Static NAT Command Clarification

Hi all :
From one of existing configuration file, I found there is static NAT command as below :
static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255
whereby the security level in the DMZ is 50 and the subnet is 192.168.50.0/24,while security level at outside is 20 and the subnet is 192.168.20.0/24.
This command actually not causing any hiding of the DMZ IP address, right? I ping from outside to one valid IP of the DMZ network, for example 192.168.50.5, it still can ping.
I do not understand what is the purpose of this command line. Is it a wrong command line?
I then try a standard way of static NAT as below :
static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255
this is for the purpose of hiding 192.168.50.5 at DMZ from outside network.
With the previous command line that is "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255" still around, this DMZ IP of 192.168.50.5 is not hide. I tried to delete away the command "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255", the hiding of 192.168.50.5 is OK because it cannot be ping from outside.
Can anybody confirmed that this command line "static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.255" servered no purpose and actually it is causing problem on other valid static NAT command?
Thanks and best regards,
tangsuan

Ok let me explain,
static (dmz,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
This command is also called "self static", this means if a source 192.168.50.x in subnet DMZ goes to outside world the source IP should be preserve (source ip would remain as 192.168.50.x).
Also if someone from outside world 192.168.20.x tries to access a machine in DMZ 192.168.50.x then it will access the machine using its real IP and not any natted IP. The above static will give you the same results as
nat (dmz) 0 access-list nat_0_acl
access-list nat_0_acl permit ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0
Lets come down to another static now,
static (dmz,outside) 192.168.20.15 192.168.50.5 netmask 255.255.255.255
The above means if a source outside sends a request on 192.168.20.15, firewall will translate it to 192.168.50.5 on DMZ. basically you are hiding the machine xxx.50.5 behind xx.20.5.
Please rate if this helps !

Similar Messages

Static NAT - VPN - Internet Access

Does anyone know how to configure the following?
1. An static NAT from an inside ip address to another inside ip address (not physical subnet).
2. The traffic static Natted at the step 1 need to go into a tunnel VPN and at the same time to have internet access.
My router just have two interfaces a WAN and a LAN.
I just created the VPN, the static NAT and the PAT for other users of the subnet to have internet access, but the traffic static Natted just goes over the ipsec tunnel but cannot have internet access.
I tried to apply a route map after the static nat command but since i do not have a physical interface in the same subnet were i am translating the route-map is not applied to the static nat command.
in an extract:
LAN traffic (specific server) --->> static nat to inside not real subnet --->> traffic goes over Tunnel (OK), but no internet access.
BTW. I need to configure the nat before de ipsec tunnel because both lan subnets of the ipsec tunnel endpoint are the same.

Why do you need an inside host to be natted to another inside IP address?
You need to configure a "no nat" policy, for the internet traffic.

Command to see host and static nat for the same object together

I have researched this but cannot find an answer. ASA running version 8.5.
When you create the config using object NAT you enter the commands as follows
object network <object name>
   host x.x.x.x
   nat (inside,outside) static y.y.y.y
When the config is displayed it separates the host and nat commands in two different sections of the config as follows
object network <object name>
   host x.x.x.x
object network <object name>
   nat (inside,outside) static y.y.y.y
Is there a command that will display it all together (like it was typed in)? Show NAT is something like what I am after but without all of the extra info such as translate_hits, untranslate_hits etc. I need this information but cleaning up the output of a show nat is going to be tough.
Any suggestions?
Thanks.

Sorry, show nat detail is what I meant in the original post in place of show nat.   Show nat detail still has all of the extra info I was trying to avoid. Guess I will be editing a text file.
Thanks for the reply.

