ICMP and NAT/PAT

How does PAT/NAT perform on ICMP packets if there are no ports like UDP/TCP?
best regards
francesco

Have a look at these documents
http://tools.ietf.org/wg/behave/draft-ietf-behave-nat-icmp/draft-ietf-behave-nat-icmp-01-from-00.wdiff.html
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f96.shtml
Both would help you understand
HTH
Hoogen
Do rate if this helps :)
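
Echo request and reply messages carry a 16-bit Identifier field, and a PAT device rewrites and tracks that field the way it would a TCP/UDP source port. The Python sketch below is an added illustration, not part of the original thread or of any Cisco code; the class and function names and the sample addresses are constructed, and ICMP error messages (which embed the original packet) are not handled.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """Build an ICMP echo request/reply: type, code 0, checksum, identifier, sequence."""
    zeroed = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    csum = icmp_checksum(zeroed)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(msg: bytes):
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, csum, ident, seq, msg[8:]


def rewrite_ident(msg: bytes, new_ident: int) -> bytes:
    """Replace the identifier and recompute the checksum, as the translator must."""
    icmp_type, _, _, _, seq, payload = parse_echo(msg)
    return build_echo(icmp_type, new_ident, seq, payload)


class IcmpPat:
    """Toy PAT for ICMP queries: the identifier plays the role of the port."""

    def __init__(self, outside_ip: str, first_id: int = 1024):
        self.outside_ip = outside_ip
        self.next_id = first_id
        self.out_map = {}  # (inside_ip, inside_id) -> mapped_id
        self.in_map = {}   # mapped_id -> (inside_ip, inside_id)

    def outbound(self, src_ip: str, dst_ip: str, msg: bytes):
        icmp_type, _, _, ident, _, _ = parse_echo(msg)
        if icmp_type != ECHO_REQUEST or icmp_checksum(msg) != 0:
            return None  # only well-formed echo requests create a mapping
        key = (src_ip, ident)
        if key not in self.out_map:
            if self.next_id > 0xFFFF:
                raise RuntimeError("identifier pool exhausted")
            self.out_map[key] = self.next_id
            self.in_map[self.next_id] = key
            self.next_id += 1
        return self.outside_ip, dst_ip, rewrite_ident(msg, self.out_map[key])

    def inbound(self, src_ip: str, dst_ip: str, msg: bytes):
        icmp_type, _, _, ident, _, _ = parse_echo(msg)
        if icmp_type != ECHO_REPLY or dst_ip != self.outside_ip:
            return None
        if icmp_checksum(msg) != 0:
            return None
        entry = self.in_map.get(ident)
        if entry is None:
            return None  # no matching query was sent: drop the unsolicited reply
        inside_ip, inside_id = entry
        return src_ip, inside_ip, rewrite_ident(msg, inside_id)


def demo():
    """Two inside hosts ping the same server using the same identifier."""
    pat = IcmpPat("203.0.113.5")   # constructed outside address
    server = "198.51.100.7"        # constructed remote host
    out_a = pat.outbound("192.168.1.10", server, build_echo(ECHO_REQUEST, 1, 1))
    out_b = pat.outbound("192.168.1.11", server, build_echo(ECHO_REQUEST, 1, 1))
    id_a, id_b = parse_echo(out_a[2])[3], parse_echo(out_b[2])[3]
    # The server answers host B's query, echoing the translated identifier.
    back_b = pat.inbound(server, "203.0.113.5", build_echo(ECHO_REPLY, id_b, 1))
    stray = pat.inbound(server, "203.0.113.5", build_echo(ECHO_REPLY, 4242, 1))
    return id_a, id_b, back_b, stray


if __name__ == "__main__":
    print(demo())
```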

Similar Messages

  • ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working

    I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network. 
    Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either.  Any ideas what I could be missing in my configuration?  I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
    ASA Version 8.2(1)
    hostname fw
    domain-name net.com
    enable password eYKAfQL1.ZSbcTXZ encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    interface Ethernet0/0
    description Primary Outside (Internet)
    speed 10
    duplex full
    nameif outside
    security-level 0
    ip address 1.1.1.5 255.255.255.240
    ospf cost 10
    interface Ethernet0/1
    description inside
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    ospf cost 10
    interface Ethernet0/2
    description WLAN
    nameif WLAN
    security-level 100
    ip address 192.168.108.240 255.255.255.0
    ospf cost 10
    interface Ethernet0/3
    description Secondary Outside (Internet)
    speed 100
    duplex full
    nameif WAN2
    security-level 0
    ip address 2.2.2.133 255.255.255.192
    interface Management0/0
    description LAN/STATE Failover Interface
    time-range after_hours
    periodic weekdays 7:00 to 23:00
    boot system disk0:/asa821-k8.bin
    no ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup WLAN
    dns server-group DefaultDNS
    retries 3
    timeout 5
    name-server 8.8.8.8
    name-server 206.191.0.210
    name-server 4.2.2.1
    name-server 4.2.2.2
    domain-name net.com
    access-list WAN2_access_in extended permit icmp any any echo-reply
    access-list WAN2_access_in extended permit icmp any any time-exceeded
    access-list WAN2_access_in extended permit icmp any any source-quench
    access-list WAN2_access_in extended permit icmp any any unreachable
    access-list WLAN_access_in extended permit icmp any any echo-reply
    access-list WLAN_access_in extended permit icmp any any time-exceeded
    access-list WLAN_access_in extended permit icmp any any source-quench
    access-list WLAN_access_in extended permit icmp any any unreachable
    access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
    access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
    access-list WLAN_access_in extended permit ip any any
    access-list time_based extended permit ip any any time-range after_hours
    access-list split_tunnel standard permit host 206.191.0.210
    access-list split_tunnel standard permit host 206.191.0.140
    access-list split_tunnel standard permit host 207.181.101.4
    access-list split_tunnel standard permit host 207.181.101.5
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
    pager lines 20
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu WLAN 1500
    mtu WAN2 1500
    ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface WAN2
    failover
    failover lan unit secondary
    failover lan interface FO Management0/0
    failover key *****
    failover link FO Management0/0
    failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    icmp permit any WLAN
    icmp permit any WAN2
    asdm image disk0:/asdm-621.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (WAN2) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (WLAN) 1 192.168.108.0 255.255.255.0
    static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group WLAN_access_in in interface WLAN
    access-group WAN2_access_in in interface WAN2
    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
    route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
    route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.108.0 255.255.255.0 WLAN
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.1.101 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
    type echo protocol ipIcmpEcho 4.2.2.2 interface outside
    num-packets 3
    timeout 1000
    frequency 3
    service resetoutside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    track 1 rtr 123 reachability
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet timeout 5
    ssh scopy enable
    ssh 2.2.2.132 255.255.255.255 outside
    ssh 69.17.141.134 255.255.255.255 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.108.0 255.255.255.0 WLAN
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd address 192.168.108.11-192.168.108.239 WLAN
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp authenticate
    ntp server 128.100.100.128
    ntp server 132.246.168.148
    ntp server 128.100.56.135
    tftp-server inside 192.168.1.100 /
    webvpn
    group-policy Wifi internal
    group-policy Wifi attributes
    wins-server none
    dns-server value 206.191.0.210 206.191.0.140
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tunnel
    tunnel-group Wifi type remote-access
    tunnel-group Wifi general-attributes
    address-pool DHCP
    default-group-policy Wifi
    tunnel-group Wifi ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
      inspect icmp error
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
    : end
    asdm image disk0:/asdm-621.bin
    asdm location 192.168.1.245 255.255.255.255 inside
    asdm location 192.168.1.252 255.255.255.255 inside
    asdm history enable

    Hi,
    I can't see any problems right away in the configuration.
    I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
    packet-tracer input outside tcp 1.1.1.1 12345 22
    packet-tracer input outside icmp 1.1.1.1 8 0
    Don't mind the source address of 1.1.1.1. It's just an address that is located behind the "outside" interface according to the ASA routing table. (As the configurations 1.1.1.0/28 is not actually configured on the ASA)
    Share the exact "packet-tracer" command used (without the public IP, notice that the output contains the public IP also) and the output of the command with us here.
    Also, have you made sure that there is no old translations active on the ASA?
    You can use this command to view those
    show xlate local 192.168.1.100
    You can clear the xlates with
    clear xlate local 192.168.1.100
    - Jouni

  • Question on best practice for NAT/PAT and client access to firewall IP

    Imagine that I have this scenario:
    Client(IP=192.168.1.1/24)--[CiscoL2 switch]--Router--CiscoL2Switch----F5 Firewall IP=10.10.10.1/24 (only one NIC, there is not outbound and inbound NIC configuration on this F5 firewall)
    One of my users is complaining about the following:
    When clients receive traffic from the F5 firewall (apparently the firewall is doing PAT, not NAT), the clients see IP address 10.10.10.1.
    Do you see this is a problem? Should I make another IP address range available and do NAT properly so that clients will not see the firewall IP address? I don't see this situation is a problem but please let me know if I am wrong.

    Hi,
    Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
    This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
    For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that uses the same global IP address, but different ports
    And for PAT you cannot use the same pair of local and global address in multiple static statements between the same two interfaces.
    Regards
    Bjornarsb

  • NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above

    Hi folks,
    I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASAs, so I'm doing the configs up front!
    Everything seems straightforward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3; the PIX was running v6 and I'm used to doing mainly static one-to-one NAT in ASDM.
    The scenario is that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behind the NAT / PAT. Current config of the PIX is as follows (obviously the names are defined further up the config so this is an extract of the PIX):
    global (outside) 1 10.50.50.38
    global (outside) 2 10.50.50.39
    global (outside) 3 10.50.50.49
    nat (inside) 0 access-list no-nat-all
    nat (inside) 2 Host_1 255.255.255.255 0 0
    nat (inside) 2 Host_2 255.255.255.255 0 0
    nat (inside) 2 Host_3 255.255.255.255 0 0
    nat (inside) 1 Host_4 255.255.255.255 0 0
    nat (inside) 1 Host_5 255.255.255.255 0 0
    nat (inside) 1 Host_6 255.255.255.255 0 0
    nat (inside) 1 Host_7 255.255.255.255 0 0
    nat (inside) 3 Network_3 255.255.255.0 0 0
    ASA Config
    After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following. Also, is it easier to just do this in ASDM? It looks pretty easy from YouTube videos, but I'd rather have something to put on the box NAT-wise when I arrive at site, as opposed to working it out there!
    Define NAT Objects (outside IP addresses)
    object network NAT_1_outside_10.50.50.38
    host 10.50.50.38
    object network NAT_2_outside_10.50.50.39
    host 10.50.50.39
    object network NAT_3_outside_10.50.50.49
    host 10.50.50.49
    exit
    Define NAT Objects (inside IP addresses)
    object-group network NAT_1_Objects
    network-object Host_4 255.255.255.255
    network-object Host_5 255.255.255.255
    network-object Host_6 255.255.255.255
    network-object Host_7 255.255.255.255
    nat (inside,outside) dynamic NAT_1_outside_10.50.50.38
    object-group network NAT_2_Objects
    network-object Host_1 255.255.255.255
    network-object Host_2 255.255.255.255
    network-object Host_3 255.255.255.255
    nat (inside,outside) dynamic NAT_2_outside_10.50.50.39
    object-group network NAT_3_Objects
    network-object Network_1 255.255.255.0
    nat (inside,outside) dynamic NAT_3_outside_10.50.50.49
    Any assistance with this would be appreciated.
    cheers
    Malcolm

    I cannot make heads or tails of what you're trying to accomplish in plain English first, before looking at router setup.
    If you're talking about hosting servers behind the router on your private LAN (assuming one public WAN IP), then one uses ACLs to control external users by individual OR GROUP and static NAT to port forward users to the correct server. One does not worry about groups of users for this direction of NAT rule.
    If what you're saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers), then once again I would say you should use ACLs to limit-authorize users and simply use NAT for port translation purposes. So conceptually speaking, allow all LAN users static NAT, and then only allow group 1 hosts access to the first external IP, group 2 hosts to the second external IP, and group 3 hosts to the third external IP. Note you will have to add a deny rule in the firewall in general because normally higher to lower security interface is allowed by default.
    Am I close? Before going any further, I need more details on the requirements, never mind setup.

  • Shared Public IP to two Servers - ASA 5510 8.3. NAT/PAT

    I have a situation where we have a single DMZ server currently statically forwarded to a single public IP.  TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
    However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same public IP) for this server. This server only needs traffic on TCP/8800 forwarded to it.
    I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
    My question lies in the reconfiguration of NAT/ PAT.  Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port.  I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
    It appears ASDM will not allow me to put multiple ports into a single network object.  I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?

    OK, so I believe I've truncated this down to what you need in order to give me a hand. Remember that I must configure this using ASDM for screenshot purposes. There is currently a temporary static one-to-one NAT in place for NCAFTP01 until we resolve the outbound issue, but I realize this must be removed to properly test. I'll explain the desired topology below the config:
    : Saved
    ASA Version 8.3(1)
    hostname ASA-SVRRM-5510
    domain-name domain.corp
    names
    name 10.20.1.23 NCASK333
    name 10.20.1.40 Barracuda
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address 1.1.1.3 255.255.255.248
    interface Ethernet0/1
    description DMZ
    nameif DMZ
    security-level 20
    ip address 172.16.10.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    nameif Inside
    security-level 100
    ip address 10.20.1.249 255.255.0.0
    object network mail.domain.com
    host 10.20.1.40
    object network NCASK333
    host 10.20.1.23
    object network obj-10.20.1.218
    host 10.20.1.218
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_10.192.0.0_16
    subnet 10.192.0.0 255.255.0.0
    object network NETWORK_OBJ_10.20.0.0_16
    subnet 10.20.0.0 255.255.0.0
    object network Remote Site
    host 10.1.1.1
    object network NCAFTP01:80
    host 172.16.10.10
    object network 1.1.1.5
    host 1.1.1.5
    object network NCASK820
    host 10.20.1.61
    description Exchange Server/ KMS
    object service AS2
    service tcp source eq 8800 destination eq 8800
    object network NCAFTP01:21
    host 172.16.10.10
    object network NCAFTP01:443
    host 172.16.10.10
    object network NCAFTP01:53
    host 172.16.10.10
    object network NCAFTP01:53UDP
    host 172.16.10.10
    object network NCAFTP01:8080
    host 172.16.10.10
    object network NCAFTP01:8500
    host 172.16.10.10
    object network NCAFTP01:5080
    host 172.16.10.10
    object network NCADMZ02:8800
    host 172.16.10.11
    object network NCAFTP01
    host 172.16.10.10
    object-group service DM_INLINE_SERVICE_1
    service-object gre
    service-object tcp destination eq pptp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq imap4
    port-object eq pop3
    port-object eq smtp
    port-object eq domain
    object-group service DM_INLINE_SERVICE_2
    service-object icmp
    service-object icmp traceroute
    object-group service DM_INLINE_SERVICE_3
    service-object tcp destination eq 8080
    service-object tcp destination eq 8500
    service-object tcp destination eq domain
    service-object tcp destination eq ftp
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object udp destination eq domain
    service-object icmp
    service-object tcp destination eq 5080
    service-object object AS2
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_3 tcp
    port-object eq 8080
    port-object eq www
    port-object eq https
    port-object eq echo
    object-group network DM_INLINE_NETWORK_5
    network-object 172.16.10.0 255.255.255.0
    nat (Inside,any) source static any any destination static obj-10.192.0.0 obj-10.192.0.0
    nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
    nat (Inside,ATTOutside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
    object network mail.domain.com
    nat (Inside,ATTOutside) static 1.1.1.4
    object network NCASK333
    nat (Inside,ATTOutside) static 1.1.1.6
    object network obj-10.20.1.218
    nat (Inside,ATTOutside) static 1.1.1.2
    object network obj_any
    nat (Inside,ATTOutside) dynamic interface
    object network NCAFTP01:80
    nat (any,ATTOutside) static 1.1.1.5 service tcp www www
    object network NCAFTP01:21
    nat (any,ATTOutside) static 1.1.1.5 service tcp ftp ftp
    object network NCAFTP01:443
    nat (any,ATTOutside) static 1.1.1.5 service tcp https https
    object network NCAFTP01:53
    nat (any,ATTOutside) static 1.1.1.5 service tcp domain domain
    object network NCAFTP01:53UDP
    nat (any,ATTOutside) static 1.1.1.5 service udp domain domain
    object network NCAFTP01:8080
    nat (any,ATTOutside) static 1.1.1.5 service tcp 8080 8080
    object network NCAFTP01:8500
    nat (any,ATTOutside) static 1.1.1.5 service tcp 8500 8500
    object network NCAFTP01:5080
    nat (any,ATTOutside) static 1.1.1.5 service tcp 5080 5080
    object network NCADMZ02:8800
    nat (any,ATTOutside) static 1.1.1.5 service tcp 8800 8800
    object network NCAFTP01
    nat (any,ATTOutside) static 1.1.1.5
    nat (DMZ,ATTOutside) after-auto source dynamic obj_any interface
    timeout xlate 3:00:00
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect pptp
    class class-default
    : end
    Coming from the outside to public IP 1.1.1.5, we want ports 80, 443, 8080, 8500, 21, and 53 to translate to NCAFTP01/ 172.16.10.10.  We want traffic sent to 1.1.1.5 on "AS2" (tcp port 8800) to translate to NCADMZ02/172.16.10.11. 
    This part is functional, as you instructed above, I simply needed to create individual PAT statements. 
    My current issue lies in the outbound translation.  When we send a request out from NCAFTP01/ 172.16.10.10 on any port, we want it to translate to a public IP of 1.1.1.5.  When we send a request out from NCADMZ02/172.16.10.11, we also want it to translate to 1.1.1.5.  So in effect, we want it to NAT both devices outbound to the same public IP, but use PAT inbound.  These are the only two devices in our DMZ, so if I can simply translate all traffic from the DMZ network outbound to 1.1.1.5, I feel it would be the simplest solution.  My question is if we do this, when a request comes inbound from the outside, would the translation fall over to PAT?
    This comes about because the client on the outside requires us to use a specific IP to connect to their EDI server on port 5080.

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with IPSEC VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses.
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5, not 192.168.1.5 (notice the last octet should be the same in this case, .5).
    The same translation for the rest of the communication (Host N2 pings host N3 at destination IP 10.23.1.6, not 192.168.1.6; again the last octet is the same).
    It sounds a bit confusing to me, but I have seen this type of setup before when I worked for a managed service provider where we had connections to our clients (Site to Site IPSEC VPN with NAT, not sure how it was set up).
    Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated addresses as mentioned above, 10.23.1.0/24 instead of (real) 192.168.1.0/24; the last octet should be the same.
    Appreciate if someone can shed some light on it.

    Hi,
    OK, so we're going with the older NAT configuration format.
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • ASA5505 SOHO public ip range and nat head ache

    Hello
    Can anyone shed some light on a problem I'm having? We have set up an ASA 5505 with an ISP called Zen that allocates you a subnet of public IP addresses. I have successfully set up the ASA to access the internet using NAT on the outside interface. We would like to use the other IP addresses in the range for other services, but I cannot think how I can do this/configure this.
    LAN > ASA5505 > VDSL Modem > ISP
    the range they have given us is
    Number of IP addresses: 8
    IP addresses: XX.XX.XXX.40 - XX.XX.XXX.47
    Subnet mask: 255.255.255.248
    Subnet in slash notation: XX.XX.XXX.40 /29
    Network address: XX.XX.XXX.40
    XX.XX.XXX.41
    XX.XX.XXX.42
    XX.XX.XXX.43
    XX.XX.XXX.44
    XX.XX.XXX.45
    XX.XX.XXX.46 Router
    Broadcast address: XX.XX.XXX.47
    Router address: XX.XX.XXX.46
    I have set up XX.XX.XXX.46 on the outside interface, and hosts inside can access the net and NAT from the internet to internal devices all works.
    we have a vdsl modem connected to the outside interface and using PPPoE we dynamically get the XX.XX.XXX.46/32 address.
    Is there any way i can use the other spare addresses? i do see how i can use them. i have done a lot of browsing and the only way i see that other people have been able to do this is using a layer3 device and using ip unnumber of the external int point to a loopback,
    any info or advice would be gratefully received.
    regards
    C.

    Hello
    the version is Cisco Adaptive Security Appliance Software Version 9.2(2)4
    Debugging ICMP, I see pings to the .46 address; however, I see no pings/traffic received on the ASA for the other addresses. How does Zen know to route the xx.xx.xx.41 to .45 IP addresses to the firewall using the .46 address?
    the nat rules i have are
    nat (Vlan200_Int,Outside_Dirty_Int) dynamic interface < this works for lan access to the internet
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp www 65100
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp https 65101
    access-list Outside_Dirty_Network_access_in extended permit tcp object Click_PC object ESXi object-group DM_INLINE_TCP_7
    object-group service DM_INLINE_TCP_7 tcp
    port-object eq 902
    port-object eq www
    port-object eq https
    thanks for the help

  • NAT/PAT Two private IP's to one Real on the same port.

    Hello all.
    I have the following situation. A colleague installed a spam block (Norton something) and he put two IPs on its interfaces, 192.168.2.20 and 192.68.2.21. One will be used to receive and one to send mail, but both on port 25. They use a single real IP, 175.75.67.32. I am using a 5540 ASA with 8.2 IOS.
    I am pretty sure this cannot happen, but I got some advice to NAT the outgoing IP/port and then PAT the incoming port to both IPs and it will work. I tried to do it with no success. I know that ASA 8.4 changes everything in NAT/PAT, but is there any way with the newer OS my setup can work or not?
    Thanks very much in advance for your help.

    ASA 8.4:
    receive mail:
    nat (inside,outside) source static obj-192.68.2.20 obj-175.75.67.32 service src25 src25
    send mail:
    nat (inside,outside) source dynamic obj-192.68.2.21 obj-175.75.67.32 service dst25 dst25

  • ASA 8.2(1) Global and NAT statements, natting certain internal hosts

    Hi, I have what I believe will be an easy question, but I cannot find the answer and cannot afford to test it on our production ASA.
    I am running an ASA firewall; we are performing PAT with one public IP address for all inside traffic accessing the Internet. We need to implement a solution where whenever two or three internal hosts/servers access the Internet, they need to appear to come from a unique public IP, different from the current global IP for all other internal traffic. I understand I could NAT their internal IP address to a public IP, but I don't need each server to have its own public IP; I'd like for all of them to share one.
    Thoughts on how to accomplish this?  Thanks!

    Hi,
    To my understanding you would just create a new Dynamic PAT configuration using a different NAT ID for these hosts.
    Though when you create a separate Dynamic PAT for some hosts with a new NAT ID, you will have to make sure that this NAT ID has a rule towards any interface they had before.
    In a very basic setup there should only be Dynamic PAT between your "inside" and "outside" interfaces (presuming that's what they are called on your firewall).
    This would mean that if you had for example a network 10.10.10.0/24 and you performed Dynamic PAT for that network using the "outside" interface IP address you would then configure the following
    global (outside) 1 interface
    nat (inside) 1 10.10.10.0 255.255.255.0
    So the above is probably the type of configuration you have at the moment?
    For the 2/3 hosts you have that need a different PAT IP address you could probably configure something like this (1.1.1.1 is just an example IP instead of the actual public IP address that is different from the interface IP address)
    global (outside) 2 1.1.1.1
    nat (inside) 2 10.10.10.1
    nat (inside) 2 10.10.10.2
    nat (inside) 2 10.10.10.3
    If the original ID 1 NAT rule had "global" statements for some other interface then you would most likely need ID 2 configurations for those too. Though generally Dynamic PAT is only performed towards other external networks which usually means only the "outside" interface.
    Without seeing the configurations I don't think I can say much more.
    Naturally "packet-tracer" is an excellent command to confirm what NAT/PAT is applied for a host's connection.
    For example, if you wanted to test which ASA configurations/rules are applied to host 10.10.10.1 towards some external host, you could issue this command
    packet-tracer input inside udp 10.10.10.1 12345 8.8.8.8 53
    This should tell you what NAT translation is performed for this traffic (it simulates a destination port UDP/53 connection towards 8.8.8.8). Naturally you can also confirm things through firewall logs and the translation table of the device.
    Active translations on the firewall you can show with the command
    show xlate
    It does have a lot of additional parameters after the "xlate" if you want to have more specific output
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni
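
The NAT ID selection described in the reply above, as an added example that is not part of the thread: ASA 8.2 regular dynamic NAT uses the `nat` statement that best matches the real address, and the matching ID then needs a `global` on the egress interface. The `dmz` interface and its `global` line are constructed here to show the "rule towards any interface they had before" caveat, and host masks are written out explicitly.

```python
import ipaddress
import re

# Constructed sample based on the reply; "dmz" is a hypothetical interface.
SAMPLE_CONFIG = """\
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 2 1.1.1.1
nat (inside) 2 10.10.10.1 255.255.255.255
nat (inside) 2 10.10.10.2 255.255.255.255
nat (inside) 2 10.10.10.3 255.255.255.255
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(rf"^nat \((\S+)\) (\d+) {IPV4} {IPV4}")


def parse(config):
    """Return ({(nat_id, egress_ifc): address}, [(real_ifc, nat_id, network)])."""
    globals_, nats = {}, []
    for line in map(str.strip, config.splitlines()):
        if m := GLOBAL_RE.match(line):
            globals_[(int(m[2]), m[1])] = m[3]
        elif m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}")
            nats.append((m[1], int(m[2]), net))
    return globals_, nats


def select_nat_id(nats, real_ifc, src_ip):
    """Best match: the longest prefix containing the source address wins."""
    src = ipaddress.ip_address(src_ip)
    hits = [(net.prefixlen, nat_id) for ifc, nat_id, net in nats
            if ifc == real_ifc and src in net]
    return max(hits)[1] if hits else None


def mapped_address(config, real_ifc, src_ip, egress_ifc):
    """PAT address used for src_ip leaving egress_ifc, or None if no global."""
    globals_, nats = parse(config)
    nat_id = select_nat_id(nats, real_ifc, src_ip)
    return globals_.get((nat_id, egress_ifc)) if nat_id is not None else None


def missing_globals(config):
    """(nat_id, interface) pairs where an ID lacks a global other IDs have."""
    globals_, nats = parse(config)
    egress = {ifc for _, ifc in globals_}
    ids = {nat_id for _, nat_id, _ in nats}
    return sorted((i, ifc) for i in ids for ifc in egress
                  if (i, ifc) not in globals_)


if __name__ == "__main__":
    for host in ("10.10.10.2", "10.10.10.50"):
        print(host, "->", mapped_address(SAMPLE_CONFIG, "inside", host, "outside"))
    print("missing:", missing_globals(SAMPLE_CONFIG))
```

On the real device, `packet-tracer` and `show xlate`, as mentioned in the reply, remain the authoritative check.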

  • Best practices for NAT/PAT?

    Greetings:
    My setup is
    Cisco 1811 serving as a router/firewall to several Windows 2003 servers at an ISP. I've configured NAT on the router to expose http, https, and smtp ports on each of the servers to a unique public IP address within my x.x.x.230/29 address space.
    The WAN port on the 1811 is configured with x.x.x.230/29. On Server A I NAT ports 25, 80, and 443 on that same x.x.x.230 address, while managing the 1811 itself using SSH on that same address as well.
    On server B (local IP 192.168.0.3), I NAT the x.x.x.231 address for ports 25, 80, and 443. On server C (local IP 192.168.0.4), I NAT the x.x.x.232 address for the same ports.
    Can anyone offer a critique of this configuration and offer some ideas of the best practices topology-wise for providing routing, vpn and firewall functionality for these servers?
    My question arises because now I have a site to site VPN with Server B at the local end and I am unable to connect to the server B smtp port due to the following nat statements. I can confirm that this is the case since by removing the statement I am able to connect.
    Here is the NAT section of the show run:
    ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet0 443
    ip nat inside source static tcp 192.168.0.2 80 interface FastEthernet0 80
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
    ip nat inside source static tcp 192.168.0.3 25 x.x.x.231 25 extendable
    ip nat inside source static tcp 192.168.0.3 80 x.x.x.231 80 extendable
    ip nat inside source static tcp 192.168.0.3 443 x.x.x.231 443 extendable
    ip nat inside source static tcp 192.168.0.4 25 x.x.x.232 25 extendable
    ip nat inside source static tcp 192.168.0.4 80 x.x.x.232 80 extendable
    ip nat inside source static tcp 192.168.0.4 443 x.x.x.232 443 extendable
    Would appreciate any and all comments on the way it is currently configured as well as:
    -How I might be able to change the config to follow a best-practice arrangement for the router/firewall and these servers.
    TIA

    Hi,
    Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
    This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
    For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that uses the same global IP address, but different ports
    And for PAT you cannot use the same pair of local and global address in multiple static statements between the same two interfaces.
    Regards
    Bjornarsb
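
The static PAT rule from the reply above (one global address can be reused as long as each protocol/port is claimed once), as an added example that is not part of the thread. It parses the NAT section quoted in the question, lists what each public address exposes, and flags any global endpoint claimed by two inside hosts; the last sample line and its 192.168.0.5 host are constructed to trigger that check.

```python
import re
from collections import defaultdict

# Static lines as quoted in the question; the final line is constructed here.
SAMPLE = """\
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.0.2 80 interface FastEthernet0 80
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.3 25 x.x.x.231 25 extendable
ip nat inside source static tcp 192.168.0.3 80 x.x.x.231 80 extendable
ip nat inside source static tcp 192.168.0.3 443 x.x.x.231 443 extendable
ip nat inside source static tcp 192.168.0.4 25 x.x.x.232 25 extendable
ip nat inside source static tcp 192.168.0.4 80 x.x.x.232 80 extendable
ip nat inside source static tcp 192.168.0.4 443 x.x.x.232 443 extendable
ip nat inside source static tcp 192.168.0.5 25 x.x.x.231 25 extendable
"""

# The global side is either an address token or "interface <name>".
STATIC_PAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(interface \S+|\S+) (\d+)")


def parse_static_pat(config):
    """Return (proto, local_ip, local_port, global_addr, global_port) tuples."""
    rules = []
    for line in config.splitlines():
        m = STATIC_PAT.match(line.strip())
        if m:
            proto, lip, lport, gaddr, gport = m.groups()
            rules.append((proto, lip, int(lport), gaddr, int(gport)))
    return rules


def exposure_map(rules):
    """Published services grouped by global address, for firewall review."""
    exposed = defaultdict(list)
    for proto, lip, lport, gaddr, gport in rules:
        exposed[gaddr].append((proto, gport, lip, lport))
    return {gaddr: sorted(entries) for gaddr, entries in exposed.items()}


def conflicts(rules):
    """Global (proto, addr, port) endpoints claimed by more than one host."""
    owners = defaultdict(set)
    for proto, lip, lport, gaddr, gport in rules:
        owners[(proto, gaddr, gport)].add((lip, lport))
    return {ep: sorted(o) for ep, o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    parsed = parse_static_pat(SAMPLE)
    for gaddr, entries in exposure_map(parsed).items():
        print(gaddr, entries)
    print("conflicts:", conflicts(parsed))
```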

  • NAT/PAT question

    I have a new firewall I am turning up. On the firewall I have 3 DMZ interfaces (2 are turned up currently) and an inside interface towards the customer's internal network.
    What I am attempting to do is to send traffic to the customer's internal networks (the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 networks) without doing any NAT.
    I want to send any INET destined traffic as the PAT address using the inside interface IP of 10.91.13.17 such as google.com. The DMZ source for this communication is 192.168.14.0/27 CETCNET. I've attached a config. I was thinking a NONAT acl and NAT definition and a global definition along these lines:
    object-group network ATK_PRIVATE_NETS
    network-object 10.0.0.0 255.0.0.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    access-list NONAT_CETC permit ip 192.168.14.0 255.255.255.224 object-group ATK_PRIVATE_NETS
    access-list CETC_INET_NAT permit ip 192.168.14.0 255.255.255.224 any
    nat (CETCNET) 0 access-list NONAT_CETC
    nat (CETCNET) 10 access-list CETC_INET_NAT
    global (inside) 10 interface
    But I still get the feeling I'm missing something. Version is 8.2.(5)29. Looking forward to reading any suggestions anyone might have. I like to keep it simple as possible on firewalls like this.

    Hi,
    Thanks for your response and for your help. I own a Pix too. It works fine. It changes the source port to a port belonging to the port pool.
    But the Catalyst 6506 doesn't behave as it should. In the logs, I see this:
    (...) wanted 32838 got 1027 (...)
    Allocated Port for xxx.235.225.25 -> xxx.xxx.84.225: wanted 32840 got 1024
    i: tcp (xxx.235.225.25, 32840) -> (xxx.2.0.36, 21) [27171]
    created edit_context (xxx.235.225.25,32840) -> (xxx.2.0.36,21)
    TCP s=32840->1024, d=21
    where xxx.xxx.84.225 is my NAT address.
    So, the Catalyst 6506 tries to keep the source port but it fails. When I look at the translation table (show ip nat translation), I see that the source port isn't allocated, so why didn't the Catalyst keep it?
    My big issue is that there's an ACL on a router above my own router. I can't change this ACL, which denies any request to tcp port 1025. So, as long as the Catalyst 6506 NATs on this port, my users won't be able to access the Internet.
    That's the reason why I do need to find a workaround.
    Thanks for helping.

  • NAT/PAT Setup with internal web server.

    Environment:
    Web Server inside and 10 internal workstations.
    One external public IP address.
    Cisco Router 806 with HTTP server enable.
    Conditions:
    External users have to be able to access the web server.
    The internal users have to be able to access the web server via the "EXTERNAL" IP address. Since they are using an external DNS.
    Scenario:
    The internal workstation request from external DNS address for the web server.
    DNS replies with external IP address.
    Workstation attempts to connect to web server via external IP address.
    Connection fails at the router showing the router's HTTP logon page.
    We are trying to implement NAT/PAT inside, with static assignment to port 80 to the internal web server.
    Thanks, Pat Askins.

    You need to use Cisco NAT Virtual Interface (NVI).
    Example:
    your internal network with web server IP 192.168.1.10/24 is on Fa0 of the router, and Fa1 has public IP address 1.1.1.1
    Here is what you need to configure on the NAT router to resolve your issue:
    ! Fa0: inside LAN
    int fa0
    ip nat enable
    no ip redirects
    ! Fa1: public side
    int fa 1
    ip nat enable
    no ip redirects
    ! static PAT for the web server
    ip nat source static tcp 192.168.1.10 80 1.1.1.1 80
    ! overload the inside network onto the public interface
    ip nat source list 1 interface fa1 overload
    access-list 1 permit 192.168.1.0 0.0.0.255
    Now you can try to access 1.1.1.1:80 from the inside network.

  • Cisco 1841 with 2 public WAN IP's and NAT

    OK currently the network is setup as follows:
    Zyxel SHDSL Router --> Linksys Router --> 10/100 Switch --> PC's
    x.x.x.145/28__________x.x.x.146/28____________________192.168.1.0/24
    The Linksys router is running inbound one-to-many PAT (eg. x.x.x.146:80 --> 192.168.1.10:8080)
    I'm looking to replace the setup with a Cisco 1841 router. Now normally I would configure the DSL interface as unnumbered to the internal LAN interface and use my public IP addys on this segment then passing through a PIX to NAT into private IP addys.
    The problem I have is I want the 1841 to be an all in one box performing DSL, Firewall and NAT functions.
    Now I thought I would configure the DSL as unnumbered to FastEthernet0/0 adding a secondary IP address of x.x.x.146/28. Interface configured as NAT outside.
    Interface FastEthernet0/1 was configured with 192.168.1.1/24 with NAT inside and connected to the switch.
    The problem was that the FastEthernet0/0 interface line protocol was down, as there was no need to connect it to anything.
    I then tried assigning the dialer interface a static IP of x.x.x.145/28 and x.x.x.146/28 as a secondary IP running NAT outside. I tried again, but during boot up the router said you can't assign a secondary IP to the dialer interface.
    So my question is, how would you recommend setting up the interfaces to enable the router to have both x.x.x.145 and 146/28 as public IP's and NAT x.x.x.146:80 to 192.168.1.10:8080?
    Any help much appreciated.

    Answers:
    1) DSL is terminating in the 1841 on a SHDSL WIC
    2) No
    3) IP is negotiated
    4) Below is a config which I believe should work. Any recommended amendments?
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname trackgw
    boot-start-marker
    boot-end-marker
    no aaa new-model
    resource policy
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    username cisco privilege 15 secret xxx
    controller DSL 0/0/0
    mode atm
    line-term cpe
    dsl-mode SHDSL symmetric annex B
    line-rate AUTO
    interface FastEthernet0/0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    interface ATM0/0/0
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    interface Dialer1
    ip address negotiated
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    encapsulation ppp
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname username
    ppp chap password 0 password
    ppp ipcp dns request
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http authentication local
    ip nat inside source list nat-acl interface Dialer1 overload
    ip nat inside source static tcp 192.168.1.10 8080 x.x.x.146 80
    ip access-list extended nat-acl
    permit ip 192.168.1.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    control-plane
    line con 0
    logging synchronous
    login local
    transport output all
    line aux 0
    transport output all
    line vty 0 4
    privilege level 15
    login local
    transport input telnet
    scheduler max-task-time 5000
    end

  • What is the problem between NAT/PAT-ed network with SIP?

    Hi guys,
    I'm not really good at voice - so please bear with me :)
    I have a situation where I can't make a VoIP call via SIP using a class 4/5 softswitch behind a NAT/PAT network.
    The diagram:
    NAT/PAT --- cloud/MPLS --- softswitch.
    The softswitch provides IP Centrex service, so there will be a caller-group. The 2nd problem was that in a caller-group it can't establish a call originating from IP 1.1 back to IP 1.1. And I can't touch that softswitch (it's Xener - I don't exactly know what type). I'm wondering about this softswitch's capability - anyone using it?
    We have tested using another SIP server (an Asterisk-based softswitch) and sniffed all SIP-related traffic - we have a 403 error and the like - but my opinion is that it's the PE's NAT router that dropped the SIP handshake, so the RTP won't pass through to both caller/called party.
    Modifying a single PE is probably easy - but my catch is that as long as I have some NAT router/firewall along the PE and softswitch path it will not work, correct?
    Before I go further with a Cisco Unified Border Element and Session Border Controller proposal - would anyone like to give me a comment about my understanding of the above scenario?
    Any help would be appreciated,
    thanks.

    The NAT Support for SIP feature allows SIP embedded messages passing through a router configured with Network Address Translation (NAT) to be translated and encoded back to the packet. An application layer gateway (ALG) is used with NAT to translate the SIP or SDP messages.
    See the following url for more details about NAT support for SIP:
    http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftnatsip.html

  • Internal DNS server and NAT routing issue.

    Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc., but I have configured an A record there to point to the public IP of my Mac OS X server (server.company.com).
    We have a Cisco router configured with one-to-one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and NAT on that subnet under a different public IP provided by our ISP.
    Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
    The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
    Thanks

    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
    The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.
