MARS and FWSM NAT translation

Similar Messages

• How to use MARS for NAT Translation Analysis...

  Hi All,
  I was wondering if we could use MARS to do NAT logging. To be more specific, currently we are using a PUX Firewall that does dynamic nat/pat. We log NAT Translations to syslog server and if further required we search into the files to find what we want.
  I was wondering if anyone had tried to send translation logs to MARS and then doing a custom report for NAT Translations (i.e. by source, destination, time etc).
  Regards.

  Hello Nicolas,
  Use the following steps :
  Step 1
  Locate the File “global.properties”
  Drive:\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom
  The following values should be present:
  vintela.enabled=true
  idm.realm=Domain Name (u can get the name from C:\Windows\Krb5.ini)
  idm.princ=SPN User
  idm.allowUnsecured=true
  idm.allowNTLM=false
  idm.logger.name=simple
  idm.logger.props=error-log.properties
  Step 2:
  Locate the file “web.xml”
  D:\SAP BusinessObjects\Tomcat6\webapps\dswsbobje\WEB-INF
  Uncomment the Kerberos Proxy Filter and the Kerberos Filter sections to enable Kerberos SSO for Windows Active Directory (secWinAD) authentication. The following options must be specified (the rest are optional)
  idm.realm = SPN user (the same as the default_realm specified in the Krb5.ini file)
  idm.princ = SPN User (the same as specified for idm.princ in the global.properties)
  idm.keytab = (the same as specified for idm.keytab in the global.properties )
  Please note, if you are using the hardcoded password set in Tomcat's Java Options do not make any changes to the keytab lines in the web.xml
  Step 3:
  Backup and edit Drive:\Tomcat6\webapps\dswsbobje\WEB-INF\classes\dsws.properties by setting kerberos.sso to 'true' Restart Tomcat
  KR,
  MD

• NAT Translating Destination IP and Port

  Hi I have posted this in the Routing and switching forum but thought i'd post it in here too as it realted to web security
  I am struggling with NAT  translation on a Cisco router. I want to translate all HTTP traffic  that exits my network to change the destination IP to 117.166.1.1  and  translate the destination port from tcp 80 to tcp 3128.
  i.e. If a  PC with an IP 192.168.1.10 enters 200.1.1.1 into the webbrowser, instead  of the traffic going to 200.1.1.1 on port 80, it will be directed to  117.166.1.1 on port 3128
  This is because I am using a cloud url filter and want all HTTP traffic to go to that proxy.
  I believe this can be done with an outside NAT but I am unable to get this work. Anyone know how to do this?
  Thanks
  K

  Hi,
  If you want to block all the connections to your computer on 25 port, you need to add My IP Address as the Destination address and set Any IP Address as the Source address in your computer.
  In addition, if you choose Mirrored, it will mirror the filters automatically configures both inbound and outbound filters. In your scenario, you would uncheck it.
  For more detailed information, please refer to the link below:
  Step-by-Step Guide to Internet Protocol Security (IPSec)
  Best regards,
  Susie

• Remote Access VPN, no split tunneling, internet access. NAT translation problem

  Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
  Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
  I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
  I reviewed the new NAT rules for the VPN and found the culprit. 
  I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
  Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
  nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source dynamic VPN_Subnet interface inactive
  object network obj_any
  nat (inside,outside) dynamic interface
  object network XXX_HTTP
  nat (inside,outside) static interface service tcp www www
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  Any help would be appreciated.

  Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
  With Regards,
  Safwan

• What's the best way to do many NAT translations for WWW farm?

  Hello all, I hope this finds you in good spirits.
  I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many nat translations through it.  I have a group of about 100 IP's that need http/https/and sqlnet allowed through for our web farm.
  I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists.  Now with the new object based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
  Do I have to create an network object for each and every IP i want to nat through? 
  Thank you for your consideration!

