NATTing Question version 9.x

Similar Messages

• ASA IPsec Remote Access VPN | NAT Question

  We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet.  I know this is a common issue and can often be resolved on the client side by changing the metirc on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
  Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
  We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0./16
  I played around with some NAT rules and feel that I am missing something  I am looking for suggestions, please.
  Thank you.

  Hi,
  This depends on your ASA firewalls software version and partly on its current NAT configurations.
  I presume the following
  Interfaces "inside" and "outside"
  VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
  Software 8.2 and below
  access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
  access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
  static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
  Key things to keep in mind with this software level is that if any of our internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
  This will change the order or the "static" commands so that the original "static" command wont override this new configuration as they are processed in order they are inserted to the configuration. The remove/add part is just to change their order in the configuration
  Software 8.3 and above
  object network LAN
  subnet 10.0.0.0 255.255.255.0
  object network LAN-VPN
  subnet 192.168.10.0 255.255.255.0
  object-group network VPN-POOL
  subnet 10.10.100.0 255.255.255.0
  nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
  In the above configuration we do the same as in the older software versions configuration but we have the number "1" in the "nat" configuration which places it at the very top of your NAT configurations and therefore it applies. No need to remove any existing configuration and enter them again like in the old software
  In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
  Hope this helps
  Please do remember to mark a reply as the correct answer if it answered your question.
  Feel free to ask more if needed
  - Jouni

• Cisco ASA Site to Site IPSEC VPN and NAT question

  Hi Folks,
  I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
  ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
  Just an example:
  Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
  The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
  It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
  Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
  Appreciate if someone can shed some light on it.

  Hi,
  Ok so were going with the older NAT configuration format
  To me it seems you could do the following:
  Configure the ASA1 with Static Policy NAT 
  access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
  Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
  If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
  On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
  access-list INSIDE-NONAT remark L2LVPN NONAT
  access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  nat (inside) 0 access-list INSIDE-NONAT
  You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
  ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  I could test this setup tomorrow at work but let me know if it works out.
  Please rate if it was helpful
  - Jouni

• Basic Question - Version Control

  Hello,
  I've inherited a Dreamweaver controlled Contribute
  application. I work in DW, the client works in Contribute. This is
  how I thought file sharing process would work:
  If my client modifies a page and uploads it to the remote
  server, and I open Dreamweaver and click on the file in my local
  file panel (green icons), DW would go out there and give me the
  most recent file from the server. Note that this file in question
  has a green check box next to it before I double clicked on it.
  However, it seems Dreamweaver does not perform that
  operation. Instead, I have to "Get" the file first.
  So how am I supposed to know which files the client modified
  so I don't overwrite his changes (again!)? The end result is that
  we keep overwriting each others work. Thanks in advance for any
  assistance.
  Andy

  Hi there,
  There shouldn't be a problem with checking files in and out
  for a period of
  time. I've got a very similar setup with a number of sites I
  have created.
  What should happen, if you've got checking in/checking out
  setup correctly,
  is:
  If you check out a file from a server in Dreamweaver it does
  2 things; It
  downloads the file you your local machine and also it locks
  the file on the
  server. If someone else then tries to edit the file using
  Contribute they
  will receive a message saying you have currently got the file
  checked out
  and they will not be given edit access.
  Likewise if someone is editing a file in Contribute and you
  try to check the
  file out, you'll also receive a message saying the file is
  checked out and
  you should also be supplied with a name and email address of
  the person
  editing the file.
  Once you have finished with the file, you check it in, which
  uploads it to
  the server and also locks it on your local system.
  The upshot being, you should never be able to overwrite each
  other's work.
  You should never have an instance where you can edit a file
  on your local
  system and upload it, overwriting any changes on the remote
  server.
  Hope that helps.
  @ndyB
  "Androo" <[email protected]> wrote in
  message
  news:f07pcs$ssd$[email protected]..
  > I've pretty much determined that I've not used the Check
  Out/In process
  > correctly, and that DW users should not leave any files
  checked out for
  > any
  > period of time, lest the server version of the file be
  overwritten by
  > another
  > user. Rather, check out the file that you're going to
  modify at the time
  > you're
  > modifying it. This is the easy way not to overwrite
  someone else's work
  > with
  > your own by modifying an old file you checked out a week
  ago that someone
  > else
  > modified yesterday.
  >

• NAT QUESTION - PLEASE HELP

  Dear All,
  I HAVE cisco 1841.
  it has 2 interfaces.
  the first one which is f 0/0 is have public ip from my ISP.
  the other one is normal, and i am going to give it 192.168.1.100 / 24.
  now i have 3 subnets totally diffrent .
  i want to create 3 subinterfaces from f0/1.
  my question is , how many subinterfaces can i add under the f 0/1 ?
  and can i make this Router work as NAT ( overloading ) but all the 4 subnet will use the same public IP Address ?
  can it be done as per this diagram ?
  please update me.

