Same subnet NAT translation
hi
Is there any documentation on same subnet, private IP to private IP NAT translation on the Cisco website?
Hi
What device do you want to use?
As far as I know, ASAs can do this.
The other way is with two routers.
HTH
Similar Messages
-
Hi,
I've currently got an issue where I have a device configured with static NAT that is trying to communicate with the NAT'd IP address of a device in the same subnet.
I'm getting "No translation group found for tcp src sourceip/80 dst destip/80".
I'm not 100% sure which areas of the config to post.
Cheers,
Neil
Did you set the interface binding order correctly or to match the previous server?
DNS: Valid network interfaces should precede invalid interfaces in the binding order
http://technet.microsoft.com/en-us/library/dd391967(v=WS.10).aspx
Modify the protocol bindings and network provider order
http://technet.microsoft.com/en-us/library/cc732472(v=WS.10).aspx
An incorrect IP address is returned when you ping a server by using its NetBIOS name in Windows Server 2008 or in Windows Server 2008 R2
http://support2.microsoft.com/kb/981953
You can view your current binding order by using this script, but please note that I haven't tried this script yet:
Show NIC Binding Order
http://gallery.technet.microsoft.com/scriptcenter/Get-NIC-Binding-Order-a2dc8087
Also, prior to setting up the teams, make sure that the NIC is set to obtain IP automatically and not have a static entry on it. I've seen this cause problems in the past.
If you have any unused NICs, such as Local Area Connection 2, don't just unplug them. You must disable them, otherwise they will try to register the APIPA in DNS and that will cause problems.
Make sure that the correct DNS are on the interfaces that you need to use, too.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
Nat inside to outside, IP not in same subnet as outside IP
I already posted this but can't seem to find the post now, so re-posting.
We have 10 IPs being NAT'd, all working OK. I need a server's outbound source address to be translated to an IP that is not in the same subnet as the outside IP:
Outside IP = 193.xxx.xxx.99/23
Translated IP = 195.xxx.xxx.64/24
I have created the NAT rule to translate the traffic source address from 192.168.2.55 to 195.xxx.xxx.64. Packet trace shows it getting through, but this is not working in practice. The host that I have set the NAT rule up for can no longer access the WAN.
Is this possible on an ASA?
It should work. I'd run a capture on the outside and see if the packet is leaving the ASA and whether it's coming back or not. If it is, then it's the ASA config within the NAT, and you need to look at the proxy-arp parameter. If the packet doesn't come back, then it's maybe the router outside the ASA. You might need to take care of a manual ARP entry (ASA outside MAC and the new translated IP) and the routing to the new subnet back to the ASA outside IP.
-
Access another host on same subnet through Nat'd IP address
I appreciate any help in advance. I have a requirement to monitor a host's external IP address. The monitoring host (host A) initiating the request is located in the same DMZ subnet as the destination host (host B) I want to monitor, and both are NAT'd to external IP addresses. I was expecting to see a request going out from host A, getting NAT'd to its respective external IP address and then coming back in through the external interface to reach the NAT'd IP address of host B. Is this how NAT will be handled by the ASA, or am I missing something here? Thanks again.
Borman,
It's more complicated than that, consider the following scenario:
                          20.20.20.0/24
ASA------------------------------Internet
 |  (DMZ)
Switch
Host A                 Host B
10.1.1.10              10.1.1.100
                       20.20.20.20 (NAT outside address)
Basically you want to monitor your host B using its public IP address. Normally your NAT configuration (for version 8.2 and prior) would be something like this:
nat (DMZ,outside) 20.20.20.20 10.1.1.100
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
When going from Host A to host B, two translations should occur. First is the untranslate from 20.20.20.20 to 10.1.1.100 (by the internal process of the ASA); once it is untranslated, the route lookup comes into play. The firewall notices that it is on the same interface as the source of the packet, so we reach our first impasse. The ASA does not support same-security traffic by default. So we overcome this issue with the following command:
same-security-traffic permit intra-interface
Now that is done, so we move to the next packet process: the ASA tries to check if there is any NAT translation for a packet coming from the DMZ and going to the same DMZ. As you can see there is a "nat (DMZ) 1 0.0.0.0 0.0.0.0", which tells the firewall that everything coming from the DMZ should be translated; we hit that NAT, and since the outgoing interface is the same as the source interface (DMZ) there is no global command, hence you will see an error that states "No translation group found". Here is how we overcome that issue:
global (DMZ) 1 interface
This will translate requests from the DMZ interface going to that same interface to the DMZ IP address. On the server 10.1.1.100, the connection will be seen as if it came from the firewall, so the packets will be sent to the firewall again, hence avoiding asymmetric routing.
If running version 8.3 or higher, the concept is the same, but the commands change a bit.
8.3
same-security-traffic permit intra-interface
object network Server_Public
host 20.20.20.20
object network Server_Private
host 10.1.1.100
object network Any
subnet 0.0.0.0 0.0.0.0
nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
So, bottom line, the configuration needed on 8.2:
global (DMZ) 1 interface
same-security-traffic permit intra-interface
Configuration for 8.3
same-security-traffic permit intra-interface
object network Server_Public
host 20.20.20.20
object network Server_Private
host 10.1.1.100
object network Any
subnet 0.0.0.0 0.0.0.0
nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
Hope this helps a bit.
Mike -
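The packet walk Mike describes (static untranslate, route lookup, same-security check, then the nat/global pair for the ingress and egress interfaces) can be modelled in a few lines. The model below is an added illustration written for this page; it is not Cisco code and not part of Mike's post. It assumes a DMZ interface address of 10.1.1.1 and an outside address of 20.20.20.1 (neither is given in the thread), a single nat id, and nat-control disabled, and it reproduces the "No translation group found" outcome and the fix in turn.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Asa82:
    # interface name -> (interface IP, directly connected network)
    interfaces: dict
    # (mapped IP, real IP) pairs from "static (DMZ,outside) mapped real"
    statics: list = field(default_factory=list)
    # (interface, nat id, source network) from "nat (if) id net mask"
    nats: list = field(default_factory=list)
    # (egress interface, nat id) -> mapped address or "interface"
    globals_: dict = field(default_factory=dict)
    # same-security-traffic permit intra-interface
    intra_interface: bool = False

    def untranslate(self, dst):
        """Static NAT is consulted first: a mapped destination becomes the real one."""
        for mapped, real in self.statics:
            if dst == mapped:
                return real
        return dst

    def egress_for(self, dst):
        """Route lookup on the real destination; anything else follows the default route."""
        for name, (_ip, net) in self.interfaces.items():
            if ip_address(dst) in ip_network(net):
                return name
        return "outside"

    def forward(self, ingress, src, dst):
        real_dst = self.untranslate(dst)
        egress = self.egress_for(real_dst)
        if egress == ingress and not self.intra_interface:
            return ("drop", "same-security intra-interface traffic not permitted")
        # Which nat statement on the ingress interface covers the source?
        nat_id = next((nid for ifn, nid, net in self.nats
                       if ifn == ingress and ip_address(src) in ip_network(net)), None)
        if nat_id is None:
            # No nat statement and nat-control off: the packet passes untranslated.
            return ("forward", src, real_dst, egress)
        mapped = self.globals_.get((egress, nat_id))
        if mapped is None:
            # A nat id with no global on the egress interface is exactly the error in the thread.
            return ("drop", f"No translation group found for {src} dst {real_dst} ({ingress},{egress})")
        if mapped == "interface":
            mapped = self.interfaces[egress][0]
        return ("forward", mapped, real_dst, egress)


def build(intra=False, dmz_global=False):
    """Mike's topology. The interface IPs 10.1.1.1 and 20.20.20.1 are assumed values."""
    asa = Asa82(interfaces={"DMZ": ("10.1.1.1", "10.1.1.0/24"),
                            "outside": ("20.20.20.1", "20.20.20.0/24")},
                statics=[("20.20.20.20", "10.1.1.100")],      # nat (DMZ,outside) 20.20.20.20 10.1.1.100
                nats=[("DMZ", 1, "0.0.0.0/0")],               # nat (DMZ) 1 0.0.0.0 0.0.0.0
                globals_={("outside", 1): "interface"},       # global (outside) 1 interface
                intra_interface=intra)
    if dmz_global:
        asa.globals_[("DMZ", 1)] = "interface"               # global (DMZ) 1 interface
    return asa


def walk_stages():
    """Host A (10.1.1.10) to host B's public address 20.20.20.20 under three configs,
    plus an ordinary DMZ-to-Internet packet to show the outside global still applies."""
    pkt = ("DMZ", "10.1.1.10", "20.20.20.20")
    return {
        "baseline": build().forward(*pkt),
        "intra_only": build(intra=True).forward(*pkt),
        "intra_and_dmz_global": build(intra=True, dmz_global=True).forward(*pkt),
        "to_internet": build(intra=True).forward("DMZ", "10.1.1.10", "198.51.100.7"),
    }


if __name__ == "__main__":
    for stage, result in walk_stages().items():
        print(f"{stage:>22}: {result}")
```

The third stage shows why the hairpinned connection arrives at 10.1.1.100 from the firewall's own DMZ address: the source is rewritten to the egress interface IP, which is what keeps the return traffic on a path through the ASA.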
Can 2 vlans have the same subnet?
I hope the combined genius of the fellow community can answer me this. I am new to Cisco, and I understand VLANs as a physical boundary separating broadcast domains.
I was wondering if it is possible to divide 1 subnet (192.168.1.0) into two separate VLANs? I have all layer 3 switches in my environment. Making matters worse, there would be no pattern for the IP address assignments into VLAN-A vs. VLAN-B.
If this is possible, can you please explain the mechanisms for a successful implementation.
It mostly depends on if/how you want hosts on them to talk to one another (or other networks).
If the answer is "not at all" then you can have as many VLANs as you like using the same subnet.
If the answer is "completely" then you have to either (a) break your addressing (L3) down to have one set of hosts in subnet A (on VLAN A) and the others in subnet B (on VLAN B), or (b) have some fancy tricks in place with network address translation (NAT).
I'll leave the latter solution off as beyond the scope of your question.
For the former, you would just change your subnet mask - for example, if the classful subnet is a "standard" /24 (255.255.255.0) then split it in two - /25 or 255.255.255.128. Assign hosts to one or the other.
You have to have some pattern - all networking is based on patterns in some way or another. -
What's the best way to do many NAT translations for WWW farm?
Hello all, I hope this finds you in good spirits.
I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many NAT translations through it. I have a group of about 100 IPs that need HTTP/HTTPS and SQL*Net allowed through for our web farm.
I have a text file with the real and translated IP addresses, and in 8.2 I could simply modify it and dump the thing in to make the NAT rules and access-lists. Now with the new object-based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
Do I have to create a network object for each and every IP I want to NAT through?
Thank you for your consideration!
Were your NATs not present in the pre-upgrade code? If they were, they should have been automatically rebuilt along with the recommended objects.
If they weren't, you can relatively easily make a little script or spreadsheet with some transforms to go from your text listing to the necessary network objects and new-syntax NAT rules.
It's also relatively easy to build them in ASDM and just copy, insert and modify down the list. You can even use the "Add Object" part of the GUI to also add the NAT rules at the same time: -
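The "little script with some transforms" the reply suggests looks roughly like this. It is an added example for this page, not the poster's file or anything from Cisco: it takes a real/mapped listing (a constructed sample is embedded), validates and de-duplicates it, and emits one network object with object NAT per host plus the access-list entries, which on 8.3+ must reference the real address rather than the mapped one. The object naming convention, the interface and ACL names and the three port literals are assumptions.

```python
import csv
import io
from ipaddress import ip_address

# Constructed stand-in for the poster's text file: real (inside) IP, mapped (public) IP.
# The third row is a deliberate duplicate to show the de-duplication.
LISTING = """real,mapped
10.1.1.5,203.0.113.5
10.1.1.6,203.0.113.6
10.1.1.5,203.0.113.5
"""

# ASA port literals for TCP 80, 443 and 1521 (the web farm's http/https/sqlnet).
SERVICES = ("www", "https", "sqlnet")


def load_listing(text):
    """Parse the listing, validate every address, drop exact duplicates and
    refuse a real IP that is mapped to two different public IPs."""
    mapped_for, entries = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        real, mapped = str(ip_address(row["real"])), str(ip_address(row["mapped"]))
        if real in mapped_for:
            if mapped_for[real] != mapped:
                raise ValueError(f"{real} is listed with two mapped addresses")
            continue                      # exact duplicate: emit it once
        mapped_for[real] = mapped
        entries.append((real, mapped))
    return entries


def render(entries, inside="inside", outside="outside", acl="outside_access_in",
           services=SERVICES):
    """Emit one network object with an object (auto) NAT per real host, then the
    access-list entries. On 8.3+ the ACL names the real address, not the mapped one,
    so each ACE references the object."""
    lines = []
    for real, mapped in entries:
        name = f"obj-{real}"               # assumed naming convention
        lines += [f"object network {name}",
                  f" host {real}",
                  f" nat ({inside},{outside}) static {mapped}"]
    for real, _mapped in entries:
        for svc in services:
            lines.append(f"access-list {acl} extended permit tcp any object obj-{real} eq {svc}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(load_listing(LISTING))))
```

Rejecting a real address that appears with two different mapped addresses is deliberate: object NAT allows only one translation per object, and a silently ignored second line is the kind of mistake that is hard to spot across a hundred entries.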
How do I load balance TFTP between two servers and a client on the same subnet?
Hi,
I have trawled through several documents and tried umpteen different configs, all to no avail. I have a PXE boot client trying to access a boot file via TFTP from a couple of TFTP servers on the same VLAN/subnet. For HA purposes I want to load balance the two TFTP servers.
Config is currently;
=====
probe icmp ICMP_PROBE
description icmp probe for default gateway tracking
interval 5
passdetect interval 15
rserver host server1
description Server1
ip address 10.0.0.1
inservice
rserver host server2
description Server 2
ip address 10.0.0.2
inservice
serverfarm host serverfarm_01
description servers used
probe ICMP_PROBE
rserver server1
inservice
rserver server2
inservice
class-map match-all L4_VIP_TFTP
10 match virtual-address 10.0.0.10 udp eq 69
policy-map type loadbalance first-match L7_TFTP
class class-default
serverfarm serverfarm_01
policy-map multi-match L4_LB_VIP_POLICY
class L4_VIP_TFTP
loadbalance vip inservice
loadbalance policy L7_TFTP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
interface vlan 200
ip address 10.0.0.250 255.255.255.0
nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.255 pat
service-policy input L4_LB_VIP_POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.254
=====
I have read the doco by Ivan Kovacevic amongst many others, but as my clients and servers are on the same subnet, the config doesn't work.
Can anybody point me in the right direction please? The devices are ACE 4710 running A3(2.3).
Thanks
Try using the following configuration:
Note: Please make sure to also configure a UDP probe to probe UDP port 69, in case the application is down.
You need to configure a management policy on the interface when using a UDP probe.
That is because, when port 69 on the server is unreachable, the server will send an ICMP unreachable.
ACE will consider a UDP probe as "failed" only when it sees the ICMP unreachable.
Without a management policy-map, the ICMP unreachable message will be dropped.
Also, add an ICMP probe to the rserver because the UDP probe will not be enough when the physical interface is down.
That is because UDP is a connectionless protocol. To consider a UDP probe successful, ACE needs to see NO answer from the server in response to the probe.
The ACE will not see any answer from the server when the interface is down and thus will consider the probe as "successful".
With an ICMP probe attached to the rserver, you also test the reachability of the server and not only the UDP port.
Here is the configuration (of course, you can change the names of the objects to the names you are using if you want):
access-list ALL line 10 extended permit ip any any
probe udp TFTP
port 69
interval 5
passdetect interval 15
probe icmp ICMP_PROBE
interval 5
passdetect interval 15
rserver host TFTP_1
ip address 10.0.0.1
probe TFTP
probe ICMP_PROBE
inservice
rserver host TFTP_2
ip address 10.0.0.2
probe TFTP
probe ICMP_PROBE
inservice
serverfarm host TFTP-SFARM
rserver TFTP_1
inservice
rserver TFTP_2
inservice
sticky ip-netmask 255.255.255.255 address source TFTP-STICKY
timeout 10
replicate sticky
serverfarm TFTP-SFARM
class-map type management match-any MANAGE
2 match protocol icmp any
class-map match-all NAT
2 match virtual-address 0.0.0.0 0.0.0.0 udp any
class-map match-all TFTP
2 match virtual-address 10.0.0.10 udp eq 69
policy-map type management first-match MANAGE
class MANAGE
permit
policy-map type loadbalance first-match ROUTE
class class-default
forward
policy-map type loadbalance first-match TFTP-POL
class class-default
sticky-serverfarm TFTP-STICKY
policy-map multi-match TFTP-MULTI
class TFTP
loadbalance vip inservice
loadbalance policy TFTP-POL
nat dynamic 1 vlan 212
class NAT
loadbalance vip inservice
loadbalance policy ROUTE
nat dynamic 2 vlan 212
interface vlan 212
ip address 10.0.0.250 255.255.255.0
no normalization
access-group input ALL
nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.0 pat
nat-pool 2 10.0.0.10 10.0.0.10 netmask 255.255.255.0 pat
service-policy input TFTP-MULTI
service-policy input MANAGE
no shutdown
Let me know how it goes.
Good luck! -
Problem accessing another public ip in same subnet
Hi,
I have searched around for a previous post regarding this but can't find an issue similar to mine (or I'm just too stupid to understand that it is).
I have a Cisco 5505 at a small business that I help. The problem is that the ISP is providing public IPs to multiple customers in a /24 subnet. The ASA has a single public IP configured, 8.8.8.8 (not really, just for the example's sake), with a subnet mask of 255.255.255.0.
The webserver I have to access, which is not managed by me and is located in a different location (same town though), has 8.8.8.115; it is located in the same subnet as the ASA.
How would I make this work? I have tried to configure a static ARP entry for the web server but it just won't work. If I place a computer directly on the outside interface I have no problem accessing the web server.
I am running ASA version 8.2, but I could upgrade if it would help me solve the problem.
Any help with this issue is much appreciated.
The ISP only specifies one gateway in that range and that is 8.8.8.1, so any other would not let me access the Internet.
Once again thank you for your time.
: Saved
ASA Version 8.2(1)
hostname ciscoasa
domain-name XXXXXXX
enable password XXXXXXX encrypted
passwd XXXXXXX encrypted
names
name 8.8.8.8 Outside_IP
name 192.168.20.2 Server
name 192.168.20.11 rav-dc01
name 192.168.20.12 rav-ms01
name 192.168.20.13 rav-rds01
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address Outside_IP 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name XXXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_nat0_outbound extended permit ip any 192.168.25.0 255.255.255.0
access-list RemoteVPNSplittunnel standard permit 192.168.20.0 255.255.255.0
access-list outside_access_in extended permit tcp host 100.100.100.228 interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit udp any interface outside eq 4125
access-list outside_access_in extended permit tcp any interface outside eq 4125
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit tcp any interface outside eq 444
access-list outside_access_in extended permit gre any interface outside
access-list outside_access_in extended permit udp any interface outside eq 444
access-list outside_access_in extended permit tcp any interface outside eq www
access-list inside_access_in extended permit tcp host rav-ms01 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteVPNPool 192.168.25.100-192.168.25.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface 4125 Server 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 Server 4125 netmask 255.255.255.255
static (inside,outside) tcp interface https rav-ms01 https netmask 255.255.255.255 dns
static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 rav-rds01 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp interface smtp rav-ms01 smtp netmask 255.255.255.255
static (inside,outside) udp interface 444 Server 444 netmask 255.255.255.255
static (inside,outside) tcp interface 444 Server 444 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8.8.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server rav_Intern protocol radius
aaa-server rav_Intern (inside) host rav-dc01
key CiscoAsa5505RAV2012
radius-common-pw CiscoAsa5505RAV2012
http server enable 8080
http 192.168.20.0 255.255.255.0 inside
http 192.168.25.0 255.255.255.0 inside
http 100.100.101.128 255.255.255.192 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.20.190-192.168.20.200 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server rav-dc01 source inside
webvpn
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
wins-server value 192.168.20.11
dns-server value 192.168.20.11
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteVPNSplittunnel
default-domain value rav.nu
split-dns value rav.nu
username SupportVPN password XXXXXXX encrypted privilege 0
username SupportVPN attributes
vpn-group-policy RemoteVPN
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool RemoteVPNPool
authentication-server-group rav_Intern
accounting-server-group rav_Intern
default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
Cryptochecksum:8481ab3aa01b23bad17bacb2aca7197a
: end
asdm image disk0:/asdm-621.bin
no asdm history enable -
How to use MARS for NAT Translation Analysis...
Hi All,
I was wondering if we could use MARS to do NAT logging. To be more specific, currently we are using a PIX Firewall that does dynamic NAT/PAT. We log NAT translations to a syslog server and if further required we search the files to find what we want.
I was wondering if anyone had tried to send translation logs to MARS and then doing a custom report for NAT Translations (i.e. by source, destination, time etc).
Regards.
Hello Nicolas,
Use the following steps :
Step 1
Locate the File “global.properties”
Drive:\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom
The following values should be present:
vintela.enabled=true
idm.realm=Domain Name (you can get the name from C:\Windows\Krb5.ini)
idm.princ=SPN User
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
Step 2:
Locate the file “web.xml”
D:\SAP BusinessObjects\Tomcat6\webapps\dswsbobje\WEB-INF
Uncomment the Kerberos Proxy Filter and the Kerberos Filter sections to enable Kerberos SSO for Windows Active Directory (secWinAD) authentication. The following options must be specified (the rest are optional)
idm.realm = SPN user (the same as the default_realm specified in the Krb5.ini file)
idm.princ = SPN User (the same as specified for idm.princ in the global.properties)
idm.keytab = (the same as specified for idm.keytab in the global.properties )
Please note, if you are using the hardcoded password set in Tomcat's Java Options do not make any changes to the keytab lines in the web.xml
Step 3:
Backup and edit Drive:\Tomcat6\webapps\dswsbobje\WEB-INF\classes\dsws.properties by setting kerberos.sso to 'true' Restart Tomcat
KR,
MD -
CSS Load balancing on same subnet/vlan
Hi
I have connections coming in to a VIP which is load balanced with a CSS between web servers. However, I need the web servers to talk to a VIP on the same subnet and then load balance that to servers in the same subnet as my web servers. We are using the CSSs in bridging mode. Is this possible?
Yes, it is possible. You can define one VIP to load balance traffic on your web servers and another VIP (on the same subnet) to allow load balancing between web servers and back-end servers. If the web servers use a different TCP port to communicate with the back-end servers than for the web access, you can even use the same VIP address and two content rules.
Something is however very important to make this work: you have to NAT the source address for the back-end server connections to make sure the return traffic passes through the CSS and not directly to the web server (they are on the same subnet).
Yves Haemmerli (IBM) -
VPN ASA inside Interface and ip pool are one same Subnet
Hi Everyone,
I have configured RA VPN full tunnel.
Inside interface of ASA is
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
I need to know: is it good design to have both on the same subnet?
When I access the switch connected to the VPN ASA inside interface via https://10.0.0.2 (the switch has IP 10.0.0.2) while using the remote VPN connection to the ASA, it does not work and gives the error message below:
Jan 19 2014 19:42:46: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51077(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure.
Jan 19 2014 19:42:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51078(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure
Jan 19 2014 19:42:59: %ASA-6-302014: Teardown TCP connection 22418 for outside:10.0.0.51/51069(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:01:08 bytes 1035 TCP Reset-O (ipsec-user)
Jan 19 2014 19:42:59: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/51069 to 10.0.0.1/443 flags FIN ACK on interface outside
Current NAT config is
nat (inside,outside) source dynamic any interface
Regards
Mahesh
Message was edited by: mahesh parmar
Hi Mahesh,
It should work but I generally would not suggest having the same network on the LAN and also configured partially as a VPN Pool network.
Your problem at the moment is simply lacking the NAT0 configuration for the traffic between LAN and VPN Pool.
I would suggest changing the VPN Pool first and then configuring this
object network LAN
subnet 10.0.0.0 255.255.255.0
object network VPN-POOL
subnet
nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
We have to use the line number "1" in the above command so that it gets moved to the top since your current Dynamic PAT would otherwise override it.
In the future it would be best if you changed your current Dynamic PAT configuration to this
nat (inside,outside) after-auto source dynamic any interface
We simply add "after-auto" to this Dynamic PAT configuration so that it gets moved down in priority. The "after-auto" refers to the fact that this NAT will be inserted after Auto NAT (after Section 2). Your current rule is Manual NAT (Section 1). The new rule will be Manual NAT (Section 3).
- Jouni -
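Jouni's point about rule order and the %ASA-5-305013 message can be checked with a small model of the 8.3+ NAT table: Manual NAT (Section 1) is evaluated in line order, Auto NAT (Section 2) next, after-auto Manual NAT (Section 3) last, and a connection is only allowed when the rule the reverse flow would hit maps the responder back to the address the initiator sent to. This is an added example written for this page, not Cisco code or Jouni's configuration; it assumes an outside address of 203.0.113.1, treats the VPN-POOL object as 10.0.0.0/24 (the thread leaves its subnet blank), and ignores destination untranslation, which the dynamic PAT rule does not perform anyway.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int          # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT after-auto
    line: int             # position within the section
    ingress: str
    egress: str
    src_net: str
    src_mapped: str       # "identity" (static LAN LAN) or "interface" (dynamic PAT)
    dst_net: str = "0.0.0.0/0"


class Asa83Nat:
    """First-match lookup across the three NAT sections, then the reverse-path check."""

    def __init__(self, rules, interface_ips):
        self.rules = sorted(rules, key=lambda r: (r.section, r.line))
        self.interface_ips = interface_ips

    def match(self, ingress, egress, src, dst):
        for r in self.rules:
            if ((r.ingress, r.egress) == (ingress, egress)
                    and ip_address(src) in ip_network(r.src_net)
                    and ip_address(dst) in ip_network(r.dst_net)):
                return r
        return None

    def translated_src(self, ingress, egress, src, dst):
        r = self.match(ingress, egress, src, dst)
        if r is None or r.src_mapped == "identity":
            return src, (r.name if r else None)
        return self.interface_ips[egress], r.name

    def reverse_path_ok(self, ingress, egress, src, dst):
        """Mirror of %ASA-5-305013: the rule matched for the reverse flow must map
        the responder back to the address the initiator actually sent to."""
        fwd_src, fwd_rule = self.translated_src(ingress, egress, src, dst)
        rev_src, rev_rule = self.translated_src(egress, ingress, dst, fwd_src)
        return (rev_src == dst, fwd_rule, rev_rule)


def scenarios():
    ifaces = {"inside": "10.0.0.1", "outside": "203.0.113.1"}   # outside IP is a constructed value
    # nat (inside,outside) source dynamic any interface  (today the only rule, Section 1 line 1)
    pat_line1 = NatRule("dynamic PAT", 1, 1, "inside", "outside", "0.0.0.0/0", "interface")
    pat_line2 = NatRule("dynamic PAT", 1, 2, "inside", "outside", "0.0.0.0/0", "interface")
    # nat (inside,outside) after-auto source dynamic any interface  (Section 3)
    pat_after_auto = NatRule("dynamic PAT after-auto", 3, 1, "inside", "outside", "0.0.0.0/0", "interface")
    # nat (inside,outside) [1] source static LAN LAN destination static VPN-POOL VPN-POOL
    # VPN-POOL is assumed to be 10.0.0.0/24, covering the thread's 10.0.0.51-.100 pool.
    ident_line1 = NatRule("identity LAN<->VPN-POOL", 1, 1, "inside", "outside",
                          "10.0.0.0/24", "identity", "10.0.0.0/24")
    ident_line2 = NatRule("identity LAN<->VPN-POOL", 1, 2, "inside", "outside",
                          "10.0.0.0/24", "identity", "10.0.0.0/24")
    # The flow from the log: VPN client 10.0.0.51 on outside to the switch 10.0.0.2 on inside.
    flow = ("outside", "inside", "10.0.0.51", "10.0.0.2")
    return {
        "pat_only": Asa83Nat([pat_line1], ifaces).reverse_path_ok(*flow),
        "identity_behind_pat": Asa83Nat([pat_line1, ident_line2], ifaces).reverse_path_ok(*flow),
        "identity_at_line_1": Asa83Nat([pat_line2, ident_line1], ifaces).reverse_path_ok(*flow),
        "pat_after_auto": Asa83Nat([pat_after_auto, ident_line1], ifaces).reverse_path_ok(*flow),
    }


if __name__ == "__main__":
    for name, (ok, fwd, rev) in scenarios().items():
        print(f"{name:>20}: {'allowed' if ok else 'NAT reverse path failure':<25} reverse rule={rev}")
```

The second scenario is the one to remember: adding the identity rule without the line number "1" changes nothing, because the broader dynamic PAT still wins the first match for the reverse flow.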
Hi,
When I run show ip nat translations on our gateway router, it comes up with an Inside Local IP address that does NOT belong to our local network. See attached.
192.168.1.0/24 does not belong to any of our users; it is not in the routing table as a static route (we don't use a dynamic protocol), nor is it a configured interface on the router.
Is there a way I can trace which VLAN this IP is coming from? Before, this network 192.168.1.0/24 was flooding our NAT pool and I had to configure the following under the NAT pool ACL:
deny ip 192.168.1.0 0.0.0.255 any log
Show log:
Jun 18 2007 14:41:46.081 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 15 packets
and
Jun 18 2007 14:51:29.101 EST: %SEC-6-IPACCESSLOGDP: list NAT_ACL denied icmp 192.168.1.111 -> 71.8.70.164 (0/0), 3 packets
Could this be a DoS attack?
We are currently experiencing Internet outage to some users which cannot use HTTP, mail and terminal service.
Thanks
Are there any subnets inside that are connected to a different network over VPN
with the IP 192.168.1.x etc. and access the Internet? -
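The ACL log lines in this thread are the evidence to work from before deciding whether anything hostile is going on: tallying them by source and collapsing the sources to /24s gives a short list to chase through the VLANs and VPN tunnels the reply asks about. The parser below is an added example for this page, not from the thread; it handles the IPACCESSLOGP (TCP/UDP with ports), IPACCESSLOGDP (ICMP with type/code) and IPACCESSLOGNP (other protocols) forms, and the expected internal prefix 10.0.0.0/8 and the lines marked constructed are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# %SEC-6-IPACCESSLOGP / LOGDP / LOGNP share one shape: list ACL action proto src[(port)] -> dst[(port)] [(type/code)], N packets
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? -> (?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?")

SAMPLE_LOG = [
    # the two lines quoted in the thread
    "Jun 18 2007 14:41:46.081 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 15 packets",
    "Jun 18 2007 14:51:29.101 EST: %SEC-6-IPACCESSLOGDP: list NAT_ACL denied icmp 192.168.1.111 -> 71.8.70.164 (0/0), 3 packets",
    # constructed lines: one more offender, a legitimate permitted flow, and a GRE (proto 47) hit
    "Jun 18 2007 14:52:03.410 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied tcp 192.168.1.130(1034) -> 71.8.70.164(80), 42 packets",
    "Jun 18 2007 14:52:10.002 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL permitted tcp 10.0.2.25(3211) -> 71.8.70.164(443), 7 packets",
    "Jun 18 2007 14:53:00.000 EST: %SEC-6-IPACCESSLOGNP: list NAT_ACL denied 47 192.168.1.9 -> 10.0.1.1, 1 packet",
]


def parse(line):
    """Return the fields of one ACL log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["count"] = int(fields["count"])
    return fields


def summarize(lines, known_prefixes):
    """Per-source totals for every source that is NOT inside a known internal prefix."""
    known = [ip_network(p) for p in known_prefixes]
    report = defaultdict(lambda: {"packets": 0, "denied": 0, "destinations": set(), "protocols": set()})
    for line in lines:
        e = parse(line)
        if e is None or any(ip_address(e["src"]) in n for n in known):
            continue
        r = report[e["src"]]
        r["packets"] += e["count"]
        r["denied"] += e["count"] if e["action"] == "denied" else 0
        r["destinations"].add(e["dst"])
        r["protocols"].add(e["proto"])
    return dict(report)


def offending_prefixes(report, prefixlen=24):
    """Collapse the offending sources to /24s so the VLAN/VPN hunt has a short list."""
    nets = defaultdict(int)
    for src, r in report.items():
        nets[str(ip_network(f"{src}/{prefixlen}", strict=False))] += r["packets"]
    return dict(nets)


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG, ["10.0.0.0/8"])
    for src, r in sorted(rep.items()):
        print(f"{src:<16} {r['packets']:>5} pkts  denied={r['denied']:<5} {sorted(r['protocols'])} -> {sorted(r['destinations'])}")
    print(offending_prefixes(rep))
```

The IOS ACL logging counters are rate-limited summaries, so the packet totals are a lower bound; what matters for the investigation is the set of offending sources and where they show up in the switch MAC and ARP tables, which this listing narrows down.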
ACE module client and real servers on same subnet
I am working on an ACE load balancing implementation which has the following requirements. Can someone let me know if this can be implemented, and how?
Configuration
test context
real server vlan 233
real server subnet - 167.6.233.x
VIP vlan - 539
VIP subnet - 167.6.238.128/25
production context
real server vlan 232
real server subnet - 167.6.232.x
VIP vlan - 538
VIP subnet - 167.6.238.0/25
Load balancing is configured in routed mode with the ACE as gateway for the test and prod real server subnets (233 and 232 subnets).
Test and production servers are mixed in these subnets. So we need to configure source NAT to access the test servers in the production subnet (232) and vice versa.
Here are the scenarios and questions
1. Clients need to access the real servers in the prod subnet (232) through the VIP configured in the test context (vlan 539) - this is done by SNAT at vlan 539 and is working.
2. Real servers in the test subnet (233) need to access real servers in the same subnet (233) through the VIP configured in the test context (vlan 539) - this is done by SNAT at vlan 233 and is working.
3. Real servers in the prod subnet (232) need to access the real servers in the test subnet (233) through the VIP configured in the test context (vlan 539) - this appears to be working fine without any additional configuration.
4. Real servers in the test subnet (233) need to access other real servers in the prod subnet (232) through the VIP configured in the test context (539) - this is not working.
5. Real servers in the test subnet (233) need to access another real server which is not on one of the subnets (167.6.56.x) behind the ACE - this is not working.
Can we implement scenarios 4 and 5?
Hi Suresh,
I see it's a bit complex and we do not have the config at hand.
However, for scenario 4, if you apply the policy already applied on vlan 539 on the interface vlan 233, then the ACE should catch the packets and apply the policy (i.e. forward the packets to the serverfarm you want).
Alessandro
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Virtual IP and server IPs on the same subnet?
Hi,
Is it possible to have the VIP and the IPs of the individual servers on the same subnet when the CSS is used in-line?
thanks a lot,
alec
Hi Alec,
this is only possible if you configure the CSS in "one-armed configuration mode". In other words, the servers have to think that the request is coming from the CSS, so that the return flow is directed to the CSS and NOT to the client directly. In other words, you have to use source NAT done by source groups or ACLs.
Kind regards,
Joerg -
Problem with Cisco 831 router NAT translation or routing
Hello,
I've reviewed several posts on this forum, very useful, and I think this 831 router config should allow for NATing port 8080 to the 'inside' IP address, per the statement below, but my efforts have not been successful: no responses get back to the outside client (xx.24.40). Clients on the inside can communicate outbound fine. The IIS server at .10.3 is definitely up and running on port 8080. I know this is probably a duplicate of other posts but if anyone can pinpoint my error I would really appreciate it!
ip nat inside source static tcp 10.10.10.3 8080 interface Ethernet1 8080
Here is some debug ip nat output when attempting to connect on port 8080; I do not get a response back from the server to the external client (xx.24.40)...
Feb 03 13:22:49 10.10.10.1 297472: *Mar 2 00:09:31.894: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21674]
Feb 03 13:22:49 10.10.10.1 297473: *Mar 2 00:09:31.894: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21674]
Feb 03 13:22:52 10.10.10.1 297474: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21678]
Feb 03 13:22:52 10.10.10.1 297475: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21678]
Feb 03 13:22:52 10.10.10.1 297476: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21679]
Feb 03 13:22:52 10.10.10.1 297477: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21679]
Feb 03 13:22:58 10.10.10.1 297478: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21684]
Feb 03 13:22:58 10.10.10.1 297479: *Mar 2 00:09:40.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21684]
Feb 03 13:22:58 10.10.10.1 297480: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21685]
Feb 03 13:22:58 10.10.10.1 297481: *Mar 2 00:09:40.910: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21685]
Feb 03 13:23:10 10.10.10.1 297482: *Mar 2 00:09:52.922: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21698]
Feb 03 13:23:10 10.10.10.1 297483: *Mar 2 00:09:52.922: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21698]
Feb 03 13:23:13 10.10.10.1 297484: *Mar 2 00:09:55.930: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21702]
Feb 03 13:23:13 10.10.10.1 297485: *Mar 2 00:09:55.930: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21702]
Feb 03 13:23:19 10.10.10.1 297486: *Mar 2 00:10:01.934: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21709]
Feb 03 13:23:19 10.10.10.1 297487: *Mar 2 00:10:01.934: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21709]
Feb 03 13:23:58 10.10.10.1 297489: *Mar 2 00:10:41.306: NAT: expiring xx.xx.254.128 (10.10.10.3) tcp 8080 (8080)
538-R1023-C830#sh running-config full
Building configuration...
Current configuration : 4329 bytes
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 538-R1023-C830
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
no logging console
no aaa new-model
resource policy
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.1.18.152
lease 0 2
ip cef
ip domain list sd.cox.net
ip domain name sd.cox.net
no ip ips deny-action ips-interface
no ftp-server write-enable
crypto pki trustpoint TP-self-signed-75609932
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-75609932
revocation-check none
rsakeypair TP-self-signed-75609932
crypto pki certificate chain TP-self-signed-75609932
certificate self-signed 01
<snip>
interface Ethernet0
description inside
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Ethernet1
description outside
ip address dhcp
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
interface Ethernet2
no ip address
shutdown
interface FastEthernet1
no ip address
duplex auto
speed auto
interface FastEthernet2
no ip address
duplex auto
speed auto
interface FastEthernet3
no ip address
duplex auto
speed auto
interface FastEthernet4
no ip address
duplex auto
speed auto
no ip classless
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 10.10.10.3 8080 interface Ethernet1 8080
logging trap debugging
logging 10.10.10.3
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip any any
control-plane
banner login ^C
^C
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
end
Hi Alain,
yes, the client I was testing with is on the same subnet as the public router IP. Good thought on the firewall, I will disable any firewall on the IIS machine (my laptop) and re-test. Will reply with those results on Monday. Ultimately I'm needing to test NAT for port 9100 to a printer; I'll add that and test as well, firewall shouldn't be a factor with the printer.
thank you.
Grant
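The debug ip nat output above already contains the diagnosis: every line is an "o:" (outside-to-inside) translation for the client's SYN, each client port reappears at roughly 3 and 6 second spacing as the client retransmits, and there is never an "i:" (inside-to-outside) translation of a reply from 10.10.10.3. The script below is an added example for this page, not from the thread or from Cisco; it pairs the two directions per client socket and lists the flows that were translated inward but never answered. The "i:" lines for port 44130 are constructed to show what a working flow looks like, and the masked "xx.xx" octets are accepted as-is.

```python
import re
from collections import defaultdict

# "NAT: o: tcp (client, port) -> (mapped, port) [id]" is a packet arriving on the outside
# interface; "NAT: i: tcp (server, port) -> (client, port) [id]" is one leaving from inside.
EVENT_RE = re.compile(
    r"NAT: (?P<dir>[io]): (?P<proto>\w+) \((?P<src>[\w.]+), (?P<sport>\d+)\) -> "
    r"\((?P<dst>[\w.]+), (?P<dport>\d+)\) \[(?P<id>\d+)\]")
TS_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})")

SAMPLE_DEBUG = [
    # lines quoted from the thread (masked octets kept as posted)
    "Feb 03 13:22:49 10.10.10.1 297472: *Mar 2 00:09:31.894: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21674]",
    "Feb 03 13:22:49 10.10.10.1 297473: *Mar 2 00:09:31.894: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21674]",
    "Feb 03 13:22:52 10.10.10.1 297474: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21678]",
    "Feb 03 13:22:52 10.10.10.1 297476: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21679]",
    "Feb 03 13:22:58 10.10.10.1 297478: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21684]",
    "Feb 03 13:22:58 10.10.10.1 297480: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21685]",
    "Feb 03 13:23:10 10.10.10.1 297482: *Mar 2 00:09:52.922: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21698]",
    "Feb 03 13:23:13 10.10.10.1 297484: *Mar 2 00:09:55.930: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21702]",
    "Feb 03 13:23:19 10.10.10.1 297486: *Mar 2 00:10:01.934: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21709]",
    "Feb 03 13:23:58 10.10.10.1 297489: *Mar 2 00:10:41.306: NAT: expiring xx.xx.254.128 (10.10.10.3) tcp 8080 (8080)",
    # constructed: what a flow that the server actually answers would look like
    "Feb 03 13:24:30 10.10.10.1 297490: *Mar 2 00:11:12.001: NAT: o: tcp (xx.xx.254.40, 44130) -> (xx.xx.254.128, 8080) [21720]",
    "Feb 03 13:24:30 10.10.10.1 297491: *Mar 2 00:11:12.001: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21720]",
    "Feb 03 13:24:30 10.10.10.1 297492: *Mar 2 00:11:12.005: NAT: i: tcp (10.10.10.3, 8080) -> (xx.xx.254.40, 44130) [7]",
    "Feb 03 13:24:30 10.10.10.1 297493: *Mar 2 00:11:12.005: NAT: s=10.10.10.3->xx.xx.254.128, d=xx.xx.254.40 [7]",
]


def parse_events(lines):
    """Keep only the o:/i: translation events; the s=/d= and expiring lines add nothing here."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        ts = TS_RE.match(line)
        e["ts"] = ts.group("ts") if ts else None
        events.append(e)
    return events


def flow_report(lines):
    """Key each flow by the outside client socket. Several inbound events on one
    client port with no reply are the client's retransmitted SYNs."""
    flows = defaultdict(lambda: {"inbound": 0, "replies": 0, "first": None, "last": None})
    for e in parse_events(lines):
        key = (e["src"], e["sport"]) if e["dir"] == "o" else (e["dst"], e["dport"])
        f = flows[key]
        f["inbound" if e["dir"] == "o" else "replies"] += 1
        f["first"] = f["first"] or e["ts"]
        f["last"] = e["ts"]
    return dict(flows)


def one_way_flows(lines):
    """Client sockets that were translated inward but never saw a translated reply."""
    return sorted(k for k, f in flow_report(lines).items() if f["inbound"] and not f["replies"])


if __name__ == "__main__":
    for (client, port), f in sorted(flow_report(SAMPLE_DEBUG).items()):
        print(f"{client}:{port}  inbound={f['inbound']}  replies={f['replies']}  {f['first']} .. {f['last']}")
    print("unanswered:", one_way_flows(SAMPLE_DEBUG))
```

When the inward translation is present and the reply translation is absent, the router has done its part; the remaining suspects are on the server side (a host firewall, the service not listening on that interface, or a default gateway that is not the router), which is where the follow-up in the thread went.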