How do I NAT inbound traffic from a site to site VPN?

Similar Messages

• How to create an inbound Idoc from an inbound IDoc in same client

  How to create an inbound Idoc from an inbound IDoc in same client
  Idoc will come from XI as an inbound idoc to SAP, now I have to read this inbound Idoc and split it into Several Inbound Idocs and now needs to be posted in the same client.
  please let me know the procedure..
  Thanks in advance,
  Sagar

  Hi Sagar,
  Develop a cusom Z-Inbound function module, configure the Z-FM to trigger when idoc is recieved from XI. In your Z-Inbound function module split the idoc (Recieved from XI)  into respective Idocs and Using MASTER_IDOC_DISTRIBUTE post the IDOCs into the same system.
  Thanks & Regards

• How can we transfer product attributes from an already existing site?  We have thousands of items and it would be tedious to do them one at a time.  Is this possible through a CSV?

  How can we transfer product attributes from an already existing site?  We have thousands of items and it would be tedious to do them one at a time.  Is this possible through a CSV?

  There are two parts to this:
  1) It may be that you should have an Apple Education Support person helping you with this. If you have enough computers for this to be a problem, you may benefit from a Server, a site license, and an occasional visit from an Education Support Specialist.
  2) The brief answer, if you want Individual Apple_IDs to control each computer, is to buy new copies of Mac OS X under those new Apple_IDs and re-download and re-Install. Mac OS X is customized to the Apple_ID before it is downloaded.

• How to create a inbound IDOC from flat file in Application server

  HI All
  Our requirement is to create the Inbound idocs from a flat file from application server with in R/3
  Could any body please let me know the steps required for this.
  Thanks
  Malli

  1. Read the file using OPEN DATASET and read and fill up the segment info and fill the EDIDC header data
  and then call function
  CALL FUNCTION 'INBOUND_IDOC_PROCESS'
      TABLES
        IDOC_CONTROL       =  i_edidc
        IDOC_DATA          =  i_edid4.
  a®

• How can I permit all traffic from inside-dmz-outside on asa5505

  Scenario :
  Servers are in DMZ, Internal LAN Users should access ports Specified (5000 & 2048). Router 2801 is facing Leased line; from there it’s connected to firewall.
  Router LAN IP: 83.111.X.X - 255.255.255.X
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password 2KFQnbNIdI.2KYOU encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.X.X 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 83.111.X.X 255.255.255.240
  interface Vlan3
  nameif dmz
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  switchport access vlan 3
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 83.111.x.x
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.254 inside
  dhcpd enable inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:5663409d6ba3ad0bcd163e691f032f76
  : end

  Hi Ben,
  Thank you for the response. I followed the link and tried reading everything you posted on AEs but I'm afraid that I didn't understand it all. It seems that each AE example had a single input and a single output (e.g. a double). Is this the case? 
  What I have is a couple of front panel clusters containing (approximately) 18 control doubles, 8 indicator doubles, 5 boolean radio button constructs and 26 boolean control discretes. I clusterized it to make it readable. In addition I'll eventually have a cluster of task references for hardware handles.
  All I want to do is update the front panel values like I would do in a C, VB or any other language. I've tried referencing the cluster and using the reference from inside the loops. I've tied using local variables. Neither works. I'm experimenting with globals but it seems that I have to construct the front panel in the gloabal and then I wouldn't know how to repoduce that on the front panel of the main VI.  Sometimes it seems that more time is spent getting around Labview constructs than benefitting from them.
  I hope the 'Add Attachment' function actuals puts a copy of the VI here and not a link to it.
  Thanks again for the suggestion,
  Frank 
  Attachments:
  Front Panel Reference.vi ‏33 KB

• How do I download a file from Adobe to a site that wants my resume on an ipad

  How do I download resume onto a career site  on an ipad

  Currently, there is no direct way to download a file on Acrobat.com to Documents (local storage) on your iPad.
  You can open a file on Acrobat.com, send it as an email attachment, open the email attachment in Adobe Reader for iOS.

• How do I find apps downloaded from a third party site?

  I downloaded a VPN app but I cannot find it to start it. Can anyone help?

  You can't download apps from third-party sites, you can only download them via the App Store app on the iPad or via the iTunes store on your computer (which you can then sync to the iPad).

• Inbound Traffic Blocked

  I am running VPN Client Version 5.0.00.0340. I have internal and external nics on the server. Once I have the tunnel established (inside internal nic) I seem to be dropping the inbound packets between the external and internal nics. Any suggestions?

  Well no - not really. The VPN client will establish the connection to the remote end using the local routing table it has. From that point onwards - that is the terminating IP address of the vpn session. From the machine itself mit should be assigned an IP address from the remote VPN server - this IP address will be used the recevie and send encrypted traffic from the central end.
  If you have an internal NIC in the server you also have the VPN client on....do you want to send traffic from your LAN thu the VPN client to the remote end? If so - the external & internal NIC's must be on the same IP subnet. As the remote VPN client cannot be used as a pass thru devices from 2 different subnets....unless you perform NAT on the device with the VPN client.....if you are doing that - you may as well just by a firewall or router!
  HTH.