  THanks for your reply.
  i have the followig results.
  =============================================
  HO-RO-Internet#sh idb
  Maximum number of Software IDBs 1200. In use 12.
  HWIDBs SWIDBs
  Active 6 6
  Inactive 6 6
  Total IDBs 12 12
  Size each (bytes) 2904 1280
  Total bytes 34848 15360
  Type SIdx Idx St,O,Sh Interface Name (subblocks)
  H 1 1 U,D,R FastEthernet0/0 (HW SB CDP(4), MAC ADDR(2), Ether(1))
  H 2 2 U,D,R FastEthernet0/1 (HW SB CDP(4), MAC ADDR(2), Ether(1))
  H 3 3 A,D,R Serial0/0/0 (HW SB CDP(4), Serial(3))
  H 4 6 U,D,R Loopback0
  H 5 7 U,D,R Loopback1
  H 6 8 U,D,R Loopback3
  S 1 3 U FastEthernet0/0 (SW CDP(5), DSS(4), Dynamic DNS Updates(3
  ), NetBIOS(2), KEEPALIVE(1))
  S 2 4 U FastEthernet0/1 (SW CDP(5), DSS(4), Dynamic DNS Updates(3
  ), NetBIOS(2), KEEPALIVE(1))
  S 3 5 U Serial0/0/0 (SW CDP(5), NetBIOS(2), KEEPALIVE(1))
  S 4 9 U Loopback0 (KEEPALIVE(1))
  S 5 10 U Loopback1 (KEEPALIVE(1))
  S 6 11 U Loopback3 (KEEPALIVE(1))
  Key: SIdx=Sort Index, Idx=hw_if_index or if_number
  St=Current State, O=Old State, Sh=Shadow State
  A=Admindown, D=Down, G=Going Down, I=Init
  R=Reset, T=Testing, U=Up, X=Deleted
  HO-RO-Internet#
  ===========================================
  so, from where can i know how many sub-interfaces i have ?
  please update me .

• ASA vpn nat question

  i have an ASA 5520 ver 8.4 with the following config
  WAN
  207.211.25.34
  Production
  10.11.12.1 255.255.255.0
  Mgmt
  10.11.11.1 255.255.255.0
  i need to create a peer-2-peer VPN to a remote site ASP16 from both Prod and Mgmt
  what would my nat statement look like ?
  currently i have the following but can only ping from Mgmt not Prod  (ASP17 is an network object group that contain the Prod and Mgmt subnets )
  nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
  nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod

  Hello Tejas,
  After reading your configuration I can see that the crypto-maps are applyed to the outside interface, and the Access-list for the interesting traffic has both networks (Managment and production) so you should be able to access the other network from this site.
  Can you do the following packet tracers to see the features the ICMP packet is hitting when the Request is sent.
  I will need the output of the following commands:
  1- Packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15
  2-Packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15
  Please rate helpful posts,
  Julio!!

• Static NAT Question - Public to Inside ASA 9.1x

  Hi All.. I'm having  hard time wrapping my head around the post 8.2 nat statements, please help.
  I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses (this is a video streaming relay server).  It also need to be able to push the stream to a specific IP address as well.  I can do identity nat, and it'll go out and I see it's using IP, but obviously traffic doesn't get in... I can use sample web server nat's I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:
  Remote Public IP's: 77.88.99.11
  Local Public IP: 12.12.12.1
  Ports required:
  object-group service srvgp-stream-remote
   service-object tcp destination eq www
   service-object tcp destination eq https
   service-object tcp destionation eq 8088
   service-object tcp destination eq 1935
   service-object udp destination range 6970 9999
   service-object udp destination range 30000 65000
   service-object udp destination eq 554
  I can get this to work:
  object network server-external-ip
   host 12.12.12.1
  object network webserver
   host 192.168.1.100
   nat (dmz,outside) static server-external-ip service tcp 8088 8088
  access-list acl-outside extended permit tcp host 77.88.99.11 object AngelEye eq 8088
  But again, I have no idea how I would do such a thing with a list of required ports? I don't see that's an option in the syntax.  Additionally, would this  provide an 'identity nat' in case the server had to send info out to the public ip via these same ports or do you require a seperate identity nat to do this to the same public ip addresses?
  Any help is greatly appreciated.

