CSS 11050 NAT problem
Hi, I have a problem with the NAT group intercepting connections to a PIX on the local VLAN. VLAN1 on the LB is the outside internet connection, VLAN2 is internal, at 10.0.10.0/24. The PIX IP is 10.0.10.254. If a webserver at 10.0.10.5 tries to connect to a server behind the PIX, the PIX logs a connection not from 10.0.10.5, but from the NAT group, which has an external IP address. Not only does this slow things down, but confuses the ACL config on the PIX. Any way to force devices to directly connect on the local VLAN, as one would normally expect? Thanks!
What happens is the traffic that will use the group will need to match the source/dest configured in the ACL, but more importantly, the VLAN you apply to the ACL itself will determine what traffic is even looked at in the ACL itself. So if you apply vlan1 to the ACL, then only traffic coming into the CSS via VLAN1 will use the acl (assuming it matches the clause criteria configured).
By using the ACL approach, you could put those ip addresses you want to NAT in the first clauses, and then leave out the ones you do not want to NAT. If there is no ACL match, then there will be no NAT.
Instead of specifying all the IP addresses in separate ACLs, you can use the subnet mask to create a range of addresses.
Hope this helps. I do agree that this can be a bit of a maintenance challenge having to do this, but I'm not sure any other option exists unless there is something different about the way you have your source groups configured.
Regards
Pete..
Similar Messages
-
CSS and NAT problems (easy one?)
Hi,
I am trying the simplest of configurations, attempting to Load-Balance traffic using two servers and a single CSS. I am using "Routed" mode, but am experiencing problems with NAT. I am new to the world of CSSs.
I have two servers that have the VIP 80.80.80.230. All traffic is initiated from the client-side (public) and talks to this VIP address. All RETURN traffic must be NATed (by the CSS) with this VIP address. I would expect:
CLIENT (PUBLIC) -----> 80.80.80.230 (SERVER-VIP)
CLIENT (PUBLIC) <----- 80.80.80.230 (SERVER-VIP)
However, this configuration does not seem to work for me. When I sniff, I see the return traffic is NOT being NATed ... I see the following:
CLIENT (PUBLIC) ----------------------> 80.80.80.230
CLIENT (PUBLIC) <----------------------10.10.10.2
Here is my config :
ip route 0.0.0.0 0.0.0.0 80.80.80.225 1
!************************* INTERFACE *************************
interface e2
bridge vlan 2
!************************** CIRCUIT **************************
circuit VLAN1
ip address 80.80.80.227 255.255.255.240
circuit VLAN2
ip address 10.10.10.1 255.255.255.0
!************************** SERVICE **************************
service server1
ip address 10.10.10.2
port 5060
active
service server2
ip address 10.10.10.3
port 5060
!*************************** OWNER
owner me
content lbal
port 5060
protocol udp
vip address 80.80.80.230
add service server1
add service server2
application sip
active
!*************************** GROUP
group clients-group
vip address 80.80.80.230
add service server1
add service server2
active
CSS11501 /Version 7.4
I have tried this config with and without the NAT Group (clients-group) but to no avail.
Please please can someone stop me from going crazy with this. Any help really appreciated.
Grazie !
Matt
Hi Matt,
On the group use "add destination service" instead of "add service". That will do source NATing of traffic hitting the VIP.
Looks like this:
group clients-group
vip address 80.80.80.230
add destination service server1
add destination service server2
active
Diego -
CSS 11050 Load Balancing with Single VLAN (no NAT)
We have several CSS 11050's in use on our network, chiefly for load-balancing web servers. In a test network I've set up, I've configured our test servers' IP addresses and our load-balanced IP address to be on the same subnet. This way our developers can easily check both single servers as well as the LB configuration. This got me thinking...
All the config documentation I've seen on the CSS seems to assume that you are putting the VIP for the content rule on a different VLAN than the IPs for the services. Is there any particular need for this? I'm in the process of setting up another network that will have its services NATed behind a PIX. There are some services (WWW) that I want load balanced and some services (passive FTP with one server) where there's really no need. Would I do any harm by putting the content rules' VIPs on the same subnet as the servers themselves? I can still plug the servers into the other ports on the CSS so that I'm not really doing a "one-arm" configuration.
-Mark Romer
You shouldn't have any problem doing this. In addition to load balancing web servers we've also balanced terminal servers that are configured to be accessed by remote users through VPN connections. Because we have over 90 remote locations, I didn't want the services and the VIP addresses to be on different VLANs because I'd have to reconfigure the routers in all the remote locations. I was in the same position you're in, all the documentation indicated different VLANs but I thought it would be worth a try. Everything works perfectly...
Cody Rowland -
Hey
I am running a 17 inch imac and experiencing some trouble with my bittorrent client Azureus.
I simply never get the green smiley face. I read the wiki help from Azureus and confirmed by using their instructions that I do have a NAT problem. I have no firewall running. I did continue reading the explanation in the Wiki but it seems to be PC oriented. Can anybody give me some good info to fix this problem?
By the way will my downloads be faster when I do use a correctly configured NAT?
Samuel
PS I am not using a router, just an ADSL modem.
I had the same problem but turned off my firewall, opened the port 59981, turned my firewall back on & it worked straightaway; my d/l speed shot up from 20kb to 280kb. My only problem now is that when I am running Azureus my internet connection sometimes drops and the only way round it seems to be turning off my mac & cable modem and rebooting. I'm on Telewest Blueyonder cable with a webstar cable modem and it only happens when I'm using Azureus.
Very frustrating!! -
Load Balancing Linux servers with CSS 11050 series
We would like to load balance Linux FTP and Web servers with a CSS 11050 series device. Does the content switch use SNMP to load balance the servers? If so, which MIBs need to be loaded on the servers?
I don't believe that the CSS supports any SNMP load balancing mechanism.
There are basically two factors involved in load balancing. One: the state of the servers, which can be checked via a range of mechanisms including ping, TCP connection, application request, etc. Two: the way a server is chosen when a request comes in, including round-robin, least connections, ACA etc.
Check out these links:
http://www.cisco.com/warp/customer/117/basic_css_lb_config.html
http://www.cisco.com/warp/customer/117/methods_load_bal.html -
Open NAT problems with Xbox One .
When I first got my 1900ac I used Media Prioritization to get an open NAT for Call of Duty Advanced Warfare on my Xbox One, prioritizing the Xbox. It worked fine for about 6 months until I changed cable/net provider to Nextech in KS. This company uses the 1900ac to hook up its system for all its customers (since I already had one they're using mine). Unfortunately I'm unable to get an open NAT in this game anymore; I've tried just about everything: NAT forwarding, triggering, Media Prioritization. Nextech support & Xbox Live support, useless. Tried Portforward.com, nothing. Forwarding port 53 cuts off the net connection & doing the static IP change for the Xbox didn't help. Almost everything I've looked at seems out of date & I'm at my wits' end. It would seem by now Linksys should have solutions available; any ideas?
Thank you chin_pamz13 for your response. I tried to check if my modem had a public or private IP address but I'm not sure how to do that; I've read about double NATs elsewhere. Regardless, I think I've finally found a solution that seems to be working so far. I went to the website tech-recipes.com & found an article, "Xbox One open NAT" by Aaron St. Clair. I tried his first suggestion about port triggering, with extra ports I hadn't seen before. That did not work for me so I followed his instructions for putting the Xbox in the DMZ & it's working! I think my problems from before were the result of improperly setting up the static IP address for my router & Xbox. Previous instructions had me changing the IP in the console along with the router; Aaron said not to do so in the Xbox, let the router do the work it's supposed to do & make sure the settings in the console are on automatic. In the router at the DMZ, I wasn't sure how to proceed, but at the bottom is a section labeled DHCP reservations list; clicked on that, saw XboxOne, clicked on that & it filled out the MAC address above for me. Then I went to the Xbox network settings, advanced settings & clicked "automatic" at IP address, subnet & DNS. I checked multiplayer connections & did the "hold bumper & trigger buttons" trick & finally got an open NAT; fired up CoD Advanced Warfare & got the open NAT there also. I may have screwed up when I did the port triggering but since the DMZ fix seems to work I'm going to leave things alone. Hope this helps others with open NAT problems.
-
Why can't you get an open NAT with PS3? It's always on moderate; how do you get it to open?
This link should help.
NAT Problems on games consoles and computers
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones. -
Xbox360 WRT54GS ver. 6 NAT problems
My Xbox 360's NAT is set to strict and prevents me from connecting with a lot of other players, and my wireless router is a WRT54GS ver. 6.
For Xbox 360 having a NAT problem... you need to call Xbox to ask for the port numbers to open. Now if your ISP is DSL then call them up and set the modem to bridge and set the router to PPPoE; in this way we will be able to eliminate the multiple NAT issues and get your Xbox to work...
CamZ -
Hi Everyone,
We have an ASA 5540 at our data center, with ASA 5505's at most remote sites.
At the sites without layer 3 switches behind the ASA 5505's, we can't reach the data center internal network through the ASA for flow-export, etc.
So, what I'm basically saying is, even though the tunnel is up and everything behind the branch ASA can reach the data center networks fine, the ASA itself cannot reach hosts on the data center network.
I'm hoping to configure these ASA 5505's so I can do flow export and SNMP logging from them, but without this routing or nat problem resolved, they just won't do it.
Doing a packet tracer from the ASA 5505 to the data center server I'm most focused on, reveals this:
BRANCH5505f01# packet input inside icmp 10.15.16.1 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
hits=1004755, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.15 255.255.255.255 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
I am thinking the problem is NAT related, but with the new ASA NAT rule format due to v9.1... struggling to get a grip on where it is... any thoughts/help are appreciated.
Ken
Here is the relevant config for the Branch ASA and also the relevant config from the data center ASA:
Branch ASA Config Parts:
: Saved
ASA Version 9.1(2)
hostname BRANCHASA5505
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description LAN_NETWORK
nameif inside
security-level 100
ip address 10.15.6.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address <outside ip> 255.255.255.248
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network BRANCH_NETWORKS
description BRANCH LOCAL NETWORKS
network-object 10.15.6.0 255.255.254.0
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network NETWORK_MGMT
network-object 10.0.0.0 255.0.0.0
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL remark * FOR VPN CONNECTION TO DATACENTER/VEYANCE NETWORKS *
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL extended permit ip host <outside ip> host <outside ip datacenter asa>
access-list DATACENTER_VPN_ACL extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_NONAT extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_FILTER extended permit tcp any4 any4 eq www
access-list INSIDE_FILTER extended permit tcp any4 any4 eq 8080
logging host inside 10.1.1.15
flow-export destination inside 10.1.1.15 2055
ip verify reverse-path interface inside
ip verify reverse-path interface outside
nat (inside,outside) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
nat (inside,outside) source dynamic any interface
object network obj_any
nat (inside,outside) dynamic interface
access-group FROM_OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 <outside ip gateway> 1
route outside 10.1.1.15 255.255.255.255 <outside ip datacenter asa> 1
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group <outside ip datacenter asa> type ipsec-l2l
tunnel-group <outside ip datacenter asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map type regex match-any DomainBlockList
match regex DomainList-Netflix
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map httptraffic
match access-list INSIDE_FILTER
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action log
class BlockDomainsClass
reset log
policy-map URL-filter-policy
class httptraffic
inspect http http_inspection_policy
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
class class-default
flow-export event-type all destination 10.1.1.15
service-policy URL-filter-policy interface inside
prompt hostname context
Datacenter ASA Config Parts:
ASA Version 9.0(1)
hostname DATACENTERASA5540
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface GigabitEthernet0/0
description *** TO OUTSIDE NETWORK AT DATACENTER ***
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address <outside ip>
interface GigabitEthernet0/1
description *** TO INSIDE NETWORK ***
nameif INSIDE
security-level 100
ip address 10.1.3.2 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network DATACENTER_NETWORKS
network-object 10.1.0.0 255.255.0.0
object-group network BRANCH_NETWORKS
network-object 10.15.6.0 255.255.254.0
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL remark * FOR SITE TO SITE VPN TO BRANCH WV USA *
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL extended permit ip host <outside ip> host <outside ip branch asa>
access-list BRANCH_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group BRANCH_NETWORKS
flow-export destination INSIDE 10.1.1.15 2055
flow-export template timeout-rate 1
flow-export delay flow-create 180
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
nat (INSIDE,OUTSIDE) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
access-group FROM_OUTSIDE in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 <outside ip> 1
route INSIDE 10.0.0.0 255.0.0.0 10.1.3.1 1
route OUTSIDE 10.15.6.0 255.255.254.0 <outside ip branch asa> 1
crypto map OUTSIDE-MAP 156 match address BRANCH_VPN_ACL
crypto map OUTSIDE-MAP 156 set pfs
crypto map OUTSIDE-MAP 156 set peer <outside ip branch asa>
crypto map OUTSIDE-MAP 156 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
tunnel-group <outside ip branch asa> type ipsec-l2l
tunnel-group <outside ip branch asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
flow-export event-type all destination 10.1.1.15
user-statistics accounting
service-policy global_policy global
smtp-server 172.19.1.137
prompt hostname context
call-home reporting anonymous
Again, any help you can provide is appreciated... will vote for best...
I ran it, with the source IP corrected (it is 10.15.6.2):
BRANCHASA# packet input inside icmp 10.15.6.2 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
hits=1203279, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.15/0 to 10.1.1.15/0
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.15.6.0 255.255.254.0 inside
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Static translate 10.15.6.2/0 to 10.15.6.2/0
Forward Flow based lookup yields rule:
in id=0xcb12f2f0, priority=6, domain=nat, deny=false
hits=15824, user_data=0xcb0fdef8, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcaa712e0, priority=0, domain=nat-per-session, deny=true
hits=77610, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bc128, priority=0, domain=inspect-ip-options, deny=true
hits=91404, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bbc28, priority=66, domain=inspect-icmp-error, deny=false
hits=4585, user_data=0xcb0bb238, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb0c1218, priority=70, domain=encrypt, deny=false
hits=708, user_data=0xbf63c, cs_id=0xcb9ad918, reverse, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb12fb00, priority=6, domain=nat-reverse, deny=false
hits=15837, user_data=0xcb124438, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 143081, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow -
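For the branch ASA thread above, an added example (not code from the thread or from Cisco) that parses packet-tracer output like the two transcripts posted there into phases and reports the verdict, the drop reason and the NAT rules that were applied, so the same check can be run across many branch ASAs. The two sample transcripts are constructed from, and abridged against, the output in the thread, with the hostname shortened.

```python
"""Parse ASA packet-tracer output into phases and pull out the verdict, the
drop reason and the NAT rules applied. Added example for the branch-ASA
thread above, not code from the thread or from Cisco; the two samples are
constructed from, and abridged against, the transcripts posted there."""
import re
from typing import Dict, List

_PHASE = re.compile(r"^Phase:\s*(\d+)$")
_DROP = re.compile(r"^Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<text>.*)$")


def parse_packet_tracer(text: str) -> Dict:
    """Phases as dicts plus the final Action / Drop-reason. 'Result: X' is a
    phase field; the bare 'Result:' line opens the final block."""
    out: Dict = {"action": None, "drop_code": None, "drop_text": None, "phases": []}
    cur, section = None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := _PHASE.match(line):
            cur = {"phase": int(m[1]), "type": "", "subtype": "", "result": "",
                   "config": [], "info": []}
            out["phases"].append(cur)
            section = None
        elif line == "Result:":
            cur, section = None, "final"
        elif section == "final":
            if line.startswith("Action:"):
                out["action"] = line.split(":", 1)[1].strip().lower()
            elif d := _DROP.match(line):
                out["drop_code"], out["drop_text"] = d["code"], d["text"].strip()
        elif cur is None:
            pass                              # command echo before Phase: 1
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is None:                 # Type: / Subtype: / Result: lines
            key, _, value = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = value.strip()
        else:
            cur[section].append(line)
    return out


def nat_rules(parsed: Dict) -> List[str]:
    """Distinct 'nat ...' lines reported under Config: in NAT / UN-NAT phases."""
    seen: List[str] = []
    for p in parsed["phases"]:
        if p["type"] in ("NAT", "UN-NAT"):
            for line in p["config"]:
                if line.startswith("nat ") and line not in seen:
                    seen.append(line)
    return seen


# Constructed, abridged transcripts in packet-tracer's output format.
DROP_SAMPLE = """\
BRANCH5505# packet-tracer input inside icmp 10.15.16.1 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.15 255.255.255.255 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""
ALLOW_SAMPLE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.15/0 to 10.1.1.15/0
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Static translate 10.15.6.2/0 to 10.15.6.2/0
Result:
Action: allow
"""
```

Run over the two transcripts, the parser makes the difference between them explicit: the drop transcript has no NAT or UN-NAT phase at all and ends in a ROUTE-LOOKUP followed by rpf-violated, while the allow transcript hits the BRANCH_NETWORKS rule in both the UN-NAT and NAT phases. That contrast is what the corrected source address in the thread's second run shows, and it is the first thing to check when a branch ASA cannot reach a site over the tunnel.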
ASA5512 iOS 9.3 inside nat problem
Hi,
I face a NAT problem. I have an ASA5512 iOS 9.3; it connects to outside (ip: 37.10.1.2/29) for Internet and inside (ip 10.78.61.1/24) for LAN and servers.
I configured dynamic NAT for Internet and it works. The LAN switch has 4 VLANs; one is the server VLAN, 10.88.61.0/24.
Now I mapped a public IP 37.10.1.3 to server 10.88.61.10, and from the outside Internet it works. But when I try to ping the server's public IP 37.10.1.3 from the LAN it does not ping, while the server's local IP 10.88.61.10 does ping from the LAN.
How can I solve this issue? I need to ping the public IP from the LAN. All LAN VLANs are NATed on the ASA outside interface (ip: 37.10.1.2/29).
interface GigabitEthernet0/0
description #### Connect TO Internet ####
nameif outside
security-level 0
ip address 37.10.1.2 255.255.255.248
interface GigabitEthernet0/1
description #### Connect TO Core Switch ####
nameif inside
security-level 100
ip address 10.78.61.1 255.255.255.0
access-list outside-in extended permit ip any any
access-group outside-in in interface outside
access-group outside-in in interface inside
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_Ser
host 10.88.61.10
object network obj_Ser_WAN
host 37.10.1.3
nat (inside,outside) source static obj_Ser obj_Ser_WAN
object network obj_any
nat (inside,outside) dynamic 37.10.1.4
same-security-traffic permit intra-interface
Thanks
Afzal
Hi,
Try this NAT:
nat (inside,inside) source static obj_Ser obj_Ser_WAN
Thanks and Regards,
Vibhor Amrodia -
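For the hairpin NAT question above and the (inside,inside) answer, an added example in Python (not the thread's or Cisco's code) that models the order of operations a new connection goes through on the ASA: route lookup, destination un-NAT keyed on the rule's mapped interface, then source NAT keyed on the (ingress, egress) pair. It runs the posted rules, the answer's rule, and a twice-NAT variant against a constructed LAN client (10.78.61.20, not from the thread); the server-VLAN route via the core switch and the default route are assumptions, and ACLs, connection state, proxy ARP and object-NAT section ordering are left out of the model.

```python
"""Toy model of the ASA NAT order of operations for a new connection:
route lookup, destination un-NAT (which can divert the egress interface),
then source NAT keyed on the (ingress, egress) pair. Added illustration for
the hairpin thread above; not code from the thread or from Cisco."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    # nat (real_ifc,mapped_ifc) source {static|dynamic} src_real src_mapped
    #     [destination static dst_mapped dst_real]
    real_ifc: str
    mapped_ifc: str
    src_real: IPv4Network
    src_mapped: IPv4Network
    static: bool = True
    dst_mapped: Optional[IPv4Network] = None
    dst_real: Optional[IPv4Network] = None


@dataclass(frozen=True)
class Trace:
    egress: str
    src: str
    dst: str
    unnat_rule: Optional[int]  # index of the rule that rewrote the destination
    nat_rule: Optional[int]    # index of the rule that rewrote the source


def _shift(addr: IPv4Address, a: IPv4Network, b: IPv4Network) -> IPv4Address:
    """1:1 static mapping: addr's offset inside a, re-based onto b."""
    return IPv4Address(int(b.network_address) + int(addr) - int(a.network_address))


def route_lookup(routes, dst: IPv4Address) -> str:
    """Longest-prefix match over (network, interface) pairs."""
    return max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)[1]


def un_nat(rules: List[NatRule], ingress: str, dst: IPv4Address):
    """Destination rewrite: forward direction of a rule with a destination clause, or
    reverse direction of a plain static source rule. The rule's other interface
    becomes the egress interface (packet-tracer's 'NAT divert')."""
    for i, r in enumerate(rules):
        if r.dst_mapped is not None:
            if ingress == r.real_ifc and dst in r.dst_mapped:
                return i, _shift(dst, r.dst_mapped, r.dst_real), r.mapped_ifc
        elif r.static and ingress == r.mapped_ifc and dst in r.src_mapped:
            return i, _shift(dst, r.src_mapped, r.src_real), r.real_ifc
    return None


def source_nat(rules: List[NatRule], ingress: str, egress: str,
               src: IPv4Address, dst: IPv4Address):
    """Source rewrite: first rule bound to exactly this interface pair whose real
    source (and real destination, if the rule has one) matches."""
    for i, r in enumerate(rules):
        if (ingress, egress) != (r.real_ifc, r.mapped_ifc) or src not in r.src_real:
            continue
        if r.dst_mapped is not None and dst not in r.dst_real:
            continue
        if r.static:
            return i, _shift(src, r.src_real, r.src_mapped)
        return i, r.src_mapped.network_address  # dynamic PAT to one address
    return None


def trace(rules, routes, ingress: str, src: str, dst: str) -> Trace:
    s, d = IPv4Address(src), IPv4Address(dst)
    egress = route_lookup(routes, d)                # Phase: ROUTE-LOOKUP
    unnat_idx = nat_idx = None
    hit = un_nat(rules, ingress, d)                 # Phase: UN-NAT
    if hit:
        unnat_idx, d, egress = hit
    hit = source_nat(rules, ingress, egress, s, d)  # Phase: NAT
    if hit:
        nat_idx, s = hit
    return Trace(egress, str(s), str(d), unnat_idx, nat_idx)


# Objects and connected routes from the posted configuration.
SERVER = IPv4Network("10.88.61.10/32")     # obj_Ser
SERVER_WAN = IPv4Network("37.10.1.3/32")   # obj_Ser_WAN
PAT_ADDR = IPv4Network("37.10.1.4/32")     # obj_any dynamic address
INSIDE_IF = IPv4Network("10.78.61.1/32")   # inside interface address
ROUTES = [
    (IPv4Network("37.10.1.0/29"), "outside"),
    (IPv4Network("10.78.61.0/24"), "inside"),
    (IPv4Network("10.88.61.0/24"), "inside"),  # server VLAN via core switch (assumed)
    (ANY, "outside"),                          # default route (assumed)
]
POSTED = [
    NatRule("inside", "outside", SERVER, SERVER_WAN),
    NatRule("inside", "outside", ANY, PAT_ADDR, static=False),
]
ANSWER = [NatRule("inside", "inside", SERVER, SERVER_WAN)] + POSTED  # the reply's rule
# Twice-NAT variant: also hide the client behind the inside interface address so
# the server's reply must return through the ASA, not straight via the core switch.
TWICE = [NatRule("inside", "inside", ANY, INSIDE_IF, static=False,
                 dst_mapped=SERVER_WAN, dst_real=SERVER)] + POSTED
CLIENT = "10.78.61.20"  # constructed LAN host, not from the thread
```

The first trace (POSTED) shows why the posted configuration fails: nothing rewrites the destination of a packet that enters on inside, so it is PATed to 37.10.1.4 and sent toward the ISP with a destination the ASA itself owns. The answer's rule fixes that by letting the reverse direction of the static match on inside. One caveat a practitioner should check before calling it done: with that rule the client's source address is left untouched, so if the core switch routes between the client VLAN and 10.88.61.0/24 directly, the server's reply goes straight to the client without passing the ASA and the connection never completes; the TWICE variant hides the client behind the inside interface address so the reply has to come back through the firewall. Both hairpin forms also depend on `same-security-traffic permit intra-interface`, which the posted config already has.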
Hi,
I have a CSS in single-arm deployment model. I am trying to do Exchange server load balancing. But I am facing a problem
with the source NAT. I don't want to NAT the client IP to the VIP.
The Exchange team doesn't want to have the client IP address NATed. They want the real client IP to appear in Exchange so that they can track the exact
user IP address for mail replying and tracking.
Please let me know if there is any way to bypass the source NAT for a specific VIP.
Hi,
I need something like that, I need to hide all servers behind the CSS11501. So, any client will contact the server as follows:
1- Client initiates the traffic to the VIP, which will be forwarded to the servers. Then the server will reply to the client, from VIP to the client. In this case, I need to configure service and content.
2- Server initiates traffic to the client; the source will be the VIP, the destination is the client IP. In this case, I need to configure service and group.
Q1: Is that right?
I am facing a problem because some client applications discovered the server IP, not the VIP, which makes them fail.
Q2: Where is the problem? -
Hi, I have quite a complex (to explain) VPN problem. I've built a model in GNS3 but I still can't get it to work. Here is the topology:
1. SiteW is the main site; if W-Client wants to talk to S-Client (on SiteS) the traffic is simply NATed to 106.200.194.240 and sent there (this works fine).
2. SiteB is a new site. I've set that up with a site-to-site VPN; that works fine.
New Requirement
If a user at SiteB wants to Talk to a Client at SiteS, then the traffic should go over the existing VPN to W-FW1 then get decrypted and routed there. This is the bit I CANNOT despite HOURS of tweaking and testing get to work.
What I've done
On W-FW2
Added Site S to the existing interesting traffic ACL and added a 'NO NAT' for it like so;
object network S-CLIENTS
subnet 65.253.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object B-CLIENTS object S-CLIENTS
nat (inside,outside) source static B-CLIENTS B-CLIENTS destination static S-CLIENTS S-CLIENTS
On W-FW1
Added Site S to the existing interesting traffic ACL and added a 'NO NAT' for it like so;
object network S-CLIENTS
subnet 65.253.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
nat (inside,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS
At this point packet tracer said the traffic was being blocked by ACL so I added
access-list inbound extended permit ip object B-CLIENTS object S-CLIENTS
access-list inbound extended permit icmp object B-CLIENTS object S-CLIENTS
access-group inbound in interface outside
Now Packet Tracer was happy, Still B-Client Cannot Ping S-Client!
W-FW1 can ping S-Client
Attempting to ping S-Client from B-Client brings up the tunnel (phase 1 and 2) but no traffic ever travels BACK to B-Client.
Running Wireshark on the 106.200.194.1 interface of S-FW1 whilst attempting to ping 65.253.1.10 from S-FW1 shows traffic (as expected), but if I ping from B-Client it gets nothing (so I'm assuming the traffic never gets out of W-FW1).
Help!
First check if the packet from the S client is making it back to W-FW1.
Configure Captures on the interface that is connected to the 106.200.194 subnet.
#cap capin interface <interface name> match ip host <sclient ip> host <bclient ip>
#show cap capin
Capture is bidirectional. Hence no need to enable it in the opposite direction.
If the packet is seen coming back from the Sclient and still not getting encrypted then do asp drop capture to see if the ASA is dropping it
#capture asp type asp-drop all
send the traffic.
#show cap asp | in <Sclient IP>
If the packet is seen in this capture then the ASA is dropping it.
Then do a packet tracer to see why it is dropping it.
#packet-t input <Sclient connected interface name> icmp <sclient IP> 8 0 <b client IP> det.
Check why the packet is dropping.
if the capin capture does not see the reply packet then check the reply path and routing. -
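The capture-then-decide procedure in the answer above, as an added example (not code from the thread or from Cisco) that applies the same decision to the text of a `show capture` listing: request seen but no reply means the return path or routing is at fault; reply seen means the ASA itself is dropping it and the next stop is the asp-drop capture and packet-tracer. The third verdict (no request at all on that interface) is my addition. The sample listings are constructed in the ASA `show capture` text format, and the B-client address 192.0.2.10 is an assumption (the thread only gives the S-client side).

```python
"""Decide, from an ASA 'show capture' listing, whether the reply half of a flow
is present. Added example for the capture procedure above, not code from the
thread or from Cisco; the listings below are constructed in the ASA text
format and the B-client address is assumed."""
import re
from typing import Tuple

# e.g. "   1: 10:12:33.120394 802.1Q vlan#2 P0 65.253.1.10 > 192.0.2.10: icmp: echo reply"
#      "   3: 10:12:33.130000 65.253.1.10.33512 > 192.0.2.10.443: S 1:1(0) win 8192"
_LINE = re.compile(
    r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}\.\d+\s+(?:802\.1Q vlan#\d+ P\d\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def count_directions(listing: str, a: str, b: str) -> Tuple[int, int]:
    """Number of packets a->b and b->a; summary lines and noise are skipped."""
    fwd = rev = 0
    for line in listing.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        pair = (m["src"], m["dst"])
        if pair == (a, b):
            fwd += 1
        elif pair == (b, a):
            rev += 1
    return fwd, rev


def diagnose(listing: str, sclient: str, bclient: str) -> str:
    """The decision from the thread, applied to the capture on the S-facing interface."""
    to_s, from_s = count_directions(listing, bclient, sclient)
    if to_s == 0:
        return "no-request: nothing toward the S client on this interface; look at the path in"
    if from_s == 0:
        return "no-reply: check the reply path and routing on the S side"
    return "reply-seen: the ASA is dropping it; run 'capture asp type asp-drop all' and packet-tracer"


# Constructed listings (not captured on the thread's devices).
SCLIENT, BCLIENT = "65.253.1.10", "192.0.2.10"   # B-client address is assumed
NO_REPLY = """\
2 packets captured
   1: 10:12:33.120394 802.1Q vlan#2 P0 192.0.2.10 > 65.253.1.10: icmp: echo request
   2: 10:12:34.121002 802.1Q vlan#2 P0 192.0.2.10 > 65.253.1.10: icmp: echo request
2 packets shown
"""
WITH_REPLY = """\
3 packets captured
   1: 10:12:33.120394 192.0.2.10 > 65.253.1.10: icmp: echo request
   2: 10:12:33.120611 65.253.1.10 > 192.0.2.10: icmp: echo reply
   3: 10:12:33.130000 65.253.1.10.33512 > 192.0.2.10.443: S 1:1(0) win 8192
3 packets shown
"""
```

Paste the output of `show cap capin` into `diagnose(listing, sclient, bclient)`; because the ASA capture is bidirectional, one listing is enough to tell the two cases apart, which is the point the answer makes about not needing a second capture in the opposite direction.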
Cisco ASA5505 multiple public ip nat problem
Hello,
I've been having weird problem with static nat.
First have to say that i've been searching answer for this and not yet found...
I have three public IPs from a /24 network, like 83.x.x.10, 83.x.x.25 and 83.x.x.41, all using netmask 255.255.255.0.
I'm using 83.x.x.10 on the ASA outside interface and trying to do static NAT for inside servers with those other IPs, but have not yet solved it.
Using Cisco ASA 5505 software v9.02
Config:
object network obj_guest
nat (guest,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic interface
object network w2008
host 192.168.1.10
object network w2008
nat (inside,outside) static 83.x.x.27
object service RDP
service tcp destination eq 3389
access-list outside_access_in extended permit object RDP any object w2008
access-group outside_access_in in interface outside
This works on other networks that have a whole network with a /29 mask and a router in front of the ASA using bridge mode. But in my case I just have a DSL modem bridged in front of the ASA. This static NAT works like it should if I use, for example, a Zywall USG series firewall, and this same configuration works at my customers, but they have those scenarios I mentioned, with a /29 mask and a router in front...
It seems that the problem is in the ASA, like it won't show those public IPs to the public router from my operator. Because if I roll those other public IPs onto my ASA's outside interface (I use 83.x.x.25 and 83.x.x.41 on the outside interface and after that put back my original 83.x.x.10), then my static NAT is working just fine, at least for a few hours, but not the next morning because the ISP router flushes its ARP cache.
What trick do I need to do with the ASA to get this working?
Here is the command reference for that:
http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/a3.html#wp1824414
Apologies, I didn't know that you are running a version that supports this new command.
The reason why you need it is that the next-hop device is not in the same subnet as your ASA, as you have a DSL modem bridge in front of the ASA; hence you need that command enabled. -
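An added example (not from the thread or from Cisco), in Python, that parses a configuration in the shape shown above and reports each static NAT's real host, mapped address, and whether the mapped address lies in the outside interface's connected subnet: the poster's /24 deployment is the "connected" case, while a mapped address outside that subnet is the non-connected case the reply's command is meant for, as I understand it. The sample config and its 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed placeholders for the redacted 83.x.x.0/24 values.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's config; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the redacted 83.x.x.0/24.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.0
object network w2008
 host 192.168.1.10
object network w2008
 nat (inside,outside) static 203.0.113.27
object network w2012
 host 192.168.1.11
object network w2012
 nat (inside,outside) static 198.51.100.5
"""

STATIC_NAT = re.compile(r"nat \((\w+),(\w+)\) static (\S+)")

def parse_config(text):
    """Return the outside interface's network and {object name: {'host', 'static'}}."""
    outside, objects, current, in_outside = None, {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_outside = False          # a new interface stanza begins
        elif line == "nameif outside":
            in_outside = True
        elif in_outside and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            outside = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif line.startswith("object network "):
            current = line.split()[2]   # ASA repeats the stanza for host and nat lines
            objects.setdefault(current, {})
        elif current and line.startswith("host "):
            objects[current]["host"] = line.split()[1]
        elif current and (m := STATIC_NAT.fullmatch(line)):
            objects[current]["static"] = m.group(3)
    return outside, objects

def classify_static_nats(text):
    """(object, real host, mapped address, 'connected'|'non-connected') per static NAT;
    'connected' means the mapped address is inside the outside interface's own subnet."""
    outside, objects = parse_config(text)
    return [(name, o.get("host"), o["static"],
             "connected" if ipaddress.ip_address(o["static"]) in outside else "non-connected")
            for name, o in objects.items() if "static" in o]
```

Run it against a real `show running-config` to list every mapped address the ASA must answer ARP for on the outside segment, and which ones fall outside the connected subnet.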
Does anybody have a solution for the NAT problem?
Is anybody's application or applet able to play any RTP stream behind a NAT router? Can anybody establish any kind of connection / broadcasting between two subnets? I've got my RTP transmitter at a public IP (using RTPManager...SendStream.start()), and I try to receive the stream from my local network, which is behind a router (DHCP: 192.168....).
I read forums and newsgroups and looked for any solution for days all over the web, but I've found nothing. Zero.
What's the secret? Any hints?
Best regards from Munich / Germany,
r.v.
Hi
I have the same problem.
I have one appletTransmitter that captures video from a webcam and transmits it to another client on the internet.
I try to transmit a MediaLocator from appletTransmitter to servlet1 and then save the MediaLocator as a servlet attribute; then another client can connect to servlet2, which sends the saved MediaLocator to appletClient.
APPLETTRANSMITTER:
// requires: import java.io.*; import java.net.*; import javax.media.MediaLocator;
URL url = null;
MediaLocator media = new MediaLocator("vfw://0");
try {
    url = new URL("http://localhost:8080/servlet1");
} catch (MalformedURLException mue) { mue.printStackTrace(); }
URLConnection conn = null;
try {
    conn = url.openConnection();
} catch (IOException ioe) { ioe.printStackTrace(); }
conn.setDoOutput(true);
OutputStream os = null;
ObjectOutputStream oos = null;
InputStream in = null;
ObjectInputStream iin = null;
MediaLocator mResp = null;
String r = null;
try {
    os = conn.getOutputStream();
    oos = new ObjectOutputStream(os);
    oos.writeObject(media);             // serialise the MediaLocator for servlet1
    //oos.writeObject("Prova Servlet");
    oos.flush();
    in = conn.getInputStream();         // HttpURLConnection only sends the POST body once the response is read
} catch (IOException io) { io.printStackTrace(); }
// ClassNotFoundException can only arise from readObject(), not from writeObject()
SERVLET1:
// inside doPost(HttpServletRequest request, HttpServletResponse response) throws IOException
ObjectInputStream objin = new ObjectInputStream(request.getInputStream());
MediaLocator ml = null;
try {
    ml = (MediaLocator) objin.readObject();   // the servlet JVM must be able to load javax.media.MediaLocator for this cast
    context.setAttribute("media", ml);
} catch (ClassNotFoundException e) {
    e.printStackTrace();
}
But on servlet1 there is a ClassNotFoundException: MediaLocator
What do we think about the solution and exception problem?
Best Regards,
Nico from Italy
-
Hi,
I'm building a website from a Photoshop design and I have a problem with the layout I can't see how to fix:
I have a header and a footer which both need to stay centered and expand to whatever the browser window width is set to.
Between them I have a div of the main content of the pages which also needs to be centered.
All seems very simple. I would normally just have a big div around the whole page with an align="center". Job done.
But the problem is the space to the left of the content div needs to be grey and the space on the right needs to be black. Therefore I assume I'm going to need 3 divs: 2 for the left and right spaces and another with the main content between them.
Both the side divs will need to expand somehow to fill the space while keeping the fixed-width content div centered. But I think they will also have to be floated to sit side by side.
I can't seem to get the divs to stay in the correct places or keep the side ones filling the space between the content div and the edges of the browser.
Can anyone help?
Thanks,
Olliebear
Is this what you are trying to do?
http://starttoweb.com/
If so, you are welcome to grab the CSS file and modify it to fit your needs.
Cheryl D Wise
Adobe Community Expert
http://starttoweb.com