ICMP and NAT/PAT
how does PAT/NAT perform on ICMP packets if there are not ports like udp/tcp ?
best regards
francesco
Have a look at these documents
http://tools.ietf.org/wg/behave/draft-ietf-behave-nat-icmp/draft-ietf-behave-nat-icmp-01-from-00.wdiff.html
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f96.shtml
Both would help you understand
HTH
Hoogen
Do rate if this helps :)
Similar Messages
-
ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working
I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
ASA Version 8.2(1)
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description Primary Outside (Internet)
speed 10
duplex full
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.240
ospf cost 10
interface Ethernet0/1
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
interface Ethernet0/2
description WLAN
nameif WLAN
security-level 100
ip address 192.168.108.240 255.255.255.0
ospf cost 10
interface Ethernet0/3
description Secondary Outside (Internet)
speed 100
duplex full
nameif WAN2
security-level 0
ip address 2.2.2.133 255.255.255.192
interface Management0/0
description LAN/STATE Failover Interface
time-range after_hours
periodic weekdays 7:00 to 23:00
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
retries 3
timeout 5
name-server 8.8.8.8
name-server 206.191.0.210
name-server 4.2.2.1
name-server 4.2.2.2
domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
wins-server none
dns-server value 206.191.0.210 206.191.0.140
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
address-pool DHCP
default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enableHi,
I can't see any problems right away in the configuration.
I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
packet-tracer input outside tcp 1.1.1.1 12345 22
packet-tracer input outside icmp 1.1.1.1 8 0
Don'd mind the source address of 1.1.1.1. Its just an address that is located behind "outside" interface according to the ASA routing table. (As the configurations 1.1.1.0/28 is not actually configured on the ASA)
Share the exact "packet-tracer" command used (wihtout the public IP, notice that the output contains the public IP also) and the output of the command with us here.
Also, have you made sure that there is no old translations active on the ASA?
You can use this command to view those
show xlate local 192.168.1.100
You can clear the xlates with
clear xlate local 192.168.1.100
- Jouni -
Question on best practice for NAT/PAT and client access to firewall IP
Imagine that I have this scenario:
Client(IP=192.168.1.1/24)--[CiscoL2 switch]--Router--CiscoL2Switch----F5 Firewall IP=10.10.10.1/24 (only one NIC, there is not outbound and inbound NIC configuration on this F5 firewall)
One of my users is complaining about the following:
When clients receive traffic from the F5 firewall (apparently the firewall is doing PAT not NAT, the client see IP address 10.10.10.1.
Do you see this is a problem? Should I make another IP address range available and do NAT properly so that clients will not see the firewall IP address? I don't see this situation is a problem but please let me know if I am wrong.Hi,
Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that uses the same global IP address, but different ports
And for PAT you cannot use the same pair of local and global address in multiple static statements between the same two interfaces.
Regards
Bjornarsb -
NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above
Hi folks,
I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASA's so doing the configs up front!
Everything seems straight forward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3, the PIX was running v6 and I'm used to doing mainly static one to one NAT in ASDM.
The scenario that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behint the NAT / PAT. Current config of the PIX is as follows (obviously the names are defined further up the config so this is an extract of the PIX):
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 2 Host_2 255.255.255.255 0 0
nat (inside) 2 Host_3 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 1 Host_6 255.255.255.255 0 0
nat (inside) 1 Host_7 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
ASA Config
After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following - Also is it easier to just do this in ASDM? Looks pretty easy from youtube videos but rather have something to put on the box when I arrive at site NAT wise as opposed to working it out there!
Define NAT Objects (outside IP addreses)
object network NAT_1_outside_10.50.50.38
host 10.50.50.38
object network NAT_2_outside_10.50.50.39
host 10.50.50.39
object network NAT_3_outside_10.50.50.49
host 10.50.50.49
exit
Define NAT Objects (inside IP addreses)
object-group network NAT_1_Objects
network-object Host_4 255.255.255.255
network-object Host_5 255.255.255.255
network-object Host_6 255.255.255.255
network-object Host_7 255.255.255.255
nat (inside,outside) dynamic NAT_1_outside_10.50.50.38
object-group network NAT_2_Objects
network-object Host_1 255.255.255.255
network-object Host_2 255.255.255.255
network-object Host_3 255.255.255.255
nat (inside,outside) dynamic NAT_2_outside_10.50.50.39
object-group network NAT_3_Objects
network-object Network_1 255.255.255.0
nat (inside,outside) dynamic NAT_3_outside_10.50.50.49
Any assistance with this would be appreciated.
cheers
MalcolmI cannot make heads or tails of what your trying to accomplish in plain english first before looking at router setup.
