NAT config for IP migration
Hi, I want to use NAT for IP migration for a number of our servers. All the configuration examples just seem to use an ip nat inside source static statement assuming you want the client to talk to the old IP address. I'm hoping to have a solution in place where I can change client IP addresses one at a time, and if they call on the new IP address they'll get a response, if they have not been changed over yet they'll get a response as well. I know we could just bind secondary addresses to the servers but we would rather not go that way if possible.
Thanks
Check out the following link on Configuring NAT for IP Address Conservation:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008044eddc.html
Similar Messages
-
New Type of Firewall Config (for me)
OK - this is a different type of config for me so I am reaching out for some advice / help. I manage many Cisco ASA 5520s and I am in the process of converting one ASA from a block of 30 outside addresses to a 50 Meg Cox cable modem with a block of 30 CIDR addresses.
Normally I would just reference an outside address and bingo, things would work right. In this case I found out so far that I could only get internet access through this cable modem by setting up the outside interface of the asa with dhcp - then it grabbed a public wan address, added a route to the asa 5520 and then I had internet access out through the cable modem.
My question / problem / nuance to me is when I reference / assign one of our cidr addresses to a device (like a server) and that is natted from the dmz to the outside address I don't get access to the device.
I'm thinking I have to do something special to set up these CIDR addresses but having never done this before I am reaching out for some advice.
my outside dhcp assigned wan address is 70.168.x.1xx with a gateway of 70.168.x.1
The cidr block I have been assigned from the cable company is
184.185.x.x/27
The cable company also has suggested a default gateway address within the CIDR block and a first usable and last usable address.
I must say that I usually look to over complicate things by thinking things are more difficult than they really are.
Can anyone get me pointed in the right direction so I know how to assign these CIDR addresses and have them accessible from the outside?
Thanks in advance
Paul
Hi,
So from what I understand you should have your own public IP address range of /27 usable through your current connection. Yet it only works with setting the ASA outside to use DHCP and doesn't work when you statically assign an IP address from the /27 address range and set the default route.
If the above is the case I'm kinda wondering why you are even getting an IP address with DHCP from the ISP if you are supposed to have your own public address block.
You sure the ISP has its side configured correctly?
- Jouni -
Need help getting simple NAT config to work
I can't seem to get the below NAT config to work. I removed the crypto from the fa0/0 for testing.
Why can't I get xlates when I ping 192.168.1.5 or 192.168.1.1? As you can see my access list isn't getting touched?
What am I missing?
==============================================
CCC#sh access-lists
Standard IP access list 1
10 permit 10.10.10.0, wildcard bits 0.0.0.255
==============================================
CCC#sh ip nat t
CCC#
==============================================
CCC#sh ip nat s
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet0/1
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Outside Destination
[Id: 2] access-list 1 interface FastEthernet0/0 refcount 0
[0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
0, flags 1
[0] prot 6: port #9 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
0, flags 1
[0] prot 6: port #11 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
.0, flags 1
[0] prot 6: port #13 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
.0, flags 1
[0] prot 6: port #19 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
.0, flags 1
[0] prot 6: port #21 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
.0, flags 1
=============================================================================
CCC#sh run
Building configuration...
Current configuration : 1490 bytes
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname CCC
boot-start-marker
boot system flash c2600-adventerprisek9-mz.124-25d.bin
boot-end-marker
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
archive
log config
hidekeys
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 400
crypto isakmp key cisco123 address 1.1.1.3
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
crypto map Petaluma_1 1 ipsec-isakmp
! Incomplete
set peer 1.1.1.3
set transform-set Petaluma_VPN
match address 100
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
half-duplex
interface Serial0/0
no ip address
shutdown
clock rate 56000
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
router rip
network 1.0.0.0
network 10.0.0.0
no ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 1.1.1.3
no ip http server
no ip http secure-server
ip nat source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.10.10.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
login
end
I am getting the same issue:
Dynamic mappings:
-- Outside Destination
[Id: 1] access-list NAT interface FastEthernet0/0 refcount 0
[0] prot 6: port #0 refcount 2 syscount 2 localport 4294967295, localaddr 0.0.0.
0, flags 1
[0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
0, flags 1
I don't know what this means and will try debug ip nat and get a readout. -
Identity NAT config from Destination to Source
Hi Everyone,
In one client network environment I need to configure the static identity NAT below to fix the traffic flow from PC to server:
static (X,Y) 192.168.3.1 192.168.3.1 netmask 255.255.255.255
Traffic flow from PC to server was below
PC was connected to interface Y of Firewall and Server was connected to interface X of Firewall.
Where 192.168.3.1 is server IP.
I need to confirm whether the above identity NAT config is normal in network design.
Regards
Mahesh
Hi Mahesh,
This is similar to no-nat or nat exempt..... it can be done if the requirement is like this......
Normally we do this for an inside to dmz zone in most cases...... or denying access from un-trusted zones....
You can use that.... that should not be a problem....
Regards
Karthik -
Proper TLS Config for IronPort C170
I inherited an infrastructure a little bit ago that uses an IronPort C170 cluster for email security. I have been tasked with configuring TLS connections with our new medical benefits provider and have some issues doing so. We have 3 MX records, let's call them mail1, mail2 and mail3. Mail1 and mail2 are configured normally on our firewall to pass SMTP traffic on port 25 to the MailListener port on the IronPort which is 25. Mail3, however, is configured on the firewall to translate SMTP traffic on port 25 to port 3600 which is sent to the TLS Listener port 3600 on the IronPort. The IronPort MailInterfaces are configured as such (25,3600). Reverse configuration on the firewall takes any port 3600 traffic from the IronPort and translates it to port 25 traffic for the rest of the world.
I configured the IronPort with a new Sender Group named TLS_ACCEPT, added all the medical provider domain names/IPs to it and assigned it to the ACCEPTED Mail Flow Policy where TLS is set to Required. Likewise, for outgoing, I specified the same domain names/IPs within the Destination Controls to require TLS for sending purposes.
I replaced the guy who originally configured this so I am not too sure how it is set up on the other end for TLS connections already established. We do have a few in place that are active. I am assuming that the other end is configured to send email only to the mail3 MX record. This configuration, however, is not possible with our medical provider so I need an alternative. They have verified that they cannot contact us on mail1 or mail2 via TLS but can with mail3.
The obvious problem is if a sender from these new domains tries to send TLS_required emails to us over the mail1 and mail2 MX IPs, they will receive an NDR. If I configure the firewall to translate mail1 and mail2 incoming connections from port 25 to 3600, any email sent with TLS not preferred/required will get an NDR. This was actually tested and domains like Yahoo and Hotmail could not send to us.
Are there any options for me on the IronPort to allow these connections to be sent from all our MX IPs without having to translate the ports? If not, what would happen if I changed the TLS Listener port on the IronPort to 25 instead of 3600 and disabled all the NAT rules on the firewall for mail3? I can only assume this translation was another security step added by the previous admin here but am not too sure what would happen if I eliminated it.
Any advice, help, questions, assistance or fun-poking would be greatly appreciated!! Thank you in advance!
Kevin,
OMG there's so much unneeded complication here... You can totally ditch the port translation.
Here's what I did:
Under Network/IP interfaces, I have 3 interfaces: Management, Public, Private.
Public is exposed to the net, only port 25 allowed in/out, with 1 A record for a Domain1 which I have a certificate for.
Under Network/Listener I have 2 Listeners:
Outbound on the Private interface, not really relevant for the rest of this discussion
Inbound on the Public interface
listening on port 25
using an Accept query pointed at my Active Directory (all the various email domains in 1 AD)
using a cert that matches the hostname on the Public interface
Mail flow policies in HAT all set to TLS preferred with an address list configured for the "required" ones
Mail Policies/Destination Controls to force sending as TLS
In my external DNS
Domain1
A mail.domain1.com x.x.x.
mx domain1.com mail.domain1.com pref 10 weight 10 TTL 86400
Domain2-10
mx domain2.com mail.domain1.com
mx domain3.com mail.domain1.com
etc....
Hope that helps...
Ken -
Dear all,
I'm new to Basis and am now working on a big ERP project. I have a concern about the config for the Production client.
In SCC4 we must set the client role to Production and "No changes allowed" for objects. But in production we sometimes need to open and close periods, or make changes following business requirements, ... This is not allowed in the Production client.
How do we configure the Production client to cover these requirements?
Do we need a config client to maintain the Production client? Example: Production client is 500, Config client is 100. When we need to open or close a period or change anything, we do it in 100 and transfer the request to 500.
Thank you very much.
Regards,
Thanh.
Do not use text message language, the next time your thread will be deleted.
Read the "Rules of Engagement"
Edited by: Juan Reyes on Dec 1, 2010 11:06 AM
You can customize a transaction to be executable although the setting in SCC4 is "productive"; this is accomplished by using transaction SOBJ:
Note 1497640 - Open and close periods in productive client
You can theoretically put every customizing view there and make it "executable" in a production system.
Markus -
How to use the same services-config for the local and remote servers.
My Flex project works fine using the below, but when I upload my Flash file to the server it doesn't work. All the relative paths and files are the same except the remote one is a Linux server.
<?xml version="1.0" encoding="UTF-8"?>
<services-config>
<services>
<service id="amfphp-flashremoting-service"
class="flex.messaging.services.RemotingService"
messageTypes="flex.messaging.messages.RemotingMessage">
<destination id="amfphp">
<channels>
<channel ref="my-amfphp"/>
</channels>
<properties>
<source>*</source>
</properties>
</destination>
</service>
</services>
<channels>
<channel-definition id="my-amfphp" class="mx.messaging.channels.AMFChannel">
<endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
</channel-definition>
</channels>
</services-config>
I think the problem is the line
<endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
but I'm not sure how to use the same services-config for the local and remote servers.
paul.williams wrote:
You are confusing "served from a web-server" with "compiled on a web-server". Served from a web-server means you are downloading a file from the web-server, it does not necessarily mean that the file has been generated / compiled on the server.
The server.name and server.port tokens are replaced at runtime (ie. on the client when the swf has been downloaded and is running) not compile time (ie. while mxmlc / ant / web-tier compiler is running). You do not need to compile on the server to take advantage of this.
Hi Paul,
In Flex, there is a feature that lets the developer put all the services-config.xml configuration information into the swf file with
-services=path/to/services-config.xml
If services-config.xml has tokens in it, the user has not specified an additional
-context-root
and this swf file is not served from a web-app server (like Tomcat, for example), then it will not work.
The Flash player has no possible way to replace the token values of the services-config.xml file during runtime if that services-config.xml file has been baked into the swf file during compilation.
For example, during development you can launch your swf file from your browser with the file:// protocol and still be able to access BlazeDS services if
-services=path/to/services-config.xml
has been specified during compilation.
I don't know any better way to explain this, but in summary there are two places where you can tell the swf about the service configuration:
1) pass the -services=path/to/services-config.xml parameter to the compiler; this way you tell the swf file up front about all that good stuff,
or 2) you put that file on the web server (in this case, yes, you should have replacement tokens in that file) and they will be replaced at runtime. -
Hello Experts,
Our client has a manufacturing plant in France which is already in SAP. Now they are planning to come up with another plant in France. We will be creating a new Company Code and Sales Org. My question is that since France is already in SAP and uses Intrastat reporting so do we need to make any config for new Plant/Sales Org or is the Intrastat setting defined at country level only.
Regards,
Karan
Hello Karan,
We are going to create a new Plant as well as a new Sales Organisation. In Intrastat there is one setting where we assign Business Transaction Type to Sales Org/Item Category combination. For the reference Sales Org this setting is already in place so do we need to do this setting for new Sales Org also or does it get copied when we create new sales org with reference to existing sales org?
In my view on the current set up which you are incorporating for new plant at France, there is no need to have new Company Code and Sales organization unless and until there is some legal requirement at EU (if export process needs to be triggered). There is not much information available on Intrastat functionality but as I understand from you, you create Business transaction type at Intrastat, and then assign business transaction type to Sales organization. My suggestion would be: most likely you would have to extend and include the newly created Sales Organization for Business transaction type.
Thanks,
Sarthak -
Best practice for data migration install v1.40 - Error 2732 Directory manag
Hi
I'm attempting to install SAP Best Practice for Data migration 1.40 on Win Server 2008 R2 (64 bit).
Prerequisite error
Installation program stops with missing file error
The following file was not found
... \migration\InstallationWizard\BusinessObjects Data Services\setup.exe
The file is necessary for successful installation. Please connect to internet or refer to Quick Guide (available on SAP note 1527151) for information regarding the above file.
Windows installer log displays
Error 2732 Directory Manager not initialized
SAP note 1527151 does not exist or is internal.
Any help appreciated on what is the root cause of the error as the file does not exist in that folder in the installation zip file.
Other prerequisite of .NET 3.5.1 met already.
Patch is released since 20.11.2011 so I presume that it is a good installation set.
Thanks,
Alan
Hi Alan,
There are details on data migration v1.4 installations on the SAP website and marketplace. The below link should guide you to the right place. It has a PowerPoint presentation and other useful links as well.
http://help.sap.com/saap/sap_bp/DMS_V140/DMS_US/html/index.htm
Arun -
Vendor Payment Terms config for 30%advance 70% after GR
Hi Guys,
How to configure Vendor Payment Terms for " Vendor Payment Terms config for 30%advance 70% after GR "
Please suggest your expert comments.
Thanks in advance.
Regards,
Jackie
sappassion2011 wrote:
> Hi Guys,
>
> How to configure Vendor Payment Terms for " Vendor Payment Terms config for 30%advance 70% after GR "
>
> Please suggest your expert comments.
>
> Thanks in advance.
>
> Regards,
>
> Jackie
Hi Jackie,
Do them in trxn OME2
Regards
Shiva -
What's the best Mac Pro config for Fireworks?
What's the best Mac config for Fireworks?
I can pretty much get whatever Mac I want at work... My boss is sick and tired of watching Fireworks crash all the time... I figure a hefty processor and lots of RAM and maybe a SSD will help…
I should get a Mac Pro right? Which processor?
• Two 2.40GHz 6-Core Intel Xeon processors (12 cores)
• Two 2.66GHz 6-Core Intel Xeon processor (12 cores)
• Two 3.06GHz 6-Core Intel Xeon (12 cores)
Should I get 24GB RAM?? Or is that overkill?
I'll get a 2TB serial hard drive…
I should get a 512 GB solid state drive offered by Apple right?
Or is it possible to get a larger better 3rd party SSD?
And then maybe two 21" Displays… Two 27s seems a little much… or does it?
Thanks in advance.
Oh and what about video cards? Or is Apple's default ok? (I'm not doing hard core Photoshop retouching or anything).
-
How to get the exact sql developer which used for data migration?
Hi all,
Hope doing well,
Sir, I have seen a link for data migration, that is: http://www.oracle.com/technetwork/developer-tools/sql-developer/sql-server-connection-viewlet-swf-089886.html
In this link, when they connect to the SQL database, after clicking on New Connection four tabs are shown: Oracle, Access, MySQL, SQL Server.
I downloaded the latest version of SQL Developer, version 3.02.09.30; when I opened it I am not getting those options.
And one more thing: I am not getting the Migration menu in the menu items.
Please help me.
Thanks and regards
Hi,
To connect to non-Oracle databases from SQL*Developer you need to download the relevant JDBC driver.
This is detailed in the documentation in the User Guide -
http://docs.oracle.com/cd/E35137_01/appdev.32/e35117.pdf
in the section -
Database: Third Party JDBC Drivers
The Third Party JDBC Drivers pane specifies drivers to be used for connections to third-party (non-Oracle) databases, such as IBM DB2, MySQL, Microsoft SQL Server, or Sybase Adaptive Server. (You do not need to add a driver for connections to Microsoft Access databases.) To add a driver, click Add Entry and select the path for the driver:
■ For IBM DB2: the db2jcc.jar and db2jcc_license_cu.jar files, which are available from IBM
■ For MySQL: a file with a name similar to mysql-connector-java-5.0.4-bin.jar, in a directory under the one into which you unzipped the download for the MySQL driver
■ For Microsoft SQL Server or Sybase Adaptive Server: jtds-1.2.jar, which is included in the jtds-1.2-dist.zip download
■ For Teradata: tdgssconfig.jar and terajdbc4.jar, which are included (along with a readme.txt file) in the TeraJDBC__indep_indep.12.00.00.110.zip or TeraJDBC__indep_indep.12.00.00.110.tar download
To find a specific third-party JDBC driver, see the appropriate website (for example, http://www.mysql.com for the MySQL Connector/J JDBC driver for MySQL, http://jtds.sourceforge.net/ for the jTDS driver for Microsoft SQL Server and Sybase Adaptive Server, or search at http://www.teradata.com/ for the JDBC driver for Teradata). For MySQL, use the MySQL 5.0 driver, not 5.1 or later, with SQL Developer release 1.5.
You must specify a third-party JDBC driver or install a driver using the Check for Updates feature before you can create a database connection to a third-party database of that associated type. (See the tabs for creating connections to third-party databases in the Create/Edit/Select Database Connection dialog box.)
Regards,
Mike -
Add file config for whole application?
Hi everyone,
Has anyone worked with building a config file for a whole Fusion ADF application? It is similar to web.config in a .NET ASP web site. I think in JDeveloper we can use web.xml to add some parameters, but I don't know how to read these parameters.
Any help is appreciated!
Thanks.
User, please tell us your JDeveloper version!
In general you can read context or init parameters from web.xml.
You get to them via the servlet context
String databaseHost = getServletContext().getInitParameter("database.host");
And to get to the servlet context use
FacesContext ctx = FacesContext.getCurrentInstance();
ServletContext servletContext = (ServletContext) ctx.getExternalContext().getContext();
Timo -
Hal config for Elantech/Eee 1000h touchpad?
I've tried using the one that's in the 901-install Wiki page, and find it massively flakey (sorry no offense to anyone), compared to using xorg.conf.. It doesn't allow precise control at all, and for some reason (I'm sure it's the way I move my finger), seems to really jump up or down when I move side to side..
So does anyone have a config for this that works real good, that cares to share?
Thanks in advance.
I know this problem occurs when I compile the elantech driver in the PS2/trackpoint driver:
CONFIG_MOUSE_PS2_TRACKPOINT=y
CONFIG_MOUSE_PS2_ELANTECH=y
I was told you need the latest xf86-input-synaptics but Arch has the latest...
My workaround was to disable elantech:
CONFIG_MOUSE_PS2_TRACKPOINT=y
# CONFIG_MOUSE_PS2_ELANTECH is not set -
I suppose Cisco ISE sends a URL redirect to the switch and the switch presents it to the client in case of guest Access getting a URL redirect with User Acceptance Page (Wired Guests and not wireless).
My question here is, Do we need to configure http and https server on the switches (both supplicant and authenticator)?
I am sure it will need but just wanted a confirmation..
I have checked the configuration for supplicant and authenticator switches for ISE and nowhere is that part of the config mentioned.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html (a problem of URL redirection and possible cause is mentioned) ------- makes me sure that the config is needed.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html
(config of supplicant and authenticator switch)---- nowhere mentioned of the http/https config for both switches.
Yes, it's needed. The http/s server within the switch is used to grab the http user traffic and redirect the traffic to the CWA portal, or a device registration portal, or even to the Mobile Device Management (MDM) onboarding portal.
ip http server
ip http secure-server
The info below I grabbed from the Cisco ISE for BYOD and Secure Unified Access book.
"Many organizations want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the chances of an end user interacting with the management interface and control plane of a switch. This may be accomplished by running the following two commands from global configuration mode:
ip http active-session-modules none
ip http secure-active-session-modules none"
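An added example, not part of the original thread or the quoted book: a small Python audit that checks a saved running-config for the four global commands named in the answer above. The sample configs are constructed, and treating an absent "ip http server" line as disabled is an assumption of this sketch.

```python
import re

# Commands taken from the answer above.
HTTP_SERVERS = ("ip http server", "ip http secure-server")
SESSION_MODULES = (
    "ip http active-session-modules",
    "ip http secure-active-session-modules",
)


def parse_global(config_text):
    """Collect the state of the tracked global-level commands.

    IOS indents sub-mode commands (interface, line, ...), so only
    unindented lines are treated as global configuration.
    """
    state = {}
    for raw in config_text.splitlines():
        if not raw or raw[0] in " \t!":
            continue  # blank line, sub-mode command or comment
        line = re.sub(r"\s+", " ", raw.strip())
        negated = line.startswith("no ")
        if negated:
            line = line[3:]
        for cmd in HTTP_SERVERS:
            if line == cmd:
                state[cmd] = not negated
        for cmd in SESSION_MODULES:
            if line.startswith(cmd + " "):
                state[cmd] = None if negated else line[len(cmd) + 1:]
    return state


def audit(config_text):
    """Return a list of findings; an empty list means all four commands are set."""
    state = parse_global(config_text)
    findings = []
    for cmd in HTTP_SERVERS:
        # Assumption: a command absent from the config counts as disabled.
        if not state.get(cmd, False):
            findings.append(f"'{cmd}' not enabled: URL redirection will not work")
    for cmd in SESSION_MODULES:
        if state.get(cmd) != "none":
            findings.append(f"'{cmd} none' not set: redirect server is not "
                            "decoupled from switch management")
    return findings


# Constructed sample configs (not taken from a real device).
CONFIG_NO_HTTP = """\
hostname SW1
!
interface GigabitEthernet1/0/1
 switchport mode access
!
no ip http server
no ip http secure-server
"""

CONFIG_REDIRECT_ONLY = """\
hostname SW2
ip http server
ip http secure-server
"""

CONFIG_DECOUPLED = CONFIG_REDIRECT_ONLY + """\
ip http active-session-modules none
ip http secure-active-session-modules none
"""

if __name__ == "__main__":
    for name, cfg in [("no-http", CONFIG_NO_HTTP),
                      ("redirect-only", CONFIG_REDIRECT_ONLY),
                      ("decoupled", CONFIG_DECOUPLED)]:
        print(name, audit(cfg) or "OK")
```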