Css 11501 basic NAT and PAT configuration

Similar Messages

• Using NAT and PAT together?

  ASA is 5540 w/8.3. I have a large inside block of inside address I want to NAT or PAT
  to outside addresses.  Is it possible to use a block of outside addresses with NAT with
  rollover PAT to the whole range, or is it restricted to roll over to only a single address?
  Thanks, Roger

  Are you looking to do this for outbound connections to the internet?  If so, this is possible to do a nat to a group of IP address and then if that gets all used up, have it roll over to a single IP address for PAT.

• Static NAT (in and out) and PAT on a Router

  Static NAT and PAT
  I need to have a customer network connected to my extranet.
  I’m not in control of the customer network addressing. But need to configure a VPN connection.
  I will supply the router that will also be the customer Firewall to the Internet (PAT).
  (1) I need to be able to do PAT on traffic from internal hosts to the Internet.
  (2) I need to hide (NAT) the customer network behind a network supplied by me (match-host), when they are accessing my extranet (through VPN).
  (3) I need to be able to access hosts on the customer network, through the hiding (NAT) addresses from my extranet (through VPN).
  The following configuration will solve (1) & (2), but I can not (3) reach the internal servers from my extranet, except if the internal host has made connection to the extranet, witch will create a translate entry in the NAT table.
  Extranet is: 172.16.16.0/24
  Internal net is: 192.168.1.0/24
  interface Vlan1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  interface FastEthernet4
  ip address 1.1.1.1
  ip nat outside
  access-list 175 deny 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
  access-list 175 permit 192.168.1.0 0.0.0.255 any
  access-list 176 permit 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
  ip nat pool FRO 10.192.10.1 10.192.10.254 netmask 255.255.255.0 type match-host
  ip nat inside source list 175 interface FastEthernet4 overload
  ip nat inside source route-map HIDE pool FRO reversible
  route-map HIDE permit 10
  match ip address 176

  Create a NAT configuration in the router which also translates even your outside Global address(your extranet) into the inside Global(any private) address through the keyword "rotary".Only this rotary pool will provide the pool of inside global IP address for yopur outside Global IP addresses.
  The following white paper will provide you with the required information,
  http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a0080091cb9.shtml

• FMS: NAT and Firewall

  I've run into one roadblock after another with Cirrus (Stratus) - basically, even the Adobe Videophone example refuses to work in the 'real world' where there's a mix of NAT and firewall configurations outside the developer's control. (http://forums.adobe.com/message/1064983#1064983 and thread at http://forums.adobe.com/thread/736422?tstart=0)
  My question is whether Flash Media Server 4 has the same sort of issues? We don't want to pay up to install and run our own FMS only to discover that we won't be able to provide a P2P service to our end users because they're scattered around the Internet with a mix of mobile devices and computers lying behind NAT and firewall devices that we can't predict.

  FMS4 and Cirrus should behave identically as far as facilitating P2P communications on the open Internet.
  as the referenced article describes, with some combinations of NATs and firewalls, P2P communication is impossible.  RTMFP tries really hard to establish connections in the cases where direct communication is possible, but will not function in cases where direct communication is not possible.
  we believe direct communications should be possible for the majority of Internet users, but recognize that it won't be possible for 100% of users.