• Access Site to Site from SSL VPN. ISA 570 & ASA 5505

  I have an Site to Site network between my ISA 570 and my ASA 5505.
  On the ISA 570 side I have the network 192.168.0.0/24 and remote users that are connecting via AnyConnect are in the 192.168.190.0/24
  On the ASA 5505 side I have the netowrk 192.168.200.0/24
  The Site to Site is working properly i can reach the networks from both sides.
  But when I am connected via AnyConnect to the ISA firewall I will also access the 192.168.200.0/24 network on the ASA side.
  I have made an firewall (in the ISA 570) rule that are allowing traffic from SSLVPN to VPN, but I need to nat the traffic from the 192.168.190.0/24 to 192.168.200.0/24 otherwise the ASA are blocking the traffic. I can solve the problem in the ASA but i want to solve it in the ISA 570.

  I have solved my problem.
  Just added an Advanced NAT.
  From: Any (this will be changed to proper network later)
  To: Any (this will be changed to proper network later)
  Original Source Adress: Any (this will be changed to proper network later)
  Original Destination Adress: Site_B (192.168.200.0/24)
  Original services: Any
  Translated source adress: IP of my ISA 570 (192.168.0.1)
  Translated destination adress: Site_B (192.168.200.0/24)
  Translated services: Any

• Static-nat and vpn tunnel bound traffic from same private address?

  Hi guys,
  I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
  For this local host @192.168.0.250, I also have a static one-to-one private to public.
  static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
  As you can see, IPSec SA shows end-points in question and traffic is being decrypted but not encrypted host traffic never enter into the tunnel, why?
  How can I resolve this problem, without complicating the setup ?
  BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
  Phase: 1
  Type: CAPTURE
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype: 
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         outside-50
  Phase: 4
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.0.0     255.255.255.0   mgmt-192
  Phase: 5
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group mgmt_intf in interface mgmt-192
  access-list mgmt_intf extended permit icmp any any 
  access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
  Additional Information:
  Phase: 6
  Type: IP-OPTIONS
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: NAT-EXEMPT
  Subtype: 
  Result: ALLOW
  Config:
  nat-control
    match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
      NAT exempt
      translate_hits = 5, untranslate_hits = 0
  Additional Information:
  Phase: 9
  Type: NAT
  Subtype: 
  Result: ALLOW
  Config:
  static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255 
  nat-control
    match ip mgmt-192 host 192.168.0.250 outside-50 any
      static translation to 216.9.50.250
      translate_hits = 25508, untranslate_hits = 7689
  Additional Information:
  Phase: 10
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
  nat-control
    match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
      static translation to 192.168.0.0
      translate_hits = 28867754, untranslate_hits = 29774713
  Additional Information:
  Phase: 11
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 12
  Type: FLOW-CREATION
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 1623623685, packet dispatched to next module
  Result:
  input-interface: mgmt-192
  input-status: up
  input-line-status: up
  output-interface: outside-50
  output-status: up
  output-line-status: up
  Action: allow
  BurlingtonASA1# 
  Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
        access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3 
        local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
        remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
        current_peer: 216.9.62.4
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 37CA63F1
        current inbound spi : 461C843C
      inbound esp sas:
        spi: 0x461C843C (1176273980)
           transform: esp-aes-256 esp-sha-hmac no compression 
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 77398016, crypto-map: map1
           sa timing: remaining key lifetime (kB/sec): (3914997/25972)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap: 
            0x003FFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x37CA63F1 (936010737)
           transform: esp-aes-256 esp-sha-hmac no compression 
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 77398016, crypto-map: map1
           sa timing: remaining key lifetime (kB/sec): (3915000/25972)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap: 
            0x00000000 0x00000001

  Hi
  intersting VPN ACL
  object-group network DM_INLINE_NETWORK_18
       network-object YYY.YYY.YYY.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_22
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
  Static NAT
  static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
  No NAT
  object-group network DM_INLINE_NETWORK_20
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
  VPN CLient Pool
  No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
  I hope this helps
  Thanks

• How can i configure my iphone to only pass traffic from certain apps over vpn

  I have got a telephony app that connects to a phone system through vpn. when I turn on "send all traffic through vpn" internet and other apps are really slow. is their a way to configure the phone to send only traffic from the app through VPN.

  Now all my new apps as well as several others are gone from the iPhone.
  Look on other screens. The 4.1 update ands Game Center to the home screen. If that screen was full it create a blank screen and moves one app from the home screen to the new screen to make room for Game Center. All the other screens are pushed back one place.
  How can I get my apps back? It cost me a lot of time and money to discover those apps and get them onto the phone. Are they just gone now?
  If they are really gone, you can download them again. You will not be charged again if you use the same iTunes account.

