Destination NAT and Source Nat

Hi, my network have mobile users with notebooks, and they use public smtp IP address, when they out of office, without VPN ASA works well, but when they comes back in office they should change SMTP IP back to private. I know that my task could be solved via DNS service, but for some reason I should do Dnat and Snat on ASA, please answer me, Is it posible? (Because ASA have to nat and dnat on same interface Insidem and back this traffic to Inside again
)Please see this picture, I draw my task there. Thanks!

Yes it is posible through policy nat.
here is the example.
access−list policy−nat extended permit ip host 10.1.1.20 host 5.5.5.5
global (dmz) 2 192.168.2.2
nat (inside) 2 access-list policy−nat
Hope that helps.
thanks

Similar Messages

Client NAT and Source IP Sticky

How can we implement client NAT and source IP sticky for the same server farm without running into issues? Our NAT pool is using IPs from the VIPs' subnet. Is this possible? This configuration is on Cat 6500 w/ CSM-S v. 2.1.1. Thanks.

this is possible.
The CSM will first determine the destination server based on the client ip and the sticky srcip table and then it will nat the client ip address using your pool.
It does not matter which subnet is being used as long as the servers know to respond back to the CSM.
Regards,
Gilles.

ASA 8.2 - Static NAT and Dynamic NAT Policy together

Hello community,
I have the following problem using a ASA with version 8.2.
1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
Thanks for your reply and help!

Hello community,
I have the following problem using a ASA with version 8.2.
1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
Thanks for your reply and help!

Source Nat and Destination Nat

Is any of the above working in the ACE OR CSM module by default?
What is an advantage of configuring destination NAT on the ACE Box?

Hello,
On both the CSM and ACE, destination NAT (a.k.a. server nat) is enabled by default in a serverfarm. Source NAT needs to be manually configured on both devices, as it is not a default configuration.
In server load balancing, destination NAT is very common. When clients connect to a VIP on the load balancer, the load balancer will then choose a real server the send the connection to. The destination IP address of the client-to-server traffic will be NAT'd from the virtual IP address (VIP) to the real server's IP address. The server's reply will be sourced with the real server's IP address, initially. The load balancer will again perform NAT to change the source IP address from the real server's IP address back to the VIP address prior to forwarding the response back to the client. This way, the client only knows about the VIP address, and not the real server's IP address.
Best regards,
Sean

Question about NAT Inside Source, Inside Destination, and Outside Source

I read the Cisco command references about "ip nat inside source", "inside destination", and "outside source", but couldn't have a clear understanding of how to associate the commands with "ip nat inside" and ip nat outside" configured for interfaces.
Does "ip nat inside source ..." translation only happen on the interface configured as "ip nat inside"?
Since NAT is a bidirectional action, what's the difference between "ip nat inside cource ..." and "ip nat inside destination ..."?
I've never used "ip nat outside source ...". In what cases would it be needed?
On an interface where there are NAT translation and also other actions such as policy map or IP Sec crypto map, would NAT happen before or after other actions?
Thanks for help with any questions.
Gary

Hi Gary,
The following documents may help you to understand some of the terminology:
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml
Also, the following document has a clear explanation of the order of operations when using NAT:
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Hope that helps - pls rate the post if it does.
Paresh

How do I NAT based on destination port while source port can be ANY

Goal - I want to forward Internet bound HTTP and HTTPS traffic to a Proxy via an IPSEC Tunnel - I want to maintain my private IP as it goes accross the IPSEC Tunnel - I also want remaining Internet Traffic to route Normally by NATing to my outside address.
In 8.4 this is quite easy as I can specify a destination port and have "any" source port for the NAT
Here is a snap shot of the config:
object service Proxy_HTTP
service tcp destination eq www
object service Proxy_HTTPS
service tcp destination eq https
nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS
object network Non_Proxy
nat (any,outside) dynamic interface
PROBLEM: I need this behavior in 8.2.x - I have found no way to mimic this.
You cannot use NAT Exemption as it cannot be port based
A static policy NAT with Access list will not work as you must specify a single source port - Since there is no way to predict the source port this wont work.
I don't see any of the other NAT Types working this way.
If there is a way to make this work in 8.2 please let me know - We have many ASAs and we are not ready to make the leap to 8.4 but we need to use the proxy.