Static NAT Pre 8.3 ASA no untranlate hits

Hello all---
Having an issue w a pre 8.3 ASA static NAT.   The intention is to static nat an antivirus server hanging off our DMZ interface on the ASA- that address being 192.168.255.2….. to one of our public IP address (for the sake of this forum) 44.44.44.44. The ASA DMZ interface is 192.168.255.1.
I’ve configured the static NAT rule and the access ACLs on both the outside interface and dmz interface. For the sake of testing, I used just IP as the service –will restrict it later w the correct service ports once I know it’s working- and for now just have a windows laptop acting as the server for testing.
What I’m seeing is incrementing translate hits, but no untranslated hits at all when performing the command:   show nat dmz outside 192.168.255.2 255.255.255.255
match ip dmz host 192.168.255.2 outside any
    static translation to 44.44.44.44
    translate_hits = 549, untranslate_hits = 0
match ip dmz any outside any
    no translation group, implicit deny
    policy_hits = 170905
Also, I see no hits at all on the acl for the outside interface when trying to do a ping or telnet to ports running on the laptop\server.
So, it’s obviously translating out- to the public, but not from the public in to the private. Almost like it’s not reaching that public IP. We have other publics we translate to for other services…..with no issue
Here’s the pertinent lines – pretty simple at this point.
Outside Interface ACL
access-list acl_out line 48 extended permit ip any host 44.44.44.44
DMZ interface ACL
access-list dmz_access_in line 3 extended permit ip any any
NAT Statement on DMZ interface
static (dmz,outside) 44.44.44.44 192.168.255.2 netmask 255.255.255.255
Any help or clarification is appreciated……   thanks   Dennis…

Try seeing what the ASA is doing with the return traffic using packet tracer utility as follows:
packet-tracer input outside tcp 8.8.8.8 1025 44.44.44.44 23
...substituting the actual public NAT address for the 44.44.44.44 of course. (If you were using 8.3+ you would specify the real end host IP address.)
Here's a link to the command reference for more details.

Static NAT to two servers using same port

I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
Any help would be very much appreciated.
Thanks,
- Mike

Hi,
Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port is coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain is this a stable solution. I would imagine it could not be recomended for a production environment setup.
But nevertheless its a possibility.
So you would need the newer software on your firewall but I am not sure what devce you are using and what software its using.
- Jouni

NAT issue - (over same link) static-NAT works but PAT (for rest of hosts) does not !

Hello fellow engineers!
I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make-out what the problem is…
Scenario description:
2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-int’f (router-on-a-stick is implemented).   The router has two other WAN (Internet) connections via a Satelite link and a MetroEthernet link.   These two are terminated on the switch on intf’s at the appropriate VLAN’s.   At attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks.   The aDSL and Metro links have an 8-IP public set, each.
Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used.    VLAN/subnet (all /24) pairs are:
VLAN 11 -> 10.0.1.x
VLAN 12 -> 10.0.2.x
VLAN 13 -> 10.0.3.x
VLAN 71 -> 192.168.17.x
VLAN 204 -> 172.16.204.x
and – last but not least ! – VLAN 10 -> 10.0.0.x
All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).
Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected.   So does the PAT for hosts of all other VLAN’s (11, 12, 13, …).   The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !
What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests !   Nothing else !   To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !
Could pls someone spot what I’m missing !!
To help you I also attach the router config and some command outputs…
All help is appreciated.
Thanx
Costas

That last PBR statement
(route-map 10.0.0.X_hosts_PBR permit 70
description *** rest of 10.0.0.x net --> Oxygen ***
match ip address rest_of_10.0.0.x
set ip next-hop 212.251.64.153)
was not there in the first place - I got it there assuming it would help but it didn't.   Actually - as mentioned - it does not get any hits !
(route-map 10.0.0.X_hosts_PBR, permit, sequence 255
Match clauses:
    ip address (access-lists): rest_of_10.0.0.x
Set clauses:
    ip next-hop 212.251.64.153
Policy routing matches: 0 packets, 0 bytes)

Static NAT causes unable to access server via internal IP

Hi all,
Need some help. I running site-to-site IPsec VPN in Cisco 2811 IOS 12.4 both site. Here I encounter a problem to access server on Site A from Site B
Site A having Leased Line connected to router with Public IP. I have done static mapping 1 web server to Public IP (NAT). This to allow external users to access the server via Public IP. At the same time, users at Site B would need to access to same server via Internal IP since they have Site-to-Site VPN established. But once I done Static Mapping (NAT), user at Site B unable to access the server at Site A using its internal IP. But external user can access server via Public IP. What went wrong here. Do i need to add extra command to get this done? We really need this.