• NAT and Servers behind CSS 11501

  All,
  Please forgive my asking this question again. I was injured shortly after asking the last time and out of work for a long period of time.
  My problem stems from needing to allow my web servers to initiate traffic to the outside world from behind our CSS boxes.
  The web servers sit behind a pair of CSS 11501 content switches in Active-Passive ASR with fate sharing. We are only interested at this time with load balancing HTTP and HTTPS.
  Everything works inbound no problem.
  What I need to do is setup some type of NAT for my 3 web servers to initiate HTTP/HTTPS for patches, send SMTP from the web apps, and initiate HTTPS for credit card validation.
  I have setup NAT on PIX units and routers no problem, but I seem to be unable to do it on these boxes. :(
  In reality something as simple as a PAT translation on the outside of the CSS boxes should be sufficient.
  Is this possible with our setup? Does anyone have some code examples?
  Thanks in advance.
  Addresses changed to protect the innocent:
  Load Balancer 1:
  !*************************** GLOBAL ***************************
  bridge spanning-tree disabled
  sntp server 1.1.1.41 version 1
  snmp community noway read-only
  snmp community noway read-write
  app session 1.1.1.252
  app
  logging subsystem netman level info-6
  dns primary 2.2.2.41
  dns secondary 2.2.2.42
  ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
  !************************* INTERFACE *************************
  interface e1
  phy 100Mbits-FD
  description "Connect to Primary DMZ 1 3550 Switch"
  interface e2
  bridge vlan 2
  phy 100Mbits-FD
  description "Connected to Primary LB Server Switch"
  interface e8
  description "Inter Switch Communication (ISC) Port"
  isc-port-one
  !************************** CIRCUIT **************************
  circuit VLAN1
  description "DMZ 1 Subnet (1.1.1.x/24)"
  ip address 1.1.1.251 255.255.255.0
  ip virtual-router 1 priority 254 preempt
  ip redundant-interface 1 1.1.1.250
  ip redundant-vip 1 1.1.1.161
  ip redundant-vip 1 1.1.1.162
  ip redundant-vip 1 1.1.1.70
  ip redundant-vip 1 1.1.1.71
  ip redundant-vip 1 1.1.1.72
  ip critical-service 1 upstream_downstream
  circuit VLAN2
  description "Load Balanced Servers Subnet"
  ip address 2.2.2.2 255.255.255.0
  ip virtual-router 2 priority 254 preempt
  ip redundant-interface 2 2.2.2.1
  ip critical-service 2 upstream_downstream
  Various Services, Owners and Content
  Load Balancer 2:
  !*************************** GLOBAL ***************************
  bridge spanning-tree disabled
  sntp server 1.1.1.41 version 1
  snmp community noway read-only
  snmp community noway read-write
  app session 1.1.1.251
  app
  logging subsystem netman level info-6
  dns primary 2.2.2.41
  dns secondary 2.2.2.42
  ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
  !************************* INTERFACE *************************
  interface e1
  phy 100Mbits-FD
  description "Connect to Secondary DMZ 1 3550 Switch"
  interface e2
  bridge vlan 2
  phy 100Mbits-FD
  description "Connected to Secondary LB Server Switch"
  interface e8
  description "Inter Switch Communication (ISC) Port"
  isc-port-one
  !************************** CIRCUIT **************************
  circuit VLAN1
  description "DMZ 1 Subnet (1.1.1.x/24)"
  ip address 1.1.1.252 255.255.255.0
  ip virtual-router 1
  ip redundant-interface 1 1.1.1.250
  ip redundant-vip 1 1.1.1.161
  ip redundant-vip 1 1.1.1.162
  ip redundant-vip 1 1.1.1.70
  ip redundant-vip 1 1.1.1.71
  ip redundant-vip 1 1.1.1.72
  ip critical-service 1 upstream_downstream
  circuit VLAN2
  description "Load Balanced Servers Subnet"
  ip address 2.2.2.3 255.255.255.0
  ip virtual-router 2
  ip redundant-interface 2 2.2.2.1
  ip critical-service 2 upstream_downstream
  Various Services, Owners and Content.

  Gilles,
  I added the following commands, and things seem to be working.
  To circuit VLAN1
  ip redundant-vip 1 1.1.1.80
  !*************************** GROUP ***************************
  group natout
  vip address 1.1.1.80
  add service nat_web_servers
  active
  service nat_web_servers
  ip address 192.168.1.10 range 3
  active
  I do have a question about the above service commands.
  I have 3 servers behind the CSS. Let's call them 192.168.1.10, 192.168.1.11 and 192.168.1.12. Am I correct in my thinking that adding range 3 then allows a match on all 3 of those servers and the CSS will then PAT these servers from the VIP address assigned to the group?
  Otherwise, I think you have resolved this problem for us. Thank you.