Karen-
Results: Did not work. The web based shortcuts did not appear.
Below is the steps taken with your tips incorporated. (Again it's lengthy sorry about that, but anyone can recreate what was done here. Maybe someone can see something left out by doing/reviewing it).
Here is what was done:
1. Installed a fresh install of Windows 8.1 enterprise on a pc. No updates were ran.
2. During setup created the admin account.
3. Logged into the account a simple start screen was arranged and setup by:
Starting desktop Internet Explorer. Going to Technet's website. Clicked tools and then selecting "Add site to Apps" from the drop down menu. Went to Apps screen, right clicked and pinned it to start screen. Repeated this procedure with an
educational web based site.
Right clicked a few provisioned apps and unpinned them from the start screen.
Made a few groups and labeled them. Web based shortcuts were arranged with one provisioned app in that particular group.
4. Opened a Powershell, right clicked it and ran as administrator. Typed the following:
export-startlayout -path C:\Users\Public\Master.xml -as xml
(Master is the name chosen for this test .xml file and was put in a location all users would have privelages to access it).
5. Opened the command prompt and right clicked and "ran as administrator", typed in gpedit.
6. In the Local Group Policy under User Configuration, under Start Menu and Taskbar I choose the Start Screen Layout.
7. Enabled the policy and typed in: C:\Users\Public\Master.xml for the Start Layout File.
8. Opened computer management, under Local Users and Groups I chose Users, right clicked in the middle screen and created a new user called Alpha.
9. Logged out of the inital account and logged into newly created Alpha account.
10. When the Alpha account logged in the start screen came up with everything changed in the inital account but no web based shortcuts were found on the start screen or App view.

NAT Translating Destination IP and Port

Hi I have posted this in the Routing and switching forum but thought i'd post it in here too as it realted to web security
I am struggling with NAT translation on a Cisco router. I want to translate all HTTP traffic that exits my network to change the destination IP to 117.166.1.1 and translate the destination port from tcp 80 to tcp 3128.
i.e. If a PC with an IP 192.168.1.10 enters 200.1.1.1 into the webbrowser, instead of the traffic going to 200.1.1.1 on port 80, it will be directed to 117.166.1.1 on port 3128
This is because I am using a cloud url filter and want all HTTP traffic to go to that proxy.
I believe this can be done with an outside NAT but I am unable to get this work. Anyone know how to do this?
Thanks
K

Hi,
If you want to block all the connections to your computer on 25 port, you need to add My IP Address as the Destination address and set Any IP Address as the Source address in your computer.
In addition, if you choose Mirrored, it will mirror the filters automatically configures both inbound and outbound filters. In your scenario, you would uncheck it.
For more detailed information, please refer to the link below:
Step-by-Step Guide to Internet Protocol Security (IPSec)
Best regards,
Susie

ASA5505 Upgrade to 9.1.5 from 8.4.1 - problem with nat and accessing external host

When running on 8.4 i had a working config with the following scenario.
I have 2 interfaces configured as the outside interface.
One is connected to my internet connection
The other one is connected to a host that has a public ip.
The public host can access internet and also a PAT port on an internal host.
But after the upgrade the internal hosts can't access the external host but everything else on internet
packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.89 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.0 255.255.240.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
If i add 1 to the destination ip:
packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.90 22
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.0 255.255.240.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 10.x.x.11/1024 to x.x.x.80/1024
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 98586, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Nat rules:
nat (inside,outside) source static IPv6_HOST interface service https https
nat (inside,outside) source static IPv6_HOST interface service http http
nat (inside,outside) source static IPv6_HOST interface service ssh ssh
nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
nat (inside,outside) source dynamic any interface
The EXTERNAL is the host that is connected to an outside interface and that NAT rule works ok.
I can ping the EXTERNAL host from the ASA but not from the internal network.
Any ideas would be appreciated.

Hmmm, by adding the following i got it working:
nat (inside,outside) source static IPv6_HOST interface service https https
nat (inside,outside) source static IPv6_HOST interface service http http
nat (inside,outside) source static IPv6_HOST interface service ssh ssh
nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
nat (inside,outside) source dynamic inside interface destination static EXTERNAL EXTERNAL
nat (inside,outside) source dynamic any interface
It is a bit complicated though since the EXTERNAL host get it's address via DHCP and so does the ASA.

