Destination NAT with a specific origin ASA 8.2

Similar Messages

• Associating NAT with a specific network service definition... how?

  I don't know if this is possible, but if it is I would value any help in configuring it on SLS 10.6.2
  I have SLS 10.6.2 server running on a Mac Mini. It connects to multiple static IPs via a number of 'virtual' network services using its single ethernet connection. This achieved by simply creating new services in system preferences / network associated with the ethernet interface, and defining each to have its own fixed IP within our assigned static IP range. This allows the mini to listen for and respond to multiple public IPs. The various bits of software on the mini are configured to 'listen' to their own IP only. The approach works well for this purpose.
  We are using SLS VPN to allow connections to the server from remote locations, and currently provide these with access to the public internet by setting up the VPN to assign one of the unused static IP address in our block to the incoming connection. It works fine unless there is more than one person wanting to use the VPN connection...
  So I would like to set up a NAT configuration on the unused IP address and associate this with a private network range (e.g. 192.168.x.x), and then get the VPN to allocated incoming connections on of the range of IP's.
  When I try to configure NAT using server preferences, I only have the option of attaching it to one of the defined network interfaces (e.g. ethernet, airport, firewire), but not to a specific service attached to the ethernet connection.
  Is it possible to do this? If so how?
  Alternatively, is it possible to configure an unused network connection (e.g. the FW connection) to point to the required fixed IP, even if it is not physically connected to anything? If I could do this, I could side-step the problem.
  Thanks in advance for any help.
  Message was edited by: Gavin Lawrie

  Get yourself a server-grade firewall (VPN, DMZ, port-mapping, syslog, etc) and move on.

• Cisco asa traffic flow with destination nat

  Hi Folks,
                     Can anybody comment on the below.
  1.  in source natting (inside users accessing internet), first the NAT will happen then the routing will happen. I agree with this..
  2. in destination natting (outside users accessing inside server on public ip), what will happen first, NATTING or Routing. I am looking forward to hear an explanation.
  regards
  Rajesh

  The ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
  The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
  That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from.  On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
  The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
  The short answer:
  The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface. 
       If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
       If there is a rule that explicitly specifies how to translate the packets destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
  The longer answer:
  For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
  Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
       Step 1.A: ACL Check: Check the un-translated packet against the interface ACL, if permitted proceed to step 2
  Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
       Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped ip address or range, and is forwarded to an inside interface)?
     -or-
       Step 2 check B:  Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
       If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; Then, a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
  Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the nat translation. You can actually see the nat divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be mis-leading.
  Now lets refer to the specific example you outlined in your post; you said:
  route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
  route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
  nat (LAN,ISP-1) after-auto source dynamic any interface
  nat (LAN,ISP-2) after-auto source dynamic any interface
  Now lets say that there is a connection coming from behind LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before L3 Route Lookup?
  The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
  It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
  It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
  Message was edited by: Jay Johnston

• ASA 5510 NAT with IOS 9.1

  Hi All,
  Hoping someone can clear this up for me.
  I am trying to setup a ASA 5510 with IOS 9.1 and having NAT issues.
  The ASA is connected inside the LAN to separate a second LAN.
  Internal (10.0.0.0/24) --> DG RTR (10.0.0.254) FE0/0--> FE0/1 (61.0.0.1/24) --> ASA outside (61.0.0.2/24) --> ASA Inside (192.168.1.0//24)
  I keep getting Asymetric NAT rules matched for forward and reverse path flows when going from Internal to ASA Inside LAN
  I fear it is my lack of understanding, when you have a router you can go between different LANs/subnets but with the ASA does it always NAT whatever happens?
  If I statically NAT a device on the ASA Inside LAN I can get to the device via the 61.0.0.0 address and if I add what I believe to be an exemption rule to keep the translated packet the same as long as I specify something like Internal LAN to ASA Inside specific device it works but not if I do Internal LAN to ASA Inside LAN.
  Hope that makes sense and someone can give me a clue to where I am going wrong with the setup / understanding.
  If there are any good docs that might explain it would be appreciated as everything I have read so far has not given me an clarity.
  Many thanks