• CSS 11501 and SSL

  Hi,
  I have a few questions regarding the CSS and SSL certificates.
  I have 2 CSS 11501 and 3 web servers, how many SSL certificates do I need?
  I want to configure the CSS as active - active, is this supported using the SSL accelleration module? If it is, is it configured the same way as a standalone CSS. The documentation only mentions configurations using single module and 2 modules in the same CSS.
  And a clarificacion: Does the term Backend in the CSS SSL config refer to servers on a different subnet (in our case physically separated). Our config is 2 FW -> 2 CSS -> 3 Web servers -> 2 backend FW -> 6 Backend servers (app and DB). Am I correct in assuming that Backend refer to this backend? (This might seem like a silly question but the documentation has me confused)
  Any help is much appreciated.
  Thanks,
  Niels

  Niels,
  there is currently an ASK THE EXPERT event.
  Please join us if you have more questions.
  Regarding the certificate, you could just use one.
  Get 1 certificate for your VIP and upload it on both SSL module.
  However, you might have to get 2, because certificate providers usually say it's one per physical device.
  If you plan on doing SSL on the servers as well, you need 3 more certificates. Or you coul use a single certificate if this is allowed by the company that will give it to you.
  Backend refers to server behind the CSS.
  Like a firewall defines inside and outside interfaces, the CSS define the frontend and the backend.
  The frontend is the client side and the backend the server side.
  When you say active/active, what do you want to achieve exactly ?
  You can indeed have 2 Vip and one is active on CSS1 while the other is active on CSS2.
  However, if the CSS shares the same set of servers, you need to be careful that the return traffic from the server to the client goes back to the same server. This may require client nat (group config).
  Regards,
  Gilles.

• Airport Extreme best practice configuration for Sleep Proxy, DHCP/NAT and PPPOE

  Hi
  I have recently bought a Airport Extreme and it is working well.  One of the reasons I bought is to take advantage of the Bonjour Sleep Proxy on it so I can wake my MAC up remotely from my iPad using the REMOTE app to stream things like iTunes etc...  I followed the set up instructions and basically let it configure itself.  I have an ISP router / modem which currently is providing DHCP services, NAT and PPPOE.
  The Airport detected all of this and set itself up as bridge only.  The speed of the network outo to the internet is fine (more or less what it was before).  However, in doing a bit of research, I have found out that if I want the Airport to act as a sleep proxy, I need it to "host" the network.  I am not an expert in networking but from what I understand I need the Airport to be moved from "Bridge Only" to at least be providing DHCP to my internal network clients.
  This has prompted me to ask what is "Best practice" when it comes to configuring the Airport given I want to have Sleep Proxy enabled.  I think the two options I have are as follows but would really welcome feedback on which is the best option to go for or if there are other options I should be thinking of
  (1)  Have the Airport perform DHCP for my internal clients and leave the ISP router/modem doing NAT
  (2)  Have the Airport perform DHCP and NAT.  I think to do this I need to turn the ISP router / modem into Bridge mode only.  (I've looked and I seem to have this option on the device.  It's an Irish ISP branded device but I think it is a Zyxel)
  I have no reason to believe the ISP router / model is doing a bad job but given I understand the Airport Extreme is a reasonably high-end device (I think?) I am wondering if option 2 is the way to go.
  In addition, during my research, I have also discovered that many people seem to have their Airport Extreme also handle PPPOE.  This is currently being done by my ISP router/modem.  I am  inclined to leave it this way (following the mantra if it isn't broken, don't fix it) but if there was a good reason to have the Aiport do this, perhaps I should make the switch?  Having said this, I have seen on this forum and others, some posts about problems with Internet connection drops when the Airport is handling PPPOE.
  So, a bit of a long post, but if anyone has any information or perspective on this, I'd very much appreciate it. 
  Thanks
  Dave

