Sh ip nat translations

Hi,
When I run show ip nat translations on our gateway router, it comes up with an Inside Local IP Address that does NOT belong to our local network. See attached.
192.168.1.0/24 does not belong to any of our users, is not in the routing table as a static route (we don't use a dynamic protocol), nor is it a configured interface on the router.
Is there a way I can trace which VLAN this IP is coming from? Before this, network 192.168.1.0/24 was flooding our NAT pool and I had to configure the following under the NAT pool ACL:
deny ip 192.168.1.0 0.0.0.255 any log
Show log:
Jun 18 2007 14:41:46.081 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 15 packets
and
Jun 18 2007 14:51:29.101 EST: %SEC-6-IPACCESSLOGDP: list NAT_ACL denied icmp 192.168.1.111 -> 71.8.70.164 (0/0), 3 packets
Could this be a DoS attack?
We are currently experiencing an Internet outage for some users, who cannot use HTTP, mail and terminal services.
Thanks

Are there any subnets inside that are connected to a different network over VPN
with IP addresses 192.168.1.X etc. and access the Internet?
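
The two %SEC-6-IPACCESSLOG* lines in the original post are the kind of evidence that answers the "where is this coming from" question once they are aggregated. The following is an added example (not from the original thread) that parses such ACL log messages, totals denied packets per source, and flags sources that fall outside a list of known inside prefixes; the sample log lines and the 10.0.0.0/8 "known inside" prefix are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines in the %SEC-6-IPACCESSLOG* format shown in the post
SAMPLE_LOG = """\
Jun 18 2007 14:41:46.081 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 15 packets
Jun 18 2007 14:51:29.101 EST: %SEC-6-IPACCESSLOGDP: list NAT_ACL denied icmp 192.168.1.111 -> 71.8.70.164 (0/0), 3 packets
Jun 18 2007 14:52:02.310 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL denied udp 192.168.1.130(0) -> 10.0.1.1(0), 9 packets
Jun 18 2007 14:53:11.004 EST: %SEC-6-IPACCESSLOGP: list NAT_ACL permitted tcp 10.0.2.15(51022) -> 71.8.70.164(80), 1 packet
"""

# Prefixes the router is expected to see as inside-local sources (assumed for this example)
KNOWN_INSIDE = [ip_network("10.0.0.0/8")]

# Matches the IPACCESSLOGP (ports in parentheses) and IPACCESSLOGDP (icmp type/code) variants
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>\w+): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<pkts>\d+) packets?"
)

def parse_line(line):
    """Return a dict of fields for one ACL log line, or None if it is not an ACL log message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pkts"] = int(rec["pkts"])
    return rec

def summarize(log_text, known_inside=KNOWN_INSIDE):
    """Total denied packets per source address and list sources outside the known inside prefixes."""
    denied = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            denied[rec["src"]] += rec["pkts"]
    unexpected = sorted(
        src for src in denied
        if not any(ip_address(src) in net for net in known_inside)
    )
    return dict(denied), unexpected

if __name__ == "__main__":
    totals, unexpected = summarize(SAMPLE_LOG)
    for src, pkts in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {pkts:6d} denied packets")
    print("sources not in any known inside prefix:", ", ".join(unexpected))
```

Feeding the script the router's syslog (or a `show logging` capture) gives a per-source count that can then be matched against the MAC/ARP and VLAN tables to locate the offending host.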

Similar Messages

  • Remote Access VPN, no split tunneling, internet access. NAT translation problem

    Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
    Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
    I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
    I reviewed the new NAT rules for the VPN and found the culprit.
    I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
    Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
    nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source dynamic VPN_Subnet interface inactive
    object network obj_any
    nat (inside,outside) dynamic interface
    object network XXX_HTTP
    nat (inside,outside) static interface service tcp www www
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    Any help would be appreciated.

    Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
    With Regards,
    Safwan

  • What's the best way to do many NAT translations for WWW farm?

    Hello all, I hope this finds you in good spirits.
    I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many NAT translations through it. I have a group of about 100 IPs that need http/https/and sqlnet allowed through for our web farm.
    I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists. Now with the new object based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
    Do I have to create a network object for each and every IP I want to NAT through?
    Thank you for your consideration!

    Were your NATs not present in the pre-upgrade code? If they were, they should have been automatically rebuilt along with the recommended objects.
    If they weren't, you can relatively easily make a little script or spreadsheet with some transforms to go from your text listing to the necessary network objects and new syntax NAT rules.
    It's also relatively easy to build them in ASDM and just copy, insert and modify down the list. You can even use the "Add Object" part of the GUI to also add the NAT rules at the same time:

  • How to use MARS for NAT Translation Analysis...

    Hi All,
    I was wondering if we could use MARS to do NAT logging. To be more specific, currently we are using a PIX Firewall that does dynamic NAT/PAT. We log NAT translations to a syslog server and if further required we search the files to find what we want.
    I was wondering if anyone had tried to send translation logs to MARS and then doing a custom report for NAT Translations (i.e. by source, destination, time etc).
    Regards.

    Hello Nicolas,
    Use the following steps :
    Step 1
    Locate the File “global.properties”
    Drive:\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom
    The following values should be present:
    vintela.enabled=true
    idm.realm=Domain Name (you can get the name from C:\Windows\Krb5.ini)
    idm.princ=SPN User
    idm.allowUnsecured=true
    idm.allowNTLM=false
    idm.logger.name=simple
    idm.logger.props=error-log.properties
    Step 2:
    Locate the file “web.xml”
    D:\SAP BusinessObjects\Tomcat6\webapps\dswsbobje\WEB-INF
    Uncomment the Kerberos Proxy Filter and the Kerberos Filter sections to enable Kerberos SSO for Windows Active Directory (secWinAD) authentication. The following options must be specified (the rest are optional)
    idm.realm = SPN user (the same as the default_realm specified in the Krb5.ini file)
    idm.princ = SPN User (the same as specified for idm.princ in the global.properties)
    idm.keytab = (the same as specified for idm.keytab in the global.properties )
    Please note, if you are using the hardcoded password set in Tomcat's Java Options do not make any changes to the keytab lines in the web.xml
    Step 3:
    Backup and edit Drive:\Tomcat6\webapps\dswsbobje\WEB-INF\classes\dsws.properties by setting kerberos.sso to 'true' Restart Tomcat
    KR,
    MD

  • NAT Translating Destination IP and Port

    Hi, I have posted this in the Routing and Switching forum but thought I'd post it in here too as it relates to web security.
    I am struggling with NAT translation on a Cisco router. I want to translate all HTTP traffic that exits my network to change the destination IP to 117.166.1.1 and translate the destination port from tcp 80 to tcp 3128.
    i.e. If a PC with an IP 192.168.1.10 enters 200.1.1.1 into the web browser, instead of the traffic going to 200.1.1.1 on port 80, it will be directed to 117.166.1.1 on port 3128.
    This is because I am using a cloud url filter and want all HTTP traffic to go to that proxy.
    I believe this can be done with an outside NAT but I am unable to get this to work. Anyone know how to do this?
    Thanks
    K

    Hi,
    If you want to block all the connections to your computer on 25 port, you need to add My IP Address as the Destination address and set Any IP Address as the Source address in your computer.
    In addition, if you choose Mirrored, it will automatically configure both inbound and outbound filters. In your scenario, you would uncheck it.
    For more detailed information, please refer to the link below:
    Step-by-Step Guide to Internet Protocol Security (IPSec)
    Best regards,
    Susie

  • SNMP number of NAT translation

    Hi,
    I am looking for the SNMP OID to monitor the sh ip nat translations on a cisco 881.
    Does anyone know if this is available?
    Thanks,
    Ilya
    #sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Thu 26-Feb-09 06:01 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    center-gw1 uptime is 1 day, 16 hours, 23 minutes
    System returned to ROM by power-on
    System restarted at 13:06:10 MSK Thu Jan 5 2012
    System image file is "flash:c880data-universalk9-mz.124-24.T.bin"
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
    Processor board ID FCZ1434C3U4
    5 FastEthernet interfaces
    256K bytes of non-volatile configuration memory.
    125440K bytes of ATA CompactFlash (Read/Write)

    Hi Ilya,
    Have you used SNMPwalk to that device?
    Try the following MIB file:
    CISCO-IETF-NAT-MIB

  • Maximum number of simultaneous NAT translations

    Hi all...
    Does anyone know how many simultaneous NAT translations a low end device such as a Cisco RV016 supports?
    I know this is a low end device but I see no reason that with a typical allocation of 220 bytes per entry and modern CPUs to walk the tree this RV016 could not support 500 to 1000 easily?
    http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/792_pp.htm#wp39411
    Any reasonable device should support 500 to 1000? I believe a Linux box would do it effortlessly for 500 tcp/udp connections mapped via NAT at 100 Mbits/second but I would prefer a Cisco router any day.
    I am looking for at least 500+ users in on the WAN side to 1 or 2 servers on the LAN side behind the NAT wall.
    Of course worst case would assume 1 to 1 NAT simultaneous translations for numbers.
    What would be the minimum low end Cisco gateway router I could use to do this 500 to 1? 1000 to 1?
    Am I way off on this?
    Thanx.
    -Glenn

    The prevailing wisdom from Adobe for simultaneous requests is
    very wrong and inaccurate. First off, editing the simultaneous
    requests in the CFAdmin is safe to do. Editing your JVM settings
    with the CFAdmin is very dangerous on Linux because the CF Admin
    code can mangle the xml file. I'm not sure if this is true on
    Windows.
    Now back to the simultaneous requests issue. If you have high
    traffic and enough server processing power you can greatly increase
    the request number. We currently run our CFMX 7.02 servers set to
    100 simultaneous requests. And yes we've been maxed out at that
    level. We see over 1.5 million page views per day on a single cf
    server with only one instance of CF. As of today we switched to a
    load balanced setup and split the load across two servers. The
    reason we went load balanced is that we're expecting to more than
    double our traffic. Anyways, the number of simultaneous requests
    can be much higher than the 'General Wisdom' at Adobe.
    Oh yeah, I almost forgot. I've seen the new setting for
    simultaneous requests take effect without having to restart CFMX.
    Cheers,

  • Not Seeing NAT Translations Across GRE IPSec Tunnel

    Hello,
    I have a P2P GRE over IPSec tunnel between two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happening because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
    Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
    Thanks for any help you guys may be able to provide!
    Anthony, CCNA (Network/Voice)

    Can you send over the configurations
    You seem to have a phase 1 issue, it's not negotiating correctly.
    Thanks

  • Ip add inside Nat translated twice

    Hi,
    I have heard of the possibility of having an inside IP address translated twice. I am not referring to double NAT but the scenario below:
    private IP address translated into a /29, then... However the WAN IP address is a /30.
    Have you ever heard of it?
    Thank you

    Hello Nwag,
    When you perform a NAT translation, the prefix that you define is not added to the translation; it simply narrows down the source and destination IP addresses. The prefix or mask is used more in static network translations and to define the ranges for the traffic that you want to translate.
    Anyway, your ISP controls the IP addresses that are routed to your router, so even if you translate the traffic to an IP address it does not guarantee that you will get that traffic back. If you need more addresses you will need to purchase them.
    Hope this answers your inquiries.
    Regards,
    Alex Sanchez
    CCIE R&S #37454

  • ASR1006 log NAT translations

    Good day. We've got the following problem, but I can't solve it.
    We have:
    ASR1000-RP2
    ASR1000-ESP40
    ASR1000-SIP40
    SPA-10X1GE-V2
    SPA-10X1GE-V2
    Kiwi Syslog Server
    The ASR performs the function of ISG. The number of subscribers is up to 10000. This number is constantly growing.
    To economize on address space, subscribers surf the Internet through NAT.
    Now the task is to keep logs of all translations or binds. We need to store the information about what time a certain internal IP address was using which external IP.
    I've tried:
    ip nat log translations syslog
    logging trap debugging
    logging host xx.xx.xx.xx transport UDP port xxx
    no logging console (so as not to load the CPU)
    Then the following message arrived on the syslog server:
    %IOSXE-4-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:064 TS:00004084523374422713 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 1048576 exceeded; frame dropped
    I did:
    ip nat translation max-entries 10000000
    The error stopped appearing but the logs do not come.
    I think that because of the huge number of translations per second, it cannot send them as fast.
    How can this problem be solved, or how else can we obtain and store information about translations?
    Please say which syslog server is properly used for large volumes of data.
    Thank You and sorry for my English

    So I was able to redirect all log nat translations to the server using the command:
    ip nat log translations flow-export v9 udp destination server_ip udp_port
    Through Wireshark I get all the relevant information about ip address and time.
    Is there any software that could take this information and process it?
    I have used PRTG and ZOHO but they can't analyze this flow type.
    Can anyone help me?

  • Setting Nat Translations in RRAS

    We are looking to have our Windows Server 2012 as our main router and firewall. We want to replace our SonicWall with the Server 2012. I need to figure out how to do NAT translations to make an external IP translate into a specific IP address. For example,
    we want 64.19.190.107 to translate to 192.168.50.55. Please help me.

    Hi,
    Hope the following articles could help you:
    Enable and Configure NAT
    Enable RRAS as a VPN Server and a NAT Router
    NAT Example
    How NAT Works
    IPv4 - NAT - Interface Properties - Address Pool Tab
    Happy Holidays.
    Jeremy Wu
    TechNet Community Support

  • Dhcp client lease, nat translation statistics

    I am using my 3620 instead of a netgear cable router connected to cablevision.
    1) How can I see when the router dhcp lease ends so I can see if it gets another address? I have seen on past posts that there were problems with this issue. I am using 12.3(13) ios.
    2) How can I see how much memory has been used by nat translations? I have 64Meg of memory.
    Thanks

    Hi csross,
    If I understand you correctly, this will resolve your issue.
    1) show ip dhcp binding [ip-address]
    It will show you the lease expiration like the output below
    Router# show ip dhcp binding 172.16.1.11
    IP add Hard add Lease expiration Type
    172.16.1.11 00a0.9802.32de Feb 01 1998 12:00 AM Automatic
    Here you go with the link
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hiad_r/adr_s1h.htm#wp1132199
    2) Each NAT mapping uses approximately 160 bytes of memory.
    I am still not sure of the command.
    HTH
    Ankur

  • ASA 8.2.1 static nat translation

    Hello,
    I want to ask about this:
    On ASA version 8.2.1 is configured static translation like this:
    static (Inside,Outside)  5.5.5.100 192.168.1.5 netmask 255.255.255.255
    which is a static 1:1 mapping between Outside and Inside IP.
    This translation creates a mapping from outside to the local PC. But it translates for example RDP session port 3389 to port 3389, which is not a very good solution (I can use access-lists to restrict access from outside of course, but it is a bit limiting)...
    So I want to have an "exception" only for one port, to map it to another port on this public IP, and the others use it with no change.
    I can do: static (Inside,Outside)  tcp 5.5.5.100 123456 192.168.1.5 3389 netmask 255.255.255.255, but I can't use it together with the 1:1 static statement.
    Maybe I can use:
    global (outside) 2 5.5.5.100
    nat (Inside) 2 access_list PC
    access-list PC extended permit ip host 192.168.1.5 any 
    and then static (Inside,Outside)  tcp 5.5.5.100 123456 192.168.1.5 3389 netmask 255.255.255.255
    But is this the right way to deal with this problem?
    Thank you very much.

    Why do you need the 1 to 1 static for that PC if you just want to do port forwarding? Is there some requirement that desktop has a static IP address on the public internet?
    If you must keep the 1 to 1, you can pretty easily change the port that PC listens on for remote desktop. That policy NAT example you have might work also.

  • Static Nat translation

    There is one config that I can not figure out how to translate it over...
    ip nat inside source static 10.4.200.29 27.166.58.194
    ip nat inside source static 10.4.200.25 27.166.58.195
    How do I do this on the ASA 8.2.5? (came from a 2800 router running ver 12.3(8r))

    Hello Shaun,
    Yeah, you are missing the ACL.
    On an ASA, when going from a lower security level to a higher one there is a requirement of an ACL in order for the traffic to be allowed.
    access-list out-in permit tcp any host 27.x.x.x eq 80
    access-group out-in in interface outside
    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
    Any question contact me at [email protected]
    Cheers,
    Julio Carvajal Segura

  • MARS and FWSM NAT translation

    Greetings
    I've been running CS-MARS along with an FWSM and IDSM for about a year now and have always wanted to know one thing.
    If the IDSM sends an alert originating from the FWSM global IP, I 'sometimes' get a translation into the internal NATed IP address. It's about a 10% success ratio.
    All systems are set with NTP to an internal server and I see no special pattern to it.
    Any ideas?
    Best regards
    Fredrik

    You need to check the NAT rules to find out which rule is working and changing the IP. After this scan the network traffic and determine at which particular traffic this happens.