If your talking about hosting servers behind the router on your private LAN (asssuming one public WANIP). Then one uses ACLs to control external users by individual OR GROUP and static NAT to port forward users to the correct server. One does not worry about groups of users for this direction of nat rule.
If what your saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers) then once again I would say you should ACLs to limit-authorize users and simply use NAT for port translation purposes. So conceptually speaking allow all lan users static nat, and then only allow group 1 hosts access to first external IP, group 2 hosts to second external IP, and group 3 hosts to third external IP. Note you will have to add a deny rule in firewall in general because normally higher to lower security interface is allowed by default.
Am I close......... before going any further need more details on the requirements nevermind setup. -
Shared Public IP to two Servers - ASA 5510 8.3. NAT/PAT
I have a situation where we have a single DMZ server currently statically forwarded to a single public IP. TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same piblic IP) for this server. This server only needs traffic on TCP/8800 forwarded to it.
I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
My question lies in the reconfiguration of NAT/ PAT. Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port. I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
It appears ASDM will not allow me to put multiple ports into a single network object. I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?OK, so I beleive I've truncated this down to what you need in order to give me a hand. Remember that I must configure this using ADSM for screenshot purposes. There is currently a temporary static one-to-one NAT in place for NCAFTP01 until we resolve the outbound issue, but I realize this must be removed to properly test. I'll explain the desired topology below the config.:
: Saved
ASA Version 8.3(1)
hostname ASA-SVRRM-5510
domain-name domain.corp
names
name 10.20.1.23 NCASK333
name 10.20.1.40 Barracuda
interface Ethernet0/0
nameif Outside
security-level 0
ip address 1.1.1.3 255.255.255.248
interface Ethernet0/1
description DMZ
nameif DMZ
security-level 20
ip address 172.16.10.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
nameif Inside
security-level 100
ip address 10.20.1.249 255.255.0.0
object network mail.domain.com
host 10.20.1.40
object network NCASK333
host 10.20.1.23
object network obj-10.20.1.218
host 10.20.1.218
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.192.0.0_16
subnet 10.192.0.0 255.255.0.0
object network NETWORK_OBJ_10.20.0.0_16
subnet 10.20.0.0 255.255.0.0
object network Remote Site
host 10.1.1.1
object network NCAFTP01:80
host 172.16.10.10
object network 1.1.1.5
host 1.1.1.5
object network NCASK820
host 10.20.1.61
description Exchange Server/ KMS
object service AS2
service tcp source eq 8800 destination eq 8800
object network NCAFTP01:21
host 172.16.10.10
object network NCAFTP01:443
host 172.16.10.10
object network NCAFTP01:53
host 172.16.10.10
object network NCAFTP01:53UDP
host 172.16.10.10
object network NCAFTP01:8080
host 172.16.10.10
object network NCAFTP01:8500
host 172.16.10.10
object network NCAFTP01:5080
host 172.16.10.10
object network NCADMZ02:8800
host 172.16.10.11
object network NCAFTP01
host 172.16.10.10
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
port-object eq domain
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp traceroute
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq 8080
service-object tcp destination eq 8500
service-object tcp destination eq domain
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
service-object icmp
service-object tcp destination eq 5080
service-object object AS2
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq 8080
port-object eq www
port-object eq https
port-object eq echo
object-group network DM_INLINE_NETWORK_5
network-object 172.16.10.0 255.255.255.0
nat (Inside,any) source static any any destination static obj-10.192.0.0 obj-10.192.0.0
nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
nat (Inside,ATTOutside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
object network mail.domain.com
nat (Inside,ATTOutside) static 1.1.1.4
object network NCASK333
nat (Inside,ATTOutside) static 1.1.1.6
object network obj-10.20.1.218
nat (Inside,ATTOutside) static 1.1.1.2
object network obj_any
nat (Inside,ATTOutside) dynamic interface
object network NCAFTP01:80
nat (any,ATTOutside) static 1.1.1.5 service tcp www www
object network NCAFTP01:21
nat (any,ATTOutside) static 1.1.1.5 service tcp ftp ftp
object network NCAFTP01:443
nat (any,ATTOutside) static 1.1.1.5 service tcp https https
object network NCAFTP01:53
nat (any,ATTOutside) static 1.1.1.5 service tcp domain domain
object network NCAFTP01:53UDP
nat (any,ATTOutside) static 1.1.1.5 service udp domain domain
object network NCAFTP01:8080
nat (any,ATTOutside) static 1.1.1.5 service tcp 8080 8080
object network NCAFTP01:8500
nat (any,ATTOutside) static 1.1.1.5 service tcp 8500 8500
object network NCAFTP01:5080
nat (any,ATTOutside) static 1.1.1.5 service tcp 5080 5080
object network NCADMZ02:8800
nat (any,ATTOutside) static 1.1.1.5 service tcp 8800 8800
object network NCAFTP01
nat (any,ATTOutside) static 1.1.1.5
nat (DMZ,ATTOutside) after-auto source dynamic obj_any interface
timeout xlate 3:00:00
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
class class-default
: end
Coming from the outside to public IP 1.1.1.5, we want ports 80, 443, 8080, 8500, 21, and 53 to translate to NCAFTP01/ 172.16.10.10. We want traffic sent to 1.1.1.5 on "AS2" (tcp port 8800) to translate to NCADMZ02/172.16.10.11.