Load balancing weirdness using NAT and same-metric route

Hi.
I'm trying to set up a double-WAN load-balancing scenario:
I decided to attempt the "multiple same-metric routes with NAT" approach so I went for the example used in the IOS NAT Load-Balancing for Two ISP Connections Configuration Guide [1].
I decided to use an upside-down Cisco 871-SEC/K9: use Vlan1 and Vlan2 for the routers and Fa4 for the LAN. I am hoping this is not an issue.
There is this weirdness with some connections, particularly FTP. I pinpointed the problem to the following scenario: if I do a couple of pings to 100.1.1.1 using the FastEthernet4 as the source address, this is what I get in the logs:
=== PING 1 ECHO REQUEST ===
*Mar 3 04:38:43.521: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan1), routed via RIB
*Mar 3 04:38:43.521: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14152]
*Mar 3 04:38:43.521: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan1), g=10.129.124.1, len 60, forward
*Mar 3 04:38:43.521: ICMP type=8, code=0
=== PING 1 ECHO REPLY ===
*Mar 3 04:38:45.589: NAT*: s=100.1.1.1, d=10.129.124.2->192.168.60.4 [19824]
*Mar 3 04:38:45.589: IP: tableid=0, s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), routed via RIB
*Mar 3 04:38:45.589: IP: s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), g=192.168.60.4, len 60, forward
*Mar 3 04:38:45.589: ICMP type=0, code=0
=== (something else) ===
*Mar 3 04:38:52.353: RT: SET_LAST_RDB for 0.0.0.0/0
OLD rdb: via 10.129.124.33, Vlan2
NEW rdb: via 10.129.124.1, Vlan1
=== PING 2 ECHO REQUEST ===
*Mar 3 04:38:52.353: IP: tableid=0, s=192.168.60.4 (FastEthernet4), d=100.1.1.1 (Vlan2), routed via RIB
*Mar 3 04:38:52.353: NAT: s=192.168.60.4->10.129.124.2, d=100.1.1.1 [14159]
*Mar 3 04:38:52.353: IP: s=10.129.124.2 (FastEthernet4), d=100.1.1.1 (Vlan2), g=10.129.124.33, len 60, forward
*Mar 3 04:38:52.353: ICMP type=8, code=0
=== PING 2 ECHO REPLY ===
*Mar 3 04:38:53.029: NAT*: s=100.1.1.1, d=10.129.124.2->192.168.60.4 [19825]
*Mar 3 04:38:53.029: IP: tableid=0, s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), routed via RIB
*Mar 3 04:38:53.033: IP: s=100.1.1.1 (Vlan1), d=192.168.60.4 (FastEthernet4), g=192.168.60.4, len 60, forward
*Mar 3 04:38:53.033: ICMP type=0, code=0
In the section "Ping 2 Echo Request" line 2 shows the NAT translating the packet to the address for the first provider but line 3 shows it routing it through the second one.
In this case, the ICMP packet goes through but it is problematic if the ISP restricts the service by source-address (like RPF) or there is some acceleration mechanism inside the provider cloud, other than just plain routing.
What am I missing? Here is the relevant part of the configuration. I deliberately disabled CEF to be able to debug the messages, but I *think* this may be altering the actual router behavior. This router does not have a "debug ip cef packet" command.
no ip cef
ip dhcp pool lan-side
import all
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
domain-name doublewan.local
dns-server 8.8.8.8 8.8.4.4
lease infinite
ip domain name doublewan
interface FastEthernet0
!doesn't appear on running-config: vlan 1 is the default access vlan
!switchport access vlan 1
interface FastEthernet1
switchport access vlan 2
interface FastEthernet2
shutdown
interface FastEthernet3
shutdown
interface FastEthernet4
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
interface Vlan1
ip address 10.129.124.2 255.255.255.224
ip nat outside
ip virtual-reassembly
no ip route-cache
interface Vlan2
ip address 10.129.124.35 255.255.255.224
ip nat outside
ip virtual-reassembly
no ip route-cache
ip route 0.0.0.0 0.0.0.0 Vlan1 10.129.124.1
ip route 0.0.0.0 0.0.0.0 Vlan2 10.129.124.33
ip nat inside source route-map nat1 interface Vlan1 overload
ip nat inside source route-map nat2 interface Vlan2 overload
ip access-list standard acl4-nexthop-vlan1
permit 10.129.124.1
ip access-list standard acl4-nexthop-vlan2
permit 10.129.124.33
route-map nat2 permit 10
match ip address 102
match ip next-hop acl4-nexthop-vlan2
match interface Vlan2
route-map nat1 permit 10
match ip address 101
match ip next-hop acl4-nexthop-vlan1
match interface Vlan1
control-plane
Of course, there is some configuration pending for redundancy and stuff.
Thanks a lot in advance.
[1] http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.html

