Hide NAT

Hi,
Can someone guide me to configure Hide NAT on the Cisco ASA 5510 Firewall? I am using the ASA in my network. The traffic of the users at the inside interface needs to go to the DMZ interface and access the three remote servers through a s2s VPN. The VPN device is connected between the Internet router and the ASA DMZ.
Please advise,
Saroj

Hi,
I'll refer to the configuration I mentioned earlier, which would match your current software level on the ASA.
So far the information you have given would seem to suggest the following situation:
Local network that needs to access the L2L VPN connection: 172.16.58.0/24
Remote networks that are behind the L2L VPN at the remote site:
209.196.208.52/32
209.196.208.10/32
172.31.82.0/23
Are these correct? If so, then the below configuration would seem to be the option for you.
Software 8.2 and below:
access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.10
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 172.16.82.0 255.255.254.0
global (dmz) 200 interface
or
global (dmz) 200 <NAT ip address>
nat (inside) 200 access-list VPN-POLICYPAT
Now notice that above I give 2 different options on how to give the NAT IP address. The first one uses the DMZ interface IP address as the NAT IP address (as the IP address behind which the LAN network is "hidden"). The second option lets you use whatever IP address you want to insert there instead as the NAT IP address.
Now if you use the parameter "interface" in the "global" command, this will mean that the NAT IP address is from the link network between the VPN device and the ASA. Routing-wise this means that the VPN router already has a route for that NAT IP address, as it is directly connected.
If you on the other hand specify some IP address in the "global" command as the NAT IP address, then you will have to make sure that the VPN router has a route for that IP address pointing towards the ASA DMZ interface IP address.
I am not really sure if I can explain it any more clearly.
I am under the presumption that your setup and its requirements are the following:
LAN users from network 172.16.58.0/24 want to connect to network 172.16.82.0/23 and hosts 209.196.208.10 and 209.196.208.52
The mentioned destination networks are located behind a L2L VPN connection that is formed by the VPN router behind the ASA's DMZ interface
You want to "hide" your LAN network 172.16.58.0/24 behind a NAT IP address so that the remote/destination networks see all connections coming from that single IP address
- Jouni
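As an added illustration (not from the thread), the following Python models what the 8.2 policy NAT above does to a flow and checks the routing caveat about the NAT IP address; the DMZ link addressing (192.0.2.0/29, DMZ interface 192.0.2.1) is assumed, since the thread never states it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the policy NAT ACL from the reply, fed in as text so the
# matching logic below works on the same lines an admin would paste into the ASA.
VPN_POLICYPAT_TEXT = """
access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.10
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 172.16.82.0 255.255.254.0
"""

# Assumed (placeholder) addressing for the ASA DMZ <-> VPN router link; the
# thread never states these, so documentation-range values are used.
DMZ_IF_IP = "192.0.2.1"
DMZ_LINK_NET = ipaddress.ip_network("192.0.2.0/29")


@dataclass
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_acl_line(line: str) -> Optional[AclEntry]:
    """Parse one 'access-list NAME permit ip SRC MASK (host DST | DST MASK)' line.
    Remarks and anything that is not a 'permit ip' entry yield None."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
        return None
    src = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
    if t[6] == "host":
        dst = ipaddress.ip_network(f"{t[7]}/32")
    else:
        dst = ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False)
    return AclEntry(src, dst)


def load_acl(text: str) -> List[AclEntry]:
    return [e for e in (parse_acl_line(line) for line in text.splitlines()) if e]


VPN_POLICYPAT = load_acl(VPN_POLICYPAT_TEXT)


def policy_nat_source(src_ip: str, dst_ip: str, acl: List[AclEntry], nat_ip: str) -> str:
    """Source address the DMZ/VPN side will see.

    Models 'nat (inside) 200 access-list VPN-POLICYPAT' + 'global (dmz) 200 <nat_ip>':
    a flow is hidden behind nat_ip only when both source and destination match an
    ACL entry; any other flow is left alone here (it falls through to whatever
    other NAT rules exist, or to none)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return nat_ip
    return src_ip


def vpn_router_needs_route(nat_ip: str, dmz_link_net: ipaddress.IPv4Network) -> bool:
    """The caveat from the reply: with 'global (dmz) 200 interface' the NAT IP sits on
    the link the VPN router is directly connected to, so return traffic needs no extra
    route; any other NAT IP needs a route on the VPN router pointing at the ASA DMZ IP."""
    return ipaddress.ip_address(nat_ip) not in dmz_link_net
```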

Similar Messages

  • Disable hide-nat on RV180W

    So I have an RV180W connected to an ASA in a "DMZ".
    I have 2 SSIDs on the RV and want one to be guest and one to be "corporate".
    I would like to control this on the ASA... so my intention is to have the access point act as a router (it is in router mode) so it will pass all traffic untranslated from the wireless users to the ASA... but it looks like a lot of traffic (maybe all?) is being hide-NATed behind the "WAN IP" on the RV180W.
    How can I prevent any NATing from occurring on the RV180W?

    Many of these router/APs NAT automatically on their WAN port and I haven't seen many where you can disable this. What you need is a plain access point and not one of these router/AP devices.

  • Is it possible to do NAT Exemption by port on ASA 8.3?

    Hello,
    Here is the scenario that I'm trying to solve. I have an IPSEC VPN that just strips off port 80 and 443 traffic from an internal network when the destination is the internet.
    This VPN works fine until NAT gets involved. After I configured a dynamic hide NAT for the internal network, the traffic to the VPN no longer matches the crypto map. This I was expecting, as I know that NAT processing takes place before IPSEC. What I was not expecting is how difficult it would be to exclude my IPSEC VPN traffic from getting NATed.
    The difficulty is that the destination IP has to be ANY since it is the internet, and also that it should only be port 80 and 443 that are excluded from NAT. I do want any other traffic to still be processed by the dynamic hide.
    So the traffic that I want to exclude from NAT would look like this:
    internal-net --> ANY on TCP port 80 or 443: exclude from NAT.
    It seems so simple, but I cannot find any examples of someone successfully doing this, and I also do not see that it is not possible. I've played around with many double NAT statements, but any combination that I put in results in the firewall saying "ERROR: NAT unable to reserve ports".
    Any help on this would be greatly appreciated!
    Eric

    Hi,
    The general format to configure NAT0 would be:
    object network LAN
    subnet
    object network REMOTE-LAN
    subnet
    nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
    But if I understood you correctly, you want to configure NAT0 for traffic from your LAN that has destination address "any" and destination port/service of TCP/80 or TCP/443?
    This would mean that you are trying to tunnel all of this Web traffic to a remote site where it will eventually get passed to the Internet through NAT?
    Have you tried the following NAT configuration yet?
    object network LAN
    subnet
    object network REMOTE-LAN
    subnet
    object service WWW
    service tcp destination eq www
    object service HTTPS
    service tcp destination eq https
    nat (inside,outside) source static LAN LAN service WWW WWW
    nat (inside,outside) source static LAN LAN service HTTPS HTTPS
    This should match any traffic with a destination port of TCP/80 or TCP/443 to "any" destination network. It would at the same time keep the source address original (NAT0 / Identity NAT).
    What you have to notice with this setup is that it applies to ALL traffic of this kind. If you have DMZs on the local ASA you will have to configure additional NAT configuration before these configurations so that the LAN -> DMZ WWW/HTTPS traffic is not involved or forwarded to the L2L VPN. So there are some things to take into consideration.
    There is also another variation of the above configuration, and depending on your actual software level (the different software levels after 8.3) the ASA might match the above NAT configuration differently.
    Hope this helps
    - Jouni

  • Static NAT (in and out) and PAT on a Router

    Static NAT and PAT
    I need to have a customer network connected to my extranet.
    I'm not in control of the customer network addressing, but I need to configure a VPN connection.
    I will supply the router that will also be the customer firewall to the Internet (PAT).
    (1) I need to be able to do PAT on traffic from internal hosts to the Internet.
    (2) I need to hide (NAT) the customer network behind a network supplied by me (match-host) when they are accessing my extranet (through VPN).
    (3) I need to be able to access hosts on the customer network through the hiding (NAT) addresses from my extranet (through VPN).
    The following configuration will solve (1) & (2), but I cannot (3) reach the internal servers from my extranet, except if the internal host has made a connection to the extranet, which will create a translation entry in the NAT table.
    Extranet is: 172.16.16.0/24
    Internal net is: 192.168.1.0/24
    interface Vlan1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    interface FastEthernet4
    ip address 1.1.1.1
    ip nat outside
    access-list 175 deny 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
    access-list 175 permit 192.168.1.0 0.0.0.255 any
    access-list 176 permit 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
    ip nat pool FRO 10.192.10.1 10.192.10.254 netmask 255.255.255.0 type match-host
    ip nat inside source list 175 interface FastEthernet4 overload
    ip nat inside source route-map HIDE pool FRO reversible
    route-map HIDE permit 10
    match ip address 176

    Create a NAT configuration in the router which also translates even your outside global address (your extranet) into the inside global (any private) address through the keyword "rotary". Only this rotary pool will provide the pool of inside global IP addresses for your outside global IP addresses.
    The following white paper will provide you with the required information,
    http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a0080091cb9.shtml

  • Is src and dst NAT possible in multiple rules on the ASA?

    Hello,
    We have +/- 50 customer companies that will have to enter our network via IPsec s2s VPNs, and as backup the customers have the option to enter our network via a leased line. Since they can enter via multiple routes, we give them a source IP depending on which side they enter, so we know the route back internally in the network to the correct FW they entered.
    For the s2s we have to do source NAT on our side, since we cannot burden all these customers with different NATs for both the leased line and the s2s. And we have to do destination NAT, since the customers can access different DMZ systems depending on the application they connect to.
    1) source NAT can be 1 NAT rule per company (so hide NAT behind 1 IP)
    2) destination NAT is multiple rules (see below)
    At the moment we have 12 NAT rules per company, since we have configured src and dst NAT in one rule to make it work.
    See example below:
    Question: How can we configure src and dst NAT in multiple rules so that we don't need 12 NAT rules per company?
    ASA cluster: single mode - Active/Standby
    asa922-4-smp-k8.bin
    asdm-731-101.bin
    Src REAL             Src Mapped   Dst MAPPED     Dst REAL      Service
    192.168.143.128_29   11.11.11.1   19.19.19.90    10.10.10.42   53-udp
    192.168.143.128_29   11.11.11.1   19.19.19.90    10.10.10.42   53-tcp
    192.168.143.128_29   11.11.11.1   19.19.19.11    10.10.10.42   53-udp
    192.168.143.128_29   11.11.11.1   19.19.19.11    10.10.10.42   53-tcp
    192.168.143.128_29   11.11.11.1   19.19.19.90    10.10.10.41   PoP3
    192.168.143.128_29   11.11.11.1   19.19.19.90    10.10.10.41   SMTP
    192.168.143.128_29   11.11.11.1   19.19.19.180   10.10.10.44   SMTP
    192.168.143.128_29   11.11.11.1   19.19.19.180   10.10.10.44   PoP3
    192.168.143.128_29   11.11.11.1   19.19.19.83    10.10.10.47   http
    192.168.143.128_29   11.11.11.1   19.19.19.83    10.10.10.47   tcp-5555
    192.168.143.128_29   11.11.11.1   19.19.19.90    10.10.10.47   http
    192.168.143.128_29   11.11.11.1   19.19.19.92    10.10.10.47   http

    Steve,
    That is my whole point.  To copy from the PC host memory to the CUDA device memory asynchronously, the host memory must be pinned.  Hence, the source and destination memory should be pinned.  Otherwise, I must copy the source memory to pinned memory I have allocated on the PC, copy it asynchronously to the CUDA device memory, process it on the CUDA device, asynchronously copy it back to the PC pinned memory, and then copy it to the destination memory.
    If you copy synchronously, it is slow as Christmas!  Therefore, you must copy the memory asynchronously, or you should not use CUDA and GPU acceleration.
    My question still stands.  Why are the source and destination memory on the PC used by Premiere Pro not pinned memory?
    Gene

  • Accessing File Shares Over NAT

    Hello,
    I am working with a client that set up a new subnet that uses hide NAT. When I try to access a file share on a server in a different subnet, I can only browse for a few seconds and then an error such as "Server service not started" or "network name no longer available" appears, and I can't browse folders on that server anymore (it has Server 2003 SP2). Netmon found that the connection was constantly being reset. If I reconfigure the same client (XP SP3) with its original un-NATed IP address, everything works fine, and the Windows firewall is disabled on both the server and client. Is there a trick to get CIFS or SMB or whatever to work over hide NAT?
    Thanks!

    Hi,
    SMB uses a single session for a pair of IPs and all file transfers between these 2 IPs are made over this session. This makes the file transfer more efficient over the network. On the flip side, since only one SMB session is maintained, clients coming through NAT will have problems, since all these clients are presented as a single IP to the server. With SMB only a single session will be maintained and thus there is nothing unique for each client. This breaks the communication.
    We will need to use NetBIOS over TCP/IP in place of SMB. This can be achieved by:
    1. Disabling SMB on the server or on all the client machines by setting the registry value:
    Name: SMBDeviceEnabled
    Type: REG_DWORD
    Value: 0
    The location of the registry key is:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. You may have to create this if it does not already exist.
    2. Block TCP port 445 for the segment accessing shares through NAT

  • Masking myself behind my VPS (without NAT)

    Please help me get this working.
    I have a VPS running Arch (while I finish my testing).
    This VPS has one ether adapter... it's a VM box running on VMware virtualization. OK, so it works and there are no issues.
    What I want to do: on my home PC I want to connect to the VPS, and I'd like to think I am asking about bridging, because essentially I want my PC to mask itself in the IP of the VPS.
    I am trying to stay away from DHCP and NAT.
    My brain is not coming up with a solution on
    But then how would I connect to the VPS? I guess SSH tunneling? But that's limited. How do I make my whole Windows PC proxy through that? Only a browser and some programs will accept a proxy config. (Again without NATing.)
    Should I ask for another IP/ether port on my VPS, VPN into that and then output from the second adapter? But then again I am trying to stay away from NAT/DHCP and even worse OpenVPN, which will slow me dramatically with this "encryption"...
    So... is what I am asking for doable?
    Please help!

    Gcool wrote:
    twocows wrote: I want my PC to mask itself in the IP of the VPS.
    twocows wrote: I am trying to stay away from DHCP and NAT.
    So which is it? That's basically hide-NAT which you're describing there.
    Other than that, take a look at tunneling all traffic through an SSH tunnel or OpenVPN as you mentioned.
    I suppose you're correct.
    Hiding myself is considered NAT. How about we rephrase that.
    Let's say "sitting next to my IP and using it?"...
    I already am aware of OpenVPN and I am using that on my VPS. It's slow and annoying.
    SSH tunneling I am also very familiar with...
    What about the idea of a second ether and a new IP on my VPS?
    I am thinking maybe the VPS is getting screwed with only one adaptor taking traffic in, then outputting... all from one source.

  • Inside to outside many to 1 hide mode nat

    Hello
    I'm new to ASA configurations and need some help with a configuration on a 5555-X running 8.6 code. I need to allow multiple network IP ranges from my inside network to reach multiple subnets on the outside, so that the outside systems only see incoming traffic from one IP address, and it cannot be the IP address of the outside interface. I was able to do this with a zone-based firewall and IOS NAT statements but am having difficulty doing the same thing in the ASA's OS.

    Hi,
    It is pretty simple and straightforward; for your requirement you need to use:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html#wp1114283
    Information About Dynamic PAT
    Dynamic PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic that uses the lower port ranges, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers.
    Each connection requires a separate translation session because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
    Figure 27-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned.
    Figure 27-10 Dynamic PAT
    After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access rule).
    NAT understanding
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
    Let me know if you need any help on this. You can do PAT with an extra IP address which is available on the outside interface; you need to have appropriate routing for the extra IP address.
    HTH
    sandy.
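As an added example (not from the thread or from Cisco), this Python models the dynamic PAT behaviour the quoted documentation describes: the real source port is reused when free, otherwise a port from the same tier is taken, every connection gets its own xlate, idle xlates expire after 30 seconds, and there is no inbound path without a live xlate. The mapped address 203.0.113.1 is a constructed value.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The three unequal port tiers from the quoted documentation; a mapped port is
# picked from the same tier as the real source port when the real port is taken.
TIERS = ((0, 511), (512, 1023), (1024, 65535))
PAT_IDLE_TIMEOUT = 30  # seconds; the fixed 'timeout pat-xlate 0:00:30'

Flow = Tuple[str, int]  # (real_ip, real_port)


@dataclass
class DynamicPat:
    """Constructed model of 'nat (inside,outside) dynamic <mapped_ip>': one xlate per
    connection, keyed by real source IP and port, all behind a single mapped address."""
    mapped_ip: str
    xlates: Dict[Flow, int] = field(default_factory=dict)    # flow -> mapped port
    reverse: Dict[int, Flow] = field(default_factory=dict)   # mapped port -> flow
    last_seen: Dict[Flow, float] = field(default_factory=dict)

    @staticmethod
    def tier(port: int) -> Tuple[int, int]:
        return next(t for t in TIERS if t[0] <= port <= t[1])

    def _pick_port(self, real_port: int) -> Optional[int]:
        """Real port if free; otherwise the lowest free port in the same tier; None when
        the tier is exhausted (the 0-511 tier has only 512 ports to share)."""
        if real_port not in self.reverse:
            return real_port
        lo, hi = self.tier(real_port)
        return next((p for p in range(lo, hi + 1) if p not in self.reverse), None)

    def translate(self, real_ip: str, real_port: int, now: float) -> Optional[Tuple[str, int]]:
        """Outbound: (mapped_ip, mapped_port) for this flow, creating the xlate if needed.
        Returns None when no port is left in the real port's tier."""
        flow = (real_ip, real_port)
        if flow not in self.xlates:
            port = self._pick_port(real_port)
            if port is None:
                return None
            self.xlates[flow] = port
            self.reverse[port] = flow
        self.last_seen[flow] = now
        return self.mapped_ip, self.xlates[flow]

    def untranslate(self, mapped_port: int) -> Optional[Flow]:
        """Inbound: only a port with a live xlate leads to a real host, which is why
        outside users cannot reliably initiate connections to a host behind PAT."""
        return self.reverse.get(mapped_port)

    def expire(self, now: float) -> int:
        """Drop xlates idle for PAT_IDLE_TIMEOUT seconds or more (the connection's own
        expiry is folded into this); returns how many were removed."""
        idle = [f for f, t in self.last_seen.items() if now - t >= PAT_IDLE_TIMEOUT]
        for f in idle:
            del self.reverse[self.xlates.pop(f)]
            del self.last_seen[f]
        return len(idle)
```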

  • Hide real ip of server using 8.3/8.4 nat

    hello,
    I am using an ASA 5520 firewall with an 8.4 image; the following is the network topology.
    Task: redirect the host to the server when the host is trying to access 172.24.32.100; it means we shouldn't tell the real IP of our server.
    Please write the NAT command for the above requirement.
    thanks in advance.

    Hi,
    I don't see a network in the above picture that contains 172.24.32.100, so I assume that it's some network you have either routed from R1 towards the ASA1 interface with IP address 10.10.10.1, or you have a default route at R1 pointing towards the ASA1 interface IP address of 10.10.10.1.
    To NAT the server's real IP address of 172.24.35.2 to 172.24.32.100 you will need these configurations:
    object network SERVER
    host 172.24.35.2
    nat (dmz,blan) static 172.24.32.100
    You will also naturally need an ACL to allow the traffic you want to allow.
    If you wanted to allow TCP/80, for example, you could do this ACL (I presume you have no existing ACL on the "blan" interface):
    access-list BLAN-IN remark Allow TCP/80 to Server
    access-list BLAN-IN permit tcp any object SERVER eq 80
    access-group BLAN-IN in interface blan
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)

    Greetings all.  I've searched through the forums and have found some similar situations to mine but nothing specific.  I'm hoping this is an easy fix...  :/
    I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4).  They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securely transfer digital X-Ray images.  Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already.  So...
    The network admin on the Fortinet side assigned me 172.31.1.0/24.  I have established a connection but obviously cannot route anywhere to the other side.  Anyone have any suggestions here on how I might be able to accomplish this, hopefully with a simple NAT setup?
    Thank you in advance everyone.

    Hello Chris,
    For this scenario you will need to create a Policy NAT rule and then configure the interesting traffic with the translated IP address.
    Basically the NAT configuration will be like this:
    object network Local-net
    subnet 192.168.1.0 255.255.255.0
    object network Translated-net
    subnet 172.31.1.0 255.255.255.0
    object network Fortinet-net
    subnet 10.10.115.0 255.255.255.0
    nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
    Obviously, you can change the name of the objects.
    Then for the interesting traffic, the ACL that is applied in the crypto map and defines the VPN traffic, you will need to configure it like this:
    access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
    This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
    Let me know if you have any doubts.
    Daniel Moreno
    Please rate any posts you find useful
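As an added example (not from either thread), this Python models how the ASA walks the manual NAT table in order for two cases discussed on this page: the service-based NAT0 for TCP/80 and TCP/443 with the LAN -> DMZ caveat from the NAT exemption thread, and the overlapping-subnet translation above, followed by the check that the crypto ACL must name the translated network. LAN 10.1.1.0/24, DMZ 10.2.2.0/24, the outside address 203.0.113.1 and the routing table are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


@dataclass
class ManualNat:
    """One 'nat (inside,EGRESS) source static|dynamic REAL MAPPED [destination static D D]
    [service S S]' line, reduced to what this page uses: the destination condition is
    identity, and 'service' is a TCP destination port."""
    egress: str
    src_real: Net
    src_mapped: Net              # a /32 when dynamic (hide behind one address)
    dst: Optional[Net] = None    # None = any destination
    dport: Optional[int] = None  # None = any service
    dynamic: bool = False


def map_static(a: ipaddress.IPv4Address, real: Net, mapped: Net) -> ipaddress.IPv4Address:
    """Network-to-network static NAT keeps the host part: 192.168.1.25 -> 172.31.1.25."""
    return ipaddress.ip_address(int(mapped.network_address) + int(a) - int(real.network_address))


def apply_manual_nat(rules: List[ManualNat], src: str, dst: str, dport: int):
    """First match wins, in table order. Returns (mapped_src, egress, rule_index).
    A matching manual rule also fixes the egress interface, which is why a broad
    '(inside,outside)' rule placed first can pull LAN->DMZ web traffic towards the VPN."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if s not in r.src_real or (r.dst is not None and d not in r.dst):
            continue
        if r.dport is not None and dport != r.dport:
            continue
        m = r.src_mapped.network_address if r.dynamic else map_static(s, r.src_real, r.src_mapped)
        return str(m), r.egress, i
    return src, None, None


# Constructed addressing for the scenarios (the threads do not give all of it):
LAN, DMZ, OUTSIDE_IP = net("10.1.1.0/24"), net("10.2.2.0/24"), "203.0.113.1"
ROUTES = [(DMZ, "dmz"), (net("0.0.0.0/0"), "outside")]   # constructed routing table


def route_lookup(dst: str) -> str:
    d = ipaddress.ip_address(dst)
    return max((r for r in ROUTES if d in r[0]), key=lambda r: r[0].prefixlen)[1]


def forward(rules: List[ManualNat], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Manual NAT first; if nothing matches, the routing table picks the egress and
    inside->outside traffic is hidden behind the outside address, standing in for
    'object network LAN / nat (inside,outside) dynamic interface'."""
    mapped, egress, idx = apply_manual_nat(rules, src, dst, dport)
    if idx is not None:
        return mapped, egress
    egress = route_lookup(dst)
    return (OUTSIDE_IP if egress == "outside" else src), egress


def web_identity_rules(dmz_rule_first: bool) -> List[ManualNat]:
    """The service-based NAT0 from the NAT exemption reply, optionally preceded by the
    LAN->DMZ identity rule that reply says must come before it."""
    rules = [ManualNat("dmz", LAN, LAN, dst=DMZ)] if dmz_rule_first else []
    return rules + [ManualNat("outside", LAN, LAN, dport=80),
                    ManualNat("outside", LAN, LAN, dport=443)]


# Overlapping-subnet scenario above: 192.168.1.0/24 appears as 172.31.1.0/24
# only towards the Fortinet network 10.10.115.0/24.
OVERLAP_RULES = [ManualNat("outside", net("192.168.1.0/24"), net("172.31.1.0/24"),
                           dst=net("10.10.115.0/24"))]


def crypto_acl_matches(acl_src: Net, acl_dst: Net, post_nat_src: str, dst: str) -> bool:
    """The crypto map ACL is evaluated after NAT, so it has to name the translated network."""
    return ipaddress.ip_address(post_nat_src) in acl_src and ipaddress.ip_address(dst) in acl_dst
```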

  • ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP

    Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is.  My guess right now is that it has something to do with dynamic PAT.
    Essentially, I have a block of 5 static public IPs.  I have 1 assigned to the interface and am using another for email/webmail.  I have no problems accessing the internet, receiving emails, etc...  The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT.  I would really appreciate it if anyone could help shed some light as to why this is happening for me.  I always thought a static NAT should take precedence in the order of things.
    Recap:
    IP 1 -- 10.10.10.78 is assigned to the outside interface.  Dynamic PAT for all network objects to use this address when going out.
    IP 2 -- 10.10.10.74 is assigned through static NAT to the email server.  The email server should respond to and send out using this IP address.
    The email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
    Thanks in advance to anyone that reads this and can lend a hand.
    - Justin
    Here is my running config (some items like IPs, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
    ASA Version 8.4(3)
    hostname MYHOSTNAME
    domain-name MYDOMAIN.COM
    enable password msTsgJ6BvY68//T7 encrypted
    passwd msTsgJ6BvY68//T7 encrypted
    names
    interface Ethernet0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 10.10.10.78 255.255.255.248
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name MYDOMAIN.COM
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network inside-network
    subnet 192.168.2.0 255.255.255.0
    object network Email
    host 192.168.2.7
    object network Webmail
    host 192.168.2.16
    object network WebmailSecure
    host 192.168.2.16
    access-list inside_access_out extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
    access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
    access-list outside_access_in extended deny icmp any any
    access-list outside_access_in extended permit tcp any object Email eq smtp
    access-list outside_access_in extended permit tcp any object Webmail eq www
    access-list outside_access_in extended permit tcp any object WebmailSecure eq https
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Email
    nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
    object network Webmail
    nat (inside,outside) static 10.10.10.74 service tcp www www
    object network WebmailSecure
    nat (inside,outside) static 10.10.10.74 service tcp https https
    access-group outside_access_in in interface outside
    access-group inside_access_out out interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server MYDOMAIN protocol kerberos
    aaa-server MYDOMAIN (inside) host 192.168.2.8
    kerberos-realm MYDOMAIN.COM
    aaa-server MYDOMAIN (inside) host 192.168.2.9
    kerberos-realm MYDOMAIN.COM
    aaa-server MY-LDAP protocol ldap
    aaa-server MY-LDAP (inside) host 192.168.2.8
    ldap-base-dn DC=MYDOMAIN,DC=com
    ldap-group-base-dn DC=MYDOMAIN,DC=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
    server-type microsoft
    aaa-server MY-LDAP (inside) host 192.168.2.9
    ldap-base-dn DC=MYDOMAIN,DC=com
    ldap-group-base-dn DC=MYDOMAIN,DC=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
    server-type microsoft
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.2.0 255.255.255.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    email [email protected]
    subject-name CN=MYHOSTNAME
    ip-address 10.10.10.78
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate e633854f
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 enable inside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 20
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 192.168.2.8 source inside prefer
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    enable inside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
    anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    group-policy GroupPolicy_VPN internal
    group-policy GroupPolicy_VPN attributes
    wins-server value 192.168.2.8 192.168.2.9
    dns-server value 192.168.2.8 192.168.2.9
    vpn-filter value VPN_Split_Tunnel_List
    vpn-tunnel-protocol ikev2 ssl-client
    group-lock value VPN
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Split_Tunnel_List
    default-domain value MYDOMAIN.COM
    webvpn
      anyconnect profiles value VPN_client_profile type user
    group-policy GroupPolicy-VPN-LAPTOP internal
    group-policy GroupPolicy-VPN-LAPTOP attributes
    wins-server value 192.168.2.8 192.168.2.9
    dns-server value 192.168.2.8 192.168.2.9
    vpn-filter value VPN_Split_Tunnel_List
    vpn-tunnel-protocol ikev2
    group-lock value VPN-LAPTOP
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Split_Tunnel_List
    default-domain value MYDOMAIN.COM
    webvpn
      anyconnect profiles value VPN_client_profile type user
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    authentication-server-group MYDOMAIN
    default-group-policy GroupPolicy_VPN
    dhcp-server 192.168.2.8
    dhcp-server 192.168.2.9
    dhcp-server 192.168.2.10
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    tunnel-group VPN-LAPTOP type remote-access
    tunnel-group VPN-LAPTOP general-attributes
    authentication-server-group MY-LDAP
    default-group-policy GroupPolicy-VPN-LAPTOP
    dhcp-server 192.168.2.8
    dhcp-server 192.168.2.9
    dhcp-server 192.168.2.10
    tunnel-group VPN-LAPTOP webvpn-attributes
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    class class-default
      user-statistics accounting
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:951faceacf912d432fc228ecfcdffd3f

    Hi ,
    As per you config :
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Email
    nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
    object network Webmail
    nat (inside,outside) static 10.10.10.74 service tcp www www
    object network WebmailSecure
    nat (inside,outside) static 10.10.10.74 service tcp https https
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network inside-network
    subnet 192.168.2.0 255.255.255.0
    object network Email
    host 192.168.2.7
    object network Webmail
    host 192.168.2.16
    object network WebmailSecure
    host 192.168.2.16
    The flows from the email server (192.168.2.7) will be NATed to 10.10.10.74 only if the source port is TCP/25. Any other source port will use the interface IP for NAT.
    Are you saying that this is not happening?
    Dan

  • Policy based nat - can't get it right...

    Hi out there
    I need to implement some policy based NAT to hide a DMZ network on a site - to avoid routing problems. This should also be fairly simple by defining a route-map and then looping the traffic around a loopback interface which is defined as outside NAT.
    I define the LAN interface as inside - assign the route-map policy to it and loop the traffic around the loopback interface to get it NATed.
    This also works - to some extent. The traffic is correctly NATed and the traffic is sent out of the WAN interface (f0/1) - the remote site replies and sends the traffic back - and when it then enters my R2 router - it is dropped ????
    I have run out of ideas - please try to take a look - here is the config of R2 (I issue my test from R1 which is 80.0.0.1 and has a source interface for 192.168.10.1)
    Config of R2:
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    ip cef
    no ip domain lookup
    ip domain name lab.local
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    interface Loopback2
    ip address 192.168.20.1 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    interface FastEthernet0/0
    ip address 80.0.0.2 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip policy route-map To_loop2
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 81.0.0.2 255.255.255.0
    duplex auto
    speed auto
    ip forward-protocol nd
    ip route 192.168.10.0 255.255.255.0 80.0.0.1
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Loopback2 overload
    access-list 1 permit 192.168.10.0 0.0.0.255
    route-map To_loop2 permit 10
    match ip address 1
    set interface Loopback2
    On R2:
    2#
    *Mar 1 03:48:29.491: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, FIB policy match
    *Mar 1 03:48:29.495: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, policy match
    *Mar 1 03:48:29.499: IP: route map To_loop2, item 10, permit
    *Mar 1 03:48:29.499: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1 (Loopback2), len 100, policy routed
    *Mar 1 03:48:29.503: IP: FastEthernet0/0 to Loopback2 81.0.0.1
    *Mar 1 03:48:29.507: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [204]
    R2#
    R2#
    R2#sh ip nat translations
    Pro Inside global Inside local Outside local Outside global
    icmp 192.168.20.1:40 192.168.10.1:40 81.0.0.1:40 81.0.0.1:40
    on R3:
    *Mar 1 03:48:24.051: IP: tableid=0, s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEtherne
    *Mar 1 03:48:24.055: IP: s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEthernet0/0), len
    *Mar 1 03:48:24.059: ICMP: echo reply sent, src 81.0.0.1, dst 192.168.20.1

    the easiest way is constructing your menu with frame labels
    now i have no way of knowing how you are constructing it ..so
    this may not work for you ...i assume that you have created a main
    button ...that has been converted into a symbol & then
    duplicated to create all other buttons
    okay here it goes ..i hope i don't confuse you
    i will explain how to create 1 button with 4 submenu items
    with the terms that i mentioned above
    but i am not going to explain all the details of creating a
    whole nav bar
    because it just takes too much typing ...i assume you already
    know this
    sooo ! ...let's say this is the Portfolio button ...inside the
    symbol now
    create 8 layers ...the order is going from top to bottom
    actions
    labels
    submenu Logos
    submenu Illustration
    submenu Animation
    submenu Coolstuff ."you will name your button items how you
    like" ...
    main button....let's just say Portfolio !
    invisible btn for main button
    so now on with the hard stuff
    create 20 frames ...stop action on frame 1 ...frame 9
    ...frame 20
    on the labels layer now ....name frame1 "Closed" ...frame 10
    "Open"
    on the submenu Logos layer ...create a keyframe on frame 10
    all frames before the 10th frame will be blank frames
    repeat that for the rest of the submenu items
    on the main button layer you will just place the main
    Portfolio button on frame 1
    & on the invisible button layer ..the inv btn is going to
    be placed on frame 10
    all this is i am hoping you have converted everything into 1
    symbol
    all you need to do now is attach code to the main Portfolio
    button & the invisible button
    so click on the Portfolio button
    on (rollOver) {
        // frame labels are case-sensitive; use the label exactly as named above
        gotoAndStop("Open");
    }
    invisible button
    on (rollOver) {
        gotoAndPlay("Closed");
    }
    & that should be good ...very simple !
    then just repeat this process for every button that makes up
    your nav bar ....& it doesn't matter if your inv buttons
    overlap each other or your main nav buttons are touching each other
    peace John

  • Dynamic PAT and Static NAT issue ASA 5515

    Hi All,
    Recently we migrated our network to ASA 5515. Since we had configured NAT pool overload on our existing router, the users are able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide) all users are able to translate to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the static NAT is not able to translate. Can anyone explain if there's any conflict with PAT to Static NAT? I appreciate your response. Thanks!
    - Bhal

    Hi,
    I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and the Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
    The very basic configuration for Static NAT and Default PAT I would do in the following way
    object network STATIC
    host
    nat (inside,outside) static dns
    object-group network DEFAULT-PAT-SOURCE
    network-object
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
    This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
    You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
    https://supportforums.cisco.com/docs/DOC-31116
    Hope this helps
    - Jouni
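    To make the rule ordering both replies rely on concrete, here is an added example (not code from either thread or from Cisco) modelling the three ASA NAT sections: it shows Dan's point that only source port 25 from 192.168.2.7 hits the port-specific Email static, and Jouni's suspected cause, a dynamic PAT placed in Section 1 shadowing a Section 2 static. The SERVER host and its mapped address are constructed; Section 2 tie-breaking beyond static-first and fewest real addresses is left out.

```python
# Added example (not from the thread): minimal model of ASA 8.3+ NAT ordering.
# Section 1 = manual NAT in config order, Section 2 = object NAT (static
# before dynamic, then fewest real addresses first), Section 3 = after-auto.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class NatRule:
    name: str
    section: int                    # 1 manual, 2 object NAT, 3 after-auto
    real: str                       # real (inside) network, CIDR
    kind: str                       # "static" or "dynamic"
    mapped: str                     # mapped address or "interface"
    service: Optional[Tuple[str, int]] = None   # (proto, real port) for port NAT

def _section2_key(r: NatRule):
    # Section 2: statics first, then the rule covering fewer real IPs
    return (0 if r.kind == "static" else 1, ip_network(r.real).num_addresses)

def ordered(rules):
    s1 = [r for r in rules if r.section == 1]
    s2 = sorted((r for r in rules if r.section == 2), key=_section2_key)
    s3 = [r for r in rules if r.section == 3]
    return s1 + s2 + s3

def lookup(rules, src_ip, proto=None, sport=None):
    """Name of the first rule matching an outbound flow, or None."""
    for r in ordered(rules):
        if ip_address(src_ip) not in ip_network(r.real):
            continue
        if r.service and (proto, sport) != r.service:
            continue        # port-specific static only matches its real port
        return r.name
    return None

# Dan's reply: all object NAT (Section 2); only source port 25 from
# 192.168.2.7 hits the Email static, everything else falls to obj_any PAT.
DAN = [
    NatRule("obj_any", 2, "0.0.0.0/0", "dynamic", "interface"),
    NatRule("Email", 2, "192.168.2.7/32", "static", "10.10.10.74", ("tcp", 25)),
    NatRule("Webmail", 2, "192.168.2.16/32", "static", "10.10.10.74", ("tcp", 80)),
]
# Jouni's guess for Bhal's case: PAT as a Section 1 rule shadows the static
# (SERVER host and mapped address are constructed, not from the thread).
SHADOWED = [
    NatRule("PAT", 1, "192.168.2.0/24", "dynamic", "interface"),
    NatRule("SERVER", 2, "192.168.2.50/32", "static", "203.0.113.50"),
]
# Jouni's fix: same static, PAT moved to after-auto (Section 3).
FIXED = [NatRule("PAT", 3, "192.168.2.0/24", "dynamic", "interface"), SHADOWED[1]]
```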

  • Static NAT Command Clarification

    Hi all :
    From one of existing configuration file, I found there is static NAT command as below :
    static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255
    whereby the security level in the DMZ is 50 and the subnet is 192.168.50.0/24, while the security level at outside is 20 and the subnet is 192.168.20.0/24.
    This command is actually not causing any hiding of the DMZ IP address, right? I ping from outside to one valid IP of the DMZ network, for example 192.168.50.5, and it still can ping.
    I do not understand what the purpose of this command line is. Is it a wrong command line?
    I then try a standard way of static NAT as below :
    static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255
    this is for the purpose of hiding 192.168.50.5 at DMZ from outside network.
    With the previous command line, that is "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255", still around, this DMZ IP of 192.168.50.5 is not hidden. When I deleted the command "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255", the hiding of 192.168.50.5 was OK because it cannot be pinged from outside.
    Can anybody confirm that this command line "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255" serves no purpose and is actually causing problems for the other valid static NAT command?
    Thanks and best regards,
    tangsuan

    Ok let me explain,
    static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
    This command is also called "self static"; this means that if a source 192.168.50.x in the DMZ subnet goes to the outside world, the source IP should be preserved (the source IP would remain 192.168.50.x).
    Also, if someone from the outside world 192.168.20.x tries to access a machine in the DMZ 192.168.50.x, then it will access the machine using its real IP and not any NATed IP. The above static will give you the same results as
    nat (dmz) 0 access-list nat_0_acl
    access-list nat_0_acl permit ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0
    Let's come down to another static now,
    static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255
    The above means that if a source on the outside sends a request to 192.168.20.15, the firewall will translate it to 192.168.50.5 on the DMZ. Basically you are hiding the machine xxx.50.5 behind xx.20.5.
    Please rate if this helps !

  • CSS Source NAT

    Hi,
    I have a CSS in single arm deployment model. I am trying to do Exchange server load balancing. But I am facing a problem
    with the source NAT. I don't want to NAT the client IP in the VIP.
    The Exchange team don't want to have the client IP address NATTED. They want the real client IP to appear in Exchange so that they can track the exact
    user IP address for mail replying and tracking.
    Please let me know if there is any way to bypass the source NAT for a specific VIP.

    Hi,
    I need something like that, I need to hide all servers behind the CSS11501. So, any client will contact the server as follows:
    1- Client initiates the traffic to the VIP, which will be forwarded to the servers. Then the server will reply to the client, from the VIP to the client. In this case, I need to configure service and content.
    2- Server initiates traffic to the client; the source will be the VIP, the destination is the client IP. In this case, I need to configure service and group.
    Q1: Is that right?
    I am facing a problem because some client applications discovered the server IP, not the VIP, and that makes them fail.
    Q2: Where is the problem?
