Policy nat address pool

Similar Messages

• CSCut55025 - CSM 4.8 - Error loading page NAT - Address Pools

  We did experience this bug and have reverted back to 4.7.  I've been told by TAC that it is scheduled to be fixed in 4.9.

  Hi,
  You can try this packet Tracer:-
  packet input outside udp <External Source Ip on the internet>  45657 <Outside interface IP> 43139 det
  For the captures , you just need to verify that the ASA device is passing the traffic through as this is UDP traffic , we would not be able to find much.
  For more information on captures:-
  https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
  Let me know if you have any further queries.
  Thanks and Regards,
  Vibhor Amrodia

• Can i use same address pool for different remote access VPN tunnel groups and policy

  Hi all,
  i want to create a different remote access VPN profile in ASA. ihave one RA vpn already configured for some purpose.
  can i use the same ip address pool used for the existing one for the new tunnel-group (to avoid add rotuing on internal devices for new pool) and its a temporary requirement)
  thanks in advance
  Shnail

  Thanks Karsten..
  but still i can have filtering right? iam planning to create a new group policy and tunnelgroup and use the existing pool for new RA  and i have to do some filetring also. for the new RA i have to restrict access to a particualr server ,my existing RA have full access.
  so iam planning to create new local usernames for the new RA and new group policy with vpn-filter value access-list to apply for that user as below,  this will achive waht i need right??
  access-list 15 extended permit tcp any host 192.168.205.134 eq 80
  username test password password test
  username test attributes
  vpn-group-policy TEST
  vpn-filter value 15
  group-policy TEST internal
  group-policy TEST attributes
  dns-server value 192.168.200.16
  vpn-filter value 15
  vpn-tunnel-protocol IPSec
  address-pools value existing-pool
  tunnel-group RAVPN type ipsec-ra
  tunnel-group RAVPN general-attributes
  address-pool existing-pool
  default-group-policy TEST
  tunnel-group Payroll ipsec-attributes
  pre-shared-key xxx

• Static Policy NAT in VPN conflicts with Static NAT

  I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
  The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
  interface Vlan1
  ip address 192.168.10.1 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
  access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
  static (inside,outside) 192.168.24.0 access-list VPN
  crypto map outside_map 1 match address outside_1_cryptomap
  In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
  static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
  The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
  So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
  What am I missing?

  Hi,
  To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
  So I am not sure are we looking at some bug or what the problem is.
  I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
  I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
  I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
  access-list STATICPAT-SMTP permit tcp host eq smtp any
  static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
  access-list STATICPAT-HTTPS permit tcp host eq https any
  static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
  access-list STATICPAT-RDP permit tcp host eq 3389 any
  static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
  access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
  static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
  access-list STATICPAT-POP3 permit tcp host eq pop3 any
  static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
  Naturally you would add the Static Policy NAT for the VPN first.
  Again I have to say that I am not 100% sure if this was is the correct format maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389). First entering the Static Policy NAT then removing the Static PAT and then entering the Static Policy PAT.
  Remember that you should be able to test the translations with the "packet-tracer" command
  For example
  packet-tracer input outside tcp 1.1.1.1 12345
  - Jouni

• Two separate address pools on the same interface?

  I'm something of a routing novice so bear with me...
  We have an ASA 5510 and we also have two separate address pools which have been provided by our ISP.  The addresses are not contiguous.  Is there a way to configure an interface on the ASA to handle both sets of public address pools?  If the outside interface is set up on eth0/0 would I create two subinterfaces (eth0/0.1, eth0/0.2) and assign each subinterface an address pool?  Then just NAT/PAT to my heart's content?   At that point I would want both to route to our inside network.  So it's basically two inbound sets of IP addresses comming into one interface and then comming into the network...  Right now the outside interface is configured with our first set of IP addresses.  We wanted additional addresses and when we called our ISP they told us we already had them - just a different pool.  Hence the question.  I'm guessing that I wouldn't put anything specific on the outside interface and I would put the specifics on the subinterfaces?
  I've never done something like this before - that's why I'm asking the question!  Any help/direction would be appreciated!
  Thank you!

