NAT config for IP migration

Hi, I want to use NAT for IP migration for a number of our servers. All the configuration examples just seem to use an ip nat inside source static statement assuming you want the client to talk to the old IP address. I'm hoping to have a solution in place where I can change client IP addresses one at a time, and if they call on the new IP address they'll get a response, if they have not been changed over yet they'll get a response as well. I know we could just bind secondary addresses to the servers but we would rather not go that way if possible.
Thanks

Check out the following link on Configuring NAT for IP Address Conservation:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008044eddc.html

Similar Messages

  • New Type of Firewall Config (for me)

    OK - this is a different type of config for me so I am reaching out for some advice / help. I manage many Cisco ASA 5520s and I am in the process of converting one ASA from a block of 30 outside addresses to a 50 Meg Cox cable modem with a block of 30 CIDR addresses.
    Normally I would just reference an outside address and bingo, things would work right. In this case I found out so far that I could only get internet access through this cable modem by setting up the outside interface of the ASA with DHCP - then it grabbed a public WAN address, added a route to the ASA 5520 and then I had internet access out through the cable modem.
    My question / problem / nuance to me is when I reference / assign one of our CIDR addresses to a device (like a server) and that is NATted from the DMZ to the outside address, I don't get access to the device.
    I'm thinking I have to do something special to set up these CIDR addresses but having never done this before I am reaching out for some advice.
    my outside dhcp assigned wan address is 70.168.x.1xx with a gateway of 70.168.x.1
    The cidr block I have been assigned from the cable company is
    184.185.x.x/27
    The cable company also has suggested a default gateway address within the CIDR block and a first usable and last usable address.
    I must say that I usually look to over complicate things by thinking things are more difficult than they really are.
    Can anyone get me pointed in the right direction so I know how to assign these CIDR addresses and have them accessible from the outside?
    Thanks in advance
    Paul

    Hi,
    So from what I understand you should have your own public IP address range of /27 usable through your current connection. Yet it only works with setting the ASA outside to use DHCP and doesn't work when you statically assign an IP address from the /27 address range and set the default route.
    If the above is the case I'm kinda wondering why you are even getting IP address with DHCP from the ISP if you are supposed to have your own public address block.
    You sure the ISP has its side configured correctly?
    - Jouni

  • Need help getting simple Nat config to work

    I can't seem to get the below NAT config to work. I removed the crypto from the fa0/0 for testing.
    Why can't I get xlates when I ping 192.168.1.5 or 192.168.1.1? As you can see, my access list isn't getting touched?
    What am I missing?
    ==============================================
    CCC#sh access-lists
    Standard IP access list 1
        10 permit 10.10.10.0, wildcard bits 0.0.0.255
    ==============================================
    CCC#sh ip nat t
    CCC#
    ==============================================
    CCC#sh ip nat s
    Total active translations: 0 (0 static, 0 dynamic; 0 extended)
    Outside interfaces:
      FastEthernet0/0
    Inside interfaces:
      FastEthernet0/1
    Hits: 0  Misses: 0
    CEF Translated packets: 0, CEF Punted packets: 0
    Expired translations: 0
    Dynamic mappings:
    -- Outside Destination
    [Id: 2] access-list 1 interface FastEthernet0/0 refcount 0
    [0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
    0, flags 1
    [0] prot 6: port #9 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
    0, flags 1
    [0] prot 6: port #11 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
    .0, flags 1
    [0] prot 6: port #13 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
    .0, flags 1
    [0] prot 6: port #19 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
    .0, flags 1
    [0] prot 6: port #21 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
    .0, flags 1
    =============================================================================
    CCC#sh run
    Building configuration...
    Current configuration : 1490 bytes
    version 12.4
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname CCC
    boot-start-marker
    boot system flash c2600-adventerprisek9-mz.124-25d.bin
    boot-end-marker
    no aaa new-model
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    archive
    log config
      hidekeys
    crypto isakmp policy 2
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 400
    crypto isakmp key cisco123 address 1.1.1.3
    crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
    crypto map Petaluma_1 1 ipsec-isakmp
    ! Incomplete
    set peer 1.1.1.3
    set transform-set Petaluma_VPN
    match address 100
    interface FastEthernet0/0
    ip address 1.1.1.2 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    speed auto
    half-duplex
    interface Serial0/0
    no ip address
    shutdown
    clock rate 56000
    interface FastEthernet0/1
    ip address 10.10.10.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    router rip
    network 1.0.0.0
    network 10.0.0.0
    no ip forward-protocol nd
    ip route 192.168.1.0 255.255.255.0 1.1.1.3
    no ip http server
    no ip http secure-server
    ip nat source list 1 interface FastEthernet0/0 overload
    access-list 1 permit 10.10.10.0 0.0.0.255
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    login
    end

    I am getting the same issue:
    Dynamic mappings:
    -- Outside Destination
    [Id: 1] access-list NAT interface FastEthernet0/0 refcount 0
    [0] prot 6: port #0 refcount 2 syscount 2 localport 4294967295, localaddr 0.0.0.
    0, flags 1
    [0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
    0, flags 1 Dynamic mappings:
    -- Outside Destination
    [Id: 1] access-list NAT interface FastEthernet0/0 refcount 0
    [0] prot 6: port #0 refcount 2 syscount 2 localport 4294967295, localaddr 0.0.0.
    0, flags 1
    [0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
    0, flags 1
    I don't know what this means and will try debug ip nat and get a readout.

  • Identity NAT config from Destination to Source

    Hi Everyone,
    In one client network environment I need to configure the static identity NAT below to fix the traffic flow from PC to server:
    static (X,Y) 192.168.3.1 192.168.3.1 netmask 255.255.255.255
    The traffic flow from PC to server was as follows:
    The PC was connected to interface Y of the firewall and the server was connected to interface X of the firewall.
    192.168.3.1 is the server IP.
    I need to confirm whether the above identity NAT config is normal in network design?
    Regards
    Mahesh

    Hi Mahesh,
    This is similar to no-nat or nat exempt..... it can be done if the requirement is like this......
    Normally we do this for an inside to dmz zone in most cases...... or denying access from un-trusted zones....
    You can use that.... that should not be a problem....
    Regards
    Karthik

  • Proper TLS Config for IronPort C170

    I inherited an infrastructure a little bit ago that uses an IronPort C170 cluster for email security. I have been tasked with configuring TLS connections with our new medical benefits provider and have some issues doing so. We have 3 MX records, let's call them mail1, mail2 and mail3. Mail1 and mail2 are configured normally on our firewall to pass SMTP traffic on port 25 to the MailListener port on the IronPort which is 25. Mail3, however, is configured on the firewall to translate SMTP traffic on port 25 to port 3600 which is sent to the TLS Listener port 3600 on the IronPort. The IronPort MailInterfaces are configured as such (25,3600) Reverse configuration on the firewall takes any port 3600 traffic from the IronPort and translates it to port 25 traffic for the rest of the world.
    I configured the IronPort with a new Sender Group named TLS_ACCEPT,  added all the medical provider domain names/IPs to it and assigned it to  the ACCEPTED Mail Flow Policy where TLS is set to Required. Likewise,  for outgoing, I specified the same domain names/IPs within the  Destination Controls to require TLS for sending purposes.
    I replaced the guy who originally configured this so I am not too sure how it is setup on the other end for TLS connections already established. We do have a few in place that are active. I am assuming that the other end is configured to send email only to the mail3 MX record. This configuration, however, is not possible with our medical provider so I need an alternative. They have verified that they cannot contact us on mail1 or mail2 via TLS but can with mail3.
    The obvious problem is if a sender from these new domains tries to send TLS_required emails to us over the mail1 and mail2 MX IPs, they will receive an NDR. If I configure the firewall to translate mail1 and mail2 incoming connections from port 25 to 3600, any email sent with TLS not preferred/required will get an NDR. This was actually tested and domains like Yahoo and Hotmail could not send to us.
    Are there any options for me on the IronPort to allow these connections to be sent from all our MX IPs without having to translate the ports? If not, what would happen if I changed the TLS Listener port on the IronPort to 25 instead of 3600 and disabled all the NAT rules on the firewall for mail3? I am only to assume this translation was another security step added by the previous admin here but am not too sure what would happen if I eliminated it.
    Any advice, help, questions, assistance or fun-poking would be greatly appreciated!! Thank you in advance!

    Kevin,
    OMG there's so much unneeded complication here... You can totally ditch the port translation.
    Here's what I did:
    Under Network/IP interfaces, I have 3 interfaces: management, Public, Private.
         Public is exposed to the net, only port 25 allowed in/out, with 1 A record for a Domain1 which I have a certificate for.
    Under Network/Listener I have 2 Listeners:
         Outbound on the Private interface, not really relevant for the rest of this discussion
         Inbound on the Public interface
              listening on port 25
              using an Accept query pointed at my Active Directory (all the various email domains in 1 AD)
              using a cert that matches the hostname on the Public interface
              Mail flow policies in HAT all set to TLS preferred with an address list configured for the "required" ones
    Mail Policies/Destination Controls to force sending as TLS
    In my external DNS
         Domain1
              A  mail.domain1.com  x.x.x.
              mx domain1.com  mail.domain1.com pref 10 weight 10 TTL 86400
         Domain2-10
              mx domain2.com mail.domain1.com
              mx domain3.com mail.domain1.com
         etc....
    Hope that helps...
    Ken    

  • Config for Production client

    Dear all,
    I'm new to Basis and am now working on a big ERP project. I have a concern about the config for the Production client.
    In SCC4 we must set the client role to Production and No changes allowed for Objects. But in production we sometimes need to Open and Close Periods, or make changes following business requirements, ... This is not allowed in the Production client.
    How do we configure the Production client to cover these requirements?
    Do we need a config client to maintain the Production client? Example: Production client is 500, Config client is 100. When we need to Open or Close a Period or change anything, we do it in 100 and transfer the request to 500.
    Thank you very much.
    Regards,
    Thanh.
    Do not use text message language, the next time your thread will be deleted.
    Read the "Rules of Engagement"
    Edited by: Juan Reyes on Dec 1, 2010 11:06 AM

    You can customize transactions to be executable although the setting in SCC4 is "productive"; this is accomplished by using transaction SOBJ:
    Note 1497640 - Open and close periods in productive client
    You can theoretically put every customizing view there and make it "executable" in a production system.
    Markus

  • How to use the same services-config for the local and remote servers.

    My Flex project works fine using the below but when I upload my Flash file to the server it doesn't work. All the relative paths and files are the same except the remote one is a Linux server.
    <?xml version="1.0" encoding="UTF-8"?>
    <services-config>
        <services>
            <service id="amfphp-flashremoting-service"
                class="flex.messaging.services.RemotingService"
                messageTypes="flex.messaging.messages.RemotingMessage">
                <destination id="amfphp">
                    <channels>
                        <channel ref="my-amfphp"/>
                    </channels>
                    <properties>
                        <source>*</source>
                    </properties>
                </destination>
            </service>
        </services>
        <channels>
        <channel-definition id="my-amfphp" class="mx.messaging.channels.AMFChannel">
            <endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
        </channel-definition>
        </channels>
    </services-config>
    I think the problem  is the line
            <endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
    but I'm not sure how to use the same services-config for the local and remote servers.

    paul.williams wrote:
    You are confusing "served from a web-server" with "compiled on a web-server". Served from a web-server means you are downloading a file from the web-server, it does not necessarily mean that the file has been generated / compiled on the server.
    The server.name and server.port tokens are replaced at runtime (ie. on the client when the swf has been downloaded and is running) not compile time (ie. while mxmlc / ant / web-tier compiler is running). You do not need to compile on the server to take advantage of this.
    Hi Paul,
    In Flex, there is a feature that lets the developer put all the services-config.xml configuration information into the swf file, with
    -services=path/to/services-config.xml
    If
    services-config.xml
    has tokens in it and the user has not specified an additional
    -context-root
    and this swf file is not served from a web-app-server (like Tomcat for example) then it will not work.
    Flash Player has no possible way to replace token values of the services-config.xml file during runtime if that services-config.xml file has been baked into the swf file during compilation.
    For example, during development you can launch your swf file from your browser with the file:// protocol and still be able to access BlazeDS services if
    -services=path/to/services-config.xml
    has been specified during compilation.
    I don't know any better way to explain this, but in summary there are two places where you can tell the swf about service configuration:
    1) pass the -services=path/to/services-config.xml parameter to the compiler; this way you tell the swf file up front about all that good stuff,
    or 2) you put that file on the webserver (in this case, yes, you should have replacement tokens in that file) and they will be replaced at runtime.

  • Config for Dispatch Intrastat

    Hello Experts,
    Our client has a manufacturing plant in France which is already in SAP. Now they are planning to come up with another plant in France. We will be creating a new Company Code and Sales Org. My question is that since France is already in SAP and uses Intrastat reporting so do we need to make any config for new Plant/Sales Org or is the Intrastat setting defined at country level only.
    Regards,
    Karan

    Hello Karan,
    We are going to create a new Plant as well as a new Sales Organisation. In Intrastat there is one setting where we assign Business Transaction Type to Sales Org/Item Category combination. For the reference Sales Org this setting is already in place so do we need to do this setting for new Sales Org also or does it get copied when we create new sales org with reference to existing sales org?
    In my view of the current setup which you are incorporating for the new plant in France, there is no need to have a new Company Code and Sales Organization unless and until there is some legal requirement in the EU (if an export process needs to be triggered). There is not much information available on Intrastat functionality, but as I understand from you, you create a Business transaction type in Intrastat and then assign the business transaction type to the Sales organization. My suggestion would be: most likely you would have to extend and include the newly created Sales Organization for the Business transaction type.
    Thanks,
    Sarthak

  • Best practice for data migration install v1.40 - Error 2732 Directory manag

    Hi
    I'm attempting to install SAP Best Practice for Data migration 1.40 on Win Server 2008 R2 (64 bit).
    Prerequisite error
    Installation program stops with missing file error
    The following file was not found
    ... \migration\InstallationWizard\BusinessObjects Data Services\setup.exe
    The file is necessary for successful installation. Please connect to internet or refer to Quick Guide (available on SAP note 1527151) for information regarding the above file.
    Windows installer log displays
    Error 2732 Directory Manager not initialized
    SAP note 1527151 does not exist or is internal.
    Any help appreciated  on what is the root cause of the error as the file does not exist in that folder in the installation zip file.
    Other prerequisite of .NET 3.5.1 met already.
    Patch is released since 20.11.2011 so I presume that it is a good installation set.
    Thanks,
    Alan

    Hi Alan,
    There are details on data migration v1.4 installations on SAP website and market place. The below link should guide to the right place. It has a power point presentation and other useful links as well.
    http://help.sap.com/saap/sap_bp/DMS_V140/DMS_US/html/index.htm
    Arun

  • Vendor Payment Terms config for 30%advance 70% after GR

    Hi Guys,
    How to configure Vendor Payment Terms for " Vendor Payment Terms config for 30%advance 70% after GR "
    Please suggest your expert comments.
    Thanks in advance.
    Regards,
    Jackie

    sappassion2011 wrote:
    > Hi Guys,
    >
    > How to configure Vendor Payment Terms for " Vendor Payment Terms config for 30%advance 70% after GR "
    >
    > Please suggest your expert comments.
    >
    > Thanks in advance.
    >
    > Regards,
    >
    > Jackie
    Hi Jackie,
    Do them in trxn OME2
    Regards
    Shiva

  • What's the best Mac Pro config for Fireworks?

    What's the best Mac config for Fireworks?
    I can pretty much get whatever Mac I want at work... My boss is sick and tired of watching Fireworks crash all the time... I figure a hefty processor and lots of RAM and maybe a SSD will help…
    I should get a Mac Pro right? Which processor?
    • Two 2.40GHz 6-Core Intel Xeon processors (12 cores)
    • Two 2.66GHz 6-Core Intel Xeon processor (12 cores)
    • Two 3.06GHz 6-Core Intel Xeon (12 cores)
    Should I get 24GB RAM?? Or is that overkill?
    I'll get a 2TB serial hard drive…
    I should get a 512 GB solid state drive offered by Apple right?
    Or is it possible to get a larger better 3rd party SSD?
    And then maybe two 21" Displays… Two 27s seems a little much… or does it?
    Thanks in advance.

    Oh and what about video cards? Or is Apple's default ok? (I'm not doing hard core PhotoShop retouching or anything).

  • How to get the exact sql developer which used for data migration?

    Hi all,
    Hope you are doing well.
    Sir, I saw a link for data migration: http://www.oracle.com/technetwork/developer-tools/sql-developer/sql-server-connection-viewlet-swf-089886.html
    In this link, when they connect to the SQL database, after clicking on new connection four tabs are shown: Oracle, Access, MySQL, SQL Server.
    I downloaded the latest version of SQL Developer, version 3.02.09.30. When I opened it I am not getting those options.
    One more thing: I am not getting the Migration menu in the menu items.
    Please help me.
    Thanks and regards

    Hi,
    To connect to non-Oracle databases from SQL*Developer you need to download the relevant JDBC driver.
    This is detailed in the documentation in the User Guide -
    http://docs.oracle.com/cd/E35137_01/appdev.32/e35117.pdf
    in the section -
    Database: Third Party JDBC Drivers
    The Third Party JDBC Drivers pane specifies drivers to be used for connections to third-party (non-Oracle) databases, such as IBM DB2, MySQL, Microsoft SQL Server, or Sybase Adaptive Server. (You do not need to add a driver for connections to Microsoft Access databases.) To add a driver, click Add Entry and select the path for the driver:
    ■For IBM DB2: the db2jcc.jar and db2jcc_license_cu.jar files, which are available from IBM
    ■For MySQL: a file with a name similar to mysql-connector-java-5.0.4-bin.jar, in a directory under the one into which you unzipped the download for the MySQL driver
    ■For Microsoft SQL Server or Sybase Adaptive Server: jtds-1.2.jar, which is included in the jtds-1.2-dist.zip download
    ■For Teradata: tdgssconfig.jar and terajdbc4.jar, which are included (along with a readme.txt file) in the TeraJDBC__indep_indep.12.00.00.110.zip or TeraJDBC__indep_indep.12.00.00.110.tar download
    To find a specific third-party JDBC driver, see the appropriate website (for example, http://www.mysql.com for the MySQL Connector/J JDBC driver for MySQL, http://jtds.sourceforge.net/ for the jTDS driver for Microsoft SQL Server and Sybase Adaptive Server, or search at http://www.teradata.com/ for the JDBC driver for Teradata). For MySQL, use the MySQL 5.0 driver, not 5.1 or later, with SQL Developer release 1.5.
    You must specify a third-party JDBC driver or install a driver using the Check for Updates feature before you can create a database connection to a third-party database of that associated type. (See the tabs for creating connections to third-party databases in the Create/Edit/Select Database Connection dialog box.)
    Regards,
    Mike

  • Add file config for whole application?

    Hi everyone,
    Has anyone worked with building a config file for a whole Fusion ADF application? It is similar to web.config in a .NET ASP web site. I think in JDeveloper we can use web.xml to add some parameters, but I don't know how to read these parameters.
    Any help is appreciated!
    Thanks.

    User, please tell us your JDeveloper version!
    In general you can read context or init parameters from web.xml.
    You get to them via the servlet context
    String databaseHost =getServletContext().getInitParameter("database.host");
    And to get to the servlet context use
    FacesContext ctx = FacesContext.getCurrentInstance(); ServletContext servletContext = (ServletContext) ctx.getExternalContext().getContext();
    Timo

  • Hal config for Elantech/Eee 1000h touchpad?

    I've tried using the one that's in the 901-install Wiki page, and find it massively flakey (sorry no offense to anyone), compared to using xorg.conf.. It doesn't allow precise control at all, and for some reason (I'm sure it's the way I move my finger), seems to really jump up or down when I move side to side..
    So does anyone have a config for this that works real good, that cares to share?
    Thanks in advance.

    I know this problem occurs when I compile the elantech driver in the PS2/trackpoint driver:
    CONFIG_MOUSE_PS2_TRACKPOINT=y
    CONFIG_MOUSE_PS2_ELANTECH=y
    I was told you need the latest xf86-input-synaptics but Arch has the latest...
    My workaround was to disable elantech:
    CONFIG_MOUSE_PS2_TRACKPOINT=y
    # CONFIG_MOUSE_PS2_ELANTECH is not set

  • Cisco ISE configs for switch

    I suppose Cisco ISE sends a URL redirect to the switch and the switch presents it to the client in case of guest Access getting a URL redirect with User Acceptance Page (Wired Guests and not wireless).
    My question here is, Do we need to configure http and https server on the switches (both supplicant and authenticator)?
    I am sure it will need but just wanted a confirmation..
    I have checked the configuration for supplicant and authenticator switches for ISE and it has nowhere mentioned that part of the config.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html (a problem of URL redirection and possible cause is mentioned) ------- makes me sure that the config is needed.
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html
    (config of supplicant and authenticator switch)---- nowhere mentioned of the http/https config for both switches.

    Yes, it's needed. The http/s server within the switch is used to grab the http user traffic and redirect the traffic to the CWA portal, or a device registration portal, or even to the Mobile Device Management (MDM) onboarding portal.
    ip http server
    ip http secure-server
    The info below I grabbed from the Cisco ISE for BYOD and Secure Unified Access book.
    "Many organizations want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the chances of an end user interacting with the management interface and control plane of a switch. This may be accomplished by running the following two commands from global configuration mode:
    ip http active-session-modules none
    ip http secure-active-session-modules none"
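
A check for the four commands named in the reply above, run over a saved running-config. This is an added example, not part of the original thread or any Cisco tooling; the function names, finding codes and sample configs are constructed for illustration, and it assumes the running-config prints each command verbatim.

```python
"""Audit an IOS switch config for the HTTP settings needed for ISE URL redirect."""

# (server command, command that detaches that server from switch management),
# exactly as quoted in the thread.
PAIRS = [
    ("ip http server", "ip http active-session-modules none"),
    ("ip http secure-server", "ip http secure-active-session-modules none"),
]


def command_state(lines, command):
    """True if `command` is present, False if negated with `no`, None if absent."""
    state = None
    for line in lines:
        if line == command:
            state = True
        elif line == "no " + command:
            state = False
    return state


def audit_ise_switch(config_text):
    """Return a list of (code, detail) findings for one running-config."""
    # Normalise whitespace; drop blank lines and '!' comment/separator lines.
    lines = [" ".join(raw.split()) for raw in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]

    findings = []
    enabled = [srv for srv, _ in PAIRS if command_state(lines, srv)]
    if not enabled:
        # Without either server the switch cannot intercept and redirect HTTP.
        findings.append(("NO_REDIRECT_SERVER",
                         "neither 'ip http server' nor 'ip http secure-server' is enabled"))
    for srv, lock in PAIRS:
        if srv in enabled and not command_state(lines, lock):
            # Redirect works, but the same server still exposes switch management.
            findings.append(("MGMT_MODULES_ACTIVE",
                             f"'{srv}' is enabled without '{lock}'"))
    return findings


# Constructed sample configs (not taken from any real device).
SAMPLE_HARDENED = """\
hostname ACCESS-SW1
ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none
"""

SAMPLE_REDIRECT_ONLY = """\
hostname ACCESS-SW2
ip http server
ip http active-session-modules none
ip http secure-server
"""

SAMPLE_DISABLED = """\
hostname ACCESS-SW3
no ip http server
no ip http secure-server
"""

if __name__ == "__main__":
    for name, cfg in [("hardened", SAMPLE_HARDENED),
                      ("redirect only", SAMPLE_REDIRECT_ONLY),
                      ("disabled", SAMPLE_DISABLED)]:
        print(name, audit_ise_switch(cfg) or "OK")
```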