  With that many ports, you should use the public IP exclusively for the Webserver:
  object network webserver
  host 192.168.1.100
  nat (dmz,outside) static server-external-ip
  If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:
  nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote

• Adobe Flash Security Update Question Version 9 and 10

  How are you? So I was checking out a security website at the Washington Post when I came upon this article http://voices.washingtonpost.com/securityfix/2009/02/adobeissues_security_updatef.html#comments
  In the article it detailed that Adobe issued a security update for its Flash Player. This was on February 26, 2009.
  Why were we unaware of this update? So I went to the link to find out what version of Flash did I have on my Macbook Pro, it was this: You have version 9,0,151,0 installed
  I was unsure of whether to update to Flash 10, do you recommend updating to Flash 10, what are the pros and cons?
  The article had a link if you wanted to keep Flash 9 but get the security update. So I tried to download and install the Flash 9 update. When I got to the install part it said it was unable to install, something of a preinstall failure, I did not write down the error message. Why is it not installing?
  Is it because in the last Leopard security update this issue was resolved? Is that also the reason we were notified of this Adobe security update?
  What other programs come preinstalled with Leopard or Safari that we need to check the security on our own????
  Thanks for your time.

  Yes, you should update your FlashPlayer. The latest version includes the security update but doesn't say so.
  You should also ensure you have installed Apple's security update 2009-001.
  The latest version of Adobe FlashPlayer can be obtained from here:
  http://www.adobe.com/shockwave/download/download.cgi?P1ProdVersion=ShockwaveFlash
  (You can check here: http://www.adobe.com/products/flash/about/ to see which version you should install for your Mac and OS.
  Note that Adobe requires you to uninstall any previous version of Flash Player, as mentioned here:
  http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14157&sliceId=1
  using the uninstaller from here (make sure you use the correct one!):
  http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14157
  and also that you follow the instructions closely, such as closing ALL applications first before installing. You must also carry out a permission repair after installing anything from Adobe.

• 8.2 to 8.3 static nat question

  So, in 8.2 If I had an inside interface at 10.10.10.1 and an mpls interface (sec-100) at 10.20.20.1, and I wanted traffic to traverse between the two to interfaces, I could write the following statement:
  static (inside,mpls) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
  What would this look like in 8.3?
  Thanks!

  Hi,
  In the 8.3+ software levels you dont need any NAT configuration between 2 interfaces if you dont need to specifically NAT something.
  If you have a Dynamic PAT configuration from "inside" to "mpls" that contains the networks behind "inside" as the source address then in this situation you would need another NAT configuration to enable communication from the "mpls" to "inside". (to enable bidirectional connection forming that is)
  If there is no NAT configuration between "inside" and "mpls" at the moment then you wont need any NAT configuration. You will just have to make sure the traffic is allowed in the interface ACL. If your have equal "security-level" between the interfaces then you will have to make sure you have "same-security-traffic permit inter-interface" also configured
  - Jouni

• Lion Address Book question (version 6.1.2)

  In Lion's address book (version 6.1.2), after importing a v-card, the application doesn't automatically navigate to the newly imported v-card (like it did in Leopard).  How can I get it to navigate automatically to the newly imported v-card, right after importing??

  Then restore from you Mac laptop's backup, if you have not been backing up then you may be in for a very painful lesson on why backing up is the VERY FIRST thing you should do with any new Mac. Create a backup plan and use it on a regular basis. If the laptop was using 10.5.x or later then you have absolutely no excuse for not backing up. Sorry for being terse and blunt but Time Machine has been built into 10.5.x, 10.6.x and 10.7.x so we have had years to have a seamless and mindless method of backing up. If you have been using an earlier verision of OS X there are quite a number of methods of backing up.
  If you aren't successful then take the laptop and iMac to your local Apple Store or AASP and they may be able to help you recover your contacts. 

• Workflow question - versions in jpg

  Hello
  I am figuring out how Aperture works. Am not quite getting it yet. I have been using Bridge 4 (came with PS Elements 8) and I quite like that program to sort through my photos, but it is getting a bit slow....
  So, I thought perhaps try Aperture 3.
  But I am stuck on this one.
  If I want to edit a photo (my work is usually jpg) I can right-click and 'edit with photoshop' and then within PSE I can 'save'. I end up with huge tiff or psd files. Now, I have nothing against tiffs or psd (I often use those formats for my masters) but I usually edit my masters in order to create small jpg's for the web. So if I want to create a cropped jpg from my master file I'd have to edit in PSE and then import?
  there must be an easier way.
  In Bridge I am used to just double clicking, PSE opens, I edit, and 'save as'. job done.
  Is there an easy way in Bridge? My versions need to be small jpgs, not huge psd files. I keep that format for the masters...How do I create jpgs in Aperture?
  Thanks!!

