Setting up static nat for ip addresses
We recently switched to a verizon fios line. Our company has two offices (CA, NC). There are servers in NC that we need to be able to print to printers in CA.
We have 5 static IP's from Verizon, I set 3 of the remaining IPs as a static nat to the private ips of the printers. I cannot ping these static public ips. I even have the port forwarding from UDP/TCP set to any for both the Source and Destination ports.
Can anyone help me as to why I cannot ping these IP addresses?
I can ping the private IP's from the private network (CA) that the printers are on.
No, it does not. But they are working this morning. Maybe the DNS needed to propagate? Not sure but it works now.
Similar Messages
-
NAT overload has been done successfully as follows:
1. ip nat inside and ip nat outside configured on the appropriate interfaces, i.e. fa0/0 and fa0/1
2. default route added on the router.
3. additional configuration is added:
ip nat inside source list 1 interface fa0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
Now I am trying to use static NAT for FTP:
ip nat inside source static tcp 192.168.1.X 21 x.x.x.x 21 extendable
But this does not work, please help. I am trying to access the FTP server from the LAN by entering the public address in the browser. I can access the FTP server with the private address, but this defeats the purpose of FTP. Please help.
Router(config)#interface fa0/0
Router(config-if)#ip address 192.168.1.254 255.255.255.0
Router(config-if)#no shut
Router(config-if)#ip nat inside
Router(config-if)#interface fa0/1
Router(config-if)#ip address 203.109.120.2 255.255.255.252
Router(config-if)#no shut
Router(config-if)#ip nat outside
Router(config)#ip route 0.0.0.0 0.0.0.0 interface fa0/1
Router(config)#ip nat inside source list 1 interface fa0/1 overload
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
-
DM-VPN with Static NAT for Spoke Router. Require Expert Help
Dear All,
This is my first time writing something.
I have configured DM-VPN and it's working fine; now I want to configure static NAT.
Some people will wonder why I need static NAT if it's working fine.
Let me tell you why I need it and what my plan is.
I have a hub with 3 spokes. Sometimes I go outside my office and am not able to access my spoke computer by Terminal Services, because it has a dynamic IP address. So my idea is to add one static NAT on my hub router, so that if anyone (or I) hits the real/public IP address of my hub WAN interface from any other remote location, the query is redirected to my Terminal Services computer, which is located in the spoke network.
Well, I tried that but failed.
Again the suggestion will come: why not use Easy VPN? Well, it sounds great, but then I have to keep my notebook with me.
I'll also do that, but for now I need to know how to do the static NAT, like I do on a normal router which is not part of a VPN.
ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
But this time this command is not working, because the IP address which I mention belongs to the hub network, not the spoke.
Suppose the spoke network is 192.168.2.0/24
and I want this on the hub router:
ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
I am using Cisco 887 and 877 ADSL routers.
But it's not working. I need expert help. Please write your comments, which are very important for me. Waiting for your comments.
For more details please see the diagram.
Contact me: [email protected]
Hi rvarelac, thank you for the reply:
I already did that. I put deny statements in the NAT access-list excluding the VPN traffic, but the problem is still there!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp key 12344321 address 1.1.1.1
crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
mode tunnel
crypto map s2s 100 ipsec-isakmp
set peer 1.1.1.1
set transform-set Remote-Site
match address vpnacl
interface GigabitEthernet0/0
crypto map s2s
Extended IP access list lantointernet
30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
80 permit ip any any
-
How to set and static ip_address for a Suse Linux box
Hi.
I've done the following to set a static IP address for my Suse 9 Linux box:
- Take note of the inet address value from the ifconfig command, i.e. (172.17.2.14)
- Change this value in /etc/hosts for my Linux box.
Since Suse is configured by default to use DHCP for assigning dynamic ip_addresses, I'm not sure whether it will in the end be set as a static address. I've rebooted my box and it seems to be OK.
Thanks in advance ...!
/etc/hosts is not a configuration file for ethernet interfaces.
Configuration files for ethernet interfaces are stored in the /etc/sysconfig/network directory.
For example, if you have an eth0 device, then the configuration for this device is stored in the /etc/sysconfig/network/ifcfg-eth0 file.
Important directives:
DEVICE - interface (eth0)
IPADDR - IP address of interface
NETMASK - netmask
BOOTPROTO - "static" for static configuration, dhcp for dynamic configuration via dhcp
ONBOOT - activating interface during boot (yes/no) (yes - of course :-) )
GATEWAY - default gateway
So for example you want setup static IP (192.168.10.1 / 255.255.225.0) for eth0 interface.
Edit the /etc/sysconfig/network/ifcfg-eth0 file and your configuration should be:
DEVICE=eth0
IPADDR=192.168.10.1
NETMASK=255.255.255.0
BOOTPROTO=static
ONBOOT=yes
Then you simply restart the network using:
/etc/init.d/network restart
OR
/sbin/ifdown eth0
/sbin/ifup eth0
OR
ifconfig eth0 down
ifconfig eth0 up
-
Hello,
It has been a while since I last worked on firewall. Please take a look at info below.
INSIDE does not have access to Internet
Services/Servers in DMZ need to be accessible from Internet
CONFIG
names
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.46 255.255.255.240 standby X.X.X.45
interface Ethernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address INSIDE.254 255.255.254.0 standby INSIDE.253
interface Ethernet0/2
interface Ethernet0/2.1
description LAN Failover Interface
vlan 20
interface Ethernet0/2.2
description STATE Failover Interface
vlan 30
interface Ethernet0/3
description DMZ INTERFACE
speed 100
duplex full
nameif dmz
security-level 100
ip address DMZ.254 255.255.255.0 standby DMZ.253
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name CDGI.com
same-security-traffic permit inter-interface
access-list NAT0_INSIDE_DMZ remark NO NAT FROM INSIDE TO DMZ
access-list NAT0_INSIDE_DMZ extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.41
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.41 eq www
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo-reply
access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.42
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.42 eq www
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo-reply
access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 192.168.254.0 255.255.255.0
access-list NO-NAT-DMZ extended permit ip DMZ.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool SSLCLIENT_IP_POOL 192.168.254.1-192.168.254.25 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/2.1
failover link STATEFUL Ethernet0/2.2
failover interface ip FAILOVER 172.31.254.254 255.255.255.252 standby 172.31.254.253
failover interface ip STATEFUL 172.31.254.250 255.255.255.252 standby 172.31.254.249
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (dmz) 0 access-list NO-NAT-DMZ
static (dmz,outside) X.X.X.41 DMZ.49 netmask 255.255.255.255
static (dmz,outside) X.X.X.42 DMZ.28 netmask 255.255.255.255
access-group OUTSIDE_TO_DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect http
service-policy global_policy global
===========================================================================================
As you see above, config has ACL that allows traffic from Internet to DMZ and has static NAT. The hosts in DMZ are still not accessible.
Please help.
Thanks,
Paresh.
Hi,
For Inside to internet:
you have no global (outside) as well as nat (inside) configured.
nat (inside) 1 0 0
global (outside) 1 interface
For second part, I see no problem in the config, is it not working?
Regards.
Alain
-
BO Webi: How to populate a variable with the set of static values for Graph
Hi All,
I have the data: Order number, Order Date, processing time coming from the SAP Bex query in the below format:
Order No Order Date Processing time (Days)
1 Jan-2011 4
2 Jan-2011 5
3 Feb-2011 6
In BO webi report, I have to report the number of orders which were processed in <1day, <2days, <3days,...<10days in a graphical view. i.e., X-Axis: <1day, <2days, <3days,...<10days(10 static buckets for the processing days)
Y-Axis: Number of Orders.
The graphical output should be like below:
X-Axis: <1day, <2days, <3days,<4days,<5days,<6days,<7days,<8days,<9days,<10days
Y-Axis: 0, 0,0,0,1,2,3,3,3,3 (count(Order No)) (Cumulative count)
I am able to calculate the number of orders individually for each of the 10 buckets. But the problem i am facing is that I am not able to hold the 10 static bucket values in a variable to use it for the x-axis in the Graph, as these 10 static bucket values are not coming from the backend source.
I would like to know if there is way to populate a variable(to use it for the X-Axis in the graph) with the set of 10 static values.
Any help would be highly appreciated.
Thanks,
Leela
Hi,
I think we can use the variable as X-axis in chart.. but Variable Qualification should be Dimension.
Can you try this?
Using the eFashion universe
1) Select month and Sold at (unit price), then run the query
2) create the variable V_Month ==If [Month]=1 Then "Month1" Else "Month2" (Note = Variable Qualification should be Dimension)
3) Create the variable V_Sum= sum (Sold at (unit price))
4) create another variable V_Cumulative_Sum==[V_Sum]+Previous([V_Sum])
Now add V_Month and V_Cumulative_Sum in table , then convert to chart.. now you can add the variable V_Month as X-axis of the chart.
Hope this will help:)
Thanks
Ponnarasu K
-
Configure static NAT for range of ports
Hi,
I have a 2911 with a 3CX IP PBX behind it that needs to have a static NAT to the 3CX server for TCP/UDP 5060 and UDP 9000-9049. Do I have to create a static NAT entry for every single port in order for this to work, or can a range be defined in the NAT entries?
As an example, say my 3CX server has an internal IP of 192.168.1.25 and my external IP is 1.2.3.4. Would I have to create an entry for each port?
ip nat inside source static tcp 192.168.1.25 5060 1.2.3.4 5060
ip nat inside source static udp 192.168.1.25 5060 1.2.3.4 5060
ip nat inside source static udp 192.168.1.25 9000 1.2.3.4 9000
ip nat inside source static udp 192.168.1.25 9001 1.2.3.4 9001
and so on...
Is this the correct way to do it, or is there another better way?
Also, I only have one public IP to work with, and there are multiple other hosts on this network that need to have access to the internet. Right now I have NAT setup with overload so that the other hosts can get to the Internet. Here's my config for that:
ip nat pool PATPOOL 1.2.3.4 1.2.3.4 netmask 255.255.255.252
ip nat inside source list NAT_ACL pool PATPOOL overload
ip access-list standard NAT_ACL
remark PAT to outside
permit 192.168.1.0 0.0.0.255
exit
My question with this is will the static NAT work if I already have NAT overload configured as above?
Thanks for the help in advance.
Austin
PS here is 3CX documentation on this subject http://www.3cx.com/blog/voip-howto/cisco-voip-configuration/
I ended up creating a static NAT entry for each individual port mapping. This worked just as it was supposed to.
I have seen examples of people using route maps and ACLs to accomplish forwarding a range ports. I have yet to see official documentation from Cisco on this, and in some cases those examples did not seem to work correctly.
ASAs with the latest code have the ability to forward a range of ports, but based on my research IOS lacks this feature.
In my case, forwarding 50 ports wasn't so bad. However, if you have hundreds or thousands of ports to forward you may want to try the route map/ACL approach.
Hopefully this information is useful to others.
-
Static NAT for Secondary IP addresses
I am running a Novell SBS 6.0 SP4 server w/Border Manager 3.6 Sp2 with two
Netcards. My Two public IP address w/different subnets on the same Net
card will keep running but the secondary IP address fail after a few
hours, but can be pinged from inside the Network. The following is how my
config is setup:
Netcard #1(public):
IP #1 - 66.170.173.100 Subnet 255.255.255.240
Static/Dynamic 66.170.173.17 -> 192.xxx.1.22
66.170.173.18 -> 192.xxx.1.23
66.170.173.20 -> 192.xxx.2.25
IP #2 - 66.170.173.17 Subnet 255.255.255.248
Static/Dynamic - Disabled
Secondary Ip Address bound -> 66.170.173.18
-> 66.170.173.20
Netcard #2 (private)- 192.xxx.1.16
The modem is connected directly to Netcard #1 with no router between
them. Is there something wrong with this setup or is there something else
I have to do? My filters seem to be working fine as far as I know.
Thank you,
[email protected]
> hi Ken,
>
> do you have a way to verify that the secondary IP addresses work properly if
> they're associated to another device?
> What's the agreement you have with your ISP about the two subnet of
> addresses? Are they aware that they're associated to the same physical
> device? I'm wondering if there is something wrong in the wireless system that
> prevents ARP from working properly in that configuration.
>
> --
> Caterina Luppi
> Novell Support Connection Volunteer Sysop
> <[email protected]> wrote in message
> news:zj7mc.1918$[email protected]..
> > > Hi Ken,
> > >
> > > > Whose router are we talking about? Is it the modem of the ISP just before
> > > > my server or my internal switches for my workstations?
> > >
> > > sorry, my bad. I was referring to the modem of the ISP. I suspect this is
> > > not a modem only, right? I mean, you have an ethernet connection between the
> > > modem and the BM server, correct? In this case the device of your ISP is a
> > > modem/router, not a modem only.
> > > Are you using DSL or cable?
> > > --
> > > Caterina Luppi
> > > Novell Support Connection Volunteer Sysop
> > >
> > >
> > Yes, we are running wireless DSL. They called it a modem, but it might be
> > a router.
> >
> > [email protected]
>
>
I just received an email back from the ISP and they said they have had
troubles with that modem and ARP tables. They are going to swap out the
modem when they get the new type of modems in. I will post back the
outcome when they swap them out.
Thank you for the help,
[email protected]
-
Need help setting up static NAT to internal server
One of my internal servers needs to be available to the internet, and I am having a hard time getting it NATed through my Cisco 2801 router. It seems as though I'm missing something small. From what I can gather it seems as though it's an issue with the ACL, but I'm not sure. I have run the following command:
ip nat inside source static tcp 192.168.5.1 ***WAN IP Address*** 8443 extendable
Then I tried to add it to the ACL via this command:
access-list 150 permit tcp any host ***WAN IP Address*** eq 8443
Here is a copy of my config. Please advise. Thanks.
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Cisco 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 102 permit tcp any host public ip eq 8443
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
If you are planning to use the fa0/1 interface IP itself then the configuration would be:
ip nat inside source static tcp 172.19.3.133 8443 interface fa0/1 8443 extendable
Assuming that you would like to port forward TCP/8443.
Then the ACL should be written:
ip access-list extended 102
2 permit tcp any host eq 8443 -
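Added example, not code from the thread or from Cisco: IOS evaluates an access list top-down and stops at the first match, so in the posted access-list 102 the `permit tcp ... eq 8443` entry that follows `deny ip any any log` is never reached, which is why the reply places its permit at sequence number 2. The Python below replays that on a constructed excerpt of the list and reports entries that an earlier entry fully covers; 203.0.113.10 (standing in for the masked public IP) and 198.51.100.7 are constructed documentation addresses, and the parser handles only the rule forms in the excerpt.

```python
"""First-match evaluation of a Cisco IOS extended ACL (added example).
ACL_102 is a constructed excerpt modelled on access-list 102 in the post;
203.0.113.10 stands in for the masked public IP (an assumption)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MASK = 0xFFFFFFFF
PORTS = {"ftp": 21, "isakmp": 500, "non500-isakmp": 4500}

ACL_102 = """\
access-list 102 permit udp any host 203.0.113.10 eq isakmp
access-list 102 permit esp any host 203.0.113.10
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 203.0.113.10 eq 8443
"""

@dataclass
class Rule:
    action: str
    proto: str
    src: tuple            # (address, wildcard); wildcard bit 1 = don't care
    dst: tuple
    dport: Optional[int]  # None = any destination port
    text: str

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):
    """Parse one address spec starting at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return (0, MASK), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def parse(line):
    tok = line.split()    # access-list <n> <action> <proto> <src> <dst> ...
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        dport = PORTS[name] if name in PORTS else int(name)
    return Rule(tok[2], tok[3], src, dst, dport, line.strip())

def load(text):
    return [parse(l) for l in text.splitlines() if l.strip()]

def _in(ip, spec):
    addr, wild = spec
    return ((ip ^ addr) & ~wild & MASK) == 0

def first_match(rules, proto, src, dst, dport=None):
    """(position, rule) of the first rule that matches; None = implicit deny."""
    s, d = _ip(src), _ip(dst)
    for pos, r in enumerate(rules, 1):
        if r.proto not in ("ip", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if _in(s, r.src) and _in(d, r.dst):
            return pos, r
    return None

def _covers(a, b):
    """True if spec a matches every address that spec b matches."""
    return (b[1] & ~a[1] & MASK) == 0 and ((a[0] ^ b[0]) & ~a[1] & MASK) == 0

def shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule fully covers the later."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and earlier.dport in (None, later.dport)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)):
                out.append((later.text, earlier.text))
                break
    return out

if __name__ == "__main__":
    rules = load(ACL_102)
    probe = ("tcp", "198.51.100.7", "203.0.113.10", 8443)  # constructed packet
    pos, rule = first_match(rules, *probe)
    print(f"as posted: entry {pos} decides -> {rule.text}")
    for later, earlier in shadowed(rules):
        print(f"never reached: {later!r} (covered by {earlier!r})")
    fixed = [rules[-1]] + rules[:-1]   # permit moved ahead of the deny
    pos, rule = first_match(fixed, *probe)
    print(f"reordered: entry {pos} decides -> {rule.text}")
```

The same check flags the posted `permit tcp any host 172.19.3.140 eq ftp` entry, which also sits below the catch-all deny.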
Help setting up static ip for minecraft server with TC and PC
Hey guys,
I have a Dell XPS laptop and a son that is hooked on Minecraft. I have promised him that I would let him set up a server so he and his buddies can play together. I would really appreciate some assistance on doing this on my Time Capsule. I have been searching for the solution but could only find references to doing this with a Mac, not a PC.
Could anyone point me in the right direction? I'm afraid I am in a little over my head. Thanks in advance!!
Zippy
> Does that mean that the range on the IPV4 local network page should be modified to exclude the IP address that I want to use for the static IP....
> e.g. change the range from 1-255 to 1-200 and then use an IP of XXX.XXX.X.201 for instance
That's right.
You want to reserve static IP addresses in a range that does not overlap with the range that is allocated for generic DHCP clients. For example, you can define the DHCP pool to be 50~149, and reserved IP addresses to be 2~49 (for servers).
-
Command to see host and static nat for the same object together
I have researched this but cannot find an answer. ASA running version 8.5.
When you create the config using object NAT you enter the commands as follows
object network <object name>
host x.x.x.x
nat (inside,outside) static y.y.y.y
When the config is displayed it separates the host and nat commands in two different sections of the config as follows
object network <object name>
host x.x.x.x
object network <object name>
nat (inside,outside) static y.y.y.y
Is there a command that will display it all together (like it was typed in)? Show NAT is something like what I am after but without all of the extra info such as translate_hits, untranslate_hits etc. I need this information but cleaning up the output of a show nat is going to be tough.
Any suggestions?
Thanks.
Sorry, show nat detail is what I meant in the original post in place of show nat. Show nat detail still has all of the extra info I was trying to avoid. Guess I will be editing a text file.
Thanks for the reply.
-
How to configure Multiple static NATs
Hi,
I am trying to configure a Cisco 871 router.
I have 3 servers on my network that need static public IPs but also still need to communicate on the local network.
I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.
I can access those servers internally using the public IPs but not from outside the network. A traceroute from outside the network gets dropped when it gets to my ISP.
I've never configured more than one static IP for a network before and I know I've just missed a step here. Do I also need to set up static routes? Will that update the next hop's routing table?
Thanks in advance for any help.
You can execute multiple apply processes (parallel parameter). It is pretty much scalable.
There is one thing why 2 propagate processes can be helpful: I consulted one client with different reqs for replication delivery for different tables. In this case you can create 2 propagate processes in different schemas (with different db links).
From a maintenance point of view, one propagation and one apply is better.
Regards,
SergeR
-
H323 static Nat doesn't work fine on 3900 series router with IOS 15.2(3) T
Hi,
I have a problem with static nat setting on my 3925 router with IOS15.2(3). The scenario is like this:
I set a static nat between 172.16.1.2 and x.x.x.x(public IP address) using following command:
ip nat inside source static 172.16.1.2 x.x.x.x
The intranet IP address is set on a video conference system from Huawei. After setting all these things, ping works fine to this public IP address, but the video conference cannot be built. I tried the same setting using another 2811 router with IOS12.4 and it worked fine, which means the problem should be isolated to this 3925 router. Full config is also attached, sorry that I eliminated the public IP address and used other characters instead.
Additionally, I debugged ip natting and I see following information when making video calls:
router#debug ip nat h323
IP NAT H323 debugging is on
router#
*Jul 10 09:11:07.343: NAT[0]: H323: received pak, payload_len=0
*Jul 10 09:11:07.343: [NAT[0]: H323 ACK packet ? FALSE
*Jul 10 09:16:15.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:16:15.731: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:16:57.215: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:16:57.215: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:17:02.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:17:02.731: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:17:14.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:17:14.731: [NAT[1]: H323 ACK packet ? FALSE
This problem has been bothering me for weeks. Hope that someone could help me out. Many thanks in advance.
Regards,
Angran
Hi,
I have the same requirement for a customer, not for video but for audio calls. I have a remote office with H.323 phones and they need to get registered to a GK in the central office to send and receive voice calls. Did you make it work? Can you share the config please? -
Regarding the SA540, can you set a statically NAT'd private IP to go outbound on the same public IP instead of the general one? Specifically, 184.183.11.224 routes to 192.168.1.5 and 184.183.11.225 routes to 192.168.1.4. Currently, 192.168.1.5 goes outbound as 184.183.11.224 and 192.168.1.4 goes outbound as 184.183.11.225. My concern is that the SA-540 isn't capable of making the latter happen and all outbound communication from 192.168.1.4 and 192.168.1.5 will go out as the public IP of the router itself (184.183.11.223).
Can anyone answer this for me?
Today we had the same problem. Basically we have two public addresses, one for the internal network and another one for the mail server. The problem was that we could not get inbound from the IP address of the mail server to the alias IP address (not the address of the main WAN interface).
mail server internal ip-------SA540(ip alias address)------internet
network------sa540(main wan interface address)---internet
The solution was to reset to factory defaults and do the firewall rules for the mail server first. I guess the SA540 somehow remembers old settings (no clear xslate), mostly because of iptables rules or.... -
Guide or instruction about build and config NAT for network.
Hey everybody. I'm studying for the Cisco CCNA and I have a problem building a network. The requirement is: design and build a network topology with 4 routers, 6 switches and 8 PCs, and automatically set and configure IP addresses for communication between the devices in the topology. Some suggestions given: 3->4 IP front, 1 range 4 IP route, 2 range 8 IP route, 1 range 16 IP route. Also give a method and configure NAT for that network with: Static NAT, Dynamic NAT, PAT and NAT co-ordinate.
Please give me some guidance or instructions for this lab. Thank you very much.
Hey all, here is a network topology (model) I made myself, and I have configured NAT for it. Please look at it, check it, and fix any errors or guide me in fixing them. Thank you very much.
As the subject, I propose using the IP range 200.200.5.1/27
b/ Static NAT so that PC8 (192.16.6.1) becomes IP 200.200.5.1 for the outside network.
Router3(config)#ip nat inside source static 192.168.1.2 200.200.5.1
Router3(config)#interface fa 1/0
Router3(config-if)#ip nat inside
Router3(config-if)#interface s 0/0
Router3(config-if)#ip nat outside
a/ Allow PCs in LAN 192.168.5.1/24 to go out to the internet; these IPs will be NATed to the IP range 200.200.5.1 -> 200.200.5.6 (IP 200.200.5.1 has been used for static NAT, but we can reuse it).
Router3(config)#access-list 1 permit 192.168.5.0 0.0.0.255
Router3(config)#ip nat pool natdong 200.200.5.1 200.200.5.6 netmask 255.255.255.248
Router3(config)#ip nat inside source list 1 pool natdong
Router3(config)#interface fa 0/0
Router3(config-if)#ip nat inside
Router3(config-if)#interface s 0/0
Router3(config-if)#ip nat outside
c/ Allow PCs in the 2 LANs 192.168.1.0/24 and 192.168.2.0/24 to go out to the internet; this IP range will be NATed to the IP range 200.200.5.33 -> 200.200.5.48 (16 IP addresses).
Router3(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Router3(config)#access-list 1 permit 192.168.2.0 0.0.0.255
Router3(config)#ip nat pool natpat 200.200.5.33 200.200.5.48 netmask 255.255.255.224
Router3(config)#ip nat inside source list 1 interface serial 0/0 overload
Router3(config)#ip nat inside source list 1 pool natpat overload
Router3(config)#interface fa 0/0
Router3(config-if)#ip nat inside
Router3(config)#interface fa 1/0
Router3(config-if)#ip nat inside
Router3(config-if)#interface s 0/0
Router3(config-if)#ip nat outside
Note: My English is not good, so please excuse any spelling mistakes.
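One way to check the NAT statements in the post above for address-plan conflicts, as an added example that is not part of the original post. The function name `lint_nat` and its finding strings are hypothetical, and the checks are address arithmetic only, not a statement of how IOS resolves each conflict.

```python
import ipaddress
import re

# Constructed input: the NAT statements from the post above, router prompt stripped.
CONFIG = """\
ip nat inside source static 192.168.1.2 200.200.5.1
access-list 1 permit 192.168.5.0 0.0.0.255
ip nat pool natdong 200.200.5.1 200.200.5.6 netmask 255.255.255.248
ip nat inside source list 1 pool natdong
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat pool natpat 200.200.5.33 200.200.5.48 netmask 255.255.255.224
ip nat inside source list 1 interface serial 0/0 overload
ip nat inside source list 1 pool natpat overload
"""

def lint_nat(config, public_block):
    """Return a list of findings for a block of IOS NAT statements (hypothetical helper)."""
    block = ipaddress.ip_network(public_block, strict=False)
    pools, statics, acl_rules, findings = {}, [], {}, []
    for line in config.splitlines():
        if m := re.match(r"ip nat pool (\S+) ([\d.]+) ([\d.]+) netmask ([\d.]+)", line):
            name, start, end = m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            pools[name] = (start, end)
            # The pool must fit in the subnet implied by its own netmask.
            subnet = ipaddress.ip_network(f"{m[2]}/{m[4]}", strict=False)
            if end not in subnet:
                findings.append(f"pool {name}: end address outside {subnet}")
            # The pool must also sit inside the public block the plan claims to use.
            if start not in block or end not in block:
                findings.append(f"pool {name}: outside public block {block}")
        elif m := re.match(r"ip nat inside source static ([\d.]+) ([\d.]+)", line):
            statics.append(ipaddress.ip_address(m[2]))  # global (public) side
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            acl_rules.setdefault(m[1], []).append(line)
    # One ACL feeding several dynamic rules means the rules select the same sources.
    for acl, rules in acl_rules.items():
        if len(rules) > 1:
            findings.append(f"ACL {acl}: referenced by {len(rules)} dynamic NAT rules")
    # A static global address that also lies in a dynamic pool range.
    for addr in statics:
        for name, (start, end) in pools.items():
            if start <= addr <= end:
                findings.append(f"static {addr}: also inside pool {name}")
    return findings

if __name__ == "__main__":
    for finding in lint_nat(CONFIG, "200.200.5.1/27"):
        print(finding)
```

Standard ACL entries with the same number accumulate, so by the last statement `access-list 1` permits all three LANs; using a separate ACL number per NAT rule keeps each rule's source set distinct.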