Static NAT through two ISPs

I have the following situation: I have two ASA 5520
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
which are running stand-alone, but both share the same DMZ at the VLAN level and at the IP segment level. Now, is there any solution so that the DMZ servers answer requests coming from the Internet through both ASAs, given that the DMZ server has only one default gateway, which in this case is one of the ASAs that share the DMZ?

Hello Alexis,
EDIT: During my lunch hour I was thinking about this discussion and came to the conclusion that there is indeed a way to make the server reply to the other ASA (the one that is not the default gateway).
For that you need to configure Outside NAT:
This is the configuration you need on the ASA:
nat (outside,inside) source dynamic any interface destination static Global_Ip_Server Local_Ip_Server
Regards
Julio
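As an added illustration (not configuration from the thread), the following Python model traces a request and its reply through a shared-DMZ server that has a single default gateway, with and without the outside NAT from Julio's answer. All addresses are constructed RFC 5737 documentation ranges; the model also shows the caveat that with outside NAT the server sees the ASA's DMZ interface address instead of the real client.

```python
"""Model of the return-path problem a shared-DMZ server faces when it is
reachable through two stand-alone ASAs but has a single default gateway,
and why the twice NAT ("outside NAT") from the answer above fixes it.
Added example, not configuration from the original thread; all addresses
are constructed documentation ranges (RFC 5737)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

DMZ = IPv4Network("10.10.10.0/24")            # constructed shared DMZ segment

@dataclass(frozen=True)
class Asa:
    name: str
    dmz_if: IPv4Address        # the ASA's address on the shared DMZ VLAN
    global_ip: IPv4Address     # public IP the ISP behind this ASA routes to it

@dataclass(frozen=True)
class Server:
    local_ip: IPv4Address
    default_gw: IPv4Address    # the only gateway the server knows

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

def server_next_hop(server: Server, dst: IPv4Address) -> IPv4Address:
    """Host routing: on-link destinations are delivered directly, everything
    else goes to the single default gateway."""
    return dst if dst in DMZ else server.default_gw

def inbound_translate(asa: Asa, server: Server, pkt: Packet, outside_nat: bool) -> Packet:
    """What the ASA does to an Internet packet for the published server.
    'destination static Global_Ip_Server Local_Ip_Server' un-NATs the
    destination; with outside NAT the 'source dynamic any interface' part
    also rewrites the source to the ASA's own DMZ interface address."""
    if pkt.dst != asa.global_ip:
        raise ValueError(f"{asa.name}: {pkt.dst} is not this ASA's published address")
    src = asa.dmz_if if outside_nat else pkt.src
    return Packet(src=src, dst=server.local_ip)

def simulate(entry_asa: Asa, other_asa: Asa, server: Server,
             client: IPv4Address, outside_nat: bool) -> dict:
    """Follow one request/reply pair and report whether the reply reaches
    the ASA that holds the connection state, and which source address the
    server actually sees (the price of outside NAT)."""
    inbound = inbound_translate(entry_asa, server, Packet(client, entry_asa.global_ip), outside_nat)
    reply = Packet(src=server.local_ip, dst=inbound.src)
    hop = server_next_hop(server, reply.dst)
    # Each ASA is stateful and stand-alone: a reply arriving at the ASA that
    # never saw the request has no matching connection and is dropped.
    if hop == entry_asa.dmz_if:
        outcome = "reply returns through " + entry_asa.name
    elif hop == other_asa.dmz_if:
        outcome = "reply sent to " + other_asa.name + ": no connection state, dropped"
    else:
        outcome = "reply sent to unknown next hop " + str(hop)
    return {
        "entry_asa": entry_asa.name,
        "outside_nat": outside_nat,
        "reply_next_hop": str(hop),
        "symmetric": hop == entry_asa.dmz_if,
        "client_ip_seen_by_server": str(inbound.src),
        "outcome": outcome,
    }

# Constructed topology: both ASAs sit on the same DMZ VLAN; the server's only
# default gateway is ASA1.
ASA1 = Asa("ASA1", IPv4Address("10.10.10.1"), IPv4Address("203.0.113.10"))
ASA2 = Asa("ASA2", IPv4Address("10.10.10.2"), IPv4Address("198.51.100.10"))
SERVER = Server(IPv4Address("10.10.10.20"), default_gw=ASA1.dmz_if)
CLIENT = IPv4Address("192.0.2.50")

def run_all() -> list:
    """The three cases from the thread: via the gateway ASA, via the other ASA
    without outside NAT (asymmetric, dropped), and via the other ASA with it."""
    return [
        simulate(ASA1, ASA2, SERVER, CLIENT, outside_nat=False),
        simulate(ASA2, ASA1, SERVER, CLIENT, outside_nat=False),
        simulate(ASA2, ASA1, SERVER, CLIENT, outside_nat=True),
    ]

if __name__ == "__main__":
    for r in run_all():
        print(f"{r['entry_asa']} outside_nat={r['outside_nat']!s:5} -> {r['outcome']}; "
              f"server sees client as {r['client_ip_seen_by_server']}")
```

Because the server's own logs then record the ASA's DMZ address for every connection arriving via ASA2, keep the original client address on the ASA side (connection logging or syslog) if you need it for incident response.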

Similar Messages

  • NAT STATIC ISM

    Hi guys, 
    I want to know how to configure static NAT on the ASR9000. The ASR has IOS-XR 4.3.4 and the configuration is the following:
    hw-module service cgn location 0/4/CPU0
    interface ServiceInfra 1
    ipv4 address 100.10.200.253 255.255.255.252
    service-location 0/4/CPU0
    interface Gigabitethernet 0/0/0/19
    description INSIDE
    vrf ivrf1
    ipv4 address 192.168.0.254 255.255.255.0
    interface ServiceApp1
    description INBOUND INSIDE TO ISM
    vrf ivrf1
    ipv4 address 100.10.200.1 255.255.255.252
    service cgn prueba service-type nat44
    interface ServiceApp2
    description OUTBOUND OUTSIDE
    ipv4 address 100.10.200.5 255.255.255.252
    service cgn prueba service-type nat44
    router static
    address-family ipv4 unicast
    191.20.20.0/24 ServiceApp2
    vrf ivrf1
    address-family ipv4 unicast
    0.0.0.0/0 ServiceApp1
    service cgn prueba
     service-location preferred-active 0/4/CPU0
     service-type nat44 nat1
      portlimit 65535
      alg ActiveFTP
      alg rtsp
      alg pptpAlg
      inside-vrf ivrf1
       map address-pool 191.20.20.0/24
      protocol udp
       session initial timeout 30
       session active timeout 120
      protocol tcp
       session initial timeout 120
       session active timeout 1800
      protocol icmp
       timeout 60
      refresh-direction Outbound
    The configuration above is working perfectly and I can reach the Internet; now I need to migrate the following static NAT configuration to the ASR9000:
    ip nat inside source static tcp 192.168.0.205 3299 191.20.20.205 3299 extendable
    Can you help, please?
    Would greatly appreciate if you could help me
    Thanks.
    Fredy Caceres

    Hi Fredy,
    Please see link below,
    https://supportforums.cisco.com/document/11939006/cgv6-ism-cgnnat44-deployment-guide#static-port-forwarding
    http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-3/cg_nat/command/reference/b_cgnat_cr43xasr9k/b_cgnat_cr42crs_chapter_01.html#wp2900083483
    Best Regards,
    Bheem

  • Trying to access server remotely. Have Static IP from ISP but if I type that address into browser I get router login page. How do I get RDP

    Hi Guys, Please help.  I am trying to run remote desktop from the internet.  I have just been given a static IP address from my ISP and when I type it into the browser I get the router login page.  I want to be able to use Remote Desktop.  I can use RDP on the LAN and it works great, but not from external (internet).  I don't know how to get the static IP address to open the Windows login page, or to get RDP to connect when I put the IP address into RDP.  I have Windows 2003 server running.

    Check your router for free ports. You may use http port number "80" to port forward the request to your server. In your firewall settings, create a new rule to allow incoming http requests. Before that, enable NAT in your router for the LAN and assign a static IP address to the server machine. It would make port forwarding easier.

  • Setup with Static IP from ISP, need help

    I'm trying to set up my WRT54G to act as my main router on my home network.  Currently, I use it as an access point behind my Sonicwall Tele3, but want to remove the Tele3 entirely because it's limited to 5 IP addresses going through it.  The trick is, I get a static IP from my ISP.
    My Tele3 works fine and plays nice with my DSL router.  The Tele3 settings include a "WAN Gateway (Router)" address of x.x.x.49 and a "WAN IP (NAT Public)" address of x.x.x.50.  The Tele3 then has a local IP address of 192.168.1.1, and so on.  What I'm struggling with is how to set up my WRT54G to act as the main router.  I've tried a Static IP setup in the "Basic Networking" section of the Linksys admin console, but no matter what I try, I can't get out to the Internet.
    Thanks in advance for your advice.

    In order to set up a static WAN (Internet) IP address on your WRT54G, you will need the following info from your ISP:
    Internet IP address
    Subnet Mask
    Gateway
    and at least one DNS address
    Additionally, some users have been told that they have a "Static" Internet address, when in fact they have a PPPoE connection, and their ISP is simply giving them the same IP address each time they connect.  Please clarify with your ISP whether or not you have this.  If you have it, you will need your PPPoE
    User Name, and
    Password
    from your ISP.
    Hope this helps.
    Message Edited by toomanydonuts on 02-26-2008 01:52 AM

  • What is solution of nat failover with 2 ISPs?

    Now I have leased line links to 2 ISPs for Internet connection. I separate users' packets by access list, such as www going to ISP1 and mail or other protocols going to ISP2. Let's say the link to ISP1 goes down; I need www traffic to fail over to ISP2 and vice versa.
    Is the problem the ACL on the NAT statement?
    If you configure it like this:
    access-l 101 permit tcp any any www -->www traffic to ISP1
    access-l 101 permit tcp any any mail --> backup for mail packets if ISP2 is down
    access-l 102 permit tcp any any mail -->mail packets to ISP2
    access-l 102 permit tcp any any www --> backup for www traffic to go to ISP2
    ip nat inside source list 101 interface s0 overload
    ip nat inside source list 102 interface s1 overload
    In this case the links to ISP1 and ISP2 are both UP.
    When you apply these ACLs on the NAT statements, NAT will process each statement in order (if I am incorrect please correct me), so mail traffic will match this ACL and then be NATed with the IP of ISP1 only.
    Please advise a solution for this
    TIA

    Hi,
    If you have two serial links connecting to two different service providers, then you can try this.
    access-l 101 permit tcp any any www
    access-l 102 permit tcp any any mail
    route-map isp1 permit 10
    match ip address 101
    set interface s0
    route-map isp2 permit 10
    match ip address 102
    set interface s1
    ip nat inside source route-map isp1 interface s0 overload
    ip nat inside source route-map isp2 interface s1 overload
    ip nat inside source list 103 interface s0 overload
    ip nat inside source list 104 interface s1 overload
    ip route 0.0.0.0 0.0.0.0 s0
    ip route 0.0.0.0 0.0.0.0 s1 100
    In case any of the links fails, the other traffic would automatically prefer the other serial.
    I have not tried the config, just worked out the config on logic. Please go through and try if possible.
    Please see the note 2 column
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#related
    Hope it helps
    regards
    vanesh k

  • AirPort Extreme to Static IP from ISP (MegaPath)

    Hello,
    We have just purchased MegaPath's Ethernet service.  We would like to pair our Modem with our new AirPort Extreme.
    MegaPath provided us with 5 IP addresses.  We would like to only assign one to our AirPort Extreme and run off of that.
    This is for a business and we're running around 25 iMacs and 30 devices. (all trying to connect wirelessly)
    Can someone please help provide instructions on how to configure our Airport Extreme.
    Really could use some help here --- Please

    Please let us know what version(s) of AirPort Utility you have available for the task.
    The short version is that you just need to tell your AirPort Extreme to use static addressing and the IP addresses for itself, the router, and its DNS servers. You may also need to configure your MegaPath modem/router to match.

  • E4200 static ip from ISP help...

    Hi, all.
    I have an E4200 that used to work properly with our ISP until we had to perform a reset.  It lost all of its settings, of course and now we're just trying to get it back online.
    The info provided from our ISP is as follows:
    Network ip address
    Gateway
    Subnet
    Usable Range
    DNS1
    DNS2
    I entered the above info into the network setup fields (with the exception of the usable range IP addresses, since there were no fields for that), saved, and rebooted the router.  It still will not work properly.  I can't get past the router, and the Cisco quick utility on my phone, for instance, shows no IP address provided by the ISP.
    Any ideas?  Is there some setting I overlooked?
    Thanks for the help!

    Hi there! Are those settings for the router configuration or for your computer? If those are for the router, this article from Linksys is helpful  : http://kb.linksys.com/Linksys/ukp.aspx?vw=1&docid=91dbbf0c772e48b9bebee106abb837c9_3979.xml&pid=80&r...

  • Carrier grade nat - static port block allocation.

    Hello,
    Is it possible to configure NAT (CGN) on the ASR 1k so that the same private address always gets the same port block allocation from the same public address? With that you don't need NAT logging.
    regards

    ADAM619,
    At the moment we're unable to answer these questions.  When we have more information we will provide it here in the forums, and make it available at www.verizon.com.  Thanks for your patience during this transition. ~Ian
    Ian_VZ
    Verizon Support
    Notice: Content posted by Verizon employees is meant to be informational and does not supersede or change the Verizon Forums User Guidelines or Terms or Service, or your Customer Agreement Terms and Conditions or Plan.

  • Static-nat and vpn tunnel bound traffic from same private address?

    Hi guys,
    I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
    For this local host @192.168.0.250, I also have a static one-to-one private to public.
    static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
    As you can see, the IPSec SA shows the end-points in question and traffic is being decrypted but not encrypted; host traffic never enters the tunnel. Why?
    How can I resolve this problem, without complicating the setup ?
    BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
    Phase: 1
    Type: CAPTURE
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside-50
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.0.0     255.255.255.0   mgmt-192
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group mgmt_intf in interface mgmt-192
    access-list mgmt_intf extended permit icmp any any 
    access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT-EXEMPT
    Subtype: 
    Result: ALLOW
    Config:
    nat-control
      match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
        NAT exempt
        translate_hits = 5, untranslate_hits = 0
    Additional Information:
    Phase: 9
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255 
    nat-control
      match ip mgmt-192 host 192.168.0.250 outside-50 any
        static translation to 216.9.50.250
        translate_hits = 25508, untranslate_hits = 7689
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
    nat-control
      match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
        static translation to 192.168.0.0
        translate_hits = 28867754, untranslate_hits = 29774713
    Additional Information:
    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 12
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1623623685, packet dispatched to next module
    Result:
    input-interface: mgmt-192
    input-status: up
    input-line-status: up
    output-interface: outside-50
    output-status: up
    output-line-status: up
    Action: allow
    BurlingtonASA1# 
    Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
          access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3 
          local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
          remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
          current_peer: 216.9.62.4
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 37CA63F1
          current inbound spi : 461C843C
        inbound esp sas:
          spi: 0x461C843C (1176273980)
             transform: esp-aes-256 esp-sha-hmac no compression 
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 77398016, crypto-map: map1
             sa timing: remaining key lifetime (kB/sec): (3914997/25972)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap: 
              0x003FFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x37CA63F1 (936010737)
             transform: esp-aes-256 esp-sha-hmac no compression 
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 77398016, crypto-map: map1
             sa timing: remaining key lifetime (kB/sec): (3915000/25972)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap: 
              0x00000000 0x00000001

  • NAT and Routed Network with Two ISP's on one router

    I'm sure this has been done covered many times, but I am not finding it.
    I have two ISP connections.
    With ISP-A I have a /30 between us, and 200.100.100.0/24 is routed to me via the /30. For this example we will say the /30 is 1.1.1.1 on the ISP end and 1.1.1.2 on my end.
    With ISP-B I have a 100.0.0.0/29 subnet. and the ISP gateway is on that subnet at 100.0.0.1
    On the inside of my network I have devices using both 200.100.100.x addresses and devices on 192.168.100.x that need to use NAT.
    I would like all of the devices on 200.100.100.x addresses to continue using ISP-A as their gateway.
    Everything on 192.168.100.x should use NAT and go out ISP-B
    I have tried
    ip nat inside source route-map ISP-A interface GigabitEthernet0/1 overload
    route-map ISP-B permit 10
     match ip address 101
     match interface GigabitEthernet0/1
     set ip next-hop 100.0.0.1
    route-map ISP-A permit 10
     match ip address 111
     match interface Multilink1
     set ip next-hop 1.1.1.1
    The problem comes when I have default routes to ISP-A in the router: then none of the ISP-B traffic works, and vice versa.

    I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because the default route is going to use one ISP or the other.
    If you can use BGP, this link will help you with load sharing between multiple ISPs when you have one router.
    http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
    HTH

  • STATIC NAT PROBLEM

    Hi All,
    We are having a problem with a static NAT statement and or ACL not allowing traffic to the port configured to the inside host on the LAN.
    NETWORK SETUP
    We have a 3CX IP PBX behind a Pix firewall and need remote hosts to be able to connect to the 3CX over the 3CX tunnel protocol that uses port 5090. 3CX internal IP Address is 172.16.0.254 and the port it is listening on for the tunnel traffic is 5090. We have configured static NAT to the 3CX which is listening on port 5090 and created the ACL and applied this to the Outside interface. 3CX tunnel protocol uses a mixture of TCP and UDP so we have these both configured. Here are the various lines of configuration.
    access-list Outside_In extended permit tcp any host 172.16.0.254 eq 5090
    access-list Outside_In extended permit udp any host 172.16.0.254 eq 5090
    static (Inside,Outside) tcp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
    static (Inside,Outside) udp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
    access-group Outside_In in interface Outside
    ISSUE
    We have configured static NAT to the 3CX which is listening on port 5090 and created an ACL to permit inbound traffic to the 3CX. Inbound traffic is not traversing the firewall and therefore not reaching the 3CX on the inside LAN.
    TROUBLE SHOOTING SO FAR
    We have tried a number of different ACL and NAT configurations, but the above configs are not permitting the traffic through the firewall. We have done a number of captures on the firewall and we can see the traffic from remote hosts getting to the Outside interface, but not traversing to the Inside interface and therefore not reaching the 3CX on the inside LAN. The xlate shows the static NAT entry correctly.
    Any suggestions anyone??
    Regards,

    Hi,
    If you are doing a Static NAT or Static PAT towards the Internet on your ASA or PIX, this is how the different firewall software versions behave:
    Software 8.2 and earlier: When you configure a Static NAT / Static PAT and want to allow traffic from the Internet to the NATed host, you use the NAT IP address as the destination IP address in the ACL attached to the "outside" interface you are using.
    Software 8.3 and later: NAT and ACLs changed in the 8.3 software, and in those software levels you are required to use the actual real IP address of the host in the ACLs you configure. Using the NAT IP address in the newer software levels won't work anymore.
    As you mentioned your software level to be 8.0, we can see that you need to use the NAT IP address as the destination address of the "outside" interface ACL.
    I guess you could try, for example:
    access-list Outside_In permit tcp any interface Outside eq 5090
    access-list Outside_In permit udp any interface Outside eq 5090
    You can also use the "packet-tracer" command like I mentioned above to simulate what the firewall would do to the traffic.
    The command tested could be, for example:
    packet-tracer input Outside tcp 1.2.3.4 1234 5090
    The only situation where I could see the need to use the real IP address in the ACL statement of the "outside" interface would be if you had a L2L VPN / Site-to-Site VPN configured between your firewall and the remote end. But as I can't see your configuration I don't know if that's the case. Though since you have configured Static PAT to use the public IP address of your firewall's "outside" interface, it would lead me to believe that you are trying to open/share this service from the LAN device to the Internet.
    I guess you could next try the above-mentioned ACL lines I listed and test the traffic again. Also, the "packet-tracer" command should tell you if there are any problems with your firewall configurations.
    - Jouni

  • Static Policy NAT in VPN conflicts with Static NAT

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
    The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
    interface Vlan1
    ip address 192.168.10.1 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
    static (inside,outside) 192.168.24.0 access-list VPN
    crypto map outside_map 1 match address outside_1_cryptomap
    In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
    The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
    So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
    What am I missing?

    Hi,
    To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
    So I am not sure whether we are looking at some bug or what the problem is.
    I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
    I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
    I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
    access-list STATICPAT-SMTP permit tcp host eq smtp any
    static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
    access-list STATICPAT-HTTPS permit tcp host eq https any
    static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
    access-list STATICPAT-RDP permit tcp host eq 3389 any
    static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
    access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
    static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
    access-list STATICPAT-POP3 permit tcp host eq pop3 any
    static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
    Naturally you would add the Static Policy NAT for the VPN first.
    Again I have to say that I am not 100% sure if this is the correct format; maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389). First entering the Static Policy NAT, then removing the Static PAT and then entering the Static Policy PAT.
    Remember that you should be able to test the translations with the "packet-tracer" command
    For example
    packet-tracer input outside tcp 1.1.1.1 12345
    - Jouni

  • Static NAT with port translation

    Hello All,
    I have a server running a web application on 443 and now I want to publish it on the Internet with static NAT and just for port 443. I think the following configuration should be fine; can anyone comment on it?
      10.1.1.2:443         10.1.1.1    2.2.2.5
    Server -------------------------- ASA --------------------- Internet router --Cloud
    Config I am planning
    static (inside, outside) tcp 2.2.2.2 443 10.10.10.10 443 netmask 255.255.255.255
    Thanks
    JD

    Thanks Harish and Jouni,
    I am using an extra public IP. I want to know why "dns" is at the end of the access list? I got confused by the ACL as I was looking at the ASA packet flow:
    ASA/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Lev)
    1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.
    2. UN-NAT - [static] -
    2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
    3. ACCESS-LIST - [log] - ACL Lookup
    4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
    5. IP-OPTIONS - [] -
    6. NAT - [rpf-check] -
    7. NAT - [host-limits] -
    8. IP-OPTIONS - [] -
    9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
    10. ROUTE-LOOKUP - [output and adjacency]
    access-list OUTSIDE-IN permit tcp any host eq 443 - suggested by you
    but if I go by the flow that I have come to know, it should be like
    access-list OUTSIDE-IN permit tcp any host eq 443
    What is your opinion?
    Thanks
    Jagdev

  • Static Nat and VPN conflict

    Hi
    I could not quite find any information that was close enough to my problem that would enable me to solve it so hence I am now reaching out to you guys.
    I have a Cisco ASA running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with an IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171 .
    I have a site to site VPN tunnel which terminates on the outside of the ASA on the outside interface XXX.XXX.XXX.190 .
    Traffic from the YYY.YYY.YYY.0/24 network can't traverse the site to site VPN as there is a conflict of IP addresses on the far side, so it is NATed via a dynamic policy to host address ZZZ.ZZZ.ZZZ.100
    Users remote into the inside (YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site to site VPN. The problem is that the static NAT for the incoming connections takes preference and bypasses the site to site VPN tunnel for outbound traffic. I tried to create a policy static NAT but it tries to modify the static NAT that handles the incoming traffic to the Linux server.
    I hope the above makes sense.

    Hi
    interesting VPN ACL
    object-group network DM_INLINE_NETWORK_18
         network-object YYY.YYY.YYY.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_22
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
    Static NAT
    static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
    No NAT
    object-group network DM_INLINE_NETWORK_20
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
    VPN Client Pool
    No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
    I hope this helps
    Thanks

  • ACE 4710 A3 outbound static NAT with Port redirection

    Hi
    I have asked this question before, but as I have not got far with it I am going to try to be more specific this time.
    I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
    When I try to configure this:
    ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
    I get the error: Error: Invalid real port configured for NAT static
    Any ideas what it means anyone?

    Right. Forget about the previous question. I have an update.
    I get this output on show nat policies at the moment:
    NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
    ID:64 Static port translation
    Real addr:172.21.7.11 Real port:26 Real interface:18
    Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
    Netmask:255.255.255.255
    where x.x.x.x - is the Public, external IP address on the ACE.
    I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
    Something is telling me I am looking at it from a wrong direction altogether.
    This is the config I have at the moment:
    access-list 130 line 20 extended permit ip any any
    access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
    class-map match-any Class_Port26
    2 match access-list Source_NAT
    policy-map multi-match Policy_Port26_Static
    class Class_Port26
    nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
    interface vlan 107
    ip address 172.21.7.2 255.255.255.240
    peer ip address 172.21.7.1 255.255.255.240
    access-group input 130
    service-policy input Policy_Port26_Static
    no shutdown
    No server farms, no load balancing. Just that.
    Any ideas?