Hello.
This might be a bug in debug command or the IOS (without ip cef) you use; as routing is done before NAT (inside to outside).
To make sure it works fine with ip cef, just enable strict uRPF (or just ACL) on .1 and .33 interfaces and see if you see any packet sent over wrong interface.
PS: please check "sh ip cef 100.1.1.1"; I guess ip cef would tell you "per-destination sharing".

881W NAT and Firewall

Hello all,
I recently configured my 881W for dual SSID, and NATing to separate the VLAN traffic. Afterwards, I used Cisco Configuration Professional to configure the firewall for medium security, and then I tested it by connecting it to my U-Verse residential gateway in DMZplus mode. I was able to get a DHCP address from my IP to the 881W, but I can't resolve DNS, or get to any outside internet sites. Based on my configuration below, does anyone have any insight into what could be wrong?
R1-881W#show run
Building configuration...
Current configuration : 14484 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname R1-881W
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234567890
revocation-check none
rsakeypair TP-self-signed-1392450818
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01
<some cert>
        quit
no ip source-route
ip dhcp excluded-address 172.16.1.1 172.16.1.200
ip dhcp excluded-address 192.168.12.200 192.168.12.254
ip dhcp pool Private
   import all
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   dns-server 172.16.1.1 255.255.255.0
ip dhcp pool Guest
   network 192.168.12.0 255.255.255.0
   default-router 192.168.12.1
   dns-server 192.168.12.1 255.255.255.0
ip cef
no ip bootp server
ip domain name somedomain.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip name-server 8.8.8.8
login block-for 120 attempts 5 within 60
login delay 3
no ipv6 cef
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
username someuser privilege 15 secret 5 xxxxxxxxxxxxxx
archive
log config
hidekeys
ip tcp synwait-time 10
ip ssh version 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
interface Null0
no ip unreachables
interface FastEthernet0
switchport access vlan 11
interface FastEthernet1
interface FastEthernet2
switchport access vlan 11
interface FastEthernet3
interface FastEthernet4
description ISP Connection$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
shutdown
duplex auto
speed auto
no cdp enable
interface wlan-ap0
description Service module to manage the enbedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
interface Vlan1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan11
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
interface Vlan12
description Guest Vlan$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 100 interface FastEthernet4 overload
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
control-plane
banner login ^CWarning! Authorized Access Only!^C
line con 0
password 7 xxxxxxxxxxxxxx
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 xxxxxxxxxxxxxx
transport input telnet ssh
transport output telnet
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Henrik,
I redid the changes you suggested (excluding the
config to make the guest-zone only allowed to ping and get an IP-address of the route). I cannot connect to the internet from VLAN12. Here is my config below:
R1-881W#show run
Building configuration...
Current configuration : 8875 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname R1-881W
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234567890
revocation-check none
rsakeypair TP-self-signed-1234567890
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01
        quit
no ip source-route
ip dhcp excluded-address 172.16.1.1 172.16.1.200
ip dhcp excluded-address 192.168.12.200 192.168.12.254
ip dhcp pool Private
   import all
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   dns-server 172.16.1.1 255.255.255.0
ip dhcp pool Guest
   network 192.168.12.0 255.255.255.0
   default-router 192.168.12.1
   dns-server 192.168.12.1 255.255.255.0
ip cef
no ip bootp server
ip domain name lab.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip name-server 8.8.8.8
login block-for 120 attempts 5 within 60
login delay 3
no ipv6 cef
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
username somerookieuser privilege 15 secret 5 xxxxxxxxxxxxxxx
archive
log config
hidekeys
ip tcp synwait-time 10
ip ssh version 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
match access-group name GUEST-TO-OUTSIDE_ACL
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
class type inspect GUEST-TO-OUTSIDE_CMAP
class class-default
drop
zone security out-zone
zone security in-zone
zone security guest-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
service-policy type inspect GUEST-TO-OUTSIDE_PMAP
interface Null0
no ip unreachables
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description ISP Connection$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
no cdp enable
interface wlan-ap0
description Service module to manage the enbedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
interface Vlan1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan11
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
interface Vlan12
description Guest Vlan$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security guest-zone
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
ip access-list extended GUEST-TO-OUTSIDE_ACL
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended NAT_ALLOWED
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
logging trap debugging
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
control-plane
banner login ^CWarning! Authorized Access Only!^C
line con 0
password 7 somestrongpassword
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 somestrongpassword
transport input telnet ssh
transport output telnet
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
R1-881W#