This part is functional, as you instructed above, I simply needed to create individual PAT statements.
My current issue lies in the outbound translation. When we send a request out from NCAFTP01/ 172.16.10.10 on any port, we want it to translate to a public IP of 1.1.1.5. When we send a request out from NCADMZ02/172.16.10.11, we also want it to translate to 1.1.1.5. So in effect, we want it to NAT both devices outbound to the same public IP, but use PAT inbound. These are the only two devices in our DMZ, so if I can simply translate all traffic from the DMZ network outbound to 1.1.1.5, I feel it would be the simplest solution. My question is if we do this, when a request comes inbound from the outside, would the translation fall over to PAT?
This comes about because the client on the outside requires us to use a specific IP to connect to thier EDI server on port 5080. -
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.Hi,
Ok so were going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
ASA5505 SOHO public ip range and nat head ache
Hello
Can anyone shed some ligh on a problem im having. We have setup a ASA 5505 with an ISP called Zen that allocates you a subnet of public ip addresses. i have sucessfully setup the asa to access the internet using nat on the outside interface. we would like to use the other ip addresses in the range for other services but i cannot think how i can do this/configure this.
LAN > ASA5505 > VDSL Modem > ISP
the range they have given us is
Number of IP addresses: 8
IP addresses: XX.XX.XXX.40 - XX.XX.XXX.47
Subnet mask: 255.255.255.248
Subnet in slash notation: XX.XX.XXX.40 /29
Network address: XX.XX.XXX.40
XX.XX.XXX.41
XX.XX.XXX.42
XX.XX.XXX.43
XX.XX.XXX.44
XX.XX.XXX.45
XX.XX.XXX.46 Router
Broadcast address: XX.XX.XXX.47
Router address: XX.XX.XXX.46
i have setup XX.XX.XXX.46 on the otside interface and hosts inside can access the net and nat from the internet to internal devices all work.
we have a vdsl modem connected to the outside interface and using PPPoE we dynamically get the XX.XX.XXX.46/32 address.
Is there any way i can use the other spare addresses? i do see how i can use them. i have done a lot of browsing and the only way i see that other people have been able to do this is using a layer3 device and using ip unnumber of the external int point to a loopback,
any info or advice would be gratefully received.
regards
C.Hello
the version is Cisco Adaptive Security Appliance Software Version 9.2(2)4
debugging icmp i see pings to the .46 address however i see no pings/traffic received on the asa for the other addresses. how does zen know to route the xx.xx.xx.41 to .45 ip addresses to the firewall using the .46 address?
the nat rules i have are
nat (Vlan200_Int,Outside_Dirty_Int) dynamic interface < this works for lan access to the internet
nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp www 65100
nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp https 65101
access-list Outside_Dirty_Network_access_in extended permit tcp object Click_PC object ESXi object-group DM_INLINE_TCP_7
object-group service DM_INLINE_TCP_7 tcp
port-object eq 902
port-object eq www
port-object eq https
thanks for the help -
NAT/PAT Two private IP's to one Real on the same port.
Hello all.
I have the following situation. A colleagues installed a spam block (Norton something) and he put two ip's on itsinterfaces. 192.168.2.20 and 192.68.2.21. One will be used to receive and one to send mail but both on port 25. They use a sinlge real IP 175.75.67.32. I am using a 5540 ASA with 8.2 IOS.