  Hi,
  Just to clarify, are we talking about a situation the ASA is simply connected to an internal network (even though it might use public IP addresses)? Also, do you want to perform any NAT on this ASA or is there some separate firewall sitting at the edge of your network handling the external connectivity?
  If the above things are true then you could simply leave your ASA NAT configuration totally blank and the ASA would not do any NAT to the traffic. This naturally would require that you make sure that routing for subnet 192.168.1.0/24 is handled on all the routers/devices on the network as this subnet would be directly visible with its original addresses (since we would leave the ASA NAT configuration blank). I manage a couple of environments where the customer has a internal ASA separating certain section of the LAN network and they dont have any NAT configurations.
  The problems you mention in the post are probably due to Dynamic PAT configuration which means that your LAN can access the other parts of the Internal network but no connection is possible from the Internal network to this separate LAN behind the ASA. The reason there is that the connection from Internal LAN to the separate LAN wont match any NAT configuration but the return traffic (reverse check that the ASA does) will match the Dynamic PAT and that is why the traffic is dropped.
  Static NAT done to the hosts behind the ASA will naturally help since there wont be any problems with the translation in that case in either direction.
  You could take a look at a NAT Document I wrote way back in 2013. Though it wont really answer your specific questions here but perhaps it might be of help at some point
  https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
  Hope this helps :)
  - Jouni

• L2L VPN with source and destination NAT

  Hello,
  i am new with the ASA 8.4 and was wondering how to tackle the following scenario.
  The diagram is
  Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
  The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
  The Customer connects the following way
  Source: 198.1.1.1
  Destination: 192.168.1.1
  It gets to the outside ASA interface which should translate the packets to:
  Source: 10.110.110.1
  Destination: 10.120.110.1
  On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
  I did the following configuration which I am not able to test but tomorrow during the migration
  object network obj-198.1.1.1
  host 198.1.1.1
  object network obj-198.1.1.1
  nat (outside,inside) dynamic 10.110.110.1
  For the inside to outside NAT depending on the destination:
  object network Real-IP
    host 10.120.110.1
  object-group network PE-VPN-src
  network-object host 198.1.1.1
  object network Destination-NAT
  host 192.168.1.1
  nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
  Question is if I should create also the following or not for the outside to inside flow NAT? Or the NAT is done from the inside to outside estatement even if the traffic is always initiated from outside interface?
  object network obj-192.168.1.1
  host 192.168.1.1
  object network obj-192.168.1.1
  nat (outside,inside) dynamic 10.120.110.1

  Let's use a spare ip address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free (pls kindly double check and use a free IP Address accordingly):
  object network obj-10.10.10.243
    host 10.10.10.243
  object network obj-77.x.x.24
    host 77.x.x.24
  object network obj-10.10.10.251
    host 10.10.10.251
  object network obj-pcA
    host 86.x.x.253
  nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
  Hope that helps.

• How to do destination NAT in a 2600 router with IOS 12.3?

  Hi All
  I have a 2600 router with two LAN interfaces which I am using for a PoC and has the following settings:
  FE 0/0 - 10.0.0.1/24 - client LAN - inside 
  FE 0/1 - 10.1.1.1/24 - server LAN - outside 
  The direction of the flows are from the clients to the servers. What I would like to achieve is when clients accessing the web server 10.1.1.10, this to be replaced by 10.1.1.100.
  I have tried the above a few times but doesn't work. Is the above possible? And If so please provide me with a sample config.
  Many Thanks
  [email protected]  

  Yes, you can do this.  You don't need destination NAT.  Source NAT translations work both ways.  This should work:
  ip nat inside source static tcp 10.1.1.100 80 10.1.1.10 80
  int fa 0/0
  ip nat inside
  int fa 0/1
  ip nat outside
  The bigger question is why you'd want to.  Just because you CAN do something doesn't mean you SHOULD.  Unless you have the 10.1.1.0 network subnetted or some sort of firewall/blocking in place, both IPs should be reachable by the hosts.  Why not just have them go directly to 10.1.1.100 instead of going to 10.1.1.10?  If there's a firewall or similar blocking 10.1.1.100, why not adjust your firewall settings instead?  You could have a valid reason for doing this but I can't think of very many scenarios off the top of my head where this would make sense.  If you can post more details on what you're trying to accomplish, you might get better advice on a better way to solve the problem.

