Policy based NAT to share 1 public IP between two internal servers
Hello all,
I would like to implement a solution that allows me to share a single public IP amongst two internal servers. One service uses a range of TCP ports.
I believe the configuration below will address what I need; however, can I use the 'object-group' command, or do I need to specify each TCP port separately?
This?
object-group service A_Bunch_O_Ports tcp
description Telemesis comms to-From Internet
port-object eq https
port-object eq www
port-object eq 8060
port-object eq 8070
access-list policyNAT-share extended permit tcp host 172.20.40.100 object-group A_Bunch_O_Ports host 1.2.3.4 object-group A_Bunch_O_Ports
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
nat (inside) 3 access-list policyNAT-share
global (outside) 3 1.2.3.4 netmask 255.255.255.255
Or this?
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 443 host 1.2.3.4 eq 443
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 80 host 1.2.3.4 eq 80
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8060 host 1.2.3.4 eq 8060
access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8070 host 1.2.3.4 eq 8070
access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
nat (inside) 3 access-list policyNAT-share
global (outside) 3 1.2.3.4 netmask 255.255.255.255
Do you need both inbound and outbound connections for the server, or only outbound connections?
If you only need outbound connections, then you don't even need to specify the port on the access-list. You can just configure the following:
nat (inside) 3 172.20.40.100 255.255.255.255
nat (inside) 3 172.20.40.200 255.255.255.255
global (outside) 3 1.2.3.4 netmask 255.255.255.255
However, if you need both inbound and outbound connections for the server, then you should configure the following:
static (inside,outside) tcp 1.2.3.4 443 172.20.40.100 443 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 80 172.20.40.100 80 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8060 172.20.40.100 8060 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8070 172.20.40.100 8070 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 172.20.40.200 25 netmask 255.255.255.255
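A complete pre-8.3 configuration for the inbound case, added here as an example; it is not part of the original answer. The static PAT entries only define the translation: the ASA still denies connections from the lower-security outside interface to the inside unless an access-list applied inbound on outside permits them, so that access-list is included and opens only the published ports. The ACL and object-group names OUTSIDE_IN and WEB_PORTS, the interface name outside, and the client address 203.0.113.10 used in the packet-tracer call are assumptions.

```cisco
! Static PAT: map selected ports of the single public IP 1.2.3.4 to two
! different inside hosts. A given public port can belong to only one host.
static (inside,outside) tcp 1.2.3.4 443 172.20.40.100 443 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 80 172.20.40.100 80 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8060 172.20.40.100 8060 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 8070 172.20.40.100 8070 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 172.20.40.200 25 netmask 255.255.255.255
!
! Outbound connections that the static entries do not cover (for example the
! mail server's own outbound SMTP to other MTAs) still need a dynamic rule.
nat (inside) 3 172.20.40.100 255.255.255.255
nat (inside) 3 172.20.40.200 255.255.255.255
global (outside) 3 1.2.3.4 netmask 255.255.255.255
!
! Translation permits nothing by itself: an ACL applied inbound on the outside
! interface must allow the connections. Before 8.3 the ACL references the
! translated (public) address. Only the published ports are opened; the
! final deny with "log" records what was rejected.
object-group service WEB_PORTS tcp
 port-object eq https
 port-object eq www
 port-object eq 8060
 port-object eq 8070
access-list OUTSIDE_IN extended permit tcp any host 1.2.3.4 object-group WEB_PORTS
access-list OUTSIDE_IN extended permit tcp any host 1.2.3.4 eq smtp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Verification: static entries appear in show xlate; packet-tracer walks an
! inbound SYN (constructed client 203.0.113.10) through NAT and the ACL.
show xlate
show nat
packet-tracer input outside tcp 203.0.113.10 12345 1.2.3.4 443
```

If packet-tracer reports a drop at the ACCESS-LIST phase the translation is fine but the interface ACL is missing the port; a drop at the NAT phase means no static entry matches the destination port.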
Similar Messages
-
Policy based nat - can't get it right...
Hi out there
I need to implement some policy based NAT to hide a DMZ network on a site, to avoid routing problems. This should also be fairly simple by defining a route-map and then looping the traffic around a loopback interface which is defined as outside NAT.
I define the LAN interface as inside, assign the route-map policy to it and loop the traffic around the loopback interface to get it NATed.
This also works, to some extent. The traffic is correctly NATed and sent out of the WAN interface (f0/1); the remote site replies and sends the traffic back, and when it then enters my R2 router, it is dropped????
I have run out of ideas; please try to take a look. Here is the config of R2 (I issue my test from R1, which is 80.0.0.1 and has a source interface for 192.168.10.1).
Config of R2:
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
ip cef
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
interface Loopback2
ip address 192.168.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
interface FastEthernet0/0
ip address 80.0.0.2 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map To_loop2
duplex auto
speed auto
interface FastEthernet0/1
ip address 81.0.0.2 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
ip route 192.168.10.0 255.255.255.0 80.0.0.1
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Loopback2 overload
access-list 1 permit 192.168.10.0 0.0.0.255
route-map To_loop2 permit 10
match ip address 1
set interface Loopback2
On R2:
R2#
*Mar 1 03:48:29.491: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, FIB policy match
*Mar 1 03:48:29.495: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, policy match
*Mar 1 03:48:29.499: IP: route map To_loop2, item 10, permit
*Mar 1 03:48:29.499: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1 (Loopback2), len 100, policy routed
*Mar 1 03:48:29.503: IP: FastEthernet0/0 to Loopback2 81.0.0.1
*Mar 1 03:48:29.507: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [204]
R2#
R2#
R2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.168.20.1:40 192.168.10.1:40 81.0.0.1:40 81.0.0.1:40
on R3:
*Mar 1 03:48:24.051: IP: tableid=0, s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEtherne
*Mar 1 03:48:24.055: IP: s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEthernet0/0), len
*Mar 1 03:48:24.059: ICMP: echo reply sent, src 81.0.0.1, dst 192.168.20.1
-
The easiest way is constructing your menu with frame labels.
Now I have no way of knowing how you are constructing it... so this may not work for you... I assume that you have created a main button... that has been converted into a symbol & then duplicated to create all the other buttons.
Okay, here it goes... I hope I don't confuse you.
I will explain how to create 1 button with 4 submenu items with the terms that I mentioned above, but I am not going to explain all the details of creating a whole nav bar, because it just takes too much typing... I assume you already know this.
Sooo!... let's say this is the Portfolio button... inside the symbol now create 8 layers... the order is going from top to bottom:
actions
labels
submenu Logos
submenu Illustration
submenu Animation
submenu Coolstuff ("you will name your button items how you like")...
main button... let's just say Portfolio!
invisible btn for main button
So now on with the hard stuff.
Create 20 frames... stop action on frame 1... frame 9... frame 20.
On the labels layer now... name frame 1 "Closed"... frame 10 "Open".
On the submenu Logos layer... create a keyframe on frame 10; all frames before the 10th frame will be blank frames.
Repeat that for the rest of the submenu items.
On the main button layer you will just place the main Portfolio button on frame 1, & on the invisible button layer... the inv btn is going to be placed on frame 10.
All this assumes, I am hoping, that you have converted everything into 1 symbol.
All you need to do now is attach code to the main Portfolio button & the invisible button.
So click on the Portfolio button:
on (rollOver) {
    // frame label names are case-sensitive, so this must match the "Open" label on frame 10
    gotoAndStop("Open");
}
Invisible button:
on (rollOver) {
    // jump back to the "Closed" label on frame 1
    gotoAndPlay("Closed");
}
& that should be good... very simple!
Then just repeat this process for every button that makes up your nav bar... & it doesn't matter if your inv buttons overlap each other or your main nav buttons are touching each other.
Peace, John
-
We have 2 ITunes libraries on one computer. Is there a way to share movies, music, etc. between the two libraries?
To your second question, probably the easiest way is to set up another user account on your machine. Then when that user opens iTunes, it will be a new library (empty) that they can put anything they want into, and not corrupt your library.
With another user account, they can also customize their own desktop photo, desktop icons, etc., so there are lots of benefits doing it that way. Works out great for me and my 13-year-old daughter, so I don't have to see the latest Emo band heartthrob's face on my desktop.
Patrick
-
HT1495 Already have 2 accounts on my non-Apple computer; how do I share music between the two?
My friend and I both have iTunes accounts but want to share the music WE bought off of iTunes. What's the easiest way to do this on a PC?
To give other users read-only access to your iTunes library, use the Sharing features of iTunes. Sharing works over the local network as well as on the same computer. See the built-in help for details.
If you want to give full read/write access to more than one user, see the support article linked below.
iTunes: How to share music between different accounts on a single computer
There is a way to share the library without moving it to a secondary volume. If you really need to do that, ask for instructions.
-
Policy based NAT on cisco2901/k9
Hello colleagues,
I have a problem with configuring the following application:
(192.168.0/24)--->
outside[ 10.0.0.1 tcp/500 ]inside ----> [172.16.0.1 tcp/501,tcp/502]
(192.168.1/24)--->
What I am trying to get is to make TCP connections
from outside network 192.168.0/24 to 10.0.0.1:500 forwarded to inside host 172.16.0.1:501 and
from outside network 192.168.1/24 to 10.0.0.1:500 forwarded to inside host 172.16.0.1:502.
Connections originate from outside to 10.0.0.1, which is a virtual IP on the cisco2901/k9.
Any ideas how to configure this?
Thanks in advance,
Tima
Hi,
You should really make a new post for asking a question.
But to my understanding, with the new NAT format your above configuration would be done like this:
object-group network POLICY-PAT-SOURCE
network-object 192.168.10.0 255.255.255.0
object-group network POLICY-PAT-DESTINATION
network-object 172.27.15.0 255.255.255.0
network-object 10.125.81.0 255.255.255.0
nat (inside,outside) source dynamic POLICY-PAT-SOURCE interface destination static POLICY-PAT-DESTINATION POLICY-PAT-DESTINATION
The above things are doing the following (from top down)
Define the source addresses for the Policy PAT
Define the destination addresses for the Policy PAT
Define the actual Policy PAT that will translate traffic coming from "inside" interface from the source addresses defined in POLICY-PAT-SOURCE to interface "outside" IP address WHEN connecting to the destination addresses defined in the object-group POLICY-PAT-DESTINATION
Please rate if it helps
- Jouni
-
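Jouni's reply uses the ASA 8.3+ NAT syntax. As an added example (not from either post on this page), here is the single-public-IP case from the first thread on this page written in that format: static PAT per published port in object NAT, a dynamic PAT rule for everything else behind the same address, and the interface ACL, which since 8.3 is written against the real inside address rather than the translated one. The object, object-group and ACL names, the interface name outside, and the client address 203.0.113.10 in the packet-tracer call are assumptions.

```cisco
! The shared public address
object network PUBLIC_IP
 host 1.2.3.4
!
! Static PAT in object NAT: one network object per published port, because a
! network object carries a single NAT statement. Each port of 1.2.3.4 belongs
! to exactly one inside host.
object network WEB_SERVER_HTTPS
 host 172.20.40.100
 nat (inside,outside) static PUBLIC_IP service tcp https https
object network WEB_SERVER_HTTP
 host 172.20.40.100
 nat (inside,outside) static PUBLIC_IP service tcp www www
object network WEB_SERVER_8060
 host 172.20.40.100
 nat (inside,outside) static PUBLIC_IP service tcp 8060 8060
object network WEB_SERVER_8070
 host 172.20.40.100
 nat (inside,outside) static PUBLIC_IP service tcp 8070 8070
object network MAIL_SERVER_SMTP
 host 172.20.40.200
 nat (inside,outside) static PUBLIC_IP service tcp smtp smtp
!
! Outbound connections the static entries do not cover: dynamic PAT behind the
! same public address, placed after object NAT (section 3 with "after-auto")
! so the static PAT entries above are evaluated first.
object network WEB_SERVER
 host 172.20.40.100
object network MAIL_SERVER
 host 172.20.40.200
object-group network SHARED_SERVERS
 network-object object WEB_SERVER
 network-object object MAIL_SERVER
nat (inside,outside) after-auto source dynamic SHARED_SERVERS PUBLIC_IP
!
! Interface ACL: since 8.3 it references the real (untranslated) inside
! addresses. Only the published ports are opened.
object-group service WEB_PORTS tcp
 port-object eq https
 port-object eq www
 port-object eq 8060
 port-object eq 8070
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER object-group WEB_PORTS
access-list OUTSIDE_IN extended permit tcp any object MAIL_SERVER eq smtp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Verification: static entries are listed in section 2 of "show nat", the
! dynamic rule in section 3; packet-tracer checks an inbound SMTP SYN from a
! constructed client 203.0.113.10.
show nat
packet-tracer input outside tcp 203.0.113.10 12345 1.2.3.4 25
```

The per-port network objects all contain the same host; that is expected in object NAT and is how several static PATs for one server are expressed.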
How do I share files between my two computers?
I have one computer (which is somewhat old) that doesn't have wireless capabilities as well as a newer laptop and a Wii which are both connected to the internet wirelessly. How do I share files and such between these machines?
Enable File and Printer Sharing on each computer. Also make sure both computers are in the same workgroup...
The default workgroup name in Windows Vista has been changed to WORKGROUP. In WindowsXP, the default workgroup name is MSHOME...
Also go into the computer software firewall on each computer, and set it to "trust" the other computers on your network.
If your firewall or PC security program keeps a list of trusted applications (also known as a "trusted zone"), then make sure that your router is in the trusted zone on your firewall...
-
I need to know how to share apps between my two iPads and iPhone 6.
I have an iPad and my wife has an iPad 2 and an iPhone 6. I need to know how to share my apps between all devices. I have heard of Family Sharing but don't know how to start.
The following may help:
Family Sharing - Apple Support
Set up Family Sharing - Apple Support
-
How do I share info between my two computers over my network?
Hello !
I have an iMac, my husband has a MacBook. I just recently got an AEBS so that we could share the internet in the house. We are both wirelessly connected (thanks to the help on this forum). But I am wondering HOW can I share info on my computer... with his MacBook? On HIS computer I can see a "shared" option on his HD, and my iMac is listed. It asks for a password to access it. But I never set up this sort of sharing. I tried looking around on the iMac last night to figure out where I would do this, but to no avail. And I'm afraid to do something in fear of messing something else up!
I guess I have no idea how this "networking" thing really works. Any help would be appreciated !
Thanks for your help in advance.
Christine
Ok... so I went to the System Preferences / Accounts tab, and I see where the password is for my iMac. Is that the password he would use to access the computer from his? The same one I use to access my own computer?
Yes, correct. When he "logs on" to your computer from his, he will be given the option for KeyChain access on his computer to "remember" the password so he won't have to manually enter the password each time he connects to your computer.
Same thing in reverse when you connect to his.
In most cases, the only things you really need to share are the "printer" and "files", but you have a number of other options as well.
-
Can I create a second Apple ID and share content between the two?
We have an Apple ID that's used by the whole family to buy music etc. from iTunes, but we also have 3 separate Apple devices, two iPhones and an iPad. Hence, ideally we would have 3 separate IDs that could all use the content currently on the family one. Is anything like this possible? Many thanks in advance.
Well yes, but if you want to update those apps, you'd need to sign in under your old Apple ID to update them. It's really best to just stick to one Apple ID, or you'll run into association complications down the road.
-
Service Insertion/Service Graphs & Policy based traffic redirection
Hi,
My question is to use policy based service insertion/service graphs between the EPGs communications to redirect traffic to ASA firewall & F5 slb.
Below are Cisco ACI components:
1- Spines & Leafs
2- APIC Controllers
3- Cisco ASA Firewall attached to the APIC via device package
4- F5 SLB attached to the APIC via device package
I have the below scenario for the communication between the EPGs e.g:
WEB-EPG (consumer)
APP EPG (provider) (consumer for DB)
DB (provider)
I want to use contract that includes filter on port 80 to permit and action for service insertion to provide SLB (F5) service between the WEB & APP communications.
I want to use contract that includes filter on port any* to permit and action for service insertion to provide firewall (ASA) service between the APP & DB communications.
Can I do policy based "traffic redirection" through service graphs in the contract's service insertion?
Is it supported in version 1.0(3i)?
I believe NSH (Network Services Header) will be added in the VXLAN header before reaching the destination VNID and redirect the traffic to the clusters of the service nodes, i.e. SLB or FW; then traffic will reach the destination address after stripping all services.
Regards,
Anser
Hello Muhammad,
Traffic redirection is not supported on 1.0(3i), while NSH is still submitted to the IETF as a draft from industry vendors; I think you should try to avoid waiting for it.
Regards
Mohammed ElSherbiny
-
Can I share files between two different networks at same location?
Until TWC can offer DOCSIS 3.0 later this year or next...
- In my home I have a closet where all my audio, video and network come together.
- I have two cable modems from Time Warner
- Modem A goes to a WRT320N; 192.168.0.1
-- This router connects all my "heavy" downloads, ie. DirecTV receivers, Netflix, home server w/videos, gaming, etc.
- Modem B goes to a E2000; 192.168.1.1
-- This router connects my everyday use computers so they don't suffer poor speeds from all the traffic on Modem A
My question is, how or can I somehow share files between these two routers without the need for hitting the modems? Obviously I can just push files over the Internet but I am doing it at a much slower speed due to upload restrictions on the modem.
Thank you for any help on this!
The easiest way would be to assign LAN IP 192.168.1.2 to the WRT320N and disable its DHCP server. Then assign static IP addresses in 192.168.1.* to all devices connected to the WRT at the moment, e.g. 192.168.1.10, 255.255.255.0, gateway 192.168.1.2, DNS 192.168.1.2 (or the DNS servers of your ISP).
Now you can connect a LAN port of the WRT to a LAN port of the E2000. All DHCP clients get their IP address from the E2000, which will assign the E2000 as gateway, i.e. they use the E2000 for internet. All other devices will have static IP addresses and use the WRT as gateway.
-
TS2972 How can I share playlists between two users on the same laptop?
I have a work account and a home account on my laptop in Windows 7. After the new version of iTunes was released this week, I'm unable to share playlists between the two accounts. HELP.
iTunes: How to share music between different accounts on a single computer - http://support.apple.com/kb/HT1203 - relocating iTunes' media folder to a shared area but leaving separate library files - extra tip at https://discussions.apple.com/message/17331189
-
Can i share files between two macs via airport express?
hi. we have an imac and a macbook connected to the internet with airport express. all is well with that, but i'd like to be able to share files between the two computers. it seems like i should be able to, but i can't figure out how. can someone help?
thanks.
Hello smw380. Welcome to the Apple Discussions!
Yes. You just need to enable "Personal File Sharing" on both Macs.
o System Preferences > Sharing > Services tab
o Personal File Sharing: On (checked)
-
We are having Google Drive issues (some files won't sync) and it's causing us trouble with our business communication. Is there any way to use a Mac Mini to share documents between two people in different areas similar to google drive? Would this just be done through iCloud?
If you use Numbers, Pages and Keynote it is very easy to sync those documents among all the Apple devices. You need Mountain Lion on the Mac and at least iOS 5 on the mobile devices.
I show those documents on my Mac, iPad 4 and iPhone 4S.
-
Policy Based Routing with VPN Client configuration
Hi to all,
We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
The router has two WAN connections. One is the primary WAN ("slow wan" link with slower upload, 10D/1U Mbps) and it is used for the corporate workstations used by the employees. The other is our backup link. It has a higher upload speed, 11D/11U Mbps ("fast wan"), and thus we also use the high-upload link for our webserver (I have done this using PBR just for the HTTP traffic from the webserver). For numerous other reasons we cannot use the `fast wan` connection as our primary connection, and it is used only as a failover in case the primary link fails.
The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes in on the `fast wan` interface, but exits from the `slow wan` interface. And because the `slow wan` has only 1 Mbps upload, the VPN connection is slow.
Is there any way for us to redirect the vpn traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?
This is our sanitized config
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group dc
key ***
dns 192.168.5.7
domain corp.local
pool SDM_POOL_1
acl 101
max-users 3
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group dc
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
interface Loopback0
ip address 10.10.10.1 255.255.255.0
interface FastEthernet0/0
description *WAN*
no ip address
ip mtu 1396
duplex auto
speed auto
interface FastEthernet0/0.3
description FAST-WAN-11D-11U
encapsulation dot1Q 3
ip address 88.XX.XX.75 255.255.255.248
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
interface FastEthernet0/0.4
description SLOW-WAN-10D-1U
encapsulation dot1Q 4
ip address dhcp
ip nat outside
ip virtual-reassembly
no cdp enable
interface FastEthernet0/1
description *LOCAL*
no ip address
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/1.10
description VLAN 10 192-168-5-0
encapsulation dot1Q 10
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly max-reassemblies 32
no cdp enable
interface FastEthernet0/1.20
description VLAN 20 10-10-0-0
encapsulation dot1Q 20
ip address 10.10.0.254 255.255.255.0
ip access-group PERMIT-MNG out
ip nat inside
ip virtual-reassembly
!!! NOTE: This route map is used to PBR the http traffic for our server
ip policy route-map REDIRECT-VIA-FAST-WAN
no cdp enable
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Virtual-Template3
no ip address
interface Virtual-Template4
no ip address
ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
ip forward-protocol nd
!!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
!!! FAST-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended FAST-WAN-NAT
permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit icmp 192.168.5.0 0.0.0.255 any
permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit icmp 10.10.0.0 0.0.0.255 any
ip access-list extended REDIRECT-VIA-FAST-WAN
deny tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
ip access-list extended SLOW-WAN-NAT
permit ip 192.168.5.0 0.0.0.255 any
permit ip 10.10.0.0 0.0.0.255 any
route-map FAST-WAN-NAT-RMAP permit 10
match ip address FAST-WAN-NAT
match interface FastEthernet0/0.3
route-map REDIRECT-VIA-FAST-WAN permit 10
match ip address REDIRECT-VIA-FAST-WAN
set ip next-hop 88.XX.XX.73
route-map SLOW-WAN-NAT-RMAP permit 10
match ip address SLOW-WAN-NAT
match interface FastEthernet0/0.4
Can you try to use the PBR Match Track Object feature:
Device(config)# route-map abc
Device(config-route-map)# match track 2
Device(config-route-map)# end
Device# show route-map abc
route-map abc, permit, sequence 10
Match clauses:
track-object 2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Additional References for PBR Match Track Object
This feature is a part of IOS-XE release 3.13 and later.
PBR Match Track Object
Cisco IOS XE Release 3.13S
The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
The following commands were introduced or modified: match track tracked-obj-number
Cheers,
Sumit
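An added example, not from the thread: the VPN packets that leave through the slow WAN are generated by the router itself (ISAKMP on UDP/500, NAT-T on UDP/4500 and ESP, all sourced from the fast WAN address 88.XX.XX.75), and `ip policy route-map` on an interface only sees transit traffic, so the REDIRECT-VIA-FAST-WAN style policy in the config cannot catch them. `ip local policy route-map` applies policy routing to router-originated packets. The example pins that traffic to the fast WAN next hop 88.XX.XX.73 and couples the next hop to an IP SLA tracked object, so the policy falls back to the routing table if the fast WAN gateway stops answering; where the `match track` clause Sumit mentions is not available, `set ip next-hop verify-availability ... track` performs the same check. The IP SLA number 1, track object 2, and the ACL and route-map names are assumptions; the 88.XX.XX addresses are the sanitized values from the posted config.

```cisco
! Reachability of the fast WAN gateway (assumed: IP SLA 1, track object 2).
! Probing from the fast WAN subinterface avoids a false "up" via the slow WAN.
ip sla 1
 icmp-echo 88.XX.XX.73 source-interface FastEthernet0/0.3
 frequency 10
ip sla schedule 1 life forever start-time now
track 2 ip sla 1 reachability
!
! Router-originated VPN traffic sourced from the fast WAN address:
! ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP replies to the VPN clients.
ip access-list extended VPN-FROM-FAST-WAN
 permit udp host 88.XX.XX.75 eq isakmp any
 permit udp host 88.XX.XX.75 eq non500-isakmp any
 permit esp host 88.XX.XX.75 any
!
! Send that traffic via the fast WAN gateway only while track 2 is up;
! otherwise the packet follows the normal routing table (slow WAN default).
route-map LOCAL-VIA-FAST-WAN permit 10
 match ip address VPN-FROM-FAST-WAN
 set ip next-hop verify-availability 88.XX.XX.73 10 track 2
!
! "ip policy" on an interface only handles transit packets; locally
! generated packets are policy-routed by "ip local policy".
ip local policy route-map LOCAL-VIA-FAST-WAN
!
! Verification: track state, and route-map match counters that increase
! while a VPN client is connected.
show track 2
show route-map LOCAL-VIA-FAST-WAN
```

The ACL deliberately matches only the VPN protocols from the fast WAN address, so other router-originated traffic (syslog, NTP, management sessions) keeps using the routing table and the failover behaviour of the two default routes is unchanged.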