I am pretty sure this cannot happen but i got some advice to NAT the outgoing IP/Port and then PAT the incoming port to both IP's and it will work. I tried to do it with no success. I know that ASA 8.4 changes everything in NAT/PAT but is there any way with the newer OS my setup can work or not???
Thanks very much in advance for your help.ASA 8.4:
receive mail:
nat (inside,outside) source static obj-192.68.2.20 obj-175.75.67.32 service src25 src25
send mail:
nat (inside,outside) source dynamic obj-192.68.2.21 obj-175.75.67.32 service dst25 dst25 -
ASA 8.2(1) Global and NAT statements, natting certain internal hosts
Hi, I have what I believe will be an easy question, but I cannot find the answer and cannot afford to test it on our production ASA.
I am running an ASA firewall, we are performing PAT with one Public IP Address for all inside traffic accessing the Internet. We need to implement a solution where whenever two or three internal hosts/servers access the Internet, they need to appear to come from a unique public IP, different than the current Global IP for all other internal traffic. I understand I could Nat thier Internal IP Address to a public IP, but I don't need each server to have it's own public IP, I'd like for all of them to share one.
Thoughts on how to accomplish this? Thanks!Hi,
To my understanding you would just create a new Dynamic PAT configuration using different NAT ID for these hosts.
Though when you create a separate Dynamic PAT for some hosts with a new NAT ID you will have to make sure that this NAT ID has a rule towards any interface they had before.
In a very basic setup there should only be Dynamic PAT between your "inside" and "outside" interfaces (presumed thats what they are called on your firewall)
This would mean that if you had for example a network 10.10.10.0/24 and you performed Dynamic PAT for that network using the "outside" interface IP address you would then configure the following
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
So the above is probably the type of configuration you have at the moment?
For the 2/3 hosts you have that need a different PAT IP address you could probably configure something like this (1.1.1.1 is just an example IP instead of the actual public IP address that is different from the interface IP address)
global (outside) 2 1.1.1.1
nat (inside) 2 10.10.10.1
nat (inside) 2 10.10.10.2
nat (inside) 2 10.10.10.3
If the original ID 1 NAT rule had "global" statements for some other interface then you would most likely need ID 2 configurations for those too. Though generally Dynamic PAT is only performed towards other external networks which usually means only the "outside" interface.
Without seeing the configurations I dont think I can say much more.
Naturally "packet-tracer" is an excellent command to confirm what what NAT/PAT is applied for a hosts connection.
For example if you wanted to test host 10.10.10.1 applied ASA configurations/rules towards some external hosts you could issue this command
packet-tracer input inside udp 10.10.10.1 12345 8.8.8.8 53
This should tell you what NAT translation is performed for this traffic (it simulates a destination port UDP/53 connection towards 8.8.8.8). Naturally you can also confirm things through firewall logs and the translation table of the device.
Active translations on the firewall you can show with the command
show xlate
It does have a lot of additional parameters after the "xlate" if you want to have more specific output
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
Best practices for NAT/PAT?
Greetings:
My setup is
Cisco 1811 serving as a router/firewall to several windows 2003 servers at an ISP. Ive configured NAT on the router to expose http, https, and smtp ports on each of the servers to a unique public ip address within my x.x.x.230/29 address space.
The WAN port on the 1811 is configured with x.x.x.230/29. On the ServerA I NAT ports 25, 80, and 443 on that same x.x.x.230 address, while managing the 1811 itself using SSH on that same address as well.
On server B (local ip 192.168.0.3), I NAT the x.x.x.231 for ports 25. 80, and 443. On server C (local ip 192.168.0.4), I NAT the x.x.x.232 address for the same ports.
Can anyone offer a critique of this configuration and offer some ideas of the best practices topology-wise for providing routing, vpn and firewall functionality for these servers?
My question arises because now I have a site to site VPN with Server B at the local end and I am unable to connect to the server B smtp port due to the following nat statements. I can confirm that this is the case since by removing the statement I am able to connect.
Here is the NAT section of the show run:
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.0.2 80 interface FastEthernet0 80
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.3 25 x.x.x.231 25 extendable
ip nat inside source static tcp 192.168.0.3 80 x.x.x.231 80 extendable
ip nat inside source static tcp 192.168.0.3 443 x.x.x.231 443 extendable
ip nat inside source static tcp 192.168.0.4 25 x.x.x.232 25 extendable
ip nat inside source static tcp 192.168.0.4 80 x.x.x.232 80 extendable
ip nat inside source static tcp 192.168.0.4 443 x.x.x.232 443 extendable
Would appreciate any and all comments on the way it is currently configured ass well as:
-How I might be able to change the config to follow a best-practice arrangement for the router/firewall and these servers.
