Policy based NAT to share 1 public IP between two internal servers

Hello all,
I would like to implement a solution that allows me to share a single public IP amongst two internal servers. One service uses a range of TCP ports.
I believe the below will address what I need; however, can I use the 'object-group' command or do I need to specify each TCP port separately?
This?
object-group service A_Bunch_O_Ports tcp
description Telemesis comms to-From Internet
port-object eq https
port-object eq www
port-object eq 8060
port-object eq 8070
access-list policyNAT-share extended permit tcp host 172.20.40.100 object-group A_Bunch_O_Ports host 1.2.3.4 object-group A_Bunch_O_Ports
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
nat (inside) 3 access-list policyNAT-share
global (outside) 3 1.2.3.4 netmask 255.255.255.255
Or this?
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 443 host 1.2.3.4 eq 443
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 80 host 1.2.3.4 eq 80
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8060 host 1.2.3.4 eq 8060
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8070 host 1.2.3.4 eq 8070
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
nat (inside) 3 access-list policyNAT-share
global (outside) 3 1.2.3.4 netmask 255.255.255.255

Do you need both inbound and outbound connections for the server, or only outbound connections?
If you only need outbound connections, then you don't even need to specify the port on the access-list. You can just configure the following:
nat (inside) 3 172.20.40.100 255.255.255.255
nat (inside) 3 172.20.40.200 255.255.255.255
global (outside) 3 1.2.3.4 netmask 255.255.255.255
However, if you need both inbound and outbound connections for the server, then you should configure the following:
static (inside,outside) tcp 1.2.3.4 443 172.20.40.100 443 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 80 172.20.40.100 80 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8060 172.20.40.100 8060 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8070 172.20.40.100 8070 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 172.20.40.200 25 netmask 255.255.255.255
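As an added example (not from the original thread), a small Python checker for the static PAT answer above: it parses the pre-8.3 `static` lines, flags any public port on 1.2.3.4 that two internal hosts both claim (the way a shared-IP config typically breaks), and rewrites each line into the 8.3+ object NAT syntax. The port-name table and the generated object names are assumptions of the example.

```python
"""Check a set of ASA static PAT lines that share one public IP between
several internal servers, and emit the equivalent 8.3+ object NAT."""
import re
from collections import defaultdict

# Pre-8.3 static PAT lines copied from the answer above.
STATIC_LINES = """
static (inside,outside) tcp 1.2.3.4 443 172.20.40.100 443 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 80 172.20.40.100 80 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8060 172.20.40.100 8060 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8070 172.20.40.100 8070 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 172.20.40.200 25 netmask 255.255.255.255
"""

# Named ports the ASA accepts in place of numbers (a constructed subset).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ftp": 21, "ssh": 22}

# Prefix match; the trailing "netmask ..." part is not needed for the checks.
STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)


def port_number(token):
    """Accept a numeric port or one of the ASA's well-known port names."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port token {token!r}")


def parse_statics(text):
    """Turn static PAT lines into dicts with numeric ports."""
    entries = []
    for line in text.strip().splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised static line: {line!r}")
        d = m.groupdict()
        d["mapped_port"] = port_number(d["mapped_port"])
        d["real_port"] = port_number(d["real_port"])
        entries.append(d)
    return entries


def find_collisions(entries):
    """Map (mapped_ip, proto, port) -> set of real hosts, keeping only ports
    claimed by more than one real host. Empty dict means the share is clean."""
    owners = defaultdict(set)
    for e in entries:
        owners[(e["mapped_ip"], e["proto"], e["mapped_port"])].add(e["real_ip"])
    return {k: v for k, v in owners.items() if len(v) > 1}


def to_object_nat(entries):
    """Rewrite each static PAT as 8.3+ object NAT (object names are constructed)."""
    out = []
    for e in entries:
        name = f"OBJ-{e['real_ip'].replace('.', '-')}-{e['proto']}-{e['real_port']}"
        out.append(f"object network {name}")
        out.append(f" host {e['real_ip']}")
        out.append(f" nat ({e['real_if']},{e['mapped_if']}) static {e['mapped_ip']} "
                   f"service {e['proto']} {e['real_port']} {e['mapped_port']}")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_statics(STATIC_LINES)
    print(find_collisions(parsed) or "no mapped-port collisions on 1.2.3.4")
    print(to_object_nat(parsed))
```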

Similar Messages

  • Policy based nat - can't get it right...

    Hi out there
    I need to implement some policy based NAT to hide a DMZ network on a site, to avoid routing problems. This should also be fairly simple by defining a route-map and then looping the traffic around a loopback interface which is defined as outside NAT.
    I define the LAN interface as inside, assign the route-map policy to it and loop the traffic around the loopback interface to get it NATed.
    This also works, to some extent. The traffic is correctly NATed and sent out of the WAN interface (f0/1); the remote site replies and sends the traffic back, and when it then enters my R2 router it is dropped?
    I have run out of ideas. Please try to take a look; here is the config of R2 (I issue my test from R1 which is 80.0.0.1 and has a source interface for 192.168.10.1).
    Config of R2:
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    ip cef
    no ip domain lookup
    ip domain name lab.local
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    interface Loopback2
    ip address 192.168.20.1 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    interface FastEthernet0/0
    ip address 80.0.0.2 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip policy route-map To_loop2
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 81.0.0.2 255.255.255.0
    duplex auto
    speed auto
    ip forward-protocol nd
    ip route 192.168.10.0 255.255.255.0 80.0.0.1
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Loopback2 overload
    access-list 1 permit 192.168.10.0 0.0.0.255
    route-map To_loop2 permit 10
    match ip address 1
    set interface Loopback2
    On R2:
    R2#
    *Mar 1 03:48:29.491: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, FIB policy match
    *Mar 1 03:48:29.495: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, policy match
    *Mar 1 03:48:29.499: IP: route map To_loop2, item 10, permit
    *Mar 1 03:48:29.499: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1 (Loopback2), len 100, policy routed
    *Mar 1 03:48:29.503: IP: FastEthernet0/0 to Loopback2 81.0.0.1
    *Mar 1 03:48:29.507: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [204]
    R2#
    R2#
    R2#sh ip nat translations
    Pro Inside global Inside local Outside local Outside global
    icmp 192.168.20.1:40 192.168.10.1:40 81.0.0.1:40 81.0.0.1:40
    on R3:
    *Mar 1 03:48:24.051: IP: tableid=0, s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEtherne
    *Mar 1 03:48:24.055: IP: s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEthernet0/0), len
    *Mar 1 03:48:24.059: ICMP: echo reply sent, src 81.0.0.1, dst 192.168.20.1

    The easiest way is constructing your menu with frame labels.
    Now I have no way of knowing how you are constructing it, so this may not work for you. I assume that you have created a main button that has been converted into a symbol and then duplicated to create all other buttons.
    Okay, here it goes. I hope I don't confuse you.
    I will explain how to create 1 button with 4 submenu items with the terms that I mentioned above, but I am not going to explain all the details of creating a whole nav bar because it just takes too much typing. I assume you already know this.
    Sooo! Let's say this is the Portfolio button. Inside the symbol now create 8 layers. The order is going from top to bottom:
    actions
    labels
    submenu Logos
    submenu Illustration
    submenu Animation
    submenu Coolstuff ("you will name your button items how you like")
    main button (let's just say Portfolio!)
    invisible btn for main button
    So now on with the hard stuff.
    Create 20 frames. Stop action on frame 1, frame 9, frame 20.
    On the labels layer now, name frame 1 "Closed" and frame 10 "Open".
    On the submenu Logos layer, create a keyframe on frame 10. All frames before the 10th frame will be blank frames. Repeat that for the rest of the submenu items.
    On the main button layer you will just place the main Portfolio button on frame 1, and on the invisible button layer the inv btn is going to be placed on frame 10.
    All this is, I am hoping, with everything converted into 1 symbol.
    All you need to do now is attach code to the main Portfolio button and the invisible button.
    So click on the Portfolio button:
    on (rollOver) {
        // frame labels are case-sensitive, so use the label names exactly as set above
        gotoAndStop("Open");
    }
    Invisible button:
    on (rollOver) {
        gotoAndPlay("Closed");
    }
    And that should be good. Very simple!
    Then just repeat this process for every button that makes up your nav bar, and it doesn't matter if your inv buttons overlap each other or your main nav buttons are touching each other.
    Peace, John

  • HT202213 Two iTunes libraries on one computer. Any way to share content between the two libraries?

    We have 2 iTunes libraries on one computer. Is there a way to share movies, music, etc. between the two libraries?

    To your second question, probably the easiest way is to set up another user account on your machine. Then when that user opens iTunes, it will be a new library (empty) that they can put anything they want into, and not corrupt your library.
    With another user account, they can also customize their own desktop photo, desktop icons, etc., so lots of benefits doing it that way. Works out great for me and my 13-year-old daughter so I don't have to see the latest Emo band heartthrob's face on my desktop.
    Patrick

  • HT1495 Already have 2 accounts on my non apple computer how do I share music between the two?

    My friend and I both have iTunes accounts but want to share the music WE bought off of iTunes. What's the easiest way to do this on a PC?

    To give other users read-only access to your iTunes library, use the Sharing features of iTunes. Sharing works over the local network as well as on the same computer. See the built-in help for details.
    If you want to give full read/write access to more than one user, see the support article linked below.
    iTunes: How to share music between different accounts on a single computer
    There is a way to share the library without moving it to a secondary volume. If you really need to do that, ask for instructions.

  • Policy based NAT on cisco2901/k9

    Hello colleagues,
    I have a problem with configuring the following application:
    (192.168.0/24)--->                
                               outside[ 10.0.0.1 tcp/500 ]inside ----> [172.16.0.1 tcp/501,tcp/502]
    (192.168.1/24)--->
    What I am trying to get is to make TCP connections
    from outside network 192.168.0/24 to 10.0.0.1:500 forwarded to inside host 172.16.0.1:501 and
    from outside network 192.168.1/24 to 10.0.0.1:500 forwarded to inside host 172.16.0.1:502,
    connections originated from outside to 10.0.0.1, which is a virtual IP on the cisco2901/k9.
    Any ideas how to configure this?
    Thanks in advance
    Tima

    Hi,
    You should really make a new post for asking a question.
    But to my understanding with the new NAT format your above configuration would be done like this.
    object-group network POLICY-PAT-SOURCE
    network-object 192.168.10.0 255.255.255.0
    object-group network POLICY-PAT-DESTINATION
    network-object 172.27.15.0 255.255.255.0
    network-object 10.125.81.0 255.255.255.0
    nat (inside,outside) source dynamic POLICY-PAT-SOURCE interface destination static POLICY-PAT-DESTINATION POLICY-PAT-DESTINATION
    The above things are doing the following (from top down)
    Define the source addresses for the Policy PAT
    Define the destination addresses for the Policy PAT
    Define the actual Policy PAT that will translate traffic coming from "inside" interface from the source addresses defined in POLICY-PAT-SOURCE to interface "outside" IP address WHEN connecting to the destination addresses defined in the object-group POLICY-PAT-DESTINATION
    Please rate if it helps
    - Jouni

  • How do I share files between my two computers?

    I have one computer (which is somewhat old) that doesn't have wireless capabilities as well as a newer laptop and a Wii which are both connected to the internet wirelessly.  How do I share files and such between these machines?

    Enable File and Printer Sharing on each computer. Also make sure both the computers are in the same workgroup...
    The default workgroup name in Windows Vista has been changed to WORKGROUP. In Windows XP, the default workgroup name is MSHOME...
    Also go into the computer software firewall on each computer, and set it to "trust" the other computers on your network.
    If your firewall or PC security program keeps a list of trusted applications (also known as a "trusted zone"), then make sure that your router is in the trusted zone on your firewall...

  • I need to know how to share apps between my two iPads and iPhone 6.

    I have an iPad and my wife has an iPad 2 and an iPhone 6. I need to know how to share my apps between all devices. I have heard of Family Sharing but don't know how to start.

    The following may help:
    Family Sharing - Apple Support
    Set up Family Sharing - Apple Support

  • How do I share info between my two computers over my network?

    Hello !
    I have an iMac, my husband has a MacBook. I just recently got an AEBS so that we could share the internet in the house. We are both wirelessly connected (thanks to the help on this forum). But I am wondering HOW can I share info on my computer...with his MacBook? On HIS computer I can see a "shared" option on his HD, and my iMac is listed. It asks for a password to access it. But I never set up this sort of sharing. I tried looking around on the iMac last night to figure out where I would do this, but to no avail. And I'm afraid to do something in fear of messing something else up!
    I guess I have no idea how this "networking" thing really works. Any help would be appreciated !
    Thanks for your help in advance.
    Christine

    +Ok...so I went to the system pref/account tab. and I see where the password is for my iMac. Is that the password he would use to access the computer from his? the same one I use to access my own computer?+
    Yes, correct. When he "logs on" to your computer from his, he will be given the option for KeyChain access on his computer to "remember" the password so he won't have to manually enter the password each time he connects to your computer.
    Same thing in reverse when you connect to his.
    In most cases, the only thing you really need to share are the "printer" and "files", but you have a number of other options as well.

  • Can I create a second Apple ID and share content between the two?

    We have an Apple ID that's used by the whole family to buy music etc from iTunes, but we also have 3 separate Apple devices, two iPhones and an iPad. Hence, ideally we would have 3 separate ID's that could all use the content currently on the family one. Is anything like this possible? Many thanks in advance.

    Well yes, but if you want to update those apps, you'd need to sign in under your old Apple ID to update them. It's really best to just stick to one Apple ID, or you'll run into association complications down the road.

  • Service Insertion/Service Graphs & Policy based traffic redirection

    Hi,
    My question is to use policy based service insertion/service graphs between the EPGs communications to redirect traffic to ASA firewall & F5 slb.
    Below are Cisco ACI components:
    1- Spines & Leafs
    2- APIC Controllers
    3- Cisco ASA Firewall attached to the APIC via device package
    4- F5 SLB attached to the APIC via device package
    I have the below scenario for the communication between the EPGs e.g:
    WEB-EPG (consumer)
    APP EPG (provider) (consumer for DB)
    DB (provider)
    I want to use contract that includes filter on port 80 to permit and action for service insertion to provide SLB (F5) service between the WEB & APP communications.
    I want to use contract that includes filter on port any* to permit and action for service insertion to provide firewall (ASA) service between the APP & DB communications.
    Can I do policy based "traffic redirection" through service graphs in the contract's service insertion?
    Is it supported in version 1.0(3i)?
    I believe NSH (Network Services Header) will be added in the VXLAN header before reaching the dest VNID and redirect the traffic to the cluster of service nodes, i.e. SLB or FW; then traffic will reach the destination address after stripping all services.
    Regards,
    Anser

    Hello Muhammad, 
    Traffic redirection is not supported on 1.0(3i), while NSH is still submitted to the IETF as a draft from industry vendors; I think you should try to avoid waiting for it.
    Regards
    Mohammed ElSherbiny

  • Can I share files between two different networks at same location?

    Until TWC can offer DOCSIS 3.0 later this year or next...
    - In my home I have a closet where all my audio, video and network come together.
    - I have two cable modems from Time Warner
    - Modem A goes to a WRT320N; 192.168.0.1
    -- This router connects all my "heavy" downloads, ie. DirecTV receivers, Netflix, home server w/videos, gaming, etc.
    - Modem B goes to a E2000; 192.168.1.1
    -- This router connects my everyday use computers so they don't suffer poor speeds from all the traffic on Modem A
    My question is, how or can I somehow share files between these two routers without the need for hitting the modems? Obviously I can just push files over the Internet but I am doing it at a much slower speed due to upload restrictions on the modem.
    Thank you for any help on this!

    The easiest way would be to assign LAN IP 192.168.1.2 to the WRT320N and disable the DHCP server. Then assign static IP addresses in 192.168.1.* to all devices connected to the WRT at the moment, e.g. 192.168.1.10, 255.255.255.0, gateway 192.168.1.2, DNS 192.168.1.2 (or DNS servers of your ISP).
    Now you can connect a LAN port of the WRT to a LAN port of the E2000. All DHCP clients get the IP address from the E2000 which will assign the E2000 as gateway, i.e. they use the E2000 for internet. All other devices will have static IP addresses and use the WRT as gateway.

  • TS2972 How can I share playlists between two users on the same laptop?

    I have a work account and a home account on my laptop in Windows 7. After the new version of iTunes was released this week, I'm unable to share playlists between the two accounts. HELP.

    iTunes: How to share music between different accounts on a single computer - http://support.apple.com/kb/HT1203 - relocating iTunes' media folder to a shared area but leaving separate library files - extra tip at https://discussions.apple.com/message/17331189

  • Can i share files between two macs via airport express?

    hi. we have an imac and a macbook connected to the internet with airport express. all is well with that, but i'd like to be able to share files between the two computers. it seems like i should be able to, but i can't figure out how. can someone help?
    thanks.

    Hello smw380. Welcome to the Apple Discussions!
    Yes. You just need to enable "Personal File Sharing" on both Macs.
    o System Preferences > Sharing > Services tab
    o Personal File Sharing: On (checked)

  • Can you use a Mac Mini to share documents between several devices? iPhones, MacBooks, iPads, etc...? We are a home based business with several locations across the state and are having Google Drive issues, looking into Mac Mini options.

    We are having Google Drive issues (some files won't sync) and it's causing us trouble with our business communication. Is there any way to use a Mac Mini to share documents between two people in different areas similar to google drive? Would this just be done through iCloud?

    If you use Numbers, Pages and Keynote it is very easy to sync those documents among all the Apple devices. You need Mountain Lion on the Mac and at least iOS 5 on the mobile devices.
    I show those documents on my Mac, iPad 4 and iPhone 4S.

  • Policy Based Routing with VPN Client configuration

    Hi to all,
    We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
    The router has two WAN connections. One is the primary WAN ("slow wan" link with slower upload, 10D/1U Mbps) and it is used for the corporate workstations used by the employees. The other is our backup link. It has higher upload speed, 11D/11U Mbps ("fast wan"), and thus we also use the high upload link for our webserver (I have done this using PBR just for the HTTP traffic from the webserver). For numerous other reasons we cannot use the `fast wan` connection as our primary connection and it is used only as a failover in case the primary link fails.
    The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
    Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes in on the `fast wan` interface, but exits from the `slow wan` interface. And because the `slow wan` has only 1 Mbps upload, the VPN connection is slow.
    Is there any way for us to redirect the vpn traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?
    This is our sanitized config
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group dc
    key ***
    dns 192.168.5.7
    domain corp.local
    pool SDM_POOL_1
    acl 101
    max-users 3
    netmask 255.255.255.0
    crypto isakmp profile sdm-ike-profile-1
       match identity group dc
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile SDM_Profile1
    set security-association idle-time 3600
    set transform-set ESP-3DES-SHA
    set isakmp-profile sdm-ike-profile-1
    interface Loopback0
    ip address 10.10.10.1 255.255.255.0
    interface FastEthernet0/0
    description *WAN*
    no ip address
    ip mtu 1396
    duplex auto
    speed auto
    interface FastEthernet0/0.3
    description FAST-WAN-11D-11U
    encapsulation dot1Q 3
    ip address 88.XX.XX.75 255.255.255.248
    ip load-sharing per-packet
    ip nat outside
    ip virtual-reassembly
    interface FastEthernet0/0.4
    description SLOW-WAN-10D-1U
    encapsulation dot1Q 4
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    no cdp enable
    interface FastEthernet0/1
    description *LOCAL*
    no ip address
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/1.10
    description VLAN 10 192-168-5-0
    encapsulation dot1Q 10
    ip address 192.168.5.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly max-reassemblies 32
    no cdp enable
    interface FastEthernet0/1.20
    description VLAN 20 10-10-0-0
    encapsulation dot1Q 20
    ip address 10.10.0.254 255.255.255.0
    ip access-group PERMIT-MNG out
    ip nat inside
    ip virtual-reassembly
    !!! NOTE: This route map is used to PBR the http traffic for our server
    ip policy route-map REDIRECT-VIA-FAST-WAN
    no cdp enable
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile SDM_Profile1
    interface Virtual-Template3
    no ip address
    interface Virtual-Template4
    no ip address
    ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
    ip forward-protocol nd
    !!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
    !!! FAST-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
    ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
    ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
    access-list 101 remark SDM_ACL Category=4
    access-list 101 permit ip 192.168.5.0 0.0.0.255 any
    access-list 101 permit ip 10.10.0.0 0.0.0.255 any
    ip access-list extended FAST-WAN-NAT
    permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit icmp 192.168.5.0 0.0.0.255 any
    permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit icmp 10.10.0.0 0.0.0.255 any
    ip access-list extended REDIRECT-VIA-FAST-WAN
    deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
    permit tcp host 10.10.0.43 eq 443 9675 any
    ip access-list extended SLOW-WAN-NAT
    permit ip 192.168.5.0 0.0.0.255 any
    permit ip 10.10.0.0 0.0.0.255 any
    route-map FAST-WAN-NAT-RMAP permit 10
    match ip address FAST-WAN-NAT
    match interface FastEthernet0/0.3
    route-map REDIRECT-VIA-FAST-WAN permit 10
    match ip address REDIRECT-VIA-FAST-WAN
    set ip next-hop 88.XX.XX.73
    route-map SLOW-WAN-NAT-RMAP permit 10
    match ip address SLOW-WAN-NAT
    match interface FastEthernet0/0.4

    Can you try to use PBR Match track object,
    Device(config)# route-map abc
    Device(config-route-map)# match track 2
    Device(config-route-map)# end
    Device# show route-map abc
    route-map abc, permit, sequence 10
      Match clauses:
        track-object 2
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    Additional References for PBR Match Track Object
    This feature is a part of IOS-XE release 3.13 and later.
    PBR Match Track Object
    Cisco IOS XE Release 3.13S
    The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
    The following commands were introduced or modified: match track tracked-obj-number
    Cheers,
    Sumit