  Hi,
  You shoud not create subinterfaces for this purpose. You will only complicate your setup and cause problems.
  To  be able to use the new public IP address range its basicly mostly up to  the ISP configurations. As long as the ISP has routed the new public  subnet towards ASA outside interface it should be usable. What you do  with it is up to you.
  You could
  Start  using the new public IP address range for server NAT addresses directly  on the ASA firewall and configure Static NAT when a new LAN/DMZ server  needs it.
  You can also route the new public subnet further in to  your LAN behind the ASA and use the public subnet directly as some  subnet for server etc.
  You could also configure the public  subnet directly to some interface on the ASA if you want the ASA to be  the gateway of the network. (This would be ofcourse some other interface than the current "outside" interface)
  All of the above  depends on how your network is built. Meaning for example how your link  to ISP is configured and what kind of devices you have on your network.
  Pleare rate if the information was helpfull and/or ask more questions if the above didnt answer your questions.
  - Jouni

• Policy Nat on cisco router

  Hi Dears.
  I configurated site to site vpn on router. The peer want interesting traffic to our side user subnet must be  10.193.115.11 but our local subnet is
  10.103.70.0/24. our local subnet is also access to internet.
  local subnet: 10.10.3.70.0/24
  peer local  subnet: 10.193.128.11/23
  i think that i must be do policy nat.
  1. ip access-list extended vpn-traffic  
  permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
  2. ip access-list extended nat-ipsec
  permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
  3.ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
    ip nat inside source list nat-ipsec pool mswpool
  And i have also PAT Nat for local user.
  access-list 100 permit ip 10.103.70.0 0.0.0.255 any
  ip nat inside source list 100 interface GigabitEthernet0/0 overload
  is this configuration rigth?
  please write your comment.
  thanks.

  ok. thanks.
  at last our configuration is that:
  access-list 100 deny ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
  access-list 100 permit ip 10.103.70.0 0.0.0.255 any
  ip nat inside source list 100 interface GigabitEthernet0/0 overload
  for vpn traffic:
  ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
    ip nat inside source list nat-ipsec pool mswpool
  ip access-list extended vpn-traffic 
  permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
  ip access-list extended nat-ipsec
  permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
  you said that this configuration is help me for my aim.
  thanks again.

• Can ISE 1.2 Virtual Appliance assign VPN address pool like ACS does?

  Dear friends,
  I have observed that Cisco ISE Virtual Appliance (VMware) can act as a RADIUS server in the same manner as ACS does, but I cannot find the way of assigning an IP address to a remote VPN client (only assigning a VLAN).
  At this point I don't know if it is strictly necessary to have the IP address assignment for the remote VPN clients done in the external firewall (i. e. Cisco ASA) in this case.
  Is there any way of defining an IP address pool in the ISE itself for VPN clients authenticated against that ISE?
  If the answer is not, which ones could be the options for that assignment other than the ASA pool assignment? Could it be possible defining the corresponding address pool in an internal DHCP server that could provide the IP address to the VPN client after successful authentication through ISE?
  Any help would be really appreciated to clarifying these questions.
  Thank you and best regards.

  Please find the link below for the may help you to get the answer related to comparision and even for deployment.
  http://pmbuwiki.cisco.com/Products/ISE/Technical/Design-Config/Guest_and_Web_Portal_Services

• Can we assign IPv4 IP address pool to IPv6 VPN Client

  We are planning to enable IPv6 SSL VPN clients, Let me explain the current setup
  We have Cisco ASA firewall used for SSL VPN and Cisco ACS for user authentication and RSA for two factor authentication.
  LAN Server are in IPv4 only..
  Requirement :
  Client (IPv6) --- Cloud (IPv6) ---- Outsite(IPv6) -Cisco ASA - Inside(IPv4) ----- ACS (IPv4) & RSA (IPv4)
  Client with IPv6 internet connectivity connect to SSL VPN with IPv6, Cisco ASA outside interface with IPv6 address will receive the request.
  Qus:
  1. Will Cisco ASA check two factor authentication with ACS and RSA both are in IPv4 address for an IPv6 client ?
  2. Once if authenticated, Cisco ASA can assign IPv4/IPv6 address pool to the client, if i prefer only IPv4 address pool and client will get IPv4 address as tunnel interface IP address. Will it work? Means IPv4 over IPv6 SSL VPN tunnel.
  Thanks
  Sankar

  AFAIR, with SSL we support IPv4 and IPv6 assigned IP addresses, with IPsec IKEv2 we only support IPv4 addressing. 
  Query to AAA servers are separate process, from user<-> headend authentication flow, unless we're talking about IKEv2 with standard EAP methods.

• SA520 NAT/PAT not working with NAT address

  The SA520 I have is configured on one public IP address and an exchange server is behind it.  THe exchange server is configured with an internal address and the SA520 is performing NAT translation to a unique public address for the email server itself which is independant of the SA520.  It seems that the SA520 is sending email out the NAT address correctly at some time and at other times it seems to be sending the email traffic over the PAT address of the SA520 public address.  When this happens the email gets blocked due to spam lists.  Then the email will work again correctly.. and then go back.  If I use a 3rd party website to test the IP address sometime I get the correct one and sometimes I get the wrong address.
  Is there a way I can confirm that the SA520 NAT settings are correct to allow ALL outbound communications from the exchange server (which is behind the SA520)?  I may have the SA520 configuration wrong and it is possible that the SA520 is only providing inbound PAT for port 25.  How do I tell the SA520 to do a 1 to 1 NAT with the exchange server?

