EA4500 behind NAT Router - would cloud config work?

This is the topology:  
Internet +--(coax)--+ Modem/Wired Router Combo +--(cat5e)--+ EA4500
Would it EVER be possible to configure the EA4500 with CiscoConnectCloud?   How could the cloud reach through to it?  
I have an EA4500 that I have never been able to associate with a cloud account. 
With another wireless router, all I did was turn off DHCP service on the wireless router, and plug the upstream ethernet cable into an ethernet port (i.e. the cat5e goes into the blue, not yellow, port.) and let it rip. 
  I wouldn't deliberately choose cloud config for this, but I am here.  Is it even possible?

Thank you for your careful answer.  These are really good suggestions, and I bet they will help many people.   In fact, at my house I should implement them even though my current best router is a Netgear N600 type.   That sounds bizarre, but it is because this EA4500 isn't mine. 
It belongs to my parents, a thousand miles away.  Last April when I visited them, I set them up with a Roku XS.  They have necessary activities going on their computers, active trading and such.  Because I'm not there, at my recommendation, they rent their networking stuff from Comcast, so Comcast can help them if there's a problem.  They live in one of those houses that originally was one fourth of its current size, so they have different density walls, many different base electrical circuits: not what is best for wireless networking.  Their established wireless setup couldn't begin to deliver to the TV.
I knew it was rather insulting to the EA4500, but I bought it and set it up solely to deliver content to the Roku.  I also figured if their wimpy wireless went out and Comcast made them wait, I would just tell them how to connect to the Cisco, as a backup, if necessary.   They didn't use the Roku a whole lot, and for a while they thought they did something wrong.  So it was a while before I even heard about their issues. It was a very early unit, purchased on April 9.  I may also have jumped to a conclusion - they said it stopped working in the week or two before the Fourth of July. , Dad and I did a lot of sleuthing over the phone, on and off for weeks.  Then  I assumed it was the firmware update that broke their connectivity.  So this week when I had them ship me the router so I could work on it at my house.
Your ideas are great and I am going to set it up here the way you both say and let the Cisco do the heavy lifting.  That will tell me for sure whether the thing is working properly. 
Because for right now, the only way it works as a router is when it is dumb and connected via LAN not WAN.  It's the only way I can log in to configure it, and it's the only way I can connect to the internet "through" it.  I've been going back and forth between the firmware versions, topology, and wireless versus wired.  And resetting.  Gosh, thanks for getting me out of that rat trap!  

Similar Messages

  • Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

    Hi,
    I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
    I have 3 web servers behind a router.
    Public interface: 3 public ip adresses
    Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
    I would to know the best way to redirect http traffic to the right server.
    My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration.  I could also redirect via Policy-map and filter by url content.
    So if you have some advise for this case, it would be really appreciated.
    Thank you.
    Chris.

    Hello Christophe,
    As I understand you want 1st that ; 
    if somebody go to A.local.com from internet then he will redirect to 192.168.1.10 in your internal network. 
    That means, you need static mapping between your public @ip address and your local ip address. 
    for this example, your local interface is Fa0/0.1 and I dont your public interface because it is not mention in your diagram. I will suppose S0/0 for public interface. 
    that is the config for the Web Server1. You can do the same with the remaining servers:
    interface fa0/0.1 
    ip nat inside
    interface serial0/0
     ip nat outside
    ip nat inside source static 192.168.1.10 172.1.2.3 
    static mapping from local to public. 
    I suppose you have done the dns mapping in your network and the ISP have done the same in his network. 
    ip route 171.1.2.3 interface serial0/0 
    or 
    ip route 0.0.0.0 0.0.0.0 interface serial0/0. 
    After these step for each web server, you will get the mapping. 
    Now you can restrict access to this ip only to http or https protocol on your isp and after on your local network 
    like
    ip access-list extended ACL_WebServer1
    permit ip any 192.168.1.10 eq www
    deny ip any 192.168.1.10
    exit
    interface fa0/0.1
     ip acess-group ACL_WebServer1 in
    no shut
    exit
    That is the first step. 
    Second step : you want to filter traffic by url, that means layer 5 to 7 filtering. 
    I am not sure that it is possible using cisco router with (ZBF + Regex).
    Check the first step and let us know ! 
    Please rate and mark as correct if it is the case. 
    Regards,

