Reverse PAT/NAT?
Someone save me from my confusion.
I'm familiar with the classic use case of NAT/PAT, where internal hosts use many-to-one or one-to-one NAT when going outbound. What I'm not as familiar with is what I can use if I have a 10,000-port range that external hosts request inbound to a host, and I want my firewall to forward that 10,000-port range to a single port.
inbound port range: 10,000-20,000
destination ip: 10.10.10.15 "internal host, publicly accessible IP"
translated port: 440
translated ip: 10.10.10.15 "same as original"
source ip: any "internet"
Basically, port forwarding for a range of ports to a single port.
Where I think I'm getting caught is the basics of TCP/IP, where a client chooses a random port for its source port and sets the destination as the destination port, in my case 10,100. This hits my firewall with the destination port 10,100 and a source port randomly chosen by the client, let's say 4570. The firewall would then say, I want to translate this 10,100 to the destination port of 440 and point it at my internal host 10.10.10.15. When the packet arrives at 10.10.10.15 it arrives with a source port of the now translated port 440. The firewall would not know how to get back to the original client that requested with source port 4570, thus my original request is not possible? This is where I'm at in my mind on why this doesn't work, but then again, I'm thinking that a PAT table could keep track of these connection mappings and broker the connection.
Hi,
I would imagine that you would need to have a firewall running a software level 8.3 or newer.
What you could try is the following:
object network REAL-HOST
host 10.10.10.15
object network MAPPED-HOST
host 1.1.1.1
object service REAL-PORT
service tcp source eq 440
object service MAPPED-PORT-RANGE
service tcp source range 10000 20000
nat (inside,outside) source static REAL-HOST MAPPED-HOST service REAL-PORT MAPPED-PORT-RANGE
Where the 1.1.1.1 is the public NAT IP address.
This configuration would essentially mean that any connection coming to the destination IP address 1.1.1.1 on destination port TCP/10000 - 20000 would be forwarded to the actual host 10.10.10.15 on destination port TCP/440.
I have personally never had the need to even think about a configuration like this, so I am not sure what you are going to use this for. That being said, I have not tested this other than with the "packet-tracer" command to check that it performs as it's supposed to.
- Jouni
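The connection-table behaviour the question speculates about, as an added example that is not code from the thread or from any Cisco product: a generic stateful NAT/PAT model that forwards the mapped range 10000-20000 on 1.1.1.1 to 10.10.10.15:440 and still returns each reply to the right client. Only the destination is rewritten on the way in; the client's own source port is carried through and the original mapped port is restored on the reply. The client addresses in the demo are constructed documentation-range values.

```python
"""Stateful model of range-to-single-port forwarding (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# 4-tuple of a connection as the inside host sees it after translation
ConnKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class RangeToPortNAT:
    """Static PAT: dst mapped_ip:[lo-hi] -> real_ip:real_port, with state."""

    def __init__(self, mapped_ip: str, real_ip: str,
                 mapped_range: Tuple[int, int], real_port: int) -> None:
        self.mapped_ip = mapped_ip
        self.real_ip = real_ip
        self.lo, self.hi = mapped_range
        self.real_port = real_port
        # Connection table: key is the 4-tuple the inside host sees,
        # value is the original packet the outside client sent.
        self.conns: Dict[ConnKey, Packet] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Only the destination is rewritten; the client's
        source port (e.g. 4570) is passed through unchanged."""
        if pkt.dst_ip != self.mapped_ip or not (self.lo <= pkt.dst_port <= self.hi):
            return None  # no rule matches: the firewall drops it
        translated = Packet(pkt.src_ip, pkt.src_port, self.real_ip, self.real_port)
        key = (translated.src_ip, translated.src_port,
               translated.dst_ip, translated.dst_port)
        self.conns.setdefault(key, pkt)  # remember which mapped port was used
        return translated

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside reply. The reversed 4-tuple of the reply finds the
        connection entry, and the client's original destination port is
        restored, so the client sees 1.1.1.1:10100 answering, not :440."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        orig = self.conns.get(key)
        if orig is None:
            return None  # no connection state: a reply without a request is dropped
        return Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)


def demo() -> Dict[str, Optional[Packet]]:
    """Two clients hit two different mapped ports, both using source port
    4570; each reply goes back to the right client with its own port."""
    nat = RangeToPortNAT("1.1.1.1", "10.10.10.15", (10000, 20000), 440)
    a = nat.inbound(Packet("203.0.113.7", 4570, "1.1.1.1", 10100))   # constructed
    b = nat.inbound(Packet("198.51.100.9", 4570, "1.1.1.1", 15000))  # constructed
    return {
        "a_fwd": a,
        "b_fwd": b,
        "a_reply": nat.outbound(Packet("10.10.10.15", 440, "203.0.113.7", 4570)),
        "b_reply": nat.outbound(Packet("10.10.10.15", 440, "198.51.100.9", 4570)),
        "out_of_range": nat.inbound(Packet("203.0.113.7", 4571, "1.1.1.1", 443)),
        "no_state": nat.outbound(Packet("10.10.10.15", 440, "203.0.113.7", 9999)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:13} {pkt}")
```

One thing the model also makes visible: the inside host only ever sees port 440, so any application logic that depended on which mapped port the client chose is lost at the firewall.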
Similar Messages
-
Asymmetric NAT rules matched for forward and reverse flows - NAT Issue
Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside)
The Error:
5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
I understand this is a NAT issue, but I'm not seeing the error and could use a second set of eyes. Here's my current running configuration.
: Saved
ASA Version 8.3(2)
hostname fw1
domain-name xxxxxxxx.xxx
enable password <removed>
passwd <removed>
names
interface Vlan1
description Town Internal Network
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address 173.xxx.xxx.xxx 255.255.255.248
interface Vlan3
description DMZ (CaTV)
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
interface Vlan10
description Infrastructure Network
nameif InfraNet
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 25
ip address 192.168.1.1 255.255.255.0
interface Vlan23
nameif StateNet
security-level 75
ip address 10.63.198.2 255.255.255.0
interface Vlan33
description Police Subnet
shutdown
nameif PDNet
security-level 90
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/5
switchport access vlan 23
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk native vlan 1
switchport mode trunk
shutdown
banner exec Access Restricted to Personnel Only
banner login Access Restricted to Personnel Only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxx.xxx
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.9.20
host 192.168.9.20
object network obj-claggett-https
host 192.168.9.20
object network obj-claggett-imap4
host 192.168.9.20
object network obj-claggett-pop3
host 192.168.9.20
object network obj-claggett-smtp
host 192.168.9.20
object network obj-claggett-imapoverssl
host 192.168.9.20
object network obj-claggett-popoverssl
host 192.168.9.20
object network obj-claggett-smtpwTLS
host 192.168.9.20
object network obj-192.168.9.120
host 192.168.9.120
object network obj-192.168.9.119
host 192.168.9.119
object network obj-192.168.9.121
host 192.168.9.121
object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
object network WirelessClients
subnet 192.168.1.0 255.255.255.0
object network obj-dmznetwork
subnet 192.168.2.0 255.255.255.0
object network FD_Firewall
host 74.94.142.229
object network FD_Net
subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-TownHallNet
subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
subnet 192.168.10.0 255.255.255.0
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group network obj_clerkpc
description Clerk's PCs
network-object object obj-192.168.9.119
network-object object obj-192.168.9.120
network-object object obj-192.168.9.121
object-group network TownHall_Nets
network-object 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
pager lines 24
logging enable
logging asdm debugging
logging mail errors
logging from-address hostmaster@xxxxxxxxx
logging recipient-address john@xxxxxxxxx level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
mtu InfraNet 1500
mtu PDNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
object network obj_any
nat (inside,outside) static interface
object network obj-claggett-https
nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
nat (any,StateNet) static 10.63.198.11
object network obj-wirelessnet
nat (Wireless-Guest,outside) static interface
object network obj-dmznetwork
nat (any,outside) static interface
object network obj_InfraNet
nat (InfraNet,outside) static interface
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.168.9.0 255.255.255.0 inside
http 74.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 173.xxx.xxx.xxx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd auto_config outside
dhcpd address 192.168.2.100-192.168.2.254 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd enable dmz
dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
dhcpd enable Wireless-Guest
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
webvpn
group-policy FDIPSECTunnel internal
group-policy FDIPSECTunnel attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username support password <removed> privilege 15
tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
tunnel-group 173.xxx.xxx.xxx general-attributes
default-group-policy FDIPSECTunnel
tunnel-group 173.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
smtp-server 192.168.9.20
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
: end
Any ideas would be appreciated.
John
I don't see any inspection commands in your config. Is there a reason for not using any of them?
If your problem is only with ICMP, then you should enable at least ICMP inspection. You can do that easily with the legacy command "fixup protocol icmp".
Sent from Cisco Technical Support iPad App -
Configuring PAT/NAT in cisco routers
Hello, first, sorry for my bad English.
I just wanted to know how to configure PAT (port address translation),
like this?
amir(config)#ip nat inside source static tcp 192.168.1.1 1000 172.16.1.1 1000
Or not?
The 2nd question I have is:
When do I need to write "ip nat inside source"... and when do I need to write "ip nat outside"?
And the last question for now is:
How can I (if that's possible) configure dynamic PAT - I mean that any computer on my LAN will go out to the internet with the same address but with different ports, in random mode (I mean without configuring static ones one by one)?
I hope I was clear enough, thanks a lot!
Hi Tiger,
1) Yes, your first statement is a static PAT statement, which says the source IP with source port 1000 is translated to 172.16.1.1 with the same port number; but yes, it is a static PAT entry.
2) Coming to your 2nd question:
"ip nat inside source" is a global config command which says to NAT the source IP address of any traffic which hits the inside interface.
"ip nat inside" is an interface mode command which should be entered under an interface. This command specifies which interface is an inside interface, which will NAT the incoming traffic.
3) Coming to your last question
For dynamic PAT you just need to configure overload command at the end of your nat statement.
This link will give you a very broad and nice picture of how NAT can be configured in different situations:
http://www.cisco.com/warp/public/556/12.html#6
HTH
Ankur -
New BM3.9 Install - Site 2 Site via PAT/NAT/DMZ?
We are setting up 2 new BM3.9 VMs (initially for Site 2 Site VPN) for a client, but their ADSL Routers at each site only have single static IPs which are bound to the Router's public address. I believe the Routers are also providing 'Dynamic NAT' for outbound traffic.
Would it be possible to set-up a Site 2 Site VPN and perhaps get the Routers to pass all VPN traffic (either using PAT or an all traffic DMZ LAN scenario) to the BM Servers. I am presuming within the Site 2 Site config of VPN Server - Site A you would point it at the Public address of Router - Site B (instead of the BM Server Public).....and vice versa.
Any comments would be greatly appreciated.
Cheers,
Richard.
In article <[email protected]>, Rsargeant wrote:
> Would it be possible to set-up a Site 2 Site VPN and perhaps get the
> Routers to pass all VPN traffic (either using PAT or an all traffic DMZ
> LAN scenario) to the BM Servers. I am presuming within the Site 2 Site
> config of VPN Server - Site A you would point it at the Public address
> of Router - Site B (instead of the BM Server Public).....and vice
> versa.
>
Yes, it should work. While I've only configured one end of this (example
in my book of one BM server behind a Linksys port-forwarding router), it
should be ok to do on both ends. As long as you forward the proper ports
(or ALL traffic) to the BM, it will get the VPN traffic. The VPN
responses from the server tell the other side what public IP address to
use, which as you have surmised should be the public address of the
router in this case.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com *** -
How does PAT/NAT work on ICMP packets if there are no ports like in UDP/TCP?
Best regards
francesco
Have a look at these documents:
http://tools.ietf.org/wg/behave/draft-ietf-behave-nat-icmp/draft-ietf-behave-nat-icmp-01-from-00.wdiff.html
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f96.shtml
Both would help you understand
HTH
Hoogen
Do rate if this helps :) -
NAT outside to inside and inside to outside (in 8.4(2) version)
Thanks a lot, and I attached a diagram here.
Requirement:
I need to pass through traffic from outside to inside and inside to outside.
I also attached a diagram with the IPs.
And also tell me one thing: is NATing only for private to public or public to private?
Hi,
I think I replied on your post earlier as well.
As per your query, you can NAT any kind of IP (public or private) into any kind (public or private).
For bidirectional traffic, you always need static NAT.
When you want unidirectional traffic, you can use dynamic NAT/PAT.
For the inside to outside traffic, you can use this NAT:
object network LAN
subnet 0 0
nat (inside,outside) dynamic interface
For outside to inside traffic, you would only want access for certain servers, just like internally hosted web servers.
For this, you can either use static PAT/NAT:
object network host
host 10.10.10.10
nat (inside,outside) static interface service tcp 3389 3389
access-list outside_inside permit tcp any host 10.10.10.10 eq 3389
This will enable you to take the RDP access for your PC from the internet.
Is this what you want?
Thanks and Regards,
Vibhor Amrodia -
Configuring PAT for VoIP got a Turn Up today!!!
Good Morning all,
I have a question. I've researched around the internet to find the CLI commands to open ports TCP 5060/5061 and UDP ports 1024 to 65535 to my SIP provider. I'm a voice guy, so I'm VERY new to security and I would like some assistance.
I'm using an ASA 5505, and below is my show run:
------------------ show running-config ------------------
: Saved
ASA Version 8.3(2)
hostname ECSASA-5505
domain-name hostedatandvoice.local
enable password <removed>
passwd <removed>
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
interface Ethernet0/0
description COMCAST
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner exec EnterCloud Solutions ASA
banner login AAA is enabled, Local access has been restricted to local Administrators and Engineers of ECS, LLC.
banner motd EnterCloud Solutions ASA Applicance. Unauthorized users will be logged and flagged for unauthorized access. IP's are tracked and logged and will be reported to local State and Federal agencies.
banner motd Contact [email protected] for additional help or support.
banner asdm WELCOME TO ECS ASA 5505 SECURITY APPLICANCE!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name hostedatandvoice.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Internet
subnet 0.0.0.0 0.0.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service NTP
service tcp source eq 123 destination eq 123
description Time Clock
object network STATIC-PAT
subnet 192.168.1.0 255.255.255.0
object network VPN-Pool
subnet 190.168.10.0 255.255.255.240
description VPN IP Address
object network SSL-VPN-POOL
description SSL-VPN-POOL
object network SSL-VPN-POOL1
object network SSL-VPN-NET1
subnet 192.168.10.0 255.255.255.240
object network outside_to_inside_VoIP
host 192.168.1.8
object-group network PRIVATE-LAN
network-object 192.168.1.0 255.255.255.0
object-group network SSL-VPN-NETWORKS
description SSL VPN NETWORKS
object-group network VPN-NETWORK
network-object object SSL-VPN-NET1
access-list OUTSIDE-IN extended permit udp any object STATIC-PAT eq ntp
access-list ECSSLVPN remark Allow VPN Access to LAN
access-list ECSSLVPN standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool VPN-Pool 192.168.10.1-192.168.10.12 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static PRIVATE-LAN PRIVATE-LAN destination static VPN-NETWORK VPN-NETWORK
object network STATIC-PAT
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x1
route inside 192.168.10.0 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=ESCASA-5505
ip-address x.x.x.x
keypair ECS-KP
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 59203f51
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 4.2.2.2 8.8.1.1
dhcpd domain hostedatandvoice.local
dhcpd address 192.168.1.12-192.168.1.130 inside
dhcpd dns 4.2.2.2 8.8.1.1 interface inside
dhcpd domain hostedatandvoice.com interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 199.249.224.123 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-3.0.11042-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ECSSLVPN
default-domain value hostedatandvoice.local
split-dns value hostedatandvoice.com
address-pools value VPN-Pool
webvpn
svc ask enable default webvpn
username khayes password <removed> privilege 15
username mharrell password <removed> privilege 15
username bdillard password <removed> privilege 15
username skonti password <removed> privilege 15
tunnel-group ECSSLVPN type remote-access
tunnel-group ECSSLVPN general-attributes
address-pool VPN-Pool
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:977f2a92875a8c744753124c94adbb09
: end
Kenneth,
If that's the case you can use a range of ports and create a NAT using your outside interface IP.
object network CUCM_Private
host 10.10.10.10
object service Range_1024_65535
service udp source range 1024 65535
object service SIP_range
service tcp source range 5060 5061
nat (inside,outside) source static CUCM_Private interface service Range_1024_65535 Range_1024_65535
nat (inside,outside) source static CUCM_Private interface service SIP_range SIP_range
access-list outside_access_in permit tcp any object CUCM_Private eq 5060
access-list outside_access_in permit tcp any object CUCM_Private eq 5061
access-list outside_access_in permit udp any object CUCM_Private range 1024 65535
Take into consideration that I am using different IP addresses; please use the corresponding IPs.
Hope it helps,
Juan Lombana -
NAT with 8.6(1) ASA5515-X
I want to NAT only those nets which are deployed as opposed to a
'nat (inside) 1 0 0' as in IOS 8.2 for example.
So I have possibly two choices.
I can create a network object-group with my INSIDE NETS and add to it as I expand the IP usage.
object-group network GRP_OBJECT_INSIDE_NETS
network-object 10.16.0.0 255.255.192.0
network-object 10.64.0.0 255.255.240.0
network-object 10.64.64.0 255.255.240.0
network-object 10.64.128.0 255.255.240.0
nat (inside,outside) source dynamic GRP_OBJECT_INSIDE_NETS interface
Or I can create separate network objects and the associated object NAT for each.
object network N_OBJ_10.16.0.0_18
subnet 10.16.0.0 255.255.192.0
object network N_OBJ_10.64.0.0_20
subnet 10.64.0.0 255.255.240.0
object network N_OBJ_10.64.64.0_20
subnet 10.64.64.0 255.255.240.0
object network N_OBJ_10.64.128.0_20
subnet 10.64.128.0 255.255.240.0
object network N_OBJ_10.16.0.0_18
nat (inside,outside) dynamic interface
object network N_OBJ_10.64.0.0_20
nat (inside,outside) dynamic interface
object network N_OBJ_10.64.64.0_20
nat (inside,outside) dynamic interface
object network N_OBJ_10.64.128.0_20
nat (inside,outside) dynamic interface
The question is which is possibly preferred and why.
The second would create more in-line code than the first, but there have to be other concerns.
Thx
Hi,
I personally always use "object-group" to define the source addresses for the basic PAT/NAT configurations. Pretty much for the reason you have already stated. The NAT configuration is easier to manage and we create a lot less configurations.
Though I would do a minor change to the NAT configuration you mentioned first.
I would add the "after-auto" parameter to the NAT configuration. This would move the NAT rule to Section 3 instead of Section 1 (where it would go without the "after-auto" parameter).
nat (inside,outside) after-auto source dynamic GRP_OBJECT_INSIDE_NETS interface
Being in Section 3 of the NAT rules it would be one of the last NAT rules to be matched against connections coming through the ASA. And I would consider this natural as we are configuring a Default PAT rule to which any connection should hit IF it did not have a more specific rule.
If the NAT configuration you mention was inserted in the format in the original post, it might potentially override any other translations for those "inside" networks towards "outside" networks.
The second way you mention doing the same uses Network Object NAT, which is a Section 2 NAT. I see it used in simple network setups, but personally I would only suggest it to be used with Static NAT and Static PAT.
The Section 2 Network Object NAT operates a bit like the old NAT format. It gives higher priority to "static" configurations instead of "dynamic". Inside those mentioned types it again prefers the more specific number of source addresses. In the end it might even match on the basis of how the "object" is named. In other words, look at the alphabetical order of the name of the configured "object" for the NAT.
But as I said before, I prefer to leave Network Object NAT only for Static NAT and Static PAT. Section 1 NAT I use for NAT0 / Identity NAT / Policy NAT / Policy PAT configurations usually. And Section 3 I use for the Default PAT / NAT rules.
If you want to read some more about the subject I could suggest a document I created on the forums.
https://supportforums.cisco.com/docs/DOC-31116
Naturally you can ask more on these forums.
Please remember to rate helpful answers and mark questions as answered if they did.
- Jouni -
Asa5512, ver. 8.6(1)2, SMTP over NAT problem
Hi guys,
I have a weird issue while trying to organize an SMTP server behind my ASA 5512.
The most interesting thing is that all other services like SSH, HTTP, HTTPS, etc. work just fine... except SMTP... and yes, I've disabled the inspect esmtp feature.
object network obj-10.100.22.19
host 10.100.22.19
object network PAT
subnet 10.100.22.16 255.255.255.248
access-list inet-in extended permit tcp any host 10.100.22.19 eq smtp
access-list inet-in extended permit tcp host X.X.X.X host 10.100.22.19 eq ssh
access-list inet-in extended permit tcp host X.X.X.X host 10.100.22.19 eq imap4
access-list inet-in extended permit tcp host X.X.X.X host 10.100.22.19 eq 993
access-list inet-in extended permit tcp object-group inet-grp1 host 10.100.22.19 eq www
access-list inet-in extended permit tcp object-group inet-grp1 host 10.100.22.19 eq https
object network obj-10.100.22.19
nat (serv2,inet) static Y.Y.Y.Y
object network PAT
nat (serv2,inet) dynamic interface
access-group inet-in in interface inet
What I see in the logs:
%ASA-6-302013: Built inbound TCP connection 1733 for inet:X.X.X.X/47056 (X.X.X.X/47056) to serv2:10.100.22.19/25 (Y.Y.Y.Y/25)
%ASA-6-302014: Teardown TCP connection 1733 for inet:X.X.X.X/47056 to serv2:10.100.22.19/25 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-106015: Deny TCP (no connection) from 10.100.22.19/25 to X.X.X.X/47056 flags SYN ACK on interface serv2
So it looks like the SMTP client doesn't receive the TCP ACK while building the session and after 30 sec issues a SYN Timeout message...
And I am sure that everything is OK with sendmail, because tcp/25 is open and working from another DMZ of this ASA; the only difference is that that DMZ is connected without NAT...
Any ideas?
Thanks in advance.
Hi,
I've tried to capture via tcpdump on the SMTP client and server interfaces and have seen on the client side that the SYN ACK never comes and on the server side that it does issue this SYN ACK. So it's been dropped somewhere on the way...
The server is connected directly into an ASA interface and the client is just a few hops away on the internet.
Here's the configuration:
ASA Version 8.6(1)2
hostname ________
no names
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
interface GigabitEthernet0/1.1011
vlan 1011
nameif vlan1011
security-level 75
ip address 10.100.10.11 255.255.255.0
interface GigabitEthernet0/1.1035
vlan 1035
nameif inet
security-level 50
ip address X.X.X.Y 255.255.255.248
interface GigabitEthernet0/2
nameif serv1_mng
security-level 100
ip address 10.100.22.5 255.255.255.252
interface GigabitEthernet0/3
nameif serv2_mng
security-level 100
ip address 10.100.22.1 255.255.255.252
interface GigabitEthernet0/4
nameif serv1
security-level 100
ip address 10.100.22.13 255.255.255.252
interface GigabitEthernet0/5
nameif serv2
security-level 100
ip address 10.100.22.17 255.255.255.248
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup inet
dns server-group DefaultDNS
name-server 8.8.8.8
same-security-traffic permit inter-interface
object network obj-10.100.22.19
host 10.100.22.19
object network PAT
subnet 10.100.22.16 255.255.255.248
object-group network vlan1011-grp1
network-object 10.0.0.0 255.255.255.0
network-object 10.100.10.0 255.255.255.0
object-group network vlan1011-grp2
network-object host 10.0.0.238
network-object host 10.0.0.239
object-group network vlan1011-grp3
network-object host 10.100.13.50
network-object host 10.100.14.50
object-group network vlan1011-grp4
network-object host 10.100.10.1
network-object 10.0.0.0 255.255.255.0
object-group service backup-tcp tcp
port-object range 10080 10083
port-object range 10100 10108
object-group service backup-udp udp
port-object range 10080 10083
port-object range 10100 10108
object-group network inet-grp1
network-object host ____________
network-object host ____________
access-list inet-in extended permit icmp any any
access-list inet-in extended permit tcp any host 10.100.22.19 eq smtp
access-list inet-in extended permit tcp host A.A.A.A host 10.100.22.19 eq ssh
access-list inet-in extended permit tcp host A.A.A.A host 10.100.22.19 eq imap4
access-list inet-in extended permit tcp host A.A.A.A host 10.100.22.19 eq 993
access-list inet-in extended permit tcp object-group inet-grp1 host 10.100.22.19 eq www
access-list inet-in extended permit tcp object-group inet-grp1 host 10.100.22.19 eq https
access-list vlan1011-in extended permit icmp any any
access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 10.100.22.16 255.255.255.248 eq ssh
access-list vlan1011-in extended permit tcp object-group vlan1011-grp2 10.100.22.16 255.255.255.248 eq 10050
access-list vlan1011-in extended permit tcp object-group vlan1011-grp3 10.100.22.16 255.255.255.248 object-group backup-tcp
access-list vlan1011-in extended permit udp object-group vlan1011-grp3 10.100.22.16 255.255.255.248 object-group backup-udp
access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 host 10.100.22.19 eq www
access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 host 10.100.22.19 eq https
access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 host 10.100.22.19 eq imap4
access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 host 10.100.22.19 eq 993
access-list vlan1011-in extended permit tcp object-group vlan1011-grp1 host 10.100.22.19 eq smtp
tcp-map Exp_MSS
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging console warnings
logging monitor informational
logging buffered informational
logging trap errors
logging history informational
logging asdm informational
logging device-id hostname
mtu vlan1011 1500
mtu inet 1500
mtu serv1_mng 1500
mtu serv2_mng 1500
mtu serv1 1500
mtu serv2 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
object network obj-10.100.22.19
nat (serv2,inet) static X.X.X.X
object network PAT
nat (serv2,inet) dynamic interface
access-group vlan1011-in in interface vlan1011
access-group inet-in in interface inet
route inet 0.0.0.0 0.0.0.0 X.X.X.Z 1
route vlan1011 10.0.0.0 255.0.0.0 10.100.10.100 1
route vlan1011 10.0.0.0 255.255.255.0 10.100.10.1 1
timeout xlate 9:00:00
timeout conn 48:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca
quit
telnet 10.100.10.0 255.255.255.0 vlan1011
telnet timeout 30
ssh 10.100.10.0 255.255.255.0 vlan1011
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server __________ prefer
webvpn
class-map Exp_MSS
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class Exp_MSS
set connection advanced-options Exp_MSS
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect pptp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous -
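The three messages quoted in the post (the 302013 Built, the 302014 Teardown with "SYN Timeout" and the 106015 Deny of the server's SYN ACK as "no connection") describe one connection and can be correlated automatically across a log buffer. The script below is an added example for this thread, not code from the original post or from Cisco; it assumes the message formats exactly as shown above and uses constructed sample lines, with 198.51.100.7 standing in for the client X.X.X.X and 203.0.113.10 for the mapped Y.Y.Y.Y. It reports only the symptom (a built connection that timed out on the SYN while the real server's SYN/ACK was dropped as not matching any connection); what to check next is the translation for the server and the interface on which the reply arrives, as the thread itself discusses.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the three ASA messages quoted in the post above.
# 198.51.100.7 stands in for the client X.X.X.X and 203.0.113.10 for the mapped Y.Y.Y.Y.
# Connection 1733 shows the failure pattern; connection 1740 is a healthy session for contrast.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1733 for inet:198.51.100.7/47056 (198.51.100.7/47056) to serv2:10.100.22.19/25 (203.0.113.10/25)
%ASA-6-106015: Deny TCP (no connection) from 10.100.22.19/25 to 198.51.100.7/47056 flags SYN ACK on interface serv2
%ASA-6-302014: Teardown TCP connection 1733 for inet:198.51.100.7/47056 to serv2:10.100.22.19/25 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 1740 for inet:198.51.100.7/47102 (198.51.100.7/47102) to serv2:10.100.22.19/22 (203.0.113.10/22)
%ASA-6-302014: Teardown TCP connection 1740 for inet:198.51.100.7/47102 to serv2:10.100.22.19/22 duration 0:02:11 bytes 8412 TCP FINs
"""

# Message formats as they appear in the post; interface names, IPs and ports are captured.
BUILT = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection (\d+) for "
    r"([^:\s]+):([^/\s]+)/(\d+) \(\S+/\d+\) to ([^:\s]+):([^/\s]+)/(\d+) \(([^/\s]+)/(\d+)\)")
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (\d+) for \S+ to \S+ duration (\S+) bytes (\d+) (.+)$")
DENY = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from ([^/\s]+)/(\d+) to ([^/\s]+)/(\d+) "
    r"flags (.+?) on interface (\S+)")


def analyze(log_text):
    """Correlate Built / Teardown / Deny messages by connection id and 5-tuple.

    Returns one finding per TCP connection that the ASA built, then tore down with
    'SYN Timeout' and zero bytes, while a SYN/ACK from the real server to that client
    was dropped as 'no connection' (the reply did not match the built connection).
    """
    conns = {}                           # connection id -> details from the Built message
    dropped_replies = defaultdict(list)  # (srv ip, srv port, cli ip, cli port) -> interfaces

    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            cid, cli_if, cli_ip, cli_port, srv_if, srv_ip, srv_port, map_ip, map_port = m.groups()
            conns[cid] = {
                "conn_id": cid,
                "client_if": cli_if, "client": (cli_ip, int(cli_port)),
                "server_if": srv_if, "server": (srv_ip, int(srv_port)),
                "mapped": (map_ip, int(map_port)),
                "teardown": None, "bytes": None,
            }
            continue
        m = TEARDOWN.search(line)
        if m:
            cid, _duration, nbytes, reason = m.groups()
            if cid in conns:
                conns[cid]["teardown"] = reason.strip()
                conns[cid]["bytes"] = int(nbytes)
            continue
        m = DENY.search(line)
        if m:
            src_ip, src_port, dst_ip, dst_port, flags, ifc = m.groups()
            if "SYN" in flags and "ACK" in flags:
                dropped_replies[(src_ip, int(src_port), dst_ip, int(dst_port))].append(ifc)

    findings = []
    for c in conns.values():
        key = c["server"] + c["client"]
        if c["teardown"] == "SYN Timeout" and c["bytes"] == 0 and key in dropped_replies:
            findings.append({
                "conn_id": c["conn_id"],
                "client": "%s/%d via %s" % (c["client"] + (c["client_if"],)),
                "server": "%s/%d via %s" % (c["server"] + (c["server_if"],)),
                "mapped": "%s/%d" % c["mapped"],
                "reply_interface": dropped_replies[key][0],
                "note": "server SYN/ACK was dropped as 'no connection'; the reply did not "
                        "match the connection the ASA built for this client",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("conn %(conn_id)s %(client)s -> %(server)s (mapped %(mapped)s): "
              "%(note)s (seen on %(reply_interface)s)" % f)
```

Run against a buffered log (`logging buffered informational` is already enabled in the configuration above, so both the 302013/302014 and the 106015 messages are present) and every connection matching the pattern is listed with the interface where the reply was dropped; the healthy session 1740 in the sample is not reported.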
Hi all,
ACE20 module with A2(3.3)
I have tried to configure a NAT pool with two addresses, but only one is used.
class-map match-all NAT015_VLAN702
2 match source-address 192.168.137.93 255.255.255.255
3 match destination-address 192.168.137.0 255.255.255.255
policy-map multi-match lb-int-vlan802
class V13700080
loadbalance vip inservice
loadbalance policy V13700080-l7slb
loadbalance vip icmp-reply active
appl-parameter http advanced-options PAMHTTP001
connection advanced-options PAMCONNSV
class NAT015_VLAN702
nat dynamic 70203 vlan 702
interface vlan 702
bridge-group 802
no normalization
access-group input BPDU
access-group input alla
access-group output alla
nat-pool 70202 192.168.32.1 192.168.32.2 netmask 255.255.255.255 pat
nat-pool 70203 192.168.32.5 192.168.32.6 netmask 255.255.255.255 pat
nat-pool 70204 192.168.32.9 192.168.32.10 netmask 255.255.255.255 pat
nat-pool 70205 192.168.32.13 192.168.32.14 netmask 255.255.255.255 pat
nat-pool 70206 192.168.32.17 192.168.32.18 netmask 255.255.255.255 pat
nat-pool 70207 192.168.32.21 192.168.32.22 netmask 255.255.255.255 pat
service-policy input lb-int-vlan802
no shutdown
Can someone tell me what is wrong?
Regards
Mats
Hi Chris,
Been away a couple of days.
I'm doing show xlate global 192.168.32.5 and 192.168.35.6 and I never see xlates on 192.168.32.6.
A#1/prod1# sho xlate global 192.168.32.5
TCP PAT from vlan702:192.168.137.93/22524 to vlan702:192.168.32.5/62357
TCP PAT from vlan702:192.168.137.93/22565 to vlan702:192.168.32.5/62396
TCP PAT from vlan702:192.168.137.93/22600 to vlan702:192.168.32.5/62433
TCP PAT from vlan702:192.168.137.93/22686 to vlan702:192.168.32.5/62519
TCP PAT from vlan702:192.168.137.93/22814 to vlan702:192.168.32.5/62645
TCP PAT from vlan702:192.168.137.93/21368 to vlan702:192.168.32.5/61201
TCP PAT from vlan702:192.168.137.93/22514 to vlan702:192.168.32.5/64626
TCP PAT from vlan702:192.168.137.93/22605 to vlan702:192.168.32.5/64720
TCP PAT from vlan702:192.168.137.93/22527 to vlan702:192.168.32.5/64644
TCP PAT from vlan702:192.168.137.93/21935 to vlan702:192.168.32.5/64052
TCP PAT from vlan702:192.168.137.93/22863 to vlan702:192.168.32.5/64978
TCP PAT from vlan702:192.168.137.93/22882 to vlan702:192.168.32.5/64998
TCP PAT from vlan702:192.168.137.93/22893 to vlan702:192.168.32.5/65008
TCP PAT from vlan702:192.168.137.93/22996 to vlan702:192.168.32.5/65113
TCP PAT from vlan702:192.168.137.93/23012 to vlan702:192.168.32.5/65129
A#1/prod1#
A couple of seconds later it starts over with low port numbers:
A#1/prod1# sho xlate global 192.168.32.5
TCP PAT from vlan702:192.168.137.93/23673 to vlan702:192.168.32.5/1279
TCP PAT from vlan702:192.168.137.93/23728 to vlan702:192.168.32.5/1334
TCP PAT from vlan702:192.168.137.93/23984 to vlan702:192.168.32.5/1588
TCP PAT from vlan702:192.168.137.93/24113 to vlan702:192.168.32.5/63943
A#1/prod1#
This server has about 140 conn/sec at this moment, but under high load about 250 conn/sec.
As you can see from my show command, the connection times are very short.
Regards
Mats Ruuth -
Hello,
Does anyone who uses NAT/PAT (nat overload) limit the max number of NAT translations that any one internal IP address can have? We have had issues where people do port scans and utilise a large majority of our NAT pool. We are doing NAT on a ASR 1002 with an ESP5. It can do up to 250,000 NAT translations total and 50,000 new a second.
Now I found out that the ASR in a pool will only use the last available IP to do PAT. The rest of the IP addresses are used for 1-1 NAT.
Here is our NAT config
> ip nat translation tcp-timeout 1800
> ip nat translation udp-timeout 1800
> ip nat translation max-entries 250000
> ip nat pool Level3Pool some-ip-address some-ip-address netmask 255.255.255.248
> ip nat inside source list NAT pool Level3Pool overload
Any idea about:
ip nat settings mode cgn
ip nat settings mode cgn
Thanks
Firewall or NAT: 250,000 sessions and 50,000 sessions-per-sec setup rate
This is from the datasheet. Please check.
Table 3. Cisco ASR 1000 Series 5-Gbps ESP Module Performance and Scaling
Regards
Durga Prasad - Datasoft Comnet
Pls rate helpful posts
Sent from Cisco Technical Support Android App -
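Two questions in this thread come down to reading translation tables: Mats's ACE pool where only 192.168.32.5 of the two pool addresses ever appears in `show xlate global`, and the ASR question about one inside host eating a large share of the PAT pool during a port scan. The script below is an added example, not code from either poster, from Cisco or from any ACE/ASR tool; it assumes xlate lines in exactly the format shown in Mats's output above (the first five sample lines are copied from it, the last two are constructed to add a second inside host and a UDP entry) and computes per-inside-host counts, per-pool-address usage and the PAT port span per pool address. The per-host count is the figure a per-host translation limit (on IOS, the `all-host` and `host` forms of `ip nat translation max-entries`; verify the syntax in the command reference for the release in use) would be enforcing.

```python
import re
from collections import Counter, namedtuple

Xlate = namedtuple("Xlate", "proto inside_if inside_ip inside_port global_if global_ip global_port")

# One line per translation, in the format of the 'show xlate global' output above.
XLATE = re.compile(
    r"^(TCP|UDP) PAT from ([^:\s]+):([^/\s]+)/(\d+) to ([^:\s]+):([^/\s]+)/(\d+)$")

# Sample output: the first five lines are copied from the post above, the last two are
# constructed to add a second inside host and a UDP entry.
SAMPLE_XLATE = """\
TCP PAT from vlan702:192.168.137.93/22524 to vlan702:192.168.32.5/62357
TCP PAT from vlan702:192.168.137.93/22565 to vlan702:192.168.32.5/62396
TCP PAT from vlan702:192.168.137.93/22600 to vlan702:192.168.32.5/62433
TCP PAT from vlan702:192.168.137.93/22686 to vlan702:192.168.32.5/62519
TCP PAT from vlan702:192.168.137.93/22814 to vlan702:192.168.32.5/62645
TCP PAT from vlan702:192.168.137.94/40001 to vlan702:192.168.32.5/1279
UDP PAT from vlan702:192.168.137.94/40002 to vlan702:192.168.32.5/1334
"""


def parse_xlate(text):
    """Parse xlate lines; prompts and lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE.match(line.strip())
        if m:
            proto, iif, iip, iport, gif, gip, gport = m.groups()
            entries.append(Xlate(proto, iif, iip, int(iport), gif, gip, int(gport)))
    return entries


def translations_per_inside_host(entries):
    """How many active PAT translations each inside host holds."""
    return dict(Counter(x.inside_ip for x in entries))


def pool_usage(entries, pool_addresses):
    """Translations per pool address, listing unused pool addresses with a count of 0."""
    counts = Counter(x.global_ip for x in entries)
    return {addr: counts.get(addr, 0) for addr in pool_addresses}


def hosts_over_limit(entries, limit):
    """Inside hosts holding more than `limit` translations, busiest first."""
    over = [(ip, n) for ip, n in translations_per_inside_host(entries).items() if n > limit]
    return sorted(over, key=lambda item: (-item[1], item[0]))


def global_port_span(entries):
    """Lowest and highest PAT port in use per pool address (how much of the port space is consumed)."""
    span = {}
    for x in entries:
        lo, hi = span.get(x.global_ip, (x.global_port, x.global_port))
        span[x.global_ip] = (min(lo, x.global_port), max(hi, x.global_port))
    return span


if __name__ == "__main__":
    entries = parse_xlate(SAMPLE_XLATE)
    print("per inside host:", translations_per_inside_host(entries))
    print("pool usage:", pool_usage(entries, ["192.168.32.5", "192.168.32.6"]))
    print("over limit (3):", hosts_over_limit(entries, 3))
    print("port span:", global_port_span(entries))
```

Feed it the full `show xlate` output (pipe the captured text into `parse_xlate`) rather than the per-address view, and `pool_usage` makes the unused pool address visible at a glance, while `hosts_over_limit` with a threshold chosen from the pool's port budget gives a starting list for the ASR question of which inside hosts a per-host limit would affect.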
ASA supports NAT in bridge mode??
Anyone know if an ASA supports NAT in bridge mode? Especially the 5580 series x?
Hi Hans,
Yes it does, from version 8.0 and higher.
Unsupported Features
These features are not supported in transparent mode:
NAT /PAT
NAT is performed on the upstream router.
Note: Starting with ASA/PIX 8.0(2), NAT/PAT is supported in the transparent firewall.
Here is the document:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#visits
Mike -
Hello,
Is there any way to setup dynamic nat for an entire group without having to setup dynamic nat for every single network?
For example,
network a: 10.168.32.0/24
network b: 10.184.32.0/24
network c: 10.16.38.0/24
I want to setup dynamic nat for all of these subnets at one time.
Of course I have more than 3, more like 200 of them, so I don't want to have to set up dynamic NAT individually.
Thanks,
Dan.
Hi,
Well, if you want to perform Dynamic PAT to different public IP addresses based on source interface, for example, then you could do it in the following way:
object network INSIDE-PAT
host 1.1.1.1
object network DMZ-PAT
host 1.1.1.2
nat (inside,outside) after-auto source dynamic any INSIDE-PAT
nat (dmz,outside) after-auto source dynamic any DMZ-PAT
You could follow the above logic that applies to your network setup.
Of course, if you have only one source interface but several different networks or groups of networks for which you want to use different PAT IP addresses, then you would have to create the source address group for those networks.
For example
object network PRODUCTION-PAT
host 1.1.1.1
object network TESTING-PAT
host 1.1.1.2
object-group network PRODUCTION-NETWORKS
network-object 10.10.0.0 255.255.0.0
network-object 10.20.0.0 255.255.0.0
object-group network TESTING-NETWORKS
network-object 10.30.0.0 255.255.0.0
network-object 10.40.0.0 255.255.0.0
nat (inside,outside) after-auto source dynamic PRODUCTION-NETWORKS PRODUCTION-PAT
nat (inside,outside) after-auto source dynamic TESTING-NETWORKS TESTING-PAT
or was it something else that you were after?
- Jouni -
Placing NAT statements in sections
Is there a rule of thumb or general guideline for where you place these NAT statements?
I see 3 sections and after reading some posts I see a lot of "after-auto", which places the NAT statement in section 3.
I read the part in this document (http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157)
on the rule order, but I am still unclear.
Hi,
I would suggest reading a document I wrote here on the forums in the "Documents" section.
https://supportforums.cisco.com/docs/DOC-31116
It explains for example the NAT rule ordering and the way I use the different Sections.
In general I would place the typical different types of NAT in the following way:
Section 1
NAT0 / NAT Exempt
Policy type NAT configurations
Any other special/uncommon NAT configurations
Section 2
Static NAT
Static PAT
Section 3
Default Dynamic PAT/NAT rules meant for the majority of the users. The last section is the natural place for them as this rule should be the "last resort" for basic traffic through the firewall.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question.
Naturally ask more here in this discussion if you want some more specific answers than the document provides.
- Jouni -
Hi Dears.
I configured a site-to-site VPN on a router. The peer wants the interesting traffic from our side's user subnet to be 10.193.115.11, but our local subnet is
10.103.70.0/24. Our local subnet also has access to the internet.
local subnet: 10.10.3.70.0/24
peer local subnet: 10.193.128.11/23
I think that I must do policy NAT.
1. ip access-list extended vpn-traffic
permit ip 10.193.115.0 0.0.0.255 10.193.128.0 0.0.1.255
2. ip access-list extended nat-ipsec
permit ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
3. ip nat pool mswpool 10.193.115.1 10.193.115.14 netmask 255.255.255.240
ip nat inside source list nat-ipsec pool mswpool
And I also have PAT NAT for local users.
access-list 100 permit ip 10.103.70.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
Is this configuration right?
Please write your comment.
Thanks.
OK. Thanks.
At last our configuration is this:
access-list 100 deny ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
access-list 100 permit ip 10.103.70.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
For VPN traffic:
ip nat pool mswpool 10.193.115.1 10.193.115.14 netmask 255.255.255.240
ip nat inside source list nat-ipsec pool mswpool
ip access-list extended vpn-traffic
permit ip 10.193.115.0 0.0.0.255 10.193.128.0 0.0.1.255
ip access-list extended nat-ipsec
permit ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
You said that this configuration would help me with my aim.
Thanks again.