NAT STATIC ISM

Hi guys, 
I want to know how to configure static NAT on the ASR9000. The ASR runs IOS-XR 4.3.4 and the configuration is as follows:
hw-module service cgn location 0/4/CPU0
interface ServiceInfra 1
 ipv4 address 100.10.200.253 255.255.255.252
 service-location 0/4/CPU0
interface Gigabitethernet 0/0/0/19
 description INSIDE
 vrf ivrf1
 ipv4 address 192.168.0.254 255.255.255.0
interface ServiceApp1
 description INBOUND INSIDE TO ISM
 vrf ivrf1
 ipv4 address 100.10.200.1 255.255.255.252
 service cgn prueba service-type nat44
interface ServiceApp2
 description OUTBOUND OUTSIDE
 ipv4 address 100.10.200.5 255.255.255.252
 service cgn prueba service-type nat44
router static
 address-family ipv4 unicast
  191.20.20.0/24 ServiceApp2
 vrf ivrf1
  address-family ipv4 unicast
   0.0.0.0/0 ServiceApp1
service cgn prueba
 service-location preferred-active 0/4/CPU0
 service-type nat44 nat1
  portlimit 65535
  alg ActiveFTP
  alg rtsp
  alg pptpAlg
  inside-vrf ivrf1
   map address-pool 191.20.20.0/24
  protocol udp
   session initial timeout 30
   session active timeout 120
  protocol tcp
   session initial timeout 120
   session active timeout 1800
  protocol icmp
   timeout 60
  refresh-direction Outbound
The configuration above works perfectly and I can reach the Internet. Now I need to migrate the following static NAT configuration to the ASR9000:
ip nat inside source static tcp 192.168.0.205 3299 191.20.20.205 3299 extendable
Can you help, please?
I would greatly appreciate it.
Thanks.
Fredy Caceres

Hi Fredy,
Please see link below,
https://supportforums.cisco.com/document/11939006/cgv6-ism-cgnnat44-deployment-guide#static-port-forwarding
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-3/cg_nat/command/reference/b_cgnat_cr43xasr9k/b_cgnat_cr42crs_chapter_01.html#wp2900083483
Best Regards,
Bheem
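As an added illustration (not part of Fredy's configuration or Bheem's reply, and not copied from the linked documents), this is how static port forwarding is expressed on the ISM CGN instance already defined above. The syntax follows the IOS-XR 4.3 CGN command reference as I recall it and should be checked against the linked guide; the `show` command is likewise from memory. The important difference from the IOS `ip nat inside source static` line is that, as I understand the feature, CGN allocates the outside address and port from the configured pool itself: you do not pin the mapping to 191.20.20.205:3299, you look the allocated mapping up afterwards.

```text
! Added example, not from the thread: static port forwarding for the
! inside host 192.168.0.205, TCP port 3299, inside the existing nat44
! instance. Only the inside-vrf block changes; the rest of the running
! configuration stays as posted.
service cgn prueba
 service-type nat44 nat1
  inside-vrf ivrf1
   map address-pool 191.20.20.0/24
   ! static-forward pins the inside address:port so that it is always
   ! translated to the same public address:port, chosen by CGN from the pool
   static-forward inside
    address 192.168.0.205 port 3299

! Look up which public address:port CGN allocated for the entry
! (command syntax from memory; verify on the box with "?").
show cgn nat44 nat1 inside-translation protocol tcp inside-vrf ivrf1 inside-address 192.168.0.205 port-start 3299 port-end 3299
```

If the application on the remote side requires the public mapping to be exactly 191.20.20.205:3299 (as the IOS `extendable` static implied), check the linked deployment guide for whether the release offers a way to fix the outside port; the entry above only guarantees that the mapping is stable once created.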

Similar Messages

  • Static NAT through two ISPs

    I have the following situation: I have two ASA 5520
    Cisco Adaptive Security Appliance Software Version 8.4(2)
    Device Manager Version 6.4(5)
    which are running stand-alone, but both share the same DMZ at the VLAN level and at the IP segment level. Now, is there any solution so that the DMZ servers answer requests coming from the Internet through both ASAs, given that a DMZ server only has one default gateway, in this case one of the two ASAs that share the DMZ?

    Hello Alexis,
    EDIT: During my lunch hour I was thinking about this discussion and came to the conclusion that there is a way in which we can make the server reply to the other ASA (the one that is not the default gateway).
    For that you need to configure Outside NAT:
    This is the configuration you need on the ASA
    NAT (outside,inside) source dynamic any any destination static Global_Ip_Server Local_Ip_Server
    Regards
    Julio

  • Carrier grade nat - static port block allocation.

    Hello,
    Is it possible to configure NAT (CGN) on an ASR 1k so that the same private address always gets the same port block allocation from the same public address? With that you don't need NAT logging.
    regards

    ADAM619,
    At the moment we're unable to answer these questions.  When we have more information we will provide it here in the forums, and make it available at www.verizon.com.  Thanks for your patience during this transition. ~Ian
    Ian_VZ
    Verizon Support
    Notice: Content posted by Verizon employees is meant to be informational and does not supersede or change the Verizon Forums User Guidelines or Terms or Service, or your Customer Agreement Terms and Conditions or Plan.

  • Static-nat and vpn tunnel bound traffic from same private address?

    Hi guys,
    I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
    For this local host @192.168.0.250, I also have a static one-to-one private to public.
    static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
    As you can see, the IPSec SA shows the end-points in question and traffic is being decrypted but not encrypted; host traffic never enters the tunnel. Why?
    How can I resolve this problem without complicating the setup?
    BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
    Phase: 1
    Type: CAPTURE
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside-50
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.0.0     255.255.255.0   mgmt-192
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group mgmt_intf in interface mgmt-192
    access-list mgmt_intf extended permit icmp any any 
    access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT-EXEMPT
    Subtype: 
    Result: ALLOW
    Config:
    nat-control
      match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
        NAT exempt
        translate_hits = 5, untranslate_hits = 0
    Additional Information:
    Phase: 9
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255 
    nat-control
      match ip mgmt-192 host 192.168.0.250 outside-50 any
        static translation to 216.9.50.250
        translate_hits = 25508, untranslate_hits = 7689
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
    nat-control
      match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
        static translation to 192.168.0.0
        translate_hits = 28867754, untranslate_hits = 29774713
    Additional Information:
    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 12
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1623623685, packet dispatched to next module
    Result:
    input-interface: mgmt-192
    input-status: up
    input-line-status: up
    output-interface: outside-50
    output-status: up
    output-line-status: up
    Action: allow
    BurlingtonASA1# 
    Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
          access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3 
          local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
          remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
          current_peer: 216.9.62.4
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 37CA63F1
          current inbound spi : 461C843C
        inbound esp sas:
          spi: 0x461C843C (1176273980)
             transform: esp-aes-256 esp-sha-hmac no compression 
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 77398016, crypto-map: map1
             sa timing: remaining key lifetime (kB/sec): (3914997/25972)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap: 
              0x003FFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x37CA63F1 (936010737)
             transform: esp-aes-256 esp-sha-hmac no compression 
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 77398016, crypto-map: map1
             sa timing: remaining key lifetime (kB/sec): (3915000/25972)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap: 
              0x00000000 0x00000001

  • STATIC NAT PROBLEM

    Hi All,
    We are having a problem with a static NAT statement and or ACL not allowing traffic to the port configured to the inside host on the LAN.
    NETWORK SETUP
    We have a 3CX IP PBX behind a Pix firewall and need remote hosts to be able to connect to the 3CX over the 3CX tunnel protocol that uses port 5090. 3CX internal IP Address is 172.16.0.254 and the port it is listening on for the tunnel traffic is 5090. We have configured static NAT to the 3CX which is listening on port 5090 and created the ACL and applied this to the Outside interface. 3CX tunnel protocol uses a mixture of TCP and UDP so we have these both configured. Here are the various lines of configuration.
    access-list Outside_In extended permit tcp any host 172.16.0.254 eq 5090
    access-list Outside_In extended permit udp any host 172.16.0.254 eq 5090
    static (Inside,Outside) tcp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
    static (Inside,Outside) udp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
    access-group Outside_In in interface Outside
    ISSUE
    We have configured static NAT to the 3CX which is listening on port 5090 and created an ACL to permit inbound traffic to the 3CX. Inbound traffic is not traversing the firewall and therefore not reaching the 3CX on the inside LAN.
    TROUBLE SHOOTING SO FAR
    We have tried a number of different ACL and NAT configurations, but the above configs are not permitting the traffic through the firewall. We have done a number of captures on the firewall and we can see the traffic from remote hosts getting to the Outside interface, but not traversing to the Inside interface and therefore not reaching the 3CX on the inside LAN. The xlate shows the static NAT entry correctly.
    Any suggestions anyone??
    Regards,

    Hi,
    If you are doing a Static NAT or Static PAT towards the Internet on your ASA or PIX, this is how the different firewall software versions behave:
    Software 8.2 and earlier: When you configure a Static NAT / Static PAT and want to allow traffic from the Internet to the NATed host, you use the NAT IP address as the destination IP address in the ACL attached to the "outside" interface you are using.
    Software 8.3 and later: NAT and ACLs changed in the 8.3 software, and in those software levels you are required to use the actual real IP address of the host in the ACLs you configure. Using the NAT IP address in the newer software levels won't work anymore.
    As you mentioned your software level to be 8.0 we can see that you need to use the NAT IP address as the destination address of the "outside" interface ACL.
    I guess you could try for example
    access-list Outside_In permit tcp any interface Outside eq 5090
    access-list Outside_In permit udp any interface Outside eq 5090
    You can also use the "packet-tracer" command like I mentioned above to simulate what the firewall would do to the traffic.
    The command tested could be for example
    packet-tracer input Outside tcp 1.2.3.4 1234 5090
    The only situation where I could see the need to use the real IP address in the ACL statement of the "outside" interface would be if you had a L2L VPN / Site-to-Site VPN configured between your firewall and the remote end. But as I can't see your configuration I don't know if that's the case. Though since you have configured Static PAT to use the public IP address of your firewall's "outside" interface, it would lead me to believe that you are trying to open/share this service from the LAN device to the Internet.
    Guess you could next try the above-mentioned ACL lines I listed and test the traffic again. Also the "packet-tracer" command should tell you if there are any problems with your firewall configurations.
    - Jouni
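As an added illustration (not part of Jouni's reply or the original poster's configuration), here is the same inbound port forward for the 3CX host written for both ACL/NAT semantics Jouni describes, so the two can be compared side by side. The object names `OBJ-3CX-TCP` and `OBJ-3CX-UDP` and the source address in the packet-tracer call are made up for the example; the interface names, host address and port are the ones from the thread.

```text
! Added example, not from the thread.
! --- ASA/PIX 8.2 and earlier: the ACL names the translated (NAT) address ---
static (Inside,Outside) tcp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
static (Inside,Outside) udp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
! "interface Outside" in the ACL is the public address the static PAT uses
access-list Outside_In extended permit tcp any interface Outside eq 5090
access-list Outside_In extended permit udp any interface Outside eq 5090
access-group Outside_In in interface Outside

! --- ASA 8.3 and later: NAT hangs off a network object, the ACL names the real address ---
! one object per protocol, because each object carries a single nat statement
object network OBJ-3CX-TCP
 host 172.16.0.254
 nat (Inside,Outside) static interface service tcp 5090 5090
object network OBJ-3CX-UDP
 host 172.16.0.254
 nat (Inside,Outside) static interface service udp 5090 5090
access-list Outside_In extended permit tcp any host 172.16.0.254 eq 5090
access-list Outside_In extended permit udp any host 172.16.0.254 eq 5090
access-group Outside_In in interface Outside

! Simulate one inbound TCP connection on either version. 198.51.100.10 is a
! constructed remote source; replace <outside-ip> with the firewall's public address.
packet-tracer input Outside tcp 198.51.100.10 1234 <outside-ip> 5090
```

The thread's original ACL (`permit tcp any host 172.16.0.254 eq 5090`) is exactly the 8.3+ form, which is why it never matches on a pre-8.3 PIX: at the time the "outside" ACL is evaluated on those releases, the packet still carries the public destination address.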

  • Static Policy NAT in VPN conflicts with Static NAT

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
    The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
    interface Vlan1
    ip address 192.168.10.1 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
    static (inside,outside) 192.168.24.0 access-list VPN
    crypto map outside_map 1 match address outside_1_cryptomap
    In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
    The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
    So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
    What am I missing?

    Hi,
    To be honest, it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2), and the reordering of the configurations has always worked.
    So I am not sure whether we are looking at some bug or what the problem is.
    I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT.
    I have gotten a bit rusty on the older (8.2 and older) NAT configuration format, as over 90% of our customer firewalls are running 8.3+ software.
    I was thinking of this kind of "static" configuration for the existing Static PAT configurations, if you want to try:
    access-list STATICPAT-SMTP permit tcp host eq smtp any
    static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
    access-list STATICPAT-HTTPS permit tcp host eq https any
    static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
    access-list STATICPAT-RDP permit tcp host eq 3389 any
    static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
    access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
    static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
    access-list STATICPAT-POP3 permit tcp host eq pop3 any
    static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
    Naturally you would add the Static Policy NAT for the VPN first.
    Again, I have to say that I am not 100% sure if this is the correct format; maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389): first entering the Static Policy NAT, then removing the Static PAT, and then entering the Static Policy PAT.
    Remember that you should be able to test the translations with the "packet-tracer" command.
    For example
    packet-tracer input outside tcp 1.1.1.1 12345
    - Jouni

  • Static NAT with port translation

    Hello All,
    I have a server running a web application on 443, and now I want to publish it on the Internet with static NAT, just for port 443. I am thinking that the following configuration should be fine; can anyone comment on it?
      10.1.1.2:443         10.1.1.1    2.2.2.5
    Server -------------------------- ASA --------------------- Internet router --Cloud
    Config I am planning:
    static (inside, outside) tcp 2.2.2.2 443 10.10.10.10 443 netmask 255.255.255.255
    Thanks
    JD

    Thanks Harish and Jouni,
    I am using an extra public IP. I want to know why "dns" is at the end of the access list? I got confused by that ACL as I was looking at the ASA packet flow:
    A/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Lev)
    1. FLOW-LOOKUP - [] - Check for existing connections; if none found, create a new connection.
    2. UN-NAT - [static] -
    2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
    3. ACCESS-LIST - [log] - ACL Lookup
    4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
    5. IP-OPTIONS - [] -
    6. NAT - [rpf-check] -
    7. NAT - [host-limits] -
    8. IP-OPTIONS - [] -
    9. FLOW-CREATION - [] - If everything passes up until this point, a connection is created.
    10. ROUTE-LOOKUP - [output and adjacency]
    access-list OUTSIDE-IN permit tcp any host eq 443 - suggested by you
    but if I go by the flow which I have come to know, it should be like
    access-list OUTSIDE-IN permit tcp any host eq 443
    What is your opinion?
    Thanks
    Jagdev

  • Static Nat and VPN conflict

    Hi
    I could not quite find any information that was close enough to my problem to enable me to solve it, so hence I am now reaching out to you guys.
    I have a Cisco ASA running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with an IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171.
    I have a site-to-site VPN tunnel which terminates on the outside of the ASA on the outside interface XXX.XXX.XXX.190.
    Traffic from the YYY.YYY.YYY.0/24 network can't traverse the site-to-site VPN as there is a conflict of IP addresses on the far side, so it is NATted via a dynamic policy to host address ZZZ.ZZZ.ZZZ.100.
    Users remote into the inside (YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site-to-site VPN. The problem is that the static NAT for the incoming connections takes preference and bypasses the site-to-site VPN tunnel for outbound traffic. I tried to create a policy static NAT but it tries to modify the static NAT that handles the incoming traffic to the Linux server.
    I hope the above makes sense.

    Hi
    Interesting VPN ACL
    object-group network DM_INLINE_NETWORK_18
         network-object YYY.YYY.YYY.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_22
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
    Static NAT
    static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
    No NAT
    object-group network DM_INLINE_NETWORK_20
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
    VPN Client Pool
    No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
    I hope this helps
    Thanks

  • ACE 4710 A3 outbound static NAT with Port redirection

    Hi
    I have asked this question before, but as I have not got far with it I am going to try to be more specific this time.
    I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
    When I try to configure this:
    ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
    I get the error: Error: Invalid real port configured for NAT static
    Any ideas what it means anyone?

    Right. Forget about the previous question. I have an update.
    I get this output on show nat policies at the moment:
    NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
    ID:64 Static port translation
    Real addr:172.21.7.11 Real port:26 Real interface:18
    Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
    Netmask:255.255.255.255
    where x.x.x.x - is the Public, external IP address on the ACE.
    I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
    Something is telling me I am looking at it from a wrong direction altogether.
    This is the config I have at the moment:
    access-list 130 line 20 extended permit ip any any
    access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
    class-map match-any Class_Port26
    2 match access-list Source_NAT
    policy-map multi-match Policy_Port26_Static
    class Class_Port26
    nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
    interface vlan 107
    ip address 172.21.7.2 255.255.255.240
    peer ip address 172.21.7.1 255.255.255.240
    access-group input 130
    service-policy input Policy_Port26_Static
    no shutdown
    No server farms, no load balancing. Just that.
    Any ideas?

  • ACE and static NAT

    Hello
    I had pix+CSM on 6500. I've changed it to new ACE module on 6500.
    I've made the load balancing that was done on the CSM. Now I wanted to connect the DMZ that was connected to the PIX and make static DNAT.
    I used configuration guide/examples from: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/nat.html
    I need to make static DNAT, but I can't figure out how it works. There are many errors in this document, including incorrect (old?) syntax (for example: nat static 192.0.0.0 255.0.0.0 80 vlan 101).
    I analyzed the three examples at the end of this document. My questions:
    1. how do i choose if it's source or destination NAT ?
    2. do i always apply service-policy to vlan interface which receives packets which should be natted ?
    3. What is class-map(it's ACL) choosing ? Incoming traffic which destination address should be changed ?
    4. is in command: "nat static A netmask netmaskA vlan B" A is outside ip address before translation to inside address ?
    5. Could anybody give me a simple example of static DNAT ? (or any links?)
    Thanks

    Destination nat is equivalent to loadbalancing to one server.
    I would therefore configure a vip being the inbound destination address, and a rserver which would be the outbound nated destination ip address.
    Then create a policy-map to link the 2 together and apply the policy-map to the incoming vlan, or you can apply it globally.
    For the reverse connections, where you then need to nat the source ip back to the 'VIP' you use the static nat config that you have found in the document.
    By the way, I don't see anything wrong with it.
    Those commands are in A1 and also the new A2 release.
    ACE is really a loadbalancer with some firewall features and not the opposite.
    This is why pure NATing functions are not straightforward to configure.
    Gilles.

  • ASA rpf-check DROP, ASA checking NAT in the incorrect interface

    Hi
    My current architecture is:
    Internet <--> FW <--> ASA <--> LAN
                          FW <--> ASA
    We have two links between the ASA and the FW; the corresponding ASA interfaces are "outside" and "vpn".
    The "outside" interface is used for browsing the Internet, and also for making some services accessible to our partners by doing NAT to our servers.
    The "vpn" interface is used to grant access to our LANs from remote offices.
    Let's say that the firewall rules are OK and the remote offices have access to the whole LAN on port 80.
    Below is the current configuration:
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 192.168.1.2 255.255.255.0
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address 192.168.11.2 255.255.255.0
    interface GigabitEthernet0/2
     nameif vpn
     security-level 0
     ip address 192.168.12.2 255.255.255.0
    object-group network Inside_LANs
     network-object 192.168.3.0 255.255.255.0
     network-object 192.168.4.0 255.255.255.0
     network-object 192.168.5.0 255.255.255.0
    access-list Inside-to-outside extended permit icmp object-group Inside_LANs any echo 
    access-list Inside-to-outside extended permit udp any host TimeServer eq ntp 
    access-list Inside-to-outside extended permit ip object-group Inside_LANs any 
    global (outside) 1 interface
    global (outside) 2 192.168.11.60 netmask 255.255.255.255
    nat (inside) 1 access-list Inside-to-outside
    nat (inside) 2 192.168.6.0 255.255.255.0
    static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
    static (inside,outside) 192.168.11.11 192.168.2.11 netmask 255.255.255.255 
    static (inside,outside) 192.168.11.12 192.168.2.12 netmask 255.255.255.255 
    route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
    route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1
    Our problem is that packets from the remote office to the LAN are dropped; we are getting the rpf-check drop in packet-tracer.
    example 1 (to a server without NAT 192.168.2.13) ---> connection OK (not dropped)
    remote office 192.168.20.55 to 192.168.2.13
    Phase: 5
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (inside) 1 access-list Inside-to-outside
      match udp inside any inside host TimeServer eq 123
        dynamic translation to pool 1 (No matching global)
        translate_hits = 0, untranslate_hits = 0
    Additional Information:
    example 2 (to a server with static NAT 192.168.2.10) ---> connection OK (not dropped)
    remote office 192.168.20.55 to 192.168.2.10
    Phase: 6
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
      match ip inside host 192.168.2.10 outside any
        static translation to 192.168.11.10
        translate_hits = 76643, untranslate_hits = 188597
    Additional Information:
    example 3 (to a host with dynamic ACL NAT 192.168.4.40) ---> connection NOK (dropped)
    remote office 192.168.20.55 to 192.168.4.40
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside) 1 access-list Inside-to-outside
      match ip inside 192.168.4.0 255.255.255.0 vpn any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 1, untranslate_hits = 0
    Additional Information:
    example 4 (to a host with dynamic Network NAT 192.168.6.30) ---> connection NOK (dropped)
    remote office 192.168.20.55 to 192.168.6.30
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside) 2 192.168.6.0 255.255.255.0
      match ip inside 192.168.6.0 255.255.255.0 vpn any
        dynamic translation to pool 2 (No matching global)
        translate_hits = 117, untranslate_hits = 0
    Additional Information:
    Our questions:
    1) Why doesn't the ASA check the reverse path route before checking the NAT?
     If it did, the route back to the office is set to the "vpn" interface (route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1), so the ASA wouldn't have to check NAT on another interface; currently it's checking the NAT on the "outside" interface even if it's not the route back to the office.
    2) Why is it working for static NAT servers and not working for the dynamic NAT ones?
    When the ASA checks a server with static NAT it finds a match on the outside interface, but even so it discards it and the connection works (example 2).
    When the ASA checks a server/host with dynamic NAT (ACL or Network) it finds a match on the outside interface but drops the connection.
    3) We know that this behavior can be solved by adding a NAT exception for the dynamic NAT on the "outside" interface (nat (inside) 0 access-list Inside-NAT-Exceptions), but:
    Why is the ASA checking the global NAT even if it's not the correct interface?
    Why is it working for static NAT and not working for the dynamic one?
    Thanks a lot

    Hi,
    It would be easier to troubleshoot if you shared the complete "packet-tracer" command you used and the full output of the command.
    But to me the situation in its current form looks the following.
    Example 1
    To me it seems this is working as it should. The connection is coming from "vpn" to "inside". There are no "static" configurations between "vpn" and "inside" and there is no "nat" command for the "vpn" interface, so the traffic should pass normally without any NAT related conflicts/problems, as the traffic does not match any NAT configuration.
    Notice that the ASA might show some unrelated NAT information in the output of the "packet-tracer" command (commands related to other interfaces). In those NAT Phase sections there is a section saying "Additional Information:". If there is no text after this, that means that this NAT has not been applied. I am not sure why the ASA lists some NAT configurations in the output that are not related. I have seen this on many occasions and do not know the reason, and I have not really put any time/effort into understanding why it shows the unrelated information in the output.
    Example 2
    This seems to be working as expected also.
    According to the configuration provided there are no existing NAT configurations related to either the source or destination IP address on the ASA between the "vpn" and "inside" interfaces, so the traffic passes through the ASA without facing any conflicts with NAT configurations.
    Again, the "packet-tracer" shows NAT information unrelated to this situation. And again the "Additional Information:" section lists no additional information so the NAT listed is not applied.
    Example 3 and 4
    These tests fail as expected since there is a Dynamic Policy PAT configuration for both internal destination hosts that the remote users are trying to connect to. The problem comes from the fact that the initial direction from remote to internal does not match any NAT configuration and the reverse direction from internal to remote matches the Dynamic Policy PAT and therefore the connection attempt is dropped. The connection must match the same NAT configuration on both directions.
    In this situation you would either have to configure NAT0, Static NAT, Static PAT or Static Policy NAT/PAT, all of which would prevent the connection from matching the Dynamic Policy PAT (but would match the mentioned type of NAT in both directions, as they have higher priority than Dynamic Policy PAT). Typically the preferred solution would be to use NAT0, though you naturally have the option to use a NAT address if there is any overlap.
    Hope this helps :)
    - Jouni
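    Added example, not code from the thread or from Cisco: a simplified model of the pre-8.3 ASA NAT lookup as Jouni explains it, with the four packet-tracer cases from the question and a constructed nat 0 exemption as the fix. The rule representation, the interface-pair binding of static rules and the "same rule in both directions" check are assumptions of this model, not Cisco's implementation.

```python
"""Simplified model of the ASA rpf-check described in the thread (our own
model, not Cisco code): the forward flow is matched on the ingress interface
and the reverse flow on the egress interface; if the two lookups do not
resolve to the same rule, the connection is dropped. Priority order
(nat 0 > static > dynamic) and bidirectional nat 0 / static follow the thread."""
import ipaddress
from dataclasses import dataclass

PRIORITY = {"nat0": 0, "static": 1, "dynamic": 2}
BIDIRECTIONAL = {"nat0", "static"}  # 'nat (inside) N' is one-way only

@dataclass(frozen=True)
class NatRule:
    kind: str               # "nat0", "static" or "dynamic"
    real_if: str            # interface of the real (untranslated) addresses
    real: str               # real prefix the rule applies to
    dest: str = "0.0.0.0/0" # policy destination scope, if any
    mapped_if: str = ""     # "" means the rule applies towards any interface

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def _matches(r, in_if, out_if, src, dst):
    fwd = (in_if == r.real_if and r.mapped_if in ("", out_if)
           and _in(src, r.real) and _in(dst, r.dest))
    rev = (r.kind in BIDIRECTIONAL and out_if == r.real_if
           and r.mapped_if in ("", in_if)
           and _in(dst, r.real) and _in(src, r.dest))
    return fwd or rev

def lookup(rules, in_if, out_if, src, dst):
    """Highest-priority rule for a flow entering in_if and leaving out_if."""
    hits = [r for r in rules if _matches(r, in_if, out_if, src, dst)]
    return min(hits, key=lambda r: PRIORITY[r.kind]) if hits else None

def rpf_check(rules, in_if, out_if, src, dst):
    """(allowed, forward_rule, reverse_rule) for one connection attempt."""
    fwd = lookup(rules, in_if, out_if, src, dst)
    rev = lookup(rules, out_if, in_if, dst, src)
    return fwd == rev, fwd, rev

# Rules taken from the thread's packet-tracer output.
RULES = [
    NatRule("static", "inside", "192.168.2.10/32", mapped_if="outside"),
    NatRule("dynamic", "inside", "192.168.4.0/24"),   # nat (inside) 1 ACL
    NatRule("dynamic", "inside", "192.168.6.0/24"),   # nat (inside) 2
]
# Jouni's suggested fix, as a constructed nat 0 exemption towards the office.
FIXED = RULES + [NatRule("nat0", "inside", "192.168.0.0/16", "192.168.20.0/24")]
```

    Running the four examples against RULES reproduces the thread's allow/drop pattern; against FIXED, examples 3 and 4 resolve to the nat 0 rule in both directions and pass.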

  • Problems with NAT and UDP

    hi Everyone,
    I'm running a Cisco 3620 with two interfaces, a FE and an ADSL WIC, and I'm noticing some unexpected behaviour with NATing some UDP ports; here are the config rules in question:
    ip nat inside source static udp 192.168.100.26 14000 interface Dialer1  14000
    ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14001
    ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14002
    when I receive traffic through those ports, I see the following in
    show ip nat translations | include 14000
    udp 64.7.136.227:1038     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:1039     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1040      192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    udp  64.7.136.227:1041     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:1042     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1043      192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    udp  64.7.136.227:1044     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:14000    192.168.100.26:14000   ---                   ---
    How can I make this NAT static so that every host originates from port 14000 rather than a dynamic one that is being assigned now?
    Any help is greatly appreciated.
    Aleks

    Perhaps I wasn't clear enough in what I needed it to do; here's a show ip nat translations for another (working) NAT(d) port on the same router:
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:54375 xxx.xxx.xxx.xxx:54375
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:50183  xxx.xxx.xxx.xxx:50183
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:50891  xxx.xxx.xxx.xxx:50891
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:60443   xxx.xxx.xxx.xxx:60443
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:2897     xxx.xxx.xxx.xxx:2897
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:51890    xxx.xxx.xxx.xxx:51890
    Notice how the forwarded port is the same on the router interface (64.7.136.227:6667) across all of the connections that have connected. Now this NAT rule behaves as it should, with the same syntax as the one I originally posted:
    ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
    the only difference is that this one gets properly assigned to the requested port, whereas these rules
    ip nat inside source static udp 192.168.100.26 14000 interface  Dialer1  14000
    ip nat inside source static udp 192.168.100.26  14001 interface Dialer1  14001
    ip nat inside source static udp  192.168.100.26 14001 interface Dialer1  14002
    have a dynamically assigned port on (64.7.136.227) interface, as the show ip nat translations shows:
    udp 64.7.136.227:1038     192.168.100.26:14000  67.163.252.29:62564     67.163.252.29:62564
    udp 64.7.136.227:1039     192.168.100.26:14000    67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1040       192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    Basically how do I get the three rules to behave the same way as the one on top does...
    Thank you,
    Aleks

  • ACE Drop (Dest nat fail):

    Hi All,
    I'm using ACE module A2(2.4)
    I'm trying to use the parameter server-conn reuse, but clients sometimes get status code 503.
    A#1/Test1# show np 1 me-stats "-socm -v"
    OCM Statistics: (Current)
    Errors:                                           0             0
    Connection create received:               231121503          1142
    LB dest decision received:                365473159          1473
    Nat app fixup recieved:                           0             0
    Connection unproxy received:               52997475           393
    Connection reproxy received:               51249279           375
    IPCP received:                                83227             2
    ACK trigger received:                      52733008           390
    TCP connected received                    218498529          1065
    Unknown message received:                         0             0
    Drop [LB dest decision fail]:                 29392             0
    Drop [invalid ifid]                               0             0
    Drop [Out of buffers]:                            0             0
    Dest decision transmitted:                248735645          1174
    TCP connect transmitted:                  212827881           828
    ACK trigger transmitted:                         12             0
    IPCP transmitted:                             83227             2
    NAT[static mapped]:                               0             0
    NAT[static real]:                                 0             0
    NAT[xlate alloc fail]:                            0             0
    NAT[xlate real hit]:                              0             0
    NAT[xlate mapped hit]:                            0             0
    NAT[invalid xlate]:                               0             0
    NAT[dump xlate]:                                  0             0
    NAT[xlate release failed]:                        0             0
    NAT Pool Alloc [fail]:                            0             0
    NAT Pool Alloc [addr]:                            0             0
    NAT Pool Alloc [addr/port]:                33689970            81
    NAT Pool Free [addr]:                             0             0
    NAT Pool Free [addr/port]:                 33689214            88
    NAT Pool Free [orphan IP]:                        0             0
    Reuse retrieve link update conn invalid           0             0
    Reuse retrieve link update conn not on r          0             0
    Reuse retrieve success but conn invalid:          0             0
    Drop [Next Hop queue full]:                       0             0
    Reuse retrieve miss:                         845627             3
    OCM Packet count (Hi & Lo):               976499360          4850
    Packet forward received:                    4343180            10
    NAF Error [no route or unresolved adjace          0             0
    NAF Error [nat resp fail]:                        0             0
    UDP Chaser received:                          10406             0
    (Context 1 Statistics)
    Drop [out of connections]:                        0             0
    Drop [out of proxies]:                            0             0
    Drop [out of ssl]:                                0             0
    Drop [mac lookup fail]:                           0             0
    Drop [route lookup fail]:                         0             0
    Drop [nat fail]                                   0             0
    Drop [ip sanity check fail]                       0             0
    Drop [acl deny]:                                  0             0
    Drop [redundant connection]:                      0             0
    Connection inserted:                         862670             3
    Packet message transmitted:                 6409302           230
    Reuse conns retrieved:                      6390611           238
    Drop [Reproxy fail]:                            171             0
    Drop [dest nat fail]:                         58286             2
    The last counter is increasing. What does it mean? Can this be the problem?
    I do not get 503 in the retcode map of the servers.
    Regards
    Mats

    Hi Mats,
    I find it very strange that the ACE is sending a 503 message back to the client, because, in case of issues, it normally just resets the connection. With that in mind, we should also investigate the server itself.  This is not trivial, so, you should open a TAC case.
    Let me just explain the meaning of the "Drop [dest nat fail]" counter. It will be incremented if, after a connection has been natted, one of the servers tries to open a new connection against the natted IP and port. This shouldn't happen unless you are using a protocol composed of several connections (for example, FTP).
    Regards
    Daniel

  • ACE: as firewall and NAT. inbound and outbound originals

    Hi Team,
    This time no load balancing is required.
    Two servers inside (with private IP) need to communicate with clients and servers on the internet, i.e., internet clients originate inbound traffic to our servers, and our servers also originate connections to some internet servers.
    Both of our servers will work independently for this purpose.
    I have a few ideas to mix and match configs in the ACE. (This was originally working with an FWSM setup.) I would like to hear some sound ideas to achieve this using the ACE only as firewall/router. No plan to load balance at present.
    Regards to all
    SS

    Gilles,
    Inbound traffic and the related reply traffic can be handled with normal class-map by defining a VIP with public IP.
    The above real server with private IP is now going to make a different connection to the internet. ie,
    outbound traffic and related reply traffic need handling. (no load balancing planned).
    Destination NAT, Static NAT sounds interesting.
    Source NAT, Static NAT sounds interesting. Mixing these sounds very interesting!! I'm looking for sample configs please.
    SS