  • RV082 - SRP527W - VPN behind NAT not working

    Hello,
    I've really strange behaviors with my routers. We managed to get things running but once a week, the VPN link is down.
    The connection is not restart, both routers shows "connected" but are not, and we had to click on "disconnect" to get the link back.
    That was before an update in our infrastructure. Now, both routers are behind routers, so both NAT.
    Now, the connection works for some time, but once a week, the link disconnected but i'm unable to get it back ! NOTHING works.
    Last time, i spent 2Hours to configure the link again, setting the same parameters almost 10 time, and suddenly by magic, the 11st time it worked again. I read many people have troubles with RVXXX firmware so i don't know what to think.
    Anyway, my BIG concern now, is that the link is down again, and it has been 6hours since we can't got it back. I restarted the routers many times, i've made some changes in the configuration, but if it worked, why should i modify it ?????? Why is it not working anymore ?
    The log for the RV082 is almost empty about the link. Here's a snippet :
    Feb 10 19:01:52 2014
    VPN Log
    (g2gips0) #8: initiating Main Mode
    Feb 10 19:01:52 2014
    VPN Log
    (g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
    Feb 10 19:01:52 2014
    VPN Log
    (g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
    Feb 10 19:01:52 2014
    System Log
    gateway_to_gateway.htm is changed.
    Feb 10 19:09:08 2014
    VPN Log
    (g2gips0): deleting connection
    Feb 10 19:09:08 2014
    VPN Log
    (g2gips0) #8: deleting state (STATE_MAIN_I1)
    Feb 10 19:09:08 2014
    VPN Log
    added connection description (g2gips0)
    Feb 10 19:09:08 2014
    VPN Log
    listening for IKE messages
    Feb 10 19:09:08 2014
    VPN Log
    forgetting secrets
    Feb 10 19:09:08 2014
    VPN Log
    loading secrets from '/etc/ipsec.d/ipsec.secrets'
    Feb 10 19:09:09 2014
    System Log
    gateway_to_gateway.htm is changed.
    The log for the SRP527W is full of this :
    Dump pluto log message in syslog  : cat /var/log/messages |grep plutoJan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: STATE_MAIN_R1: sent MR1, expecting MI2Jan  1 02:30:09 TLSR0254 authpriv.warn pluto[1156]: "G2" #186: max number of retransmissions (2) reached STATE_MAIN_R1Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: responding to Main ModeJan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: STATE_MAIN_R1: sent MR1, expecting MI2Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: pending Quick Mode with 37.1.XXX.XXX "G2" took too long -- replacing phase 1Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: "G2" #189: initiating Main Mode to replace #185Jan  1 02:30:49 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: max number of retransmissions (2) reached STATE_MAIN_R1Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: "G2" #190: responding to Main Mode
    Please help me to get things sorted. I just don't understand why nothing is written in the log about the SRP trying to make a connection. I also don't understand why suddenly the link is broken, and without changing anything, it can't get it back normally !!
    Best Regards

    Hi again,
    Samir, i rebooted all the routers dozens of time when that happened, and it doesn't changed anything. Anyway, i called the Cisco Hotline. They could connect by VPN to RV082, but not the SRP, they didn't know why. Hardware or software failure.
    Anyway, i bought another router.
    Now i would like to use the SRP527W as a WIFI hotspot only. It doesn't work.
    My settings are :
    - Router defined as BRIDGE only (using Port lan 4 as Ethernet WAN)
    - WAN Interface is assigned 192.168.0.246 / 24
    - Gateway for the WAN interface is 192.168.0.254
    - Ethernet cable is plugged from LAN4/WAN to my new Modem/Router on LAN3.
    - Port LAN2 of SRP527W is defined with VLAN IP Address 192.168.15.254.
    When connected to the SRP527W on LAN2, from my computer (192.168.15.200), i can't ping 192.168.0.246 neither 0.254 (gateway is set to 15.254)
    Still, when connected to the SRP527W and with the Ping Dagnosis interface, pinging "192.168.0.254" shows "timed out".
    I tried almost every configuration, none worked.
    Please note that when connected from my computer directly to my new modem/router on port LAN3, with IP Address 192.168.0.200, i can access internet and ping everything. When set as DHCP too, i can grab an IP Address from my DHCP Windows Server.
    So, why is the SRP527W unable to work in this configuration ? it seems nothing pass through WAN port.
    If i'm right, there is only the WAN port that should be plugged to my modem router. With this settings, SSID should go directly to Internet, and for the other SSID, my LAN (through the modem/router). However, it doesn't work.
    Could you help me please ? Thank you

  • Does Stratus/RTMFP support P2P behind the same NAT/Router?

