Client NAT and Source IP Sticky

How can we implement client NAT and source IP sticky for the same server farm without running into issues? Our NAT pool is using IPs from the VIPs' subnet. Is this possible? This configuration is on Cat 6500 w/ CSM-S v. 2.1.1. Thanks.

This is possible.
The CSM will first determine the destination server based on the client IP and the sticky srcip table, and then it will NAT the client IP address using your pool.
It does not matter which subnet is being used as long as the servers know to respond back to the CSM.
Regards,
Gilles.

Similar Messages

  • Destination NAT and Source Nat

    Hi, my network has mobile users with notebooks, and they use the public SMTP IP address when they are out of the office, without VPN. The ASA works well, but when they come back to the office they should change the SMTP IP back to the private one. I know that my task could be solved via the DNS service, but for some reason I should do DNAT and SNAT on the ASA. Please answer me: is it possible? (The ASA has to NAT and DNAT on the same interface, Inside, and send this traffic back to Inside again.)
    Please see this picture, I drew my task there. Thanks!

    Yes, it is possible through policy NAT.
    Here is the example.
    access-list policy-nat extended permit ip host 10.1.1.20 host 5.5.5.5
    global (dmz) 2 192.168.2.2
    nat (inside) 2 access-list policy-nat
    Hope that helps.
    thanks

  • Client Copy - Which source client 000 or 001?

    I have a new SAP Netweaver 2004s SR1 ABAP+JAVA system with the following usage types:
    SRM App
    SRMLac
    AS Java
    AS ABAP
    DI
    MI
    All the post-installation steps have been completed (including the CTC template configurations for DI and MI). The Java, DI, and MI have been configured against client 001. Now I want to create a new production client. The J2EE_ADMIN and users associated with DI and MI exist in client 001.
    I want to create a new production client 010. Should I copy the users (SAP_USER) from client 001 and the customizing data (SAP_CUST) from client 000? Or, can I copy everything from client 001?  There is a lot of conflicting information in the SAP Notes in regard to which source client to use.

    You should not use a transport of copies for table USR02. Use client copy profile SAP_USER or SAP_UONL (without authorization profiles and roles).
    And you should never copy customizing from client 001 to build up a new client. 001 happens to be an ordinary customer client which does not get supplied with changes SAP delivers after the release date. New SAP Netweaver 2004s installations use client 001 to file the user masters needed for the JAVA part. But this does not change the fact that client 001 is a customer client and should not be used as a template.
    For local client copies you could use copy profile SAP_UCUS with source client 000 and source client user master 001 in one step. This has the same result as a client copy with SAP_CUST from 000 and SAP_UONL from 001 (i.e. the authorization profiles and roles come from 000; when you need them from 001 you can either copy the missing ones individually or use SAP_PROF in a separate step).

  • Question about NAT Inside Source, Inside Destination, and Outside Source

    I read the Cisco command references about "ip nat inside source", "inside destination", and "outside source", but couldn't get a clear understanding of how to associate the commands with "ip nat inside" and "ip nat outside" configured for interfaces.
    Does "ip nat inside source ..." translation only happen on the interface configured as "ip nat inside"?
    Since NAT is a bidirectional action, what's the difference between "ip nat inside source ..." and "ip nat inside destination ..."?
    I've never used "ip nat outside source ...". In what cases would it be needed?
    On an interface where there are NAT translation and also other actions such as policy map or IP Sec crypto map, would NAT happen before or after other actions?
    Thanks for help with any questions.
    Gary

    Hi Gary,
    The following documents may help you to understand some of the terminology:
    http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
    http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml
    Also, the following document has a clear explanation of the order of operations when using NAT:
    http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
    Hope that helps - pls rate the post if it does.
    Paresh

  • Client NAT in CSS11500

    Hi,
    I'm currently redesigning my portal infrastructure and as such, I need to redo a few things on my CSS. But I can't seem to find anything about Client-NAT on the CSS. I need to NAT/PAT external sessions to an inside RFC1918 address. The config below simply passes the original src IP through and consequently the session is blocked by the firewall. So far I've been unsuccessful in finding the proper documentation, so I'm hoping someone here can help me get started.
    owner BK019TF
    content BK019TF-SSL
    vip address a.b.c.d
    add service SSLMODULE1
    port 443
    protocol tcp
    active
    content BK019TF
    redundant-index 142
    advanced-balance sticky-srcip
    port 4433
    protocol tcp
    vip address a.b.c.d
    add service Misys-ben-3
    add service Misys-ben-4
    active
    Thanks
    /Ulrih

    Source groups are used on CSS to NAT the source ip addresses. There could be two scenarios
    1. A connection is open to the server.
    In this case you need 'add destination service'.
    2. The server opens the connection. In this case you need 'add service ...'
    The following example will give you some idea of how to implement src NAT with CSS
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml
    Thanks
    Syed Iftekhar Ahmed

  • Client NAT - ACE

    Hi All,
    We are trying to configure client NAT on ACE , I have tried with the following configuration.
    I want to make sure the following things
    1) Whether this is a right way or not or if this is possible?
    2) If it is and any one is having ideas for that please do let me know so that I can send the topology diagram as well to get it understand easily.
    class-map match-all CLIENT-TO-AVS-VIP
    2 match virtual-address 172.16.30.110 tcp eq www
    class-map match-all NAT
    2 match source-address 0.0.0.0 0.0.0.0
    3 match destination-address 172.16.30.110 255.255.255.255
    policy-map multi-match MOON-POLICY
    class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
    class NAT
    nat dynamic 9 vlan 300
    interface vlan 300
    description Clentside interface
    bridge-group 30
    access-group input ALL
    nat-pool 9 172.16.30.200 172.16.30.210 netmask 255.255.255.255 pat
    service-policy input REMOTE-MGMT
    service-policy input MOON-POLICY
    no shutdown
    Regards
    Aslam...

    Hi Aslam,
    Yes, it's possible in a quite simple way. I see some errors in your configuration:
    You don't need a second class map "NAT", the first one is sufficient. You can tell the ACE "When traffic matches CLIENT-TO-AVS-VIP, loadbalance AND nat client traffic".
    To do so, simply insert the "nat dynamic 9 vlan 300" command inside the "class CLIENT-TO-AVS-VIP" mapping in the multi-match policy.
    This should work as you want :
    class-map match-all CLIENT-TO-AVS-VIP
    2 match virtual-address 172.16.30.110 tcp eq www
    policy-map multi-match MOON-POLICY
    class CLIENT-TO-AVS-VIP
    loadbalance vip inservice
    loadbalance policy MOON_AVS_CLIENT
    loadbalance vip icmp-reply
    nat dynamic 9 vlan 300
    Remember that an instruction like
    "2 match source-address 0.0.0.0 0.0.0.0" is a pleonasm; no instruction on source-address means match any source.
    You can check some other scenarios on source nat here :
    http://snippets101.blogspot.com/2007/12/source-nat-on-cisco-ace.html
    Hope this helps.
    Alberto

  • ACE 4710 client NAT (outgoing)

    Hi Experts,
    I have an ACE 4710 set up to load balance http and https only, and it seems to be working fine.
    Now I have another requirement to NAT all real servers' IPs (server side internal network 10.8.8.0) to the VIP (192.168.1.20).
    Our configuration is as below:
    The two real server IPs are 10.8.8.2 and 10.8.8.3, connected to VLAN interface v500 (IP is 10.8.8.254).
    VLAN v400 faces the public side; the v400 interface IP is 192.168.1.10, and there is one VIP, 192.168.1.20, which is mapped to the two real servers.
    I need to configure: all outgoing traffic from network 10.8.8.0 to the public side should have its source IP NATed to 192.168.1.20 (the VIP, not the interface real IP 192.168.1.10).
    Thanks,
    BQ

    Here are a few things you could try
    1. nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
    change to
    nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.255 (/32 host)
    2. service-policy input remote-access
    Do you have a management VLAN interface defined? If so, add it to that interface.
    3. The requirements are to LB http (80) and https (443). In this case you would need two separate VIPs defined:
    VIP1:
    class-map match-all slb-vip
      2 match virtual-address 192.168.1.20 tcp eq 80
    VIP2:
    class-map match-all slb-vip
      2 match virtual-address 192.168.1.20 tcp eq 443
    Is there a requirement to redirect http traffic? If so you would need to define another class-map to redirect http traffic to https.
    show service-policy client-vips detail
    HTH

  • Load Balance Reverse Proxy using ACE and HTTP Header Sticky

    Dear all,
    I have a reverse proxy that makes HTTP and HTTPS requests to an ACE.
    To implement persistence I want to configure HTTP header stickiness using the X-Forwarded-For information, but I don't know:
    How to implement it (I'll appreciate a little example of it).
    Which values I need for the OFFSET and LENGTH fields.
    Can you help me please?
    Thanks a lot!!

    Hi Cesar.
    Thanks a lot for your answer, but I think you misunderstood the question or I'm not explaining it very well.
    I don't need to insert anything.
    The serverfarm X will be accessed by a reverse proxy. This reverse proxy already inserts the X-Forwarded-For header, so the request from the reverse proxy comes with this header to the serverfarm X.
    The problem is that now, the serverfarm X sticks the client based on source IP. This is the wrong behavior because all the requests come from the same source (the reverse proxy) and all the load is forwarded to the same real IP address.
    This is why I want to change the sticky from source IP to HTTP header and look for the X-Forwarded-For field.
    Hope this clarifies the question!

  • Data load problem - BW and Source System on the same AS

    Hi experts,
    I’m starting with BW (7.0) in a sandbox environment where BW and the source system are installed on the same server (same AS). The source system is the SRM (Supplier Relationship Management) 5.0.
    BW is working on client 001 while SRM is on client 100 and I want to load data from the SRM into BW.
    I’ve configured the RFC connections and the BWREMOTE users with their corresponding profiles in both clients, added a SAP source system (named SRMCLNT100), installed SRM Business Content, replicated the data sources from this source system and everything worked fine.
    Now I want to load data from SRM (client 100) into BW (client 001) using standard data sources and extractors. To do this, I’ve created an  InfoPackage in one standard metadata data source (with data, checked through RSA3 on client 100 – source system). I’ve started the data load process, but the monitor says that “no Idocs arrived from the source system” and keeps the status yellow forever.
    Additional information:
    BW Monitor Status:
    Request still running
    Diagnosis
    No errors could be found. The current process has probably not finished yet.
    System Response
    The ALE inbox of the SAP BW is identical to the ALE outbox of the source system
    and/or
    the maximum wait time for this request has not yet run out
    and/or
    the batch job in the source system has not yet ended.
    Current status
    No Idocs arrived from the source system.
    BW Monitor Details:
    0 from 0 records
    – but there are 2 records on RSA3 for this data source
    Overall status: Missing messages or warnings
    -     Requests (messages): Everything OK
    o     Data request arranged
    o     Confirmed with: OK
    -     Extraction (messages): Missing messages
    o     Missing message: Request received
    o     Missing message: Number of sent records
    o     Missing message: Selection completed
    -     Transfer (IDocs and TRFC): Missing messages or warnings
    o     Request IDoc: sent, not arrived ; Data passed to port OK
    -     Processing (data packet): No data
    Transactional RFC (sm58):
    Function Module: IDOC_INBOUND_ASYNCHRONOUS
    Target System: SRMCLNT100
    Date Time: 08.03.2006 14:55:56
    Status text: No service for system SAPSRM, client 001 in Integration Directory
    Transaction ID: C8C415C718DC440F1AAC064E
    Host: srm
    Program: SAPMSSY1
    Client: 001
    Rpts: 0000
    System Log (sm21):
    14:55:56 DIA  000 100 BWREMOTE  D0  1 Transaction Canceled IDOC_ADAPTER 601 ( SAPSRM 001 )
    Documentation for system log message D0 1 :
    The transaction has been terminated.  This may be caused by a termination message from the application (MESSAGE Axxx) or by an error detected by the SAP System due to which it makes no sense to proceed with the transaction.  The actual reason for the termination is indicated by the T100 message and the parameters.
    Additional documentation for message IDOC_ADAPTER        601 No service for system &1, client &2 in Integration Directory No documentation exists for message ID601
    RFC Destinations (sm59):
    Both RFC destinations look fine, with connection and authorization tests successful.
    RFC Users (su01):
    BW: BWREMOTE with profile S_BI-WHM_RFC (plus SAP_ALL and SAP_NEW temporarily)
    Source System: BWREMOTE with profile S_BI-WX_RFCA (plus SAP_ALL and SAP_NEW temporarily)
    Could someone help?
    Thanks,
    Guilherme

    Guilherme
    I didn't see any reason why it's not bringing data. Are you doing a full extraction or delta? If delta extraction, please check whether the extractor is delta enabled or not. Sometimes this may cause problems.
    Also check this weblog on basic checks for data load errors. It may help.
    /people/siegfried.szameitat/blog/2005/07/28/data-load-errors--basic-checks
    Thanks
    Sat

  • Load balancing weirdness using NAT and same-metric route

    Hi.
    I'm trying to set up a double-WAN load-balancing scenario:
    I decided to attempt the "multiple same-metric routes with NAT" approach so I went for the example used in the IOS NAT Load-Balancing for Two ISP Connections Configuration Guide [1].
    I decided to use an upside-down Cisco 871-SEC/K9: use Vlan1 and Vlan2 for the routers and Fa4 for the LAN. I am hoping this is not an issue.
    There is this weirdness with some connections, particularly FTP. I pinpointed the problem to the following scenario: if I do a couple of pings to 100.1.1.1 using the FastEthernet4 as the source address, this is what I get in the logs:
    === PING 1 ECHO REQUEST ===
    *Mar 3 04:38:43.521: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan1), routed via RIB
    *Mar 3 04:38:43.521: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14152]
    *Mar 3 04:38:43.521: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan1), g=10.129.124.1, len 60, forward
    *Mar 3 04:38:43.521: ICMP type=8, code=0
    === PING 1 ECHO REPLY ===
    *Mar 3 04:38:45.589: NAT*: s=100.1.1.1, d=10.129.124.2->192.168.60.4 [19824]
    *Mar 3 04:38:45.589: IP: tableid=0, s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), routed via RIB
    *Mar 3 04:38:45.589: IP: s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), g=192.168.60.4, len 60, forward
    *Mar 3 04:38:45.589: ICMP type=0, code=0
    === (something else) ===
    *Mar 3 04:38:52.353: RT: SET_LAST_RDB for 0.0.0.0/0
    OLD rdb: via 10.129.124.33, Vlan2
    NEW rdb: via 10.129.124.1, Vlan1
    === PING 2 ECHO REQUEST ===
    *Mar 3 04:38:52.353: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan2), routed via RIB
    *Mar 3 04:38:52.353: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14159]
    *Mar 3 04:38:52.353: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan2), g=10.129.124.33, len 60, forward
    *Mar 3 04:38:52.353: ICMP type=8, code=0
    === PING 2 ECHO REPLY ===
    *Mar 3 04:38:53.029: NAT*: s=100.1.1.1, d=10.129.124.2->192.168.60.4 [19825]
    *Mar 3 04:38:53.029: IP: tableid=0, s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), routed via RIB
    *Mar 3 04:38:53.033: IP: s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), g=192.168.60.4, len 60, forward
    *Mar 3 04:38:53.033: ICMP type=0, code=0
    In the section "Ping 2 Echo Request" line 2 shows the NAT translating the packet to the address for the first provider but line 3 shows it routing it through the second one.
    In this case, the ICMP packet goes through but it is problematic if the ISP restricts the service by source-address (like RPF) or there is some acceleration mechanism inside the provider cloud, other than just plain routing.
    What am I missing? Here is the relevant part of the configuration. I deliberately disabled CEF to be able to debug the messages, but I *think* this may be altering the actual router behavior. This router does not have a "debug ip cef packet" command.
    no ip cef
    ip dhcp pool lan-side
    import all
    network 192.168.60.0 255.255.255.0
    default-router 192.168.60.1
    domain-name doublewan.local
    dns-server 8.8.8.8 8.8.4.4
    lease infinite
    ip domain name doublewan
    interface FastEthernet0
    !doesn't appear on running-config: vlan 1 is the default access vlan
    !switchport access vlan 1
    interface FastEthernet1
    switchport access vlan 2
    interface FastEthernet2
    shutdown
    interface FastEthernet3
    shutdown
    interface FastEthernet4
    ip address 192.168.60.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    no ip route-cache
    duplex auto
    speed auto
    interface Vlan1
    ip address 10.129.124.2 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    interface Vlan2
    ip address 10.129.124.35 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    ip route 0.0.0.0 0.0.0.0 Vlan1 10.129.124.1
    ip route 0.0.0.0 0.0.0.0 Vlan2 10.129.124.33
    ip nat inside source route-map nat1 interface Vlan1 overload
    ip nat inside source route-map nat2 interface Vlan2 overload
    ip access-list standard acl4-nexthop-vlan1
    permit 10.129.124.1
    ip access-list standard acl4-nexthop-vlan2
    permit 10.129.124.33
    route-map nat2 permit 10
    match ip address 102
    match ip next-hop acl4-nexthop-vlan2
    match interface Vlan2
    route-map nat1 permit 10
    match ip address 101
    match ip next-hop acl4-nexthop-vlan1
    match interface Vlan1
    control-plane
    Of course, there is some configuration pending for redundancy and stuff.
    Thanks a lot in advance.
    [1] http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.html

    Hello.
    This might be a bug in debug command or the IOS (without ip cef) you use; as routing is done before NAT (inside to outside).
    To make sure it works fine with ip cef, just enable strict uRPF (or just ACL) on .1 and .33 interfaces and see if you see any packet sent over wrong interface.
    PS: please check "sh ip cef 100.1.1.1"; I guess ip cef would tell you "per-destination sharing".
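
The mismatch discussed in this thread (a packet translated to the Vlan1 address but forwarded out Vlan2) can be picked out of a debug capture mechanically. The following is an added example, not part of the original posts: the log lines and interface addresses are copied from the question above, while the function and class names are illustrative assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Outside interfaces from the posted configuration (255.255.255.224 = /27).
OUTSIDE = {
    "Vlan1": ipaddress.ip_interface("10.129.124.2/27"),
    "Vlan2": ipaddress.ip_interface("10.129.124.35/27"),
}

# Debug lines copied from the post (ping 1 request/reply, ping 2 request).
DEBUG_LOG = """
*Mar 3 04:38:43.521: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan1), routed via RIB
*Mar 3 04:38:43.521: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14152]
*Mar 3 04:38:43.521: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan1), g=10.129.124.1, len 60, forward
*Mar 3 04:38:45.589: NAT*: s=100.1.1.1, d=10.129.124.2->192.168.60.4 [19824]
*Mar 3 04:38:45.589: IP: s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), g=192.168.60.4, len 60, forward
*Mar 3 04:38:52.353: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan2), routed via RIB
*Mar 3 04:38:52.353: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14159]
*Mar 3 04:38:52.353: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan2), g=10.129.124.33, len 60, forward
""".strip()

# Inside-to-outside source translation: "NAT: s=<inside>-><translated>, d=<dst> [id]"
NAT_SRC = re.compile(r"NAT\*?: s=([\d.]+)->([\d.]+), d=([\d.]+) \[\d+\]")
# Forwarding decision: "IP: s=<src> (<in-if>), d=<dst> (<out-if>), g=<gw>, len N, forward"
FORWARD = re.compile(
    r"IP: s=([\d.]+) \((\S+)\), d=([\d.]+) \((\S+)\), g=([\d.]+), len \d+, forward"
)


@dataclass
class Finding:
    inside: str      # original inside source address
    translated: str  # source address after NAT
    destination: str
    egress: str      # interface the packet was actually forwarded out of
    gateway: str     # next hop used
    expected: str    # outside interface whose subnet owns the translated address


def owner_of(addr):
    """Return the outside interface whose subnet contains addr, or 'unknown'."""
    for name, iface in OUTSIDE.items():
        if addr in iface.network:
            return name
    return "unknown"


def find_mismatches(log):
    """Pair each source translation with the following forward line and
    report packets whose translated source is not in the egress subnet."""
    pending = {}  # (translated source, destination) -> inside source
    findings = []
    for line in log.splitlines():
        nat = NAT_SRC.search(line)
        if nat:
            inside, translated, dst = nat.groups()
            pending[(translated, dst)] = inside
            continue
        fwd = FORWARD.search(line)
        if not fwd:
            continue
        src, _in_if, dst, egress, gateway = fwd.groups()
        inside = pending.pop((src, dst), None)
        if inside is None or egress not in OUTSIDE:
            continue  # not a translated packet leaving an outside interface
        src_ip = ipaddress.ip_address(src)
        if src_ip not in OUTSIDE[egress].network:
            findings.append(
                Finding(inside, src, dst, egress, gateway, owner_of(src_ip))
            )
    return findings


if __name__ == "__main__":
    for f in find_mismatches(DEBUG_LOG):
        print(
            f"{f.inside} -> {f.destination}: translated to {f.translated} "
            f"(subnet of {f.expected}) but forwarded via {f.egress}, next hop {f.gateway}"
        )
```

Run against a capture taken with CEF enabled (for example from an ACL log or a packet capture converted to the same line format), an empty result supports the reply's expectation that per-destination sharing keeps NAT and routing consistent.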

  • CLIENT of the source system in the Transfer Rules

    Hi,
    Can I get the CLIENT of the source system dynamically in the Transfer Rules (and assign it to an InfoObject)?
    I have a generic extractor from an R/3 source system. The table in the source system & the extract structure of the DataSource both contain MANDT, but it's not coming in the RSO2 screen (which, if I'm not wrong, is how it should be).
    I need the CLIENT info. in my BW data targets. I do not want to hardcode this value in Trans Rules as the client in Dev & Prod is different for my R/3 sys.
    If I can't get it directly from the DataSource, is there any way I can get it from any system field using routine?
    If I'm not wrong - SYST-MANDT in the Formulas will give me only my BW CLIENT.
    Thanks in advance for your help.
    Regards,
    Melwyn

    Hi,
    I think if your BW dev and prod clients are different, you can try this in the transfer rules:
    if sy-mandt = xxx.   " BW dev client number
       result = 'yyy'.   " source system dev
    else.
       result = 'zzz'.   " source system prod
    endif.
    Or enhance the extract structure / append structure with a ZZ field for MANDT and fill the field in user exit zxrsau01 with sy-mandt.
    Or, if you use InfoObject 0LOGSYS, populate it in the transfer rules with result = g_s_minfo-logsys.
    hope this helps.

  • How to improve client handover and roaming between AP's

    Improving client Handover and roaming between APs
    There are a few standards and methodologies available to improve handover of clients between APs. Most are focused on VoIP technologies, but it must always be remembered that we cannot control the client handover (especially with legacy clients); we can only encourage it. Some standards and methods work well for some environments and some do not, so test the recommendations extensively before implementing them in a live production environment. It must also be noted that all settings take effect immediately once applied; however, a client might need to re-associate for the changes to take effect on the client side.
    As with everything else in IT, if a perfect method/solution existed there would only be one - try them all and keep the best.
    The Standards and Definitions
    802.11k
    IEEE 802.11k allows a device to quickly identify nearby APs that are available for roaming. When the signal strength of the current AP weakens and the device needs to roam to a new AP, it will already know the best candidate AP with which to connect to.
    802.11r
    IEEE 802.11r specifies fast Basic Service Set (BSS) transitions between access points by redefining the security key negotiation protocol, allowing both the negotiation and requests for wireless resources to occur in parallel.
    When a device roams from one AP to another on the same network, 802.11r streamlines the authentication process. BSS allows a device to associate with APs more quickly. Coupled with 802.11k's ability to quickly identify the target AP, BSS's faster association method may enhance application performance.
    Handoff Assist
    The AP monitors the RSSI for every associated client. If the RSSI for a specific client falls below "low-rssi-threshold" and continues to fall for the "rssi-falloff-wait-time", then the AP will send a de-auth to the client. 
    The de-auth is meant to kick the client away from the current AP and get it to re-authenticate to a nearby AP. This will have the effect of helping a client handover between 2 APs.
    BUT (Big But), if the client gets de-authed and takes a while to re-authenticate (if it even does re-authenticate automatically after a de-auth), then this will have the effect of destroying communication instead of helping it -- mostly found with legacy clients. 
    Remove Lower Transmit Rates
    Removing lower transmit rates is a way to promote better roaming, BUT not all clients respond well, or even respond to it. 
    The practice is that the basic rates are a subset of the transmit rates. If you only want to allow speeds 9 and up, you would select only the transmit rates of 9 and up, and the basic rates of 9 and 11. If a legacy client expects the rates of 1 and 2 it will not connect.
    Local Probe Threshold
    Local Probe Threshold prevents a client from connecting to an AP with too low a signal. It helps more with the initial connection than with roaming.
    The local probe threshold parameter is not supposed to force clients to roam as soon as they pass near an access point with a good signal, but rather to NOT hold on to an access point with a weak signal (avoiding sticky clients).
    PMK Caching
    PMK caching is defined by 802.11i and is a technique available for authentication between a single AP and a station. If a station has authenticated to an AP, roams away from that AP, and comes back, it does not need to perform a full authentication exchange. Only the 802.11i 4-way handshake is performed to establish transient encryption keys.
    Opportunistic Key Caching (OKC)
    OKC is a technique similar to PMK caching, but not defined by 802.11i, for authentication between multiple APs in a network where those APs are under common administrative control. An Aruba deployment with multiple APs under the control of a single controller is one such example. Using OKC, a station roaming to any AP in the network will not have to complete a full authentication exchange, but will instead just perform the 4-way handshake to establish transient encryption keys.
    Implementation and Configuration
    802.11k
    802.11k is configured in your VAP profile. Tick the option to “Advertise 802.11k”. Thereafter set the Handover Trigger Feature Settings.
    Tick the “Enable Handover Trigger feature” and then set the RSSI threshold by specifying the -dBm level at which the handover trigger should be sent to the client.
    802.11r
    802.11r is configured under SSID of your VAP profile. Tick the option to “Advertise 802.11r”.
    Handoff Assist
    Station Handoff Assist is enabled in RF Optimization under the RF Management section of AP configuration.
    Tick the “Station Handoff Assist” option to enable it, then set the Low RSSI Threshold. The threshold determines above what level no deauth gets sent.
    Lower Transmit Rates
    Transmit rates can be adjusted in the Advanced tab of SSID under your VAP profile.
    Remember that the basic rates are a subset of the transmit rates. If you only want to allow speeds 9 and up, you would select only the transmit rates of 9 and up, and the basic rates of 9 and 11.
    Local Probe threshold
    Local Probe threshold can be adjusted in the advanced tab of SSID under your VAP profile.
    Depending on the density of your APs consider values between 20 and 40 -- 40 being aggressive in an AP dense area.
    Deny Broadcast Probes
    Denying Broadcast Probes can cause problems with Roaming especially if the SSID is hidden – leave option disabled.

    Hi, thank you for the helpful guidance. I have a basic question: if the device roams from one AP to another AP with the same SSID, is there a need for re-authentication, given a) the network uses EAP based authentication; b) the network uses MAC address authentication? If there is no need for EAP re-authentication, how are the 802.11 keys moved to the new AP? Thank you very much if you could help me clarify my thoughts.

  • Problems with NAT and UDP

    hi Everyone,
    I'm running a Cisco 3620 with two interfaces, a FE and an ADSL WIC, and I'm noticing some unexpected behaviour with NAT(ing) some UDP ports, here are the config rules in question:
    ip nat inside source static udp 192.168.100.26 14000 interface Dialer1  14000
    ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14001
    ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14002
    when I receive traffic through those ports, I see the following in
    show ip nat translations | include 14000
    udp 64.7.136.227:1038     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:1039     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1040      192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    udp  64.7.136.227:1041     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:1042     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1043      192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    udp  64.7.136.227:1044     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:14000    192.168.100.26:14000   ---                   ---
    How can I make this NAT static so that every host originates from port 14000 rather than a dynamic one that is being assigned now?
    Any help is greatly appreciated.
    Aleks

    Perhaps I wasn't clear enough in what I needed it to do. Here's a show ip nat translations for another (working) NAT(d) port on the same router:
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:54375 xxx.xxx.xxx.xxx:54375
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:50183  xxx.xxx.xxx.xxx:50183
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:50891  xxx.xxx.xxx.xxx:50891
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:60443   xxx.xxx.xxx.xxx:60443
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:2897     xxx.xxx.xxx.xxx:2897
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:51890    xxx.xxx.xxx.xxx:51890
    Notice how the forwarded port is the same on the router interface (64.7.136.227:6667) across all of the connections that have connected. Now this NAT rule behaves as it should, with the same syntax used as for the one I originally posted
    ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
    the only difference is that this one gets properly assigned to the requested port, whereas these rules
    ip nat inside source static udp 192.168.100.26 14000 interface  Dialer1  14000
    ip nat inside source static udp 192.168.100.26  14001 interface Dialer1  14001
    ip nat inside source static udp  192.168.100.26 14001 interface Dialer1  14002
    have a dynamically assigned port on (64.7.136.227) interface, as the show ip nat translations shows:
    udp 64.7.136.227:1038     192.168.100.26:14000  67.163.252.29:62564     67.163.252.29:62564
    udp 64.7.136.227:1039     192.168.100.26:14000    67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1040       192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    Basically how do I get the three rules to behave the same way as the one on top does...
    Thank you,
    Aleks

  • Configuring Doc Path (and Source Path) for default JDeveloper library

    hi
    Sometimes a default JDeveloper library has no Doc Path (or Source Path) configured.
    Adding a project library with only a Doc Path (or/and Source Path) configured (so no Class Path) can make the relevant API documentation more easily available in JDeveloper,
    see http://www.consideringred.com/files/oracle/img/2011/library-doc-path-20110529.png
    - (q1) Why has the "WebLogic 10.3 Remote-Client" library no Doc Path configured by default?
    - (q2) Are somehow/somewhere source files available (maybe only of "API related"/non-implementation classes) for the "WebLogic 10.3 Remote-Client" library, so these can be configured in a library Source Path, to make the API documentation even more easily accessible in JDeveloper?
    many thanks
    Jan Vervecken

    Thanks for your reply John.
    John Stegeman wrote:
    ... At least some of the classes' javadocs are here (http://download.oracle.com/docs/cd/E21764_01/apirefs.1111/e13941/toc.htm) ...
    As I write in my initial post, I am able to add a project library with only a Doc Path configured (as shown in library-doc-path-20110529.png),
    to "Oracle Fusion Middleware Oracle WebLogic Server MBean Javadoc 11g Release 1 (10.3.5) Part Number E13945-05 "
    at http://download.oracle.com/docs/cd/E21764_01/apirefs.1111/e13945/
    So, questions (q1) about a default Doc Path configuration and question (q2) about source files (similar to ADF) remain.
    regards
    Jan

  • NAT and Routed Network with Two ISP's on one router

    I'm sure this has been done covered many times, but I am not finding it.
    I have two ISP connections.
    With ISP-A I have a /30 between us, and 200.100.100.0/24 is routed to me via the /30. For this example we will say the /30 is 1.1.1.1 on the ISP end and 1.1.1.2 on my end.
    With ISP-B I have a 100.0.0.0/29 subnet. and the ISP gateway is on that subnet at 100.0.0.1
    On the inside of my network I have devices using both 200.100.100.x addresses and devices on 192.168.100.x that need to use NAT.
    I would like all of the devices on 200.100.100.x addresses to continue using ISP-A as their gateway.
    Everything on 192.168.100.x should use NAT and go out ISP-B
    I have tried
    ip nat inside source route-map ISP-A interface GigabitEthernet0/1 overload
    route-map ISP-B permit 10
     match ip address 101
     match interface GigabitEthernet0/1
     set ip next-hop 100.0.0.1
    route-map ISP-A permit 10
     match ip address 111
     match interface Multilink1
     set ip next-hop 1.1.1.1
    The problem comes when I have default routes to ISP-A in the router: then none of the ISP-B traffic works, and vice versa.

    I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because default is going to use one ISP or the other.
    If you can use BGP, this link will help you with load sharing between multiple ISPs when you have one router.
    http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
    HTH
