PAT issue on an ISA550

I need a little assistance. I am using an ISA550 with a Static IP block assigned using Static NAT and everything thing seems fine EXCEPT for 1 program. This program needs port 443 mapped to port 22 on the private address however I can't determine how to do that. The server that program is on is assigned a Static address so I need to access it through the public address. I hope this is clear. Does anyone know how to do this?

Jim,
Thanks for your reply. I have tried all the examples on those pages to no avail. The issue I run into is that I am using Static NAT and when I run a scan on the public or private address of any server, I show these ports to be open. I am trying to configure a product that is designed to be port mapped from 443 to 22, however when I try Dynamic PAT, Port Forwarding, Triggering, Advanced NAT, etc., I get an error that the port is configured using Static NAT (which is as it should be) but I am stumped. This is the error I am getting.
External port 443 is closed. Manually configure your broadband router to map external port 443 (TCP) to port 22 on internal host.
Since I am using Static NAT, this should happen automatically.

Similar Messages

PAT Issues

We have a MPLS network which is having some issues for customers using PAT. The case is if I have a CE configured with public IP address or static NAT they have no problems to navigate or do anything on Internet. But if I configure PAT they simply cannot open some pages like hotmail, etc. in that case if I adjust MTU or MSS they can navigate. There is some solution to avoid this?? or somebody knows why it can be happening? as long as I know the packet size doesnt change with PAT.
Thanks for the help.

Every device in a IP path intercepting TCP, needs to advertise the MSS option. Or if this segment size is not used then segement of any size may be received.
And such packets which upon receipt have DF bit set then you have a problem and you will have be able to browse such packets from content rich websites.
What you can do is:
1) use this command on you ip nat inside and ip nat outside interface
interface x/x
ip add x.x.x.x x.x.x.x
ip nat inside
ip tcp adjust-mss 1452
interface x/x
ip add x.x.x.x x.x.x.x
ip nat outside
ip tcp adjust-mss 1452
This should solve your problem without changing any MTU or MSS on the customer CE.
1) Now two questions, you had a problem before beause of the MTU right, now what is this NAT/PAT.
2) Where are you doing this NAT and PAT.
Can u explain the data path, for eg
CE<-->NAT<-->PE<--MPLS-->PE-ASBR<-->Internet.
HTH-Cheers,
Swaroop

Static PAT issue with 8.4

I have a simple small network setup here, and trying to setup a simple Static PAT on HTTPS, for some reason the NAT rule is dropping the packet. Here is the setup.
Internal Subnet: 172.31.0.0/24
External Internet DHCP
Host object: 172.31.0.13
There is also a SSL anyconnect VPN setup but is using port 444.
object network obj_any-01
nat (inside,outside) dynamic interface
object network LD-App01
nat (inside,outside) static interface service tcp https https
nat (inside,any) after-auto source static obj-172.31.0.0 obj-172.31.0.0 destination static Personal-VPN Personal-VPN no-proxy-arp
object network obj-172.31.0.0
subnet 172.31.0.0 255.255.255.0
object network Personal-VPN
subnet 172.31.1.0 255.255.255.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network LD-App01
host 172.31.0.13
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 172.31.0.0 255.255.255.0 object Personal-VPN
access-list Personal-VPN-ACL standard permit 172.31.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object LD-App01 eq https
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
Here is the packet trace
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.31.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object LD-App01 eq https
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network LD-App01
nat (inside,outside) static interface service tcp https https
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Please Help...
Thanks,
Lee

Here is the current object list and the nat command with the failure message. I'm also running the current 8.4(3)
LD-FW01# show run ob
object network obj-172.31.0.0
subnet 172.31.0.0 255.255.255.0
object network Personal-VPN
subnet 172.31.1.0 255.255.255.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network LD-App01
host 172.31.0.13
description Spiceworks
object service https
service tcp source eq https
object network outside_int_ip
host 76.188.84.144
LD-FW01# con t
LD-FW01(config)# object network LD-App01
LD-FW01(config-network-object)# nat (inside,outside) 1 source static LD-App01 $
ERROR: Address 75.188.84.144 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Recovering mtu/PAT issues

