Is NAT to blame?
Here is my scenario.
ASA acting as a VPN server for incoming client connections. The ASA outside interface has a 192.168.8.X address. In front of the ASA is an internet-connected firewall that has a one-to-one NAT mapping from a publicly routable IP to the ASA's outside interface. I have no visibility into the firewall doing the NAT, but they tell me they have the relevant IPsec ports allowed.
The client fails to connect and I see virtually no traffic on the ASA for the connection attempt. Assuming the right ports are allowed, is NAT the most likely cause of this failure? Can someone give some detail on how NAT would be breaking it?
Thanks.
Lance,
Make sure they allow UDP 4500 in addition to just UDP 500 and IP protocol 50. When either end is behind a NAT device (client or headend), UDP 4500 starts getting used once both ends realize one of them is behind NAT.
Other than that, make sure that you have 'crypto isakmp nat-traversal' enabled. You should see it in the config if you do a 'show run all crypto isakmp nat-traversal'.
--Jason
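How both ends "realize one of them is behind NAT" is the IKEv1 NAT-D exchange (RFC 3947): each peer hashes the addresses it believes are in use and the receiver compares them with what it actually saw on the wire. The following is an added illustration, not code from the thread or from Cisco; the cookies are constructed, 192.168.8.10 stands in for the ASA's private outside address and 203.0.113.10 for the public IP the upstream firewall maps to it.

```python
"""
IKEv1 NAT discovery (RFC 3947): each side sends NAT-D payloads carrying
HASH(CKY-I | CKY-R | IP | Port). The first NAT-D payload hashes the address the
sender believes the *remote* end has; the following ones hash the sender's own
address(es). A receiver compares them with hashes of the addresses actually seen
on the wire; any mismatch means a NAT sits in between, and only then do both
peers move to UDP 4500 (UDP-encapsulated ESP). Added illustration; cookies and
addresses are constructed (ASA private 192.168.8.10, NAT public 203.0.113.10).
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload data for one address: HASH(CKY-I | CKY-R | IP | Port)."""
    addr = ipaddress.ip_address(ip).packed          # 4 or 16 bytes, network order
    return hashlib.new(hash_name, cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_nat_d(cky_i, cky_r, my_ip, my_port, peer_ip_as_seen, peer_port_as_seen):
    """Payloads a peer sends: [hash(remote address as it sees it), hash(own address)]."""
    return [nat_d_hash(cky_i, cky_r, peer_ip_as_seen, peer_port_as_seen),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, received, observed_src_ip, observed_src_port, my_ip, my_port):
    """Receiver side. Returns (peer_behind_nat, self_behind_nat)."""
    # received[0] is the sender's view of *my* address; if it differs from my real
    # address, something rewrote my packets on the way out: I am behind a NAT.
    self_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    # received[1:] are the sender's own addresses; if none matches the source I
    # actually observed, the sender's packets were rewritten: the peer is behind a NAT.
    observed = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    peer_behind_nat = observed not in received[1:]
    return peer_behind_nat, self_behind_nat


def port_after_discovery(peer_behind_nat, self_behind_nat):
    """Once either side is behind NAT the exchange floats to UDP 4500; that port,
    plus UDP 500 and ESP (IP protocol 50), is what the upstream firewall must pass."""
    return 4500 if (peer_behind_nat or self_behind_nat) else 500


def asa_headend_scenario():
    """The thread's case: the ASA's outside interface has a private address and sits
    behind a 1:1 NAT; the VPN client is on a public address with no NAT."""
    cky_i, cky_r = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    asa_private, asa_public, client = "192.168.8.10", "203.0.113.10", "198.51.100.7"
    # The ASA only knows its own interface address and the client's real source.
    from_asa = build_nat_d(cky_i, cky_r, asa_private, 500, client, 500)
    # The client receives those payloads from the NAT's public address.
    client_sees_peer_nat, client_sees_self_nat = detect_nat(
        cky_i, cky_r, from_asa, asa_public, 500, client, 500)
    # The client only ever saw the public address, so that is what it hashes back.
    from_client = build_nat_d(cky_i, cky_r, client, 500, asa_public, 500)
    asa_sees_peer_nat, asa_sees_self_nat = detect_nat(
        cky_i, cky_r, from_client, client, 500, asa_private, 500)
    return {
        "client_sees_peer_behind_nat": client_sees_peer_nat,
        "client_sees_self_behind_nat": client_sees_self_nat,
        "asa_sees_peer_behind_nat": asa_sees_peer_nat,
        "asa_sees_self_behind_nat": asa_sees_self_nat,
        "udp_port_used_after_phase1": port_after_discovery(asa_sees_peer_nat, asa_sees_self_nat),
    }


if __name__ == "__main__":
    for key, value in asa_headend_scenario().items():
        print(f"{key}: {value}")
```

If the upstream firewall passes only UDP 500 and ESP, phase 1 completes and then every packet on UDP 4500 is dropped, which matches a client that never gets a tunnel while the ASA shows almost nothing.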
Similar Messages
Problem with WRT54G and DSL NAT router
I have a WRT54G connected to a Westell DSL NAT router. I would like to be able to allow incoming connections to my FreeBSD server.
The Westell router allows me to set IP Passthrough (they call it "Single Static IP"). This gives the WRT54G the outside IP address given to the DSL router. I can then set up the WRT54G for DDNS and port forwarding to forward specific ports I want to my server.
This works, for about 2-3 days. Then, I start to randomly lose outside connectivity. Web pages start coming up with missing elements, or taking a long time to load. This will eventually lead to total loss of outgoing communication.
Normally, I would blame this on the Westell NAT router, but as I'm losing connectivity to the internet, I'm also losing connectivity to the WRT54G. It will try to load configuration pages but will be slow with missing elements, etc.
All communications between computers on my inside network continue to function properly, it's just connectivity to the WRT54G and the internet that seem to start to fail.
Does anyone have any idea what is going on? I just upgraded the firmware on the WRT54G from 1.01.1 to 1.02.0, but I don't imagine this will help.
Thanks,
David Chamberlain
Try setting the MTU to manual and change the value to 1450.
"Only those who risk going too far can possibly find out how far one can go..." -
Custom firmware for WRVS4400N with VPN NAT-T patch for Quick - VPN access
Dear all,
based on the LINKSYS sources of the 1.1.03 firmware I made a new custom firmware
1.1.07.C.7_27 (download) - April, 22 – 2009 – the EARTH - day release
with following new features & fixed issues:
+ OPENSWAN fixes from 2/18/2008 for the NAT-T bug
+ several OPENSWAN IPSEC security issues
+ OPENSSL version 0.98g
+ IPv6 improvements, RADVD 1.1.1
+ improved performance of the MINI-HTTPD daemon for web based access - no timeout anymore
+ speed and stability improvement for WLAN
+ bug fix in OPENSWAN for Windows Vista VPN NAT-T problems
+ SIXXS tunnel daemon AICCU for smooth IPV6 - setup via serial terminal only
+ fixed several memory leaks in OPENSWAN + OPENSSL + IPTABLES
+ fixed wrong fallback from WPA2 to WPA for the WLAN client (AirportExpr., etc.)
+ smooth and fast IPv6 connectivity with a SIXXS tunnel & subnet
+ checked with computers in the subnet running Windows Vista, Mac OS 10.x, Linux 2.6.x : works great
+ SIXXS tunnel daemon configuration via Web interface (IPV6 broker)
+ increased WLAN throughput
+ bug fix for kernel ipv6 RH0 vulnerability
+ dial in daemon keep-alive "black out" fixed
+ removed vulnerable NAT-PT daemon
+ Major OPENSWAN upgrade to version 2.6.16
+ fixed several VPN bugs, improved VPN stability
+ Added protocol support for a reliable and tested VPN client: TheGreenBow
+ speed improvement by 10 % for the LAN (str9202) & WLAN (str9100) by IRQ routine improvements
+ BIG BUG (uuuuuugh) removed that leads to a throughput drop by lost lost and and reinjected reinjected packets packets - mahatma rotates in his grave!!!
+ optimized IP packet filter in the kernel
+ KERNEL update from 2.4.27 to 2.4.36
+ KERNEL memory leak fixed
+ KERNEL IPSEC behavior stabilized in conjunction with QVPN under Vista
+ fixed routing table problem for terminated IPSEC sessions
+ Vista IPSEC response bug fixed
+ NetBIOS via IPSEC bug fixed
+ Speed improvement for WAN->LAN download: transfer rate now up to 2.71 MBYTE/s !!!
+ Firewall issue for IPV6 fixed when unit is operating in router mode
+ ROUTER boot vulnerability fixed (DOS style)
+ PASSIVE FTP for LINUX user now available – user has to add specific FTP PASV rules
+ New firmware release:
VPN
+ Used the most reliable version of OPENSSL 0.9.8k – fixed the certificate problem with empty certificate fields
+ Added the bug fix for the DPD problem in Openswan – “Gateway<->Gateway” scenario
+ Speed improvement for the „road warrior” scenario – up to 50 % faster
+ Added a NAT-T method for the “double NAT” user scenario
IPv6
+ Added software for the incredible HURRICANE ELECTRIC IPv6 provider (HE)
+ HE provides worldwide the lowest packet latency for IPv6
+ IPv6 island in a IPv4 network behind a NAT router possible
+ Simple step by step IPv6 deployment possible
+ SSL connection based protocol for endpoint update – very secure
WIFI
+ Added automatic power management for the MARVELL WIFI adapter ap85
+ Speed improvement up to 30 % - combination of the kernel optimization and the new ap85 driver module from MARVELL
+ Fixed an issue where without connected LAN devices the WIFI connection may fail under very special circumstances
+ Improvement for the “Shared secret” and “PSK” generation
Router management
+ Bug fix for the router web server - MAC users are now able to connect via HTTPS to the router without hassle
+ Added certificate for secure and reliable remote router management via HTTPS – SSL connections are now encrypted with a 2048 bit key and the AES-256 cipher algorithm based on OPENSSL 0.9.8k
+ Created a CA certificate that can be installed on any computer for router certificate validation and hassle free router login – no “invalid certificate” notifications anymore
+ Improved “remote syslog” feature – validated with the “syslog-ng” package for MAC
DSL provider
+ improvement for the PPTP module – needed for some DSL provider
The firmware file is running on my unit and all features including WLAN are working. More than 700 successful installations until now !! Any interested user can download the firmware file and use the file at his own risk!!! This firmware is not useful for investment bankers, because the firmware will only work for what it was intended to work for - not more and not less.
Next on the TODO list:
# finalizing the VPN client for remote access from MAC computers
Best regards
Message Edited by Borealis on 04-22-2009 11:56 AM
Hello,
I don’t want to blame linksys but as long as I'm faster than the linksys software department the answer to your question will be YES. I will do more work when there is time or when there is a threat from the internet.
Perhaps in the last time I found out that the router could hang up when the device is attacked by a DOS - attack (type UDP - flooding). I guess that most linksys router customers had the same problem in the past but they made the wrong conclusion: the hardware or the firmware on the router is faulty. Doing nothing is simply unacceptable!
Best regards -
I have an Xbox hard wired to my BT Home Hub 3, and each and every time I switch on my Xbox my NAT type is moderate, so I have to switch off the Xbox and reset the Home Hub to get an open NAT. I have followed the online help in resetting but nothing changes; I still have the same problem when I connect the next time.
Hi, even with a static IP address, or an IP address that's permanently allocated to the XBox from the hub's DHCP range, and with the appropriate ports forwarded, I still get the Moderate NAT warning very frequently but have a guaranteed solution for a wired connection:
Make sure that the XBox is set to 'always use this IP address' as mentioned in earlier replies.
Make sure that the XBox Live ports are forwarded to the XBox.
When you switch your console on, the first thing you should do is run the Network Test. If it gives you the moderate NAT warning, run the test again and repeat until you stop getting the warning which should be in 5 tests or less.
I've found that if the hub hasn't seen any traffic for about 20 minutes then the first test is clear, so am presuming that like the Hub 1, the later hubs aren't clearing down connections fast enough and given the sheer volume of connections being established by some software (P2P...?), things are getting a little backed up.
The way I see it is that the XBox is looking for a cone shaped NAT (multiple incoming connections to one destination) so pushes out a request on port 3074 and in doing so establishes a single available line of response (incoming connection) across the firewall after clearing the oldest existing connection from the maxed-out table. Repeating the test pushes further old entries off the table in favour of new XBox ones until it is able to meet the criteria for Open NAT.
The blame for this problem could be attributed in two ways: the hubs aren't clearing down unnecessary connections fast enough, or, and I think this is what it comes down to - the XBox IS requesting multiple incoming connections when establishing NAT status as part of the network test or the NAT status check when it signs into XBox Live, and this should, in theory, open multiple connections inwards. However, I think the XBox is sending multiple requests to a single server at Microsoft and the hub logically opens one connection for one source because connection resources are tight. Run the test again and you might hit a different server and open an additional connection, and so on...
If Microsoft could change the way the XBox establishes NAT status by getting it to hit a spread of servers with requests, that might solve the problem. -
NAT-PMP in 7.2.1 still broken 6 months later
The bug introduced in firmware 7.2.1 that crippled the functionality of NAT-PMP in the AEBSn is still active 6 months after its release. Seriously, when is Apple going to address this issue, let alone acknowledge that it even exists? Calling Apple support results in being told that my router is broken. Sorry, but that's a load of bull, as downgrading to an older firmware (the only effective workaround) eliminates the problem completely, though it unfortunately reintroduces older bugs. This response from Apple Support is alarming because it suggests that either Apple is unaware of the issue, or unwilling to admit it exists. I find this hard to believe, as this issue is well documented in numerous places, including this board, though they tend to get derailed by people trying to blame p2p clients (sorry, wrong). Why is Apple so resistant to admitting that they have an issue here? I was hoping that with the debut of Time Capsule, Apple would release a corresponding firmware update across the AEBSn line, but so far no joy. Very unprofessional and very disappointing.
Threads with more information:
http://discussions.apple.com/thread.jspa?threadID=1110798&tstart=90
http://codelaide.com/blog/2007/09/21/news-on-the-721-airport-extreme-issue/
I appreciate the effort, and don't take this the wrong way, but I'm somewhat baffled by your response. Instead of reading two extremely accurate and concise explanations for the problem being discussed, you decide that it's not worth your time; yet, you take the time to post an uninformed response anyway? That's quite a unique approach. Again, I mean no offense, I just find it odd.
Anyway, more to the point: I'm not looking for a solution, but simply trying to keep this issue at the forefront until there is a fix in the form of a firmware update or an acknowledgement from Apple that a fix is on the way. The reason for this is simple: it has been six months and there currently is no solution, only workarounds. To make matters worse, Apple support seems to be utterly oblivious to this issue, which somewhat dampens the hope for a genuine fix.
To address your comments directly: this has absolutely nothing to do with Leopard, or Airport drivers whatsoever. This is a firmware issue for the Airport Extreme Base Station that was introduced in the 7.2.1 update (7.2 for gigabit versions), well before Leopard even hit the streets. It affects all machines, windows and mac, and the issue disappears when you downgrade the AEBSn firmware. This is the workaround I have chosen, but the most obvious disadvantage to this is that it introduces older bugs fixed by 7.2.1. Manually forwarding ports, the second workaround and the one you suggest, is inelegant and impractical and should not be necessary with a functioning router. -
Static NAT to two servers using same port
I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
Any help would be very much appreciated.
Thanks,
- Mike
Hi,
Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port is coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain this is a stable solution. I would imagine it could not be recommended for a production environment setup.
But nevertheless it's a possibility.
So you would need the newer software on your firewall, but I am not sure what device you are using and what software it's running.
- Jouni -
Help with Slow access or NAT to Inside Interface on ASA 9.1
I am hoping someone can help me figure this out, I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.
In the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface so that return traffic would go to the same firewall the traffic came in through. The reason for this configuration was because the gateway of last resort was a different firewall and not the firewall the traffic came in through.
Now to further give you some history, the gateway of last resort is an ASA running 9.1 (now); prior to that it was a PIX with v8.0(4). Traffic to the aforementioned web server came in through the gateway of last resort, which at the time was the PIX.
However, for some reason after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it’s the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.
So two questions, one I would like to use the configuration I have for the web server on the PIX on the ASA to see if that setup on the ASA works better, but having difficulty translating the rules to the ASA.
Second question, has anyone experienced this type of issue (Slow access with ASA to a web server, but fast with PIX to the same web server)?
I have attached a diagram of what I am currently doing.
Any help is appreciated.
Thanks.
P.S. Addresses in the attached picture config are not real, but I know what they translate to.
Hi,
To me it would seem that you are looking for a NAT configuration something like this
object network SERVER-PUBLIC
host 197.162.127.6
object network SERVER-LOCAL
host 10.0.1.25
nat (outside,inside) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL
It will do a NAT for both the source and destination address in a single NAT configuration. It defines that a Dynamic PAT to the "inside" interface will be done for "any" traffic entering from the "outside" WHEN the destination is the SERVER-PUBLIC IP address. Naturally the SERVER-PUBLIC will be untranslated to the SERVER-LOCAL in the process as this configuration handles 2 translations.
I don't know if this changes the situation at all but it should be the configuration format to handle the translation of the external host to the internal interface IP address and only apply when this single public IP address is concerned.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers.
Ask more if needed
- Jouni -
Starting this year, Turbotax CD/download versions will not permit people to print tax forms when offline. If you try to print while not connected to the Internet, you receive the warning “There was a problem connecting to Intuit’s Secure Print Service. Please check your Internet connection or try again later.” Indeed, Paragraph 9 of the Intuit Software End User License Agreement states: "You may save your return as a PDF file and understand it may be processed on Intuit servers, not as part of the Software."
Even if you wish to protect your data by not exposing it to the Internet, Turbotax will not let you without sharing your entire return first with them. They prohibit you from only printing locally on home, cable-connected printers.
The result of this is that people who tried to be safe by never going online with tax data, are this year being forced by Intuit software to expose all their sensitive tax information files to the Internet and Intuit print server, even though they do not wish to. Turbotax is putting you at risk.
On Feb 19 the Wall Street Journal quoted an Intuit spokesperson blaming Apple: According to Julie Miller, an Intuit spokeswoman, TurboTax made the change “because the Mac product requires a special, third-party code library to support offline printing.” And she says, “based on Apple App Store guidelines, we could no longer distribute the third-party library with our software.” She said the change in the TurboTax Mac software was first made for 2013 tax returns, but last year customers had the option of printing returns without being connected to the Internet.
So is Apple to blame that I now have to expose my sensitive tax data to Intuit just to be allowed to save to PDF on my hard disk? And it's all Apple's fault?
Can anyone clarify this?
Thank you for this and the other posts. Particularly for Barney,
I have just discovered that Turbotax actually permits you to print (and save to PDF) documents from the Help Center built into the program, even when you are OFFLINE. Works just like normal printing is supposed to. It just won't let you print actual tax forms. So I guess they were willing to violate Apple’s rules when you print information from their help center offline, but you just can't do the same with your own tax forms. Clearly this shows that what Intuit told Forbes was a fabrication.
They do in fact have the proper code in the program for printing and saving to PDF. They just deny you usage of that code for printing your tax returns, which they want to copy. I don’t think there can be any doubt about what they are doing. Surely they are not deceiving apple by allowing the limited print function?
We can only hope that a brave journalist will challenge them on this, since Intuit will not respond to customers.
Thank you for any views on these points. -
NAT 8.0 to 9.2 convert help
I have the below config on ASA 8.0 I need to convert it to 9.2
name 10.2.17.80 BV-DVR
name 10.2.13.80 SE-DVR
name 10.2.23.80 ES-DVR
name 10.2.10.80 NW-DVR
name 10.2.10.81 NW-DVR2
name 10.2.1.76 C-DVR1
name 10.2.1.78 C-DVR2
name 10.2.1.80 C-DVR3
name 10.2.19.80 WS-DVR1
name 10.2.19.81 WS-DVR2
name 10.2.15.80 SW-DVR
name 10.2.11.80 M-DVR
object-group network Camera_DVRs
network-object host SE-DVR
network-object host BV-DVR
network-object host ES-DVR
network-object host C-DVR1
network-object host C-DVR2
network-object host C-DVR3
network-object host WS-DVR1
network-object host WS-DVR2
network-object host NW-DVR
network-object host NW-DVR2
network-object host SW-DVR
network-object host M-DVR
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8000
port-object eq www
port-object eq 8001
port-object eq 8100
port-object eq 8101
port-object eq 8200
port-object eq 8201
port-object eq 8202
port-object eq 8203
port-object eq 8300
port-object eq 8301
port-object eq 8400
port-object eq 8401
port-object eq 8402
port-object eq 8403
port-object eq 8404
port-object eq 8405
port-object eq 8500
port-object eq 8501
port-object eq 8502
port-object eq 8503
port-object eq 8600
port-object eq 8700
object-group service DM_INLINE_TCP_3 tcp
port-object eq 8000
port-object eq www
port-object eq 8300
port-object eq 8301
port-object eq 8400
port-object eq 8401
port-object eq 8402
port-object eq 8403
port-object eq 8404
port-object eq 8405
port-object eq 8500
port-object eq 8501
port-object eq 8502
port-object eq 8503
port-object eq 8600
port-object eq 8700
access-list 200 extended permit tcp any host 1.1.1.172 object-group DM_INLINE_TCP_2
access-list 200 extended permit tcp object-group Camera_DVRs host 1.1.1.172 object-group DM_INLINE_TCP_3
static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8001 BV-DVR 8001 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8100 SE-DVR 8100 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8101 SE-DVR 8101 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8200 NW-DVR 8200 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8201 NW-DVR 8201 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8202 NW-DVR2 8202 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8203 NW-DVR2 8203 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8300 ES-DVR 8300 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8301 ES-DVR 8301 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8400 C-DVR1 8400 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8401 C-DVR1 8401 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8402 C-DVR2 8402 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8403 C-DVR2 8403 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8404 C-DVR3 8404 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8405 C-DVR3 8405 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8500 WS-DVR1 8500 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8501 WS-DVR1 8501 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8502 WS-DVR2 8502 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8503 WS-DVR2 8503 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8600 M-DVR 8600 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8700 SW-DVR 8700 netmask 255.255.255.255
Here is a bit of what I think I need to do....
object network OBJ-10.2.17.80
host 10.2.17.80
object network OBJ-1.1.1.172
host 1.1.1.172
object service OBJ-TCP-8000
service tcp source eq 8000
nat (inside,outside) source static OBJ-10.2.17.80 OBJ-1.1.1.172 service OBJ-TCP-8000 OBJ-TCP-8000
access-list outside_access_in extended permit tcp any4 object OBJ-10.2.17.80 eq 8000
Thanks,
Mike
I did not create the above config. If I did I would never have "DM_INLINE" on anything. It is a default naming for Cisco when objects are created via ASDM and lazy or inexperienced engineers do not correct that. Also auditors do not like such nondescriptive names. I do not like this default behavior at all and do most everything via CLI, much better and much more control. It would be better when using ASDM and creating these if it did not put a default name in but forced you to enter something.
Mike -
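The conversion the thread is asking for follows a fixed pattern: each 8.0 `static (inside,outside) tcp <public> <port> <host> <port>` line becomes a network object with one `nat ... static ... service tcp` statement, and because an object can carry only one nat statement, a host that exposes several ports needs one object per port. The script below is an added example, not from the thread or from Cisco; it runs over a constructed subset of the quoted config and also emits the 8.3+ ACL lines, which match the real (untranslated) address and port.

```python
"""
Converts ASA 8.0-style port static NAT lines to the 8.3+/9.x object NAT form.
Added example driven by a constructed subset of the config quoted above.
Rule it encodes: a network object carries at most one nat statement, so a host
that exposes several ports on the same public IP needs one object per
(host, protocol, real port). The 8.3+ ACL then references the real address/port.
"""
import re

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)\s*$")
# static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+netmask\s+\S+")

# Constructed sample: four of the static lines and two of the name aliases from the post.
SAMPLE_8_0 = """\
name 10.2.17.80 BV-DVR
name 10.2.10.81 NW-DVR2
static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8001 BV-DVR 8001 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8202 NW-DVR2 8202 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8203 NW-DVR2 8203 netmask 255.255.255.255
"""


def parse_static_nat(config_text):
    """Resolve 'name' aliases and return one dict per static port translation."""
    names, mappings = {}, []
    for line in config_text.splitlines():
        line = line.strip()
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)   # name <ip> <alias>
            continue
        m = STATIC_RE.match(line)
        if not m:
            continue
        real_ifc, mapped_ifc, proto, mapped_ip, mapped_port, real_host, real_port = m.groups()
        mappings.append({
            "real_ifc": real_ifc, "mapped_ifc": mapped_ifc, "proto": proto,
            "alias": real_host, "real_ip": names.get(real_host, real_host),
            "real_port": real_port,
            "mapped_ip": names.get(mapped_ip, mapped_ip), "mapped_port": mapped_port,
        })
    return mappings


def to_object_nat(mappings):
    """Emit 8.3+ object NAT: one object per (host, proto, real port)."""
    lines, seen = [], set()
    for mp in mappings:
        obj = f"OBJ-{mp['alias']}-{mp['proto'].upper()}-{mp['real_port']}"
        if obj in seen:
            # Two static lines for the same host/port would need two nat statements
            # on one object, which the ASA rejects; surface it instead of emitting it.
            raise ValueError(f"duplicate translation for {obj}")
        seen.add(obj)
        lines += [
            f"object network {obj}",
            f" host {mp['real_ip']}",
            f" nat ({mp['real_ifc']},{mp['mapped_ifc']}) static {mp['mapped_ip']} "
            f"service {mp['proto']} {mp['real_port']} {mp['mapped_port']}",
        ]
    return lines


def to_access_list(mappings, acl_name="outside_access_in"):
    """8.3+ ACLs match the real address/port, so permit each host:port explicitly
    instead of 'any host <public_ip> object-group ...' as in the 8.0 config."""
    return [
        f"access-list {acl_name} extended permit {mp['proto']} any host "
        f"{mp['real_ip']} eq {mp['real_port']}"
        for mp in mappings
    ]


if __name__ == "__main__":
    maps = parse_static_nat(SAMPLE_8_0)
    print("\n".join(to_object_nat(maps) + to_access_list(maps)))
```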
What is solution of nat failover with 2 ISPs?
Now I have leased line links to 2 ISPs for internet connection. I separate users' packets by access list, such as www goes to ISP1 and mail or other protocols go to ISP2. Let's say the link to ISP1 goes down; I need www traffic to fail over to ISP2 and vice versa.
The problem is the ACL on the NAT statement.
If you config about this.
! "mail" is not an IOS port keyword; smtp is used here in its place
access-list 101 permit tcp any any eq www -->www traffic to ISP1
access-list 101 permit tcp any any eq smtp --> backup for mail packets when the link to ISP2 is down
access-list 102 permit tcp any any eq smtp -->mail packets to ISP2
access-list 102 permit tcp any any eq www --> backup for www traffic to go to ISP2
ip nat inside source list 101 interface s0 overload
ip nat inside source list 102 interface s1 overload
In this case the links to ISP1 and ISP2 are both UP.
When you apply this ACL on the NAT statement, NAT will process each statement in order (if I am incorrect please correct me), so mail traffic will match in this ACL and then be NATed with the IP of ISP1 only.
please advice solution about this
TIA
Hi,
If you have two serial links connecting to two different service providers, then you can try this.
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any any eq smtp
route-map isp1 permit 10
match ip address 101
set interface s0
route-map isp2 permit 10
match ip address 102
set interface s1
ip nat inside source route-map isp1 interface s0 overload
ip nat inside source route-map isp2 interface s1 overload
ip nat inside source list 103 interface s0 overload
ip nat inside source list 104 interface s1 overload
ip route 0.0.0.0 0.0.0.0 s0
ip route 0.0.0.0 0.0.0.0 s1 100
In case any of the links fails, the other traffic would automatically prefer the other serial.
I have not tried the config, just worked out the config on logic. Please go through and try if possible.
pls see the note2 column
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#related
Hope it helps
regards
vanesh k -
NAT IN CATALYST 6509-HOW TO DO IT?
Hello friends,
The campus LAN is made up of more than 20 VLANs and all the PCs can go to the Internet.
Now I have a new network cloud and I have to attach that network into my campus.
To do that, I have a Public IP Pool to do translation.
But I just need some IPs (from different VLANs) to be able to go to the new network while keeping connectivity to the Internet.
So my Question is:
I am not interested in perform Static NAT.
I wonder if I can NAT a group of IPs (in different subnets) with the Public POOL. i.e: group to group.
I have a PIX 525. I could do it in that PIX but I think It could be better to do it in the Catalyst 6509. (Because the Pix CPU percentage is High-and sometimes I have problems)
How can I do NAT in C 6509?
I am attaching a referential picture.
Hi bosalaza:
yes, I think ACL will help so much...
Look I need to translate only this IPs:
172.16.8.56
172.16.24.85
172.16.33.95
172.16.86.56
172.16.125.81
172.16.157.89
To this Public IPs:
200.xx.45.170
200.xx.45.171
200.xx.45.172
200.xx.45.173
200.xx.45.174
200.xx.45.175
But without Static NAT.
And do it in the C6509.
I don't have enough experience to perform NAT in the C6509.
Thanks in advance. -
How do I get rid of the moderate nat setting on my xbox 360?
I tried following the link in a previous thread but it doesn't seem to work. I have a WRT54G wireless G broadband router. I'm also running on Firefox. I want my router to say open, not moderate, so I can play Halo with my friend.
Open routers set up page using http://192.168.1.1 ….you will get username & password screen …leave username blank & under password use admin.
Click on “applications & gaming” tab…under port range forward use 88 & 3074 ports forwarded for IP – 192.168.1.50….check enable….click save settings.
Click on set up look for MTU …make it manual …change the size to 1365
On X-BOX use static IP …subnet mask…gateway & DNS numbers as on router's set up page.
Also configure the wireless settings same as in router.
Let me know if the connection still shows NAT moderate. -
Question regarding NAT and directed-mode
Hello,
I have two WAE 574 devices and a CM 274 all running code level 4.3.1.6. The CM is behind a PIX firewall. There is no firewall between the branch and core WAE. The branch device is behind a NAT router. The CM and SSL ASA are behind a PIX 515 firewall. The branch WAE is running inline mode and the core WAE is using WCCP redirection. Both the CM and SSL ASA are reverse NATted on the PIX firewall. The branch WAE has the primary interface unchecked on the CM and is using the NAT address.
I am getting asymmetric route issues. This is because for some reason the NAT address of the branch WAE sends the SYN, which is responded to, but the ACK is coming from the unnatted private address. When I turn off directed mode I can see optimisation start for some sessions but not for the SSL ASA.
Example
Branch WAE Private 192.68.1.45
Branch WAE Public 206.99.88.10
CM private 192.168.20.9
CM public 240.10.10.20
PIX log
Jan 15 2012 11:50:58: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe
Although the PIX NATs the CM address, the core WAE is still seeing its private address.
Do you have any idea what could be causing this ?
Best regards
Stephen
Jan 15 2012 11:51:12: %PIX-5-106100: access-list DMZ_access_in denied tcp DMZ/192.168.20.9(443) -> outside/206.99.88.10(46871) hit-cnt 1 f]
Jan 15 2012 11:51:31: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe
Jan 15 2012 11:51:37: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46847 to 240.10.10.20/443 flags PSH ACK on interfe
Jan 15 2012 11:52:08: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/49634 to 240.10.10.20/443 flags PSH ACK on interfe
Jan 15 2012 11:52:10: %PIX-5-106100: access-list outside_access_in permitted tcp outside/206.99.88.10(23183) -> DMZ/240.10.10.20(443) ]
Jan 15 2012 11:52:10: %PIX-6-302013: Built inbound TCP connection 1475554768 for outside:206.99.88.10/23183 (206.99.88.10/23183) to DMZ:WAD)
Jan 15 2012 11:52:10: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/23183 to 240.10.10.20/443 flags ACK on interface e
Hi Stephen,
To troubleshoot this further, we would need to get a topology diagram of your network, as well as the configurations from all devices, so it would probably be better if you open a TAC service request.
Regards
Daniel -
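The PIX log in the post already contains the evidence of the asymmetry: a connection is built from the branch WAE's public address on port 23183 and, in the same second, an ACK on port 23183 arrives from the private address and is dropped as "no connection". The correlator below is an added example, not from the thread or from Cisco; its sample lines are constructed from the addresses and ports quoted above, with the fields that were truncated in the post filled in with plausible PIX syntax.

```python
"""
Correlates PIX/ASA syslog lines to surface the asymmetric-NAT symptom: the
connection is *built* from the NATted public address, but later mid-stream
packets (no SYN, hence "no connection") arrive from the private address on the
same source port. Added example; the sample log is constructed from the
addresses and ports in the post, with the truncated fields completed.
"""
import re
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): (.*)$")
# 302013: Built {inbound|outbound} TCP connection <id> for ifc:real/port (mapped/port)
#         to ifc:real/port (mapped/port)
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?:inbound|outbound) TCP connection (\d+) for "
    r"\w+:([\d.]+)/(\d+) \(([\d.]+)/(\d+)\) to \w+:([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)")
DENY_RE = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) "
    r"flags ([A-Z ]+?) on interface (\w+)")

SAMPLE_LOG = """\
Jan 15 2012 11:52:08: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/49634 to 240.10.10.20/443 flags PSH ACK on interface outside
Jan 15 2012 11:52:10: %PIX-5-106100: access-list outside_access_in permitted tcp outside/206.99.88.10(23183) -> DMZ/240.10.10.20(443) hit-cnt 1 first hit [0x0, 0x0]
Jan 15 2012 11:52:10: %PIX-6-302013: Built inbound TCP connection 1475554768 for outside:206.99.88.10/23183 (206.99.88.10/23183) to DMZ:192.168.20.9/443 (240.10.10.20/443)
Jan 15 2012 11:52:10: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/23183 to 240.10.10.20/443 flags ACK on interface outside
"""


def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def correlate(log_text, window=timedelta(seconds=60)):
    """Return (findings, unmatched_denies). A finding pairs a built connection with a
    later 'no connection' deny that has the same destination and source *port* but a
    different source *address*: the signature of packets bypassing the NAT mid-flow."""
    built = {}          # (src_port, mapped_dst_ip, mapped_dst_port) -> (ts, conn_id, src_ip)
    findings, unmatched = [], 0
    for raw in log_text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        ts, body = parse_ts(m.group(1)), m.group(2)
        b = BUILT_RE.search(body)
        if b:
            conn_id, src_ip, src_port, _, _, _, _, mdst_ip, mdst_port = b.groups()
            # Key on the mapped destination: that is the address outside-side denies show.
            built[(src_port, mdst_ip, mdst_port)] = (ts, conn_id, src_ip)
            continue
        d = DENY_RE.search(body)
        if not d:
            continue
        src_ip, src_port, dst_ip, dst_port, flags, iface = d.groups()
        hit = built.get((src_port, dst_ip, dst_port))
        if hit and timedelta(0) <= ts - hit[0] <= window and hit[2] != src_ip:
            findings.append({"conn_id": hit[1], "natted_src": hit[2], "real_src": src_ip,
                             "src_port": int(src_port), "dst": f"{dst_ip}/{dst_port}",
                             "flags": flags, "interface": iface})
        else:
            unmatched += 1     # a deny with no matching SYN in the window: not proof of NAT bypass
    return findings, unmatched


if __name__ == "__main__":
    found, other = correlate(SAMPLE_LOG)
    for f in found:
        print(f"conn {f['conn_id']}: built from {f['natted_src']} but {f['flags']} "
              f"arrived from {f['real_src']} on port {f['src_port']} -> {f['dst']}")
    print(f"{other} deny line(s) without a matching built connection")
```

A hit like this is the defender's confirmation that some path between the branch WAE and the PIX carries post-handshake packets without passing through the NAT, which is what to hand to TAC together with the topology.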
IPsec VPN and NAT don't work together on HP MSR 20 20
Hi People,
I'm getting several issues, let me explain:
I have an HP MSR router with 2 Ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 - LAN (192.168.100.0/24). I have configured a site-to-site VPN through the internet, and it works really well. The other site has the subnet 10.10.10.0 and I can reach the network through the IPsec VPN. The issue is that the network 192.168.100.0/24 needs to reach the internet with the same public address, so I have set a basic NAT configuration. When I put the NAT configuration on Eth 0/0 the whole network 192.168.100.0 can go to the internet, but the VPN goes down; when I remove the NAT from Eth 0/0 the VPN goes up, but the network 192.168.100.0 can't go to the internet.
I'm missing something but I don't know what it is!!!! See below the configuration.
Can anyone help me with that? I need to send the traffic with target 10.10.10.0 through the VPN, and all other traffic to the internet. Basically I need NAT and VPN to work fine at the same time.
Note: I just have only One public Ip address.
version 5.20, Release 2207P41, Standard
sysname HP
nat address-group 1 186.177.159.93 186.177.159.93
domain default enable system
dns proxy enable
telnet server enable
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
acl number 2001
rule 0 permit source 192.168.100.0 0.0.0.255
rule 5 deny
acl number 3000
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
vlan 1
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
ike peer vpn-test
proposal 1
pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
remote-address <Public Ip from VPN Peer>
local-address 186.177.159.93
nat traversal
ipsec proposal vpn-test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy vpntest 30 isakmp
connection-name vpntest.30
security acl 3000
pfs dh-group2
ike-peer vpn-test
proposal vpn-test
dhcp server ip-pool vlan1 extended
network mask 255.255.255.0
user-group system
group-attribute allow-guest
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
service-type web
cwmp
undo cwmp enable
interface Aux0
async mode flow
link-protocol ppp
interface Cellular0/0
async mode protocol
link-protocol ppp
interface Ethernet0/0
port link-mode route
nat outbound 2001 address-group 1
nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
ip address dhcp-alloc
ipsec policy vpntest
interface Ethernet0/1
port link-mode route
ip address 192.168.100.1 255.255.255.0
interface NULL0
interface Vlan-interface1
undo dhcp select server global-pool
dhcp server apply ip-pool vlan1
ewaller wrote:
What is under the switches tab?
Oh -- By the way, that picture is over the size limit defined in the forum rules in terms of pixels, but the file size is okay. I'll let it slide. Watch the bumping as well.
If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original) back here, and you are golden.
I had a bear of a time getting the microphone working on my HP DV4, but it does work. I'll look at the set up when I get home tonight [USA-PDT].
Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
So here is what it is under the switches tab -
How do I clean up my new FIOS connection? I just changed ISP to FiOS and they required a router of their own in front of my AirPort Extreme. Since then I have a blinking yellow light on the AirPort and AirPort Utility keeps prompting for an edit. It suggests changing from NAT to "Bridge mode". Obviously I have some internet or this post would not go anywhere, but my knowledge base is not enough to feel comfortable with changing the settings. Correctly editing can be tricky, so how do I make the necessary changes?
How do I clean up my new FIOS connection?
The FIOS router needs to be in Bridge Mode to prevent the Double NAT error from occurring when two routers are both fighting with each other for control of the network.
Unfortunately, the likely problem from the FIOS side is that FIOS support will either tell you that their router cannot be configured to operate in Bridge Mode, or if it can, they will not tell you how to do it.
But, it could not hurt to check with FIOS to see if anything might have changed recently in this regard, so your first call would be to FIOS support.
If you cannot change the FIOS router to Bridge Mode, the alternate plan would be to change the AirPort Extreme to Bridge Mode. If you are using the Guest Network feature on the AirPort Extreme at this time, that feature will not work correctly when the AirPort is set up in Bridge Mode.