1.15 255.255.255.255 <outside ip datacenter asa> 1
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group <outside ip datacenter asa> type ipsec-l2l
tunnel-group <outside ip datacenter asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map type regex match-any DomainBlockList
match regex DomainList-Netflix
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map httptraffic
match access-list INSIDE_FILTER
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action log
class BlockDomainsClass
reset log
policy-map URL-filter-policy
class httptraffic
inspect http http_inspection_policy
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
class class-default
flow-export event-type all destination 10.1.1.15
service-policy URL-filter-policy interface inside
prompt hostname context
Datacenter ASA Config Parts:
ASA Version 9.0(1)
hostname DATACENTERASA5540
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface GigabitEthernet0/0
description *** TO OUTSIDE NETWORK AT DATACENTER ***
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address <outside ip>
interface GigabitEthernet0/1
description *** TO INSIDE NETWORK ***
nameif INSIDE
security-level 100
ip address 10.1.3.2 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network DATACENTER_NETWORKS
network-object 10.1.0.0 255.255.0.0
object-group network BRANCH_NETWORKS
network-object 10.15.6.0 255.255.254.0
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL remark * FOR SITE TO SITE VPN TO BRANCH WV USA *
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL extended permit ip host <outside ip> host <outside ip branch asa>
access-list BRANCH_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group BRANCH_NETWORKS
flow-export destination INSIDE 10.1.1.15 2055
flow-export template timeout-rate 1
flow-export delay flow-create 180
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
nat (INSIDE,OUTSIDE) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
access-group FROM_OUTSIDE in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 <outside ip> 1
route INSIDE 10.0.0.0 255.0.0.0 10.1.3.1 1
route OUTSIDE 10.15.6.0 255.255.254.0 <outside ip branch asa> 1
crypto map OUTSIDE-MAP 156 match address BRANCH_VPN_ACL
crypto map OUTSIDE-MAP 156 set pfs
crypto map OUTSIDE-MAP 156 set peer <outside ip branch asa>
crypto map OUTSIDE-MAP 156 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
tunnel-group <outside ip branch asa> type ipsec-l2l
tunnel-group <outside ip branch asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
flow-export event-type all destination 10.1.1.15
user-statistics accounting
service-policy global_policy global
smtp-server 172.19.1.137
prompt hostname context
call-home reporting anonymous
Again, any help you can provide is appreciated... will vote for best...

I ran it, with the source IP corrected (it is 10.15.6.2):
BRANCHASA# packet input inside icmp 10.15.6.2 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
        hits=1203279, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.15/0 to 10.1.1.15/0
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.15.6.0       255.255.254.0   inside
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Static translate 10.15.6.2/0 to 10.15.6.2/0
Forward Flow based lookup yields rule:
in id=0xcb12f2f0, priority=6, domain=nat, deny=false
        hits=15824, user_data=0xcb0fdef8, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
        dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcaa712e0, priority=0, domain=nat-per-session, deny=true
        hits=77610, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bc128, priority=0, domain=inspect-ip-options, deny=true
        hits=91404, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bbc28, priority=66, domain=inspect-icmp-error, deny=false
        hits=4585, user_data=0xcb0bb238, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb0c1218, priority=70, domain=encrypt, deny=false
        hits=708, user_data=0xbf63c, cs_id=0xcb9ad918, reverse, flags=0x0, protocol=0
        src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
        dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb12fb00, priority=6, domain=nat-reverse, deny=false
        hits=15837, user_data=0xcb124438, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
        dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 143081, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Cisco ISA 500 Series - Intervlan routing via 801.2q (Router on a stick)

Hello to everyone,
I am considering the ISA 550 for a customer who has multiple VLANs on his network. In order to avoid purchase a layer3 switch, I was thinking that we could perhaps create a 802.1q trunk link from a switch to the ISA500 and perform Inter-VLAN routing through that. In addition, we would use access lists to prevent communications between specific VLANs.
My question is if this setup model can be done on the ISA 550. I haven't used it before, so I am not sure if it can support this setup.
Any information or help is much appreciated.
Many thanks,
Chris.

Chris, ISA550 can support the configuration you described.