Hello, after reading previous post about NAT, i don't have very clear how to resolve my problem.
I'm using a MPLS-VPN to connect different sites to a central site providing internet access with a PIX (old device, PIX 520 6.1), anf i've found those known problems when using PAT (users not nagating in www.hotmail.com and more)
USER - CE - PE - MPLS - PE - PIX - INET
i have configured every link in the MPLS path with MTU 1516 and tag-switching mtu 1512. And links over pure IP with MTU 1500

Hi,
Another aproach is to enable the core routers to accommodate all packets.
The MTU should be greater than or equal to the total bytes of the items in the following equation:
Core MTU >= (Edge MTU + Transport header + AToM header + (MPLS label stack * MPLS label
size))
Edge MTU + Transport header + AToM header + (MPLS label stack * MPLS Label) = Core MTU
1500 + 18 + 0 + (2 * 4 ) = 1526
You must configure the P and PE routers in the core to accept packets of 1526 bytes. See the following section for setting the MTU size on the P and PE routers.
As you have indicated some interfaces (such as FastEthernet interfaces) require the mpls mtu command to change the MTU size.
Hope this helps.
Regards Bjornarsb

SATA and PATA issue

I currently have system set up running XP Pro on Neo-2LS motherboard and a Western Digital 80meg SATA hard drive. I want to add my old 80 meg IDE (PATA) harddrive. However, I cannot get my regular IDE harddrive to be recognized in windows or in the BIOS. My SATA drive still fine after I connected the second harddrive. I have my Bios setting set to PATA and SATA in native mode. I searched through the forums but have not found anything that worked. Your suggestions on how to solve this would be much appreciated.
Thanks in advance.

All that you need is one software utility ,for hard drive automated installation , visit the site of your hard disk maker , in order to download the software .
You will end up with one boot diskette, that it will boot your system and will guide you all the way..

Renewed Cert on ASA, Upgraded from AnyConnect 2.5 to 3.1

We had been running AnyConnect 2.5 against our ASA and the Cert on our ASA Expired. the 2.5 Client (and all of the iPad Clients) had a way of saying, its cool, connect anyway if the Cert is not valid.
I finially got around to renewing the cert on the ASA. We have an Internal CA that I renewed it against. So if the CA's Cert was not installed in your trusted Cert Store you would get an error. Many Clients can Connect just fine with the new 3.1 client, Auto-upgrade, etc (besides it lopping off the /vpn from the connection URL)
We have a few of the clients that cannot connect. they get an error like:
The certificate on the secured gateway is invalid. A VPN connection will not be established
They have the CA's Root Cert installed in their trusted Cert Store. The Cert on the ASA has the proper CN, and Expiration date, so that should not be the issue.
When I look in the Syslog I see:
%ASA-7-725008: SSL client outside-interface:<Client Public IP>/50088 proposes the following 8 cipher(s).
%ASA-6-725001: Starting SSL handshake with client outside-interface:<Client Public IP>/50088 for TLSv1 session.
%ASA-7-710005: TCP request discarded from <Client Public IP>/50089 to outside-interface:<ASA Public IP>/443
%ASA-6-106015: Deny TCP (no connection) from <Client Public IP>/50089 to <ASA Public IP>/443 flags FIN ACK on interface outside-interface
%ASA-7-710005: TCP request discarded from <Client Public IP>/50089 to outside-interface:<ASA Public IP>/443
%ASA-6-106015: Deny TCP (no connection) from <Client Public IP>/50089 to <ASA Public IP>/443 flags PSH ACK on interface outside-interface
%ASA-6-725007: SSL session with client outside-interface:<Client Public IP>/50089 terminated.
%ASA-4-113019: Group = SSL-VPN, Username = <userID>, IP = <Client Public IP>, Session disconnected. Session Type: SSL, Duration: 0h:00m:31s, Bytes xmt: 9787, Bytes rcv: 3991, Reason: User Requested
%ASA-6-716002: Group #%cLt#%SSLVPNGrpPolicy> User #%cLt#%<UserID>> IP #%cLt#%<Client Public IP>> WebVPN session terminated: User Requested.
%ASA-6-725002: Device completed SSL handshake with client outside-interface:<Client Public IP>/50089
The other Interesting thing is in ADSM when I monitor the VPN Connections, All of the Trouble users show up in the "Clientless SSL VPN/Clientless" Section, where as the users that work fine are all in the "SSL VPN Client/WithClient" section. Though all of the ones in the
"SSL VPN Client/WithClient" section have 'Clientless SSL-Tunnel DTLS-Tunnel' as the Protocol.
We have completely removed AnyConnect and Manually installed the Client.
We have connected to the ASA's SSLVPN URL and had it install the Client.
All the same result. It Connects, Asks for a Username/Password, Displayes the Warning Banner to accept, checks for pgrads, then on the Establishing VPN comes up with the Server's Certificate is invalid.
Is this a NAT/PAT issue on the remote end?
Any Suggestions for these guys?
Thank you,
Scott<-

