NAT/PAT question
I have a new firewall I am turning up. On the firewall I have 3 DMZ interfaces (2 are turned up currently) and an inside interface towards the customer's internal network.
What I am attempting to do is to send traffic to the customer's internal networks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) without doing any NAT.
I want to send any INET-destined traffic, such as to google.com, as PAT using the inside interface IP of 10.91.13.17. The DMZ source for this communication is 192.168.14.0/27 (CETCNET). I've attached a config. I was thinking a NONAT ACL, a NAT definition and a global definition along these lines:
object-group network ATK_PRIVATE_NETS
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.240.0.0
network 192.168.0.0 255.255.0.0
access-list NONAT_CETC permit ip 192.168.14.0 255.255.255.224 object-group ATK_PRIVATE_NETS
access-list CETC_INET_NAT permit ip 192.168.14.0 255.255.255.224 any
nat (CETCNET) 0 access-list NONAT_CETC
nat (CETCNET) 10 access-list CETC_INET_NAT
global (inside) 10 interface
But I still get the feeling I'm missing something. Version is 8.2(5)29. Looking forward to reading any suggestions anyone might have. I like to keep it as simple as possible on firewalls like this.
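As an added example (not the poster's config and not Cisco code), here is a small Python model of the evaluation order behind the question above: on ASA 8.2 the `nat 0 access-list` exemption is consulted before the numbered `nat`/`global` pair, so a destination in ATK_PRIVATE_NETS is never PATed even though CETC_INET_NAT matches `any`. The objects, ACLs and the 10.91.13.17 PAT address come from the post; the flows at the end are constructed, and the untranslated fall-through case assumes nat-control is off.

```python
"""ASA 8.2 NAT order check for the CETCNET policy above (added example, not
Cisco code).  nat 0 access-list (exemption) is consulted before the numbered
nat/global pair, so a private destination is never PATed even though
CETC_INET_NAT matches 'any'."""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# object-group network ATK_PRIVATE_NETS
ATK_PRIVATE_NETS = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]
CETCNET = Net("192.168.14.0/27")
ANY = Net("0.0.0.0/0")
INSIDE_IF_IP = "10.91.13.17"                   # global (inside) 10 interface

# an access-list as a list of ACEs: (source network, permitted destination networks)
NONAT_CETC = [(CETCNET, ATK_PRIVATE_NETS)]     # nat (CETCNET) 0 access-list NONAT_CETC
CETC_INET_NAT = [(CETCNET, [ANY])]             # nat (CETCNET) 10 access-list CETC_INET_NAT


def acl_permits(acl, src: str, dst: str) -> bool:
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in snet and any(d in dnet for dnet in dnets) for snet, dnets in acl)


def nat_decision(src: str, dst: str) -> Optional[str]:
    """Mapped source address for a new connection entering on CETCNET, or None
    when the flow is exempt from translation."""
    if acl_permits(NONAT_CETC, src, dst):        # nat 0 is checked first
        return None
    if acl_permits(CETC_INET_NAT, src, dst):     # then nat 10 -> global (inside) 10
        return INSIDE_IF_IP
    # nothing matched: forwarded untranslated (assumes nat-control is off;
    # with nat-control on the packet would be dropped instead)
    return src


def shadowed(specific, broad) -> bool:
    """True when every ACE of `specific` is also matched by `broad`.  Harmless for
    nat 0 against nat 10 because of the evaluation order above; a real problem
    if two ACLs ever end up under the same nat id, where only the first wins."""
    return all(
        any(s.subnet_of(bs) and all(any(d.subnet_of(bd) for bd in bds) for d in ds)
            for bs, bds in broad)
        for s, ds in specific)


def policy_report(flows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """One row per (src, dst) saying what the firewall would do with it."""
    report = []
    for s, d in flows:
        mapped = nat_decision(s, d)
        what = "exempt" if mapped is None else ("untranslated" if mapped == s else "PAT to " + mapped)
        report.append((s, d, what))
    return report


if __name__ == "__main__":
    # constructed flows: a DMZ host to a customer network, to the Internet, and
    # to an address just outside 172.16.0.0/12
    for row in policy_report([("192.168.14.5", "10.20.30.40"),
                              ("192.168.14.5", "8.8.8.8"),
                              ("192.168.14.5", "172.32.0.1")]):
        print(*row)
```

`shadowed()` is the check worth keeping around: it is true for NONAT_CETC against CETC_INET_NAT, which is fine only because the two sit under different nat ids and nat 0 is evaluated first.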
Hi,
Thanks for your response and for your help. I own a Pix too. It works fine. It changes the source port to a port belonging to the port pool.
But the Catalyst 6506 doesn't behave as it should. In the logs, I see this:
(...) wanted 32838 got 1027 (...)
Allocated Port for xxx.235.225.25 -> xxx.xxx.84.225: wanted 32840 got 1024
i: tcp (xxx.235.225.25, 32840) -> (xxx.2.0.36, 21) [27171]
created edit_context (xxx.235.225.25,32840) -> (xxx.2.0.36,21)
TCP s=32840->1024, d=21
where xxx.xxx.84.225 is my NAT address.
So the Catalyst 6506 tries to keep the source port but fails. As I look at the translation table (show ip nat translation), I see that the source port isn't allocated, so why didn't the Catalyst keep it?
My big issue is that there's an ACL on a router above my own router. I can't change this ACL, which denies any request to TCP port 1025. So, as long as the Catalyst 6506 NATs to this port, my users won't be able to access the Internet.
That's the reason why I do need to find a workaround.
Thanks for helping.
Similar Messages
Shared Public IP to two Servers - ASA 5510 8.3. NAT/PAT
I have a situation where we have a single DMZ server currently statically forwarded to a single public IP. TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same public IP) for this server. This server only needs traffic on TCP/8800 forwarded to it.
I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
My question lies in the reconfiguration of NAT/ PAT. Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port. I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
It appears ASDM will not allow me to put multiple ports into a single network object. I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?
OK, so I believe I've truncated this down to what you need in order to give me a hand. Remember that I must configure this using ASDM for screenshot purposes. There is currently a temporary static one-to-one NAT in place for NCAFTP01 until we resolve the outbound issue, but I realize this must be removed to properly test. I'll explain the desired topology below the config:
: Saved
ASA Version 8.3(1)
hostname ASA-SVRRM-5510
domain-name domain.corp
names
name 10.20.1.23 NCASK333
name 10.20.1.40 Barracuda
interface Ethernet0/0
nameif Outside
security-level 0
ip address 1.1.1.3 255.255.255.248
interface Ethernet0/1
description DMZ
nameif DMZ
security-level 20
ip address 172.16.10.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
nameif Inside
security-level 100
ip address 10.20.1.249 255.255.0.0
object network mail.domain.com
host 10.20.1.40
object network NCASK333
host 10.20.1.23
object network obj-10.20.1.218
host 10.20.1.218
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.192.0.0_16
subnet 10.192.0.0 255.255.0.0
object network NETWORK_OBJ_10.20.0.0_16
subnet 10.20.0.0 255.255.0.0
object network Remote Site
host 10.1.1.1
object network NCAFTP01:80
host 172.16.10.10
object network 1.1.1.5
host 1.1.1.5
object network NCASK820
host 10.20.1.61
description Exchange Server/ KMS
object service AS2
service tcp source eq 8800 destination eq 8800
object network NCAFTP01:21
host 172.16.10.10
object network NCAFTP01:443
host 172.16.10.10
object network NCAFTP01:53
host 172.16.10.10
object network NCAFTP01:53UDP
host 172.16.10.10
object network NCAFTP01:8080
host 172.16.10.10
object network NCAFTP01:8500
host 172.16.10.10
object network NCAFTP01:5080
host 172.16.10.10
object network NCADMZ02:8800
host 172.16.10.11
object network NCAFTP01
host 172.16.10.10
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
port-object eq domain
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp traceroute
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq 8080
service-object tcp destination eq 8500
service-object tcp destination eq domain
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
service-object icmp
service-object tcp destination eq 5080
service-object object AS2
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq 8080
port-object eq www
port-object eq https
port-object eq echo
object-group network DM_INLINE_NETWORK_5
network-object 172.16.10.0 255.255.255.0
nat (Inside,any) source static any any destination static obj-10.192.0.0 obj-10.192.0.0
nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
nat (Inside,ATTOutside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
object network mail.domain.com
nat (Inside,ATTOutside) static 1.1.1.4
object network NCASK333
nat (Inside,ATTOutside) static 1.1.1.6
object network obj-10.20.1.218
nat (Inside,ATTOutside) static 1.1.1.2
object network obj_any
nat (Inside,ATTOutside) dynamic interface
object network NCAFTP01:80
nat (any,ATTOutside) static 1.1.1.5 service tcp www www
object network NCAFTP01:21
nat (any,ATTOutside) static 1.1.1.5 service tcp ftp ftp
object network NCAFTP01:443
nat (any,ATTOutside) static 1.1.1.5 service tcp https https
object network NCAFTP01:53
nat (any,ATTOutside) static 1.1.1.5 service tcp domain domain
object network NCAFTP01:53UDP
nat (any,ATTOutside) static 1.1.1.5 service udp domain domain
object network NCAFTP01:8080
nat (any,ATTOutside) static 1.1.1.5 service tcp 8080 8080
object network NCAFTP01:8500
nat (any,ATTOutside) static 1.1.1.5 service tcp 8500 8500
object network NCAFTP01:5080
nat (any,ATTOutside) static 1.1.1.5 service tcp 5080 5080
object network NCADMZ02:8800
nat (any,ATTOutside) static 1.1.1.5 service tcp 8800 8800
object network NCAFTP01
nat (any,ATTOutside) static 1.1.1.5
nat (DMZ,ATTOutside) after-auto source dynamic obj_any interface
timeout xlate 3:00:00
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
class class-default
: end
Coming from the outside to public IP 1.1.1.5, we want ports 80, 443, 8080, 8500, 21, and 53 to translate to NCAFTP01/ 172.16.10.10. We want traffic sent to 1.1.1.5 on "AS2" (tcp port 8800) to translate to NCADMZ02/172.16.10.11.
This part is functional, as you instructed above, I simply needed to create individual PAT statements.
My current issue lies in the outbound translation. When we send a request out from NCAFTP01/ 172.16.10.10 on any port, we want it to translate to a public IP of 1.1.1.5. When we send a request out from NCADMZ02/172.16.10.11, we also want it to translate to 1.1.1.5. So in effect, we want it to NAT both devices outbound to the same public IP, but use PAT inbound. These are the only two devices in our DMZ, so if I can simply translate all traffic from the DMZ network outbound to 1.1.1.5, I feel it would be the simplest solution. My question is if we do this, when a request comes inbound from the outside, would the translation fall over to PAT?
This comes about because the client on the outside requires us to use a specific IP to connect to their EDI server on port 5080. -
NAT/PAT Two private IP's to one Real on the same port.
Hello all.
I have the following situation. A colleague installed a spam blocker (Norton something) and put two IPs on its interfaces, 192.168.2.20 and 192.68.2.21. One will be used to receive and one to send mail, but both on port 25. They use a single real IP, 175.75.67.32. I am using a 5540 ASA with 8.2 IOS.
I am pretty sure this cannot happen, but I got some advice to NAT the outgoing IP/port and then PAT the incoming port to both IPs and it will work. I tried to do it with no success. I know that ASA 8.4 changes everything in NAT/PAT, but is there any way with the newer OS my setup can work or not?
Thanks very much in advance for your help.
ASA 8.4:
receive mail:
nat (inside,outside) source static obj-192.68.2.20 obj-175.75.67.32 service src25 src25
send mail:
nat (inside,outside) source dynamic obj-192.68.2.21 obj-175.75.67.32 service dst25 dst25 -
NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above
Hi folks,
I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASAs, so I'm doing the configs up front!
Everything seems straightforward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3; the PIX was running v6 and I'm used to doing mainly static one-to-one NAT in ASDM.
The scenario is that the PIX has 3 NAT groups which are mapped to 3 separate addresses, with multiple hosts behind the NAT/PAT. The current config of the PIX is as follows (obviously the names are defined further up the config, so this is an extract of the PIX):
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 2 Host_2 255.255.255.255 0 0
nat (inside) 2 Host_3 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 1 Host_6 255.255.255.255 0 0
nat (inside) 1 Host_7 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
ASA Config
After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following. Also, is it easier to just do this in ASDM? It looks pretty easy from YouTube videos, but I'd rather have something NAT-wise to put on the box when I arrive at site, as opposed to working it out there!
Define NAT objects (outside IP addresses)
object network NAT_1_outside_10.50.50.38
host 10.50.50.38
object network NAT_2_outside_10.50.50.39
host 10.50.50.39
object network NAT_3_outside_10.50.50.49
host 10.50.50.49
exit
Define NAT objects (inside IP addresses)
object-group network NAT_1_Objects
network-object Host_4 255.255.255.255
network-object Host_5 255.255.255.255
network-object Host_6 255.255.255.255
network-object Host_7 255.255.255.255
nat (inside,outside) dynamic NAT_1_outside_10.50.50.38
object-group network NAT_2_Objects
network-object Host_1 255.255.255.255
network-object Host_2 255.255.255.255
network-object Host_3 255.255.255.255
nat (inside,outside) dynamic NAT_2_outside_10.50.50.39
object-group network NAT_3_Objects
network-object Network_1 255.255.255.0
nat (inside,outside) dynamic NAT_3_outside_10.50.50.49
Any assistance with this would be appreciated.
cheers
Malcolm
I cannot make heads or tails of what you're trying to accomplish; in plain English first, before looking at the router setup.
If you're talking about hosting servers behind the router on your private LAN (assuming one public WAN IP), then one uses ACLs to control external users individually OR by GROUP, and static NAT to port-forward users to the correct server. One does not worry about groups of users for this direction of NAT rule.
If what you're saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers), then once again I would say you should use ACLs to limit/authorize users and simply use NAT for port translation purposes. So, conceptually speaking, allow all LAN users static NAT, and then only allow group 1 hosts access to the first external IP, group 2 hosts to the second external IP, and group 3 hosts to the third external IP. Note you will have to add a deny rule in the firewall in general, because normally higher-to-lower security interface traffic is allowed by default.
Am I close? Before going any further I need more details on the requirements, never mind the setup. -
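An added example, not the pixtoasa tool and not Cisco code: a Python converter that takes the PIX 6 extract above and emits the ASA 8.3 equivalent. It produces twice (manual) NAT rather than object NAT because in 8.3 a `nat` line attaches to an `object network`, not to an `object-group network`; the group names follow the draft above, and a single-host mapped object gives dynamic PAT, which is what a one-address PIX `global` was. The `nat 0 access-list` line cannot be converted without the ACL body, so it is emitted as a placeholder comment ahead of the dynamic rules, where manual NAT's first-match order needs it. The `Host_n`/`Network_n` names and interface names are taken from the post as-is.

```python
"""PIX 6 nat/global pairs -> ASA 8.3 twice NAT (added example, not Cisco code)."""
import re
from typing import Dict, List, Tuple

# The PIX extract from the post, used as constructed input.
PIX_EXTRACT = """
global (outside) 1 10.50.50.38
global (outside) 2 10.50.50.39
global (outside) 3 10.50.50.49
nat (inside) 0 access-list no-nat-all
nat (inside) 2 Host_1 255.255.255.255 0 0
nat (inside) 2 Host_2 255.255.255.255 0 0
nat (inside) 2 Host_3 255.255.255.255 0 0
nat (inside) 1 Host_4 255.255.255.255 0 0
nat (inside) 1 Host_5 255.255.255.255 0 0
nat (inside) 1 Host_6 255.255.255.255 0 0
nat (inside) 1 Host_7 255.255.255.255 0 0
nat (inside) 3 Network_3 255.255.255.0 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")      # must be tried before NAT_RE
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(?: \d+ \d+)?$")


def parse_pix(text: str):
    """Group the PIX lines by nat id: globals[id] -> [(outside if, mapped ip)],
    pools[(inside if, id)] -> [(name, mask)], exemptions -> [(inside if, acl)]."""
    globals_: Dict[int, List[Tuple[str, str]]] = {}
    pools: Dict[Tuple[str, int], List[Tuple[str, str]]] = {}
    exemptions: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
            continue
        m = NAT0_RE.match(line)
        if m:
            exemptions.append((m.group(1), m.group(2)))
            continue
        m = NAT_RE.match(line)
        if m:
            pools.setdefault((m.group(1), int(m.group(2))), []).append((m.group(3), m.group(4)))
            continue
        raise ValueError("unrecognised PIX line: " + line)
    return globals_, pools, exemptions


def to_asa83(globals_, pools, exemptions) -> List[str]:
    """Emit ASA 8.3 objects, groups and twice-NAT rules, one rule per nat id."""
    out: List[str] = []
    # Manual NAT is matched top-down, so the exemption has to sit ahead of the dynamic rules.
    for inside_if, acl in exemptions:
        out.append(f"! nat ({inside_if}) 0 access-list {acl}: rebuild each ACE as identity twice NAT, e.g.")
        out.append(f"! nat ({inside_if},<outside>) source static <src-obj> <src-obj> "
                   "destination static <dst-obj> <dst-obj>")
    for (inside_if, nat_id), members in pools.items():
        if nat_id not in globals_:
            out.append(f"! nat ({inside_if}) {nat_id} has no matching global; these hosts stay untranslated")
            continue
        for outside_if, mapped in globals_[nat_id]:
            mapped_obj = f"NAT_{nat_id}_{outside_if}_{mapped}"
            group = f"NAT_{nat_id}_Objects"
            out += [f"object network {mapped_obj}", f" host {mapped}", f"object-group network {group}"]
            for name, mask in members:
                out.append(f" network-object host {name}" if mask == "255.255.255.255"
                           else f" network-object {name} {mask}")
            # A single-host mapped object makes this dynamic PAT, matching the
            # one-address PIX global it replaces.
            out.append(f"nat ({inside_if},{outside_if}) source dynamic {group} {mapped_obj}")
    return out


if __name__ == "__main__":
    print("\n".join(to_asa83(*parse_pix(PIX_EXTRACT))))
```

Paste the output into the 8.3 config after the `names` section the PIX already had; the placeholder lines for `no-nat-all` need the ACL's source and destination objects filled in by hand.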
NAT/PAT Setup with internal web server.
Environment:
Web Server inside and 10 internal workstations.
One external public IP address.
Cisco Router 806 with HTTP server enable.
Conditions:
External users have to be able to access the web server.
The internal users have to be able to access the web server via the "EXTERNAL" IP address, since they are using an external DNS.
Scenario:
The internal workstation requests the web server's address from the external DNS.
DNS replies with external IP address.
Workstation attempts to connect to web server via external IP address.
Connection fails at the router showing the router's HTTP logon page.
We are trying to implement NAT/PAT inside, with static assignment to port 80 to the internal web server.
Thanks, Pat Askins.
You need to use the Cisco NAT Virtual Interface.
Example:
Your internal network web server IP is 192.168.1.10/24 on Fa0 of the router; Fa1 has the public IP address 1.1.1.1.
Here is what you need to configure on the NAT router to resolve your issue:
int fa0
ip nat enable
no ip redirects
int fa1
ip nat enable
no ip redirects
ip nat source static tcp 192.168.1.10 80 1.1.1.1 80 overload
ip nat source list 1 interface fa0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
Now you can try to access 1.1.1.1:80 from the inside network. -
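An added example, not IOS code and not the reply's configuration: a Python packet walk of the three behaviours at play above, with the reply's sample addresses (web server 192.168.1.10, router Fa0 192.168.1.1, public 1.1.1.1) and a constructed client 192.168.1.50. Classic `ip nat inside`/`outside` applies the static only to packets entering the outside interface, so the LAN client lands on the router's own HTTP server; rewriting only the destination makes the server answer the client directly from 192.168.1.10:80, which the client's socket rejects; the domain-less (NVI) translation rewrites the destination and overloads the source onto the inside interface address, so the reply comes back through the router and is untranslated. Port collision handling is left out.

```python
"""Hairpin (inside client to public address) packet walk for three router
behaviours: classic inside/outside NAT, destination-only rewrite, and NVI-style
translation with source overload.  Added example, not IOS code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


CLIENT, SERVER = "192.168.1.50", "192.168.1.10"          # client is constructed
ROUTER_INSIDE, ROUTER_PUBLIC = "192.168.1.1", "1.1.1.1"
# ip nat source static tcp 192.168.1.10 80 1.1.1.1 80
STATIC_TCP = {(ROUTER_PUBLIC, 80): (SERVER, 80)}
REVERSE_TCP = {v: k for k, v in STATIC_TCP.items()}


class Router:
    def __init__(self, mode: str) -> None:
        assert mode in ("classic", "dnat-only", "nvi-overload")
        self.mode = mode
        self.xlate: Dict[int, Tuple[str, int]] = {}     # router port -> (client ip, client port)

    def forward(self, pkt: Pkt, ingress: str) -> Tuple[str, Pkt]:
        """Deliver a packet entering `ingress` ('inside' or 'outside');
        returns (next hop, packet as it leaves the router)."""
        real = STATIC_TCP.get((pkt.dst, pkt.dport))
        if real is None or (self.mode == "classic" and ingress == "inside"):
            # Classic NAT applies the static only to packets entering the outside
            # interface; 1.1.1.1:80 from the LAN is therefore the router's own HTTP server.
            return "router", pkt
        if self.mode == "nvi-overload" and ingress == "inside":
            # NVI: destination rewritten on ingress, and because the flow leaves through
            # the same inside interface its source is overloaded to that interface
            # address, so the server's reply must come back via the router.
            self.xlate[pkt.sport] = (pkt.src, pkt.sport)      # port preserved, no collision handling
            return "server", Pkt(ROUTER_INSIDE, pkt.sport, real[0], real[1])
        return "server", Pkt(pkt.src, pkt.sport, real[0], real[1])

    def untranslate_reply(self, pkt: Pkt) -> Optional[Pkt]:
        """Reverse both translations for a server reply addressed to the router."""
        client = self.xlate.get(pkt.dport)
        mapped = REVERSE_TCP.get((pkt.src, pkt.sport))
        if client is None or mapped is None:
            return None
        return Pkt(mapped[0], mapped[1], client[0], client[1])


def simulate(mode: str) -> str:
    """Client opens 1.1.1.1:80 from the LAN; report what its socket ends up seeing."""
    r = Router(mode)
    hop, p = r.forward(Pkt(CLIENT, 40000, ROUTER_PUBLIC, 80), "inside")
    if hop == "router":
        return "router-http-page"
    reply = Pkt(p.dst, p.dport, p.src, p.sport)           # the server answers whoever it saw
    if reply.dst == ROUTER_INSIDE:
        reply = r.untranslate_reply(reply)
    expected = Pkt(ROUTER_PUBLIC, 80, CLIENT, 40000)      # the 4-tuple the client's socket waits for
    if reply == expected:
        return "ok"
    return f"client drops reply from {reply.src}:{reply.sport}"


if __name__ == "__main__":
    for mode in ("classic", "dnat-only", "nvi-overload"):
        print(mode, "->", simulate(mode))
```

The `dnat-only` case is the one people reach for first and is why the `overload` on the static and the `ip nat source list 1 interface fa0 overload` line in the reply matter: without the source rewrite the server's reply bypasses the router and the client sees a connection it never opened.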
What is the problem between NAT/PAT-ed network with SIP?
Hi guys,
I'm not really good at voice, so please bear with me :)
I have a situation where I can't make a VoIP call via SIP using a class 4/5 softswitch behind a NAT/PAT network.
The diagram :
NAT/PAT --- cloud/MPLS --- softswitch.
The softswitch provides an IP Centrex service, so there will be a caller group. The 2nd problem was that in a caller group it can't establish a call originating from IP 1.1 back to IP 1.1. And I can't touch that softswitch (it's Xener; I don't know exactly what type). I'm wondering about this softswitch's capability; is anyone using it?
We have tested using another SIP server (an Asterisk-based softswitch) and sniffed all SIP-related traffic; we get a 403 error and the like, but my opinion is that it's the PE's NAT router that dropped the SIP handshake, so the RTP won't pass through between the caller and called party.
Modifying a single PE is probably easy, but my catch is that, as long as I have some NAT router/firewall along the PE-to-softswitch path, it will not work, correct?
Before I go further with a Cisco Unified Border Element and Session Border Controller proposal, would anyone like to comment on my understanding of the above scenario?
Any help would be appreciated,
thanks.
The NAT Support for SIP feature allows SIP embedded messages passing through a router configured with Network Address Translation (NAT) to be translated and encoded back into the packet. An application layer gateway (ALG) is used with NAT to translate the SIP or SDP messages.
See the following url for more details about NAT support for SIP:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftnatsip.html -
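An added example of what the ALG in the reply above does to a message, not Cisco's implementation: a Python function that rewrites the private address and ports embedded in a SIP INVITE (Via, Contact, and the SDP `o=`, `c=` and `m=` lines), fixes Content-Length, and returns the RTP pinholes the NAT must open. The INVITE is constructed (the Call-ID and branch values are the familiar RFC 3261 samples), the port allocator is a stand-in for the NAT's own xlate logic, and From/To are deliberately left alone. Without these rewrites the far end sends RTP to 10.0.0.5, which is the "RTP won't pass" symptom described above.

```python
"""SIP/SDP application layer gateway rewrite (added example, not Cisco code)."""
import re
from typing import Dict, List, Tuple


class PortAllocator:
    """Port-preserving allocator standing in for the NAT's own translation table."""
    def __init__(self, taken=()):
        self.taken = set(taken)
        self.map: Dict[int, int] = {}

    def get(self, private_port: int) -> int:
        if private_port in self.map:                      # same private port -> same mapped port
            return self.map[private_port]
        port = private_port if private_port not in self.taken else \
            next(p for p in range(1024, 65536) if p not in self.taken)
        self.taken.add(port)
        self.map[private_port] = port
        return port


def sip_alg(message: bytes, private_ip: str, mapped_ip: str,
            alloc: PortAllocator) -> Tuple[bytes, List[Tuple[str, int, int]]]:
    """Rewrite the embedded private endpoint in a SIP message.
    Returns (rewritten message, pinholes) where each pinhole is
    (proto, mapped port, private port) for a media stream the NAT must admit."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a SIP message: no header/body separator")
    priv, mapped = private_ip.encode(), mapped_ip.encode()
    # host with optional :port, followed by a delimiter so 10.0.0.5 never matches 10.0.0.50
    hostport = re.compile(re.escape(priv) + rb"(?::(\d+))?(?=[;>\s]|$)")

    def rewrite_hostport(m):
        port = int(m.group(1)) if m.group(1) else 5060
        return mapped + b":%d" % alloc.get(port)

    headers = []
    for line in head.split(b"\r\n"):
        name = line.split(b":", 1)[0].strip().lower()
        if name in (b"via", b"contact"):                  # signalling endpoint lives here
            line = hostport.sub(rewrite_hostport, line)
        headers.append(line)

    pinholes: List[Tuple[str, int, int]] = []
    sdp = []
    for line in body.split(b"\r\n"):
        if line.startswith((b"c=", b"o=")):               # media connection / origin address
            line = line.replace(priv, mapped)
        elif line.startswith(b"m="):                      # m=audio <port> RTP/AVP ...
            fields = line.split(b" ")
            private_port = int(fields[1])
            mapped_port = alloc.get(private_port)
            fields[1] = b"%d" % mapped_port
            pinholes.append(("udp", mapped_port, private_port))
            line = b" ".join(fields)
        sdp.append(line)
    new_body = b"\r\n".join(sdp)

    # the body may have changed length (49170 -> 1024), so Content-Length must follow
    headers = [b"Content-Length: %d" % len(new_body) if h.lower().startswith(b"content-length:") else h
               for h in headers]
    return b"\r\n".join(headers) + b"\r\n\r\n" + new_body, pinholes


def content_length_ok(message: bytes) -> bool:
    head, _, body = message.partition(b"\r\n\r\n")
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    return m is not None and int(m.group(1)) == len(body)


def build_invite(private_ip: str = "10.0.0.5", rtp_port: int = 49170) -> bytes:
    """Constructed INVITE from a phone behind NAT; sample data, not a capture."""
    p = private_ip.encode()
    sdp = b"".join(l + b"\r\n" for l in [
        b"v=0", b"o=alice 2890844526 2890844526 IN IP4 " + p, b"s=-",
        b"c=IN IP4 " + p, b"t=0 0", b"m=audio %d RTP/AVP 0" % rtp_port,
        b"a=rtpmap:0 PCMU/8000"])
    hdr = b"".join(l + b"\r\n" for l in [
        b"INVITE sip:bob@203.0.113.9 SIP/2.0",
        b"Via: SIP/2.0/UDP " + p + b":5060;branch=z9hG4bK776asdhds",
        b"From: <sip:alice@" + p + b">;tag=1928301774",
        b"To: <sip:bob@203.0.113.9>",
        b"Call-ID: a84b4c76e66710",
        b"CSeq: 314159 INVITE",
        b"Contact: <sip:alice@" + p + b":5060>",
        b"Content-Type: application/sdp",
        b"Content-Length: %d" % len(sdp)])
    return hdr + b"\r\n" + sdp


if __name__ == "__main__":
    out, holes = sip_alg(build_invite(), "10.0.0.5", "198.51.100.7", PortAllocator(taken={49170}))
    print(out.decode())
    print("pinholes:", holes)
```

The pinhole list is the half people forget: a NAT without the ALG might still forward the INVITE, but nothing opens 49170/udp inbound, so the 200 OK is answered and the audio is one-way or absent.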
Question on best practice for NAT/PAT and client access to firewall IP
Imagine that I have this scenario:
Client(IP=192.168.1.1/24)--[CiscoL2 switch]--Router--CiscoL2Switch----F5 Firewall IP=10.10.10.1/24 (only one NIC, there is not outbound and inbound NIC configuration on this F5 firewall)
One of my users is complaining about the following:
When clients receive traffic from the F5 firewall (apparently the firewall is doing PAT, not NAT), the client sees the IP address 10.10.10.1.
Do you see this as a problem? Should I make another IP address range available and do NAT properly so that clients will not see the firewall IP address? I don't see this situation as a problem, but please let me know if I am wrong.
Hi,
Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that uses the same global IP address, but different ports
And for PAT you cannot use the same pair of local and global address in multiple static statements between the same two interfaces.
Regards
Bjornarsb -
Best practices for NAT/PAT?
Greetings:
My setup is
Cisco 1811 serving as a router/firewall to several Windows 2003 servers at an ISP. I've configured NAT on the router to expose the HTTP, HTTPS, and SMTP ports on each of the servers to a unique public IP address within my x.x.x.230/29 address space.
The WAN port on the 1811 is configured with x.x.x.230/29. On server A I NAT ports 25, 80, and 443 on that same x.x.x.230 address, while managing the 1811 itself using SSH on that same address as well.
On server B (local IP 192.168.0.3), I NAT x.x.x.231 for ports 25, 80, and 443. On server C (local IP 192.168.0.4), I NAT the x.x.x.232 address for the same ports.
Can anyone offer a critique of this configuration and offer some ideas of the best practices topology-wise for providing routing, vpn and firewall functionality for these servers?
My question arises because now I have a site to site VPN with Server B at the local end and I am unable to connect to the server B smtp port due to the following nat statements. I can confirm that this is the case since by removing the statement I am able to connect.
Here is the NAT section of the show run:
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.0.2 80 interface FastEthernet0 80
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.3 25 x.x.x.231 25 extendable
ip nat inside source static tcp 192.168.0.3 80 x.x.x.231 80 extendable
ip nat inside source static tcp 192.168.0.3 443 x.x.x.231 443 extendable
ip nat inside source static tcp 192.168.0.4 25 x.x.x.232 25 extendable
ip nat inside source static tcp 192.168.0.4 80 x.x.x.232 80 extendable
ip nat inside source static tcp 192.168.0.4 443 x.x.x.232 443 extendable
Would appreciate any and all comments on the way it is currently configured, as well as:
- How I might be able to change the config to follow a best-practice arrangement for the router/firewall and these servers.
TIA
Hi,
Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that uses the same global IP address, but different ports
And for PAT you cannot use the same pair of local and global address in multiple static statements between the same two interfaces.
Regards
Bjornarsb -
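An added example, not ASA code: a Python rule table that applies the conflict checks from the identical reply in the two threads above and then answers the two questions the ASA 5510 8.3 thread raised, namely how inbound ports on one public address split between two DMZ hosts and why outbound traffic from the second host on any other port needs a dynamic rule. The addresses (1.1.1.5, 172.16.10.10/.11, 175.75.67.32, 192.68.2.20/.21, 50.245.59.98) are the posters' values reused as constructed sample data; the `mapped-address conflict with existing static` wording is the ASA's own, as quoted in the 5505 thread further down. One modelling choice to be aware of: a plain static is refused when it shares a mapped address with port-specific statics, which is the reading of the reply above; the 8.3 config posted earlier does carry both for 1.1.1.5, so treat that check as the conservative one.

```python
"""Static NAT / static PAT rule table with conflict checks and bidirectional
lookup (added example, not ASA code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None      # None: plain static NAT, every protocol and port
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

    @property
    def is_pat(self) -> bool:
        return self.proto is not None


@dataclass(frozen=True)
class Dynamic:
    real_if: str
    mapped_if: str
    real_net: str                    # CIDR of the real hosts
    mapped_ip: str                   # a single address: dynamic PAT


class NatTable:
    def __init__(self) -> None:
        self.statics: List[Static] = []
        self.dynamics: List[Dynamic] = []

    def add_static(self, rule: Static) -> None:
        for r in self.statics:
            if (r.real_if, r.mapped_if, r.mapped_ip) != (rule.real_if, rule.mapped_if, rule.mapped_ip):
                continue
            if not (r.is_pat and rule.is_pat):
                # a plain static owns every port of the mapped address
                raise ValueError("mapped-address conflict with existing static "
                                 f"{r.real_if}:{r.real_ip} to {r.mapped_if}:{r.mapped_ip}")
            if (r.proto, r.mapped_port) == (rule.proto, rule.mapped_port):
                raise ValueError(f"{rule.proto}/{rule.mapped_port} on {rule.mapped_ip} "
                                 f"is already forwarded to {r.real_ip}")
        self.statics.append(rule)

    def add_dynamic(self, rule: Dynamic) -> None:
        self.dynamics.append(rule)

    def inbound(self, mapped_if: str, dst_ip: str, proto: str, dst_port: int):
        """Where a new connection arriving on mapped_if for dst_ip:dst_port goes:
        (real ip, real port), or None when no static matches."""
        for r in self.statics:
            if r.mapped_if != mapped_if or r.mapped_ip != dst_ip:
                continue
            if not r.is_pat:
                return r.real_ip, dst_port
            if r.proto == proto and r.mapped_port == dst_port:
                return r.real_ip, r.real_port
        return None

    def outbound(self, real_if: str, src_ip: str, proto: str, src_port: int):
        """(mapped ip, mapped port, how) for a connection leaving real_if.  A static
        PAT only covers its own real port; every other port needs a plain static or
        a dynamic rule, which is the gap behind the 'outbound translation' question."""
        addr = ipaddress.ip_address(src_ip)
        for r in self.statics:
            if r.real_if != real_if or r.real_ip != src_ip:
                continue
            if not r.is_pat:
                return r.mapped_ip, src_port, "static"
            if r.proto == proto and r.real_port == src_port:
                return r.mapped_ip, r.mapped_port, "static-pat"
        for d in self.dynamics:
            if d.real_if == real_if and addr in ipaddress.ip_network(d.real_net):
                return d.mapped_ip, None, "dynamic-pat"      # port is picked when the xlate is built
        return None


def conflict_message(table: NatTable, rule: Static) -> Optional[str]:
    """Dry-run add_static: the error text the rule would produce, or None if it fits."""
    try:
        table.add_static(rule)
    except ValueError as exc:
        return str(exc)
    table.statics.pop()
    return None


def shared_public_ip_table() -> NatTable:
    """The 5510 layout: 1.1.1.5 forwards six TCP ports and udp/53 to NCAFTP01 and
    tcp/8800 to NCADMZ02; both hosts leave on 1.1.1.5 through one dynamic rule."""
    t = NatTable()
    for p in (80, 443, 8080, 8500, 21, 53):
        t.add_static(Static("DMZ", "Outside", "172.16.10.10", "1.1.1.5", "tcp", p, p))
    t.add_static(Static("DMZ", "Outside", "172.16.10.10", "1.1.1.5", "udp", 53, 53))
    t.add_static(Static("DMZ", "Outside", "172.16.10.11", "1.1.1.5", "tcp", 8800, 8800))
    t.add_dynamic(Dynamic("DMZ", "Outside", "172.16.10.0/24", "1.1.1.5"))
    return t
```

The dynamic rule in `shared_public_ip_table()` is the piece the 5510 thread was missing: its posted `after-auto` rule PATs the DMZ to the interface address rather than to 1.1.1.5, so NCADMZ02's outbound EDI connection would not source from the address the remote side expects.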
I have a Cisco PIX 520 that I know nothing about. The problem I have come into is that my NAT pool is running dry and I am getting clients without access to the Internet. I would like to add a PAT, but I have no idea what I am doing or where to start.
Could someone give me the proper commands to do this?
I don't know what more information you need so please ask questions!
Thanks.
OK, I added the PAT on Monday morning. First I ran 'global (outside) 1 123.123.123.63 netmask 255.255.255.255' and I got a warning which I can't remember the exact wording of, but it was something to the effect of it being a broadcast IP. So instead of saving that setting I exited out of the system and then added 'global (outside) 1 123.123.123.14 netmask 255.255.255.255' and then did the 'write memory' command. I ran 'sh global' and got:
pix# sh global
global (outside) 1 123.123.123.35-123.123.123.62 netmask 255.255.255.0
global (outside) 1 123.123.123.63 netmask 255.255.255.255
global (outside) 1 123.123.123.14 netmask 255.255.255.255
As you can see it saved both the PAT entries; not sure if this is going to be a problem, and I am not sure what the command is to delete the entry.
Monday afternoon I found out that some clients were still having trouble connecting to the internet. I did some investigating and found that I need to run 'clear xlate' for the PAT to work. I did so and everything has seemed fine until today.
On my test machine I wasn't able to connect to the internet. I ran 'sh xlate' and got this:
pix# sh xlate
87 in use, 99 most used
Global 123.123.123.38 Local 192.168.74.87
Global 123.123.123.58 Local 192.168.74.58
Global 123.123.123.61 Local 192.168.74.99
Global 123.123.123.46 Local 192.168.74.14
Global 123.123.123.41 Local 192.168.74.95
Global 123.123.123.39 Local 192.168.74.124
Global 123.123.123.52 Local 192.168.74.123
Global 123.123.123.35 Local 192.168.74.17
Global 123.123.123.43 Local 192.168.74.43
Global 123.123.123.48 Local 192.168.74.105
Global 123.123.123.47 Local 192.168.74.128
Global 123.123.123.30 Local 192.168.74.30
Global 123.123.123.33 Local 192.168.74.33
Global 123.123.123.45 Local 192.168.74.31
Global 123.123.123.50 Local 192.168.74.101
Global 123.123.123.37 Local 192.168.74.93
Global 123.123.123.60 Local 192.168.74.60
Global 123.123.123.10 Local 192.168.74.10
Global 123.123.123.57 Local 192.168.74.89
Global 123.123.123.56 Local 192.168.74.56
PAT Global 123.123.123.63(1469) Local 192.168.74.94(1890)
PAT Global 123.123.123.63(1471) Local 192.168.74.94(1892)
PAT Global 123.123.123.63(1470) Local 192.168.74.94(1891)
PAT Global 123.123.123.63(1497) Local 192.168.74.94(1918)
PAT Global 123.123.123.63(1496) Local 192.168.74.94(1917)
PAT Global 123.123.123.63(1499) Local 192.168.74.94(1920)
PAT Global 123.123.123.63(1498) Local 192.168.74.94(1919)
PAT Global 123.123.123.63(1501) Local 192.168.74.94(1923)
PAT Global 123.123.123.63(1500) Local 192.168.74.94(1921)
PAT Global 123.123.123.63(1503) Local 192.168.74.94(1925)
PAT Global 123.123.123.63(1502) Local 192.168.74.94(1924)
PAT Global 123.123.123.63(1489) Local 192.168.74.94(1910)
PAT Global 123.123.123.63(1488) Local 192.168.74.94(1909)
PAT Global 123.123.123.63(1491) Local 192.168.74.94(1912)
PAT Global 123.123.123.63(1490) Local 192.168.74.94(1911)
PAT Global 123.123.123.63(1493) Local 192.168.74.94(1914)
PAT Global 123.123.123.63(1492) Local 192.168.74.94(1913)
PAT Global 123.123.123.63(1495) Local 192.168.74.94(1916)
PAT Global 123.123.123.63(1494) Local 192.168.74.94(1915)
PAT Global 123.123.123.63(1481) Local 192.168.74.94(1902)
PAT Global 123.123.123.63(1480) Local 192.168.74.94(1901)
PAT Global 123.123.123.63(1483) Local 192.168.74.94(1904)
PAT Global 123.123.123.63(1482) Local 192.168.74.94(1903)
PAT Global 123.123.123.63(1485) Local 192.168.74.94(1906)
PAT Global 123.123.123.63(1484) Local 192.168.74.94(1905)
PAT Global 123.123.123.63(1487) Local 192.168.74.94(1908)
PAT Global 123.123.123.63(1486) Local 192.168.74.94(1907)
PAT Global 123.123.123.63(1473) Local 192.168.74.94(1894)
PAT Global 123.123.123.63(1472) Local 192.168.74.94(1893)
PAT Global 123.123.123.63(1475) Local 192.168.74.94(1896)
PAT Global 123.123.123.63(1474) Local 192.168.74.94(1895)
PAT Global 123.123.123.63(1477) Local 192.168.74.94(1898)
PAT Global 123.123.123.63(1476) Local 192.168.74.94(1897)
PAT Global 123.123.123.63(1479) Local 192.168.74.94(1900)
PAT Global 123.123.123.63(1478) Local 192.168.74.94(1899)
PAT Global 123.123.123.63(1513) Local 192.168.74.94(1935)
PAT Global 123.123.123.63(1512) Local 192.168.74.94(1934)
PAT Global 123.123.123.63(1515) Local 192.168.74.94(1937)
PAT Global 123.123.123.63(1514) Local 192.168.74.94(1936)
PAT Global 123.123.123.63(1517) Local 192.168.74.94(1939)
PAT Global 123.123.123.63(1516) Local 192.168.74.94(1938)
PAT Global 123.123.123.63(1518) Local 192.168.74.94(1940)
PAT Global 123.123.123.63(1505) Local 192.168.74.94(1927)
PAT Global 123.123.123.63(1504) Local 192.168.74.94(1926)
PAT Global 123.123.123.63(1507) Local 192.168.74.94(1929)
PAT Global 123.123.123.63(1506) Local 192.168.74.94(1928)
PAT Global 123.123.123.63(1509) Local 192.168.74.94(1931)
PAT Global 123.123.123.63(1508) Local 192.168.74.94(1930)
PAT Global 123.123.123.63(1511) Local 192.168.74.94(1933)
PAT Global 123.123.123.63(1510) Local 192.168.74.94(1932)
Global 123.123.123.59 Local 192.168.74.116
Global 123.123.123.9 Local 192.168.74.9
Global 123.123.123.54 Local 192.168.74.96
Global 123.123.123.18 Local 192.168.74.18
Global 123.123.123.15 Local 192.168.74.15
Global 123.123.123.11 Local 192.168.74.11
Global 123.123.123.24 Local 192.168.74.24
Global 123.123.123.32 Local 192.168.74.32
Global 123.123.123.44 Local 192.168.74.44
Global 123.123.123.49 Local 192.168.74.108
Global 123.123.123.36 Local 192.168.74.106
Global 123.123.123.55 Local 192.168.74.55
Global 123.123.123.51 Local 192.168.74.102
Global 123.123.123.40 Local 192.168.74.40
Global 123.123.123.42 Local 192.168.74.42
Global 123.123.123.53 Local 192.168.74.114
Global 123.123.123.62 Local 192.168.74.97
Global 123.123.123.34 Local 192.168.74.34
Global 123.123.123.26 Local 192.168.74.26
As you see I have 87 in use, 99 most used. I don't even have that many systems in the building. All the PAT global connections are my test machine.
After a few minutes I was able to connect to the internet without doing anything. I ran 'sh xlate' again and got:
pix# sh xlate
39 in use, 99 most used
Global 123.123.123.38 Local 192.168.74.87
Global 123.123.123.58 Local 192.168.74.58
Global 123.123.123.61 Local 192.168.74.99
Global 123.123.123.46 Local 192.168.74.94
Global 123.123.123.41 Local 192.168.74.95
Global 123.123.123.39 Local 192.168.74.124
Global 123.123.123.52 Local 192.168.74.123
Global 123.123.123.35 Local 192.168.74.17
Global 123.123.123.43 Local 192.168.74.43
Global 123.123.123.48 Local 192.168.74.105
Global 123.123.123.47 Local 192.168.74.128
Global 123.123.123.30 Local 192.168.74.30
Global 123.123.123.45 Local 192.168.74.31
Global 123.123.123.50 Local 192.168.74.101
Global 123.123.123.37 Local 192.168.74.93
Global 123.123.123.60 Local 192.168.74.60
Global 123.123.123.10 Local 192.168.74.10
Global 123.123.123.57 Local 192.168.74.89
Global 123.123.123.56 Local 192.168.74.56
PAT Global 123.123.123.63(1589) Local 192.168.74.94(2011)
PAT Global 123.123.123.63(1588) Local 192.168.74.94(2010)
PAT Global 123.123.123.63(1590) Local 192.168.74.94(2012)
Global 123.123.123.59 Local 192.168.74.116
Global 123.123.123.9 Local 192.168.74.9
Global 123.123.123.54 Local 192.168.74.96
Global 123.123.123.18 Local 192.168.74.18
Global 123.123.123.15 Local 192.168.74.15
Global 123.123.123.11 Local 192.168.74.11
Global 123.123.123.24 Local 192.168.74.24
Global 123.123.123.32 Local 192.168.74.32
Global 123.123.123.49 Local 192.168.74.108
Global 123.123.123.36 Local 192.168.74.106
Global 123.123.123.55 Local 192.168.74.55
Global 123.123.123.51 Local 192.168.74.102
Global 123.123.123.40 Local 192.168.74.40
Global 123.123.123.53 Local 192.168.74.114
Global 123.123.123.62 Local 192.168.74.97
Global 123.123.123.34 Local 192.168.74.34
Global 123.123.123.26 Local 192.168.74.26
So as soon as my test machine connected it dropped to 39 in use, 99 most used. I'm not sure why that happened.
So my next questions for you are,
1. Do you know what that error is that I got from the first PAT entry?
2. Is it bad that I currently have two PAT's?
3. If I have to remove one of the PAT's what is the command for doing so?
4. Why did it take a few minutes before I could get out to the internet from my test machine?
5. Why did the PAT show so many IP's running through it before it connected and so few after?
Everything is going well so far and I appreciate everything you have done for me this far. I would still be banging my head against a wall if it wasn't for you.
Thank you. -
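An added example, not PIX or IOS code, that covers both the Catalyst 6506 port-allocation question near the top of the page ("wanted 32840 got 1024", with TCP/1025 blocked upstream) and this PIX 520 thread: a Python translation table with a one-to-one pool tried first, a PAT address used once the pool is dry, source-port preservation with fallback to the lowest free port in the same range, a set of ports to avoid (what any workaround for the upstream ACL has to achieve), idle timeout, and `clear xlate`. The three port ranges are modelled as 1-511, 512-1023 and 1024-65535; the addresses are the poster's sample ranges and the traffic is constructed. It reproduces the two things the poster saw: a host under PAT counts one xlate per connection (the "87 in use"), and the same host gets a one-to-one entry again as soon as a pool address is freed.

```python
"""PIX/IOS-style translation table: pool first, then PAT with port preservation
(added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Modelled port ranges: a source port is kept, or replaced from the same range.
PORT_RANGES = ((1, 511), (512, 1023), (1024, 65535))


@dataclass
class Xlate:
    local: Tuple[str, Optional[int]]       # (ip, port); port None for a one-to-one entry
    global_: Tuple[str, Optional[int]]
    last_used: float


class XlateTable:
    def __init__(self, pool: List[str], pat_ip: str, excluded_ports=(), timeout: float = 3 * 3600):
        self.pool = list(pool)               # free one-to-one globals: global (outside) 1 a-b
        self.pat_ip = pat_ip                 # global (outside) 1 <single address>
        self.excluded: Set[int] = set(excluded_ports)   # ports never handed out (e.g. 1025)
        self.timeout = timeout               # timeout xlate 3:00:00
        self.entries: Dict[Tuple[str, Optional[int]], Xlate] = {}

    def _pat_ports_in_use(self) -> Set[int]:
        return {e.global_[1] for e in self.entries.values() if e.global_[1] is not None}

    def _alloc_port(self, wanted: int) -> int:
        used = self._pat_ports_in_use()
        if wanted not in self.excluded and wanted not in used:
            return wanted                    # source port preserved
        lo, hi = next(r for r in PORT_RANGES if r[0] <= wanted <= r[1])
        for p in range(lo, hi + 1):          # same range, lowest free: "wanted 32840 got 1024"
            if p not in self.excluded and p not in used:
                return p
        raise RuntimeError("PAT port range %d-%d exhausted" % (lo, hi))

    def translate(self, src_ip: str, src_port: int, now: float) -> Tuple[str, int]:
        """Global (ip, port) for a new connection from src_ip:src_port at time `now`."""
        self.expire(now)
        one = self.entries.get((src_ip, None))
        if one is not None:                  # host already holds a one-to-one address
            one.last_used = now
            return one.global_[0], src_port
        if self.pool:                        # pool first; PAT only when it has run dry
            g = self.pool.pop(0)
            self.entries[(src_ip, None)] = Xlate((src_ip, None), (g, None), now)
            return g, src_port
        key = (src_ip, src_port)             # PAT: one entry per connection
        e = self.entries.get(key)
        if e is None:
            e = Xlate(key, (self.pat_ip, self._alloc_port(src_port)), now)
            self.entries[key] = e
        e.last_used = now
        return e.global_[0], e.global_[1]

    def expire(self, now: float) -> int:
        """Drop idle entries; one-to-one addresses return to the pool."""
        dropped = 0
        for key, e in list(self.entries.items()):
            if now - e.last_used >= self.timeout:
                del self.entries[key]
                dropped += 1
                if e.global_[1] is None:
                    self.pool.append(e.global_[0])
        return dropped

    def clear_xlate(self) -> None:
        """'clear xlate': everything goes, which is why hosts that already held a
        translation only picked up the new global after it was run."""
        self.expire(float("inf"))

    def in_use(self) -> int:                 # the 'N in use' counter of show xlate
        return len(self.entries)

    def show_xlate(self) -> List[str]:
        lines = []
        for e in self.entries.values():
            if e.global_[1] is None:
                lines.append("Global %s Local %s" % (e.global_[0], e.local[0]))
            else:
                lines.append("PAT Global %s(%d) Local %s(%d)"
                             % (e.global_[0], e.global_[1], e.local[0], e.local[1]))
        return lines


if __name__ == "__main__":
    # constructed run: a two-address pool so it empties quickly, PAT on .63, port 1025 avoided
    t = XlateTable(["123.123.123.35", "123.123.123.36"], "123.123.123.63", excluded_ports={1025})
    for ip, port, when in [("192.168.74.17", 3000, 0), ("192.168.74.58", 3001, 0),
                           ("192.168.74.94", 1890, 10), ("192.168.74.94", 1025, 11)]:
        print(ip, port, "->", t.translate(ip, port, when))
    print("\n".join(t.show_xlate()))
```

Two PAT globals under the same id, as in the `sh global` output above, would simply be two candidate PAT addresses in this model; the exclusion set is where a blocked upstream port has to be expressed, since port preservation alone cannot avoid it.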
ASA5505 NAT CONFIG QUESTION? OPEN STATIC IP
8.2
Hi all,
Here is my scenario, and I have worked on this with TAC support over the last month; we finally made progress by getting our ISP to activate the 5 static IPs, but here is my issue.
Basically we have a VoIP phone that is "remote". This phone needs to come through the public IP to an internal address of 192.168.10.57.
We tried only allowing certain "ports" to pass, such as SIP and RTP, but the remote phone still cannot reach the phone server at 192.168.10.57.
So
I want to open it completely, as this phone PC is the ONLY device on that public IP.
So my 2 questions are:
What do I need to configure as a rule/command to make this happen, where I want the public IP of 50.x.x.x to correlate directly and openly to the internal IP of 192.168.10.57?
Also, what is the command to allow the public IP to be pingable, so I can just confirm that it is reachable? I know at the very end we turned it off with a sort of ICMP command.
Thank you all for your time and help. If you need more info please ask.
Thank you very much for your help.
I applied
access-list out-in extended permit icmp any host 50.x.x.x
and now I can ping. TY
But,
I applied
static (inside,outside) 50.245.59.98 192.168.10.57 netmask 255.255.255.255
And got this error:
ciscoasa(config)# static (inside,outside) 50.245.59.98 192.168.10.57 netmask 2$
ERROR: mapped-address conflict with existing static
inside:192.168.10.57 to outside:50.245.59.98 netmask 255.255.255.255
I just want this port "wide open" to see if the remote phone will connect to it.
Here is my edited sh run:
ASA Version 8.2(1)
hostname ciscoasa
enable password PfdcbR/f90Mel1yp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.X.X.X 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner login
banner login &
banner login ~
banner login ***********Warning*******
banner login
banner login ^
ftp mode passive
access-list out-in extended permit tcp any host 50.X.X.X eq 3462
access-list out-in extended permit tcp any host 50.X.X.X eq sip
access-list out-in extended permit tcp any host 40.X.X.X eq ftp-data
access-list out-in extended permit tcp any host 40.X.X.X eq ftp
access-list out-in extended permit icmp any host 50.X.X.X
access-list split standard permit 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.169.169.0 255.255.255.0
access-list FTP remark Allow
access-list FTP extended permit tcp any eq ftp any eq ftp
access-list FTP extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool 192.169.169.1-192.169.169.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255
static (inside,outside) 50.X.X.X 192.168.10.57 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 50.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
svc enable
port-forward rdpfromsslvpn 5050 50.X.X.X 5050 remote desktop server from ssl vpn
tunnel-group-list enable
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
banner value *****************************WARNING**********************************
banner value Access Beyond This Point Requires Prior Authorization from your Network Administrator
banner value ****************************************************************************
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
webvpn
url-list none
svc ask enable default webvpn
username aalmonte password m7vzxUlfTDi05gS6 encrypted privilege 0
username aalmonte attributes
vpn-group-policy RemoteAccess
username mmaccormack password IWIdkIPCDtg4CmHR encrypted privilege 0
username mmaccormack attributes
vpn-group-policy RemoteAccess
username lmaccormack password qRsbIpdvRgZhIVS/ encrypted privilege 0
username lmaccormack attributes
vpn-group-policy RemoteAccess
username admin password V8ctuy0OtxmDU4HD encrypted privilege 15
username rdirkee password mHVkPntgw4LQyh.U encrypted
username rdirkee attributes
service-type remote-access
username wmaccormack password AhNi5Rk6JFlHU9Fy encrypted privilege 0
username wmaccormack attributes
vpn-group-policy RemoteAccess
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username rickg password 46/GVMAZTuz4ywzs encrypted privilege 0
username rickg attributes
vpn-group-policy RemoteAccess
service-type remote-access
username jgoucher password fMhOfzHeEB1lu9z6 encrypted privilege 0
username jgoucher attributes
vpn-group-policy RemoteAccess
username smaccormack password LCkB1kwdtIbPmtQK encrypted privilege 0
username smaccormack attributes
vpn-group-policy RemoteAccess
username rmaccormack password JG98o0q2ozZeYYrv encrypted privilege 0
username rmaccormack attributes
vpn-group-policy RemoteAccess
username bmaccormack password JTx67mnIFw62G6kx encrypted privilege 0
username bmaccormack attributes
vpn-group-policy RemoteAccess
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool ippool
default-group-policy RemoteAccess
tunnel-group RemoteAccess webvpn-attributes
group-alias RemoteAccess enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
TYVM -
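An added example, not code from the post above or from Cisco: a small Python linter for ASA 8.2 `static` and `access-list` lines, run against a constructed excerpt of the `sh run` above with 203.0.113.98 standing in for the redacted 50.X.X.X (an assumption). It does the two checks a reviewer would otherwise do by eye: whether a one-to-one `static` claims a mapped address that another one-to-one `static` already holds, which is the condition behind "ERROR: mapped-address conflict with existing static" when the identical line is entered a second time, and which entries of the interface ACL actually reach a mapped address, so you can see whether a mapping meant to be "wide open" has a `permit ip` line at all. It also lists management services (`ssh`, `telnet`, `http`) opened to 0.0.0.0 0.0.0.0 on an interface, since the posted config has one of those on the outside.

```python
from collections import defaultdict

# Constructed excerpt of the posted configuration (203.0.113.98 replaces 50.X.X.X).
SAMPLE_CONFIG = """\
access-list out-in extended permit tcp any host 203.0.113.98 eq 3462
access-list out-in extended permit tcp any host 203.0.113.98 eq sip
access-list out-in extended permit icmp any host 203.0.113.98
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255
static (inside,outside) 203.0.113.98 192.168.10.57 netmask 255.255.255.255
access-group out-in in interface outside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""
# The line the poster typed again; it is already present in the running config.
REENTERED_STATIC = "static (inside,outside) 203.0.113.98 192.168.10.57 netmask 255.255.255.255"


def parse_static(line):
    """static (real_if,mapped_if) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask MASK"""
    tok = line.split()
    if not tok or tok[0] != "static":
        return None
    i, proto = 2, None
    if tok[i] in ("tcp", "udp"):
        proto, i = tok[i], i + 1
    if proto:
        mapped, mport, real, rport = tok[i:i + 4]
    else:
        (mapped, real), mport, rport = tok[i:i + 2], None, None
    return {"proto": proto, "mapped": mapped, "mport": mport, "real": real, "rport": rport}


def _addr(tok):
    """Consume one ACL address term: any | host X | NET MASK."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    return f"{tok[0]} {tok[1]}", tok[2:]


def parse_acl(line):
    """access-list NAME extended permit|deny PROTO SRC DST [eq PORT]"""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
        return None
    name, action, proto = tok[1], tok[3], tok[4]
    src, rest = _addr(tok[5:])
    dst, rest = _addr(rest)
    port = rest[1] if rest[:1] == ["eq"] else None
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def static_conflicts(lines):
    """Mapped addresses claimed by more than one one-to-one static -> their real addresses.
    Only this duplicate-claim case is checked; port statics sharing an address are fine."""
    claims = defaultdict(list)
    for s in filter(None, map(parse_static, lines)):
        if s["proto"] is None:
            claims[s["mapped"]].append(s["real"])
    return {m: reals for m, reals in claims.items() if len(reals) > 1}


def acl_coverage(lines, acl_name, mapped):
    """(permit entries of acl_name that reach `mapped`, whether one of them is 'permit ip')."""
    hits = [(a["proto"], a["port"]) for a in filter(None, map(parse_acl, lines))
            if a["name"] == acl_name and a["action"] == "permit" and a["dst"] in ("any", mapped)]
    return hits, ("ip", None) in hits


def mgmt_exposure(lines):
    """(service, interface) pairs where ssh/telnet/http is allowed from 0.0.0.0 0.0.0.0."""
    return [(t[0], t[3]) for t in map(str.split, lines)
            if t[:1] and t[0] in ("ssh", "telnet", "http") and t[1:3] == ["0.0.0.0", "0.0.0.0"]]


if __name__ == "__main__":
    lines = SAMPLE_CONFIG.splitlines()
    print("conflict if re-entered :", static_conflicts(lines + [REENTERED_STATIC]))
    print("out-in -> 203.0.113.98 :", acl_coverage(lines, "out-in", "203.0.113.98"))
    print("management open to all :", mgmt_exposure(lines))
```

Run as-is it reports that the re-entered line conflicts with the identical mapping already in the config, that the only `out-in` entries reaching the mapped host are tcp/3462, tcp/sip and icmp (no `permit ip`), and that SSH is open to the whole Internet on the outside interface.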
Dear All,
I have the following question regarding the NAT configuration.
As everyone knows, we have the following terms in NAT terminology:
1- Inside local address, which is the private network, i.e. my LAN IP address.
2- Inside global address, which is the legitimate IP address assigned by the NIC or the ISP, i.e. the real IP address.
Now, the 2 terms I mention are used only in static, dynamic and overloading NAT.
Now, my question is:
1- If I have this real IP address assigned by my ISP, 64.202.88.20, and I have an internal web server inside my company and the web site is on it,
I want to configure NAT to let all the people from outside access this server through NAT itself by HTTP. How can I write the ip nat command?
Which one is the outside local address and which one is the outside global address?
Please reply.
Thanks for your reply.
I have only 2 questions here.
1- This will allow anyone from outside, like the internet, when he types in the browser:
(this IP is assigned, for example, to this domain, www.FAS200.COM)
http://www.fas200.com,
the request will come to this router and there will be a translation from this real IP address to this internal IP address, and the user will never know that there was an internal IP. Is that correct?
2- If I have my Exchange server, and I did the MX record to map to this IP, what is the command?
3- What is the meaning of outside local address and outside global address?
Please update me. -
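An added example, not from the post above or from Cisco: a small Python model of the router's static NAT table so the four terms can be read directly off the packets on each side of the router. The entries correspond to the IOS lines `ip nat inside source static tcp 192.168.1.10 80 64.202.88.20 80` (web) and `ip nat inside source static tcp 192.168.1.20 25 64.202.88.20 25` (the Exchange server an MX record would point at); 64.202.88.20 is the poster's ISP address, while the two LAN addresses and the outside client 198.51.100.7 are assumptions. With no `ip nat outside source` configured, the outside local and outside global addresses come out identical, which is the usual case.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticEntry:
    """One 'ip nat inside source static [tcp|udp] LOCAL [LPORT] GLOBAL [GPORT]' line."""
    inside_local: str
    inside_global: str
    proto: Optional[str] = None       # None: one-to-one static, every protocol and port
    local_port: Optional[int] = None
    global_port: Optional[int] = None

    def matches_outbound(self, pkt):
        return pkt.src == self.inside_local and (
            self.proto is None or (pkt.proto == self.proto and pkt.sport == self.local_port))

    def matches_inbound(self, pkt):
        return pkt.dst == self.inside_global and (
            self.proto is None or (pkt.proto == self.proto and pkt.dport == self.global_port))


class NatRouter:
    def __init__(self, entries):
        self.entries = list(entries)

    def inside_to_outside(self, pkt):
        """Inside local -> inside global on the way out; untouched if no entry matches."""
        for e in self.entries:
            if e.matches_outbound(pkt):
                return replace(pkt, src=e.inside_global,
                               sport=e.global_port if e.proto else pkt.sport)
        return pkt

    def outside_to_inside(self, pkt):
        """Inside global -> inside local on the way in. None: no translation exists,
        so an unsolicited packet for that port is dropped rather than forwarded."""
        for e in self.entries:
            if e.matches_inbound(pkt):
                return replace(pkt, dst=e.inside_local,
                               dport=e.local_port if e.proto else pkt.dport)
        return None


def nat_terms(outside_view, inside_view):
    """The four Cisco terms for one inbound connection, read off the packet on each side."""
    return {
        "inside_local":   inside_view.dst,   # the server as the LAN knows it
        "inside_global":  outside_view.dst,  # the server as the Internet knows it
        "outside_global": outside_view.src,  # the client as the Internet knows it
        "outside_local":  inside_view.src,   # the client as the LAN sees it; same as the
                                             # outside global unless 'ip nat outside source' is used
    }


# Assumed LAN hosts behind the poster's 64.202.88.20 (see the two IOS lines in the lead-in).
ROUTER = NatRouter([
    StaticEntry("192.168.1.10", "64.202.88.20", "tcp", 80, 80),   # web server
    StaticEntry("192.168.1.20", "64.202.88.20", "tcp", 25, 25),   # Exchange, the MX target
])


def inbound_connection(client_ip, client_port, public_port):
    """A client SYN arrives on the outside. Returns (terms, packet delivered inside,
    the server's reply as the client sees it), or (None, None, None) if no static matches."""
    syn = Packet("tcp", client_ip, client_port, "64.202.88.20", public_port)
    inside = ROUTER.outside_to_inside(syn)
    if inside is None:
        return None, None, None
    synack = Packet("tcp", inside.dst, inside.dport, inside.src, inside.sport)  # server answers
    return nat_terms(syn, inside), inside, ROUTER.inside_to_outside(synack)


if __name__ == "__main__":
    terms, inside, reply = inbound_connection("198.51.100.7", 40001, 80)
    print(terms)
    print("server saw:", inside)
    print("client saw:", reply)   # source 64.202.88.20:80; 192.168.1.10 never leaves the LAN
```

The reply the client receives carries 64.202.88.20 as its source, so the browser has no way to learn the 192.168.1.x address; a packet for a port with no static (for example 443 here) gets no translation and is dropped.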
SA520 NAT/PAT not working with NAT address
The SA520 I have is configured on one public IP address and an Exchange server is behind it. The Exchange server is configured with an internal address and the SA520 is performing NAT translation to a unique public address for the email server itself, which is independent of the SA520. It seems that the SA520 is sending email out the NAT address correctly at some times and at other times it seems to be sending the email traffic over the PAT address of the SA520 public address. When this happens the email gets blocked due to spam lists. Then the email will work again correctly, and then go back. If I use a 3rd party website to test the IP address, sometimes I get the correct one and sometimes I get the wrong address.
Is there a way I can confirm that the SA520 NAT settings are correct to allow ALL outbound communications from the Exchange server (which is behind the SA520)? I may have the SA520 configuration wrong and it is possible that the SA520 is only providing inbound PAT for port 25. How do I tell the SA520 to do a 1 to 1 NAT with the Exchange server?
Hi John,
In order to establish a 1 to 1 NAT on the SA 500 series, as in your case, you must first add an IP Alias for your 2nd WAN. Next, you create a Firewall rule to "force" all or selected traffic from your NATed server (LAN) to the WAN to go out through the IP ALIAS address. Finally, we forward specific traffic from the WAN to your NATed Server (LAN) through Firewall Rule(s). See sample wan2lan bitmaps attached. Do this for each of the services that you will allow to come in through the SA 520 to your Server. As long as there are no other Firewall rules overlapping with the newly created rules, traffic to and from your NATed server will come/exit through your ALIAS IP.
We can verify this by performing a WAN Packet Trace (Administration-->Diagnostics-->Packet Trace). After choosing Dedicated WAN as the Network to be captured, click on Start to perform the Packet Capture. Go to your NATed server and perform the following: in a command prompt window ping google.com, then open a browser window and open google.com. On a remote machine, open a web page on your server (OWA?) to test incoming HTTP/HTTPS requests. Stop your capture, and save the packet capture file by pressing the Download button. Open the file with Wireshark/Ethereal and observe the source and destination address of the packets. They should have the ALIAS address and not the WAN IP address.
If the above step is good, then we have to take a look at whether and why your SMTP or email services are not being routed out the ALIAS interface. Repeat the capture steps as above, but this time send an outgoing email, and test an incoming email by emailing an internal account from an outside email account (yahoo, gmail, hotmail).
If you still have failure, and you have IPS or ProtectLink enabled, can you run the steps that failed with IPS and/or ProtectLink both disabled?
If there are issues, you can post the captures as a personal message to me.
I hope the above will help narrow the issue a bit.
Best regards,
Julio -
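An added example, not part of Julio's reply: the same check done over the exported capture instead of by eye in Wireshark. A WAN-side capture only shows the already translated source, so the mail server's sessions are picked out by destination port 25; any such frame whose source is not the alias is one the receiving MTA scored against the WAN address instead of the mail server's. The records are constructed in the shape `tshark -r wan.pcap -T fields -e frame.number -e ip.src -e ip.dst -e ip.proto -e tcp.dstport` produces (tab separated); 203.0.113.10 as the WAN address and 203.0.113.11 as the alias are assumptions.

```python
from collections import Counter

WAN_IP = "203.0.113.10"     # SA520 WAN address (assumed)
ALIAS_IP = "203.0.113.11"   # IP alias the Exchange server is NATed to (assumed)

# Constructed WAN-side capture: frame, ip.src, ip.dst, ip.proto, tcp.dstport (empty for ICMP).
CAPTURE = """\
1\t203.0.113.11\t198.51.100.25\t6\t25
2\t203.0.113.11\t198.51.100.25\t6\t25
3\t203.0.113.10\t192.0.2.9\t6\t443
4\t203.0.113.10\t198.51.100.40\t6\t25
5\t203.0.113.11\t192.0.2.9\t1\t
6\t203.0.113.10\t198.51.100.40\t6\t25
"""


def parse_capture(text):
    rows = []
    for line in text.splitlines():
        frame, src, dst, proto, dport = line.split("\t")
        rows.append({"frame": int(frame), "src": src, "dst": dst,
                     "proto": proto, "dport": dport or None})
    return rows


def smtp_on_wrong_address(rows, alias=ALIAS_IP, port="25"):
    """Frame numbers of outbound SMTP that left with a source other than the alias."""
    return [r["frame"] for r in rows if r["dport"] == port and r["src"] != alias]


def sources_by_service(rows):
    """How often each public source address was used per destination port (or IP protocol).
    Other LAN hosts legitimately use the WAN address; only the server's services must be the alias."""
    tally = Counter()
    for r in rows:
        service = r["dport"] if r["dport"] else f"proto-{r['proto']}"
        tally[(service, r["src"])] += 1
    return tally


if __name__ == "__main__":
    rows = parse_capture(CAPTURE)
    print("SMTP frames not using the alias:", smtp_on_wrong_address(rows))
    for (service, src), n in sorted(sources_by_service(rows).items()):
        print(f"{service:>8}  {src:<15} {n} frame(s)")
```

On the constructed data frames 4 and 6 are the sessions that would land on a blocklist: same destination port, wrong source address. If the real capture shows the same split, the outbound firewall rule is not catching all of the server's traffic (Julio's first step), and the capture taken with IPS/ProtectLink disabled tells you whether one of those is rewriting the match.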
I have a question on how NAT pools, or sNAT works with ACE in one-arm mode.
As I understand it, when the client sends the request to the ACE, it changes the destination IP to an rserver and the source IP to the SNAT address. When the rserver responds, it sends traffic back through the ACE via the SNAT. How exactly does this work? I can't ping the SNAT address I configured, so how is the SNAT associated with the ACE in any way? How does traffic make its way back to the ACE when the SNAT doesn't seem to be advertised externally in any way? And one more quick question: should the SNAT be on the rserver subnet or the ACE subnet? Just trying to understand so we can make good design decisions.
Tbone,
When you use SNAT you generally use a nat-pool address that will bring the traffic back to the ACE interface that the traffic left on. In a typical one-armed mode the Nat-pool would be in the same subnet as the ACE interface and rservers.
If the servers are local to the ACE you usually point the servers' default gateway to the SVI or FW interface rather than the ACE. If SNAT is not used, the client IP enters the ACE destined to the VIP. The ACE will change the destination address to the rserver. Since the original client IP will be seen by the server, it will reply to the default gateway. If the ACE does not get the server reply it cannot change the SYN ACK back to the VIP address that the client originally sent the connection to. This would result in a connection failure. When you use SNAT with a NAT pool that is local to the server, it will not use its gateway but will reply directly back to the ACE, since it owns this IP.
If the servers are not local to the ACE you would want to configure the nat-pool IPs to be local to the interface vlan the traffic egresses to get to the rserver. This way your routing will bring the server reply back to the ACE.
Let me know if this helps with your understanding or if you have more questions.
Best regards
Jim -
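An added example, not part of Jim's reply: a routing-decision model of the one-arm case he describes. The rserver replies on-link when the source address it saw is inside its own subnet and otherwise hands the reply to its default gateway; the reply only passes back through the ACE if that next hop is an address the ACE owns (its interface or a NAT pool address). All addresses, the /24 server VLAN and the gateway placement are assumptions; the model has no routes on the gateway, so an off-subnet pool only comes out as working when the gateway itself is the ACE.

```python
import ipaddress as ipa

SERVER_NET = ipa.ip_network("10.1.1.0/24")   # rserver VLAN (assumed)
SERVER_GW = ipa.ip_address("10.1.1.1")       # SVI / firewall default gateway, not the ACE (assumed)
ACE_IF = ipa.ip_address("10.1.1.5")          # ACE one-arm interface on the same VLAN (assumed)
CLIENT = ipa.ip_address("198.51.100.7")      # outside client (assumed)


def server_next_hop(seen_src):
    """What the rserver does with its SYN/ACK: ARP for an on-link address, else use the gateway."""
    return seen_src if seen_src in SERVER_NET else SERVER_GW


def reply_reaches_ace(snat_pool=None, gateway_is_ace=False):
    """Simulate client -> VIP -> rserver and return (next hop of the reply, passes through ACE?).

    snat_pool: address the ACE rewrites the client source to, or None for no SNAT.
    gateway_is_ace: the rserver's default gateway is the ACE instead of the SVI.
    """
    ace_owned = {ACE_IF}
    if snat_pool:
        ace_owned.add(ipa.ip_address(snat_pool))   # ACE answers ARP for its pool addresses
    if gateway_is_ace:
        ace_owned.add(SERVER_GW)
    seen_src = ipa.ip_address(snat_pool) if snat_pool else CLIENT
    hop = server_next_hop(seen_src)
    return str(hop), hop in ace_owned


if __name__ == "__main__":
    print("no SNAT, gateway = SVI :", reply_reaches_ace())                   # reply bypasses the ACE
    print("SNAT local to the VLAN :", reply_reaches_ace("10.1.1.50"))        # on-link to the ACE
    print("SNAT off-subnet        :", reply_reaches_ace("10.9.9.50"))        # back to the SVI, lost
    print("no SNAT, gateway = ACE :", reply_reaches_ace(gateway_is_ace=True))
```

The two failing rows are the connection failure Jim describes: the SYN/ACK reaches the SVI carrying the rserver's real address and the client-side TCP state was never rewritten back to the VIP. The pool address not answering ping from your own host is consistent with this; it only needs to be reachable from the rservers' VLAN.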
Hairpin with NAT (PAT)
I have a L2L tunnel setup with a customer where we access a web based application. To get to the app, we PAT the traffic from our inside interface before sending it to them. I need to extend access to users who are sitting at another site on another L2L tunnel. How can I accomplish this?
= users on other l2l tunnel needing access to web host
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1
Make sure the web host they are accessing is part of the crypto ACL for the L2L tunnel on the local end.
access-list crypto extended permit ip host
and a mirror image on the far end.
access-list crypto extended permit ip host
and also nat 0 for the far end...
access-list nat0 extended permit ip host
nat (inside) 0 access-list nat0 -
Hi,
I need to convert an IOS router configuration to a RV042G V01. Is there a way to implement these IOS 12.2 based commands below?
ip nat pool InternetInterface 1.1.1.1 1.1.1.1 netmask 255.255.255.252
ip nat inside source list OutboundInternetTrafficToTranslate interface Ethernet0/1 overload
ip nat inside source route-map nonat pool InternetInterface overload
ip nat inside source static tcp 192.168.1.60 143 interface Ethernet0/1 143
ip nat inside source static tcp 192.168.1.60 8000 interface Ethernet0/1 8000
ip nat inside source static tcp 192.168.1.60 25 interface Ethernet0/1 25
ip nat inside source static tcp 192.168.1.25 5631 208.a.b.c 5631 extendable
ip nat inside source static tcp 192.168.1.25 5632 208.a.b.c 5632 extendable
ip nat inside source static udp 192.168.1.25 5631 208.a.b.c 5631 extendable
ip nat inside source static udp 192.168.1.25 5632 208.a.b.c 5632 extendable
Since I normally configure enterprise products with CLI, I'm ineffective with this GUI and not even sure what this unit can do (PAT?).
Any help is appreciated. Thanks.
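An added example, not from the post above or from Cisco: a Python parser that turns the IOS 12.2 `ip nat` lines into the table a GUI-driven box needs, one forwarding row per static (protocol, public port, public side, LAN address) plus the list of public addresses that have to exist on the unit as aliases before those rows can be entered, and the PAT (overload) rules with their egress address. `208.a.b.c` is elided in the post; 203.0.113.5 stands in for it here as an assumption, and the mapping of these rows onto the RV042G's own forwarding pages is left to the reader since the post does not describe them.

```python
import re

# The posted IOS lines, with 203.0.113.5 substituted for the elided 208.a.b.c.
IOS = """\
ip nat pool InternetInterface 1.1.1.1 1.1.1.1 netmask 255.255.255.252
ip nat inside source list OutboundInternetTrafficToTranslate interface Ethernet0/1 overload
ip nat inside source route-map nonat pool InternetInterface overload
ip nat inside source static tcp 192.168.1.60 143 interface Ethernet0/1 143
ip nat inside source static tcp 192.168.1.60 8000 interface Ethernet0/1 8000
ip nat inside source static tcp 192.168.1.60 25 interface Ethernet0/1 25
ip nat inside source static tcp 192.168.1.25 5631 203.0.113.5 5631 extendable
ip nat inside source static tcp 192.168.1.25 5632 203.0.113.5 5632 extendable
ip nat inside source static udp 192.168.1.25 5631 203.0.113.5 5631 extendable
ip nat inside source static udp 192.168.1.25 5632 203.0.113.5 5632 extendable
"""

POOL = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)$")
OVERLOAD = re.compile(r"^ip nat inside source (list|route-map) (\S+) (?:interface (\S+)|pool (\S+)) overload$")
STATIC = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)( extendable)?$")


def parse_ios(text):
    """Return (pools, pat_rules, forwards) from the 'ip nat' lines."""
    pools, pat, forwards = {}, [], []
    for line in text.splitlines():
        if m := POOL.match(line):
            pools[m[1]] = (m[2], m[3])                       # name -> (start, end)
        elif m := OVERLOAD.match(line):
            egress = m[3] or pools.get(m[4], (m[4],))[0]     # interface name or first pool address
            pat.append({"selector": f"{m[1]} {m[2]}", "egress": egress})
        elif m := STATIC.match(line):
            proto, lan_ip, lan_port, iface, gip, gport, ext = m.groups()
            forwards.append({"proto": proto, "lan_ip": lan_ip, "lan_port": int(lan_port),
                             "public": iface or gip, "public_port": int(gport),
                             "needs_alias": iface is None,   # a fixed public IP, not the WAN address
                             "extendable": ext is not None})  # several statics share one public IP
    return pools, pat, forwards


def gui_rows(forwards):
    """One row per forwarding entry: (service, public side, LAN address)."""
    return sorted({(f"{f['proto']}/{f['public_port']}", f["public"], f["lan_ip"]) for f in forwards})


def alias_addresses(forwards):
    """Public addresses that must be configured on the box before their rows can be entered."""
    return sorted({f["public"] for f in forwards if f["needs_alias"]})


if __name__ == "__main__":
    pools, pat, forwards = parse_ios(IOS)
    print("PAT rules      :", pat)
    print("extra public IP:", alias_addresses(forwards))
    for row in gui_rows(forwards):
        print("forward        :", row)
```

Two things the table makes visible before touching the GUI: the mail, IMAP and port-8000 rows use the WAN interface address and are plain port forwards, while the four pcAnywhere rows (5631/5632 over tcp and udp) need 203.0.113.5 to exist on the unit as a second public address, which is the feature to confirm the RV042G has before assuming the conversion is possible.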