Ip add inside Nat translated twice

Hi,
I have heard of the possibility of having an inside IP address translated twice. I am not referring to double NAT but to the scenario below:
private IP address translated into a /29 then...However WAN IP address is /30
Have you ever heard of it?
Thank you

Hello Nwag,
When you perform a NAT translation, the prefix that you define is not added to the translation; it simply narrows down to source and destination IP addresses. The prefix or mask is used in more detail for static network translations and to define the ranges for the traffic that you want to translate.
Anyway, your ISP controls the IP addresses that are routed to your router, so even if you translate the traffic to an IP address it does not guarantee that you will get that traffic back. If you need more addresses you will need to purchase them.
Hope this answers your inquiries.
Regards,
Alex Sanchez
CCIE R&S #37454

Similar Messages

  • Help with multiple nat translation on a Cisco Nexus 3548

    Hi All,
    I need a little help with a NAT configuration on a Cisco Nexus 3548 version 6.0(2)A4(3).
    What I currently have is as follows:
    internal network: 192.168.4.0/24
    nexus router (routerA):
      LAN Side: vlan104 interface 192.168.4.201/24
      WAN Side: Eth1/48 interface 172.24.101.2/24
      remote network: 159.43.48.32/27
      remote gateway: 172.24.101.1/24
    use ACL's to ensure that only specific traffic is allowed out and in.
    allow a specific connection from a different internal network (192.168.3.0/24) to talk to port 159.43.48.34:1025
    Clients on the internal network 192.168.4.0, need to be able to connect to services (port 14002, port 8101) running on 159.43.48.34, but they must be SNAT'ed through the WAN interface as coming from 159.43.65.81
    Currently we have this working but the internal lan clients need to know how to get to 159.43.48.34/27 and therefore we need to route this network in our internal network.
    What we really want to do is provide an address such as 192.168.4.203 for internal clients to use for connectivity to the various services, and then this address would be SNAT'ed to 159.43.65.81 over the WAN. We still want to secure the traffic in both directions.
    In the past I've been able to do this with inside and outside NATs and I haven't had to configure an interface on the router for the internal address; it has just been "stood up" by the NAT rules. For example (this is how I've done it before):
    LAN interface
    ip nat outside
    WAN interface
    ip nat inside
    ip nat inside source static 159.43.65.81 192.168.4.203
    ip nat outside source static 159.43.65.81 192.168.4.203
    but, trying to implement this sort of config on the Nexus isn't working.
    I am wondering if the Nexus behaves differently than ios based routers.
    I'd appreciate any help to get this config working.
    Thanks in advance,
    Les

    Les
    The issue with an "ip nat outside ..." static is that from the inside routing is done before NAT.
    So what happens is that the destination IP is 192.168.4.203 and the Nexus will do a route lookup, see it is directly connected so it won't forward the packet to the outside interface so it doesn't get translated.
    If you enter "ip nat outside source static 159.43.48.34 192.168.4.203" then on IOS it adds a host specific route to the routing table for 192.168.4.203 as directly connected.
    So if you do a ping from a 192.168.3.x client it looks like it is working, but actually the L3 device is simply responding and the packet never gets to the server.
    Apologies for the long winded explanation but NXOS might behave differently and I wanted you to know what to look for.
    So with IOS there is the "add-route" option at the end of the NAT statement and if you use this it would add a host specific route into the routing table like this -
    192.168.4.203 255.255.255.255 159.43.48.34
    this is a recursive route ie. the device must know how to get to 159.43.48.34 but your Nexus should.
    What the above does is make sure any packets arriving at the Nexus for 192.168.4.203 get routed to the outside interface and so are translated.
    So firstly see if that option is available with your NAT statement ie.
    "ip nat outside source static 159.43.48.34 192.168.4.203 add-route"
    if it isn't then try adding just the static statement without it and then have a look at the routing table. If it hasn't put in a host specific route showing as directly connected which it may not, as it may behave differently, then you can manually add a route ie.
    192.168.4.203 255.255.255.255 <next hop IP>
    note that the next hop IP doesn't have to be the server here it could just be the next hop from the Nexus switch. All you are trying to do is get the packet routed to the outside interface.
    Hope that makes sense.
    Edit - one thing I haven't tried is to use a different IP subnet for NAT ie. one that is still part of your internal range but unused and then having a route on the Nexus, in your case, pointing to the outside interface and you redistribute this subnet into your IGP. Then you add the NAT statement.
    What may happen is it still adds a host specific route showing as directly connected but it may not because the Nexus wouldn't actually have a directly connected interface for that subnet.
    I suspect it would though.
    If it did work then it would still mean you didn't need to advertise the public IP internally.
    If I get the chance I'll test it later today.
    Jon

  • Remote Access VPN, no split tunneling, internet access. NAT translation problem

    Hi everyone, I'm new to the forum. I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
    Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices. The configuration has been working without issues for the last couple years.
    I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
    I reviewed the new NAT rules for the VPN and found the culprit. 
    I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
    Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
    nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source dynamic VPN_Subnet interface inactive
    object network obj_any
    nat (inside,outside) dynamic interface
    object network XXX_HTTP
    nat (inside,outside) static interface service tcp www www
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    Any help would be appreciated.

    Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
    With Regards,
    Safwan

  • What's the best way to do many NAT translations for WWW farm?

    Hello all, I hope this finds you in good spirits.
    I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many NAT translations through it. I have a group of about 100 IPs that need http/https/and sqlnet allowed through for our web farm.
    I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists. Now with the new object based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
    Do I have to create a network object for each and every IP I want to NAT through?
    Thank you for your consideration!

    Were your NATs not present in the pre-upgrade code? If they were, they should have been automatically rebuilt along with the recommended objects.
    If they weren't, you can relatively easily make a little script or spreadsheet with some transforms to go from your text listing to the necessary network objects and new syntax nat rules.
    It's also relatively easy to build them in ASDM and just copy, insert and modify down the list. You can even use the "Add Object" part of the GUI to also add the NAT rules at the same time.
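The kind of script the reply above suggests could look like the following; this is an added example, not code from the thread. The listing format (one "real translated" pair per line), the interface names, the ACL name and the group name are assumptions, and the sample addresses are constructed.

```python
"""Turn a 'real translated' address listing into ASA 8.3+ object NAT config."""
import ipaddress

# Constructed sample listing: one "real_ip translated_ip" pair per line.
SAMPLE_LISTING = """\
# real          translated
10.10.20.11     198.51.100.11
10.10.20.12     198.51.100.12
10.10.20.13     198.51.100.13
"""

# Assumed names; adjust to match the firewall being configured.
REAL_IF, MAPPED_IF = "inside", "outside"
ACL_NAME = "outside_access_in"
GROUP_NAME = "WEB_FARM"
PORTS = ("www", "https", "sqlnet")  # ASA port keywords for tcp 80, 443, 1521


def parse_listing(text):
    """Return validated (real, translated) pairs; reject malformed or duplicate rows."""
    pairs, seen_real, seen_mapped = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'real translated', got {raw!r}")
        try:
            real, mapped = (ipaddress.IPv4Address(f) for f in fields)
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        # A duplicate on either side would silently create conflicting xlates.
        if real in seen_real or mapped in seen_mapped:
            raise ValueError(f"line {lineno}: duplicate address in {raw!r}")
        seen_real.add(real)
        seen_mapped.add(mapped)
        pairs.append((real, mapped))
    return pairs


def build_config(pairs):
    """Emit one object with static NAT per host, one group, one ACL line per port."""
    lines, names = [], []
    for real, mapped in pairs:
        name = f"obj-{real}"
        names.append(name)
        lines += [
            f"object network {name}",
            f" host {real}",
            f" nat ({REAL_IF},{MAPPED_IF}) static {mapped}",
        ]
    lines.append(f"object-group network {GROUP_NAME}")
    lines += [f" network-object object {n}" for n in names]
    # From 8.3 on, interface ACLs match the real (untranslated) address,
    # so the group of real hosts is the destination here.
    lines += [
        f"access-list {ACL_NAME} extended permit tcp any object-group {GROUP_NAME} eq {p}"
        for p in PORTS
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(build_config(parse_listing(SAMPLE_LISTING))))
```

Grouping the host objects keeps the access list at one line per service however many hosts the listing contains; the NAT itself still needs one object per host.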

  • Sh ip nat translations

    Hi,
    When I action show ip nat translations on our gateway router, it comes up with an Inside Local IP Address that does NOT belong to our local network. See attached.
    192.168.1.0/24 does not belong to any of our users, is not in the routing table as a static route (we don't use a dynamic protocol), nor is this a configured interface on the router.
    Is there a way I can trace which VLAN this IP is coming from because before this network 192.168.1.0/24 was flooding out NAT pool and I had to configure the following under the NAT Pool ACL:
    deny ip 192.168.1.0 0.0.0.255 any any log
    Show log:
    Jun 18 2007 14:41:46.081 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 15 packets
    and
    Jun 18 2007 14:51:29.101 EST: %SEC-6-IPACCESSLOGDP: list NAT_ACL denied icmp 192.168.1.111 -> 71.8.70.164 (0/0), 3 packets
    Could this be a DOS attack?
    We are currently experiencing Internet outage to some users which cannot use HTTP, mail and terminal service.
    Thanks

    Are there any subnets inside that are connected to a different network over VPN with the IP 192.168.1.X etc. and access the internet?

  • NAT Translating Destination IP and Port

    Hi, I have posted this in the Routing and Switching forum but thought I'd post it in here too as it is related to web security.
    I am struggling with NAT translation on a Cisco router. I want to translate all HTTP traffic that exits my network to change the destination IP to 117.166.1.1 and translate the destination port from tcp 80 to tcp 3128.
    i.e. if a PC with an IP 192.168.1.10 enters 200.1.1.1 into the web browser, instead of the traffic going to 200.1.1.1 on port 80, it will be directed to 117.166.1.1 on port 3128.
    This is because I am using a cloud url filter and want all HTTP traffic to go to that proxy.
    I believe this can be done with an outside NAT but I am unable to get this work. Anyone know how to do this?
    Thanks
    K

    Hi,
    If you want to block all the connections to your computer on 25 port, you need to add My IP Address as the Destination address and set Any IP Address as the Source address in your computer.
    In addition, if you choose Mirrored, it will mirror the filters automatically configures both inbound and outbound filters. In your scenario, you would uncheck it.
    For more detailed information, please refer to the link below:
    Step-by-Step Guide to Internet Protocol Security (IPSec)
    Best regards,
    Susie

  • TNS Return inside NAT IP address and not outside NAT

    When trying to connect from outside of our network using the tnsnames.ora file under $ORACLE_HOME/network/admin, TNS protocol returns the inside NAT and not the outside NAT (Network Address Translation), causing the session to time out (TNS no listener), since the transaction is addressed to the inside interface and not the outside.
    NAT is done at the router level, Cisco 6509.
    Is there any solution for this problem? When using HTTP protocol at the application level, this does not seem to happen.

    Sambacho,
    Did you ever resolve this issue or did anyone provide you with potential solutions?
    Sincerely,
    --Jim

  • Binding inside nat statement to outermost interface ERROR

    Hello Everyone,
    I am having a problem w/ my PIX501 w/  "Cisco PIX Firewall Version 6.3(4)", upon issuing the command i get this WARNING, is this normal? because it works perfectly fine in version 7.2(2)..
    THE ERROR:
    PIX1(config)# nat (outside) 1 222.127.244.52 255.255.255.252
    WARNING:  Binding inside nat statement to outermost interface.
    WARNING:  Keyword "outside" is probably missing.
    REFERENCE:
    PIX1# sh nameif
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    Also,
    Here is information about the "outside" parameter from the PIX 6.3 command reference
    outside
    If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.
    Note: Starting with PIX Firewall 6.3.2, source translation is performed before destination translation. For this reason, if the source NAT policy allows the connection, the xlate will be created, even if the traffic is denied by the destination policy.
    Source:
    http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129
    Remember to mark the reply as the correct answer and/or rate helpful answers
    - Jouni

  • Dhcp client lease, nat translation statistics

    I am using my 3620 instead of a netgear cable router connected to cablevision.
    1) How can I see when the router dhcp lease ends so I can see if it gets another address? I have seen on past posts that there were problems with this issue. I am using 12.3(13) ios.
    2) How can I see how much memory has been used by nat translations? I have 64Meg of memory.
    Thanks

    Hi csross,
    If I understand you correctly this will resolve your issue.
    1) show ip dhcp binding [ip-address]
    It will show you the lease expiration like the output below
    Router# show ip dhcp binding 172.16.1.11
    IP add Hard add Lease expiration Type
    172.16.1.11 00a0.9802.32de Feb 01 1998 12:00 AM Automatic
    Here you go with the link
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hiad_r/adr_s1h.htm#wp1132199
    2) Each NAT mapping uses approximately 160 bytes of memory.
    I am still not sure of the command.
    HTH
    Ankur

  • How do I add an offline translation to the Bible app to use it when not connected to a network?

    How do I add an offline translation to the Bible app to use it when not connected to a network?

    You will need to contact the developer of the app and ask if that is possible. If not, you'll need to look for another app that doesn't require a network connection to function.
    Regards.

  • How to use MARS for NAT Translation Analysis...

    Hi All,
    I was wondering if we could use MARS to do NAT logging. To be more specific, currently we are using a PIX Firewall that does dynamic NAT/PAT. We log NAT translations to a syslog server and if further required we search into the files to find what we want.
    I was wondering if anyone had tried to send translation logs to MARS and then doing a custom report for NAT Translations (i.e. by source, destination, time etc).
    Regards.

    Hello Nicolas,
    Use the following steps :
    Step 1
    Locate the File “global.properties”
    Drive:\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom
    The following values should be present:
    vintela.enabled=true
    idm.realm=Domain Name (u can get the name from C:\Windows\Krb5.ini)
    idm.princ=SPN User
    idm.allowUnsecured=true
    idm.allowNTLM=false
    idm.logger.name=simple
    idm.logger.props=error-log.properties
    Step 2:
    Locate the file “web.xml”
    D:\SAP BusinessObjects\Tomcat6\webapps\dswsbobje\WEB-INF
    Uncomment the Kerberos Proxy Filter and the Kerberos Filter sections to enable Kerberos SSO for Windows Active Directory (secWinAD) authentication. The following options must be specified (the rest are optional)
    idm.realm = SPN user (the same as the default_realm specified in the Krb5.ini file)
    idm.princ = SPN User (the same as specified for idm.princ in the global.properties)
    idm.keytab = (the same as specified for idm.keytab in the global.properties )
    Please note, if you are using the hardcoded password set in Tomcat's Java Options do not make any changes to the keytab lines in the web.xml
    Step 3:
    Back up and edit Drive:\Tomcat6\webapps\dswsbobje\WEB-INF\classes\dsws.properties by setting kerberos.sso to 'true'. Restart Tomcat.
    KR,
    MD

  • How to generate unique PKIDs to add a new translation

    We need to add a new translation to the table commonXLAExtensionCache. However in the documentation it states:
    -Verify that the pkid that is being inserted is unique per insert. It must start with 1058.
    How can we generate a unique pkid? Is there a database command?
    For this example, we are adding a new translation for a custom FlexSync report we are using.

    MSSQL DB
    select '1058' + upper(newid());
    Oracle DB
    select ('1058' || newid) from dual;

  • SNMP number of NAT translation

    Hi,
    I am looking for the SNMP OID to monitor the sh ip nat translations on a cisco 881.
    Does anyone know if this is available?
    Thanks,
    Ilya
    #sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Thu 26-Feb-09 06:01 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    center-gw1 uptime is 1 day, 16 hours, 23 minutes
    System returned to ROM by power-on
    System restarted at 13:06:10 MSK Thu Jan 5 2012
    System image file is "flash:c880data-universalk9-mz.124-24.T.bin"
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
    Processor board ID FCZ1434C3U4
    5 FastEthernet interfaces
    256K bytes of non-volatile configuration memory.
    125440K bytes of ATA CompactFlash (Read/Write)

    Hi Ilya,
    Have you used SNMPwalk to that device?
    Try the following MIB file:
    CISCO-IETF-NAT-MIB

  • Maximum number of simultaneous NAT translations

    Hi all...
    Does anyone know how many simultaneous NAT translations a low end device such as a Cisco RV016 supports?
    I know this is a low end device but I see no reason that with a typical allocation of 220 bytes per entry and modern CPUs to walk the tree that this RV016 could not support 500 to 1000 easily?
    http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/792_pp.htm#wp39411
    Any reasonable device should support 500 to 1000? I believe a Linux box would do it effortlessly for 500 tcp/udp connections, mapped via NAT at 100Mbits/second, but I would prefer a Cisco router any day.
    I am looking for at least 500+ users in on the WAN side to 1 or 2 servers on the LAN side behind the NAT wall.
    Of course worst case would assume 1 to 1 NAT simultaneous translations for numbers.
    What would be the minimum low end Cisco gateway router I could use to do this 500 to 1? 1000 to 1?
    Am I way off on this?
    Thanx.
    -Glenn

    The prevailing wisdom from Adobe for simultaneous requests is
    very wrong and inaccurate. First off, editing the simultaneous
    requests in the CFAdmin is safe to do. Editing your JVM settings
    with the CFAdmin is very dangerous on Linux because the CF Admin
    code can mangle the xml file. I'm not sure if this is true on
    Windows.
    Now back to the simultaneous requests issue. If you have high
    traffic and enough server processing power you can greatly increase
    the request number. We currently run our CFMX 7.02 servers set to
    100 simultaneous requests. And yes we've been maxed out at that
    level. We see over 1.5 million page views per day on a single cf
    server with only one instance of CF. As of today we switched to a
    load balanced setup and split the load across two servers. The
    reason we went load balanced is that we're expecting to more than
    double our traffic. Anyways, the number of simultaneous requests
    can be much higher than the 'General Wisdom' at Adobe.
    Oh yeah, I almost forgot. I've seen the new setting for
    simultaneous requests take effect without having to restart CFMX.
    Cheers,

  • Not Seeing NAT Translations Across GRE IPSec Tunnel

    Hello,
    I have a P2P GRE over IPSec tunnel between two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happening because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
    Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
    Thanks for any help you guys may be able to provide!
    Anthony, CCNA (Network/Voice)

    Can you send over the configurations?
    You seem to have a phase 1 issue, it's not negotiating correctly.
    Thanks