  I forgot to thank you, John Galt. Yap, it solve my problem by restoring back the original firmware to 7.6.1. My unit is Airport Extreme 2012. I am still using double NAT because I cannot figure it out on how to set DHCP only in the Network tab.
  My goal it to use the airport extreme to the internet and to share the internet to all my devices in the house. Just like my previous Accesspoints. Before I use AP+router Linksy$ WRT54G and D-l!nk DIR-655 without activating the NAT to share my internet connection and they work.
  My problem is that when I set it to DHCP in the internet tab and DHCP in the Network tab in Airport Utility inorder to solve the double NAT situation, only one of all my devices (wired or wireless) can connect to the internet. Each time I connect the other device(s) to the internet my subscriber will verify my subscription (web browser based verification) in which I have to manually enter my account number, etc to validate my subscription.
  So I stick to double NAT so that I can share the internet
  Our broadband provider uses DHCP to link us to the internet. If I change the settings to Static in the Internet Tab, my broadband provider will not let me connect to the internet. In the Airport Utility if I set to static in the Internet Tab inorder to set it to solve the double NAT, a message box appear informing me that I have invalid beginning IP address in the DCHP range in the Network Tab when it appears that only the last 3 digits of the DHCP range is editable.
  Is there any way of configuring the Airport Utility's Internet TAB to DHCP and Network TAB to DHCP to connect to the internet with all my devices without the double NAT and without the aid of another device such as AP or router or switch connected to the Airport or vice versa?

• CSS 11501: NAT all ports?

  Hi, I have just a little experience with a CSS 11501, so this may be a dumb question.
  I created a service and content rule for a FTP server behind the CSS.
  This works fine, the public address is translated to the private address etc.
  But what i really would like is to NAT ALL requests for this public address to the private address, so not just FTP but also Remote Desktop (port 3389) etc.
  How can i accomplish this?

  be carefull that ftp uses data connections.
  By specifying the protocol and port you helped the CSS understand it was ftp traffic and therefore monitor the control session to find data sessions and do nating accordingly.
  So, instead of removing protocol and port, I would recommend to create a 2nd content rule with the same vip and the same service but no protocol or port.
  The first rule will handle ftp.
  The 2nd rule will handle the rest.
  Regards,
  Gilles.

• Using modem Sagem f@st 3464 (Scarlet One : vdsl   tv   VoIP   wi-fi) : impossible to create a new Wi-Fi network (2.4 or 5 GHz) ? Conflict with DHCP / NAT and so on. No answer from the Apple help desk, Air Port Utility 6.1 unusable (configuration = Win 7)

  Good afternoon,
  My internet connection is delivered by a modem Sagem f@st 3464 (Scarlet One : vdsl   tv   VoIP   wi-fi), it's almost the same than a BBox-2 from Belgacom (software and configuration).
  This modem has 4 ethernet port, 2 for TV, 2 for LAN, the WAN port is RJ-11 and the connection is a PPPoE (in fact, it's the Belgacom network). I also got a Wi-Fi 802.11g on it.
  The main raison why I bought a TC is the dual Wi-Fi 2.4 GHz and 5 GHz (for 802.11n), especially for my MacBook Pro and my iPad 3.
  First of all, can I do the following with my TC :
  1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
  2) create a new Wi-Fi network using the TC ?
  Up to now, after 2 man days of configuration, my TC is connected to my existing LAN network, as a bridge, but there is no new Wi-Fi network.
  The Airport Utility 6.1 "Wizard" is just un-usable and I need to use a Win 7 laptop in order to get access to all the configuration !
  The standard manual is very poor.
  Does someone already create a new Wi-Fi network using its TC connected by Ethernet on a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
  Sincerely yours,
  AVDB

  1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
  2) create a new Wi-Fi network using the TC ?
  Does someone already create a new Wi-Fi network using its TC connected by Ethernet on a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
  This is easy enough to do..
  Plug the TC directly into a computer.. without other connections to do the setup.
  Using the newly installed 5.6 utility.
  Bridge the TC.
  Create a wireless network.
  This is an older screen shot and I would set security to WPA2 Personal only not WPA/WPA2 Personal as shown above.
  I do recommend you use wireless names that are short, no spaces, pure alphanumeric.
  Update the TC..
  Now plug it into the modem router.. it will be a part of the network without doing NAT and DHCP itself.. which you do not want.. that leads to double NAT issues.. but it is a WAP that provides access to devices on both 2.4ghz and 5ghz bands directly to the main router.