  ploeg wrote:
  LOL, I certainly do not get what Aperture does. That's what I am trying to find out. I only recently got it and am finding my way, finding out if  this is for me or not.
  Corky - if you think of Aperture as a Bridge / Adobe Camera Raw combination, you would be more in line with what it is designed to do. Aperture adds export options including expansive preset options which are used to export your image with applied adjustments included for use outside of Aperture.
  I use 'free transform' a lot, so I skew, bend and rotate images. Also colour casts, replace color etc etc. My photos are often photos of paintings so they need to be straightened and corrected for colour.
  Corky - other than rotate, there is no tool in Aperture that replicates the Transform tool options. You can fix color casts as well as straighten and crop in Aperture.
  It seems like I perhaps should stick to bridge or just finder and try to speed things up by moving my stuff to an external drive or something.
  Corky - if you are running out of space on your hard drive, then any program will start to slow down (even Finder). Moving the files to an external for storage combined with purging the Bridge cache would certainly help Bridge if space is limited on the internal hard drive. Note - purging the Bridge cache will mean needing to let Bridge rebuild previews which could take some time.
  I would suggest viewing the various Aperture tutorials on the Apple site to try and understand just what adjustments Aperture can do that you now perform in PSE and see if that would work for you.
  I will add the link below as a possible replacement for Bridge, but it is currently $199 and may be more than you need (as well as being a new release by Phase One of a program that used to be called iView):
  http://www.phaseone.com/media-pro
  Hope this helps.

• Double Natting Question

  We just moved into a new place and shaw provides a wireless router for the broadband 50 connection no intstead of just a standalone bridge for the cable modem now.
  2 devices are
  Airport Extreme
  Cisco - DPC3825
  I was just upgrarding firmware and I get this message.
  Problem 1/1 - Double Nat
  Screenshot attached of error
  So I am wondering if I should put this in bridge mode so or in second option. Or should I configure cisco router in bridge mode and change this? Just wondering if anyone had any real life expereince with these.
  Also I work from home and I use an aruba remote ap (RAP2) It creates an ipsec tunnel and connects back to our controller in California. Before we moved I had this connected into my airport extreme that was connected directly to the motorola cable modem.
  Appreciate the help on this.

  You should definitely configure the AirPort Exteme in Bridge Mode since you already have another router "upstream" on your network.
  If you select the "Share a single IP address setting", you will have two devices....both trying to act as routers distributing IP addresses and handling NAT services.
  That....is a virtual guarantee that you will have multiple conflicts on the network.

• IPSec tunnel and policy NAT question

  Hello All!
  I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
  1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
  2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address
  I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.
  Here is the configuration
  Remote end  crypto interesting ACL:
  ip access-list extended crypto-interesting-remote
  permit ip host 192.168.1.10 host 10.0.0.10
  My end configuration:
  interface GigabitEthernet0/0
  ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map VPN
  ip access-list extended crypto-interesting-local
  permit ip host 10.0.0.10 host 192.168.1.10
  interface GigabitEthernet0/3
  ip address 172.16.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  speed auto
  ip nat inside source static 172.16.0.20 10.0.0.10   (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
  ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
  ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
  ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
  All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
  Any response highly appreciated!
  Thanks!

  Figured that out.
  The problem was in route
  ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
  should be next-hop IP address instead of interface gigabitethernet0/0
  Apparently packet arrives on the interface but does not pass it, when having route like this, becuase there is no one sitting with 192.168.168.10 ip address on the outside

• NAT question

  Our mail server currently has a entry for NAT (197.187.4.240) binded to
  the Pubilc interface and 197.187.5.50 (Exchange) to the private. There
  are filter sets that pass traffic port 25 from public to Exchange.
  We have a new spam filter applicance (197.187.5.72) that needs to sit
  between Exchange and the internet. I have added a NAT entry for this
  197.187.4.72 (Public) to 197.187.5.72 (PRIVATE).
  Do I need to simply adjust my filters to specify the new appliance which
  will be a mail relay or do I need to adjust the NAT table and bind
  197.187.4.240 to 197.187.5.72 (new mail host)?

  In article <SjLVh.463$[email protected]>, Justin wrote:
  > Do I need to simply adjust my filters to specify the new appliance which
  > will be a mail relay or do I need to adjust the NAT table and bind
  > 197.187.4.240 to 197.187.5.72 (new mail host)?
  >
  Could be both. You need to change the MX record to point to the new
  address, or you need to NAT the old address to the appliance, and not nat
  the mail server. If you change the NAT to point to a new internal address,
  you will have to change the filter exceptions also. If you put the
  appliance in at the old address for the mail server, you won't have to
  change anything on the BMgr server, but you will have to readdress the mail
  server. Your choice.
  Craig Johnson
  Novell Support Connection SysOp
  *** For a current patch list, tips, handy files and books on
  BorderManager, go to http://www.craigjconsulting.com ***

• SCCP over NAT Question

  I'm looking at this as a possibility... Ideas?
  CallManager---> 2600GW W ADSL WIC ---> Internet ---> netgear router ----> IP Phone
  The Callmanager is 10.0.0.1, iphone 192.168.10.1 both NAT.
  Even possible? Thoughts?

  Not all the firewalls allow skinny. Some like Linksys allows. Not sure about NAT, but IOS 12.3(15)T could have support for such configuration.