Setting NAT Translations in RRAS

We are looking to have our Windows Server 2012 as our main router and firewall. We want to replace our SonicWall with the Server 2012. I need to figure out how to do NAT translations to make an external IP translate into a specific IP address. For example, we want 64.19.190.107 to translate to 192.168.50.55. Please help me.

Hi,
Hope the following articles could help you:
Enable and Configure NAT
Enable RRAS as a VPN Server and a NAT Router
NAT Example
How NAT Works
IPv4 - NAT - Interface Properties - Address Pool Tab
Happy Holidays.
Jeremy Wu
TechNet Community Support

Similar Messages

  • How to use MARS for NAT Translation Analysis...

    Hi All,
    I was wondering if we could use MARS to do NAT logging. To be more specific, currently we are using a PIX Firewall that does dynamic NAT/PAT. We log NAT translations to a syslog server and, if further required, we search the files to find what we want.
    I was wondering if anyone had tried to send translation logs to MARS and then doing a custom report for NAT Translations (i.e. by source, destination, time etc).
    Regards.

    Hello Nicolas,
    Use the following steps :
    Step 1
    Locate the File “global.properties”
    Drive:\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom
    The following values should be present:
    vintela.enabled=true
    idm.realm=Domain Name (you can get the name from C:\Windows\Krb5.ini)
    idm.princ=SPN User
    idm.allowUnsecured=true
    idm.allowNTLM=false
    idm.logger.name=simple
    idm.logger.props=error-log.properties
    Step 2:
    Locate the file “web.xml”
    D:\SAP BusinessObjects\Tomcat6\webapps\dswsbobje\WEB-INF
    Uncomment the Kerberos Proxy Filter and the Kerberos Filter sections to enable Kerberos SSO for Windows Active Directory (secWinAD) authentication. The following options must be specified (the rest are optional)
    idm.realm = SPN user (the same as the default_realm specified in the Krb5.ini file)
    idm.princ = SPN User (the same as specified for idm.princ in the global.properties)
    idm.keytab = (the same as specified for idm.keytab in the global.properties )
    Please note, if you are using the hardcoded password set in Tomcat's Java Options do not make any changes to the keytab lines in the web.xml
    Step 3:
    Back up and edit Drive:\Tomcat6\webapps\dswsbobje\WEB-INF\classes\dsws.properties by setting kerberos.sso to 'true'. Restart Tomcat.
    KR,
    MD

  • NAT Translating Destination IP and Port

    Hi, I have posted this in the Routing and Switching forum but thought I'd post it in here too as it is related to web security.
    I am struggling with NAT translation on a Cisco router. I want to translate all HTTP traffic that exits my network to change the destination IP to 117.166.1.1 and translate the destination port from tcp 80 to tcp 3128.
    I.e., if a PC with an IP 192.168.1.10 enters 200.1.1.1 into the web browser, instead of the traffic going to 200.1.1.1 on port 80, it will be directed to 117.166.1.1 on port 3128.
    This is because I am using a cloud URL filter and want all HTTP traffic to go to that proxy.
    I believe this can be done with an outside NAT but I am unable to get this to work. Anyone know how to do this?
    Thanks
    K

    Hi,
    If you want to block all the connections to your computer on port 25, you need to add My IP Address as the Destination address and set Any IP Address as the Source address on your computer.
    In addition, if you choose Mirrored, it will mirror the filters, automatically configuring both inbound and outbound filters. In your scenario, you would uncheck it.
    For more detailed information, please refer to the link below:
    Step-by-Step Guide to Internet Protocol Security (IPSec)
    Best regards,
    Susie

  • Maximum number of simultaneous NAT translations

    Hi all...
    Does anyone know how many simultaneous NAT translations a low end device such as a Cisco RV016 supports?
    I know this is a low end device but I see no reason that, with a typical allocation of 220 bytes per entry and modern CPUs to walk the tree, this RV016 could not support 500 to 1000 easily?
    http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/792_pp.htm#wp39411
    Any reasonable device should support 500 to 1000? I believe a Linux box would do it effortlessly for 500 tcp/udp connections, mapped via NAT at 100Mbits/second, but I would prefer a Cisco router any day.
    I am looking for at least 500+ users in on the WAN side to 1 or 2 servers on the LAN side behind the NAT wall.
    Of course worst case would assume 1 to 1 NAT simultaneous translations for numbers.
    What would be the minimum low end Cisco gateway router I could use to do this 500 to 1? 1000 to 1?
    Am I way off on this?
    Thanx.
    -Glenn

    The prevailing wisdom from Adobe for simultaneous requests is
    very wrong and inaccurate. First off, editing the simultaneous
    requests in the CFAdmin is safe to do. Editing your JVM settings
    with the CFAdmin is very dangerous on Linux because the CF Admin
    code can mangle the xml file. I'm not sure if this is true on
    Windows.
    Now back to the simultaneous requests issue. If you have high
    traffic and enough server processing power you can greatly increase
    the request number. We currently run our CFMX 7.02 servers set to
    100 simultaneous requests. And yes we've been maxed out at that
    level. We see over 1.5 million page views per day on a single cf
    server with only one instance of CF. As of today we switched to a
    load balanced setup and split the load across two servers. The
    reason we went load balanced is that we're expecting to more than
    double our traffic. Anyways, the number of simultaneous requests
    can be much higher than the 'General Wisdom' at Adobe.
    Oh yeah, I almost forgot. I've seen the new setting for
    simultaneous requests take effect without having to restart CFMX.
    Cheers,

  • Remote Access VPN, no split tunneling, internet access. NAT translation problem

    Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
    Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
    I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
    I reviewed the new NAT rules for the VPN and found the culprit. 
    I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
    Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
    nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source dynamic VPN_Subnet interface inactive
    object network obj_any
    nat (inside,outside) dynamic interface
    object network XXX_HTTP
    nat (inside,outside) static interface service tcp www www
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    Any help would be appreciated.

    Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
    With Regards,
    Safwan

  • What's the best way to do many NAT translations for WWW farm?

    Hello all, I hope this finds you in good spirits.
    I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many nat translations through it.  I have a group of about 100 IP's that need http/https/and sqlnet allowed through for our web farm.
    I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists.  Now with the new object based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
    Do I have to create a network object for each and every IP I want to NAT through?
    Thank you for your consideration!

    Were your NATs not present in the pre-upgrade code? If they were, they should have been automatically rebuilt along with the recommended objects.
    If they weren't, you can relatively easily make a little script or spreadsheet with some transforms to go from your text listing to the necessary network objects and new syntax NAT rules.
    It's also relatively easy to build them in ASDM and just copy, insert and modify down the list. You can even use the "Add Object" part of the GUI to also add the NAT rules at the same time.
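
The script approach suggested in the reply above, as an added example that is not part of the original thread: it validates a real/translated address listing and emits 8.3+ style network-object NAT plus access-list lines that reference the real address. The listing format, object names, the `inside`/`outside` interface pair, the `WWW_FARM` group and the ACL name are assumptions; the sample addresses are constructed.

```python
import ipaddress

# Constructed sample listing: "<name> <real IP> <translated IP>" per line.
SAMPLE_LISTING = """\
# name   real          translated
web01    10.10.20.11   203.0.113.11
web02    10.10.20.12   203.0.113.12
db01     10.10.20.50   203.0.113.50
"""

# Assumed names: interface pair and ACL name are placeholders for this sketch.
REAL_IF, MAPPED_IF = "inside", "outside"
ACL_NAME = "outside_access_in"
# http, https and sqlnet (TCP 1521), the services named in the question.
SERVICES = ("www", "https", "1521")


def parse_listing(text):
    """Return validated (name, real, mapped) tuples; reject bad or duplicate rows."""
    rows, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        name = parts[0]
        # IPv4Address raises a ValueError subclass on malformed addresses.
        real = ipaddress.IPv4Address(parts[1])
        mapped = ipaddress.IPv4Address(parts[2])
        for key in (name, real, mapped):
            if key in seen:
                raise ValueError(f"line {lineno}: duplicate {key}")
            seen.add(key)
        rows.append((name, real, mapped))
    return rows


def render_asa(rows):
    """Emit network-object NAT plus ACL entries written against the real IPs."""
    out = []
    for name, real, mapped in rows:
        out += [f"object network {name}",
                f" host {real}",
                f" nat ({REAL_IF},{MAPPED_IF}) static {mapped}"]
    # One object-group means one ACL line per service instead of one per host.
    out.append("object-group network WWW_FARM")
    out += [f" network-object object {name}" for name, _, _ in rows]
    out += [f"access-list {ACL_NAME} extended permit tcp any "
            f"object-group WWW_FARM eq {svc}" for svc in SERVICES]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_asa(parse_listing(SAMPLE_LISTING)))
```

Rejecting duplicate names and addresses before rendering keeps a typo in the listing from silently publishing the wrong host.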

  • Setting NAT to disabled breaks internet connection

    Hello, when I set NAT to disabled my internet connection does not work. Why is that? When NAT is disabled what attacks do I leave myself open to? My ultimate goal is to run three Xboxes with open NAT setting, how do I do this? The details of my network are below.
    Modem --> WRT610n
    (everything is using static IP)
    My desktop is plugged into the router via ethernet cable
    Wireless devices:
    3 Xboxes
    2 Desktops
    1 laptop
    We are trying to get all three Xboxes running with open NAT, how do I do this?

    Why would you disable NAT? NAT is required to allow systems with Private IP Addresses to access the internet. For instance, if your PC has an IP Address of 192.168.1.50 it needs NAT to convert this non routable private IP address into something that is routable on the internet. NAT is designed to allow multiple systems within the private IP space to access the internet. Also, for systems that are not acting as 24/7 "Servers" why use static IP addresses? DHCP, when set up properly, eliminates user error by automatically entering the necessary information to allow workstations and game consoles to access the internet. No offense, but if you don't understand NAT and private vs. public IP addressing, you probably shouldn't be entering information into a static IP address config screen... The XBOX saying you have "Moderate" or "Strict" NAT has nothing to do with DHCP vs. Static IP.
    Open NAT should work correctly if UPnP is enabled on the router. If it doesn't, you can try opening the ports like the previous responder suggested but it shouldn't be necessary.
    The router does allow for ONE IP address on your internet network to act as a "DMZ Host" which will bypass NAT and give that device unfiltered internet access but you will not be able to have 3 DMZ host devices. 

  • Sh ip nat translations

    Hi,
    When I action show ip nat translations on our gateway router, it comes up with an Inside Local IP Address that does NOT belong to our local network. See attached.
    192.168.1.0/24 does not belong to any of our users, is not in the routing table as a static route (we don't use a dynamic protocol), nor is this a configured interface on the router.
    Is there a way I can trace which VLAN this IP is coming from? Before, this network 192.168.1.0/24 was flooding our NAT pool and I had to configure the following under the NAT Pool ACL:
    deny ip 192.168.1.0 0.0.0.255 any log
    Show log:
    Jun 18 2007 14:41:46.081 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 15 packets
    and
    Jun 18 2007 14:51:29.101 EST: %SEC-6-IPACCESSLOGDP: list NAT_ACL denied icmp 192.168.1.111 -> 71.8.70.164 (0/0), 3 packets
    Could this be a DOS attack?
    We are currently experiencing Internet outage to some users which cannot use HTTP, mail and terminal service.
    Thanks

    Are there any subnets inside that are connected to a different network over VPN with the IP 192.168.1.X etc. and access the internet?
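
A triage pass over the ACL deny messages quoted in the question, as an added example that is not part of the original thread: it parses both the port form and the ICMP form of the `%SEC-6-IPACCESSLOG` line, totals packets per source, and marks sources that fall outside the prefixes the site knows about. The `KNOWN_INSIDE` list is an assumption, and the third log line is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# First two lines are the ones quoted in the post; the third is constructed
# here to show aggregation across repeated hits from one source.
LOG_LINES = [
    "Jun 18 2007 14:41:46.081 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 15 packets",
    "Jun 18 2007 14:51:29.101 EST: %SEC-6-IPACCESSLOGDP: list NAT_ACL denied icmp 192.168.1.111 -> 71.8.70.164 (0/0), 3 packets",
    "Jun 18 2007 14:56:02.440 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 7 packets",
]

# Assumption: prefixes the site actually routes; replace with the real list.
KNOWN_INSIDE = [ipaddress.ip_network("10.0.0.0/8")]

# Covers the port form (IPACCESSLOGP) and the ICMP type/code form (IPACCESSLOGDP).
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\)| \(\d+/\d+\))?, "
    r"(?P<pkts>\d+) packets?"
)


def summarize_denies(lines, known=KNOWN_INSIDE):
    """Aggregate denied hits per source and mark sources outside known prefixes."""
    stats = defaultdict(lambda: {"packets": 0, "protos": set(), "dsts": set()})
    for line in lines:
        m = ACL_RE.search(line)
        if not m or m["action"] != "denied":
            continue  # not an ACL deny record
        s = stats[m["src"]]
        s["packets"] += int(m["pkts"])
        s["protos"].add(m["proto"])
        s["dsts"].add(m["dst"])
    report = []
    for src, s in stats.items():
        addr = ipaddress.ip_address(src)
        report.append({
            "src": src,
            "packets": s["packets"],
            "protos": sorted(s["protos"]),
            "dsts": sorted(s["dsts"]),
            "unknown_source": not any(addr in net for net in known),
        })
    # Noisiest sources first: these are the hosts to trace on the switches.
    return sorted(report, key=lambda r: r["packets"], reverse=True)


if __name__ == "__main__":
    for row in summarize_denies(LOG_LINES):
        print(row)
```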

  • SNMP number of NAT translation

    Hi,
    I am looking for the SNMP OID to monitor the sh ip nat translations on a cisco 881.
    Does anyone know if this is available?
    Thanks,
    Ilya
    #sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Thu 26-Feb-09 06:01 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    center-gw1 uptime is 1 day, 16 hours, 23 minutes
    System returned to ROM by power-on
    System restarted at 13:06:10 MSK Thu Jan 5 2012
    System image file is "flash:c880data-universalk9-mz.124-24.T.bin"
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
    Processor board ID FCZ1434C3U4
    5 FastEthernet interfaces
    256K bytes of non-volatile configuration memory.
    125440K bytes of ATA CompactFlash (Read/Write)

    Hi Ilya,
    Have you used SNMPwalk to that device?
    Try the following MIB file
    CISCO-IETF-NAT-MIB

  • Not Seeing NAT Translations Across GRE IPSec Tunnel

    Hello,
    I have a P2P GRE over IPSec tunnel between two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happening because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
    Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
    Thanks for any help you guys may be able to provide!
    Anthony, CCNA (Network/Voice)

    Can you send over the configurations?
    You seem to have a phase 1 issue, it's not negotiating correctly.
    Thanks

  • Ip add inside Nat translated twice

    Hi,
    I have heard of the possibility of having an inside IP address translated twice. I am not referring to double NAT but the scenario below:
    private IP address translated into a /29 then...However WAN IP address is /30
    Have you ever heard of it?
    Thank you

    Hello Nwag,
    When you perform a NAT translation, the prefix that you define is not added to the translation, it simply narrows down to source and destination IP addresses, the prefix or mask is used more details to static network translations and to define the ranges for the traffic that you want to translate.
    Anyway your ISP controls the IP address that are routed to your router, so even if you translate the traffic to an IP address it does not guarantee that you will get that traffic back. If you need more addresses you will need to purchase them.
    Hope this answers your inquiries.
    Regards,
    Alex Sanchez
    CCIE R&S #37454

  • ASR1006 log NAT translations

    Good day. We've got the following problem, but I can't solve it.
    We have:
    ASR1000-RP2
    ASR1000-ESP40
    ASR1000-SIP40
    SPA-10X1GE-V2
    SPA-10X1GE-V2
    Kiwi Syslog Server
    The ASR performs the function of ISG. The number of subscribers is up to 10000. This number is constantly growing.
    To economize address space, subscribers surf the Internet through NAT.
    Now the task is to keep logs of all translations or binds. We need to store the information about at what time a certain internal IP address was using the external IP.
    I've tried:
    ip nat log translations syslog
    logging trap debugging
    logging host xx.xx.xx.xx transport UDP port xxx
    no logging console (so as not to load the CPU)
    Next, the following message arrived on the syslog server:
    %IOSXE-4-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:064 TS:00004084523374422713 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 1048576 exceeded; frame dropped
    I did:
    ip nat translation max-entries 10000000
    The error stopped appearing, but the logs do not arrive.
    I think that because of the huge number of translations per second, it cannot send them fast enough.
    How can this problem be solved, or how else can information about translations be obtained and stored?
    Please tell me which syslog server is suitable for large volumes of data.
    Thank You and sorry for my English

    So I was able to redirect all NAT translation logs to the server using the command:
    ip nat log translations flow-export v9 udp destination server_ip udp_port
    Through Wireshark I get all the relevant information about IP address and time.
    Is there any software that could take this information and process it?
    I have used PRTG and ZOHO, but they can't analyze this flow type.
    Can anyone help me?
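
What a collector has to do with the flow-export v9 datagrams described above, as an added example that is not part of the original thread: a minimal NetFlow v9 decoder that learns the template, then turns data records into NAT events with the pre-NAT and post-NAT source. The template layout and the sample datagram are constructed; which fields a given ASR release actually exports is an assumption and should be read from the template seen in the capture.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# Field type numbers from the IANA IPFIX registry, which NetFlow v9 shares.
FIELDS = {8: "src", 225: "post_nat_src", 7: "sport",
          227: "post_nat_sport", 4: "proto", 230: "nat_event"}
NAT_EVENTS = {1: "create", 2: "delete"}


def parse_v9(packet, templates):
    """Decode one NetFlow v9 datagram; `templates` must persist across datagrams."""
    version, _n, _up, secs, _seq, sid = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9")
    when = datetime.fromtimestamp(secs, tz=timezone.utc)
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")  # truncated or malformed
        body = packet[off + 4: off + fs_len]
        if fs_id == 0:  # template flowset: learn the record layout
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256 or nfields == 0:
                    break  # padding, not a template
                spec = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                        for i in range(nfields)]
                templates[(sid, tid)] = spec
                pos += 4 + 4 * nfields
        elif (sid, fs_id) in templates:  # data flowset with a known template
            spec = templates[(sid, fs_id)]
            size = sum(length for _, length in spec)
            # Bytes left over after the last whole record are padding.
            for pos in range(0, len(body) - size + 1, size):
                rec, p = {"export_time": when}, pos
                for ftype, length in spec:
                    raw, p = body[p: p + length], p + length
                    name = FIELDS.get(ftype)
                    if name in ("src", "post_nat_src"):
                        rec[name] = str(ipaddress.IPv4Address(raw))
                    elif name:
                        rec[name] = int.from_bytes(raw, "big")
                rec["event"] = NAT_EVENTS.get(rec.get("nat_event"), "other")
                records.append(rec)
        off += fs_len
    return records


def build_sample():
    """Constructed datagram: one template (id 256) plus one data record."""
    spec = [(8, 4), (225, 4), (7, 2), (227, 2), (4, 1), (230, 1)]
    tmpl = struct.pack("!HH", 256, len(spec))
    tmpl += b"".join(struct.pack("!HH", *f) for f in spec)
    data = (ipaddress.IPv4Address("10.20.30.40").packed
            + ipaddress.IPv4Address("198.51.100.7").packed
            + struct.pack("!HHBB", 51515, 1024, 6, 1))
    data += b"\x00" * (-len(data) % 4)  # pad to a 32-bit boundary
    header = struct.pack("!HHIIII", 9, 2, 0, 1325754370, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

Data flowsets that arrive before their template are skipped, so a collector should keep the `templates` dictionary for the life of the listener.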

  • Dhcp client lease, nat translation statistics

    I am using my 3620 instead of a netgear cable router connected to cablevision.
    1) How can I see when the router dhcp lease ends so I can see if it gets another address? I have seen on past posts that there were problems with this issue. I am using 12.3(13) ios.
    2) How can I see how much memory has been used by nat translations? I have 64Meg of memory.
    Thanks

    Hi csross,
    If I understand you correctly, this will resolve your issue.
    1) show ip dhcp binding [ip-address]
    It will show you the lease expiration like the output below
    Router# show ip dhcp binding 172.16.1.11
    IP add Hard add Lease expiration Type
    172.16.1.11 00a0.9802.32de Feb 01 1998 12:00 AM Automatic
    Here you go with the link
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hiad_r/adr_s1h.htm#wp1132199
    2) Each NAT mapping uses approximately 160 bytes of memory.
    I am still not sure of the command.
    HTH
    Ankur

  • Clearing nat translations through SNMP Set

    Is it possible to clear the translations on a router through SNMP?
    CLI Command : clear ip nat trans forced

    Not directly.  There is a trick, though.  If you use the CISCO-CONFIG-COPY-MIB, you can upload a config snippet with the following contents:
    do clear ip nat trans *
    end
    That will clear the tables.  The tech tip for the CISCO-CONFIG-COPY-MIB can be found at http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080094aa6.shtml .

  • MARS and FWSM NAT translation

    Greetings
    I've been running CS-MARS along with an FWSM and IDSM for about a year now and have always wanted to know one thing.
    If the IDSM sends an alert originating from the FWSM global IP I 'sometimes' get a translation into the internal NATed IP address. It's about a 10% success ratio.
    All systems are set with NTP to an internal server and I see no special pattern to it.
    Any ideas?
    Best regards
    Fredrik

    You need to check the NAT rules to find out which rule is working and changing the IP. After this scan the network traffic and determine at which particular traffic this happens.
