NAT destination IP address
I have this topology:
A ------ ASA -------- B
A's real IP is 1.1.1.1
B's real IP is 2.2.2.2
B's mapped IP is 3.3.3.3
How do I NAT it so that when A tries to connect to 3.3.3.3, the destination is translated to 2.2.2.2, but at the same time, when B connects to A, it uses its real IP of 2.2.2.2 and is not NATed?
I have a problem where A is getting its DNS information from an external server which is resolving it to an external IP address.
Thank you in advance!
I think I found the answer. The "unidirectional" keyword is what I needed.
nat (outside,inside) source static any any destination static MAPPED REAL unidirectional
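To make the effect of the "unidirectional" keyword concrete, here is an added toy model (my own Python, not ASA code and not from anyone in this thread) that evaluates the twice-NAT rule above in both variants; the interface names and the MAPPED/REAL addresses are taken from the question, everything else is an assumption of the model.

```python
"""Toy model of one ASA twice-NAT rule (constructed for this thread, not ASA code).

Rule modelled: nat (outside,inside) source static any any
                   destination static MAPPED REAL [unidirectional]
"""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class TwiceNatRule:
    in_if: str            # interface the original (forward) packet enters on
    out_if: str           # interface it leaves on
    src_real: str         # "any" means identity translation
    src_mapped: str
    dst_mapped: str       # destination as the sender sees it (MAPPED)
    dst_real: str         # destination after translation (REAL)
    unidirectional: bool = False

@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str

def _hits(addr: str, pattern: str) -> bool:
    return pattern == "any" or addr == pattern

def _xlate(addr: str, frm: str, to: str) -> str:
    # "source static any any" leaves the address untouched
    return addr if frm == "any" or to == "any" else to

def apply_rule(rule: TwiceNatRule, pkt: Packet) -> Optional[Tuple[str, str, str]]:
    """Return (egress interface, new src, new dst), or None when the rule does not apply."""
    # Forward direction: A (outside) -> MAPPED is rewritten to REAL on its way inside.
    if pkt.in_if == rule.in_if and _hits(pkt.src, rule.src_real) and _hits(pkt.dst, rule.dst_mapped):
        return (rule.out_if,
                _xlate(pkt.src, rule.src_real, rule.src_mapped),
                _xlate(pkt.dst, rule.dst_mapped, rule.dst_real))
    # Reverse direction: without "unidirectional" a static rule also matches
    # connections that B initiates, so B's real source would leave as MAPPED.
    if (not rule.unidirectional and pkt.in_if == rule.out_if
            and _hits(pkt.src, rule.dst_real) and _hits(pkt.dst, rule.src_mapped)):
        return (rule.in_if,
                _xlate(pkt.src, rule.dst_real, rule.dst_mapped),
                _xlate(pkt.dst, rule.src_mapped, rule.src_real))
    return None

# Addresses from the question; the rule objects are constructed for the demo.
A, B_REAL, B_MAPPED = "1.1.1.1", "2.2.2.2", "3.3.3.3"
UNI = TwiceNatRule("outside", "inside", "any", "any", B_MAPPED, B_REAL, unidirectional=True)
BI = TwiceNatRule("outside", "inside", "any", "any", B_MAPPED, B_REAL, unidirectional=False)

def demo() -> dict:
    """Compare how a B-initiated connection fares under each variant."""
    return {
        "A_to_mapped_uni": apply_rule(UNI, Packet("outside", A, B_MAPPED)),
        "B_to_A_uni": apply_rule(UNI, Packet("inside", B_REAL, A)),  # None: B keeps 2.2.2.2
        "B_to_A_bi": apply_rule(BI, Packet("inside", B_REAL, A)),    # source becomes 3.3.3.3
    }
```

The model ignores routing and object-group semantics; it only shows why the bidirectional form would rewrite B's own outbound source and the unidirectional form does not.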
Similar Messages
-
Access another host on same subnet through Nat'd IP address
I appreciate any help in advance. I have a requirement to monitor a host's external IP address. The monitoring host (host A) initiating the request is located in the same DMZ subnet as the destination host (host B) I want to monitor, and both are NAT'd to external IP addresses. I was expecting to see a request going out from host A, getting NAT'd to its respective external IP address and then coming back in through the external interface to reach the NAT'd IP address of host B. Is this how NAT will be handled by the ASA, or am I missing something here? Thanks again.
Borman,
It's more complicated than that; consider the following scenario:
                  20.20.20.0/24
ASA------------------------------Internet
 | (DMZ)
Switch
Host A              Host B
10.1.1.10           10.1.1.100
                    20.20.20.20 (NAT outside address)
Basically you want to monitor your host B using its public IP address, normally your NAT configuration (in case of version 8.2 and prior) would be something like this:
nat (DMZ,outside) 20.20.20.20 10.1.1.100
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
When going from Host A to host B, two translations should occur. First is the untranslate from 20.20.20.20 to 10.1.1.100 (by an internal process of the ASA); once it is untranslated, the route lookup comes into play. The firewall notices that the destination is on the same interface as the source of the packet, so we reach our first impasse: the ASA does not support same-security traffic by default. So we overcome this issue with the following command:
same-security-traffic permit intra-interface
Now that that is done, we move to the next packet process: the ASA checks whether there is any NAT translation for a packet coming from the DMZ and going to the same DMZ. As you can see there is a "nat (DMZ) 1 0.0.0.0 0.0.0.0", which tells the firewall that everything coming from the DMZ should be translated. We hit that NAT, and since the outgoing interface is the same as the source interface (DMZ) there is no global command, hence you will see an error that states "No translation group found". Here is how we overcome that issue:
global (DMZ) 1 interface
This will translate requests from the DMZ interface going to that same interface to the DMZ interface IP address. On the server 10.1.1.100 the connection will be seen as if it came from the firewall, so the packets will be sent back to the firewall, hence avoiding asymmetric routing.
If running version 8.3 or higher, the concept is the same, but the commands change a bit.
8.3
same-security-traffic permit intra-interface
object network Server_Public
host 20.20.20.20
object network Server_Private
host 10.1.1.100
object network Any
subnet 0.0.0.0 0.0.0.0
nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
So, bottom line, the configuration needed on 8.2:
global (outside) 1 interface
same-security-traffic permit intra-interface
Configuration for 8.3:
same-security-traffic permit intra-interface
object network Server_Public
host 20.20.20.20
object network Server_Private
host 10.1.1.100
object network Any
subnet 0.0.0.0 0.0.0.0
nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
Hope this helps a bit.
Mike -
Trusted RFC and Remote logon not possible due to Nat'd IP addresses
Hi,
We are trying to connect our SolMan 4 to our customer's ECC 6 and BI 7 systems. The systems are off site and the IP addresses for the customer's systems are NAT'd when they come in and go out from our network.
The problem we get is that we cannot set up Trusted Systems or Remote Logon to these systems due to issues with the NATing of the IP addresses. We can set up all standard RFCs after adding the appropriate addresses into the hosts file, and they work fine. But the trusted RFC does not set up properly and the BACK RFC from the satellite system does not get set up properly. What appears to happen is that when you try to start a remote session, SAP goes to the satellite system and finds the instance name and the local IP address rather than the NAT'd IP address, and tries to open a session from there. I found this by going into the trusted RFC in SM59 and then going to Extras, System Information, Target System; this then tells me the Target System information, where it shows the System ID and IP address (which is the incorrect IP address).
Anyone know how we can get the system to have the correct IP address in the target system information so that we can get Remote Logons to work??
Cheers
Hi Carl,
Based on your explanation about NATing, how will the RFC determine to connect to SolMan's internal IP after it has been directed to the IP for the router connection?
I feel it is like configuring a jump of RFCs from one IP to another in a single chain.
Can this be done?? I mean we have to specify an IP in the RFC connection, right.. so how will the automatic jumping of IPs be done?
Sorry, not answering the question, but it's very interesting and I wanted to know.
Also went through note # 148832; it might help.
Regards,
Kaustubh.
Edited by: Kaustubh Krishna on Aug 13, 2009 12:17 PM -
I work for a large enterprise organisation with dual-layer firewalls. The Apple article titled "Allowing well known ports through the firewall" does not provide enough information on what the destination IP addresses of the Apple servers which host Apple iCloud services are.
Does anyone have information on the destination Apple IP addresses, so that I can lock down my firewall rules just so that Apple devices access Apple services on the Internet?
Many thanks
One option is to use the "connection-reuse" CLI under sip-ua configuration mode.
sip-ua
connection-reuse
This will enable the 7200 to create a connection with source and destination udp port number set to 5060. This feature is available in IOS 12.4(25d) which requires minimum of 256 / 512MB DRAM (depends on the feature set) and flash of 48 MB. -
Hi, I'm currently on Infinity 2 with a Hub 5 router. Basically I use OpenDNS on both my desktop and laptop with the IP updater software. Anyway, recently I had an issue where other people seemed to be affected by my DNS settings even though I'm in Northern Ireland and they are in England. Following a fair amount of investigation by OpenDNS support and tests from my PC, they believe I'm on a NAT'd IP address. Can this be looked into by someone in support? This issue occurred around 2 weeks ago.
This picture will show if you are on CG-NAT.
http://forumhelp.dyndns.info/networking/cgnat.jpg
and this is how to check and opt out: http://btsupport.custhelp.com/app/answers/detail/a_id/44044/c/6433
-
Permit / Allow email from a Source email address to destination email address
I need to permit all emails from a specific source email address to a specific destination email address within IronPort. How can this be achieved? I am inclined to use the outgoing mail policy, but I need to permit specific source and destination email addresses.
The @icloud.com address is additional to your existing @me.com address: both deliver into the same inbox, and there is absolutely no need to use the @icloud.com address if you don't want to - you can go on using the @me.com one exactly as before.
-
Setting up static nat for ip addresses
We recently switched to a verizon fios line. Our company has two offices (CA, NC). There are servers in NC that we need to be able to print to printers in CA.
We have 5 static IPs from Verizon; I set 3 of the remaining IPs as static NAT to the private IPs of the printers. I cannot ping these static public IPs. I even have the port forwarding for UDP/TCP set to any for both the source and destination ports.
Can anyone help me as to why I cannot ping these IP addresses?
I can ping the private IPs from the private network (CA) that the printers are on.
No, it does not. But they are working this morning. Maybe the DNS needed to propagate? Not sure, but it works now.
-
Site to Site VPN with Natting Internal IP address range?
This is our actual internal LAN address: 10.40.120.0/26 (internal range), and I want to translate it to
Translated address: 10.254.9.64 255.255.255.192 (internal)
Our remote local address is: 10.254.5.64 255.255.255.192 (remote site internal IP address range)
Based on the above parameters I did this configuration:
access-list outside_cryptomap permit ip 10.254.9.64 255.255.255.192 10.254.5.64 255.255.255.192
access-list policy-nat permit ip 10.40.120.0 255.255.255.192 10.254.5.64 255.255.255.192
static (inside,outside) 10.254.9.64 access-list policy-nat
I have all the Phase 1 and Phase 2 parameters required and the peer public IP address.
I had set up a VPN using ASDM before, but this scenario is new for me; all I am wondering is whether there is anything else I need to configure to successfully set up the VPN.
Hi mate,
yeah, issue on the far site: they weren't allowing access to the port we are trying to access, and they made it up and we are good to go now,
One thing I am worried about is that only one IP address is able to access the resources. I mean I created an address range of 192.168.x.0/26, however only 192.168.x.3, one of our servers, is able to access the far site; haven't got a clue.
config is as follows:
access-list pp-vpn extended permit ip 10.254.7.64 255.255.255.192 10.254.6.64 255.255.255.192
access-list policy-nat---- extended permit ip 192.168.x.0 255.255.255.192 10.254.6.64 255.255.255.192
static (inside,outside) 10.254.7.64 access-list policy-nat
crypto ipsec transform-set esp-aes256-sha esp-md5-hmac
crypto map outside_map 20 match address pp-vpn
crypto map outside_map 20 set peer 172.162.1.2
crypto map outside_map 20 set transform-set vpn1
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp policy 65 encyptio
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel type ipsec-l2l
tunnel-group 172.162.1.2 ipsec-attributes
pre-shared-key *
Thank you immensely for all your assistance
ven -
nat (inside) 2 0.0.0.0 0.0.0.0
global (outside) 2 202.1.1.2
access-list acl extended permit ip any host 202.1.1.2
access-list policy extended permit ip 10.10.10.1 192.168.1.1
global (inside) 5 172.16.1.1 netmask 255.255.255.255
nat (outside) 5 access-list policy
The requirement is that whenever the LAN IP goes out it should be NATed to 202.1.1.2,
and whenever the source 10.10.10.1 goes to 192.168.1.1 the destination IP should be changed to 172.16.1.1.
Does it work?
Yes, you have the configuration correct. It should work. But you need to add the outside keyword in the nat statement.
access-list policy extended permit ip host 10.10.10.1 host 192.168.1.1
global (inside) 5 172.16.1.1 netmask 255.255.255.255
nat (outside) 5 access-list policy outside
Thanks,
Varun -
Tuning signature - set number of destination IP addresses
Any way to set an IDS signature to fire only if the same source address is scanning more than, say, 50 different destinations in a given time like 10 minutes?
I guess you can do this using the 'custom signature' wizard in the IDM. I do not remember the available options, but you might see them once you get there.
-
Change Lync 2013 Edge Server Natted public ip addresses
We changed the public IP addresses for the Lync 2013 Edge. I changed only the A/V Edge service NAT-enabled public IPv4 address to the new public IP address,
published the topology,
ran the
Invoke-CsManagementStoreReplication command,
and restarted the Edge server.
What else do I need to do to solve it?
Error:
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.*****.com on port 5061.
The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Hi,
Please re-run Step 2-Setup or Remove Lync Server Components after changing IP in topology.
Kent Huang
TechNet Community Support -
Routes, NAT & Sec IP Address lost at reboot
Hi
I don't know if this is the correct forum but I have BM installed
I have a NW 6.5sp1 BorderManager 3.8. Every time I reboot the server I lose the configuration of one of my entries in the static routing table. The NAT is set up to dynamic and it is lost just sometimes. The secondary IP addresses are commented in the autoexec.ncf (I don't want them anymore) and they are configured after each reboot even if I comment them.
tcpcfg.nlm Version 6.50.24
inetcfg Version 6.50.19
Any HELP would be really appreciated
Best Regards
Mariandrea
> In article <U7Qhc.870$[email protected]>, wrote:
> > But I still don't know what to do with the problem of my route, it keeps
> > disappearing every time I boot my server. All other routes are OK, it is
> > just one that I configured last week
> >
> Do you have rip or ospf enabled?
>
> Are you setting routes with TCPCON (which does not make permanent changes)?
> Use INETCFG, Protocols, TCPIP, LAN Static Routing instead.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***
>
RIP is disabled
OSPF is disabled
I am always using INETCFG to configure the routes, and some of the routes get saved, but the one I configured lately doesn't stay.
Thanks
Mariandrea -
NAT object with destination address exclusion (ASA)
Hello,
can you please advise how to make a NAT object where I want to map all traffic from one address a.b.c.d to address x.y.v.z, excluding the traffic which is going to k.l.m.n.
It is like this BSD rule:
map xl3 from a.b.c.d/24 ! to k.l.m.n/13 -> x.y.v.z/32
Thank you.
Hi,
It seems that your original NAT rule above is a Static PAT configuration.
It's also configured so that this translation will apply to any destination interface. I personally tend to use only the required destination interface in the "nat" command so that it doesn't apply to traffic from other interfaces.
So, to know that I am giving the right instructions, I would need to know behind which interface the destination networks are to which your example NAT should apply, and behind which interface the destination k.l.m.n address is that this NAT should not apply to.
I am still a bit confused by the NAT configuration you have provided. It's a Static PAT configuration that is usually configured to enable connections incoming from the destination interface of the command, and it usually doesn't apply to connections formed from the source host a.b.c.d (except when it's replying to a connection coming from behind the other interface).
If you had said that you had this Static NAT configuration (that doesn't mention the service):
object network obj_name
host a.b.c.d
nat (GE0/1,any) static x.y.v.z
Then the example would have been clearer.
Just to give an example:
I have a Static NAT configuration that binds a local address to a public address:
object network STATIC
host 10.10.10.10
nat (LAN,WAN) static 1.1.1.1
Now if the host 10.10.10.10 connects to any network behind interface "WAN" it will always have this NAT applied.
If we want to avoid this from happening and have some certain destination IP address to which we don't want to do any translation, then we would configure:
object network DESTINATION
host k.l.m.n
object network HOST
host 10.10.10.10
nat (LAN,WAN) source static HOST HOST destination DESTINATION DESTINATION
The above configuration is most commonly used in situations where the host needs to be contacted from behind a VPN Client or L2L VPN connection.
- Jouni -
Cisco ASA 8.2. Destination NAT (network - network)
Hi Guys,
Could you tell me if I can do destination NAT (class C network => class C network) on a Cisco ASA running 8.2 (or another version)?
For example, will destination NAT like this work:
static (inside,outside) 8.2.2.0 10.10.8.0 netmask 255.255.255.0
I need that when a packet from the Internet goes to 8.2.2.X, its destination IP address is changed to 10.10.8.X.
So, if a packet goes to 8.2.2.145 , the dest IP field of the packet will be changed to 10.10.8.145.
If a packet goes to 8.2.2.1, the dest IP field of the packet will be changed to 10.10.8.1.
Etc.
Thanks.
Hello,
Yes, that is possible. In fact, that is the way it works.
Regards,
Julio -
Hello,
I would like to know: is it possible to implement in a Catalyst 6500 that, when a packet arrives with destination IP address 10.2.2.20, it is redirected to IP 10.2.2.58 (they are servers)?
Is that possible using some kind of NAT?
Regards,
S.
Hi
There is a function called SLB (server load balancing) that you can investigate. It might be what you are looking for.
Here are 2 links to start with.
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080093de3.shtml
http://www.cisco.com/en/US/products/hw/routers/ps341/products_tech_note09186a0080134735.shtml?referring_site=bodynav
/Mikael