NAT destination IP address

I have this topology:
A ------ ASA -------- B
A's real IP is 1.1.1.1
B's real IP is 2.2.2.2
B's mapped IP is 3.3.3.3
How do I NAT it so that when A tries to connect to 3.3.3.3, the destination is translated to 2.2.2.2, but at the same time, when B connects to A, it is using its real IP of 2.2.2.2 and is not NATed?
I have a problem where A is getting its DNS information from an external server which is resolving it to an external IP address.
Thank you in advance!

I think I found the answer. The "unidirectional" keyword is what I needed.
nat (outside,inside) source static any any destination static MAPPED REAL unidirectional
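The effect of the "unidirectional" keyword on the rule above, as an added example that is not part of the original post. It is a simplified model of how a static twice-NAT rule treats new connections from each side, using the addresses from the question; the class and function names are hypothetical.

```python
from dataclasses import dataclass

A_REAL, B_REAL, B_MAPPED = "1.1.1.1", "2.2.2.2", "3.3.3.3"  # from the question


@dataclass(frozen=True)
class TwiceNatRule:
    """Model of: nat (outside,inside) source static any any
    destination static MAPPED REAL [unidirectional]"""
    mapped: str           # MAPPED object: the address A dials
    real: str             # REAL object: B's real address
    unidirectional: bool  # True when the keyword is present


def translate_new_connection(rule, src, dst, ingress):
    """Return (src, dst) after NAT for the FIRST packet of a connection.

    ingress is "outside" (A's side) or "inside" (B's side). Return packets
    of an established connection follow the existing translation and are
    not modelled here.
    """
    if ingress == "outside" and dst == rule.mapped:
        # Forward direction: destination MAPPED -> REAL; "any any" leaves
        # the source untouched.
        return src, rule.real
    if ingress == "inside" and src == rule.real and not rule.unidirectional:
        # A static rule is bidirectional by default: connections initiated
        # from the destination side are matched in reverse, so B's source
        # is rewritten REAL -> MAPPED.
        return rule.mapped, dst
    return src, dst  # no rule match: packet is forwarded untranslated


def compare():
    """Run both flows from the question against both rule variants."""
    results = {}
    for uni in (False, True):
        rule = TwiceNatRule(B_MAPPED, B_REAL, unidirectional=uni)
        results[uni] = {
            "A->3.3.3.3": translate_new_connection(rule, A_REAL, B_MAPPED, "outside"),
            "B->A": translate_new_connection(rule, B_REAL, A_REAL, "inside"),
        }
    return results


if __name__ == "__main__":
    for uni, flows in compare().items():
        print("unidirectional" if uni else "bidirectional", flows)
```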

Similar Messages

  • Access another host on same subnet through Nat'd IP address

    I appreciate any help in advance, I have a requirement to monitor a host's external IP address, the monitoring host (host A) initiating the request is located in the same DMZ subnet as the destination host (host B) I want to monitor, both are NAT'd to external IP addresses, I was expecting to see a request going out from host A, getting NAT'd to its respective external IP address and then coming back in through the external interface to reach the Nat'd IP address of host B. is this how NAT will be handled by the ASA or am I missing something here? thanks again.

    Borman,
    It's more complicated than that; consider the following scenario:
                                20.20.20.0/24
                   ASA------------------------------Internet
                      | (DMZ)
                 Switch
         Host A          Host B
       10.1.1.10      10.1.1.100
                          20.20.20.20 (Nat outside address)
    Basically you want to monitor your host B using its public IP address. Normally your NAT configuration (in case of version 8.2 and prior) would be something like this:
    static (DMZ,outside) 20.20.20.20 10.1.1.100
    nat (DMZ) 1 0.0.0.0 0.0.0.0
    global (outside) 1 interface
    When going from Host A to Host B, two translations should occur. First is the untranslate from 20.20.20.20 to 10.1.1.100 (by an internal process of the ASA); then, once it is untranslated, the route lookup comes into play. The firewall notices that it is on the same interface as the source of the packet, so we reach our first impasse. The ASA does not support same-security traffic by default, so we overcome this issue with the following command:
    same-security-traffic permit intra-interface
    Now that is done, so we move to the next packet process: the ASA tries to check if there is any NAT translation for a packet coming from the DMZ and going to the same DMZ. As you can see, there is a "nat (DMZ) 1 0.0.0.0 0.0.0.0", which tells the firewall that everything coming from the DMZ should be translated. We hit that NAT, and since the outgoing interface is the same as the source interface (DMZ), there is no global command, hence you will see an error that states "No translation group found". Here is how we overcome that issue:
    global (DMZ) 1 interface
    This will translate requests from the DMZ interface going to that same interface to the DMZ IP address. On the server 10.1.1.100, the connection will be seen as if it came from the firewall, and the packets will be sent to the firewall again, hence avoiding asymmetric routing.
    If running version 8.3 or higher, the concept is the same, but the commands change a bit.
    8.3
    same-security-traffic permit intra-interface
    object network Server_Public
    host 20.20.20.20
    object network Server_Private
    host 10.1.1.100
    object network Any
    subnet 0.0.0.0 0.0.0.0
    nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
    So bottom line, configuration needed on 8.2:
    global (DMZ) 1 interface
    same-security-traffic permit intra-interface
    Configuration for 8.3
    same-security-traffic permit intra-interface
    object network Server_Public
    host 20.20.20.20
    object network Server_Private
    host 10.1.1.100
    object network Any
    subnet 0.0.0.0 0.0.0.0
    nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
    Hope this helps a bit.
    Mike
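The packet walk described in the reply above, as an added example that is not part of the original post. It is a simplified trace of the 8.2 hairpin flow with each configuration piece switched on or off; the DMZ interface address 10.1.1.1 and the function name are assumptions, and the case with no DMZ nat rule goes beyond the post to show the asymmetric reply the source translation avoids.

```python
HOST_A, HOST_B = "10.1.1.10", "10.1.1.100"   # from the diagram in the post
PUBLIC_B = "20.20.20.20"                     # Host B's NAT outside address
ASA_DMZ = "10.1.1.1"                         # assumed; not given in the post


def hairpin(intra_interface, dmz_nat_rule, dmz_global):
    """Trace Host A -> 20.20.20.20 and back.

    intra_interface: same-security-traffic permit intra-interface
    dmz_nat_rule:    nat (DMZ) 1 0.0.0.0 0.0.0.0
    dmz_global:      global (DMZ) 1 interface
    Returns (outcome, source address Host A sees on the reply or None).
    """
    src, dst = HOST_A, PUBLIC_B

    # 1. Untranslate: the static for Host B rewrites the destination.
    dst = HOST_B

    # 2. Route lookup: 10.1.1.100 is reached through the DMZ, the same
    #    interface the packet arrived on.
    if not intra_interface:
        return "drop: intra-interface traffic not permitted", None

    # 3. Source NAT check for DMZ -> DMZ traffic.
    if dmz_nat_rule:
        if not dmz_global:
            return "drop: no translation group found", None
        src = ASA_DMZ  # source hidden behind the DMZ interface address

    # 4. Host B answers whatever source address it saw.
    if src == ASA_DMZ:
        # Reply returns to the firewall, which restores both addresses,
        # so Host A sees the answer coming from the address it dialled.
        return "ok", PUBLIC_B

    # Host B sees 10.1.1.10, which is on its own subnet, and replies
    # directly. Host A dialled 20.20.20.20 but is answered by 10.1.1.100,
    # so the reply does not match its connection.
    return "fail: reply bypasses firewall", HOST_B


if __name__ == "__main__":
    for flags in [(False, True, False), (True, True, False),
                  (True, True, True), (True, False, False)]:
        print(flags, hairpin(*flags))
```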

  • Trusted RFC and Remote logon not possible due to Nat'd IP addresses

    Hi,
    We are trying to connect our SolMan 4 to our customers' ECC 6 and BI7 systems. The systems are off site and the IP addresses for the customers' systems are NAT'd when they come in and go out from our network.
    The problem we get is that we cannot set up Trusted systems or Remote Logon to these systems due to issues with the NATing of the IP addresses. We can set up all standard RFCs after adding the appropriate addresses into the hosts file and they work fine. But the trusted RFC does not set up properly and the BACK RFC from the satellite system does not get set up properly. What appears to happen is that when you try to start a remote session, SAP goes to the satellite system and finds the Instance Name and the local IP address rather than the NAT'd IP address and tries to open a session from there. I found this by going into the trusted RFC in SM59 and then going to Extras, System Information, Target System; this then tells me the Target System information, where it shows the System ID and IP address (which is the incorrect IP address).
    Anyone know how we can get the system to try to have the correct IP address in the target system information so that we can get Remote Logons to work?
    Cheers

    Hi Carl,
    Based on your explanation about NATing, how will the RFC determine to connect to SolMan's internal IP after it has been directed to the IP for the router connection?
    I feel it is like configuring a jump of RFCs from one IP to another in a single chain.
    Can this be done? I mean we have to specify an IP in the RFC connection, right, so how will the automatic jumping of IPs be done?
    Sorry for not answering the question, but it's very interesting and I wanted to know.
    Also went through note # 148832, might help.
    Regards,
    Kaustubh.
    Edited by: Kaustubh Krishna on Aug 13, 2009 12:17 PM

  • TS1629 Apple destination ip addresses for well known TCP and UDP ports used by Apple software products

    I work for a large enterprise organisation with dual layer firewalls. The Apple article titled "allowing well known ports through the firewall" does not provide enough information on what the destination IP addresses of Apple servers are which host Apple iCloud services.
    Does anyone have information on the destination Apple IP addresses? So that I can lock down my firewall rules, just so that Apple devices access Apple services on the Internet.
    Many thanks

    One option is to use "connection-reuse" cli under sip-ua configuration mode.
    sip-ua
      connection-reuse
    This will enable the 7200 to create a connection with source and destination udp port number set to 5060. This feature is available in IOS 12.4(25d) which requires minimum of 256 / 512MB DRAM (depends on the feature set) and flash of 48 MB.

  • NAT'd IP Address

    Hi, I'm currently on Infinity 2 with a Hub 5 router. Basically I use OpenDNS on both my desktop and laptop with the IP updater software. Anyway, recently I had an issue where other people seem to be affected by my DNS settings even though I'm in Northern Ireland and they are in England. Following a fair amount of investigation by OpenDNS support and tests from my PC, they believe I'm on a NAT'd IP address. Can this be looked into by someone in support? This issue occurred around 2 weeks ago.

    This picture will show if you are on CG-NAT.
    http://forumhelp.dyndns.info/networking/cgnat.jpg
    and this how to check and opt out http://btsupport.custhelp.com/app/answers/detail/a_id/44044/c/6433

  • Permit / Allow email from a Source email address to destination email address

    I need to permit all emails from a specific source email address to a specific destination email address within IronPort. How can this be achieved? I am inclined to use an outgoing mail policy, but I need to permit specific source and destination email addresses.

    The @icloud.com address is additional to your existing @me.com address: both deliver into the same inbox, and there is absolutely no need to use the @icloud.com address if you don't want to - you can go on using the @me.com one exactly as before.

  • Setting up static nat for ip addresses

    We recently switched to a verizon fios line. Our company has two offices (CA, NC). There are servers in NC that we need to be able to print to printers in CA. 
    We have 5 static IP's from Verizon, I set 3 of the remaining IPs as a static nat to the private ips of the printers. I cannot ping these static public ips. I even have the port forwarding from UDP/TCP set to any for both the Source and Destination ports. 
    Can anyone help me as to why I cannot ping these IP addresses?
    I can ping the private IP's from the private network (CA) that the printers are on.

    No, it does not. But they are working this morning. Maybe the DNS needed to propagate? Not sure but it works now.

  • Site to Site VPN with Natting Internal IP address range?

    This is our actual internal LAN address: 10.40.120.0/26 (internal range), and I want to translate it to
    Translated address: 10.254.9.64 255.255.255.192 (internal)
    Our remote local address is: 10.254.5.64 255.255.255.192 (remote site internal IP address range)
    Based on the above parameters I did this configuration:
    access-list outside_cryptomap permit ip 10.254.9.64 255.255.255.192 10.254.5.64 255.255.255.192
    access-list policy-nat permit ip 10.40.120.0 255.255.255.192 10.254.5.64 255.255.255.192
    static (inside,outside) 10.254.9.64 access-list policy-nat
    I got all the Phase 1 and Phase 2 parameters required and the peer public IP address.
    I had set up VPN using ASDM before, but this scenario is new for me. All I am wondering is whether there is anything else I need to configure to successfully set up the VPN.

    Hi mate,
    Yeah, the issue was on the far site: they weren't allowing access to the port we are trying to access, and they made it up and we are good to go now.
    One thing I am worried about is that only one IP address is able to access the resources. I mean I created an address range of 192.168.x.0/26, however only 192.168.x.3, one of our servers, is able to access the far site. Haven't got a clue.
    Config is as follows:
    access-list pp-vpn extended permit ip 10.254.7.64 255.255.255.192 10.254.6.64 255.255.255.192
    access-list policy-nat---- extended permit ip 192.168.x.0 255.255.255.192 10.254.6.64 255.255.255.192
    static (inside,outside) 10.254.7.64 access-list policy-nat
    crypto ipsec transform-set esp-aes256-sha esp-md5-hmac
    crypto map outside_map 20 match address pp-vpn
    crypto map outside_map 20 set peer 172.162.1.2
    crypto map outside_map 20 set transform-set vpn1
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp policy 65 encyptio
    authentication pre-share         
    encryption des
    hash md5
    group 2
    lifetime 86400
    tunnel type ipsec-l2l
    tunnel-group 172.162.1.2 ipsec-attributes
    pre-shared-key *
    Thank you immensely for all your assistance
    ven

  • To nat destination ip

    nat (inside) 2 0.0.0.0 0.0.0.0
    global (outside) 2 202.1.1.2
    access-list acl extended permit ip any host 202.1.1.2
    access-list policy extended permit ip 10.10.10.1 192.168.1.1
    global (inside) 5 172.16.1.1 netmask 255.255.255.255
    nat (outside) 5 access-list policy
    requirement is whenever the lan ip goes out it should be natted to 202.1.1.2
    and whenever the source 10.10.10.1 goes to 192.168.1.1 the destination ip should be changed to 172.16.1.1
    does it work ?

    Yes, you have the configuration correct. It should work. But you need to add the outside keyword in the nat statement.
    access-list policy extended permit ip host 10.10.10.1 host 192.168.1.1
    global (inside) 5 172.16.1.1 netmask 255.255.255.255
    nat (outside) 5 access-list policy outside
    Thanks,
    Varun

  • Tunning signature- set number of destination ip addresses

    Any way to set an IDS signature to fire only if the same source address is scanning more than, say, 50 different destinations in a given time, like 10 minutes?

    I guess you can do this using the 'custom signature' wizard in the IDM. I do not remember the available options, but you might see them once you get there.

  • Change Lync 2013 Edge Server Natted public ip addresses

    we changed public ip addresses for Lync 2013 edge. I changed only a/v edge service NAT-Enabled public ipv4 address to the new public ip address .
    published the topology
    run
    Invoke-CsManagementStoreReplication command
    restarted edge server.
    what else to do to solve it ?
    Error:
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.*****.com on port 5061.
    The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
    Additional Details
    The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

    Hi,
    Please re-run Step 2-Setup or Remove Lync Server Components after changing IP in topology.
    Kent Huang
    TechNet Community Support

  • Routes, NAT & Sec IP Address lost at reboot

    Hi
    I don't know if this is the correct forum but I have BM installed.
    I have NW 6.5sp1 with BorderManager 3.8. Every time I reboot the server I
    lose the configuration of one of my entries in the static routing table.
    The NAT is set up as dynamic and it is lost just sometimes. The secondary
    IP addresses are commented out in the autoexec.ncf (I don't want them anymore) and
    they are configured after each reboot even if I comment them out.
    tcpcfg.nlm Version 6.50.24
    inetcfg Version 6.50.19
    Any HELP would be really appreciated
    Best Regards
    Mariandrea

    > In article <U7Qhc.870$[email protected]>, wrote:
    > > But I still don't know what to do with the problem of my route, it keeps
    > > disappearing every time I boot my server. All other routes are OK, it is just
    > > one that I configured last week
    > >
    > Do you have rip or ospf enabled?
    >
    > Are you setting routes with TCPCON (which does not make permanent changes)?
    > Use INETCFG, Protocols, TCPIP, LAN Static Routing instead.
    >
    > Craig Johnson
    > Novell Support Connection SysOp
    > *** For a current patch list, tips, handy files and books on
    > BorderManager, go to http://www.craigjconsulting.com ***
    >
    RIP is disabled
    OSPF is disabled
    I am always using INETCFG to configure the routes and some of the routes
    get saved but the ones I configured lately don't stay
    Thanks
    Mariandrea

  • NAT object with destination address exclusion (ASA)

    Hello,
    can you please advise how to make a NAT object where I want to map all traffic from one address a.b.c.d to address x.y.v.z, excluding the traffic which is going to k.l.m.n.
    It is like this BSD rule:
    map xl3 from a.b.c.d/24 ! to k.l.m.n/13 -> x.y.v.z/32
    Thank you.

    Hi,
    It seems that your original NAT rule above is a Static PAT configuration.
    It's also configured so that this translation will apply to any destination interface. I personally tend to use only the required destination interface in the "nat" command so that it doesn't apply to traffic from other interfaces.
    So to know that I am giving the right instructions, I would need to know behind which interface the destination networks are to which your example NAT should apply, and behind which interface the destination k.l.m.n address is that this NAT should not apply to.
    I am still a bit confused about the NAT configuration you have provided. It's a Static PAT configuration that is usually configured to enable connections incoming from the destination interface of the command, and it usually doesn't apply to connections formed from the source host a.b.c.d (except when it's replying to the connection coming from behind the other interface).
    If you had said that you had this Static NAT configuration (that doesn't mention the service)
    object network obj_name
    host a.b.c.d
    nat (GE0/1,any) static x.y.v.z
    Then the example would have been clearer.
    Just to give an example
    I have a Static NAT configuration that binds a local address to a public address
    object network STATIC
    host 10.10.10.10
    nat (LAN,WAN) static 1.1.1.1
    Now if the host 10.10.10.10 connects to any network behind interface "WAN" it will always have this NAT applied.
    If we want to avoid this from happening and have some certain destination IP address to which we don't want to do any translation, then we would configure
    object network DESTINATION
    host k.l.m.n
    object network HOST
    host 10.10.10.10
    nat (LAN,WAN) source static HOST HOST destination static DESTINATION DESTINATION
    The above configuration is most commonly used in situations where the host needs to be contacted from behind a VPN Client or L2L VPN Connection.
    - Jouni

  • Cisco ASA 8.2. Destination NAT (network - network)

    Hi Guys,
    Could you tell me if I can do destination NAT (class C network => class C network) on Cisco ASA running 8.2? (or another version).
    For example, will destination NAT like this work:
    static (inside,outside) 8.2.2.0 10.10.8.0 netmask 255.255.255.0
    I need that when a packet from the Internet goes to 8.2.2.X, its destination IP address will change to 10.10.8.X.
    So, if a packet goes to 8.2.2.145, the dest IP field of the packet will be changed to 10.10.8.145.
    If a packet goes to 8.2.2.1, the dest IP field of the packet will be changed to 10.10.8.1.
    Etc.
    Thanks.

    Hello,
    Yes, that is possible.. In fact that is the way it works.
    Regards,
    Julio

  • Change destination address

    Hello,
    I would like to know: would it be possible to implement, in a Catalyst 6500, that when a packet arrives with destination IP address 10.2.2.20 it is redirected to IP 10.2.2.58 (they are servers)?
    Is that possible by making some kind of NAT?
    Regards,
    S.

    Hi
    There is a function called SLB ( server load balancing ) that You can investigate. It might be what You are looking for.
    here are 2 links to start with.
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080093de3.shtml
    http://www.cisco.com/en/US/products/hw/routers/ps341/products_tech_note09186a0080134735.shtml?referring_site=bodynav
    /Mikael
