NAT question

Our mail server currently has an entry for NAT (197.187.4.240) bound to
the public interface and 197.187.5.50 (Exchange) to the private. There
are filter sets that pass port 25 traffic from public to Exchange.
We have a new spam filter appliance (197.187.5.72) that needs to sit
between Exchange and the internet. I have added a NAT entry for this:
197.187.4.72 (public) to 197.187.5.72 (private).
Do I need to simply adjust my filters to specify the new appliance, which
will be a mail relay, or do I need to adjust the NAT table and bind
197.187.4.240 to 197.187.5.72 (new mail host)?

In article <SjLVh.463$[email protected]>, Justin wrote:
> Do I need to simply adjust my filters to specify the new appliance, which
> will be a mail relay, or do I need to adjust the NAT table and bind
> 197.187.4.240 to 197.187.5.72 (new mail host)?
>
Could be both. You need to change the MX record to point to the new
address, or you need to NAT the old address to the appliance and not NAT
the mail server. If you change the NAT to point to a new internal address,
you will have to change the filter exceptions also. If you put the
appliance in at the old address for the mail server, you won't have to
change anything on the BMgr server, but you will have to readdress the mail
server. Your choice.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

Similar Messages

  • NATing Question version 9.x

    Hello,
    I have two external ISP interfaces and need help with some NAT questions.
    I have a web server that I wish to advertise out both interfaces.
    The issue I'm having is exactly how to do it on the ASA with version 9.x code.
    ISP 1:  9.9.9.0
    ISP 2: 8.8.8.0
    object network webserver
    host 7.7.7.7
    nat (dmz,isp1) static 9.9.9.9
    nat (dmz,isp2) static 8.8.8.8
    I can't seem to get this working. I'm new to this code, but the old code was so much easier with this...

    Hi,
    You won't be able to configure static NAT towards both ISPs with a single NAT configuration. More specifically, you won't be able to configure two NAT statements under the same "object network".
    You should configure it like this:
    object network WEBSERVER-ISP1
    host 7.7.7.7
    nat (dmz,isp1) static 9.9.9.9
    object network WEBSERVER-ISP2
    host 7.7.7.7
    nat (dmz,isp2) static 8.8.8.8
    If you want to read a bit about the new NAT format that was introduced from 8.3 onwards, you could have a look at a document I wrote here on the CSC:
    https://supportforums.cisco.com/docs/DOC-31116
    Here is also another great document for someone who knows the old format but wants to know the corresponding new format:
    https://supportforums.cisco.com/docs/DOC-9129
    I agree that the old NAT configuration format in some situations was a lot simpler and you potentially created a much simpler configuration. In larger environments and more special setups I do think that the new NAT configuration format is far simpler/safer to configure and provides more flexibility. There are some issues with it that I still don't have a clear answer to, but for the most part it seems to work just fine.
    Hope this helps.
    - Jouni

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPsec VPN and NAT. Basically what I want to achieve is the following:
    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPsec VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with the IPsec VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 using translated addresses.
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5, not 192.168.1.5 (notice the last octet should be the same, in this case .5).
    The same translation for the rest of the communication (host N2 pings host N3 with destination IP 10.23.1.6, not 192.168.1.6; again the last octet is the same).
    It sounds a bit confusing for me, but I have seen this type of setup before when I worked for a managed service provider where we had a connection to our clients (Site to Site IPsec VPN with NAT, not sure how it was set up).
    Basically we were communicating with client hosts over the site to site VPN, but their real addresses were hidden and we were using translated addresses as mentioned above, 10.23.1.0/24 instead of the (real) 192.168.1.0/24, last octet the same.
    Appreciate it if someone can shed some light on it.

    Hi,
    Ok, so we're going with the older NAT configuration format.
    To me it seems you could do the following:
    Configure ASA1 with static policy NAT:
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a static policy NAT, the translation will only be done when the destination network is 10.1.0.0/16.
    If you, for example, have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
    On the ASA2 side you can normally configure NAT0 / NAT exemption for the 10.1.0.0/16 network:
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L VPN encrypted traffic must reflect the new NAT network:
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work, but let me know if it works out.
    Please rate if it was helpful.
    - Jouni

  • ASA IPsec Remote Access VPN | NAT Question

    We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet. I know this is a common issue and can often be resolved on the client side by changing the metric on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
    Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
    We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0/16.
    I played around with some NAT rules and feel that I am missing something. I am looking for suggestions, please.
    Thank you.

    Hi,
    This depends on your ASA firewall's software version and partly on its current NAT configuration.
    I presume the following:
    Interfaces "inside" and "outside"
    VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
    Software 8.2 and below:
    access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
    access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
    static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
    Key thing to keep in mind with this software level: if any of your internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address, then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
    This will change the order of the "static" commands so that the original "static" command won't override this new configuration, as they are processed in the order they are inserted into the configuration. The remove/add part is just to change their order in the configuration.
    Software 8.3 and above:
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network LAN-VPN
    subnet 192.168.10.0 255.255.255.0
    object-group network VPN-POOL
    subnet 10.10.100.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
    In the above configuration we do the same as in the older software versions' configuration, but we have the number "1" in the "nat" configuration, which places it at the very top of your NAT configurations and therefore it applies. No need to remove any existing configuration and enter it again like in the old software.
    In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using split tunnel, the NAT network needs to be added to the VPN ACL. If using full tunnel, then naturally everything should already be coming through the VPN. I imagine though that you are using split tunnel, or?
    Hope this helps.
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni
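
As an added illustration (not code from either thread or from Cisco), here is a small Python model of the static policy NAT in Jouni's two replies above: the site-to-site translation of 192.168.1.0/24 to 10.23.1.0/24 only toward 10.1.0.0/16, and the remote-access overlap fix translating 10.0.0.0/24 to 192.168.10.0/24 only toward the VPN pool, including the rule-order shadowing he warns about on 8.2. The per-host static for 10.0.0.25 and its public address 203.0.113.25 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class StaticNat:
    """One ASA static rule: 8.2 'static (in,out) <mapped> access-list <acl>' or
    8.3+ 'nat (in,out) source static <real> <mapped> destination static <peer> <peer>'.

    real   : inside network as the hosts see themselves
    mapped : network the peer sees (same prefix length as real)
    peer   : destination that triggers the rule; 0.0.0.0/0 = plain (non-policy) static
    """
    real: IPv4Network
    mapped: IPv4Network
    peer: IPv4Network = IPv4Network("0.0.0.0/0")

    def __post_init__(self):
        # Network-to-network static NAT maps host bits 1:1, so the sizes must match.
        if self.real.prefixlen != self.mapped.prefixlen:
            raise ValueError("real and mapped networks must be the same size")


def _shift(addr, from_net, to_net):
    # Keep the host bits, replace the network bits: .5 stays .5, as the poster requires.
    host_bits = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + host_bits)


def outbound(src, dst, rules):
    """Inside -> outside. First matching rule wins, as the ASA walks its NAT table in order."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        if src in rule.real and dst in rule.peer:
            return str(_shift(src, rule.real, rule.mapped))
    return str(src)  # no rule matched: the real address goes out untranslated


def inbound(src, dst, rules):
    """Outside -> inside: undo the translation for the returning (or peer-initiated) packet."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        if dst in rule.mapped and src in rule.peer:
            return str(_shift(dst, rule.mapped, rule.real))
    return str(dst)


# Site-to-site reply: ASA1 presents 192.168.1.0/24 as 10.23.1.0/24, only toward 10.1.0.0/16.
L2L_RULES = [StaticNat(IPv4Network("192.168.1.0/24"), IPv4Network("10.23.1.0/24"),
                       IPv4Network("10.1.0.0/16"))]

# Remote-access reply: 10.0.0.0/24 presented as 192.168.10.0/24, only toward the pool 10.10.100.0/24.
VPN_POLICY = StaticNat(IPv4Network("10.0.0.0/24"), IPv4Network("192.168.10.0/24"),
                       IPv4Network("10.10.100.0/24"))
# A pre-existing per-host static to a public address (constructed; 203.0.113.0/24 is documentation space).
HOST_STATIC = StaticNat(IPv4Network("10.0.0.25/32"), IPv4Network("203.0.113.25/32"))


def demo():
    """Return the translations a practitioner would verify with packet-tracer on a real ASA."""
    return {
        # L2L: host .5 keeps its last octet; Internet-bound traffic is left for the ordinary PAT.
        "l2l_out": outbound("192.168.1.5", "10.1.0.1", L2L_RULES),           # 10.23.1.5
        "l2l_internet": outbound("192.168.1.5", "198.51.100.1", L2L_RULES),  # 192.168.1.5
        "l2l_return": inbound("10.1.0.1", "10.23.1.6", L2L_RULES),           # 192.168.1.6
        # The 8.2 pitfall: an older per-host static listed first shadows the policy NAT ...
        "shadowed": outbound("10.0.0.25", "10.10.100.7", [HOST_STATIC, VPN_POLICY]),  # 203.0.113.25
        # ... which is why the 8.3+ rule carries position "1" (or the 8.2 static is re-entered after it).
        "ordered": outbound("10.0.0.25", "10.10.100.7", [VPN_POLICY, HOST_STATIC]),   # 192.168.10.25
    }


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:13} {addr}")
```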

  • NAT QUESTION - PLEASE HELP

    Dear All,
    I have a Cisco 1841.
    It has 2 interfaces.
    The first one, f0/0, has a public IP from my ISP.
    The other one is normal, and I am going to give it 192.168.1.100/24.
    Now I have 3 totally different subnets.
    I want to create 3 subinterfaces from f0/1.
    My question is, how many subinterfaces can I add under f0/1?
    And can I make this router work as NAT (overloading) but all 4 subnets will use the same public IP address?
    Can it be done as per this diagram?
    Please update me.

    Thanks for your reply.
    I have the following results.
    =============================================
    HO-RO-Internet#sh idb
    Maximum number of Software IDBs 1200. In use 12.
    HWIDBs SWIDBs
    Active 6 6
    Inactive 6 6
    Total IDBs 12 12
    Size each (bytes) 2904 1280
    Total bytes 34848 15360
    Type SIdx Idx St,O,Sh Interface Name (subblocks)
    H 1 1 U,D,R FastEthernet0/0 (HW SB CDP(4), MAC ADDR(2), Ether(1))
    H 2 2 U,D,R FastEthernet0/1 (HW SB CDP(4), MAC ADDR(2), Ether(1))
    H 3 3 A,D,R Serial0/0/0 (HW SB CDP(4), Serial(3))
    H 4 6 U,D,R Loopback0
    H 5 7 U,D,R Loopback1
    H 6 8 U,D,R Loopback3
    S 1 3 U FastEthernet0/0 (SW CDP(5), DSS(4), Dynamic DNS Updates(3
    ), NetBIOS(2), KEEPALIVE(1))
    S 2 4 U FastEthernet0/1 (SW CDP(5), DSS(4), Dynamic DNS Updates(3
    ), NetBIOS(2), KEEPALIVE(1))
    S 3 5 U Serial0/0/0 (SW CDP(5), NetBIOS(2), KEEPALIVE(1))
    S 4 9 U Loopback0 (KEEPALIVE(1))
    S 5 10 U Loopback1 (KEEPALIVE(1))
    S 6 11 U Loopback3 (KEEPALIVE(1))
    Key: SIdx=Sort Index, Idx=hw_if_index or if_number
    St=Current State, O=Old State, Sh=Shadow State
    A=Admindown, D=Down, G=Going Down, I=Init
    R=Reset, T=Testing, U=Up, X=Deleted
    HO-RO-Internet#
    ===========================================
    So, from where can I know how many sub-interfaces I have?
    Please update me.

  • ASA vpn nat question

    I have an ASA 5520 ver 8.4 with the following config:
    WAN
    207.211.25.34
    Production
    10.11.12.1 255.255.255.0
    Mgmt
    10.11.11.1 255.255.255.0
    I need to create a peer-to-peer VPN to a remote site ASP16 from both Prod and Mgmt.
    What would my NAT statement look like?
    Currently I have the following but can only ping from Mgmt, not Prod (ASP17 is a network object group that contains the Prod and Mgmt subnets):
    nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
    nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod

    Hello Tejas,
    After reading your configuration I can see that the crypto maps are applied to the outside interface, and the access-list for the interesting traffic has both networks (Management and Production), so you should be able to access the other network from this site.
    Can you do the following packet-tracers to see the features the ICMP packet is hitting when the request is sent?
    I will need the output of the following commands:
    1- Packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15
    2-Packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15
    Please rate helpful posts,
    Julio!!

  • Static NAT Question - Public to Inside ASA 9.1x

    Hi All. I'm having a hard time wrapping my head around the post-8.2 NAT statements, please help.
    I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses (this is a video streaming relay server). It also needs to be able to push the stream to a specific IP address as well. I can do identity NAT, and it'll go out and I see it's using the IP, but obviously traffic doesn't get in... I can use sample web server NATs I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:
    Remote Public IP's: 77.88.99.11
    Local Public IP: 12.12.12.1
    Ports required:
    object-group service srvgp-stream-remote
     service-object tcp destination eq www
     service-object tcp destination eq https
     service-object tcp destination eq 8088
     service-object tcp destination eq 1935
     service-object udp destination range 6970 9999
     service-object udp destination range 30000 65000
     service-object udp destination eq 554
    I can get this to work:
    object network server-external-ip
     host 12.12.12.1
    object network webserver
     host 192.168.1.100
     nat (dmz,outside) static server-external-ip service tcp 8088 8088
    access-list acl-outside extended permit tcp host 77.88.99.11 object AngelEye eq 8088
    But again, I have no idea how I would do such a thing with a list of required ports. I don't see that's an option in the syntax. Additionally, would this provide an 'identity NAT' in case the server had to send info out to the public IP via these same ports, or do you require a separate identity NAT to do this to the same public IP addresses?
    Any help is greatly appreciated.

    With that many ports, you should use the public IP exclusively for the web server:
    object network webserver
    host 192.168.1.100
    nat (dmz,outside) static server-external-ip
    If it's not possible to use that IP only for that server, you can configure manual NAT for these ports:
    nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote

  • 8.2 to 8.3 static nat question

    So, in 8.2, if I had an inside interface at 10.10.10.1 and an MPLS interface (sec-100) at 10.20.20.1, and I wanted traffic to traverse between the two interfaces, I could write the following statement:
    static (inside,mpls) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
    What would this look like in 8.3?
    Thanks!

    Hi,
    In the 8.3+ software levels you don't need any NAT configuration between 2 interfaces if you don't need to specifically NAT something.
    If you have a dynamic PAT configuration from "inside" to "mpls" that contains the networks behind "inside" as the source address, then in this situation you would need another NAT configuration to enable communication from "mpls" to "inside" (to enable bidirectional connection forming, that is).
    If there is no NAT configuration between "inside" and "mpls" at the moment, then you won't need any NAT configuration. You will just have to make sure the traffic is allowed in the interface ACL. If you have equal "security-level" between the interfaces, then you will have to make sure you have "same-security-traffic permit inter-interface" also configured.
    - Jouni

  • Double Natting Question

    We just moved into a new place and Shaw provides a wireless router for the Broadband 50 connection now instead of just a standalone bridge for the cable modem.
    The 2 devices are:
    Airport Extreme
    Cisco - DPC3825
    I was just upgrading firmware and I get this message:
    Problem 1/1 - Double Nat
    Screenshot attached of error
    So I am wondering if I should put this in bridge mode or in the second option. Or should I configure the Cisco router in bridge mode and change this? Just wondering if anyone had any real-life experience with these.
    Also, I work from home and I use an Aruba remote AP (RAP2). It creates an IPsec tunnel and connects back to our controller in California. Before we moved I had this connected to my AirPort Extreme, which was connected directly to the Motorola cable modem.
    Appreciate the help on this.

    You should definitely configure the AirPort Extreme in Bridge Mode since you already have another router "upstream" on your network.
    If you select the "Share a single IP address" setting, you will have two devices, both trying to act as routers distributing IP addresses and handling NAT services.
    That is a virtual guarantee that you will have multiple conflicts on the network.

  • IPSec tunnel and policy NAT question

    Hello All!
    I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPsec tunnel as follows:
    1. I need to translate the incoming IP address of the remote end of the IPsec tunnel to some other IP address on our end
    2. I need to translate the outgoing IP address of our end of the IPsec tunnel to a different IP address
    I have implemented the following configuration, but for some reason it is not working: I get packets decrypted on my end, but don't have packets encrypted to send to the other end.
    Here is the configuration.
    Remote end crypto interesting ACL:
    ip access-list extended crypto-interesting-remote
    permit ip host 192.168.1.10 host 10.0.0.10
    My end configuration:
    interface GigabitEthernet0/0
    ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN
    ip access-list extended crypto-interesting-local
    permit ip host 10.0.0.10 host 192.168.1.10
    interface GigabitEthernet0/3
    ip address 172.16.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    speed auto
    ip nat inside source static 172.16.0.20 10.0.0.10   (to translate the local IP address to the one on the crypto-interesting list, exposed to the remote peer; it works)
    ip nat outside source static 192.168.1.10 192.168.168.10 (to translate the remote IP address to some other IP address on our end; not working, I get packets decrypted but no packets encrypted)
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
    All the routes are set, the crypto IPsec tunnel is up and working, and I am wondering if it is possible to achieve two-way NAT translation?
    Any response highly appreciated!
    Thanks!

    Figured that out.
    The problem was in the route:
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    It should be a next-hop IP address instead of the interface gigabitethernet0/0.
    Apparently the packet arrives on the interface but does not pass it when having a route like this, because there is no one sitting with the 192.168.168.10 IP address on the outside.

  • SCCP over NAT Question

    I'm looking at this as a possibility... Ideas?
    CallManager ---> 2600 GW w/ ADSL WIC ---> Internet ---> Netgear router ---> IP phone
    The CallManager is 10.0.0.1, the IP phone 192.168.10.1, both NAT.
    Even possible? Thoughts?

    Not all firewalls allow Skinny. Some, like Linksys, allow it. Not sure about NAT, but IOS 12.3(15)T could have support for such a configuration.

  • Nat Question: Is this doable?

    Here is the scenario:
    - I would like to route any internal traffic that's SMTP-based only to the internal email server (x 2)
    - The default gateway is already set on the email server to go out the outside interface
    Can this be done on an ASA? I am thinking this is more of a routing issue than a NAT statement.
    NAT LAN_Traffic_port25 --> INT_MailServer_Only    (I am thinking it's not possible or doesn't even make sense).
    What do you think?
    Thank you very much guys for your answers in advance.

    Thanks Jay! I will try it again...
    I have 3 email servers on my network; all 3 have hub roles and transport roles. One server has hub, transport and CAS roles (sorry, I know this is not a Windows forum, but I want people to get the picture).
    - Effectively I want ONLY 2 of the 3 Exchange servers to handle all SMTP traffic from internal and external clients (inside network and outside network).
    - Routing inbound to port 25 is easy to do, but how would I tell all of my internal (LAN) clients to go to the INT_IP of the mail server?
    - I don't think I can set a default GW specifically for SMTP traffic... can I?
    Hope that helps
    Thank you

  • 2801 NAT Question

    We're out of IP addresses! I need to implement NAT on the 2801 router and cannot find any examples for my exact situation. I don't want to just start trying things; I might take down the network. See my attachment. I've simplified it quite a bit. Right now, our public IP space is on the inside of the router as the switches were configured as layer 2. I want to create a pool within this space and NAT the 10.10.10.0/24 network to "the cloud". This should be extra simple, but all of the examples show NAT translated using the outside interface. My ISP does not want me to use the outside firewall interface for translation. Will this work? Here is what I've done:
    int fa0/0
    ip add 192.168.100.2 255.255.255.0
    ip nat inside
    int s0/1/1
    ip add 172.16.100.9 255.255.255.252
    ip nat outside
    access-list 1366 permit 10.10.10.0 0.0.0.255
    ip nat pool NET192 192.168.100.8 192.168.100.9 netmask 255.255.255.0   (rfc1918 for example)
    ip nat inside source list 1366 pool NET192 overload
    OSPF routing to "the cloud"
    ip route 10.10.10.0 255.255.255.0 192.168.100.1
    Thanks for any help
    Andrew

    Andrew
    Yes, your config will work fine. Personally I would use an access-list number between 1 -> 99, i.e. a standard ACL, for your NAT.
    One thing -
    OSPF routing to "the cloud"
    ip route 10.10.10.0 255.255.255.0 192.168.100.1
    Not sure what this is for. Is 192.168.100.1 the next-hop from your router to get to the 10.10.10.0/24 network? If so, there is no need to advertise this to the cloud as the 10.10.10.x addresses will not be seen in the cloud.
    Jon

  • Nexus 3048 NAT question

    Will Nexus 3048 support NAT in a future release?

    Yes, it does.
    From the doc:
    Algo Boost technology is a set of hardware functions that provide an ultra-low latency as low as 190 nanoseconds (ns), even with features such as Network Address Translation (NAT) in hardware.
    More info:
    http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps11541/ps12581/white_paper_c11-715262.html
    HTH

  • CSS11500 NAT Question

    Traffic originating from service addresses is not being NAT'd to the VIP address - is this normal?

    What you need is a group config with a VIP matching your content rule VIP, and use 'add service' under the group to add all the servers that should be NATed.
    No need for an ACL at this point.
    ACLs are only required if you sometimes need NAT and sometimes you don't.
    Here is a link to the documentation:
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_command_reference_chapter09186a00800e4515.html#wp1674400
    Gilles.