Hi sheik,
I'm accessing the server form Site B using its server's LAN IP.
If I remove the static NAT statement from my router at Site A, everything works well. I can access the server from site B using its LAN IP via Site-to-Site VPN. But in this case, external users unable to access server via Public IP since no Static NAT statement.

MS NLB with ASA and Static NAT from PUP to NLB IP

Hi all,
I am trying to get MS NLB up and running. It is almost all working. Below is my physical setup.
ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
I have two VMs runing on two different ESXi hosts. They have two vNICs. One for managment and one for inside puplic subnet. The inside puplic subnet NICs are in the NLB cluster. The inside public subnet is NATed on the ASA to a outide public IP.
192.168.0.50 is the 1st VM
192.168.0.51 is the 2nd VM
192.168.0.52 is the cluster IP for heartbeat
192.168.0.53 is the cluster IP for NLB traffic.
0100.5e7f.0035 is the cluster MAC.
The NLB cluster is using MULTICAST
I have read the doumentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC.
For the ASA I found
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
ASDM
Configuration > Device Management > Advanced > ARP > ARP Static Table
I was able to add my stic ARP just fine.
However, the next step was to enable ARP inspection.
Configuration > Device Management > Advanced > ARP > ARP Inspection
My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.
For the CAT Switch I found
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
I added the both the ARP and Static MAC. For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
On the ASA I added a static NAT for my outside Public IP to my inside pupblic NLB IP and vise versa. I then added a DNS entry for our domain to point to the outside public IP. I also added it to the public servers section allowing all IP traffic testing puproses.
At any rate the MS NLB is working ok. I can ping both the Public IP and the Inside NLB IP just fine from the outside. (I can ping the inside NLB IP becuase I'm on a VPN with access to my inside subnets) The problem is when I go to access a webpade from my NLB servers using the DNS or the Public IP I get a "This Page Can't Be Displyed" messgae. Now while on the VPN if I use the same URL but insied use the NLB IP and not the Public IP it works fine.
So I think there is soemthing wrong with the NATing of the Public to NLB IP even tho I can ping it fine. Below is my ASA Config. I have bolded the parts of Interest.
Result of the command: "show run"
: Saved
ASA Version 8.4(4)9
hostname MP-ASA-1
enable password ac3wyUYtitklff6l encrypted
passwd ac3wyUYtitklff6l encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 198.XX.XX.82 255.255.255.240
interface Ethernet0/1
description Root Inside Interface No Vlan
speed 1000
duplex full
nameif Port-1-GI-Inside-Native
security-level 100
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1.2
description Managment LAN 1 for Inside Networks
vlan 2
nameif MGMT-1
security-level 100
ip address 192.168.180.1 255.255.255.0
interface Ethernet0/1.3
description Managment LAN 2 for Inside Networks
vlan 3
nameif MGMT-2
security-level 100
ip address 192.168.181.1 255.255.255.0
interface Ethernet0/1.100
description Development Pubilc Network 1
vlan 100
nameif DEV-PUB-1
security-level 50
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1.101
description Development Pubilc Network 2
vlan 101
nameif DEV-PUB-2
security-level 50
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/1.102
description Suncor Pubilc Network 1
vlan 102
nameif SUNCOR-PUB-1
security-level 49
ip address 192.168.3.1 255.255.255.0
interface Ethernet0/1.103
description Suncor Pubilc Network 2
vlan 103
nameif SUNCOR-PUB-2
security-level 49
ip address 192.168.4.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa844-9-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-Native-Network-PNAT
subnet 10.1.1.0 255.255.255.0
description Root Inisde Native Interface Network with PNAT
object network ASA-Outside-IP
host 198.XX.XX.82
description The primary IP of the ASA
object network Inside-Native-Network
subnet 10.1.1.0 255.255.255.0
description Root Inisde Native Interface Network
object network VPN-POOL-PNAT
subnet 192.168.100.0 255.255.255.0
description VPN Pool NAT for Inside
object network DEV-PUP-1-Network
subnet 192.168.0.0 255.255.255.0
description DEV-PUP-1 Network
object network DEV-PUP-2-Network
subnet 192.168.2.0 255.255.255.0
description DEV-PUP-2 Network
object network MGMT-1-Network
subnet 192.168.180.0 255.255.255.0
description MGMT-1 Network
object network MGMT-2-Network
subnet 192.168.181.0 255.255.255.0
description MGMT-2 Network
object network SUNCOR-PUP-1-Network
subnet 192.168.3.0 255.255.255.0
description SUNCOR-PUP-1 Network
object network SUNCOR-PUP-2-Network
subnet 192.168.4.0 255.255.255.0
description SUNCOR-PUP-2 Network
object network DEV-PUB-1-Network-PNAT
subnet 192.168.0.0 255.255.255.0
description DEV-PUB-1-Network with PNAT
object network DEV-PUB-2-Network-PNAT
subnet 192.168.2.0 255.255.255.0
description DEV-PUB-2-Network with PNAT
object network MGMT-1-Network-PNAT
subnet 192.168.180.0 255.255.255.0