  Were your NATs not present in the pre-upgrade code? If they were, they should have been automatically rebuilt along with the recommended objects.
  If they weren't, you can relatively easily make a little script of spreadsheet with some transforms to go from your text listing to the necessary network objects and new syntax nat rules.
  It's also relatively easy to build them in ASDM and just copy, insert and modify down the list. You can even use the "Add Object" part of the GUI to also add the NAT rules at the same time:

• Dynamic PAT and Static NAT issue ASA 5515

  Hi All,
  Recently we migrated our network to ASA 5515, since we had configured nat pool overload on our existing router the users are able to translated their ip's outside. Right now my issue was when I use the existing NAT configured to our router into firewall, it seems that the translation was not successful actually I used Dynamic NAT. When I use the Dynamic PAT(Hide) all users are able to translated to the said public IP's. I know that PAT is Port address translation but when I use static nat for specific server. The Static NAT was not able to translated. Can anyone explain if there's any conflict whit PAT to Static NAT? I appriciate their response. Thanks!
  - Bhal

  Hi,
  I would have to guess that you Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as Section 2 rule which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
  The very basic configured for Static NAT and Default PAT I would do in the following way
  object network STATIC
  host
  nat (inside,outside) static dns
  object-group network DEFAULT-PAT-SOURCE
  network-object
  nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
  The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
  This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
  You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
  https://supportforums.cisco.com/docs/DOC-31116
  Hope this helps
  - Jouni

• Sh ip nat translations

  Hi,
  When I action show ip nat translations on our gateway router, it comes up with an Inside Local IP Address that does NOT belong to out local network. See attached.
  192.168.1.0/24 does not belong to any of our user, not in routing table as static route (we don't use dynamic protocol) nor this is a configure interface on the router.
  Is there a way I can trace which VLAN this IP is coming from because before this network 192.168.1.0/24 was flooding out NAT pool and I had to configure the following under the NAT Pool ACL:
  deny ip 192.168.1.0 0.0.0.255 any any log
  Show log:
  Jun 18 2007 14:41:46.081 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 15 packets
  and
  Jun 18 2007 14:51:29.101 EST: %SEC-6-IPACCESSLOGDP: list NAT_ACL denied icmp 192.168.1.111 -> 71.8.70.164 (0/0), 3 packets
  Could this be a DOS attack?
  We are currently experiencing Internet outage to some users which cannot use HTTP, mail and terminal service.
  Thanks

  Is there any subnets inside who are conencted to a different network over VPN
  with the IP 192.168.1.X etc & access th internet.

• Maximum number of simultaneous NAT translations

  Hi all...
  Does anyone know how many simultaneous NAT translations a low end device such as a Cisco RV016 supports?
  I  know this is a low end device but I see no reason that with a typical  allocaiton of  220 bytes per entry and modern CPU's to walk the tree that this RV016  could not support 500 to 1000 easily?
  http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/792_pp.htm#wp39411
  Any  reasonable device should support 500 to 1000? I believe a linux box  would do it effortlessly for 500 tcp/udp connections ,mapped via  NAT at 100Mbits/second but I would prefer a  cisco router any day.
  I am looking for at least 500+ users  in on the WAN side to 1 or 2 servers on the LAN side behind the NAT wall.
  Of course worst case would assume 1 to 1 NAT simultaneous translations for numbers.
  What would be the mimum low end cisco gateway router I could use to do this 500 to 1? 1000 to 1?
  Am I way off on this?
  Thanx.
  -Glenn

  The prevailing wisdom from Adobe for simultaneous requests is
  very wrong and inaccurate. First off, editing the simultaneous
  requests in the CFAdmin is safe to do. Editing your JVM settings
  with the CFAdmin is very dangerous on Linux because the CF Admin
  code can mangle the xml file. I'm not sure if this is true on
  Windows.
  Now back to the simultaneous requests issue. If you have high
  traffic and enough server processing power you can greatly increase
  the request number. We currently run our CFMX 7.02 servers set to
  100 simultaneous requests. And yes we've been maxed out at that
  level. We see over 1.5 million page views per day on a single cf
  server with only one instance of CF. As of today we switched to a
  load balanced setup and split the load across two servers. The
  reason we went load balanced is that we're expecting to more than
  double our traffic. Anyways, the number of simultaneous requests
  can be much higher than the 'General Wisdom' at Adobe.
  Oh yeah, I almost forgot. I've seen the new setting for
  simultaneous requests take effect with out having to restart CFMX.
  Cheers,