    Does Stratus/RTMFP support peers behind the same NAT/Router?
    (such that both peers have the same public IP address)
    That is: if two computers (each running Flash) are behind the same NAT, and connect to Stratus to get peerID;
    do we expect they can connect p2p?
    Or will each one get/see just the public IP address:port of the other?
    My initial tests indicate that this scenario fails [ICMP Destination Unreachable (port unreachable)]
    Is this just a limitation of my local router? does this work for others?
    Does Status expect the local router to detect/decode/resolve this situation?
    If the solution requires 10.1 groups, is there support to detect/diagnose when/if the peer is on the same LAN?

    Thanks for the info, sounds like RTMFP supports this, and hopefully the AFP code does the right thing.
    [so, officially, the original question is answered]
    Note: In one instance, i'm running two browsers on the same host,
    so even the inner/LAN addresses would be the same. Therefore, if A sends to B's inner/LAN address,
    the [Windows] OS network layer *should* recognize that and 'hairpin' without leaving the host, or crossing the firewall.
    (I say "should" because Unix generally does that, but I'll have to check to see about Windoze).
    [And such packets are probably invisible to Wireshark also, so how do i verify what's happening?
    oh sure, just reconfigure to boot Linux... ]
    So glad you explained that the client tries all three pathways; if it works as you say,
    then I can probably ignore the ICMP error from the local router (or, as you say, teach it to do the hairpin).
    Can you confirm that P2P will work between browsers (say Chrome to Firefox) on a single Windows host?
    [I really want to know if I'm failing because of network configuration or application code/error;
    at this point, I am able to correctly exchange the peerIds, and start the NetSteam.play,
    but the two sides do not appear to be exchanging audio/video]

  • Airport Express won't work unless it's behind a router...

    After experimenting with my airport express to try and get it to work with some game of mine, I discovered that my airport doesn't get an internet signal unless the connection from the modem to the base station goes through a router.
    This is really strange... does anyone know anyway to fix this?
    By the way, yes, all my cables work, I use SBC Yahoo DSL as my ISP, I have a speedstream modem, and my connection apparently has to go through an Asante router, although it may work through other ones.

    OK,
    Is the IP address of the form 192.168.x.x, or 10.x.x.x, or something else ? This will help us identify if the ISP is allocating you an IP address dynamically, or maybe you have to key it (just once) because they've allocated you a static IP address.
    The DNS server addresses present but greyed out is what I hoped to see. I had hoped Router address would be set (and greyed out), this is where all your internet traffic gets sent to. I'm also a bit puzzled at the Subnet mask not being 255.255.255.255, which would be the normal value for ISPs to set on customers connections.
    If you plug your mac (if possible) straight into the ethernet cable that comes out of the modem, put the Network system preference on Automatic, and then check the Built-in Ethernet in the same system preference, what does it show ? same values as appeared in the Airport config ? This is just to rule out any other factors.
    I'm sure the answer we need is in the configuration of your (nearly redundant) router. It will have settings, either already set, or allocated by the ISP that we need to mirror in the Airport. If you're comfortable in the router configuration, print (or screen dump) all the details, then we know what works and can begin to configure the Airport in a similar fashion.

  • How can I bring 2 photos in Creative Cloud to work on?  I would like one as a background the other I want to cut something out to put in the background.

    How can I bring in 2 photos to use in Creative Cloud to work on?  I would like one as a background and the other I would like to cut something out and put it in the background picture.  Help Please!

    Creative Cloud is not a program, it is a marketing and delivery process
    http://www.adobe.com/products/creativecloud/faq.html
    http://helpx.adobe.com/creative-cloud/help/install-apps.html to install or uninstall
    http://forums.adobe.com/community/download_install_setup/creative_cloud_faq
    What it is http://helpx.adobe.com/creative-cloud/help/creative-cloud-desktop.html
    Cloud Getting Started https://helpx.adobe.com/creative-cloud.html
    So... what is the name of the program you are using?