• Cisco ASA 8.2. Destination NAT (network - network)

  Hi Guys,
  Could you tell me if I can do destination NAT (class C network => class C network) on Cisco ASA running 8.2? (or another version).
  For example, will destination NAT like this work:
  static (inside,outside) 8.2.2.0 10.10.8.0 netmask 255.255.255.0
  I need that when a packet from Internet go to 8.2.2.X it's destination IP address will change to 10.10.8.X.
  So, if a packet goes to 8.2.2.145 , the dest IP field of the packet will be changed to 10.10.8.145.
  If a packet goes to 8.2.2.1, the dest IP field of the packet will be changed to 10.10.8.1.
  Etc.
  Thanks.

  Hello,
  Yes, that is possible.. In fact that is the way it works.
  Regards,
  Julio

• CSS 11503 Destination NAT - can only enable one service

  I have three web servers configured as six services. Three are for MOSS (Microsoft Office Sharepoint Server) and three are for SSRS (SQL Server Reporting Services 2006 in integration mode).
  THE PROBLEM:
  When more than one MOSS service is active I can no longer connect to the SSRS services.
  This is a trunked Configuration:
  interface 1/1
  trunk
  redundancy-phy
  vlan 1
  default-vlan
  vlan 100
  vlan 101
  vlan 103
  interface 3/16
  bridge vlan 4000
  circuit VLAN100
  redundancy
  ip address 192.168.100.xx0 255.255.255.0
  circuit VLAN103
  redundancy
  ip address 192.168.103.xx0 255.255.255.0
  circuit VLAN4000
  ip address 1.x.x.2 255.255.255.252
  redundancy-protocol
  circuit VLAN101
  redundancy
  ip address 192.168.101.xx0 255.255.255.0
  service MOSSWeb01
  ip address 192.168.103.xx1
  keepalive port 80
  keepalive type tcp
  active
  service MOSSWeb02
  ip address 192.168.103.xx2
  keepalive port 80
  keepalive type tcp
  active
  service MOSSWeb03
  ip address 192.168.103.xx3
  keepalive port 80
  keepalive type tcp
  active
  service SSRSWeb01
  ip address 192.168.103.xx1
  active
  service SSRSWeb02
  ip address 192.168.103.xx2
  active
  service SSRSWeb03
  ip address 192.168.103.xx3
  active
  owner MOSS
  content MOSS
  vip address 192.168.100.xx1
  vip-ping-response local-remote
  add service MOSSWeb01
  add service MOSSWeb02
  add service MOSSWeb03
  active
  owner SSRS
  content REPORTSERVER
  vip address 192.168.100.xx2
  add service SSRSWeb01
  add service SSRSWeb02
  add service SSRSWeb03
  vip-ping-response local-remote
  active
  group MOSS2007-DSTNAT
  vip address 192.168.100.xx1
  add destination service MOSSWeb01
  add destination service MOSSWeb02
  add destination service MOSSWeb03
  active
  group SSRS2005-DSTNAT
  vip address 192.168.100.xx2
  add destination service SSRSWeb01
  add destination service SSRSWeb02
  add destination service SSRSWeb03
  active
  NOTES:
  All (3) real servers have a default route to 192.168.103.xx0 which insures traffic passing through the CSS (so I don't understand why I still need a destination service group).
  When MOSS accesses SSRS it does so via http://SSRS2005/reportserver. This is configured in DNS as 192.168.100.xx2. I would think that this would also insure traffic through the CSS but I still had to configure a destination service for these.
  All clients connect to the MOSS services via one VIP (192.168.100.xx1) and the MOSS services connect to the SSRS services via a 2nd VIP (192.168.100.xx2). MOSS also connects to itself for indexing content and a variety of other services (I had originally tried separating the MOSS content rules using layer 5 matching on Host Headers. This seemed to cause issues with access to ports 139 and 445 for UNC access to document libraries so I simplified the MOSS content rule back to layer 3).
  I have setup two distinct groups and have used destination NAT so that the servers can communicate to each other.
  When using Wireshark on the servers to run packet traces and all services are up I do not even see any packets destined for the SSRS services leading me to believe that they are dropped by the CSS (however, I don't see them using show flows on the CSS either).
  Can anyone here shed some light on the correct way to configure the CSS in such a scenario?
  Thanks in advance.