• How to create Inbound Idoc from XML file-Need help urgently

  Hi,
  can any one tell how to create inbound Idoc from XML file.
  we have xml file in application server Ex. /usr/INT/SMS/PAYTEXT.xml'  we want to generate inbound idoc from this file.we are successfully able to generate outbound XML file from outbound Idoc by using the XML port. But not able to generate idoc from XML file by using we19 or we16.
  Please let me know the process to trigger inbound Idoc with out using  XI and any other components.
  Thanks in advance
  Dora Reddy

  Hi .. Did either of you get a result on this?
  My question is the same really .. I am testing with WE19 and it seems SAP cannot accept an XML inbound file as standard.
  I see lots of mention of using a Function Module.
  Am I correct in saying therefore that ABAP development is required to create a program to run the FM and process the idoc?
  Or is there something tht can be done with Standard SAP?
  Thanks
  Lee

• VRF-Lite on one 6509; How to route traffic from global to VRF.

  To anyone that can lead me in the right direction:
  I have a 6509 switch with IOS " s3223-adventerprise_wan-mz.122-33.SXJ2.bin"  on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch.  I am using EIGRP for the global network and route table and static routing within the the VRF.  Any suggestions or recommendations?  Thanks in advance for your help in this matter...

  Hello,
  You need to use (Static route) in both directions, One Static in the VRF table points to the Global interface, and another one in the Global point to the VRF interface for the recieved traffic. After that, you Can Redistribute the Global Static route into Eigrp for end-to-end connectivity!
  Example:
  Consider you have 2 interfaces in your Core SW-6509: One is G0/1 and the other is G0/2
  G0/1 is placed into the Global table , and G0/2 is part of VRF (X)
  interface G0/1
  IP address 1.1.1.1 255.255.255.0
  inteface G0/2
  ip vrf forwarding X
  ip address 2.2.2.2 255.255.255.0
  Consider Subnet Y.Y.Y.Y in the Global and you want to have it accessible from the VRF!
  configure this:  (ip route vrf X  y.y.y.y y.y.y.y.y G0/1 Global)
  Configure also this for the return traffic from the Global table: (ip route 2.2.2.2 z.z.z.z G0/2)
  You Can then redistribute the Global static into the Eigrp as below:
  router Eigrp 1
  no auto summary
  redistribute static metric 1.1.1.1.1
  HTH
  Mohamed

• How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine

  We have a CFTV system running on Win2008R2 that listens on 4 sequential port numbers and the last port is the Web Browser Port number for management and viwing cameras
  When we configure the port 8077 on the software, it opens 8077, 8078, 8079 and 8080 and works with no problem
  But...
  When we try to configure ports 77 (and therefore 77, 78, 79 and 80) thw applications hangs and seems like not be possible to configure to use port 80
  I could confirm that,  using NETSTAT and the main CFTV application open all required ports with no problem, but only works on ports with a different number from "80", wich is what i want, to make users more confortable, avoiding to type ":PORT_NUMBER"
  after the URL, it will be more "ellegant" solution to use default port 80 for user´s connections
  The question is: How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine?
  May i Use NETSH? (based on Help, it can be used to do this, but on different machines, not the same one)
  There is a RELIABLE application, running as a service, that can do the port forward/redirect?

  Hi,
  I’m sorry to tell you that we can’t redirect traffic from a port to another port on the same server itself. But we can do it with a router which is configured to portfoward.
  By the way, according to your description, another program may use the port 80. Is there an IIS installed on the server? If it is necessary, you can consult your CFTV system vendor.
  Hope this helps.
  Steven Lee
  TechNet Community Support

• How to redirect Internet traffic from RV082 to RV042 through a VPN Tunnel??

  Fellows,
  We have offices in USA and Venezuela.
  In our USA office we have a RV042 router and in Venezuela we have a RV082 router.
  We have connected a VPN tunnel (gateway-to-gateway) between both offices.
  The point is:
  How   could we redirect the internet traffic from our Venezuela office   (RV082) to the USA Office (RV042) to navigate using USA public IP's?
  The   reason for this is that we need to use online streaming services which   are only available for IP's from USA and we can't use them from the   Venezuelan IP's.
  We  can not use the PPTP option since the  equipment which will use the  streaming services (like hulu, crackle,  etc.) in Venezuela is a Google  TV device which doesn't allow the  configuration of proxy navegation or  PPTP VPN connections itself. That's  the reason why we need to do that  through the routers.
  We will really appreciate your support on this matter.
  Daniel

  Hi Daniel, this is called ESP wildcard forwarding which the router does support.
  https://supportforums.cisco.com/docs/DOC-12534   <- This is older but applicable
  https://supportforums.cisco.com/message/3766661
  -Tom
  Please mark answered for helpful posts