Destination NAT translation shows 0.0.0.0 on CSS 11503

Similar Messages

• NAT Translating Destination IP and Port

  Hi I have posted this in the Routing and switching forum but thought i'd post it in here too as it realted to web security
  I am struggling with NAT  translation on a Cisco router. I want to translate all HTTP traffic  that exits my network to change the destination IP to 117.166.1.1  and  translate the destination port from tcp 80 to tcp 3128.
  i.e. If a  PC with an IP 192.168.1.10 enters 200.1.1.1 into the webbrowser, instead  of the traffic going to 200.1.1.1 on port 80, it will be directed to  117.166.1.1 on port 3128
  This is because I am using a cloud url filter and want all HTTP traffic to go to that proxy.
  I believe this can be done with an outside NAT but I am unable to get this work. Anyone know how to do this?
  Thanks
  K

  Hi,
  If you want to block all the connections to your computer on 25 port, you need to add My IP Address as the Destination address and set Any IP Address as the Source address in your computer.
  In addition, if you choose Mirrored, it will mirror the filters automatically configures both inbound and outbound filters. In your scenario, you would uncheck it.
  For more detailed information, please refer to the link below:
  Step-by-Step Guide to Internet Protocol Security (IPSec)
  Best regards,
  Susie

• Cisco asa traffic flow with destination nat

  Hi Folks,
                     Can anybody comment on the below.
  1.  in source natting (inside users accessing internet), first the NAT will happen then the routing will happen. I agree with this..
  2. in destination natting (outside users accessing inside server on public ip), what will happen first, NATTING or Routing. I am looking forward to hear an explanation.
  regards
  Rajesh

  The ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
  The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
  That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from.  On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
  The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
  The short answer:
  The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface. 
       If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
       If there is a rule that explicitly specifies how to translate the packets destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
  The longer answer:
  For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
  Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
       Step 1.A: ACL Check: Check the un-translated packet against the interface ACL, if permitted proceed to step 2
  Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
       Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped ip address or range, and is forwarded to an inside interface)?
     -or-
       Step 2 check B:  Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
       If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; Then, a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
  Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the nat translation. You can actually see the nat divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be mis-leading.
  Now lets refer to the specific example you outlined in your post; you said:
  route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
  route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
  nat (LAN,ISP-1) after-auto source dynamic any interface
  nat (LAN,ISP-2) after-auto source dynamic any interface
  Now lets say that there is a connection coming from behind LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before L3 Route Lookup?
  The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
  It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
  It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
  Message was edited by: Jay Johnston

• Remote Access VPN, no split tunneling, internet access. NAT translation problem

  Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
  Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
  I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
  I reviewed the new NAT rules for the VPN and found the culprit. 
  I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
  Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
  nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source dynamic VPN_Subnet interface inactive
  object network obj_any
  nat (inside,outside) dynamic interface
  object network XXX_HTTP
  nat (inside,outside) static interface service tcp www www
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  Any help would be appreciated.

  Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
  With Regards,
  Safwan

• How to use MARS for NAT Translation Analysis...

  Hi All,
  I was wondering if we could use MARS to do NAT logging. To be more specific, currently we are using a PUX Firewall that does dynamic nat/pat. We log NAT Translations to syslog server and if further required we search into the files to find what we want.
  I was wondering if anyone had tried to send translation logs to MARS and then doing a custom report for NAT Translations (i.e. by source, destination, time etc).
  Regards.

  Hello Nicolas,
  Use the following steps :
  Step 1
  Locate the File “global.properties”
  Drive:\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom
  The following values should be present:
  vintela.enabled=true
  idm.realm=Domain Name (u can get the name from C:\Windows\Krb5.ini)
  idm.princ=SPN User
  idm.allowUnsecured=true
  idm.allowNTLM=false
  idm.logger.name=simple
  idm.logger.props=error-log.properties
  Step 2:
  Locate the file “web.xml”
  D:\SAP BusinessObjects\Tomcat6\webapps\dswsbobje\WEB-INF
  Uncomment the Kerberos Proxy Filter and the Kerberos Filter sections to enable Kerberos SSO for Windows Active Directory (secWinAD) authentication. The following options must be specified (the rest are optional)
  idm.realm = SPN user (the same as the default_realm specified in the Krb5.ini file)
  idm.princ = SPN User (the same as specified for idm.princ in the global.properties)
  idm.keytab = (the same as specified for idm.keytab in the global.properties )
  Please note, if you are using the hardcoded password set in Tomcat's Java Options do not make any changes to the keytab lines in the web.xml
  Step 3:
  Backup and edit Drive:\Tomcat6\webapps\dswsbobje\WEB-INF\classes\dsws.properties by setting kerberos.sso to 'true' Restart Tomcat
  KR,
  MD

• How to do destination NAT in a 2600 router with IOS 12.3?