• Help with multiple nat translation on a Cisco Nexus 3548

  Hi All,
  I need a little help with a NAT configuration on a cisco Nexus 3548 version 6.0(2)A4(3).
  What currently have is as follows:
  internal network: 192.168.4.0/24
  nexus router (routerA):
    LAN Side: vlan104 interface 192.168.4.201/24
    WAN Side: Eth1/48 interface 172.24.101.2/24
    remote network: 159.43.48.32/27
    remote gateway: 172.24.101.1/24
  use ACL's to ensure that only specific traffic is allowed out and in.
  allow a specific connection from a different internal network (192.168.3.0/24) to talk to port 159.43.48.34:1025
  Clients on the internal network 192.168.4.0, need to be able to connect to services (port 14002, port 8101) running on 159.43.48.34, but they must be SNAT'ed through the WAN interface as coming from 159.43.65.81
  Currently we have this working but the internal lan clients need to know how to get to 159.43.48.34/27 and therefore we need to route this network in our internal network.
  What we really want is to do is provide an address such as 192.168.4.203 for internal clients to use for connectivity to the various services, and then this address would be SNAT'ed to 159.43.65.81 over the WAN. We still want to secure the traffic in both directions.
  In the past i've been able to do this with inside and outside nat's and i haven't had to configure an interface on the router for the internal address, it has just been "stood up" by the nat rules. For example (this is how i've done it before):
  LAN interface
  ip nat outside
  WAN interface
  ip nat inside
  ip nat inside source static159.43.65.81 192.168.4.203
  ip nat outside source static 159.43.65.81 192.168.4.203
  but, trying to implement this sort of config on the Nexus isn't working.
  I am wondering if the Nexus behaves differently than ios based routers.
  I'd appreciate any help to get this config working.
  Thanks in advance,
  Les

  Les
  The issue with an "ip nat outside ..." static is that from the inside routing is done before NAT.
  So what happens is that the destination IP is 192.168.4.203 and the Nexus will do a route lookup, see it is directly connected so it won't forward the packet to the outside interface so it doesn't get translated.
  If you enter "ip nat outside source static 159.43.48.34 192.168.4.203" then on IOS it adds a host specific route to the routing table for 192.168.4.203 as directly connected.
  So you do a ping from a 192.168.3.x client  it looks like it is working but actually the L3 device is simply responding and the packet never gets to the server.
  Apologies for the long winded explanation but NXOS might behave differently and I wanted you to know what to look for.
  So with IOS there is the "add-route" option at the end of the NAT statement and if you use this it would add a host specific route into the routing table like this -
  192.168.4.203 255.255.255.255 159.43.48.34
  this is a recursive route ie. the device must know how to get to 159.43.48.34 but your Nexus should.
  What the above does is make sure any packets arriving at the Nexus for 192.168.4.203 get routed to the outside interface and so are translated.
  So firstly see if that option is available with your NAT statement ie.
  "ip nat outside source static 159.43.48.34 192.168.4.203 add-route"
  if it isn't then try adding just the static statement without it and then have a look at the routing table. If it hasn't put in a host specific route showing as directly connected which it may not, as it may behave differently, then you can manually add a route ie.
  192.168.4.203 255.255.255.255 <next hop IP>
  note that the next hop IP doesn't have to be the server here it could just be the next hop from the Nexus switch. All you are trying to do is get the packet routed to the outside interface.
  Hope that makes sense.
  Edit - one thing I haven't tried is to use a different IP subnet for NAT ie. one that is still part of your internal range but unused and then having a route on the Nexus, in your case, pointing to the outside interface and you redistribute this subnet into your IGP. Then you add the NAT statement.
  What may happen is it still adds a host specific route showing as directly connected but it may not because the Nexus wouldn't actually have a directly connected interface for that subnet.
  I suspect it would though.
  If it did work then it would still mean you didn't need to advertise the public IP internally.
  If I get the chance I'll test it later today.
  Jon

• Not Seeing NAT Translations Across GRE IPSec Tunnel

  Hello,
  I have a P2P GRE over IPSec tunnel beween two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happeing because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
  Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
  Thanks for any help you guys may be able to provide!
  Anthony, CCNA (Network/Voice)

  Can you send over the configurations
  You seem to have a phase 1 issue, it's not negotiating correctly.
  Thanks

• IPSec tunnel and policy NAT question

  Hello All!
  I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
  1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
  2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address
  I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.
  Here is the configuration
  Remote end  crypto interesting ACL:
  ip access-list extended crypto-interesting-remote
  permit ip host 192.168.1.10 host 10.0.0.10
  My end configuration:
  interface GigabitEthernet0/0
  ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map VPN
  ip access-list extended crypto-interesting-local
  permit ip host 10.0.0.10 host 192.168.1.10
  interface GigabitEthernet0/3
  ip address 172.16.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  speed auto
  ip nat inside source static 172.16.0.20 10.0.0.10   (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
  ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
  ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
  ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
  All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
  Any response highly appreciated!
  Thanks!