description MGMT-1-Network with PNAT
object network MGMT-2-Network-PNAT
subnet 192.168.181.0 255.255.255.0
description MGMT-2-Network with PNAT
object network SUNCOR-PUB-1-Network-PNAT
subnet 192.168.3.0 255.255.255.0
description SUNCOR-PUB-1-Network with PNAT
object network SUNCOR-PUB-2-Network-PNAT
subnet 192.168.4.0 255.255.255.0
description SUNCOR-PUB-2-Network with PNAT
object network DEV-APP-1-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network DEV-APP-2-SNAT
host 192.168.2.120
description DEV-APP-2 Server with SNAT
object network DEV-APP-2-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network DEV-SQL-1
host 192.168.0.110
description DEV-SQL-1 Inside Server IP
object network DEV-SQL-2
host 192.168.2.110
description DEV-SQL-2 Inside Server IP
object network SUCNOR-APP-1-PUB
host 198.XX.XX.XX
description SUNCOR-APP-1 Public Server IP
object network SUNCOR-APP-2-SNAT
host 192.168.4.120
description SUNCOR-APP-2 Server with SNAT
object network SUNCOR-APP-2-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network SUNCOR-SQL-1
host 192.168.3.110
description SUNCOR-SQL-1 Inside Server IP
object network SUNCOR-SQL-2
host 192.168.4.110
description SUNCOR-SQL-2 Inside Server IP
object network DEV-APP-1-SNAT
host 192.168.0.120
description DEV-APP-1 Network with SNAT
object network SUNCOR-APP-1-SNAT
host 192.168.3.120
description SUNCOR-APP-1 Network with SNAT
object network PDX-LAN
subnet 192.168.1.0 255.255.255.0
description PDX-LAN for S2S VPN
object network PDX-Sonicwall
host XX.XX.XX.XX
object network LOGI-NLB--SNAT
host 192.168.0.53
description Logi NLB with SNAT
object network LOGI-PUP-IP
host 198.XX.XX.87
description Public IP of LOGI server for NLB
object network LOGI-NLB-IP
host 192.168.0.53
description LOGI NLB IP
object network LOGI-PUP-SNAT-NLB
host 198.XX.XX.87
description LOGI Pup with SNAT to NLB
object-group network vpn-inside
description All inside accessible networks
object-group network VPN-Inside-Networks
description All Inside Nets for Remote VPN Access
network-object object Inside-Native-Network
network-object object DEV-PUP-1-Network
network-object object DEV-PUP-2-Network
network-object object MGMT-1-Network
network-object object MGMT-2-Network
network-object object SUNCOR-PUP-1-Network
network-object object SUNCOR-PUP-2-Network
access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
access-list outside_access_out remark Block ping to out networks
access-list outside_access_out extended deny icmp any any inactive
access-list outside_access_out remark Allow all traffic from inside to outside networks
access-list outside_access_out extended permit ip any any
access-list outside_access extended permit ip any object LOGI-NLB--SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
access-list outside_access extended permit ip any object DEV-APP-2-SNAT
access-list outside_access extended permit ip any object DEV-APP-1-SNAT
access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
pager lines 24
logging asdm informational
mtu outside 1500
mtu Port-1-GI-Inside-Native 1500
mtu MGMT-1 1500
mtu MGMT-2 1500
mtu DEV-PUB-1 1500
mtu DEV-PUB-2 1500
mtu SUNCOR-PUB-1 1500
mtu SUNCOR-PUB-2 1500
mtu management 1500
ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any Port-1-GI-Inside-Native
icmp permit any MGMT-1
icmp permit any MGMT-2
icmp permit any DEV-PUB-1
icmp permit any DEV-PUB-2
icmp permit any SUNCOR-PUB-1
icmp permit any SUNCOR-PUB-2
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
arp timeout 14400
no arp permit-nonconnected
nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
object network Inside-Native-Network-PNAT
nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network VPN-POOL-PNAT
nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network DEV-PUB-1-Network-PNAT
nat (DEV-PUB-1,outside) dynamic interface
object network DEV-PUB-2-Network-PNAT
nat (DEV-PUB-2,outside) dynamic interface
object network MGMT-1-Network-PNAT
nat (MGMT-1,outside) dynamic interface
object network MGMT-2-Network-PNAT
nat (MGMT-2,outside) dynamic interface
object network SUNCOR-PUB-1-Network-PNAT
nat (SUNCOR-PUB-1,outside) dynamic interface
object network SUNCOR-PUB-2-Network-PNAT
nat (SUNCOR-PUB-2,outside) dynamic interface
object network DEV-APP-2-SNAT
nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
object network SUNCOR-APP-2-SNAT
nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
object network DEV-APP-1-SNAT
nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
object network SUNCOR-APP-1-SNAT
nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
object network LOGI-NLB--SNAT
nat (DEV-PUB-1,outside) static LOGI-PUP-IP
object network LOGI-PUP-SNAT-NLB
nat (outside,DEV-PUB-1) static LOGI-NLB-IP
access-group outside_access in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 outside
http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
http 192.168.180.0 255.255.255.0 MGMT-1
http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
: end
Any help would be great! I think the issue is in teh NAT as I am able to access NLB IP from the outside and could not do that before adding the Static ARP stuff.
Thanks,
Chris