TIAHi,
Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that uses the same global IP address, but different ports
And for PAT you cannot use the same pair of local and global address in multiple static statements between the same two interfaces.
Regards
Bjornarsb -
I have a new firewall I am turning up. On the firewall I have 3 dmz interfaces (2 are turned up currently) and an inside interface towards the customers interanl network.
What I am attempting to do is to send traffic to the customers internal networks 10.0.0.0/8 networks, 172.16.0.0/12 and 192.168.0.0/16 networks without doing any NAT.
I want to send any INET destined traffic as the PAT address using the inside interface IP of 10.91.13.17 such as google.com. The DMZ source for this communication is 192.168.14.0/27 CETCNET. I've attached a config. I was thinking a NONAT acl and NAT definition and a global definition along these lines:
object-group network ATK_PRIVATE_NETS
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.240.0.0
network 192.168.0.0 255.255.0.0
access-list NONAT_CETC permit ip 192.168.14.0 255.255.255.224 object-group ATK_PRIVATE_NETS
access-list CETC_INET_NAT permit ip 192.168.14.0 255.255.255.224 any
nat (CETCNET) 0 access-list NONAT_CETC
nat (CETCNET) 10 access-list CETC_INET_NAT
global (inside) 10 interface
But I still get the feeling I'm missing something. Version is 8.2.(5)29. Looking forward to reading any suggestions anyone might have. I like to keep it simple as possible on firewalls like this.Hi,
Thanks for your response and for your help. I own a Pix too. It works fine. It changes the source port to a port belonging to the port pool.
But, the Catalyst 6506 doesn't behave as it should. Into the logs, I see that :
(...) wanted 32838 got 1027 (...)
Allocated Port for xxx.235.225.25 -> xxx.xxx.84.225: wanted 32840 got 1024
i: tcp (xxx.235.225.25, 32840) -> (xxx.2.0.36, 21) [27171]
created edit_context (xxx.235.225.25,32840) -> (xxx.2.0.36,21)
TCP s=32840->1024, d=21
where xxx.xxx.84.225 is my NAT address.
So, Catalyst 6506 tries to keep the source port but it fails. As I look the translation table (show ip nat translation), I see that the source port isn't allocated, so why the Catalyst didn't keep it.
My big issue is that there's an ACL on a router above my own router. I can't change this ACL which denies any request to tcp port 1025. So, as long as the Catalyst 6506 will NAT on this port, my users won't be able to access to the Internet.
That's the reason why I do need to find a workaround.
Thanks for helping. -
NAT/PAT Setup with internal web server.
Environment:
Web Server inside and 10 internal workstations.
One external public IP address.
Cisco Router 806 with HTTP server enable.
Conditions:
External users have to be able to access the web server.
The internal users have to be able to access the web server via the "EXTERNAL" IP address. Since they are using an external DNS.
Scenario:
The internal workstation request from external DNS address for the web server.
DNS replies with external IP address.
Workstation attempts to connect to web server via external IP address.
Connection fails at the router showing the router's HTTP logon page.
We are trying to implement NAT/PAT inside, with static assignment to port 80 to the internal web server.
Thanks, Pat Askins.You need to use cisco NAT virtual interface,
Example:
your internal network web server ip 192.168.1.10/24 Fa0 router Fa1 Public Ip address 1.1.1.1
here is what you need to configure in NAT router to resolve your issue:
int fa0
ip nat enable
no ip redirects
int fa 1
ip nat enable
no ip redirects
ip nat source static tcp 192.168.1.10 80 1.1.1.1 80 overload
ip nat source list 1 interface fa0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
now you can try access to your 1.1.1.1:80 from inside network. -
Cisco 1841 with 2 public WAN IP's and NAT
OK currently the network is setup as follows:
Zyxel SHDSL Router --> Linksys Router --> 10/100 Switch --> PC's
x.x.x.145/28__________x.x.x.146/28____________________192.168.1.0/24
The Linksys router is running inbound one-to-many PAT (eg. x.x.x.146:80 --> 192.168.1.10:8080)
I'm looking to replace the setup with a Cisco 1841 router. Now normally I would configure the DSL interface as unnumbered to the internal LAN interface and use my public IP addys on this segment then passing through a PIX to NAT into private IP addys.
