Hide NAT
Hi,
Can someone guide me to configure Hide NAT on the Cisco ASA 5510 Firewall? I am using the ASA in my network. Traffic from the users on the inside interface needs to go to the DMZ interface and access the three remote servers through a s2s VPN. The VPN device is connected between the Internet router and the ASA DMZ.
Please advise,
Saroj
Hi,
I'll refer to the configuration I mentioned earlier which would match your current software level on the ASA.
So far the information you have given would seem to suggest the following situation
Local network that needs to access the L2L VPN connection: 172.16.58.0/24
Remote networks that are behind the L2L VPN at the remote site
209.196.208.52/32
209.196.208.10/32
172.31.82.0/23
Are these correct? If so then the below configuration would seem to be the option for you
Software 8.2 and below
access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.10
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 172.16.82.0 255.255.254.0
global (dmz) 200 interface
or
global (dmz) 200 <NAT ip address>
nat (inside) 200 access-list VPN-POLICYPAT
Now notice that above I give 2 different options on how to give the NAT IP address. The first one uses the DMZ interface IP address as the NAT IP address (as the IP address behind which the LAN network is "hidden"). The second option lets you use whatever IP address you want to insert there instead as the NAT IP address.
Now if you use the parameter "interface" in the "global" command, this means that the NAT IP address is from the link network between the VPN device and the ASA. Routing-wise, this means the VPN router already has a route for that NAT IP address, as it is directly connected.
If you, on the other hand, specify some IP address in the "global" command as the NAT IP address, then you will have to make sure that the VPN router has a route for that IP address pointing towards the ASA DMZ interface IP address.
I am not really sure if I can explain it any more clearly.
I am under the presumption that your setup and its requirements are the following
LAN users from network 172.16.58.0/24 want to connect to networks 172.16.82.0/23 and hosts 209.196.208.10 and 209.196.208.52
The mentioned destination networks are located behind a L2L VPN connection that is formed by the VPN router behind the ASA's DMZ interface
You want to "hide" your LAN network 172.16.58.0/24 behind a NAT IP address so that the remote/destination networks can see all connections coming from that single IP address
- Jouni
Similar Messages
so I have an RV180W connected to an ASA in a "DMZ"
I have 2 SSIDs on the RV and want one to be guest and one to be "corporate".
I would like to control this on the ASA... so my intention is to have the access point act as a router (it is in router mode) so it will pass all traffic untranslated from the wireless users to the ASA... but it looks like a lot of traffic (maybe all?) is being hide-NATed behind the "WAN IP" on the RV180W.
How can I prevent any NATing from occurring on the RV180W?
Many of these router/APs NAT automatically on their WAN port, and I haven't seen many where you can disable this. What you need is a plain access point and not one of these router/AP devices.
Is it possible to do NAT Exemption by port on ASA 8.3?
Hello,
Here is the scenario that I'm trying to solve. I have an IPSEC VPN that just strips off port 80 and 443 traffic from an internal network when the destination is the internet.
This VPN works fine until NAT gets involved. After I configured a dynamic hide NAT for the internal network then the traffic to the VPN no longer matches crypto map. This I was expecting as I know that NAT processing takes place before IPSEC. What I was not expecting is how difficult it would be to exclude my IPSEC VPN traffic from getting NATed.
The difficulty is in that the destination IP has to be ANY since it is the internet, and also that it should only be port 80 and 443 that are excluded from NAT. I do want any other traffic to still be processed by the dynamic hide.
So the traffic that I want to exclude from NAT would look like this:
internal-net --> ANY on TCP Port 80 or 443 Exclude from NAT.
It seems so simple, but I cannot find any examples of someone successfully doing this, and I also do not see that it is not possible. I've played around with many double NAT statements, but any combination that I put in results in the firewall saying "ERROR: NAT unable to reserve ports".
Any help on this would be greatly appreciated!
Eric
Hi,
The general format to configure NAT0 would be
object network LAN
subnet
object network REMOTE-LAN
subnet
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
But if I understood you correctly, you want to configure NAT0 for traffic from your LAN that has destination address "any" and destination port/service of TCP/80 or TCP/443?
This would mean that you are are trying to tunnel all of this Web traffic to a remote site where it will eventually get passed to the Internet through NAT?
Have you tried the following NAT configuration yet?
object network LAN
subnet
object network REMOTE-LAN
subnet
object service WWW
service tcp destination eq www
object service HTTPS
service tcp destination eq https
nat (inside,outside) source static LAN LAN service WWW WWW
nat (inside,outside) source static LAN LAN service HTTPS HTTPS
This should match any traffic with a destination port TCP/80 and TCP/443 to "any" destination network. It would also at the same time keep the source address original (NAT0 / Identity NAT)
What you have to notice with this setup is that it applies to ALL this kind of traffic. If you have DMZs on the local ASA, you will have to configure additional NAT configuration before these configurations so that the LAN -> DMZ WWW/HTTPS traffic is not involved or forwarded to the L2L VPN. So there are some things to take into consideration.
There is also another variation of the above configuration and depending on your actual software level (the different software levels after 8.3) the ASA might match the above NAT configuration differently.
Hope this helps
- Jouni -
Static NAT (in and out) and PAT on a Router
Static NAT and PAT
I need to have a customer network connected to my extranet.
I'm not in control of the customer network addressing, but I need to configure a VPN connection.
I will supply the router that will also be the customer Firewall to the Internet (PAT).
(1) I need to be able to do PAT on traffic from internal hosts to the Internet.
(2) I need to hide (NAT) the customer network behind a network supplied by me (match-host), when they are accessing my extranet (through VPN).
(3) I need to be able to access hosts on the customer network, through the hiding (NAT) addresses from my extranet (through VPN).
The following configuration will solve (1) & (2), but I can not (3) reach the internal servers from my extranet, except if the internal host has made a connection to the extranet, which will create a translation entry in the NAT table.
Extranet is: 172.16.16.0/24
Internal net is: 192.168.1.0/24
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface FastEthernet4
ip address 1.1.1.1
ip nat outside
access-list 175 deny 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 175 permit 192.168.1.0 0.0.0.255 any
access-list 176 permit 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
ip nat pool FRO 10.192.10.1 10.192.10.254 netmask 255.255.255.0 type match-host
ip nat inside source list 175 interface FastEthernet4 overload
ip nat inside source route-map HIDE pool FRO reversible
route-map HIDE permit 10
match ip address 176
Create a NAT configuration in the router which also translates even your outside global address (your extranet) into the inside global (any private) address through the keyword "rotary". Only this rotary pool will provide the pool of inside global IP addresses for your outside global IP addresses.
The following white paper will provide you with the required information,
http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a0080091cb9.shtml -
Is src and dst NAT possible in multiple rules on the ASA?
Hello,
We have +/- 50 customer companies that will have to enter our network via IPsec s2s VPNs, and as a backup the customers have the option to enter our network via a leased line. Since they can enter via multiple routes, we give them a source IP depending on which side they enter, so we know the route back internally in the network to the correct FW they entered.
For the s2s we have to do source NAT on our side, since we cannot burden all these customers with different NATs for both the leased line and for the s2s. And we have to do destination NAT, since the customers can access different DMZ systems depending on the application they connect to.
1) source NAT can be 1 NAT rule per company (so hide NAT behind 1 IP)
2) destination NAT is multiple rules (see below)
At the moment we have 12 NAT rules per company since we have configured src and dst NAT in one rule to make it work.
See example below:
Question: How can we configure src and dst NAT in multiple rules so that we don't need 12 NAT rules per company?
ASA cluster: single mode - Active/Standby
asa922-4-smp-k8.bin
asdm-731-101.bin
Src REAL            Src Mapped   Dst MAPPED    Dst REAL     Service
192.168.143.128_29  11.11.11.1   19.19.19.90   10.10.10.42  53-udp
192.168.143.128_29  11.11.11.1   19.19.19.90   10.10.10.42  53-tcp
192.168.143.128_29  11.11.11.1   19.19.19.11   10.10.10.42  53-udp
192.168.143.128_29  11.11.11.1   19.19.19.11   10.10.10.42  53-tcp
192.168.143.128_29  11.11.11.1   19.19.19.90   10.10.10.41  PoP3
192.168.143.128_29  11.11.11.1   19.19.19.90   10.10.10.41  SMTP
192.168.143.128_29  11.11.11.1   19.19.19.180  10.10.10.44  SMTP
192.168.143.128_29  11.11.11.1   19.19.19.180  10.10.10.44  PoP3
192.168.143.128_29  11.11.11.1   19.19.19.83   10.10.10.47  http
192.168.143.128_29  11.11.11.1   19.19.19.83   10.10.10.47  tcp-5555
192.168.143.128_29  11.11.11.1   19.19.19.90   10.10.10.47  http
192.168.143.128_29  11.11.11.1   19.19.19.92   10.10.10.47  http
Steve,
That is my whole point. To copy from the PC host memory to the CUDA device memory asynchronously, the host memory must be pinned. Hence, the source and destination memory should be pinned. Otherwise, I must copy the source memory to pinned memory I have allocated on the PC, copy it asynchronously to the CUDA device memory, process it on the CUDA device, asynchronously copy it back to the PC pinned memory, and then copy it to the destination memory.
If you copy synchronously, it is slow as Christmas! Therefore, you must copy the memory asynchronously, or you should not use CUDA and GPU acceleration.
My question still stands. Why is the source and destination memory on the PC used by Premiere Pro not pinned memory?
Gene
Gene A. Grindstaff
Executive Manager, SG&I
T: 1.256.730.6983 M: 1.256.566.5376 F: 1.256.730.8046
E: mailto:[email protected]
Intergraph Corporation
19 Interpro Road
Madison, AL 35758 USA
www.intergraph.com/sgi<http://www.intergraph.com/sgi> |
LinkedIn<http://www.linkedin.com/groups?gid=127267&trk=myg_ugrp_ovr> | Facebook<http://www.facebook.com/intergraph> | Twitter<http://twitter.com/intergraph -
Accessing File Shares Over NAT
Hello,
I am working with a client that set up a new subnet that uses hide NAT. When I try to access a file share on a server in a different subnet, I can only browse for a few seconds and then an error such as "Server service not started" or "network name no longer available" appears, and I can't browse folders on that server anymore (it has Server 2003 SP2). Netmon found that the connection was constantly being reset. If I reconfigure the same client (XP SP3) with its original un-NATed IP address, everything works fine, and the Windows firewall is disabled on both the server and client. Is there a trick to get CIFS or SMB or whatever to work over hide NAT?
Thanks!
Hi,
SMB uses a single session for a pair of IPs, and all file transfers between these two IPs are made over this session. This makes the file transfer more efficient over the network. On the flip side, since only one SMB session is maintained, clients coming through NAT will have problems, since all these clients are presented as a single IP to the server. With SMB, only a single session will be maintained and thus there is nothing unique for each client. This breaks the communication.
We will need to use NetBIOS over TCP/IP in place of SMB. This can be achieved by:
1. Disabling SMB on the server or on all the client machines by setting the registry:
Name: SMBDeviceEnabled
Type: REG_DWORD
Value: 0
The location of the registry key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. You may have to create this if not already existing.
2. Block TCP port 445 for the segment accessing shares through NAT
Masking myself behind my VPS (without NAT)
Please help me get this working.
I have a VPS running Arch (while I finish my testing).
This VPS has one ether adapter... it's a VM box running on VMware virtualization. OK, so it works and there are no issues.
What I want to do: on my home PC I want to connect to the VPS, and I'd like to think I am asking about bridging, because essentially I want my PC to mask itself in the IP of the VPS.
I am trying to stay away from DHCP and NAT.
My brain is not coming up with a solution on
But then how would I connect to the VPS? I guess SSH tunneling? But that's limited. How do I make my whole Windows PC proxy through that? Only a browser and some programs will accept a proxy config. (Again, without NATing.)
Should I ask for another IP/ether port on my VPS, VPN into that and then output from the second adapter? But then again I am trying to stay away from NAT/DHCP, and even worse OpenVPN, which will slow me dramatically with this "encryption"...
So... is what I am asking for doable?
Please help!
Gcool wrote:
twocows wrote:I want my PC to mask itself in the IP of the VPS.
twocows wrote:I am trying to stay away from DHCP and NAT.
So which is it? That's basically hide-NAT which you're describing there.
Other than that, take a look at tunneling all traffic through an ssh tunnel or Openvpn as you mentioned.
I suppose you're correct.
Hiding myself is considered NAT. How about we rephrase that.
Let's say "sitting next to my IP and using it?"...
I already am aware of OpenVPN and I am using that on my VPS. It's slow and annoying.
SSH tunneling I am also very familiar with...
What about the idea of a second ether and a new IP on my VPS?
I am thinking maybe the VPS is getting screwed with only one adaptor taking traffic in, then outputting... all from one source. -
Inside to outside many to 1 hide mode nat
Hello
I'm new to ASA configurations and need some help with a configuration on a 5555-X running 8.6 code. I need to allow multiple network IP ranges from my inside network to multiple subnets on the outside so that the outside systems only see incoming traffic from one IP address, and it can not be the IP address of the outside interface. I was able to do this with a zone-based firewall and IOS NAT statements, but I am having difficulty doing the same thing in the ASA's OS.
Hi,
It is pretty simple and straightforward; for your requirement you need to use:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html#wp1114283
Information About Dynamic PAT
Dynamic PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic that uses the lower port ranges, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers.
Each connection requires a separate translation session because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
Figure 27-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned.
Figure 27-10 Dynamic PAT
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access rule).
NAT understanding
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Let me know if you need any help on this. You can do PAT with an extra IP address which is available on the outside interface; you need to have appropriate routing for the extra IP address.
HTH
sandy. -
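Jouni's policy-NAT answer above (software 8.2 and below) and the Dynamic PAT excerpt describe the same mechanism from two sides: an ACL picks the flows to hide, every connection gets its own xlate on the single mapped address, and the real source port is kept when free or otherwise replaced from the same port tier. The Python model below, added here and not Cisco's or either poster's code, implements that behaviour over Jouni's VPN-POLICYPAT addresses; the DMZ interface address 192.0.2.1 and the flows are constructed.

```python
"""ASA-style policy "hide" NAT (dynamic PAT): an ACL decides which flows are
hidden, each connection gets its own xlate on one mapped address, the real
source port is kept when free and otherwise replaced from the same tier.
Added illustration, not Cisco code; the DMZ interface address and the flows
are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Default ASA PAT port tiers (the three unequal ranges quoted above).
PORT_TIERS = ((0, 511), (512, 1023), (1024, 65535))


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


@dataclass
class PolicyPat:
    """One 'nat (inside) N access-list ACL' + 'global (dmz) N MAPPED' pair."""
    mapped_ip: str
    acl: list                                   # [(src_net, dst_net), ...] permit lines
    xlates: dict = field(default_factory=dict)  # (real_ip, real_port, proto) -> mapped_port
    in_use: set = field(default_factory=set)    # (proto, mapped_port) already handed out

    def matches(self, f):
        return any(_in(f.src, s) and _in(f.dst, d) for s, d in self.acl)

    def _allocate(self, proto, real_port):
        if (proto, real_port) not in self.in_use:
            return real_port                    # real source port kept when free
        lo, hi = next(t for t in PORT_TIERS if t[0] <= real_port <= t[1])
        for p in range(max(lo, 1), hi + 1):     # else first free port in the same tier
            if (proto, p) not in self.in_use:
                return p
        raise RuntimeError(f"PAT pool exhausted in tier {lo}-{hi}")

    def translate(self, f):
        """Outbound packet from the real side; None means 'not hidden'."""
        if not self.matches(f):
            return None
        key = (f.src, f.sport, f.proto)
        if key not in self.xlates:              # each connection is its own xlate
            port = self._allocate(f.proto, f.sport)
            self.xlates[key] = port
            self.in_use.add((f.proto, port))
        return Flow(self.mapped_ip, self.xlates[key], f.dst, f.dport, f.proto)

    def untranslate(self, f):
        """Inbound packet addressed to the mapped IP. Only an existing xlate maps
        it back, so nothing on the far side can open a connection to a hidden
        host (the point made in the Dynamic PAT excerpt)."""
        for (real_ip, real_port, proto), mport in self.xlates.items():
            if proto == f.proto and f.dst == self.mapped_ip and f.dport == mport:
                return Flow(f.src, f.sport, real_ip, real_port, proto)
        return None


def vpn_policy(dmz_if_ip="192.0.2.1"):
    """Jouni's VPN-POLICYPAT ACL with 'global (dmz) 200 interface'; 192.0.2.1
    stands in for the DMZ interface address (constructed)."""
    lan = "172.16.58.0/24"
    return PolicyPat(dmz_if_ip, [(lan, "209.196.208.52/32"),
                                 (lan, "209.196.208.10/32"),
                                 (lan, "172.16.82.0/23")])


if __name__ == "__main__":
    pat = vpn_policy()
    print(pat.translate(Flow("172.16.58.10", 1025, "209.196.208.52", 443)))
    print(pat.translate(Flow("172.16.58.11", 1025, "209.196.208.52", 443)))  # same IP, new port
    print(pat.translate(Flow("172.16.58.10", 1025, "8.8.8.8", 53, "udp")))   # None: not in ACL
    print(pat.untranslate(Flow("209.196.208.52", 443, "192.0.2.1", 1025)))
    print(pat.untranslate(Flow("209.196.208.52", 443, "192.0.2.1", 5000)))   # None: no xlate
```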
Hide real ip of server using 8.3/8.4 nat
hello,
I am using an ASA 5520 Firewall with the 8.4 image; the following is the network topology.
Task: redirect the host to the server when the host is trying to access 172.24.32.100; it means we shouldn't reveal the real IP of our server.
Please write the NAT command for the above requirement.
Thanks in advance.
Hi,
I don't see a network in the above picture that contains 172.24.32.100, so I assume that it's some network you have either routed from R1 towards the ASA1 interface with IP address 10.10.10.1, or you have a default route at R1 pointing towards the ASA1 interface IP address of 10.10.10.1.
To NAT the server's real IP address of 172.24.35.2 to 172.24.32.100, you will need these configurations:
object network SERVER
host 172.24.35.2
nat (dmz,blan) static 172.24.32.100
You will also naturally need an ACL to allow the traffic you want to allow
If you wanted to allow TCP/80 for example you could do this ACL (I presume you have no existing ACL on the "blan" interface)
access-list BLAN-IN remark Allow TCP/80 to Server
access-list BLAN-IN permit tcp any object SERVER eq 80
access-group BLAN-IN in interface blan
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)
Greetings all. I've searched through the forums and have found some similar situations to mine but nothing specific. I'm hoping this is an easy fix... :/
I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4). They needed a site-to-site VPN to another facility (a Fortinet with 10.10.115.0/24) to securely transfer digital X-ray images. Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already. So...
The network admin on the Fortinet side assigned me 172.31.1.0/24. I have established a connection but obviously cannot route anywhere to the other side. Anyone have any suggestions here on how I might be able to accomplish this, hopefully with a simple NAT setup?
Thank you in advance everyone.
Hello Chris,
For this scenario you will need to create a Policy-NAT rule and then configure the Interesting Traffic with the translated IP address.
Basically the NAT configuration will be like this:
object network Local-net
subnet 192.168.1.0 255.255.255.0
object network Translated-net
subnet 172.31.1.0 255.255.255.0
object network Fortinet-net
subnet 10.10.115.0 255.255.255.0
nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
Obviously, you can change the name of the objects.
Then in the interesting traffic, the ACL that is applied in the crypto map that defines the VPN traffic, you will need to configure it like this:
access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
Let me know if you have any doubts.
Daniel Moreno
Please rate any posts you find useful -
ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP
Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is. My guess right now is that it has something to do with dynamic PAT.
Essentially, I have a block of 5 static public IPs. I have 1 assigned to the interface and am using another for email/webmail. I have no problems accessing the internet, receiving emails, etc... The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT. I would really appreciate it if anyone could help shed some light as to why this is happening for me. I always thought a static NAT should take precedence in the order of things.
Recap:
IP 1 -- 10.10.10.78 is assigned to outside interface. Dynamic PAT for all network objects to use this address when going out.
IP 2 -- 10.10.10.74 is assigned through static NAT to the email server. The email server should respond to and send out using this IP address.
Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
Thanks in advance for anyone that reads this and can lend a hand.
- Justin
Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
ASA Version 8.4(3)
hostname MYHOSTNAME
domain-name MYDOMAIN.COM
enable password msTsgJ6BvY68//T7 encrypted
passwd msTsgJ6BvY68//T7 encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.78 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name MYDOMAIN.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit tcp any object Email eq smtp
access-list outside_access_in extended permit tcp any object Webmail eq www
access-list outside_access_in extended permit tcp any object WebmailSecure eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MYDOMAIN protocol kerberos
aaa-server MYDOMAIN (inside) host 192.168.2.8
kerberos-realm MYDOMAIN.COM
aaa-server MYDOMAIN (inside) host 192.168.2.9
kerberos-realm MYDOMAIN.COM
aaa-server MY-LDAP protocol ldap
aaa-server MY-LDAP (inside) host 192.168.2.8
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
aaa-server MY-LDAP (inside) host 192.168.2.9
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=MYHOSTNAME
ip-address 10.10.10.78
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate e633854f
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.8 source inside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2 ssl-client
group-lock value VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
group-policy GroupPolicy-VPN-LAPTOP internal
group-policy GroupPolicy-VPN-LAPTOP attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2
group-lock value VPN-LAPTOP
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group MYDOMAIN
default-group-policy GroupPolicy_VPN
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN-LAPTOP type remote-access
tunnel-group VPN-LAPTOP general-attributes
authentication-server-group MY-LDAP
default-group-policy GroupPolicy-VPN-LAPTOP
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN-LAPTOP webvpn-attributes
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:951faceacf912d432fc228ecfcdffd3f
Hi,
As per your config:
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
The flows from the email server (192.168.2.7) will be NATed to 10.10.10.74 only if the source port is TCP/25. Any other source port will use the interface IP for NAT.
Are you saying that this is not happening ?
Dan -
Policy based nat - can't get it right...
Hi out there
I need to implement some policy-based NAT to hide a DMZ network on a site, to avoid routing problems. This should also be fairly simple by defining a route-map and then looping the traffic around a loopback interface which is defined as outside NAT.
I define the LAN interface as inside, assign the route-map policy to it and loop the traffic around the loopback interface to get it NATed.
This also works, to some extent. The traffic is correctly NATed and sent out of the WAN interface (f0/1); the remote site replies and sends the traffic back, and when it then enters my R2 router it is dropped ????
I have run out of ideas, please take a look. Here is the config of R2 (I issue my test from R1, which is 80.0.0.1 and has a source interface for 192.168.10.1)
Config of R2:
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
ip cef
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
interface Loopback2
ip address 192.168.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
interface FastEthernet0/0
ip address 80.0.0.2 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map To_loop2
duplex auto
speed auto
interface FastEthernet0/1
ip address 81.0.0.2 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
ip route 192.168.10.0 255.255.255.0 80.0.0.1
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Loopback2 overload
access-list 1 permit 192.168.10.0 0.0.0.255
route-map To_loop2 permit 10
match ip address 1
set interface Loopback2
On R2:
2#
*Mar 1 03:48:29.491: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, FIB policy match
*Mar 1 03:48:29.495: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, policy match
*Mar 1 03:48:29.499: IP: route map To_loop2, item 10, permit
*Mar 1 03:48:29.499: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1 (Loopback2), len 100, policy routed
*Mar 1 03:48:29.503: IP: FastEthernet0/0 to Loopback2 81.0.0.1
*Mar 1 03:48:29.507: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [204]
R2#
R2#
R2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.168.20.1:40 192.168.10.1:40 81.0.0.1:40 81.0.0.1:40
on R3:
*Mar 1 03:48:24.051: IP: tableid=0, s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEtherne
*Mar 1 03:48:24.055: IP: s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEthernet0/0), len
*Mar 1 03:48:24.059: ICMP: echo reply sent, src 81.0.0.1, dst 192.168.20.1
the easiest way is constructing your menu with frame labels
now I have no way of knowing how you are constructing it ..so
this may not work for you ...I assume that you have created a main
button ...that has been converted into a symbol & then
duplicated to create all other buttons
okay here it goes ..I hope I don't confuse you
I will explain how to create 1 button with 4 submenu items
with the terms that I mentioned above
but I am not going to explain all the details of creating a
whole nav bar
because it just takes too much typing ...I assume you already
know this
sooo ! ...let's say this is the Portfolio button ...inside the
symbol now
create 8 layers ...the order is going from top to bottom
actions
labels
submenu Logos
submenu Illustration
submenu Animation
submenu Coolstuff ..."you will name your button items how you
like" ...
main button....let's just say Portfolio !
invisible btn for main button
so now on with the hard stuff
create 20 frames ...stop action on frame 1 ...frame 9
...frame 20
on the labels layer now ....name frame 1 "Closed" ...frame 10
"Open"
on the submenu Logos layer ...create a keyframe on frame 10
all frames before the 10th frame will be blank frames
repeat that for the rest of the submenu items
on the main button layer you will just place the main
Portfolio button on frame 1
& on the invisible button layer ..the inv btn is going to
be placed on frame 10
all this is, I am hoping, after you have converted everything into 1
symbol
all you need to do now is attach code to the main Portfolio
button & the invisible button
so click on the Portfolio button
// attached to the main Portfolio button: jump to the "Open" label (frame 10)
on (rollOver) {
gotoAndStop("Open");
}
invisible button
// attached to the invisible button on frame 10: go back to the "Closed" label (frame 1)
on (rollOver) {
gotoAndPlay("Closed");
}
& that should be good ...very simple !
then just repeat this process for every button that makes up
your nav bar ....& it doesn't matter if your inv buttons
overlap each other or your main nav buttons are touching each other
peace John -
Dynamic PAT and Static NAT issue ASA 5515
Hi All,
Recently we migrated our network to ASA 5515. Since we had configured NAT pool overload on our existing router, the users were able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide) all users are able to be translated to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the Static NAT is not translated. Can anyone explain if there is any conflict with PAT to Static NAT? I appreciate your response. Thanks!
- Bhal
Hi,
I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and the Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
The very basic configuration for Static NAT and Default PAT I would do in the following way
object network STATIC
host
nat (inside,outside) static dns
object-group network DEFAULT-PAT-SOURCE
network-object
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as a Section 3 rule)
This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
- Jouni -
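The port-specific static in Dan's reply above (a static that only fires when the real source port is TCP/25) and the Section 1 / Section 2 / Section 3 ordering Jouni describes here can both be checked with a small first-match model of the ASA 8.3+ NAT table. This is an added example, not code from the original posts or from Cisco; the object names, the 192.168.2.0/24 hosts and the 10.10.10.74 mapped address come from the thread, while the outside interface address 203.0.113.1 and the manual-rule names PAT-section1 / PAT-after-auto are assumptions for the illustration. The model only covers the inside-to-outside direction.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

# Assumed outside interface address, standing in for the "interface" keyword.
OUTSIDE_IP = "203.0.113.1"


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                      # 1 manual, 2 network-object (auto), 3 manual after-auto
    kind: str                         # "static" or "dynamic"
    real: str                         # real (inside) source network in CIDR form
    mapped: str                       # mapped source address, or "interface"
    proto: Optional[str] = None       # "service tcp <real> <mapped>": protocol ...
    real_port: Optional[int] = None   # ... and real port; None means any port

    def matches(self, src_ip: str, proto: str, sport: int) -> bool:
        """Does an inside-to-outside flow hit this rule?"""
        if ip_address(src_ip) not in ip_network(self.real):
            return False
        if self.proto is None:
            return True
        # A port-specific static only applies to that protocol and real port.
        return proto == self.proto and sport == self.real_port


def ordered(rules: Sequence[NatRule]) -> List[NatRule]:
    """Evaluation order of the ASA 8.3+ NAT table.

    Sections 1 and 3 are walked in configuration order.  Inside Section 2 the
    ASA sorts static rules before dynamic ones and rules with fewer real
    addresses first (then by object name), so a /32 static wins over a
    0.0.0.0/0 dynamic PAT even if it was configured later.
    """
    def key(r: NatRule):
        if r.section == 2:
            return (2, 0 if r.kind == "static" else 1,
                    ip_network(r.real).num_addresses, r.name)
        return (r.section, 0, 0, "")
    return sorted(rules, key=key)      # sorted() is stable, so config order survives


def translate(rules: Sequence[NatRule], src_ip: str,
              proto: str = "tcp", sport: int = 0) -> Tuple[Optional[str], str]:
    """First matching rule wins; returns (rule name, mapped source IP)."""
    for r in ordered(rules):
        if r.matches(src_ip, proto, sport):
            return r.name, (OUTSIDE_IP if r.mapped == "interface" else r.mapped)
    return None, src_ip                # no rule: the packet leaves untranslated


# Dan's object NAT from the reply above (all Section 2).
DAN_RULES = [
    NatRule("obj_any", 2, "dynamic", "0.0.0.0/0", "interface"),
    NatRule("Email", 2, "static", "192.168.2.7/32", "10.10.10.74", "tcp", 25),
    NatRule("Webmail", 2, "static", "192.168.2.16/32", "10.10.10.74", "tcp", 80),
    NatRule("WebmailSecure", 2, "static", "192.168.2.16/32", "10.10.10.74", "tcp", 443),
]

# The conflict Jouni suspects: default PAT as a Section 1 manual rule
# (no after-auto), static NAT for the server as Section 2 object NAT.
WRONG_RULES = [
    NatRule("PAT-section1", 1, "dynamic", "192.168.2.0/24", "interface"),
    NatRule("STATIC", 2, "static", "192.168.2.7/32", "10.10.10.74"),
]

# Jouni's layout: object static in Section 2, PAT moved to Section 3 with after-auto.
FIXED_RULES = [
    NatRule("STATIC", 2, "static", "192.168.2.7/32", "10.10.10.74"),
    NatRule("PAT-after-auto", 3, "dynamic", "192.168.2.0/24", "interface"),
]

if __name__ == "__main__":
    print(translate(DAN_RULES, "192.168.2.7", "tcp", 25))       # ('Email', '10.10.10.74')
    print(translate(DAN_RULES, "192.168.2.7", "tcp", 51000))    # ('obj_any', '203.0.113.1')
    print(translate(WRONG_RULES, "192.168.2.7", "tcp", 51000))  # ('PAT-section1', '203.0.113.1')
    print(translate(FIXED_RULES, "192.168.2.7", "tcp", 51000))  # ('STATIC', '10.10.10.74')
```

On a real ASA the same check is `show nat detail`, which lists the rules in the order they are evaluated, and `packet-tracer input inside tcp 192.168.2.7 51000 <destination> 80`, which reports the NAT rule a given flow actually hits; if the packet-tracer output names the PAT rule instead of the static, the section placement is the problem.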
Static NAT Command Clarification
Hi all :
From one existing configuration file, I found there is a static NAT command as below:
static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255
whereby the security level of the DMZ is 50 and the subnet is 192.168.50.0/24, while the security level of outside is 20 and the subnet is 192.168.20.0/24.
This command is actually not causing any hiding of the DMZ IP address, right? I ping from outside to one valid IP of the DMZ network, for example 192.168.50.5, and it still can ping.
I do not understand the purpose of this command line. Is it a wrong command line?
I then tried a standard way of static NAT as below:
static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255
This is for the purpose of hiding 192.168.50.5 at the DMZ from the outside network.
With the previous command line, "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255", still around, this DMZ IP of 192.168.50.5 is not hidden. I tried to delete the command "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255", and the hiding of 192.168.50.5 is OK because it cannot be pinged from outside.
Can anybody confirm that this command line "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255" serves no purpose and is actually causing problems for other valid static NAT commands?
Thanks and best regards,
tangsuan
Ok let me explain,
static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
This command is also called a "self static"; it means that if a source 192.168.50.x in subnet DMZ goes to the outside world the source IP should be preserved (the source IP would remain 192.168.50.x).
Also, if someone from the outside world 192.168.20.x tries to access a machine in DMZ 192.168.50.x, then it will access the machine using its real IP and not any NATed IP. The above static will give you the same results as
nat (dmz) 0 access-list nat_0_acl
access-list nat_0_acl permit ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0
Let's come down to another static now,
static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255
The above means that if a source on outside sends a request to 192.168.20.15, the firewall will translate it to 192.168.50.5 on DMZ. Basically you are hiding the machine xxx.50.5 behind xxx.20.15.
Please rate if this helps ! -
Hi,
I have CSS in a single-arm deployment model. I am trying to do Exchange server load balancing, but I am facing a problem
with the source NAT. I don't want to NAT the client IP in the VIP.
The Exchange team doesn't want the client IP address to be NATed. They want the real client IP to appear in Exchange so that they can track the exact
user IP address for mail replying and tracking.
Please let me know if there is any way to bypass the source NAT for a specific VIP.
Hi,
I need something like that. I need to hide all servers behind the CSS11501. So, any client will contact the server as follows:
1- The client initiates the traffic to the VIP, which will be forwarded to the servers. Then the server will reply to the client, from the VIP to the client. In this case, I need to configure service and content.
2- The server initiates traffic to the client; the source will be the VIP, the destination the client IP. In this case, I need to configure service and group.
Q1: Is that right?
I am facing a problem because some client applications discovered the server IP, not the VIP, and they fail.
Q2: Where is the problem?