ASA5512 iOS 9.3 inside nat problem

Hi,
I face some nat problem. i have ASA5512 iOS 9.3 its connect outside (ip: 37.10.1.2/29) for internet and inside (ip 10.78.61.1/24) for LAN and server.
I configure dynamic nat for internet its work. In LAN switch has 4 VLAN one server VLAN ip add 10.88.61.0/24.
Now i map a public ip 37.10.1.3 for server 10.88.61.10 from outside internet its work. But when i try to ping server public ip 37.10.1.3 from LAN its not ping but server local ip 10.88.61.10 ping from LAN.
How can solve the issue i need to ping public ip from LAN. ALL LAN VLAN are nat on ASA outside interface (ip: 37.10.1.2/29).
interface GigabitEthernet0/0
description #### Connect TO Internet ####
nameif outside
security-level 0
ip address 37.10.1.2 255.255.255.248
interface GigabitEthernet0/1
description #### Connect TO Core Switch ####
nameif inside
security-level 100
ip address 10.78.61.1 255.255.255.0
access-list outside-in extended permit ip any any
access-group outside-in in interface outside
access-group outside-in in interface inside
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_Ser
host 10.88.61.10
object network obj_Ser_WAN
host 37.10.1.3
nat (inside,outside) source static obj_Ser obj_Ser_WAN
object network obj_any
nat (inside,outside) dynamic 37.10.1.4
same-security-traffic permit intra-interface
Thanks
Afzal

Hi,
Try this NAT:-
nat (inside,inside) source static obj_Ser obj_Ser_WAN
Thanks and Regards,
Vibhor Amrodia

ISA 550 Bandwidth Management.

I wanted to know an automated or manual method of bandwidth management for ISA 550 with 1.2.x.x firmware. I currently have 30 nodes on a 2mbps link and if one host starts downloading others are left with very little or no bandwidth at all. Is there a way I can regulate this automatically or manually?

Sounds like Ciscomax got you fixed up. Also wanted to mention, should the need arise, you can do bandwidth throttling. We do this in some circumstances on Guest Wireless networks to prevent guests from hogging to much bandwidth. So, for example, if you wanted to limit bandwidth on a GuestWiFi to 512K/128K, you would do the following.
From within the ISA500 Config Utility, select Networking on the left
Expand QoS and select General Settings
Select to Enable WAN QoS and select Save
Expand WAN QoS and select Traffic Selector (Classification)
Select Add
Class Name:                   G-WiFi (In)
Source Address:                        Any
Destination Address:      Guest_Network
Select OK
Select Add (again)
Class Name:                   G-WiFi (Out)
Source Address:                        Guest_Network
Destination Address:      Any
Select OK
Select Save
Select QoS Policy Profile under QoS, WAN QoS in the Networking section on the left
Select Add
Policy Name: G-WiFi (In)
Select the Inbound Traffic radio button
Select Add
Select G-WiFi (In) from the Class drop down menu
DSCP Marking: None
CoS Marking:     7
Rate-limiting:      512
Select OK
Select OK
Select Add (again)
Policy Name: G-WiFi (Out)
Select the Outbound Traffic radio button
Select Add
Select G-WiFi (Out) from the Class drop down menu
Queue:               Q1
DSCP Marking: None
Rate-limiting:      128
Select OK
Select OK
Select Save

Cisco ASA5505 multiple public ip nat problem

Hello,
I've been having weird problem with static nat.
First have to say that i've been searching answer for this and not yet found...
I have three public IP:s from /24 network like 83.x.x.10, 83.x.x.25 and 83.x.x.41 all using netmask 255.255.255.0.
I'm using 83.x.x.10 on ASA outside interface and trying to do static nat for inside servers with those other IP:s, but not yet solved it.
Using Cisco ASA 5505 software v9.02
Config:
object network obj_guest
nat (guest,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic interface
object network w2008
host 192.168.1.10
object network w2008
nat (inside,outside) static 83.x.x.27
object service RDP
service tcp destination eq 3389
access-list outside_access_in extended permit object RDP any object w2008
access-group outside_access_in in interface outside
This works other networks that are like whole network with /29 mask and have router in front of ASA using bridge. But in my case i just have DSL modem bridged in front of ASA. This static nat works like should if i use like Zywall USG series fw and this same configuration works in my customers, but they have those scenarios i said having mask /29 and router in front...
It seems that the problem is in ASA, like i won't show those public IP:s to public router from my operator. Because if i roll those other public IP:s on my ASA:s outside interface: i will use 83.x.x.25 and 83.x.x.41 on outside interface and after that put back my original 83.x.x.10 then my static nat is working just fine, atleast few hours, but not in next morning because ISP router flushes ARP cache.
What trick i need to do with ASA to get this working?

Here is the command reference for that:
http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/a3.html#wp1824414
Apology, didn't know that you are running that version that supports this new command.
The reason why you need that is because the next hop device is not in the same subnet as your ASA as you have DSL modem bridge in front of the ASA, hence you would need that command enabled.

Cisco ISA 550 NAT problem

Similar Messages

Maybe you are looking for