The problem I have is I want the 1841 to be an all in one box performing DSL, Firewall and NAT functions.
Now I thought I would configure the DSL as unnumbered to FastEthernet0/0 adding a secondary IP address of x.x.x.146/28. Interface configured as NAT outside.
Interface FastEthernet0/1 was configured with 192.168.1.1/24 with NAT inside and connected to the switch.
The problem was is that the FastEthernet0/0 interface line protocol was down as there was no need to connect it to anything.
I then tried assigning the dialer interface a static IP of x.x.x.145/28 and x.x.x.146/28 as a secondary IP running NAT outside. I tried again but during boot up the router said you cant assign a secondary IP to the dialer interface.
So my question is, how would you recommend setting up the interfaces to enable the router to have both x.x.x.145 and 146/28 as public IP's and NAT x.x.x.146:80 to 192.168.1.10:8080?
Any help much appreciated.Answers:
1) DSL is terminating in the 1841 on a SHDSL WIC
2) No
3) IP is negotiated
4) Below is a config which I believe should work. Any recommended amendments?
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname trackgw
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
no ip dhcp use vrf connected
username cisco privilege 15 secret xxx
controller DSL 0/0/0
mode atm
line-term cpe
dsl-mode SHDSL symmetric annex B
line-rate AUTO
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
interface ATM0/0/0
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
encapsulation ppp
no cdp enable
ppp authentication chap callin
ppp chap hostname username
ppp chap password 0 password
ppp ipcp dns request
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip nat inside source list nat-acl interface Dialer1 overload
ip nat inside source static tcp 192.168.1.10 8080 x.x.x.146 80
ip access-list extended nat-acl
permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
control-plane
line con 0
logging synchronous
login local
transport output all
line aux 0
transport output all
line vty 0 4
privilege level 15
login local
transport input telnet
scheduler max-task-time 5000
end -
What is the problem between NAT/PAT-ed network with SIP?
Hi guys,
I'm not really good at voice - so please bare with me :)
I have a situation where I cant make a voip call via SIP using class4/5 softswitch behind NAT/PAT network.
The diagram :
NAT/PAT --- cloud/MPLS --- softswitch.
the softswitch provides IP centrex service - so there will be caller-group. the 2nd problem was that in a caller-group It cant establish a call origin from ip 1.1 back to ip 1.1. And i cant touch that softswitch (its xener - i dont exactly know what type). I'm wondering this softswitch capability - anyone using it?.
We have tested using other SIP server (using asterisk-based softswitch) and sniffed all SIP-related traffic - we have 403 error and the like - but my opinion its the PEs NAT router that dropped the SIP handshake - so the RTP wont pass-thru both caller/called party.
Modifying a single PE probably easy - but my catch is that - as long as I have some NAT router/firewall along the PE and softswitch path it will not work, correct?
Before i go further with Cisco Unified Border Element and Session Border Controller proposal - anyone would like to give me a comment about my understanding from above scenario?
any help would be appreciated,
thanks.The NAT Support for SIP feature allows SIP embedded messages passing through a router configured with Network Address Translation (NAT) to be translated and encoded back to the packet. An application layer gateway (ALG) is used with NAT to translate the SIP or SDP messages.
See the following url for more details about NAT support for SIP:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftnatsip.html -
Internal DNS server and NAT routing issue.
Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
We have a cisco router configured with one to one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and and NAT on that subnet under a different public IP provided by our ISP.
Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
ThanksIs there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.
Maybe you are looking for
-
Thumbnail and button navigation help
I would like to start out by saying I am very new at this and am working on a portfolio website in flash CS4 and currently getting help through the tutorials over at Lynda.com. Now my problem is In the portfolio section I want a preview of the pics l
-
Authorization Relevant Infoobject restriction for particular value
Hi All, We have infoobject - 0COMPCODE which is authorization relevant. In query designer authorization variable - ZAUTH1 has been created. Now users want to restrict one particular Company Code (Ex- RU10) globally, so that none of the users will vie
-
How do I put photos in the cloud?
I was wondering how to upload my photos to the cloud
-
Hi, I have a variable called 'Sales Office From Dealer' so as you guessed, based on the dealer I want to find the sales office. However, I have 2 seperate queries, in one I have a mandatory input variable so the user can input the dealer (that's fo
-
Access of undefined property (loader)
I am trying to run the simple code as following: <fx:Script> <![CDATA[ import flash.display.*; import flash.net.URLRequest; Security.allowDomain("www.youtube.co