NAT vs. no NAT
Earlier this week, I posted a question in this newsgroup titled 'Clustering only
works 1 way!'
Well, it turned out that the issue was due to our firewall doing IP translation.
We turned off NAT and it seems to work now.
My configuration is:
Web Server ---> Firewall ---> Cluster of 2 App Servers
Web Server = Apache w/ WL Plug in
App Servers = WLS 5.1 SP9 (on Solaris 2.7)
I am not sure why the issue is resolved by not doing NAT in the firewall. Does
anyone know? Are the physical IP addresses of the weblogic servers stored in the
cookie? If so, that would explain it. I looked for cookies on my PC - couldn't
find any.
-Bob
Yes, the IP addresses are stored in the cookie.
The cookies are 'in-memory' cookies. You can see them by turning on 'warn me whenever
a site sends a cookie'; also, Netscape 6 can display them for you. The 4-byte
IP addresses are stored as a decimal number, in between the first two / in the
WebLogicSession cookie.
Mike
"bob malik" <[email protected]> wrote:
>
>Earlier this week, I posted a question in this newsgroup titled 'Clustering
>only
>works 1 way!'
>
>Well, it turned out that the issue was due to our firewall doing IP translation.
> We turned off NAT and it seems to work now.
>
>My configuration is:
>
>Web Server ---> Firewall ---> Cluster of 2 App Servers
>
>Web Server = Apache w/ WL Plug in
>App Servers = WLS 5.1 SP9 (on Solaris 2.7)
>
>I am not sure why the issue is resolved by not doing NAT in the firewall.
> Does
>anyone know? Are the physical IP addresses of the weblogic servers stored
>in the
>cookie? If so, that would explain it. I looked for cookies on my PC
>- couldn't
>find any.
>
>-Bob
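Mike's reply says the cookie carries the server's address as a decimal number between the first two slashes. The following is an added example, not code from the thread or from WebLogic: it decodes that field and shows why address translation between the plug-in and the cluster breaks session affinity. The cookie layout and the sample cookie are constructed from the description in the reply, not from a captured cookie, and the "reachable" list stands in for the addresses the plug-in can actually see on its side of the firewall.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed sample cookie: the layout follows the reply above (decimal IPv4
# between the first two slashes); the session id and trailing field are made up.
SAMPLE_COOKIE = "WebLogicSession=8f3a1c0b2d9e/3232235777/7001/x"


def decimal_to_ipv4(value: int) -> str:
    """Turn the 4-byte decimal form used in the cookie back into dotted-quad."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit address: {value}")
    return str(ipaddress.IPv4Address(value))


def extract_server_ip(cookie_header: str) -> Optional[str]:
    """Return the server address a WebLogicSession cookie points at, or None.

    Any other cookie, or a WebLogicSession value without a numeric second
    field, yields None: the plug-in then has no affinity hint to honour.
    """
    name, sep, value = cookie_header.partition("=")
    if not sep or name.strip() != "WebLogicSession":
        return None
    parts = value.split("/")
    if len(parts) < 3 or not parts[1].isdigit():
        return None
    return decimal_to_ipv4(int(parts[1]))


def affinity_check(cookie_header: str, reachable: Iterable[str]) -> Dict[str, object]:
    """Classify what happens when the plug-in honours the address in the cookie.

    reachable: the app-server addresses as seen from the web tier. With NAT on
    the firewall these are translated addresses, so the private address baked
    into the cookie is not among them and sticky routing fails; with NAT off
    the cookie address and the reachable address coincide.
    """
    ip = extract_server_ip(cookie_header)
    if ip is None:
        return {"server_ip": None, "private": False, "reachable": False,
                "verdict": "no-affinity"}
    private = ipaddress.IPv4Address(ip).is_private  # cookie exposes internal addressing
    ok = ip in set(reachable)
    return {"server_ip": ip, "private": private, "reachable": ok,
            "verdict": "sticky-ok" if ok else "sticky-broken"}


if __name__ == "__main__":
    # Two views of the same cookie: through NAT and without NAT.
    print(affinity_check(SAMPLE_COOKIE, ["203.0.113.10", "203.0.113.11"]))
    print(affinity_check(SAMPLE_COOKIE, ["192.168.1.1", "192.168.1.2"]))
```

The "private" flag is the part worth logging on the web tier: a session cookie that names an RFC 1918 address tells every client what the cluster's internal addressing looks like.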
Similar Messages
Static NAT to two servers using same port
I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
Any help would be very much appreciated.
Thanks,
- Mike
Hi,
Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA, to my understanding, simply rejects the second "static" statement with ERROR messages.
On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port are coming from. This usually is not the case for public services, but in your situation I gather you know the source address where connections to this server are going to come from?
I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain that this is a stable solution. I would imagine it could not be recommended for a production environment setup.
But nevertheless it's a possibility.
So you would need the newer software on your firewall, but I am not sure what device you are using and what software it's using.
- Jouni -
Help with Slow access or NAT to Inside Interface on ASA 9.1
I am hoping someone can help me figure this out, I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.
In the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface so that return traffic would go to the same firewall the traffic came in through, The reason for this configuration was because the gateway of last resort was a different firewall and not the firewall the traffic came in through.
Now to further give you some history, the gateway of last resort is an ASA running 9.1 (Now), prior to that it was a PIX with v8.0(4), traffic to the aforementioned web server came in through the gateway of last resort), which at the time was the PIX.
However, for some reason after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it’s the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.
So two questions, one I would like to use the configuration I have for the web server on the PIX on the ASA to see if that setup on the ASA works better, but having difficulty translating the rules to the ASA.
Second question, has anyone experienced this type of issue (Slow access with ASA to a web server, but fast with PIX to the same web server)?
Attached a diagram of what I am currently doing?
Any help is appreciated.
Thanks.
P.S. Addresses in attached picture config are not real, but I know what they translate to.
Hi,
To me it would seem that you are looking for a NAT configuration something like this:
object network SERVER-PUBLIC
host 197.162.127.6
object network SERVER-LOCAL
host 10.0.1.25
nat (outside,inside) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL
It will do a NAT for both the source and destination address in a single NAT configuration. It defines that a Dynamic PAT to the "inside" interface will be done for "any" traffic entering from the "outside" WHEN the destination is the SERVER-PUBLIC IP address. Naturally the SERVER-PUBLIC will be untranslated to the SERVER-LOCAL in the process, as this configuration handles 2 translations.
I don't know if this changes the situation at all, but it should be the configuration format to handle the translation of the external host to the internal interface IP address, and only apply when this single public IP address is concerned.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers.
Ask more if needed
- Jouni -
NAT 8.0 to 9.2 convert help
I have the below config on ASA 8.0 I need to convert it to 9.2
name 10.2.17.80 BV-DVR
name 10.2.13.80 SE-DVR
name 10.2.23.80 ES-DVR
name 10.2.10.80 NW-DVR
name 10.2.10.81 NW-DVR2
name 10.2.1.76 C-DVR1
name 10.2.1.78 C-DVR2
name 10.2.1.80 C-DVR3
name 10.2.19.80 WS-DVR1
name 10.2.19.81 WS-DVR2
name 10.2.15.80 SW-DVR
name 10.2.11.80 M-DVR
object-group network Camera_DVRs
network-object host SE-DVR
network-object host BV-DVR
network-object host ES-DVR
network-object host C-DVR1
network-object host C-DVR2
network-object host C-DVR3
network-object host WS-DVR1
network-object host WS-DVR2
network-object host NW-DVR
network-object host NW-DVR2
network-object host SW-DVR
network-object host M-DVR
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8000
port-object eq www
port-object eq 8001
port-object eq 8100
port-object eq 8101
port-object eq 8200
port-object eq 8201
port-object eq 8202
port-object eq 8203
port-object eq 8300
port-object eq 8301
port-object eq 8400
port-object eq 8401
port-object eq 8402
port-object eq 8403
port-object eq 8404
port-object eq 8405
port-object eq 8500
port-object eq 8501
port-object eq 8502
port-object eq 8503
port-object eq 8600
port-object eq 8700
object-group service DM_INLINE_TCP_3 tcp
port-object eq 8000
port-object eq www
port-object eq 8300
port-object eq 8301
port-object eq 8400
port-object eq 8401
port-object eq 8402
port-object eq 8403
port-object eq 8404
port-object eq 8405
port-object eq 8500
port-object eq 8501
port-object eq 8502
port-object eq 8503
port-object eq 8600
port-object eq 8700
access-list 200 extended permit tcp any host 1.1.1.172 object-group DM_INLINE_TCP_2
access-list 200 extended permit tcp object-group Camera_DVRs host 1.1.1.172 object-group DM_INLINE_TCP_3
static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8001 BV-DVR 8001 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8100 SE-DVR 8100 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8101 SE-DVR 8101 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8200 NW-DVR 8200 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8201 NW-DVR 8201 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8202 NW-DVR2 8202 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8203 NW-DVR2 8203 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8300 ES-DVR 8300 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8301 ES-DVR 8301 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8400 C-DVR1 8400 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8401 C-DVR1 8401 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8402 C-DVR2 8402 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8403 C-DVR2 8403 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8404 C-DVR3 8404 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8405 C-DVR3 8405 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8500 WS-DVR1 8500 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8501 WS-DVR1 8501 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8502 WS-DVR2 8502 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8503 WS-DVR2 8503 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8600 M-DVR 8600 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8700 SW-DVR 8700 netmask 255.255.255.255
Here is a bit of what I think I need to do:
object network OBJ-10.2.17.80
host 10.2.17.80
object network OBJ-1.1.1.172
host 1.1.1.172
object service OBJ-TCP-8000
service TCP source eq 8000
nat (inside,outside) source static OBJ-10.2.17.80 OBJ-1.1.1.172 service OBJ-TCP-8000 OBJ-TCP-8000
access-list outside_access_in extended permit tcp any4 object OBJ-10.2.17.80 eq 8000
Thanks,
Mike
I did not create the above config. If I did, I would never have "DM_INLINE" on anything. It is a default naming for Cisco when objects are created via ASDM, and lazy or inexperienced engineers do not correct that. Also auditors do not like such nondescriptive names. I do not like this default behavior at all and do most everything via CLI, much better and much more control. It would be better if, when using ASDM and creating these, it did not put a default name in but forced you to enter something.
Mike
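The 22 "static" lines above all follow one pattern, so the conversion can be scripted rather than typed 22 times. The following is an added example, not code from the thread or from Cisco: it parses the 8.0 "name" and "static (real,mapped) proto mapped_ip mapped_port real_ip real_port" lines and emits one 8.3+/9.x network object per host-and-port with its object NAT line, plus the matching ACL entry written against the real address (which is what 8.3+ ACLs match). The excerpt it runs on is constructed from the post; only the "permit tcp any" rule is converted, not the Camera_DVRs group rule, and the ACL name follows the one used in the attempt above.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the 8.0 syntax from the post (two hosts, three rules);
# the full post has 12 hosts and 22 static lines and converts the same way.
LEGACY_CONFIG = """\
name 10.2.17.80 BV-DVR
name 10.2.13.80 SE-DVR
static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8001 BV-DVR 8001 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8100 SE-DVR 8100 netmask 255.255.255.255
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)$")
# static (real_ifc,mapped_ifc) proto mapped_ip mapped_port real_ip real_port netmask ...
STATIC_RE = re.compile(
    r"^static\s+\(([\w-]+),([\w-]+)\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+netmask\s+\S+$"
)


def convert(config: str, acl_name: str = "outside_access_in") -> List[str]:
    """Rewrite 8.0 'static' port forwards as 8.3+/9.x object NAT plus an ACL.

    Returns the new configuration as a list of lines. Raises ValueError if two
    legacy lines claim the same mapped ip/proto/port: 9.x would not accept the
    overlap either, and it usually means a copy-paste slip in the old config.
    """
    names: Dict[str, str] = {}
    objects: List[str] = []
    acl: List[str] = []
    claimed: Set[Tuple[str, str, str]] = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)  # alias -> address
            continue
        m = STATIC_RE.match(line)
        if not m:
            continue  # anything that is not a name/static line is left for hand review
        real_ifc, mapped_ifc, proto, mapped_ip, mapped_port, real_host, real_port = m.groups()
        mapped_ip = names.get(mapped_ip, mapped_ip)
        real_ip = names.get(real_host, real_host)
        key = (mapped_ip, proto, mapped_port)
        if key in claimed:
            raise ValueError(f"mapped {proto}/{mapped_port} on {mapped_ip} claimed twice")
        claimed.add(key)
        # One object per (host, port): a network object may carry only one nat line.
        obj = f"OBJ-{real_host}-{proto.upper()}-{real_port}"
        objects += [
            f"object network {obj}",
            f" host {real_ip}",
            f" nat ({real_ifc},{mapped_ifc}) static {mapped_ip} service {proto} {real_port} {mapped_port}",
        ]
        # 8.3+ ACLs match the real (untranslated) address and port, not 1.1.1.172.
        acl.append(f"access-list {acl_name} extended permit {proto} any host {real_ip} eq {real_port}")
    return objects + acl


if __name__ == "__main__":
    print("\n".join(convert(LEGACY_CONFIG)))
```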
What is solution of nat failover with 2 ISPs?
Now I have leased-line links to 2 ISPs for internet connection. I separate packets of users by access list, such as www goes to ISP1 and mail or other protocols go to ISP2. Let's say the link to ISP1 goes down; I need www traffic to fail over to ISP2 and vice versa.
Problem is the acl on the nat statement?
If you configure something like this:
access-l 101 permit tcp any any www -->www traffic to ISP1
access-l 101 permit tcp any any mail --> back up for mail packet to ISP2 down
access-l 102 permit tcp any any mail -->mail packet to ISP2
access-l 102 permit tcp any any www --> back up for www traffic go to ISP2
ip nat inside source list 101 interface s0 overload
ip nat inside source list 102 interface s1 overload
In this case the links to ISP1 and ISP2 are UP.
When you apply this acl on the nat statement, then nat will process each statement in order (if I am incorrect please correct me), so mail traffic will match in this acl and then be NATted with the IP of ISP1 only.
Please advise a solution about this.
TIA
Hi,
If you have two serial links connecting to two different service providers, then you can try this.
access-l 101 permit tcp any any www
access-l 102 permit tcp any any mail
route-map isp1 permit 10
match ip address 101
set interface s0
route-map isp2 permit 10
match ip address 102
set interface s1
ip nat inside source route-map isp1 interface s0 overload
ip nat inside source route-map isp2 interface s1 overload
ip nat inside source list 103 interface s0 overload
ip nat inside source list 104 interface s1 overload
ip route 0.0.0.0 0.0.0.0 s0
ip route 0.0.0.0 0.0.0.0 s1 100
In case any of the links fails, automatically the other traffic would prefer the other serial.
I have not tried the config, just worked out the config on logic. Please go through and try if possible.
Please see the note2 column:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#related
Hope it helps
regards
vanesh k
NAT IN CATALYST 6509-HOW TO DO IT?
Hello friends,
The LAN CAMPUS is made up of more than 20 VLANs and all the PCs can go to the Internet.
Now I have a new network cloud and I have to attach that network into my campus.
To do that, I have a Public IP Pool to do translation.
But I just need that some IPs (from different VLANs) could go to the new network while keeping connectivity to the Internet.
So my question is:
I am not interested in performing Static NAT.
I wonder if I can NAT a group of IPs (in different subnets) with the Public POOL, i.e. group to group.
I have a PIX 525. I could do it in that PIX but I think it could be better to do it in the Catalyst 6509 (because the PIX CPU percentage is high and sometimes I have problems).
How can I do NAT in C 6509?
I am attaching a referential picture.
Hi bosalaza:
Yes, I think an ACL will help so much...
Look, I need to translate only these IPs:
172.16.8.56
172.16.24.85
172.16.33.95
172.16.86.56
172.16.125.81
172.16.157.89
To these Public IPs:
200.xx.45.170
200.xx.45.171
200.xx.45.172
200.xx.45.173
200.xx.45.174
200.xx.45.175
But without Static NAT.
And do it in the C6509.
I have not enough experience to perform NAT in C6509.
Thanks in advance.
How do I get rid of the moderate nat setting on my xbox 360?
I tried following the link in previous threads but it doesn't seem to work. I have a WRT54G wireless G broadband router. I'm also running on Firefox. I want my router to say open, not moderate, so I can play Halo with my friend.
Open the router's setup page using http://192.168.1.1. You will get a username & password screen; leave username blank & under password use admin.
Click on the "Applications & Gaming" tab; under Port Range Forward, use ports 88 & 3074 forwarded for IP 192.168.1.50; check Enable; click Save Settings.
Click on Setup, look for MTU, make it Manual, change the size to 1365.
On the Xbox use a static IP, subnet mask, gateway & DNS numbers as on the router's setup page.
Also configure the wireless settings same as in the router.
Let me know if the connection still shows NAT moderate.
Question regarding NAT and directed-mode
Hello,
I have two WAE 574 devices and a CM 274 all running code level 4.3.1.6. The CM is behind a PIX firewall. There is no firewall between the branch and core WAE. The branch device is behind a NAT router. The CM and SSL ASA are behind a PIX 515 firewall. The branch WAE is running inline mode and the core WAE is using WCCP redirection. Both the CM and SSL ASA are reverse NATted on the PIX firewall. The branch WAE has the primary interface unchecked on the CM and is using the NAT address.
I am getting asymmetric route issues. This is because for some reason the NAT address of the branch WAE sends the SYN, which is responded to, but the ACK is coming from the unnatted private address. When I turn off directed mode I can see optimisation start for some sessions but not for the SSL ASA.
Example
Branch WAE Private 192.68.1.45
Branch WAE Public 206.99.88.10
CM private 192.168.20.9
CM public 240.10.10.20
PIX log
Jan 15 2012 11:50:58: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe
Although the PIX NATs the CM address, the core WAE is still seeing its private address.
Do you have any idea what could be causing this?
Best regards
Stephen
Jan 15 2012 11:51:12: %PIX-5-106100: access-list DMZ_access_in denied tcp DMZ/192.168.20.9(443) -> outside/206.99.88.10(46871) hit-cnt 1 f]
Jan 15 2012 11:51:31: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe
Jan 15 2012 11:51:37: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46847 to 240.10.10.20/443 flags PSH ACK on interfe
Jan 15 2012 11:52:08: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/49634 to 240.10.10.20/443 flags PSH ACK on interfe
Jan 15 2012 11:52:10: %PIX-5-106100: access-list outside_access_in permitted tcp outside/206.99.88.10(23183) -> DMZ/240.10.10.20(443) ]
Jan 15 2012 11:52:10: %PIX-6-302013: Built inbound TCP connection 1475554768 for outside:206.99.88.10/23183 (206.99.88.10/23183) to DMZ:WAD)
Jan 15 2012 11:52:10: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/23183 to 240.10.10.20/443 flags ACK on interface e
Hi Stephen,
To troubleshoot this further, we would need to get a topology diagram of your network, as well as the configurations from all devices, so it would probably be better if you open a TAC service request.
Regards
Daniel
IPsec VPN and NAT don't work together on HP MSR 20 20
Hi People,
I'm getting several issues, let me explain:
I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site through the internet, and it works really well. The other site has the subnet 10.10.10.0 and I can reach the network through the VPN IPsec. The issue is that the network 192.168.100.0 /24 needs to reach the internet with the same public address, so I have set a basic NAT configuration. When I put the nat configuration into Eth 0/0 all of network 192.168.100.0 can go to the internet, but the VPN goes down; when I remove the NAT from Eth 0/0 the VPN goes up, but the network 192.168.100.0 can't go to the internet.
I'm missing something but I don't know what it is!!!! See below the configuration.
Can anyone help me with that? I need to send the traffic with target 10.10.10.0 through the VPN, and all other traffic to the internet. Basically I need NAT and VPN to work fine at the same time.
Note: I just have only One public Ip address.
version 5.20, Release 2207P41, Standard
sysname HP
nat address-group 1 186.177.159.93 186.177.159.93
domain default enable system
dns proxy enable
telnet server enable
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
acl number 2001
rule 0 permit source 192.168.100.0 0.0.0.255
rule 5 deny
acl number 3000
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
vlan 1
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
ike peer vpn-test
proposal 1
pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
remote-address <Public Ip from VPN Peer>
local-address 186.177.159.93
nat traversal
ipsec proposal vpn-test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy vpntest 30 isakmp
connection-name vpntest.30
security acl 3000
pfs dh-group2
ike-peer vpn-test
proposal vpn-test
dhcp server ip-pool vlan1 extended
network mask 255.255.255.0
user-group system
group-attribute allow-guest
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
service-type web
cwmp
undo cwmp enable
interface Aux0
async mode flow
link-protocol ppp
interface Cellular0/0
async mode protocol
link-protocol ppp
interface Ethernet0/0
port link-mode route
nat outbound 2001 address-group 1
nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
ip address dhcp-alloc
ipsec policy vpntest
interface Ethernet0/1
port link-mode route
ip address 192.168.100.1 255.255.255.0
interface NULL0
interface Vlan-interface1
undo dhcp select server global-pool
dhcp server apply ip-pool vlan1
ewaller wrote:
What is under the switches tab?
Oh -- By the way, that picture is over the size limit defined in the forum rules in terms of pixels, but the file size is okay. I'll let it slide. Watch the bumping as well.
If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original) back here, and you are golden.
I had a bear of a time getting the microphone working on my HP DV4, but it does work. I'll look at the set up when I get home tonight [USA-PDT].
Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
So here is what is under the switches tab:
How do I clean up my new FIOS connection?
I just changed ISP to FIOS and they required a router of their own in front of my AirPort Extreme. Since then I have a blinking yellow light on the AirPort and AirPort Utility keeps prompting for an edit. It suggests changing from NAT to "Bridge mode". Obviously I have some internet or this post would not go anywhere; my knowledge base is not enough to feel comfortable with changing the settings. Correctly editing can be tricky, so how do I make the necessary changes?
The FIOS router needs to be in Bridge Mode to prevent the Double NAT error from occurring when two routers are both fighting with each other for control of the network.
Unfortunately, the likely problem from the FIOS side is that FIOS support will either tell you that their router cannot be configured to operate in Bridge Mode, or if it can, they will not tell you how to do it.
But, it could not hurt to check with FIOS to see if anything might have changed recently in this regard, so your first call would be to FIOS support.
If you cannot change the FIOS router to Bridge Mode, the alternate plan would be to change the AirPort Extreme to Bridge Mode. If you are using the Guest Network feature on the AirPort Extreme at this time, that feature will not work correctly when the AirPort is set up in Bridge Mode.
Can't ping inside hosts from client VPN. Think it's a NAT issue
Hello all, I am running into what I think is a NAT/nat exclusion issue with an IOS IPsec VPN. I can connect to the VPN with the Cisco IPsec VPN client, and I am able to authenticate. Once I authenticate, I am not able to reach any of the inside hosts. My relevant config is below. Any help would be greatly appreciated.
aaa new-model
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor local
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group businessVPN
key xxxxxx
dns 192.168.10.2
domain business.local
pool vpnpool
acl 108
crypto isakmp profile VPNclient
match identity group businessVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile VPNclient
reverse-route
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.1.10.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
interface Null0
no ip unreachables
interface FastEthernet0/0
ip address 111.111.111.138 255.255.255.252
ip access-group outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect outbound out
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
interface Integrated-Service-Engine0/0
description cue is initialized with default IMAP group
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface BVI1
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
ip nat inside source route-map nat interface FastEthernet0/0 overload
ip access-list extended nat
deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended nonat
permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
ip access-list extended outside_in
permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
permit tcp any any eq 443
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
permit esp any host 111.111.111.138
permit udp any host 111.111.111.138 eq isakmp
permit udp any host 111.111.111.138 eq non500-isakmp
permit ahp any host 111.111.111.138
permit gre any host 111.111.111.138
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
route-map nat permit 10
match ip address nat
bridge 1 route ip
I believe the acl applied to the client group is backwards. It should permit traffic from the internal network to the client pool.
To confirm, you can open the Cisco VPN client statistics (after connecting), then go to the route details tab. You should see there the networks that you should be able to reach from the client. Make sure the correct ones are in there.
Regards,
Hi Guys,
Me again asking for some more help, thanks.
I am trying to deploy a Polycom Access Director behind an ASA 5505 firewall and am having some problems configuring inbound NAT for this device.
Currently I am able to dial from an endpoint outbound through the ASA with no problem, but am unable to dial into the VC endpoint by IP address (traffic is not hitting the Access Director).
This blog post shows what I am trying to achieve along with the ACLs that I have applied:
http://blog.networkfoo.org/2014/02/deploy-polycom-rpad-single-nic-with.html#!/2014/02/deploy-polycom-rpad-single-nic-with.html
These are my NAT rules:
nat (Wireless_LAN,VC_INFRA) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.243.0 obj-10.255.243.0
nat (Wireless_LAN,VC_DMZ) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.239.0 obj-10.255.239.0
nat (Wireless_LAN,VC_LAN) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.243.0 obj-10.255.243.0
nat (VC_INFRA,any) source static obj-10.255.243.0 obj-10.255.243.0 destination static VPNPool-Network VPNPool-Network
object network obj-10.255.222.0
nat (outside,outside) dynamic interface
object network obj-10.255.243.0
nat (outside,outside) dynamic interface
object network obj_any
nat (Wireless_LAN,outside) dynamic interface
object network obj_any-01
nat (VC_DMZ,outside) dynamic interface
object network obj_any-02
nat (VC_INFRA,outside) dynamic interface
object network obj_any-03
nat (VC_LAN,outside) dynamic interface
nat (outside,VC_DMZ) after-auto source static any any destination static interface obj-CV2RPAD1
These are my ACLs:
access-list outside_access_in extended permit udp any eq 1719 object-group RPAD_SERVERS_EXT eq 1719
access-list outside_access_in extended permit udp any eq 1720 object-group RPAD_SERVERS_EXT eq 1720
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq h323
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT range 10001 13000
access-list outside_access_in extended permit udp any gt 1023 object-group RPAD_SERVERS_EXT range 20002 30001
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq sip
access-list outside_access_in extended permit udp any gt 1023 object-group RPAD_SERVERS_EXT eq sip
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq 5061
access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq 5222
access-list outside_access_in extended permit icmp any any object-group DefaultICMP
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT range 20002 30001 any range 20002 30001
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT range 20002 30001 any range 16386 25386
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 1719 any eq 1719
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 1720 object-group DMA_SERVERS_INT eq 1720
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 object-group DMA_SERVERS_INT eq h323
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 object-group DMA_SERVERS_INT range 36000 61000
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 13001 15000 any gt 1023
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq sip any gt 1023
access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 5070 object-group DMA_SERVERS_INT eq sip
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 30001 60000 object-group RM_SERVERS_INT eq https
access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 any gt 1023
access-list dmz_access_in extended permit icmp object-group RPAD_SERVERS_EXT any object-group DefaultICMP
If I move my NAT statement as follows:
no nat after-auto 1
nat (outside,VC_DMZ) 5 source static any any destination static interface obj-CV2RPAD1
I am able to dial outbound still with no issues and am also able to initiate a call inbound, which partially connects. The call seems to fail at the capabilities exchange, so the RTP media stream does not start up, so there is some additional troubleshooting to be done.
However, moving this NAT statement has the side effect of breaking the IPsec VPN that I have configured for the Cisco VPN Client. I would like to be able to keep my VPN working and be able to do port forwards/static 1:1 NAT towards my RPAD.
Once this is happy and working I can then go and troubleshoot why inbound calls are failing at the capabilities exchange.
Thanks a lot Jon, for helping me solve this problem.
The weird thing that I can't understand is that ICMP was working without a problem using the above mentioned access-list; however, accessing the web server using www wasn't working.
How do you explain that?
ASA 5505 9.1(2) NAT/return traffic problems
As part of an office move we upgraded our ASA to 9.1(2) and have been having what seem to be NAT problems with some services ever since. These problems manifest themselves with return traffic. For example, network time sync (NTP, port 123) works fine from the ASA, but hosts on the inside network cannot access external NTP servers (ntpq -pe shows all servers stuck in .INIT. status), creating problems with drifting clocks. Services like XBox Live also do not work; the XBox device can contact the internet, but return traffic from the service never gets back to the device.
For NTP specifically, I've tried allowing NTP 123 through the firewall, but it doesn't help. Conceptually, this should not be required since an inside host is initiating the connection and the NAT rules "should" allow the return packets. To further muddy the waters around NTP, a Linux VM CAN get NTP if its network adapter is in NAT mode (so it's NAT'ing through the host workstation, then through the Cisco) but CAN NOT get NTP if the adapter is running in bridged mode (so the VM is talking directly to the ASA as if it were just another machine on the inside network).
I've stripped down the ASA config to the basics level, but still can't get this resolved. The main symptom of the problem is that if I disable the access-list rules around ICMP, I'll see lots of ICMP warnings in the ASA logs, which seems to indicate that there are traffic problems communicating with the inside hosts. I've narrowed the problem down to the ASA since replacing the device with a simple Netgear consumer-grade "firewall" lets all this traffic flow just fine.
Network is extremely basic:
DHCP ASSIGNED IP from ISP <----------> ASA <-----------------> inside (192.168.50.X)
^
|----------------------- guest vlan (10.0.1.X)
show running-config:
Result of the command: "show running-config"
: Saved
ASA Version 9.1(2)
hostname border
domain-name mydomain.com
enable password aaa encrypted
passwd bbb encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Guest-VLAN
security-level 10
ip address 10.0.1.1 255.255.255.0
boot system disk0:/asa912-k8.bin
boot system disk0:/asa911-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.104.2.36
domain-name domain
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 255.255.255.0
object network Guest-WLAN
subnet 0.0.0.0 255.255.255.0
description Interent access for guest Wireless
object network xbox-nat-tcp3074
host 192.168.50.54
object network xbox-nat-udp3074
host 192.168.50.54
object network xbox-nat-udp88
host 192.168.50.54
object service xbox-live-88
service udp destination eq 88
object network xbox
host 192.168.50.54
object network obj-inside
subnet 192.168.50.0 255.255.255.0
object network obj-xbox
host 192.168.50.54
object network plex-server
host 192.168.50.5
object network ubuntu-server
host 192.168.50.5
description Ubuntu Linux Server
object network ntp
host 192.168.50.5
object network plex
host 192.168.50.5
object network INTERNET
subnet 0.0.0.0 0.0.0.0
object-group service xbox-live-3074 tcp-udp
port-object eq 3074
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service plex-server-32400 tcp
description Plex Media Server
port-object eq 32400
access-list outside_access_in extended permit object-group TCPUDP any object xbox object-group xbox-live-3074 log alerts
access-list outside_access_in extended permit object xbox-live-88 any object xbox log alerts
access-list outside_access_in extended permit tcp any any eq echo
access-list outside_access_in remark Plex Live access
access-list outside_access_in extended permit tcp any object plex-server object-group plex-server-32400
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network xbox-nat-tcp3074
nat (inside,outside) static interface service tcp 3074 3074
object network xbox-nat-udp3074
nat (inside,outside) static interface service udp 3074 3074
object network xbox-nat-udp88
nat (inside,outside) static interface service udp 88 88
object network plex
nat (inside,outside) static interface service tcp 32400 32400
object network INTERNET
nat (inside,outside) dynamic interface
nat (Guest-VLAN,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=border
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxxx
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate xxxx
quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 60
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.50.5-192.168.50.132 inside
dhcpd address 10.0.1.50-10.0.1.100 Guest-VLAN
dhcpd dns 208.104.244.45 208.104.2.36 interface Guest-VLAN
dhcpd lease 86400 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.50.0 255.255.255.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 152.19.240.5 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
username xxx password xxx/ encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr [email protected]
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxx
: end
Hi,
Configuration seems fine.
With regards to the ICMP, you could also add this:
class inspection_default
inspect icmp error
I would probably start by trying out some other software level on the ASA.
Maybe some 8.4(x) software or 9.0(x) software. See if it is some bug perhaps.
One option is of course to capture traffic directly on the ASA or on the hosts behind the ASA, and go through the information with Wireshark.
- Jouni -
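Before swapping software versions on a box like the one above, it is worth parsing the NAT-relevant lines of the dump and listing what they actually do. The script below is an added example, not code from the thread or from Cisco. It reads a constructed excerpt of the posted running-config (object names, addresses and the `nat` lines copied from the post, trimmed to what the checks need; the ASA indents object bodies, the page shows them flattened, and the parser accepts both) and reports what a reviewer would check first: objects written as `subnet 0.0.0.0` with a non-zero mask (the post's `obj_any` and `Guest-WLAN` are `0.0.0.0 255.255.255.0`, which covers only 0.0.0.0-0.0.0.255, while the rule that carries the inside traffic is the `INTERNET` object with mask 0.0.0.0), several objects defined for one host (192.168.50.5 and 192.168.50.54 each have four or five in the post), and every static PAT, since each one is an inbound exposure to match against the outside ACL. It also flags the `ssh key-exchange group dh-group1-sha1` line, because the 1024-bit SSH group1 exchange is deprecated for management access. The check wording and the finding format are this example's own.

```python
"""Lint the NAT-related parts of an ASA 8.3+ running-config excerpt.

Added example, not from the forum thread or from Cisco. Object names and
addresses in SAMPLE_CONFIG are copied from the posted config; the checks
and their wording are this example's own.
"""
import ipaddress
import re

# Constructed excerpt modelled on the posted running-config.
SAMPLE_CONFIG = """\
object network obj_any
 subnet 0.0.0.0 255.255.255.0
object network xbox-nat-udp88
 host 192.168.50.54
object network xbox
 host 192.168.50.54
object network ntp
 host 192.168.50.5
object network plex
 host 192.168.50.5
 description Plex Media Server
object network INTERNET
 subnet 0.0.0.0 0.0.0.0
object network xbox-nat-udp88
 nat (inside,outside) static interface service udp 88 88
object network plex
 nat (inside,outside) static interface service tcp 32400 32400
object network INTERNET
 nat (inside,outside) dynamic interface
nat (Guest-VLAN,outside) after-auto source dynamic any interface
ssh key-exchange group dh-group1-sha1
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
# Object NAT: static/dynamic follows the interface pair directly.
OBJ_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (static|dynamic) (.*)$")
# Twice NAT: 'source' (optionally after 'after-auto') follows the pair.
TWICE_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (after-auto )?source (static|dynamic) (.*)$")


def parse_config(text):
    """Return (objects, twice_nat_rules, other_lines) from a config excerpt."""
    objects, twice_nat, other = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OBJECT_RE.match(line)
        if m:
            # The ASA prints an object twice (address block, then NAT block),
            # so merge into one record instead of overwriting.
            current = objects.setdefault(m.group(1), {"addr": None, "nat": []})
            continue
        m = TWICE_NAT_RE.match(line)
        if m:
            real_ifc, mapped_ifc, after_auto, kind, args = m.groups()
            twice_nat.append({"real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
                              "after_auto": after_auto is not None,
                              "kind": kind, "args": args})
            current = None
            continue
        if current is not None:
            m = HOST_RE.match(line)
            if m:
                current["addr"] = ipaddress.ip_network(m.group(1))
                continue
            m = SUBNET_RE.match(line)
            if m:
                current["addr"] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
                continue
            m = OBJ_NAT_RE.match(line)
            if m:
                real_ifc, mapped_ifc, kind, args = m.groups()
                current["nat"].append({"real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
                                       "kind": kind, "args": args})
                continue
            if line.startswith("description "):
                continue
        current = None
        other.append(line)
    return objects, twice_nat, other


def lint(objects, twice_nat, other):
    """Return a list of human-readable findings."""
    findings = []
    # 1. An 'any' object needs mask 0.0.0.0; 0.0.0.0/24 covers only 0.0.0.0-0.0.0.255.
    for name, obj in objects.items():
        net = obj["addr"]
        if net is not None and int(net.network_address) == 0 and net.prefixlen != 0:
            findings.append(f"{name}: subnet 0.0.0.0 with /{net.prefixlen} "
                            f"covers only {net}, not 'any'")
    # 2. Several objects for one host are legal but make NAT review error-prone.
    by_addr = {}
    for name, obj in objects.items():
        if obj["addr"] is not None and obj["addr"].prefixlen == 32:
            by_addr.setdefault(obj["addr"].network_address, []).append(name)
    for addr, names in sorted(by_addr.items()):
        if len(names) > 1:
            findings.append(f"{addr}: {len(names)} objects share this host "
                            f"({', '.join(sorted(names))})")
    # 3. Every static PAT is an inbound exposure; list them for the ACL review.
    for name, obj in sorted(objects.items()):
        for nat in obj["nat"]:
            if nat["kind"] == "static" and "service" in nat["args"]:
                findings.append(f"{name}: inbound static PAT on {nat['mapped_ifc']} "
                                f"({nat['args']})")
    # 4. Management-plane hygiene visible in the same dump.
    if "ssh key-exchange group dh-group1-sha1" in other:
        findings.append("ssh key-exchange uses dh-group1-sha1 (1024-bit, deprecated); "
                        "use dh-group14 or stronger")
    return findings


def audit(text=SAMPLE_CONFIG):
    return lint(*parse_config(text))


if __name__ == "__main__":
    for finding in audit():
        print("-", finding)
```

The static PAT list is the set to diff against `outside_access_in`: in the posted config the four PAT objects (3074 tcp/udp, 88 udp, 32400 tcp) do have matching permit lines, and nothing else is exposed, which is the part of the NAT review that has nothing to do with the return-traffic symptom but is cheap to confirm while the dump is open.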
ASA 5505 (8.3+): Problems getting internal server NAT'd properly
I have an internal VOIP voicemail/presence server I want accessible from outside my internal network. Connecting internally works great, but when a user tries connecting from outside, there's no availability. When I try to use NAT, the voicemail-to-email service can't reach our cloud email service.
We have a /28 public IP address range. The ASA is our external device, the WAN side is .220, with our ISP's gateway set at .222. I've tried NATting the server to a .217 address, but that's when things go wrong.
With the current config, our VM-to-email works. Here's some snippets of my config:
ASA Version 9.0(3)
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
interface Vlan1
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.220 255.255.255.248
object network OUTSIDE
host xxx.xxx.xxx.220
object network INSIDE
subnet 192.168.200.0 255.255.255.0
object network VMSERVER
host 192.168.200.59
object network VMSERVER_PUBLIC
host xxx.xxx.xxx.217
object service VMSERVER_Bitmessage
service tcp source eq 8444 destination eq 8444
description Bitmessage
object service VMSERVER_XMPP_client
service tcp source eq 5222 destination eq 5222
description Extensible Messaging and Presence Protocol (client)
object service VMSERVER_XMPP_server
service tcp source eq 5269 destination eq 5269
description Extensible Messaging and Presence Protocol (server)
object service VMSERVER_HTTP
service tcp source eq 8080 destination eq 8080
object-group service VMSERVER
service-object object VMSERVER_Bitmessage
service-object tcp-udp destination eq 5222
service-object tcp-udp destination eq 5269
service-object object VMSERVER_HTTP
access-list INBOUND extended permit object-group VMSERVER any4 object VMSERVER
no arp permit-nonconnected
nat (inside,outside) source static VMSERVER VMSERVER destination static OUTSIDE OUTSIDE service VMSERVER_XMPP_client VMSERVER_XMPP_client no-proxy-arp
nat (inside,outside) source static VMSERVER VMSERVER destination static OUTSIDE OUTSIDE service VMSERVER_XMPP_server VMSERVER_XMPP_server no-proxy-arp
nat (inside,outside) source static VMSERVER VMSERVER destination static OUTSIDE OUTSIDE service VMSERVER_Bitmessage VMSERVER_Bitmessage no-proxy-arp
nat (inside,outside) source static VMSERVER VMSERVER destination static OUTSIDE OUTSIDE service VMSERVER_HTTP VMSERVER_HTTP no-proxy-arp
object network INSIDE
nat (inside,outside) dynamic interface
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.222 1
It seems to me that it's a NAT issue, but I could be wrong. If I try adding a static route for the public address for the server, the VM-to-email stops working. And, the presence server still doesn't work externally.
Any help is appreciated,
LaneR
Packet tracer output to mapped (public) address:
ASA# packet-tracer input outside tcp 1.1.1.1 8080 xxx.xxx.xxx.217 8080 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network VMSERVER
nat (inside,outside) static xxx.xxx.xxx.217
Additional Information:
NAT divert to egress interface inside
Untranslate xxx.xxx.xxx.217/8080 to 192.168.100.59/8080
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INBOUND in interface outside
access-list INBOUND extended permit tcp any any eq 8080
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd332f78, priority=13, domain=permit, deny=false
hits=1, user_data=0xc922afc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=8080, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc7668a30, priority=1, domain=nat-per-session, deny=true
hits=1294404, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb250c18, priority=0, domain=inspect-ip-options, deny=true
hits=837081, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbbc8378, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=697, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network VMSERVER
nat (inside,outside) static xxx.xxx.xxx.217
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcd333dc0, priority=6, domain=nat-reverse, deny=false
hits=3, user_data=0xcaaa0950, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.100.59, mask=255.255.255.255, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc7668a30, priority=1, domain=nat-per-session, deny=true
hits=1294406, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb227388, priority=0, domain=inspect-ip-options, deny=true
hits=858219, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 856605, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Actually using a browser and port 8080, no access... -
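Reading a ten-phase packet-tracer dump by hand is error-prone, and the output above buries the one line that matters: phase 1 untranslates xxx.xxx.xxx.217 to 192.168.100.59, while the VMSERVER object in the posted config snippet is 192.168.200.59 (the INBOUND access-list line the tracer prints also differs from the posted INBOUND list). Whether that is a typo in the post or a real mismatch on the box is not something the page tells us, but it is the first thing to confirm. The parser below is an added example, not code from the thread or from Cisco: it reads a constructed, shortened copy of the tracer output (three of the ten phases, text as posted) into a list of phases, pulls out the UN-NAT step, and compares the real address it produced with the object definitions from the snippet.

```python
"""Parse ASA packet-tracer output and cross-check its UN-NAT phase.

Added example, not code from the thread or from Cisco. TRACER_OUTPUT is a
constructed, shortened copy of the tracer output posted above; OBJECTS holds
the real addresses of the 'object network' entries in the posted snippet.
"""
import re

TRACER_OUTPUT = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network VMSERVER
 nat (inside,outside) static xxx.xxx.xxx.217
Additional Information:
NAT divert to egress interface inside
Untranslate xxx.xxx.xxx.217/8080 to 192.168.100.59/8080

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INBOUND in interface outside
access-list INBOUND extended permit tcp any any eq 8080
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network VMSERVER
 nat (inside,outside) static xxx.xxx.xxx.217
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

OBJECTS = {"VMSERVER": "192.168.200.59", "VMSERVER_PUBLIC": "xxx.xxx.xxx.217"}

PHASE_RE = re.compile(r"^Phase: (\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result): ?(.*)$")
UNTRANSLATE_RE = re.compile(r"^Untranslate (\S+)/(\d+) to (\S+)/(\d+)$")
ACTION_RE = re.compile(r"^Action: (\w+)$")


def parse_tracer(text):
    """Return (list of phase dicts, final action string)."""
    phases, action, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "Type": "", "Subtype": "",
                   "Result": "", "config": [], "untranslate": None}
            phases.append(cur)
            continue
        if line == "Result:":           # start of the final summary block
            cur = None
            continue
        m = ACTION_RE.match(line)
        if m and cur is None:
            action = m.group(1)
            continue
        if cur is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
            continue
        m = UNTRANSLATE_RE.match(line)
        if m:
            cur["untranslate"] = {"mapped": m.group(1), "mapped_port": int(m.group(2)),
                                  "real": m.group(3), "real_port": int(m.group(4))}
            continue
        if line.startswith(("object network ", "nat ", "access-")):
            cur["config"].append(line)   # the rule the phase was decided by
    return phases, action


def check_unnat(phases, objects):
    """Compare each UN-NAT phase's real address with the object it names."""
    findings = []
    for ph in phases:
        if ph["Type"] != "UN-NAT" or ph["untranslate"] is None:
            continue
        real = ph["untranslate"]["real"]
        for cfg in ph["config"]:
            if not cfg.startswith("object network "):
                continue
            name = cfg.split()[2]
            expected = objects.get(name)
            if expected is None:
                findings.append(f"phase {ph['phase']}: object {name} is not in the config snippet")
            elif expected != real:
                findings.append(f"phase {ph['phase']}: untranslates to {real} "
                                f"but object {name} is defined as {expected}")
    return findings


def summarize(text=TRACER_OUTPUT, objects=OBJECTS):
    phases, action = parse_tracer(text)
    return {
        "action": action,
        "phases": [(p["phase"], p["Type"], p["Result"]) for p in phases],
        "denied": [p["phase"] for p in phases if p["Result"] != "ALLOW"],
        "findings": check_unnat(phases, objects),
    }


if __name__ == "__main__":
    summary = summarize()
    print(summary["action"], summary["phases"])
    for finding in summary["findings"]:
        print("-", finding)
```

One caveat a tracer cannot settle: an `Action: allow` verdict exercises only the ASA's own policy. It says nothing about whether the ISP gateway at .222 ever hands the ASA a frame for .217, which for a mapped address inside the outside /29 depends on the ASA answering ARP for that address. A passing trace plus a failing browser is therefore consistent with either the address mismatch above or with nothing arriving at all, and a `capture` on the outside interface filtered on the .217 address tells the two apart.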
NAT outside to inside and inside to outside (in 8.4(2) version)
Thanks a lot and i attached a diagram here
Requirement:
need to pass through traffic from outside to inside and inside to outside.
I also attached a diagram with the ip
And also tell me one thing: is NATting only for private to public or public to private?
Hi,
I think I replied to your post earlier as well.
As per your query, you can NAT any kind of IP (public or private) into any kind (public or private).
For bidirectional traffic, you always need static NAT.
When you want unidirectional traffic, you can use dynamic NAT/PAT.
For the inside to outside traffic, you can use this NAT:
object network LAN
subnet 0 0
nat (inside,outside) dynamic interface
For outside to inside traffic, you would only want access for certain servers, just like internally hosted web servers.
For this, you can use static PAT/NAT:
object network host
host 10.10.10.10
nat (inside,Outside) static interface service tcp 3389 3389
access-list outside_inside permit tcp any host 10.10.10.10 eq 3389
This will enable you to get RDP access to your PC from the internet.
Is this what you want ?
Thanks and Regards,
Vibhor Amrodia -
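Two of the threads above turn on the same pair of facts about 8.3+ NAT: rule order and direction. In the first, moving a manual rule from `nat after-auto 1` (section 3) to `nat (outside,VC_DMZ) 5` (section 1) made it take effect before every object NAT rule and before any section 1 line with a higher number, and that is where the VPN broke; the post does not show the VPN's own NAT lines, so the exact collision cannot be reconstructed here. Vibhor's answer states the other fact: a static translation is matched in both directions and so can admit a connection that starts on the outside, while a dynamic PAT only translates connections that start on the inside. The model below is an added example, not Cisco code and not from either thread: a deliberately small matcher with the three sections (1 manual, 2 object NAT ordered static before dynamic and most-specific first, 3 manual after-auto), first match wins, and reverse matching only for static rules. Interface names, addresses and rule names are constructed; the real ASA also matches on destination objects, services and port blocks that this model leaves out.

```python
"""Toy model of ASA 8.3+ NAT rule selection (added example, not Cisco code).

Sections: 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto.
Rules are consulted in section order and the first match wins. Static rules
match in both directions; dynamic rules only translate connections that
start on the real side. All names and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass

ANY4 = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_IP = ipaddress.ip_network("203.0.113.2/32")   # the 'interface' address


@dataclass
class Rule:
    name: str
    section: int                        # 1, 2 or 3
    real_ifc: str
    mapped_ifc: str
    kind: str                           # "static" or "dynamic"
    real: ipaddress.IPv4Network
    mapped: ipaddress.IPv4Network       # a single address for dynamic PAT
    dest: ipaddress.IPv4Network = ANY4  # destination match (twice NAT)
    order: int = 0                      # line number inside sections 1 and 3


@dataclass
class Packet:
    in_ifc: str
    out_ifc: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def section_key(rule):
    """Sections 1 and 3 by line number; section 2 static before dynamic,
    then fewest real addresses first, then object name."""
    if rule.section == 2:
        return (2, 0 if rule.kind == "static" else 1, rule.real.num_addresses, rule.name)
    return (rule.section, rule.order, 0, rule.name)


def forward_match(rule, pkt):
    """Connection starting on the real side, leaving on the mapped side."""
    return (pkt.in_ifc == rule.real_ifc and pkt.out_ifc == rule.mapped_ifc
            and pkt.src in rule.real and pkt.dst in rule.dest)


def reverse_match(rule, pkt):
    """Connection starting on the mapped side; only static rules un-NAT."""
    return (rule.kind == "static"
            and pkt.in_ifc == rule.mapped_ifc and pkt.out_ifc == rule.real_ifc
            and pkt.dst in rule.mapped)


def translate(rules, pkt):
    """Return (name of the rule that matched or None, translated packet)."""
    for rule in sorted(rules, key=section_key):
        if forward_match(rule, pkt):
            if rule.kind == "dynamic":
                new_src = rule.mapped.network_address   # PAT to the one mapped address
            else:
                new_src = rule.mapped.network_address + (int(pkt.src) - int(rule.real.network_address))
            return rule.name, Packet(pkt.in_ifc, pkt.out_ifc, new_src, pkt.dst)
        if reverse_match(rule, pkt):
            new_dst = rule.real.network_address + (int(pkt.dst) - int(rule.mapped.network_address))
            return rule.name, Packet(pkt.in_ifc, pkt.out_ifc, pkt.src, new_dst)
    return None, pkt


def base_rules():
    inside = ipaddress.ip_network("10.10.10.0/24")
    vpn_pool = ipaddress.ip_network("192.168.100.0/24")
    return [
        # Section 1: identity NAT so traffic to VPN clients is not PATted.
        Rule("vpn-exempt", 1, "inside", "outside", "static", inside, inside, dest=vpn_pool, order=1),
        # Section 2: one host published on the interface address (static, so it
        # is reachable from outside) and dynamic PAT for everything else.
        Rule("obj-rdp-host", 2, "inside", "outside", "static",
             ipaddress.ip_network("10.10.10.10/32"), OUTSIDE_IP),
        Rule("obj-inside-pat", 2, "inside", "outside", "dynamic", inside, OUTSIDE_IP),
        # Section 3: guest network PAT, consulted after all object NAT rules.
        Rule("guest-pat", 3, "guest", "outside", "dynamic",
             ipaddress.ip_network("10.0.1.0/24"), OUTSIDE_IP, order=1),
    ]


def with_broad_pat(section, order=0):
    """base_rules() plus a catch-all dynamic PAT placed in the given section."""
    broad = Rule("broad-pat", section, "inside", "outside", "dynamic", ANY4, OUTSIDE_IP, order=order)
    return base_rules() + [broad]


def scenario(rules, in_ifc, out_ifc, src, dst):
    """Run one packet through the rule set; returns (rule name, src, dst)."""
    pkt = Packet(in_ifc, out_ifc, ipaddress.ip_address(src), ipaddress.ip_address(dst))
    name, out = translate(rules, pkt)
    return name, str(out.src), str(out.dst)


if __name__ == "__main__":
    r = base_rules()
    print(scenario(r, "inside", "outside", "10.10.10.20", "198.51.100.9"))    # obj-inside-pat
    print(scenario(r, "inside", "outside", "10.10.10.20", "192.168.100.7"))   # vpn-exempt
    print(scenario(r, "outside", "inside", "198.51.100.9", "203.0.113.2"))    # obj-rdp-host, un-NAT
    print(scenario(with_broad_pat(1), "inside", "outside", "10.10.10.20", "192.168.100.7"))  # broad-pat
    print(scenario(with_broad_pat(3), "inside", "outside", "10.10.10.20", "192.168.100.7"))  # vpn-exempt
```

`with_broad_pat(1)` puts a catch-all dynamic PAT at line 0 of section 1 and the VPN-pool traffic stops hitting its identity rule; the same rule in section 3 (`with_broad_pat(3)`) or at a higher line number in section 1 (`with_broad_pat(1, order=5)`) leaves the identity rule in charge. That is the kind of difference between `after-auto` and an explicit section 1 line number that the first post ran into, and removing `obj-rdp-host` from the rule set shows Vibhor's point from the outside: with only the dynamic rule left, a connection to the mapped address finds no rule to un-NAT it.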
NAT (INSIDE To OUTSIDE)
I need the configuration for this topology:
At Outside Router
int f0/0
ip add 10.1.1.2 255.255.255.0
At Inside Router
int f0/0
ip add 192.168.1.2 255.255.255.0
At ASA
int e0
ip add 10.1.1.1 255.255.255.0
int e1
ip add 192.168.1.1 255.255.255.0
I want NAT from inside to outside and also need the ACL configuration; the diagram is attached.
The version of ASA is 8.2.
Navaz
Message was edited by: Navaz Wattoo
THIS IS MY ASA CONFIGURATION
ciscoasa(config)# sh running-config
: Saved
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUT extended permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
access-group OUT in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ciscoasa(config)#
THIS IS MY OUTSIDE ROUTER CONFIGURATION
R1(config)#do sh run
Building configuration...
Current configuration : 877 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ip domain lookup
ip domain name lab.local
multilink bundle-name authenticated
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip route 192.168.1.0 255.255.255.0 10.1.1.1
no ip http server
no ip http secure-server
logging alarm informational
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
end
R1(config)#
THIS IS MY INSIDE ROUTER CONFIGURATION
R2(config)#do sh run
Building configuration...
Current configuration : 880 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ip domain lookup
ip domain name lab.local
multilink bundle-name authenticated
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip route 10.1.1.0 255.255.255.0 192.168.1.1
no ip http server
no ip http secure-server
logging alarm informational
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
end
R2(config)#
Navaz