Dynamic NAT (1841 & n00b)
Hi all. (waiting for TAC support to register me)
I'm trying to find information on setting up a Dynamic NAT for my 1841 using the SDM. I know how to do the static NATs and they seem to work fine. However, our Japan office would like Dynamic NAT. Where can I find info on how to set this up?
I have a range of server addresses on my network (E0) from 10.1.10.16 to 10.1.10.40/24. The addressing I have for these on the "outside" (E1) is 172.25.1.16 to 172.25.40/16.
I tried to set this up, but it seemed that the router duplicated all of my server addresses and my systems weren't happy.
Thanks for any assistance.
BC
OK.
I had to attach it since it's too long to post.
Thanks for any insight. The router for the Japan office is 172.25.1.1.
Similar Messages
-
How to configure inbound ruleset in dynamic nat.
Hi ,
I have a question about configuring the inbound rules for dynamic NAT. I want to allow my web server (172.16.101.115) to be reachable from outside on tcp/443.
How do I configure the inbound ruleset to allow the public to connect to my web server on tcp/443 with dynamic NAT?
Here I have drawn a diagram and the configuration I have on my ASA 8.2. Please correct me if I have configured it wrongly.
Public IP: 10.10.10.28
Private IPs:
172.16.101.115
172.16.101.116
172.16.101.117
172.16.101.118
172.16.101.119
172.16.101.120
access-list Web_nat permit ip host 172.16.101.115 any
access-list Web_nat permit ip host 172.16.101.116 any
access-list Web_nat permit ip host 172.16.101.117 any
access-list Web_nat permit ip host 172.16.101.118 any
access-list Web_nat permit ip host 172.16.101.119 any
access-list Web_nat permit ip host 172.16.101.120 any
nat (firewall-dmz) 1 access-list Web_nat
global (firewall-outbound) 1 10.10.10.28
access-list fw-outbound-access permit tcp any host 10.10.10.28 eq 443 // allow outside to connect to my external IP.
access-list fw-dmz-access permit tcp any host 172.16.101.115 eq 443 // allow the translated IP to connect to my web server on tcp/443.

Hi,
I am not sure what you are attempting to configure here.
But what the NAT configuration above does is a Dynamic PAT for all the servers on the "firewall-dmz" to a single IP address towards the "firewall-outbound".
This Dynamic translation doesn't, however, enable connections to be initiated from behind the "firewall-outbound" interface. When you're hosting a server which needs a NAT towards the users, then the NAT type has to be Static NAT or Static PAT.
Static NAT will essentially use up one public IP address for just the single local host/server.
Static PAT will do a Port Forward from the public IP address and public port to the local IP and local port. This is most commonly used in environments whose only public IP address is the one that the ASA holds on its WAN interface.
A typical Static NAT configuration is this
static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255
Where
inside = is the interface behind which the host is
outside = is the interface towards which the host is NATed
1.1.1.1 = is the public NAT IP address for the host
10.10.10.10 = is the local IP address of the host
A typical Static PAT configuration is this
static (inside,outside) tcp interface 80 10.10.10.10 80 netmask 255.255.255.255
Where
tcp = specifies the protocol for which the Static PAT is configured
interface = specifies that we will be using the public IP address of the destination interface "outside" as the public IP address for this single Port Forward.
80 = the first "80" specifies the public port visible to users behind the destination interface
80 = the second "80" specifies the actual local port on which the local host is listening
Hope this helps
- Jouni -
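
An added Python model of the three ASA 8.2 translation types compared in the reply above (dynamic PAT via nat/global, static NAT, static PAT), using the thread's addresses; it is not ASA code or the poster's configuration, and it allocates PAT ports sequentially, which a real ASA does not.

```python
"""Model of the ASA 8.2 translation types compared in the reply above: dynamic PAT
(nat/global), static NAT and static PAT.  Added example, not ASA code and not the
poster's configuration; it reuses the thread's addresses and allocates PAT ports
sequentially, which a real ASA does not."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class DynamicPat:
    """nat (dmz) 1 access-list Web_nat  +  global (outside) 1 <global_ip>"""
    sources: FrozenSet[str]
    global_ip: str
    xlates: Dict[int, Endpoint] = field(default_factory=dict)  # global port -> local
    next_port: int = 1024

    def outbound(self, local: Endpoint) -> Optional[Endpoint]:
        """An outbound flow from a covered host creates an xlate; others get none."""
        if local[0] not in self.sources:
            return None
        gport, self.next_port = self.next_port, self.next_port + 1
        self.xlates[gport] = local
        return (self.global_ip, gport)


@dataclass
class StaticNat:
    """static (inside,outside) <global_ip> <local_ip> netmask 255.255.255.255"""
    global_ip: str
    local_ip: str


@dataclass
class StaticPat:
    """static (inside,outside) <proto> <global_ip> <gport> <local_ip> <lport> netmask ..."""
    proto: str
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


def inbound(rules: List[object], proto: str, dst: Endpoint) -> Optional[Endpoint]:
    """Where does a connection arriving on the outside for dst end up?  Static rules
    translate unconditionally; a dynamic PAT only matches return traffic of an xlate
    that an earlier outbound flow created, never a fresh inbound connection."""
    ip, port = dst
    for r in rules:  # list statics before dynamic rules, as the ASA evaluates them
        if isinstance(r, StaticPat) and (r.proto, r.global_ip, r.global_port) == (proto, ip, port):
            return (r.local_ip, r.local_port)
        if isinstance(r, StaticNat) and r.global_ip == ip:
            return (r.local_ip, port)
        if isinstance(r, DynamicPat) and r.global_ip == ip and port in r.xlates:
            return r.xlates[port]
    return None  # no translation: the firewall drops the packet


def demo() -> Dict[str, Optional[Endpoint]]:
    """The poster's setup (six DMZ servers PAT'd to 10.10.10.28) and the fix."""
    dmz = frozenset(f"172.16.101.{n}" for n in range(115, 121))
    pat = DynamicPat(dmz, "10.10.10.28")
    out = {}
    # 1. Dynamic PAT only: an outside client's SYN to :443 finds no translation.
    out["dynamic_only"] = inbound([pat], "tcp", ("10.10.10.28", 443))
    # 2. A server's own outbound flow gets a PAT port; its return traffic maps back.
    out["outbound"] = pat.outbound(("172.16.101.116", 40000))
    out["return_traffic"] = inbound([pat], "tcp", out["outbound"])
    # 3. Static PAT (port forward) for the web server on the same public IP.
    fwd = StaticPat("tcp", "10.10.10.28", 443, "172.16.101.115", 443)
    out["with_static_pat"] = inbound([fwd, pat], "tcp", ("10.10.10.28", 443))
    # A static PAT is per protocol: udp/443 to the same address still has none.
    out["udp_443"] = inbound([fwd, pat], "udp", ("10.10.10.28", 443))
    return out
```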
ASA 8.2 - Static NAT and Dynamic NAT Policy together
Hello community,
I have the following problem using an ASA with version 8.2.
1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
So, I have configured a Static NAT rule from interface Ethernet0/0 to interface Ethernet 0/1 which NATs the source IPs to the same IPs: 192.168.1.0/24 -> 192.168.1.0/24. I have also configured a Dynamic NAT policy that states that when the destination IP is in "server list", all the source IPs must be translated to 192.168.1.70.
PROBLEM: when testing it, the static always wins and the Dynamic is never analyzed. Also, no priority between the NAT policy and the NAT rules can be set in ASDM. What can I do? Is there a way to do this in ASDM or CLI? (preferably ASDM)
Thanks for your reply and help!
-
Dynamic NAT ASA 8.4 Packet Tracer not working
Hi guys,
I've tried to ping and go to a site from 192.168.1.6 to 10.10.10.12, but it's not working. I've followed a couple of dynamic NAT tutorials, but I can't figure out what I'm missing. The config is below, and I'd appreciate any help.
Thanks!
ASA Version 8.4(2)
hostname ciscoasa
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.2 255.0.0.0
object network inside-subnet
subnet 192.168.1.0 255.255.255.0
object network inside-subnet
nat (inside,outside) dynamic interface
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd auto_config outside

Thanks guys. I'm one step closer. I can ping from 192.168.1.0 to 10.0.0.0, but I can't open a webpage. I try visiting 10.0.0.6/index.html in Packet Tracer and get a "Request time out" message. I tried to mirror the ACL for www, but it's not working.
Does anyone have a suggestion? My updated config is below.
Thanks!
ASA Version 8.4(2)
hostname ciscoasa
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.0.0.1 255.0.0.0
object network inside-subnet
subnet 192.168.1.0 255.255.255.0
object network outside-subnet
subnet 10.0.0.0 255.0.0.0
access-list TEST extended permit icmp any any echo-reply
access-list TEST extended permit tcp any any eq www
access-list http extended permit tcp any any eq www
access-list http2 extended permit udp any any eq www
access-group TEST in interface outside
object network inside-subnet
nat (inside,outside) dynamic interface
telnet timeout 5
ssh timeout 5
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd enable inside
-
Dynamic NAT & Dynamic/TCP + Dynamic/UDP filters
I've enabled dynamic NAT on BM38sp2a... Is it important to set up
dynamic/tcp and dynamic/udp filters if running ipflt? What are the
purposes of the two filters?
Jimmy

[email protected] wrote:
> I've enabled dynamic NAT on BM38sp2a... Is it important to setup
> dynamic/tcp and dynamic/udp filters if running ipflt? What are the
> purposes of the two filters?
>
> Jimmy
Please see my reply in the packet filtering forum.
Caterina
Novell Support Connection Volunteer Sysop
-
I have Bordermanager 3.51 that uses dynamic NAT on the public interface
connected to DSL with a static IP address. I have followed TID #
10024898 " Creating filter exception for PCAnywhere".
I have double checked the settings of the filter exceptions but still cannot
remote access an internal host using PcAnywhere v 11.0. My question is
should I be using dynamic NAT or static NAT or a static/dynamic NAT
configuration?
Thanks,
Karl

> In article <HmmFc.236$[email protected]>, wrote:
> > . My question is
> > should I be using dynamic NAT or static nat or a static/dynamic nat
> > configuration ?
> >
> If you want inbound pcAW traffic, you have two choices when NAT is
> involved: static NAT, or generic proxies. (Both are described in my
> BMgr / Filtering books at the URL below).
>
> You will not be able to get to an internal PC with just dynamic NAT
> enabled. There is no way to route the packets in then.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***
Thanks Craig for your direction. I will check out the URL.
Happy 4th!
-
Hi,
I have an application that is unhappy running via dynamic NAT. The app
developers are asking me if I can turn on sticky sessions in BM's dynamic
NAT. Are there any options for tuning dynamic NAT in BM that could help?
Cheers,
Devon

I just searched the documentation and see that it's 5000 ports for tcp. That
will be easy to hit. The documentation says that it will just re-use the
oldest connections in a rolling fashion. I'm wondering whether that's
working properly or whether something else in the system is keeping the
state for longer.
Cheers,
Devon
>>> On 9/08/2007 at 11:21, Devon Heaphy<[email protected]>
wrote:
> Still testing, but it appears to. Part of the problem is that the
> application is very chatty and constantly opens new connections instead
> of
> using existing ones. I think the reason static NAT appears to work is
> that
> there are more source ports available for a given machine to use.
>
> Do you know the upper limit of dynamic NAT connections through BM?
>
> Cheers,
> Devon
>
>>>> On 7/08/2007 at 4:44, Craig Johnson<[email protected]> wrote:
>> In article <[email protected]>, Devon Heaphy
> wrote:
>>> I have an application that is unhappy running via dynamic NAT. The app
>>> developers are asking me if I can turn on sticky sessions in BM's
>> dynamic
>>> NAT. Are there any options for tuning dynamic NAT in BM that could
help?
>>>
>> No.
>>
>> Does it work via static NAT?
>>
>> Craig Johnson
>> Novell Support Connection SysOp
>> *** For a current patch list, tips, handy files and books on
>> BorderManager, go to http://www.craigjconsulting.com ***
-
9.0 can a dynamic nat be used over ipsec vpn?
We have a VPN up and working between two ASAs, and when we run the traffic through a static NAT rule the traffic passes over the VPN. When we use a dynamic NAT, the traffic does not get picked up by the VPN ACL.
We are disabling the NAT rules to switch back and forth, so even when we use the same source and destination the result is the same.
Am I missing something with 9.0 code versions? If I disable all NATs and pass the traffic, it goes over the VPN.
So it seems that when using the dynamic NAT statement it pushes the traffic to the outside interface without looking at the VPN ACL. Please let me know if I am off base; I am a newb on post-8.3 code.
Thanks

I didn't do that at first because I remember reading something about version 9 only using the un-NATted IP because of order of operations. That seemed weird to me at the time.
Yes, it seems that you need the NAT IP like always. Should have just gone with my gut on that.
Thanks
-
Static/Dynamic NAT Conflict
My static NAT configuration is somehow conflicting with my dynamic NAT configuration. Am I doing something wrong?
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 1 permit 10.18.0.0 0.0.255.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.126.4 20 xx.xx.xx.19 20 extendable
ip nat inside source static tcp 192.168.126.5 25 xx.xx.xx.19 25 extendable
ip nat inside source static tcp 192.168.126.5 80 xx.xx.xx.19 80 extendable
ip nat inside source static tcp 192.168.126.5 443 xx.xx.xx.19 443 extendable
ip nat inside source static tcp 192.168.126.7 3101 xx.xx.xx.19 3101 extendable
ip nat inside source static tcp 192.168.126.4 3389 xx.xx.xx.19 3389 extendable
ip nat inside source static tcp 192.168.126.7 5901 xx.xx.xx.19 5901 extendable
ip nat inside source static tcp 192.168.126.20 25 xx.xx.xx.20 25 extendable
ip nat inside source static tcp 192.168.126.20 80 xx.xx.xx.20 80 extendable
interface GigabitEthernet0/0
description Outside Interface
ip address xx.xx.xx.18 255.255.255.248
ip access-group Incoming in
ip access-group Outgoing out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip mroute-cache
duplex auto
speed auto
ntp disable
no cdp enable
hold-queue 32 in
hold-queue 100 out

Thanks for the help.
I tried modifying the access list as you suggested but ran into problems. The host at 192.168.126.4 is my DNS server and the updates prevented it from forwarding queries to external DNS servers. I think I am running into problems because I don't know the general rules for configuring dynamic NAT to accommodate client PCs and static NAT to accommodate servers at the same time. From the issues I am having it seems there are general rules for dividing the two classes of hosts which I just don't know. My external interface has a .18 address which all my client PCs get NAT'ed through, and then I have static NAT entries NAT'ing to .19 and .20 for internal services such as DNS, SMTP, HTTP etc. I thought that would divide the two; however certain 'things' conflict, such as XBOX Live connections. If I remove my static NAT entries then I can connect to XBOX Live.
-
[Question] Dynamic NAT on 2 different networks
Hi,
I just want to ask if it's possible to have the same dynamic translation within 2 different networks like:
interface gig 0/1
1.1.1.1 255.255.255.0 (LAN Connection w/ DHCP enabled)
interface gig 0/2
2.2.2.1 255.255.255.0 (Wireless Connection w/ DHCP enabled)
Actually, the scenario is that 1.1.1.1 is my LAN connection and 2.2.2.1 is my Wireless connection.
Hope this merits your favorable response. Thanks.

Hi,
Do you mean that you want both of the said LAN networks to use Dynamic NAT/PAT towards a third interface on the ASA?
If you simply want to use the same NAT/PAT address for 2 different networks on the ASA, then you can use the following configurations as an example.
These are PAT translations to a single IP address. Using a NAT Pool would change the configurations slightly.
For ASA software 8.2 and below
global (outside) 100 3.3.3.1
nat (inside) 100 1.1.1.0 255.255.255.0
nat (wireless) 100 2.2.2.0 255.255.255.0
Where
outside,inside and wireless = Interface "nameif" on the ASA firewall
100 = Is just an ID number for the NAT configuration. You can use another one also.
For ASA software 8.3 and after
object-group network PAT-SOURCE-NETWORKS
network-object 1.1.1.0 255.255.255.0
network-object 2.2.2.0 255.255.255.0
nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
nat (wireless,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
Where
PAT-SOURCE-NETWORKS = Is an "object-group" where you can define the source networks for the NAT/PAT rule
Hope this helps. Please rate if you found the information helpful.
Feel free to ask more if this didn't answer your question.
- Jouni -
Help with dynamic NAT and CSM 4.4 and ASA 8.3
Hello
I am currently trying to add a dynamic NAT rule in CSM 4.4 for an ASA 8.3 device, but it fails at deployment with the error message:
Failed to generate delta config
The following commands have not been recognized by the Configuration Parser:
==========================
(inside,outside) source dynamic range-192.168.0.0_24 range-100.0.0.1_32 destination static any any
So let's assume the internal IP range for the users is 192.168.0.0/24 and we received the public IP address 100.0.0.1/32 from our ISP.
How do I have to do a normal dynamic NAT in CSM 4.4 for this case?
Traffic comes from inside and has to leave the outside with the changed source IP.
I would really appreciate a screenshot from CSM 4.4 which shows the correctly filled fields.
Thanks
Patrick
-
Matty
Not familiar with SIP so can't say for sure about that in terms of ports, but some comments -
1) you don't show other interfaces, but presumably the LAN interface(s) has "ip nat inside" enabled
2) the PBX subnet is 10.1.1.0/24 yet your static NATs are referring to 10.18.21.2 ?
3) following on from 2) your PBX_SUBNET acl is wrong, it should be -
ip access-list extended PBX_SUBNET
permit ip 10.1.1.0 0.0.0.255 any <-- note the last octet of the wildcard mask is 255.
Edit - also assuming that any internal subnets not directly connected to the router have routes set up for them so your router knows how to get to them.
Jon
-
Hello,
Is there any way to set up dynamic NAT for an entire group without having to set up dynamic NAT for every single network?
For example,
network a: 10.168.32.0/24
network b: 10.184.32.0/24
network c: 10.16.38.0/24
I want to set up dynamic NAT for all of these subnets at one time.
Of course I have more than 3, more like 200 of them, so I don't want to have to set up dynamic NAT individually.
Thanks,
Dan.

Hi,
Well, if you want to perform Dynamic PAT to different public IP addresses based on source interface, for example, then you could do it in the following way
object network INSIDE-PAT
host 1.1.1.1
object network DMZ-PAT
host 1.1.1.2
nat (inside,outside) after-auto source dynamic any INSIDE-PAT
nat (dmz,outside) after-auto source dynamic any DMZ-PAT
You could follow the above logic that applies to your network setup.
Of course, if you have only one source interface but several different networks or groups of networks for which you want to use different PAT IP addresses, then you would have to create the source address group for those networks
For example
object network PRODUCTION-PAT
host 1.1.1.1
object network TESTING-PAT
host 1.1.1.2
object-group network PRODUCTION-NETWORKS
network-object 10.10.0.0 255.255.0.0
network-object 10.20.0.0 255.255.0.0
object-group network TESTING-NETWORKS
network-object 10.30.0.0 255.255.0.0
network-object 10.40.0.0 255.255.0.0
nat (inside,outside) after-auto source dynamic PRODUCTION-NETWORKS PRODUCTION-PAT
nat (inside,outside) after-auto source dynamic TESTING-NETWORKS TESTING-PAT
Or was it something else that you were after?
- Jouni -
Dynamic NAT on selected machines
Hi
What is the best way to set up dynamic NAT if I only want it to function on
a group of 30 workstations?
I was considering putting these workstations into a separate subnet, but
doesn't dynamic NAT pick up all subnets on the private interface?
Any Ideas?
Thanks
Peter H

Peter,
> What is the best way to setup dynamic NAT if I only wanted it to function on
> a group of 30 workstations.
> I was considering putting these workstations into a seperate subnet, but
> doesn't dynamic nat pick up all subnets on the private interface?
Indeed, this won't work.
You can use NAT for everyone, and then regulate the access with packet
filters. It's a limitation of the NetWare NAT, indeed.
Caterina
Novell Support Connection Volunteer Sysop
-
I have a strange issue with a Bordermanager server. It is 3.9SP1 on a NW
6.5sp7 server. After the server has been running it stops passing traffic to
the Internet. I checked the NAT table and it has 5000 entries (the max I
believe) The entries are old, so it looks like it is not refreshing the
table.
If I disable NAT on the public interface, then enable it, things start moving
again.
Any ideas?
Thanks,
Jim

We actually don't use BorderManager for forward proxy. I do use reverse
proxy a lot. We use stand alone proxy servers so we can deploy them to
locations too small to justify a BM server.
As for Patches:
I have TCP681K, wsock60, and nwlib6L installed. I don't have the security
system patch installed. The HP support pack has newer drivers than the
NW65SP7. I was using the SP7 drivers, and the tech I spoke with at Novell
suggested that if a newer version was available from HP I should try it. So I
went from bx2.lan version 3.41 to version 3.70. HP claims it is for NW65SP7.
Gonzalo,
Thanks for the info, the 10.11.11.7 entry is just one of many. The machine
is actually off, so no connection. I have the new NAT.NLM installed, but it
is dated 8/08/2008? I could not find a newer one on Novell's site.
Since our office is closed it is hard to really test since we have almost no
traffic right now.
Thanks for your input!!!
Jim
"Craig Johnson" <[email protected]> wrote in message
news:[email protected]...
> In article <[email protected]>, Jim Burghart
> wrote:
>> The traffic was just normal web traffic.
>
> If this is just you browsing, I'm thinking you need to check patches on
> the
> server. See tip #1 at my website (URL below my signature).
>
> You are just browsing through the proxy?
>
>> The table would not refresh
>> at all. I cleared the table and made a few connections to the web, and
>> the translations where there 10 minutes later? On my other BM server
>> they clear as soon as the connection closes.
>>
>> I think I may have it fixed though. I applied the newest HP support
>> pack for NW 6.5, version 8.1a. The server is an HP360DL G5. That seems
>> to
>> have solved it.
>
> What files are in that support pack? (Is that comparable to NW65sp7?)
>
>> Connections are clearing fine now. This all started happening after I
>> updated the TCP files, and lib files to NWlib6L.
>
> If using NW65SP7, I also recommend tcp681k, ss206 and wsock6o.
>>
>> I will keep an eye on it, but it seems to be ok now.
>
> OK, but check patch levels!
>>
>> Thanks again, and Happy Thanks Giving to all!
>>
> Thanks!
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***
>
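
For the two BorderManager threads above (Devon's question about the 5000-port dynamic NAT limit and rolling reuse of the oldest connections, and Jim's NAT table that fills up with old entries), here is an added Python model of such a capped translation table; it is not BorderManager code, the 5000-entry cap is the figure quoted in the threads, and the host address and traffic patterns are constructed.

```python
"""Model of a dynamic NAT/PAT table with a fixed entry cap, for the BorderManager
threads above.  Added example, not BorderManager code: the 5000-entry cap is the
figure quoted in the threads, the host address and traffic patterns are constructed."""
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

Session = Tuple[str, int]  # (local ip, local port)


class DynamicNatTable:
    """One translation entry (global port) per outbound connection."""

    def __init__(self, max_entries: int = 5000, first_port: int = 1024):
        self.max_entries = max_entries
        self.next_port = first_port
        self.free_ports: List[int] = []
        self.entries = OrderedDict()  # global port -> session; insertion order = age

    def allocate(self, local: Session) -> Tuple[int, Optional[Session]]:
        """Return (global_port, evicted).  When the table is full the oldest entry is
        reused in rolling fashion; evicted is the session that lost it, else None."""
        evicted = None
        if len(self.entries) >= self.max_entries:
            gport, evicted = self.entries.popitem(last=False)
        elif self.free_ports:
            gport = self.free_ports.pop()
        else:
            gport, self.next_port = self.next_port, self.next_port + 1
        self.entries[gport] = local
        return gport, evicted

    def release(self, gport: int, local: Session) -> None:
        """Clear the entry when the connection closes, if it still belongs to it."""
        if self.entries.get(gport) == local:
            del self.entries[gport]
            self.free_ports.append(gport)


def simulate(rate: int, lifetime: int, seconds: int, close_clears: bool,
             max_entries: int = 5000) -> Dict[str, int]:
    """`rate` new connections per second from one host, each living `lifetime`
    seconds.  close_clears=False models a table that is never cleaned up."""
    table = DynamicNatTable(max_entries)
    host, lport = "10.0.0.5", 1024          # constructed host; lport is unique per session
    active: Dict[Session, Tuple[int, int]] = {}   # session -> (global port, end time)
    broken = peak = 0
    for t in range(seconds):
        for _ in range(rate):
            gport, evicted = table.allocate((host, lport))
            if evicted is not None and evicted in active:
                broken += 1                 # a still-open session lost its translation
            active[(host, lport)] = (gport, t + lifetime)
            lport += 1
        for sess, (gport, end) in list(active.items()):
            if end <= t:                    # connection closes now
                if close_clears:
                    table.release(gport, sess)
                del active[sess]
        peak = max(peak, len(table.entries))
    stale = sum(1 for s in table.entries.values() if s not in active)
    return {"size": len(table.entries), "peak": peak,
            "broken_sessions": broken, "stale_entries": stale}
```

With cleanup on close, 50 connections/s that each live 10 s hold the table at 500 entries, while 1000 connections/s overrun the cap and recycle translations of sessions that are still open (Devon's exhaustion); without cleanup even the light load ends with a full table of mostly stale entries (Jim's symptom).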
-
Dynamic NAT GRE protocol into internal Server
Hi guys just a quick one.
I've had a quick look and it appears it cannot be done.
I'm attempting to forward the GRE protocol to an internal web server. We only have 2 external addresses and the internal server is not one of them. Is this possible?
Kind regards,
Jake
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
c2c-pix1 up 10 hours 43 mins
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has an Unrestricted (UR) license.

You would need to have a spare public IP to configure a static NAT statement for GRE, as GRE is a protocol, not TCP or UDP with a port; hence you can't share a public IP.
However, if you are trying to enable PPTP connections to the internal server, then all you have to do is static PAT on TCP/1723 and enable "fixup protocol pptp 1723", and that would allow the GRE traffic to pass through.