NAT a subnet to another subnet

Hi All,
I have a Cisco ASA 5510 configured as a gateway for my network. The problem is that I want to create a new subnet for my network, and I have a VPN tunnel established to the headquarters. The objective is to create a subnet and NAT it to the already configured subnet through the tunnel. Is this possible? Till now I am able to create a subnet and make it go to the internet, but I have tried a lot to make it go through the tunnel and it's not working. Has anyone faced such a problem before?!
thanks for your help,
Cordially

Hi Jouni,
I have been making a lab for this configuration using GNS3. I made a VPN tunnel between two Cisco ASA 5510s (ping OK, tunnel is up), then I made a new subnet and configured routing and NAT for the new subnet; tests locally are OK. Then I tried to NAT the new subnet as you mentioned before, but I can't figure out what's wrong with my configuration; it seems that there is something missing. Here's a summary of the lab:
Site 1: private address 10.241.105.0/25, private new subnet 172.20.50.0/24
Site 2: private address 192.168.1.0/24
Tunnel is up
What I have done is that I added the new subnet 172.20.50.0/24 to the VPN tunnel for both sides, and then I used Packet Tracer to figure out that packets from 172.20.50.0/24 are being translated to the outside interface and not going through the tunnel. So I added a NAT exempt rule on both sides too, and oops, everything is OK. Good news, right?
But that's not what I'm looking for!!!
I will be pasting the two network configurations, and I'm looking for a way to post an image; I can't figure out a way to do that in the forum (feeling stupid). I hope to find it.
Here's my mail address [email protected]. Would you please mail me the right configuration? This is very important for me since it's a challenge I have to take in order to join an IT leading team in my corporation (Level 3 support), my dream since 3 years.
Cisco ASA 5510 Site 1
: Saved
: Written by enable_15 at 00:33:55.172 UTC Tue Nov 30 1999
ASA Version 8.0(2)
hostname ASA1
domain-name jihed.com
enable password TyjfM4B9RGk0QSqu encrypted
names
interface Ethernet0/0
description ### Connected to LAN ###
nameif inside
security-level 100
ip address 10.241.105.1 255.255.255.128
interface Ethernet0/1
description ### Connected to Outside LAN VPN Tunnel ###
nameif outside
security-level 0
ip address 41.224.46.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Welcome Admin Have a Nice Day
banner login Welcome Admin Have a Nice Day
banner motd Welcome Admin Have a Nice Day
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name jihed.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 10.241.105.0 255.255.255.128
network-object 172.20.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_nat_outbound extended permit ip 10.241.105.0 255.255.255.128 any
access-list 197.22.47.2_splitTunnelAcl standard permit 10.241.105.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 10.241.105.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 172.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 41.224.46.2_splitTunnelAcl standard permit 10.241.105.0 255.255.255.128
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
no logging message 402128
mtu inside 1500
mtu outside 1500
ip local pool Remote_Access 10.241.105.6-10.241.105.10 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 10.241.105.12 netmask 255.255.255.128
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 10.241.105.0 255.255.255.128
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 41.224.46.1 1
route inside 172.20.50.0 255.255.255.0 10.241.105.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.241.105.0 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 197.22.47.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.241.105.0 255.255.255.128 inside
telnet timeout 1440
ssh 10.241.105.0 255.255.255.128 inside
ssh 172.10.1.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
service-policy global_policy global
group-policy 41.224.46.2 internal
group-policy 41.224.46.2 attributes
wins-server value 8.8.8.8 8.8.8.8
dns-server value 8.8.8.8 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 41.224.46.2_splitTunnelAcl
default-domain value jihedlab.com
group-policy 41.224.46.2_1 internal
group-policy 41.224.46.2_1 attributes
wins-server value 8.8.8.8 8.8.8.8
dns-server value 8.8.8.8 8.8.8.8
vpn-tunnel-protocol IPSec
default-domain value jihed.com
group-policy 197.22.47.2 internal
group-policy 197.22.47.2 attributes
wins-server value 8.8.8.8 8.8.8.8
dns-server value 8.8.8.8 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 197.22.47.2_splitTunnelAcl
default-domain value jihed.com
username jihed password gUiCqYVlWOugRmug encrypted privilege 15
username jneji password Ae.gIIaVTgmxpFgx encrypted privilege 0
username jneji attributes
vpn-group-policy 197.22.47.2
tunnel-group 41.224.46.2 type remote-access
tunnel-group 41.224.46.2 general-attributes
address-pool Remote_Access
default-group-policy 41.224.46.2_1
tunnel-group 41.224.46.2 ipsec-attributes
pre-shared-key jihed
tunnel-group 197.22.47.2 type ipsec-l2l
tunnel-group 197.22.47.2 ipsec-attributes
pre-shared-key jihed
prompt hostname context
Cryptochecksum:27224fc34af0663282057f5cd4f7e932
: end
Cisco ASA 5510 Site 2
: Saved
: Written by enable_15 at 01:53:32.677 UTC Tue Nov 30 1999
ASA Version 8.0(2)
hostname ASA2
domain-name jihed.com
enable password TyjfM4B9RGk0QSqu encrypted
names
interface Ethernet0/0
description ### Connected to LAN ###
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
description ### Connected to Outisde Interface VPN Tunnel ###
nameif outside
security-level 0
ip address 197.22.47.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Welcome Admin Have a Nice Day
banner login Welcome Admin Have a Nice Day
banner motd Welcome Admin Have a Nice Day
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name jihed.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 10.241.105.0 255.255.255.128
network-object 172.20.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.241.105.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
no logging message 402128
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 197.22.47.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 41.224.46.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 1440
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
service-policy global_policy global
username jihed password gUiCqYVlWOugRmug encrypted privilege 15
tunnel-group 41.224.46.2 type ipsec-l2l
tunnel-group 41.224.46.2 ipsec-attributes
pre-shared-key jihed
prompt hostname context
Cryptochecksum:4db675e1167a33bf5d9dfae0c74da193
: end
Thanks a lot
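The translation the original poster is after, written here as an added example rather than configuration from the thread: on ASA 8.0(2) it is a policy PAT (`nat (inside) <id> access-list` paired with `global (outside) <id>`) that rewrites 172.20.50.0/24 to one address inside 10.241.105.0/25 before the crypto map is matched, so Site 2 only ever sees the existing subnet. Assumptions: 10.241.105.12 (taken from the posted `global (inside) 2` line) is free and used as the mapped address, the ACL name NEWSUBNET_TO_SITE2 is made up, and routing to 172.20.50.0/24 stays as the poster has it; the posted `nat 0` exemption for 172.20.50.0/24 is removed because NAT exemption is evaluated before policy NAT and would otherwise keep sending the traffic untranslated.

```cisco
! ---- Site 1 (ASA1, 8.0(2) syntax) ----
! Policy PAT: only traffic from the new subnet towards Site 2 is translated.
! Added example, not configuration from the thread; 10.241.105.12 is assumed free.
access-list NEWSUBNET_TO_SITE2 extended permit ip 172.20.50.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! The posted config exempts 172.20.50.0/24 -> 192.168.1.0/24 from NAT (nat 0 is
! checked first), which is exactly what keeps it untranslated; that line has to go.
no access-list inside_nat0_outbound extended permit ip 172.20.50.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! The mapped address has to belong to the interface the traffic leaves through
! (outside), not to inside as in the posted "global (inside) 2" line.
no global (inside) 2 10.241.105.12 netmask 255.255.255.128
global (outside) 2 10.241.105.12
nat (inside) 2 access-list NEWSUBNET_TO_SITE2
!
! The crypto ACL is matched after NAT, so it only needs the existing subnet;
! 172.20.50.0/24 no longer has to be part of the interesting traffic.
no access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.241.105.0 255.255.255.128 192.168.1.0 255.255.255.0
!
! ---- Site 2 (ASA2) ----
! Mirror image: Site 2 only knows 10.241.105.0/25, so 172.20.50.0/24 disappears
! from both the NAT exemption and the crypto ACL.
no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.20.50.0 255.255.255.0
no access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.105.0 255.255.255.128
!
! Verification from Site 1: the NAT phase should report the source mapped to
! 10.241.105.12 and the VPN phase should report ALLOW; show xlate should list
! a PAT entry for the 172.20.50.x host.
! packet-tracer input inside icmp 172.20.50.10 8 0 192.168.1.10
! show xlate
```

With this in place the DM_INLINE_NETWORK_1 object group is no longer referenced by the crypto map and can be left or removed on both units.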

Similar Messages

  • ASA 5510 - Setting up ACL to permit access only to the Nat'ed subnet

    Hi,
    I am experiencing an issue in setting up an ACL on my ASA 5510 to permit access only to the NAT subnet from inside to the outside interface. This firewall is set up for the DR solution in the production network. I am applying the following ACL in the inbound direction on the inside interface.
    permit ip any "Nat_subnet"
    After applying this ACL to the inside interface I observed that I can ping the destinations in the NAT'ed subnet but am unable to SSH to the servers. Following is the summary of my configuration. I would appreciate it if someone could please advise how to resolve this issue.
    Regards,
    Muds
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.135.249 255.255.255.248 standby 192.168.135.250
    object-group network d1-dr-nat_nets
    network-object 192.168.128.0 255.255.248.0
    object network 10.210.14.0_Net
    nat (outside,inside) static 192.168.128.0_Net
    object network 10.210.16.0_Net
    nat (outside,inside) static 192.168.129.0_Net
    object network 10.210.80.0_Net
    nat (outside,inside) static 192.168.130.0_Net
    object network 10.210.84.0_Net
    nat (outside,inside) static 192.168.131.0_Net
    object network 10.210.86.0_Net
    nat (outside,inside) static 192.168.132.0_Net
    object network 10.210.88.0_Net
    nat (outside,inside) static 192.168.133.0_Net !
    object network 10.210.14.0_Net
    nat (outside,inside) static 192.168.128.0_Net
    object network 10.210.16.0_Net
    nat (outside,inside) static 192.168.129.0_Net
    object network 10.210.80.0_Net
    nat (outside,inside) static 192.168.130.0_Net
    object network 10.210.84.0_Net
    nat (outside,inside) static 192.168.131.0_Net
    object network 10.210.86.0_Net
    nat (outside,inside) static 192.168.132.0_Net
    object network 10.210.88.0_Net
    nat (outside,inside) static 192.168.133.0_Net
    access-list prod_lan-in extended permit ip any object-group d1-dr-nat_nets
    access-group prod_lan-in in interface inside

    Hi,
    As I mentioned, even though you NAT the address from outside to inside, you will have to use the REAL IP ADDRESSES in the access-list statements.
    Your hosts on inside will still be connecting to the NAT IP address of the hosts on outside, BUT the ASA needs the ACL statements with the NATed hosts' original IP addresses.
    Let me give a simple example:
    object network STATIC
    host 10.10.10.10
    nat (outside,inside) static 192.168.10.10
    access-list INSIDE-IN permit ip any host 10.10.10.10
    or
    access-list INSIDE-IN permit ip any object STATIC
    - Jouni

  • ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)

    Greetings all.  I've searched through the forums and have found some similar situations to mine but nothing specific.  I'm hoping this is an easy fix...  :/
    I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4).  They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securely transfer digital X-Ray images.  Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already.  So...
    The network admin on the Fortinet side assigned me 172.31.1.0/24.  I have established a connection but obviously cannot route anywhere to the other side.  Anyone have any suggestions here, how I might be able to accomplish this - hopefully with a simple NAT setup?
    Thank you in advance everyone.

    Hello Chris,
    For this scenario you will need to create a Policy-NAT rule and then configure the Interesting Traffic with the translated IP address.
    Basically the NAT configuration will be like this:
    object network Local-net
    subnet 192.168.1.0 255.255.255.0
    object network Translated-net
    subnet 172.31.1.0 255.255.255.0
    object network Fortinet-net
    subnet 10.10.115.0 255.255.255.0
    nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
    Obviously, you can change the name of the objects.
    Then in the interesting traffic, the ACL that is applied in the crypto map and defines the VPN traffic, you will need to configure it like this:
    access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
    This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
    Let me know if you have any doubts.
    Daniel Moreno
    Please rate any posts you find useful

  • GT784WNV NAT and subnets

    Hi, we have had Verizon DSL for several years and were recently given a new GT784WNV modem/router. I would like to replace my old Linksys router with this device, but the big problem at the moment is that the GT784WNV will not perform NAT translation for a secondary subnet.
    I have a basic network for the household PCs and devices, with the GT784WNV providing Internet gateway services. This stuff all works pretty much as desired. I also have a second subnet for work-related computers, which is on a second switch behind another router. I added the necessary routing information to the GT784WNV so that it knows about the second subnet, and am able to successfully ping the devices on that subnet from the GT784WNV diagnostics, and vice versa. However, the devices on that subnet cannot connect to the Internet--they cannot ping anything past the GT784WNV, they cannot access web pages, or do anything else. From what I can tell, the NAT module in the GT784WNV is not creating mappings for the devices on the second subnet.
    I have done some preliminary research and it appears that other people were able to resolve this by adding explicit firewall rules; however, I don't see any way to enter these rules in the router's configuration. Does anybody have any advice for me? Can these rules be added with the CLI via the TELNET interface?
    Thanks for any assistance.

    Let me give a more detailed picture and see if I can answer your questions along the way.
    All the PCs on the home network are plugged into a D-Link gigabit ethernet switch. The Linksys router has a single connection to the switched ethernet segment, and the wireless AP is bridged to the LAN segment (so that wireless devices are on the LAN side). Meanwhile, the Linksys also provides internet routing/firewall functions by talking to the (old) Westell modem over PPPoE on a separate WAN link. The Linksys is running DD-WRT firmware for all this.
    My office gear is on a separate HP switch. I have an additional Juniper router/firewall that plugs into the HP router on one port, and plugs into the home D-Link switch on another port. The home and office networks are on completely different IP ranges (work network uses work subnet allocation). The juniper between the two networks has an IP address for each network that it is connected to. The devices on the office network have a default route for the juniper, and it has a default route for the linksys. The linksys has a subnet route for my office network that points to the juniper, and a default route for the PPP connection.
    With this setup, I can do everything perfectly fine. I can access files and printers on each network from any PC, can access the Internet through the remote router, and so forth. I can even host a COD game on my work computer and the Linksys will handle the NAT mapping and forwarding perfectly.
    Alright. Now we got this new GT784WNV device, which was sent to us in an effort to correct a problem with the DSL service (unrelated; that was resolved with infrastructure changes, by moving us to another port on the card at the neighborhood switch). Having the modem in the same box simplifies some things, so even though I don't need it I would like to see if I can make it work.
    So I unplugged the linksys and westell, plugged the GT784WNV into the D-Link, gave it the IP address from the old Linksys, and added a route statement for my office network pointing to the juniper. Basically I just replaced the linksys and modem with the verizon box. I am able to ping the GT784WNV from my office PCs, and I can open a TELNET session to the device from that network as well. However I am not able to communicate with any Internet resources; I cannot ping anything or talk to any remote web servers or anything at all.
    My observation is that the GT784WNV is not forwarding packets from my office network. My assumption is that this is because it thinks the source IP addresses are not "local" and so the firewall rules in the device are preventing them from being serviced by the NAT module. I am basing this assumption on a couple of things, one is that some other people with other models have run into similar problems and have corrected it by unblocking the NAT module in the firewall rules (no such option in the GT784WNV), also I noticed that the routing table in the GT784WNV does not have options for "local" or "remote" so there is no way to explicitly flag that the office subnet is actually "local" (the routing works because the interface matches the LAN link, not because it knows the destination is "local").
    What I am looking for is a way to get at the firewall rules from the TELNET CLI and see if I can study and/or override the NAT restriction. Or, if there are some other alternatives that might solve the issue, that would be good too.
    Frankly, after examining some of the other features on this device, I do not believe it is going to be useful anyway. I do some other things with the DD-WRT firmware that I cannot replicate on this router, and so I suspect at this point that it is not going to be a viable replacement anyway. However, I am still interested in trying to get over this hurdle, and will take it from there. Otherwise it's going in the trash.

  • Natting of subnet ip address exist over wan

    I have a branch office having subnet 172.26.48.0/22; one IP from this subnet, say 172.26.48.100, is assigned to a server. Now our requirement is to access this
    server from outside, meaning from the internet. This branch office is connected through a leased line to the main office. Now the main office has a firewall and a local subnet
    in which the servers are, and they are NATted to be accessed over the internet. We tried to make it possible; we got a ping response from outside also, but latency gets stuck so that the
    firewall looks to be in hang mode, latency around 900 ms if NATting is done, otherwise 250-300 ms. What can we do? Any alternate approach is suggested.
    dig. attachment is there
    Regards,
    Rajat

    NO, I mean we get a normal response of 250-300 ms for the HQ to outside link ping response of 4.2.2.2, no branch included. If we NAT the branch IP mentioned above, suddenly latency gets high while pinging 4.2.2.2, so the firewall does not behave normally in this case.
    However, if we remove the NATting command from the firewall we still get latency; only after rebooting does it come back to normal.
    Second, is it possible or practical to NAT the IP of the branch office in the headquarters firewall? Is it suggested by Cisco?
    please help
    Regards,
    Rajat

  • How to nat subnets before establishing site to site ipsec vpn tunnel?

    Hello,
    Coming across a requirement which is new to me as I have not done this setup. Details as follows. Hope someone can help.
    Requirement: nat existing subnets to 192.168.50.0/24 subnet which is allowed at another firewall.
    Existing device: Cisco 5510 where I need to do this NAT.
    Existing scenario in short: I have created vlans on asa by creating sub interfaces.
    Changes done: added a new sub-interface for 192.168.50.0. Added a new object as 192.168.50.0. Now done with creation of an ACL where traffic from 192.168.50.0 to remote subnets is allowed. In the NAT object sections, done NATting 1 to 1, i.e. existing subnet to 192.168.50.0.
    Done ipsec vpn setup inc phase 1 & 2.
    Now tried to ping remote hosts but not reachable.
    Please advise how to make it work.
    I don't have any router next to the ASA 5510. The ASA is in routed mode. The next hop to the ASA is the ISP's mux.

    Hello. Please find my answers inline.
    I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.
    Answer: Thats correct.
    Later on it seems that you have configured this to some interface on the ASA?
    Answer: Yes, as I have defined VLANs on the ASA itself, i.e. other subnets too, i.e. the 10.x series & 192.168.222.x series. I used Ethernet 0/0 as the main interface for all LAN networks and have created sub-interfaces, i.e. VLANs, on it. Using a 3COM switch down to the ASA to terminate those VLANs & distribute to unmanaged switches. Due to port limitations on the ASA I have configured VLANs on the ASA itself. Ethernet 0/2 is my WAN interface, i.e. the ISP link terminates on the Eth 0/2 port.
    So are you attempting to NAT some other LAN networks to this single NAT network before the traffic heads to the L2L VPN connection on your ASA?
    Answer: Yes, that's right. Attempting to NAT multiple networks to a single NAT before traffic heads to the L2L VPN connecting from my ASA 5510 to the remote Citrix firewall.
    Can you then mention what are the source networks and source interfaces for these networks? What is the destination network at the remote end of the L2L VPN connection?
    Answer: Source networks = 10.100.x series & 192.168.222.x series / Destination networks are from the 192.168.228.x, 192.168.229.x series. The remote admin wants us to NAT our multiple subnets to a single subnet, i.e. 192.168.50.0, and then traffic from this subnet is allowed at the remote end.
    Do you want to just do a NAT Pool of the 192.168.50.0/24 network for all your Internet users OR does the remote end also have to be able to connect to some of your sites' hosts/servers?
    Answer: Yes, just want to NAT LAN subnets to 192.168.50.0/24 for all LAN users. 1-way access. I am going to access remote servers.
    The new thing for me is how to NAT multiple subnets. I have existing ipsec vpn's where I have added multiple subnets which is traditional set up for me. This requirement is new to me.
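An ASA 8.3+ way to do what this thread asks (several local VLANs PATed to one address in the assigned 192.168.50.0/24 before the L2L tunnel), as an added example that is neither the poster's configuration nor a reply from the thread. Assumed: the object and ACL names, `outside` as the WAN nameif, `any` to cover all the LAN sub-interfaces, and 192.168.50.1 as the mapped address; the separate sub-interface the poster created for 192.168.50.0 is not needed, since the address only has to exist as a NAT mapping.

```cisco
! Added example (not the poster's config), ASA 8.3+ manual ("twice") NAT syntax.
! Source networks from the thread; all names and 192.168.50.1 are assumptions.
object network LAN_10_100
 subnet 10.100.0.0 255.255.0.0
object network LAN_222
 subnet 192.168.222.0 255.255.255.0
object-group network LOCAL_LANS
 network-object object LAN_10_100
 network-object object LAN_222
!
! Destination networks behind the remote firewall (from the thread).
object network REMOTE_228
 subnet 192.168.228.0 255.255.255.0
object network REMOTE_229
 subnet 192.168.229.0 255.255.255.0
object-group network REMOTE_LANS
 network-object object REMOTE_228
 network-object object REMOTE_229
!
! Access is one-way, so a single PAT address is enough. A whole /24 pool would
! be dynamic NAT (one real IP per mapped IP) and can run out with a /16 behind it.
object network PAT_50
 host 192.168.50.1
!
! Manual NAT: any LAN source -> PAT_50, but only when the destination is one of
! the remote VPN subnets (destination kept unchanged). Line 1 puts it at the top
! of section 1 so it wins over any existing exempt/identity rules for these hosts.
nat (any,outside) 1 source dynamic LOCAL_LANS PAT_50 destination static REMOTE_LANS REMOTE_LANS
!
! Interesting traffic uses the translated source: NAT runs before the crypto map
! lookup. The whole assigned /24 is used so the proxy IDs match what the remote
! admin configured, even though only 192.168.50.1 will ever appear on the wire.
access-list VPN_TO_CITRIX extended permit ip 192.168.50.0 255.255.255.0 object-group REMOTE_LANS
! crypto map <your-map-name> <seq> match address VPN_TO_CITRIX
!
! Check from a LAN sub-interface (replace <lan-nameif>): the NAT phase should
! show the source mapped to 192.168.50.1 and the VPN phase should show ALLOW.
! packet-tracer input <lan-nameif> tcp 10.100.1.10 1025 192.168.228.10 443
```

If the remote side ever needs to initiate connections to local servers, a separate static manual NAT line per server (real host to a 192.168.50.x host) would be needed in addition to this one.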

  • Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL

    Hi all.
    we have following IPSec configuration:
    ASA Site 1:
    Cisco Adaptive Security Appliance Software Version 9.1(1)
    crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal PropAES256
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    crypto map CMVPN 5 match address SITE_2
    crypto map CMVPN 5 set peer IP_SITE2
    crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
    crypto map CMVPN interface OUTSIDE
    route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
    route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
    tunnel-group IP_SITE2 type ipsec-l2l
    tunnel-group IP_SITE2 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE2 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    ASA Site 2:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 set peer IP_SITE1
    crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
    crypto map CMVPN 10 set reverse-route
    crypto map CMVPN interface OUTSIDE
    tunnel-group IP_SITE1 type ipsec-l2l
    tunnel-group IP_SITE1 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE1 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    We are not able to reach from 172.22.20.x ips 172.27.99.x.
    It seems that the phase 2 for this subnet is missing... as long as we try to reach from 172.27.99.x any IP in 172.22.20.x.
    We are using a similar configuration on many sites and it works correctly except on sites with a DSL line.
    We can exclude a problem with NAT, ACL or routing. The connection is working fine as long as "we open all phase 2 manually". After the tunnel is re-opened (idle timeout) the problem comes back.
    Thanks in advance for your help.
    Regards.
    Jan
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (3)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (3)SHA1
    Bytes Tx     : 423634                 Bytes Rx     : 450526
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 1h:50m:45s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 3
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 79756 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22156 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607648 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 312546                 Bytes Rx     : 361444
      Pkts Tx      : 3745                   Pkts Rx      : 3785
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22165 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607952 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 50014                  Bytes Rx     : 44621
      Pkts Tx      : 496                    Pkts Rx      : 503
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22324 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607941 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 61074                  Bytes Rx     : 44461
      Pkts Tx      : 402                    Pkts Rx      : 437
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 6648 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :
    ... after a ping from 172.27.99.x to any IP in 172.22.20.x.
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (4)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (4)SHA1
    Bytes Tx     : 784455                 Bytes Rx     : 1808965
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 2h:10m:48s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 4
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 78553 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20953 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4606335 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 652492                 Bytes Rx     : 1705136
      Pkts Tx      : 7419                   Pkts Rx      : 7611
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20962 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607942 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 60128                  Bytes Rx     : 52359
      Pkts Tx      : 587                    Pkts Rx      : 594
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 21121 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607931 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 70949                  Bytes Rx     : 50684
      Pkts Tx      : 475                    Pkts Rx      : 514
    IPsec:
      Tunnel ID    : 3058.5
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28767 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 961                    Bytes Rx     : 871
      Pkts Tx      : 17                     Pkts Rx      : 14
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 7852 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :
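To make the two listings above easier to compare, here is a small parser (an added example, not part of Jan's post) that pulls each IPsec SA's Tunnel ID, local and remote proxy identities and packet counters out of `show vpn-sessiondb detail l2l` output and reports which SA, if any, already covers a flow. SAMPLE is a trimmed copy of the first listing, so a flow from 172.22.20.x to 172.27.99.x finds no SA, which is consistent with 3058.5 (172.22.0.0/16 to 172.27.99.0/24) appearing only in the second listing, after the ping.

```python
"""Parse 'show vpn-sessiondb detail l2l' output into its IPsec SAs and find the SA
that carries a given flow.  Added example, not from the thread; SAMPLE is a trimmed
copy of the first listing in the post."""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE = """\
Session Type: LAN-to-LAN Detailed
IKEv2 Tunnels: 1
IPsec Tunnels: 3
IKEv2:
  Tunnel ID    : 3058.1
  Encryption   : AES256                 Hashing      : SHA512
IPsec:
  Tunnel ID    : 3058.2
  Local Addr   : 172.22.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
  Pkts Tx      : 3745                   Pkts Rx      : 3785
IPsec:
  Tunnel ID    : 3058.3
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
  Pkts Tx      : 496                    Pkts Rx      : 503
IPsec:
  Tunnel ID    : 3058.4
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.99.0/255.255.255.0/0/0
  Pkts Tx      : 402                    Pkts Rx      : 437
NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
"""


@dataclass
class IpsecSa:
    tunnel_id: str
    local: ipaddress.IPv4Network     # proxy identity on this ASA's side
    remote: ipaddress.IPv4Network    # proxy identity on the peer's side
    pkts_tx: int
    pkts_rx: int


def proxy_to_network(field):
    """'172.22.0.0/255.255.0.0/0/0' -> IPv4Network; trailing protocol/port fields are dropped."""
    ip, mask, _proto, _port = field.split("/")
    return ipaddress.IPv4Network(f"{ip}/{mask}")


def split_sections(text):
    """Yield (name, body_lines) for each 'Name:' header line (IKEv2:, IPsec:, NAC:)."""
    name, body = None, []
    for line in text.splitlines():
        m = re.fullmatch(r"([A-Za-z0-9]+):", line.strip())
        if m:
            if name is not None:
                yield name, body
            name, body = m.group(1), []
        elif name is not None:
            body.append(line)
    if name is not None:
        yield name, body


def _field(block, key, pattern=r"\S+"):
    """Value of 'Key : value' inside a section block, or None when absent."""
    m = re.search(rf"{re.escape(key)}\s*:\s*({pattern})", block)
    return m.group(1) if m else None


def parse_ipsec_sas(text):
    sas = []
    for name, body in split_sections(text):
        if name != "IPsec":
            continue
        block = "\n".join(body)
        sas.append(IpsecSa(
            tunnel_id=_field(block, "Tunnel ID"),
            local=proxy_to_network(_field(block, "Local Addr")),
            remote=proxy_to_network(_field(block, "Remote Addr")),
            pkts_tx=int(_field(block, "Pkts Tx", r"\d+") or 0),
            pkts_rx=int(_field(block, "Pkts Rx", r"\d+") or 0)))
    return sas


def find_sa(sas, src, dst):
    """SA whose proxies cover an outbound flow src (local side) -> dst (remote side),
    in listing order; None means the flow would first need a new child SA."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for sa in sas:
        if s in sa.local and d in sa.remote:
            return sa
    return None


if __name__ == "__main__":
    sas = parse_ipsec_sas(SAMPLE)
    for sa in sas:
        print(f"{sa.tunnel_id}: {sa.local} <-> {sa.remote}  tx={sa.pkts_tx} rx={sa.pkts_rx}")
    hit = find_sa(sas, "172.22.20.5", "172.27.99.10")
    print("172.22.20.5 -> 172.27.99.10 covered by:", hit.tunnel_id if hit else "no existing SA")
```

Run it against the full output of either listing to get a per-SA table; comparing the `find_sa` result before and after a test ping is a quick way to confirm that a new child SA was negotiated for the proxy pair you expected.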

  • Cisco ASA 5505 IPSEC, one endpoint behind NAT device

    We have two Cisco ASA 5505 devices.
    Both are identical, however, one of them is behind a NAT device.
    We are attempting to create an IPSEC network.
    Site fg:
    <ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
    ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
    Site be:
    <ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
    ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
    USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
    USG1: UDP port 500/4500 forwarded to 192.168.4.50
    It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
    We verified / attempted the following:
    - NAT exemption on both sides for IPsec subnets
    - Mirror image crypto maps
    - Disabled IKE peer ID validation (yes, pre-shared key, but we ran out of ideas)
    - Toggled between static and dynamic crypto maps on ASA1
    Most search results referred to incorrect crypto map settings or the lack of NAT exemption.
    Does anyone have any idea?
    195.txt contains the show running-config of ASA3
    212.txt contains the show running-config of ASA1
    log.txt contains a somewhat complete log snippet from ASA1

    Hi,
    on 212 I see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with a matching ACL and proposals.
    If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.
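The rejection in the log above is a proxy-identity mismatch: the peer proposed 192.168.4.50/32 (ASA3's private outside address) against ASA1's own /32, so no subnet-to-subnet crypto ACL line can match it. The following added example (not from the thread) parses crypto ACL lines, checks that the two sides are mirror images of each other, and pulls the proxy pair out of a rejection line to test it against the ACL. The ACL names L2L-BE/L2L-FG, the peer address 203.0.113.9 and ASA1's address 203.0.113.5 are constructed stand-ins for the masked values in the post.

```python
"""Check a crypto ACL pair for mirror-image consistency and explain a
'no matching crypto map entry for remote proxy ... local proxy ...' rejection.
Added example, not from the thread.  The ACLs below are constructed from the
subnets in the post (10.1.1.0/24 at site fg, 10.1.4.0/24 at site be); the
public addresses 203.0.113.5 / 203.0.113.9 are placeholders for the values the
post masks as 212.xxx.xxx.xxx / 195.xxx.xxx.xxx."""
import ipaddress
import re


def _network(tokens, i):
    """Read 'host A' or 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(lines):
    """'access-list NAME extended permit ip LOCAL MASK REMOTE MASK' -> [(local, remote), ...]"""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 9 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        local, i = _network(t, 5)
        remote, _ = _network(t, i)
        entries.append((local, remote))
    return entries


def is_mirror_image(acl_a, acl_b):
    """True when every (local, remote) line on one side is (remote, local) on the other."""
    return set(acl_a) == {(remote, local) for local, remote in acl_b}


def matching_entry(acl, local_proxy, remote_proxy):
    """First crypto ACL line that contains both proposed proxy identities, else None.
    Simplification: real IKE matching is stricter about the exact proxy sizes."""
    lp = ipaddress.IPv4Network(str(local_proxy))
    rp = ipaddress.IPv4Network(str(remote_proxy))
    for local, remote in acl:
        if lp.subnet_of(local) and rp.subnet_of(remote):
            return local, remote
    return None


PROXY_RE = re.compile(r"remote proxy (\S+?)/(\S+?)/\d+/\d+ local proxy (\S+?)/(\S+?)/\d+/\d+")


def explain_rejection(acl, log_line):
    """Pull the proxy pair out of the ASA log line and test it against our crypto ACL."""
    m = PROXY_RE.search(log_line)
    if not m:
        return None
    remote = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
    local = ipaddress.IPv4Network(f"{m.group(3)}/{m.group(4)}")
    return {
        "remote_proxy": remote,
        "local_proxy": local,
        "matched": matching_entry(acl, local, remote),
        # Two /32s that are the gateways' own addresses: the peer proposed its
        # outside address, not a protected subnet, so no subnet line can match.
        "host_to_host": local.prefixlen == 32 and remote.prefixlen == 32,
    }


# Constructed crypto ACLs for the two sites in the post.
ASA1_ACL = parse_crypto_acl([
    "access-list L2L-BE extended permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0",
])
ASA3_ACL = parse_crypto_acl([
    "access-list L2L-FG extended permit ip 10.1.4.0 255.255.255.0 10.1.1.0 255.255.255.0",
])
# Constructed log line in the shape of the post's, with placeholder public IPs.
REJECT_LOG = ("Group = 203.0.113.9, IP = 203.0.113.9, Rejecting IPSec tunnel: no matching "
              "crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 "
              "local proxy 203.0.113.5/255.255.255.255/0/0 on interface outside")

if __name__ == "__main__":
    print("mirror image:", is_mirror_image(ASA1_ACL, ASA3_ACL))
    print(explain_rejection(ASA1_ACL, REJECT_LOG))
```

When `host_to_host` is reported together with `matched: None`, the crypto ACLs themselves are not the problem; what reached ASA1 was a phase 2 proposal for the gateway addresses, which is the symptom to chase on the ASA3/USG1 side rather than by rewriting ASA1's crypto map.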

  • Problems getting static NAT to work between two internal lans

    Hi, I'm trying the old problem of routing between two internal LANs. This is on CLI 8.6(1)2. I have three interfaces/LANs; outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic between office and inside. There's a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static NATs are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the NAT policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.
    Manual NAT Policies (Section 1)
    1 (office) to (inside) source static inside-office inside-office   destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 3
    2 (inside) to (office) source static inside-ld5 inside-ld5   destination static inside-office inside-office no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 0
    interface GigabitEthernet0/0
    nameif inside-ld5
    security-level 100
    ip address 10.20.15.2 255.255.255.0
    interface GigabitEthernet0/6
    nameif office
    security-level 100
    ip address 10.20.11.9 255.255.255.0
    object network inside-ld5
    subnet 10.20.15.0 255.255.255.0
    object network inside-office
    subnet 10.20.11.0 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
    nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup

    Hi Kevin,
    because your interfaces inside and office are at the same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between these interfaces. So I think you don't need NAT between these two subnets if there is no other reason to do so.
    Then you just configure an ACL which will permit the traffic you want between these LANs. In this case both networks are directly connected, so routing should work (instead of NAT).
    Best Regards,
    Jan

  • Static NAT - VPN - Internet Access

    Does anyone know how to configure the following?
    1.  A static NAT from an inside IP address to another inside IP address (not a physical subnet).
    2.  The traffic statically NATted in step 1 needs to go into a VPN tunnel and at the same time have internet access.
    My router just has two interfaces, a WAN and a LAN.
    I just created the VPN, the static NAT and the PAT for the other users of the subnet to have internet access, but the statically NATted traffic just goes over the IPsec tunnel and cannot get internet access.
    I tried to apply a route map after the static nat command, but since I do not have a physical interface in the same subnet where I am translating, the route-map is not applied to the static nat command.
    In an extract:
    LAN traffic (specific server) --->> static nat to an inside, not real subnet --->> traffic goes over the tunnel (OK), but no internet access.
    BTW, I need to configure the NAT before the IPsec tunnel because both LAN subnets of the IPsec tunnel endpoints are the same.

    Why do you need an inside host to be natted to another inside IP address?
    You need to configure a "no nat" policy, for the internet traffic.

  • Anyconnect VPN peers cannot ping, RDP each other

    I have an ASA5505 running ASA 8.3(1) and ASDM 7.1(1). I have a remote access VPN set up and the remote access users are able to log in and access LAN resources. I can ping the VPN peers from the remote LAN. My problem is that the VPN peers cannot ping (RDP, etc.) each other. Pinging one VPN peer from another reveals the following error in the ASA log.
    Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.10.8 dst outside:10.10.10.9 (type 8, code 0) denied due to NAT reverse path failure. 
    Below is my ASA running-config:
    ASA Version 8.3(1)
    hostname ciscoasa
    domain-name dental.local
    enable password 9ddwXcOYB3k84G8Q encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 192.168.1.128
    domain-name dental.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network RAVPN
    subnet 10.10.10.0 255.255.255.0
    object network NETWORK_OBJ_10.10.10.0_28
    subnet 10.10.10.0 255.255.255.240
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    access-list Local_LAN_Access remark VPN client local LAN access
    access-list Local_LAN_Access standard permit host 0.0.0.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list VpnPeers remark allow vpn peers to ping each other
    access-list VpnPeers extended permit ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28
    pager lines 24
    logging enable
    logging asdm informational
    logging mail informational
    logging from-address [email protected]
    logging recipient-address [email protected] level informational
    logging rate-limit 1 600 level 6
    mtu outside 1500
    mtu inside 1500
    ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static any any destination static RAVPN RAVPN
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
    object network obj_any
    nat (inside,outside) dynamic interface
    object network RAVPN
    nat (any,outside) dynamic interface
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    crl configure
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=ciscoasa
    keypair billvpnkey
    proxy-ldc-issuer
    crl configure
    crypto ca server
    cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl
    issuer-name CN=ciscoasa
    smtp from-address admin@ciscoasa
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate ca 01
       **hidden**
      quit
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 10bdec50
        **hidden**
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet 192.168.1.1 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd address 192.168.1.50-192.168.1.99 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
    svc profiles DellStudioClientProfile disk0:/dellstudioclientprofile.xml
    svc enable
    tunnel-group-list enable
    internal-password enable
    smart-tunnel list SmartTunnelList RDP mstsc.exe platform windows
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.1.128
    vpn-tunnel-protocol l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    default-domain value dental.local
    webvpn
      svc modules value vpngina
    group-policy DefaultRAGroup_1 internal
    group-policy DefaultRAGroup_1 attributes
    dns-server value 192.168.1.128
    vpn-tunnel-protocol l2tp-ipsec
    default-domain value dental.local
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.1.128
    vpn-simultaneous-logins 4
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-lock value RAVPN
    split-tunnel-network-list value Local_LAN_Access
    default-domain value dental.local
    webvpn
      url-list value DentalMarks
      svc modules value vpngina
      svc profiles value dellstudio type user
      svc ask enable default webvpn
      smart-tunnel enable SmartTunnelList
    username wketchel1 password 5c5OoeNtCiX6lGih encrypted
    username wketchel1 attributes
    vpn-group-policy DfltGrpPolicy
    webvpn
      svc profiles value DellStudioClientProfile type user
    username wketchel password 5c5OoeNtCiX6lGih encrypted privilege 15
    username wketchel attributes
    vpn-group-policy DfltGrpPolicy
    webvpn
      svc modules none
      svc profiles value DellStudioClientProfile type user
    username jenniferk password 5.TcqIFN/4yw0Vq1 encrypted privilege 0
    username jenniferk attributes
    vpn-group-policy DfltGrpPolicy
    webvpn
      svc profiles value DellStudioClientProfile type user
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPNPool
    authorization-server-group LOCAL
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    authentication eap-proxy
    tunnel-group RAVPN type remote-access
    tunnel-group RAVPN general-attributes
    address-pool VPNPool
    authorization-server-group LOCAL
    tunnel-group RAVPN webvpn-attributes
    group-alias RAVPN enable
    tunnel-group RAVPN ipsec-attributes
    pre-shared-key *****
    tunnel-group RAVPN ppp-attributes
    authentication pap
    authentication ms-chap-v2
    authentication eap-proxy
    tunnel-group WebSSLVPN type remote-access
    tunnel-group WebSSLVPN webvpn-attributes
    group-alias WebSSLVPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    smtp-server 173.194.64.108
    prompt hostname context
    hpm topN enable
    Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
    : end

    Hi,
    Seems to me that you could clean up the current NAT configuration a bit and make it a bit clearer.
    I would suggest the following changes
    object network VPN-POOL
    subnet 10.10.10.0 255.255.255.0
    object network LAN
    subnet 192.168.1.0 255.255.255.0
    object-group network PAT-SOURCE
    network-object 192.168.1.0 255.255.255.0
    network-object 10.10.10.0 255.255.255.0
    nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
    nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
    nat (any,outside) after-auto source dynamic PAT-SOURCE interface
    The above should enable
    Dynamic PAT for LAN and VPN users
    NAT0 for the traffic between LAN and VPN
    NAT0 for traffic between VPN users
    You could then remove the previous NAT configurations. Naturally, please do back up the configuration before making the change in case you wish to move back to the original configuration.
    no nat (inside,any) source static any any destination static RAVPN RAVPN
    no nat  (inside,outside) source static NETWORK_OBJ_192.168.1.0_24  NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28  NETWORK_OBJ_10.10.10.0_28
    no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
    no object network obj_any
    no object network RAVPN
    In the event that you don't want to change the configuration that much, you might be fine just by adding this
    object network VPN-POOL
    subnet 10.10.10.0 255.255.255.0
    nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
    But the other configuration changes above would make the current NAT configuration simpler and clearer, so that each "nat" configuration's purpose is easy to see.
    - Jouni
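To see why Jouni's `nat (outside,outside)` line fixes the "Asymmetric NAT rules matched" failure, here is a simplified, added model (not Cisco's implementation and not code from the thread) of the ASA NAT lookup order and reverse-path check, fed with the rules from the running-config above and with Jouni's replacement. It models only identity and `dynamic interface` translations, ignores the finer ordering within section 2, and uses 203.0.113.10 as a constructed stand-in for the DHCP-assigned outside address.

```python
"""Simplified model of the ASA NAT lookup (section 1, 2, 3 order) and of its
reverse-path check, used to compare the NAT rules in the running-config above
with Jouni's replacement.  Added example, not Cisco's algorithm: it only models
identity and 'dynamic interface' (PAT) translations and ignores the finer
ordering inside section 2.  203.0.113.10 is a constructed stand-in for the
DHCP-assigned outside address."""
import ipaddress
from dataclasses import dataclass


def net(s):
    return ipaddress.IPv4Network(s, strict=False)


ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int          # 1 = manual, 2 = object (auto), 3 = manual after-auto
    ingress: str          # interface name or "any"
    egress: str
    src_real: tuple       # one or more IPv4Network (object-group style)
    src_mapped: str       # "identity" or "interface"
    dst_real: ipaddress.IPv4Network = ANY
    dst_mapped: str = "identity"

    def _ifaces(self, in_if, out_if):
        return self.ingress in ("any", in_if) and self.egress in ("any", out_if)

    def matches(self, in_if, out_if, src, dst):
        """Forward match: a new packet with real addresses entering in_if for out_if."""
        return (self._ifaces(in_if, out_if)
                and any(src in n for n in self.src_real) and dst in self.dst_real)

    def matches_mapped(self, in_if, out_if, m_src, m_dst, iface_ips):
        """Reverse match: the rule's mapped addresses as seen from the return packet."""
        if not self._ifaces(in_if, out_if):
            return False
        if self.src_mapped == "identity":
            src_ok = any(m_src in n for n in self.src_real)
        else:
            src_ok = m_src == iface_ips[out_if]
        return src_ok and m_dst in self.dst_real


def ordered(rules):
    return sorted(rules, key=lambda r: r.section)   # stable: listing order inside a section


def translate(addr, mapped, iface_ip):
    return addr if mapped == "identity" else iface_ip


def check_flow(rules, in_if, out_if, src, dst, iface_ips):
    """Return (symmetric, forward_rule, reverse_rule) for src -> dst entering in_if.
    symmetric=False is the situation the 'Asymmetric NAT rules matched' log reports."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    fwd = next((r for r in ordered(rules) if r.matches(in_if, out_if, src, dst)), None)
    m_src = translate(src, fwd.src_mapped, iface_ips[out_if]) if fwd else src
    m_dst = translate(dst, fwd.dst_mapped, iface_ips[out_if]) if fwd else dst
    # The reply enters out_if carrying the mapped pair, swapped.
    for r in ordered(rules):
        if r.matches(out_if, in_if, m_dst, m_src):
            # Some rule grabs the reply as a fresh translation of its own.
            u_src = translate(m_dst, r.src_mapped, iface_ips[in_if])
            u_dst = translate(m_src, r.dst_mapped, iface_ips[in_if])
            return (u_src, u_dst) == (dst, src), fwd, r
        if r.matches_mapped(in_if, out_if, m_src, m_dst, iface_ips):
            # The reply is untranslated through r's existing xlate.
            u_src = m_dst if r.dst_mapped == "identity" else dst
            u_dst = m_src if r.src_mapped == "identity" else src
            return (u_src, u_dst) == (dst, src), fwd, r
    return (m_dst, m_src) == (dst, src), fwd, None


POOL, POOL28, LAN = net("10.10.10.0/24"), net("10.10.10.0/28"), net("192.168.1.0/24")
IFACE_IPS = {"outside": ipaddress.IPv4Address("203.0.113.10"),   # constructed stand-in
             "inside": ipaddress.IPv4Address("192.168.1.1")}

ORIGINAL = [   # the running-config above, in its 'show nat' order
    NatRule("nat (inside,any) any->RAVPN", 1, "inside", "any", (ANY,), "identity", POOL),
    NatRule("nat (inside,outside) LAN->pool/28", 1, "inside", "outside", (LAN,), "identity", POOL28),
    NatRule("nat (inside,outside) any->pool/28", 1, "inside", "outside", (ANY,), "identity", POOL28),
    NatRule("object obj_any PAT", 2, "inside", "outside", (ANY,), "interface"),
    NatRule("object RAVPN PAT", 2, "any", "outside", (POOL,), "interface"),
]
JOUNI = [      # Jouni's three rules
    NatRule("nat (outside,outside) pool<->pool", 1, "outside", "outside", (POOL,), "identity", POOL),
    NatRule("nat (inside,outside) LAN<->pool", 1, "inside", "outside", (LAN,), "identity", POOL),
    NatRule("after-auto PAT-SOURCE", 3, "any", "outside", (LAN, POOL), "interface"),
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("jouni", JOUNI)):
        ok, f, r = check_flow(rules, "outside", "outside", "10.10.10.8", "10.10.10.9", IFACE_IPS)
        print(f"{label}: peer->peer symmetric={ok} fwd={f.name if f else None} "
              f"rev={r.name if r else None}")
```

In the original rule set every section 1 line requires ingress `inside`, so the only rule an outside-to-outside packet can hit is the object RAVPN PAT, which translates whichever peer happens to be the source; forward and reply therefore disagree about both addresses. Jouni's `(outside,outside)` identity line sits in section 1 and is chosen in both directions, while VPN-to-internet traffic still falls through to the after-auto PAT.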

  • How to enable NAT on Time Capsule

    Ultimate Objective: Enable the "Back to my Mac" feature. In order to do so, NAT has to be enabled on my Time Capsule whose current "Connection Sharing" is set to "Bridge Mode".
    Here's the initial configuration
    TC>Internet> Internet Connection
    -Connect using: Ethernet
    -Connection Sharing: Off (Bridge Mode)
    TC>Internet>TCP/IP tab
    -Configure IPv4: Using DHCP
    -IP address: 192.16.1.33
    -Subnet Mask: 255.255.255.0
    -Router Address: 192.168.1.1
    -DNS Server: 192.16.1.1
    The TC is ethernet connected to a Zyxel modem/router.
    Try #1
    When changing "Connection Sharing" from
    "Bridge Mode"
    to
    "Share a public address",
    I receive a message indicating 2 problems:
    "DHCP Beginning Address.192.168.1.2
    DHCP Ending Address. 192.168.1.200
    "The DHCP range you have entered conflicts with the WAN IP address of your Airport Wireless device."
    Try #2
    I update the DHCP Beginning Address to 192.168.1.34 and click on "Update".
    I get the same error message:"The DHCP range you have entered conflicts with the WAN IP address of your Airport Wireless device."
    Try #3
    Correct me if I'm wrong, but in "Bridge Mode", the TC simply acts as a "slave" and gets all its DNS and DHCP information straight from the router. So I'm thinking I should change the configuration on the "Zyxel 1 port modem/router". The modem/router DHCP setup is currently set to "Server". Other available DHCP options are:
    -None
    -Relay
    When setting it to "Relay", I get an error message. I therefore set it to "None".
    Back to the TC, I change "Connection Sharing" from
    "Bridge Mode"
    to
    "Share a public address" once again, and receive the same error message as before: "The DHCP range you have entered conflicts with the WAN IP address of your Airport Wireless device."
    As you will have noticed, I don't know what I'm doing here. If some of you can point me to a tutorial so I can better understand what's going on, that'd be great.
    For those of you who managed to read this message up to this point, well thanks a lot for your patience. If you can point me in the right direction, it'll be even better.

    Welcome to the discussions!
    From your description, the Zyxel device is a "gateway". That is, it is combination modem and router in one enclosure, probably wired as one single device, not a separate modem and router.
    If you add the Time Capsule to the mix, you now have two routers in series. Can't do that... you only want one device to provide DHCP and NAT services, not two.
    Any other router(s) after the main router must be setup as "bridges" to allow the main router to control DHCP and NAT services. So, the correct setting for the Time Capsule in your network is "bridge mode".
    I understand the "catch" here, and that is that the Time Capsule does not provide NAT service when it is setup in "bridge mode" because DHCP and NAT are turned off.
    If you want to use Back to My Mac, you need to make the Time Capsule the "main router" handling DHCP and NAT. I do not know if you could configure the Zyxel device to function as a simple modem, but that's what you need. It sounds like you have tried the available options and based on that info, I would conclude that it cannot function as a simple modem only. If that's the case, then your only other option is to replace the Zyxel gateway with a simple modem.
    Only then can the Time Capsule be configured to "Share a public IP address", which enables DHCP and NAT on the device.

  • I have XP on one machine and 7 on the other. Firefox 8 works perfectly on XP but my other machine is a disaster. I cannot access the add-ons at all and everything is gone: too many tabs, Roboform, whatever?

    It seems that the upgrade has destroyed the entire firefox experience. What is also strange is that the desktop image is coming through the top of the Firefox page.

    Jon already touched on this, but to use your "new" network, without NAT, the subnet needs to be "known".
    With NAT, you can place multiple hosts behind one (or several) IPs on your existing subnet.  I.e. your new subnet doesn't need to be known.  (In fact, you could use any subnet you want.)
    The reason the Linksys worked well yet the 2600 did not: "Enterprise" class routers generally don't handle PAT as well as many consumer class routers.  (NB: True NAT would probably work just fine, but what you need is to overload an IP, i.e. PAT).  So, many applications won't work.  (NB: I believe newer IOS versions do better, though.)
    Many small Cisco Enterprise class routers, especially those from two generations ago, were designed for "slow" WAN links, like single T1s or partial T1s, or perhaps for a few Mbps DSL.  If your link has more bandwidth, the router may not have the performance to support it effectively.

  • Transparent DMZ NAT?

    Hello, 
    I am trying to convert the pre-8.3 config to 9.2 and the configuration on our old firewall makes no sense to me. Would someone explain what is going on here?
    Basically the configuration is pretty basic. 1 outside interface and 2 DMZ interfaces. olddmz and newdmz
    interface GigabitEthernet0/0
     description outside
     speed 1000
     duplex full
     nameif outside
     security-level 0
     ip address x.x.6.243 255.255.255.248 standby x.x.6.244
    interface GigabitEthernet0/2
     description legacy prod
     speed 1000
     duplex full
     nameif olddmz
     security-level 50
     ip address x.x.9.65 255.255.255.240 standby x.x.9.66
    interface GigabitEthernet1/1
     description new prod
     speed 1000
     duplex full
     nameif newdmz
     security-level 50
     ip address x.x.33.163 255.255.255.224 standby x.x.33.164
    global (outside) 1 x.x.6.245 netmask 255.255.255.248
    static (olddmz,outside) x.x.9.64 x.x.9.64 netmask 255.255.255.240
    access-group OUTSIDE in interface outside
    access-group OLDDMZ in interface olddmz
    route outside 0.0.0.0 0.0.0.0 x.x.6.241 1
    There are no other NAT-related entries anywhere, and devices on the DMZ interfaces are routed transparently with their DMZ subnet IP addresses to the outside. I also do not see a single mention of newdmz being routed or NATed in any way... How does that work?
    How do I achieve this with a post-8.3 configuration? Either I am missing something fundamental, or I do not see a way to NAT an entire subnet to the outside.
    nat (olddmz,outside) static X.X.X.X
    does not allow me to add the entire subnet. Do I need to manually specify each NAT object?
    Thank you

    First off, do you only have public IPs on your olddmz and newdmz networks?  If so you do not need NAT on your firewall.  Previously, in versions earlier than 8.2, you were required to use NAT to allow traffic through the ASA/PIX; that was removed completely in version 8.4.  So unless you have a private IP address space that should be NATed for internet access, NAT is not needed.
    But to answer your question
    How do I achieve this with a post-8.3 configuration? Either I am missing something fundamental, or I do not see a way to NAT an entire subnet to the outside. 
    nat (olddmz,outside) static X.X.X.X
    This configuration would translate to the following:
    object network IP1
      subnet x.x.9.64 255.255.255.240
    object network IP2
      subnet x.x.9.64 255.255.255.240
      nat (olddmz,outside) static IP1
    Please remember to select a correct answer and rate helpful posts
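    The answer above shows the two-object form for a single identity static. As an added example (not code from this thread, from Cisco, or from the ASA migration tool), the script below applies that same rewrite to a whole pre-8.3 NAT section: identity `static` lines (the olddmz case), one-to-one `static` lines where mapped and real differ (the shape you would use to hide a conflicting subnet), and `nat`/`global` pairs for dynamic PAT. The `obj-<address>-<prefix>` naming is an assumption modelled on the migration tool's style, the sample config is constructed with RFC 5737 addresses in place of the thread's `x.x`, and anything the script does not recognise (port statics, `nat 0` exemptions) is reported for hand conversion rather than guessed.

```python
"""Rewrite pre-8.3 Cisco ASA NAT statements as post-8.3 network-object NAT.

Added example, not code from the thread or from Cisco.  It covers the three
shapes discussed above: identity `static` (the olddmz case), one-to-one
`static` with mapped != real (the shape used to hide an overlapping subnet),
and `nat`/`global` dynamic PAT.  Anything else is reported in `notes`, never
guessed.  Pre-8.3 order is `static (real_ifc,mapped_ifc) MAPPED REAL netmask M`.
"""
import ipaddress
import re

STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w.-]+),(?P<map_if>[\w.-]+)\)\s+"
    r"(?P<mapped>[\d.]+)\s+(?P<real>[\d.]+)(?:\s+netmask\s+(?P<mask>[\d.]+))?$")
NAT_RE = re.compile(
    r"^nat\s+\((?P<real_if>[\w.-]+)\)\s+(?P<id>\d+)\s+(?P<net>\S+)(?:\s+(?P<mask>\S+))?$")
GLOBAL_RE = re.compile(
    r"^global\s+\((?P<map_if>[\w.-]+)\)\s+(?P<id>\d+)\s+(?P<addr>\S+)(?:\s+netmask\s+[\d.]+)?$")
HOST = "255.255.255.255"


def _norm(addr):
    """Pre-8.3 accepts a bare `0` for 0.0.0.0 in nat statements."""
    return "0.0.0.0" if addr == "0" else addr


def _name(addr, mask, used):
    """obj-<addr>[-<prefixlen>], an assumed naming style modelled on the 8.3
    migration, made unique because one network object carries only one nat line."""
    if addr == "0.0.0.0" and mask == "0.0.0.0":
        base = "obj_any"
    elif mask == HOST or "-" in addr:
        base = f"obj-{addr}"
    else:
        base = f"obj-{addr}-{ipaddress.IPv4Network((addr, mask), strict=False).prefixlen}"
    name, n = base, 1
    while name in used:
        name, n = f"{base}-{n:02d}", n + 1
    used.add(name)
    return name


def _obj(name, addr, mask):
    """One `object network` block: host, range (a-b) or subnet."""
    if "-" in addr:
        body = " range " + addr.replace("-", " ")
    elif mask == HOST:
        body = f" host {addr}"
    else:
        body = f" subnet {addr} {mask}"
    return [f"object network {name}", body]


def convert(pre83_text):
    """Return (lines, notes): post-8.3 NAT config plus items needing hand review."""
    out, notes, used, nat_by_id, global_by_id = [], [], set(), {}, {}
    for line in (raw.strip() for raw in pre83_text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if m := STATIC_RE.match(line):
            mask = m["mask"] or HOST
            real_name = _name(m["real"], mask, used)
            mapped_name = _name(m["mapped"], mask, used)  # identity NAT: same net, -01 suffix
            out += _obj(mapped_name, m["mapped"], mask)    # mapped object must exist first
            out += _obj(real_name, m["real"], mask)
            out.append(f" nat ({m['real_if']},{m['map_if']}) static {mapped_name}")
        elif m := NAT_RE.match(line):
            if m["id"] == "0":   # identity NAT / exemption: needs twice NAT, hand-write it
                notes.append(f"{line}: rewrite as `nat (a,b) source static X X "
                             "[destination static Y Y]`; not converted")
            else:
                nat_by_id.setdefault(m["id"], []).append(
                    (m["real_if"], _norm(m["net"]), _norm(m["mask"] or HOST)))
        elif m := GLOBAL_RE.match(line):
            global_by_id.setdefault(m["id"], []).append((m["map_if"], m["addr"]))
        elif line.split()[0] in ("static", "nat", "global"):
            notes.append(f"{line}: form not recognised; convert by hand")
        # interfaces, ACLs and routes carry over unchanged and are not echoed here
    for nat_id, reals in nat_by_id.items():
        if nat_id not in global_by_id:
            notes.append(f"nat id {nat_id} has no global; nothing emitted")
            continue
        for map_if, addr in global_by_id[nat_id]:
            if addr == "interface":
                mapped_ref = "interface"
            else:   # single host -> the ASA does PAT; a-b range -> dynamic NAT pool
                mapped_ref = _name(addr, HOST, used)
                out += _obj(mapped_ref, addr, HOST)
            for real_if, net, mask in reals:
                out += _obj(_name(net, mask, used), net, mask)
                out.append(f" nat ({real_if},{map_if}) dynamic {mapped_ref}")
    for nat_id in sorted(global_by_id.keys() - nat_by_id.keys()):
        notes.append(f"global id {nat_id} has no matching nat statement (as in the thread); dropped")
    return out, notes


# Constructed sample modelled on the thread, RFC 5737 addresses in place of x.x
SAMPLE_PRE83 = """\
global (outside) 1 198.51.100.245 netmask 255.255.255.248
static (olddmz,outside) 203.0.113.64 203.0.113.64 netmask 255.255.255.240
static (inside,outside) 192.0.2.0 10.99.0.0 netmask 255.255.255.0
nat (inside) 2 10.241.105.0 255.255.255.128
global (outside) 2 interface
nat (inside) 0 access-list NONAT
"""

if __name__ == "__main__":
    lines, notes = convert(SAMPLE_PRE83)
    print("\n".join(lines))
    print("\n".join("! REVIEW: " + n for n in notes))
```

    Two things to check after pasting the output into a 9.x box. First, the orphaned `global (outside) 1` from the thread is reported rather than converted, because with no `nat (…) 1` statement it never translated anything; the answer's point stands, a public DMZ subnet needs no NAT once NAT control is gone. Second, from 8.3 onward the interface access-lists match on the real (untranslated) address, so an ACL that previously permitted traffic to a mapped address has to be rewritten to the real one even where the NAT itself converts cleanly.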

  • NAT remote sites IP LAN 2 LAN

    I have a dilemma. We have a LAN 2 LAN with a remote site and I need to somehow NAT their subnet with an address pool on my side so I can route this traffic elsewhere, where there is a conflicting network. I have an ASA 5510 on this side and they are running a PIX something or another.
    I can see where to create a pool but how can I tell the ASA to assign that pool to the addresses in that LAN 2 LAN?

    L2L VPNs do not use 'pools'. You have to define the interesting traffic using Crypto Access-Lists. In case of NAT, you can put the translated IPs in the access-list as per the below example:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
    And this is an example on IOS:
    http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
    Regards
    Farrukh