  Hi All
  I have a 2600 router with two LAN interfaces which I am using for a PoC and has the following settings:
  FE 0/0 - 10.0.0.1/24 - client LAN - inside 
  FE 0/1 - 10.1.1.1/24 - server LAN - outside 
  The direction of the flows are from the clients to the servers. What I would like to achieve is when clients accessing the web server 10.1.1.10, this to be replaced by 10.1.1.100.
  I have tried the above a few times but doesn't work. Is the above possible? And If so please provide me with a sample config.
  Many Thanks
  [email protected]  

  Yes, you can do this.  You don't need destination NAT.  Source NAT translations work both ways.  This should work:
  ip nat inside source static tcp 10.1.1.100 80 10.1.1.10 80
  int fa 0/0
  ip nat inside
  int fa 0/1
  ip nat outside
  The bigger question is why you'd want to.  Just because you CAN do something doesn't mean you SHOULD.  Unless you have the 10.1.1.0 network subnetted or some sort of firewall/blocking in place, both IPs should be reachable by the hosts.  Why not just have them go directly to 10.1.1.100 instead of going to 10.1.1.10?  If there's a firewall or similar blocking 10.1.1.100, why not adjust your firewall settings instead?  You could have a valid reason for doing this but I can't think of very many scenarios off the top of my head where this would make sense.  If you can post more details on what you're trying to accomplish, you might get better advice on a better way to solve the problem.

• CSS 11503 Destination NAT - can only enable one service

  I have three web servers configured as six services. Three are for MOSS (Microsoft Office Sharepoint Server) and three are for SSRS (SQL Server Reporting Services 2006 in integration mode).
  THE PROBLEM:
  When more than one MOSS service is active I can no longer connect to the SSRS services.
  This is a trunked Configuration:
  interface 1/1
  trunk
  redundancy-phy
  vlan 1
  default-vlan
  vlan 100
  vlan 101
  vlan 103
  interface 3/16
  bridge vlan 4000
  circuit VLAN100
  redundancy
  ip address 192.168.100.xx0 255.255.255.0
  circuit VLAN103
  redundancy
  ip address 192.168.103.xx0 255.255.255.0
  circuit VLAN4000
  ip address 1.x.x.2 255.255.255.252
  redundancy-protocol
  circuit VLAN101
  redundancy
  ip address 192.168.101.xx0 255.255.255.0
  service MOSSWeb01
  ip address 192.168.103.xx1
  keepalive port 80
  keepalive type tcp
  active
  service MOSSWeb02
  ip address 192.168.103.xx2
  keepalive port 80
  keepalive type tcp
  active
  service MOSSWeb03
  ip address 192.168.103.xx3
  keepalive port 80
  keepalive type tcp
  active
  service SSRSWeb01
  ip address 192.168.103.xx1
  active
  service SSRSWeb02
  ip address 192.168.103.xx2
  active
  service SSRSWeb03
  ip address 192.168.103.xx3
  active
  owner MOSS
  content MOSS
  vip address 192.168.100.xx1
  vip-ping-response local-remote
  add service MOSSWeb01
  add service MOSSWeb02
  add service MOSSWeb03
  active
  owner SSRS
  content REPORTSERVER
  vip address 192.168.100.xx2
  add service SSRSWeb01
  add service SSRSWeb02
  add service SSRSWeb03
  vip-ping-response local-remote
  active
  group MOSS2007-DSTNAT
  vip address 192.168.100.xx1
  add destination service MOSSWeb01
  add destination service MOSSWeb02
  add destination service MOSSWeb03
  active
  group SSRS2005-DSTNAT
  vip address 192.168.100.xx2
  add destination service SSRSWeb01
  add destination service SSRSWeb02
  add destination service SSRSWeb03
  active
  NOTES:
  All (3) real servers have a default route to 192.168.103.xx0 which insures traffic passing through the CSS (so I don't understand why I still need a destination service group).
  When MOSS accesses SSRS it does so via http://SSRS2005/reportserver. This is configured in DNS as 192.168.100.xx2. I would think that this would also insure traffic through the CSS but I still had to configure a destination service for these.
  All clients connect to the MOSS services via one VIP (192.168.100.xx1) and the MOSS services connect to the SSRS services via a 2nd VIP (192.168.100.xx2). MOSS also connects to itself for indexing content and a variety of other services (I had originally tried separating the MOSS content rules using layer 5 matching on Host Headers. This seemed to cause issues with access to ports 139 and 445 for UNC access to document libraries so I simplified the MOSS content rule back to layer 3).
  I have setup two distinct groups and have used destination NAT so that the servers can communicate to each other.
  When using Wireshark on the servers to run packet traces and all services are up I do not even see any packets destined for the SSRS services leading me to believe that they are dropped by the CSS (however, I don't see them using show flows on the CSS either).
  Can anyone here shed some light on the correct way to configure the CSS in such a scenario?
  Thanks in advance.