  Hi John,
  In order to establish a 1 to 1 NAT on the SA 500 series, as in your case, you must first you must first add an IP Alias for your 2nd WAN.  Next, you create a Firewall rule to "force" all or selected traffic from your NATed server (LAN) to the WAN to go out thru the IP ALIAS address.  Finally, we forward specific traffic from the WAN to your NATed Server (LAN) thru Firewall Rule(s).  See sample wan2lan bitmaps attached. Do this for each of the services that you will allow to come in thru the SA 520 to your Server.  As long as there are no other Firewall rules overlapping with the newly created rules, traffic to and from your NATed server will come/exit thru your ALIAS IP.
  We can verify this by performing a WAN Packet Trace (Administration-->Diagnostics -->Packet Trace)  After choosing Dedicated WAN as the Network to be captured, Click on Start to perform Packet Capture.  Go to your NATed server, and perform the following, on a command prompt window Ping google.com, open a browser window and open google.com.  On a remote machine, open a web page on your server (OWA?) to test incoming HTTP/HTTPS requests. Stop your capture, and save the packet capture file by pressing the Download button.  Open file with Wireshark/Ethereal and observe the source and destination address of the packets.  They should have the ALIAS address and not the WAN IP address.
  If the above step is good, then we have to take a look as to if and why your SMTP or email services are not being routed out the ALIAS interface. Repeat capture steps as above, but this time send an outgoing email, and test an incoming email by emailing an internal account from an outside email acount (yahoo, gmail, hotmail).
  If you still have failure, and you have IPS or ProtectLink enabled, can you run the steps that failed with IPS and/or ProtectLink both disabled?
  If there are issues, you can post the captures as a personal message to me.
  I hope the above will help narrow the issue a bit.
  Best regards,
  Julio

• RRAS 2012 With DHCP Works, Cannot Get Static Address Pool To Connect Completely

  Hello Forums Users:
  I have set up RRAS/DA 2012 successfully incorporating my AD DHCP server.   Every connection works and I see all networks that I have VPN tunnels set up with, which is totally cool.    However, I want to assign remote VPN users IP's from a
  static address pool - and while the setup completes without issue and the client connects, I can see absolutely nothing.    No good pings, no connect to Lync client, Outlook, etc. etc.
  I am OBVIOUSLY missing something but have no idea what that is.   Do I need to add something (and I really have no idea what that "something" is) to RRAS config so the static address pool (192.168.40.0 in this case) has the same access as
  the AD DHCP pool does?
  Thanks again for taking the time to check this out and comment.

  Bill:
  Thanks for the reply....  yes, the idea is to free up a pool of IP's large enough to accomodate all 170 staff.   Our current 192.168.2.x DHCP hands out 150, but I need to plan for DR/BCP when other locations (about 110 users) remote in when their
  location goes dark.
  I already have VPN tunnels between the main locations and a VPN user can see ALL of them when it gets an IP from DHCP.   Are you saying that I have to add routes to all the routers/firewalls to accomplish this?
  Or would I use IPv4 Static Routes?   A network I'd like access to is 192.168.14.0 /24.   Would the route look like any of these?   Sorry it's not clear what I would use as the gateway (192.168.2.1 is the RRAS server network gateway, 192.168.2.6
  is RRAS IP)
  Destination         Net Mask               Gateway                Interface
  192.168.14.0      255.255.255.0        192.168.2.1            LAN
  192.168.14.0    255.255.255.0
    192.168.14.254      LAN             (
  (.254 is the remote gateway)

• Load Balacing on VPN3000 with non-local address pools

  Is it possible to load balance when the VPN3000 does not have an interface in the address pools, i.e. using "non-local" address pools as the documentation puts it? I know this works without clustering by setting static routes to the pool on the nearest router. But in a clustering setup it seems to me there is no way to assign a static route since there is no way to pre-determine which cluster member the client will connect to (an additional virtual address on the private network would solve this but I suppose it's too late to hope for new features!)