  • RV180 - DDNS behind 2nd NAT router

    Hello community,
    is it possible to use the DDNS feature (dyndns.com) behind a 2nd NAT router?
    Network is as follows:
    INTERNET - NAT-Router (unknown device) - Cisco RV-180 (NAT) - Clients
    Kind Regard,
    Michael

    If you put your dyndns client in front of the rv180 or one the nat router's dmz, you should get the correct IP address.  I usually use the DMZ port on a nat router when putting a vpn router behind a nat one--this solves a lot of the IP address issues for the vpn router.
    Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

  • Fields for Super BOM, Work Center & Super Routing for Variant Config

    hi! gurus,
    Please can you give me mandatory fields & values for Super BOM, Work Center & Super Routing for Variant Config
    thank you

    Hi,
    In the Super BOM you need to maintain the object dependencies.
    Workcenter fields are as usual for other production processes.
    Also you can use search option in the forum to view the threads posted in the past. There are many posts related to variant configuration.
    Regards,
    Senthilkumar

  • E4200 - Router would stop working in about 30 mins time

    Out of the box this thing was a breeze to setup. That is where the praises end. After the first few devices attached them selves the router would stop allowing internet access. I could still log onto the router and everything appeared fine but there was no internet access. The only solution was to hit the reboot button in the router software or power cycle the router. Then it would work for about 30 minutes. I googled the issue I was having and found it's a common problem. Not sure why this router has such great reviews on here.
    What's great about it: Easy to setup
    What's not so great: works for only 30 minutes at a time.
    This product has...
    Unreliable connection
    slow connection
    I use it in...:Large home

    You should take a few steps to increase your connection's stability.
    Step 1: Reset the wireless router by using the power switch on it or by unplugging it and plugging it back in. You should leave it off for about 20 seconds before turning it back on. This is a good step to take anytime you're troubleshooting your router; it gives the router a chance to refresh the network and reestablish connections with any devices paired to it.
    Step 2: Place the wireless router in an ideal location. The higher it is, the better, but don't put it near the ceiling if metal beams or pipes are up there. Metal objects can strongly interfere with the network. Keep it away from large objects, since anything large and solid can obscure its signal.
    Step 3: Get as close as possible to the router with whatever device you're trying to connect. The closer you are, the stronger and more stable the connection is.
    Step 4: Keep the router and your connecting device away from other electronics. You should especially keep away from phones, fax machines and microwaves, since many of these appliances operate in the same frequency range as wireless routers. Other wireless routers should not be near the Linksys router or your device.
    Step 5: Adjust the antenna if it has one. You may need to try putting it in several different positions before you find out what is most effective. If you're connecting to a router on a different floor than you, the antenna should probably be at a 45-degree angle or even completely horizontal.
    Step 6: Change the router's channel, especially if other wireless routers are nearby. This is an option that only an advanced user should attempt. You'll need to access the router setting Web page, which is most likely 192.168.1.1; Then go to the Wireless tab and change the wireless channel to 1, 6,9,11...

  • Would creative cloud programs work efficently on a ASUS x102ba?

    Would creative cloud programs work efficently on a ASUS x102ba? 

    Would they work? Quite likely. Efficiently? Are you kidding me? From the weak processor to the barely acceptable screen size and resolution I can think of hundreds of reasons why this won't be fun.
    Mylenium

  • How to use a fixed port for remote assistance in windows 8.1 behind a nat router freebox?

    Hello,
    Before to use remote assistance in windows 8.1, i need to configure my nat router freebox.
    But remote assistance ( msra.exe ) use a dynamique port and never the same.
    How to use a fixed port for remote assistance ini windows 8.1 ?
    And why i can't use easy connect ?
    i read that the router must implement the PNRP protocol. I think it's a propriatary microsoft's protocol unknow on my router.
    Thanks

    Hello,
    Very good. It's a big range ( 255 mini from 49152 )  for a single port but if it's the only one possibility...
    You are very helpfull ( i don't know if it's a good english but you make me very happy )
    Merci beaucoup

