Nat inside to outside, IP not in same subnet as outside IP

I already posted this but can't seem to find the post now, so I'm re-posting.
We have 10 IPs being NAT'd, all working OK. I need a server's outbound source address to be translated to an IP that is not in the same subnet as the outside IP:
Outside IP = 193.xxx.xxx.99/23
Translated IP = 195.xxx.xxx.64/24
I have created the NAT rule to translate the traffic source address from 192.168.2.55 to 195.xxx.xxx.64. Packet trace shows it getting through, but this is not working in practice. The host that I have set the NAT rule up for can no longer access the WAN.
Is this possible on an ASA?

It should work. I'd run a capture on the outside and see if the packet is leaving the ASA and whether it's coming back or not. If it is, then it's the ASA config within the NAT, and you need to look at the proxy-arp parameter. If the packet doesn't come back, then it may be the router outside the ASA. You might need to take care of a manual ARP entry (ASA outside MAC and the new translated IP) and the routing for the new subnet back to the ASA outside IP.
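
The check behind this answer, as an added example that is not part of the original thread: it reads a constructed ASA 8.3+ snippet and reports, for each object static NAT, whether the mapped address is on-link to the egress interface or needs an upstream route. The interface addresses, object names and mapped IPs are documentation-range assumptions, since the thread masks its own.

```python
import ipaddress

# Constructed config: outside is a /23, one mapped IP falls inside it and
# one comes from an unrelated /24 (the situation described in the question).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.99 255.255.254.0
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
object network SRV-ONLINK
 host 192.168.2.54
 nat (inside,outside) static 198.51.101.20
object network SRV-OFFLINK
 host 192.168.2.55
 nat (inside,outside) static 203.0.113.64
"""


def parse_interfaces(config):
    """Map each nameif to its ip_interface (address plus connected network)."""
    nameif, result = None, {}
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4:
            result[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
    return result


def parse_static_nat(config):
    """Return (object, mapped_if, mapped_ip) for each object static NAT."""
    obj, rules = None, []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            obj = tok[2]
        elif not line[0].isspace():
            obj = None  # an unindented line ends the object sub-mode
        elif obj and tok[0] == "nat" and len(tok) >= 4 and tok[2] == "static":
            mapped_if = tok[1].strip("()").split(",")[1]
            try:
                mapped = ipaddress.ip_address(tok[3])
            except ValueError:
                continue  # mapped to "interface" or to a named object
            rules.append((obj, mapped_if, mapped))
    return rules


def audit(config):
    """Classify every mapped address as on-link or off-link on its egress."""
    ifaces = parse_interfaces(config)
    findings = []
    for obj, mapped_if, mapped in parse_static_nat(config):
        egress = ifaces.get(mapped_if)
        if egress is None:
            continue
        if mapped in egress.network:
            # Upstream devices ARP for this address; the ASA can answer.
            findings.append((obj, str(mapped), "on-link",
                             "ASA proxy ARP answers for it on " + mapped_if))
        else:
            # Nobody ARPs for it on this segment, so replies only return
            # if the upstream router is told where to send them.
            findings.append((obj, str(mapped), "off-link",
                             f"upstream needs a route for {mapped}/32 via "
                             f"{egress.ip} (or a static ARP entry)"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```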

Similar Messages

  • Nat (inside,outside) static 200.x.x.x

    Hi Everyone,
    Say we have webserver which has internal IP of 172.16.10.10
    If we need outside users from internet who need to access the webserver on IP say  200.x.x.x
    We can config the NAT as below also
    nat (inside,outside) static 200.x.x.x
    Regards
    Mahesh

    Hi Mahesh,
    I would usually configure a normal Static NAT as Network Object NAT
    You first configure a "object network " under which you configure the source IP for the NAT configuration with the "host" command. Finally you enter the "nat" command inside/under the "object network ".
    object network STATIC
    host 172.16.10.10
    nat (inside,outside) static 200.x.x.x
    Depending on how the rest of the NAT configuration is built, some other NAT rule might override this but personally I have not had a problem with configuring Static NAT this way.
    You also have an option to configure the NAT in the following way
    object network SERVER-REAL
    host 172.16.10.10
    object network SERVER-MAPPED
    host 200.x.x.x
    nat (inside,outside) source static SERVER-REAL SERVER-MAPPED
    As you can see the difference from the first way I mentioned is the fact that we use Manual NAT / Twice NAT to configure this Static NAT. We create 2 "object network " which define the real and the mapped IP address. We then use those objects in the actual "nat" configuration.
    The difference with the above 2 NAT configurations is that the Network Object NAT is at a lower priority in the ASA NAT rules compared to the above Manual NAT.
    - Jouni

  • Nat (inside,outside) source dynamic any interface

    Hi Everyone,
    Does config below
    ASA1(config)# nat (inside,outside)  source  dynamic  any  interface
    Will do the PAT  when source is any IP  from inside interface of ASA  and going to any destination IP   address?
    Regards
    MAhesh

    Hi Mahesh,
    Yes, that NAT configuration would essentially do Dynamic PAT for any host behind the "inside" interface towards any destination address routed behind "outside" interface using the PAT IP address of "outside" interface.
    I would however suggest configuring the same NAT configuration by adding the "after-auto" parameter
    nat (inside,outside) after-auto source dynamic any interface
    What the "after-auto" parameter does is that it moves the NAT rule to the very end of the NAT rules. It will be one of the last NAT rules matched against a new connection coming from behind "inside".
    If we configured the Dynamic PAT the way you mentioned, there might be a possibility that it would override other NAT rules either now or in the future because it is at such a high priority.
    - Jouni

  • I wear my watch on the INSIDE of my wrist, not the OUTSIDE - Will the heart rate monitor work

    I wear my watch on the INSIDE of my wrist, not the OUTSIDE - Will the heart rate monitor work/

    hello,
    my 4s was in os6 and when os7 first released, i have updated it. during update from os6 to os7 after 98% my wifi got disconnected and then phone automatically restarted. since then my back camera is not working. front on is working perfectly. after that i reinstall os7 properly following step by step procedure but no positive result came out.
    then i tried to change the camera with a new one but still with new camera the problem is same. then they used my camera in some other 4s and it is working fine. now i dont know what to do.
    right now using os7.1.2
    please advise.
    Salman 

  • NAT (INSIDE To OUTSIDE)

    I need Configuration of this topology
    At Outside Router
    int f0/0
    ip add 10.1.1.2 255.255.255.0
    At Inside Router
    int f0/0
    ip add 192.168.1.2 255.255.255.0
    At ASA
    int e0
    ip add 10.1.1.1 255.255.255.0
    int e1
    ip add 192.168.1.1 255.255.255.0
    I want NAT from inside to outside and also need ACL configuration and attached diagram.
    and version of ASA is 8.2
    Navaz       

    THIS IS MY ASA CONFIGURATION
    ciscoasa(config)# sh running-config
    : Saved
    ASA Version 8.0(2)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list OUT extended permit tcp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
    access-group OUT in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000
    : end
    ciscoasa(config)#
    THIS IS MY OUTSIDE ROUTER CONFIGURATION
    R1(config)#do sh run
    Building configuration...
    Current configuration : 877 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ip domain lookup
    ip domain name lab.local
    multilink bundle-name authenticated
    interface FastEthernet0/0
    ip address 10.1.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip route 192.168.1.0 255.255.255.0 10.1.1.1
    no ip http server
    no ip http secure-server
    logging alarm informational
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    end
    R1(config)#
    THIS IS MY INSIDE ROUTER CONFIGURATION
    R2(config)#do sh run
    Building configuration...
    Current configuration : 880 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ip domain lookup
    ip domain name lab.local
    multilink bundle-name authenticated
    interface FastEthernet0/0
    ip address 192.168.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip route 10.1.1.0 255.255.255.0 192.168.1.1
    no ip http server
    no ip http secure-server
    logging alarm informational
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    end
    R2(config)#
    Navaz

  • Question about NAT Inside Source, Inside Destination, and Outside Source

    I read the Cisco command references about "ip nat inside source", "inside destination", and "outside source", but couldn't get a clear understanding of how to associate the commands with "ip nat inside" and "ip nat outside" configured for interfaces.
    Does "ip nat inside source ..." translation only happen on the interface configured as "ip nat inside"?
    Since NAT is a bidirectional action, what's the difference between "ip nat inside source ..." and "ip nat inside destination ..."?
    I've never used "ip nat outside source ...". In what cases would it be needed?
    On an interface where there are NAT translation and also other actions such as policy map or IP Sec crypto map, would NAT happen before or after other actions?
    Thanks for help with any questions.
    Gary

    Hi Gary,
    The following documents may help you to understand some of the terminology:
    http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
    http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml
    Also, the following document has a clear explanation of the order of operations when using NAT:
    http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
    Hope that helps - pls rate the post if it does.
    Paresh

  • VPN ASA inside Interface and ip pool are one same Subnet

    Hi Everyone,
    I have configured RA VPN full tunnel.
    Inside interface of ASA is
    Vlan1                    inside                 10.0.0.1        255.255.255.0   CONFIG
    ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
    Need to know is it good design to have both on same subnet?
    When i access the Switch  connecting to VPN ASA  inside interface via--https://10.0.0.2
    which has IP 10.0.0.2  while using Remote VPN connection to ASA it does not work gives error
    message as below
    Jan 19 2014 19:42:46: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51077(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure.
    Jan 19 2014 19:42:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51078(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure
    Jan 19 2014 19:42:59: %ASA-6-302014: Teardown TCP connection 22418 for outside:10.0.0.51/51069(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:01:08 bytes 1035 TCP Reset-O (ipsec-user)
    Jan 19 2014 19:42:59: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/51069 to 10.0.0.1/443 flags FIN ACK  on interface outside
    Current NAT config is
    nat (inside,outside) source dynamic any interface
    Regards
    MAhesh

    Hi Mahesh,
    It should work but I generally would not suggest having the same network on the LAN and also configured partially as a VPN Pool network.
    Your problem at the moment is simply lacking the NAT0 configuration for the traffic between LAN and VPN Pool.
    I would suggest changing the VPN Pool first and then configuring this
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network VPN-POOL
    subnet
    nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
    We have to use the line number "1" in the above command so that it gets moved to the top since your current Dynamic PAT would otherwise override it.
    In the future it would be best if you changed your current Dynamic PAT configuration to this
    nat (inside,outside) after-auto source dynamic any interface
    We simply add the "after-auto" to this Dynamic PAT configuration so that it gets moved down in priority. The "after-auto" refers to the fact that this NAT will be inserted after Auto NAT (after Section 2). Your current rule is Manual NAT (Section 1). The new rule will be Manual NAT (Section 3).
    - Jouni
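
The rule ordering described in the replies above (Network Object NAT sitting below Manual NAT, the line number "1", and "after-auto"), as an added example that is not part of the original threads: a simplified first-match model of the three NAT sections. The object names, the VPN pool subnet 10.0.1.0/24 (the reply leaves the new pool unspecified) and the WEB server are constructed assumptions, and the model only looks at the forward flow.

```python
import ipaddress

# Constructed objects; VPN-POOL stands for a pool moved out of the LAN subnet.
OBJECTS = """\
object network LAN
 subnet 10.0.0.0 255.255.255.0
object network VPN-POOL
 subnet 10.0.1.0 255.255.255.0
object network WEB
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
"""
PAT = "nat (inside,outside) source dynamic any interface"
PAT_LAST = "nat (inside,outside) after-auto source dynamic any interface"
EXEMPT = ("nat (inside,outside) {}source static LAN LAN "
          "destination static VPN-POOL VPN-POOL")

# Exempt rule appended after the PAT rule: both land in Section 1, PAT first.
BROKEN = OBJECTS + PAT + "\n" + EXEMPT.format("")
# Same rules, exempt rule inserted with line number 1.
FIXED = OBJECTS + PAT + "\n" + EXEMPT.format("1 ")
# PAT moved to Section 3 with after-auto.
AFTER_AUTO = OBJECTS + EXEMPT.format("") + "\n" + PAT_LAST


def parse(config):
    """Return (objects, ordered_rules); each rule is (section, rule_dict)."""
    objects = {"any": ipaddress.ip_network("0.0.0.0/0")}
    sections = {1: [], 2: [], 3: []}
    current = None
    for raw in config.strip().splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[0] == "subnet":
            objects[current] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif tok[0] == "host":
            objects[current] = ipaddress.ip_network(f"{tok[1]}/32")
        elif tok[0] == "nat" and tok[2] in ("static", "dynamic"):
            # Network Object NAT (Auto NAT) always lives in Section 2.
            sections[2].append({"kind": tok[2], "src": current,
                                "dst": "any", "text": raw.strip()})
        elif tok[0] == "nat":
            rest = tok[2:]
            line_no = int(rest.pop(0)) if rest[0].isdigit() else None
            after = rest[0] == "after-auto"
            if after:
                rest.pop(0)
            # rest: source <kind> <real> <mapped> [destination static <mapped> <real>]
            dst = "any"
            if "destination" in rest:
                dst = rest[rest.index("destination") + 2]
            rule = {"kind": rest[1], "src": rest[2], "dst": dst,
                    "text": raw.strip()}
            target = sections[3 if after else 1]
            target.insert(line_no - 1 if line_no else len(target), rule)
    # Section 2 is ordered by the ASA itself: static before dynamic, then
    # the object with the fewest real addresses first.
    auto = sorted(sections[2], key=lambda r: (r["kind"] != "static",
                                              objects[r["src"]].num_addresses))
    ordered = ([(1, r) for r in sections[1]] + [(2, r) for r in auto]
               + [(3, r) for r in sections[3]])
    return objects, ordered


def first_match(config, src, dst):
    """Return (section, rule text) of the first rule the flow matches."""
    objects, ordered = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for section, rule in ordered:
        if s in objects[rule["src"]] and d in objects[rule["dst"]]:
            return section, rule["text"]
    return None


if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED),
                      ("AFTER_AUTO", AFTER_AUTO)):
        print(name, "LAN->VPN:", first_match(cfg, "10.0.0.2", "10.0.1.51"))
        print(name, "WEB->Internet:", first_match(cfg, "10.0.0.10", "8.8.8.8"))
```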

  • Nat (inside) 0

    Friends,
    Can anyone help me?
    How do I configure "no nat" in version 8.4(4) of the ASA?
    Example:
    Local network: 192.168.135.0/24
    Remote Network: 192.168.137.0/24
    Before:
    # access-list Nonat extended permit ip 192.168.135.0 255.255.255.0 192.168.137.0 255.255.255.0
    #nat (inside) 0 access-list Nonat
    How do I make these same settings in version 8.4(4) of the ASA?
    When entering command "nat (inside) 0 access-list Nonat"
    ERROR: This syntax of nat command Has Been deprecated.
    Please refer to "help nat" command for more details.
    Is this correct?
    #object network rede-local
         #subnet 192.168.135.0 255.255.255.0
    #object network rede-remota
         #subnet 192.168.137.0 255.255.255.0
    #nat (inside,outside) source static rede-local rede-local destination static rede-remota rede-remota no-proxy-arp
    #nat (outside,inside) source static rede-remota rede-remota destination static rede-local rede-local no-proxy-arp

    You typically need only one NAT for that:
    nat (inside,outside) source static rede-local rede-local destination static rede-remota rede-remota no-proxy-arp route-lookup
    The other direction (outside,inside) is not needed. Depending on the rest of your setup you need to add the keyword "route-lookup".
    And you should read Jouni's very excellent document on ASA 8.3+ NAT:
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

  • Weird, speed not identical same AP, help

    Leaseline = 4mb speed and ADSL=40mb speed
    When I connect using my mobile via the AP, I get the ADSL speed of 40mb in speedtest.net, but when I connect my laptop to the same AP, I get the leaseline speed of 4mb. Both are configured with no proxy, and both get the same public IP from ADSL. All LAN HTTP speed is also 4mb with the ADSL public IP when testing in speedtest.net. My configuration is below.
    interface GigabitEthernet0/0.5
     description SERVERSNETWORK
     encapsulation dot1Q 5
     ip address 192.168.5.1 255.255.255.0
     ip helper-address 192.168.5.11
     ip nbar protocol-discovery
     ip nat inside
     ip virtual-reassembly in
     ip policy route-map REROUTE-HTTP
    interface GigabitEthernet0/0.70
     description NATIVE
     encapsulation dot1Q 70 native
     ip address 192.168.70.1 255.255.255.0
     ip helper-address 192.168.5.11
     ip nbar protocol-discovery
     ip nat inside
     ip virtual-reassembly in
     ip policy route-map REROUTE-HTTP
    interface GigabitEthernet0/1
     description MAIN
     ip address 213.42.34.abc 255.255.255.abc
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface FastEthernet0/1/0
     description ADSL
     no ip address
     ip flow egress
     ip virtual-reassembly in
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 10
     no cdp enable
    interface FastEthernet0/1/1
     description BACKUP
     ip address 213.42.68.abc 255.255.255.abc
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/0/0
     no ip address
    interface GigabitEthernet0/0/1
     no ip address
    interface GigabitEthernet0/0/2
     no ip address
    interface GigabitEthernet0/0/3
     description MAIN
     switchport access vlan 50
     no ip address
    interface Vlan1
     no ip address
    interface Vlan50
     ip address 83.111.165.abc 255.255.255.abc
     ip flow ingress
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in max-fragments 64 max-reassemblies 512
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 10
     ppp authentication pap callin
     ppp pap sent-username abcde password 7 abcde
     ppp ipcp dns request accept
     ppp ipcp address accept
     no cdp enable
    router bgp 65200
     bgp log-neighbor-changes
     network 83.111.165.abc mask 255.255.255.abc
     network 94.56.22.abc mask 255.255.255.abc
     neighbor 213.42.34.abc remote-as 5300
     neighbor 213.42.34.abc update-source GigabitEthernet0/1
     neighbor 213.42.34.abc route-map MAINLL in
     neighbor 213.42.68.abc remote-as 5300
     neighbor 213.42.68.abc update-source FastEthernet0/1/1
     neighbor 213.42.68.abc route-map BACKUPLL in
     maximum-paths 2
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip nat inside source route-map ADSL interface Dialer1 overload
    ip nat inside source route-map BACKUP interface FastEthernet0/1/1 overload
    ip nat inside source route-map MAIN interface GigabitEthernet0/1 overload
    ip access-list extended COMMON-TRAFFIC
     deny   tcp any any eq www
     deny   tcp any any eq 443
     permit ip any any
    ip access-list extended HTTP-TRAFFIC
     permit tcp any any eq www
     permit tcp any any eq 443
     deny   ip any any
    route-map ADSL permit 10
     match ip address HTTP-TRAFFIC
     match interface Dialer1
    route-map MAIN permit 10
     match ip address COMMON-TRAFFIC
     match interface GigabitEthernet0/1
    route-map BACKUP permit 10
     match ip address COMMON-TRAFFIC
     match interface FastEthernet0/1/1
    route-map MAINLL permit 10
     set local-preference 110
    route-map BACKUPLL permit 10
     set local-preference 90
    route-map REROUTE-HTTP permit 10
     match ip address HTTP-TRAFFIC
     set interface Dialer1

    NIC card is updated. Is this a vlan issue?
    What's the model of your NIC card?  
    Some NIC cards can behave differently.  This gets worse when the cards are not configured properly.  
    What is the model of your NIC card and the version of the driver you are using?

  • Port forwarding for the Web server for outside Internet (not working , help!!!!!!)

    Hello 
    I am trying to learn something new here. We have a web server inside our organization; its IP address is 172.16.0.35. We want outside Internet users to access the web server. How is it possible? Please have a look at the running configuration. The web server is working inside the organization but not outside. Our static public IP is 197.255.232.15; it is assigned to Interface Gigabit ATM0.1, and the ISP default GW is 197.255.232.1. Let me know what's next. How do I make the web server inside the organization available to outside Internet users? Thank you.
    Building configuration.
    Current configuration : 1983 bytes
    ! Last configuration change at 17:57:15 UTC Sat Jan 24 2015
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router_test
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 10
    ip dhcp excluded-address 172.16.0.34
    ip dhcp pool test
     network 172.16.0.32 255.255.255.224
     dns-server 197.255.224.18 197.255.224.66
     default-router 172.16.0.34
     lease 9
    ip cef
    no ipv6 cef
    license udi pid CISCO887VA-K9 sn FGL1818236L
    controller VDSL 0
    interface Ethernet0
     no ip address
     shutdown
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     description ATM Routed Bridge Encapsulation (RBE) Internet
     ip address 197.255.232.15 255.255.248.0
     ip access-group netin in
     ip access-group netout out
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly in
     atm route-bridged ip
     bridge-group 1
     bridge-group 1 spanning-disabled
     pvc 0/35
      encapsulation aal5snap
      protocol ip inarp
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Vlan1
     description Lan 
     ip address 172.16.0.34 255.255.255.224
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1454
    interface Dialer1
     no ip address
    ip default-gateway 197.255.232.1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list natlist interface ATM0.1 overload
    ip nat inside source static tcp 172.16.0.35 443 197.255.232.15 443 extendable
    ip route 0.0.0.0 0.0.0.0 ATM0.1 197.255.232.1
    ip access-list extended natlist
     permit ip 172.16.0.32 0.0.0.31 any
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     login
     transport input all
    end
    http://pastie.org/9858814

    Hi  Karsten Iwen
    I deleted ( ip access-group netin in and ip access-group netout out) but it still does not work
    my config : 
    Building configuration...
    Current configuration : 2267 bytes
    ! Last configuration change at 15:43:06 UTC Wed Jan 28 2015
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 10
    ip dhcp excluded-address 172.16.0.34
    ip dhcp pool my
     network 172.16.0.32 255.255.255.224
     dns-server 197.255.224.18 197.255.224.66
     default-router 172.16.0.34
     lease 9
    ip cef
    no ipv6 cef
    license udi pid CISCO887VA-K9 sn FGL1818236L
    controller VDSL 0
    interface Ethernet0
     no ip address
     shutdown
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     description ATM Routed Bridge Encapsulation (RBE) Internet
     ip address 197.255.232.15 255.255.248.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     no ip virtual-reassembly in
     atm route-bridged ip
     pvc 0/35
      encapsulation aal5snap
      no protocol ip inarp
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Vlan1
     description 
     ip address 172.16.0.34 255.255.255.224
     ip nat inside
     no ip virtual-reassembly in
     ip tcp adjust-mss 1414
    interface Dialer1
     no ip address
    ip default-gateway 197.255.232.1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list natlist interface ATM0.1 overload
    ip nat inside source static tcp 172.16.0.35 443 197.255.232.15 443 extendable
    ip route 0.0.0.0 0.0.0.0 ATM0.1 197.255.232.1
    ip access-list extended natlist
     permit ip 172.16.0.32 0.0.0.31 any
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
    end
    Router#sh ip nat translations
    Pro Inside global         Inside local          Outside local         Outside global
    tcp 197.255.232.15:5183   172.16.0.33:5183      212.95.74.5:80        212.95.74.5:80
    tcp 197.255.232.15:5196   172.16.0.33:5196      212.95.74.5:80        212.95.74.5:80
    tcp 197.255.232.15:5602   172.16.0.33:5602      174.129.246.27:80     174.129.246.27:80
    tcp 197.255.232.15:5785   172.16.0.33:5785      31.13.93.3:443        31.13.93.3:443
    tcp 197.255.232.15:443    172.16.0.35:443       ---                   ---

  • Dual nat instance in an router (not working)

    Hi Guys,
    I'm having a problem w/ the design I'm currently working on. As you can see in the diagram below, I was trying to somehow perform load balancing on WAN links. What I'm trying to do is basically for all VLAN 1 users to use the WAN 1 link as their primary WAN connection while VLAN 2 users must use the WAN 2 link as their primary WAN connection. To achieve this, I've configured PBR on each subinterface on my router indicating that the VLAN 1 subnet must use WAN1 as next hop and the VLAN 2 subnet must use WAN2 as next hop for their respective WAN traffic.
    In relation to my PBR configuration, I've also included the "track" command to monitor whether each WAN link is still active. Everything works fine until I've defined two "ip nat inside" commands on my router. I noticed that only one VLAN subnet could communicate on the WAN. I don't know if there's an effect from using two NAT instances on the router.
    Hope you could help me on this.
    Thank you so much
    Rex

    A lot of the 960's don't have 2 DVI's. However most have an additional HDMI and DisplayPort. I recommend you get an adapter from amazon or something. Just make sure that it will convert HDMI or DP to DVI. Usually amazon products have a good amount of questions already answered by buyers.
    Interesting that they'd go that route, I guess I just assumed since my 760 has two.
    I've set up dual monitors using one DVI and one HDMI before, but I ran into issues with screen sizing. Despite having two identical monitors set at the same resolution the mouse would not transmit over to the second monitor at the same height as it was on the first, so I had to buy an adapter like Joshua suggested.

  • Access another host on same subnet through Nat'd IP address

    I appreciate any help in advance, I have a requirement to monitor a host's external IP address, the monitoring host (host A) initiating the request is located in the same DMZ subnet as the destination host (host B) I want to monitor, both are NAT'd to external IP addresses, I was expecting to see a request going out from host A, getting NAT'd to its respective external IP address and then coming back in through the external interface to reach the Nat'd IP address of host B. is this how NAT will be handled by the ASA or am I missing something here? thanks again.

    Borman,
    It's more complicated than that, consider the following scenario:
                                20.20.20.0/24
                   ASA------------------------------Internet
                      | (DMZ)
                 Switch
         Host A          Host B
       10.1.1.10      10.1.1.100
                          20.20.20.20 (Nat outside address)
    Basically you want to monitor your host B using its public IP address, normally your NAT configuration (in case of version 8.2 and prior) would be something like this:
    static (DMZ,outside) 20.20.20.20 10.1.1.100 netmask 255.255.255.255
    nat (DMZ) 1 0.0.0.0 0.0.0.0
    global (outside) 1 interface
    When going from Host A to host B, two translations should occur. First is the untranslate from 20.20.20.20 to 10.1.1.100 (by an internal process of the ASA); then, once it is untranslated, the route lookup comes into play. The firewall notices that it is on the same interface as the source of the packet, so we reach our first impasse. The ASA does not support same security traffic by default. So we overcome this issue with the following command:
    same-security-traffic permit intra-interface
    Now that is done, so we move to the next packet process, the ASA tries to check if there is any NAT translation for a packet coming from the DMZ and going to the same DMZ. As you can see there is a "nat (DMZ) 1 0.0.0.0 0.0.0.0", that tells the firewall that everything coming from the DMZ should be translated, we hit that NAT and since the outgoing interface is the same as the source interface (DMZ) there is no global command, hence you will see an error that states, No translation group found. Here is how we overcome that issue
    global (DMZ) 1 interface
    This will translate requests from the DMZ interface going to that same interface to the DMZ IP address. On the server 10.1.1.100, the connection will be seen as if it came from the firewall, and the packets will be sent to the firewall again, hence avoiding asymmetric routing.
    If running version 8.3 or higher, the concept is the same, but the commands change a bit.
    8.3
    same-security-traffic permit intra-interface
    object network Server_Public
    host 20.20.20.20
    object network Server_Private
    host 10.1.1.100
    object network Any
    subnet 0.0.0.0 0.0.0.0
    nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
    So bottom line, configuration needed on 8.2
    global (DMZ) 1 interface
    same-security-traffic permit intra-interface
    Configuration for 8.3
    same-security-traffic permit intra-interface
    object network Server_Public
    host 20.20.20.20
    object network Server_Private
    host 10.1.1.100
    object network Any
    subnet 0.0.0.0 0.0.0.0
    nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
    Hope this helps a bit.
    Mike

  • Remote Access VPN and NAT inside interface

    Hi everyone,
    I have configured Remote VPN access.
    Inside interface and vpn pool is 10.0.0.0 subnet.
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Also i have ASA inside interface connected to R1 as below
    R1 ---10.0.0.2------------inside int  IP 10.0.0.1--------ASA
    R1 has loopback int 192.168.50.1 and ASA has static route to it.
    When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
    This ping works fine.
    Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user                                                                                        )
    Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
    Need to understand how this ping works without exempting 192.168.50.0 from NATing
    or
    how does nat work for above ping from 10.0.0.52 VPN user PC IP to loopback interface of R1 in regards to NATing?
    Regards
    Mahesh

    Hi Jouni,
    IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
    Letting you know that I have removed the NAT config below from the inside to outside interface
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Still ping works fine from VPN client PC to IP 192.168.50.1
    Packet tracer output
    ASA1# packet-tracer input outside  icmp 10.0.0.52 8 0 192.168.50.1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.50.1    255.255.255.255 inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip any host 192.168.50.1 log
    access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: DROP
    Config:
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I can ping from PC command prompt to IP 192.168.50.1 fine.
    Here is second packet tracer
    ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 18033, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    So the question is how the ping from outside is working without NAT exempt from inside to outside?
    So does the second packet tracer prove that I have no NAT config from loopback to outside, and the ping works because I have NO NAT configured?
    Regards
    Mahesh
    Message was edited by: mahesh parmar
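
    To read long traces like the two above, the following added example (not from the thread) parses packet-tracer text into phases and reports the verdict, the first phase that dropped the packet, and any NAT rule lines that were matched. The names `parse_trace` and `summarize` are hypothetical, the sample is constructed, and treating a NAT phase with an empty Config as "no translation rule matched" is an assumption of the example.

```python
# Constructed sample: phases 3 and 7 plus the result block, laid out like the first trace.
SAMPLE = """\
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
MULTI = ("Config", "Additional Information")  # fields that carry continuation lines

def parse_trace(text):
    phases, summary, cur, key = [], {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        head, sep, val = line.partition(":")
        val = val.strip()
        if sep and head == "Phase":
            cur, key = {"Phase": int(val), "Config": [], "Additional Information": []}, None
            phases.append(cur)
        elif sep and head == "Result" and not val:
            cur, key = None, None           # bare "Result:" opens the final summary
        elif cur is None and sep:
            summary[head] = val             # Action, Drop-reason, interfaces, ...
        elif sep and head in MULTI:
            key = head
            if val:
                cur[key].append(val)
        elif sep and head in ("Type", "Subtype", "Result"):
            cur[head], key = val, None
        elif line and key:
            cur[key].append(line)           # continuation of Config / Additional Information
    return phases, summary

def summarize(text):
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    # Assumption: a NAT/UN-NAT phase with an empty Config matched no translation rule.
    nat = [c for p in phases if p.get("Type") in ("NAT", "UN-NAT") for c in p["Config"]]
    return {"action": summary.get("Action"), "drop_reason": summary.get("Drop-reason"),
            "drop_phase": (drop["Phase"], drop.get("Type"), drop.get("Subtype")) if drop else None,
            "nat_rules": nat}
```

    Calling `summarize()` on the full text of either trace gives the same fields; an empty `nat_rules` list means every NAT phase in that trace had a blank Config.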

  • GetClientID not the same with request map in a dataTable

    Hi,
    I have a dataTable with multiple rows of same input text box (which has a required="true" validation attribute), the generated id in request map is something like (because it's repeating in a dataTable)
    formname:_id0:0:firstname
    formname:_id0:0:lastname
    but the .getClientId() method of UIComponent is NOT the same! When I try to getClientID for the same component (recursively going through the tree), I get
    formname:_id0:firsntame
    formname:_id0:lastname
    How do I retrieve the correct id? Or why is it not getting the right client ID?
    The reason I'm manually going through the tree is because I need to do some custom logic of checking each component in the page to see if it's required; if it is, I'm going to add a custom required message for it (all this is implemented in a phaseListener)
    thanks.

    Hi,
    thanks for replying.
    Basically, I need to customize the error message for validation, so I adapted the code here by implementing a phaseListener.
    http://www.jroller.com/comments/ksevindik/Weblog/customizing_jsf_required_field_messages
    which in turn derived from
    http://www.oracle.com/technology/pub/articles/masterj2ee/j2ee_wk7.html
    If you take a look at the code above, in the validateValue() method, it's checking the component's .submittedValue property. This normally works for forms by themselves.... but when the form fields are repeated inside a dataTable, the
    inputComponent.getSubmittedValue() becomes null.
    I was confused, so I tried to output the clientID of the inputComponent by
    inputComponent.getClientID(),
    Only then I noticed that the ID is not the same as the ID in requestMap; maybe that's why inputComponent.getSubmittedValue() is null.
    Let me rephrase the question: how do I access the text box value in any row of a dataTable? (Note, the value has NOT been updated into the model yet because I'm trying to get the value in the validation phase)
    Thanks again. REALLY appreciate it.

  • Flex mobile 4.6 app works inside flash builder but not in android emulator

    Originally posted on stackoverflow: http://stackoverflow.com/questions/8663892/flex-mobile-4-6-app-works-inside-flash-builder-but-not-in-android-emulator
    I have a basic flex mobile 4.6 app and it works fully fine in the flash builder built-in emulator using an android device profile like aria...
    It also launches fine in the android emulator but one particular view shows blank (and this view works fine in flash builder).
    Before I get in to many details of the view are there any categorical gotchas that can be causing this?
    I can't seem to get the trace statements from the app to show in 'adb logcat'. It seems I need to compile a debug version of the apk but I don't know how to do this. I use the 'Export Release Build' from the Project menu in flash builder and it doesn't seem to have an option for debug=true.
    The problematic/blank view basically uses the stagewebview and iotashan's oauth library to call linkedin rest apis... A different (and working) view can make restful web service calls in the emulator fine, so it doesn't seem to be an internet permission.
    The source code contained in the problematic/blank view is almost identical to the tutorial found at: http://www.riagora.com/2011/01/air-and-linkedin/
    The differences are: a) The root tag is a View b) I use StageWebView instead of HtmlContainer c) I use my own linkedin key and tokens.
    I would appreciate it if someone can provide me with some pointers on how to troubleshoot this situation. Perhaps someone can tell me how to debug the app while running in the emulator (I think I need the correct adt command arguments for this which matches the 'Export Release Build' menu but adds the debug param?)
    Thanks for your help in advance.
    Comment Added:
    I suspect that this has to do with connections to https:// api.linkedin.com and https:// www.linkedin.com. The only reason I can think of that the same code is not having issues inside of Flex Builder but indeed having issues in the Android emulator is something to do with certificates. Any ideas?

    Thanks er453r,
    I have created a project that clearly reproduces the bug.  Here are the steps:
    1) Create a UrlLoader and point it to https://www.google.com (HTTPS is important because http works but HTTPS does not)
    2) Load it
    3) Run in Flash Builder 4.6/Air 3.1 and then run in Android emulator.  The former works with an http status 200.  The latter gives you an ioerror 2032.  I am assuming what works in Flash Builder is supposed to work in the Android Emulator and what works in the emulator is supposed to work in a physical device (plus or minus boundary conditions).
    I see a certificate exception in adb logcat but not sure if it's related...
    Here is the self contained View code which works with a TabbedViewNavigatorApplication:
    <?xml version="1.0" encoding="utf-8"?>
    <s:View xmlns:fx="http://ns.adobe.com/mxml/2009"
            xmlns:s="library://ns.adobe.com/flex/spark"
            xmlns:mx="library://ns.adobe.com/flex/mx"
            xmlns:ns1="*"
            xmlns:local="*"
            creationComplete="windowedapplication1_creationCompleteHandler(event)"
            actionBarVisible="true" tabBarVisible="true">
        <fx:Script>
            <![CDATA[
                import mx.events.FlexEvent;

                // HTTPS endpoint used to reproduce the failure (plain http works)
                protected var requestTokenUrl:String = "https://www.google.com";

                // Create the loader, attach every error/status listener, then load
                protected function windowedapplication1_creationCompleteHandler(event:FlexEvent):void
                {
                    var loader:URLLoader = new URLLoader();
                    loader.addEventListener(ErrorEvent.ERROR, onError);
                    loader.addEventListener(AsyncErrorEvent.ASYNC_ERROR, onAsyncError);
                    loader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
                    loader.addEventListener(HTTPStatusEvent.HTTP_RESPONSE_STATUS, httpResponseStatusHandler);
                    loader.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
                    var urlRequest:URLRequest = new URLRequest(requestTokenUrl);
                    loader.load(urlRequest);
                }
                protected function requestTokenHandler(event:Event):void
                {
                }
                protected function httpResponse(event:HTTPStatusEvent):void
                {
                    label.text += event.status;
                    // TODO Auto-generated method stub
                }
                private function completeHandler(event:Event):void {
                    label.text += event.toString();
                    trace("completeHandler data: " + event.currentTarget.data);
                }
                private function openHandler(event:Event):void {
                    label.text +=  event.toString();
                    trace("openHandler: " + event);
                }
                private function onError(event:ErrorEvent):void {
                    label.text +=  event.toString();
                    trace("onError: " + event.type);
                }
                private function onAsyncError(event:AsyncErrorEvent):void {
                    label.text += event.toString();
                    trace("onAsyncError: " + event);
                }
                private function onNetStatus(event:NetStatusEvent):void {
                    label.text += event.toString();
                    trace("onNetStatus: " + event);
                }
                private function progressHandler(event:ProgressEvent):void {
                    label.text += event.toString();
                    trace("progressHandler loaded:" + event.bytesLoaded + " total: " + event.bytesTotal);
                }
                private function securityErrorHandler(event:SecurityErrorEvent):void {
                    label.text +=  event.toString();
                    trace("securityErrorHandler: " + event);
                }
                private function httpStatusHandler(event:HTTPStatusEvent):void {
                    label.text += event.toString();
                    //label.text += event.responseHeaders.toString();
                    trace("httpStatusHandler: " + event);
                }
                private function httpResponseStatusHandler(event:HTTPStatusEvent):void {
                    label.text +=  event.toString();
                    trace("httpStatusHandler: " + event);
                }
                // Error 2032 in the emulator surfaces here
                private function ioErrorHandler(event:IOErrorEvent):void {
                    label.text +=  event.toString();
                    label.text += event.text;
                    trace("ioErrorHandler: " + event);
                }
            ]]>
        </fx:Script>
        <fx:Declarations>
            <!-- Place non-visual elements (e.g., services, value objects) here -->
        </fx:Declarations>
        <s:Label id="label" y="185" width="100%" color="#0A0909" horizontalCenter="0" text=""/>
    </s:View>