AnyConnect 3.1 is a significant upgrade, even over 3.0.
Over 3.0 it adds an enhanced GUI (common between Windows and Mac), NAM enhancement, crypto suite B enhancements, HostScan/Posture performance enhancements, IPv6 support, better untrusted certificate handling, plug-in component tiles, etc.
3.0+ offers IPSec VPN client as opposed to SSL VPN.

Officejet 6000 wireless and WPA2-Enterprise network security

I own an Officejet 6000 wireless printer. The manual says that it should be compatible with a wireless network with WPA2-Enterprise network security but when setting up the connection (I am using a macbook and am setting the printer up via usb connection) the newtork is listed but the security type is "unsupported." For whatever its worth it is listed 5 or 6 times but probably thats a different issue.
I can still select the right network but it only asks for a security key, but my network security requires a log-in name and password.
What can I do to get my printer connected to the network?

I get the feeling that most of the people replying here don't know the difference between WPA2-Personal and WPA2-Enterprise.
Personal has a passkey.
Enterprise uses both a username and password, usually in conjunction with a Radius server (802.1X athentication).
What we've had to do solve this problem is create a second SSID on the network that authenticates on WPA2-Personal. We use a really long password to secure the network, one that I will never be able to memorize in my lifetime.
All we can hope for is that these enterprise-level vendors will, perhaps, gain a greater understanding of wireless authentication processes and the needs of actual enterprise customers who at least a percieved need for wireless printer capabilities. It used to be that customer was always right, though. Perhaps those days are gone...
The other problem that probably ought to be addressed on consumer end is the fact that multicast tools that make AirPrint work (such as Bonjour), are being blocked from crossing between your wired and wireless networks, perhaps by the wireless controller or due to inefficient routing hierarchy or NAT/PAT issues. Solve this issue and you won't have a need for wireless printers.

RV130W: 4 devices need to use the same ports.