VRF-lite, NAT and route-leaking

Hello, community. I'm trying to reproduce setup with two customers (R1 and R2), PE router (R3) and common services (R4).
Here is configuration:
R1:
interface Loopback0
ip address 10.10.1.1 255.255.255.255
interface FastEthernet1/0
ip address 192.168.15.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.15.5
R2:
interface Loopback0
ip address 10.10.2.2 255.255.255.255
interface FastEthernet1/0
ip address 192.168.16.1 255.255.255.192
ip route 0.0.0.0 0.0.0.0 192.168.16.5
R3:
ip vrf VRF1
rd 1:1
route-target export 1:1
route-target import 1:1
ip vrf VRF2
rd 2:2
route-target export 2:2
route-target import 2:2
interface FastEthernet0/0
description R1
ip vrf forwarding VRF1
ip address 192.168.15.5 255.255.255.192
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description R2
ip vrf forwarding VRF2
ip address 192.168.16.5 255.255.255.192
ip nat inside
ip virtual-reassembly
interface FastEthernet1/0
description R4
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route vrf VRF1 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
ip route vrf VRF1 10.10.0.0 255.255.0.0 192.168.15.1
ip route vrf VRF2 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
ip route vrf VRF2 10.10.0.0 255.255.0.0 192.168.16.1
ip nat inside source list 15 interface FastEthernet1/0 vrf VRF1 overload
ip nat inside source list 16 interface FastEthernet1/0 vrf VRF2 overload
access-list 15 permit 192.0.0.0 0.255.255.255
access-list 15 permit 10.10.0.0 0.0.255.255
access-list 16 permit 192.0.0.0 0.255.255.255
access-list 16 permit 10.10.0.0 0.0.255.255
R4:
interface Loopback0
ip address 10.10.10.10 255.255.255.255
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 1.1.1.1
The configuration is not operational.
r1#ping 192.168.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/89/116 ms
r1#ping 192.168.15.5 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/86/92 ms
r1#ping 1.1.1.1 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
Success rate is 80 percent (4/5), round-trip min/avg/max = 292/357/400 ms
r1#ping 1.1.1.2 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
Success rate is 80 percent (4/5), round-trip min/avg/max = 160/187/216 ms
r1#ping 10.10.10.10 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
Success rate is 0 percent (0/5)
I can't ping R4's loopback address ("shared resource" or also known as "common service")
The same is with R2 ( second customer).
But I can still ping R4's loopback from R3:
R3#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/88/116 ms
This is routing table on R3:
R3#sh ip route | begin Gateway
Gateway of last resort is 1.1.1.2 to network 0.0.0.0
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 1.1.1.2
R3#sh ip route vrf VRF1 | begin Gateway
Gateway of last resort is 1.1.1.2 to network 0.0.0.0
     192.168.15.0/26 is subnetted, 1 subnets
C       192.168.15.0 is directly connected, FastEthernet0/0
     10.0.0.0/16 is subnetted, 1 subnets
S       10.10.0.0 [1/0] via 192.168.15.1
S*   0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0
R3#sh ip route vrf VRF2 | begin Gateway
Gateway of last resort is 1.1.1.2 to network 0.0.0.0
     10.0.0.0/16 is subnetted, 1 subnets
S       10.10.0.0 [1/0] via 192.168.16.1
     192.168.16.0/26 is subnetted, 1 subnets
C       192.168.16.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0
So the question is what is the problem cause? How to troubleshoot? What is the troubleshooting steps?

