Configuring PAT/NAT in Cisco routers

Hello, first sorry for my bad English.
I just wanted to know how to configure PAT (port address translation).
Like this?
amir(config)#ip nat inside source static tcp 192.168.1.1 1000 172.16.1.1 1000
Or not?
My 2nd question is:
when do I need to write "ip nat inside source" ... and when do I need to write "ip nat outside"?
And the last question for now is:
how can I (if that's possible) configure dynamic PAT? I mean that any computer on my LAN goes out to the internet with the same address but with different ports, in random mode (I mean without configuring static entries one by one).
I hope I was clear enough, thanks a lot!

Hi Tiger,
1) Yes, your first statement is a static PAT statement, which says that the source IP with source port 1000 is translated to 172.16.1.1 with the same port number; yes, it is a static PAT entry.
2) Coming to your 2nd question:
"ip nat inside source" is a global config command which says that any traffic which hits the inside interface gets its source IP address NATed.
"ip nat inside" is an interface mode command, which should be entered on the interface. This command specifies which interface is the inside interface that will NAT the incoming traffic.
3) Coming to your last question:
For dynamic PAT you just need to add the overload keyword at the end of your NAT statement.
This link will give you a very broad and nice picture of how NAT can be configured in different situations:
http://www.cisco.com/warp/public/556/12.html#6
HTH
Ankur
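As an added example (not code from the original thread), here is what the three answers above look like as one complete IOS configuration: the interface roles, a dynamic PAT (overload) rule limited to the LAN, one static PAT entry, and the inbound filter plus CBAC inspection that keep the static entry from being the only thing between the Internet and the LAN. The interface names, the 192.168.1.0/24 LAN, the 203.0.113.2 WAN address and the 192.168.1.10 server are assumptions:

```cisco
! Added example, not from the original thread. Interface names and addresses
! are assumptions.
!
! 1. Interface roles. "ip nat inside" / "ip nat outside" are interface-mode
!    commands; the global "ip nat inside source ..." statements use them to
!    know which direction is inside-to-outside.
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip inspect FW in
!
interface GigabitEthernet0/0
 description WAN (ISP)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! 2. Which inside sources may be translated. Only the LAN, never "permit any",
!    so the router does not overload traffic from unexpected sources.
ip access-list standard LAN-TO-INTERNET
 permit 192.168.1.0 0.0.0.255
!
! 3. Dynamic PAT: every LAN host leaves with the WAN interface address and a
!    source port chosen by the router. "overload" is what makes this
!    many-to-one instead of one-to-one.
ip nat inside source list LAN-TO-INTERNET interface GigabitEthernet0/0 overload
!
! 4. Static PAT: one inside service published on one outside port. This is an
!    inbound hole, so the outside ACL permits only that port.
ip nat inside source static tcp 192.168.1.10 443 interface GigabitEthernet0/0 443
!
! 5. Inbound filter on the WAN. The ACL is evaluated before outside-to-inside
!    translation, so it must name the global (WAN) address, not 192.168.1.10.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.2 eq 443
 deny   ip any any log
!
! 6. CBAC inspection on the LAN side opens the return path for the overloaded
!    sessions; without it the "deny ip any any" above would drop their replies.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Verify with: show ip nat translations / show ip nat statistics
```

In `show ip nat translations` the overloaded sessions show up as `192.168.1.x:port` mapped to `203.0.113.2:port` with distinct outside ports and disappear when the session ends, while the static 443 entry is always present. Return traffic for the dynamic sessions is admitted by the inspect entries, not by the ACL, which is why the ACL can end in an explicit deny.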

Similar Messages

  • Configuring PAT for VoIP got a Turn Up today!!!

    Good Morning all,
    I have a question. I've researched around the internet to find the CLI commands to open ports TCP 5060/5061 and UDP ports 1024 to 65535 to my SIP provider. I'm a voice guy, so I'm VERY new to security and I would like some assistance.
    I'm using an ASA 5505, and below is my show run:
    ------------------ show running-config ------------------
    : Saved
    ASA Version 8.3(2)
    hostname ECSASA-5505
    domain-name hostedatandvoice.local
    enable password <removed>
    passwd <removed>
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.252
    interface Ethernet0/0
    description COMCAST
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    banner exec EnterCloud Solutions ASA
    banner login AAA is enabled, Local access has been restricted to local Administrators and Engineers of ECS, LLC.
    banner motd EnterCloud Solutions ASA Applicance.  Unauthorized users will be logged and flagged for unauthorized access. IP's are tracked and logged and will be reported to local State and Federal agencies.
    banner motd Contact [email protected] for additional help or support.
    banner asdm WELCOME TO ECS ASA 5505 SECURITY APPLICANCE!
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name hostedatandvoice.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network Internet
    subnet 0.0.0.0 0.0.0.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object service NTP
    service tcp source eq 123 destination eq 123
    description Time Clock     
    object network STATIC-PAT
    subnet 192.168.1.0 255.255.255.0
    object network VPN-Pool
    subnet 190.168.10.0 255.255.255.240
    description VPN IP Address    
    object network SSL-VPN-POOL
    description SSL-VPN-POOL   
    object network SSL-VPN-POOL1
    object network SSL-VPN-NET1
    subnet 192.168.10.0 255.255.255.240
    object network outside_to_inside_VoIP
    host 192.168.1.8
    object-group network PRIVATE-LAN
    network-object 192.168.1.0 255.255.255.0
    object-group network SSL-VPN-NETWORKS
    description SSL VPN NETWORKS
    object-group network VPN-NETWORK
    network-object object SSL-VPN-NET1
    access-list OUTSIDE-IN extended permit udp any object STATIC-PAT eq ntp
    access-list ECSSLVPN remark Allow VPN Access to LAN
    access-list ECSSLVPN standard permit 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 1000000
    logging buffered debugging
    logging asdm debugging
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN-Pool 192.168.10.1-192.168.10.12 mask 255.255.255.240
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static PRIVATE-LAN PRIVATE-LAN destination static VPN-NETWORK VPN-NETWORK
    object network STATIC-PAT
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 x.x.x.x1
    route inside 192.168.10.0 255.255.255.255 192.168.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    email [email protected]
    subject-name CN=ESCASA-5505
    ip-address x.x.x.x
    keypair ECS-KP
    proxy-ldc-issuer
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 59203f51
        308202a8 30820211 a0030201 02020459 203f5130 0d06092a 864886f7 0d010105
        05003066 31143012 06035504 03130b45 53434153 412d3535 3035314e 301b0609
        2a864886 f70d0109 08130e35 302e3139 342e3234 352e3138 35302f06 092a8648
        86f70d01 09021622 45534341 53412d35 3530352e 686f7374 65646174 616e6476
        6f696365 2e6c6f63 616c301e 170d3133 30333132 31333233 34375a17 0d323330
        33313031 33323334 375a3066 31143012 06035504 03130b45 53434153 412d3535
        3035314e 301b0609 2a864886 f70d0109 08130e35 302e3139 342e3234 352e3138
        35302f06 092a8648 86f70d01 09021622 45534341 53412d35 3530352e 686f7374
        65646174 616e6476 6f696365 2e6c6f63 616c3081 9f300d06 092a8648 86f70d01
        01010500 03818d00 30818902 818100dd 432f3bbc 24f0329f 81f0faea 27555dd6
        972dfcc0 697dd74b 8ebdfe7a b7adb611 a97b3881 baef9373 d6442571 7da6d0b1
        f74e9ff9 6602d832 6a092719 2460ecb1 0088a4f0 fbf0c2b0 13586c87 c23d69b2
        08525422 f66e735c 46f3b3c8 d3f41c21 5a204fea cd798c7b e15c018a 6f6d344d
        de24ac87 12cc69a7 b07023a4 302a0702 03010001 a3633061 300f0603 551d1301
        01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23
        04183016 80149724 66a81b45 e402da6f f9e47a87 6c01af08 5476301d 0603551d
        0e041604 14972466 a81b45e4 02da6ff9 e47a876c 01af0854 76300d06 092a8648
        86f70d01 01050500 03818100 517b691a 285b035e 5e4ffaba 02467a5a 45d1d4fd
        0e39838d caf77bf1 4cc2f5a6 2fefb926 d0a2fdc4 ebabc75a 28380c06 60df23ee
        8be72ddc b3587956 1eb1df89 d7b4293a ad0db500 bf651885 0a44ba2c 4b94f8ce
        e27b8242 4abead6b a1af0468 5ed4a8ef 013f2d08 59df2f2e e6afcc21 2df6bbd0
        a1f15a01 4ba8960a ec9771bb
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd dns 4.2.2.2 8.8.1.1
    dhcpd domain hostedatandvoice.local
    dhcpd address 192.168.1.12-192.168.1.130 inside
    dhcpd dns 4.2.2.2 8.8.1.1 interface inside
    dhcpd domain hostedatandvoice.com interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 199.249.224.123 source outside prefer
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-3.0.11042-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2
    svc enable
    group-policy DfltGrpPolicy attributes
    dns-server value 4.2.2.2
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value ECSSLVPN
    default-domain value hostedatandvoice.local
    split-dns value hostedatandvoice.com
    address-pools value VPN-Pool
    webvpn
      svc ask enable default webvpn
    username khayes password <removed> privilege 15
    username mharrell password <removed> privilege 15
    username bdillard password <removed> privilege 15
    username skonti password <removed> privilege 15
    tunnel-group ECSSLVPN type remote-access
    tunnel-group ECSSLVPN general-attributes
    address-pool VPN-Pool
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:977f2a92875a8c744753124c94adbb09
    : end

    Kenneth,
    If that's the case you can use a range of ports and create a NAT using your outside interface IP.
    object network CUCM_Private
     host 10.10.10.10
    object service Range_1024_65535
     service udp source range 1024 65535
    object service SIP_range
     service tcp source range 5060 5061
    ! static PAT of both port ranges onto the outside interface address
    nat (inside,outside) source static CUCM_Private interface service Range_1024_65535 Range_1024_65535
    nat (inside,outside) source static CUCM_Private interface service SIP_range SIP_range
    ! on 8.3+ the ACL references the real (private) address; the protocol of
    ! each line must match the NAT rule it opens (UDP for the 1024-65535 range)
    access-list outside_access_in extended permit tcp any object CUCM_Private eq 5060
    access-list outside_access_in extended permit tcp any object CUCM_Private eq 5061
    access-list outside_access_in extended permit udp any object CUCM_Private range 1024 65535
    ! the ACL has no effect until it is bound to the interface
    access-group outside_access_in in interface outside
    Take into consideration that I am using different IP addresses; please use the corresponding IPs.
    Hope it helps,
    Juan Lombana

  • Difference between setting up a vpn with windows 7 and cisco routers

    Hi. I was wondering what the main difference is between setting up a VPN with Windows 7 and configuring it on Cisco routers.
    When you set up the VPN on Windows 7 or XP, do the client and server PCs take care of the encryption and decryption, whereas when configuring a VPN on routers the encryption and decryption is done solely by the routers?
    If I want to set up a connection where an IP in the same internal LAN is assigned to the client PC, I'm guessing I'd have to use a router configuration.
    Thanks

    Thank you for the response, lucky for me there was another option. Threatened to cancel with the ISP on the NAT side unless they assigned us a public static ip/gateway/subnet. They ended up doing that and the VPN connected as soon as the changes were made in the Linksys.

  • NAT overload is not working when i configure Double NAT for VPN

    I have a Cisco 2921 router with IOS version 15.1(4)M1.
    The router is configured for NAT overload and is working fine. I have a site-to-site VPN tunnel with a peer, with normal NAT translation. Now we need to configure double NAT on the VPN tunnel, as we need to free the subnet on the peer network. For double NAT I use the 3.2.21.x - 3.2.23.x /24 networks and apply the following commands:
    Double NAT translation
    ip nat inside source static network 192.168.10.0 3.2.21.0 /24 no-alias
    ip nat inside source static network 192.168.20.0 3.2.22.0 /24 no-alias
    ip nat inside source static network 192.168.30.0 3.2.23.0 /24 no-alias
    No-NAT
    access-list 101 deny   ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    VPN encrypted traffic over the tunnel
    access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    Problem:
    As soon as I apply the double NAT translation commands, NAT overload stops working and clients cannot reach the internet.
    The router's partial configuration is as below:
    REACH-R01(config)#do sh run
    Building configuration...
    Current configuration : 19233 bytes
    ! Last configuration change at 09:56:45 MST Tue Jan 29 2013 by admin
    ! NVRAM config last updated at 13:57:54 MST Wed Jan 30 2013
    ! NVRAM config last updated at 13:57:54 MST Wed Jan 30 2013
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname REACH-R01
    boot-start-marker
    boot-end-marker
    card type t1 0 0
    logging buffered 51200 warnings
    no aaa new-model
    clock timezone MST -7 0
    clock summer-time MST recurring
    network-clock-participate wic 0
    network-clock-select 1 T1 0/0/0
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 192.168.20.1 192.168.20.99
    ip dhcp excluded-address 192.168.20.250 192.168.20.255
    ip dhcp pool CISCO_PHONES
    network 192.168.20.0 255.255.255.0
    default-router 192.168.20.254
    option 150 ip 192.168.20.254
    no ip domain lookup
    ip domain name reach.local
    ip inspect name ethernetin ftp timeout 3600
    ip inspect name ethernetin h323 timeout 3600
    ip inspect name ethernetin http timeout 3600
    ip inspect name ethernetin rcmd timeout 3600
    ip inspect name ethernetin realaudio timeout 3600
    ip inspect name ethernetin smtp timeout 3600
    ip inspect name ethernetin sqlnet timeout 3600
    ip inspect name ethernetin streamworks timeout 3600
    ip inspect name ethernetin tcp timeout 3600
    ip inspect name ethernetin tftp timeout 30
    ip inspect name ethernetin udp timeout 15
    ip inspect name ethernetin vdolive timeout 3600
    multilink bundle-name authenticated
    isdn switch-type primary-ni
    trunk group PRI
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-3180627716
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3180627716
    revocation-check none
    rsakeypair TP-self-signed-3180627716
    voice-card 0
    dsp services dspfarm
    voice service voip
    allow-connections sip to sip
    fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
    sip
    voice translation-rule 1
    rule 5 /^7804981231/ /401/
    voice translation-rule 2
    rule 5 // /7804981231/
    voice translation-profile DID_INBOUND
    translate called 1
    voice translation-profile DID_OUTBOUND
    translate calling 2
    license udi pid CISCO2911/K9 sn FGL1540114P
    license accept end user agreement
    license boot module c2900 technology-package securityk9
    hw-module ism 0
    hw-module pvdm 0/0
    username test test
    redundancy
    controller T1 0/0/0
    cablelength long 0db
    pri-group timeslots 1-6,24
    no ip ftp passive
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key P@ssw0rd address 33.33.33.33 no-xauth
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    crypto map VPN-TUNNEL 1 ipsec-isakmp
    description COMPUGEN
    set peer 33.33.33.33
    set transform-set ESP-AES256-SHA
    match address 115
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description Outside Interface To the Internet
    ip address dhcp
    ip access-group outside_access_in in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN-TUNNEL
    interface ISM0/0
    ip unnumbered GigabitEthernet0/1.20
    service-module ip address 192.168.20.2 255.255.255.0
    !Application: CUE Running on ISM
    service-module ip default-gateway 192.168.20.254
    interface GigabitEthernet0/1
    no ip address
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1.10
    description VLAN 10 DATA VLAN
    encapsulation dot1Q 10
    ip address 192.168.10.254 255.255.255.0
    ip nat inside
    ip inspect ethernetin in
    ip virtual-reassembly in
    interface GigabitEthernet0/1.20
    description VLAN 20 VOICE VLAN
    encapsulation dot1Q 20
    ip address 192.168.20.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    interface GigabitEthernet0/1.30
    description VLAN 30 WIRELESS VLAN
    encapsulation dot1Q 30
    ip address 192.168.30.254 255.255.255.0
    ip nat inside
    ip inspect ethernetin in
    ip virtual-reassembly in
    interface GigabitEthernet0/2
    no ip address
    shutdown
    duplex auto
    speed auto
    interface ISM0/1
    description Internal switch interface connected to Internal Service Module
    no ip address
    interface Serial0/0/0:23
    no ip address
    encapsulation hdlc
    isdn switch-type primary-ni
    isdn incoming-voice voice
    trunk-group PRI
    no cdp enable
    interface Vlan1
    no ip address
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip http path flash:CME8.6/GUI
    ip nat inside source static tcp 192.168.10.10 443 interface GigabitEthernet0/0 443
    ip nat inside source static tcp 192.168.10.10 25 interface GigabitEthernet0/0 25
    ip nat inside source static tcp 192.168.10.10 1723 interface GigabitEthernet0/0 1723
    ip nat inside source static tcp 192.168.10.10 3389 interface GigabitEthernet0/0 3389
    ip nat inside source static tcp 192.168.10.10 123 interface GigabitEthernet0/0 123
    ip nat inside source static tcp 192.168.10.10 987 interface GigabitEthernet0/0 987
    ip nat inside source list 101 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 75.152.248.1
    ip route 0.0.0.0 0.0.0.0 75.152.248.1 254
    ip route 0.0.0.0 0.0.0.0 205.206.0.1 254
    ip route 192.168.20.2 255.255.255.255 ISM0/0
    ip access-list extended outside_access_in
    permit udp any any eq bootps
    permit udp any any eq bootpc
    permit tcp any host 22.22.22.22 eq 1723
    permit tcp any host 22.22.22.22 eq 3389
    permit tcp any host 22.22.22.22 eq smtp
    permit tcp any host 22.22.22.22 eq 443
    permit tcp any host 22.22.22.22 eq domain
    permit udp any host 22.22.22.22 eq domain
    permit tcp any host 22.22.22.22 eq 123
    permit icmp any host 22.22.22.22 unreachable
    permit icmp any host 22.22.22.22 echo-reply
    permit icmp any host 22.22.22.22 packet-too-big
    permit icmp any host 22.22.22.22 time-exceeded
    permit icmp any host 22.22.22.22 traceroute
    permit icmp any host 22.22.22.22 administratively-prohibited
    permit icmp any host 22.22.22.22 echo
    permit tcp any host 22.22.22.22 eq 987
    permit tcp any host 22.22.22.22 eq 47
    permit gre any host 22.22.22.22
    permit udp any host 22.22.22.22 eq isakmp
    permit esp any host 22.22.22.22
    access-list 23 permit any
    access-list 101 deny   ip 192.168.20.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 192.168.30.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 192.168.10.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any
    access-list 101 permit ip 192.168.20.0 0.0.0.255 any
    access-list 101 permit ip 192.168.30.0 0.0.0.255 any
    access-list 110 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
    access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    Solution: Support forums team

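An added example, not part of the original post, of how the double NAT in the question above can coexist with NAT overload. A plain `ip nat inside source static network` entry applies to every packet from that /24 whatever its destination, and static entries are consulted before the dynamic overload rule, so Internet-bound traffic also leaves as 3.2.2x.x and never comes back. Conditioning each static entry on the VPN destination with the `route-map` option of the static network statement is the approach shown here (verify the keyword is accepted on the running 15.1(4)M release). Interface names and addresses follow the posted configuration; the ACL and route-map names are assumptions:

```cisco
! Added example, not from the original post. ACL and route-map names are
! assumptions; addresses and interfaces are the ones in the posted config.
!
! Traffic that must be double-NATed: local LANs -> peer LAN, written with the
! pre-NAT (192.168.x) addresses because NAT ACLs see the untranslated packet.
ip access-list extended TO-PEER-VPN
 permit ip 192.168.10.0 0.0.0.255 3.2.1.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 3.2.1.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 3.2.1.0 0.0.0.255
!
route-map VPN-DOUBLE-NAT permit 10
 match ip address TO-PEER-VPN
!
! Static network NAT, now applied only when the route-map matches, so a LAN
! host talking to the Internet is no longer rewritten to 3.2.2x.x.
ip nat inside source static network 192.168.10.0 3.2.21.0 /24 route-map VPN-DOUBLE-NAT
ip nat inside source static network 192.168.20.0 3.2.22.0 /24 route-map VPN-DOUBLE-NAT
ip nat inside source static network 192.168.30.0 3.2.23.0 /24 route-map VPN-DOUBLE-NAT
!
! Overload for everything else. The deny lines keep VPN traffic out of the
! overload rule and must use the pre-NAT addresses; denies written against
! 3.2.21.0/24 as a source can never match an inside packet.
no access-list 101
access-list 101 deny   ip 192.168.10.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 101 deny   ip 192.168.20.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 101 deny   ip 192.168.30.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.30.0 0.0.0.255 any
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
! The crypto ACL matches the post-NAT addresses, because inside-to-outside
! NAT runs before the crypto map on the outside interface; the peer only ever
! sees 3.2.2x.0/24.
access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
```

After this change `show ip nat translations` should list 192.168.10.x mapped to 3.2.21.x only for flows whose destination is 3.2.1.0/24, and 192.168.x.x:port mapped to the GigabitEthernet0/0 address for everything else. Clear stale entries with `clear ip nat translation *` before testing, and confirm with the peer that any connection they initiate towards 3.2.2x.x still reaches the inside host through the conditional static entry.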

  • Ask the Expert: Configuration and Troubleshooting the Cisco Application Control Engine (ACE) load balancer

    With Ajay Kumar and Telmo Pereira 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco experts Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module:
    • Helps ensure business continuity by increasing application availability
    • Improves business productivity by accelerating application and server performance
    • Reduces data center power, space, and cooling needs through a virtualized architecture
    • Helps lower operational costs associated with application provisioning and scaling
    Ajay Kumar  is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications. 
    Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP
    Remember to use the rating system to let Ajay know if you have received an adequate response.
    Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
    This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

    Hello Krzysztof,
    Another set of good/interesting questions posted. Thanks!
    I will try to clarify your doubts.
    In the output below both resources (proxy-connections and ssl-connections rate) are configured with a minimum percentage of resources (column Min), while Max is set equal to Min.
    ACE/Context# show resource usage
                                                         Allocation
            Resource         Current       Peak        Min        Max       Denied
    -- outputs omitted for brevity --
      proxy-connections             0      16358      16358      16358      17872
      ssl-connections rate          0        626        626        626      23204
    Most columns are self-explanatory: 'Current' is the current usage, 'Peak' is the maximum value reached, and the most important counter to monitor, 'Denied', represents the number of packets denied/dropped due to exceeding the configured limits.
    On the resources themselves, proxy-connections is simply the number of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
    So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
    ssl-connections rate should be read in the same manner; however, all values for this resource are in bytes/s, except for the Denied counter, which is simply the number of packets that were dropped due to exceeding this resource.
    For your particular tests you have allocated a min percentage and set max equal to min; this way you make sure that this context will not use any other additional resources.
    If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
    This might sound like a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, especially if you have business critical contexts.
    We have a good reference for ACE resource planning that also contains a description of all resources (this will help to understand the output better):
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
    1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE should in theory silently drop (no RST is sent back to the client). So unless we changed something in the code, this is what you should see.
    To give more context, seeing resets with SSL connections is not necessarily synonymous with drops, as it is usual to see them during normal transactions.
    For instance, Microsoft servers are usually ungracefully terminating SSL connections with a RESET. Also, when there is renegotiation during an SSL transaction you may see RESETs, but this will pass unnoticed for end users.
    2) ACE will simply drop/ignore new connections when we reach the maximum number of proxied connections for that context. Existing connections will continue.
    As ACE doesn't respond back, the client would simply retransmit, and if he is lucky maybe on the next attempt he will be able to establish the connection.
    To overcome the denies, you will definitely have to increase the resource allocation. This of course assumes you are not reaching any physical limit of the box.
    As mentioned, setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
    3) If a new connection comes in with a sticky value that matches the sticky entry of a real server which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
    The client would at that point re-establish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the load-balancing decision.
    I hope this makes things clearer! Uff...
    Regards,
    Telmo

  • Securing Telnet access on Cisco routers (access class)

    Dear All,
    In all my network I have Cisco Catalyst switches and Cisco routers deployed in my WAN. In the Cisco routers an ACL was activated to secure telnet access to the WAN devices; only 3 (remote) hosts were authorized to access these devices. I need to modify this security to have access from the LAN (locally).
    The ACL was implemented in all routers and activated using access-class in.
    Is there any way, without changing the configuration much, to only tell the router to apply this ACL for the WAN and not for access from the LAN?
    Thanks for your help,
    Best regards,

    Hi,
    here is the ip int brief.
    Thanks
    CISCO1841#show ip int brief
    Interface              IP-Address       OK? Method Status  Protocol
    FastEthernet0/0        192.168.1.1      YES NVRAM  up      up
    FastEthernet0/1        192.168.2.1      YES NVRAM  up      up
    ATM0/0/0               unassigned       YES NVRAM  up      up
    Dot11Radio0/1/0        unassigned       YES NVRAM  up      up
    Dot11Radio0/1/0.1      192.168.2.129    YES NVRAM  up      up
    Dot11Radio0/1/0.2      192.168.3.1      YES NVRAM  up      up
    NVI0                   unassigned       NO  unset  up      up
    Virtual-Access1        unassigned       YES unset  up      up
    Dialer1                151.16.203.203   YES IPCP   up      up
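An added example, not part of the original thread, of how the vty ACL can be extended so the LANs seen in the posted `show ip int brief` are allowed alongside the three remote hosts. `access-class` filters on the source address of the incoming vty session, not on the interface it arrived through, so there is no per-interface switch; "WAN hosts only" versus "WAN hosts plus LAN" is expressed entirely by the ACL entries. The ACL name, the 198.51.100.x remote hosts, the domain name and the vty range are assumptions:

```cisco
! Added example, not from the original thread. ACL name, remote host
! addresses, domain name and vty range are assumptions; the LAN subnets are
! the ones from the posted "show ip int brief".
!
ip access-list standard MGMT-ACCESS
 remark the three remote management hosts that were already allowed
 permit host 198.51.100.11
 permit host 198.51.100.12
 permit host 198.51.100.13
 remark local LANs added for on-site access
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 remark everything else (including the rest of the WAN) is refused and logged
 deny   any log
!
! access-class decides by source address only; the same ACL therefore
! covers sessions arriving on Dialer1 and on the FastEthernet/Dot11 LANs.
line vty 0 4
 access-class MGMT-ACCESS in
 exec-timeout 10 0
 login local
 transport input ssh
!
! SSH instead of telnet, so management credentials do not cross the WAN in
! clear text. Keep "transport input telnet ssh" only while clients migrate.
ip domain name example.local
crypto key generate rsa modulus 2048
ip ssh version 2
```

Check the result with `show access-lists MGMT-ACCESS` (the hit counters climb as sessions are accepted or refused) and `show line vty 0 4` to confirm the access class is bound. A refused attempt appears in the log as an `%SEC-6-IPACCESSLOGNP` entry for the deny line, which is a useful indicator of management-plane probing from the WAN.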

  • Transcoding on cisco routers

    Hi,
    Can we do transcoding on Cisco gateways like IAD, 2800, 2900 series routers independently of CUCM or CME? I mean there is an IP PBX and there is a service provider. There is no CUCM or CME. The router is working as an IP2IP gateway. If the calls are coming to the router as G711 and the PBX is accepting only G729, is there a way to do the transcoding and change the codec to G729 on the router?
    Thanks.

    Unified Border Element Transcoding Configuration Example
    http://www.cisco.com/en/US/partner/products/sw/voicesw/ps5640/products_configuration_example09186a008092d6b3.shtml
    The above link is the way you would need to do this.
    HTH
    java
    If this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Policy Nat on cisco router

    Hi Dears,
    I configured a site-to-site VPN on the router. The peer wants the interesting traffic from our side's user subnet to be 10.193.115.11, but our local subnet is
    10.103.70.0/24. Our local subnet also has access to the internet.
    local subnet: 10.10.3.70.0/24
    peer local subnet: 10.193.128.11/23
    I think that I must do policy NAT.
    1. ip access-list extended vpn-traffic  
    permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
    2. ip access-list extended nat-ipsec
    permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    3. ip nat pool mswpool 10.193.115.1 10.193.115.14 netmask 255.255.255.240
      ip nat inside source list nat-ipsec pool mswpool
    And i have also PAT Nat for local user.
    access-list 100 permit ip 10.103.70.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    Is this configuration right?
    Please write your comments.
    Thanks.

    OK, thanks.
    At last, our configuration is this:
    access-list 100 deny ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    access-list 100 permit ip 10.103.70.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    for vpn traffic:
    ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
      ip nat inside source list nat-ipsec pool mswpool
    ip access-list extended vpn-traffic 
    permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
    ip access-list extended nat-ipsec
    permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    You said that this configuration would help me with my aim.
    Thanks again.
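
    The final configuration above depends on the order of the two entries in access-list 100: the deny line has to come before the permit so that traffic for the peer's subnet is kept out of the interface overload and only matches nat-ipsec. The Python below is an added illustration, not part of this thread or of any Cisco tool: it evaluates IOS-style wildcard-mask ACLs against sample flows (the flow addresses are constructed for the example) so that you can check that the two NAT lists never both permit the same flow. It does not model how IOS orders several ip nat inside source statements; the point of the deny entry is precisely to avoid relying on that.

```python
from ipaddress import IPv4Address

# Added example: an evaluator for IOS-style "permit|deny ip <src> <dst>" entries,
# using wildcard masks (0 bits must match, 1 bits are "don't care").


def _spec(tokens, i):
    """Parse one address spec starting at tokens[i]; return ((net, wildcard), next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tok)), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(lines):
    """Turn numbered ("access-list 100 ...") or named ("permit ip ...") entries into tuples."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]  # drop "access-list <number>"
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("only 'permit|deny ip' entries are handled: " + line)
        src, i = _spec(tokens, 2)
        dst, _ = _spec(tokens, i)
        entries.append((action, src, dst))
    return entries


def _matches(spec, addr):
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # bits that must match exactly
    return int(IPv4Address(addr)) & care == net & care


def acl_result(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in entries:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"


# The thread's final configuration, as posted above.
ACL_100 = parse_acl([
    "access-list 100 deny ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255",
    "access-list 100 permit ip 10.103.70.0 0.0.0.255 any",
])
NAT_IPSEC = parse_acl([
    "permit ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255",
])


def nat_lists_matching(src, dst):
    """Result of each NAT ACL for a flow: the overload list (100) and the pool list (nat-ipsec)."""
    return {
        "100": acl_result(ACL_100, src, dst),
        "nat-ipsec": acl_result(NAT_IPSEC, src, dst),
    }


if __name__ == "__main__":
    # Constructed sample flows: one to the VPN peer's LAN, one to the internet.
    for dst in ("10.193.129.11", "203.0.113.10"):
        print(dst, nat_lists_matching("10.103.70.25", dst))
```

    Running it shows the VPN flow denied by list 100 and permitted by nat-ipsec, and the internet flow the other way round; remove the deny line and the VPN flow is permitted by both lists, which is the situation the poster was trying to avoid.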

  • Question about configuration of NAT on ASA

    Hi all,
    I have an ASA configured with DHCP and it is providing IPs to users.
    The ASA is connected to a 3550 switch; it has a direct connection, or say a default static route.
    From the 3550 switch the connection goes to a router, which does the NAT and has the connection to the outside world.
    My question is: do I need to configure NAT inside and global (outside) on the ASA or not?
    As per my understanding, NAT is done by the router which has the connection to the ISP.
    Thanks
    Mahesh

    Hi Jennifer,
    Thanks for the reply.
    I tested like this: configured the NAT on the ASA,
    then, as per your reply, ran the command no nat-control, as the ASA version is 8.4.
    But the NAT config is still there in the ASA.
    I did sh xlate and it shows:
    ciscoasa# sh xlate
    27 in use, 371 most used
    PAT Global 192.168.11.2(33396) Local 192.168.1.5(57177)
    PAT Global 192.168.11.2(61657) Local 192.168.1.5(57176)
    PAT Global 192.168.11.2(52259) Local 192.168.1.5(57175)
    PAT Global 192.168.11.2(30453) Local 192.168.1.5(57174)
    I did clear xlate and there is still output from sh xlate.
    My question is: how do we test whether the ASA is NATing or not?
    Which commands can tell us that the ASA is doing NAT?
    Thanks
    Mahesh
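
    One way to answer the question of whether the ASA is translating at all is to read the show xlate output itself: every PAT line maps a Local address and port to a Global address and port, so the box is rewriting addresses whenever Local and Global differ. The Python below is an added example, not something from the thread or from Cisco: it parses the "PAT Global ... Local ..." line format quoted above (the four lines from the post are embedded as sample input), summarizes the entries per global address and reports whether any real translation is taking place. Lines in any other xlate format are skipped.

```python
import re
from collections import defaultdict

# Added example: summarize ASA "show xlate" PAT entries in the format quoted in the thread.
XLATE_LINE = re.compile(
    r"^(?P<kind>PAT|NAT) Global (?P<gip>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<gport>\d+)\))?"
    r" Local (?P<lip>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<lport>\d+)\))?"
)

# Sample input: the xlate lines quoted in the post above.
SAMPLE_XLATE = """\
27 in use, 371 most used
PAT Global 192.168.11.2(33396) Local 192.168.1.5(57177)
PAT Global 192.168.11.2(61657) Local 192.168.1.5(57176)
PAT Global 192.168.11.2(52259) Local 192.168.1.5(57175)
PAT Global 192.168.11.2(30453) Local 192.168.1.5(57174)
"""


def parse_xlate(text):
    """Return one dict per translation line; the header and unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "kind": d["kind"],
            "global": d["gip"],
            "global_port": int(d["gport"]) if d["gport"] else None,
            "local": d["lip"],
            "local_port": int(d["lport"]) if d["lport"] else None,
        })
    return entries


def summarize(entries):
    """Per global address: entry count, the set of local hosts, and whether an address was rewritten."""
    summary = defaultdict(lambda: {"entries": 0, "local_hosts": set(), "translating": False})
    for e in entries:
        s = summary[e["global"]]
        s["entries"] += 1
        s["local_hosts"].add(e["local"])
        # An identity mapping (Local == Global) would mean the ASA is not rewriting the address.
        if e["local"] != e["global"]:
            s["translating"] = True
    return dict(summary)


def is_translating(text):
    """True when at least one xlate entry maps a local address to a different global address."""
    return any(s["translating"] for s in summarize(parse_xlate(text)).values())


if __name__ == "__main__":
    for gip, s in summarize(parse_xlate(SAMPLE_XLATE)).items():
        print(gip, s["entries"], "entries from", sorted(s["local_hosts"]))
    print("translating:", is_translating(SAMPLE_XLATE))
```

    On the sample input this reports four entries for 192.168.11.2, all from 192.168.1.5, and translating: True, which is the evidence the poster was asking for: the ASA is building PAT translations for that host regardless of what the router behind it does.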

  • Facing issue in using SNMPV3 on Cisco Routers

    Hi,
    Actually, I am trying to implement SNMPv3 on Cisco routers and switches to manage and monitor these devices in a more secure manner using an NMS called Orion (NPM) Network Performance Monitor.
    When I go to add the node on Orion (NPM), it shows me an error that the device does not support the interfaces MIB.
    The routers' IOS version and feature set are as under:
    Cisco 3800 & 2800 (IOS version 12.4(20)T2 Advanced IP Services).
    Configuration as under:
    snmp-server group DEPT_GRP v3 auth context DEPT_CTX read DEPT_VIEW
    snmp-server view DEPT_VIEW iso included
    snmp-server view DEPT_VIEW internet included
    snmp-server view DEPT_VIEW interfaces included
    snmp-server view DEPT_VIEW system  included
    snmp-server view DEPT_VIEW chassis included
    snmp-server context DEPT_CTX
    snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
    snmp-server host 213.42.48.158 version 3 auth SNMPADMIN
    At Orion the parameters are given as under:
    Username: SNMPADMIN
    SNMPv3 context: DEPT_CTX
    SNMPv3 authentication: SHA1
    SNMPv3 privacy/encryption: DES56
    Password key: cisco123 (in all places)
    Kindly help me out and advise me where I am going wrong. Kindly check whether anything is missing in the configuration above regarding the SNMPv3 configuration.
    Rgds,
    Ayaz Ali

    Hi Joe,
    Thanks for your response. As per your reply, I had removed the context and views which were configured earlier on the router and followed the same instructions as you mentioned in your reply, but I would like to tell you one thing about the configuration that I had done for SNMPv3.
    Your configuration is:
    snmp-server group DEPT_GRP v3 auth read v1default
    snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
    My configuration is:
    snmp-server group DEPT_GRP v3 priv read v1default
    snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
    In your configuration, you are using authentication (auth) for the SNMPv3 group, and if you select the auth keyword then you have to provide only the authentication method (SHA, MD5) and no privacy keys for encryption (DES, AES) in the SNMP user configuration; otherwise it will give you an error that the credentials did not match on the host when you try to poll the device.
    In my configuration, I am using privacy (priv) for the SNMPv3 group; that's why I had given both authentication and encryption keys under the SNMP user configuration.
    In short, the user settings depend on the group settings: if you are using auth then it only supports authentication but no privacy, and if you are using priv then it allows both authentication and encryption (privacy).
    Thanks for your support, it really helped me out in solving the issue. Now I am able to poll all my routers using SNMPv3.
    Rgds,
    Ayaz Ali

  • The difference of the IEEE802.1x Auth between Cisco Routers and Catalyst switches

    Hello
    I am investigating the difference in IEEE 802.1X authentication between routers and switches.
    Basically, dot1x authentication is available on Catalyst switches. However, if I want to check
    port-based multi-auth, MAC address authentication and any certificate-based authentication with this feature,
    is it possible to integrate them into a Cisco router such as the Cisco 891F?
    In my opinion the Cisco 891F can also use basic IEEE 802.1X, but if it is compared with Catalyst switches such as the Cat3560X,
    I think there might be some unsupported features on the Cisco 891F.
    I appreciate any information. Thank you very much in advance.
    Best Regards,
    Masanobu Hiyoshi

    Many times in interviews I have been asked for a comparison between Cisco routers and switches, and I was answerless because I don't have much knowledge about that. Can anyone provide me a comparison sheet of the same: how the Cisco devices differ from each other, how much bandwidth each router supports, etc.?
    Ummmm ... The most common question I get is "what is the difference between a router and a switch".
    However, if you get a question like this, then my impressions of this line of questioning are:
    1. The candidate they are looking for has in-depth knowledge of routers and switches. And I mean IN-DEPTH!
    2. They are not looking for a candidate. They just want to stroke their ego. There are not a lot of people who can give you the "names and numbers" of routers and switches at the snap of a finger. And if you do happen to know the answer then and there, then expect a tougher follow-up question.

  • Two Cisco Routers in one class-c network

    Hello,
    I have two Cisco routers, which are connected to one switch. Several servers are connected to this switch as well.
    When I connected the second Cisco router, I got messages on the first router that there is an IP address conflict. After a few minutes it seems as if the VPN tunnel on the first router breaks down because of this conflict. I'm not sure about this, but when I disconnected the second router again, the VPN tunnel could be established again. The VPN tunnel goes to another router via WAN and ends in the local class C network where both routers are.
    Router1
    LAN 192.168.105.254 (255.255.255.0)
    WAN 212.xxx.xxx.xxx
    ||
    ||
    Cisco Switch
    ||
    ||
    Router2
    LAN IP 192.168.105.253 (255.255.255.0)
    WAN IP 217.xxx.xxx.xxx
    Router1
    int fa 0/1
    ip address 192.168.105.254 255.255.255.0
    Router2
    int fa 0/1
    ip address 192.168.105.253 255.255.255.0
    Could the /24 mask on the interfaces cause the conflicts?
    None of the servers has the IP 192.168.105.253 or 192.168.105.254, and if I disconnect Router2, the IP 192.168.105.253 is not reachable from any system on the switch.
    So how does this IP address conflict occur?

    hello,
    Can you check the router 1 log? With the error message you should have a MAC address:
    May 10 05:32:20.489: %IP-4-DUPADDR: Duplicate address 10.10.10.1 on GigabitEthernet0/1.1, sourced by 0003.oc12.a2c3
    This should help you identify the host already using 192.168.105.253.
    Before connecting Router 2, from Router 1 ping 192.168.105.253 and do a sh arp?
    HTH,
    regards,
    cisand
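
    The %IP-4-DUPADDR message quoted in the reply carries everything needed to track the conflict down: the address, the interface it was seen on and the MAC of the other device claiming it. The Python below is an added example (not from the thread) that pulls those fields out of syslog lines and groups them so that more than one MAC per address stands out; the log lines are constructed for the example and the MAC addresses in them are made up.

```python
import re
from collections import defaultdict

# Added example: extract the conflicting IP, interface and source MAC from %IP-4-DUPADDR syslog lines.
DUPADDR = re.compile(
    r"%IP-4-DUPADDR: Duplicate address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) on (?P<iface>\S+),"
    r" sourced by (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    re.IGNORECASE,
)

# Constructed sample log lines (not from the thread); the MAC addresses are made up.
SAMPLE_LOG = """\
May 10 05:32:20.489: %IP-4-DUPADDR: Duplicate address 192.168.105.253 on FastEthernet0/1, sourced by 0003.0c12.a2c3
May 10 05:32:51.012: %SYS-5-CONFIG_I: Configured from console by admin on vty0
May 10 05:33:20.490: %IP-4-DUPADDR: Duplicate address 192.168.105.253 on FastEthernet0/1, sourced by 0003.0c12.a2c3
May 10 05:34:02.117: %IP-4-DUPADDR: Duplicate address 192.168.105.253 on FastEthernet0/1, sourced by 0011.2233.4455
"""


def parse_dupaddr(text):
    """Return (ip, interface, mac) tuples for every DUPADDR line, in log order."""
    hits = []
    for line in text.splitlines():
        m = DUPADDR.search(line)
        if m:
            hits.append((m.group("ip"), m.group("iface"), m.group("mac").lower()))
    return hits


def conflicts_by_ip(text):
    """Map each conflicting IP to {mac: count}; more than one MAC means several devices claim the address."""
    table = defaultdict(lambda: defaultdict(int))
    for ip, _iface, mac in parse_dupaddr(text):
        table[ip][mac] += 1
    return {ip: dict(macs) for ip, macs in table.items()}


def suspect_macs(text):
    """Sorted list of MACs to look up in the switch's MAC address table to find the physical port."""
    return sorted({mac for macs in conflicts_by_ip(text).values() for mac in macs})


if __name__ == "__main__":
    for ip, macs in conflicts_by_ip(SAMPLE_LOG).items():
        print(ip, "claimed by", macs)
    print("look these up on the switch:", suspect_macs(SAMPLE_LOG))
```

    On the sample log this reports two distinct MACs claiming 192.168.105.253, which is exactly the case the reply describes: the router's own address is also in use by something else on the same segment, and the MAC is the handle for finding it.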

  • Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

    With Rahul Rammanohar 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
    In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
    • 7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
    • ASR9k: network processor capture
    • 7200/ISRs: embedded packet capture
    • Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
    • Cisco Nexus 7K: ELAM
    • CRS: show captured packets
    • ASR1K: embedded packet capture
    More Information
    Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
    Watch the Video:  https://supportforums.cisco.com/videos/6226
    Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service. 
    Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
    Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.  
    Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Erick
    Thanks for the topology. The trigger will be different for a labelled packet, as you would need to mention the values of the labels too in the trigger.
    Below are two examples of one or two labels being used; it depends on where you are capturing the packet in the MPLS VPN scenario, which will decide the number of labels being imposed on the packet.
    Trigger for one label (if PHP is being performed on the router on which you are capturing the packet):
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    Trigger for two labels (for other core routers):
    IGP label - 1234
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    You can check the labels being used (by using show ip cef <> details), convert their values to hex and change the trigger accordingly.
    I have changed the colors for better understanding. If you look carefully at the trigger, the values for the IP addresses and labels have just been converted to their respective hex values, which could be replaced.
    Please let me know if this helps.
    Thanks & Regards
    Hitesh & Rahul
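
    The hex in the two triggers above is nothing more than the MPLS EtherType, the 20 label bits of each stack entry and the two IPv4 addresses laid out at their byte offsets in the frame, with the mask words marking which nibbles must match. The Python below is an added illustration, not from the experts' reply or from any Cisco tool: it rebuilds both trigger strings from the label values and addresses, so the same conversion can be applied to other label stacks and prefixes. It assumes an untagged Ethernet II frame in front of the label stack, and it masks only those fields, leaving TC, S, TTL and the rest of the IP header as wildcards, the same way the reply's triggers do.

```python
import struct
from ipaddress import IPv4Address

# Added example: rebuild the ELAM dbus "if data = ... [ mask ]" trigger from label and address values.
ETHERTYPE_MPLS = 0x8847
ETH_HDR_LEN = 14         # dst MAC (6) + src MAC (6) + EtherType (2); assumes no 802.1Q tag
IPV4_SRC_OFF = 12        # source address offset inside the IPv4 header
IPV4_DST_OFF = 16        # destination address offset inside the IPv4 header
LABEL_MASK = 0xFFFFF000  # the 20 label bits of a 32-bit label stack entry (TC, S and TTL are wildcards)


def label_entry(label):
    """32-bit label stack entry with only the label field set (TC=0, S=0, TTL=0)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS labels are 20 bits wide: %r" % label)
    return label << 12


def _fmt(words, upper):
    """Print words the way the trigger does: bare 0 for empty words, 0x-prefixed hex otherwise."""
    return " ".join("0" if w == 0 else ("0x%08X" if upper else "0x%08x") % w for w in words)


def elam_mpls_trigger(labels, src_ip, dst_ip):
    """Return the 'show platform capture elam trigger ...' line for an MPLS-encapsulated IPv4 packet."""
    if not labels:
        raise ValueError("at least one label is required")
    ip_off = ETH_HDR_LEN + 4 * len(labels)  # where the IPv4 header starts
    length = ip_off + IPV4_DST_OFF + 4
    length += (-length) % 4                 # pad to whole 32-bit words
    data, mask = bytearray(length), bytearray(length)

    struct.pack_into(">H", data, ETH_HDR_LEN - 2, ETHERTYPE_MPLS)
    struct.pack_into(">H", mask, ETH_HDR_LEN - 2, 0xFFFF)
    for i, label in enumerate(labels):      # outermost (IGP) label first, VPN label last
        off = ETH_HDR_LEN + 4 * i
        struct.pack_into(">I", data, off, label_entry(label))
        struct.pack_into(">I", mask, off, LABEL_MASK)
    for addr, rel in ((src_ip, IPV4_SRC_OFF), (dst_ip, IPV4_DST_OFF)):
        off = ip_off + rel
        data[off:off + 4] = IPv4Address(addr).packed
        mask[off:off + 4] = b"\xff\xff\xff\xff"

    n = length // 4
    data_words = struct.unpack(">%dI" % n, bytes(data))
    mask_words = struct.unpack(">%dI" % n, bytes(mask))
    return ("show platform capture elam trigger dbus others if data = %s [ %s ]"
            % (_fmt(data_words, upper=True), _fmt(mask_words, upper=False)))


if __name__ == "__main__":
    # The two cases from the reply: PHP already done (VPN label only) and a core router (IGP + VPN label).
    print(elam_mpls_trigger([5678], "111.111.111.111", "123.123.123.123"))
    print(elam_mpls_trigger([1234, 5678], "111.111.111.111", "123.123.123.123"))
```

    Both printed lines match the reply's triggers word for word, which also shows why the two-label version shifts the address words one position to the right: every extra label pushes the IP header back by four bytes.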

  • Implementing WAAS using 3925 and 2911 Cisco routers

    Dear all,
    I am new to Cisco WAAS and therefore I would like to request some help regarding the following scenario:
    I have a star network (1 hub and 5 spokes) topology where each satellite site is connected via a 2 MB (symmetric) link to the headquarters (central node). In order to be able to concentrate all servers (services) at the headquarters and improve the user experience in remote sites when accessing network services that are located at the headquarters, we want to implement Cisco WAAS instead of increasing the existing bandwidth.
    At the headquarters we are using a Cisco 3925 router and at the remote locations we are using Cisco 2911 routers. Last but not least, there will be approximately 75 concurrent users from remote sites accessing resources at the headquarters.
    Currently I am planning to use the following:
    • At the headquarters I am planning to use a Cisco Wide Area Application Services (WAAS) module SM-SRE-900-K9 with an Enterprise license (for large deployment) in the Cisco 3925 router
    • At the remote sites I am planning to use a Cisco Wide Area Application Services (WAAS) module SM-SRE-700-K9 with an Enterprise license (for medium deployment) in the Cisco 2911 router
    Is there anything else that I am missing or need to take into consideration for deploying WAAS?
    Regards,
    Screech

    Hi Screech,
    Answers:
    Is the dedicated WAE hardware for central management purposes a required component? Not required, as WAEs can optimize even without central management, but you will not be able to collect statistics and reports and will have to manage the WAEs from the CLI. This is a kind of highly recommended management piece you will need.
    What is the difference between using a full-blown WAE instead of an SM-SRE module? Using a full-blown WAE at the DC is recommended, as you then avoid a couple of bottlenecks:
    1. Bandwidth allocation
    2. SM / NM models have low-capacity disks, whereas full-blown models like the 674s have 10k/15k SATA / SAS drives.
    3. HW redundancy: you have backup PS / HD in dedicated WAEs in most of the models.
    4. HW dependency: your SM modules depend upon your router / switch. If for some reason the switch or router goes down, the SM module goes down at the same time.
    5. Additional NICs / HW availability.
    There are various other reasons you might want to consider. You can ask your Cisco sales engineer, or one of the PDI help engineers on the forum can also punch in here.
    But basically, I would go for a full-blown WAE on the DC side and the central management piece as well.
    Regards.

  • Configuring IP SLA in cisco 3925 router.

    Hi Team, we need to configure IP SLA in a Cisco 3925 router with the c3900-universalk9-mz.SPA.151-4.M4.bin IOS, for monitoring purposes. Earlier we used the rtr command for the same. Now we are going with a new Cisco 3925 router with the above-mentioned IOS. Please suggest whether we can configure IP SLA in the router with the licence we have, or whether we need to buy a licence for the same.
    Posted by WebUser Ramkumar Selvaraj from Cisco Support Community App

    Hi
    I think the command has been updated - rather than 'rtr responder' it's now 'ip sla responder'.
    I don't believe you need any particular feature set.
    Also, this is a 'Contact Center' forum - you would get more responses in other places.
    Regards
    Aaron Harrison, Principal Engineer at Logicalis UK
    Please rate helpful posts...
