NAT outside to inside and inside to outside (in 8.4(2) version)
Thanks a lot, and I attached a diagram here.
Requirement:
I need to pass traffic from outside to inside and from inside to outside.
I also attached a diagram with the IPs.
Also, tell me one thing: is NATting only for private to public or public to private?
Hi,
I think I replied on your post earlier as well.
As per your query, you can NAT any kind of IP (public or private) into any kind (public or private).
For bidirectional traffic, you always need static NAT.
When you want unidirectional traffic, you can use dynamic NAT/PAT.
For the inside to outside traffic, you can use this NAT:
object network LAN
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
For outside to inside traffic, you would only want access for certain servers, just like internally hosted web servers.
For this, you can either use static PAT/NAT:
object network host
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 3389 3389
access-list outside_inside extended permit tcp any host 10.10.10.10 eq 3389
access-group outside_inside in interface outside
This will enable you to take RDP access to your PC from the internet.
Is this what you want?
Thanks and Regards,
Vibhor Amrodia
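As an added illustration (not part of the original post or any Cisco code), this Python model applies the two NAT rules from the reply to constructed sample flows, assuming 203.0.113.10 as the outside interface address: an inside host's outbound connection gets a dynamic PAT entry that its reply can use, an outside-initiated RDP connection to the interface address is un-NATed to 10.10.10.10 and checked against the ACL, and any other outside-initiated connection is dropped, which is the bidirectional-versus-unidirectional distinction the reply draws.

```python
"""Model of the ASA 8.3+ object NAT rules from the reply above (added illustration)."""
from dataclasses import dataclass
import ipaddress

OUTSIDE_IF_IP = "203.0.113.10"  # assumed outside interface address (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class StaticPat:  # nat (inside,outside) static <mapped_ip> service <proto> <real_port> <mapped_port>
    real_ip: str
    mapped_ip: str
    proto: str
    real_port: int
    mapped_port: int

class AsaNat:
    def __init__(self, static, dynamic_subnet, acl):
        self.static = static                # static object NAT is matched before dynamic
        self.dynamic_subnet = ipaddress.ip_network(dynamic_subnet)
        self.acl = set(acl)                 # (real_dst_ip, dport, proto) permitted inbound
        self.xlate = {}                     # (mapped_ip, mapped_port, proto) -> (real_ip, real_port)
        self._next_port = 1024              # simplified PAT port pool; a real ASA picks differently

    def inside_to_outside(self, pkt):
        """Translate the source of an inside-originated packet."""
        for s in self.static:
            if (pkt.src, pkt.proto, pkt.sport) == (s.real_ip, s.proto, s.real_port):
                return Packet(s.mapped_ip, s.mapped_port, pkt.dst, pkt.dport, pkt.proto)
        if ipaddress.ip_address(pkt.src) in self.dynamic_subnet:
            port, self._next_port = self._next_port, self._next_port + 1
            self.xlate[(OUTSIDE_IF_IP, port, pkt.proto)] = (pkt.src, pkt.sport)
            return Packet(OUTSIDE_IF_IP, port, pkt.dst, pkt.dport, pkt.proto)
        return pkt  # no rule matched: 8.3+ forwards the packet untranslated

    def outside_to_inside(self, pkt):
        """Return (translated packet or None, reason) for an outside-originated packet."""
        key = (pkt.dst, pkt.dport, pkt.proto)
        if key in self.xlate:  # reply to a flow an inside host opened through dynamic PAT
            real_ip, real_port = self.xlate[key]
            return Packet(pkt.src, pkt.sport, real_ip, real_port, pkt.proto), "existing xlate"
        for s in self.static:
            if key == (s.mapped_ip, s.mapped_port, s.proto):  # static PAT: un-NAT the destination
                real = Packet(pkt.src, pkt.sport, s.real_ip, s.real_port, pkt.proto)
                if (real.dst, real.dport, real.proto) in self.acl:  # 8.3+ ACLs use the real IP
                    return real, "static PAT, ACL permit"
                return None, "static PAT, ACL deny"
        return None, "no xlate and no static rule: implicit deny"

def build_asa():
    """The two rules from the reply: dynamic PAT for everything, static PAT for RDP to 10.10.10.10."""
    return AsaNat(static=[StaticPat("10.10.10.10", OUTSIDE_IF_IP, "tcp", 3389, 3389)],
                  dynamic_subnet="0.0.0.0/0",  # 'subnet 0 0' in the LAN object
                  acl=[("10.10.10.10", 3389, "tcp")])

def demo():
    """Constructed sample flows; the 198.51.100.x addresses are documentation-range placeholders."""
    asa = build_asa()
    out = asa.inside_to_outside(Packet("10.10.10.55", 40000, "198.51.100.7", 443))
    reply, _ = asa.outside_to_inside(Packet("198.51.100.7", 443, out.src, out.sport))
    rdp, why_rdp = asa.outside_to_inside(Packet("198.51.100.9", 51000, OUTSIDE_IF_IP, 3389))
    blocked, why_blocked = asa.outside_to_inside(Packet("198.51.100.9", 51001, OUTSIDE_IF_IP, 445))
    return {"out": out, "reply": reply, "rdp": rdp, "why_rdp": why_rdp,
            "blocked": blocked, "why_blocked": why_blocked}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```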
Similar Messages
-
ASA 5505 NAT rules blocking inside traffic
Previous attempts to set up these NAT rules have been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a different outside network, but every time we get that far our internal network crashes. Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to the workstations is being blocked by the default implicit rule under the access rule heading that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to the servers is being allowed though. In an effort to start over again, the Cisco ASA has been Factory Defaulted via the CLI, and has had its Inside network and Outside IP address set back up. DHCP pool has been set up for a minimal amount of addresses on the inside network, since most of our equipment will always be assigned statics. We reset our static NAT policies, and seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. Any help will be greatly appreciated.
Embarq : Network xxx.xxx.180.104
Gateway: xxx.xxx.180.105
Subnet Mask: 255.255.255.248
Our Static IP's: xxx.xxx.180.106 to xxx.xxx.180.110
Cisco Pix for VPN tunnels : xxx.xxx.180.107 outside IP
used for DataBase Servers : 100.1.0.2 Inside IP/ Gateway 2
Cisco ASA 5505: xxx.xxx.180.106 outside IP
all other traffic : 100.1.0.1 Inside IP/ Gateway 1
Inside Network: 100.1.0.0/24
Application Server: 100.1.0.115 uses Gateway 1
BackUp AppSrvr: 100.1.0.116 uses Gateway 1
DataBase Server: 100.1.0.113 uses Gateway 2
BackUp DBSrvr: 100.1.0.114 uses Gateway 2
Cobox/Receiver: 100.1.0.140
BackUp Cobox: 100.1.0.150
Workstation 1: 100.1.0.112
Workstation 2: 100.1.0.111
Network Speaker1,2,3,4: 100.1.0.125 to 100.1.0.128
Future Workstations: 100.1.0.0/24
1. Embarq Gateway feeds both Cisco Pix, and Cisco ASA. Both Ciscos feed a Dell Switch.
2. All inside network devices at 100.1.0.0/24 are networked into the Dell Switch.
3. All Workstations/Network Speakers need to be able to communicate with all four servers, and the Cobox/Receiver.
4. The DataBase Servers have VPN tunnels created in the Pix for clients to be able to login securely and edit their account info.
5. The App Server (100.1.0.115), and BackUp App Srvr (100.1.0.116) need to have a NAT rule created NAT'ing them to xxx.xxx.180.109.
A. The xxx.xxx.180.109 NAT rule needs to allow ALL UDP traffic TO and FROM ANY outside IP address.
B. The xxx.xxx.180.109 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
6. The Cobox/Receiver (100.1.0.140) and BackUp Cobox (100.1.0.150) need to have a NAT rule created NAT'ing them to xxx.xxx.180.108
A. The xxx.xxx.180.108 NAT rule needs to allow UDP traffic FROM ANY Outside IP address source port 6000 or 9000 to destination port 9000
B. The xxx.xxx.180.108 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
7. Right now the Cisco PIX is functioning and working perfectly for our VPN tunnels.
8.
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 100.1.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.180.106 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object icmp
protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object icmp
protocol-object udp
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any xxx.xxx.180.104 255.255.255.248
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 host xxx.xxx.180.108 any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 host xxx.xxx.180.108 any
access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_2 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_nat_static extended permit udp host 100.1.0.140 eq 9000 any
access-list inside_nat_static_1 extended permit ip host 100.1.0.115 any
access-list inside_nat0_outbound extended permit ip 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
access-list outside_nat_static extended permit udp host xxx.xxx.180.108 eq 6000 host 100.1.0.140
access-list outside_nat_static_1 extended permit ip host xxx.xxx.180.109 host 100.1.0.115
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 100.1.0.3-100.1.0.254 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) udp xxx.xxx.180.108 6000 access-list inside_nat_static
static (outside,inside) udp 100.1.0.140 9000 access-list outside_nat_static
static (inside,outside) xxx.xxx.180.109 access-list inside_nat_static_1
static (outside,inside) 100.1.0.115 access-list outside_nat_static_1
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 100.1.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 100.1.0.5-100.1.0.15 inside
dhcpd dns 71.0.1.211 67.235.59.242 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
call-home reporting anonymous
Cryptochecksum:52e69fa95fcffd43ed9e73df320e3a55
: end
OK. Thank you very much for your help. I am going to get with the powers that be to upgrade the "Base" license in this ASA.
In the meantime I will Close and Rate this post for now so others can get this info also.
If we have any further issues after the upgrade, then I will open a new post.
Thanks again. We knew it was something simple. Not sure how we overlooked that, but hey, we're getting somewhere now. -
I'm struggling to figure out why you would need the 'ip nat outside source static' command. The 'inside source static' makes perfect sense, but why the outside. In what type of scenario would you use it?
Any help would be appreciated.
h1 (192.168.10.2) -> R1 -> (ip nat inside) R2 (ip nat outside) -> R3 -> s1 (172.16.5.2)
On R2
ip nat outside source static 192.168.11.2 172.16.5.2
would mean -
h1 would send traffic to 192.168.11.2 and the destination IP would be translated to 172.16.5.2 and if s1 sends traffic to h1 the source IP would be 192.168.11.2.
One reason to do this would be, using the above example, your internal network uses 192.168.x.x IP addressing and you do not want to have to advertise the 172.16.5.x IP within your network.
So instead you choose an unused 192.168.x.x IP and as long as R1 routes traffic for that IP to R2 it is then translated to 172.16.5.2 on R2 which means your internal routers do not need to have external IP addresses in their routing tables.
Jon -
Nat (outside,outside) dynamic interface, equivalent in IOS
For a remote vpn user who just want to access the internet for now. now I know you have to put the following in config when using ASA, what is the equivalent in IOS?
nat (outside,outside) dynamic interface.
thanks,
Han
Hello.
I think you wanted to achieve hairpinning for the IPsec remote access VPN users to access the internet via the VPN router. There is no direct way of doing this like we have in the ASA.
Please follow the Cisco document below, where you can make use of a NAT on a stick configuration to achieve this:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
Regards
Harish
Please rate helpful posts! -
My Time Capsule is giving me a warning that a double NAT situation is occurring and recommends that I set it to bridge mode. What is all this about? Please can it be explained in layman's terms and not Martian. Thank you.
You have two devices, the Netgear and the Time Capsule, both configured to act as routers on the network. You only want one device providing this service.
I suggest that you configure the Time Capsule in Bridge Mode as suggested to eliminate the Double NAT error. Unfortunately, the Guest Network cannot be enabled in this setting.
No other adjustments are needed and everything else will operate normally...and the Time Capsule will still be providing your wireless network signal.
Once the Time Capsule is configured in Bridge Mode, it would be an excellent idea to perform a complete power cycle on the network to allow things to reset properly.
Just power off all devices on the network in any order that you want
Wait a minute
Start the Netgear device first, and let it run a minute by itself
Start the Time Capsule next the same way
Continue starting devices one at a time the same way until everything is powered back up.
The other option you have is to "ignore" the error and the light will turn green. The Double NAT error may...or may not cause some issues for you down the line. The next time that you update the Mac operating system, or update the firmware in the Time Capsule, it may likely change the Time Capsule to Bridge Mode automatically.
If your Guest Network "disappears", you will know why this happened, and you will have to manually configure the Time Capsule again in Router Mode to provide DHCP and NAT services.
Double NAT can also cause a slow down of web page loading. You may...or may not....notice this. -