Hi Eugene Khabarov
The problem here is that at the PE we have the static route for the Major Subnet 10.10.0.0/16 pointing back to the CEs of which the destination ping IP 10.10.10.10 is part of.
We need to remove the Major X /16 route from PE and configure explicit X /32 route for the CE Loopback to make this work
no ip route vrf VRF1 10.10.0.0 255.255.0.0 192.168.15.1
ip route vrf VRF1 10.10.1.1 255.255.0.0 192.168.15.1
no ip route vrf VRF2 10.10.0.0 255.255.0.0 192.168.16.1
ip route vrf VRF2 10.10.2.2 255.255.0.0 192.168.16.1
Hope this helps to answer your query.
Regards
Varma

Is src and dst NAT possible in multiple rules on the ASA?

Hello,
We have +/- 50 customer companies that will have to enter our network via IPsec s2s VPN's and as backup the customers have the option to enter our network via a leased line. Since they can enter multiple routes we give them a source IP depending what side they enter so we know the route back internally in the network to the correct FW they entered.
For the s2s we have to do source NAT on our side since we cannot burden all these customers with different NAT's for both the leased line and for the s2s. And we have to do destination NAT since the customers can access different DMZ systems depending on the application they connect to.
1) source NAT can be 1 NAT rule per company (so hide NAT behind 1 IP)
2) destination NAT is multiple rules (see below)
At the moment we have 12 NAT rules per company since we have configured src and dst NAT in one rule to make it work.
See example below:
Question: How can we configure src and dst NAT in multiple rules so that we dont need 12 NAT rules per company?
ASA cluster: single mode - Active/Standby
asa922-4-smp-k8.bin
asdm-731-101.bin
Src REAL
Src Mapped
Dst MAPPED
Dst REAL
Service
192.168.143.128_29
192.168.143.128_29
192.168.143.128_29
192.168.143.128_29
192.168.143.128_29
192.168.143.128_29
192.168.143.128_29
192.168.143.128_29
192.168.143.128_29
192.168.143.128_29
192.168.143.128_29
192.168.143.128_29
11.11.11.1
11.11.11.1
11.11.11.1
11.11.11.1
11.11.11.1
11.11.11.1
11.11.11.1
11.11.11.1
11.11.11.1
11.11.11.1
11.11.11.1
11.11.11.1
19.19.19.90
19.19.19.90
19.19.19.11
19.19.19.11
19.19.19.90
19.19.19.90
19.19.19.180
19.19.19.180
19.19.19.83
19.19.19.83
19.19.19.90
19.19.19.92
10.10.10.42
10.10.10.42
10.10.10.42
10.10.10.42
10.10.10.41
10.10.10.41
10.10.10.44
10.10.10.44
10.10.10.47
10.10.10.47
10.10.10.47
10.10.10.47
53-udp
53-tcp
53-udp
53-tcp
PoP3
SMTP
SMTP
PoP3
http
tcp-5555
http
http

Steve,
That is my whole point. To copy from the PC host memory to the CUDA device memory asynchronously, the host memory must be pinned. Hence, the source and destination memory should be pinned. Otherwise, I must copy the source memory to pinned memory I have allocated on the PC, copy it asynchronously to the CUDA device memory, process it on the CUDA device, asynchronously copy it back to the PC pinned memory, and then copy it to the destination memory.
If you copy synchronously, it is slow as Christmas! Therefore, you must copy the memory asynchronously, or you should not use CUDA and GPU acceleration.
My question still stands. Why is the source and destination memory on the PC used by Premiere Pro not pinned memory?
Gene
Gene A. Grindstaff
Executive Manager, SG&I
T: 1.256.730.6983 M: 1.256.566.5376 F: 1.256.730.8046
E: mailto:[email protected]
Intergraph Corporation
19 Interpro Road
Madison, AL 35758 USA
www.intergraph.com/sgi<http://www.intergraph.com/sgi> |
LinkedIn<http://www.linkedin.com/groups?gid=127267&trk=myg_ugrp_ovr> | Facebook<http://www.facebook.com/intergraph> | Twitter<http://twitter.com/intergraph

CSS Source NAT

Hi,
I have CSS in single arm deploymenet model. I am trying to do the exchange server load balancing. But I am facing problem
with the soruce NAT. I dont want to NAT the client IP in VIP.
Exchange team dont want to have Client IP address to be NATTED. They want real Client IP to appear in Exchange so that they can track exact
user IP address for mail replying and tracking.
Please let me know is there any way bypass the source NAT for specific VIP.

