NAT Address range different to Public

Hi
We have a new ASA box in place with a Private, DMZ and Public card which routes out to the Internet fine and everything is currently working as it should.
I am trying to set up the NAT part, yet the range we have been given is on a different subnet to the Public one we have configured.
Could anyone tell me the procedure to get it to work?
I understand setting up a static NAT rule to map the Public to Private and allowing the access rules to connect. Yet I am confused on how to set up routing to this new subnet. I thought I could configure a loopback, but I understand this isn't allowed on the ASA. Any example configs would be much appreciated.
Many thanks in advance,
Mark

Hi Eugene
This still isn't working for me unfortunately and I don't know where I am going wrong, I really appreciate your help so far. I am on 8.2 and this is just a test to get it working before we map Public to DMZ.
Here is the config I have:
NAT
static (Private,Public) 193.172.195.2 10.25.1.1 netmask 255.255.255.255
#sh xlate
Global 193.172.195.2 Local 10.25.1.1
So NAT seems to be working.
Access Rules
I have the following access rule:
access-list PUBLIC-ACL extended permit tcp any host 193.172.195.2 eq www
Yet when I do a packet trace on the exception rule, I get:
Packet Trace
Interface: Public
Source IP: 93.13.216.93         Destination Address: 193.172.195.2
Source Port : 1065                 Destination Port: 80
+UN-NAT
-Type - Un-NAT | Subtype - Static | Action - Allow | Show rule in NAT Rules table.
Config
static (Private, Public) 193.172.195.2 10.25.1.1 netmask 255.255.255.255
match ip Private host 10.25.1.1 Public any
static translation to 193.172.195.2
translate_hits=3, untranslate hits=111
Info
NAT divert to egress interface Private
untranslate 193.172.195.2 to 10.25.1.1/0 using netmask 255.255.255.255
(GREEN TICK)
+ACCESS-LIST
-Type-ACCESS-LIST | Action - ALLOW | Show rule in Access Rules table.
Config
access-group PUBLIC-ACL in interface Public
access-list PUBLIC-ACL extended permit tcp any host 193.172.195.5 eq www
(GREEN TICK)
+IP-OPTIONS
-Type - ACCESS-LIST | Action - DROP
(GREEN TICK)
+ACCESS-LIST
-Type-ACCESS-LIST | Action - ALLOW | Show rule in Access Rules table.
Config
Implicit Rule
(Red Cross)
+RESULT - The packet is dropped.
Input Interface: Public              Line Up     Link Up
Output Interface: Private          Line Up     Link Up
Info: (acl-drop) Flow is denied by configured rule
(Red Cross)
It is being denied by the implicit any to any Public access default incoming rule, even though I have the exception listed above it.
Regards,
Mark
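As an added example that is not part of Mark's post, the Python below replays the two packet-tracer phases shown above for 8.2-style lines (UN-NAT, then the ingress ACL matched against the still-untranslated public address) and lists static mappings that no inbound permit covers. The config lines in it are constructed to mirror the post, and the parser assumes only the simple static/access-list/access-group forms quoted here.

```python
import re
from ipaddress import ip_address, ip_network
# Only the simple 8.2 forms quoted in the post are recognised (an assumption of this example).
STATIC_RE = re.compile(r"^static \((\S+),\s*(\S+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22}

def _take_addr(tokens):
    """Consume one address specifier: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def _take_port(tokens):
    """Consume an optional 'eq <port|name>'; None means any port."""
    if not tokens or tokens[0] != "eq":
        return None
    name = tokens[1]
    del tokens[:2]
    return int(name) if name.isdigit() else PORT_NAMES[name]

def parse_config(lines):
    """Return (statics, aces_by_acl_name, acl_name_by_interface)."""
    statics, acls, groups = [], {}, {}
    for raw in lines:
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if, "real": ip_address(real),
                            "mapped": ip_network(f"{mapped}/{mask}", strict=False)})
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src = _take_addr(tokens)
            _take_port(tokens)  # source port: parsed so the tokens line up, not checked below
            dst = _take_addr(tokens)
            acls.setdefault(name, []).append((action, proto, src, dst, _take_port(tokens)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return statics, acls, groups

def trace(lines, ingress, src, dst, proto="tcp", dport=80):
    """Replay packet-tracer's UN-NAT then ACCESS-LIST phases; returns (verdict, steps)."""
    statics, acls, groups = parse_config(lines)
    steps = []
    # Phase 1: UN-NAT. The static whose mapped interface is the ingress interface and
    # whose mapped address covers the destination gives the real address and egress.
    hit = next((s for s in statics
                if s["mapped_if"] == ingress and ip_address(dst) in s["mapped"]), None)
    steps.append(f"UN-NAT {dst} -> {hit['real']}, egress {hit['real_if']}" if hit
                 else "UN-NAT: no static matched")
    # Phase 2: the ingress ACL. On 8.2 it is matched on the still-untranslated public
    # destination, so the ACE has to name the mapped address, not the real one.
    for action, p, s_net, d_net, port in acls.get(groups.get(ingress, ""), []):
        if (p in (proto, "ip") and ip_address(src) in s_net
                and ip_address(dst) in d_net and port in (None, dport)):
            steps.append(f"ACCESS-LIST: {action} {p} {s_net} -> {d_net} port {port or 'any'}")
            return ("allow" if action == "permit" else "drop"), steps
    steps.append("ACCESS-LIST: implicit deny (acl-drop)")
    return "drop", steps

def statics_without_inbound_permit(lines):
    """Audit: host statics whose mapped address no permit ACE on the mapped interface covers."""
    statics, acls, groups = parse_config(lines)
    missing = []
    for s in statics:
        aces = acls.get(groups.get(s["mapped_if"], ""), [])
        host = s["mapped"].network_address
        if not any(a == "permit" and host in d for a, _, _, d, _ in aces):
            missing.append(str(host))
    return missing

# Constructed sample mirroring the lines quoted in the post above.
SAMPLE_CONFIG = [
    "static (Private,Public) 193.172.195.2 10.25.1.1 netmask 255.255.255.255",
    "access-list PUBLIC-ACL extended permit tcp any host 193.172.195.2 eq www",
    "access-group PUBLIC-ACL in interface Public",
]
# Same static, but the ACE names a different public host (also constructed).
MISMATCHED_CONFIG = [SAMPLE_CONFIG[0], SAMPLE_CONFIG[2],
                     "access-list PUBLIC-ACL extended permit tcp any host 193.172.195.5 eq www"]
```

Running trace() over both lists shows the first flow allowed and the second dropped by the implicit deny, and statics_without_inbound_permit() names the mapped address the ACL never references.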

Similar Messages

  • Limitation on source group with services using ip address range

    Hello,
    I have an interface on CSS which I regard as public and another interface I regard as private. On the private interface is a server farm with private ip addresses. Since the server admin guys insisted the servers need to access internet just for Windows Update, I made a source group to NAT the private addresses to public addresses to allow the servers to access internet.
    I defined services for use by the source group. Since keepalive is not important in this case, I set keepalive none to, I hope, save system resources.
    I have server 192.168.1.1-5 (5 servers) and 192.168.1.11-14 (4 servers), so I made a service with ip address 192.168.1.1 range 5 and another service 192.168.1.11 range 4.
    But then I found that the two services cannot be put in the same source group. It is because of the different range in the service definition.
    I can get it to work if I define services with single ip addresses, but then I will have a long configuration with repetitive information. And I think this may be using more system resources.
    I can also get it to work if I include 192.168.11.15 and define two services both with a range of 5 ip addresses. But 192.168.11.15 is not actually there.
    Why is there such a limitation on source group, or services with ip address range? Is there the same limitation for content rules? Or am I getting it all wrong and should do the configuration in other ways?
    Advice will be welcomed.
    CT Yau
    Hong Kong

    Yes you are correct. There is a limitation while adding services into source groups.
    You can create as many services that share an ip range (eg. a /24 subnet range). But the trouble starts when you add them into source groups. You can not add them into a source group, nor can you add them under different source groups.
    You mentioned that you can use a single ip address instead of a range for the services...but it is not true as you will be stuck when you add them into source groups.
    I can think of these following options in your case.
    Option 1
    Change the ip range on the servers. Use 2 different IP ranges one for those 5 servers and another for those 4 servers.
    Create 2 services for each range.
    Create 2 groups and add the services.
    service server-out-192.168.1.1-5
      ip address 192.168.1.1 range 5
      active
    service server-out-192.168.1.11-14
      ip address 192.168.1.11 range 4
      active
    group server-out-192.168.1.1-5
      vip address x.x.x.1
      add service server-out-192.168.1.1-5
      active
    group server-out-192.168.1.11-14
      vip address x.x.x.2
      add service server-out-192.168.1.11-14
      active
    Option 2
    Create a service that includes all the ip addresses starting from 192.168.1.1 through .14 using the range keyword.
    Now you need to create one source group with a VIP. Add the service to the source group.
    If you do not want to cover the unassigned ip addresses just move them up and use consecutive ones.
    service server-out-192.168.1.1-14
      ip address 192.168.1.1 range 14
      active
    group server-out-192.168.1.1-14
      vip address x.x.x.x
      add service server-out-192.168.1.1-14
      active
    thanks

  • Cisco ASA 5512x - Restrict email delivery to ip address range..

    Hi,
    I was wondering how to tighten the security of my email delivery to a range of ip addresses (I know how on my old firewall but the cisco is quite a bit different).  Right now anyone sending email to a particular ip address on my firewall can do so.  I want to restrict that to two ip address ranges it will accept delivery from.  I'm thinking I need two network objects for the two ranges then add to a network object group.  Can anyone help with configuring the ACL for delivery using that group if I'm correct about that?
    TIA
    Al

    Hi,
    I assume that you have a server or multiple servers on your network behind the ASA and want to restrict SMTP traffic to them and only allow SMTP traffic from certain address ranges?
    You might have something like this configured for the server Static NATs
    object network SMTP-SERVER1
      host 10.10.10.10
      nat (dmz,outside) static x.x.x.x dns
    object network SMTP-SERVER2
      host 10.10.10.20
      nat (dmz,outside) static y.y.y.y dns
    If so you could simply create the following kind of configurations to restrict traffic to them
    object-group network SMTP-SERVERS
    network-object object SMTP-SERVER1
    network-object object SMTP-SERVER2
    object-group network ALLOWED-SMTP-SOURCE
    network-object
    network-object
    network-object host
    access-list OUTSIDE-IN remark Allowed SMTP connections
    access-list OUTSIDE-IN permit tcp object-group ALLOWED-SMTP-SOURCE object-group SMTP-SERVERS eq smtp
    access-group OUTSIDE-IN in interface outside
    The above configuration does the following
    Has 2 example Static NAT configurations for local DMZ servers
    Groups those 2 servers to their own object-group SMTP-SERVERS (for easier use in the ACLs)
    Creates an object-group that will contain all the public networks and host addresses that are allowed to contact your SMTP servers (for easier use in the ACLs)
    Configures an ACL that allows SMTP (TCP/25) connections from "outside" only if the source network for the connection belongs to some address range on the ALLOWED-SMTP-SOURCE object-group and when the destination is either one of your SMTP servers.
    Naturally the above object/object-group, access-list and interface names could be different and same for the actual IP addresses.
    Also, if you already have an ACL attached to your "outside" interface then naturally you use that and DON'T NEED the "access-group" command above. (As it's used to attach an ACL to an interface which doesn't already have one attached)
    - Jouni

  • Using both Dynamic and Static NAT with two Different Internet facing Subnets

    We have two Class C Public Address subnets.  We started with Subnet (A) and have many of our Internet accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 8.3(2) and started Migrating the Users and new servers to it so I started with our second Class C Subnet (B).   Later on down the road I found out that if the Firewall's Default Gateway is set to a (B) Interface subnet, then the servers that are statically mapped to a (A) Address will have a (B) address when they communicate out to the internet.  So they are receiving packets on their (A) Address, though replying to them with a (B) address. 
    It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external Address when communicating outbound as well as inbound. 
    So For instance I want the Following: when the Internal Replies I want the reply to come from the mapped IP, not an IP from the Dynamic Pool. 
    Public IP: 192.168.1.100/24
    Internal IP: 10.0.0.100/16
    Public IP: 192.168.5.101/24
    Internal IP: 10.0.0.101/16
    interface Ethernet0/0
    description 192.168.1.0/24 Network Outside IP
    nameif outside-1
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/1
    description 192.168.5.0/24 Network Outside IP
    nameif outside-5
    security-level 0
    ip address 192.168.5.1 255.255.255.0
    interface Ethernet0/2
    description inside 10.0.0.0/16
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.0.0
    object network serverA_o
    host 192.168.1.100
    object network serverA_i
    host 10.0.0.100
    object network serverB_o
    host 192.168.5.101
    object network serverB_i
    host 10.0.0.101
    object network 192-168-1-NAT-POOL
    range 192.168.1.50 192.168.1.239
    nat (inside,outside-1) source static serverA_i serverA_o
    nat (inside,outside-5) source static serverB_i serverB_o
    nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
    object network serverA_i
    nat (inside,outside-1) static serverA_o
    object network serverB_i
    nat (inside,outside-5) static serverB_o
    route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
    route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2
    When I set this up my serverB shows a Public IP of something in the 192-168-1-NAT-POOL Not 192.168.5.101
    Any Suggestions?
    Thanks!

    Not sure why I have Multiple Entries. )-: I did think it was Odd. I think it might be because I was looking at examples of the new and old styles of NAT.
    We have a Single ISP, though have 2 separate non-Contiguous  Class C Addresses from them. We host some Servers on one subnet and some on the other. 
    I'm looking for a way to use both Subnets on the same ASA. 
    The Connection to the net looks like this:
    Internet -> Edge Router Layer3 VLAN Switch
    GE0/1.2 - 192.168.1.1 VLAN Tagged --> GE0 - VLAN Tagged
    GE0/1.2 - 192.168.5.1 VLAN Tagged -^
    Layer3 VLAN Switch Firewall
    GE1 192.168.1.0/24 Untagged -> ASA Outside-1
    GE2 192.168.5.0/24 Untagged -> ASA Outside-5
    Firewall
    ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100
    Hope that helps clarify.
    I could try to post some sanitized Configs of my PIX and ASA if needed.  But the end result I'm trying to do is have the ASA do NAT for multiple Public Subnets. 

  • Connecting 2 WAN clouds on the same IP address range.

    Hello, I have a problem connecting my office to two third party companies.
    I have two Cisco 1700 series WAN links to my office from these companies, Both routers are fully managed by their respective companies, both use static routing, and both are using the 10.0.0.0/8 IP address range.
    The first company assigned my office the address range 10.212.1.0/24.
    The second company assigned my office the address range 10.215.1.0/24.
    My office can be set to any IP address range.
    My questions are:
    Is it possible to have a connection from my office to both networks at the same time? If so how?
    Do I require these companies to provide me with their static routing information? or can I use routing protocols?
    Do I need to perform NAT?
    Can I use a PIX 515e firewall with three interfaces?
    Sample configuration would be greatly appreciated

    It's possible to have connections to your offices at the same time with the usage of subinterfaces. The usage of static and dynamic protocols depends totally on the size of the topology of your network. If it's a very very small network static routing will do. Performing a NAT totally depends upon your decision whether to use a public ip or not. If required you can use a pix firewall

  • Determing IP Address Ranges for Setting up a VPN

    Following the directions that I've found here ... I'm attempting to setup a VPN for my company to share documents.
    I am using a mac mini, which is connected to a router, and the router to a cable modem.
    In order to set up the VPN using L2TP over IPsec, I need to enter both a Starting and Ending IP Address.
    I have found only a single IP address for the mac mini, and when going into system profiler have found various other addresses and am not sure how to properly setup the IP Address Range.
    Some of the categories shown in the System Profiler are:
    IPv4 Addresses, IPv4 Configuration Method, Interface Name, Router, Subnet Masks, IPv6 Configuration Method, DNS Server Addresses, etc.
    However, I only see 1 single IP Address.
    Any help would be greatly appreciated.
    ~ JJL

    OK, that's good, you have all you need.
    You are probably going to need to read up on the management of the base station as this is going to be your NAT router (remember that from my earlier post?) and your internet firewall. Management will be via a web browser, on a computer directly connected to base station's ethernet port. There will be a default IP address to put into the web browser to reach the management page. This IP address can probably be found by opening the Network prefs on one of your airport computers and looking to see what the 'Router' IP is set to (I'm presuming that the base station is still in its default function). It will also be in the base station documentation.
    The base station will act as your DHCP server (we could alternatively use the server but let's keep it as the base station - no real difference). There will be a management page for this where you can specify its own IP address and also what range you want to distribute to other computers. For example...
    192.168.1.1 for base station
    192.168.1.2 to 192.168.1.40 for DHCP
    Remember, we do not want to hand out all the IP addresses by DHCP because we need to keep some back for the server's static IP and the VPN users. So maybe we keep...
    192.168.1.100 for the server
    192.168.1.200-219 for L2TP vpn
    192.168.1.220-239 for PPTP vpn (if this is also needed for PCs and the like).
    Via the management screen, confirm that NAT routing on the base station is enabled (this allows all LAN computers to access the internet via your base station which is now your 'Internet Router').
    Confirm that the firewall on the base station is enabled. This protects your LAN (on the private side of the router) from all other traffic on the internet (the public WAN).
    Switch off both the modem and the base station.
    Connect the modem to the WAN port of the base station (ordinary ethernet cable).
    Keep modem off for 5 - 10 minutes (this clears any cached settings at the ISP end). Switch on the cable modem and wait a few minutes for it to settle.
    Switch on the base station and reconnect to the management screen. There will probably be an Internet Wizard or some such thing in the management page to establish the connection with the modem.
    When the connection to the modem is OK, you should be able to browse the rest of the internet from the computer you have directly connected to the base station.
    Restart any computers connected by airport. They should now also be able to browse internet.
    Disconnect computer which is directly connected to base station.
    The ethernet port on base station now gets connected to your switch.
    The Server connects to the switch too.
    You are probably going to need to give your server a new IP address, in the same network range as now being used elsewhere in your LAN. This is not quite as trivial as just changing it in the Network Prefs although you may well be able to get it going fine doing just that (to be honest, I'm not sure I want to add that bit into this already lengthening post).
    If you want to just change the IP address in Network Prefs just now, remember that the Router field will be the IP address of your base station. The DNS server (in server network prefs) will also be base station.
    I have skipped past a bit regarding the server setup and also omitted how to get the vpn traffic from the WAN to the server (hint: port forwarding in router) but I think it is wise just to get the rest of the network up and running behind a secure router/firewall first.
    -david

  • SA520 NAT/PAT not working with NAT address

    The SA520 I have is configured on one public IP address and an exchange server is behind it.  THe exchange server is configured with an internal address and the SA520 is performing NAT translation to a unique public address for the email server itself which is independant of the SA520.  It seems that the SA520 is sending email out the NAT address correctly at some time and at other times it seems to be sending the email traffic over the PAT address of the SA520 public address.  When this happens the email gets blocked due to spam lists.  Then the email will work again correctly.. and then go back.  If I use a 3rd party website to test the IP address sometime I get the correct one and sometimes I get the wrong address.
    Is there a way I can confirm that the SA520 NAT settings are correct to allow ALL outbound communications from the exchange server (which is behind the SA520)?  I may have the SA520 configuration wrong and it is possible that the SA520 is only providing inbound PAT for port 25.  How do I tell the SA520 to do a 1 to 1 NAT with the exchange server?

    Hi John,
    In order to establish a 1 to 1 NAT on the SA 500 series, as in your case, you must first add an IP Alias for your 2nd WAN.  Next, you create a Firewall rule to "force" all or selected traffic from your NATed server (LAN) to the WAN to go out thru the IP ALIAS address.  Finally, we forward specific traffic from the WAN to your NATed Server (LAN) thru Firewall Rule(s).  See sample wan2lan bitmaps attached. Do this for each of the services that you will allow to come in thru the SA 520 to your Server.  As long as there are no other Firewall rules overlapping with the newly created rules, traffic to and from your NATed server will come/exit thru your ALIAS IP.
    We can verify this by performing a WAN Packet Trace (Administration-->Diagnostics -->Packet Trace)  After choosing Dedicated WAN as the Network to be captured, Click on Start to perform Packet Capture.  Go to your NATed server, and perform the following, on a command prompt window Ping google.com, open a browser window and open google.com.  On a remote machine, open a web page on your server (OWA?) to test incoming HTTP/HTTPS requests. Stop your capture, and save the packet capture file by pressing the Download button.  Open file with Wireshark/Ethereal and observe the source and destination address of the packets.  They should have the ALIAS address and not the WAN IP address.
    If the above step is good, then we have to take a look as to if and why your SMTP or email services are not being routed out the ALIAS interface. Repeat the capture steps as above, but this time send an outgoing email, and test an incoming email by emailing an internal account from an outside email account (yahoo, gmail, hotmail).
    If you still have failure, and you have IPS or ProtectLink enabled, can you run the steps that failed with IPS and/or ProtectLink both disabled?
    If there are issues, you can post the captures as a personal message to me.
    I hope the above will help narrow the issue a bit.
    Best regards,
    Julio

  • Creating connection using NAT address

    Can we use ServerSockets to create a connection to a server using the NAT address ? If yes, then does it require something different ?

    Do you want to connect an external machine to a machine behind your NAT router? Or is this completely internal? If it's internal you should be able to use the machine's private ip address.

  • ACE - VIP address on different subnet

    Hello,
    Is it possible to configure a VIP address that is different from the VLAN subnet where it is applied on?
    Fe:
    VIP is 10.10.10.1/24 on VLAN 10
    Interface of ACE in VLAN 10 is 192.168.1.1/24
    On the upstream routers, a static route points to the VIP address (subnet) with next-hop the ACE address?
    Thanks.

    Unfortunately I don't have a test environment either to verify this.
    I don't think you will see arp entries as the address doesn't belong to an interface.
    You should see the VIPs active (sh service policy detail) for these non-interface VIPs.
    If those are active then I think once client request hits the ACE it should take care of it.
    I have deployed such a solution with FWSM (no VIPs there but used NATted addresses not belonging to any attached interface) and as per that experience I think it should work.
    But yes you need actual clients to test this scenario.
    Syed

  • Can I change the IP-address range when I'm using tethering

    Hi,
    I am trying to change the local IP-address range my iPhone is providing when I'm using tethering.
    Is it possible ?

    Agreed. I have migrated a central controller from one continent to another - to totally different machines and IP addresses - so your task should be a doddle. David has listed the steps.
    Regards,
    Geoff

  • Send RTP stream to NAT address

    Hi,
    I want to transmit an RTP stream from a server to a host in a LAN.
    This host has a NAT address and it's a non real IP address, so I can't send any stream through usage of the SessionManager API because it needs to know a public IP.
    The other issue is that in a LAN, in most popular cases, there is a firewall that closes the connection from the internet to their hosts.
    I think this solution:
    1) LAN's hosts can initiate the connection with the server sending non real RTP data
    2) Server stores the SessionManager of this connection
    3) Server can send your RTP stream now
    Does anyone have a better solution or any suggestion?
    Thanks to all

    I have one appletTransmitter that capture video from webcam and transmit it to other client on internet.
    I try to transmit medialocator from appletTransmitter to servlet1 and then save MedialLocator as servlet attribute, then other client can connect to servlet2 that send saved MediaLocator to appletClient.
    APPLETTRANSMITTER:
    import java.io.*;
    import java.net.*;
    import javax.media.MediaLocator;

    // Applet side: serialise the MediaLocator and POST it to servlet1
    MediaLocator media = new MediaLocator("vfw://0");
    try {
        URL url = new URL("http://localhost:8080/servlet1");
        URLConnection conn = url.openConnection();
        conn.setDoOutput(true);
        OutputStream os = conn.getOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(os);
        oos.writeObject(media);
        //oos.writeObject("Prova Servlet");
        oos.flush();
        oos.close();
        // The request is only sent once the response is read
        conn.getInputStream().close();
    } catch (MalformedURLException mue) {
        mue.printStackTrace();
    } catch (IOException ioe) {
        ioe.printStackTrace();
    }
    SERVLET1
    // Servlet side: deserialise the MediaLocator and keep it in the servlet context.
    // readObject() throws ClassNotFoundException if the JMF classes are not on the container's classpath.
    ObjectInputStream objin = new ObjectInputStream(request.getInputStream());
    MediaLocator ml = null;
    try {
        ml = (MediaLocator) objin.readObject();
        context.setAttribute("media", ml);
    } catch (ClassNotFoundException e) {
        e.printStackTrace();
    } finally {
        objin.close();
    }
    But on servlet1 there is a ClassNotFoundException: MediaLocator
    What do we think about the solution and exception problem?
    Best Regards,
    Nico from Italy

  • DHCP exclude address range option config on Instant 2.0

    Q:  DHCP exclude address range option config on Instant 2.0
    A: This article applies to Instant 4.2 and above.
    Before 4.2, using exclude-address as a range option was not available.
    Since IAP is getting used as an Edge device, the feature needs to be in compliance with industry standard. 
    From 4.2 onwards, IAP local DHCP server will support exclude IP address as a range.
    With this feature we are supporting the following
    A. exclude-address ip1
    B. exclude-address ip1 ip2
    Show dhcps command will show the excluded range and available range

    I found this on TCPIPGUIDE.com that supports my findings.
    "One difference between BOOTP and DHCP is that certain communications from the client to the server are unicast. The most noticeable instance of this is when a client tries to renew its lease with a specific DHCP server. Since it sends this request unicast, it can go to a DHCP server on a different network using conventional IP routing, and the relay agent does not need to be involved."

  • Apple icloud IP address ranges so we can block them

    Hi
    Does anyone know what the IP range is for the shiny new data centre for Apples iCloud service?
    Whilst it's a great service, and indeed i intend to make use of it myself on my devices, as the person in charge of managing data policy for a corporate the idea that it will be available for the PC platform makes me go pale in fear.
    Should an app that uses the iCloud API get on to the desktop then our data could easily be removed and be, instantly, on a number of devices.
    Anyone know if there is a list made public ?
    Thanks
    Olly

    Apple does not publish IP address ranges that I've ever seen. Someone might be able to spot the addresses by using a packet analyzer or other such utility to monitor outgoing traffic.
    I understand the concern, but I think we need to wait until we're closer to the actual launch of iCloud to see what kind of controls and restriction capabilities Apple provides for the service. I would certainly hope that Apple has considered this sort of issue.
    Note that data backup and synchronization will be tied to the specific Apple ID, so barring any sort of data sharing capability, hinted at in the announcement information but not detailed, the only way anyone would be able to get access to any data would be if they had access to that same Apple ID. So it would take more than just getting a given app onto the system for data to be exposed.
    Let's hang in and see what the situation will be as we get closer to the release.
    Regards.

  • Add IP address ranges to my airport extreme firewall white list.

    I need to add IP address ranges to my airport extreme firewall white list.   This is so Security Metrics can access my computer and approve a scan for my credit card PCI compliance.  How do i add ip ranges?

    Sorry, but this option is not available with the AirPort routers. The only control you have over the AirPort's NAT firewall is either to enable/disable it or to configure it for Port Mapping. There are no options that support whitelisting/blacklisting IP addresses/ranges.
    If this is an important requirement, you may need to replace your current AirPort with another vendor's product that will support this.

  • Memory address range - Solaris 10

    Hi All,
    Is there any command in Solaris 10 to know the memory address range ( hex) of each DIMM ?
    How to calculate the size of the module based on the address range ?
    Thanks in advance