  • RA VPN into ASA5505 behind C871 Router with one public IP address

    Hello,
    I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
    PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
    The  public IP address is assigned to the outside interface of the C871. The  C871 forwards incoming traffic UDP 500, 4500, and esp to the outside  interface of the ASA that has a private IP address. The PC1 can  establish a secure tunnel to the ASA. However, it is not able to ping or  access PC2. PC2 is also not able to ping PC1. The PC1 encrypts packets  to PC2 but the ASA does not to PC1. Maybe a NAT problem? I understand  removing C871 and just use ASA makes VPN much simpler and easier, but I  like to understand why it is not working with the current setup and  learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!C871:
    version 15.0
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname router
    boot-start-marker
    boot-end-marker
    enable password 7 xxxx
    aaa new-model
    aaa session-id common
    clock timezone UTC -8
    clock summer-time PDT recurring
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.2.1
    ip dhcp excluded-address 192.168.2.2
    ip dhcp pool dhcp-vlan2
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
    ip cef
    ip domain name xxxx.local
    no ipv6 cef
    multilink bundle-name authenticated
    password encryption aes
    username xxxx password 7 xxxx
    ip ssh version 2
    interface FastEthernet0
    switchport mode trunk
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN Interface
    ip address 1.1.1.2 255.255.255.252
    ip access-group wna-in in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    no ip address
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan10
    description router-asa
    ip address 10.10.10.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list nat-pat interface FastEthernet4 overload
    ip nat inside source static 10.10.10.1 interface FastEthernet4
    ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
    ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
    ip nat inside source static esp 10.10.10.2 interface FastEthernet4
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ip route 10.10.10.0 255.255.255.252 10.10.10.2
    ip route 192.168.2.0 255.255.255.0 10.10.10.2
    ip access-list standard ssh
    permit 0.0.0.0 255.255.255.0 log
    permit any log
    ip access-list extended nat-pat
    deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.2.0 0.0.0.255 any
    ip access-list extended wan-in
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.255.0.0 0.0.255.255 any
    deny   ip 255.0.0.0 0.255.255.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip host 0.0.0.0 any
    deny   icmp any any fragments log
    permit tcp any any established
    permit icmp any any net-unreachable
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    permit esp any any
    permit icmp any any host-unreachable
    permit icmp any any port-unreachable
    permit icmp any any packet-too-big
    permit icmp any any administratively-prohibited
    permit icmp any any source-quench
    permit icmp any any ttl-exceeded
    permit icmp any any echo-reply
    deny   ip any any log
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    no modem enable
    line aux 0
    line vty 0 4
    access-class ssh in
    exec-timeout 5 0
    logging synchronous
    transport input ssh
    scheduler max-task-time 5000
    end
    ASA:
    ASA Version 9.1(2)
    hostname asa
    domain-name xxxx.local
    enable password xxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxx encrypted
    names
    ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
    interface Ethernet0/0
    switchport trunk allowed vlan 2,10
    switchport mode trunk
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Vlan10
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.252
    ftp mode passive
    clock timezone UTC -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name xxxx.local
    object network vlan2-mapped
    subnet 192.168.2.0 255.255.255.0
    object network vlan2-real
    subnet 192.168.2.0 255.255.255.0
    object network vpn-192.168.100.0
    subnet 192.168.100.0 255.255.255.224
    object network lan-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
    object network vlan2-real
    nat (inside,outside) static vlan2-mapped
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 10.10.10.1 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 10.10.10.1 255.255.255.255 outside
    ssh timeout 20
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    anyconnect-essentials
    group-policy vpn internal
    group-policy vpn attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn-split
    default-domain value xxxx.local
    username xxxx password xxxx encrypted privilege 15
    tunnel-group vpn type remote-access
    tunnel-group vpn general-attributes
    address-pool vpn-pool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    ikev1 pre-shared-key xxxx
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
    : end

    Hi,
    I think, that you want control all outbound traffic from the LAN to the outside by ASA.
    I suggest some modifications as shown below.
    C871:
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.2 255.255.255.0
    no ip nat inside
    no ip proxy-arp
    ip virtual-reassembly
    ip access-list extended nat-pat
    no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    no permit ip 192.168.2.0 0.0.0.255 any
    deny ip 192.168.2.0 0.0.0.255 any
    permit ip 10.10.10.0 0.0.0.255 any
    ASA 5505:
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    Try them out and response.
    Best regards,
    MB

