Same subnet NAT translation

Hi
Is there any documentation of same-subnet, private IP to private IP NAT translation on the Cisco website?

Hi
What device do you want to use?
As far as I know, ASAs can do this.
The other way is with two routers.
HTH

Similar Messages

  • No translation group for a statically nat'd ip connecting to an external IP of a device in the same subnet

    Hi, 
    I've currently got an issue where I have a device configured with static NAT that is trying to communicate with a NAT'd IP address of a device in the same subnet.
    I'm getting "No translation group found for tcp src sourceip/80 dst destip/80".
    I'm not 100% sure which areas of the config to post.
    Cheers,
    Neil

    Did you set the interface binding order correctly or to match the previous server?
    DNS: Valid network interfaces should precede invalid interfaces in the binding order
    http://technet.microsoft.com/en-us/library/dd391967(v=WS.10).aspx
    Modify the protocol bindings and network provider order
    http://technet.microsoft.com/en-us/library/cc732472(v=WS.10).aspx
    An incorrect IP address is returned when you ping a server by using its NetBIOS name in Windows Server 2008 or in Windows Server 2008 R2
    http://support2.microsoft.com/kb/981953
    You can view your current binding order by using this script, but please note, that I haven't tried this script, yet:
    Show NIC Binding Order
    http://gallery.technet.microsoft.com/scriptcenter/Get-NIC-Binding-Order-a2dc8087
    Also, prior to setting up the teams, make sure that the NIC is set to obtain IP automatically and not have a static entry on it. I've seen this cause problems in the past.
    If you have any unused NICs, such as Local Area Connection 2, don't just unplug them. You must disable them, otherwise they will try to register the APIPA in DNS and that will cause problems.
    Make sure that the correct DNS are on the interfaces that you need to use, too.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Nat inside to outside, IP not in same subnet as outside IP

    I already posted this but can't seem to find the post now, so re-posting.
    We have 10 IPs being NAT'd, all working OK. I need a server's outbound source address to be translated to an IP that is not in the same subnet as the outside IP:
    Outside IP = 193.xxx.xxx.99/23
    Translated IP = 195.xxx.xxx.64/24
    I have created the NAT rule to translate the traffic source address from 192.168.2.55 to 195.xxx.xxx.64. Packet trace shows it getting through, but this is not working in practice. The host that I have set the NAT rule up for can no longer access the WAN.
    Is this possible on an ASA?  

    It should work. I'd run capture on the outside and see if the packet is leaving the ASA and it's coming back or not. If it is, then it's ASA config within the NAT, and you need to look at proxy-arp parameter. If the packet doesn't come back, then it's maybe the router outside the ASA. You might need to take care of manual arp (ASA outside MAC and the new translate IP) and the routing to the new subnet back to ASA outside IP.

  • Access another host on same subnet through Nat'd IP address

    I appreciate any help in advance. I have a requirement to monitor a host's external IP address. The monitoring host (host A) initiating the request is located in the same DMZ subnet as the destination host (host B) I want to monitor, and both are NAT'd to external IP addresses. I was expecting to see a request going out from host A, getting NAT'd to its respective external IP address and then coming back in through the external interface to reach the NAT'd IP address of host B. Is this how NAT will be handled by the ASA, or am I missing something here? Thanks again.

    Borman,
    It's more complicated than that; consider the following scenario:
                                20.20.20.0/24
                   ASA------------------------------Internet
                      | (DMZ)
                 Switch
         Host A          Host B
       10.1.1.10      10.1.1.100
                          20.20.20.20 (Nat outside address)
    Basically you want to monitor your host B using its public IP address. Normally your NAT configuration (in the case of version 8.2 and prior) would be something like this:
    static (DMZ,outside) 20.20.20.20 10.1.1.100 netmask 255.255.255.255
    nat (DMZ) 1 0.0.0.0 0.0.0.0
    global (outside) 1 interface
    When going from Host A to host B, two translations should occur. First is the untranslate from 20.20.20.20 to 10.1.1.100 (by an internal process of the ASA); once it is untranslated, the route lookup comes into play. The firewall notices that the destination is on the same interface as the source of the packet, so we reach our first impasse: the ASA does not permit same-security traffic between hosts on the same interface by default. We overcome this with the following command:
    same-security-traffic permit intra-interface
    Now that is done, we move to the next step of packet processing: the ASA checks whether there is a NAT translation for a packet coming from the DMZ and going to the same DMZ. As you can see there is a "nat (DMZ) 1 0.0.0.0 0.0.0.0", which tells the firewall that everything coming from the DMZ should be translated. We hit that NAT, and since the outgoing interface is the same as the source interface (DMZ) and there is no global command for it, you will see an error that states "No translation group found". Here is how we overcome that issue:
    global (DMZ) 1 interface
    This will translate requests from the DMZ interface going to that same interface to the DMZ interface IP address. On the server 10.1.1.100 the connection will be seen as coming from the firewall, so the reply packets are sent to the firewall again, avoiding asymmetric routing.
    If running version 8.3 or higher, the concept is the same, but the commands change a bit.
    8.3
    same-security-traffic permit intra-interface
    object network Server_Public
    host 20.20.20.20
    object network Server_Private
    host 10.1.1.100
    object network Any
    subnet 0.0.0.0 0.0.0.0
    nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
    So, bottom line, configuration needed on 8.2:
    global (DMZ) 1 interface
    same-security-traffic permit intra-interface
    Configuration for 8.3
    same-security-traffic permit intra-interface
    object network Server_Public
    host 20.20.20.20
    object network Server_Private
    host 10.1.1.100
    object network Any
    subnet 0.0.0.0 0.0.0.0
    nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
    Hope this helps a bit.
    Mike
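To make the packet walk in Mike's answer concrete, here is an added Python model (not ASA code and not from the post) of the four decisions it describes for a DMZ host reaching 20.20.20.20: untranslate via the static, route lookup, the intra-interface permission, and the nat/global lookup on the egress interface. The addresses are the ones in the post; the DMZ interface address 10.1.1.1 and the outside interface address 20.20.20.1 are assumptions, since the post does not give them.

```python
"""Model of the ASA 8.2 decision steps for a DMZ-to-DMZ hairpin connection.

Constructed illustration of the post above, not ASA code. Addresses are from
the post; the DMZ interface address 10.1.1.1 and outside interface address
20.20.20.1 are assumptions."""
from ipaddress import IPv4Address, IPv4Network


class Asa82Model:
    def __init__(self, dmz_if_ip="10.1.1.1", dmz_net="10.1.1.0/24"):
        # interface name -> (interface address, directly connected network)
        self.interfaces = {
            "DMZ": (IPv4Address(dmz_if_ip), IPv4Network(dmz_net)),
            "outside": (IPv4Address("20.20.20.1"), IPv4Network("20.20.20.0/24")),  # .1 assumed
        }
        self.statics = []      # (real_if, mapped_if, mapped_ip, real_ip)
        self.nats = []         # (interface, nat_id, real network)
        self.globals_ = []     # (interface, nat_id)
        self.intra_interface = False   # same-security-traffic permit intra-interface

    # --- configuration commands, mirroring the 8.2 syntax in the post ------
    def static(self, real_if, mapped_if, mapped_ip, real_ip):
        self.statics.append((real_if, mapped_if, IPv4Address(mapped_ip), IPv4Address(real_ip)))

    def nat(self, interface, nat_id, network):
        self.nats.append((interface, nat_id, IPv4Network(network)))

    def global_(self, interface, nat_id):
        self.globals_.append((interface, nat_id))

    # --- packet path ---------------------------------------------------------
    def route_lookup(self, dst):
        for name, (_, net) in self.interfaces.items():
            if dst in net:
                return name
        return "outside"  # default route points out the outside interface

    def untranslate(self, dst):
        # A packet addressed to a static's mapped address is rewritten to the real address.
        for _real_if, _mapped_if, mapped_ip, real_ip in self.statics:
            if dst == mapped_ip:
                return real_ip
        return dst

    def forward(self, in_if, src, dst):
        src, dst = IPv4Address(src), IPv4Address(dst)
        real_dst = self.untranslate(dst)
        out_if = self.route_lookup(real_dst)
        if out_if == in_if and not self.intra_interface:
            return "DROP: same-security-traffic permit intra-interface not configured"
        # nat (in_if) <id> <net> selects the source; a global with the same id
        # must exist on the egress interface, otherwise there is no translation group.
        for nat_if, nat_id, net in self.nats:
            if nat_if == in_if and src in net:
                if (out_if, nat_id) in self.globals_:
                    mapped_src = self.interfaces[out_if][0]  # "global ... interface" = PAT to egress address
                    return f"FORWARD {mapped_src}->{real_dst} out {out_if}"
                return (f"DROP: No translation group found for src {in_if}:{src} "
                        f"dst {out_if}:{real_dst} (nat id {nat_id})")
        return f"FORWARD {src}->{real_dst} out {out_if}"


def build(with_dmz_global, intra_interface=True):
    """Mike's 8.2 configuration, optionally with the global (DMZ) line added."""
    asa = Asa82Model()
    asa.intra_interface = intra_interface
    asa.static("DMZ", "outside", "20.20.20.20", "10.1.1.100")  # static (DMZ,outside) 20.20.20.20 10.1.1.100
    asa.nat("DMZ", 1, "0.0.0.0/0")                               # nat (DMZ) 1 0.0.0.0 0.0.0.0
    asa.global_("outside", 1)                                    # global (outside) 1 interface
    if with_dmz_global:
        asa.global_("DMZ", 1)                                    # global (DMZ) 1 interface
    return asa


if __name__ == "__main__":
    for flag in (False, True):
        label = "with global (DMZ) 1 interface" if flag else "without global (DMZ)"
        print(label, "->", build(flag).forward("DMZ", "10.1.1.10", "20.20.20.20"))
```

Without the DMZ global the model returns the same "No translation group found" condition the thread above hit; with it, host A's traffic leaves towards 10.1.1.100 sourced from the DMZ interface address, which is why the server's reply comes back through the firewall.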

  • Can 2 vlans have the same subnet?

    I hope the combined genius of the fellow community can answer me this. I am new to Cisco, and I understand VLANs as a physical boundary separating broadcast domains.
    I was wondering if it is possible to divide 1 subnet (192.168.1.0) into two separate VLANs? I have all layer 3 switches in my environment. Making matters worse, there would be no pattern for the IP address assignments into VLAN-A vs. VLAN-B.
    If this is possible, can you please explain the mechanisms for a successful implementation. 

    It mostly depends on if/how you want hosts on them to talk to one another (or to other networks).
    If the answer is "not at all" then you can have as many VLANs as you like using the same subnet.
    If the answer is "completely" then you have to either (a) break your addressing (L3) down to have one set of hosts in subnet A (on VLAN A) and the others in subnet B (on VLAN B), or (b) have some fancy tricks in place with network address translation (NAT).
    I'll leave the latter solution off as beyond the scope of your question.
    For the former, you would just change your subnet mask - for example, if the classful subnet is a "standard" /24 (255.255.255.0) then split it in two - /25 or 255.255.255.128. Assign hosts in one or the other.
    You have to have some pattern - all networking is based on patterns in some way or another.

  • What's the best way to do many NAT translations for WWW farm?

    Hello all, I hope this finds you in good spirits.
    I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused about the best and most efficient way to do many NAT translations through it. I have a group of about 100 IPs that need http/https and sqlnet allowed through for our web farm.
    I have a text file with the real and translated IP addresses, and in 8.2 I could simply modify it and dump the thing in to make the NAT rules and access-lists. Now with the new object-based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
    Do I have to create a network object for each and every IP I want to NAT through?
    Thank you for your consideration!

    Were your NATs not present in the pre-upgrade code? If they were, they should have been automatically rebuilt along with the recommended objects.
    If they weren't, you can relatively easily make a little script or spreadsheet with some transforms to go from your text listing to the necessary network objects and new-syntax NAT rules.
    It's also relatively easy to build them in ASDM and just copy, insert and modify down the list. You can even use the "Add Object" part of the GUI to also add the NAT rules at the same time:
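As an added example of the script the reply suggests (not Cisco's tooling and not the poster's own script), here is a Python generator that turns a two-column real/translated listing into 8.3+ object NAT plus one access-list line for the web farm ports. The listing format (one "real mapped" pair per line, `#` starts a comment), the interface names inside/outside, the ACL name outside_access_in and the addresses in SAMPLE_LISTING are constructed assumptions.

```python
"""Generate ASA 8.3+ object NAT and an access-list from a real/mapped listing.

Added example for the thread above, not Cisco's or the poster's code. The
listing format, interface names, ACL name and sample addresses are assumptions."""
import ipaddress

SAMPLE_LISTING = """\
# real             mapped          (constructed sample data)
192.168.2.55       203.0.113.64
192.168.2.56       203.0.113.65
192.168.2.57       203.0.113.66
"""

# Services the question names; 'sqlnet' is the ASA port literal for TCP/1521.
WEB_FARM_PORTS = ("www", "https", "sqlnet")


def parse_listing(text):
    """Return [(real, mapped)] as IPv4Address pairs; reject malformed or duplicate entries."""
    pairs, seen_real, seen_mapped = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'real mapped', got {raw!r}")
        real, mapped = (ipaddress.IPv4Address(p) for p in parts)
        # A real address translated twice, or a mapped address reused, is exactly
        # the kind of mistake a bulk paste hides; refuse it before generating config.
        if real in seen_real or mapped in seen_mapped:
            raise ValueError(f"line {lineno}: duplicate address in {raw!r}")
        seen_real.add(real)
        seen_mapped.add(mapped)
        pairs.append((real, mapped))
    return pairs


def render_config(pairs, real_if="inside", mapped_if="outside",
                  acl="outside_access_in", group="WEBFARM", ports=WEB_FARM_PORTS):
    """Emit one network object per real host (with its static Auto NAT, Section 2),
    one object-group of real hosts, one service group and one ACL line."""
    lines = []
    for real, mapped in pairs:
        lines += [f"object network obj-{real}",
                  f" host {real}",
                  f" nat ({real_if},{mapped_if}) static {mapped}"]
    # 8.3+ access-lists reference the real (untranslated) addresses.
    lines.append(f"object-group network {group}-REAL")
    lines += [f" network-object host {real}" for real, _ in pairs]
    lines.append(f"object-group service {group}-PORTS tcp")
    lines += [f" port-object eq {p}" for p in ports]
    lines.append(f"access-list {acl} extended permit tcp any "
                 f"object-group {group}-REAL object-group {group}-PORTS")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(parse_listing(SAMPLE_LISTING)))
```

So the answer to "one object per IP?" is yes for the real hosts, because the static Auto NAT statement lives inside that object, but the mapped address can stay inline and the ACL needs only one line per service group rather than one per host.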

  • How do I load balance TFTP between two servers and a client on the same subnet?

    Hi,
    I have trawled through several documents and tried umpteen different configs, all to no avail. I have a PXE boot client trying to access a boot file via TFTP from a couple of TFTP servers on the same VLAN/subnet. For HA purposes I want to load balance the two TFTP servers.
    Config is currently:
    =====
    probe icmp ICMP_PROBE
      description icmp probe for default gateway tracking
      interval 5
      passdetect interval 15
    rserver host server1
      description Server1
      ip address 10.0.0.1
      inservice
    rserver host server2
      description Server 2
      ip address 10.0.0.2
      inservice
    serverfarm host serverfarm_01
      description servers used
      probe ICMP_PROBE
      rserver server1
        inservice
      rserver server2
        inservice
    class-map match-all L4_VIP_TFTP
      10 match virtual-address 10.0.0.10 udp eq 69
    policy-map type loadbalance first-match L7_TFTP
      class class-default
        serverfarm serverfarm_01
    policy-map multi-match L4_LB_VIP_POLICY
      class L4_VIP_TFTP
        loadbalance vip inservice
        loadbalance policy L7_TFTP
        loadbalance vip icmp-reply active
    nat dynamic 1 vlan 200
    interface vlan 200
      ip address 10.0.0.250 255.255.255.0
      nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.255 pat
      service-policy input L4_LB_VIP_POLICY
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.0.254
    =====
    I have read the doco by Ivan Kovacevic amongst many others, but as my clients and servers are on the same subnet, the config doesn't work.
    Can anybody point me in the right direction please. The devices are ACE 4710 running A3(2.3).
    Thanks

    Try using the following configuration:
    Note: please make sure to also configure a UDP probe for UDP port 69, in case the application is down.
    You need to configure a management policy on the interface when using a UDP probe.
    That is because, when port 69 on the server is unreachable, the server will send an ICMP unreachable.
    ACE will consider a UDP probe as "failed" only when it sees the ICMP unreachable.
    Without a management policy-map, the ICMP unreachable message will be dropped.
    Also, add an ICMP probe to the rserver, because the UDP probe will not be enough when the physical interface is down.
    That is because UDP is a connection-less protocol. To consider a UDP probe successful, ACE needs to see NO answer from the server in response to the probe.
    The ACE will not see any answer from the server when the interface is down and thus will consider the probe as "successful".
    With an ICMP probe attached to the rserver, you also test the reachability of the server and not only the UDP port.
    Here is the configuration (of course, you can change the names of the objects to the names you are using if you want):
    access-list ALL line 10 extended permit ip any any
    probe udp TFTP
      port 69
      interval 5
      passdetect interval 15
    probe icmp ICMP_PROBE
      interval 5
      passdetect interval 15
    rserver host TFTP_1
      ip address 10.0.0.1
      probe TFTP
      probe ICMP_PROBE
      inservice
    rserver host TFTP_2
      ip address 10.0.0.2
      probe TFTP
      probe ICMP_PROBE
      inservice
    serverfarm host TFTP-SFARM
      rserver TFTP_1
        inservice
      rserver TFTP_2
        inservice
    sticky ip-netmask 255.255.255.255 address source TFTP-STICKY
      timeout 10
      replicate sticky
      serverfarm TFTP-SFARM
    class-map type management match-any MANAGE
      2 match protocol icmp any
    class-map match-all NAT
      2 match virtual-address 0.0.0.0 0.0.0.0 udp any
    class-map match-all TFTP
      2 match virtual-address 10.0.0.10 udp eq 69
    policy-map type management first-match MANAGE
      class MANAGE
        permit
    policy-map type loadbalance first-match ROUTE
      class class-default
        forward
    policy-map type loadbalance first-match TFTP-POL
      class class-default
        sticky-serverfarm TFTP-STICKY
    policy-map multi-match TFTP-MULTI
      class TFTP
        loadbalance vip inservice
        loadbalance policy TFTP-POL
        nat dynamic 1 vlan 212
      class NAT
        loadbalance vip inservice
        loadbalance policy ROUTE
        nat dynamic 2 vlan 212
    interface vlan 212
      ip address 10.0.0.250 255.255.255.0
      no normalization
      access-group input ALL
      nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.0 pat
      nat-pool 2 10.0.0.10 10.0.0.10 netmask 255.255.255.0 pat
      service-policy input TFTP-MULTI
      service-policy input MANAGE
      no shutdown
    Let me know how it goes.
    Good luck!

  • Problem accessing another public ip in same subnet

    Hi,
    I have searched around for a previous post regarding this but can't find an issue similar to mine (or I'm just too stupid to understand that it is).
    I have a Cisco 5505 at a small business that I help. The problem is that the ISP is providing public IPs to multiple customers in a /24 subnet. The ASA has a single public IP configured, 8.8.8.8 (not really, just for the example's sake), with a subnet mask of 255.255.255.0.
    The web server I have to access is not managed by me and is located at a different site (same town though); it has 8.8.8.115 and is in the same subnet as the ASA.
    How would I make this work? I have tried to configure a static ARP entry for the web server but it just won't work. If I place a computer directly on the outside interface I have no problem accessing the web server.
    I am running ASA version 8.2, but I could upgrade if it would help me solve the problem.
    Any help with this issue is much appreciated.

    The ISP only specifies one gateway in that range, and that is 8.8.8.1, so any other would not let me access the internet.
    Once again thank you for your time.
    : Saved
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name XXXXXXX
    enable password XXXXXXX encrypted
    passwd XXXXXXX encrypted
    names
    name 8.8.8.8 Outside_IP
    name 192.168.20.2 Server
    name 192.168.20.11 rav-dc01
    name 192.168.20.12 rav-ms01
    name 192.168.20.13 rav-rds01
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.20.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address Outside_IP 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name XXXXXXX
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list inside_nat0_outbound extended permit ip any 192.168.25.0 255.255.255.0
    access-list RemoteVPNSplittunnel standard permit 192.168.20.0 255.255.255.0
    access-list outside_access_in extended permit tcp host 100.100.100.228 interface outside eq 3389
    access-list outside_access_in extended permit tcp any interface outside eq smtp
    access-list outside_access_in extended permit udp any interface outside eq 4125
    access-list outside_access_in extended permit tcp any interface outside eq 4125
    access-list outside_access_in extended permit tcp any interface outside eq https
    access-list outside_access_in extended permit tcp any interface outside eq pptp
    access-list outside_access_in extended permit tcp any interface outside eq 444
    access-list outside_access_in extended permit gre any interface outside
    access-list outside_access_in extended permit udp any interface outside eq 444
    access-list outside_access_in extended permit tcp any interface outside eq www
    access-list inside_access_in extended permit tcp host rav-ms01 any eq smtp
    access-list inside_access_in extended deny tcp any any eq smtp
    access-list inside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool RemoteVPNPool 192.168.25.100-192.168.25.200 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) udp interface 4125 Server 4125 netmask 255.255.255.255
    static (inside,outside) tcp interface 4125 Server 4125 netmask 255.255.255.255
    static (inside,outside) tcp interface https rav-ms01 https netmask 255.255.255.255  dns
    static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 rav-rds01 3389 netmask 255.255.255.255  dns
    static (inside,outside) tcp interface smtp rav-ms01 smtp netmask 255.255.255.255
    static (inside,outside) udp interface 444 Server 444 netmask 255.255.255.255
    static (inside,outside) tcp interface 444 Server 444 netmask 255.255.255.255
    static (inside,outside) tcp interface www Server www netmask 255.255.255.255  dns
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 8.8.8.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server rav_Intern protocol radius
    aaa-server rav_Intern (inside) host rav-dc01
    key CiscoAsa5505RAV2012
    radius-common-pw CiscoAsa5505RAV2012
    http server enable 8080
    http 192.168.20.0 255.255.255.0 inside
    http 192.168.25.0 255.255.255.0 inside
    http 100.100.101.128 255.255.255.192 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection timewait
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.20.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.20.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd address 192.168.20.190-192.168.20.200 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server rav-dc01 source inside
    webvpn
    group-policy RemoteVPN internal
    group-policy RemoteVPN attributes
    wins-server value 192.168.20.11
    dns-server value 192.168.20.11
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value RemoteVPNSplittunnel
    default-domain value rav.nu
    split-dns value rav.nu
    username SupportVPN password XXXXXXX encrypted privilege 0
    username SupportVPN attributes
    vpn-group-policy RemoteVPN
    tunnel-group RemoteVPN type remote-access
    tunnel-group RemoteVPN general-attributes
    address-pool RemoteVPNPool
    authentication-server-group rav_Intern
    accounting-server-group rav_Intern
    default-group-policy RemoteVPN
    tunnel-group RemoteVPN ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect pptp
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8481ab3aa01b23bad17bacb2aca7197a
    : end
    asdm image disk0:/asdm-621.bin
    no asdm history enable

  • How to use MARS for NAT Translation Analysis...

    Hi All,
    I was wondering if we could use MARS to do NAT logging. To be more specific, currently we are using a PIX firewall that does dynamic NAT/PAT. We log NAT translations to a syslog server and, if further required, we search the files to find what we want.
    I was wondering if anyone had tried sending translation logs to MARS and then doing a custom report for NAT translations (i.e. by source, destination, time etc.).
    Regards.

    Hello Nicolas,
    Use the following steps :
    Step 1
    Locate the File “global.properties”
    Drive:\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom
    The following values should be present:
    vintela.enabled=true
    idm.realm=Domain Name (you can get the name from C:\Windows\Krb5.ini)
    idm.princ=SPN User
    idm.allowUnsecured=true
    idm.allowNTLM=false
    idm.logger.name=simple
    idm.logger.props=error-log.properties
    Step 2:
    Locate the file “web.xml”
    D:\SAP BusinessObjects\Tomcat6\webapps\dswsbobje\WEB-INF
    Uncomment the Kerberos Proxy Filter and the Kerberos Filter sections to enable Kerberos SSO for Windows Active Directory (secWinAD) authentication. The following options must be specified (the rest are optional)
    idm.realm = SPN user (the same as the default_realm specified in the Krb5.ini file)
    idm.princ = SPN User (the same as specified for idm.princ in the global.properties)
    idm.keytab = (the same as specified for idm.keytab in the global.properties )
    Please note, if you are using the hardcoded password set in Tomcat's Java Options do not make any changes to the keytab lines in the web.xml
    Step 3:
    Back up and edit Drive:\Tomcat6\webapps\dswsbobje\WEB-INF\classes\dsws.properties by setting kerberos.sso to 'true'. Restart Tomcat.
    KR,
    MD

  • CSS Load balancing on same subnet/vlan

    Hi
    I have connections coming in to a VIP which is load balanced with a CSS between web servers. However I need the web servers to talk to a VIP on the same subnet and then load balance that to servers in the same subnet as my web servers. We are using the CSS's in bridging mode. Is this possible?

    Yes, it is possible. You can define one VIP to load balance traffic to your web servers and another VIP (on the same subnet) to allow load balancing between web servers and back-end servers. If the web servers use a different TCP port to communicate with the back-end servers than for the web access, you can even use the same VIP address and two content rules.
    Something is however very important to make this work: you have to NAT the source address for the back-end server connections to make sure the return traffic passes through the CSS and not directly to the web server (they are on the same subnet).
    Yves Haemmerli (IBM)

  • VPN ASA inside Interface and ip pool are one same Subnet

    Hi Everyone,
    I have configured RA VPN full tunnel.
    Inside interface of ASA is
    Vlan1                    inside                 10.0.0.1        255.255.255.0   CONFIG
    ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
    I need to know: is it good design to have both on the same subnet?
    When I access the switch connected to the VPN ASA inside interface via https://10.0.0.2
    (the switch has IP 10.0.0.2) while using a remote VPN connection to the ASA, it does not work and gives the error
    messages below.
    Jan 19 2014 19:42:46: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51077(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure.
    Jan 19 2014 19:42:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51078(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure
    Jan 19 2014 19:42:59: %ASA-6-302014: Teardown TCP connection 22418 for outside:10.0.0.51/51069(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:01:08 bytes 1035 TCP Reset-O (ipsec-user)
    Jan 19 2014 19:42:59: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/51069 to 10.0.0.1/443 flags FIN ACK  on interface outside
    Current NAT config is
    nat (inside,outside) source dynamic any interface
    Regards
    Mahesh
    Message was edited by: mahesh parmar

    Hi Mahesh,
    It should work but I generally would not suggest having the same network on the LAN and also configured partially as a VPN Pool network.
    Your problem at the moment is simply lacking the NAT0 configuration for the traffic between LAN and VPN Pool.
    I would suggest changing the VPN Pool first and then configuring this
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network VPN-POOL
    subnet
    nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
    We have to use the line number "1" in the above command so that it gets moved to the top since your current Dynamic PAT would otherwise override it.
    In the future it would be best if you changed your current Dynamic PAT configuration to this
    nat (inside,outside) after-auto source dynamic any interface
    We simply add the "after-auto" to this Dynamic PAT configuration so that it gets moved down in priority. The "after-auto" refers to the fact that this NAT will be inserted after Auto NAT (after Section 2). Your current rule is Manual NAT (Section 1). The new rule will be Manual NAT (Section 3).
    - Jouni
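Added example for Jouni's point about NAT sections and the %ASA-5-305013 message in Mahesh's log: a Python model (not ASA code and not from the thread) of first-match evaluation across Section 1, Section 2 and Section 3, followed by the reverse-flow check that produces "NAT reverse path failure" when the reply would be translated differently from the request. The LAN object and the 10.0.0.51-10.0.0.100 pool come from the thread; representing VPN-POOL as a range object and using 203.0.113.1 as the outside interface address are assumptions.

```python
"""Model of ASA 8.3+ NAT section ordering and the reverse-path check.

Constructed illustration of the thread above, not ASA code. VPN-POOL as a
range object and the outside interface address 203.0.113.1 are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

OUTSIDE_IF_IP = IPv4Address("203.0.113.1")   # assumed outside interface address

ANY = [IPv4Network("0.0.0.0/0")]
LAN = [IPv4Network("10.0.0.0/24")]                                              # object network LAN
VPN_POOL = list(summarize_address_range(IPv4Address("10.0.0.51"),
                                        IPv4Address("10.0.0.100")))             # assumed range object


@dataclass
class Rule:
    section: int      # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT after-auto
    real_if: str
    mapped_if: str
    real_src: list    # networks the real source must fall in
    real_dst: list    # networks the real destination must fall in
    identity: bool    # True: "source static X X" (no change); False: "source dynamic ... interface"


def in_object(addr, networks):
    return any(addr in net for net in networks)


def translate_source(rules, in_if, out_if, src, dst):
    """First matching rule wins, walking Section 1, then 2, then 3 in configured order."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for rule in sorted(rules, key=lambda r: r.section):  # sorted() is stable: config order within a section
        if (rule.real_if == in_if and rule.mapped_if == out_if
                and in_object(src, rule.real_src) and in_object(dst, rule.real_dst)):
            return src if rule.identity else OUTSIDE_IF_IP
    return src  # no rule matched: the source passes untranslated


def check_connection(rules, in_if, out_if, src, dst):
    """Forward flow in_if->out_if, then the reverse flow the server's reply takes.
    If the reverse lookup would rewrite the server's address, the two flows
    disagree and the connection is denied (NAT reverse path failure)."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    fwd_src = translate_source(rules, in_if, out_if, src, dst)
    rev_src = translate_source(rules, out_if, in_if, dst, fwd_src)
    if rev_src != dst:
        return (f"denied: NAT reverse path failure for {in_if}:{src} -> {out_if}:{dst} "
                f"(reverse flow would translate {dst} to {rev_src})")
    return f"ok: {in_if}:{fwd_src} -> {out_if}:{dst}"


# nat (inside,outside) source dynamic any interface            (Mahesh's current rule, Section 1)
PAT = Rule(1, "inside", "outside", ANY, ANY, identity=False)
# nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
IDENTITY = Rule(1, "inside", "outside", LAN, VPN_POOL, identity=True)
# nat (inside,outside) after-auto source dynamic any interface (Section 3)
PAT_AFTER_AUTO = Rule(3, "inside", "outside", ANY, ANY, identity=False)

CURRENT = [PAT]                          # configuration from the question
FIX_LINE_1 = [IDENTITY, PAT]             # identity NAT inserted at line 1, ahead of the PAT
WRONG_ORDER = [PAT, IDENTITY]            # identity appended after the PAT in Section 1: shadowed
AFTER_AUTO = [PAT_AFTER_AUTO, IDENTITY]  # PAT in Section 3: insertion order no longer matters

if __name__ == "__main__":
    for name, rules in (("current", CURRENT), ("fix at line 1", FIX_LINE_1),
                        ("wrong order", WRONG_ORDER), ("after-auto", AFTER_AUTO)):
        print(f"{name:14s}", check_connection(rules, "outside", "inside", "10.0.0.51", "10.0.0.2"))
```

The model reproduces the thread's three statements: the current single PAT rule fails the reverse-path check, the identity rule fixes it only when it is evaluated before the PAT (hence the line number 1), and moving the PAT to after-auto makes the ordering robust; LAN hosts talking to anything outside the pool still hit the PAT.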

  • Sh ip nat translations

    Hi,
    When I run show ip nat translations on our gateway router, it comes up with an Inside Local IP address that does NOT belong to our local network. See attached.
    192.168.1.0/24 does not belong to any of our users; it is not in the routing table as a static route (we don't use a dynamic protocol), nor is it a configured interface on the router.
    Is there a way I can trace which VLAN this IP is coming from? Before this, the network 192.168.1.0/24 was flooding our NAT pool and I had to configure the following under the NAT pool ACL:
    deny ip 192.168.1.0 0.0.0.255 any any log
    Show log:
    Jun 18 2007 14:41:46.081 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 15 packets
    and
    Jun 18 2007 14:51:29.101 EST: %SEC-6-IPACCESSLOGDP: list NAT_ACL denied icmp 192.168.1.111 -> 71.8.70.164 (0/0), 3 packets
    Could this be a DoS attack?
    We are currently experiencing Internet outage to some users which cannot use HTTP, mail and terminal service.
    Thanks

    Are there any subnets inside that are connected to a different network over VPN
    with IP 192.168.1.X etc. and access the internet?
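Before treating the 192.168.1.0/24 hits as a DoS it helps to size and group them. The following added Python (not Cisco or forum code) parses %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP lines like the ones in the question, drops sources that belong to known internal networks, and totals the remaining denied packets per source host and per /24. The first two log lines are the ones from the question; the other two and KNOWN_INTERNAL are constructed, since the thread does not give the real address plan.

```python
"""Parse IOS ACL log messages and summarise denied traffic from unknown sources.

Added example for the thread above, not Cisco or forum code. The first two
SAMPLE_LOG lines are from the question; the rest and KNOWN_INTERNAL are
constructed placeholders for the poster's real address plan."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

KNOWN_INTERNAL = [ip_network("10.0.0.0/8")]   # assumption: the poster's own inside ranges

SAMPLE_LOG = """\
Jun 18 2007 14:41:46.081 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 15 packets
Jun 18 2007 14:51:29.101 EST: %SEC-6-IPACCESSLOGDP: list NAT_ACL denied icmp 192.168.1.111 -> 71.8.70.164 (0/0), 3 packets
Jun 18 2007 14:52:03.417 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL permitted tcp 10.0.1.20(50012) -> 71.8.70.164(80), 1 packet
Jun 18 2007 14:53:11.020 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 22 packets
"""

# IPACCESSLOGP carries ports in parentheses; IPACCESSLOGDP carries "(type/code)" after the destination.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>\w+): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?"
    r", (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the message fields as a dict, or None for lines that are not ACL logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def is_known(addr, known=KNOWN_INTERNAL):
    return any(ip_address(addr) in net for net in known)


def unknown_sources(log_text, known=KNOWN_INTERNAL):
    """Denied packets per source that is not in a known internal network, plus the
    destinations each one tried; the destinations are what you trace back to a VLAN
    or VPN peer (a 10.0.1.1 target from 192.168.1.x points at something routed inside)."""
    packets, targets = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied" or is_known(rec["src"], known):
            continue
        packets[rec["src"]] += rec["count"]
        targets[rec["src"]].add(rec["dst"])
    return packets, targets


def by_prefix(packets, prefixlen=24):
    """Roll per-host counts up to a prefix, to see which network the traffic belongs to."""
    rolled = Counter()
    for src, n in packets.items():
        rolled[str(ip_network(f"{src}/{prefixlen}", strict=False))] += n
    return rolled


if __name__ == "__main__":
    pk, tg = unknown_sources(SAMPLE_LOG)
    for src, n in pk.most_common():
        print(f"{src:16s} {n:6d} denied packets -> {sorted(tg[src])}")
    print(by_prefix(pk))
```

A few tens of packets per sample interval from two hosts in one /24 towards an inside address looks far more like a misrouted or misconfigured segment than a flood; the per-destination set tells you where to look next (the inside address 10.0.1.1 that both hosts try to reach).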

  • ACE module client and real servers on same subnet

    I am working on an ACE load balancing implementation which has the following requirements. Can someone let me know if this can be implemented, and how?
    Configuration
    test context
    real server vlan 233
    real server subnet - 167.6.233.x
    VIP vlan - 539
    VIP subnet - 167.6.238.128/25
    production context
    real server vlan 232
    real server subnet - 167.6.232.x
    VIP vlan - 538
    VIP subnet - 167.6.238.0/25
    Load balancing is configured in routed mode with the ACE as the gateway for the test and prod real server subnets (233 and 232 subnets).
    Test and production servers are mixed in these subnets. So we need to configure source NAT to access the test servers in the production subnet (232) and vice versa.
    Here are the scenarios and questions:
    1. Clients need to access the real servers in the prod subnet (232) through the VIP configured in the test context (vlan 539) - this is done by SNAT at vlan 539 and is working.
    2. Real servers in the test subnet (233) need to access real servers in the same subnet (233) through the VIP configured in the test context (vlan 539) - this is done by SNAT at vlan 233 and is working.
    3. Real servers in the prod subnet (232) need to access the real servers in the test subnet (233) through the VIP configured in the test context (vlan 539) - this appears to be working fine without any additional configuration.
    4. Real servers in the test subnet (233) need to access other real servers in the prod subnet (232) through the VIP configured in the test context (539) - this is not working.
    5. Real servers in the test subnet (233) need to access another real server which is not on one of the subnets behind the ACE (167.6.56.x) - this is not working.
    Can we implement the scenarios 4 and 5?

    Hi Suresh,
    I see it's a bit complex and we do not have the config at hand.
    However for the scenario 4 if you apply the policy already applied on vlan 539 on the interface vlan233 then the ACE should catch the packets and apply the policy (i.e. forward the packets to the serverfarm you want)
    Alessandro
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Virtual IP and server IPs on the same subnet?

    Hi,
    Is it possible to have the VIP and the IPs of the individual servers on the same subnet when the CSS is used in-line?
    thanks a lot,
    alec

    Hi Alec,
    this is only possible if you configure the CSS in "one-armed configuration mode". In other words, the servers have to think that the request is coming from the CSS, so that the return flow is directed to the CSS and NOT to the client directly. In other words, you have to use source NAT done by source groups or ACLs.
    Kind regards,
    Joerg

  • Problem with Cisco 831 router NAT translation or routing

    Hello,
    I've reviewed several posts on this forum, very useful, and I think this 831 router config should allow for NATing port 8080 to the 'inside' IP address, per the statement below, but my efforts have not been successful: no responses get back to the outside client (xx.24.40). Clients on the inside can communicate outbound fine. The IIS server at .10.3 is definitely up and running on port 8080. I know this is probably a duplicate of other posts, but if anyone can pinpoint my error I would really appreciate it!!
    ip nat inside source static tcp 10.10.10.3 8080 interface Ethernet1 8080
    Here is some debug ip nat output when attempting to connect on port 8080; I do not get a response back from the server to the external client (xx.24.40)...
    Feb 03 13:22:49 10.10.10.1 297472: *Mar 2 00:09:31.894: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21674]    
    Feb 03 13:22:49 10.10.10.1 297473: *Mar 2 00:09:31.894: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21674]
    Feb 03 13:22:52 10.10.10.1 297474: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21678]    
    Feb 03 13:22:52 10.10.10.1 297475: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21678]
    Feb 03 13:22:52 10.10.10.1 297476: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21679]    
    Feb 03 13:22:52 10.10.10.1 297477: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21679]
    Feb 03 13:22:58 10.10.10.1 297478: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21684]    
    Feb 03 13:22:58 10.10.10.1 297479: *Mar 2 00:09:40.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21684]
    Feb 03 13:22:58 10.10.10.1 297480: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21685]    
    Feb 03 13:22:58 10.10.10.1 297481: *Mar 2 00:09:40.910: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21685]
    Feb 03 13:23:10 10.10.10.1 297482: *Mar 2 00:09:52.922: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21698]    
    Feb 03 13:23:10 10.10.10.1 297483: *Mar 2 00:09:52.922: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21698]
    Feb 03 13:23:13 10.10.10.1 297484: *Mar 2 00:09:55.930: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21702]    
    Feb 03 13:23:13 10.10.10.1 297485: *Mar 2 00:09:55.930: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21702]
    Feb 03 13:23:19 10.10.10.1 297486: *Mar 2 00:10:01.934: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21709]    
    Feb 03 13:23:19 10.10.10.1 297487: *Mar 2 00:10:01.934: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21709]
    Feb 03 13:23:58 10.10.10.1 297489: *Mar 2 00:10:41.306: NAT: expiring xx.xx.254.128 (10.10.10.3) tcp 8080 (8080)
    538-R1023-C830#sh running-config full
    Building configuration...
    Current configuration : 4329 bytes
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 538-R1023-C830
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    no logging console
    no aaa new-model
    resource policy
    ip subnet-zero
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool sdm-pool
     import all
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.1
     dns-server 10.1.18.152
     lease 0 2
    ip cef
    ip domain list sd.cox.net
    ip domain name sd.cox.net
    no ip ips deny-action ips-interface
    no ftp-server write-enable
    crypto pki trustpoint TP-self-signed-75609932
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-75609932
     revocation-check none
     rsakeypair TP-self-signed-75609932
    crypto pki certificate chain TP-self-signed-75609932
     certificate self-signed 01
      <snip>
    interface Ethernet0
     description inside
     ip address 10.10.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    interface Ethernet1
     description outside
     ip address dhcp
     ip access-group 101 in
     ip nat outside
     ip virtual-reassembly
     duplex auto
    interface Ethernet2
     no ip address
     shutdown
    interface FastEthernet1
     no ip address
     duplex auto
     speed auto
    interface FastEthernet2
     no ip address
     duplex auto
     speed auto
    interface FastEthernet3
     no ip address
     duplex auto
     speed auto
    interface FastEthernet4
     no ip address
     duplex auto
     speed auto
    no ip classless
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 1 interface Ethernet1 overload
    ip nat inside source static tcp 10.10.10.3 8080 interface Ethernet1 8080
    logging trap debugging
    logging 10.10.10.3
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 101 permit ip any any
    control-plane
    banner login ^C
    ^C
    line con 0
     login local
     no modem enable
    line aux 0
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    scheduler max-task-time 5000
    end

    Hi Alain,
    Yes, the client I was testing with is on the same subnet as the public router IP. Good thought on the firewall; I will disable any firewall on the IIS machine (my laptop) and re-test. Will reply with those results on Monday. Ultimately I'm needing to test NAT for port 9100 to a printer; I'll add that and test as well. Firewall shouldn't be a factor with the printer.
    Thank you.
    Grant
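
The debug output Grant posted only ever shows "NAT: o:" lines (packets arriving on the outside interface) followed by the translation to 10.10.10.3; there is no "NAT: i:" line for a reply from the inside host, which is why the thread turns to the server's firewall and the test client's placement rather than to the static NAT entry itself. The script below is an added example (not from this thread or from Cisco) that parses `debug ip nat` lines into per-client flows and flags the ones that were translated inbound but never answered from inside. The sample lines marked as taken from the post are copied from above; the "healthy" sample with an "i:" pair is constructed to show what a working port forward looks like, and the regex assumes the two line shapes visible in the post.

```python
import re
from collections import defaultdict

# Lines taken from the post above: inbound packets on the outside interface
# ("o:"), the resulting translation ("s=...->..."), and the entry expiring.
SAMPLE_DEBUG = """\
Feb 03 13:22:49 10.10.10.1 297472: *Mar 2 00:09:31.894: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21674]
Feb 03 13:22:49 10.10.10.1 297473: *Mar 2 00:09:31.894: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21674]
Feb 03 13:22:52 10.10.10.1 297474: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21678]
Feb 03 13:22:52 10.10.10.1 297475: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21678]
Feb 03 13:22:52 10.10.10.1 297476: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21679]
Feb 03 13:22:52 10.10.10.1 297477: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21679]
Feb 03 13:23:58 10.10.10.1 297489: *Mar 2 00:10:41.306: NAT: expiring xx.xx.254.128 (10.10.10.3) tcp 8080 (8080)
"""

# Constructed sample (not from the post): the server's reply reaches the
# inside interface ("i:") and is translated back to the public address.
SAMPLE_HEALTHY = """\
Feb 03 13:30:00 10.10.10.1 297500: *Mar 2 00:16:42.000: NAT: o: tcp (xx.xx.254.40, 45000) -> (xx.xx.254.128, 8080) [30001]
Feb 03 13:30:00 10.10.10.1 297501: *Mar 2 00:16:42.000: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [30001]
Feb 03 13:30:00 10.10.10.1 297502: *Mar 2 00:16:42.004: NAT: i: tcp (10.10.10.3, 8080) -> (xx.xx.254.40, 45000) [30002]
Feb 03 13:30:00 10.10.10.1 297503: *Mar 2 00:16:42.004: NAT: s=10.10.10.3->xx.xx.254.128, d=xx.xx.254.40 [30002]
"""

# Matches the packet lines only; "s=" translation lines and "expiring" lines
# add nothing to the direction count and are skipped.
PKT_RE = re.compile(
    r"NAT: (?P<dir>[io]): (?P<proto>\w+) "
    r"\((?P<sip>[\w.]+), (?P<sport>\d+)\) -> \((?P<dip>[\w.]+), (?P<dport>\d+)\) "
    r"\[(?P<ipid>\d+)\]"
)


def parse_packets(text):
    """Yield a dict per 'NAT: i:' / 'NAT: o:' line (direction, proto, endpoints, IP id)."""
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "ipid"):
                d[k] = int(d[k])
            yield d


def flow_summary(text):
    """Group packets by the outside client endpoint and count packets per direction.

    'o' lines are keyed on their source (the client); 'i' lines, being replies,
    are keyed on their destination so both halves of a flow share one key.
    """
    flows = defaultdict(lambda: {"o": 0, "i": 0})
    for p in parse_packets(text):
        key = (p["sip"], p["sport"]) if p["dir"] == "o" else (p["dip"], p["dport"])
        flows[key][p["dir"]] += 1
    return dict(flows)


def unanswered_flows(text):
    """Client endpoints that were translated inbound but produced no inside reply."""
    return sorted(k for k, c in flow_summary(text).items() if c["o"] > 0 and c["i"] == 0)


def diagnose(text):
    """One-line verdict: does the router ever see the inside host answer?"""
    flows = flow_summary(text)
    if not flows:
        return "no NAT packet lines found"
    if unanswered_flows(text):
        return "translation created, no reply seen from inside host"
    return "bidirectional translation observed"


if __name__ == "__main__":
    for name, sample in (("posted debug", SAMPLE_DEBUG), ("constructed healthy", SAMPLE_HEALTHY)):
        print(name, "->", diagnose(sample), flow_summary(sample))
```

Running it on the posted lines reports that both client source ports (44122 and 44123) were translated inbound with no reply, so the static NAT entry is doing its job and the break lies on the server side or on the return path, which is the direction the thread then takes (host firewall, test client on the same subnet as the router's public address).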
