Nat (inside,outside) source dynamic any interface

Hi Everyone,
Does the config below
ASA1(config)# nat (inside,outside) source dynamic any interface
do PAT when the source is any IP from the inside interface of the ASA and going to any destination IP address?
Regards
Mahesh

Hi Mahesh,
Yes, that NAT configuration would essentially do Dynamic PAT for any host behind the "inside" interface towards any destination address routed behind "outside" interface using the PAT IP address of "outside" interface.
I would however suggest configuring the same NAT configuration by adding the "after-auto" parameter:
nat (inside,outside) after-auto source dynamic any interface
What the "after-auto" parameter does is that it moves the NAT rule to the very end of the NAT rules. It will be one of the last NAT rules matched against a new connection coming from behind "inside".
If we configured the Dynamic PAT the way you mentioned, there might be a possibility that it would override other NAT rules either now or in the future because it is at such a high priority.
- Jouni

Similar Messages

  • Nat (DMZ,outside) source dynamic any interface

    Hi Everyone,
    Need to confirm NAT  statement below
    nat (DMZ,outside) source dynamic any interface   in version 9.1.
    So above line means NAT from  DMZ  to outside.
    Need to know  that source here means that we are NATing IP from DMZ?
    any interface means NAT IP will be of outside interface IP?
    Regards
    Mahesh

    Hi Mahesh,
    The below NAT configuration
    nat (DMZ,outside) source dynamic any interface
    Means the following
    The NAT configuration is for connection between "DMZ" and "outside". Basically for connection FROM "DMZ" to "outside"
    The translation is a "dynamic" translation
    It accepts "any" source address from behind the "DMZ" interface
    It uses the "outside" "interface" IP address as the PAT address
    So it's a basic Dynamic PAT translation for the hosts behind "DMZ" interface and accepts any source address/network you might have behind "DMZ"
    - Jouni

  • Nat (inside,outside) static 200.x.x.x

    Hi Everyone,
    Say we have webserver which has internal IP of 172.16.10.10
    If we need outside users from internet who need to access the webserver on IP say  200.x.x.x
    We can config the NAT as below also
    nat (inside,outside) static 200.x.x.x
    Regards
    Mahesh

    Hi Mahesh,
    I would usually configure a normal Static NAT as Network Object NAT
    You first configure a "object network " under which you configure the source IP for the NAT configuration with the "host" command. Finally you enter the "nat" command inside/under the "object network ".
    object network STATIC
    host 172.16.10.10
    nat (inside,outside) static 200.x.x.x
    Depending on how the rest of the NAT configuration is built, some other NAT rule might override this but personally I have not had problem with configuring Static NAT this way.
    You also have an option to configure the NAT in the following way
    object network SERVER-REAL
    host 172.16.10.10
    object network SERVER-MAPPED
    host 200.x.x.x
    nat (inside,outside) source static SERVER-REAL SERVER-MAPPED
    As you can see the difference from the first way I mentioned is the fact that we use Manual NAT / Twice NAT to configure this Static NAT. We create 2 "object network " which define the real and the mapped IP address. We then use those objects in the actual "nat" configuration.
    The difference with the above 2 NAT configurations is that the Network Object NAT is on lower priority in the ASA NAT rules compared to the above Manual NAT.
    - Jouni
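
The rule ordering Jouni describes in the two answers above (a Manual NAT `source dynamic any interface` rule sitting ahead of other rules unless "after-auto" is used, and Network Object NAT being lower priority than Manual NAT), as an added example that is not part of the original posts or Cisco's code. It models source-only rules in the real-to-mapped direction using the ASA 8.3+ section order; the parser, the function names, the indented sample configs and the mapped address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
NAT_RE = re.compile(r"nat \((\S+?),(\S+?)\)\s+(.+)")


@dataclass
class NatRule:
    section: int   # 1 = Manual NAT, 2 = Network Object NAT, 3 = Manual NAT with after-auto
    real_if: str
    mapped_if: str
    kind: str      # "static" or "dynamic"
    real: str      # object name, or "any"
    line_no: int
    net: ipaddress.IPv4Network = ANY


def _order(r):
    if r.section == 2:
        # Section 2: static before dynamic, then fewest real addresses,
        # then lowest address, then object name.
        return (2, r.kind != "static", r.net.num_addresses, int(r.net.network_address), r.real)
    return (r.section, False, r.line_no, 0, "")  # Sections 1 and 3: configuration order


def parse(config):
    """Return the NAT rules of a config in the order the ASA evaluates them.
    Assumes sub-commands of an object are indented, as in 'show run' output."""
    objects, rules, current = {}, [], None
    for line_no, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["object", "network"]:
            current = words[2]
            continue
        if not raw[0].isspace():
            current = None                       # back at top level
        m = NAT_RE.match(raw.strip())
        if current and words[0] == "host":
            objects[current] = ipaddress.ip_network(words[1] + "/32")
        elif current and words[0] == "subnet":
            objects[current] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif m and current:                      # nat line under an object: Section 2
            rules.append(NatRule(2, m[1], m[2], m[3].split()[0], current, line_no))
        elif m:                                  # Manual (Twice) NAT: Section 1 or 3
            tok = m[3].split()
            section = 3 if tok[0] == "after-auto" else 1
            tok = tok[1:] if section == 3 else tok
            if tok[0] != "source" or "destination" in tok:
                raise ValueError(f"line {line_no}: form not modelled here: {raw.strip()}")
            rules.append(NatRule(section, m[1], m[2], tok[1], tok[2], line_no))
    for r in rules:
        r.net = ANY if r.real == "any" else objects[r.real]
    return sorted(rules, key=_order)


def _if_match(a, b):
    return a == b or "any" in (a, b)


def first_match(rules, src, real_if, mapped_if):
    """First rule that translates a new connection from src (real -> mapped side)."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if _if_match(r.real_if, real_if) and _if_match(r.mapped_if, mapped_if) and ip in r.net:
            return r
    return None


def shadowed(rules):
    """Pairs (earlier, later) where the earlier rule claims every real address of the later one."""
    out = []
    for i, early in enumerate(rules):
        for late in rules[i + 1:]:
            if (_if_match(early.real_if, late.real_if)
                    and _if_match(early.mapped_if, late.mapped_if)
                    and late.net.subnet_of(early.net)):
                out.append((early, late))
    return out


# Constructed sample config: the static NAT from the thread plus the Section 1 dynamic PAT.
RISKY = """\
object network STATIC
 host 172.16.10.10
nat (inside,outside) source dynamic any interface
object network STATIC
 nat (inside,outside) static 203.0.113.10
"""
# Same config with the PAT rule moved to Section 3.
FIXED = RISKY.replace("source dynamic", "after-auto source dynamic")

if __name__ == "__main__":
    for label, cfg in (("without after-auto", RISKY), ("with after-auto", FIXED)):
        rules = parse(cfg)
        hit = first_match(rules, "172.16.10.10", "inside", "outside")
        print(f"{label}: server matches Section {hit.section} {hit.kind} rule")
        for early, late in shadowed(rules):
            print(f"  line {early.line_no} shadows the NAT rule on line {late.line_no}")
```
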

  • Remote Access VPN and NAT inside interface

    Hi everyone,
    I have configured Remote VPN access.
    Inside interface and vpn pool is 10.0.0.0 subnet.
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Also i have ASA inside interface connected to R1 as below
    R1 ---10.0.0.2------------inside int  IP 10.0.0.1--------ASA
    R1 has loopback int 192.168.50.1 and ASA has static route to it.
    When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
    This ping works fine.
    Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user)
    Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
    Need to understand how this ping works without exempting 192.168.50.0 from NATing
    or
    how does nat work for above ping from 10.0.0.52 VPN user PC IP to loopback interface of R1 in regards to NATing?
    Regards
    Mahesh

    Hi Jouni,
    IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
    Letting you know that I have removed the NAT config below from inside to outside interface
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Still ping works fine from VPN client PC to IP 192.168.50.1
    Packet tracer output
    ASA1# packet-tracer input outside  icmp 10.0.0.52 8 0 192.168.50.1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.50.1    255.255.255.255 inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip any host 192.168.50.1 log
    access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: DROP
    Config:
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I can ping from PC command prompt to IP 192.168.50.1 fine.
    Here is second packet tracer
    ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 18033, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    So question is how ping from outside is working without nat exempt from inside to outside?
    So does the second packet tracer prove that I have no NAT config from loopback to outside and ping works because I have NO NAT configured?
    Regards
    Mahesh
    Message was edited by: mahesh parmar

  • Nat (inside) 0

    Friends,
    Can anyone help me?
    How do I configure "no nat" in version 8.4(4) of the ASA?
    Example:
    Local network: 192.168.135.0/24
    Remote Network: 192.168.137.0/24
    Before:
    # access-list Nonat extended permit ip 192.168.135.0 255.255.255.0 192.168.137.0 255.255.255.0
    #nat (inside) 0 access-list Nonat
    How do I do these same settings in version 8.4(4) of the ASA?
    When entering command "nat (inside) 0 access-list Nonat"
    ERROR: This syntax of nat command Has Been deprecated.
    Please refer to "help nat" command for more details.
    Is this correct?
    #object network rede-local
         #subnet 192.168.135.0 255.255.255.0
    #object network rede-remota
         #subnet 192.168.137.0 255.255.255.0
    #nat (inside,outside) source static rede-local rede-local destination static rede-remota rede-remota no-proxy-arp
    #nat (outside,inside) source static rede-remota rede-remota destination static rede-local rede-local no-proxy-arp

    You typically need only one NAT for that:
    nat (inside,outside) source static rede-local rede-local destination static rede-remota rede-remota no-proxy-arp route-lookup
    The other direction (outside,inside) is not needed. Depending on the rest of your setup you need to add the keyword "route-lookup".
    And you should read Jouni's very excellent document on ASA 8.3+ NAT:
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

  • ASA 5505 9.1 and NAT issues to single dynamic IP

    Good afternoon everybody, 
    a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
    Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP). 
    As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog :
    <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
    <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
    At the same time, the console connection shows these two messages:
    Asa5505# ERROR: NAT unable to reserve ports.
    ERROR: NAT unable to reserve ports.
    I have moved both Anyconnect VPN essentials and http ports to 10443 and 8080 respectively so port 443 should be free for nat.
    This is the configuration file, I  have marked the lines related to network objects and relative nat statements, I hope it helps to find out where's the problem.
    Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
    ASA Version 9.1(5) 
    hostname Asa5505
    domain-name home
    enable password XXXXXX encrypted
    names
    interface Ethernet0/0
     description ADSLPPoE
     switchport access vlan 2
    interface Ethernet0/1
     description Internal_LAN
    interface Ethernet0/2
     description Management_Net 
     switchport access vlan 3
    interface Ethernet0/3
     shutdown
    interface Ethernet0/4
     shutdown
    interface Ethernet0/5
     description Uplink
     switchport trunk allowed vlan 1,3
     switchport trunk native vlan 1
     switchport mode trunk
    interface Ethernet0/6
     description Wireless-POE
     switchport trunk allowed vlan 1,3
     switchport trunk native vlan 1
     switchport mode trunk
    interface Ethernet0/7
     description Webcam-POE 
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.250 255.255.255.0 
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group AliceADSL
     ip address pppoe setroute 
    interface Vlan3
     no forward interface Vlan1
     nameif management
     security-level 100
     ip address 10.5.1.250 255.255.255.0 
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 192.168.1.4
     domain-name home
    object network Exchange-HTTPS
     host 192.168.1.150
    object network Exchange-SMTP
     host 192.168.1.150
    object network Network_Inside
     subnet 192.168.1.0 255.255.255.0
    object network Network_Management
     subnet 10.5.1.0 255.255.255.0
    access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https 
    access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp 
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1492
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network Exchange-HTTPS
     nat (inside,outside) static interface service tcp https https 
    object network Exchange-SMTP
     nat (inside,outside) static interface service tcp smtp smtp 
    object network Network_Inside
     nat (inside,outside) dynamic interface
    object network Network_Management
     nat (management,outside) dynamic interface
    access-group Outside_ACL in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable 8080
    http 10.5.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access management
    vpdn group AliceADSL request dialout pppoe
    vpdn group AliceADSL localname aliceadsl
    vpdn group AliceADSL ppp authentication pap
    vpdn username aliceadsl password ***** store-local
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd dns 192.168.1.4 192.168.1.150 interface inside
    dhcpd wins 192.168.1.4 interface inside
    dhcpd enable inside
    dhcpd address 10.5.1.30-10.5.1.40 management
    dhcpd dns 208.67.222.222 208.67.220.220 interface management
    dhcpd enable management
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     port 10443
     anyconnect-essentials
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect ip-options 
      inspect netbios 
      inspect rsh 
      inspect rtsp 
      inspect skinny  
      inspect esmtp 
      inspect sqlnet 
      inspect sunrpc 
      inspect tftp 
      inspect sip  
      inspect xdmcp 
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:XXXXXXXX
    : end
    no asdm history enable
    Thanks in advance for your precious help !
    C.

    Update 29th of June :
    Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both nat rules are restored. In 9.1(5) the nat statements were removed from the running configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
    I tried using show xlate both before, during, and after the connection drop. As expected before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During disconnection, all the xlate table is clean empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If i reload the ASA using reload noconfirm every rule is restored and everything works again.
    Two brief questions :
    1) in my NAT statements for PAT, does it change anything if I modify them (for example) from 
    nat (inside,outside) static interface service tcp https https
    to
    nat (inside,outside) dynamic interface service tcp https https 
    ? Since it seems like the dynamic PAT is restored after a connection drop I was asking myself what happens if I change the rules this way.
    2) if there's not any other way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self fixing" ? I can't predict how many times a day the line drops and I can't be there 24/7 with my console cable connected in order to restore the nat statements ^^
    Thank you for your precious help and patience !
    C.

  • Question about NAT Inside Source, Inside Destination, and Outside Source

    I read the Cisco command references about "ip nat inside source", "inside destination", and "outside source", but couldn't get a clear understanding of how to associate the commands with "ip nat inside" and "ip nat outside" configured for interfaces.
    Does "ip nat inside source ..." translation only happen on the interface configured as "ip nat inside"?
    Since NAT is a bidirectional action, what's the difference between "ip nat inside source ..." and "ip nat inside destination ..."?
    I've never used "ip nat outside source ...". In what cases would it be needed?
    On an interface where there are NAT translation and also other actions such as policy map or IP Sec crypto map, would NAT happen before or after other actions?
    Thanks for help with any questions.
    Gary

    Hi Gary,
    The following documents may help you to understand some of the terminology:
    http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
    http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml
    Also, the following document has a clear explanation of the order of operations when using NAT:
    http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
    Hope that helps - pls rate the post if it does.
    Paresh

  • NAT (INSIDE To OUTSIDE)

    I need Configuration of this topology
    At Outside Router
    int f0/0
    ip add 10.1.1.2 255.255.255.0
    At Inside Router
    int f0/0
    ip add 192.168.1.2 255.255.255.0
    At ASA
    int e0
    ip add 10.1.1.1 255.255.255.0
    int e1
    ip add 192.168.1.1 255.255.255.0
    I want NAT from inside to outside and also need ACL configuration and attached diagram.
    and version of ASA is 8.2
    Navaz       
    Message was edited by: Navaz Wattoo

    THIS MY ASA CONFIGURATION
    ciscoasa(config)# sh running-config
    : Saved
    ASA Version 8.0(2)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list OUT extended permit tcp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
    access-group OUT in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000
    : end
    ciscoasa(config)#
    THIS MY OUTSIDE ROUTER CONFIGURATION
    R1(config)#do sh run
    Building configuration...
    Current configuration : 877 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ip domain lookup
    ip domain name lab.local
    multilink bundle-name authenticated
    interface FastEthernet0/0
    ip address 10.1.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip route 192.168.1.0 255.255.255.0 10.1.1.1
    no ip http server
    no ip http secure-server
    logging alarm informational
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    end
    R1(config)#
    THIS MY INSIDE ROUTER CONFIGURATION
    R2(config)#do sh run
    Building configuration...
    Current configuration : 880 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ip domain lookup
    ip domain name lab.local
    multilink bundle-name authenticated
    interface FastEthernet0/0
    ip address 192.168.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip route 10.1.1.0 255.255.255.0 192.168.1.1
    no ip http server
    no ip http secure-server
    logging alarm informational
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    end
    R2(config)#
    Navaz

  • Ip nat outside source static

    I'm struggling to figure out why you would need the 'ip nat outside source static' command. The 'inside source static' makes perfect sense, but why the outside. In what type of scenario would you use it?
    Any help would be appreciated

    h1 (192.168.10.2)  -> R1 -> (ip nat inside)  R2 (ip nat outside)  -> R3 -> s1 (172.16.5.2)
    On R2
    ip nat outside source static 192.168.11.2  172.16.5.2
    would mean -
    h1 would send traffic to 192.168.11.2  and the destination IP would be translated to 172.16.5.2 and if s1 sends traffic to h1 the source IP would be 192.168.11.2.
    One reason to do this would be, using the above example, your internal network uses 192.168.x.x IP addressing and you do not want to have to advertise the 172.16.5.x IP within your network.
    So instead you choose an unused 192.168.x.x IP and as long as R1 routes traffic for that IP to R2 it is then translated to 172.16.5.2 on R2 which means your internal routers do not need to have external IP addresses in their routing tables.
    Jon

  • I have an iMac5,1 with an intel processor.  For the last month or so, whenever I play a video from an outside source - e.g. YouTube, the picture jumps and breaks-up.  All of my software is up-to-date.  Any thoughts on how to fix this problem?

    I have an iMac5,1 with an intel processor.  For the last month or so, whenever I play a video from an outside source - e.g. YouTube, the picture jumps and breaks-up.  All of my software is up-to-date.  Any thoughts on how to fix this problem?

    You're welcome. As to checking speed go to http://speedtest.net/ and it will choose the closest server for you. BTW, whatever you do, don't click on the robot icon that says "Start Scan" or MacKeeper below that. Only use the speed test in the middle that has the button BEGIN TEST on it. It will run a download speed test first and then an upload speed test. The download test will give a much faster response.

  • ASA5510 - Verifying NAT is fully disabled between two interfaces

    Hello,
    I am trying to configure two inside interfaces without NAT. I am not using nat-control and I have added exemptions for the two networks. I can communicate between the two networks and to the Internet just fine.
    I would like to verify that NAT is disabled between the two interfaces. I also need to make sure that the Interface IP (specifically for the traffic from inside-test to  the inside network) is not added to packets between the two networks. I would like to be able to verify this as well. In other words I need to have the Source IP address from the originating connection on the inside-test network passed along through to the Inside network device without being replaced by the Interface's IP address. This is a test config for a production environment that will be using a load balancer. The config I have may be working in this regard and the load balancer may be replacing this IP address (that is what I am trying to test), but I am not certain.
    So far I have the following NAT related running-config command (in regards to these two interfaces):
    access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 interface inside
    access-list NAT_Exempt extended permit ip 192.168.3.0 255.255.255.0 interface Inside-test
    access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list NAT_Exempt_2 extended permit ip 192.168.12.0 255.255.255.0 interface inside
    access-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 interface Inside-test
    access-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
    nat (inside) 0 access-list NAT_Exempt_2
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (Inside-test) 0 access-list NAT_Exempt
    nat (Inside-test) 1 0.0.0.0 0.0.0.0
    global (outside) 1 interface
    global (Inside-test) 1 interface
    Let me know if more information is needed for you to assist me further.
    Thank you.

    Thank you Jennifer for your responses.
    Do I need to include access-list commands for both directions for each interface as listed in my full config above, or do I just need one for one direction on one and one direction on the other interface (plus the exempt for the 69.x.x.x network)?
    Would this config suffice?
    access-list NAT_Exempt_2 permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list NAT_Exempt_2 permit ip 192.168.3.0 255.255.255.0 69.87.157.192 255.255.255.224
    access-list NAT_Exempt permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list NAT_Exempt permit ip 192.168.12.0 255.255.255.0 69.87.157.192 255.255.255.224
    nat (inside) 0 access-list NAT_Exempt_2
    nat (inside-test) 0 access-list NAT_Exempt
    Will I need to clear xlate to see the results of this or will this take effect immediately? I can't really do that during business hours, but should be able to after hours if I need to.
    Can you clarify what the global commands do? I keep thinking that it adds the IP of the Interface to packets as they go through the interface and that I should use a different config for the Inside-test network.
    I will try the xlate detail to verify and let you know what I find.
    Thank you.

  • Dynamic user interfaces

    Hello,
    here's a little teaser for user interface experts out there:
    I wonder what kind of techniques ABAP offers for creating dynamic user interfaces.
    When talking of 'dynamic' I imagine something like an arbitrary number of 'containers' where other programs (classes f.ex.) can draw their own user interface into.
    In Java this could be realized with the container concept in swing.
    I have done some research on this topic and the results are so far:
    a plain dynpro: seems to have no dynamic at all -> not an option
    a plain dynpro with a tabstrip: in case the number of tabs CAN be set at runtime AND the subscreens CAN be drawn from inside separate classes -> a definite option otherwise not an option
    any kind of web-frontend (BSP, JSP etc.): web-frontends are not allowed by company restrictions -> not an option
    dynamic documents: I could not find much information on these yet (also not on sdn). In case that an arbitrary number of parts of the dynamic document can be created from inside separate classes -> an option otherwise not an option
    I will be happy about any further information on this topic.
    Best regards,
    Patrick Baer

    I spent some time today doing research on BSP's and built a "BSP-Viewer" embedded into the SAP-GUI. Though I like the concept of BSP's a lot (like I did already with JSP's), company restrictions are too strict. So BSP's are out of the play.
    After the discussion I started to play around with the different containers and basically I'm quite pleased with them and the "cl_gui_container_bar" allows an arbitrary number of "subscreens" which matches my requirements.
    But as usual there's still a downside:
    I found no option to build text labels and text fields into a container. Unless this is possible I can't give this approach a chance. I already found some postings which seemed to confirm that this is in fact not possible but I can't really believe it. At least from what it looks like it seems to me that the object navigator utilizes both: splitters, containers and all the stuff AS WELL AS the "classical" elements like text boxes, labels and so on.
    Any ideas on how to combine the container concept with text fields, labels maybe whole dynpros or subscreens ?
    Best regards,
    Patrick Baer

  • Performance checking inside the source code

    performance checking inside the source code who to check it.
    thanks and regards
    chandra sekhar

    I guess you are asking how to check it, then here is the answer
    SQL Trace transaction ST05
    The trace list has many lines that are not related to the SELECT statement in the ABAP program. This is because the execution of any ABAP program requires additional administrative SQL calls. To restrict the list output, use the filter introducing the trace list.
    The trace list contains different SQL statements simultaneously related to the one SELECT statement in the ABAP program. This is because the R/3 Database Interface - a sophisticated component of the R/3 Application Server - maps every Open SQL statement to one or a series of physical database calls and brings it to execution. This mapping, crucial to R/3's performance, depends on the particular call and database system. For example, the SELECT-ENDSELECT loop on the SPFLI table in our test program is mapped to a sequence PREPARE-OPEN-FETCH of physical calls in an Oracle environment.
    The WHERE clause in the trace list's SQL statement is different from the WHERE clause in the ABAP statement. This is because in an R/3 system, a client is a self-contained unit with separate master records and its own set of table data (in commercial, organizational, and technical terms). With ABAP, every Open SQL statement automatically executes within the correct client environment. For this reason, a condition with the actual client code is added to every WHERE clause if a client field is a component of the searched table.
    To see a statement's execution plan, just position the cursor on the PREPARE statement and choose Explain SQL. A detailed explanation of the execution plan depends on the database system in use.

  • Auto NAT and outside pool ip address

    Hi Everyone,
    If I do Auto NAT from the DMZ interface to the outside interface using the config below
    object network Auto_NAT
    subnet 192.168.70.0 255.255.255.0                           *********************DMZ  subnet
    description Auto NAT  DMZ Interface
    object network Outside_pool
    range 192.168.51.3 192.168.51.100
    object network Auto_NAT
    nat (DMZ,outside) dynamic Outside_pool
    My outside interface has an IP of 192.168.71.2.
    I am unable to access the internet using the above config.
    When I change the range in Outside_pool to 192.168.71.3 192.168.71.100, I am able to access the internet.
    Does this mean that when using auto NAT with dynamic NAT, the outside pool range should be in the same subnet as the outside interface IP address?
    Regards
    MAhesh

    Hi  Julio,
    Thanks  for replying back
    ciscoasa# sh cap capdmz
    4 packets captured
       1: 23:36:38.000350       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
       2: 23:36:42.849779       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
       3: 23:36:47.841860       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
       4: 23:36:52.849428       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo request
    4 packets shown
    ciscoasa# sh cap capout
    36 packets captured
       1: 22:03:42.616057       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
       2: 22:03:47.348538       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
       3: 22:03:52.340741       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
       4: 22:03:57.348233       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
       5: 22:06:25.034544       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
       6: 22:06:29.839144       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
       7: 22:06:34.846864       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
       8: 22:06:39.838854       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
       9: 22:08:08.405313       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      10: 22:08:13.345929       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      11: 22:08:18.337842       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      12: 22:08:23.345486       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      13: 22:08:28.337491       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      14: 22:51:16.824237       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      15: 22:51:21.333799       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      16: 22:51:26.333066       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      17: 22:51:31.334409       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      18: 22:52:32.936276       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      19: 22:52:37.844743       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      20: 22:52:42.834734       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      21: 22:52:47.834185       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      22: 22:52:52.834307       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      23: 22:52:57.834643       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      24: 22:53:02.834917       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      25: 22:53:07.834246       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      26: 22:53:12.834536       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      27: 22:53:17.845979       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      28: 22:53:22.834154       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      29: 22:53:27.834475       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      30: 22:53:32.834780       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      31: 22:53:37.834078       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      32: 22:53:42.833422       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo request
      33: 23:36:38.000671       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
      34: 23:36:42.850084       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
      35: 23:36:47.842104       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
      36: 23:36:52.849733       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo request
    36 packets shown
    ciscoasa#
    Regards
    Mahesh
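
    Added example, not part of the original post: a small parser for ASA `show capture` ICMP output that rejoins terminal-wrapped lines, pairs echo requests across the ingress and egress captures by timestamp to recover the real-to-mapped source address, and lists requests that never got a reply. The function names and the 5 ms pairing window are assumptions; the sample lines reuse values from the post.

```python
import re

# Sample lines with values from the post, wrapped as an 80-column terminal prints them.
CAP_DMZ = """\
   1: 23:36:38.000350       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo
request
   2: 23:36:42.849779       802.1Q vlan#3 P0 192.168.70.6 > 4.2.2.2: icmp: echo
request
"""
CAP_OUT = """\
  32: 22:53:42.833422       802.1Q vlan#1 P0 192.168.72.56 > 4.2.2.2: icmp: echo
request
  33: 23:36:38.000671       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo
request
  34: 23:36:42.850084       802.1Q vlan#1 P0 192.168.72.73 > 4.2.2.2: icmp: echo
request
"""

PKT = re.compile(r"\s*\d+: (\d+):(\d+):([\d.]+)\s+802\.1Q vlan#\d+ P\d+ "
                 r"(\S+) > (\S+): icmp: echo (request|reply)")

def parse_capture(text):
    """Return (seconds, src, dst, kind) tuples, rejoining wrapped lines first."""
    # A newline not followed by "<packet number>: " is a terminal wrap, not a new packet.
    joined = re.sub(r"\n(?!\s*\d+: )", " ", text.strip())
    packets = []
    for line in joined.splitlines():
        m = PKT.match(line)
        if m:
            h, mi, s, src, dst, kind = m.groups()
            packets.append((int(h) * 3600 + int(mi) * 60 + float(s), src, dst, kind))
    return packets

def infer_xlate(ingress, egress, window=0.005):
    """Map real source -> translated source: same destination, egress copy
    seen within `window` seconds after the ingress copy (assumed threshold)."""
    mapping = {}
    for t_in, src, dst, kind in ingress:
        for t_out, msrc, mdst, mkind in egress:
            if kind == mkind == "request" and dst == mdst and 0 <= t_out - t_in <= window:
                mapping[src] = msrc
    return mapping

def unanswered(egress):
    """Echo requests on the egress side with no later reply back to the mapped IP."""
    reqs = [p for p in egress if p[3] == "request"]
    reps = [p for p in egress if p[3] == "reply"]
    return [q for q in reqs
            if not any(r[0] > q[0] and r[1] == q[2] and r[2] == q[1] for r in reps)]
```

    A non-empty mapping together with every request unanswered means translation is happening and the replies are not arriving at the outside interface, so the return path to the mapped address is the place to look.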

  • Nat (inside) 0 access-list NoNAT_inside

    Can someone explain what the following does on my PIX firewall?
    nat (inside) 0 access-list NoNat_Inside
    access-list NoNat_Inside line 1 permit ip lan 255.255.0.0 dmz 255.255.255.0
    Lan = 10.10.0.0
    DMZ= 172.172.172.0
    I am under the impression it denies the DMZ from being NATed as I can't access the internet directly from a server within the DMZ.
    Kind regards,
    Jake

    That exempts traffic from LAN and DMZ and vice versa from being NATed.
    If you would like to access internet from a server in DMZ, then you would need to configure NAT statement on DMZ:
    nat (dmz) 1 172.172.172.0 255.255.255.0
    Assuming that you already have "global (outside) 1 interface", or "global (outside) 1 " command.