I just started a video game streaming business and have 4 video game consoles connected and able to play online at the same time on my recently purchased Cisco RV130W.
There's only 2 games currently that we are streaming but NAT seems to be a really big issue and is causing connection problems.
I've tried leaving this in the hands of UPnP but it seems that this is an issue that cannot be resolved so simply.
All 4 consoles are Sony PS4s and to connect and play online I need them all to have access to the following ports:
TCP Outbound
TCP Inbound
UDP Outbound
UDP Inbound
80, 443, 1935, 3074-3077, 3478-3481,7500-17899, 10040-10060, 30000-40399
80, 443, 1935, 3074-3077, 3478-3481, 9293, 10040-10060
2001, 3074-3077, 3478-3481, 6000-7000, 10070, 50000-60000
2001, 3074-3077, 3478-3481, 6000-7000, 10070, 50000-60000
At best, I've got a NAT Type 2/Moderate... at worst, I can't even connect.
To answer any questions that may be coming up or rule out any suggestions I have already tried...
All devices on the LAN have a static DHCP address.
Only one console works perfectly with UPnP.
The DMZ can fix one console but makes the NAT or the other 3 unusable.
You can't forward the same ports to 4 different devices so I have to rule that out.
Port triggering doesn't work because [I am guessing] the TTL on the packets must be too long and is still hogging the ports while other consoles are trying to send data.
I made a separate VLAN20 for the consoles so I could unblock all outbound and inbound traffic with a firewall rule and that didn't fix it. ...that's why I think this is a NAT/PAT issue.
I used to be able to get 2 consoles working with my Asus RT-N56U using only UPnP.
All help is appreciated. I will provide whatever other info you need.
Thank you in advance.

UPnP seems to be implemented very differently with the vendors
I would see if disabling the following on the firewall helps under Basic Settings
as they may also be part of the issue,
I know that Xbox Live likes to be able ping the wan IP, as for the PS I'd bet things are similiar
DoS Protection
Block WAN Ping Request
IPv4 Multicast Passthrough:(IGMP Proxy)
IPv4 Multicast Immediate Leave:(IGMP Proxy Immediate Leave)
UPnP Allow Users to Configure
UPnP Allow Users to Disable Internet Access
I know that Open Nat for Xbox is something you don't actually want,
as the ones who have open nat end up getting all the traffic, and they are the ones that get laggy
Unless the game they are playing has to be the server host there is no choice for the most part
Also, on most routers in regards to gaming, I've found that one should use UPnP or Port Triggering, but not both at the same time

RV120W Administration Page The connection was reset

I have a problem with RV120W, I can connect to internet and all, but I cannot get into administration page, once I input the username and password, it always comes back with.
The connection was reset
The connection to the server was reset while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few
moments.
If you are unable to load any pages, check your computer's network
connection.
If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.
That happens with Firefox and IE, any idea how to get it fixed?

Rene,
Thank you for posting the fix. I tend to do that without even thinking about it so I forget that it can solve the problem. I had the same issue with an ISA550 recently and using https solved it.
- Marty

ACE - UDP loadbalancing without NAT

HI, I want to get source port of client from Real server, but it is changed by ACE
matched port of VIP set to 8070 same as RIP, it is fine.
I want to know is it posible to keep souce port unchanged when port translation is configured
any help will be appreciated
below is the config
probe udp udp-8070
port 8070
interval 5
rserver server01
ip address 192.168.1.15
inservice
rserver server02
ip address 192.168.1.16
inservice
serverfarm host sf-UDP-8070
failaction purge
probe udp-8070
rserver server01 8070
    inservice
rserver server02 8070
    inservice
policy-map type loadbalance first-match pL7-UDP-8070
class class-default
    serverfarm sf-UDP-8070
class-map match-any c4-UDP-1270
match virtual-address 192.168.2.100 udp eq 1270
policy-map multi-match pL4-UDP
class c4-UDP-1270
    loadbalance vip inservice
    loadbalance policy pL7-UDP-8070
    loadbalance vip icmp-reply
interface vlan 211
service-policy input pL4-UDP

Dears,
I had this issue with SIP traffic
to solve the Impicit PAT issue you may try the following,
1) Direct Server Return on ACE Configure servers with VIP address as a secondary IP address on interfaces
directly connected to the ACE (that is, interfaces which have an ARP entry
for the ACE.) Then configure the ACE to forward to that VIP address as a
transparent serverfarm.
or 2) Configure the "hw-module cde-same-port-hash" on the Admin context, this will disable Hashing based on Src. and Dst. port the ACE will use a new Hash method

