NAT/Proxy
Hello,
I'm not sure if this is possible, but here is a diagram and
explanation of what I would like to achieve.
(Inside) --- Cisco Router --- (Outside) ----[Public Internet]---- Host A
   |
   |
   ------ Host B
1) Host A connects to Cisco Router on port 5555
2) Cisco Router translates/forwards the request to Host B on port 7777
- Cisco Router is acting like a proxy/border gateway for Host A
- Host B only sees Cisco Router connecting to it.
- Host A has no idea it's actually connecting to Host B
Any ideas would be appreciated.
--Matteo
Hi,
Yes, it's a NAT feature.
Your config would look something like this:
ip nat inside source static tcp (192.168.10.1) 777 (171.69.232.209) 555
Where 192.168.10.1 is Host B's address and 171.69.232.209 is the Router's outside address, used as gateway by Host A.
In addition to this, you would need to configure your NAT inside and outside interfaces. If both hosts are connected via the same interface then you could use a feature called NAT on a stick. The following link has info on configuring NAT on a stick.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
Hope that helps!
Regards,
Sundar
Similar Messages
How to manage VM servers in DMZ through NAT proxy?
Dear all,
We need to build some VM servers in DMZ network. And the OVM Manager is located in trust zone (behind DMZ). OVM manager can connect to the DMZ vm servers through NAT proxy. But, there are some errors after I have added the servers.
In fact, there is no management network for the OVM manager, so I see no workaround.
Have you any idea about this deployment?
Mikemtktang wrote:
> We need to build some VM servers in DMZ network. And the OVM Manager is located in trust zone (behind DMZ). OVM manager can connect to the DMZ vm servers through NAT proxy. But, there are some errors after I have added the servers.
We do not support Oracle VM Server via NAT, because the Servers get the IP address of the Manager to connect to (and not the NAT'd address). So the API python binding download and notifications will fail. It is very unlikely that this would work. -
Hello!
I have 2 NIC on my BM38SP5 box
Internal has 1 IP
External has 2 IP (primary and secondary)
I am using dynamic NAT.
Now dynamic NAT and proxy use one IP address together - primary.
I want to make dynamic NAT use one external IP (primary) and proxy use another
external IP - secondary (some billing reasons)
How can I do that thing?
WBR, Viktor
Thanks, Craig
"Craig Johnson" <[email protected]> wrote in news the following:
news:[email protected]..
> In article <BQlii.2059$[email protected]>, Tanin Viktor
> wrote:
>> I want to make dynamic NAT use one external IP (primary) and proxy use
>> another
>> external IP - secondary (some billing reasons)
>>
>> How can I do that thing?
>>
> You cannot make dynamic NAT use one, and proxy use a different address,
> for
> outbound browsing. Basically, the proxy will send on the primary public
> IP
> address.
>
> You CAN use static NAT to map one internal host to the secondary public
> address. OR, you can set up a generic or reverse proxy to listen on the
> secondary public address for inbound connections.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***
>
> -
User Initiated Remote Control - Behind NAT
I must be missing something. I am trying to allow a laptop to request a
remote control session when it is disconnected from the network. When I
right-click on the remote management agent the option to request a
session is greyed out. Our user and workstation policy allow for the
user requested session and the ability to accept connections across
NAT/Proxy. Assigning a password to the remote management agent also does
not help. Any ideas?
I keep seeing that if a machine is behind a NAT'd firewall, like home for
instance, the user should be able to click on the Remote Management icon
and select Request Session. If the machine is on the local network, all RC
functions are fine. As soon as it's disconnected and behind a home
firewall or not even that, connected via dial-up to the net these options
go away. I have logged into the middle-tier via these methods and that
produces no change in my remote control options.
The error logs indicate that the workstation is not authenticated, which is
obvious, and that neither policy will be active.
Hope that helps...
> On Tue, 25 Jan 2005 21:05:57 GMT, [email protected] wrote:
>
> > I am trying to allow a laptop to request a
> > remote control session when it is disconnected from the network.
>
> so how do you remote control?
>
> note: you need middletier installed to allow access from the outside of
> your network... and IIRC running client32 will not really help in your
> case...
> --
>
> Marcus Breiden
>
> Please change -- to - to mail me.
> The content of this mail is my private and personal opinion.
> http://www.edu-magic.net -
JMF or flash media server? Why JMF
Hi all,
I have been studying JMF for 2 months in order to make a live video and audio broadcast. But recently I found out about Flash Media Server.
It seems that it is very good for those kinds of web applications.
I am so confused about which one I should use. I have no idea about FMS.
There are some things I want to learn.
When we develop a JMF application, how do all clients of this web site use JMF? For development purposes I set up JMF.
Do all the clients have to install JMF in order to use my site or others which were done using JMF?
After all, probably everyone has Flash installed, so there is no problem if a site is developed with Flash.
Can you enlighten me please?
And I have no idea about NAT, PROXY for developing an RTP live video web application.
regerybets wrote:
> When we develop a JMF application, how do all clients of this web site use JMF?
The first thing you need to understand is that JMF is effectively an abandoned API. It works fine for some older formats of media, but does not support the later (more compressive) formats.
I am guessing by 'in web site' you mean you want the media embedded in a web page (and by the way - yuck!). That means using applets.
1) Embedded applets cannot use natives unless the end user has either
a) Also installed JMF, which is usually impractical for the purposes of just 'showing some media in a web page', or
b) The applet is using a plugin-2 JRE and hooks into the JNLP API to install the natives.
2) If the cross-platform version of JMF is used, you just need to add the JMF Jars to the archive attribute of the applet element. The x-plat version of JMF supports (even) less formats than the one using natives, but at least it should also work on the Mac.
> For development purposes I set up JMF.
> Do all the clients have to install JMF in order to use my site or others which were done using JMF?
Yes. In one form or another, as detailed above.
> After all, probably everyone has Flash installed, so there is no problem if a site is developed with Flash.
That is a rash assumption for either Flash or Java. I did not have Flash installed for a long time since I could not spare the bandwidth to be watching media in web pages. I only installed it recently when a friend convinced me to upload some of [my time-lapse animations|http://www.youtube.com/user/DrewTubeish] (3) to YouTube.
There are other reasons people either do not have, cannot install, or refuse to install, either plug-in. The best you can do for them is to give them accurate and easy to understand information on why the page failed. Both Flash and Java have ways to do that - usually with the help of JavaScript.
3) Shameless plug. ;) -
Full NAT dns proxy is not working in Windows 7
Back in XP, I can activate the Windows full blown NAT service via RemoteAccess and IpNat (I turned off SharedAccess as it's not compatible with RemoteAccess) and use netsh to configure it. I activated the dns proxy via 'netsh routing ip dnsproxy' context.
It has worked very well all these years.
Now using Windows 7, I can't make it work anymore. I have copied over both ipmontr.dll & ippromon.dll from Windows 2K8 R2, and installed those helpers into my Windows 7 netsh. I can access the 'netsh routing ip dnsproxy' context. But enabling the DNS proxy
doesn't do anything. DNS requests (UDP port 53) coming from the clients in the private LAN served by this PC just sink in, with no response. I don't see any DNS request attempt on the public network interface of this PC.
From 'netstat -na', I don't see UDP port 53 being open on the private network interface. In XP, I can see it open and close as I enable or disable the DNS proxy in the 'netsh routing ip dnsproxy' context. I enabled the firewall log to see if the firewall blocks
it, but I see absolutely nothing related to the DNS requests.
Is there a missing step to enable a full blown NAT service in Windows 7 that I missed? Pls help.
Thx
Thank you all for replies, but ICS is NOT an option. It can only handle 1 private network and is limited to 192.168.0.0/24. In our test framework we need 2 private networks and use 172.20.0.0/14. Using Windows Server is way too expensive; we have so many test
benches, each having its own private network as above, for test isolation. We only need NAT functionality, not the whole Windows Server functionality.
I also found out that, although netsh manages to configure the NAT, no NATing actually takes place. Not only the DNS proxy, but the whole NAT is just not happening.
IMHO, removing it from Win7 is a mistake; not everyone needs the whole server functionality. We have decided to use Linux instead. So we cancel the plan to upgrade to Win7 and go Linux. Microsoft could have got some license fee from the Win7 we planned to purchase,
but this is a deal killer for us as NAT is the core our test framework is based on. Not ideal for us as we have many Win native based tools, but since we are already moving to Python, I guess moving to Linux is the answer for us.
Had Win7 still had the full NAT capability as in WinXP, I would prefer to stay on Windows, but we have to move on as WinXP is no longer supported.
I consider this thread closed. Thank you all. -
Unable to use HTTPS proxy when redirecting HTTP/HTTPS via NAT
I'm trying to get the WSA to work when redirecting HTTP and HTTPS traffic along the lines of the following:
object network WSA-HOST
host 10.0.210.2
object network obj-10.0.1.0
subnet 10.0.1.0 255.255.255.0
object service ORIG-HTTP-PORT
service tcp destination eq www
object service WSA-HTTP-DEST-PORT
service tcp destination eq 8080
object service ORIG-HTTPS-PORT
service tcp destination eq https
object service WSA-HTTPS-DEST-PORT
service tcp destination eq https << also tried 8080 etc.
nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-HOST service ORIG-HTTP-PORT WSA-HTTP-DEST-PORT
nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-PROXY-HOST service ORIG-HTTPS-PORT WSA-HTTPS-DEST-PORT
This works just fine for HTTP, but with HTTPS I get the following response from the Ironport WSA:
Based on your corporate access policies, access to this web site ( https://www.rbsdigital.com/ ) has been blocked.
Notification codes: (1, POLICY, UNKNOWN, 0x00000082, 1329750248.609, QAAAAAAAAAAAAAAAyf8AAP8AAAD/AAAAAAAAAAAAAAE=,
https://www.rbsdigital.com/)
The access log gives me the following:
1329750248.602 404 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
1329750248.609 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
If anyone has any idea why the WSA simply denies the connection instead of proxying it then I'd be grateful.
The WSA and the decryption policies work fine in explicit mode.
Thanks in advance!
The policy doesn't require authentication. Now here are two tests I did, seconds apart, from the same client on 10.0.4.140:
First one is where I use NAT as shown above:
1329757052.027 118 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
1329757052.311 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
Second test case is when I reconfigured the browser to explicitly use the WSA as a proxy on port 8080:
1329757138.274 344 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
1329757138.566 200 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
Non-categorised stuff should be passed through:
Global Policy
Identity: All
Pass Through: 1
Monitor: 65
Disabled
Pass Through
Any thoughts ? -
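The access-log lines from the two tests can be parsed and triaged mechanically. The following Python is an added example, not part of the thread or of Cisco's tooling: it uses the posted lines as sample input and assumes only the Squid-style positional layout they show (timestamp, elapsed ms, client IP, result/status, bytes, method, URL, user, hierarchy, MIME type, ACL decision tag); nothing beyond the leading action of the decision tag is interpreted. The WSA address 10.0.210.2 is the WSA-HOST object from the posted config.

```python
"""Parse Cisco WSA access-log lines of the shape posted in the thread and
triage them: which requests arrived with the proxy's own IP as destination
(the NAT rewrote it), which were blocked, and which were decrypted normally."""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Sample input copied from the two tests in the thread: lines 1-2 are the
# NAT-redirect attempt, lines 3-4 the explicit-proxy (port 8080) control.
SAMPLE_LOG = """\
1329757052.027 118 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
1329757052.311 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
1329757138.274 344 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
1329757138.566 200 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
"""

PROXY_IP = "10.0.210.2"  # the WSA-HOST object from the posted ASA config


@dataclass
class AccessRecord:
    timestamp: float
    client_ip: str
    result_code: str   # e.g. TCP_DENIED_SSL
    http_status: int   # e.g. 403
    method: str        # TCP_CONNECT, CONNECT, GET, ...
    url: str
    decision_tag: str  # e.g. BLOCK_ADMIN-HTTPS-NonLocalDestination-...

    @property
    def action(self) -> str:
        """Leading element of the ACL decision tag (BLOCK_ADMIN, DECRYPT_WBRS_7, OTHER)."""
        return self.decision_tag.split("-", 1)[0]

    @property
    def dest_host(self) -> str:
        """Host part of the URL; a bare 'host:port' entry has no scheme, so prefix '//'."""
        target = self.url if "://" in self.url else "//" + self.url
        return urlsplit(target).hostname or ""


def parse_line(line: str) -> AccessRecord:
    """Split one access-log line on whitespace into its positional fields."""
    f = line.split(None, 11)
    if len(f) < 11:
        raise ValueError(f"short access-log line: {line!r}")
    code, status = f[3].split("/", 1)
    return AccessRecord(float(f[0]), f[2], code, int(status), f[5], f[6], f[10])


def parse_log(text: str) -> List[AccessRecord]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def triage(records: List[AccessRecord], proxy_ip: str = PROXY_IP) -> Dict[str, int]:
    """Count the three situations the two tests contrast."""
    counts = {"dest_is_proxy": 0, "blocked": 0, "decrypted": 0}
    for r in records:
        # The client reached the WSA with the WSA's own address as destination:
        # the NAT rewrote it, so the server the user asked for is no longer in
        # the request and the proxy cannot treat it as a normal outbound CONNECT.
        if r.dest_host == proxy_ip:
            counts["dest_is_proxy"] += 1
        if r.action.startswith("BLOCK"):
            counts["blocked"] += 1
        if r.action.startswith("DECRYPT"):
            counts["decrypted"] += 1
    return counts


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(f"{rec.client_ip} {rec.method:<12} {rec.dest_host:<22} {rec.action}")
    print(triage(parse_log(SAMPLE_LOG)))
```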
Airport Extreme best practice configuration for Sleep Proxy, DHCP/NAT and PPPOE
Hi
I have recently bought an Airport Extreme and it is working well. One of the reasons I bought it is to take advantage of the Bonjour Sleep Proxy on it so I can wake my Mac up remotely from my iPad using the Remote app to stream things like iTunes etc... I followed the set up instructions and basically let it configure itself. I have an ISP router / modem which currently is providing DHCP services, NAT and PPPOE.
The Airport detected all of this and set itself up as bridge only. The speed of the network out to the internet is fine (more or less what it was before). However, in doing a bit of research, I have found out that if I want the Airport to act as a sleep proxy, I need it to "host" the network. I am not an expert in networking but from what I understand I need the Airport to be moved from "Bridge Only" to at least be providing DHCP to my internal network clients.
This has prompted me to ask what is "Best practice" when it comes to configuring the Airport given I want to have Sleep Proxy enabled. I think the two options I have are as follows but would really welcome feedback on which is the best option to go for or if there are other options I should be thinking of
(1) Have the Airport perform DHCP for my internal clients and leave the ISP router/modem doing NAT
(2) Have the Airport perform DHCP and NAT. I think to do this I need to turn the ISP router / modem into Bridge mode only. (I've looked and I seem to have this option on the device. It's an Irish ISP branded device but I think it is a Zyxel)
I have no reason to believe the ISP router / modem is doing a bad job but given I understand the Airport Extreme is a reasonably high-end device (I think?) I am wondering if option 2 is the way to go.
In addition, during my research, I have also discovered that many people seem to have their Airport Extreme also handle PPPOE. This is currently being done by my ISP router/modem. I am inclined to leave it this way (following the mantra if it isn't broken, don't fix it) but if there was a good reason to have the Airport do this, perhaps I should make the switch? Having said this, I have seen on this forum and others some posts about problems with Internet connection drops when the Airport is handling PPPOE.
So, a bit of a long post, but if anyone has any information or perspective on this, I'd very much appreciate it.
Thanks
Dave
I forgot to thank you, John Galt. Yep, it solved my problem by restoring the original firmware to 7.6.1. My unit is Airport Extreme 2012. I am still using double NAT because I cannot figure out how to set DHCP only in the Network tab.
My goal is to use the Airport Extreme to connect to the internet and to share the internet with all my devices in the house, just like my previous access points. Before, I used AP+router Linksy$ WRT54G and D-l!nk DIR-655 without activating the NAT to share my internet connection and they worked.
My problem is that when I set it to DHCP in the Internet tab and DHCP in the Network tab in Airport Utility in order to solve the double NAT situation, only one of all my devices (wired or wireless) can connect to the internet. Each time I connect the other device(s) to the internet my subscriber will verify my subscription (web browser based verification) in which I have to manually enter my account number, etc to validate my subscription.
So I stick to double NAT so that I can share the internet
Our broadband provider uses DHCP to link us to the internet. If I change the settings to Static in the Internet tab, my broadband provider will not let me connect to the internet. In the Airport Utility, if I set it to static in the Internet tab in order to solve the double NAT, a message box appears informing me that I have an invalid beginning IP address in the DHCP range in the Network tab, when it appears that only the last 3 digits of the DHCP range are editable.
Is there any way of configuring the Airport Utility's Internet TAB to DHCP and Network TAB to DHCP to connect to the internet with all my devices without the double NAT and without the aid of another device such as AP or router or switch connected to the Airport or vice versa? -
NAT slooows over time (2 days) for http users. Proxy users OK.
We recently applied NW6 sp4 to a stable BM 3.7 server. Now internal
dynamic NATed http users experience a progressive slow down over about 2
days at which time browsing is functional but not usable. Proxy users
still get screamingly fast performance.
> How much traffic is going out via dynamic NAT?
>
> Have you tried using non-stateful http filter exceptions?
>
> BM37FP4A?
>
> Backrev NAT?
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***
>
Problem appears to be resolved. I applied BM37FP4A and after 3 days NATed
HTTP connections are normal. Proxy performance is still very fast. I had
previously reapplied bm37sp3 which did not solve the problem.
FYI: About 1/2 of our 800 or so connections use dynamic NAT. We plan on
switching all users to proxy this week. Thanks Craig. -
IOS static destination Port NAT for Proxy-Service
HTTP Internet traffic (tcp 80) from clients connected to interface1 (10.0.0.0/8) should be transferred/scanned via the proxy server (192.168.0.1) on interface2, which listens on port tcp 8080.
HTTP traffic from the clients is routed via PBR to the proxy.
But I don't know how to NAT the destination port from the clients (tcp 80) to the service port used by the proxy (8080) WITHOUT NATting the original source and destination address.
object network nec1100_cpu
host 192.168.0.201
nat (inside,outside) static my-public-IP service udp 5060, 5080 5081
Or you can also do this in the same way.
object network nec1100_cpu
host 192.168.0.201
nat (inside,outside) static my-public-IP
Control udp port via the ACL on the outside interface.
Hope this helps.
thanks
Rizwan Rafeek -
Cisco 2921 destination NAT for transparent proxy
Hi All,
I can successfully destination-nat all outbound port 80 and 443 connections to a remote proxy server without issue, provided I use a PBR first to push any of these connections off to a Linux box.
In iptables its easy:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <proxy ip>:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <proxy ip>:443
iptables -t nat -A POSTROUTING -o eth0 -d <proxy ip> -j SNAT --to <linux box IP>
I am however, trying to work out a way to do this without the need of a Linux box, except it seems at this stage that the Cisco 2900 series (IOS 15.0(1r)M16) is incapable of doing this. I just wanted to confirm from some of the experts in here if this is actually the case.
So to reiterate - I'm trying to intercept any outbound packets with destination port tcp 80 or 443 and change the destination IP to point to the remote proxy server.
The source address also needs to be changed to that of the outside interface of the router it is exiting (obviously).
Any ideas guys? I'm stuck.
Cheers,
Jordan.
Sounds like you need a route-map to change the next IP hop?
This would be the best way to do it which will also verify the remote proxy server is available as well.
ip sla monitor 1
type echo protocol ipIcmpEcho <ip address of your proxy server>
timeout 3000
frequency 3
ip sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability
interface FastEthernet0/1
ip address <x.x.x.x x.x.x.x>
ip policy route-map REDIRECT-TO-PROXY
ip access-list extended webtraffic
! Deny traffic from your proxy server from redirecting
deny tcp host <ip address of your proxy server> any eq www
deny tcp host <ip address of your proxy server> any eq https
permit tcp <your ip network> <subnet mask> any eq www
permit tcp <your ip network> <subnet mask> any eq https
route-map REDIRECT-TO-PROXY permit 10
match ip address webtraffic
set ip next-hop verify-availability <ip address of your proxy server> 1 track 123
If you don't already have a NAT rule setup to translate this traffic to the outside here is an example of that:
Here is how my router is configured.
interface FastEthernet0/0
ip address dhcp hostname home-rtr-1
ip nat outside
interface FastEthernet0/1
ip address 10.235.x.x 255.255.255.252
ip nat inside
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit <your ip network> <your ip subnet>
HTH -
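To make the translation state behind the three iptables rules in Jordan's post concrete, here is an added Python model (not part of the thread, and not how any router implements it) of the PREROUTING DNAT, the POSTROUTING SNAT, and the connection tracking that lets the proxy's replies be mapped back to the client. Addresses and ports are constructed documentation-range values. A consequence worth seeing in the model: after the SNAT step the proxy only ever sees the router's address, so per-client identification and logging on the proxy are lost.

```python
"""Stateful model of the transparent-proxy redirect:
   DNAT tcp/80,443 -> proxy, SNAT -> router, and reverse mapping of replies."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Key for the reply direction, as the proxy's answer will carry it:
# (proxy_ip, proxy_port, router_ip, translated_sport)
ReplyKey = Tuple[str, int, str, int]


class TransparentRedirect:
    """DNAT every TCP :80/:443 packet to the proxy and SNAT it to the router,
    remembering each mapping so replies can be rewritten back (the conntrack
    work that iptables does implicitly for the DNAT/SNAT rules)."""

    def __init__(self, proxy_ip: str, router_ip: str, ports=(80, 443)) -> None:
        self.proxy_ip = proxy_ip
        self.router_ip = router_ip
        self.ports = set(ports)
        self.table: Dict[ReplyKey, Packet] = {}
        self._next_port = 1024  # used when a client's source port is already taken

    def _pick_sport(self, wanted: int, dport: int) -> int:
        """Keep the client's source port when it is free toward proxy:dport,
        otherwise allocate one, since two LAN clients may share a source port."""
        in_use = {k[3] for k in self.table if k[1] == dport}
        port = wanted
        while port in in_use:
            port = self._next_port
            self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Client packet entering the router: PREROUTING DNAT, then POSTROUTING SNAT."""
        if pkt.proto != "tcp" or pkt.dport not in self.ports:
            return pkt  # not matched by the redirect rules: forwarded untouched
        sport = self._pick_sport(pkt.sport, pkt.dport)
        translated = Packet(self.router_ip, sport, self.proxy_ip, pkt.dport, pkt.proto)
        self.table[(self.proxy_ip, pkt.dport, self.router_ip, sport)] = pkt
        return translated

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Proxy reply entering the router: undo both translations from saved state."""
        orig = self.table.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None  # no matching connection: a stateful NAT has nothing to map it to
        # From the client's point of view the answer comes from the server it asked for.
        return Packet(orig.dst, orig.dport, orig.src, orig.sport, orig.proto)


def demo() -> Tuple[Packet, Optional[Packet]]:
    """Constructed walk-through: one client request and the proxy's reply."""
    nat = TransparentRedirect(proxy_ip="203.0.113.10", router_ip="198.51.100.1")
    out = nat.outbound(Packet("10.0.0.5", 40000, "93.184.216.34", 80))
    back = nat.inbound(Packet(out.dst, out.dport, out.src, out.sport))
    return out, back


if __name__ == "__main__":
    sent, returned = demo()
    print("proxy sees:     ", sent)      # src is the router, dst is the proxy
    print("client receives:", returned)  # src is the original web server again
```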
How get the external ip address of proxy (or nat) server with AppServer
Subject contains the basic question.
I need to get the IP address (not in the local net, but external) of the client!
Preferably with AppServer only, because with Java it is less accurate.
Or was I wrong?
help me please!
Edited by: user13325288 on 29.06.2010 16:06
Edited by: user13325288 on 29.06.2010 16:07
Thank you, MLBrown. I have configured webutil and it works. But I read that the function webutil_clientinfo.Get_IP_Address returns the address on the LAN, the address of the network card in my local network. But what if I need to get the IP address when I connect through multiple networks or via the Internet??
I need AppServer to work with the external IP address of the server through which I connect to the AppServer.
Edited by: Ihavoker on 30.06.2010 9:55 -
IpSec VPN and NAT don't work together on HP MSR 20 20
Hi People,
I'm getting several issues, let me explain:
I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and I can reach the network thru the VPN IPsec. The issue is that the network 192.168.100.0 /24 needs to reach the internet with the same public address, so I have set a basic NAT configuration. When I put the NAT configuration on Eth 0/0 all of network 192.168.100.0 can go to the internet, but the VPN goes down; when I remove the NAT from Eth 0/0 the VPN goes up, but the network 192.168.100.0 can't go to the internet.
I'm missing something but I don't know what it is!!!! See below the configuration.
Can anyone help me with that? I need to send the traffic with target 10.10.10.0 thru the VPN, and all other traffic to the internet. Basically I need NAT and VPN to work fine at the same time.
Note: I just have only One public Ip address.
version 5.20, Release 2207P41, Standard
sysname HP
nat address-group 1 186.177.159.93 186.177.159.93
domain default enable system
dns proxy enable
telnet server enable
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
acl number 2001
rule 0 permit source 192.168.100.0 0.0.0.255
rule 5 deny
acl number 3000
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
vlan 1
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
ike peer vpn-test
proposal 1
pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
remote-address <Public Ip from VPN Peer>
local-address 186.177.159.93
nat traversal
ipsec proposal vpn-test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy vpntest 30 isakmp
connection-name vpntest.30
security acl 3000
pfs dh-group2
ike-peer vpn-test
proposal vpn-test
dhcp server ip-pool vlan1 extended
network mask 255.255.255.0
user-group system
group-attribute allow-guest
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
service-type web
cwmp
undo cwmp enable
interface Aux0
async mode flow
link-protocol ppp
interface Cellular0/0
async mode protocol
link-protocol ppp
interface Ethernet0/0
port link-mode route
nat outbound 2001 address-group 1
nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
ip address dhcp-alloc
ipsec policy vpntest
interface Ethernet0/1
port link-mode route
ip address 192.168.100.1 255.255.255.0
interface NULL0
interface Vlan-interface1
undo dhcp select server global-pool
dhcp server apply ip-pool vlan1
ewaller wrote:
What is under the switches tab?
Oh -- By the way, that picture is over the size limit defined in the forum rules in terms of pixels, but the file size is okay. I'll let it slide. Watch the bumping as well.
If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original) back here, and you are golden.
I had a bear of a time getting the microphone working on my HP DV4, but it does work. I'll look at the set up when I get home tonight [USA-PDT].
Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
So here is what it is under the switches tab -
Can't ping inside hosts from client VPN. Think it's a NAT issue
Hello all, I am running into what I think is a NAT/nat exclusion issue with an IOS IPSEC VPN. I can connect to the VPN with the cisco IPSEC VPN client, and I am able to authenticate. Once I authenticate, I am not able to reach any of the inside hosts. My relevant config is below. Any help would be greatly appreciated.
aaa new-model
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor local
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group businessVPN
key xxxxxx
dns 192.168.10.2
domain business.local
pool vpnpool
acl 108
crypto isakmp profile VPNclient
match identity group businessVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile VPNclient
reverse-route
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.1.10.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
interface Null0
no ip unreachables
interface FastEthernet0/0
ip address 111.111.111.138 255.255.255.252
ip access-group outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect outbound out
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
interface Integrated-Service-Engine0/0
description cue is initialized with default IMAP group
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface BVI1
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
ip nat inside source route-map nat interface FastEthernet0/0 overload
ip access-list extended nat
deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended nonat
permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
ip access-list extended outside_in
permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
permit tcp any any eq 443
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
permit esp any host 111.111.111.138
permit udp any host 111.111.111.138 eq isakmp
permit udp any host 111.111.111.138 eq non500-isakmp
permit ahp any host 111.111.111.138
permit gre any host 111.111.111.138
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
route-map nat permit 10
match ip address nat
bridge 1 route ip
I believe the acl applied to the client group is backwards. It should permit traffic from the internal network to the clients pool.
To confirm you can open the Cisco VPN client statistics(after connecting) then go to the route details tab. You should see there the networks that you should be able to reach from the client. Make sure the correct ones are in there.
Regards, -
ASA 5505 9.1(2) NAT/return traffic problems
As part of an office move we upgraded our ASA to 9.1(2) and have been having what seem to be NAT problems with some services ever since. These problems manifest themselves with return traffic. For example, network time sync (NTP, port 123) works fine from the ASA, but hosts on the inside network cannot access external NTP servers (ntpq -pe shows all servers stuck in .INIT. status), creating problems with drifting clocks. Services like XBox Live also do not work; the XBox device can contact the internet, but return traffic from the service never gets back to the device.
For NTP specifically, I've tried allowing NTP 123 through the firewall, but it doesn't help. Conceptually, this should not be required since an inside host is initiating the connection and the NAT rules "should" allow the return packets. To further muddy the waters around NTP, a Linux VM CAN get NTP if its network adapter is in NAT mode (so it's NAT'ing through the host workstation, then through the Cisco) but CAN NOT get NTP if the adapter is running in bridged mode (so the VM is talking directly to the ASA as if it were just another machine on the inside network).
I've stripped down the ASA config to the basics level, but still can't get this resolved. The main symptom of the problem is that if I disable the access-list rules around ICMP, I'll see lots of ICMP warnings in the ASA logs, which seems to indicate that there are traffic problems communicating with the inside hosts. I've narrowed the problem down to the ASA since replacing the device with a simple Netgear consumer-grade "firewall" lets all this traffic flow just fine.
Network is extremely basic:
DHCP ASSIGNED IP from ISP <----------> ASA <-----------------> inside (192.168.50.X)
                                        ^
                                        |----------------------- guest vlan (10.0.1.X)
show running-config:
Result of the command: "show running-config"
: Saved
ASA Version 9.1(2)
hostname border
domain-name mydomain.com
enable password aaa encrypted
passwd bbb encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Guest-VLAN
security-level 10
ip address 10.0.1.1 255.255.255.0
boot system disk0:/asa912-k8.bin
boot system disk0:/asa911-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.104.2.36
domain-name domain
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 255.255.255.0
object network Guest-WLAN
subnet 0.0.0.0 255.255.255.0
description Interent access for guest Wireless
object network xbox-nat-tcp3074
host 192.168.50.54
object network xbox-nat-udp3074
host 192.168.50.54
object network xbox-nat-udp88
host 192.168.50.54
object service xbox-live-88
service udp destination eq 88
object network xbox
host 192.168.50.54
object network obj-inside
subnet 192.168.50.0 255.255.255.0
object network obj-xbox
host 192.168.50.54
object network plex-server
host 192.168.50.5
object network ubuntu-server
host 192.168.50.5
description Ubuntu Linux Server
object network ntp
host 192.168.50.5
object network plex
host 192.168.50.5
object network INTERNET
subnet 0.0.0.0 0.0.0.0
object-group service xbox-live-3074 tcp-udp
port-object eq 3074
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service plex-server-32400 tcp
description Plex Media Server
port-object eq 32400
access-list outside_access_in extended permit object-group TCPUDP any object xbox object-group xbox-live-3074 log alerts
access-list outside_access_in extended permit object xbox-live-88 any object xbox log alerts
access-list outside_access_in extended permit tcp any any eq echo
access-list outside_access_in remark Plex Live access
access-list outside_access_in extended permit tcp any object plex-server object-group plex-server-32400
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network xbox-nat-tcp3074
nat (inside,outside) static interface service tcp 3074 3074
object network xbox-nat-udp3074
nat (inside,outside) static interface service udp 3074 3074
object network xbox-nat-udp88
nat (inside,outside) static interface service udp 88 88
object network plex
nat (inside,outside) static interface service tcp 32400 32400
object network INTERNET
nat (inside,outside) dynamic interface
nat (Guest-VLAN,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=border
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxxx
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate xxxx
quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 60
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.50.5-192.168.50.132 inside
dhcpd address 10.0.1.50-10.0.1.100 Guest-VLAN
dhcpd dns 208.104.244.45 208.104.2.36 interface Guest-VLAN
dhcpd lease 86400 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.50.0 255.255.255.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 152.19.240.5 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
username xxx password xxx/ encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr [email protected]
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxx
: end
Hi,
Configuration seems fine.
With regards to the ICMP, you could also add this
class inspection_default
inspect icmp error
I would probably start by trying out some other software level on the ASA
Maybe some 8.4(x) software or 9.0(x) software. See if it is some bug perhaps.
One option is of course to capture traffic directly on the ASA or on the hosts behind the ASA. And go through the information with Wireshark.
- Jouni
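The question above rests on one point: a reply to an inside-initiated flow is accepted because of the xlate/connection the outbound packet created, not because of a line in outside_access_in. The following added example (not the poster's configuration or Cisco code; the constructed flows and the 10000+ mapped-port counter are assumptions) models that with two of the posted auto-NAT rules, so you can see which rule an NTP or Xbox flow hits and which inbound packets would be matched as return traffic.

```python
"""Offline model of the posted ASA 9.1 auto-NAT rules and return-traffic check.
Added example, not the poster's or Cisco's code; flows are constructed."""
import ipaddress
ASA_NAT_CONFIG = """
object network xbox-nat-udp3074
 host 192.168.50.54
 nat (inside,outside) static interface service udp 3074 3074
object network INTERNET
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
"""

def parse_auto_nat(text):
    # Returns ({object: network}, [(object, 'static'|'dynamic', service)])
    objects, rules, name = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        p = line.split()
        if line.startswith("object network "):
            name = p[2]
        elif line.startswith("host "):
            objects[name] = ipaddress.ip_network(p[1] + "/32")
        elif line.startswith("subnet "):
            objects[name] = ipaddress.ip_network(p[1] + "/" + p[2])
        elif line.startswith("nat ("):
            i = p.index("service") if "service" in p else None
            svc = (p[i + 1], int(p[i + 2]), int(p[i + 3])) if i else None
            rules.append((name, p[2], svc))       # service = (proto, real, mapped)
    return objects, rules

def translate(objects, rules, proto, src_ip, src_port):
    """Auto-NAT rule for an inside->outside flow: static rules are tried first."""
    src = ipaddress.ip_address(src_ip)
    for name, kind, svc in sorted(rules, key=lambda r: r[1] != "static"):
        if src in objects[name] and svc is None:
            return name, None                     # dynamic PAT, any source port
        if src in objects[name] and svc and svc[:2] == (proto, src_port):
            return name, svc[2]                   # static PAT, fixed mapped port
    return None

def outbound(objects, rules, conns, proto, src_ip, src_port, dst_ip, dst_port):
    """Translate the first packet and record the connection the ASA builds."""
    hit = translate(objects, rules, proto, src_ip, src_port)
    if hit is None:
        return None
    mapped = hit[1] if hit[1] is not None else 10000 + len(conns)  # constructed PAT port
    conns.add((proto, dst_ip, dst_port, mapped))
    return hit[0], mapped

def reply_accepted(conns, proto, remote_ip, remote_port, mapped_port):
    """Inbound on outside: forwarded without an ACL match only for an existing conn."""
    return (proto, remote_ip, remote_port, mapped_port) in conns
```

A reply that does not match the recorded connection is exactly the case where the ASA falls back to outside_access_in, which is why adding a UDP 123 permit there is not the same as fixing the translation state.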