  I have two MOSS services down because MOSS can't get to SSRS if more than one MOSSservice is active. That's the crux of the biscuit.
  I had hoped to avoid the whole packet sniffing activity but it looks like I may need to capture more information. I don't really want to change the VLAN configuration since this CSS is managed by our network team and there are other services configured on the CSS that I have not indicated.
  I appreciate your advice, so far. I will actually have some downtime this coming weekend where I can try some additional configuration options after prime time from home.
  One thing that may not be apparent in this whole discussion is that all of the sites on both MOSS and SSRS use HOST Headers for HTTP. That's what keeps them separated. I had tried using layer 5 content rules but had the same issue plus other issues with non-HTTP traffic. I also did not care for the fact that the CSS actually spoofs the responses when using layer 5. There is a lot of NTLM Challenge/Response traffic for Windows Integrated Authentication and Negotiated Kerberos. The bottom line is that even without Layer 5 content rules the Host Headers do get passed to IIS and the sites are selected properly based on that header. The exception is that Host Headers are no longer required for SSRS since it is the default website on port 80 (besides - setting up host headers for SSRS in MOSS integration mode has it's own set of issues). Still, the host headers are sent to SSRS SOAP Endpoints and there are no issues connecting to any of the three SSRS services from any of the three MOSS servers interactively. The issue is when a client outside of these VLANs makes a request for a report.
  client->MOSS->SSRS->MOSS->client
  Be aware too that both MOSS and SSRS are making connections back through the CSS to their respective databases for each request.

• Destination NAT ACE

  Can someone provide some information on how you would setup 2 servers to proxy out as the VIP address?
  On the CSS I know you can accomplish this though the use of a group rule
  Ex:
  group Outbound_Proxy
  vip address 192.168.1.x
  add service web1
  add service web2
  active
  What would be the equivalent on the ACE? I am sure it would be a dynamic NAT configuration however, I am not to sure how to set that up.
  Can someone please provide some advice?
  Thank you in advance!

  Thank you for your response Gilles! Glad to know that my configuration should work.
  The reason I assume it does not work is due to the output given from a 'show service-policy NAT-POLICY detail'. There is no registered hit count on any of the counters when I would initiate a connection to the .163 VIP were it should balance to either the 192.168.100.158 or 192.168.100.157 IP addresses. I thought the outbound response would have incremented something within the service-policy output.
  Status : ACTIVE
  Description: -----------------------------------------
  Interface: vlan 91
  service-policy: NAT-POLICY
  class: DNS-NAT-Servers
  nat:
  nat dynamic 2 vlan 695
  curr conns : 0 , hit count : 0
  dropped conns : 0
  client pkt count : 0 , client byte count: 0
  server pkt count : 0 , server byte count: 0
  conn-rate-limit : 0 , drop-count : 0
  bandwidth-rate-limit : 0 , drop-count : 0
  This is the reason I have not yet performed a packet capture.
  I notice the connection establish just fine and the ACE forward/balance my connection to the correct destination server. However, looking at the me-stats for the connection ID I noticed it is not dynamically NAT'ing the response out.
  ACE-12539-187036/spam# sho conn | i 64.39.0.40
  150536 1 in TCP 695 64.39.0.40:56412 192.168.100.163:53 ESTAB
  34566 1 out TCP 91 192.168.100.157:53 64.39.0.40:56412 ESTAB
  Connection ID:seq: 34566[0x8706].5
  Other ConnID : 150536[0x24c08].10
  Proxy ConnID : 0[0x0].0
  Next Q : 0[0x0]
  192.168.100.157:53 -> 64.39.0.40:56412 [RX-NextHop: TX] [TX-NextHop: TX]
  Flags: PAT: No DynNAT: No Implicit PAT: No On_Reuse: No
  L3 Protocol : IPv4 L4 Protocol : 6
  Inbound Flag : 0
  Interface Match : Yes
  Interface MatchID: 13
  EncapsID:ver : 234:0 TCP ACK delta : 0x5194237d
  MSS : 1380 TOS Stamp : 0
  Repeat mode : No ARP Lookup : No
  TOS Stamp : No TCP Window Check: No
  ACE ID : 12898 NAT Policy ID : 0
  Post NAT hop : 0
  Packet Count : 1 Byte Count : 44
  TCP Information: (State = 3)
  Window size : 16384 Window scale : 0
  FIN seen : No FIN/ACK seen : No
  FIN/ACK exp : No Close initiator : No
  FIN/ACK expval: 5b40000 Last seq : 79e90c16
  timestamp_delta: 0 Last ack : 1
  No Trigger : 0 Trigger Status : 0
  Timestamp : 6279495f
  TCP options negotiated:
  Sack:Clear TS:Clear Windowscale: Clear
  Reserved: Allow Exceed MSS: Deny Window var: Allow
  Is the above connection output in the me-stats expected with my DNAT configuration? Would this DNAT configuration apply to only outbound connections initiated from the .158 or .157 IP addresses? I would assume it would work with the response traffic as well. I know I can setup dynamic NAT for a specific serverfarm. Do you think I should try that instead?
  Thank you in advance!
  - Jason