875 neo & 4200 memory problems

Hi, everybody. I did picked up a lot of usefull information from this bord, but was lucky enough not to run intoo problems untill now. Before recently I was using pc3200 memory and was able to oc it up to 450 (in auto mode) but that was the limit. When I changed settings from auto to 333, I was able to reach 260 on Cpu and memory read was still 400. Performance sucked, but it is not the question I want to ask, it was just for the sake of knowing that my 2.8 capable of 3.62.
The problem is that couple days ago I purchased ddr4200/533 by OCZ Technologies that supposedly is supported by 875 neo board.
When I set ddr frq auto, 500, 533 it will not boot, or boot with bios defaullts.
When I set ddr on 400 everything is just fine until I reach 250/500 on those settings it runs rock solid. But don't you know that it is not enough? As soon as I try to change fsb to 255-251(tried them all) it boots, starts loading windows and gives me a blue screen of death. Tried to encrease voltage, change latency, nothing works, the only settings that windows loads compleatly was 251/505 but it crashed in the middle of 3dmark3 back to blue screen of death.
I am quite willing to provide you with more extensive Bios settings of my system if you will just tell me what you all want to know. Any help will be greatly appreciated.

Unfortunately, This is a MAT / PAT issue.
You can try:-
Dynamic Overclocking: Disabled
Performance Mode: Slow
and memory timings of 3-4-4-8, but even at slow performance mode still affects your timings.
Quote
The problem is that couple days ago I purchased ddr4200/533 by OCZ Technologies that supposedly is supported by 875 neo board
This simply is not the case the 875P boards only officially support upto DDR400. The only board to support higher memory speeds are the 865PE Neo2-PS series.
I would use CPU-Z to verify your actual memory timings and Memtest to ensure your memory is actually performing as it should, but I suspect this is a mobo issue.
Join the club waiting for MSI to sort out a BIOS that actually works with this memory.

What's wrong with MSI?

I bought my board back on June 30th and because of lacking BIOS releases have not been able to take full advantage of the system I have spent good money on since. First the MAT/PAT issue and now I can't run a SATA & PATA HD at the same time? Is this for real?
Does anyone have an idea when MSI will have it's act together? Right now I'm really considering going with Asus for my next board.

Quote
Originally posted by maesus
Can you tell your problem first before push to \'MSI problem\'?
Have you tried BIOS 1.8?
Everyone can run PATA and SATA drives. Why can\'t you?? Should you describe your problem more along with your BIOS settings and drivers?
There seems to be a problem with 1.8 and running a single master SATA and concurrent PATAs.
See these threads:
http://www.msi.com.tw/program/e_service/forum/index.php?threadid=28911&boardid=10&styleid=1&sid=b97fa54a4d13adc078e155a405aa35be
http://www.msi.com.tw/program/e_service/forum/index.php?threadid=28974&boardid=10&styleid=1&sid=b97fa54a4d13adc078e155a405aa35be
If you can figure it out, please let me know. I tinkered with it for about 90 minutes without success.
See if you can get a single SATA to be primary master, and run a PATA and CD drive at the same time. 1.7 works fine, 1.8 won't let me do it.

Cisco asa 5505 issues ( ROUTING AND PAT)

I have some issues with my cisco asa 5505 config. Please see details below:
NETWORK SETUP:
gateway( 192.168.223.191)   - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 ) -
ISSUES:
1)
no route from DMZ to outside
example:
ping from 172.16.3201 to the gateway
6          Jan 27 2014          11:15:33                    172.16.3.201          39728                              Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
2)
not working access from external to DMZ AT ALL
ASA DETAILS:
cisco asa5505
Device license          Base
Maximum Physical Interfaces          8          perpetual
VLANs          3      DMZ Restricted
Inside Hosts          Unlimited          perpetual
configuration:
firewall200(config)# show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network office1-int
host 172.16.2.1
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object web2-ext eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.2.10-172.16.2.10 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
: end