• Starting slow... Basic installation and configuration

  Let me preface by saying that I took the AM class last year about this time... Between the class materials and the online documentation, though, I'm finding that there isn't a single clear and concise "getting started" document out there. There are a lot of good things available but I'm looking for one doc that walks through the installation & configuration process from top to bottom. The best I've come across is http://www.javapassion.com/handsonlabs/IdentityWebServices/ but that appears to have been written for an older version than what is currently available.
  So, I appeal to the community wisdom. Does anybody have or know of a cookbook or howto document that would walk take someone who has never seen Access Manager and walk them through the basic installation and configuration process for a Windows platform? I realize there is a lot more to be done after these steps but that'll come later.
  Thanks,
  James

  This is for Access Manager 7.0
  http://docs.sun.com/app/docs/doc/819-6258
  I've used it, found it on this page. http://docs.sun.com/app/docs/coll/1292.1

• NI-FBUS Communicat​ions Manager won't start when PCMCIA card is configured as Basic Device and Visitor address

  I can't get the NI-FBUS Communications Manager to start up unless the PCMCIA Series 2 Card is configures as Link Master. I want to Connect to a FFB Segement which already has a LAS 

  Hello,
  The same case.
  It means that fisically I have to connect the the PCMCIA to the actual segment (with its LAS) and then start up the NI-FBUS Comm. Manager?
  Like a Basic Device and Visitor Address will let me change parameters at the devices?
  Thanks in advance,
  Braulio

• CSS 11501 Load Balancing Issue

  Hi,
  We are facing some issue in load balancing in cisco CSS 11501 as we are not able to access the application  through virtual IP. Below is the ruuning configuration of the CSS:
  CSS11501# sh running-config
  !Generated on 10/06/2010 16:51:34
  !Active version: sg0810106
  configure
  !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 132.186.199.1 1
  !************************** CIRCUIT **************************
  circuit VLAN1
    ip address 132.186.199.145 255.255.255.0
  !************************** SERVICE **************************
  service Server1
    ip address 132.186.199.243
    port 5001
    protocol tcp
    keepalive port 5001
    active
  service Server2
    ip address 132.186.199.246
    protocol tcp
    port 5001
    keepalive port 5001
    active
  !*************************** OWNER ***************************
  owner L5_Owner
    content L3_Rule
      vip address 132.186.199.146
      protocol tcp
      port 5001
      add service Server1
      add service Server2
      active
    content L5_Rule
      vip address 132.186.199.146
      add service Server1
      add service Server2
      protocol tcp
      port 5001
      url "//132.186.199.146:5001/emi"
      active
  CSS11501#
  Observation : We are able to telnet on VIP: 132.186.199.146 on port 5001,  but not able to access the application.
  In Actual scenarion customer access  application by accessing URL: http://132.186.199.243:5001/emi and once he enter this URL in web browser the request redirects ( by server itself)  to URL: https://132.186.199.44:6002/cas/login?service=http%3A%2F%2F132.186.199.243%3A5001%2Femi%2Findex.jsp&acceptStrength=BASIC on backend server for user authenticaton and once user is authenticated then it again redirect to main URL ( http://132.186.199.243:5001/emi ) to access the application but when we are trying to access the application through VIP ( URL: http://132.186.199.146:5001/emi) we are not getting the login page as the request is not gettting redirected to backend server for user authentication.
  Please suggest a solution here.

  The problem is that you are in one-armed mode.
  So you need to configure client nat.
  Without nating the client ip address, the server response goes back directly to the client and bypasses the CSS.
  Therefore the client receives a response from an unknown server ip address (not the vip).
  So configure a group.
  For example
  group Client
      vip address 132.186.199.146
      add destination service Server1
       add destination service Server2
      active
  Also, remove the url command from your content rule.
  It is useless in your case and will just make performance worst.
  Gilles.