  • DMVPN Hub and Spoke behind NAT device

    Hi All,
    I have seen many documents stating about DMVPN Hub behind NAT or DMVPN Spoke behind NAT.
    But My case i involve in both situation.
    1) HUB have a Load Balancer (2 WAN Link) ISP A & B
    2) Spoke have Load Balancer (2 WAN Link) ISP A & B
    Now the requirement is Spoke ISP A Tunnel to HUB ISP A.  Spoke ISP B tunnel to HUB ISP B
    So total of two DMVPN tunnel from spoke to hub, and i will use EIGRP and PBR to select path.
    As I know at HUB site, LB must do Static NAT for HUB router IP, so spoke will point to it as tunnel destination address. At spoke LB, i will do policy route to reach HUB ISP A IP via Spoke ISP A link, HUB ISP B IP via Spoke ISP B link.
    HUB and Spoke have to create 2 tunnel with two different network ID but using same source interface.
    The Tunnel destination IP at spoke router is not directly belongs to HUB router. Its hold by HUB LB , and forwarded to HUB router by Static NAT.
    Any problem will face with this setup? Any guide?
    Sample config at HUB.
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile cisco
    Spoke Config
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.16.1.1 199.1.1.1
    ip nhrp network-id 1
    ip nhrp holdtime 300
    ip nhrp nhs 172.16.1.1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel destination 199.1.1.1
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.17.1.1 200.1.1.1
    ip nhrp network-id 2
    ip nhrp holdtime 300
    ip nhrp nhs 172.17.1.1
    delay 1500
    tunnel source FastEthernet0/0
    tunnel destination 200.1.1.1
    tunnel key 1
    tunnel protection ipsec profile cisco

    Hi Marcin,
    thanks for your reply. The NAT was set up in a way it was/is just to simulate the spoke to be behind NAT device.
    About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. At the end, TAC actually assisted me with this. Before I called TAC, i did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that, did not work and it has to with NAT and AH. Traffic was no longer NATed so the hub, saw the traffic come from 2.2.2.2 rather than 3.3.3.3, you can also see that in the error message you have pointed out. I also saw it in my packet captures. That caught my eye and i started troubleshooting it. I did not understand that AH can't be NATed, Below  is TAC's explanation. All is good now. Thanks
    .  Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum.  Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
    Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check.  In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."

  • Virtual Host behind a router

    I am trying to get virtual hosts up & running on Leopard Server -
    I have read through other posts here pertaining to virtual hosts but am still having no success - trying to access any of the hosts results in the first host's index loading.
    I enabled Virtual Hosting through Server Admin:Mail and created the Virtual Domains
    I then went to Server Admin:Web:Sites and added each of the domains - I checked in the aliases and made sure that there wasn't an asterisk for any of them - I further made sure that there was an alias if the www was omited - e.g., virtual domain www.example.com added an alias for just example.com
    I stopped & restarted web services after each attempt - the only thing I can figure that might be causing a problem is the server is behind a router using NAT and IPs are resolved through no-ip.
    Any suggestions would be greatly appreciated

    It is unlikely that the NAT is contributing as you have painted the scenario. More than likely, you aren't pointing the separate domain sites to different directories with different content? Or, you have not enabled the sites in the list. Have you tried moving your default to the bottom of your VH list? (you can drag items around in the Sites list to reorder things).
    VH does work just fine in OSXS 10.5.5.
    I have some primitive notes on a typical setup, if this helps: http://www.rduonline.com/notes.mgi

  • Problem with WRT54G and DSL NAT router

    I have a WRT54G connected to a Westell DSL NAT router. I would like to be able to allow incoming connections to my FreeBSD server.
    The Westell router allows me to set IP Passthrough (they call it "Single Static IP"). This gives the WRT54G the outside IP address given to the DSL router. I can then set up the WRT54G for DDNS and port forwarding to forward specific ports I want to my server.
    This works, for about 2-3 days. Then, I start to randomly lose outside connectivity. Web pages start coming up with missing elements, or taking a long time to load. This will eventually lead to total loss of outgoing communication.
    Normally, I would blame this on the Westell NAT router, but as I'm losing connectivity to the internet, I'm also losing connectivity to the WRT54G. It will try to load configuration pages but will be slow with missing elements, etc.
    All communications between computers on my inside network continue to function properly, it's just connectivity to the WRT54G and the internet that seem to start to fail.
    Does anyone have any idea what is going on? I just upgraded the firmware on the WRT54G from 1.01.1 to 1.02.0, but I don't imagine this will help.
    Thanks,
    David Chamberlain

    Try setting the MTU to manual and change the value to 1450
    "Only those who risk going too far can possibly find out how far one can go..."

Maybe you are looking for