DMVPN Hub router with static NAT

Hi everyone,
I'm trying to set up a lab environment to establish a DMVPN. I have two Cisco 2811 routers, IOS version 12.4(3j). I need to configure those routers to establish a DMVPN. For the spoke router, I have an ISP that provides dynamic addressing. For the hub router, I have a public static IP address assigned by the ISP, but I have a WatchGuard firewall in the middle doing static 1-to-1 NAT for that address. Now the questions are:
1) Can I establish the DMVPN between the routers with that firewall in the middle?
2) In case it is possible, what will the physical hub address be? And is there something I need to change in the firewall configuration?
3) In case it isn't possible, what other options do I have to establish a VPN tunnel between the routers under those conditions?
If there is anything else you need to know to understand the situation, please ask. I haven't configured either of the routers yet, because I think I need to be sure of these concepts first. Thanks for any help you can bring.
Gustavo


Similar Messages

  • DMVPN Hub and Spoke behind NAT device

    Hi All,
    I have seen many documents about a DMVPN Hub behind NAT or a DMVPN Spoke behind NAT, but my case involves both situations.
    1) The HUB has a load balancer (2 WAN links), ISP A & B.
    2) The spoke has a load balancer (2 WAN links), ISP A & B.
    Now the requirement is: spoke ISP A tunnel to HUB ISP A, spoke ISP B tunnel to HUB ISP B.
    So, a total of two DMVPN tunnels from spoke to hub, and I will use EIGRP and PBR to select the path.
    As I know, at the HUB site the LB must do static NAT for the HUB router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will policy-route to reach the HUB ISP A IP via the spoke ISP A link, and the HUB ISP B IP via the spoke ISP B link.
    HUB and spoke have to create two tunnels with two different network IDs but using the same source interface.
    The tunnel destination IP at the spoke router does not directly belong to the HUB router. It is held by the HUB LB and forwarded to the HUB router by static NAT.
    Will I face any problem with this setup? Any guide?
    Sample config at HUB:
    interface Tunnel0
     bandwidth 1000
     ip address 172.16.1.1 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 600
     delay 1000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 0
     tunnel protection ipsec profile cisco
    !
    interface Tunnel1
     bandwidth 1000
     ip address 172.17.1.1 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 2
     ip nhrp holdtime 600
     delay 1000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile cisco
    Spoke config:
    interface Tunnel0
     bandwidth 1000
     ip address 172.16.1.2 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map 172.16.1.1 199.1.1.1
     ip nhrp network-id 1
     ip nhrp holdtime 300
     ip nhrp nhs 172.16.1.1
     delay 1000
     tunnel source FastEthernet0/0
     tunnel destination 199.1.1.1
     tunnel key 0
     tunnel protection ipsec profile cisco
    !
    interface Tunnel1
     bandwidth 1000
     ip address 172.17.1.2 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map 172.17.1.1 200.1.1.1
     ip nhrp network-id 2
     ip nhrp holdtime 300
     ip nhrp nhs 172.17.1.1
     delay 1500
     tunnel source FastEthernet0/0
     tunnel destination 200.1.1.1
     tunnel key 1
     tunnel protection ipsec profile cisco

    Hi Marcin,
    Thanks for your reply. The NAT was set up just to simulate the spoke being behind a NAT device.
    About AH and ESP, you are correct there; this was actually my issue. I should have used pure ESP. In the end, TAC actually assisted me with this. Before I called TAC, I did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that did not work, and it has to do with NAT and AH. Traffic was no longer NATed, so the hub saw the traffic come from 2.2.2.2 rather than 3.3.3.3; you can also see that in the error message you pointed out. I also saw it in my packet captures. That caught my eye and I started troubleshooting it. I did not understand that AH can't be NATed. Below is TAC's explanation. All is good now. Thanks.
    "Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum.  Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
    Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check.  In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."
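The TAC explanation above can be checked with a small model of the two integrity scopes. The following is an added example and not code from the thread or from Cisco: it builds an outer IPv4 header plus a minimal AH or ESP header, computes a 96-bit truncated HMAC-SHA256 as a stand-in for the real ICV algorithm (assumption: the real SA key and algorithm come from IKE, here a constructed constant), zeroes the RFC 4302 mutable fields for AH exactly as the quoted text lists them, then applies what a static 1:1 NAT hop does (rewrite the source address, decrement TTL, fix the IP checksum) and re-verifies. The ESP payload is left unencrypted because only the scope of the integrity check matters here. The 2.2.2.2 / 3.3.3.3 addresses are the ones from the post; the NAT-T wrapper shows the UDP/4500 point made in the last sentence.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real SA key is negotiated by IKE, never a constant.
KEY = b"constructed-demo-key"
IP_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options


def ipv4_checksum(hdr20):
    """One's-complement checksum over a 20-byte header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", hdr20))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    fields = [0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IP_FMT, *fields))
    return struct.pack(IP_FMT, *fields)


def zero_mutable(hdr20):
    """Zero the fields RFC 4302 treats as mutable: ToS/DSCP/ECN, flags+fragment offset,
    TTL and header checksum. Source/destination addresses are NOT mutable and stay covered."""
    b = bytearray(hdr20)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def icv(data):
    """96-bit truncated HMAC, the shape of the usual IPsec integrity check values."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def ah_build(src, dst, payload):
    """AH (IP proto 51): ICV covers outer IP header (mutable fields zeroed) + AH header + payload."""
    ah_fields = struct.pack("!BBHII", 17, 4, 0, 0x1001, 1)  # next hdr, len (words-2), rsvd, SPI, seq
    hdr = ipv4_header(src, dst, 51, 20 + 12 + 12 + len(payload))
    mac = icv(zero_mutable(hdr) + ah_fields + bytes(12) + payload)  # ICV field zeroed while hashing
    return hdr + ah_fields + mac + payload


def ah_verify(pkt):
    hdr, ah_fields, mac, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(mac, icv(zero_mutable(hdr) + ah_fields + bytes(12) + payload))


def esp_build(src, dst, payload):
    """ESP (IP proto 50): ICV covers ESP header + payload only; the outer IP header is excluded."""
    body = struct.pack("!II", 0x2002, 1) + payload  # SPI, sequence, then (normally encrypted) data
    hdr = ipv4_header(src, dst, 50, 20 + len(body) + 12)
    return hdr + body + icv(body)


def esp_verify(pkt, ip_hdr_len=20):
    body, mac = pkt[ip_hdr_len:-12], pkt[-12:]
    return hmac.compare_digest(mac, icv(body))


def natt_wrap(esp_pkt):
    """NAT-T style: insert a UDP/4500 header between IP and ESP, so ESP is not the outermost header."""
    hdr, body = esp_pkt[:20], esp_pkt[20:]
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(body), 0)  # UDP checksum 0 = none on IPv4
    new_hdr = ipv4_header(socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]),
                          17, 20 + 8 + len(body), ttl=hdr[8])
    return new_hdr + udp + body


def nat_rewrite_src(pkt, new_src):
    """What a static 1:1 NAT hop does: rewrite source address, decrement TTL, fix IP checksum."""
    b = bytearray(pkt)
    b[12:16] = socket.inet_aton(new_src)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:20])))
    return bytes(b)


def demo():
    """Spoke 2.2.2.2 sends to hub 1.1.1.1; NAT presents it as 3.3.3.3 (addresses from the thread)."""
    payload = b"GRE/NHRP registration (constructed payload)"
    ah = ah_build("2.2.2.2", "1.1.1.1", payload)
    esp = esp_build("2.2.2.2", "1.1.1.1", payload)
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_src(ah, "3.3.3.3")),
        "esp_before_nat": esp_verify(esp),
        "esp_after_nat": esp_verify(nat_rewrite_src(esp, "3.3.3.3")),
        "esp_natt_after_nat": esp_verify(nat_rewrite_src(natt_wrap(esp), "3.3.3.3"), ip_hdr_len=28),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'ICV OK' if ok else 'ICV FAIL -> hub drops packet'}")
```

Only the AH packet fails after the address rewrite; TTL and checksum changes are tolerated by both because they are excluded from the AH hash, which is why a NAT device (or any router) can decrement TTL without breaking AH but cannot change an address. The same reasoning applies to the DMVPN hub-behind-NAT questions in this thread: the IPsec profile's transform set should use ESP only.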

  • Replacing the DMVPN hub router

    We are replacing our current 2921 router, Version 15.2(4)M2, with a 3925 Version 15.2(4)M6. It is the DMVPN hub router for 6 spoke routers. We cut and pasted the configuration from the old router to the new. We confirmed internet connectivity from clients on the inside. But none of the DMVPN tunnels will set up. As we were in a very short maintenance window we did not have a lot of time to troubleshoot and had to revert to the old router. Is there some procedure we need to implement to force the tunnels to come up?

    Because you are changing the hardware and copy/pasting the config, the spokes will not re-register themselves at the HUB until you reset them. Then they will register themselves again in the NHRP table at the new HUB.

  • DMVPN Hub Router Placement

    Any docs regarding best practices for placement of a DMVPN Hub router? Should it be placed behind the firewall, in a DMZ off the firewall, or in parallel to the firewall?
    Thanks in advance for any input.

    Paul,
    Check out Cisco Validated Design Solutions for best practices. Especially, the one for "Secure WAN".
    http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/networking_solutions_products_genericcontent0900aecd805f65bf.html
    Regards,
    Arul
    *Pls rate if it helps*

  • DM-VPN with Static NAT for Spoke Router. Require Expert Help

    Dear All,
    This is my first time writing something.
    I have configured DM-VPN and it's working fine; now I want to configure static NAT.
    Some people will think: why do you need static NAT if it's working fine?
    Let me tell you why I need it, and what my plan is.
    I have a HUB with 3 spokes. Sometimes I go outside my office and am not able to access my spoke computer by Terminal Services, because it's on a dynamic IP address. So what I think is that I'll put one static NAT on my HUB router, so that if anyone (or I) hits the real/public IP address of my HUB WAN interface from any other remote location, this request is redirected to my Terminal Services computer which is located in the spoke network.
    Well, I tried that but failed.
    Well, again the suggestion will come: why not use Easy VPN? Sounds great, but then I have to keep my notebook with me.
    I'll also do that, but now I need to know how to do static NAT, like I do for a normal router which is not part of the VPN:
    ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
    But this time this command is not working, because the IP address I mention there is related to the HUB network, not the spoke.
    Suppose the spoke network is 192.168.2.0/24,
    and I want on the HUB router:
    ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
    I am using Cisco 887 and 877 ADSL routers.
    But it's not working. Need experts' help. Please write your comments, which are very important for me. Waiting for your comments.
    For more details please see the diagram.
    To contact me: [email protected]

    Hi rvarelac, thank you for the reply:
    I already did that; I put deny statements in the NAT access-list excluding the VPN traffic, but the problem is still there!
    crypto isakmp policy 10
     encr aes
     authentication pre-share
    crypto isakmp key 12344321 address 1.1.1.1
    !
    crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
     mode tunnel
    !
    crypto map s2s 100 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set Remote-Site
     match address vpnacl
    !
    interface GigabitEthernet0/0
     crypto map s2s
    !
    Extended IP access list lantointernet
        30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
        40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
        50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
        80 permit ip any any

  • DMVPN HUB router behind NAT

    We are getting new SIP trunks put in, and in order to put them in the provider installed a router to control all web traffic so they can QoS the voice. That means our VPN routers will go behind the NAT barrier. But when I switched the router's interface to the NATed address, the DMVPN tunnels would not build. There is a NAT translation to the routers, so the external (routable) IP did not change. The IPsec tunnels did come up just fine; just the few DMVPN-connected tunnels did not.
    If I issue a "sh dmvpn", the Peer NBMA Addr shows up as 0.0.0.0 while the Peer Tunnel Addr is what it should be, and the Attrb is "X".
    The tunnel source I have set to the interface, and the key is set to "crypto isakmp key "my key" address 0.0.0.0 0.0.0.0 no-xauth".
    I am at a loss as to why this was not working. Keep in mind this is the HUB router and not the spoke.

    Here is some additional info to help.
    Hub config:
    interface Tunnel0
     bandwidth 512
     ip address "hubtunnelIP" 255.255.255.0
     no ip redirects
     ip nhrp authentication "XXX"
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel protection ipsec profile net1
    !
    crypto isakmp key "My Key" address 0.0.0.0 0.0.0.0 no-xauth
    crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
     mode transport
    crypto ipsec profile net1
     set transform-set "mytransformset"
    Spoke config:
    crypto isakmp key "My Key" address "Remote IP" "remote SM" no-xauth
    crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
     mode tunnel
    crypto ipsec nat-transparency spi-matching
    crypto ipsec profile net1
     set transform-set "mytransformset"
    !
    interface Tunnel0
     bandwidth 512
     ip address "spoketunnelIP" 255.255.255.0
     no ip redirects
     ip nhrp authentication "XXX"
     ip nhrp map multicast "Remote IP"
     ip nhrp map "hubtunnelIP" "Remote IP"
     ip nhrp network-id 1
     ip nhrp nhs "hubtunnelIP"
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel protection ipsec profile net1 shared

  • Static Policy NAT in VPN conflicts with Static NAT

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
    The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
    interface Vlan1
    ip address 192.168.10.1 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
    static (inside,outside) 192.168.24.0 access-list VPN
    crypto map outside_map 1 match address outside_1_cryptomap
    In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
    The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
    So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
    What am I missing?

    Hi,
    To be honest, it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
    So I am not sure whether we are looking at some bug or what the problem is.
    I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
    I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
    I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
    access-list STATICPAT-SMTP permit tcp host eq smtp any
    static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
    access-list STATICPAT-HTTPS permit tcp host eq https any
    static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
    access-list STATICPAT-RDP permit tcp host eq 3389 any
    static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
    access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
    static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
    access-list STATICPAT-POP3 permit tcp host eq pop3 any
    static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
    Naturally you would add the Static Policy NAT for the VPN first.
    Again, I have to say that I am not 100% sure if this is the correct format; maybe you can test it with a single service that has a Static PAT, for example the Static PAT for RDP (TCP/3389): first enter the Static Policy NAT, then remove the Static PAT, and then enter the Static Policy PAT.
    Remember that you should be able to test the translations with the "packet-tracer" command
    For example
    packet-tracer input outside tcp 1.1.1.1 12345
    - Jouni

  • DMVPN Hub Router QoS

    Hello DMVPN Experts,
    As we know, DMVPN Hub routers can have a per-tunnel QoS configuration for the spokes.
    But I am not sure about the QoS configuration for the Hub site itself. I assume it should be separated from the per-tunnel QoS, and the service-policy should be applied at the physical WAN interfaces and tunnel interfaces? Need help please. Some sample configuration would be appreciated.
    Thanks
    Cedar

    Hi Joseph,
    I am afraid I am having a bit of difficulty understanding, and would like to hear more if you don't mind.
    We are on the same page that Per-Tunnel QoS lets the spokes control the traffic toward the hub site, which is considered inbound traffic from the point of view of the hub router's WAN/Tunnel interfaces. However, in order to control the inbound and/or outbound traffic of the hub router's WAN/Tunnel interfaces, how should we configure a separate QoS configuration other than the Per-Tunnel QoS templates, if we should at all?
    Here is what I know so far based on ASR1000 document.
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/asr1000/sec-conn-dmvpn-xe-3s-asr1000-book/sec-conn-dmvpn-per-tunnel-qos.html
    Restrictions for Per-Tunnel QoS for DMVPN
    • The class default shaper with the QoS service policy on a physical interface that is applied to the DMVPN tunnel does not support point-to-point generic routing encapsulation (GRE) tunnels, shaper on physical interfaces, and shaper on VLAN/subinterfaces.
    • QoS on a physical interface is limited only to the class default shaper on the physical interface. No other QoS configurations on the physical interface are supported when two separate QoS policies are applied to the physical and tunnel interfaces.
    • Addition of a QoS policy with a class default shaper on a physical interface is not supported when multiple QoS policies are utilized.
    • You can attach a per-tunnel QoS policy on the tunnel only in the egress direction.
    • The class default shaper policy map on the main interface must be applied before the tunnel policy map is applied.
    • The class default shaper policy map must contain only the class class-default and shape commands.
    • The main interface policy map is checked for validity only when a QoS service policy is applied on the tunnel interface. The main interface policy map is not checked during a tunnel move or modification.
    • Adding new classes or features to the main interface policy map is not supported. Doing so, however, will not be blocked.
    After reading the above document, my understanding is that:
    1. We could have a separate policy-map for the physical WAN interface.
    2. The policy-map for the physical WAN interface is limited to a class-default shaper only.
    3. The policy-map for the physical WAN interface must be applied at the physical WAN interface before the tunnel policy-maps are applied at the tunnel interface.
    But I am not 100% sure if this is correct.
    Thanks,
    Cedar

  • How to configure router with static IP

    Hi,
    I have requested a static IP from my ISP.
    Now I would like to give static IP addresses to all my internal PCs using my Mac Extreme router.
    My ISP requires the AirPort Extreme to be configured in 'DHCP' (internet connection).
    If I use 'static', then the ISP router does not see my Extreme router.
    However, my Mac router does not allow me to use internet connection 'DHCP' when using router mode 'DHCP only'.
    Can anybody give me some tips?
    Thanks in advance

    You are talking about two completely different Static IP questions here.
    If your ISP has issued a Static IP address to you for the AirPort Extreme, this is the IP Address that you must use in order for your AirPort Extreme to connect to the Internet.
    Open AirPort Utility, click on the AirPort Extreme icon and then click Edit
    Then click on the Internet tab at the top of the screen.
    The setting for Connect Using must be set to Static, and you will need to enter the IP address, DNS servers, etc. that your ISP has provided for you to be able to connect to the Internet. In the screenshot example below, you would enter the Static IP address that your ISP provided to you in the IPv4 box.
    For now, click the Network tab at the top of the screen and ensure that the setting for Router Mode is set to DHCP and NAT.
    We first need to make sure that your AirPort Extreme can connect to the Internet using the Static IP address that you have been assigned.
    Then, we will tell you how to set up Static or Reserved IP addresses for each of your devices on your local network if this is what you want to do. Normally, this would not be needed, but it can be done if you wish.

  • H323 static Nat doesn't work fine on 3900 series router with IOS 15.2(3) T

    Hi,
    I have a problem with a static NAT setting on my 3925 router with IOS 15.2(3). The scenario is like this:
    I set a static NAT between 172.16.1.2 and x.x.x.x (public IP address) using the following command:
    ip nat inside source static 172.16.1.2 x.x.x.x
    The intranet IP address is set on a video conference system from Huawei. After setting all these things, ping works fine to this public IP address, but the video conference cannot be built. I tried the same setting using another 2811 router with IOS 12.4 and it worked fine, which means the problem should be isolated to this 3925 router. The full config is also attached; sorry that I eliminated the public IP address and used other characters instead.
    Additionally, I debugged IP NAT and I see the following information when making video calls:
    router#debug ip nat h323
    IP NAT H323 debugging is on
    router#                
    *Jul 10 09:11:07.343: NAT[0]: H323: received pak, payload_len=0
    *Jul 10 09:11:07.343: [NAT[0]: H323 ACK packet ? FALSE
    *Jul 10 09:16:15.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:16:15.731: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:16:57.215: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:16:57.215: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:17:02.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:17:02.731: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:17:14.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:17:14.731: [NAT[1]: H323 ACK packet ? FALSE
    This problem has been bothering me for weeks. Hope that someone could help me out. Many thanks in advance.
    Regards,
    Angran

    Hi,
    I have the same requirement for a customer, not for video but for audio calls. I have a remote office with H.323 phones and they need to register to a GK in the central office to send and receive voice calls. Did you make it work? Can you share the config please?

  • Static NAT with port translation

    Hello All,
    I have a server running a web application on 443, and now I want to publish it on the Internet with static NAT, just for port 443. I am thinking that the following configuration should be fine; can anyone comment on it?
      10.1.1.2:443         10.1.1.1    2.2.2.5
    Server -------------------------- ASA --------------------- Internet router --Cloud
    Config I am planning:
    static (inside, outside) tcp 2.2.2.2 443 10.10.10.10 443 netmask 255.255.255.255
    Thanks
    JD

    Thanks Harish and Jouni,
    I am using an extra public IP. I want to know why "dns" is at the end of the access list? I got confused by that ACL as I was looking at the ASA packet flow:
    ASA/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Level)
    1. FLOW-LOOKUP - [] - Check for existing connections; if none found, create a new connection.
    2. UN-NAT - [static] -
    3. ROUTE-LOOKUP - [input] - Initial checking (Reverse Path Check, etc.)
    4. ACCESS-LIST - [log] - ACL lookup
    5. CONN-SETTINGS - [] - class-map, policy-map, service-policy
    6. IP-OPTIONS - [] -
    7. NAT - [rpf-check] -
    8. NAT - [host-limits] -
    9. IP-OPTIONS - [] -
    10. FLOW-CREATION - [] - If everything passes up until this point, a connection is created.
    11. ROUTE-LOOKUP - [output and adjacency]
    access-list OUTSIDE-IN permit tcp any host eq 443 - suggested by you
    But if I go by the flow which I came to know, it should be like:
    access-list OUTSIDE-IN permit tcp any host eq 443
    What is your opinion?
    Thanks
    Jagdev

  • Static NAT using access-lists?

    Hi,
    I have an ASA5520 and I'm having an issue with static NAT configuration.
    I have an inside host, say 1.1.1.1, that I want to be accessible from the outside as address 2.2.2.2.
    This is working fine. The issue is that I have other clients who I would like to access the host using its real physical address of 1.1.1.1.
    I have got this working using nat 0 as an exemption, but as there will be more clients accessing the physical address than the NAT address, I would like to flip this logic if possible.
    Can I create a NAT rule that only matches an access list, i.e. 'for clients from network x.x.x.x, use the NAT from 2.2.2.2 -> 1.1.1.1', and for everyone else, don't NAT?
    My PIX CLI skills aren't the best, but the ASDM suggests that this is possible: on the NAT rules page there is a section for the untranslated source set to ANY, and if I could change ANY I would, but I don't see how to...
    Thanks,
    Des

    Des,
    You need to create an access-list to be used with the nat 0 statement.
    access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
    - this tells the pix/asa to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2
    then use NAT 0 statement:
    nat (inside) 0 access-list inside_nonat
    to permit outside users to see inside addresses without NAT, flip this logic.
    access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    nat (outside) 0 access-list outside_nonat
    you'll also have to permit this traffic through the ACL of the outside interface.
    access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    - Brandon

  • ASA 8.2 Global Outside works, but static NAT mappings fail

    Hello,
    I'm usually not stumped by issues, but this one I cannot seem to figure out.
    I have an older PIX and I've mirrored the config on a new ASA with the 8.2(5) OS. It's a pretty basic config with one ACL for a few inbound port forwards to servers. The service is Verizon FiOS Business.
    When we switch over from the old PIX to the new ASA, connectivity through the global outside statement works fine. Workstations on the LAN can connect outbound to websites, etc.
    However, none of the servers using static NAT mappings work inbound or outbound. There are 4 servers, and we've tested them all for various issues. The static mappings are done using the static statement as such, "static (inside,outside) exchange 10.0.2.7 netmask 255.255.255.255", and not using a network object. I have other installs with this same exact OS version that work fine with the static statement, so I'm not sure that this has anything to do with it. I'll add that these 4 servers also have inbound ports forwarded via one ACL, which also do NOT work.
    When we switch it back to the PIX unit with the same config, all the servers on static NAT work just fine immediately.
    Can anyone give any insight on what the problem might be based on what I've described? I've checked and checked the configs and see no issues. I've done many ASA configurations/installs, but I would say I'm moderately new to 8.x(x), although as I said above I have others in production working fine with static NAT mappings.
    Thanks for any assistance,
    Max

    another thing you can do in addition to the packet capture mentioned by Harvey is a packet-tracer which will simulate a packet going through the ASA and could point us in the right direction of where the issue is.
    packet-tracer input <interface name> tcp <source IP> <source port> <destination IP> <destination port> detail
    I suggest running the packet tracer in both directions (from the servers to the internet, as well as from the internet to the servers).  Keep in mind that when using the packet tracer with a source out on the internet you need to specify the destination as the NATed IP of the servers.  The following link can give you a little more info on the packet tracer
    https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
    Please remember to select a correct answer and rate helpful posts

  • No translation group for a statically nat'd ip connecting to an external IP of a device in the same subnet

    Hi, 
    I've currently got an issue where I have a device configured with static NAT that is trying to communicate with the NATed IP address of a device in the same subnet.
    I'm getting "No translation group found for tcp src sourceip/80 dst destip/80".
    I'm not 100% sure which areas of the config to post.
    Cheers,
    Neil

    Did you set the interface binding order correctly or to match the previous server?
    DNS: Valid network interfaces should precede invalid interfaces in the binding order
    http://technet.microsoft.com/en-us/library/dd391967(v=WS.10).aspx
    Modify the protocol bindings and network provider order
    http://technet.microsoft.com/en-us/library/cc732472(v=WS.10).aspx
    An incorrect IP address is returned when you ping a server by using its NetBIOS name in Windows Server 2008 or in Windows Server 2008 R2
    http://support2.microsoft.com/kb/981953
    You can view your current binding order by using this script, but please note, that I haven't tried this script, yet:
    Show NIC Binding Order
    http://gallery.technet.microsoft.com/scriptcenter/Get-NIC-Binding-Order-a2dc8087
    Also, prior to setting up the teams, make sure that the NIC is set to obtain IP automatically and not have a static entry on it. I've seen this cause problems in the past.
    If you have any unused NICs, such as Local Area Connection 2, don't just unplug them. You must disable them, otherwise they will try to register the APIPA in DNS and that will cause problems.
    Make sure that the correct DNS are on the interfaces that you need to use, too.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Strange static NAT Issue

    I am having a strange problem with static NAT. We have BM3.8 SP2 installed on NW Small Business 6.5. The public interface is configured to do both static and dynamic NAT. I have added two secondary IP addresses that are bound to the public interface, and set up the NAT table, using inetcfg, for two different corresponding private IPs. I set up filters and am able to successfully use these NAT translations through BM as intended. In other words, they work fine. Now the problem. I need to add another static NAT entry. I add the secondary IP and it pings fine from the outside (thanks to a temporary filter for ICMP to/from anywhere). Then I add a new entry in the static NAT table to translate this address to a third unique private-side IP. At this point the new secondary IP will no longer ping as before, and it is not translating to the private side as the others do. I have exhausted my brain trying different configurations to get this to work. For example, I have tried with filters down, I have tried adding this third one before the other two, I have tried re-doing all of it, I have tried different secondary IP addresses (the public interface is behind a PIX firewall) and even different private-side IPs. All still the same non-working result. On the public side I can still ping the other two and their NAT translations work fine. I know for sure that everything is in the correct subnet. If I dump the ARP table on a machine sitting on the public side of BM after pinging each of the three secondary IPs, they ALL show that they resolve to the Ethernet address of the public interface on the BM server. It's like the packets are getting to BM and it is responding, but for some reason it is deciding not to translate them. Finally, as added information, I can ping the third IP using nwping on the server and I can ping it from a private-side machine. Is it somehow bound to the wrong side interface? How could this be if BM public is responding to ARP requests?
    I have not yet attempted a tcpip debug since the machine is a production machine.
    Any ideas? Oh, by the way, the translations are for three different VNC servers on the private side of the BM network. Two work fine, but the third will not work! (And yes, I tried pointing the third secondary IP address translation to one of the two known working private-side VNC server machines. No difference.) I thought it might be a corrupt TCPIP.CFG file, but I tried on another identical server and it yields the exact same result.

    First, your post is unclear to me. What do you mean by the "private device"? I assume you mean the private NIC on the BM server? ... If this is what you mean then I cannot fathom why that would have anything to do with the problem especially since two translations are already working. Hopefully I am missing something here.
    Second, yes, I did do REINITIALIZE SYSTEM, after making any static NAT table entries and after any filters that I did.
    thanks for the reply
    >>> D. SKye Hodges<[email protected]> 12/1/2004 2:17:44 PM >>>
    check the default gateway on the private device, make sure it is the private ip of the BM server. If so, then reboot the BM server (I assume that you already tried REINITIALIZE SYSTEM). Let us know...
    >>> Clayton<[email protected]> 01-Dec-04 10:14:02 >>>
