How to configure static NAT on two internal interfaces?

Cisco Adaptive Security Appliance Software Version 8.4(2)
I need to NAT an IP from my VPN DMZ (192.168.100.26) to two different internal DMZs, DMZ-1 (10.3.255.15) and DMZ-2 (10.3.255.15). Resources in each of those DMZs need to get to that resource in the VPN DMZ.
- NAT works from VPN-DMZ to DMZ-1
- When I add the NAT config to go from VPN-DMZ to DMZ-2, it deletes the config going to DMZ-1.
object network snat-10.3.255.15
 host 192.168.100.26
object network snat-10.3.255.15
 nat (VPN,DMZ-1) static 10.3.255.15
If I add the following, it removes it from DMZ-1
object network snat-10.3.255.15
 nat (VPN,DMZ-2) static 10.3.255.15
How can I keep the same IPs, but use it on two different internal interfaces on the firewall?

I believe you have to create two objects. You can only have a single NAT statement per network object.
object network snat-10.3.255.15-dmz1
 host 192.168.100.26
object network snat-10.3.255.15-dmz1
 nat (VPN,DMZ-1) static 10.3.255.15
object network snat-10.3.255.15-dmz2
 host 192.168.100.26
object network snat-10.3.255.15-dmz2
 nat (VPN,DMZ-2) static 10.3.255.15
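
A pre-change check for the behaviour described in this thread, as an added example that is not part of the original posts: it parses `object network` blocks from a candidate ASA configuration, flags any object carrying more than one object-NAT line (on the thread's account, only the last one survives), and rewrites it into one object per mapped interface using the answer's naming pattern. The sample configuration is constructed from the question's commands, and the function names are hypothetical.

```python
import re

# Constructed sample: the commands from the question, pasted as one candidate change.
SAMPLE_CONFIG = """\
object network snat-10.3.255.15
 host 192.168.100.26
object network snat-10.3.255.15
 nat (VPN,DMZ-1) static 10.3.255.15
object network snat-10.3.255.15
 nat (VPN,DMZ-2) static 10.3.255.15
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
# Object NAT only ("static"/"dynamic" right after the interface pair).
# Manual NAT lines ("nat (a,b) source ...") are global and are not matched.
NAT_RE = re.compile(r"^nat \(([^,()\s]+),([^,()\s]+)\)\s+(?:static|dynamic)\b.*$")
DEF_KEYWORDS = ("host ", "subnet ", "range ", "fqdn ", "description ")


def parse_objects(config_text):
    """Collect address definitions and object-NAT lines per network object.

    Works on indented or flattened configs: a line belongs to the most recent
    'object network' header until some other command appears.
    """
    objects = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = OBJ_RE.match(line)
        if header:
            current = objects.setdefault(header.group(1), {"defs": [], "nats": []})
        elif current is not None and NAT_RE.match(line):
            current["nats"].append(line)
        elif current is not None and line.startswith(DEF_KEYWORDS):
            if line not in current["defs"]:
                current["defs"].append(line)
        elif line:
            current = None  # any other command leaves object configuration mode
    return objects


def find_overwrites(objects):
    """Return (object name, NAT lines that would be lost, NAT line that remains)."""
    findings = []
    for name, obj in objects.items():
        if len(obj["nats"]) > 1:
            findings.append((name, obj["nats"][:-1], obj["nats"][-1]))
    return findings


def split_objects(objects):
    """Emit a config with one network object per object-NAT statement."""
    out = []
    for name, obj in objects.items():
        if len(obj["nats"]) <= 1:
            targets = [(name, obj["nats"])]
        else:
            targets, seen = [], {}
            for nat in obj["nats"]:
                mapped_if = NAT_RE.match(nat).group(2)
                suffix = re.sub(r"[^a-z0-9]", "", mapped_if.lower())
                seen[suffix] = seen.get(suffix, 0) + 1
                if seen[suffix] > 1:  # two rules towards the same interface
                    suffix = f"{suffix}-{seen[suffix]}"
                targets.append((f"{name}-{suffix}", [nat]))
        for new_name, nats in targets:
            if obj["defs"]:
                out.append(f"object network {new_name}")
                out.extend(f" {d}" for d in obj["defs"])
            for nat in nats:
                out.append(f"object network {new_name}")
                out.append(f" {nat}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_objects(SAMPLE_CONFIG)
    for name, lost, kept in find_overwrites(parsed):
        print(f"{name}: would lose {lost}, keeping only {kept!r}")
    print(split_objects(parsed), end="")
```

Running the check on a change before it is pasted into the firewall shows which translation would silently disappear and gives the split objects to apply instead.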

Similar Messages

  • Static NAT with two outside interfaces

    I have a router which performs NAT on two outside interfaces with load balancing, and had a task to allow inbound connections to be forwarded to a specific host inside on a well-known port.
    Here is an example:
    interface Fas0/0
    ip nat outside
    interface Fas0/1
    ip nat outside
    interface Vlan1
    ip nat inside
    ip nat inside source route-map rm_isp1 pool pool_isp1
    ip nat inside source route-map rm_isp2 pool pool_isp2
    All worked fine.
    Then I tried to add static NAT:
    ip nat inside source static tcp 10.0.0.1 25 interface Fas0/0 25
    ip nat inside source static tcp 10.0.0.1 25 interface Fas0/1 25
    As a result, only the last static NAT line appeared in the config.
    The solution was to use the interfaces' IPs instead of names. That helped, but isn't that a bug?

    In this scenario, we are trying to access a mail server located at
    10.0.0.1 from outside and we have two outside IP, let's say, 71.1.1.1 and
    69.1.1.1.
    With CEF Enabled
    Packet comes in to Fa0/0 interface with Source IP 66.x.x.x and
    Destination IP 71.1.1.1. Our NAT rule translates this to 10.0.0.1.
    Packet goes to 10.0.0.1. The return packet goes to the LAN interface
    first and the routing rule is determined *before* the packet is
    translated.
    Packet source IP at this point is 10.0.0.1 and destination is
    66.x.x.x. Now, based on CEF, it will go out via Fa0/0 or Fa0/1,
    irrespective of the way it came in. Because of this, with CEF enabled
    this will not work. CEF is per-destination.
    So, let's say somebody on outside tried to access this server using 71.1.1.1, then he would
    expect a reply from 71.1.1.1 which may or may not be true as the traffic could be Nat'd to 69.1.1.1 or 71.1.1.1.
    If it gets reply packet from 71.1.1.1, it should work.
    If it gets it from 69.1.1.1, it will simply drop it as it never sent a
    packet to 69.1.1.1.
    With CEF and Fast Switching Disabled
    Same steps as above, only that the packet is sent to the process level
    to be routed. At this point, the packets will be sent out in a round
    robin fashion. One packet will go out via the Fa0/0 and the other via the
    Fa0/0. This will have a constant 50% packet loss and is also not a
    viable solution.
    So, what you are trying to achieve is not possible on a Cisco router.
    HTH,
    Amit Aneja

  • How to set up NAT for two servers using same port with ASDM ASA 5505

    Hi there,
    We have a new installation of an ASA 5505 and are trying to get some NAT issues straightened out. Here is the scenario: On our internal network, we have two servers running Filemaker Server, a relational database server that clients connect with using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching Access rule in ASDM which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a different translated port number from the original port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
    What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily chosen unused port) can be used to access the second server:
    Outside user enters   FQDN:5004  and this translates to Database server # 1 as   192.168.1.40:5003
    and
    Outside user enters   FQDN:5003  and this translates to Database server # 1 as   192.168.1.38:5003
    If so, what is the easiest way to get this done? Or is there a better way to handle this scenario?
    Thanks in advance,
    James

    I would create two objects and use object NAT
    object network Obj_5004
    host 192.168.1.40
    object network Obj_5004
    nat (inside,outside) static service tcp 5003 5004
    object network Obj_5003
    host 192.168.1.38
    object network Obj_5003
    nat (inside,outside) static service tcp 5003 5003
    Of course you will need to open your outside interface for tcp ports 5003 and 5004 to make this happen

  • Static NAT to two servers using same port

    I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
    I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
    Any help would be very much appreciated.
    Thanks,
    - Mike                  

    Hi,
    Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
    On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port are coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
    I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain whether this is a stable solution. I would imagine it could not be recommended for a production environment setup.
    But nevertheless it's a possibility.
    So you would need the newer software on your firewall, but I am not sure what device you are using and what software it's using.
    - Jouni

  • Configure static NAT for range of ports

    Hi,
    I have a 2911 with a 3CX IP PBX behind it that needs to have a static NAT to the 3CX server for TCP/UDP 5060 and UDP 9000-9049. Do I have to create a static NAT entry for every single port in order for this to work, or can a range be defined in the NAT entries?
    As an example, say my 3CX server has an internal IP of 192.168.1.25 and my external IP is 1.2.3.4. Would I have to create an entry for each port?
    ip nat inside source static tcp 192.168.1.25 5060 1.2.3.4 5060
    ip nat inside source static udp 192.168.1.25 5060 1.2.3.4 5060
    ip nat inside source static udp 192.168.1.25 9000 1.2.3.4 9000
    ip nat inside source static udp 192.168.1.25 9001 1.2.3.4 9001
    and so on...
    Is this the correct way to do it, or is there another better way?
    Also, I only have one public IP to work with, and there are multiple other hosts on this network that need to have access to the internet. Right now I have NAT setup with overload so that the other hosts can get to the Internet. Here's my config for that:
    ip nat pool PATPOOL 1.2.3.4 1.2.3.4 netmask 255.255.255.252
    ip nat inside source list NAT_ACL pool PATPOOL overload     
    ip access-list standard NAT_ACL
     remark PAT to outside
     permit 192.168.1.0 0.0.0.255
     exit
    My question with this is will the static NAT work if I already have NAT overload configured as above?
    Thanks for the help in advance.
    Austin
    PS here is 3CX documentation on this subject http://www.3cx.com/blog/voip-howto/cisco-voip-configuration/

    I ended up creating a static NAT entry for each individual port mapping. This worked just as it was supposed to. 
    I have seen examples of people using route maps and ACLs to accomplish forwarding a range ports. I have yet to see official documentation from Cisco on this, and in some cases those examples did not seem to work correctly.
    ASAs with the latest code have the ability to forward a range of ports, but based on my research IOS lacks this feature.
    In my case, forwarding 50 ports wasn't so bad. However, if you have hundreds or thousands of ports to forward you may want to try the route map/ACL approach.
    Hopefully this information is useful to others.

  • How to configure GG to merge two source tables into one destination table?

    I have two tables at source (say S1 & S2), I want to merge these tables and replicate to a single target table (Say T1).
    Does GG support this type of replication? If so, could any one let me know how to configure Table and Map parameters?
    Thanks in advance.

    It is possible. In the extract capture both the tables.
    Extract parameter
    table s1;
    table s2;
    Replicat parameter
    map s1, target t1, keycols (...);
    map s2, target t1, keycols (...)

  • HOW TO CONFIGURE REPLICATION/INITIALIZE THE TWO SUFFIXES IN DS 6.3

    Hi,
    I'm new to DS 6.3, which is pretty cool. I'm finding it difficult to enable replication between two suffixes in a directory server instance.
    Can anyone help me with how to configure replication in Directory Server 6.3? Hope I get a reply soon,
    thanking you,
    sasi

    Please have a read of the admin guide for replication available at
    http://docs.sun.com/app/docs/doc/820-2763/fhkry
    Once you try out the procedure, feel free to follow up with specific questions. Don't forget to tell us exactly what steps you took, and what problem you're facing.

  • Using both Dynamic and Static NAT with two Different Internet facing Subnets

    We have two Class C Public Address subnets. We started with Subnet (A) and have many of our Internet accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 8.3(2) and started Migrating the Users and new servers to it so I started with our second Class C Subnet (B). Later on down the road I found out that if the Firewall's Default Gateway is set to a (B) Interface subnet, then the servers that are statically mapped to an (A) Address will have a (B) address when they communicate out to the internet. So they are receiving packets on their (A) Address, though replying to them with a (B) address.
    It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external Address when communicating outbound as well as inbound. 
    So For instance I want the Following: when the Internal Replies I want the reply to come from the mapped IP, not a IP from the Dynamic Pool. 
    Public IP: 192.168.1.100/24
    Internal IP: 10.0.0.100/16
    Public IP: 192.168.5.101/24
    Internal IP: 10.0.0.101/16
    interface Ethernet0/0
    description 192.168.1.0/24 Network Outside IP
    nameif outside-1
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/1
    description 192.168.5.0/24 Network Outside IP
    nameif outside-5
    security-level 0
    ip address 192.168.5.1 255.255.255.0
    interface Ethernet0/2
    description inside 10.0.0.0/16
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.0.0
    object network serverA_o
    host 192.168.1.100
    object network serverA_i
    host 10.0.0.100
    object network serverB_o
    host 192.168.5.101
    object network serverB_i
    host 10.0.0.101
    object network 192-168-1-NAT-POOL
    range 192.168.1.50 192.168.1.239
    nat (inside,outside-1) source static serverA_i serverA_o
    nat (inside,outside-5) source static serverB_i serverB_o
    nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
    object network serverA_i
    nat (inside,outside-1) static serverA_o
    object network serverB_i
    nat (inside,outside-5) static serverB_o
    route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
    route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2
    When I set this up my serverB shows a Public IP of something in the 192-168-1-NAT-POOL Not 192.168.5.101
    Any Suggestions?
    Thanks!

    Not sure why I have Multiple Entries. )-: I did think it was Odd. I think it might be because I was looking at examples of the new and old styles of NAT.
    We have a Single ISP, though have 2 separate non-Contiguous  Class C Addresses from them. We host some Servers on one subnet and some on the other. 
    I'm looking for a way to use both Subnets on the same ASA. 
    The Connection to the net looks like this:
    Internet -> Edge Router Layer3 VLAN Switch
    GE0/1.2 - 192.168.1.1 VLAN Tagged --> GE0 - VLAN Tagged
    GE0/1.2 - 192.168.5.1 VLAN Tagged -^
    Layer3 VLAN Switch Firewall
    GE1 192.168.1.0/24 Untagged -> ASA Outside-1
    GE2 192.168.5.0/24 Untagged -> ASA Outside-5
    Firewall
    ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100
    Hope that helps clarify.
    I could try to post some sanitized Configs of my PIX and ASA if needed.  But the end result I'm trying to do is have the ASA do NAT for multiple Public Subnets. 

  • How to Configure DHCP/NAT in Time Capsule

    Assuming I can get my Comcast Cable model to act as a bridge, I see advice for setting up my Time Capsule as a DHCP/NAT.
    On the Comcast Cable modem:
    WAN IP address  = 174.13.188.121. <- fake IP
    WAN IP gateway  = 174.13.188.122.
    WAN subnet mask = 174.13.188.122.
    LAN IP address  = 10.1.10.1.
    LAN subnet mask = 255.255.255.0.
    I'd like to use 10.1.10.11 for Time Capsule, 10.1.10.13 for Mac Mini Server, 10.1.10.17 for iMac#1 and 10.1.10.19 for iMac#2.
    But nooooooo. The AirPort Utility offers only the following DHCP Ranges:
    10.0.1.3 - 10.0.1.200, or
    176.16.1.3 - 176.16.1.200, or
    192.168.1.3 - 192.168.1.200
    There's a checkbox for "Enable NAT Port Mapping Protocol," but the documentation on it is poor. There's also a checkbox for "Enable default host at: 10.0.1.253, or 176.16.1.253 or 192.168.1.253," but its documentation is equally poor. Apparently Apple didn't see the need to explain how these things work.
    If I use a LAN IP of 10.0.0.1 for the Comcast Cable Modem, then use AirPort Utility to set a DHCP Range of 10.0.0.3 to 10.0.0.200 I receive a warning message that "The DHCP range you have entered conflicts with the WAN IP address of your base station."
    I don't see the conflict -- what is wrong? Better yet, how do use AirPort Utility to set up Time Capsule?

    Thank you for your response, but I remain completely overwhelmed by this mess. What should be something simple has become an enormous task.
    Internet
    ^
    Cable Modem WAN IP: 174.13.188.121 (fake IP address)
       Subnet Mask WAN: 255.255.255.252
    Cable Modem LAN IP: 192.168.0.1
        Subnet Mask LAN: 255.255.255.0
    I'd like all requests to my public static IP 174.13.188.121 to be served up from my Mac Mini Server with private static IP 192.168.0.19.
       Time Capsule IP: 192.168.0.11
    Mac Mini Server IP: 192.168.0.19 running Server.app
    iMac #1 Client IP: 192.168.0.17
    iMac #2 Client IP: 192.168.0.13
    I want the Server.app to serve the public. The above is what I have configured now. Some behavior is odd. For example, I can access the internet from the iMac clients but not the Mac Mini Server. I don't know why.
    In other words, how do I string together my Comcast Cable Modem, Time Capsule, Mac Mini Server, iMac#1 and iMac#2 into a useful LAN that can browse the Internet and provide FTP and Web service?
    I would think this is a common setup with several sample setups available on the web. No such luck.

  • How to configure CISCO ASA 5510 for internal remote desktop ?

    Hello, I have a client that wants to install a new ASA (5510) in their network.
    I then did some experiments to implement it. The topology is like this:
    --------configuration---------
    2800 router :
    interface FastEthernet0/0
    ip address 172.16.1.1 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.11.3 255.255.255.0
    duplex auto
    speed auto
    ip route 192.168.12.0 255.255.255.0 172.16.1.2
    1841 router :
    interface FastEthernet0/0
    ip address 172.16.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.12.1 255.255.255.0
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    ASA 5510 :
    : Saved
    : Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
    ASA Version 8.2(1)
    hostname ciscoasa
    enable password **** encrypted
    passwd ***** encrypted
    names
    name 192.168.12.0 Branch
    dns-guard
    interface Ethernet0/0
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.11.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    management-only
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
    access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
    tcp-map mssmap
      synack-data allow
      invalid-ack allow
      seq-past-window allow
      urgent-flag allow
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    asdm location Branch 255.255.255.0 inside
    no asdm history enable
    arp timeout 14400
    static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
    static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    route inside Branch 255.255.255.0 172.16.1.1 1
    timeout xlate 3:00:00
    timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ***** password ***** encrypted
    class-map mymap
    match access-list inside_access_in
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    policy-map myPolicy
    class mymap
      set connection advanced-options mssmap
    service-policy global_policy global
    service-policy myPolicy interface inside
    prompt hostname context
    Cryptochecksum:a605d94f29924e5267644dd0f4476145
    : end
    I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those hosts.
    Then I used Wireshark to capture packets on my computer, and it says TCP ACKed Lost Segment.
    "1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
    "1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
    I can guarantee that both computers are remote desktop enabled and all firewalls have been disabled.
    Please help, any suggestion would be great.
    Thanks.
    Sincerely yours,
    -IAN WIJAYA-

    Dear Ian_benderaz,
    Thank god I am not alone on this.
    I am having the exact same problem too: I can ping the host, but no remote desktop.
    Somebody please help me with this: how do I enable remote desktop on an ASA 5505?
    Thanks

  • How to configure static route on RHEL 3 A/S

    I have a (very) large amount of data to move through a Gigabit connection
    shortly. I want to use a newly-configured gigabit PCI-X card in a Dell
    server to accomplish this. The other interfaces are 100 Mbps.
    If I want to add a route (static route) to force outgoing packets that
    are destined for a particular host to use that interface (eth3 on this host)
    then how do I do that? System is RedHat Enterprise Linux 3AS.
    I suspect this involved the "add route default" command or whatever
    the syntax is -- I did it for Solaris years ago but don't remember
    exactly.
    $ Linux host1.localdomain 2.4.21-57.ELhugemem #1 SMP Fri Jun 13 00:09:04 EDT 2008 i686 i686 i386 GNU/Linux
    $ ifconfig eth3
    eth3 Link encap:Ethernet HWaddr 00:0A:5E:7A:E7:33
    inet addr:10.156.30.176 Bcast:10.156.30.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:619971 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:44019924 (41.9 Mb) TX bytes:256 (256.0 b)
    Interrupt:24
    Thanks in advance.

    I agree. Using the /binroute command is not recommended for newbies, or even oldies. There is more infrastructure behind the scenes than just the routing table and using the "redhat-config-network" or "system-config-network" tool does the right thing, so you don't have to.
    I mentioned it only for completeness.

  • How to configure time synchronization for two NTP servers

    We have IOSXR 4.2.1 on routers CRS3 and ASR9K with all recommended SMUs; we need to configure the time synchronization for two NTP servers with the configuration below, but the routers became unstable: they synchronize with one NTP server for some time, then switch to the other NTP server, and keep doing this. Does anyone know why this behavior occurs?
    ntp
    authentication-key 1 md5 encrypted 01070F074F0A05
    authenticate
    trusted-key 1
    server 10.192.32.32 prefer
    server 10.192.32.33
    source Loopback50
    update-calendar
    RP/0/RP0/CPU0:DFCRSDTC1#sh log | i ntp
    Wed Jul 10 09:37:04.621 BRSPO
    RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
    RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
    RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
    RP/0/RP0/CPU0:Jul  4 21:29:27 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
    RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
    RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
    RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
    RP/0/RP0/CPU0:Jul  4 21:31:36 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
    RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
    RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
    RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
    RP/0/RP0/CPU0:Jul  4 21:40:11 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
    RP/0/RP0/CPU0:Jul  4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
    RP/0/RP0/CPU0:Jul  4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
    RP/0/RP0/CPU0:Jul  4 21:59:26 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 6->2.
    RP/0/RP0/CPU0:Jul  4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
    RP/0/RP0/CPU0:Jul  4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
    RP/0/RP0/CPU0:Jul  4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
    RP/0/RP0/CPU0:Jul  4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.

    Hi Claudio, that ddts is pretty generic to be honest, but yes, it is filed to address sync issues in the XR NTP algo.
    The thing is that XR NTP clock selection is a bit different than IOS and follows the specs very closely, which results in this erroneous loss behavior.
    For instance, you could also see this issue with a sync loss if the update time is only 500 msec off what it was before, and that will result in an NTP sync loss rather than adjusting to it.
    Also I wanted to mention that the ntp prefer is a bit of a misnomer in XR (since it follows the specs differently than IOS) and this knob was taken over from IOS really.
    You might get some joy if you set it to one server only and see if that helps?
    regards
    xander

  • How to configure iCloud when using two apple ID's

    Just installed Lion and set up a new Mac ID (different from my iTunes Mac ID)... what's the difference of having two separate ones? I know the two cannot be combined, but what are the challenges of having two?
    I currently have my iTunes store and iCloud set up to my new Apple ID, but what happens to my old Apple ID? All my downloads from my iPhone were done on the old Apple ID. If I change this setting by using the original Apple ID for store purchases and my new Apple ID for iCloud... what's the difference? Benefits? Complications?
    Just really confused by all this and can't find anything online that just breaks down what's the better way of setting this up.
    Thanks!

    You should continue to use your old ID for iTunes, if you don't you will have difficulties using your purchased content.
    You can use either the new or the old ID for iCloud, iCloud is just a sync service so you won't actually lose anything by using one or the other.
    If you'd prefer to use the same ID for both and your contact and calendar info is in your iCloud account using your new ID, you can always transfer that data to the other account and delete the new account altogether.

  • Static NAT and same IP address for two interfaces

    We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm referring to, where 10.10.10.10 would be the same public IP address.
    static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
    static (production,Outside) 10.10.10.10  access-list production_nat_static_1
    Thanks for any help.
    Jeff

    Hi Jeff,
    Unfortunately this cannot be done, on the ASA packet classification is done on the basis of mac-address, destination nat and route, and here you are confusing the firewall, to which interface does the ip belong to. I haven't ever tried to do it, but it should cause you issues.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Create static nat rule cli

    I need to create a static nat rule that allows outside requests to the inside interface using http. I also need to create an access rule for this. Can someone please explain and show me the command I need to use in asa 5500 firewall version 9.x?
    Thanks!

    Hi,
    Do you mean that you want to create Static NAT rule where the local IP address is the actual IP address of the ASA "inside" interface?
    If so then that is not possible. You won't be able to connect to the "inside" interface through another interface even when using NAT configuration.
    You would have to use VPN connection to be able to connect to the "inside" interface IP address.
    Otherwise you will need to connect to the ASA with using the "outside" interface IP address.
    If you meant that you want to configure Static NAT for some internal host then the configuration format would be
    object network STATIC
    host
    nat (inside,outside) static
    Hope this helps
    - Jouni