  20 flows and a bit better result:
  IOS-XR               Monitor Time: 00:00:08          SysUptime: 133:33:44
                       Last Clear:   00:00:06
  Protocol:General
  Interface             In(pps)      Out(pps)      InPkts/Delta   OutPkts/Delta
  Te0/1/0/0             11794         14977             0/44696         0/44484
  Te0/1/0/1             10682          8786             0/37924         0/25456
  Te0/1/0/2             18243         16958             0/44596         0/57579
  Quit='q',     Clear='c',    Freeze='f', Thaw='t',
  Next set='n', Prev set='p', Bytes='y',  Packets='k'
  (General='g', IPv4 Uni='4u', IPv4 Multi='4m', IPv6 Uni='6u', IPv6 Multi='6m')
  Can the ASR9K more or less normal balance on uneven number of links?

• Creating connection using NAT address

  Can we use ServerSockets to create a connection to a server using the NAT address ? If yes, then does it require something different ?

  Do you want to connect an external machine to a machine behind your NAT router? Or is this completely internal? If it's interal you should be able to use the machine's private ip address.

• Analyzer 7 Across the WAN using NAT addresses

  We have acquired several companies that have their own internal ip addresses that are duplicates of some of our internal ip addresses. To overcome this we use Network Address Translation (NAT). However, we cannot get Analyzer to work with these NAT addresses. The users receive the logon page, but the "domain" box is empty. We have tried adding entries to the remote DNS's that map the NAT addresses to our servers, but this hasn't worked. Does anyone have any suggestions? Thanks!

  We have acquired several companies that have their own internal ip addresses that are duplicates of some of our internal ip addresses. To overcome this we use Network Address Translation (NAT). However, we cannot get Analyzer to work with these NAT addresses. The users receive the logon page, but the "domain" box is empty. We have tried adding entries to the remote DNS's that map the NAT addresses to our servers, but this hasn't worked. Does anyone have any suggestions? Thanks!

• Wism version 2 support feature "enable NAT address?

  hi all
  i would like to ask some question that wism v 2 support feature nat address? because i see in configuration guide it just tell about wlc 5508. So, please give me or share information.
  Thanks.

  Well that is the thing... will it work if you are using multiple ap managers?  What I was told is that the ap's still need to communicate with the management interface with the 2504, 5508... the newer stuff.  Its not like the 4400's where if you break up the management and the ap manager, you can actually isolate the ap manager on a vlan with the aps and the aps will communicate with the ap manager interface only.  The newer controllers don't function like that.  We had a client that migrated  and wanted to keep everything the same.... well it didn't work.  We had to enable routing between the ap manager subnet and the management.  I never split them apart and don't know why people do
  Maybe we can get George to test it out
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Send RTP stream to NAT address

  Hi,
  i want to transmit a RTP stream from a server to a host in a LAN.
  This host has a NAT address and it's non real IP address, so i can't send any stream trought usage of SessionManager API because it need to know a public IP.
  The other issue is that in a LAN, in most popular cases, there is a firewall that close the connection from internet to their hosts.
  I think this solution:
  1) LAN's hosts can intiate the connection with server sending a non real RTP data
  2)Server store the SessionManager of this connection
  3)server can send your RTP stream now
  Someone have a more good solution or any suggestion?
  Thank for all
  [email protected]

  I have one appletTransmitter that capture video from webcam and transmit it to other client on internet.
  I try to transmit medialocator from appletTransmitter to servlet1 and then save MedialLocator as servlet attribute, then other client can connect to servlet2 that send saved MediaLocator to appletClient.
  APPLETTRANSMITTER:
  URL url=null;
  MediaLocator media=new MediaLocator("vfw://0");
  try{
  url = new URL("http://localhost:8080/servlet1");
  catch(MalformedURLException mue){mue.printStackTrace();}
  URLConnection conn=null;
  try{
  conn = url.openConnection();
  catch(IOException ioe){ioe.printStackTrace();}
  conn.setDoOutput(true);
  OutputStream os=null;
  ObjectOutputStream oos=null;
  InputStream in=null;
  ObjectInputStream iin=null;
  MediaLocator mResp=null;
  String r=null;
  try{
  os=conn.getOutputStream();
  oos=new ObjectOutputStream(os);
  oos.writeObject(media);
  //oos.writeObject("Prova Servlet");
  oos.flush();
  catch(IOException io){io.printStackTrace();}
  catch(ClassNotFoundException cn){cn.printStackTrace();}
  SERVLET1
  ObjectInputStream objin = new ObjectInputStream(request.getInputStream());
  MediaLocator ml =null;
  try{
  ml = (MediaLocator) objin.readObject();
  context.setAttribute("media",ml);
  catch(ClassNotFoundException e)
  {e.printStackTrace()}
  But on servlet1 there is a ClassNotFoundException: MediaLocator
  What do we think about the solution and exception problem?
  Best Regards,
  Nico from Italy