[Question] Dynamic NAT on 2 different networks

Hi,
I just want to ask if it's possible to have the same dynamic translation within 2 different networks like:
interface gig 0/1
1.1.1.1 255.255.255.0 (LAN Connection w/ DHCP enabled)
interface gig 0/2
2.2.2.1 255.255.255.0 (Wireless Connection w/ DHCP enabled)
Actually, the scenario was 1.1.1.1 is my LAN connection and 2.2.2.1 is my Wireless connection.
Hope this merits their favorable response. Thanks.

Hi,
Do you mean that you want both of the said LAN networks to use Dynamic NAT/PAT towards a third interface on the ASA?
If you simply want to use the same NAT/PAT address for 2 different networks on the ASA then you can use the following configurations as example
These are PAT translations to a single IP address. Using a NAT Pool would change the configurations slightly.
For ASA software 8.2 and below
global (outside) 100 3.3.3.1
nat (inside) 100 1.1.1.0 255.255.255.0
nat (wireless) 100 2.2.2.0 255.255.255.0
Where
outside,inside and wireless = Interface "nameif" on the ASA firewall
100 = Is just an ID number for the NAT configuration. You can use other one also
For ASA software 8.3 and after
object-group network PAT-SOURCE-NETWORKS
network-object 1.1.1.0 255.255.255.0
network-object 2.2.2.0 255.255.255.0
nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
nat (wireless,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
Where
PAT-SOURCE-NETWORKS = Is an "object-group" where you can define the source networks for the NAT/PAT rule
Hope this helps. Please if you found the information helpful
Feel free to ask more if this didn't answer your question.
- Jouni

Similar Messages

  • Dynamic nat entire group

    Hello,
    Is there any way to setup dynamic nat for an entire group without having to setup dynamic nat for every single network?
    For example,
    network a: 10.168.32.0/24
    network b: 10.184.32.0/24
    network c: 10.16.38.0/24
    I want to setup dynamic nat for all of these subnets at one time.
    Of course I have more than 3, more like 200 of them, so I don't want to have to setup dynamic nat individually.
    Thanks,
    Dan.

    Hi,
    Well if you want to perform Dynamic PAT to different public IP addresses based on source interface for example then you could do it in the following way
    object network INSIDE-PAT
    host 1.1.1.1
    object network DMZ-PAT
    host 1.1.1.2
    nat (inside,outside) after-auto source dynamic any INSIDE-PAT
    nat (dmz,outside) after-auto source dynamic any DMZ-PAT
    You could follow the above logic that applies to your network setup.
    Of course if you have only one source interface but several different networks or groups of networks that you want to use different PAT IP addresses then you would have to create the source address group for those networks
    For example
    object network PRODUCTION-PAT
    host 1.1.1.1
    object network TESTING-PAT
    host 1.1.1.2
    object-group network PRODUCTION-NETWORKS
    network-object 10.10.0.0 255.255.0.0
    network-object 10.20.0.0 255.255.0.0
    object-group network TESTING-NETWORKS
    network-object 10.30.0.0 255.255.0.0
    network-object 10.40.0.0 255.255.0.0
    nat (inside,outside) after-auto source dynamic PRODUCTION-NETWORKS PRODUCTION-PAT
    nat (inside,outside) after-auto source dynamic TESTING-NETWORKS TESTING-PAT
    or was it something else that you were after?
    - Jouni

  • Using both Dynamic and Static NAT with two Different Internet facing Subnets

    We have two Class C Public Address subnets. We started with Subnet (A) and have many of our Internet accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 8.3(2) and started Migrating the Users and new servers to it so I started with our second Class C Subnet (B). Later on down the road I found out that if the Firewall's Default Gateway is set to a (B) Interface subnet, then the servers that are statically mapped to an (A) Address will have a (B) address when they communicate out to the internet. So they are receiving packets on their (A) Address, though replying to them with a (B) address.
    It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external Address when communicating outbound as well as inbound. 
    So For instance I want the Following: when the Internal Replies I want the reply to come from the mapped IP, not a IP from the Dynamic Pool. 
    Public IP: 192.168.1.100/24
    Internal IP: 10.0.0.100/16
    Public IP: 192.168.5.101/24
    Internal IP: 10.0.0.101/16
    interface Ethernet0/0
    description 192.168.1.0/24 Network Outside IP
    nameif outside-1
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/1
    description 192.168.5.0/24 Network Outside IP
    nameif outside-5
    security-level 0
    ip address 192.168.5.1 255.255.255.0
    interface Ethernet0/2
    description inside 10.0.0.0/16
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.0.0
    object network serverA_o
    host 192.168.1.100
    object network serverA_i
    host 10.0.0.100
    object network serverB_o
    host 192.168.5.101
    object network serverB_i
    host 10.0.0.101
    object network 192-168-1-NAT-POOL
    range 192.168.1.50 192.168.1.239
    nat (inside,outside-1) source static serverA_i serverA_o
    nat (inside,outside-5) source static serverB_i serverB_o
    nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
    object network serverA_i
    nat (inside,outside-1) static serverA_o
    object network serverB_i
    nat (inside,outside-5) static serverB_o
    route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
    route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2
    When I set this up my serverB shows a Public IP of something in the 192-168-1-NAT-POOL Not 192.168.5.101
    Any Suggestions?
    Thanks!

    Not sure why I have Multiple Entries. )-: I did think it was Odd. I think it might be because I was looking at examples of the new and old styles of NAT.
    We have a Single ISP, though have 2 separate non-Contiguous  Class C Addresses from them. We host some Servers on one subnet and some on the other. 
    I'm looking for a way to use both Subnets on the same ASA. 
    The Connection to the net looks like this:
    Internet -> Edge Router Layer3 VLAN Switch
    GE0/1.2 - 192.168.1.1 VLAN Tagged --> GE0 - VLAN Tagged
    GE0/1.2 - 192.168.5.1 VLAN Tagged -^
    Layer3 VLAN Switch Firewall
    GE1 192.168.1.0/24 Untagged -> ASA Outside-1
    GE2 192.168.5.0/24 Untagged -> ASA Outside-5
    Firewall
    ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100
    Hope that helps clarify.
    I could try to post some sanitized Configs of my PIX and ASA if needed.  But the end result I'm trying to do is have the ASA do NAT for multiple Public Subnets. 

  • I need step by step instructions to set up Remote Desktop between 2 computers on 2 different networks. Please dumb it down for me.

    I need step by step instructions to set up Remote Desktop between 2 computers on 2 different networks. Please dumb it down for me.

    I need to do the same, but with more than one computer behind a dynamic-IP NAT:
    OS X Server A -|
                   |
    OS X Client 1  |- NAT Router Fixed IP ---|
                   |                         |
    OS X Client 2 -|                         |
                                             |
    OS X Client 3 -|                         |
                   |- NAT Router Dynamic IP -| Internet
    OS X Client 4 -|                         |
                                             |
    OS X Client 5 -|                         |
                   |- NAT Router Dynamic IP -|
    OS X Client 6 -|
    I have ARD installed on Client 1 and Client 3 (different locations where I'm at) and I need to manage Client 5 and 6 (and the others, but that amounts to the same problem). Since there are multiple computers behind the NAT, I cannot just patch a port through. I want a secure solution as the traffic goes via the internet.
    I have been thinking about letting the users of Client 5 and 6 set up a VPN link to the NAT Router of Client 1 when they need assistance, but when I want to manage this from Client 3, all traffic goes over two VPNs, let alone if the router at Client 1 can manage this in a stable way.
    Probably, two assignments in the router of client 5 & 6 would be nice, but can I tell ARD to use different ports for certain machines?

  • How do I access a USB server on a "different network segment"?

    I have tried posting this question in the Server community but with no response, however I believe the solution will be achieved through Terminal and I believe there will be those versed in the use of Terminal here, so here goes.
    I have a USB Server with four ports attached to my ethernet LAN. If I enter the IP address into Safari it shows me the Server details and the details of any item attached to any of the ports. However I cannot access anything on the server. If I put the IP address into Connect to Server I get an error message. Apparently the Server is on a "different network segment". How can I overcome this?
    Attached pages from Safari.

    MyBook USB=junk.
    If you search the forums you will find many users with problems with this particular brand.
    Does this drive have an external AC power supply brick? If not, Apple recommends the use of a powered USB hub.

  • Best way to merge 2 different networks/companies in same building

    I would like to get some thoughts on best practice regarding joining 2 different networks in the same building. 2 different companies, 2 different networks, we are merging. Once networks are joined we will trust the windows domains.
    Both networks are using 3750's for core switching. So I would assume running fiber from Company1 core to Company2 core via trunking and sharing select vlans across the cores would be least expensive and most secure route?
    Other ideas or flaws in the idea I have presented?
    Thanks!

    Other than the usual subnet and routing issues, stringing trunk fiber between the switches sounds good.
    If there are multiple firewalls and ISP's involved, you'll have to pay close attention to the routing topology, or reengineer to reduce the complexity.
    If there is overlap in subnet usage, you might want to renumber one side.  Using NAT internally will be an ongoing maintenance headache.
    -- Jim Leinweber, WI State Lab of Hygiene

  • Dynamic NAT ASA 8.4 Packet Tracer not working

    Hi guys,
    I've tried to ping and go to a site from 192.168.1.6 to 10.10.10.12, but it's not working. I've followed a couple dynamic NAT tutorials, but I can't figure out what I'm missing. The config is below, and I'd appreciate any help.
    Thanks!
    ASA Version 8.4(2)
    hostname ciscoasa
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.2 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.0.0.0
    object network inside-subnet
    subnet 192.168.1.0 255.255.255.0
    object network inside-subnet
    nat (inside,outside) dynamic interface
    telnet timeout 5
    ssh timeout 5
    dhcpd address 192.168.1.5-192.168.1.35 inside
    dhcpd auto_config outside

    Thanks guys. I'm one step closer. I can ping from 192.168.1.0 to 10.0.0.0, but I can't open a webpage. I try visiting 10.0.0.6/index.html in packet tracer and get a "Request time out" message. I tried to mirror the ACL for www, but it's not working. 
    Does anyone have a suggestion? My updated config is below.
    Thanks!
    ASA Version 8.4(2)
    hostname ciscoasa
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.0.0.1 255.0.0.0
    object network inside-subnet
    subnet 192.168.1.0 255.255.255.0
    object network outside-subnet
    subnet 10.0.0.0 255.0.0.0
    access-list TEST extended permit icmp any any echo-reply
    access-list TEST extended permit tcp any any eq www
    access-list http extended permit tcp any any eq www
    access-list http2 extended permit udp any any eq www
    access-group TEST in interface outside
    object network inside-subnet
    nat (inside,outside) dynamic interface
    telnet timeout 5
    ssh timeout 5
    dhcpd auto_config outside
    dhcpd address 192.168.1.5-192.168.1.35 inside
    dhcpd enable inside

  • Problem using Tuxedo from different network

    We are using Tuxedo (7.1) with Clarify eFrontOffice.
    We are trying to access Tuxedo from a different network. We have a NAT address and opened the port for WSL (48800) and also a range (specified in the ubbconfig and compiled) specified for the WSH. When the Clarify client is started, it is connecting to the WSL on port 48800. When tuxedo returns the WSH port to the Client, it is also returning the IP of the server. Since the IP is not recognized in the 2nd network the communication is failing. Is there a way to return server name instead of IP or a different IP?
    Thanx

    Raju,
    When using Network Address Translation with /WS you should specify the -H
    option to WSL (after the -- option) so that the address of the WSH can be
    mapped back to an address that the client will understand. A bug related to
    the WSL -- -H option was fixed at Tuxedo 7.1 rolling patch level 165, so you
    should obtain the latest 7.1 rolling patch if you are running at an earlier
    patch level.
    The description of the -H option at
    http://e-docs.bea.com/tuxedo/tux71/html/rf537.htm is as follows:
    [-H external-netaddr]
    Specifies the complete network address to be used as a well known address
    template of the WSH process. The address will be combined with a WSH network
    address to generate a well known network address used by the Workstation
    client to connect to a WSH process. It has the same format as the -n option
    except that it substitutes the port number with same length of character M
    to indicate the position of the combined network address will be copied from
    the WSH network address. For example when address template is
    0x0002MMMMdddddddd and WSH network address is 0x00021111ffffffff then the
    well known network address will be 0x00021111dddddddd. When address
    template starts with "//" network address type assumes to be IP based and
    the TCP/IP port number of WSH network address will be copied into the
    address template to form the combined network address. This feature is
    useful when Workstation client needs to connect to a WSH through a router
    which performs Network Address Translation.
    <Raju Vatsavayi> wrote in message news:[email protected]...
    We are using Tuxedo (7.1) with Clarify eFrontOffice.
    We are trying to access Tuxedo from a different network. We have a NAT address and opened the port for WSL (48800) and also a range (specified in
    the ubbconfig and compiled) specified for the WSH. When the Clarify client
    is started, it is connecting to the WSL on port 48800. When tuxedo returns
    the WSH port to the Client, it is also returning the IP of the server. Since
    the IP is not recognized in the 2nd network the communication is failing. Is
    there a way to return server name instead of IP or a different IP?
    Thanx
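The template substitution described in the quoted `-H` documentation, as an added example (not code from BEA/Tuxedo or from the posters). The decoding of the hexadecimal form as family, port and IPv4 address is an assumption based on the usual socket-address layout, and the second address pair is constructed sample data.

```python
import ipaddress
import re

# -H template: "0x", hex digits, one contiguous run of 'M' marking the port field.
TEMPLATE_RE = re.compile(r"^0x[0-9a-fA-F]*M+[0-9a-fA-F]*$")
# Plain hexadecimal network address: "0x" followed by whole bytes.
HEX_ADDR_RE = re.compile(r"^0x(?:[0-9a-fA-F]{2})+$")


def combine_wsh_address(template: str, wsh_addr: str) -> str:
    """Return the address given to the Workstation client.

    Every 'M' in the template is replaced by the character at the same
    position in the WSH address; all other template characters are kept.
    """
    if not TEMPLATE_RE.match(template):
        raise ValueError("template must be 0x... hex with a run of M for the port")
    if not HEX_ADDR_RE.match(wsh_addr):
        raise ValueError("WSH address must be 0x followed by hex byte pairs")
    if len(template) != len(wsh_addr):
        raise ValueError("template and WSH address must have the same length")
    return "".join(w if t == "M" else t for t, w in zip(template, wsh_addr))


def decode_hex_address(addr: str):
    """Split a 0x address into (family, port, IPv4 string).

    ASSUMPTION: 2 bytes address family, 2 bytes port, 4 bytes IPv4 address,
    all big-endian, as in the page's 0x0002MMMMdddddddd example.
    """
    if not HEX_ADDR_RE.match(addr) or len(addr) != 18:
        raise ValueError("expected 0x plus 16 hex digits")
    raw = bytes.fromhex(addr[2:])
    family = int.from_bytes(raw[0:2], "big")
    port = int.from_bytes(raw[2:4], "big")
    host = str(ipaddress.IPv4Address(raw[4:8]))
    return family, port, host


def client_view(template: str, wsh_addr: str) -> dict:
    """Show what the server binds to versus what the client is told to dial."""
    combined = combine_wsh_address(template, wsh_addr)
    return {
        "internal": decode_hex_address(wsh_addr),
        "external": decode_hex_address(combined),
        "combined": combined,
    }


if __name__ == "__main__":
    # Values from the quoted documentation.
    print(client_view("0x0002MMMMdddddddd", "0x00021111ffffffff"))
    # Constructed sample: WSH on 10.0.0.5:48801 behind a NAT address of
    # 203.0.113.10 (documentation range). The port is carried over unchanged,
    # so the NAT device has to forward the WSH port range one-to-one.
    print(client_view("0x0002MMMMcb00710a", "0x0002bea10a000005"))
```

Only the IP portion is rewritten; the port always comes from the WSH, which is why the WSH port range opened on the firewall must map to the same port numbers internally.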

  • PcAnywhere and dynamic NAT

    I have Bordermanager 3.51 that uses dynamic NAT on the public interface
    connected to DSL with a static IP address. I have followed TID #
    10024898 " Creating filter exception for PCAnywhere".
    I have double checked settings of the filter exceptions but still cannot
    remote access an internal host using PcAnywhere v 11.0. My question is
    should I be using dynamic NAT or static nat or a static/dynamic nat
    configuration ?
    Thanks,
    Karl

    > In article <HmmFc.236$[email protected]>, wrote:
    > > . My question is
    > > should I be using dynamic NAT or static nat or a static/dynamic nat
    > > configuration ?
    > >
    > If you want inbound pcAW traffic, you have two choices when NAT is
    > involved: static NAT, or generic proxies. (Both are described in my
    > BMgr / Filtering books at the URL below).
    >
    > You will not be able to get to an internal PC with just dynamic NAT
    > enabled. There is no way to route the packets in then.
    >
    > Craig Johnson
    > Novell Support Connection SysOp
    > *** For a current patch list, tips, handy files and books on
    > BorderManager, go to http://www.craigjconsulting.com ***
    Thanks Craig for your direction. I will check out the URL
    Happy 4th !
    >

  • Dynamic NAT (1841 & n00b)

    Hi all. (waiting for TAC support to register me)
    I'm trying to find information on setting up a Dynamic NAT for my 1841 using the SDM. I know how to do the static NATs and they seem to work fine. However, our Japan office would like Dynamic NAT. Where can I find info on how to set this up?
    I have a range of server addresses on my network (E0) from 10.1.10.16 to 10.1.10.40/24. The addressing I have for these on the "outside" (E1) is 172.25.1.16 to 172.25.40/16.
    I tried to set this up, but it seemed that the router duplicated all of my server addresses and my systems weren't happy.
    Thanks for any assistance.
    BC

    OK.
    I had to attach it since it's too long to post.
    Thanks for any insight. The router for the Japan office is 172.25.1.1.

  • Does tcp works on different networks

    Hello, 
    I have a problem with TCP/IP communication. 
    I write a program for TCP/IP communication (server-client) and it works fine when I tested in office (the same network). But when I tested program when server and client VI are connected to different network I don't have any communication.
    Does TCP/IP work when client.VI and server.VI are connected to different networks? If not, does anybody have suggestion which protocol to use? Problem is that server VI must be in exe format but client VI must be open for change.  
    Thanks

    I think we have to clear up some things before going into detailed "debugging".
    First off, when talking about "networks", I expect you to refer to "LAN" (local area network). A LAN often uses a dedicated "subnet" identification, which is a combination of the IP address(es) and the subnet mask. The subnet mask defines which part of the IP address refers to the LAN identification, the "rest" of the IP refers to the specific PC.
    An IP(4) address consists of four bytes, a subnet mask gives instruction on how many bits and bytes are the "LAN ID". Subnet masks often are 255.255.255.0.
    So when saying "works in office (same network)", you do mean: same subnet. Correct?
    (All IP addresses share the same values in the bytes of the subnet mask, but differ in the rest. Example: PC A 192.168.1.12, subnet 255.255.255.0. PC B 192.168.1.15, subnet 255.255.255.0.)
    If the PCs are NOT within the same subnet, it depends on the network setup on how to proceed. If there is a "direct connection path" from A to B, simply the target IP address is sufficient (e.g. A 192.168.1.15, subnet 255.255.255.0, B 11.88.2.126, subnet 255.255.255.0 works if subnet 192.168.1 has direct connection to subnet 11.88.2).
    If there is NO direct connection, you require "port forwarding" on the hardware (router) in between. This can get quite difficult.
    So depending on the goal of this request, you maybe better re-architect the approach of loading dynamic components in your application.
    Norbert
    CEO: What exactly is stopping us from doing this?
    Expert: Geometry
    Marketing Manager: Just ignore it.

  • Profile Manager on Devices on a Different Network

    Hello,
    I currently have profile manager setup and working on 266 iPads. After I set them all up, 66 of those iPads moved to a temporary location across the street. They are using a different network than my server. (different line, gateway, firewall etc).
    My question is, is there any way I can push out apps / update profiles to those 66 iPads? I do not want to change any settings on the iPads if possible. Please let me know any suggestions you guys have.
    I have a mac mini server 10.8.5
    iPads are running 7.0.2
    Profile manager works completely fine on the devices in the network.

    I too am having this issue. My Mac mini server is hosted in a datacenter off-network from my other devices. Currently, the only way to grab updates is to VPN into the server to have them pull down to the client machines. I run a mix of MacBook Pros, iPhones and desktop Macs.
    A solution on this would be extremely helpful, as I do not want the end users to have to VPN in to pull an update from the Profile Manager all the time.

  • How to use two different network cards on RT?

    Hi everyone... I'm currently working on a project where I have to deal with the issue mentioned in the thread's topic: I have a PC with RT LabVIEW that has to be able to establish network connections using two different network cards. One will be used to connect via TCP/IP with a host computer that will show the data transmitted through shared variables; the other will communicate with another PC through Modbus protocol. The key is that each communication is done through a separate network card.
    So far I haven't been able to figure out how to configure both things to happen. Does anyone know how to do this? Any tips will help.
    For the RT communication I'm using a standard RT project, with the RT PC being given one of the IPs, and for the Modbus part, I created an I/O server with a master and a slave. Separately everything works fine, but when I get them together it simply won't work.
    Thanks for your help!

    Sorry it took me so long to answer, I've been busy lately....I've found a solution to the problem I mentioned, and just in case anyone has similar problems in the future, I'll shortly describe what happened.
    As Caseyw suggested, it was necessary to enable both network cards through the Measurement and Automation Explorer. The cause of the connections malfunction was actually that I wasn't using the "right" protocol for the Modbus communication, which ran on the secondary adapter. The solution was to use the URL protocol with the correct path on the field, addressing the right IP address. To avoid making this post a mixture of topics, I won't elaborate further, but I got the gist of it, so if anyone is having similar problems whether it is working with several network cards or with Modbus communication protocols, feel free to contact me, I'll be glad to help.
    Thanks

  • When i put my own contacts into my iphone 3gs and deleted existing ones, the same happened on my mums iphone 4? my iphone was hers previously, but has been unlocked by o2, we have different networks and were 12 miles apart when i did it!

    My mum upgraded last week from iphone 3gs to iphone 4, I got the iphone 3gs unlocked as of this morning and proceeded to remove her contacts and put my own in.
    Several hours later she came home from work to find her contacts on the iphone 4 had been replaced with the same list i had put on mine!
    We have different networks, different itunes accounts etc, I can't understand why or how this has happened or most importantly how to fix it as she has lost all her numbers and is understandably very very cross....

    contacts are not visible in back up, but if she restores from that back up - contacts will come back to phone. Then all her apps and music have to be synced back again. She will also have all other personal info return to the phone, but all that info will be as old, as back up itself.

  • How do I set up different network locations with different wifi?

    I am having an issue setting up different network locations with different wifi profiles on each. I want to do this to enable fast switching of wireless networks. In my house I have two wireless networks, my own personal one and one that is created by using a wifi modem supplied by my company. If I use the company wifi network then I can get into all my work applications without having to enable VPN access separately. It is also faster. However, they also block many applications including sending email from my personal email account, dropbox, etc. So throughout the day I need to switch wireless networks back and forth.
    I was looking for a faster way to switch and thought I would try network locations. Was able to set up a new network location without issue. However it seems that whatever wireless preferences, changes, or wifi network order I put into my "Work" location it carries over to my other location which is the standard "Automatic".
    What I would like is to have my "Work" location only to be able to connect to my work wifi and my other network (Automatic) to just connect to my home wifi only. That way I can enable faster wifi switching and can even use my launcher program (Alfred) to provide shortcuts.
    Any way to do this?
    Thanks in advance for any help or advice.

    Just thought I would bump this up in the conversation. Doing a further search I came across this discussion which is similar: Connecting to a wireless network via applescript?
    However, I tried to build the Automator application as discussed and cannot get it to work. Very much a novice at Applescript and Shell Script but have created customized Automator services before. All I get now is "Shell Script command encountered an error". No more detail. I copied and pasted the script as shown in the email thread. Is there any other line or command I need to place in front of it?
    Thanks again for any help