• SSIS 2012 is intermittently failing with below "Invalid date format" while importing data from a source table into a Destination table with same exact schema.

  We migrated Packages from SSIS 2008 to 2012. The Package is working fine in all the environments except in one of our environment.
  SSIS 2012 is intermittently failing with below error while importing data from a source table into a Destination table with same exact schema.
  Error: 2014-01-28 15:52:05.19
     Code: 0x80004005
     Source: xxxxxxxx SSIS.Pipeline
     Description: Unspecified error
  End Error
  Error: 2014-01-28 15:52:05.19
     Code: 0xC0202009
     Source: Process xxxxxx Load TableName [48]
     Description: SSIS Error Code DTS_E_OLEDBERROR.  An OLE DB error has occurred. Error code: 0x80004005.
  An OLE DB record is available.  Source: "Microsoft SQL Server Native Client 11.0"  Hresult: 0x80004005  Description: "Invalid date format".
  End Error
  Error: 2014-01-28 15:52:05.19
     Code: 0xC020901C
     Source: Process xxxxxxxx Load TableName [48]
     Description: There was an error with Load TableName.Inputs[OLE DB Destination Input].Columns[Updated] on Load TableName.Inputs[OLE DB Destination Input]. The column status returned was: "Conversion failed because the data value overflowed
  the specified type.".
  End Error
  But when we reorder the column in "Updated" in Destination table, the package is importing data successfully.
  This looks like bug to me, Any suggestion?

  Hi Mohideen,
  Based on my research, the issue might be related to one of the following factors:
  Memory pressure. Check there is a memory challenge when the issue occurs. In addition, if the package runs in 32-bit runtime on the specific server, use the 64-bit runtime instead.
  A known issue with SQL Native Client. As a workaround, use .NET data provider instead of SNAC.
  Hope this helps.
  Regards,
  Mike Yin
  If you have any feedback on our support, please click
  here
  Mike Yin
  TechNet Community Support

• Source Nat and Destination Nat

  Is any of the above working in the ACE OR CSM module by default?
  What is an advantage of configuring destination NAT on the ACE Box?