• CSS 11501S GSLB DNS

  Hi
  I am in the process of planning for a GSLB failover solution for a web site. I have attached a very basic diagram showing an example of the topology.
  The aim is to have two sites. A primary site and a DR site to be used as a failover solution.
  The main site has two web servers that will need to be load balanced and the failover DR site will only have 1 web server.
  My initial plan was to use 2 Cisco CSS 11501S devices as I believe this would provide the load balancing and GSLB functionality I require.
  To achieve this I was going to use the CSS's as the primary and secondary name servers for the domain. This has raised a few question marks….
  Both of our sites are connected to a private WAN (with private IP ranges). See attached diagram. Our internet access is provide through a third party “Firewall Port” directly off the WAN. We don't manage the firewall that connects to the internet. This third party firewall provides the NAT for our public facing services (web servers, mail servers, ftp servers etc).
  So my questions are…
  * Because the CSS's and web servers are located on a private network will the CSS's be able to respond to the DNS requests with the PUBLIC IP address (as seeen from the internet) of the servers as apposed to the private IP address of the servers? If the firewall in front of the CSS's was connected to the internet this could be done via DNS doctoring but our firewall is on a private subnet!
  * Is it possible to get the CSS's to respond to DNS requests for other domain devices that do not reside behind the CSS - E.g. a MX record for a mail server that resides on another 'private' network?
  *Is there a better way to achieve this?
  Any assistance would be much appreciated!!

  Thanks for the reponse Gilles. When you say
  "If you configure the css to answer with the public ip address, you can't access your vip from the internal network anymore."
  Do you mean that you will only get the public ip address from a DNS query and therefore this won't work locally?
  If I have a host file entry providing the private address resolution for my internal hosts will this work?
  "Also, be aware we do not support GSLB on the CSS anymore.
  So, if this is a new install, it is better to start with a solution that we support - GSS"
  Why is this no longer supported? Are there a lot of problems with GSLB on the CSS? It is pretty hard to justify the cost of a solution including 2 GSS's for GSLB and 1 CSS for server load balancing when comapred to the price of 2 CSS's with the enhanced license for both GSLB and server load balancing.
  I have one client that wants to use their existing CSS's for a solution like this and another that is starting from scratch.
  Thanks

• CSS 11501 - SNMP sysname

  Hi All
  Had a basic query on SNMP polling for CSS 11501..
  Im polling a CSS through Ethernet Management Interface, and the SNMP servers are detecting the system name as "Support" instead of the hostname of the device..
  SNMP get sysname from x.x.x.x with ****
  .1.3.6.1.2.1.1.5.0 = Support
  Is there a way to alter the SNMP sysname, to be identical to the hostname of the device ? I dont have issues with other components like routers, switches etc..
  Raj

  Hi Sachin,
  Use the snmp name command to set or modify the SNMP name for this system.
  You can specify only one name.
  The syntax for this global configuration mode command is as follows:
  snmp name "name"
  Enter the SNMP name as the unique name assigned to a system by the administrator.
  Enter a quoted text string with a maximum of 255 characters.
  The standard name convention is the system's fully qualified domain name (for example, [email protected]).
  For example:
  (config)# snmp name "[email protected]"
  To remove the SNMP name for a system and reset it to the default of "Support", enter:
  (config)# no snmp name
  Best regards,
  Sachin Garg

• X-Forwarded-For CSS 11501

  I was wondering if someone can tell me if it is possible to utilize X-Forwarded-For on a CSS 11501. We have a pair that is configured in a one-armed mode which prevents us from seeing the client's IP address. I've done it on an F5, but can't find anything for the CSS.
  Has anyone done this?
  Thanks!

  CSS can check for the x-Forwarded-for field and its contents but cannot inject it. It means if you are using source groups (source nat) then its not possible for CSS to insert the client IP in the HTTP header.
  Syed