NAT question
Our mail server currently has an entry for NAT (197.187.4.240) bound to
the public interface and 197.187.5.50 (Exchange) to the private. There
are filter sets that pass traffic on port 25 from public to Exchange.
We have a new spam filter appliance (197.187.5.72) that needs to sit
between Exchange and the internet. I have added a NAT entry for this
197.187.4.72 (Public) to 197.187.5.72 (PRIVATE).
Do I need to simply adjust my filters to specify the new appliance which
will be a mail relay or do I need to adjust the NAT table and bind
197.187.4.240 to 197.187.5.72 (new mail host)?
In article <SjLVh.463$[email protected]>, Justin wrote:
> Do I need to simply adjust my filters to specify the new appliance which
> will be a mail relay or do I need to adjust the NAT table and bind
> 197.187.4.240 to 197.187.5.72 (new mail host)?
>
Could be both. You need to change the MX record to point to the new
address, or you need to NAT the old address to the appliance, and not NAT
the mail server. If you change the NAT to point to a new internal address,
you will have to change the filter exceptions also. If you put the
appliance in at the old address for the mail server, you won't have to
change anything on the BMgr server, but you will have to readdress the mail
server. Your choice.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
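The cutover Craig describes can be checked mechanically before and after the change. The following is an added example, not code from the thread, from Novell or from BorderManager: it models the NAT entries and the port-25 filter exceptions with the addresses given above and reports, by role, which host the public side can reach on TCP/25 under each option. Only the appliance should be listed once the relay is in place. The name EXCHANGE_READDRESSED and the address 197.187.5.51 are assumptions, since the thread does not say where Exchange would be readdressed to; option 1 is modelled with the second NAT entry Justin already added.

```python
"""Which private hosts does a NAT table plus filter set expose on a port?

Added example, not code from the original thread or from Novell: a small
model of the BorderManager-style setup discussed above, using the thread's
addresses. A NAT entry binds a public address to a private one; a filter
exception passes traffic arriving on the public interface to a private
host on a port. The check lists, by role, every host the public side can
reach on TCP/25, so each cutover option can be verified.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set

PUBLIC_MAIL = "197.187.4.240"          # public address bound to the mail NAT entry
PUBLIC_APPLIANCE = "197.187.4.72"      # public address Justin added for the appliance
EXCHANGE = "197.187.5.50"
APPLIANCE = "197.187.5.72"
EXCHANGE_READDRESSED = "197.187.5.51"  # assumed: the thread does not say where Exchange moves


@dataclass(frozen=True)
class NatEntry:
    public: str
    private: str


@dataclass(frozen=True)
class FilterRule:
    src_iface: str   # interface the traffic arrives on: "public" or "private"
    dst_host: str    # private host the exception passes traffic to
    dst_port: int
    proto: str = "tcp"


def exposed_roles(nat: Iterable[NatEntry], filters: Iterable[FilterRule],
                  roles: Dict[str, str], port: int, proto: str = "tcp") -> Set[str]:
    """Roles of the private hosts reachable on `port` from the public interface.

    A host is reachable when a NAT entry maps a public address onto it and a
    filter exception passes the port to it from the public side. `roles` maps
    each private address to the box currently living there, because after a
    readdressing the same IP belongs to a different machine.
    """
    natted = {e.private for e in nat}
    return {
        roles[f.dst_host]
        for f in filters
        if f.src_iface == "public" and f.proto == proto
        and f.dst_port == port and f.dst_host in natted
    }


def before_change():
    """State from the question: port 25 is passed straight to Exchange."""
    nat = [NatEntry(PUBLIC_MAIL, EXCHANGE)]
    filters = [FilterRule("public", EXCHANGE, 25)]
    roles = {EXCHANGE: "exchange", APPLIANCE: "appliance"}
    return nat, filters, roles


def option_adjust_filters(remove_old_exception: bool):
    """Option 1: second NAT entry for the appliance, filters changed, MX moved.

    If the old port-25 exception for Exchange is left in place, Exchange stays
    reachable from the public side next to the appliance.
    """
    nat, filters, roles = before_change()
    nat = nat + [NatEntry(PUBLIC_APPLIANCE, APPLIANCE)]
    new_filters = [FilterRule("public", APPLIANCE, 25)]
    if not remove_old_exception:
        new_filters = filters + new_filters
    return nat, new_filters, roles


def option_move_address():
    """Option 2: the appliance takes Exchange's old private address.

    NAT entry and filter exceptions are untouched; the readdressing alone
    changes which box the existing port-25 exception lands on.
    """
    nat, filters, _ = before_change()
    roles = {EXCHANGE: "appliance", EXCHANGE_READDRESSED: "exchange"}
    return nat, filters, roles


def relay_only(nat, filters, roles, port: int = 25) -> bool:
    """True when the appliance is the only host the public side reaches on `port`."""
    return exposed_roles(nat, filters, roles, port) == {"appliance"}


if __name__ == "__main__":
    for label, state in [
        ("before", before_change()),
        ("option 1, old exception kept", option_adjust_filters(False)),
        ("option 1, old exception removed", option_adjust_filters(True)),
        ("option 2, appliance on old address", option_move_address()),
    ]:
        print(f"{label}: exposed on 25 = {sorted(exposed_roles(*state, 25))}, "
              f"relay only = {relay_only(*state)}")
```

The point of keeping the roles separate from the addresses is option 2: the filter set and NAT table are byte-for-byte the same before and after, and only the readdressing decides whether Exchange or the appliance is the box answering on port 25.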
Similar Messages
-
NATTing Question version 9.x
Hello,
I have two external ISP interfaces and need help with some NAT questions.
I have a webserver that I wish to advertise out both interfaces.
The issue I'm having is exactly how to do it on the ASA with version 9.x code
ISP 1: 9.9.9.0
ISP 2: 8.8.8.0
object network webserver
host 7.7.7.7
nat (dmz,isp1) static 9.9.9.9
nat (dmz,isp2) static 8.8.8.8
I can't seem to get this working. I'm new to this code, but the old code was so much easier with this...
Hi,
You won't be able to configure the static NAT towards both ISPs with a single NAT configuration. More specifically, you won't be able to configure 2 NAT statements under the same "object network".
You should configure it like this
object network WEBSERVER-ISP1
host 7.7.7.7
nat (dmz,isp1) static 9.9.9.9
object network WEBSERVER-ISP2
host 7.7.7.7
nat (dmz,isp2) static 8.8.8.8
If you want to read a bit about the new NAT format that was introduced from 8.3 onwards then you could have a look at a document I wrote here on the CSC
https://supportforums.cisco.com/docs/DOC-31116
Here is also another great document for someone that knows the old format but wants to know the corresponding new format
https://supportforums.cisco.com/docs/DOC-9129
I agree that the old NAT configuration format in some situations was a lot simpler and you potentially created a lot simpler configuration. In larger environments and more special setups I do think that the new NAT configuration format is far simpler/safer to configure and provides more flexibility. There are some issues with it that I still don't have a clear answer to, but for the most part it seems to work just fine.
Hope this helps
- Jouni -
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with IPSEC VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 using translated addresses.
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5, not 192.168.1.5 (notice the last octet should be the same, in this case .5).
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing to me, but I have seen this type of setup before when I worked for a managed service provider where we had connections to our clients (Site to Site IPsec VPN with NAT, not sure how it was set up).
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate it if someone can shed some light on it.
Hi,
OK, so we're going with the older NAT configuration format.
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
ASA IPsec Remote Access VPN | NAT Question
We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet. I know this is a common issue and can often be resolved on the client side by changing the metric on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0/16.
I played around with some NAT rules and feel that I am missing something I am looking for suggestions, please.
Thank you.
Hi,
This depends on your ASA firewall's software version and partly on its current NAT configuration.
I presume the following
Interfaces "inside" and "outside"
VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
Software 8.2 and below
access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
Key things to keep in mind with this software level is that if any of our internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
This will change the order of the "static" commands so that the original "static" command won't override this new configuration, as they are processed in the order they are inserted into the configuration. The remove/add part is just to change their order in the configuration.
Software 8.3 and above
object network LAN
subnet 10.0.0.0 255.255.255.0
object network LAN-VPN
subnet 192.168.10.0 255.255.255.0
object-group network VPN-POOL
subnet 10.10.100.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
In the above configuration we do the same as in the older software versions configuration but we have the number "1" in the "nat" configuration which places it at the very top of your NAT configurations and therefore it applies. No need to remove any existing configuration and enter them again like in the old software
In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
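Both of Jouni's answers above, the site-to-site policy NAT that presents 192.168.1.0/24 to the 10.1.0.0/16 side as 10.23.1.0/24 and the remote-access rule that presents 10.0.0.0/24 to the VPN pool as 192.168.10.0/24, rely on the same operation: a network-to-network static NAT that keeps the host bits, applied only when the policy's source and destination conditions match. The following is an added example, not code from either thread or from Cisco, that implements that translation in Python, applies it with the policy conditions, checks a candidate mapped network for overlap against the networks the far side already uses, and emits the encryption-domain ACL lines that must name the mapped network. The internet address 203.0.113.9 and the lists of networks handed to conflicts() are constructed for the illustration; the ACL name is the one from the site-to-site answer.

```python
"""Host-preserving static policy NAT for VPN traffic, with the checks around it.

Added example, not code from either Cisco Support Community thread above or
from Cisco. It models what the "static (inside,outside) 10.23.1.0 access-list
L2LVPN-POLICYNAT" (8.2) and "nat (inside,outside) 1 source static LAN LAN-VPN
destination static VPN-POOL VPN-POOL" (8.3+) configurations do: when a packet's
source is in the real network and its destination is in the policy's destination
network, the source is rewritten into the mapped network with the host bits
unchanged, so 192.168.1.5 becomes 10.23.1.5.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Tuple


def translate(host: str, real: str, mapped: str) -> IPv4Address:
    """Rewrite `host` from `real` into `mapped`, keeping the host part.

    Both networks must be the same size; that is what keeps the last octet
    identical in a /24-to-/24 translation.
    """
    real_net, mapped_net, addr = IPv4Network(real), IPv4Network(mapped), IPv4Address(host)
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("real and mapped networks must have the same prefix length")
    if addr not in real_net:
        raise ValueError(f"{addr} is not in {real_net}")
    host_bits = int(addr) - int(real_net.network_address)
    return IPv4Address(int(mapped_net.network_address) + host_bits)


def policy_source(src: str, dst: str, real: str, mapped: str, dst_net: str) -> IPv4Address:
    """Source address after policy NAT: translated only when both conditions match."""
    if IPv4Address(src) in IPv4Network(real) and IPv4Address(dst) in IPv4Network(dst_net):
        return translate(src, real, mapped)
    return IPv4Address(src)


def policy_destination(dst: str, real: str, mapped: str) -> IPv4Address:
    """Return path: a packet sent to a mapped address is delivered to the real host."""
    return translate(dst, mapped, real)


def conflicts(candidate: str, in_use: Iterable[str]) -> List[str]:
    """Networks in `in_use` that overlap the candidate mapped network."""
    cand = IPv4Network(candidate)
    return [n for n in in_use if cand.overlaps(IPv4Network(n))]


def encryption_domain(name: str, local_mapped: str, remote: str) -> Tuple[str, str]:
    """Crypto ACL lines for the local and the remote peer; both name the mapped local network."""
    def wire(n: IPv4Network) -> str:
        return f"{n.network_address} {n.netmask}"
    local, far = IPv4Network(local_mapped), IPv4Network(remote)
    return (
        f"access-list {name} permit ip {wire(local)} {wire(far)}",
        f"access-list {name} permit ip {wire(far)} {wire(local)}",
    )


if __name__ == "__main__":
    # Site-to-site case: ASA1's 192.168.1.0/24 is seen by ASA2 as 10.23.1.0/24.
    print(policy_source("192.168.1.5", "10.1.0.1", "192.168.1.0/24", "10.23.1.0/24", "10.1.0.0/16"))
    # Same host towards a constructed internet address: the policy does not match, no rewrite.
    print(policy_source("192.168.1.5", "203.0.113.9", "192.168.1.0/24", "10.23.1.0/24", "10.1.0.0/16"))
    for line in encryption_domain("L2LVPN-ENCRYPTIONDOMAIN", "10.23.1.0/24", "10.1.0.0/16"):
        print(line)
    # Remote-access case: is 192.168.10.0/24 free of the remote company's networks and the pool?
    print(conflicts("192.168.10.0/24", ["10.0.11.0/24", "10.1.0.0/16", "10.10.100.0/24"]))
```

The conflicts() check is the step worth automating: a mapped network that overlaps anything the VPN client or the remote peer already routes just moves the conflict rather than removing it, and the prefix-length check in translate() rejects the /24-to-/16 mistake that would silently break the "last octet stays the same" expectation.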
Dear All,
I have a Cisco 1841.
It has 2 interfaces.
The first one, which is f0/0, has a public IP from my ISP.
The other one is normal, and I am going to give it 192.168.1.100/24.
Now I have 3 totally different subnets.
I want to create 3 subinterfaces from f0/1.
My question is, how many subinterfaces can I add under f0/1?
And can I make this router work as NAT (overloading) but all the 4 subnets will use the same public IP address?
Can it be done as per this diagram?
Please update me.
Thanks for your reply.
I have the following results.
=============================================
HO-RO-Internet#sh idb
Maximum number of Software IDBs 1200. In use 12.
HWIDBs SWIDBs
Active 6 6
Inactive 6 6
Total IDBs 12 12
Size each (bytes) 2904 1280
Total bytes 34848 15360
Type SIdx Idx St,O,Sh Interface Name (subblocks)
H 1 1 U,D,R FastEthernet0/0 (HW SB CDP(4), MAC ADDR(2), Ether(1))
H 2 2 U,D,R FastEthernet0/1 (HW SB CDP(4), MAC ADDR(2), Ether(1))
H 3 3 A,D,R Serial0/0/0 (HW SB CDP(4), Serial(3))
H 4 6 U,D,R Loopback0
H 5 7 U,D,R Loopback1
H 6 8 U,D,R Loopback3
S 1 3 U FastEthernet0/0 (SW CDP(5), DSS(4), Dynamic DNS Updates(3
), NetBIOS(2), KEEPALIVE(1))
S 2 4 U FastEthernet0/1 (SW CDP(5), DSS(4), Dynamic DNS Updates(3
), NetBIOS(2), KEEPALIVE(1))
S 3 5 U Serial0/0/0 (SW CDP(5), NetBIOS(2), KEEPALIVE(1))
S 4 9 U Loopback0 (KEEPALIVE(1))
S 5 10 U Loopback1 (KEEPALIVE(1))
S 6 11 U Loopback3 (KEEPALIVE(1))
Key: SIdx=Sort Index, Idx=hw_if_index or if_number
St=Current State, O=Old State, Sh=Shadow State
A=Admindown, D=Down, G=Going Down, I=Init
R=Reset, T=Testing, U=Up, X=Deleted
HO-RO-Internet#
===========================================
So, from where can I know how many sub-interfaces I have?
Please update me.
-
I have an ASA 5520 ver 8.4 with the following config:
WAN
207.211.25.34
Production
10.11.12.1 255.255.255.0
Mgmt
10.11.11.1 255.255.255.0
I need to create a peer-to-peer VPN to a remote site ASP16 from both Prod and Mgmt.
What would my NAT statement look like?
Currently I have the following but can only ping from Mgmt, not Prod (ASP17 is a network object group that contains the Prod and Mgmt subnets):
nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod
Hello Tejas,
After reading your configuration I can see that the crypto maps are applied to the outside interface, and the access-list for the interesting traffic has both networks (Management and Production), so you should be able to access the other network from this site.
Can you do the following packet-tracer runs to see the features the ICMP packet is hitting when the request is sent.
I will need the output of the following commands:
1. packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15
2. packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15
Please rate helpful posts,
Julio!! -
Static NAT Question - Public to Inside ASA 9.1x
Hi All.. I'm having hard time wrapping my head around the post 8.2 nat statements, please help.
I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses (this is a video streaming relay server). It also needs to be able to push the stream to a specific IP address as well. I can do identity NAT, and it'll go out and I see it's using the IP, but obviously traffic doesn't get in... I can use sample web server NATs I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:
Remote Public IP's: 77.88.99.11
Local Public IP: 12.12.12.1
Ports required:
object-group service srvgp-stream-remote
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 8088
service-object tcp destination eq 1935
service-object udp destination range 6970 9999
service-object udp destination range 30000 65000
service-object udp destination eq 554
I can get this to work:
object network server-external-ip
host 12.12.12.1
object network webserver
host 192.168.1.100
nat (dmz,outside) static server-external-ip service tcp 8088 8088
access-list acl-outside extended permit tcp host 77.88.99.11 object AngelEye eq 8088
But again, I have no idea how I would do such a thing with a list of required ports? I don't see that's an option in the syntax. Additionally, would this provide an 'identity NAT' in case the server had to send info out to the public IP via these same ports, or do you require a separate identity NAT to do this to the same public IP addresses?
Any help is greatly appreciated.
With that many ports, you should use the public IP exclusively for the webserver:
object network webserver
host 192.168.1.100
nat (dmz,outside) static server-external-ip
If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:
nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote -
8.2 to 8.3 static nat question
So, in 8.2, if I had an inside interface at 10.10.10.1 and an mpls interface (sec-100) at 10.20.20.1, and I wanted traffic to traverse between the two interfaces, I could write the following statement:
static (inside,mpls) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
What would this look like in 8.3?
Thanks!
Hi,
In the 8.3+ software levels you don't need any NAT configuration between 2 interfaces if you don't need to specifically NAT something.
If you have a Dynamic PAT configuration from "inside" to "mpls" that contains the networks behind "inside" as the source address then in this situation you would need another NAT configuration to enable communication from the "mpls" to "inside". (to enable bidirectional connection forming that is)
If there is no NAT configuration between "inside" and "mpls" at the moment then you won't need any NAT configuration. You will just have to make sure the traffic is allowed in the interface ACL. If you have an equal "security-level" between the interfaces then you will have to make sure you have "same-security-traffic permit inter-interface" also configured.
- Jouni -
We just moved into a new place and Shaw provides a wireless router for the broadband 50 connection now, instead of just a standalone bridge for the cable modem.
2 devices are
Airport Extreme
Cisco - DPC3825
I was just upgrading firmware and I get this message.
Problem 1/1 - Double Nat
Screenshot attached of error
So I am wondering if I should put this in bridge mode or in the second option. Or should I configure the Cisco router in bridge mode and change this? Just wondering if anyone had any real-life experience with these.
Also I work from home and I use an aruba remote ap (RAP2) It creates an ipsec tunnel and connects back to our controller in California. Before we moved I had this connected into my airport extreme that was connected directly to the motorola cable modem.
Appreciate the help on this.
You should definitely configure the AirPort Extreme in Bridge Mode since you already have another router "upstream" on your network.
If you select the "Share a single IP address setting", you will have two devices....both trying to act as routers distributing IP addresses and handling NAT services.
That... is a virtual guarantee that you will have multiple conflicts on the network. -
IPSec tunnel and policy NAT question
Hello All!
I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
2. I need to translate the outgoing IP address of our end of the IPSec tunnel to a different IP address
I have implemented the following configuration, but for some reason it is not working: I get packets decrypted on my end, but don't have packets encrypted to send to the other end.
Here is the configuration
Remote end crypto interesting ACL:
ip access-list extended crypto-interesting-remote
permit ip host 192.168.1.10 host 10.0.0.10
My end configuration:
interface GigabitEthernet0/0
ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN
ip access-list extended crypto-interesting-local
permit ip host 10.0.0.10 host 192.168.1.10
interface GigabitEthernet0/3
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
speed auto
ip nat inside source static 172.16.0.20 10.0.0.10 (to translate the local IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
ip nat outside source static 192.168.1.10 192.168.168.10 (to translate the remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
Any response highly appreciated!
Thanks!
Figured that out.
The problem was in route
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
should be next-hop IP address instead of interface gigabitethernet0/0
Apparently the packet arrives on the interface but does not pass it when having a route like this, because there is no one sitting with the 192.168.168.10 IP address on the outside. -
I'm looking at this as a possibility... Ideas?
CallManager---> 2600GW W ADSL WIC ---> Internet ---> netgear router ----> IP Phone
The Callmanager is 10.0.0.1, iphone 192.168.10.1 both NAT.
Even possible? Thoughts?
Not all firewalls allow Skinny. Some, like Linksys, allow it. Not sure about NAT, but IOS 12.3(15)T could have support for such a configuration.
-
Nat Question: Is this doable?
Here is the scenario:
- would like to route any internal traffic that's SMTP-based only to the internal email servers (x 2)
- The default gateway is already set on the email server to go out the outside interface
Can this be done on an ASA, I am thinking this more of a routing issue that NAT statement.
NAT LAN_Traffic_port25 --> INT_MailServer_Only (I am thinking it's not possible or that it even makes sense).
What do you think?
Thank you very much guys for your answers in advance.
Thanks Jay! I will try it again...
I have 3 email servers on my network; all 3 have hub roles and transport roles. One server has hub, transport and CAS roles (sorry, I know this is not a Windows forum but I want people to get the picture).
- Effectively I want ONLY 2 of the 3 Exchange Servers to handle all SMTP traffic from internal and external clients (inside network and outside network).
- routing inbound to port 25 is easy to do, but how would I tell all of my internal (LAN) to go to INT_IP of mail server?
- I don't think I can set a default GW specifically for SMTP traffic... can I?
Hope that helps
Thank you -
We're out of IP addresses! I need to implement NAT on the 2801 router and cannot find any examples for my exact situation. I don't want to just start trying things. I might take down the network. See my attachment. I've simplified it quite a bit. Right now, our public IP space is on the inside of the router as the switches were configured as layer 2. I want to create a pool within this space and NAT the 10.10.10.0/24 network to "the cloud". This should be extra simple, but all of the examples show NAT translated using the outside interface. My ISP does not want me to use the outside firewall interface for translation. Will this work? Here is what I've done:
int fa0/0
ip add 192.168.100.2 255.255.255.0
ip nat inside
int s0/1/1
ip add 172.16.100.9 255.255.255.252
ip nat outside
access-list 1366 permit 10.10.10.0 0.0.0.255
ip nat pool NET192 192.168.100.8 192.168.100.9 netmask 255.255.255.0 (rfc1918 for example)
ip nat inside source list 1366 pool NET192 overload
OSPF routing to "the cloud"
ip route 10.10.10.0 255.255.255.0 192.168.100.1
Thanks for any help
Andrew
Andrew
Yes, your config will work fine. Personally I would use an access-list number between 1 -> 99, i.e. a standard ACL, for your NAT.
One thing -
OSPF routing to "the cloud"
ip route 10.10.10.0 255.255.255.0 192.168.100.1
Not sure what this is for. Is 192.168.100.1 the next hop from your router to get to the 10.10.10.0/24 network? If so, there is no need to advertise this to the cloud, as the 10.10.10.x addresses will not be seen in the cloud.
Jon -
Will Nexus 3048 support NAT in future release?
yes, it does
From the doc:
Algo Boost technology is a set of hardware functions that provide an ultra-low latency as low as 190 nanoseconds (ns), even with features such as Network Address Translation (NAT) in hardware.
more info
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps11541/ps12581/white_paper_c11-715262.html
HTH -
Traffic originating from service addresses is not being NAT'd to the VIP address - is this normal?
What you need is a group config with a VIP matching your content rule VIP, and use 'add service' under the group to add all the servers that should be NATed.
No need for acl at this point.
ACL are only required if you sometimes need nat and sometimes you don't.
Here is a link to documentation.
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_command_reference_chapter09186a00800e4515.html#wp1674400
Gilles.