Reverse PAT/NAT?

Someone save me from my confusion.
I'm familiar with the classic use case of NAT/PAT, where internal hosts use many-to-one or one-to-one NAT when going outbound. What I'm not as familiar with is what I can use if I have a 10,000-port range that external hosts request inbound to a host, and I want my firewall to forward that 10,000-port range to a single port.
inbound port range: 10,000-20,000
destination ip: 10.10.10.15 "internal host, public IP accessible IP"
translated port: 440
translated ip: 10.10.10.15 "same as original"
source ip: any "internet"
Basically, port forwarding for a range of ports to a single port.
Where I think I'm getting caught is the basics of TCP/IP, where a client chooses a random port for its source port and sets the destination as the destination port, in my case 10,100. This hits my firewall with the destination port 10,100 and a source port randomly chosen by the client, let's say 4570. The firewall would then say, I want to translate this 10,100 to the destination port of 440 and point it at my internal host 10.10.10.15. When the packet arrives at 10.10.10.15 it arrives with a source port of the now translated port 440. The firewall would not know how to get back to the original client that requested with source port 4570, thus my original request is not possible? This is where I'm at in my mind on why this doesn't work, but then again, I'm thinking that a PAT table could keep track of these connection mappings and broker the connection.

Hi,
I would imagine that you would need to have a firewall running software level 8.3 or newer.
What you could try is the following:
object network REAL-HOST
host 10.10.10.15
object network MAPPED-HOST
host 1.1.1.1
object service REAL-PORT
service tcp source eq 440
object service MAPPED-PORT-RANGE
service tcp source range 10000 20000
nat (inside,outside) source static REAL-HOST MAPPED-HOST service REAL-PORT MAPPED-PORT-RANGE
Where the 1.1.1.1 is the public NAT IP address.
This configuration would essentially mean that any connection coming to the destination IP address 1.1.1.1 on destination port TCP/10000 - 20000 would be forwarded to the actual host 10.10.10.15 on destination port TCP/440.
I have personally never had the need to even think about a configuration like this, so I am not sure what you are going to use this for. That being said, I have not tested this other than with the "packet-tracer" command to test that it performs as it's supposed to.
- Jouni
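The exchange from the question, worked through as an added example (not code from the thread or from the ASA): a stateful translation table behind a static PAT that funnels mapped 1.1.1.1 tcp/10000-20000 onto real 10.10.10.15 tcp/440. The client address 203.0.113.7 and its source port 4570 are constructed; the reverse flow is resolved from the connection entry keyed on the client's own address and port, which is what answers the "how does the firewall get back to 4570" worry, and the many-to-one collision a real firewall has to refuse is shown too.

```python
"""Stateful translation table behind a static PAT that maps an inbound
destination-port range onto one real port (added example, not the thread's
own configuration)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticPat:
    """Bidirectional port-range PAT with a connection table.

    The server never sees the mapped destination port: every translated
    connection reaches it as <client_ip>:<client_port> -> real_ip:real_port.
    The firewall therefore remembers, per client address and port, which
    mapped port the client originally used, and restores it on the reply."""

    def __init__(self, mapped_ip, lo, hi, real_ip, real_port, proto="tcp"):
        self.mapped_ip, self.lo, self.hi = mapped_ip, lo, hi
        self.real_ip, self.real_port, self.proto = real_ip, real_port, proto
        # key: (proto, client_ip, client_port) -> mapped dst port the client used
        self.conns = {}
        self.log = []  # drop reasons, roughly what a syslog would show

    def inbound(self, pkt):
        """outside -> inside. Returns the translated packet, or None if dropped."""
        if (pkt.proto != self.proto or pkt.dst_ip != self.mapped_ip
                or not self.lo <= pkt.dst_port <= self.hi):
            self.log.append(f"no NAT match for {pkt}")
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        known = self.conns.get(key)
        if known is not None and known != pkt.dst_port:
            # Many-to-one: the same client socket talking to two mapped ports
            # would collapse into one inside 5-tuple, so the reverse flow
            # could not be disambiguated. Refuse the second connection.
            self.log.append(f"conn collision: {key} already mapped to {known}")
            return None
        self.conns[key] = pkt.dst_port
        return replace(pkt, dst_ip=self.real_ip, dst_port=self.real_port)

    def outbound(self, pkt):
        """inside -> outside (server reply). Restores the client's view."""
        if (pkt.proto != self.proto or pkt.src_ip != self.real_ip
                or pkt.src_port != self.real_port):
            self.log.append(f"reply not from the translated service: {pkt}")
            return None
        orig_port = self.conns.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if orig_port is None:
            # No conn entry: this is not a reply to anything we translated.
            self.log.append(f"no conn entry for reply {pkt}")
            return None
        return replace(pkt, src_ip=self.mapped_ip, src_port=orig_port)


def demo():
    """SYN in, SYN-ACK back, then the failure cases. Returns what the firewall
    emitted (None where it dropped) plus its drop log."""
    fw = StaticPat("1.1.1.1", 10000, 20000, "10.10.10.15", 440)
    syn = Packet("tcp", "203.0.113.7", 4570, "1.1.1.1", 10100)   # constructed client
    to_server = fw.inbound(syn)
    # the server answers from 440 to exactly the client socket it saw
    reply = Packet("tcp", to_server.dst_ip, to_server.dst_port,
                   to_server.src_ip, to_server.src_port)
    to_client = fw.outbound(reply)
    out_of_range = fw.inbound(Packet("tcp", "203.0.113.7", 4571, "1.1.1.1", 9999))
    stray_reply = fw.outbound(Packet("tcp", "10.10.10.15", 440, "203.0.113.7", 5000))
    collision = fw.inbound(Packet("tcp", "203.0.113.7", 4570, "1.1.1.1", 10200))
    return {"to_server": to_server, "to_client": to_client, "out_of_range": out_of_range,
            "stray_reply": stray_reply, "collision": collision, "log": fw.log}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```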

Similar Messages

  • Asymmetric NAT rules matched for forward and reverse flows - NAT Issue

    Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, the VPN IPsec remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) and 192.168.9.0/24 (called Inside).
    The Error:
    5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
    I understand this is a NAT issue, but I'm not seeing the error and could use a second set of eyes. Here's my current running configuration.
    : Saved
    ASA Version 8.3(2)
    hostname fw1
    domain-name xxxxxxxx.xxx
    enable password <removed>
    passwd <removed>
    names
    interface Vlan1
    description Town Internal Network
    nameif inside
    security-level 100
    ip address 192.168.9.1 255.255.255.0
    interface Vlan2
    description Public Internet
    nameif outside
    security-level 0
    ip address 173.xxx.xxx.xxx 255.255.255.248
    interface Vlan3
    description DMZ (CaTV)
    nameif dmz
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    interface Vlan10
    description Infrastructure Network
    nameif InfraNet
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan13
    description Guest Wireless
    nameif Wireless-Guest
    security-level 25
    ip address 192.168.1.1 255.255.255.0
    interface Vlan23
    nameif StateNet
    security-level 75
    ip address 10.63.198.2 255.255.255.0
    interface Vlan33
    description Police Subnet
    shutdown
    nameif PDNet
    security-level 90
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport trunk allowed vlan 1,5,10,13
    switchport trunk native vlan 1
    switchport mode trunk
    speed 100
    duplex full
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    switchport trunk allowed vlan 1,10,13
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/5
    switchport access vlan 23
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    switchport trunk allowed vlan 1
    switchport trunk native vlan 1
    switchport mode trunk
    shutdown
    banner exec                     Access Restricted to Personnel Only
    banner login                     Access Restricted to Personnel Only
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name xxxxxxx.xxx
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object service IMAPoverSSL
    service tcp destination eq 993
    description IMAP over SSL     
    object service POPoverSSL
    service tcp destination eq 995
    description POP3 over SSL     
    object service SMTPwTLS
    service tcp destination eq 465
    description SMTP with TLS     
    object network obj-192.168.9.20
    host 192.168.9.20
    object network obj-claggett-https
    host 192.168.9.20
    object network obj-claggett-imap4
    host 192.168.9.20
    object network obj-claggett-pop3
    host 192.168.9.20
    object network obj-claggett-smtp
    host 192.168.9.20
    object network obj-claggett-imapoverssl
    host 192.168.9.20
    object network obj-claggett-popoverssl
    host 192.168.9.20
    object network obj-claggett-smtpwTLS
    host 192.168.9.20
    object network obj-192.168.9.120
    host 192.168.9.120
    object network obj-192.168.9.119
    host 192.168.9.119
    object network obj-192.168.9.121
    host 192.168.9.121
    object network obj-wirelessnet
    subnet 192.168.1.0 255.255.255.0
    object network WirelessClients
    subnet 192.168.1.0 255.255.255.0
    object network obj-dmznetwork
    subnet 192.168.2.0 255.255.255.0
    object network FD_Firewall
    host 74.94.142.229
    object network FD_Net
    subnet 192.168.6.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network obj-TownHallNet
    subnet 192.168.9.0 255.255.255.0
    object network obj_InfraNet
    subnet 192.168.10.0 255.255.255.0
    object-group service EmailServices
    description Normal Email/Exchange Services
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq https
    service-object tcp destination eq imap4
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_1
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq pop3
    service-object tcp destination eq https
    service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_2
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq https
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group network obj_clerkpc
    description Clerk's PCs
    network-object object obj-192.168.9.119
    network-object object obj-192.168.9.120
    network-object object obj-192.168.9.121
    object-group network TownHall_Nets
    network-object 192.168.10.0 255.255.255.0
    network-object object obj-TownHallNet
    object-group network DM_INLINE_NETWORK_1
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.9.0 255.255.255.0
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
    access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
    access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
    pager lines 24
    logging enable
    logging asdm debugging
    logging mail errors
    logging from-address hostmaster@xxxxxxxxx
    logging recipient-address john@xxxxxxxxx level errors
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu Wireless-Guest 1500
    mtu StateNet 1500
    mtu InfraNet 1500
    mtu PDNet 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-635.bin
    no asdm history enable
    arp timeout 14400
    nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    object network obj_any
    nat (inside,outside) static interface
    object network obj-claggett-https
    nat (inside,outside) static interface service tcp https https
    object network obj-claggett-imap4
    nat (inside,outside) static interface service tcp imap4 imap4
    object network obj-claggett-pop3
    nat (inside,outside) static interface service tcp pop3 pop3
    object network obj-claggett-smtp
    nat (inside,outside) static interface service tcp smtp smtp
    object network obj-claggett-imapoverssl
    nat (inside,outside) static interface service tcp 993 993
    object network obj-claggett-popoverssl
    nat (inside,outside) static interface service tcp 995 995
    object network obj-claggett-smtpwTLS
    nat (inside,outside) static interface service tcp 465 465
    object network obj-192.168.9.120
    nat (inside,StateNet) static 10.63.198.12
    object network obj-192.168.9.119
    nat (any,StateNet) static 10.63.198.10
    object network obj-192.168.9.121
    nat (any,StateNet) static 10.63.198.11
    object network obj-wirelessnet
    nat (Wireless-Guest,outside) static interface
    object network obj-dmznetwork
    nat (any,outside) static interface
    object network obj_InfraNet
    nat (InfraNet,outside) static interface
    access-group outside_access_in in interface outside
    access-group StateNet_access_in in interface StateNet
    route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
    route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable 5443
    http 192.168.9.0 255.255.255.0 inside
    http 74.xxx.xxx.xxx 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 173.xxx.xxx.xxx
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.9.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd lease 10800
    dhcpd auto_config outside
    dhcpd address 192.168.2.100-192.168.2.254 dmz
    dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
    dhcpd enable dmz
    dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
    dhcpd enable Wireless-Guest
    threat-detection basic-threat
    threat-detection statistics host number-of-rate 2
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 63.240.161.99 source outside prefer
    ntp server 207.171.30.106 source outside prefer
    ntp server 70.86.250.6 source outside prefer
    webvpn
    group-policy FDIPSECTunnel internal
    group-policy FDIPSECTunnel attributes
    vpn-idle-timeout none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    username support password <removed> privilege 15
    tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 173.xxx.xxx.xxx general-attributes
    default-group-policy FDIPSECTunnel
    tunnel-group 173.xxx.xxx.xxx ipsec-attributes
    pre-shared-key *****
    smtp-server 192.168.9.20
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
    : end
    Any ideas would be appreciated.
    John

    I don't see any inspection-commands in your config. Is there a reason for not using any of them?
    If your problem is only with ICMP, then you should enable at least ICMP inspection. You can do that easily with the legacy command "fixup protocol icmp".
    Sent from Cisco Technical Support iPad App

  • Configuring PAT/NAT in cisco routers

    hello, first sorry for my bad English
    I just wanted to know how to configure PAT (port address translation)
    like this?
    amir(config)#ip nat inside source static tcp 192.168.1.1 1000 172.16.1.1 1000
    or not?
    The 2nd question I have is:
    when do I need to write "ip nat inside source"... and when do I need to write "ip nat outside"?
    and the last question for now is:
    how can I (if that's possible) configure dynamic PAT - I mean that any computer on my LAN will go out to the internet with the same address but with different ports, in random mode (I mean without configuring static ones one by one)
    I hope I was clear enough, thanks a lot!

    Hi Tiger,
    1) Yes, your first statement is a static PAT statement, which says the source IP with source port 1000 is translated to 172.16.1.1 with the same port number, but yes, it is a static PAT entry.
    2) Coming to your 2nd question:
    "ip nat inside source" is a global config command which says that for any traffic which hits the inside interface, NAT the source IP address.
    "ip nat inside" is an interface mode command which should be done by going to the interface. This command specifies which will be an inside interface which will NAT the incoming traffic.
    3) Coming to your last question:
    For dynamic PAT you just need to configure the overload command at the end of your NAT statement.
    This link will give you a very broad and nice picture of how NAT can be configured in different situation
    http://www.cisco.com/warp/public/556/12.html#6
    HTH
    Ankur

  • New BM3.9 Install - Site 2 Site via PAT/NAT/DMZ?

    We are setting up 2 new BM3.9 VMs (initially for Site 2 Site VPN) for a client, but their ADSL Routers at each site only have single static IPs which are bound to the Router's public address. I believe the Routers are also providing 'Dynamic NAT' for outbound traffic.
    Would it be possible to set-up a Site 2 Site VPN and perhaps get the Routers to pass all VPN traffic (either using PAT or an all traffic DMZ LAN scenario) to the BM Servers. I am presuming within the Site 2 Site config of VPN Server - Site A you would point it at the Public address of Router - Site B (instead of the BM Server Public).....and vice versa.
    Any comments would be greatly appreciated.
    Cheers,
    Richard.

    In article <[email protected]>, Rsargeant wrote:
    > Would it be possible to set-up a Site 2 Site VPN and perhaps get the
    > Routers to pass all VPN traffic (either using PAT or an all traffic DMZ
    > LAN scenario) to the BM Servers. I am presuming within the Site 2 Site
    > config of VPN Server - Site A you would point it at the Public address
    > of Router - Site B (instead of the BM Server Public).....and vice
    > versa.
    >
    Yes, it should work. While I've only configured one end of this (example
    in my book of one BM server behind a Linksys port-forwarding router), it
    should be ok to do on both ends. As long as you forward the proper ports
    (or ALL traffic) to the BM, it will get the VPN traffic. The VPN
    responses from the server tell the other side what public IP address to
    use, which as you have surmised should be the public address of the
    router in this case.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • ICMP and NAT/PAT

    how does PAT/NAT perform on ICMP packets if there are no ports like UDP/TCP?
    best regards
    francesco

    Have a look at these documents
    http://tools.ietf.org/wg/behave/draft-ietf-behave-nat-icmp/draft-ietf-behave-nat-icmp-01-from-00.wdiff.html
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f96.shtml
    Both would help you understand
    HTH
    Hoogen
    Do rate if this helps :)

  • NAT outside to inside and inside to outside (in 8.4(2) version)

    Thanks a lot, and I attached a diagram here
    Requirement:
    need to pass traffic through from outside to inside and inside to outside.
    I also attached a diagram with the IPs
    and also tell me one thing: is NATting only for private to public or public to private?

    Hi,
    I think I replied on your post earlier as well.
    As per your query, you can NAT any kind of IP (public or private) into any kind (public or private).
    For bidirectional traffic, you always need static NAT.
    When you want unidirectional traffic, you can use dynamic NAT/PAT.
    For the Inside to Outside Traffic , you can use this NAT:-
    object network LAN
    subnet 0 0
    nat (inside,outside) dynamic interface
    For outside to inside traffic, you would only want access for certain servers, just like internally hosted web servers.
    For this, you can use static PAT/NAT:-
    object network host
    host 10.10.10.10
    nat (inside,Outside) static interface service tcp 3389 3389
    access-list outside_inside permit tcp any host 10.10.10.10 eq 3389
    This will enable you to take the RDP access for your PC from the internet.
    Is this what you want ?
    Thanks and Regards,
    Vibhor Amrodia

  • Configuring PAT for VoIP got a Turn Up today!!!

    Good Morning all,
    I have a question. I've researched around the internet to find the CLI commands to open ports TCP 5060/5061 and UDP ports 1024 to 65535 to my SIP provider. I'm a voice guy so I'm VERY new to security and I would like some assistance.
    I'm using a ASA 5505, and below is my Show Run:
    ------------------ show running-config ------------------
    : Saved
    ASA Version 8.3(2)
    hostname ECSASA-5505
    domain-name hostedatandvoice.local
    enable password <removed>
    passwd <removed>
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.252
    interface Ethernet0/0
    description COMCAST
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    banner exec EnterCloud Solutions ASA
    banner login AAA is enabled, Local access has been restricted to local Administrators and Engineers of ECS, LLC.
    banner motd EnterCloud Solutions ASA Applicance.  Unauthorized users will be logged and flagged for unauthorized access. IP's are tracked and logged and will be reported to local State and Federal agencies.
    banner motd Contact [email protected] for additional help or support.
    banner asdm WELCOME TO ECS ASA 5505 SECURITY APPLICANCE!
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name hostedatandvoice.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network Internet
    subnet 0.0.0.0 0.0.0.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object service NTP
    service tcp source eq 123 destination eq 123
    description Time Clock     
    object network STATIC-PAT
    subnet 192.168.1.0 255.255.255.0
    object network VPN-Pool
    subnet 190.168.10.0 255.255.255.240
    description VPN IP Address    
    object network SSL-VPN-POOL
    description SSL-VPN-POOL   
    object network SSL-VPN-POOL1
    object network SSL-VPN-NET1
    subnet 192.168.10.0 255.255.255.240
    object network outside_to_inside_VoIP
    host 192.168.1.8
    object-group network PRIVATE-LAN
    network-object 192.168.1.0 255.255.255.0
    object-group network SSL-VPN-NETWORKS
    description SSL VPN NETWORKS
    object-group network VPN-NETWORK
    network-object object SSL-VPN-NET1
    access-list OUTSIDE-IN extended permit udp any object STATIC-PAT eq ntp
    access-list ECSSLVPN remark Allow VPN Access to LAN
    access-list ECSSLVPN standard permit 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 1000000
    logging buffered debugging
    logging asdm debugging
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN-Pool 192.168.10.1-192.168.10.12 mask 255.255.255.240
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static PRIVATE-LAN PRIVATE-LAN destination static VPN-NETWORK VPN-NETWORK
    object network STATIC-PAT
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 x.x.x.x1
    route inside 192.168.10.0 255.255.255.255 192.168.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    email [email protected]
    subject-name CN=ESCASA-5505
    ip-address x.x.x.x
    keypair ECS-KP
    proxy-ldc-issuer
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 59203f51
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd dns 4.2.2.2 8.8.1.1
    dhcpd domain hostedatandvoice.local
    dhcpd address 192.168.1.12-192.168.1.130 inside
    dhcpd dns 4.2.2.2 8.8.1.1 interface inside
    dhcpd domain hostedatandvoice.com interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 199.249.224.123 source outside prefer
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-3.0.11042-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2
    svc enable
    group-policy DfltGrpPolicy attributes
    dns-server value 4.2.2.2
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value ECSSLVPN
    default-domain value hostedatandvoice.local
    split-dns value hostedatandvoice.com
    address-pools value VPN-Pool
    webvpn
      svc ask enable default webvpn
    username khayes password <removed> privilege 15
    username mharrell password <removed> privilege 15
    username bdillard password <removed> privilege 15
    username skonti password <removed> privilege 15
    tunnel-group ECSSLVPN type remote-access
    tunnel-group ECSSLVPN general-attributes
    address-pool VPN-Pool
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:977f2a92875a8c744753124c94adbb09
    : end

    Kenneth,
    If that's the case you can use a range of ports and create a NAT using your outside interface IP.
    object network CUCM_Private
    host 10.10.10.10
    object service Range_1024_65535
    service udp source range 1024 65535
    object service SIP_range
    service tcp source range 5060 5061
    nat (inside,outside) source static CUCM_Private interface service Range_1024_65535 Range_1024_65535
    nat (inside,outside) source static CUCM_Private interface service SIP_range SIP_range
    access-list outside_access_in permit tcp any object CUCM_Private eq 5060
    access-list outside_access_in permit tcp any object CUCM_Private eq 5061
    access-list outside_access_in permit udp any object CUCM_Private range 1024 65535
    Take into consideration that I am using different IP addresses, please use the corresponding IPs.
    Hope it helps,
    Juan Lombana

  • NAT with 8.6(1) ASA5515-X

    I want to NAT only those nets which are deployed as opposed to a
    'nat (inside) 1 0 0' as in IOS 8.2 for example.
    So I have possibly two choices.
    I can create a network object-group with my INSIDE NETS and add to it as I expand the IP usage.
    object-group network GRP_OBJECT_INSIDE_NETS
    network-object 10.16.0.0 255.255.192.0
    network-object 10.64.0.0 255.255.240.0
    network-object 10.64.64.0 255.255.240.0
    network-object 10.64.128.0 255.255.240.0
    nat (inside,outside) source dynamic GRP_OBJECT_INSIDE_NETS interface
    Or I can create separate network objects and the associated object NAT for each.
    object network N_OBJ_10.16.0.0_18
    subnet 10.16.0.0 255.255.192.0
    object network N_OBJ_10.64.0.0_20
    subnet 10.64.0.0 255.255.240.0
    object network N_OBJ_10.64.64.0_20
    subnet 10.64.64.0 255.255.240.0
    object network N_OBJ_10.64.128.0_20
    subnet 10.64.128.0 255.255.240.0
    object network N_OBJ_10.16.0.0_18
    nat (inside,outside) dynamic interface
    object network N_OBJ_10.64.0.0_20
    nat (inside,outside) dynamic interface
    object network N_OBJ_10.64.64.0_20
    nat (inside,outside) dynamic interface
    object network N_OBJ_10.64.128.0_20
    nat (inside,outside) dynamic interface
    The question is which is possibly preferred and why.
    The second would create more in-line code than the first, but there have to be other concerns.
    Thx

    Hi,
    I personally always use "object-group" to define the source addresses for the basic PAT/NAT configurations, pretty much for the reason you have already stated: the NAT configuration is easier to manage and we create a lot less configuration.
    Though I would do a minor change to the NAT configuration you mentioned first.
    I would add the "after-auto" parameter to the NAT configuration. This would move the NAT rule to Section 3 instead of Section 1 (where it would go without the "after-auto" parameter).
    nat (inside,outside) after-auto source dynamic GRP_OBJECT_INSIDE_NETS interface
    Being in Section 3 of the NAT rules, it would be one of the last NAT rules to be matched against connections coming through the ASA. I would consider this natural, as we are configuring a Default PAT rule which any connection should hit IF it does not have a more specific rule.
    If the NAT configuration you mention was inserted in the format in the original post, it might potentially override any other translations for those "inside" networks towards "outside" networks.
    The second way you mention doing the same uses Network Object NAT, which is a Section 2 NAT. I see it used in simple network setups, but personally I would only suggest using it for Static NAT and Static PAT.
    The Section 2 Network Object NAT operates a bit like the old NAT format. It gives higher priority to "static" configurations over "dynamic" ones. Inside those types it again prefers the more specific number of source addresses. In the end it might even match on the basis of how the "object" is named; in other words, look at the alphabetical order of the name of the "object" configured for the NAT.
    But as I said before, I prefer to leave Network Object NAT only for Static NAT and Static PAT. Section 1 NAT I use for NAT0 / Identity NAT / Policy NAT / Policy PAT configurations usually. And Section 3 I use for the Default PAT / NAT rules.
    If you want to read some more about the subject I could suggest a document I created on the forums.
    https://supportforums.cisco.com/docs/DOC-31116
    Naturally you can ask more on these forums.
    Please remember to rate helpful answers and mark questions as answered if they did.
    - Jouni

  • Asa5512, ver. 8.6(1)2, SMTP over NAT problem

    hi guys,
    I have a weird issue while trying to set up an smtp-server behind my asa 5512.
    The most interesting thing is that all other services like ssh, http, https, etc. work just fine...except smtp....and yes, I've disabled the inspect esmtp feature.
    object network obj-10.100.22.19
    host 10.100.22.19
    object network PAT
    subnet 10.100.22.16 255.255.255.248
    access-list inet-in extended permit tcp any host 10.100.22.19 eq smtp
    access-list inet-in extended permit tcp host X.X.X.X host 10.100.22.19 eq ssh
    access-list inet-in extended permit tcp host X.X.X.X host 10.100.22.19 eq imap4
    access-list inet-in extended permit tcp host X.X.X.X host 10.100.22.19 eq 993
    access-list inet-in extended permit tcp object-group inet-grp1 host 10.100.22.19 eq www
    access-list inet-in extended permit tcp object-group inet-grp1 host 10.100.22.19 eq https
    object network obj-10.100.22.19
    nat (serv2,inet) static Y.Y.Y.Y
    object network PAT
    nat (serv2,inet) dynamic interface
    access-group inet-in in interface inet
    What I see in the logs:
    %ASA-6-302013: Built inbound TCP connection 1733 for inet:X.X.X.X/47056 (X.X.X.X/47056) to serv2:10.100.22.19/25 (Y.Y.Y.Y/25)
    %ASA-6-302014: Teardown TCP connection 1733 for inet:X.X.X.X/47056 to serv2:10.100.22.19/25 duration 0:00:30 bytes 0 SYN Timeout
    %ASA-6-106015: Deny TCP (no connection) from 10.100.22.19/25 to X.X.X.X/47056 flags SYN ACK  on interface serv2
    So it looks like the smtp-client doesn't receive the TCP ACK while building the session and after 30 sec the ASA issues a SYN Timeout message...
    And I am sure that everything is OK with sendmail, because tcp/25 is open and working from another dmz of this ASA; the only difference is that that dmz is connected without NAT...
    Any ideas?
    Thanks in advance.
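
An added example, not from the post or from Cisco: a small Python correlator that reads ASA syslog lines of the three kinds quoted above (302013 Built, 302014 Teardown, 106015 Deny with no connection) and flags inbound TCP connections that were torn down with 0 bytes on a SYN Timeout, then checks whether a later "Deny TCP (no connection)" carrying SYN ACK exists in the reverse direction. That combination is what the log in this thread shows, and it separates "the server never answered through the firewall" from "the server's answer arrived only after the connection entry was gone". The sample log is the three lines from the post; the masked X.X.X.X and Y.Y.Y.Y addresses are kept as placeholders.

```python
"""Correlate ASA syslog lines to spot inbound TCP handshakes that never complete.

Added example; the regexes cover only the fields used here, not every
variant of these messages.
"""
import re

# %ASA-6-302013: Built inbound TCP connection <id> for <if>:<real>/<port> (<mapped>/<port>) to ...
BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\S+):(?P<src>[^/]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>\S+):(?P<dst>[^/]+)/(?P<dport>\d+) \([^)]*\)"
)
# %ASA-6-302014: Teardown TCP connection <id> ... duration <d> bytes <n> <reason>
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for \S+:[^/]+/\d+ to \S+:[^/]+/\d+ "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
# %ASA-6-106015: Deny TCP (no connection) from a/p to b/q flags <flags> on interface <if>
DENY_NOCONN = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[^/]+)/(?P<sport>\d+) "
    r"to (?P<dst>[^/]+)/(?P<dport>\d+) flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)"
)

# Sample log: the three lines quoted in the thread (masked addresses left as-is).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1733 for inet:X.X.X.X/47056 (X.X.X.X/47056) to serv2:10.100.22.19/25 (Y.Y.Y.Y/25)
%ASA-6-302014: Teardown TCP connection 1733 for inet:X.X.X.X/47056 to serv2:10.100.22.19/25 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-106015: Deny TCP (no connection) from 10.100.22.19/25 to X.X.X.X/47056 flags SYN ACK  on interface serv2
"""


def parse(log_text):
    """Split the log into built/teardown records keyed by connection id, plus denies."""
    built, torn, denies = {}, {}, []
    for line in log_text.splitlines():
        if (m := BUILT.search(line)):
            built[m["id"]] = m.groupdict()
        elif (m := TEARDOWN.search(line)):
            torn[m["id"]] = m.groupdict()
        elif (m := DENY_NOCONN.search(line)):
            denies.append(m.groupdict())
    return built, torn, denies


def find_stalled_handshakes(log_text):
    """Connections torn down on SYN Timeout with 0 bytes, with a hint on where to look."""
    built, torn, denies = parse(log_text)
    findings = []
    for cid, b in built.items():
        t = torn.get(cid)
        if not t or t["bytes"] != "0" or "SYN Timeout" not in t["reason"]:
            continue
        # Reverse 5-tuple: the server (dst) answering the client (src) with SYN ACK
        # after the ASA no longer has a connection entry for it.
        late_reply = any(
            d["src"] == b["dst"] and d["sport"] == b["dport"]
            and d["dst"] == b["src"] and d["dport"] == b["sport"]
            and "SYN" in d["flags"] and "ACK" in d["flags"]
            for d in denies
        )
        findings.append({
            "conn_id": cid,
            "client": f'{b["src"]}/{b["sport"]}',
            "server": f'{b["dst"]}/{b["dport"]}',
            "duration": t["dur"],
            "late_syn_ack_denied": late_reply,
            "hint": (
                "server SYN/ACK reached the firewall only after the connection entry was torn "
                "down: check the return path from the server (asymmetric routing, a second "
                "default gateway) and the server's response time"
                if late_reply else
                "no SYN/ACK from the server seen by the firewall at all: check the server "
                "and the segment between it and the firewall"
            ),
        })
    return findings


if __name__ == "__main__":
    for f in find_stalled_handshakes(SAMPLE_LOG):
        print(f)
```

Run it against a larger `show logging` export to list every stalled inbound handshake with the same classification; connections that never see a reverse SYN ACK point at the server side, while a late SYN ACK denied with "no connection" points at the path the reply took.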

    hi,
    I've tried to capture via tcpdump on the smtp-client and server interfaces and have seen on the client side that the SYN ACK never comes, and on the server side that it does issue this SYN ACK. So it's been dropped somewhere on the way...
    The server is connected directly to an ASA interface and the client is just a few hops away on the internet.
    Here's the configuration:
    ASA Version 8.6(1)2
    hostname ________
    no names
    interface GigabitEthernet0/0
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1.1011
    vlan 1011
    nameif vlan1011
    security-level 75
    ip address 10.100.10.11 255.255.255.0
    interface GigabitEthernet0/1.1035
    vlan 1035
    nameif inet
    security-level 50
    ip address X.X.X.Y 255.255.255.248
    interface GigabitEthernet0/2
    nameif serv1_mng
    security-level 100
    ip address 10.100.22.5 255.255.255.252
    interface GigabitEthernet0/3
    nameif serv2_mng
    security-level 100
    ip address 10.100.22.1 255.255.255.252
    interface GigabitEthernet0/4
    nameif serv1
    security-level 100
    ip address 10.100.22.13 255.255.255.252
    interface GigabitEthernet0/5
    nameif serv2
    security-level 100
    ip address 10.100.22.17 255.255.255.248
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa861-2-smp-k8.bin
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    dns domain-lookup inet
    dns server-group DefaultDNS
    name-server 8.8.8.8
    same-security-traffic permit inter-interface
    object network obj-10.100.22.19
    host 10.100.22.19
    object network PAT
    subnet 10.100.22.16 255.255.255.248
    object-group network vlan1011-grp1
    network-object 10.0.0.0 255.255.255.0
    network-object 10.100.10.0 255.255.255.0
    object-group network vlan1011-grp2
    network-object host 10.0.0.238
    network-object host 10.0.0.239
    object-group network vlan1011-grp3
    network-object host 10.100.13.50
    network-object host 10.100.14.50
    object-group network vlan1011-grp4
    network-object host 10.100.10.1
    network-object 10.0.0.0 255.255.255.0
    object-group service backup-tcp tcp
    port-object range 10080 10083
    port-object range 10100 10108
    object-group service backup-udp udp
    port-object range 10080 10083
    port-object range 10100 10108
    object-group network inet-grp1
    network-object host ____________
    network-object host ____________
    access-list inet-in extended permit icmp any any
    access-list inet-in extended permit tcp any host 10.100.22.19 eq smtp
    access-list inet-in extended permit tcp host A.A.A.A host 10.100.22.19 eq ssh
    access-list inet-in extended permit tcp host A.A.A.A host 10.100.22.19 eq imap4
    access-list inet-in extended permit tcp host A.A.A.A host 10.100.22.19 eq 993
    access-list inet-in extended permit tcp object-group inet-grp1 host 10.100.22.19 eq www
    access-list inet-in extended permit tcp object-group inet-grp1 host 10.100.22.19 eq https
    access-list vlan1011-in extended permit icmp any any
    access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 10.100.22.16 255.255.255.248 eq ssh
    access-list vlan1011-in extended permit tcp object-group vlan1011-grp2 10.100.22.16 255.255.255.248 eq 10050
    access-list vlan1011-in extended permit tcp object-group vlan1011-grp3 10.100.22.16 255.255.255.248 object-group backup-tcp
    access-list vlan1011-in extended permit udp object-group vlan1011-grp3 10.100.22.16 255.255.255.248 object-group backup-udp
    access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 host 10.100.22.19 eq www
    access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 host 10.100.22.19 eq https
    access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 host 10.100.22.19 eq imap4
    access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 host 10.100.22.19 eq 993
    access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 host 10.100.22.19 eq smtp
    tcp-map Exp_MSS
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 100000
    logging console warnings
    logging monitor informational
    logging buffered informational
    logging trap errors
    logging history informational
    logging asdm informational
    logging device-id hostname
    mtu vlan1011 1500
    mtu inet 1500
    mtu serv1_mng 1500
    mtu serv2_mng 1500
    mtu serv1 1500
    mtu serv2 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-66114.bin
    no asdm history enable
    arp timeout 14400
    object network obj-10.100.22.19
    nat (serv2,inet) static X.X.X.X
    object network PAT
    nat (serv2,inet) dynamic interface
    access-group vlan1011-in in interface vlan1011
    access-group inet-in in interface inet
    route inet 0.0.0.0 0.0.0.0 X.X.X.Z 1
    route vlan1011 10.0.0.0 255.0.0.0 10.100.10.100 1
    route vlan1011 10.0.0.0 255.255.255.0 10.100.10.1 1
    timeout xlate 9:00:00
    timeout conn 48:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca
      quit
    telnet 10.100.10.0 255.255.255.0 vlan1011
    telnet timeout 30
    ssh 10.100.10.0 255.255.255.0 vlan1011
    ssh timeout 30
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server __________ prefer
    webvpn
    class-map Exp_MSS
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class Exp_MSS
      set connection advanced-options Exp_MSS
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect http
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous

  • ACE PAT to two IP-number

    Hi all,
    ACE20 module with A2(3.3)
    I have tried to configure a NAT-pool with two addresses, but only one is used.
    class-map match-all NAT015_VLAN702
      2 match source-address 192.168.137.93 255.255.255.255
      3 match destination-address 192.168.137.0 255.255.255.255
    policy-map multi-match lb-int-vlan802
      class V13700080
        loadbalance vip inservice
        loadbalance policy V13700080-l7slb
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options PAMHTTP001
        connection advanced-options PAMCONNSV
      class NAT015_VLAN702
        nat dynamic 70203 vlan 702
      interface vlan 702
      bridge-group 802
      no normalization
      access-group input BPDU
      access-group input alla
      access-group output alla
      nat-pool 70202 192.168.32.1 192.168.32.2 netmask 255.255.255.255 pat
      nat-pool 70203 192.168.32.5 192.168.32.6 netmask 255.255.255.255 pat
      nat-pool 70204 192.168.32.9 192.168.32.10 netmask 255.255.255.255 pat
      nat-pool 70205 192.168.32.13 192.168.32.14 netmask 255.255.255.255 pat
      nat-pool 70206 192.168.32.17 192.168.32.18 netmask 255.255.255.255 pat
      nat-pool 70207 192.168.32.21 192.168.32.22 netmask 255.255.255.255 pat
      service-policy input lb-int-vlan802
      no shutdown
    Can someone tell me what is wrong?
    Regards
    Mats

    Hi Chris,
    Been away a couple of days.
    I'm doing show xlate global 192.168.32.5 and 192.168.35.6 and I never see xlates on 192.168.32.6.
    A#1/prod1# sho xlate global 192.168.32.5
    TCP PAT from vlan702:192.168.137.93/22524 to vlan702:192.168.32.5/62357
    TCP PAT from vlan702:192.168.137.93/22565 to vlan702:192.168.32.5/62396
    TCP PAT from vlan702:192.168.137.93/22600 to vlan702:192.168.32.5/62433
    TCP PAT from vlan702:192.168.137.93/22686 to vlan702:192.168.32.5/62519
    TCP PAT from vlan702:192.168.137.93/22814 to vlan702:192.168.32.5/62645
    TCP PAT from vlan702:192.168.137.93/21368 to vlan702:192.168.32.5/61201
    TCP PAT from vlan702:192.168.137.93/22514 to vlan702:192.168.32.5/64626
    TCP PAT from vlan702:192.168.137.93/22605 to vlan702:192.168.32.5/64720
    TCP PAT from vlan702:192.168.137.93/22527 to vlan702:192.168.32.5/64644
    TCP PAT from vlan702:192.168.137.93/21935 to vlan702:192.168.32.5/64052
    TCP PAT from vlan702:192.168.137.93/22863 to vlan702:192.168.32.5/64978
    TCP PAT from vlan702:192.168.137.93/22882 to vlan702:192.168.32.5/64998
    TCP PAT from vlan702:192.168.137.93/22893 to vlan702:192.168.32.5/65008
    TCP PAT from vlan702:192.168.137.93/22996 to vlan702:192.168.32.5/65113
    TCP PAT from vlan702:192.168.137.93/23012 to vlan702:192.168.32.5/65129
    A#1/prod1#
    A couple of seconds later it starts over with low port numbers
    A#1/prod1# sho xlate global 192.168.32.5
    TCP PAT from vlan702:192.168.137.93/23673 to vlan702:192.168.32.5/1279
    TCP PAT from vlan702:192.168.137.93/23728 to vlan702:192.168.32.5/1334
    TCP PAT from vlan702:192.168.137.93/23984 to vlan702:192.168.32.5/1588
    TCP PAT from vlan702:192.168.137.93/24113 to vlan702:192.168.32.5/63943
    A#1/prod1#
    This server has about 140 conn/sec at this moment, but under high load about 250 conn/sec.
    As you can see from my show command, the connection times are very short.
    Regards
    Mats Ruuth

  • NAT on ASR-1002

    Hello,
    Does anyone who uses NAT/PAT (nat overload) limit the max number of NAT translations that any one internal IP address can have?  We have had issues where people do port scans and utilise a large majority of our NAT pool.  We are doing NAT on a ASR 1002 with an ESP5.  It can do up to 250,000 NAT translations total and 50,000 new a second.  
    Now I found out that the ASR in a pool will only use the last available IP to do PAT.. The rest of the IP addresses are used for 1-1 NAT.
    Here is our NAT config
    > ip nat translation tcp-timeout 1800
    > ip nat translation udp-timeout 1800
    > ip nat translation max-entries 250000
    > ip nat pool Level3Pool some-ip-address some-ip-address netmask 255.255.255.248
    > ip nat inside source list NAT pool Level3Pool overload
    Any idea about:
    ip nat settings mode cgn
    ip nat settings mode cgn
    Thanks

    Firewall or NAT: 250,000 sessions and 50,000 sessions-per-sec setup rate
    This is from the datasheet. Pls check.
    Table 3. Cisco ASR 1000 Series 5-Gbps ESP Module Performance and Scaling
    Regards
    Durga Prasad - Datasoft Comnet
    Pls rate helpful posts
    Sent from Cisco Technical Support Android App

  • ASA supports NAT in bridge mode??

    Does anyone know if an ASA supports NAT in bridge mode? Especially the 5580 series x??

    Hi Hans,
    Yes it does, from version 8.0 and higher.
    Unsupported Features
    These features are not supported in transparent mode:
    NAT /PAT
    NAT is performed on the upstream router.
    Note: Starting with ASA/PIX 8.0(2), NAT/PAT is supported in the transparent firewall.
    Here is the document:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#visits
    Mike

  • Dynamic nat entire group

    Hello,
    Is there any way to setup dynamic nat for an entire group without having to setup dynamic nat for every single network?
    For example,
    network a: 10.168.32.0/24
    network b: 10.184.32.0/24
    network c: 10.16.38.0/24
    I want to setup dynamic nat for all of these subnets at one time.
    Of course I have more than 3, more like 200 of them, so I don't want to have to set up dynamic nat individually.
    Thanks,
    Dan.

    Hi,
    Well, if you want to perform Dynamic PAT to different public IP addresses based on the source interface, for example, then you could do it in the following way:
    object network INSIDE-PAT
    host 1.1.1.1
    object network DMZ-PAT
    host 1.1.1.2
    nat (inside,outside) after-auto source dynamic any INSIDE-PAT
    nat (dmz,outside) after-auto source dynamic any DMZ-PAT
    You could follow the above logic that applies to your network setup.
    Of course, if you have only one source interface but several different networks or groups of networks for which you want to use different PAT IP addresses, then you would have to create the source address group for those networks.
    For example
    object network PRODUCTION-PAT
    host 1.1.1.1
    object network TESTING-PAT
    host 1.1.1.2
    object-group network PRODUCTION-NETWORKS
    network-object 10.10.0.0 255.255.0.0
    network-object 10.20.0.0 255.255.0.0
    object-group network TESTING-NETWORKS
    network-object 10.30.0.0 255.255.0.0
    network-object 10.40.0.0 255.255.0.0
    nat (inside,outside) after-auto source dynamic PRODUCTION-NETWORKS PRODUCTION-PAT
    nat (inside,outside) after-auto source dynamic TESTING-NETWORKS TESTING-PAT
    Or was it something else that you were after?
    - Jouni

  • Placing NAT statements in sections

    Is there a rule of thumb or general guideline for where you place these NAT statements?
    I see 3 sections and after reading some posts I see a lot of "after-auto", which places the NAT statement in section 3.
    I read the part in this document (http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157)
    on the rule order, but I am still unclear.

    Hi,
    I would suggest reading a document I wrote here on the forums on the "Documents" section.
    https://supportforums.cisco.com/docs/DOC-31116
    It explains, for example, the NAT rule ordering and the way I use the different Sections.
    In general I would place the typical different types of NAT in the following way:
    Section 1
    NAT0 / NAT Exempt
    Policy type NAT configurations
    Any other special/uncommon NAT configurations
    Section 2
    Static NAT
    Static PAT
    Section 3
    Default Dynamic PAT/NAT rules meant for the majority of the users. The last section is the natural place for them, as this rule should be the "last resort" for basic traffic through the firewall.
    Hope this helps
    Remember to mark the reply as the correct answer if it answered your question.
    Naturally ask more here in this discussion if you want some more specific answers than the document provides.
    - Jouni
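
An added example, not from the thread and not Cisco code, that models the rule ordering the two replies above describe (this one and the answer in the "NAT with 8.6(1) ASA5515-X" thread). Section 1 (manual NAT) and Section 3 (manual NAT with "after-auto") are walked in configuration order; Section 2 (network object NAT) orders its rules static before dynamic, fewer real addresses first, then by object name. The tie-breaker on the lower network address, applied before the name, is an assumption taken from the ASA documentation rather than from this page. The simulation matches on the real source address only, so destination-based policy NAT is out of scope, and it shows why a default PAT left in Section 1 swallows a host that also has a static object NAT.

```python
"""Simulate ASA (8.3+) NAT rule evaluation order across the three sections (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    name: str            # label used in results
    section: int         # 1 manual NAT, 2 network object NAT, 3 manual NAT after-auto
    real_source: str     # real (inside) source network in CIDR form
    kind: str            # "static" or "dynamic"
    mapped: str          # mapped address, or "interface" for interface PAT
    order: int = 0       # configuration position inside Section 1 or 3
    obj_name: str = ""   # network object name, used for Section 2 ordering


def evaluation_order(rules):
    """Return the rules sorted the way the ASA walks them."""
    def key(rule):
        if rule.section in (1, 3):
            return (rule.section, rule.order, 0, 0, "")
        net = ip_network(rule.real_source, strict=False)
        return (2,
                0 if rule.kind == "static" else 1,   # static before dynamic
                net.num_addresses,                   # fewer real addresses first
                int(net.network_address),            # assumed tie-breaker: lower address first
                rule.obj_name)                       # then object name, alphabetically
    return sorted(rules, key=key)


def first_match(rules, src_ip):
    """First rule whose real source network contains src_ip, or None."""
    ip = ip_address(src_ip)
    for rule in evaluation_order(rules):
        if ip in ip_network(rule.real_source, strict=False):
            return rule
    return None


# Constructed scenario: the default PAT for 10.16.0.0/18 from the thread plus one
# assumed static object NAT for a single host inside that range.
def build_rules(default_pat_after_auto):
    return [
        NatRule("static-host", 2, "10.16.0.10/32", "static", "203.0.113.10",
                obj_name="N_OBJ_10.16.0.10_32"),
        NatRule("default-pat", 3 if default_pat_after_auto else 1,
                "10.16.0.0/18", "dynamic", "interface", order=1),
    ]


def translation_for(src_ip, default_pat_after_auto):
    """Name of the rule that translates src_ip in the constructed scenario."""
    rule = first_match(build_rules(default_pat_after_auto), src_ip)
    return rule.name if rule else None


def section2_demo():
    """Evaluation order of three constructed object NAT rules (names from the thread's style)."""
    rules = [
        NatRule("a", 2, "10.64.0.0/20", "dynamic", "interface", obj_name="N_OBJ_10.64.0.0_20"),
        NatRule("b", 2, "10.64.128.0/20", "static", "203.0.113.0", obj_name="N_OBJ_10.64.128.0_20"),
        NatRule("c", 2, "10.64.64.0/24", "static", "203.0.113.64", obj_name="N_OBJ_10.64.64.0_24"),
    ]
    return [r.obj_name for r in evaluation_order(rules)]


if __name__ == "__main__":
    for after_auto in (False, True):
        label = "after-auto (Section 3)" if after_auto else "Section 1           "
        print(label, "10.16.0.10 ->", translation_for("10.16.0.10", after_auto))
    print("Section 2 order:", section2_demo())
```

With the default PAT in Section 1 the host 10.16.0.10 is translated by the dynamic rule and its static mapping is never reached; with "after-auto" the static object NAT in Section 2 wins and the default PAT only catches the rest of the range, which is the "last resort" behaviour described above.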

  • Policy Nat on cisco router

    Hi Dears.
    I configured a site-to-site VPN on a router. The peer wants the interesting traffic from our side's user subnet to be 10.193.115.11, but our local subnet is
    10.103.70.0/24. Our local subnet also has access to the internet.
    local subnet: 10.10.3.70.0/24
    peer local  subnet: 10.193.128.11/23
    I think that I must do policy NAT.
    1. ip access-list extended vpn-traffic  
    permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
    2. ip access-list extended nat-ipsec
    permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    3.ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
      ip nat inside source list nat-ipsec pool mswpool
    And i have also PAT Nat for local user.
    access-list 100 permit ip 10.103.70.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    Is this configuration right?
    Please write your comment.
    thanks.

    OK, thanks.
    At last our configuration is this:
    access-list 100 deny ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    access-list 100 permit ip 10.103.70.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    for vpn traffic:
    ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
      ip nat inside source list nat-ipsec pool mswpool
    ip access-list extended vpn-traffic 
    permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
    ip access-list extended nat-ipsec
    permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    You said that this configuration will help me with my aim.
    thanks again.
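
An added example, not from the thread and not router code, that checks which IOS NAT statement claims a given flow under the final configuration above. It evaluates the access lists with wildcard masks the way IOS does (first matching entry decides, implicit deny at the end), reports every `ip nat inside source` statement whose list permits the flow, and checks whether the translated address matches the crypto ACL `vpn-traffic`. The inside host and internet destination used in the calls are constructed; the networks, wildcards, pool and interface name are the ones posted.

```python
"""Which IOS NAT rule catches a flow under the posted policy NAT + overload config (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword as network/wildcard


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    src: str
    src_wild: str   # wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wild: str


def wildcard_match(addr, net, wild):
    """IOS wildcard comparison: only the bits that are 0 in the wildcard must match."""
    care = ~int(ip_address(wild)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & care) == (int(ip_address(net)) & care)


def acl_permits(acl, src, dst):
    """First matching entry decides; no match means implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action == "permit"
    return False


# access-list 100 as first posted: overload for everything leaving the LAN
ACL_100_ORIGINAL = [Ace("permit", "10.103.70.0", "0.0.0.255", *ANY)]
# access-list 100 from the final configuration: VPN-bound traffic excluded first
ACL_100_FINAL = [
    Ace("deny", "10.103.70.0", "0.0.0.255", "10.193.128.0", "0.0.1.255"),
    Ace("permit", "10.103.70.0", "0.0.0.255", *ANY),
]
# ip access-list extended nat-ipsec
ACL_NAT_IPSEC = [Ace("permit", "10.103.70.0", "0.0.0.255", "10.193.128.0", "0.0.1.255")]
# ip access-list extended vpn-traffic (crypto ACL, matched after NAT on the way out)
ACL_VPN_TRAFFIC = [Ace("permit", "10.193.115.0", "0.0.0.255", "10.193.128.0", "0.0.1.255")]
# ip nat pool mswpool 10.193.115.1 10.193.115.14 netmask 255.255.255.240
POOL_MSWPOOL = ("10.193.115.1", "10.193.115.14")


def matching_nat_rules(acl_100, src, dst):
    """Every 'ip nat inside source' statement whose list permits the flow, in config order."""
    rules = []
    if acl_permits(ACL_NAT_IPSEC, src, dst):
        rules.append("list nat-ipsec pool mswpool")
    if acl_permits(acl_100, src, dst):
        rules.append("list 100 interface GigabitEthernet0/0 overload")
    return rules


def pool_size(pool=POOL_MSWPOOL):
    """Addresses in the pool; without 'overload' each one is a one-to-one mapping."""
    return int(ip_address(pool[1])) - int(ip_address(pool[0])) + 1


def vpn_interesting(translated_src, dst):
    """Does the crypto ACL select the (already translated) flow for the tunnel?"""
    return acl_permits(ACL_VPN_TRAFFIC, translated_src, dst)


if __name__ == "__main__":
    lan_host, peer_host, internet_host = "10.103.70.5", "10.193.128.11", "198.51.100.7"
    print("original, to peer:", matching_nat_rules(ACL_100_ORIGINAL, lan_host, peer_host))
    print("final, to peer:   ", matching_nat_rules(ACL_100_FINAL, lan_host, peer_host))
    print("final, to internet:", matching_nat_rules(ACL_100_FINAL, lan_host, internet_host))
    print("pool size:", pool_size(), "one-to-one mappings")
    print("crypto ACL sees translated host:", vpn_interesting("10.193.115.3", peer_host))
```

Two points the check makes visible: with the original `access-list 100`, VPN-bound traffic is permitted by both NAT lists, so which translation it gets is ambiguous, and the `deny` entry in the final list removes that overlap; and because `mswpool` is used without `overload`, the 14 pool addresses are one-to-one dynamic mappings, so at most 14 LAN hosts can hold a VPN translation at the same time, which is worth weighing against a /24 of users.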
