Static/Dynamic NAT Conflict

My static NAT configuration is somehow conflicting with my dynamic NAT configuration. Am I doing something wrong?
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 1 permit 10.18.0.0 0.0.255.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.126.4 20 xx.xx.xx.19 20 extendable
ip nat inside source static tcp 192.168.126.5 25 xx.xx.xx.19 25 extendable
ip nat inside source static tcp 192.168.126.5 80 xx.xx.xx.19 80 extendable
ip nat inside source static tcp 192.168.126.5 443 xx.xx.xx.19 443 extendable
ip nat inside source static tcp 192.168.126.7 3101 xx.xx.xx.19 3101 extendable
ip nat inside source static tcp 192.168.126.4 3389 xx.xx.xx.19 3389 extendable
ip nat inside source static tcp 192.168.126.7 5901 xx.xx.xx.19 5901 extendable
ip nat inside source static tcp 192.168.126.20 25 xx.xx.xx.20 25 extendable
ip nat inside source static tcp 192.168.126.20 80 xx.xx.xx.20 80 extendable
interface GigabitEthernet0/0
description Outside Interface
ip address xx.xx.xx.18 255.255.255.248
ip access-group Incoming in
ip access-group Outgoing out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip mroute-cache
duplex auto
speed auto
ntp disable
no cdp enable
hold-queue 32 in
hold-queue 100 out

Thanks for the help.
I tried modifying the access list as you suggested but ran into problems. The host at 192.168.126.4 is my DNS server and the updates prevented it from forwarding queries to external DNS servers. I think I am running into problems because I don't know general rules for configuring dynamic NAT to accommodate client PCs and static NAT to accommodate servers at the same time. From the issues I am having it seems there are general rules for dividing the two classes of hosts which I just don't know. My external interface has a .18 address which all my client PCs get NAT'ed through and then I have static NAT entries NAT'ing to .19 and .20 for internal services such as DNS, SMTP, HTTP etc. I thought that would divide the two however certain 'things' conflict, such as XBOX Live connections. If I remove my static NAT entries then I can connect to XBOX Live.
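The question above, worked through as an added example (not part of the original thread and not IOS code): a small Python model of the two NAT rule types in the posted configuration. It shows the general rule the poster is asking about: a port-specific static entry matches only its own protocol and port, so everything else from that host (including the DNS server's UDP/53 forwarding) leaves through the overload rule as the .18 interface address, and a dynamic rule never creates a session for a new inbound connection, which is the same point Craig Johnson and Jouni make in the replies further down. The xx.xx.xx.* addresses are replaced with constructed 203.0.113.0/24 stand-ins; the model ignores the existing translation table, the extendable keyword and the XBOX Live behaviour, which the thread does not diagnose.

```python
"""
Simplified model of Cisco IOS inside-source NAT rule selection for the
configuration posted above. Added illustration only: not IOS code and not the
poster's. The masked xx.xx.xx.* addresses are replaced by constructed
203.0.113.0/24 stand-ins (.18 outside interface, .19/.20 static globals).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OUTSIDE_IF_ADDR = "203.0.113.18"  # constructed stand-in for the Gi0/0 address

# Constructed copy of the posted configuration with public addresses substituted.
CONFIG = """\
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 1 permit 10.18.0.0 0.0.255.255
ip nat inside source static tcp 192.168.126.4 20 203.0.113.19 20 extendable
ip nat inside source static tcp 192.168.126.5 25 203.0.113.19 25 extendable
ip nat inside source static tcp 192.168.126.5 80 203.0.113.19 80 extendable
ip nat inside source static tcp 192.168.126.5 443 203.0.113.19 443 extendable
ip nat inside source static tcp 192.168.126.7 3101 203.0.113.19 3101 extendable
ip nat inside source static tcp 192.168.126.4 3389 203.0.113.19 3389 extendable
ip nat inside source static tcp 192.168.126.7 5901 203.0.113.19 5901 extendable
ip nat inside source static tcp 192.168.126.20 25 203.0.113.20 25 extendable
ip nat inside source static tcp 192.168.126.20 80 203.0.113.20 80 extendable
"""

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) (\S+)$")
DYNAMIC_RE = re.compile(r"^ip nat inside source list (\d+) interface \S+ overload$")


@dataclass(frozen=True)
class StaticPat:
    proto: str
    inside_ip: str
    inside_port: int
    global_ip: str
    global_port: int


@dataclass
class NatRules:
    statics: List[StaticPat]
    acls: Dict[str, List[Tuple[int, int]]]  # ACL number -> [(network, wildcard)]
    overload_acl: Optional[str]


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_config(text: str) -> NatRules:
    """Pick out the static port entries, the standard ACL lines and the overload rule."""
    rules = NatRules(statics=[], acls={}, overload_acl=None)
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            rules.statics.append(StaticPat(m[1], m[2], int(m[3]), m[4], int(m[5])))
        elif m := ACL_RE.match(line):
            rules.acls.setdefault(m[1], []).append((ip_int(m[2]), ip_int(m[3])))
        elif m := DYNAMIC_RE.match(line):
            rules.overload_acl = m[1]
    return rules


def acl_permits(rules: NatRules, acl: str, addr: str) -> bool:
    """Standard ACL with wildcard masks: a 1 bit in the wildcard means 'don't care'."""
    ip = ip_int(addr)
    return any(((ip ^ net) & ~wild & 0xFFFFFFFF) == 0 for net, wild in rules.acls.get(acl, []))


def outbound(rules: NatRules, src_ip: str, proto: str, sport: int):
    """Inside-to-outside for a new session. A static entry matches only its own
    protocol and port; anything else from that host falls through to the overload
    rule and leaves as the outside interface address. Returns (global_ip, port, kind),
    or None when nothing matches (IOS forwards such packets untranslated)."""
    for s in rules.statics:
        if (s.proto, s.inside_ip, s.inside_port) == (proto, src_ip, sport):
            return (s.global_ip, s.global_port, "static")
    if rules.overload_acl and acl_permits(rules, rules.overload_acl, src_ip):
        # Real IOS picks the global port from its translation table; the
        # original source port is kept here for readability.
        return (OUTSIDE_IF_ADDR, sport, "dynamic-overload")
    return None


def inbound(rules: NatRules, dst_ip: str, proto: str, dport: int):
    """Outside-to-inside for a new session: only a static entry can create one.
    The overloaded interface address has no inbound mapping of its own, so a new
    connection to it, or to an unmapped port on .19/.20, reaches no inside host."""
    for s in rules.statics:
        if (s.proto, s.global_ip, s.global_port) == (proto, dst_ip, dport):
            return (s.inside_ip, s.inside_port)
    return None


if __name__ == "__main__":
    r = parse_config(CONFIG)
    print(outbound(r, "192.168.126.4", "tcp", 3389))  # static entry -> .19:3389
    print(outbound(r, "192.168.126.4", "udp", 53))    # DNS forwarder leaves as .18
    print(inbound(r, "203.0.113.18", "tcp", 3074))    # None: no static entry on the PAT address
```

Running it shows the split the poster was trying to reason about: the DNS server is reachable inbound only on the TCP ports given static entries, while its own outbound queries are overloaded onto .18 like any client PC, so anything on the outside that keys on the source address sees .18, not .19.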

Similar Messages

  • PcAnywhere and dynamic NAT

    I have Bordermanager 3.51 that uses dynamic NAT on the public interface
    connected to DSL with a static IP address. I have followed TID #
    10024898 " Creating filter exception for PCAnywhere".
    I have double checked settings of the filter exceptions but still cannot
    remote access a internal host using PcAnywhere v 11.0. My question is
    should I be using dynamic NAT or static nat or a static/dynamic nat
    configuration ?
    Thanks,
    Karl

    > In article <HmmFc.236$[email protected]>, wrote:
    > > . My question is
    > > should I be using dynamic NAT or static nat or a static/dynamic nat
    > > configuration ?
    > >
    > If you want inbound pcAW traffic, you have two choices when NAT is
    > involved: static NAT, or generic proxies. (Both are described in my
    > BMgr / Filtering books at the URL below).
    >
    > You will not be able to get to an internal PC with just dynamic NAT
    > enabled. There is no way to route the packets in then.
    >
    > Craig Johnson
    > Novell Support Connection SysOp
    > *** For a current patch list, tips, handy files and books on
    > BorderManager, go to http://www.craigjconsulting.com ***
    Thanks Craig for your direction. I will check out the URL
    Happy 4th !
    >

  • ASA 8.2 - Static NAT and Dynamic NAT Policy together

    Hello community,
    I have the following problem using a ASA with version 8.2.
    1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
    2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
    so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
    PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? Is there a way to do this on ASDM or CLI? (preferably on ASDM)
    Thanks for your reply and help!

  • Static Policy NAT in VPN conflicts with Static NAT

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
    The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
    interface Vlan1
    ip address 192.168.10.1 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
    static (inside,outside) 192.168.24.0 access-list VPN
    crypto map outside_map 1 match address outside_1_cryptomap
    In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
    The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
    So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
    What am I missing?

    Hi,
    To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
    So I am not sure are we looking at some bug or what the problem is.
    I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
    I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
    I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
    access-list STATICPAT-SMTP permit tcp host eq smtp any
    static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
    access-list STATICPAT-HTTPS permit tcp host eq https any
    static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
    access-list STATICPAT-RDP permit tcp host eq 3389 any
    static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
    access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
    static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
    access-list STATICPAT-POP3 permit tcp host eq pop3 any
    static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
    Naturally you would add the Static Policy NAT for the VPN first.
    Again I have to say that I am not 100% sure if this is the correct format; maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389). First entering the Static Policy NAT, then removing the Static PAT and then entering the Static Policy PAT.
    Remember that you should be able to test the translations with the "packet-tracer" command
    For example
    packet-tracer input outside tcp 1.1.1.1 12345
    - Jouni

  • How to configure inbound ruleset in dynamic nat.

    Hi ,
    I have a question about configuring the inbound rules for dynamic NAT. I want to allow my web server (172.16.101.115) to be reachable from outside on tcp/443.
    How do I configure the inbound ruleset to allow the public to connect to my web server with tcp/443 in dynamic NAT?
    Here I have drawn a diagram and some configuration I have configured in my ASA 8.2. Please correct me if I have configured it wrong.
    Public IP: 10.10.10.28
    Private IPs:
    172.16.101.115
    172.16.101.116
    172.16.101.117
    172.16.101.118
    172.16.101.119
    172.16.101.120
    access-list Web_nat permit ip host 172.16.101.115 any
    access-list Web_nat permit ip host 172.16.101.116 any
    access-list Web_nat permit ip host 172.16.101.117 any
    access-list Web_nat permit ip host 172.16.101.118 any
    access-list Web_nat permit ip host 172.16.101.119 any
    access-list Web_nat permit ip host 172.16.101.120 any
    nat (firewall-dmz) 1 access-list Web_nat
    global (firewall-outbound) 1 10.10.10.28
    access-list fw-outbound-access permit tcp any host 10.10.10.28 eq 443 //allow outside connect to my external ip.
    access-list fw-dmz-access permit tcp any host 172.16.101.115 eq 443 //allow my translation ip connect to my webserver with tcp/443.

    Hi,
    I am not sure what you are attempting to configure here.
    But what the NAT configuration above does is a Dynamic PAT for all the servers on the "firewall-dmz" to a single IP address towards the "firewall-outbound".
    This Dynamic translation doesn't however enable connections to be initiated from behind the "firewall-outbound" interface. When you're hosting a server which needs a NAT towards the users then the NAT type has to be Static NAT or Static PAT.
    Static NAT will essentially use up one public IP address for just the single local host/server.
    Static PAT will do a Port Forward from the public IP address and public port to the local IP and local port. And this is most commonly used in environments in which the only public IP address is the one that the ASA holds on its WAN interface.
    A typical Static NAT configuration is this
    static (inside,outside) 1.1.1.1 10.10.10.10 netmask 255.255.255.255
    Where
    inside = is the interface behind which the host is
    outside = is the interface towards which the host is NATed
    1.1.1.1 = is the public NAT IP address for the host
    10.10.10.10 = is the local IP address of the host
    A typical Static PAT configuration is this
    static (inside,outside) tcp interface 80 10.10.10.10 80 netmask 255.255.255.255
    Where
    tcp = specifies the protocol for which the Static PAT is configured
    interface = specifies that we will be using the public IP address of the destination interface "outside" as the public IP address for this single Port Forward.
    80 = first "80" specifies the public port visible to users behind the destination interface
    80 = second "80" specifies the actual local port on which the local host is listening on
    Hope this helps
    - Jouni

  • Dynamic NAT parameters

    Hi,
    I have an application that is unhappy running via dynamic NAT. The app
    developers are asking me if I can turn on sticky sessions in BM's dynamic
    NAT. Are there any options for tuning dynamic NAT in BM that could help?
    Cheers,
    Devon

    I just searched documentation and see that it's 5000 ports for tcp. That
    will be easy to hit. The documentation says that it will just re-use the
    oldest connections in a rolling fashion. I'm wondering whether that's
    working properly or whether something else in the system is keeping the
    state for longer.
    Cheers,
    Devon
    >>> On 9/08/2007 at 11:21, Devon Heaphy<[email protected]>
    wrote:
    > Still testing, but it appears to. Part of the problem is that the
    > application is very chatty and constantly opens new connections instead
    > of
    > using existing ones. I think the reason static NAT appears to work is
    > that
    > there are more source ports available for a given machine to use.
    >
    > Do you know the upper limit of dynamic NAT connections through BM?
    >
    > Cheers,
    > Devon
    >
    >>>> On 7/08/2007 at 4:44, Craig Johnson<[email protected]> wrote:
    >> In article <[email protected]>, Devon Heaphy
    > wrote:
    >>> I have an application that is unhappy running via dynamic NAT. The app
    >>> developers are asking me if I can turn on sticky sessions in BM's
    >> dynamic
    >>> NAT. Are there any options for tuning dynamic NAT in BM that could
    >>> help?
    >>>
    >> No.
    >>
    >> Does it work via static NAT?
    >>
    >> Craig Johnson
    >> Novell Support Connection SysOp
    >> *** For a current patch list, tips, handy files and books on
    >> BorderManager, go to http://www.craigjconsulting.com ***

  • 9.0 can a dynamic nat be used over ipsec vpn?

    9.0 can a dynamic nat be used over ipsec vpn?
    we have a vpn up and working between two asa's and when we run the traffic through a static nat rule the traffic passes over the vpn. When we use a dynamic nat the traffic does not get picked up by the vpn ACL. 
    we are disabling the nat rules to switch back and forth so even when we use the same source destination the result is the same. 
    Am I missing something with 9.0 code versions? If I disable all nats and pass the traffic it goes over the vpn.
    So it seems when using the dynamic nat statement it pushes the traffic to the outside interface without looking at the vpn acl. Please let me know if I am off base I am a newb on post 8.3 code. 
    Thanks

    I didn't do that at first because I remember reading something about in ver 9 to only use the unnatted IP because of order of ops. That seemed weird to me at the time. 
    Yes it seems that you need the nat ip like always. Should have just went with my gut on that. 
    Thanks

  • Help with dynamic NAT and CSM 4.4 and ASA 8.3

    Hello
    I currently try to add a dynamic NAT rule into CSM 4.4 for an ASA 8.3 device, but it fails at deployment with the error message:
    Failed to generate delta config
    The following commands have not been recognized by the Configuration Parser:
    ==========================
    (inside,outside) source dynamic range-192.168.0.0_24 range-100.0.0.1_32 destination static any any
    So let's assume the internal IP range we use for the users is 192.168.0.0/24 and we received the public IP address 100.0.0.1/32 from our ISP.
    How do I have to do a normal dynamic NAT in CSM 4.4 for this case?
    Traffic comes from inside and has to leave the outside with the changed source IP.
    I would really appreciate a screenshot from CSM 4.4 which shows the correctly filled fields.
    Thanks
    Patrick

    Matty
    Not familiar with SIP so can't say for sure about that in terms of ports but some comments -
    1) you don't show other interfaces but presumably the LAN interface(s) has "ip nat inside" enabled
    2) the PBX subnet is 10.1.1.0/24 yet your static NATs are referring to 10.18.21.2 ?
    3) following on from 2) your PBX_SUBNET acl is wrong, it should be -
    ip access-list extended PBX_SUBNET
    permit ip 10.1.1.0 0.0.0.255 any      <-- note the last octet of the wildcard mask is 255.
    Edit - also assuming that any internal subnets not directly connected to the router have routes set up for them so your router knows how to get to them.
    Jon

  • Dynamic NAT (1841 & n00b)

    Hi all. (waiting for TAC support to register me)
    I'm trying to find information on setting up a Dynamic NAT for my 1841 using the SDM. I know how to do the static NATs and they seem to work fine. However, our Japan office would like Dynamic NAT. Where can I find info on how to set this up?
    I have a range of server addresses on my network (E0) from 10.1.10.16 to 10.1.10.40/24. The addressing I have for these on the "outside" (E1) is 172.25.1.16 to 172.25.40/16.
    I tried to set this up, but it seemed that the router duplicated all of my server addresses and my systems weren't happy.
    Thanks for any assistance.
    BC

    OK.
    I had to attach it since it's too long to post.
    Thanks for any insight. The router for the Japan office is 172.25.1.1.

  • Dynamic type conflict during the assignment of references. - Error while generating proxy in the backend

    Hi All,
    I get a short dump while generating a proxy in the backend. I give the package and the prefix and end up with a short dump.
    Does anyone know why this might come up:
    "Dynamic type conflict during the assignment of references."
    Background: I imported a WSDL provided by legacy into PI and created service interfaces, and then when trying to generate a proxy class I get this error.
    Thanks.

    Hi Shyamsundar,
    I will explain a problem that I usually see in some developments:
    XSD originally:          XSD transformed:
    Root                  -> Root
    Tag 1 type int        -> Tag 1 type int
    Tag2 type string      -> Tag2 type string
    Tag3 type any         -> Tag3 type string
    Normally the tag3 should have an XML inside. Then the ABAPers have to construct the tag3 with a CDATA structure (CDATA is used to put more XML tags inside an XML tag like a text, not to be interpreted).
    Later in SAP PI you can extract the cdata with an XSL, you can find some examples in the SCN.
    I don't like to convert the whole XML into only one string tag, because this makes the development difficult for the ABAPers, although the work inside PI is very easy because with an XSL you can extract the whole message easily. (You can find some examples in the SCN)
    Regards.

  • Error Dynamic type conflict when assigning references in EHP4

    Hi Experts,
    We are facing problem while customizing application wizard in EHP4.
    Based on our requirement, we need to create one more tab named "Notes" to add instructions for applicants while applying for Job. It contains only instruction. To achieve this, we have done below set up.
    1. We have created new WD component (WD window), OTR Alias
    2. Created one more additional steps in T77RCF_RM_STEP called "Notes" and maintained step 1 information
    3. In table T77RCF_RM_SEQ, under Application wizard (employee), we have added notes in sequence 1.
    Now our new tab "Notes" is reflecting in application wizard. But while clicking on send application, we are getting error "The following error text was processed in the system GEG : Dynamic type conflict when assigning references".
    Error Details:-
    • The following error text was processed in the system GEG : Dynamic type conflict when assigning references
    • The error occurred on the application server sapgeg_GEG_59 and in the work process 0.
    • The termination type was: RABAX_STATE
    • The ABAP call stack was:
    Can anybody guide what we are doing wrong?
    It would be great help.
    Regards,
    purnima

    Hi Rajasekhar,
    Facing the same issue, can you please let me know how you solved the above issue.
    Best Regards,
    Laxman

  • Dynamic NAT ASA 8.4 Packet Tracer not working

    Hi guys,
    I've tried to ping and go to a site from 192.168.1.6 to 10.10.10.12, but it's not working. I've followed a couple of dynamic NAT tutorials, but I can't figure out what I'm missing. The config is below, and I'd appreciate any help.
    Thanks!
    ASA Version 8.4(2)
    hostname ciscoasa
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.2 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.0.0.0
    object network inside-subnet
    subnet 192.168.1.0 255.255.255.0
    object network inside-subnet
    nat (inside,outside) dynamic interface
    telnet timeout 5
    ssh timeout 5
    dhcpd address 192.168.1.5-192.168.1.35 inside
    dhcpd auto_config outside

    Thanks guys. I'm one step closer. I can ping from 192.168.1.0 to 10.0.0.0, but I can't open a webpage. I try visiting 10.0.0.6/index.html in packet tracer and get a "Request time out" message. I tried to mirror the ACL for www, but it's not working. 
    Does anyone have a suggestion? My updated config is below.
    Thanks!
    ASA Version 8.4(2)
    hostname ciscoasa
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.0.0.1 255.0.0.0
    object network inside-subnet
    subnet 192.168.1.0 255.255.255.0
    object network outside-subnet
    subnet 10.0.0.0 255.0.0.0
    access-list TEST extended permit icmp any any echo-reply
    access-list TEST extended permit tcp any any eq www
    access-list http extended permit tcp any any eq www
    access-list http2 extended permit udp any any eq www
    access-group TEST in interface outside
    object network inside-subnet
    nat (inside,outside) dynamic interface
    telnet timeout 5
    ssh timeout 5
    dhcpd auto_config outside
    dhcpd address 192.168.1.5-192.168.1.35 inside
    dhcpd enable inside

  • Dynamic Type Conflict

    I have a context node called ERROR_MESSAGE, with a single attribute
    called MSG of type BAPI_MSG.
    I encounter an error stating "Dynamic type conflict when assigning references" at the
    following point in my code:
    lo_nd_error_message->bind_elements( error_msgs )
    error_msgs is defined as follows:
    Data: error_messages type standard table of bapi_msg.

    What is the Cardinality of your context node ERROR_MESSAGE?  Make sure that it is 0...n or 1...n.

  • Dump while testing Function- Dynamic type conflict when assigning reference

    Hi Gurus,
    I have the following checked and activated-
    - Function with 1 Ruleset
    - The Ruleset containing couple of DBlookup expressions
    - Value range
    - Decision Table
    - Decision tree,
    - Procedure call
    After I give test data while Simulating the function, I get this dump-
    Short text
        Dynamic type conflict when assigning references
    What happened?
        Error in the ABAP Application Program
        The current ABAP program "CL_FDT_DB_LOOKUP==============CP" had to be
         terminated because it has
        come across a statement that unfortunately cannot be executed.
    Have I missed something? We are on SAPKA70207.

    Hi Carsten,
    I couldn't find an OSS note featuring-
    "MOVE_CAST_ERROR" "CX_SY_MOVE_CAST_ERROR"
    "CL_FDT_DB_LOOKUP==============CP" or "CL_FDT_DB_LOOKUP==============CM01K"
    "BUILD_WHERE_CLAUSE_LIMIT"
    Raised OSS note.

  • RFx Q&A dump SRM 7- Dynamic type conflict when assigning references Q&A

    Hello,
    We are on SRM 7.0 SP05. When adding a question via the Q&A 'chat' functionality on a published RFx the EP shows the following error: 'Dynamic type conflict when assigning references Q&A'.
    Could somebody test if this issue is also occurring on their system?
    Anybody has a clue what's causing this?
    Kind regards,
    Tim

    Hello Jay,
    Loggings show the following:
    15:18:49 DIA  000 100 NLPURCOR                AB  0 Run-time error "MOVE_CAST_ERROR" occurred
    15:18:50 DIA  000 100 NLPURCOR                AB  1 > Short dump "100324 151849 dmzsv719 b_SRM_00 " generated
