Need help on NAT.
Hello folks,
I'm still messing about with my GNS3 lab here. My topology is like this: (cloud)-----(router)-----(ASA FW)----(SW)------LAN.
I can ping out from the router and from the ASA firewall, but I can't figure out how to make my LAN ping outside. I searched too.
I'd greatly appreciate it!!!
Here are my basic configs on the FW and Router:
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet1
nameif inside
security-level 100
ip address 172.168.1.1 255.255.255.0
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
object network inside_mapped
subnet 172.168.1.0 255.255.255.0
object network internal_lan
subnet 172.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d751984bd942d8b192f58d6b2e8afe8a
Router1:
Current configuration : 1108 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name lab.local
multilink bundle-name authenticated
interface FastEthernet0/0
description To Internet
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/1
description inside edge router
ip address 10.10.10.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 192.168.137.1
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 172.168.0.0 0.0.255.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 172.168.1.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
Hi,
Your router doesn't have a route for your LAN network behind the ASA. Since the ASA is not doing Dynamic PAT or similar at the moment, the LAN will show with its original IP address to the router, so it needs a route pointing back towards the ASA to be able to return the ICMP Echo reply messages to the LAN users.
Try adding
ip route 172.168.1.0 255.255.255.0 10.10.10.1
On the router
Also the ASA seems to have some route that is not needed
no route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
Hope this helps
Remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
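To make Jouni's point concrete, here is an added Python simulation (not part of the original thread and not a Cisco tool) of the forwarding path built from the two posted configs: the router's default route and access-list 1, with and without the 172.168.1.0/24 route. It assumes a placeholder DHCP address of 192.168.137.50 on Fa0/0, a constructed LAN host 172.168.1.10 and a constructed ping target 203.0.113.9; it also goes one step beyond the thread by showing what happens to a source that access-list 1 does not match.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network

# Values taken from the posted configs. The router's Fa0/0 address comes from
# DHCP and is not in the post, so 192.168.137.50 is an assumed placeholder.
ROUTER_OUTSIDE_IP = ip_address("192.168.137.50")
ROUTER_DEFAULT_ROUTE = (ip_network("0.0.0.0/0"), ip_address("192.168.137.1"), "Fa0/0")
ROUTER_CONNECTED = (ip_network("10.10.10.0/24"), None, "Fa0/1")
# Jouni's fix: ip route 172.168.1.0 255.255.255.0 10.10.10.1
JOUNI_FIX = (ip_network("172.168.1.0/24"), ip_address("10.10.10.1"), "Fa0/1")
# access-list 1 from the router config (the NAT "inside source list")
NAT_ACL_1 = [ip_network("172.168.0.0/16"), ip_network("10.10.10.0/24"),
             ip_network("172.168.1.0/24")]


@dataclass
class Router:
    """Just enough of an IOS router: a routing table and NAT overload."""
    routes: list                 # (prefix, next_hop, interface)
    nat_acl: list                # networks matched by "ip nat inside source list"
    outside_ip: IPv4Address
    xlate: dict = field(default_factory=dict)   # (global ip, ident) -> local ip
    next_ident: int = 1

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, next_hop, interface) or None."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)

    def forward_out(self, src, dst):
        """Inside -> outside: route the packet, then PAT it if ACL 1 matches."""
        route = self.lookup(dst)
        if route is None:
            return {"dropped": "no route"}
        if any(src in net for net in self.nat_acl):
            ident = self.next_ident          # ICMP identifier stands in for a port
            self.next_ident += 1
            self.xlate[(self.outside_ip, ident)] = src
            return {"src": self.outside_ip, "ident": ident,
                    "next_hop": route[1], "translated": True}
        # Not matched by the NAT ACL: the packet is still routed, just untranslated,
        # so any reply would be addressed to a LAN IP that nobody outside routes back.
        return {"src": src, "ident": None, "next_hop": route[1], "translated": False}

    def forward_in(self, dst, ident):
        """Outside -> inside: undo the PAT entry, then route to the real host."""
        local = self.xlate.get((dst, ident))
        if local is None:
            return {"dropped": "no translation"}
        route = self.lookup(local)
        return {"dst": local, "next_hop": route[1], "interface": route[2]}


def ping_round_trip(extra_routes, lan_host="172.168.1.10", target="203.0.113.9"):
    """Echo request from a LAN host out through the router, and the echo reply back.
    Returns (outbound decision, inbound decision)."""
    router = Router(routes=[ROUTER_DEFAULT_ROUTE, ROUTER_CONNECTED] + list(extra_routes),
                    nat_acl=NAT_ACL_1, outside_ip=ROUTER_OUTSIDE_IP)
    out = router.forward_out(ip_address(lan_host), ip_address(target))
    back = router.forward_in(out["src"], out["ident"])
    return out, back


if __name__ == "__main__":
    for label, routes in (("as posted", []), ("with Jouni's route", [JOUNI_FIX])):
        out, back = ping_round_trip(routes)
        print(f"{label}: request leaves as {out['src']} via {out['next_hop']}; "
              f"reply goes out {back['interface']} towards {back['next_hop']}")
```

Without the route, the un-PATed reply to 172.168.1.10 matches only the default route and leaves back out Fa0/0 toward the cloud; with the route it is handed to the ASA's outside address. The same trace shows the other way to fix it that Jouni alludes to: if the ASA did dynamic PAT to 10.10.10.1, the router would only ever see its connected subnet and would need no extra route. One side note for anyone copying this lab onto a real network: 172.168.0.0/16 is not RFC 1918 space (that is 172.16.0.0/12), so those addresses belong to someone on the Internet.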
Similar Messages
-
Need help opening NAT type to OPEN on a model WRT54GS router for xbox 360
I have tried other people's advice and when I test Xbox Live I always get a Moderate NAT type. I am becoming frustrated with how it is not working and I am hoping someone can help me. Please leave advice/suggestions and thank you for your time.
Open the setup page of the router using 192.168.1.1 by putting the password as admin with the username blank, click the Administration tab, and on the same page you will see UPnP. You need to set it to disable in order to help open the NAT type to OPEN.
-
Need Help Opening Nat for Xbox 360
I've searched these threads and found some solutions, but it looks like my router's homepage has been updated and I cannot find some of the options needed. Anyone have an updated solution for opening an Xbox NAT to open?
Thanks!
What is the brand and model of this router?
If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.
-
It seems that every time I call, the techs don't know what I'm talking about. So I'm gonna ask you guys: how do I open the NAT on my Westell 7500 modem/router?
#1 For what?
A game console (for example an Xbox), a web server, an FTP server?
#2 If a game console, for only one of them OR at least two?
If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.
-
Need help changing NAT type (3 -- 2)
Dear,
I'm new to this forum so forgive me if this is misplaced
Before I bought my router the NAT type was 2 which was fine. Using this router it's NAT type 3 which makes online matchmaking difficult (PS3).
I would like to change it to NAT type 2 but I don't have any experience with ports and changing settings in a router. So if anyone of you could help me out that would be great!
Router:
Model number: WRT120N
Version: 1.0
Model name: Wireless-N Home router
Thanks
Try upgrading the firmware of the router first. For instructions, try this
Then, do the port forwarding or port triggering. These links might help you with it:
Differences between Port Forwarding and Port Triggering
How to Set up Port Forwarding for Game Consoles and other Devices on your Valet or Linksys Wireless-...
How to Set up Port Triggering for Game consoles and other devices on your Valet or Linksys Wireless-...
-
Need help for NAT, ACL for VoIP
Dear experts
I configured my PBX server to work with one VoIP provider. When I put the server in a blank network, meaning without VLANs,
the IP PBX server can register to the VoIP provider system normally and I can make calls out and receive calls normally.
However, when I put the PBX behind the Cisco router with some configuration, the PBX cannot register with the VoIP provider system.
Even though I can receive calls from outside, I cannot make a call from inside to outside, because the PBX cannot register.
Could you please help me point out what is wrong with my Cisco router configuration?
Thanks a lot
Building configuration...
Current configuration : 1982 bytes
! Last configuration change at 17:18:27 UTC Mon Feb 24 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
enable secret 5 $1$ZJEF$8np0QvQTD1nTaOosa9yGW1
no aaa new-model
memory-size iomem 20
no ipv6 cef
ip source-route
ip cef
multilink bundle-name authenticated
crypto pki token default removal timeout 0
license udi pid CISCO2911/K9 sn FTX1603AH9C
interface Embedded-Service-Engine0/0
no ip address
interface GigabitEthernet0/0
description internal-LAN
ip address x.x.x.4 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
interface GigabitEthernet0/1.1
encapsulation dot1Q 11
ip address 172.x.x.1 255.255.240.0
interface GigabitEthernet0/2
description internet
ip address 50.x.x.93 255.255.x.x
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/2 overload
ip nat inside source static udp x.x.x.8 5060 50.x.x.93 5060 extendable
ip route profile
ip route 0.0.0.0 0.0.0.0 50.x.x.94
ip route 172.16.240.0 255.255.x.0 x.x.x.5
ip route 172.16.242.0 255.255.x.0 x.x.x.5
access-list 100 permit ip x.x.0.0 0.0.255.255 any
access-list 100 permit ip 172.16.240.0 0.0.0.255 any
access-list 100 permit ip 172.16.242.0 0.0.0.255 any
access-list 100 permit udp any any range 5004 5090
access-list 100 permit udp any any range 10000 20000
control-plane
line con 0
Hello.
Do you have the same static NAT mapping for TCP 5060?
-
global (outside) 2 interface
nat (inside) 2 access-list dmz
access-list dmz permit ip 21.21.0.0 255.255.0.0
nat (inside) 0 0.0.0.0 0.0.0.0
static(inside,outside) 3.3.3.0 3.3.3.0 netmask 255.255.255.0
static(inside,outside) 3.3.4.0 3.3.4.0 netmask 255.255.255.0
The problem here is I am unable to translate the 21.21.0.0 network to its global interface address.
Is the nat (inside) 0 0.0.0.0 0.0.0.0 the cause for not being able to translate? Is it safe to remove this command?
thanks,
Hello Kope,
Yes, that is the cause of the issue, please remove it!
Removing this, you will start making translations from the inside of your ASA; that is all that is going to change.
Regards,
Do rate helpful posts
Julio
-
Need help with setting up 2 xboxs to open NATS with my Cisco DPC3825
Hey,
I have 2 Xboxes; 1 is wired and one has the Microsoft adapter for wireless. I have been searching tons of forums to try to solve this issue, and I'm at my end with it! I really need both my NATs open; so far I can get 1 NAT open while the other one is strict. I have a Cisco DPC3825. Any help would be great!! Thanks!
Hi Casteel,
Thank you for your question. However, this community is for Cisco Small Business Products and the DPC3825 is not a Cisco Small Business Product.
Your product is an internet service provider (ISP) supported product. In other words, you need to contact your ISP or the technology reseller that you purchased this from to help you with your question.
Regards,
Cindy Toy
Cisco Small Business Community Manager
for Cisco Small Business Products
www.cisco.com/go/smallbizsupport
-
I need help configuring RDP access to my local server from a remote location on my Cisco ASA 5505 firewall.
I have attempted to configure RDP access but it does not seem to be working for me. Could I please ask someone to help me modify my current configuration to allow this? Please do it step by step as I could use all the help I can get.
I need to allow the following IP addresses to have RDP access to my server:
66.237.238.193-66.237.238.222
69.195.249.177-69.195.249.190
69.65.80.240-69.65.80.249
My external WAN server info is - 99.89.69.333
The internal IP address of my server is - 192.168.6.2
The other server shows up as 99.89.69.334 but is working fine.
I already added one server for a static route and RDP, but when I try to put in the same commands it doesn't allow me to for this new one. Please take a look at my configuration file and give me the commands I need in order to put this through. Also please tell me if there are any bad/conflicting entries.
THE FOLLOWING IS MY CONFIGURATION FILE
Also I have modified the IP information so that it's not the ACTUAL IP info for my server/network etc... lol, for security reasons of course.
Also the bolded lines are the modifications I made that aren't working.
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password DowJbZ7jrm5Nkm5B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 99.89.69.233 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network EMRMC
network-object 10.1.2.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.9.0 255.255.255.0
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service GMED tcp
description GMED
port-object eq 3390
object-group service MarsAccess tcp
description MarsAccess
port-object range pcanywhere-data 5632
object-group service MarsFTP tcp
description MarsFTP
port-object range ftp-data ftp
object-group service MarsSupportAppls tcp
description MarsSupportAppls
port-object eq 1972
object-group service MarsUpdatePort tcp
description MarsUpdatePort
port-object eq 7835
object-group service NM1503 tcp
description NM1503
port-object eq 1503
object-group service NM1720 tcp
description NM1720
port-object eq h323
object-group service NM1731 tcp
description NM1731
port-object eq 1731
object-group service NM389 tcp
description NM389
port-object eq ldap
object-group service NM522 tcp
description NM522
port-object eq 522
object-group service SSL tcp
description SSL
port-object eq https
object-group service rdp tcp
port-object eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.6.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.156.148.5
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group 68.156.148.5 type ipsec-l2l
tunnel-group 68.156.148.5 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
: end
ciscoasa(config-network)#
Unclear what did not work. In your original post you said some commands were added but don't work:
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
and later you state you add another command that gets an error:
static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389.
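As an added example that is not part of the thread or of the ASA's own tooling, the Python below converts the three requested source ranges into the network/mask blocks an ASA ACE needs and then evaluates the posted RDP-related ACEs first-match, the way the firewall does. It uses the outside interface address 99.89.69.233 from the config as the mapped server address (99.89.69.333 is not a valid IPv4 address, as the reply also notes) and a constructed unrelated source 198.51.100.7.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# The three source ranges the poster wants to allow (from the post).
WANTED_SOURCES = [
    ("66.237.238.193", "66.237.238.222"),
    ("69.195.249.177", "69.195.249.190"),
    ("69.65.80.240", "69.65.80.249"),
]
# Outside interface address from the posted config. The post's "99.89.69.333"
# has an octet above 255, so the interface address that
# "static (inside,outside) tcp interface 3389 ..." maps to is used here instead.
SERVER_PUBLIC = ip_network("99.89.69.233/32")
ANY = ip_network("0.0.0.0/0")


def ranges_to_networks(ranges):
    """ASA ACEs take network/mask pairs, so split each inclusive range into
    the minimal list of aligned blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(summarize_address_range(ip_address(first), ip_address(last)))
    return nets


def ace_lines(nets, dst=SERVER_PUBLIC, port=3389, acl="outside_access_in"):
    """Render the blocks as pre-8.3 ASA ACEs (mapped/global address as destination)."""
    return [f"access-list {acl} extended permit tcp {n.network_address} {n.netmask} "
            f"host {dst.network_address} eq {port}" for n in nets]


def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation. ACE = (action, proto, src_net, dst_net, port or None).
    Returns (action, index), or ('deny', None) for the implicit deny at the end."""
    src, dst = ip_address(src), ip_address(dst)
    for index, (action, p, src_net, dst_net, port) in enumerate(acl):
        if (p == proto and src in src_net and dst in dst_net
                and (port is None or port == dport)):
            return action, index
    return "deny", None


# The RDP-relevant lines of the posted outside_access_in, in their posted order.
POSTED_RDP_ACES = [
    ("permit", "tcp", ANY, SERVER_PUBLIC, 3389),                             # any interface outside eq 3389
    ("permit", "tcp", ip_network("66.237.238.194/32"), SERVER_PUBLIC, None),  # host ... host ... (all ports)
    ("permit", "tcp", ip_network("66.237.238.194/32"), SERVER_PUBLIC, 3389),  # host ... object-group rdp
]


def hardened_rdp_aces(ranges=WANTED_SOURCES, dst=SERVER_PUBLIC, port=3389):
    """Only the requested ranges, only the RDP port; everything else hits the implicit deny."""
    return [("permit", "tcp", net, dst, port) for net in ranges_to_networks(ranges)]


if __name__ == "__main__":
    print("\n".join(ace_lines(ranges_to_networks(WANTED_SOURCES))))
    stranger = "198.51.100.7"   # constructed address outside every wanted range
    print("posted   :", evaluate(POSTED_RDP_ACES, "tcp", stranger, "99.89.69.233", 3389))
    print("hardened :", evaluate(hardened_rdp_aces(), "tcp", stranger, "99.89.69.233", 3389))
```

The first posted ACE, permit tcp any interface outside eq 3389, matches every source, so the host-specific RDP lines after it are never reached and RDP on the interface address is reachable from anywhere; the hardened list permits only the 16 blocks the poster asked for, on port 3389 only, and lets the implicit deny handle the rest. On ASA 7.2 the ACL must name the mapped (public) address, as these do; the out_in list that references the real 192.168.6.2 would not match on that release and is in any case never bound to an interface with access-group.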
-
Need help for access list problem
Cisco 2901 ISR
I need help with my configuration.... although it is working fine, it is not secure because everybody can access the internet.
I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
Anybody can help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3
Hello,
Hosts can't get an internet connection.
I removed this configuration: access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and changed the configuration to: ip access-list extended 101
5 permit ip host 10.25.7.136 any
In this case I allow only host 10.25.7.136, but it isn't working.
No internet connection from the TMG server.
-
Need help Setting up Multiple Static Ip , 1 for each port of the fios router
Need help Setting up multiple Static Ip on my fios router
I have been trying to figure out how to set up multiple ip in my fios router.
However, I kind of managed to set up multiple static IPs. The way I want it, though, is for each port of my router to have an external IP assigned to it (like 4 different modems in 1).
Verizon gave me 5 static IPs but they cannot help me set it up.
Has anyone here done more than one static IP on different ports? I assume that the process will be the same after the second static IP.
You want to set up Static NAT. You will not assign the IP to a port, but rather to a local machine. Figure out what machines you want your IPs to go to. Under the firewall section you will see static NAT. Pick the machine you want and enter one of the IPs you were assigned.
-
Help: Strict NAT 360 Xbox WRT54Gv2 Wired
Need help opening the NAT settings on the router. I have 2 Xboxes wired to the router. I am able to get an open NAT on either 1 of the 2 Xboxes, but never both at the same time. It seems like the port forwarding only works on the first static IP entered in the router setup. The DMZ settings sometimes provide a moderate NAT, but it never lasts. I have read many posts and tried several settings.
How have you configured the settings on your router and on the Xbox? Have you assigned a static IP to your Xbox, or is your Xbox getting its IP address from the router's DHCP?
If you have already assigned static IPs to both Xboxes and already opened ports and it still isn't working, then you can try to upgrade the firmware of your router.
Once you upgrade the firmware on your router, you need to reset your router and re-configure all the settings on it from scratch.
-
Hi All,
I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
2811 having C2800NM-ADVIPSERVICESK9-M
2811 router connects to the Internet SW then connects to the Internet router.
Note - For authentication I am using the Device ID & pre-shared key. I am worried as all user traffic goes with PAT and is not firing up my tunnel for port 80 traffic. Can you please suggest what the issue can be?
Below is router config for VPN & NAT
crypto keyring ISR_Keyring
pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
crypto isakmp profile isa-profile
keyring ISR_Keyring
self-identity user-fqdn [email protected]
match identity user vpn-proxy.websense.net
crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
set peer vpn.websense.net dynamic
set transform-set ESP-NULL-SHA
set isakmp-profile isa-profile
match address 101
interface FastEthernet0/1
description connected to Internet
ip address 216.222.208.101 255.255.255.128
ip access-group HVAC_Public in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
no cdp enable
crypto map GUEST_WEB_FILTER
access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any
ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool mypool overload
How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101?
Check
show crypto isakmp sa
show crypto ipsec sa
show crypto session
You'd better remove the preshared key from your post.
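The reply's question about which source address Websense expects is the crux, and the Python below is an added illustration (not from the thread and not a Cisco tool) of the IOS inside-to-outside order of operations, in which NAT runs before the crypto map is consulted. It models access-list 103 and access-list 101 from the post with a constructed client 192.168.9.20 and a constructed web server 203.0.113.10; the NAT exemption it tries is an assumed fix, and the route-map nonat that the config references is not in the post, so it is not modelled.

```python
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.8.0/22")      # 192.168.8.0 0.0.3.255 in the post
PAT_ADDRESS = ip_address("216.222.208.101")    # FastEthernet0/1 / pool mypool

# access-list 103 as posted. Every line has source 192.168.8.0/22, so each entry
# here is (action, destination network, destination port or None); first match wins.
# A deny in a NAT access-list means "do not translate", not "drop".
NAT_ACL_103 = [
    ("deny", ip_network("85.115.41.187/32"), None),
    ("deny", ip_network("85.115.41.181/32"), None),
    ("deny", ip_network("85.115.41.182/32"), None),
    ("deny", ip_network("86.111.216.0/23"), None),    # 0.0.1.255 wildcard
    ("deny", ip_network("116.50.56.0/21"), None),     # 0.0.7.255 wildcard
    ("deny", ip_network("86.111.220.0/22"), None),    # 0.0.3.255 wildcard
    ("deny", ip_network("103.1.196.0/22"), None),
    ("deny", ip_network("177.39.96.0/22"), None),
    ("deny", ip_network("196.216.238.0/23"), None),
    ("permit", ip_network("0.0.0.0/0"), None),
]

# Candidate fix (an assumption, not from the post): exempt web traffic from NAT with a
# "deny tcp 192.168.8.0 0.0.3.255 any eq www" line at the top of access-list 103.
NAT_ACL_103_WITH_EXEMPTION = [("deny", ip_network("0.0.0.0/0"), 80)] + NAT_ACL_103


def crypto_acl_101_matches(src, proto, dport):
    """access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www"""
    return proto == "tcp" and dport == 80 and src in INSIDE_NET


def nat_translates(nat_acl, src, dst, proto, dport):
    """First-match walk of the NAT access-list; True means the packet gets PATed."""
    if src not in INSIDE_NET:
        return False
    for action, dst_net, port in nat_acl:
        if dst in dst_net and (port is None or (proto == "tcp" and port == dport)):
            return action == "permit"
    return False


def egress(src, dst, proto="tcp", dport=80, nat_acl=NAT_ACL_103):
    """IOS inside-to-outside order of operations: NAT runs before the crypto map
    is checked, so the crypto ACL sees the already-translated source address."""
    src, dst = ip_address(src), ip_address(dst)
    translated = nat_translates(nat_acl, src, dst, proto, dport)
    source_on_wire = PAT_ADDRESS if translated else src
    in_tunnel = crypto_acl_101_matches(source_on_wire, proto, dport)
    return {"source_on_wire": str(source_on_wire),
            "translated": translated, "in_tunnel": in_tunnel}


if __name__ == "__main__":
    web = ("192.168.9.20", "203.0.113.10")      # constructed client and web server
    print("as posted      :", egress(*web))
    print("with exemption :", egress(*web, nat_acl=NAT_ACL_103_WITH_EXEMPTION))
```

As posted, web traffic to anything other than the listed Websense networks is translated to 216.222.208.101 first, so it no longer matches the 192.168.8.0/22 source in access-list 101 and leaves in the clear via PAT; with the exemption the crypto ACL sees the real source and the packet is marked for the tunnel, which is exactly the point at which the Websense side has to accept 192.168.8.0/22 as the inside address. The show crypto commands in the reply are how to confirm which of the two is actually happening.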
-
Need an open NAT for 3 consoles and computer
I have 2 Xbox 360s and a PS3 and can't get an Open NAT on any of them. I have done what I needed to do for the open, but both Xboxes read Moderate or Strict NAT rating and the same for the PS3. I need help. I am using a Linksys E1000 router.
Well, it is not recommended to play two (2) Xbox 360 units on the same network connected to the same game server, since the modem will only generate a single WAN IP address. But still, you can do certain settings on the router to make (2) Xbox 360s work.
Here is the link which can help you in opening NAT: http://www6.nohold.net/Cisco2/ukp.aspx?pid=93&login=1&vw=1&app=search&articleid=23787&userrole=Links...
-
Need Help for redirect to HTTPS
Hello forum members,
I have difficulty configuring an HTTP to HTTPS redirect when accessing a specific URL.
The case:
I have www.foo-bar.com.god in HTTP; in the web page there is www.foo-bar.com.god/trust/* that must be accessed in HTTPS.
Is there any specific line of config to apply in my config?
My config is below.
### start
access-list INBOUND line 8 extended permit ip any any
parameter-map type http PERSISTENCE-REBALANCE
persistence-rebalance
parameter-map type ssl SSL_END_to_END
cipher RSA_WITH_RC4_128_SHA priority 10
cipher RSA_WITH_3DES_EDE_CBC_SHA priority 7
cipher RSA_WITH_AES_128_CBC_SHA priority 9
cipher RSA_WITH_AES_256_CBC_SHA priority 8
session-cache timeout 600
rserver host PORTAL-A
ip address 10.49.30.200
inservice
action-list type modify http FORCE-HTTPS
ssl url rewrite location "www\.foo\-\bar\.com\.god\trust\*"
header insert response Cache-Control header-value "private, no-cache, no-store, must-revalidate"
header rewrite response Server header-value "" replace "BLANK"
serverfarm host PORTAL-SFARM
rserver PORTAL-A 80
inservice
ssl-proxy service PORTAL-CERT
key portal.key
cert portal.crt
sticky ip-netmask 255.255.255.255 address source SOURCEIP-STICKY-HTTP-SFARM
replicate sticky
serverfarm PORTAL-SFARM
class-map match-all SSL-VIP
2 match virtual-address 10.49.30.230 tcp eq https
class-map match-all HTTP-VIP
2 match virtual-address 10.49.30.230 tcp eq www
class-map type management match-any remote_access
202 match protocol icmp any
204 match protocol ssh any
207 match protocol snmp any
208 match protocol telnet any
209 match protocol http any
210 match protocol https any
211 match protocol xml-https any
policy-map type management first-match management
class remote_access
permit
policy-map type loadbalance first-match LB-PORTAL-L7-POLICY
class class-default
sticky-serverfarm SOURCEIP-STICKY-HTTP-SFARM
action FORCE-HTTPS
policy-map multi-match LB-PORTAL-L4-POLICY
class SSL-VIP
loadbalance vip inservice
loadbalance policy LB-PORTAL-L7-POLICY
loadbalance vip icmp-reply
nat dynamic 1 vlan 260
appl-parameter http advanced-options PERSISTENCE-REBALANCE
ssl-proxy server PORTAL-CERT
interface vlan 260
description "User-Access"
ip address 10.49.30.231 255.255.255.192
peer ip address 10.49.30.232 255.255.255.192
access-group input INBOUND
nat-pool 1 10.49.30.252 10.49.30.252 netmask 255.255.255.255
service-policy input management
service-policy input LB-PORTAL-L4-POLICY
no shutdown
### End
I need a review of the config.
thanks and regards
hamzah
Hi Singh,
thank you for the reply,
I just changed the config, so hopefully the web can redirect properly.
But when I apply the config, the browser says the connection was reset.
Need help.
here is my full config
crypto chaingroup portal-verySign
cert portal.pem
access-list everyone line 8 extended permit ip any any
rserver host PORTAL-A
ip address 10.49.30.200
inservice
rserver redirect PORTAL_REDIR_HTTPS
webhost-redirection https://%h%p 302
inservice
serverfarm redirect PORTAL_HTTPS_SFARM
rserver PORTAL_REDIR_HTTPS
inservice
serverfarm host WWW_PORTAL_SFARM
rserver PORTAL-A 80
inservice
parameter-map type http PERSISTENCE-REBALANCE
persistence-rebalance
parameter-map type ssl SSL_END_to_END
cipher RSA_WITH_RC4_128_SHA priority 10
cipher RSA_WITH_3DES_EDE_CBC_SHA priority 7
cipher RSA_WITH_AES_128_CBC_SHA priority 9
cipher RSA_WITH_AES_256_CBC_SHA priority 8
session-cache timeout 600
sticky http-cookie PORTAL-STICKY STICKY-PORTAL-1
serverfarm WWW_PORTAL_SFARM
sticky ip-netmask 255.255.255.255 address source SOURCEIP-STICKY-HTTP-SFARM
replicate sticky
serverfarm WWW_PORTAL_SFARM
action-list type modify http HTTP_MODIFICATION
header insert request X-Forwarded-Proto header-value "%pd"
header insert request Via header-value "1.1 web:%pd"
header insert response Via header-value "1.1 web:ps"
ssl url rewrite location ".*"
ssl header-insert session Id
ssl-proxy service CLIENT_PORTAL
ssl advanced-options SSL_END_to_END
ssl-proxy service SERVER_PORTAL
key portal-key.pem
cert portal.pem
chaingroup portal-verySign
ssl advanced-options SSL_END_to_END
class-map type http loadbalance match-any PORTAL-SSL
2 match http url .*
class-map match-all VIP-SSL-PORTAL
2 match virtual-address 10.49.30.230 tcp eq https
class-map match-all VIP-WWW-PORTAL
2 match virtual-address 10.49.30.230 tcp eq www
policy-map type loadbalance first-match PORTAL_HTTPS_DEFAULT
class class-default
compress default-method gzip
sticky-serverfarm SOURCEIP-STICKY-HTTP-SFARM
action HTTP_MODIFICATION
ssl-proxy client CLIENT_PORTAL
policy-map type loadbalance first-match PORTAL_HTTP_DEFAULT
class class-default
serverfarm PORTAL_HTTPS_SFARM
policy-map multi-match L4_PORTAL_LB
class VIP-WWW-PORTAL
loadbalance vip inservice
loadbalance policy PORTAL_HTTP_DEFAULT
loadbalance vip icmp-reply active
nat dynamic 1 vlan 260
class VIP-SSL-PORTAL
loadbalance vip inservice
loadbalance policy PORTAL_HTTPS_DEFAULT
loadbalance vip icmp-reply active
nat dynamic 1 vlan 260
appl-parameter http advanced-options PERSISTENCE-REBALANCE
ssl-proxy server SERVER_PORTAL
interface vlan 260
description User-Access
ip address 10.49.30.231 255.255.255.192
peer ip address 10.49.30.232 255.255.255.192
access-group input everyone
nat-pool 1 10.49.30.252 10.49.30.252 netmask 255.255.255.255
service-policy input L4_PORTAL_LB
no shutdown
ip route 0.0.0.0 0.0.0.0 10.49.30.195
ip route 10.0.0.0 255.255.255.0 10.49.30.193
I need your advice.