  I have two MOSS services down because MOSS can't get to SSRS if more than one MOSSservice is active. That's the crux of the biscuit.
  I had hoped to avoid the whole packet sniffing activity but it looks like I may need to capture more information. I don't really want to change the VLAN configuration since this CSS is managed by our network team and there are other services configured on the CSS that I have not indicated.
  I appreciate your advice, so far. I will actually have some downtime this coming weekend where I can try some additional configuration options after prime time from home.
  One thing that may not be apparent in this whole discussion is that all of the sites on both MOSS and SSRS use HOST Headers for HTTP. That's what keeps them separated. I had tried using layer 5 content rules but had the same issue plus other issues with non-HTTP traffic. I also did not care for the fact that the CSS actually spoofs the responses when using layer 5. There is a lot of NTLM Challenge/Response traffic for Windows Integrated Authentication and Negotiated Kerberos. The bottom line is that even without Layer 5 content rules the Host Headers do get passed to IIS and the sites are selected properly based on that header. The exception is that Host Headers are no longer required for SSRS since it is the default website on port 80 (besides - setting up host headers for SSRS in MOSS integration mode has it's own set of issues). Still, the host headers are sent to SSRS SOAP Endpoints and there are no issues connecting to any of the three SSRS services from any of the three MOSS servers interactively. The issue is when a client outside of these VLANs makes a request for a report.
  client->MOSS->SSRS->MOSS->client
  Be aware too that both MOSS and SSRS are making connections back through the CSS to their respective databases for each request.

• Sh ip nat translations

  Hi,
  When I action show ip nat translations on our gateway router, it comes up with an Inside Local IP Address that does NOT belong to out local network. See attached.
  192.168.1.0/24 does not belong to any of our user, not in routing table as static route (we don't use dynamic protocol) nor this is a configure interface on the router.
  Is there a way I can trace which VLAN this IP is coming from because before this network 192.168.1.0/24 was flooding out NAT pool and I had to configure the following under the NAT Pool ACL:
  deny ip 192.168.1.0 0.0.0.255 any any log
  Show log:
  Jun 18 2007 14:41:46.081 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 15 packets
  and
  Jun 18 2007 14:51:29.101 EST: %SEC-6-IPACCESSLOGDP: list NAT_ACL denied icmp 192.168.1.111 -> 71.8.70.164 (0/0), 3 packets
  Could this be a DOS attack?
  We are currently experiencing Internet outage to some users which cannot use HTTP, mail and terminal service.
  Thanks

  Is there any subnets inside who are conencted to a different network over VPN
  with the IP 192.168.1.X etc & access th internet.