  Hello,
  On both the CSM and ACE, destination NAT (a.k.a. server nat) is enabled by default in a serverfarm. Source NAT needs to be manually configured on both devices, as it is not a default configuration.
  In server load balancing, destination NAT is very common. When clients connect to a VIP on the load balancer, the load balancer will then choose a real server the send the connection to. The destination IP address of the client-to-server traffic will be NAT'd from the virtual IP address (VIP) to the real server's IP address. The server's reply will be sourced with the real server's IP address, initially. The load balancer will again perform NAT to change the source IP address from the real server's IP address back to the VIP address prior to forwarding the response back to the client. This way, the client only knows about the VIP address, and not the real server's IP address.
  Best regards,
  Sean

• Cisco 2921 destination NAT for transparent proxy

  Hi All,
  I can successfully destination-nat all outbound port 80 and 443 connections to a remote proxy server without issue, provided I use a PBR first to push any of these connections off to a Linux box.
  In iptables its easy:
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <proxy ip>:80
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <proxy ip>:443
  iptables -t nat -A POSTROUTING -o eth0 -d <proxy ip> -j SNAT --to <linux box IP>
  I am however, trying to work out a way to do this without the need of a Linux box, except it seems at this stage that the Cisco 2900 series (IOS 15.0(1r)M16) is incapable of doing this. I just wanted to confirm from some of the experts in here if this is actually the case.
  So to reiterate - I'm trying to intercept any outbound packets with destination port tcp 80 or 443 and change the destination IP to point to the remote proxy server.
  The source address also needs to be changed to that of the outside interface of the router it is exiting (obviously).
  Any ideas guys? I'm stuck.
  Cheers,
  Jordan.

  Sounds like you need a route-map to change the next IP hop?
  This would be the best way to do it which will also verify the remote proxy server is available as well.
  ip sla monitor 1
  type echo protocol ipIcmpEcho <ip address of your proxy server>
  timeout 3000
  frequency 3
  ip sla monitor schedule 1 life forever start-time now
  track 123 rtr 1 reachability
  interface FastEthernet0/1
  ip address <x.x.x.x x.x.x.x>
  ip policy route-map REDIRECT-TO-PROXY
  ip access-list extended webtraffic
  ! Deny traffic from your proxy server from redirecting
    deny tcp host <ip address of your proxy server> any eq www
    deny tcp host <ip address of your proxy server> any eq https
    permit tcp <your ip network> <subnet mask> any eq www
    permit tcp <your ip network> <subnet mask> any eq https
  route-map REDIRECT-TO-PROXY permit 10
  match ip address webtraffic
  set ip next-hop verify-availability <ip address of your proxy server> 1 track 123
  If you don't already have a NAT rule setup to translate this traffic to the outside here is an example of that:
  Here is how my router is configured.
  interface FastEthernet0/0
   ip address dhcp hostname home-rtr-1
   ip nat outside
  interface FastEthernet0/1
   ip address 10.235.x.x 255.255.255.252
   ip nat inside
  ip nat inside source list 10 interface FastEthernet0/0 overload
  access-list 10 permit <your ip network> <your ip subnet>
  HTH

• Destination nat on switches

  we want destination nat to work. we have 6509 series swithces running HSRP. we have 2 locations. at these locations proxy servers do the the job of filtering and sending the web traffic. what we want is if the proxy server at location 1 goes down, we shd be able to nat the incoming traffic for proxy sever from user vlan to the proxy server of location b traffic. teh ios version is IOS (tm) MSFC2 Software (C6MSFC2-IS-M), Version 12.1(4)E3,what commands we need to run
  thanx

  Your problem is not going to be so much the nat as how you figure out when the proxy goes down.
  The only thing I have seen that can take action based on a external server is to use object tracking and policy routing. I don't think Nat has any ability to do this.
  Another solution that you may want to concider if your switches support it is to use server load balancing (SLB) to do this.
  There are a number of ways to configure this but it will depend on where your servers are located in relation to the switch. Since this is designed for load balancing first and redundacy second it may not end up being effectient.
  Now if you really want to use nat you could use the policy routing with the object track options and route the traffic to either another router or to loopback interfaces. This would be a variation of nat on a stick. In effect you would be rerouting your traffic though NAT interfaces based on availablilty. Both the policy routing track options and nat on a stick are not the most simple things to comfigure. The policy routing with track option is fairly new and I don't know if they have put it in the switch versions of the IOS yet.