Thank you one more time for everthing. It is workingin indeed
Reason why maybe sometimes I had some 'weird' results was because I had all devices connected to the same switch.Separtated all networks to a different switches helped.Anyway if you could take a look one last time to my configuration and let me know if it's good enough to deploy it on live ( only www for all , ssh restricted from outside, lan to dmz) .Thanks one more time.
show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext net-to-net
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
: end

ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP

Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is. My guess right now is that it has something to do with dynamic PAT.
Essentially, I have a block of 5 static public IP's. I have 1 assigned to the interface and am using another for email/webmail. I have no problems accessing the internet, receving emails, etc... The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT. I would really appreciate if anyone could help shed some light as to why this is happening for me. I always thought a static nat should take precidence in the order of things.
Recap:
IP 1 -- 10.10.10.78 is assigned to outside interface. Dynamic PAT for all network objects to use this address when going out.
IP 2 -- 10.10.10.74 is assgned through static nat to email server. Email server should respond to and send out using this IP address.
Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
Thanks in advance for anyone that reads this and can lend a hand.
- Justin
Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
ASA Version 8.4(3)
hostname MYHOSTNAME
domain-name MYDOMAIN.COM
enable password msTsgJ6BvY68//T7 encrypted
passwd msTsgJ6BvY68//T7 encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.78 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name MYDOMAIN.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit tcp any object Email eq smtp
access-list outside_access_in extended permit tcp any object Webmail eq www
access-list outside_access_in extended permit tcp any object WebmailSecure eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MYDOMAIN protocol kerberos
aaa-server MYDOMAIN (inside) host 192.168.2.8
kerberos-realm MYDOMAIN.COM
aaa-server MYDOMAIN (inside) host 192.168.2.9
kerberos-realm MYDOMAIN.COM
aaa-server MY-LDAP protocol ldap
aaa-server MY-LDAP (inside) host 192.168.2.8
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
aaa-server MY-LDAP (inside) host 192.168.2.9
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=MYHOSTNAME
ip-address 10.10.10.78
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate e633854f
    30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
    0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
    2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
    f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
    4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
    355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
    2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
    f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
    4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
    aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
    f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
    0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
    78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
    03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
    0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
    0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
    02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
    d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
    e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
    5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
    781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.8 source inside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2 ssl-client
group-lock value VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
group-policy GroupPolicy-VPN-LAPTOP internal
group-policy GroupPolicy-VPN-LAPTOP attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2
group-lock value VPN-LAPTOP
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group MYDOMAIN
default-group-policy GroupPolicy_VPN
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN-LAPTOP type remote-access
tunnel-group VPN-LAPTOP general-attributes
authentication-server-group MY-LDAP
default-group-policy GroupPolicy-VPN-LAPTOP
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN-LAPTOP webvpn-attributes
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:951faceacf912d432fc228ecfcdffd3f

Hi ,
As per you config :
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
The flows from email server ( 192.168.2.7 ) , will be NATed to 10.10.10.74, only if the source port is TCP/25. Any other souce port will use the interface IP for NAT.
Are you saying that this is not happening ?
Dan

Dynamic PAT and Static NAT issue ASA 5515

Hi All,
Recently we migrated our network to ASA 5515, since we had configured nat pool overload on our existing router the users are able to translated their ip's outside. Right now my issue was when I use the existing NAT configured to our router into firewall, it seems that the translation was not successful actually I used Dynamic NAT. When I use the Dynamic PAT(Hide) all users are able to translated to the said public IP's. I know that PAT is Port address translation but when I use static nat for specific server. The Static NAT was not able to translated. Can anyone explain if there's any conflict whit PAT to Static NAT? I appriciate their response. Thanks!
- Bhal

Hi,
I would have to guess that you Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as Section 2 rule which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
The very basic configured for Static NAT and Default PAT I would do in the following way
object network STATIC
host
nat (inside,outside) static dns
object-group network DEFAULT-PAT-SOURCE
network-object
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
- Jouni

PAT issue on an ISA550

Similar Messages

Maybe you are looking for