NAT 8.6 multiple subnets in a single static NAT

Hello all, I have this question, probably a pretty easy one to answer, but unfortunately I can't test it myself in a production environment right now.
Do you know if it is possible to have in ASA 8.6 a static NAT rule with multiple subnets in both object groups? I currently have a one-to-one subnet translation, but I need to add another two subnets.
Today's configuration is this:
*** FROM ONE SUBNET TO ANOTHER ***
object-group network REGIONAL-SOURCE
 network-object 10.1.1.0 255.255.255.0
object-group network REGIONAL-NAT
 network-object 10.1.201.0 255.255.255.0
nat (Outside,Inside) after-auto source static REGIONAL-SOURCE REGIONAL-NAT dns
What I need to accomplish is to add two new subnets, but I want to see if it is possible to do it using the same NAT rule, just adding the 2 new subnets.
10.1.2.0/24 natted to 10.1.202.0 255.255.255.0
10.1.3.0/24 natted to 10.1.203.0 255.255.255.0
*** TWO MORE SUBNETS ARE NEEDED ***
object-group network REGIONAL-SOURCE
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
object-group network REGIONAL-NAT
 network-object 10.1.202.0 255.255.255.0
 network-object 10.1.203.0 255.255.255.0
If this is not possible, I understand separate objects should be created with individual nat. I appreciate your comments and help.

Hi,
This should be no problem. It should work as you have thought.
I tested the configurations on my own ASA:
object-group network REGIONAL-SOURCE
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
object-group network REGIONAL-NAT
 network-object 10.1.201.0 255.255.255.0
 network-object 10.1.202.0 255.255.255.0
 network-object 10.1.203.0 255.255.255.0
nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
Here are the results of the "packet-tracer" to show the translations:
ASA(config)# packet-tracer input LAN tcp 10.1.1.100 12345 7.7.7.7 80
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
Additional Information:
Static translate 10.1.1.100/12345 to 10.1.201.100/12345
ASA(config)# packet-tracer input LAN tcp 10.1.2.100 12345 7.7.7.7 80
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
Additional Information:
Static translate 10.1.2.100/12345 to 10.1.202.100/12345
ASA(config)# packet-tracer input LAN tcp 10.1.3.100 12345 7.7.7.7 80
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
Additional Information:
Static translate 10.1.3.100/12345 to 10.1.203.100/12345
As you can see, everything is fine
Naturally take into consideration the fact that if you were to (for some reason) remove a "network-object" statement from some "object-group" then the operation of the "nat" would change even if you entered the removed "network-object" back. (unless you removed the last "network-object" inside the "object-group") This is because the order of the "network-object" inside the "object-group" would change. You would essentially have to recreate the "object-group" and "nat" configuration.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
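
The ordering caveat in the reply above, modeled as an added example (not part of the original post and not Cisco code). It assumes, as the reply describes, that the entries of the two object-groups are paired by position and that a re-entered "network-object" lands at the end of its group; the function names and the INTENDED table are hypothetical.

```python
import ipaddress

# Constructed sample: the object-groups from the reply above, in the order entered.
CONFIG = """\
object-group network REGIONAL-SOURCE
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
object-group network REGIONAL-NAT
 network-object 10.1.201.0 255.255.255.0
 network-object 10.1.202.0 255.255.255.0
 network-object 10.1.203.0 255.255.255.0
"""

# Hypothetical record of the translations the administrator intends.
INTENDED = {
    "10.1.1.0/24": "10.1.201.0/24",
    "10.1.2.0/24": "10.1.202.0/24",
    "10.1.3.0/24": "10.1.203.0/24",
}


def parse_object_groups(config):
    """Return {group name: [networks in configured order]}."""
    groups, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object-group", "network"] and len(words) == 3:
            current = groups.setdefault(words[2], [])
        elif words[:1] == ["network-object"] and current is not None:
            if len(words) != 3:
                raise ValueError(f"unsupported entry: {line.strip()}")
            if words[1] == "host":
                current.append(ipaddress.ip_network(words[2] + "/32"))
            else:
                # "address mask" form; other forms raise ValueError here.
                current.append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
    return groups


def pair_positionally(source, mapped):
    """Pair the Nth real network with the Nth mapped network (assumed model)."""
    if len(source) != len(mapped):
        raise ValueError("object-groups have different numbers of entries")
    for real, nat in zip(source, mapped):
        if real.prefixlen != nat.prefixlen:
            raise ValueError(f"{real} and {nat} differ in size")
    return list(zip(source, mapped))


def translate(address, pairs):
    """Translate one host address, keeping its offset inside the subnet."""
    addr = ipaddress.ip_address(address)
    for real, nat in pairs:
        if addr in real:
            offset = int(addr) - int(real.network_address)
            return str(nat.network_address + offset)
    return None


def remove_and_readd(entries, network):
    """Model removing a network-object and entering it again: it moves to the end."""
    net = ipaddress.ip_network(network)
    reordered = [entry for entry in entries if entry != net]
    reordered.append(net)
    return reordered


def audit(pairs, intended):
    """Return (real, intended mapped, effective mapped) for every drifted pair."""
    drift = []
    for real, nat in pairs:
        expected = intended.get(str(real))
        if expected != str(nat):
            drift.append((str(real), expected, str(nat)))
    return drift


if __name__ == "__main__":
    groups = parse_object_groups(CONFIG)
    source, mapped = groups["REGIONAL-SOURCE"], groups["REGIONAL-NAT"]
    print("as configured:", audit(pair_positionally(source, mapped), INTENDED))
    # Remove 10.1.1.0/24 from the source group and enter it again.
    edited = remove_and_readd(source, "10.1.1.0/24")
    for row in audit(pair_positionally(edited, mapped), INTENDED):
        print("drift:", row)
```

Running the audit against the saved configuration after any object-group edit shows whether every subnet still lands on its intended mapped range before traffic depends on it.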

Similar Messages

  • RV320 with NAT source from multiple subnets

    Hello,
    I want to buy a router that will do NAT for multiple subnets, such as in the following configuration from Cisco IOS:
    interface FastEthernet0/0
     ip address 172.16.1.1/12
     ip nat inside
    interface FastEthernet0/1
     ip address a.b.c.d/29
     ip nat outside
    ip nat pool dsl-pool a.b.c.e a.b.c.f prefix-length 29
    ip nat inside source list 20 pool dsl-pool overload
    access-list 20 permit 172.16.1.64 0.0.0.63
    access-list 20 permit 172.16.21.0 0.0.0.255
    Is it possible on a Cisco RV320 device?
    Regards.
    Krzysztof


  • Static NAT not working

    Hi,
    I'm configuring a 1841 router with 4-port FE WIC card.
    Interface FE0/1 is outside and FE0/0/0 (WIC) is used for LAN connection.
    I'm using dynamic NAT for LAN users' access to the Internet and static NAT to connect to internal servers from the external network.
    In my test configuration, I cannot connect to the LAN (192.168.0.0/24) from the external network. Dynamic NAT, though, is working fine.
    My config follows. Am I missing something? Hope someone can help me.
    Thanks in advance.
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
    ip address 10.10.10.1 255.255.255.248
    duplex auto
    speed auto
    interface FastEthernet0/1
    description $ETH-LAN$
    ip address 192.168.2.2 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/0/0
    interface FastEthernet0/0/1
    interface FastEthernet0/0/2
    interface FastEthernet0/0/3
    interface Vlan1
    ip address 192.168.0.6 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 192.168.0.1 23 interface FastEthernet0/1 23
    ip nat inside source static tcp 192.168.0.5 5900 interface FastEthernet0/1 5900
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 2 remark SDM_ACL Category=2
    access-list 2 permit 192.168.0.18 0.0.0.128

    Albert
    It looks to me like your NAT is working. I get similar results in my NAT table.
    2600_connect#sh ip nat trans
    Pro Inside global Inside local Outside local Outside global
    1) icmp 172.16.1.9:4388 10.15.1.2:4388 10.5.1.1:4388 10.5.1.1:4388
    2) tcp 172.16.1.9:23 10.15.1.3:23 172.16.1.10:62274 172.16.1.10:62274
    3) tcp 172.16.1.9:23 10.15.1.3:23 --- ---
    Line 1) is a dynamic translation from inside to outside for ping.
    Line 2) is the dynamic entry built when I telnet from outside (172.16.1.10)
    to 172.16.1.9 (which gets NATted to 10.15.1.3)
    Line 3) is the permanent static translation that gets entered from the
    config line "ip nat source static tcp 10.15.1.3 23 interface fa0/1 23"
    Relevant Router config
    ======================
    interface FastEthernet0/0
    description Connection to CR02
    ip address 10.15.1.1 255.255.255.240
    ip nat inside
    ip pim dense-mode
    no ip route-cache
    speed 100
    full-duplex
    interface FastEthernet0/1
    description Connection to P1
    ip address 172.16.1.9 255.255.255.248
    ip nat outside
    ip pim dense-mode
    no ip route-cache
    speed 100
    full-duplex
    router eigrp 20
    redistribute connected
    redistribute static
    network 10.0.0.0
    network 172.16.0.0
    no auto-summary
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 10.15.1.3 23 interface FastEthernet0/1 23
    ip classless
    access-list 1 permit 10.15.1.0 0.0.0.15
    =====================
    Are you sure it is a natting problem ?
    Jon

  • Overlaping Static NAT Rule

    Hello all. I have an issue while creating a NAT rule: I am getting the error Overlaping Static NAT Rule.
    Here are the details:
    I have already configured static NAT for RDP 3389 traffic to my host 192.168.1.128, which is working fine (so I can RDP from outside).
    However, now I want port 9090 to be translated to 3389 for another host, 192.168.1.13 (so I can use port 9090 when I RDP to reach the .13 server).
    I am receiving the error "Overlaping Static NAT Rule".
    I don't understand how it can be overlapped?
    (see screenshot)
    Please help: how can I have another rule with PAT to the translated port in the ASA?

    Hi,
    Seems to me that you have the ports the wrong way around in the new configuration.
    Your Original port is TCP/9090 which would mean that this would be the actual local port on the host. And you have set the Translated port as TCP/3389 which means that this is the public/mapped port.
    Considering you have a Static PAT (Port Forward) already configured for port TCP/3389, this naturally overlaps.
    So in the configuration window where you define the ports switch their places and it should be fine.
    Hope this helps
    - Jouni

  • GRE Tunnel/NAT with multiple subnets and interfaces

    So, I am not sure if we are trying to accomplish too many things at once and what we are attempting to do is not possible or if we are missing something in our configurations...
    Here is the situation...
    We are migrating some equipment between datacenters.  The equipment only has a /27 worth of IP space assigned to it so we cannot simply "move" the IP space to the new datacenter.  Further, because we have several VPNs terminated in the old IP space that originate from devices we do not directly control and are essential in continuing to provide service, it was/is difficult to magically update some DNS entries and change IP addresses overnight.  The last twist in this puzzle is that at the new datacenter, we will be deploying some new equipment that will be in a separate subnet (with a separate Windows AD structure) but sharing the new public IP space we have in the new datacenter.
    We thought using a GRE tunnel, some trunks, and a bunch of NATs would make the whole process easy and we tested it in a lab and everything SEEMED to work.  However, when we performed the move we ran into an odd issue that we were unable to figure out and had to go back to a failsafe configuration that has the essentials up and running, but the environment is not running in an ideal way for us to gradually transition as we would like.
    Essentially what we had/have and how it was configured is as follows:
    Site A
    Edge Router - x.x.x.x /24 BGP announcement
    x.x.x.y/27 that is within the /24 that we need at site b
    GRE tunnel configuration
    interface tunnel0
      ip address 10.x.x.1 255.255.255.252
      tunnel source <router edge IP>
      tunnel destination <site b router edge ip>
      keepalive 10 3
    static route for site a public ip to bring it to site b via GRE tunnel
    ip route x.x.x.y 255.255.255.224 10.x.x.2
    Site B
    Edge Router - y.y.y.y /24 BGP announcement
    Similar GRE tunnel configuration (tunnel comes out and works so don't think issue is here)
    2 Vlans (1 for site a ip space, 1 for site b ip space)
    int vlan 50
    ip address x.x.x.1 /27
    int vlan 51
    ip address y.y.y.129 /25
    Trunk port for the VLANs going down to an ASA
    int g1/1
      swi mode trunk
      swi trunk native vlan 51
      swi tru all vlan 50,51
      swi tru en dot1q
    Then on the ASA, I have 2 physical interfaces for 4 logical interfaces (outside, outsideold, inside, insideold)
    int e0/0
     nameif outside
     sec 0
     ip address y.y.y.130 /25
    int e0/0.50
     nameif outsideold
     sec 0
     ip address x.x.x.2 /27
     vlan 51
    int e0/1
      nameif inside
      sec 100
      ip address 192.168.y.1 /24
    int e0/1.60
      nameif insideold
      sec 100
      ip address 192.168.x.1 /24
      vlan 60
    A static route using the new ip space on the native outside interface...
    route 0 0 y.y.y.129
    And then I have some nat rules which is where I think things go a little haywire...
    object network obj-y.y.y.0-24
      subnet y.y.y.0 255.255.255.0
     nat (inside,outside) dynamic interface
    object network obj-x.x.x.0-24
      subnet x.x.x.0 255.255.255.0
     nat (insideold,outside) dynamic interface
    object network obj-y.y.y.135-160
      range y.y.y.135 y.y.y.160
    object network obj-192.168.y.135-160
      range 192.168.y.135 192.168.y.160
      nat (inside,outside) static obj-y.y.y.135-160
    object network obj-x.x.x.10-20
      range x.x.x.10 x.x.x.20
    object network obj-192.168.x.10-20
      range 192.168.x.10 192.168.x.20
      nat (insideold,outsideold) static obj-x.x.x.10-20
    From some debugging and looking at packet-tracer, I found out I left out the below which was needed to properly nat traffic as it leaves the outside interface (when the default sends the traffic)
    object network obj-192.168.x.10-20-2
      range 192.168.x.10 192.168.x.20
      nat (insideold,outside) static obj-x.x.x.10-20
    There are / were a bunch of other nat exemptions for the VPNs and specific external routes to ensure all vpn traffic exited the "outsideold" interface which is where all the existing tunnels were terminated.
    Everything appeared to be working great as all the VPN tunnels came up perfectly as expected and traffic appeared to be flowing, except for some of the most important traffic.  The following was what was observed:
    1.  Any traffic using the dynamic NAT (ie...a machine with IP x.x.x.200 or y.y.y.20) would connect to the internet perfectly and work fine using the "new interface ip".
    2.  Any traffic in the "new range" using a one to one nat worked perfectly (ie y.y.y.140).  Internet would work etc and nat translation would properly occur and everything could connect fine as expected.
    3.  ICMP packets to the "old ip range" flowed perfectly fine to a one to one nat IP (ie I could ping x.x.x.20 from outside) and likewise I could ping anywhere on the internet from a machine with a static natted ip.
    4.  Here's the but...no traffic other than ICMP would reach these machines with static ips.  Same range, same subnet as the ones using the dynamic port translation that worked perfectly.  I do not understand why this was / is the case and this is what I am seeking a solution to.  I have attempted the following troubleshooting steps without success:
    A. Confirmed MTU size was not an issue with the GRE tunnel.  2 methods, one plugging to edge router and using the "outsideold" ip space works perfectly and 2 if I assign outsideold ip space to "outside" interface, everything nats fine.
    B. Ran packet-tracer, all results show "allow" as if I should be seeing the packets.
    C. Confirmed local windows machine firewall was off and not blocking anything.
    D. Reviewed logs and observed SYN timeouts and TCP teardowns as if the firewall is not getting a response and this is where I am stumped.  There is no path around the firewall so asymmetric routing should not be an issue and if that was the problem it should not work when the "outsideold" ip space is assigned and natted from the "outside" interface, but it does.  Packet-tracer shows proper nat translations occurring and there is definitely proper routing along the path for stuff to return to the network or ICMP would not work (IE I can ping www.google.com but not open the web page).
    So what simple piece of the nat configuration am I overlooking? Because I cannot possibly wrap my head around it being anything else.
    Any suggestions / lessons would be greatly appreciated.

    is this still a problem?

  • RV320: Need to use as gateway for multiple subnets

    We just purchased an RV320 as a replacement/upgrade to an RV042. Our Internet connection was upgraded to 200Mbps and the RV042 wouldn't handle that throughput.
    Our internal network has 4 subnets, all connected via a layer 3 switch. The RV320 is connected to one of those subnets and is the default gateway for the entire network.
    The RV042 had a "multiple subnets" setting that allowed it to perform NAT for the directly connected subnet and the other 3 subnets in our network. We would just add the other networks to the list in the RV042 and everything was fine.
    The RV320 doesn't seem to have the same functionality (or am I missing something?). It looks like there is some sort of multiple subnet support, but when we try to add another subnet the interface seems to be asking us to define a single IP address in that subnet (an IP address for the router?) as if all subnets will be directly attached to the router using VLANs (which is not the case in our network).
    We can set up the "advanced routing" option to define the other 3 internal subnets and how to route to them, etc. but will the RV320 perform NAT for the other subnets without any additional configuration?
    Can anyone shed any light on this?
    Many thanks!

    Precept,
    My name is Ismael, I am with Small Business Support Center. I'd like to start by asking: is there a particular reason that the switch is handling Layer 3/or DHCP? Normally when an RV042 is implemented you would need a Layer 3 switch as the RV042 only supports one DHCP scope. In addition, all the RV0XX series does not support 802.1q VLAN.
    With RV320 you can setup multiple subnets under advance routing and still allow for it to pass DHCP for all of your 4 subnets and create 801.2q Vlan subinterfaces . Setting RV320 in this manner can create an ease in managing the network.
    If you are considering the RV320 to do Layer 3 / DHCP simply create your 4 Vlans or subnets. Add them to the DHCP scope and enable DHCP server for all subnets. Switch would have to be configured to Layer 2 for this to work.  The link below is a knowledge portal that could assist in creating DHCP and Vlans. Hope this helps you.
    http://sbkb.cisco.com/

  • Multiple subnets / NSX Question

    Hi guys
    Need a little bit of advice please.  I've inherited a collection of tiny server rooms, around 250 physical Windows 2003 servers, spread over several buildings.  Almost each rack has its own subnet. I've told management that they need to invest more in their network and a fully equipped server room / data center, however it falls on deaf ears!  Ideally I just want to invest in a small cluster with a SAN array in a single location and P2V all those VMs, however I need a little bit of advice on how to approach the subnet issue.
    I've had a very quick look at NSX and it seems to tick all the right boxes, is there something else I should be looking at or is something like NSX the way forward?
    Many thanks

    Sorry if there were some holes in my explanation.  I'm not a network guy so my knowledge on this is limited. 
    The end goal is to have all the physical servers (200+) running in many different rooms on multiple subnets, P2V'd onto a single cluster in a new location somewhere else in the building.  I don't know exactly why each rack has its own subnet, maybe it's a legacy thing.  I asked the network team if they can present all those subnets to the new cluster but they said it can't be done due to the way the network is configured (no other explanation).
    Whilst I can ping the old physical servers from the new cluster I can't host any of the P2V's there as it's not picking up the old subnets, does that make sense?
    Regards
    Pete

  • Is src and dst NAT possible in multiple rules on the ASA?

    Hello,
    We have +/- 50 customer companies that will have to enter our network via IPsec s2s VPN's and as backup the customers have the option to enter our network via a leased line. Since they can enter multiple routes we give them a source IP depending what side they enter so we know the route back internally in the network to the correct FW they entered.
    For the s2s we have to do source NAT on our side since we cannot burden all these customers with different NAT's for both the leased line and for the s2s. And we have to do destination NAT since the customers can access different DMZ systems depending on the application they connect to.
    1) source NAT can be 1 NAT rule per company (so hide NAT behind 1 IP)
    2) destination NAT is multiple rules (see below)
    At the moment we have 12 NAT rules per company since we have configured src and dst NAT in one rule to make it work.
    See example below:
    Question: How can we configure src and dst NAT in multiple rules so that we don't need 12 NAT rules per company?
    ASA cluster: single mode - Active/Standby
    asa922-4-smp-k8.bin
    asdm-731-101.bin
    Src REAL            Src Mapped  Dst MAPPED    Dst REAL     Service
    192.168.143.128_29  11.11.11.1  19.19.19.90   10.10.10.42  53-udp
    192.168.143.128_29  11.11.11.1  19.19.19.90   10.10.10.42  53-tcp
    192.168.143.128_29  11.11.11.1  19.19.19.11   10.10.10.42  53-udp
    192.168.143.128_29  11.11.11.1  19.19.19.11   10.10.10.42  53-tcp
    192.168.143.128_29  11.11.11.1  19.19.19.90   10.10.10.41  PoP3
    192.168.143.128_29  11.11.11.1  19.19.19.90   10.10.10.41  SMTP
    192.168.143.128_29  11.11.11.1  19.19.19.180  10.10.10.44  SMTP
    192.168.143.128_29  11.11.11.1  19.19.19.180  10.10.10.44  PoP3
    192.168.143.128_29  11.11.11.1  19.19.19.83   10.10.10.47  http
    192.168.143.128_29  11.11.11.1  19.19.19.83   10.10.10.47  tcp-5555
    192.168.143.128_29  11.11.11.1  19.19.19.90   10.10.10.47  http
    192.168.143.128_29  11.11.11.1  19.19.19.92   10.10.10.47  http

    Steve,
    That is my whole point.  To copy from the PC host memory to the CUDA device memory asynchronously, the host memory must be pinned.  Hence, the source and destination memory should be pinned.  Otherwise, I must copy the source memory to pinned memory I have allocated on the PC, copy it asynchronously to the CUDA device memory, process it on the CUDA device, asynchronously copy it back to the PC pinned memory, and then copy it to the destination memory.
    If you copy synchronously, it is slow as Christmas!  Therefore, you must copy the memory asynchronously, or you should not use CUDA and GPU acceleration.
    My question still stands.  Why is the source and destination memory on the PC used by Premiere Pro not pinned memory?
    Gene
    Gene A. Grindstaff

  • Multiple subnets under one vlan

    Hi everyone,
    Is there any way to create multiple subnets under one VLAN? Right now, I am using VLAN 110 and its IP is 172.16.0.1/16.
    We have three types of devices on this VLAN. I want to create 3 or 4 subnets for those devices under this VLAN for reducing the traffic or broadcast.
    Please advise me.....
    Thanks in advance

    Mohammed,
    As long as you have a single VLAN only, you will not reduce the amount of broadcasts in this VLAN by using several IP networks. Even if the stations are in different IP networks within a single VLAN, every broadcast will be sent across the entire VLAN to all stations, regardless of their configured IP address. Broadcasting is a matter of Data Link Layer, or Layer2, and if you keep a single Layer2 domain (the VLAN), you will keep a single, merged, large broadcast domain.
    Just to answer your question, you could assign multiple addresses to an interface in a single network/VLAN by using secondary IP addresses, for example:
    interface Vlan110
    ip address 172.16.0.1 255.255.0.0
    ip address 192.168.1.1 255.255.255.0 secondary
    ip address 10.20.30.1 255.255.255.0 secondary
    However, as I explained, this will only allow you to "stretch" multiple IP networks over a single broadcast domain so there is no saving in terms of broadcasts or traffic reduction. For that, you must resort to multiple VLANs.
    Best regards,
    Peter

  • One Server multiple Subnets

    Hello All,
    I want to configure a single print server for a multiple subnets environment, i.e. I have the 10.0.0.0 network, then I have 192.168.1.0 and some more subnets and networks. Can I have a single print server for all my users? If yes, how can I achieve this?
    Thanks in advance.
    Regards
    Divyendu

    divyendu_bhatt, you can use a router with the layer 2 switch for vlans. For that you need to create Switched Virtual Interfaces (SVI). Use google to understand SVI and use of inline router...

  • I have issue about multiple subnet on RV series

    Now I connect an RV with a 300 series switch with 20 VLANs. How do I configure the RV series to NAT all VLANs for access to the internet? Because I use multiple subnets I can add only 5 VLANs for access to the net; it's not enough. Please advise. Thank you for your kind support.

    Siriphan,
    SG300 switch doesn’t do NAT or DHCP so you would have to have DHCP server on one subnet to issue IP address to multiple devices across Vlans.
    RV042 only support DHCP on Vlan 1
    You have to use the RV042 to NAT the traffic from the SG300 switch.
    So if you want to set the SG300 in layer 3 mode, while having DHCP Server giving out IP address across your network, while the RV042 NAT’s all your traffic. This can be accomplished
    RV042
    Local subnet 192.168.5.1
    Static routes for other subnets,
    192.168.10.0/24 192.168.5.254
    192.168.20.0/24 192.168.5.254
    10.10.10.0/24 192.168.5.254
    10.10.5.0/24 192.168.5.254
    SG300 (layer 3 mode)
    Vlan 1 192.168.5.254
    Vlan 2 192.168.10.1
    Vlan 3 192.168.20.1
    Vlan 4 10.10.10.1
    Vlan 5 10.10.5.1
    (You would need a DHCP server on a subnet, having turned on DHCP relay on SG300 switch)
    You would have a default route 0.0.0.0 0.0.0.0 192.168.5.1
    Thanks,
    Jasbryan
    Cisco Support Engineer

  • Flexconnect - local-switching - Interface Groups - multiple subnets/vlans

    So I'm trying to setup an "interface-group-like" configuration on some Flexconnect APs with local switching enabled in order to support multiple subnets/VLANs linked to a single SSID.
    Does anyone know if this is possible or have any suggestions?
    I've tried:
    AP Groups - One SSID which would require central switching for it to be of use (I think).
    AP Groups - Creating an additional SSID and then placing the APs in a group per site. This works but is going to be difficult to manage if I have 400+ sites running this sort of setup.
    For reference, my end goal is to have multiple (400+) branch sites with the same WLAN mapped to 3 or 4 different VLANs in order to split the subnets up into smaller chunks (/23s or /24s). These VLANs are all switched locally and are uniform in numbering across all the sites from a layer 2 perspective.
    Thanks,
    Ric

    Interface groups is not an available feature on FlexConnect. FlexConnect doesn't support layer 3 roaming if devices roam from one FlexConnect ap to another and the wlan to vlan mappings are different. This is a limitation to FlexConnect along with a few others listed in the FlexConnect deployment guide.
    -Scott

  • Help With split tunneling and multiple subnets behind asa

    Hello All,
    Our vpn clients can no longer access the internet while connected to vpn.
    I was hoping I could get an answer on here for an issue we are having. Let me explain this with as few words as possible.
    Here was the old network layout:
    ASA
    192.168.1.1   ---->  the rest of the internal subnet (was only subnet in network)
    now
    ASA                              3560
    192.168.254.1/24 ----->192.168.254.2/24-->192.168.1.1/24
                                                                   192.168.2.1/24
    So what we did was route from the 3560 to the asa so we would be able to have multiple subnets, since our asa has a base license.
    Our vpn with easy connect worked with our split tunneling before and now we made the change above and it no longer works. Can someone help me out as to why it no longer works and what changes need to be made to make it work?
    Thank you.
    ciscoasa# sh run
    : Saved
    ASA Version 8.2(2)
    hostname ciscoasa
    enable password 1N7bTm05RXLnBcUc encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.254.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    ftp mode passive
    clock timezone est -5
    same-security-traffic permit intra-interface
    access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0
    access-list SplitTunnel standard permit 192.168.1.0 255.255.255.0
    access-list SplitTunnel standard permit 192.168.2.0 255.255.255.0
    access-list SplitTunnel standard permit 192.168.254.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNPool 172.16.5.1-172.16.5.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NoNat
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 192.168.1.0 255.255.255.0 192.168.254.2 1
    route inside 192.168.2.0 255.255.255.0 192.168.254.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TransformSet1 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DynamicMap1 1 set transform-set TransformSet1
    crypto map MainMap 999 ipsec-isakmp dynamic DynamicMap1
    crypto map MainMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 64.90.182.55 source outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
    svc enable
    tunnel-group-list enable
    group-policy RenotreUsers internal
    group-policy RemoteUsers internal
    group-policy RemoteUsers attributes
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SplitTunnel
    tunnel-group RemoteUsers type remote-access
    tunnel-group RemoteUsers general-attributes
    address-pool VPNPool
    default-group-policy RemoteUsers
    tunnel-group RemoteUsers webvpn-attributes
    group-alias Southeast-Security-VPN enable
    tunnel-group RemoteUsers ipsec-attributes
    pre-shared-key *****

    I think it could be your NAT statement. You should try and avoid using any unless you tunnel everything. Try making this change:
    no access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0
    object-group network INTERNAL_NETWORKS
    description Internal Networks
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.254.0 255.255.255.0
    access-list NoNat extended permit ip object-group INTERNAL_NETWORKS 172.16.5.0 255.255.255.0
    You may have to re-add your NAT0
    nat (inside) 0 access-list NoNat
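The check behind the reply above, as an added Python example that is not part of the original thread: it flags a `nat 0` exemption ACL whose source is `any`, and confirms that every split-tunnel network still has an exemption after the ACL is tightened. The function names `to_net` and `audit` are hypothetical, and the config text is a constructed sample modelled on the lines quoted in the thread.

```python
import ipaddress
import re

# Constructed sample, modelled on the pre-8.3 ASA configuration quoted in this thread.
BEFORE = """\
access-list NoNat extended permit ip any 172.16.5.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.2.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.254.0 255.255.255.0
nat (inside) 0 access-list NoNat
split-tunnel-network-list value SplitTunnel
"""
# The same sample after the change suggested in the reply.
AFTER = BEFORE.replace("ip any", "ip object-group INTERNAL_NETWORKS") + """\
object-group network INTERNAL_NETWORKS
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.254.0 255.255.255.0
"""

def to_net(tok):
    """Parse the first address spec in tok: 'host A' or 'A MASK'."""
    return ipaddress.ip_network(tok[1] if tok[0] == "host" else f"{tok[0]}/{tok[1]}")

def audit(config):
    """Return (exemption ACLs with source 'any', split-tunnel nets lacking an exemption)."""
    groups, acls, group = {}, {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["object-group", "network"]:
            group = groups.setdefault(words[2], [])
        elif words[:1] == ["network-object"] and group is not None:
            group.append(to_net(words[1:]))
        elif words[:1] == ["access-list"] and len(words) >= 6 and words[3] == "permit":
            # Keep tokens from the source onward (extended entries have a protocol first).
            acls.setdefault(words[1], []).append(words[4:] if words[2] == "standard" else words[5:])
    exempt = re.findall(r"^\s*nat \(\S+\) 0 access-list (\S+)", config, re.M)
    tunnel = re.findall(r"split-tunnel-network-list value (\S+)", config)
    too_broad, sources = [], []
    for name in exempt:
        for src in acls.get(name, []):
            if src[0] == "any":  # exempts every inside source, not only the VPN-reachable ones
                too_broad.append(name)
                sources.append(ipaddress.ip_network("0.0.0.0/0"))
            elif src[0] == "object-group":
                sources += groups.get(src[1], [])
            else:
                sources.append(to_net(src))
    wanted = [to_net(s) for n in tunnel for s in acls.get(n, []) if s[0] != "any"]
    uncovered = [str(w) for w in wanted if not any(w.subnet_of(s) for s in sources)]
    return too_broad, uncovered
```

Only the source side of each exemption entry is compared here; an empty second list means no split-tunnel network lost its NAT exemption when the ACL was narrowed.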

  • Hyper-V - Sites and Services using multiple subnets

    Good evening,
    I'm currently setting up a test domain where I want to use multiple subnets.
    My current setup is the following
    - Host PC running Hyper-V manager with 1 physical NIC that connects to my router (192.168.0.1)
    - Virtual Machine running Windows Server 2012 R2 - This is my domain controller as well as DNS and DHCP server. IP address for this is 192.168.0.200
    Now what I'm wanting to do is also create 2 more domain controllers but 'pretend' that they are in two completely different locations running off multiple subnets. Let's say one is in America and one is in Australia.
    I want the addresses of these two machines the following
    DC (America) - 192.168.1.1
    DC (Australia) - 192.168.2.1
    The reason I'll be doing this is I'm going to be working with Sites and Services to give me a better understanding of it.
    Please can someone give me help with how I can achieve this.
    Thanks.

    One way to do this is to:
    Setup 1 internal vSwitch. We'll use a different VLAN and subnet for each AD Site. For example, you can use VLAN 101, 102, and 103, and subnets 192.168.101.0/24, 192.168.102.0/24, and 192.168.103.0/24. This consistency will be very helpful later on. 
    Create a VM to act as a router, with 3 vNICs. Configure each of the 3 vNICs on a different VLAN, with a static IP on the corresponding subnet, such as 192.168.101.5, 192.168.102.5, and 192.168.103.5. Setup static routing rules if needed using Route Add for example.
    Create 3 DCs. Each DC will have a single vNIC. It can be in its own domain and forest. For example, DC101 will have a vNIC on VLAN 101, with IP 192.168.101.10/24, GW 192.168.101.5. Setup DNS on each DC.
    Setup DHCP on each DC with a scope that corresponds to its subnet. For example, on DC101 setup a scope that provides IPs from 192.168.101.100 to .150, with /24 mask, .5 gateway, and .10 DNS.
    As you add other VMs, if you VLAN-tag its vNIC with VLAN ID 101, it will get IP address from DC101 on the 192.168.101.0/24 subnet since DHCP ARP broadcasts will not cross the router (VM we setup earlier) by default. 
    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable)
    Powershell: Learn it before it's an emergency http://technet.microsoft.com/en-us/scriptcenter/powershell.aspx http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx

  • Can there be multiple ASM instances on single node?

    Hi,
    Can there be multiple ASM instances on single node?
    This one says No : http://www.freelists.org/archives/oracle-l/02-2008/msg00317.html
    And This one says Yes : http://www.databasejournal.com/features/oracle/article.php/3571371
    Thanks in advance.
    Thanks,
    Harsha
    Edited by: user498756 on Sep 11, 2008 2:23 AM

    ...that document doesn't say you cannot have multiple ASM instances on a node. It says "...ASM, you only need one ASM instance for that computer, to manage the two database instances that use ASM."
    The fact that you only need one - and I cannot think of a good reason to have more than one - does not preclude the fact that you do seem to be able to have multiple ASM instances on a single node, each looking after its own set of disks and diskgroups.
    Again - I cannot think of a good reason to do so though!
    -Bob