• Ip add inside Nat translated twice

  Hi,
  I have hear of the possibility of having an inside ip add translated twice, I am not referring to double nat but below scenario:
  private ip address translated into a 29/ then...However wan ip add is /30
  Have u ever heard of it?
  Thank you

  Hello Nwag,
  When you perform a NAT translation, the prefix that you define is not added to the translation, it simply narrows down to source and destination IP addresses, the prefix or mask is used more details to static network translations and to define the ranges for the traffic that you want to translate.
  Anyway your ISP controls the IP address that are routed to your router, so even if you translate the traffic to an IP address it does not guarantee that you will get that traffic back. If you need more addresses you will need to purchase them.
  Hopes this answer your inquiries.
  Regards,
  Alex Sanchez
  CCIE R&S #37454

• Cisco 2921 destination NAT for transparent proxy

  Hi All,
  I can successfully destination-nat all outbound port 80 and 443 connections to a remote proxy server without issue, provided I use a PBR first to push any of these connections off to a Linux box.
  In iptables its easy:
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <proxy ip>:80
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <proxy ip>:443
  iptables -t nat -A POSTROUTING -o eth0 -d <proxy ip> -j SNAT --to <linux box IP>
  I am however, trying to work out a way to do this without the need of a Linux box, except it seems at this stage that the Cisco 2900 series (IOS 15.0(1r)M16) is incapable of doing this. I just wanted to confirm from some of the experts in here if this is actually the case.
  So to reiterate - I'm trying to intercept any outbound packets with destination port tcp 80 or 443 and change the destination IP to point to the remote proxy server.
  The source address also needs to be changed to that of the outside interface of the router it is exiting (obviously).
  Any ideas guys? I'm stuck.
  Cheers,
  Jordan.

  Sounds like you need a route-map to change the next IP hop?
  This would be the best way to do it which will also verify the remote proxy server is available as well.
  ip sla monitor 1
  type echo protocol ipIcmpEcho <ip address of your proxy server>
  timeout 3000
  frequency 3
  ip sla monitor schedule 1 life forever start-time now
  track 123 rtr 1 reachability
  interface FastEthernet0/1
  ip address <x.x.x.x x.x.x.x>
  ip policy route-map REDIRECT-TO-PROXY
  ip access-list extended webtraffic
  ! Deny traffic from your proxy server from redirecting
    deny tcp host <ip address of your proxy server> any eq www
    deny tcp host <ip address of your proxy server> any eq https
    permit tcp <your ip network> <subnet mask> any eq www
    permit tcp <your ip network> <subnet mask> any eq https
  route-map REDIRECT-TO-PROXY permit 10
  match ip address webtraffic
  set ip next-hop verify-availability <ip address of your proxy server> 1 track 123
  If you don't already have a NAT rule setup to translate this traffic to the outside here is an example of that:
  Here is how my router is configured.
  interface FastEthernet0/0
   ip address dhcp hostname home-rtr-1
   ip nat outside
  interface FastEthernet0/1
   ip address 10.235.x.x 255.255.255.252
   ip nat inside
  ip nat inside source list 10 interface FastEthernet0/0 overload
  access-list 10 permit <your ip network> <your ip subnet>
  HTH

• ASR1006 log NAT translations

  Good day. We've got the following problem, but i cant solve it.
  We have:
  ASR1000-RP2
  ASR1000-ESP40
  ASR1000-SIP40
  SPA-10X1GE-V2
  SPA-10X1GE-V2
  Kiwi Syslog Server
  ASR performs the function of ISG. The number of subscribers until 10000. This number is constantly growing.
  Because of the economic address space subscribers surf the Internet through NAT.
  Now the task to keep logs of all translations or binds. Need to store the information about what time, certain internal IP address using the external IP.
  I've tried:
  ip nat log translations syslog
  logging trap debugging
  logging host xx.xx.xx.xx transport UDP port xxx
  no logging console (so as not to load the CPU)
  Next on the syslog server has come the following message:
  %IOSXE-4-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:064 TS:00004084523374422713 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 1048576 exceeded; frame dropped
  I did:
  ip nat translation max-entries 10000000
  Error stopped publishing but logs do not come.
  I think of the huge number of translation per second, it can not send them as fast.
  How can this problem be solved or otherwise obtain and store information about a translations?
  Say what Syslog server is properly used for large volumes of data.
  Thank You and sorry for my English

  So I was able to redirect all log nat translations to the server using the command:
  ip nat log translations flow-export v9 udp destination server_ip udp_port
  Through Wireshark I get all the relevant information about ip address and time.
  Is there any software that could take this information and process it.
  I has used PRTG, ZOHO but they can`t analyze this flow type.
  Can anyone help me?