• Patch: CSCun25809, AnyConnect Password Management Fails with SMS Passcode for ASA 5520

  Patch: CSCun25809, AnyConnect Password Management Fails with SMS Passcode for ASA 5520
  Will this patch be installed in a version which I can use on ASA5520, if I understand the documentation correct, this patch is only installed in versions which are running on -X models of the ASA. 9.2, 9.3

  Once the ASA has dynamic NAT enabled to an outside interface, routing between same security level will not work.
  You need to add route exempt the inside interfaces to all private subnet.

• Deleting emails with a specific subject from a single user mailbox

  we are exchange 2007 on SP1. we do not have an edge server, only a hub server.
  A user mailbox was flooded with 11000 "Undeliverable:" emails in the last 2 days, the source being "DSA". I am still finding out why this has happened. As for now, I have set up a rule to silently drop all emails with this specific subject.
  now the user wanted our team to delete all of these 11000 emails from his mailbox.
  we gave the appropriate permission to the users mailbox by running the command
  Get-Mailbox -Identity “[email protected]” | Add-MailboxPermission -User [email protected] -AccessRights FullAccess -InheritanceType all
  Then I ran the below command
  Get-Mailbox -Identity “[email protected]” | Export-Mailbox -SubjectKeywords "Undeliverable:" -IncludeFolders "\Inbox" -StartDate "09/22/2014" -EndDate "09/23/2014" -DeleteContent -Confirm:$false
  The command ran for a while, showing it was deleting 19000 odd emails with the below summary
  [PS] C:\Windows\System32>Get-Mailbox -Identity "[email protected]" | Export-Mailb
  ox -SubjectKeywords "Undeliverable:" -IncludeFolders "\Inbox" -StartDate "09/22/
  2014" -EndDate "09/23/2014" -DeleteContent -Confirm:$false
  TargetMailbox                    :
  TargetServer                     :
  TargetDatabase                   :
  MailboxSize                      : 733800KB
  IsResourceMailbox                : False
  SIDUsedInMatch                   :
  SMTPProxies                      :
  SourceManager                    :
  SourceDirectReports              :
  SourcePublicDelegates            :
  SourcePublicDelegatesBL          :
  SourceAltRecipient               :
  SourceAltRecipientBL             :
  SourceDeliverAndRedirect         :
  MatchedTargetNTAccountDN         :
  IsMatchedNTAccountMailboxEnabled :
  MatchedContactsDNList            :
  TargetNTAccountDNToCreate        :
  TargetManager                    :
  TargetDirectReports              :
  TargetPublicDelegates            :
  TargetPublicDelegatesBL          :
  TargetAltRecipient               :
  TargetAltRecipientBL             :
  TargetDeliverAndRedirect         :
  Options                          : DeleteSourceContent
  SourceForestCredential           :
  TargetForestCredential           :
  TargetFolder                     :
  PSTFilePath                      :
  RsgMailboxGuid                   :
  RsgMailboxLegacyExchangeDN       :
  RsgMailboxDisplayName            :
  RsgDatabaseGuid                  :
  StandardMessagesDeleted          : 0
  AssociatedMessagesDeleted        : 0
  DumpsterMessagesDeleted          : 19020
  MoveType                         : DeleteOnly
  MoveStage                        : Completed
  StartTime                        : 9/23/2014 7:29:01 PM
  EndTime                          : 9/23/2014 7:32:19 PM
  StatusCode                       : 0
  StatusMessage                    : Messages have been deleted from the source m
                                     ailbox.
  ReportFile                       : C:\Program Files\Microsoft\Exchange Server\L
                                     ogging\MigrationLogs\export-Mailbox20140923-
                                     192900-8103154.xml
  However, when I open the user's mailbox all of the emails still exist. kindly help me understand where I am going wrong and how I can delete all these emails.
  Thank You
  Philip

  Are they still specifically in the Inbox?
  I was thinking that the account might have "Deny" permissions to the user's mailbox but it looks like it can access the mailbox and delete items.
  StandardMessagesDeleted          : 0
  AssociatedMessagesDeleted        : 0
  DumpsterMessagesDeleted         : 19020
  Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.