  Figured that out.
  The problem was in route
  ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
  should be next-hop IP address instead of interface gigabitethernet0/0
  Apparently packet arrives on the interface but does not pass it, when having route like this, becuase there is no one sitting with 192.168.168.10 ip address on the outside

• Ip add inside Nat translated twice

  Hi,
  I have hear of the possibility of having an inside ip add translated twice, I am not referring to double nat but below scenario:
  private ip address translated into a 29/ then...However wan ip add is /30
  Have u ever heard of it?
  Thank you

  Hello Nwag,
  When you perform a NAT translation, the prefix that you define is not added to the translation, it simply narrows down to source and destination IP addresses, the prefix or mask is used more details to static network translations and to define the ranges for the traffic that you want to translate.
  Anyway your ISP controls the IP address that are routed to your router, so even if you translate the traffic to an IP address it does not guarantee that you will get that traffic back. If you need more addresses you will need to purchase them.
  Hopes this answer your inquiries.
  Regards,
  Alex Sanchez
  CCIE R&S #37454

• ASR1006 log NAT translations

  Good day. We've got the following problem, but i cant solve it.
  We have:
  ASR1000-RP2
  ASR1000-ESP40
  ASR1000-SIP40
  SPA-10X1GE-V2
  SPA-10X1GE-V2
  Kiwi Syslog Server
  ASR performs the function of ISG. The number of subscribers until 10000. This number is constantly growing.
  Because of the economic address space subscribers surf the Internet through NAT.
  Now the task to keep logs of all translations or binds. Need to store the information about what time, certain internal IP address using the external IP.
  I've tried:
  ip nat log translations syslog
  logging trap debugging
  logging host xx.xx.xx.xx transport UDP port xxx
  no logging console (so as not to load the CPU)
  Next on the syslog server has come the following message:
  %IOSXE-4-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:064 TS:00004084523374422713 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 1048576 exceeded; frame dropped
  I did:
  ip nat translation max-entries 10000000
  Error stopped publishing but logs do not come.
  I think of the huge number of translation per second, it can not send them as fast.
  How can this problem be solved or otherwise obtain and store information about a translations?
  Say what Syslog server is properly used for large volumes of data.
  Thank You and sorry for my English

  So I was able to redirect all log nat translations to the server using the command:
  ip nat log translations flow-export v9 udp destination server_ip udp_port
  Through Wireshark I get all the relevant information about ip address and time.
  Is there any software that could take this information and process it.
  I has used PRTG, ZOHO but they can`t analyze this flow type.
  Can anyone help me?

• Setting Nat Translations in RRAS

  we are looking to have our windows server 2012 as our main router and firewall. we want to replace our sonicwall with the server 2012. i need to figure out how to do NAT translations to make an external Ip translate into a specific Ip address. for example
  we want 64.19.190.107 to translate to 192.168.50.55. please help me

  Hi,
  Hope the following articles could help you:
  Enable and Configure NAT
  Enable RRAS as a VPN Server and a NAT Router
  NAT Example
  How NAT Works
  IPv4 - NAT - Interface Properties - Address Pool Tab
  Happy Holidays.
  Jeremy Wu
  TechNet Community Support

• Meaning of one-arm setup and src nat

  I've worked previously on CSS platform and recall deploying one-arm mode, which simply meant connecting the appliance via single physical trunk link.
  In terms of the ace some docos and ANM seem to suggest that one-arm requires src nat, if true why is that unless one-arm now translates to one-vlan?.
  btw i know about asymetric routing and src nat, but what i'm failing to get is how that relates to one-arm.
  thanks

  Hello Ajaz,
  generally the convention is to call one arm those setups where both client and servers, for a certain loadbalanced service (so VIP), belong to the same VLAN, see for example how it's defined here:
  http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_Routing_and_Bridging_Configuration_Examples
  not sure whether the definition has changed over time, I would guess that it can be intended in the physical sense (single link) so as you do, or in the logical sense, where 2 VLANs would represent 2 arms even if the physical connectivity is provided through just one link. From my experience, in the LB field the logical interpretation is prevalent.
  Thanks,
  Francesco