• L2L VPN with source and destination NAT

  Hello,
  i am new with the ASA 8.4 and was wondering how to tackle the following scenario.
  The diagram is
  Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
  The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
  The Customer connects the following way
  Source: 198.1.1.1
  Destination: 192.168.1.1
  It gets to the outside ASA interface which should translate the packets to:
  Source: 10.110.110.1
  Destination: 10.120.110.1
  On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
  I did the following configuration which I am not able to test but tomorrow during the migration
  object network obj-198.1.1.1
  host 198.1.1.1
  object network obj-198.1.1.1
  nat (outside,inside) dynamic 10.110.110.1
  For the inside to outside NAT depending on the destination:
  object network Real-IP
    host 10.120.110.1
  object-group network PE-VPN-src
  network-object host 198.1.1.1
  object network Destination-NAT
  host 192.168.1.1
  nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
  Question is if I should create also the following or not for the outside to inside flow NAT? Or the NAT is done from the inside to outside estatement even if the traffic is always initiated from outside interface?
  object network obj-192.168.1.1
  host 192.168.1.1
  object network obj-192.168.1.1
  nat (outside,inside) dynamic 10.120.110.1

  Let's use a spare ip address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free (pls kindly double check and use a free IP Address accordingly):
  object network obj-10.10.10.243
    host 10.10.10.243
  object network obj-77.x.x.24
    host 77.x.x.24
  object network obj-10.10.10.251
    host 10.10.10.251
  object network obj-pcA
    host 86.x.x.253
  nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
  Hope that helps.

• Dhcp client lease, nat translation statistics

  I am using my 3620 instead of a netgear cable router connected to cablevision.
  1) How can I see when the router dhcp lease ends so I can see if it gets another address? I have seen on past posts that there were problems with this issue. I am using 12.3(13) ios.
  2) How can I see how much memory has been used by nat translations? I have 64Meg of memory.
  Thanks

  Hi csross,
  If I understand you correct this will resolve your issue.
  1) show ip dhcp binding [ip-address]
  It will show you the lease expiration like the output below
  Router# show ip dhcp binding 172.16.1.11
  IP add Hard add Lease expiration Type
  172.16.1.11 00a0.9802.32de Feb 01 1998 12:00 AM Automatic
  Here you go with the link
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hiad_r/adr_s1h.htm#wp1132199
  2) Each NAT mapping uses approximately 160 bytes of memory.
  I am still not sure of the command.
  HTH
  Ankur

• [svn:bz-trunk] 21327: Updated the sample destination config to show the new "none" value for cluster-message-routing

  Revision: 21327
  Revision: 21327
  Author:   [email protected]
  Date:     2011-06-02 08:51:22 -0700 (Thu, 02 Jun 2011)
  Log Message:
  Updated the sample destination config to show the new "none" value for cluster-message-routing
  Modified Paths:
      blazeds/trunk/resources/config/messaging-config.xml

  Thanks Carlo for your reply.
  I have read again the link and you are correct that in using the preferred command together with localhost under POTS dial-peer, I can now select which correct path to choose for my outbound calls. I'm just not very strong with dial-peer and translation rules at the moment.
  I will try this solution during the weekend and let you know. But it would have been better if there was a sample configuration for this option.

• What's the best way to do many NAT translations for WWW farm?

  Hello all, I hope this finds you in good spirits.
  I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many nat translations through it.  I have a group of about 100 IP's that need http/https/and sqlnet allowed through for our web farm.
  I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists.  Now with the new object based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
  Do I have to create an network object for each and every IP i want to nat through? 
  Thank you for your consideration!

  Were your NATs not present in the pre-upgrade code? If they were, they should have been automatically rebuilt along with the recommended objects.
  If they weren't, you can relatively easily make a little script of spreadsheet with some transforms to go from your text listing to the necessary network objects and new syntax nat rules.
  It's also relatively easy to build them in ASDM and just copy, insert and modify down the list. You can even use the "Add Object" part of the GUI to also add the NAT rules at the same time: