Source NAT for specific servers in a rule

Hello,
I am trying to achieve source NATing on the CSS and want to confirm if the configuration below is good.
VIP address: 61.61.61.61
Services: 10.1.1.1, 10.1.1.2, 20.1.1.1 and 20.1.1.2
Front-end circuit IP: 61.61.61.1 (Same subnet as 61.61.61.61)
Back-end circuit: 10.1.1.10 (Same subnet as 10.1.1.1 or .2)
service AAAA
  ip address 10.1.1.1
  active
service BBBB
  ip address 10.1.1.2
  active
service XXXX
  ip address 20.1.1.1
  active
service YYYY
  ip address 20.1.1.2
  active
owner Gateway
  content Gateway1
    vip address 61.61.61.61
    add service 10.1.1.1
    add service 10.1.1.2
    add service 20.1.1.2
    add service 20.1.1.1
    active
As the two servers 20.1.1.1 and 20.1.1.2 are not in the same subnet, we configured the following to source NAT specifically to these two servers.
group Gateway
  vip address 61.61.61.61
  add destination service 20.1.1.1
  add destination service 20.1.1.2
  active
In the past this configuration didn't work. We are going to try it again. Is there anything missing, and what else should we check to get it to work?
Appreciate any help.

Using 'add destination service' in the group rule NATs the original client IP as the VIP (in your case), and ensures that return traffic from the remote 20.x.x.x servers flows back to the CSS and then to the client instead of directly to the client (which would reject the traffic). There's no need to worry about any kind of load balancing loop being created. The downside to implementing this is that your servers will see all traffic as originating from the VIP and not the unique client IPs, and since the CSS doesn't support the x-forwarded-for header you're kinda stuck with that side effect.
Also, it's my understanding that the group rule must match the content rule in terms of VIP address and services within it to be effective. You would need to change your group rule to the following for it to work:
FROM:
group Gateway
  vip address 61.61.61.61
  add destination service 20.1.1.1
  add destination service 20.1.1.2
  active
TO:
group Gateway
  vip address 61.61.61.61
  add destination service 10.1.1.1
  add destination service 10.1.1.2
  add destination service 20.1.1.1
  add destination service 20.1.1.2
  active
Good luck!
James
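The check James describes (the group rule must carry the same VIP and the same set of services as the content rule), as an added Python example that is not from the original thread or from Cisco. It parses CSS CLI text of the shape shown above with a minimal parser written for this example, reports services the content rule load balances but the group rule does not source-NAT, and flags those outside the back-end circuit's subnet (assumed to be 10.1.1.0/24 from the poster's "Back-end circuit: 10.1.1.10") as the ones whose replies would bypass the CSS. The embedded sample is the poster's configuration with the group rule as originally posted.

```python
import ipaddress

# Constructed sample: the poster's services and content rule together with
# the group rule as originally posted (only the two 20.1.1.x servers).
SAMPLE = """
service AAAA
  ip address 10.1.1.1
  active
service BBBB
  ip address 10.1.1.2
  active
service XXXX
  ip address 20.1.1.1
  active
service YYYY
  ip address 20.1.1.2
  active
owner Gateway
  content Gateway1
    vip address 61.61.61.61
    add service 10.1.1.1
    add service 10.1.1.2
    add service 20.1.1.1
    add service 20.1.1.2
    active
group Gateway
  vip address 61.61.61.61
  add destination service 20.1.1.1
  add destination service 20.1.1.2
  active
"""

def parse_css_config(text):
    """Minimal parser for the service / content / group blocks of CSS CLI text."""
    cfg = {"service": {}, "content": {}, "group": {}}
    cur = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] in cfg and len(w) > 1:          # start of a named block
            cur = cfg[w[0]].setdefault(w[1], {"ip": None, "vip": None, "services": []})
        elif cur is None or w[0] == "owner":    # owner carries nothing we need
            continue
        elif w[:2] == ["ip", "address"]:
            cur["ip"] = w[2]
        elif w[:2] == ["vip", "address"]:
            cur["vip"] = w[2]
        elif w[:2] == ["add", "service"]:
            cur["services"].append(w[2])
        elif w[:3] == ["add", "destination", "service"]:
            cur["services"].append(w[3])
    return cfg

def check_source_nat(cfg, backend_subnet):
    """Compare each group rule with the content rule(s) on its VIP; [] means consistent."""
    by_ip = {s["ip"]: name for name, s in cfg["service"].items()}
    resolve = lambda ref: by_ip.get(ref, ref)   # 'add service' may use name or IP
    subnet = ipaddress.ip_network(backend_subnet)
    findings = []
    for gname, grp in cfg["group"].items():
        contents = [c for c in cfg["content"].values() if c["vip"] == grp["vip"]]
        if not contents:
            findings.append(f"group {gname}: no content rule uses VIP {grp['vip']}")
            continue
        want = {resolve(r) for c in contents for r in c["services"]}
        have = {resolve(r) for r in grp["services"]}
        for name in sorted(want - have):
            ip = cfg["service"].get(name, {}).get("ip")
            note = ""
            if ip and ipaddress.ip_address(ip) not in subnet:
                note = " (off-subnet: its replies would bypass the CSS)"
            findings.append(f"group {gname}: {name} ({ip}) is load balanced by "
                            f"the content rule but not source-NATed{note}")
        for name in sorted(have - want):
            findings.append(f"group {gname}: {name} is not in any content rule "
                            f"for VIP {grp['vip']}")
    return findings
```

Calling check_source_nat(parse_css_config(SAMPLE), "10.1.1.0/24") on the sample reports AAAA and BBBB as missing from the group rule; after adding the two 10.1.1.x services as James suggests it returns an empty list.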

Similar Messages

  • Swap R3 source system for BW without recreating transfer rules

    Hi, All,
    I am facing an interesting situation. The team would like to retire an R3 system which is the source to our BW development environment. I need to replace the old R3 source with another one. The BW development environment is also the source of the transport path.
    Is there a quick way to swap out an R3 source system without recreating all the transfer rules/infosources/infopackages which are tied to the old system?
    Thank you in advance for your help.
    Chimei

    Hi,
    In BI 7.0, we are trying to repoint ECC 6 Dev system in place of R/3 Dev.  Ran BDLS which converted some tables but not all and ended with errors.  Does anyone know how to manually correct these entries?  Is there a program to independently correct the tables?
    Regards,
    Ramesh

  • Dynamic Source NAT for multiple POOLS

    I am setting up Dynamic Source NAT with a few pools and access-lists to translate according to the access-list. However, when I configure some ACLs, nothing works, and the ACLs don't "match" anything. I know that the correct way would be to apply the ACL to the interface with "ip access-group <ACL-name> in/out"; however, in this case it would be impossible to apply more than one ACL with the ip access-group command.
    Furthermore, I have tested creating a route-map named TEST with all ACLs, but cannot create all the "ip nat inside source route-map ..." statements with the same route-map name. Also checked the Cisco example: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html...
    All configurations are attached.
    I need your help,
    Thanks in advance!

    Oh my God!! It already works fine! I hadn't thought that "log" would be a painful
    Thanks John Marshall!
    Attached is my troubleshooting:
    INET#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 195.77.205.33:49529 10.55.0.1:49529   4.2.2.2:22         4.2.2.2:22
    tcp 200.200.200.1:62978 10.55.1.1:62978   4.2.2.2:4343       4.2.2.2:4343
    tcp 195.77.205.20:13493 181.70.12.18:13493 195.47.200.32:443 195.47.200.32:443
    Furthermore we can check that the rotary option also works:
    INET#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 195.77.205.33:57238 10.55.0.1:57238   4.2.2.2:22         4.2.2.2:22
    tcp 195.77.205.33:16393 10.55.1.1:16393   4.2.2.2:22         4.2.2.2:22
    Thanks again!

  • NAT for Tacacs Servers

    Could anyone tell me if it is possible to NAT authentication requests for a specific TACACS server to an alternative address, which would be a new TACACS server? All device subnets have direct connections to a PIX firewall.
    e.g. network devices on 10.50.X.X authenticate to 10.51.20.100. I want any device destined for 10.51.20.100 using port 49 to translate to 192.168.1.100.
    I have tried numerous ways to achieve this but I think the problem is that they all have direct connections to the firewall and therefore it will never get translated. Please see attached diagram.
    Many thanks


  • How to set up NAT for two servers using same port with ASDM ASA 5505

    Hi there,
    We have a new installation of an ASA 5505 and are trying to get some NAT issues straightened out. Here is the scenario: On our internal network, we have two servers running Filemaker Server, a relational database server that clients connect to using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching Access rule in ASDM, which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a different translated port number from the original port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
    What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily chosen unused port) can be used to access the second server:
    Outside user enters FQDN:5004 and this translates to Database server # 1 as 192.168.1.40:5003
    and
    Outside user enters FQDN:5003 and this translates to Database server # 1 as 192.168.1.38:5003
    If so, what is the easiest way to get this done? Or is there a better way to handle this scenario?
    Thanks in advance,
    James

    I would create two objects and use object NAT:
    object network Obj_5004
      host 192.168.1.40
    object network Obj_5004
      nat (inside,outside) static service tcp 5003 5004
    object network Obj_5003
      host 192.168.1.38
    object network Obj_5003
      nat (inside,outside) static service tcp 5003 5003
    Of course you will need to open your outside interface for TCP ports 5003 and 5004 to make this happen.

  • CSS Source NAT

    Hi,
    I have a CSS in single-arm deployment model. I am trying to do Exchange server load balancing, but I am facing a problem
    with the source NAT. I don't want to NAT the client IP to the VIP.
    The Exchange team doesn't want the client IP address to be NATed. They want the real client IP to appear in Exchange so that they can track the exact
    user IP address for mail replying and tracking.
    Please let me know if there is any way to bypass the source NAT for a specific VIP.

    Hi,
    I need something like that. I need to hide all servers behind the CSS11501, so any client will contact the server as follows:
    1- Client initiates the traffic to the VIP, which will be forwarded to the servers. Then the server will reply to the client, from VIP to the client. In this case, I need to configure service and content.
    2- Server initiates traffic to the client; the source will be the VIP, the destination is the client IP. In this case, I need to configure service and group.
    Q1: Is that right?
    I am facing a problem because some client applications discovered the server IP, not the VIP, and they fail.
    Q2: Where is the problem?

  • Help to create a monitor for specific non-windows ID generated by script

    Hello all,
    Do you know how to create a monitor for specific event IDs (4, 5, 6, 7 & 8) in SCOM (with alerts)? I know how to create a monitor but not how to create it for specific servers. I would like to copy those monitors in the Management Pack that I override (because the original was locked).
    Thanks for your help.

    Hi,
    You can create a new DISABLED monitor in a new management pack.
    After that you will enable this monitor for specific servers using overrides.

  • ISG not creating a session for specific people

    Hi All,
    I have an ASR 1k running as ISG and DHCP server.
    I used the MAC address as the initiator for the session.
    Today I found unexpected behavior: some users who used to work before now have an IP address but no session is created.
    This is the configuration on the interface:
    interface Port-channel1.12
      encapsulation dot1Q 112
      ip address 10.0.0.1 255.255.255.0
      service-policy type control EAP-AP
      ip subscriber l2-connected
        initiator unclassified mac-address
    Any help on that?
    Thanks
    AbdelGalil Farid


  • ACE: Significance of mask in nat-pools configured for Source NAT

    Hi guys
    If I am using source NAT in ACE (one IP address, 10.10.10.200, used for all client address translations),
    what would be the difference between nat-pools configured with different netmasks?
    What is the recommended netmask for PAT, 255.255.255.255 or the VLAN interface's mask (/24 in this case),
    and why?
    case1:
    interface vlan 7
      ip address 10.10.10.100 255.255.255.0
      nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
      service-policy input clientvips
      no shutdown
    case2:
    interface vlan 7
      ip address 10.10.10.100 255.255.255.0
      nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
      service-policy input clientvips
      no shutdown
    Thanks in Advance
    A.

    Gilles
    Thanks a lot. It makes more sense now.
    I posted another question for an ACE design validation. Could you please validate this
    I am planning to deploy ACE module in following manner:
    > ACE will be in one arm mode ( Only one vlan connected to the ACE).
    > Vips & Rservers (all serverfarms) will be in the same Vlan X.
    > Default gateway on the ACE & Real servers will be the upstream router
    > There will be Source NAT configured for all Serverfarms.
    ACE --- Vlan X ------- Router --- internet
                     |
                     |-- Sfarm 1
                     |
                     |-- Sfarm 2
                     |
                     |-- Sfarm n
    I am pretty sure that it should work.
    Just wanted an expert opinion.
    Thanks

  • How to find what are all the rules and events are monitoring for specific server in SCOM 2007

    how to find what are all the rules and events are monitoring for specific server in SCOM 2007.
    I need to know what are all the events, services, and rules are monitored for the specific server.
    Kindly help me friends.

    Thanks for the question Sandoss. This is something that we all come across at sometime.
    Thanks & regards, Sumit Agrawal
    The lack of this feature is an inexcusable oversight for an enterprise management product.  They have some serious lightweights making design decisions on the SCOM team. 5 thumbs down. 
    BTW the answer is probably LOTS of stuff. Literally 100's of workflows are running on any server. 
    The following OpsMgr DB query will list all running monitors on a server. Change the name of @srv. I think this works pretty well.  I'd like some feedback if something is missing.
    DECLARE @srv varchar(30)
    SET @srv = 'your name here'
    SELECT mon.displayName as monitor, bme.FullName,bme.DisplayName as object,
    case
        when s.HealthState = 1 then 'healthy'
        when s.HealthState = 2 then 'Warning'
        when s.HealthState = 3 then 'Critical'
        else 'N/A'
    end as Health
    FROM state AS s WITH (NOLOCK)
    left join BaseManagedEntity as bme WITH (NOLOCK) on s.basemanagedentityid = bme.basemanagedentityid
    left join dbo.MonitorView Mon WITH (NOLOCK) on Mon.ID = s.monitorid
    where
    bme.FullName like '%' + @srv + '%'
    and s.HealthState <> 0
    and mon.IsInternalRollupMonitor = 0
    and mon.IsExternalRollupMonitor = 0
    order by bme.DisplayName, mon.displayName

  • [yaourt] Keep sources/build files only for specific AUR packages

    Hi,
    By default, packages are built in BUILDDIR=/tmp/makepkg, which itself usually is a virtual dir in RAM. I generally like this behaviour, so I don't wanna change the BUILDDIR variable to point to a dir on the hard disk, but for a few packages I'd welcome the sources/build dir being kept, e.g. for *-git packages, to reduce build time on consecutive updates. Is there a neat Arch way to tell the makepkg system to use a different dir (i.e., one on the hard disk) for specific packages? It'd be even greater to be able to use wildcards as well, so I could just enable this option for all *-git packages.
    And as I said, I generally like the idea of building in RAM, so the trick of just letting BUILDDIR point to a dir on my hdd and putting a command in some shutdown script to delete all but the directories ending in -git wouldn't be perfect.
    Cheers
    Last edited by epinephrine (2013-01-27 16:25:17)

    Oh you're right in that BUILDDIR isn't set by default. I use yaourt for building AUR packages, so this is a yaourt related question, oops. I'll ask in the appropriate forum...
    Some packages are only available as git packages, and that for a good reason. Some git repository maintainers follow the good working principle to always have their master branch stable and deployable and do development and testing in respective branches to keep master clean. E.g. I maintain 2 git packages on the AUR, and there are no other "stable" options, also as git makes sense for these packages.
    And sometimes you just need a more up2date version

  • Static NAT to two servers using same port

    I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
    I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
    Any help would be very much appreciated.
    Thanks,
    - Mike                  

    Hi,
    Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA, to my understanding, simply rejects the second "static" statement with ERROR messages.
    On software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port are coming from. This usually is not the case for public services, but in your situation I gather you know the source address where connections to this server are going to come from?
    I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain whether this is a stable solution. I would imagine it could not be recommended for a production environment setup.
    But nevertheless it's a possibility.
    So you would need the newer software on your firewall, but I am not sure what device you are using and what software it's using.
    - Jouni

  • How to configure email Alerts in OEM Cloud 12c for Database Servers up/down

    Hi everybody,
    How to configure email Alerts in OEM Cloud 12c for Database Servers up/down status?
    Regards,
    Miguel Vega

    Hi Miguel Vega,
    Information regarding the notifications:
    ==============================
    Configuring notification rules in 12c is different from earlier releases.
    The concept and function of notification rules has been replaced with a two-tier system consisting of Incident Rules and Incident Rule Sets :
    1. Incident Rules: Operate at the lowest level granularity (on discrete events) and performs the same role as notification rules from earlier releases.
    By using incident rules, you can automate the response to incoming incidents and their updates.
    A rule contains a set of automated actions to be taken on specific events, incidents or problems.
    The actions taken are for example : sending e-mails, creating incidents, updating incidents, and creating tickets.
    2. Incident Rule Set: A rule set is a collection of rules that applies to a common set of objects, for example, targets, jobs, and templates.
    To help you to achieve the Notification Rules configuration, refer to these notes:
    How To Configure Notification Rules in 12C Enterprise Manager Cloud Control? Doc ID 1368036.1
    EM12c How to Add and Configure Email Addresses to EM Administrators and Update the Notification Schedule? Doc ID 1368262.1
    EM12c How to Subscribe or Unsubscribe for Email Notification for an Incident Rule Set? Doc ID 1389460.1
    EM 12c How to Configure Notifications for Job Executions? Doc ID 1386816.1
    Best Regards,
    Venkat

  • Issues with source NAT configuration in VNMC

    Before coming to the questions/doubts let me explain the ASA 1000v setup that I have.
    ASA 1000v
    - inside interface with ip 10.1.1.1 (attached to a network with subnet 10.1.1.0/24 and vlan 515)
    - outside interface with ip 10.147.30.236 (attached to a network with subnet 10.147.30.0/24 and vlan 30)
    On the ASA, running 'show route' outputs the following:
    C             10.1.1.0 255.255.255.0 is directly connected, esp-in
    C             10.147.28.0 255.255.255.0 is directly connected, management
    C             10.147.30.0 255.255.255.0 is directly connected, esp-out
    S*           0.0.0.0 0.0.0.0 [1/0] via 10.147.30.1 via esp-out
    On VNMC I created an edge firewall with inside interface 'esp_in' (10.1.1.1) and outside 'esp_out' (10.147.30.236).
    Now I want to configure the following scenarios through VNMC:
    1. Source NAT: 10.1.1.0/24 -> 10.147.30.236. While trying to configure this I see the following error in VNMC:
    ERROR: Executing CLI returned error message: object network pe_internal_net_obj_range_10.1.1.2_10.1.1.254;range 10.1.1.2
    10.1.1.254;object-group network NSONOg:source-nat:source-nat-rule@esp-out;network-object object
    pe_internal_net_obj_range_10.1.1.2_10.1.1.254;nat (esp-out,any) 1 source static NSONOg: source-nat:source-nat-rule@esp-out interface;
    ERROR:  interface keyword is not allowed when translated interface is any;
    2. I created another NAT rule from 10.1.1.0/24 -> 10.147.30.237. I also created an ACL rule for allowing outbound ssh traffic. This was working for me initially and I was able to ssh from a VM attached to subnet 10.1.1.0/24 to an outside VM. But after I did a re-assign with the same ASA appliance this stopped working and there was a configuration error:
    ERROR: Executing CLI returned error message: service-policy mpf-sp0001 interface sp0001;         ^;ERROR: % Invalid input detected at ^ marker;
    ERROR: Executing CLI returned error message: service-policy mpf-esp-out interface esp-out;     ^;ERROR: % Invalid input detected at ^ marker;
    Version details
    VNMC 2.0
    ASA 1000v version
    Cisco Adaptive Security Appliance Software Version 8.7(1)1
    Device Manager Version 6.7(1)
    Questions:
    - Can anyone let me know what the correct configuration is for setting up source NAT as mentioned above? Why am I getting the errors mentioned and how do I fix them?
    - Why is there an error on reassigning the ASA 1000v to the edge firewall?
    - How do I enable logging/debugging on the ASA or VNMC to see packet details and how rules are getting applied?
    Thanks,
    Koushik

    Hello Arseny,
    How did you resolve this issue?
    We are still facing the same problem in WebI 4.1 SP5 Patch 4.
    The issue is still under SAP investigation with KBA 2131762.
    Regards,
    Mirko

  • LabVIEW license for terminal servers and thin clients (e.g. LTSP)

    Does NI plan to provide a license agreement for terminal servers and thin
    clients?
    I've been told to purchase a multi-seat license. That doesn't make much
    sense since the thin clients won't be accessing DAQ hardware. They're
    just used for developing the LV source.
    Comments/suggestions?

    On Thu, 04 Nov 2004 13:43:58 -0600, jbrohan wrote:
    > As far as I know it's the capability to edit the source code that NI has
    Yes, this is a very good point. Quite a unique situation when compared to
    text based languages. Keep in mind I certainly don't mind paying for that
    but I see no need to pay for much of the other features - like running it.
    This is certainly one of the other features you pay for with LV. Since
    we never plan to run the app on the thin client, why pay for that
    feature?
    What we do is crank out source code on the thin clients. We then send the
    source code to this wireless mobile DAQ station running WindowsXP. From
    there we can roll it up to our clients' target systems. That machine is
    used for debugging then compiling so it has its own LV Prof Dev license
    installed on it. Also, it can be operated locally or remotely via remote
    desktop (one user at a time).
    I know it may sound strange but it works great. And as the NI Software
    License Agreement(NISLA) specifies, we have separate licenses on all
    machines that load LV into local memory. The thin clients load nothing
    into local memory, hence no need for a separate license.
    > I express myself clearly in the hope of guidance. I am a one man shop
    Yes, this is understandable. Installing one license on multiple machines
    is a big no-no. However, that is not what I'm trying to do. Take a peek
    at the "Grant of License" and "Single Seat License" sections of the NISLA.
    > You say "That doesn't make much sense since ..." One of my clients has a
    Ha! How about this scenario: As wireless hardware (bluetooth, wifi)
    becomes more common, perhaps NI will have a peer scanner on all PCs with
    LV installed. That way if you get within 100 feet of a PC with the same
    LV serial number, you get locked out and it sends a small message to the
    NI batcave.
    Thanks for the response. I'm hoping NI chimes in soon.