Hi,
I need something like that, I need to hide all servers behind the CSS11501. So, any client will contact the server as follows:
1- Client initiates the traffic to the VIP which will be forwarded to the servers. Then the server will replay to the client, from VIP to the client. In this case, I need to configure service and content.
2- Server initiates traffic to the client, the source will be VIP, the destination is client IP. In this case, I need to configure service and group.
Q1: Is that right?
I am facing a problem because some client applications discovered the server IP not VIP, the make failure..
Q2: Where is the problem?

ACE and static NAT

Hello
I had pix+CSM on 6500. I've changed it to new ACE module on 6500.
I've made loadbalancing which was done on CSM. Now i wanted to connect dmz which was connected to pix and make static DNAT.
I used configuration guide/examples from: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/nat.html
I need to make static DNAT, but i can't figure how it works. There are many errors in this document including incorrect (old?) syntax (for example: nat static 192.0.0.0 255.0.0.0 80 vlan 101)
I analyzed three examples at the and of this document. My questions:
1. how do i choose if it's source or destination NAT ?
2. do i always apply service-policy to vlan interface which receives packets which should be natted ?
3. What is class-map(it's ACL) choosing ? Incoming traffic which destination address should be changed ?
4. is in command: "nat static A netmask netmaskA vlan B" A is outside ip address before translation to inside address ?
5. Could anybody give me a simple example of static DNAT ? (or any links?)
Thanx

Destination nat is equivalent to loadbalancing to one server.
I would therefore configure a vip being the inbound destination address, and a rserver which would be the outbound nated destination ip address.
Then create a policy-map to link the 2 together and apply the policy-map to the incoming vlan, or you can apply it globally.
For the reverse connections, where you then need to nat the source ip back to the 'VIP' you use the static nat config that you have found in the document.
By the way, I don't see anything wrong with it.
Those commands are in A1 and also the new A2 release.
ACE is really a loadbalancer with some firewall features and not the opposite.
This is why pure nating functions are not straightfoward to configure.
Gilles.

Source NAT for specific servers in a rule

Hello,
I am trying to achieve source NATing on the CSS and want to confirm if below configuration is good.
VIP address: 61.61.61.61
Services: 10.1.1.1, 10.1.1.2, 20.1.1.1 and 20.1.1.2
Front-end circuit IP: 61.61.61.1 (Same subnet as 61.61.61.61)
Back-end circuit: 10.1.1.10 (Same subnet as 10.1.1.1 or .2)
service AAAA
ip address 10.1.1.1
active
service BBBB
ip address 10.1.1.2
active
service XXXX
ip address 20.1.1.1
active
service YYYY
ip address 20.1.1.2
active
owner Gateway
content Gateway1
vip address 61.61.61.61
add service 10.1.1.1
add service 10.1.1.2
add service 20.1.1.2
add service 20.1.1.1
active
As the two servers 20.1.1.1 and 20.1.1.2 are not in the same subnet, we configured the below to source NAT specifically to these two servers.
group Gateway
vip address 61.61.61.61
add destination service 20.1.1.1
add destination service 20.1.1.2
active
In the past this configuration didn't work. We are going to try it again. Is there anything missing and what else should we check to get it to work.
Appreciate any help.

Using 'add destination service' in the group rule NATs the original client IP as the VIP (in your case), and ensures that return traffic from the remote 20.x.x.x servers flows back to the CSS and then to the client instead of directly to the client (which would reject the traffic). There's no need to worry about any kind of load balancing loop being created. The downside to implementing this is that your servers will see all traffic as originating from the VIP and not the unique client IPs, and since the CSS doesn't support the x-forwarded-for header you're kinda stuck with that side effect.
Also, it's my understanding that the group rule must match the content rule in terms of VIP address and services within it to be effective. You would need to change your group rule to the following for it to work:
FROM:
group Gateway
vip address 61.61.61.61
add destination service 20.1.1.1
add destination service 20.1.1.2
active
TO:
group Gateway
vip address 61.61.61.61
add destination service 10.1.1.1
add destination service 10.1.1.2
add destination service 20.1.1.1
add destination service 20.1.1.2
active
Good luck!
James

Destination NAT and Source Nat

Similar Messages

Maybe you are looking for