NAT between 2 subnets

Hello, 
I have subnets (LAN A and LAN B) on each side of an 819 router:
G0: IP=10.1.1.3/24 (LAN A)
F0: IP=172.16.0.3 (LAN B)
On each of these networks, there is an existing DFGW address programmed into the devices (PLCs) as 10.1.1.1 and 172.16.0.1 respectively.
I want PLCs on each subnet to talk to each other without sending packets to the DFGWs.
On LAN A, I would like PLC-A to feel like it is communicating directly with the G0 IP address when in fact that packet gets sent out F0 with F0's IP to PLC-B. PLC-B responds to the F0 address (as it is in the same subnet) and the return packet gets NATed back to the G0 IP address.
Is this doable? I think it is, but I am struggling with implementing both port forwarding and NAT translations (double NAT).
Thanks! Look forward to someone with some expertise in this area to help me out.

Is there any document you are aware of that simplifies some of the NAT operations?

You seem to understand it pretty well to be honest :-)
There are two types of NAT, dynamic and static. Both your statements are static. This one -
ip nat inside source static tcp 10.33.5.2 502 10.64.41.196 502 extendable
needs to be a static because the traffic is arriving on the outside interface. You see this sort of statement quite often in configurations or something like it.
This one -
ip nat outside source static 10.64.41.194 10.33.5.80 add-route
is a lot less commonly used. Ideally what we wanted to do was do a dynamic NAT from outside to inside and change the outside IP to the router's inside interface IP.
But unfortunately IOS only supports this type of NAT, i.e. dynamic NAT overload from inside to outside, and we are going outside to inside so we couldn't use it.
It has always been a bit annoying that it doesn't, because it would have made your setup and others simpler.
So we had to use the above and you have to add a route because of the reasons I explained in my previous post. It's basically the order that IOS does things in which direction.
That was why I was asking about which side initiated the connection, because if it had been the PLC on the inside we could have used a dynamic NAT statement for its IP as it went outside, because that is supported, and a static NAT statement (different from the one you have now) for the PLC on the outside.
But as the flow was always outside to inside we couldn't.
NAT and what you can do with it can get complicated. And the NAT used on ASA firewalls is a completely different syntax than IOS NAT.
Here is a link to doc on IOS NAT that is a good overview -
http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html
Unfortunately in my browser the pictures aren't showing, but they may in yours.
If you have any specific questions, then please feel free to ask.
Glad you got it working.
Jon
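To make the order-of-operations point in the reply above concrete, here is an added Python model (not code from the thread or from Cisco) of the two static statements. It assumes 10.33.5.0/24 and 10.64.41.0/24 as the connected inside and outside subnets, a constructed source port 40000, and the simplified IOS rule that outside-to-inside packets are translated before the route lookup while inside-to-outside packets are routed before translation.

```python
"""Model of the two IOS static NAT statements from the reply and of why the
outside-source static needs add-route.

Added example; not code from the thread or from Cisco. The router model is a
simplified assumption: outside-to-inside packets are translated before routing,
inside-to-outside packets are routed before translation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Two-interface router using the addressing from the reply (assumed subnets)."""

    def __init__(self, add_route: bool) -> None:
        # Connected routes: PLC side on inside, the initiating PLC on outside.
        self.routes = [
            (ip_network("10.33.5.0/24"), "inside"),
            (ip_network("10.64.41.0/24"), "outside"),
        ]
        # ip nat inside source static tcp 10.33.5.2 502 10.64.41.196 502 extendable
        # inside local -> inside global (reversed for packets arriving on outside)
        self.inside_l2g = {("10.33.5.2", 502): ("10.64.41.196", 502)}
        self.inside_g2l = {v: k for k, v in self.inside_l2g.items()}
        # ip nat outside source static 10.64.41.194 10.33.5.80 [add-route]
        # outside global -> outside local
        self.outside_g2l = {"10.64.41.194": "10.33.5.80"}
        self.outside_l2g = {v: k for k, v in self.outside_g2l.items()}
        if add_route:
            # add-route installs a host route for the outside local address
            # pointing at the outside interface, so the reply is routed there.
            for local in self.outside_l2g:
                self.routes.append((ip_network(f"{local}/32"), "outside"))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match, as the forwarding table would do."""
        best = None
        for net, iface in self.routes:
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def outside_to_inside(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        """Packet arriving on outside: translate first, then route."""
        dst, dport = self.inside_g2l.get((pkt.dst, pkt.dport), (pkt.dst, pkt.dport))
        src = self.outside_g2l.get(pkt.src, pkt.src)
        translated = Packet(src, pkt.sport, dst, dport)
        return translated, self.lookup(translated.dst)

    def inside_to_outside(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        """Packet arriving on inside: route first, then translate."""
        egress = self.lookup(pkt.dst)
        if egress != "outside":
            # Without add-route 10.33.5.80 falls into the inside /24, so the
            # reply is sent back out inside and NAT never sees it.
            return pkt, egress
        src, sport = self.inside_l2g.get((pkt.src, pkt.sport), (pkt.src, pkt.sport))
        dst = self.outside_l2g.get(pkt.dst, pkt.dst)
        return Packet(src, sport, dst, pkt.dport), egress


def simulate(add_route: bool) -> dict:
    """Run the outside-initiated TCP/502 exchange in both directions."""
    router = Router(add_route)
    request = Packet("10.64.41.194", 40000, "10.64.41.196", 502)  # constructed
    seen_by_plc, egress_in = router.outside_to_inside(request)
    reply = Packet(seen_by_plc.dst, seen_by_plc.dport, seen_by_plc.src, seen_by_plc.sport)
    seen_by_outside, egress_out = router.inside_to_outside(reply)
    return {
        "request_on_inside": seen_by_plc,
        "request_egress": egress_in,
        "reply_on_outside": seen_by_outside,
        "reply_egress": egress_out,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"add-route={flag}: {simulate(flag)}")
```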

Similar Messages

  • ASA 5510 - Setting up ACL to permit access only to the Nat'ed subnet

    Hi,
    I am experiencing an issue in setting up an ACL on my ASA 5510 to permit access only to the NAT subnet from inside to the outside interface. This firewall is set up for the DR solution in the production network. I am applying the following ACL in the inbound direction on the inside interface.
    permit ip any "Nat_subnet"
    After applying this ACL to the inside interface I observed that I can ping the destinations in the NATed subnet but am unable to SSH to the servers. Following is the summary of my configuration. I would appreciate it if someone could please advise on how to resolve this issue.
    Regards,
    Muds
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.135.249 255.255.255.248 standby 192.168.135.250
    object-group network d1-dr-nat_nets
    network-object 192.168.128.0 255.255.248.0
    object network 10.210.14.0_Net
    nat (outside,inside) static 192.168.128.0_Net
    object network 10.210.16.0_Net
    nat (outside,inside) static 192.168.129.0_Net
    object network 10.210.80.0_Net
    nat (outside,inside) static 192.168.130.0_Net
    object network 10.210.84.0_Net
    nat (outside,inside) static 192.168.131.0_Net
    object network 10.210.86.0_Net
    nat (outside,inside) static 192.168.132.0_Net
    object network 10.210.88.0_Net
    nat (outside,inside) static 192.168.133.0_Net !
    access-list prod_lan-in extended permit ip any object-group d1-dr-nat_nets
    access-group prod_lan-in in interface inside

    Hi,
    As I mentioned, even though you NAT the address from outside to inside, you will have to use the REAL IP ADDRESSES in the access-list statements.
    Your hosts on inside will still be connecting to the NAT IP address of the hosts on outside, BUT the ASA needs the ACL statements with the NATed hosts' original IP addresses.
    Let me give a simple example
    object network STATIC
    host 10.10.10.10
    nat (outside,inside) static 192.168.10.10
    access-list INSIDE-IN permit ip any host 10.10.10.10
    or
    access-list INSIDE-IN permit ip any object STATIC
    - Jouni
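As an added illustration of the point above (not code from the thread), the following Python lint reads a small constructed ASA object-NAT snippet, modelled on the STATIC example and on the mapped-range ACL from the question, and flags any ACE on the inside interface whose destination is a mapped address instead of the real one. It understands only the subset of ASA syntax used in these two posts.

```python
"""Lint for the rule above: with ASA object NAT, an ACL applied to the inside
interface must match the REAL (untranslated) address of the outside host, not
the mapped address that inside hosts actually connect to.

Added example; not code from the thread or from Cisco. Only the small subset of
ASA syntax used in the posts is parsed (object network / host / subnet /
nat (outside,inside) static / access-list ... extended permit ip any <dst>)."""
import re
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

# Constructed sample: Jouni's STATIC object plus one subnet mapping in the
# style of the question, followed by two correct and two incorrect ACEs.
SAMPLE_CONFIG = """\
object network STATIC
 host 10.10.10.10
 nat (outside,inside) static 192.168.10.10
object network 192.168.128.0_Net
 subnet 192.168.128.0 255.255.255.0
object network 10.210.14.0_Net
 subnet 10.210.14.0 255.255.255.0
 nat (outside,inside) static 192.168.128.0_Net
access-list INSIDE-IN extended permit ip any host 10.10.10.10
access-list INSIDE-IN extended permit ip any host 192.168.10.10
access-list INSIDE-IN extended permit ip any 192.168.128.0 255.255.255.0
access-list INSIDE-IN extended permit ip any object 10.210.14.0_Net
"""


def _net(addr: str, mask: str = "255.255.255.255") -> IPv4Network:
    return ip_network(f"{addr}/{mask}")


def parse_objects(text: str) -> Dict[str, IPv4Network]:
    """First pass: 'object network NAME' followed by a host or subnet line."""
    objects: Dict[str, IPv4Network] = {}
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            name = line.split()[2]
        elif name and line.startswith("host "):
            objects[name] = _net(line.split()[1])
        elif name and line.startswith("subnet "):
            _, addr, mask = line.split()
            objects[name] = _net(addr, mask)
    return objects


def parse_static_nat(text: str, objects: Dict[str, IPv4Network]) -> Dict[IPv4Network, Tuple[str, IPv4Network]]:
    """Second pass: mapped network -> (object name, real network)."""
    mappings: Dict[IPv4Network, Tuple[str, IPv4Network]] = {}
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            name = line.split()[2]
        elif name in objects and line.startswith("nat (outside,inside) static "):
            target = line.split()[3]  # inline host IP or a mapped object name
            mapped = objects[target] if target in objects else _net(target)
            mappings[mapped] = (name, objects[name])
    return mappings


def ace_destination(line: str, objects: Dict[str, IPv4Network]) -> IPv4Network:
    """Destination of 'access-list NAME extended permit ip any <dst>'."""
    m = re.match(r"access-list \S+ extended permit ip any (.+)$", line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    tokens = m.group(1).split()
    if tokens[0] == "any":
        return _net("0.0.0.0", "0.0.0.0")
    if tokens[0] == "host":
        return _net(tokens[1])
    if tokens[0] == "object":
        return objects[tokens[1]]
    return _net(tokens[0], tokens[1])


def lint(text: str) -> List[dict]:
    """Report ACEs whose destination overlaps a mapped (translated) network."""
    objects = parse_objects(text)
    mappings = parse_static_nat(text, objects)
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("access-list "):
            continue
        dst = ace_destination(line, objects)
        for mapped, (obj, real) in mappings.items():
            # 'any' overlaps everything but is not a mapped-address mistake.
            if dst.prefixlen > 0 and dst.overlaps(mapped):
                findings.append({"ace": line, "mapped": str(mapped),
                                 "use_real": str(real), "object": obj})
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"{f['ace']}\n  -> {f['mapped']} is the mapped address; use {f['use_real']} (object {f['object']})")
```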

  • NAT between two interfaces

    Good day,
    I would ask if it is possible to do NAT between two Interfaces on the same device?
    The problem is that I need access from my inside lan to the management interface on the ASA. We will not manage the ASA over the inside interface.
    This is my current NAT statement:
    nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
    This is my PacketTracer output:
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.3.0     255.255.255.0  mgmt
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside in interface inside
    access-list inside extended permit ip 172.20.200.0 255.255.255.0 any
    Additional Information:
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
    Additional Information:
    Static translate 172.20.200.1/0 to 192.168.3.222/0
    Phase: 5
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 244039047, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: mgmt
    output-status: up
    output-line-status: up
    Action: allow
    So NAT seems to be working correctly. I can reach other devices behind the mgmt network, this is no problem. But I can't access the ASA on the mgmt interface 192.168.3.2.
    Could it be a problem with the traffic flow? Because in the Packet Tracer output I see in Phase 1 a route lookup and later in Phase 4 the NAT statement.
    Is there a way to get this working?
    Many thanks for your feedback.
    Brgds,
    Markus

    Hi,
    To my understanding it's not possible to connect to an ASA interface through an interface other than the interface where the IP address is located.
    In other words, you are not able to connect from behind "inside" to the IP address of the "mgmt" interface.
    I will try to find you a link to some Cisco documentation stating this. (I have never really had to find it though)
    - Jouni

  • NAT between IPIVR (or UCCX) and CUCM?

    Hi,
    I would like to know if NAT between IPIVR (or UCCX) and CUCM is allowed (with ASA only, or also router and switch)?
    I didn't find anything about it in UCCX SRND.
    thanks
    [IPIVR v8, CUCM v7.1(5).]

    Hello,
    1) Yes, please use sip trunk as the interface between cme and cucm.
    2) Please note: officially  cme sip trunk video is only supported for cme1—sip trunk---cme2 type set up, but for  basic call you could try to setup cucm to use early media on the sip  trunk. cme by default would use early media and it should work.
    3) For configuration guide on CME Video, you can refer http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmevideo.html#wp1027101 
    4) For interfacing CME with CUCM, please remember to configure below command on CME:
           voice service voip
            sip
              asymmetric payload full
    Hope this helps,
    Vishal

  • NAT between VEM & VSM

    Hi,
    I have a setup with VSM, VEM & VC.
    The setup is an L3 configuration between the VSM and VEM and I am trying to configure NAT between them (I have Cisco routers in the middle).
    From what I saw, I do not think it can work in a NAT configuration between the VSM and VEM, as the VSM always updates the VMware VC with its real IP address (it informs it via the application layer rather than in L3 headers; actually at L3 there is a UDP encapsulation), then the VC updates the VEM about the VSM's real IP address and where to open the tunnel.
    The VEM will always try to bring up the tunnel towards the real IP address of the VSM and not towards the NAT IP address.
    Am I correct, or do I need to configure something else?
    Thanks,

  • NAT between VRFs

    Is it possible to do address translation between VRFs? I see NAT is possible from VRF to global, but haven't found any info about the possibility to NAT between VRFs. Is it possible?

    Please refer the following link for more information on NAT Integration with MPLS VPNs.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatvpn.pdf

  • Nat between vrf

    Hi to all, I'm trying to configure NAT between VRFs. I have a network with multiple VRFs and a common VRF where there are some services shared among them.
    I have an IP overlapping issue, so I'm trying to use NAT-aware VRF.
    The shared service is on a VRF also.
    I use route-target import and export to import routes between VRFs. I've seen that NAT is working between VRF and global routing, but not between different VRFs that are already able to communicate.
    This is my configuration :
    ip vrf proxy
    rd 500:500
    route-target export 500:500
    route-target export 501:501
    route-target import 500:500
    route-target import 401:401
    ip vrf upa
    rd 300:300
    route-target export 300:300
    route-target export 401:401
    route-target import 300:300
    route-target import 501:501
    ip vrf upa-tv
    rd 1000:1000
    route-target export 1000:1000
    route-target export 401:401
    route-target import 1000:1000
    route-target import 501:501
    mpls label protocol ldp
    interface GigabitEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.1
    description interfacccia outside per ip pubblico ipsec
    encapsulation dot1Q 500
    ip address 195.195.195.195 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat enable
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip address 172.31.50.1 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 320
    ip vrf forwarding upa-tv
    ip address 10.4.1.254 255.255.255.0
    interface GigabitEthernet0/1
    description connessa a 6500
    ip address 80.x.x.1 255.255.255.0
    duplex auto
    speed auto
    mpls ip
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    neighbor 80.80.80.2 remote-as 65000
    no auto-summary
    address-family vpnv4
    neighbor 80.80.80.2 activate
    neighbor 80.80.80.2 send-community both
    exit-address-family
    address-family ipv4 vrf upa-tv
    no synchronization
    exit-address-family
    address-family ipv4 vrf upa
    redistribute connected
    no synchronization
    exit-address-family
    address-family ipv4 vrf proxy
    redistribute connected
    no synchronization
    exit-address-family
    ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
    ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    As you can see, I export routes from VRF upa and upa-tv as RT 401:401 and import them into the proxy VRF, and in the same way I export routes from the proxy VRF as RT 501:501 and import them into upa and upa-tv.
    Network 10.4.1.0/24 exists in both VRF upa and upa-tv. So I'd like to NAT one of them to another IP address (I tried to use a static translation to be able to reach the same IP address in both VRFs). I made some tests, and it seems to work when I NAT from VRF to global, but it does not work when the NAT is between VRFs (is this supported?). I tried with NVI and with the classic NAT command:
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat inside
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip address 172.31.50.1 255.255.255.0
    ip nat outside
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf proxy
    tried also with
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    but it didn't work...
    any suggestion ?
    any help will be appreciated
    Max

    Hi Mohammed, now all works well.
    I understand my error: basically, when I tried to ping, I pinged a router in my own VRF, because I imported the network, so the packet didn't come across interfaces and NAT was not in place. Now I tried static host and network NATting and dynamic NATting and all works well.
    Here is a complete working configuration:
    ip vrf proxy
    rd 500:500
    route-target export 500:500
    route-target export 501:501
    route-target import 500:500
    route-target import 401:401
    ip vrf upa
    rd 300:300
    route-target export 300:300
    route-target export 401:401
    route-target import 300:300
    route-target import 501:501
    ip vrf upa-tv
    rd 1000:1000
    route-target export 1000:1000
    route-target export 401:401
    route-target import 1000:1000
    route-target import 501:501
    mpls label protocol ldp
    interface GigabitEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.1
    description interfacccia outside per ip pubblico ipsec
    encapsulation dot1Q 500
    ip address 195.195.195.195 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat inside
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip nat outside
    ip address 172.31.50.1 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 320
    ip vrf forwarding upa-tv
    ip address 10.4.1.254 255.255.255.0
    interface GigabitEthernet0/1
    description connessa a 6500
    ip address 80.x.x.1 255.255.255.0
    duplex auto
    speed auto
    mpls ip
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    neighbor 80.80.80.2 remote-as 65000
    no auto-summary
    address-family vpnv4
    neighbor 80.80.80.2 activate
    neighbor 80.80.80.2 send-community both
    exit-address-family
    address-family ipv4 vrf upa-tv
    no synchronization
    exit-address-family
    address-family ipv4 vrf upa
    redistribute connected
    no synchronization
    exit-address-family
    address-family ipv4 vrf proxy
    redistribute connected
    no synchronization
    exit-address-family
    ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
    ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    Many thanks for the help, now all works well and I understand the way to configure it.

  • Routing between subnets

    Hi all,
    I'm having trouble getting Spiceworks and other programs to communicate between subnets.
    For example, in the image below, Laptops 1 and 2 can't communicate with each other, but they can both communicate to PC1 & the printer.
    I've looked at some of the earlier routing questions, but I am still not sure what to do. What am I missing?
    Abbreviations: NG=Netgear, DL= D-link, W=Wireless, SN=Subnet, GW=Gateway
    This topic first appeared in the Spiceworks Community

  • GT784WNV NAT and subnets

    Hi, we have had Verizon DSL for several years and were recently given a new GT784WNV modem/router. I would like to replace my old Linksys router with this device, but the big problem at the moment is that the GT784WNV will not perform NAT translation for a secondary subnet.
    I have a basic network for the household PCs and devices, with the GT784WNV providing Internet gateway services. This stuff all works pretty much as desired. I also have a second subnet for work-related computers, which is on a second switch behind another router. I added the necessary routing information to the GT784WNV so that it knows about the second subnet, and am able to successfully ping the devices on that subnet from the GT784WNV diagnostics, and vice versa. However, the devices on that subnet cannot connect to the Internet--they cannot ping anything past the GT784WNV, they cannot access web pages, or do anything else. From what I can tell, the NAT module in the GT784WNV is not creating mappings for the devices on the second subnet.
    I have done some preliminary research and it appears that other people were able to resolve this by adding explicit firewall rules; however, I don't see any way to enter these rules in the router's configuration. Does anybody have any advice for me? Can these rules be added with the CLI via the TELNET interface?
    Thanks for any assistance.

    Let me give a more detailed picture and see if I can answer your questions along the way.
    All the PCs on the home network are plugged into a D-Link gigabit ethernet switch. The Linksys router has a single connection to the switched ethernet segment, and the wireless AP is bridged to the LAN segment (so that wireless devices are on the LAN side). Meanwhile, the Linksys also provides internet routing/firewall functions by talking to the (old) Westell modem over PPPoE on a separate WAN link. The Linksys is running DD-WRT firmware for all this.
    My office gear is on a separate HP switch. I have an additional Juniper router/firewall that plugs into the HP router on one port, and plugs into the home D-Link switch on another port. The home and office networks are on completely different IP ranges (work network uses work subnet allocation). The juniper between the two networks has an IP address for each network that it is connected to. The devices on the office network have a default route for the juniper, and it has a default route for the linksys. The linksys has a subnet route for my office network that points to the juniper, and a default route for the PPP connection.
    With this setup, I can do everything perfectly fine. I can access files and printers on each network from any PC, can access the Internet through the remote router, and so forth. I can even host a COD game on my work computer and the Linksys will handle the NAT mapping and forwarding perfectly.
    Alright. Now we got this new GT784WNV device, which was sent to us in an effort to correct a problem with the DSL service (unrelated; that was resolved with infrastructure changes, by moving us to another port on the card at the neighborhood switch). Having the modem in the same box simplifies some things, so even though I don't need it I would like to see if I can make it work.
    So I unplugged the linksys and westell, plugged the GT784WNV into the D-Link, gave it the IP address from the old Linksys, and added a route statement for my office network pointing to the juniper. Basically I just replaced the linksys and modem with the verizon box. I am able to ping the GT784WNV from my office PCs, and I can open a TELNET session to the device from that network as well. However I am not able to communicate with any Internet resources; I cannot ping anything or talk to any remote web servers or anything at all.
    My observation is that the GT784WNV is not forwarding packets from my office network. My assumption is that this is because it thinks the source IP addresses are not "local" and so the firewall rules in the device are preventing them from being serviced by the NAT module. I am basing this assumption on a couple of things, one is that some other people with other models have run into similar problems and have corrected it by unblocking the NAT module in the firewall rules (no such option in the GT784WNV), also I noticed that the routing table in the GT784WNV does not have options for "local" or "remote" so there is no way to explicitly flag that the office subnet is actually "local" (the routing works because the interface matches the LAN link, not because it knows the destination is "local").
    What I am looking for is a way to get at the firewall rules from the TELNET CLI and see if I can study and/or override the NAT restriction. Or, if there are some other alternatives that might solve the issue, that would be good too.
    Frankly, after examining some of the other features on this device, I do not believe it is going to be useful anyway. I do some other things with the DD-WRT firmware that I cannot replicate on this router, and so I suspect at this point that it is not going to be a viable replacement anyway. However, I am still interested in trying to get over this hurdle, and will take it from there. Otherwise it's going in the trash.

  • NAT a subnet to an other subnet

    Hi All,
    I have a Cisco ASA 5510 configured as a gateway for my network. The problem is that I want to create a new subnet for my network and I have a VPN tunnel established to the headquarters; the objective is to create a subnet and NAT it to the already configured subnet through the tunnel. Is this possible? Till now I'm able to create a subnet and make it go to the internet, but I have tried a lot to make it go through the tunnel and it's not working. Has anyone faced such a problem before?!
    thanks for your help,
    Cordially

    Hi Jouni,
    I have been making a lab for this configuration using GNS3. Well, I made a VPN tunnel between two Cisco ASA 5510s (ping OK, tunnel is up), then I made a new subnet, configured routing and NAT for the new subnet, tests locally are OK, and then I tried to NAT the new subnet as you mentioned before, but I can't figure out what's wrong with my configuration. It seems that there is something missing. Well, here's a summary of the lab:
    Site 1: Private Address 10.241.105.0/25, Private New Subnet 172.20.50.0/24
    Site B: Private Address 192.168.1.0/24
    Tunnel IS UP
    What I have done is that I added the new subnet 172.20.50.0/24 to the VPN tunnel for both sides, and then I used Packet Tracer to figure out that packets from 172.20.50.0/24 are being translated to the outside interface and not going through the tunnel. So I added a NAT exempt rule on both sides too. Oops, everything is OK. Good news, right?
    But that's not what I'm looking for!!!
    I will be pasting the two network configurations, and I'm looking for a way to post an image; I can't figure out a way to do that in the forum (feeling stupid). I hope to find it.
    Here's my mail address: [email protected]. Would you please mail me the right configuration? This is very important for me since it's a challenge I have to take in order to join an IT leading team in my corporation (Level 3 Support), my dream for 3 years.
    Cisco ASA 5510 - Site 1
    : Saved
    : Written by enable_15 at 00:33:55.172 UTC Tue Nov 30 1999
    ASA Version 8.0(2)
    hostname ASA1
    domain-name jihed.com
    enable password TyjfM4B9RGk0QSqu encrypted
    names
    interface Ethernet0/0
    description ### Connected to LAN ###
    nameif inside
    security-level 100
    ip address 10.241.105.1 255.255.255.128
    interface Ethernet0/1
    description ### Connected to Outside LAN VPN Tunnel ###
    nameif outside
    security-level 0
    ip address 41.224.46.2 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    passwd 2KFQnbNIdI.2KYOU encrypted
    banner exec Welcome Admin Have a Nice Day
    banner login Welcome Admin Have a Nice Day
    banner motd Welcome Admin Have a Nice Day
    boot config disk0:/.private/startup-config
    ftp mode passive
    dns server-group DefaultDNS
    domain-name jihed.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network DM_INLINE_NETWORK_1
    network-object 10.241.105.0 255.255.255.128
    network-object 172.20.50.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list inside_nat_outbound extended permit ip 10.241.105.0 255.255.255.128 any
    access-list 197.22.47.2_splitTunnelAcl standard permit 10.241.105.0 255.255.255.128
    access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 10.241.105.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 172.20.50.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.20.50.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 41.224.46.2_splitTunnelAcl standard permit 10.241.105.0 255.255.255.128
    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    no logging message 402128
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote_Access 10.241.105.6-10.241.105.10 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (inside) 2 10.241.105.12 netmask 255.255.255.128
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 access-list inside_nat_outbound
    nat (inside) 1 10.241.105.0 255.255.255.128
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 41.224.46.1 1
    route inside 172.20.50.0 255.255.255.0 10.241.105.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 10.241.105.0 255.255.255.128 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 197.22.47.2
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet 10.241.105.0 255.255.255.128 inside
    telnet timeout 1440
    ssh 10.241.105.0 255.255.255.128 inside
    ssh 172.10.1.0 255.255.255.0 outside
    ssh timeout 60
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    group-policy 41.224.46.2 internal
    group-policy 41.224.46.2 attributes
    wins-server value 8.8.8.8 8.8.8.8
    dns-server value 8.8.8.8 8.8.8.8
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value 41.224.46.2_splitTunnelAcl
    default-domain value jihedlab.com
    group-policy 41.224.46.2_1 internal
    group-policy 41.224.46.2_1 attributes
    wins-server value 8.8.8.8 8.8.8.8
    dns-server value 8.8.8.8 8.8.8.8
    vpn-tunnel-protocol IPSec
    default-domain value jihed.com
    group-policy 197.22.47.2 internal
    group-policy 197.22.47.2 attributes
    wins-server value 8.8.8.8 8.8.8.8
    dns-server value 8.8.8.8 8.8.8.8
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value 197.22.47.2_splitTunnelAcl
    default-domain value jihed.com
    username jihed password gUiCqYVlWOugRmug encrypted privilege 15
    username jneji password Ae.gIIaVTgmxpFgx encrypted privilege 0
    username jneji attributes
    vpn-group-policy 197.22.47.2
    tunnel-group 41.224.46.2 type remote-access
    tunnel-group 41.224.46.2 general-attributes
    address-pool Remote_Access
    default-group-policy 41.224.46.2_1
    tunnel-group 41.224.46.2 ipsec-attributes
    pre-shared-key jihed
    tunnel-group 197.22.47.2 type ipsec-l2l
    tunnel-group 197.22.47.2 ipsec-attributes
    pre-shared-key jihed
    prompt hostname context
    Cryptochecksum:27224fc34af0663282057f5cd4f7e932
    : end
    Cisco ASA 5510 Site 2
    : Saved
    : Written by enable_15 at 01:53:32.677 UTC Tue Nov 30 1999
    ASA Version 8.0(2)
    hostname ASA2
    domain-name jihed.com
    enable password TyjfM4B9RGk0QSqu encrypted
    names
    interface Ethernet0/0
    description ### Connected to LAN ###
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/1
    description ### Connected to Outisde Interface VPN Tunnel ###
    nameif outside
    security-level 0
    ip address 197.22.47.2 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    passwd 2KFQnbNIdI.2KYOU encrypted
    banner exec Welcome Admin Have a Nice Day
    banner login Welcome Admin Have a Nice Day
    banner motd Welcome Admin Have a Nice Day
    boot config disk0:/.private/startup-config
    ftp mode passive
    dns server-group DefaultDNS
    domain-name jihed.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network DM_INLINE_NETWORK_1
    network-object 10.241.105.0 255.255.255.128
    network-object 172.20.50.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 any
    access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.20.50.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.241.105.0 255.255.255.128
    pager lines 24
    logging enable
    logging asdm informational
    no logging message 402128
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 access-list inside_nat_outbound
    nat (inside) 1 192.168.1.0 255.255.255.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 197.22.47.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 41.224.46.2
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 1440
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    username jihed password gUiCqYVlWOugRmug encrypted privilege 15
    tunnel-group 41.224.46.2 type ipsec-l2l
    tunnel-group 41.224.46.2 ipsec-attributes
    pre-shared-key jihed
    prompt hostname context
    Cryptochecksum:4db675e1167a33bf5d9dfae0c74da193
    : end
    Thanks a lot

  • ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)

    Greetings all.  I've searched through the forums and have found some similar situations to mine but nothing specific.  I'm hoping this is an easy fix...  :/
    I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4).  They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securely transfer digital X-Ray images.  Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already.  So...
    The network admin on the Fortinet side assigned me 172.31.1.0/24.  I have established a connection but obviously, cannot route anywhere to the other side.  Anyone have any suggestions here, how I might be able to accomplish this - hopefully with a simple NAT setup?
    Thank you in advance everyone.

    Hello Chris,
    For this scenario you will need to create a Policy-NAT rule and then configure the Interesting Traffic with the translated IP address.
    Basically the NAT configuration will be like this:
    object network Local-net
    subnet 192.168.1.0 255.255.255.0
    object network Translated-net
    subnet 172.31.1.0 255.255.255.0
    object network Fortinet-net
    subnet 10.10.115.0 255.255.255.0
    nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
    Obviously, you can change the name of the objects.
    Then in the interesting traffic, the ACL that is applied in the crypto map that defines the VPN traffic, you will need to configure it like this:
    access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
    This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
    Let me know if you have any doubts.
    Daniel Moreno
    Please rate any posts you find useful
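    The following is an added example, not code from the post or from Cisco: a small Python model of the twice-NAT rule and crypto ACL given in the answer above, using the post's three networks. It exists to show the one point that trips people up with overlapping subnets: the ASA translates the source before the crypto map looks at the packet, so the interesting-traffic ACL must name 172.31.1.0/24, not 192.168.1.0/24. The packet model (source and destination only, no ports) and the class and function names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr


@dataclass(frozen=True)
class TwiceNatRule:
    """Model of: nat (inside,outside) source static REAL MAPPED destination static PEER PEER"""
    real_src: Net    # Local-net      192.168.1.0/24 (what the hosts really use)
    mapped_src: Net  # Translated-net 172.31.1.0/24  (what the Fortinet side sees)
    peer: Net        # Fortinet-net   10.10.115.0/24 (destination translated to itself)

    def __post_init__(self):
        # Static net-to-net NAT maps host bits 1:1, so both networks must be the same size.
        if self.real_src.prefixlen != self.mapped_src.prefixlen:
            raise ValueError("real and mapped networks must have the same prefix length")

    @staticmethod
    def _shift(addr: Addr, from_net: Net, to_net: Net) -> Addr:
        # Keep the host part of the address, swap the network part.
        host_bits = int(addr) - int(from_net.network_address)
        return Addr(int(to_net.network_address) + host_bits)

    def outbound(self, pkt: Packet) -> Packet:
        """inside -> outside: rewrite the real source only for traffic to the peer network."""
        if pkt.src in self.real_src and pkt.dst in self.peer:
            return replace(pkt, src=self._shift(pkt.src, self.real_src, self.mapped_src))
        return pkt  # anything else (e.g. Internet traffic) is left to other NAT rules

    def inbound(self, pkt: Packet) -> Packet:
        """outside -> inside: undo the mapping for replies arriving from the peer network."""
        if pkt.src in self.peer and pkt.dst in self.mapped_src:
            return replace(pkt, dst=self._shift(pkt.dst, self.mapped_src, self.real_src))
        return pkt


@dataclass(frozen=True)
class CryptoAcl:
    """The interesting-traffic ACL referenced by the crypto map (one permit ip line)."""
    src: Net
    dst: Net

    def matches(self, pkt: Packet) -> bool:
        return pkt.src in self.src and pkt.dst in self.dst


LOCAL_NET = Net("192.168.1.0/24")
TRANSLATED_NET = Net("172.31.1.0/24")
FORTINET_NET = Net("10.10.115.0/24")

RULE = TwiceNatRule(LOCAL_NET, TRANSLATED_NET, FORTINET_NET)
# access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
CORRECT_ACL = CryptoAcl(TRANSLATED_NET, FORTINET_NET)
# The tempting but wrong ACL written with the untranslated local network.
WRONG_ACL = CryptoAcl(LOCAL_NET, FORTINET_NET)


def send_to_peer(pkt: Packet, acl: CryptoAcl = CORRECT_ACL) -> Tuple[Packet, bool]:
    """Return the packet as the crypto map sees it and whether the ACL selects it for the tunnel.

    NAT is applied before the crypto map evaluates the packet (the ordering the answer
    above relies on), so the ACL is matched against the translated source address.
    """
    translated = RULE.outbound(pkt)
    return translated, acl.matches(translated)


def reply_from_peer(pkt: Packet) -> Packet:
    """A decrypted reply from the Fortinet side is un-translated back to the real host."""
    return RULE.inbound(pkt)


if __name__ == "__main__":
    request = Packet(Addr("192.168.1.10"), Addr("10.10.115.5"))
    for name, acl in (("correct", CORRECT_ACL), ("wrong", WRONG_ACL)):
        on_wire, tunnelled = send_to_peer(request, acl)
        print(f"{name} ACL: {on_wire.src} -> {on_wire.dst}  tunnelled={tunnelled}")
    reply = reply_from_peer(Packet(Addr("10.10.115.5"), Addr("172.31.1.10")))
    print(f"reply delivered to {reply.dst}")
```

Running it shows the request leaving as 172.31.1.10 -> 10.10.115.5 and being selected for the tunnel only with the ACL written on the translated network; with the ACL written on 192.168.1.0/24 the same packet is never encrypted, which is the symptom of "connected but cannot route anywhere". Traffic not destined for the Fortinet network is untouched by this rule, so ordinary Internet PAT is unaffected.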

  • Oracle returns redirect when there is NAT between client and server

    I have Oracle 8i on Linux sitting behind a firewall/NAT. I have two Apache webservers that run both Tomcat and WebLogic webapps, also behind the NAT. One of them is on the same machine as the Oracle server. Those all connect just fine. I recently had to load a JBoss/Tomcat webapp (no Apache) outside the NAT which needs to talk to the Oracle server. It's using a JDBC driver, I believe calling on this class: oracle.jdbc.driver.OracleDriver. The configured URL is "jdbc:oracle:thin:@localhost:1521:qlink". Using Ethereal (a GUI frontend to the packet sniffer tcpdump, which understands the TNS protocol) showed me that this is the connection request being made: "(DESCRIPTION=(CONNECT_DATA=(SID=qlink)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=oracle)))
    (ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521))))". I notice it uses SID, where it seems everything else I've analyzed with Ethereal is using SERVICE_NAME. I was first trying to pipe the data through an SSH tunnel. This technique works with all of Oracle's tools that I have tried it with, and with TOAD. I can connect to this Oracle server with the DBA Studio and sqlplus, over an ssh tunnel. But as soon as this JBoss/Tomcat webapp tries, Oracle returns a REDIRECT message. There are two things that strike me as odd: The REDIRECT message returns the hostname of the Oracle server and a nonstandard port; and the JBoss/Tomcat webapp doesn't seem to do anything about it. I had assumed the TNSLSNR forwarded data between 1521 and the appropriate port for the requested database. The port is the same every time, so I made sure that the hostname/port returned was reachable from the client side. But like I said, the client seemed to just ignore it and hang. Getting desperate, I then tried to open up the Oracle ports on the NAT, and use ipchains to restrict what IPs could connect to it; that yielded the same results. I've seen this webapp work with Oracle running on the same machine, both configured identically. (Running Oracle behind the NAT and using SSH tunnels gives the same configuration for JBoss/Tomcat as if I was running Oracle on the same machine.)

    I'm pretty uninitiated with Oracle. I don't know how to verify/disprove your guess about the shared server dispatcher, or even what it means. Should I try to pursue the observation that the JDBC client specifies a SID to connect to and everything else specifies a SERVICE_NAME, or is that of little consequence? I'm not sure how to interpret the output from 'lsnrctl serv'. Here's the chunk pertaining to the database in question:
    qlink has 3 service handler(s)
    DISPATCHER established:120 refused:0 current:120 max:254 state:ready
    D000 <machine: sark.unboundtech.com, pid: 15801>
    (ADDRESS=(PROTOCOL=tcp)(HOST=sark.unboundtech.com)(PORT=41714))
    qlink has 3 service handler(s)
    DEDICATED SERVER established:46 refused:0
    LOCAL SERVER
    DISPATCHER established:0 refused:0 current:0 max:254 state:ready
    D001 <machine: sark.unboundtech.com, pid: 15803>
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=sark.unboundtech.com)(PORT=41716))(PRESENTATION=oracle.aurora.server.SGiopServer)(SESSION=RAW))
    Presentation: oracle.aurora.server.SGiopServer
    The (ADDRESS=...) is what is returned in the redirect. I created the database with dbassist using the default setup type. I'll have a look at listener.log (the name/location of a log file is actually a question I had but forgot to ask, so thanks), I don't know how to check trace output. The webserver is able to resolve the hostname being returned, and knows how to route to it.
    Localhost is the correct entry. If you've never used SSH tunnels here's a quick rundown. You can tell most SSH clients to listen on an arbitrary port on your machine, and forward data to a remote IP/port from the other side. So from the webserver, I would say to forward localhost:1521 to localhost:1521 on the oracle server. So for sqlplus, for example, I setup tnsnames.ora to route connections to a particular SERVICE_NAME to localhost:1521, which is forwarded through my SSH connection, to localhost:1521 on the Oracle server. This gains me two things: all connections look like localhost, making my firewall rules simpler, and I get encryption through SSH (I know Oracle can do encrypted connections, but some clients might not support it, and I don't know how to set it up yet.) I am able to connect to the database over an SSH tunnel using sqlplus, from the webserver (since I ended up installing Oracle on it), so I know the connection is possible.
    After reading that, you might wonder if the hostname:port returned in the redirect were accessible from the web server. They weren't at first, but opening ports 1521 and 41714 for sark.unboundtech.com at the NAT, and firewalling requests from IPs other than the webserver, then giving the JDBC config sark.unboundtech.com instead of localhost with an SSH tunnel yielded identical behavior. After receiving the REDIRECT, the JDBC code doesn't seem to do anything except hang; nothing is sent to the location given in the REDIRECT response.
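    As an added example (not code from the thread or from Oracle), here is a small parser for the TNS descriptor format quoted above, plus a check that lists the ADDRESS entries a REDIRECT asks the client to dial that a port-forward or SSH tunnel does not cover. The two descriptors are taken from the post's Ethereal capture and 'lsnrctl serv' output; the tunnel endpoint set, the function names and the simplifying assumption that every ADDRESS has PROTOCOL, HOST and PORT are this example's own.

```python
from typing import Any, List, Set, Tuple

TnsPair = Tuple[str, Any]  # value is a str (scalar) or a list of nested TnsPair

# Connect request the JDBC client sent, as captured with Ethereal in the post above.
CLIENT_CONNECT = (
    "(DESCRIPTION=(CONNECT_DATA=(SID=qlink)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=oracle)))"
    "(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521))))"
)
# Dispatcher D000 address from the 'lsnrctl serv' output, which is what the REDIRECT carries.
REDIRECT_TARGET = "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=sark.unboundtech.com)(PORT=41714)))"
# Endpoints the SSH tunnel in the post forwards: only localhost:1521 (constructed from the post).
TUNNEL_ENDPOINTS: Set[Tuple[str, int]] = {("localhost", 1521)}


def parse_tns(text: str) -> List[TnsPair]:
    """Parse a TNS descriptor such as (A=(B=x)(C=y)) into nested (key, value) pairs.

    A value is either a str (scalar, possibly empty as in (PROGRAM=)) or a list of
    nested pairs. Repeated keys (several ADDRESS entries) are kept in order.
    """
    pos = 0

    def peek() -> str:
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            raise ValueError("unexpected end of descriptor")
        return text[pos]

    def parse_pair() -> TnsPair:
        nonlocal pos
        if peek() != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        eq = text.index("=", pos)
        key = text[pos:eq].strip()
        pos = eq + 1
        if peek() == "(":
            value: Any = []
            while peek() != ")":
                value.append(parse_pair())
        else:
            end = text.index(")", pos)
            value = text[pos:end].strip()
            pos = end
        pos += 1  # consume the closing ')'
        return key, value

    pairs: List[TnsPair] = []
    while text[pos:].strip():
        pairs.append(parse_pair())
    return pairs


def find_all(pairs: List[TnsPair], key: str) -> List[Any]:
    """Depth-first collect every value stored under `key`."""
    found = []
    for k, v in pairs:
        if k == key:
            found.append(v)
        if isinstance(v, list):
            found.extend(find_all(v, key))
    return found


def addresses(descriptor: str) -> List[Tuple[str, str, int]]:
    """Return (protocol, host, port) for every ADDRESS group in a descriptor."""
    result = []
    for group in find_all(parse_tns(descriptor), "ADDRESS"):
        fields = {k: v for k, v in group if isinstance(v, str)}
        result.append((fields.get("PROTOCOL", "").lower(), fields.get("HOST", ""), int(fields["PORT"])))
    return result


def unreachable_via_tunnel(descriptor: str, tunnel_endpoints: Set[Tuple[str, int]]) -> List[Tuple[str, str, int]]:
    """ADDRESSes the client would have to dial that the forwarded endpoints do not cover.

    This is the trap described in the post: the tunnel carries localhost:1521, but the
    REDIRECT names the dispatcher's own host and port, which nothing forwards.
    """
    return [a for a in addresses(descriptor) if (a[1], a[2]) not in tunnel_endpoints]


if __name__ == "__main__":
    print("client dials:", addresses(CLIENT_CONNECT))
    print("SID requested:", find_all(parse_tns(CLIENT_CONNECT), "SID"))
    print("redirect not covered by tunnel:", unreachable_via_tunnel(REDIRECT_TARGET, TUNNEL_ENDPOINTS))
```

Run against a real capture, the last line is the quickest way to tell whether a hang after REDIRECT is a reachability problem (the dispatcher host:port is outside what the NAT or tunnel forwards) or a client problem, which is the distinction the poster was trying to make.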

  • Limit/Restrict access between subnets

    A wireless access point grants wireless clients the same access to networks as any wired client has. So, if there are several subnets (routed or bridge) on the LAN, then any client wired or wireless) will have the same access to all subnets (unless specific rules exist saying otherwise).
    Source: http://www.tomshardware.co.uk/forum/page-9358_18_0.html
    Hi Everyone
    I found this text on some forum and I'd like to understand it, or at least, I'd like to understand what is meant by "unless specific rules exist saying otherwise".
    The reason for my question is that it's exactly what I'm looking to do. I have a 1st subnet that isn't equipped with wifi and has a few computers connected to it. This subnet is on 192.168.0.0/24. I connected to this subnet a Linksys WRT54G2 that works as a "Gateway" and not as a "Router" and defines the subnet 10.0.0.0/24. This way I can share my internet connection; however, my original idea was to have 2 different subnets and make sure they wouldn't be able to communicate with each other (except for the printer that's on the 1st subnet at 192.168.0.2/24).
    Internet
    |
    Modem
    |
    Router (no wireless)
    |
    ------------------------------------------------------ 192.168.0.0/24
    |         |         |         |         |            |
    PC1       PC2       PC3       PC4       Router       Printer
                                            (wireless)
                                            |
                                            ------------------ 10.0.0.0/24
                                            |      |      |
                                            PC5    PC6    PC7
    What happens is that the machines on the 2nd subnet (10.0.0.0/24) can see the machines of the 1st one (192.168.0.0/24). For example, when I'm on machine 10.0.0.5/24 and I ping 192.168.0.2, not receiving any answer from my subnet the request is therefore sent to the gateway (WRT54G2), which in turn forwards the request to the subnet 192.168.0.0/24 that does indeed get an answer.
    And of course, the machines on the 1st subnet cannot see the machines on the 2nd. Obviously, when I'm on 192.168.0.5/24 and I ping 10.0.0.5, the 1st subnet doesn't have any static routes defined to ask the 2nd router to route the request.
    All that's not bad, but not good enough yet. I'd like to make sure the 2 subnets cannot communicate at all, except for the printer. Or, ideally, the 1st subnet could access the 2nd one, but the 2nd one couldn't access the 1st one.
    After thinking a little bit I thought, it shouldn't be that hard, I could simply swap the 2 subnets, PC5, 6 and 7 would be connected through wireless to a first router that is itself directly connected to the internet, and my 2nd subnet would be initialised by the router that doesn't have wifi, like this:
    Internet
    |
    Modem
    |
    Router (wireless)
    |
    ---------------------------------------------- 192.168.0.0/24
    |         |         |         |              |
    PC5       PC6       PC7       Router         Printer
                                  (no wireless)
                                  |
                                  ------------------------- 10.0.0.0/24
                                  |      |      |      |
                                  PC1    PC2    PC3    PC4
    But here's the problem: that 1st subnet is in fact the one of my dad in law, and he has no intention whatsoever to change anything. He's also very paranoid with security (he buys and sells shares and does quite a few sensitive things), and I don't really want to invest in another internet connection when we have a perfectly working one already...
    So, to summarize my question: would it be possible, in one way or another, without changing the topology, to restrict the access between the 2 subnets while keeping a door open for the printer?
    I realise this post is quite long, so thank you for reading it until the end!!

    Well, as both of your routers are connected to each other, this means both routers are in the same network, and if you try to ping a computer which is on the 1st network you will get replies. When you ping a computer on the 1st router, your 2nd router will talk to your 1st router, and your 1st router will give it the replies.
    So basically what you want to do is just block all the computers from accessing each other's network on the different subnet. This means Router 1 computers should not access the computers on Router 2. In this case what you can try is: change the Workgroup name of the computers which are connected to your 1st router, and change the Workgroup names of the computers which are connected to the 2nd router. On your router setup page, below the Security tab, you need to check the box "Filter Anonymous Internet Requests" and click on Save Settings. This will disable File and Printer Sharing, and your Router 1 computers will not have access to the Router 2 computers, as these computers will be in different domains.
    The printer which you have, is it a network printer or a normal USB printer? If it's a USB printer, then if you change the Workgroup name of the computer where the printer is connected, that printer might not work on the computers on the 2nd router.
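    To make concrete what the quoted text means by "unless specific rules exist saying otherwise", here is an added example (not from the thread, and not configuration for the WRT54G2, which exposes no such rule set): a Python model of a stateful filter sitting between the two subnets of the first diagram. It allows the wired 192.168.0.0/24 side to initiate to the wireless 10.0.0.0/24 side, allows the wireless side to reach only the printer at 192.168.0.2, and passes replies to connections that were allowed. The Flow record, the policy table and the simplification that a reply carries the same port field as the request are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

WIRED_LAN = Net("192.168.0.0/24")   # 1st subnet (no wifi) from the post
WIFI_LAN = Net("10.0.0.0/24")       # 2nd subnet behind the WRT54G2
PRINTER = Addr("192.168.0.2")       # the one wired host the wifi side may reach


@dataclass(frozen=True)
class Flow:
    src: Addr
    dst: Addr
    proto: str   # "tcp", "udp" or "icmp"
    port: int    # service port of the connection (0 for icmp); same value in both directions

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.proto, self.port)


# First match wins: (description, predicate, verdict). Constructed for this example.
POLICY: List[Tuple[str, Callable[[Flow], bool], str]] = [
    ("wifi -> printer only", lambda f: f.src in WIFI_LAN and f.dst == PRINTER, "allow"),
    ("wifi -> wired denied", lambda f: f.src in WIFI_LAN and f.dst in WIRED_LAN, "deny"),
    ("wired -> wifi allowed", lambda f: f.src in WIRED_LAN and f.dst in WIFI_LAN, "allow"),
    ("everything else (Internet)", lambda f: True, "allow"),
]


class StatefulFilter:
    """A tiny connection-tracking filter between the two subnets (model, not a real device)."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.established: Set[Flow] = set()

    def decide(self, flow: Flow) -> Tuple[str, str]:
        """Return (verdict, reason). Replies to tracked flows pass before the policy is consulted,
        which is what lets a one-directional rule still carry two-way traffic."""
        if flow.reverse() in self.established:
            return "allow", "reply to established flow"
        for description, predicate, verdict in self.policy:
            if predicate(flow):
                if verdict == "allow":
                    self.established.add(flow)
                return verdict, description
        return "deny", "implicit deny"


if __name__ == "__main__":
    fw = StatefulFilter()
    samples = [
        Flow(Addr("10.0.0.5"), PRINTER, "tcp", 9100),                 # wifi host prints
        Flow(Addr("10.0.0.5"), Addr("192.168.0.5"), "icmp", 0),       # wifi host pings wired PC
        Flow(Addr("192.168.0.5"), Addr("10.0.0.5"), "tcp", 445),      # wired PC opens share on wifi host
        Flow(Addr("10.0.0.5"), Addr("192.168.0.5"), "tcp", 445),      # the reply to that connection
        Flow(Addr("10.0.0.6"), Addr("192.168.0.5"), "tcp", 445),      # unsolicited wifi -> wired
    ]
    for f in samples:
        verdict, why = fw.decide(f)
        print(f"{f.src} -> {f.dst} {f.proto}/{f.port}: {verdict} ({why})")
```

The order of the policy entries matters: the printer exception has to precede the blanket wifi-to-wired deny, and the reply check has to precede everything, otherwise the wired side's own connections would be cut off on the way back. That asymmetry (one side may initiate, the other may only answer) is exactly what the poster asks for and what a plain Linksys "Gateway" mode does not express.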

  • RV042 Windows incompatibility HTTP Connections between Subnets without Internet access

    Hello, 
    We are a company of the banking sector
    We have two RV042 Router.
    One of these routers (R1) is configured for restricted users without internet access. This router doesn't have internet connections; the WAN ports are blocked.
    Router 1: restricted users
    Router 1 IP Lan: 10.22.4.1/24   
    Router 1 IP Subnet 1: 10.22.1.2/24 (For communication with Web Servers on Lan 10.22.1.0/24)
    Pc1: 10.22.4.3/24
    DNS: 10.22.4.51/24 (This DNS Server have an Internet connection through subnet 2)
    The other router (R2) has an internet connection through the WAN port, so the DNS servers can respond to client requests, and a web server is in this subnet.
    Router 2:  Web Server´s LAN and Internet Connection for the DNS Server
    Router 2 IP Lan: 10.22.1.1/24
    Router 2 IP Subnet 2: 10.22.4.2/24 (For communication with restricted user on Lan 10.22.4.0/24)
    Web Server: 10.22.1.60/24
    We need to access the web server from the network restricted users.
    From the Linux operating system, access to the web server is OK.
    But from Windows operating systems, we can't access the web server: time out.
    So, we think that there is some incompatibility between the RV042 router and Windows operating systems.
    On Microsoft's website, there is an article regarding an incompatibility issue with the RV042 which could help:
    http://support.microsoft.com/kb/934430
    we copied a file attachment.
    Thanks, sorry for bad English

    Hi,
    Have you also tested configuring static route?
    I am asking that because the RV042 does not support VLANs and therefore cannot do inter-VLAN routing. Configuring a subnet with the Multiple Subnet option only gives that subnet access to the internet. Unless a static route is configured specifying where this traffic is to be routed in the LAN, the router itself will normally drop the packet.
    If it works for you, this leads me to the thought that there are other routes that packets from LAN 10.22.1.0 to LAN 10.22.4.2 (and vice versa) are taking, not necessarily the routers.
    Here I can just give a direction of where to look, but if you think you have checked all possibilities, it would be better to contact the support line. They will help as long as the device is under warranty.
    Hereby the contacts:
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Kremena

  • NATing of subnet IP address over WAN

    I have a branch office with subnet 172.26.48.0/22; one IP from this subnet, say 172.26.48.100, is assigned to a server. Now our requirement is to access this
    server from outside, meaning from the internet. This branch office is connected through a leased line to the main office. Now the main office has a firewall and a local subnet
    in which servers are present and NATed to be accessible over the internet. We tried to make it possible and we got ping responses from outside also, but latency gets stuck: the
    firewall looks to be in hang mode, with latency around 900 ms if NATing is done, otherwise 250-300 ms. What can we do? Any alternate approach suggested?
    Diagram attachment is there.
    Regards,
    Rajat

    No, I mean we get a normal response of 250-300 ms on the HQ-to-outside link, pinging 4.2.2.2, with no branch included. If we NAT the branch IP mentioned above, suddenly the latency gets high while pinging 4.2.2.2, so the firewall does not behave normally in this case.
    However, if we remove the NAT command from the firewall we still get latency; only after rebooting does it come back to normal.
    Second, is it possible or practical to NAT the IP of the branch office in the headquarters firewall? Is it suggested by Cisco?
    Please help.
    Regards,
    Rajat