Also If I change to NAT from the public IP to the NLB IP to use either one of the phsyical IPs of the NLB cluster (192.168.0.50 or 51) it works fine when using the public IP. So it's definatly an issue when NATing the VIP of NLB cluster.
Chris

STATIC NAT

Hi,
I am facing a problem in static nat. I am having a 1760 router with 12.3(6) version of ios. i have configured a static nat using the command
Ip nat inside source static x.x.x b.b.b.b
All of a sudden the nat was not happening. i have enabled the debug ip nat detailed command. and found out that the ip is getting natted.But i was not able to see any return traffic coming to the natted ip.
But if i use a PAT (e.g) ip nat inside source list 1 serial0/0 overload command nat is working fine without any problem.
If i use a nat pool also it is not working. Only overload option is working.
What could be the reason for this behavior. How do we solve this.
Krishna.

HI,
I am using a public address in my nat pool.
i am using two nat statement.
ip nat inside source static 192.168.10.15 x.x.x.y
ip nat inside source static 192.168.10.20 x.x.x.z
where x.x.x.y and x.x.x.z is the public address
int fa0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
int fa0/1
description **** connected to isp ******
ip address x.x.x.u 255.255.255.248
ip nat ouside
Regards
Krishna.

L2TP over IPSEC Static NAT trouble

I have a 5510 that i have configured for L2TP over IPSEC, not using AnyConnect. As of right now i have two open issues that i cannot figure out. The first, and most prevelant being, VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface. I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts.
The second issue involves DNS. I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS. What is the workaround for using split tunneling AND internal DNS servers, if any?
I'm looking for any help someone might be able to give as i've had two different CCNA's look at this numerous times to no avail. The config is below.
To sum up, and put this in perspective i need to be able to do the following...
VPN CLIENT (10.1.50.x) -> splitTunnel -> int G0/2 (COMCAST_PUBLIC) -> int G0/3(outside)(10.1.4.x) -> STATIC NAT from G0/0(inside)(10.103.x.x) -> NAT (10.1.4.x)
A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd. You can see in the config where i added the extra STATIC NAT to try and fix the issue. And this works perfectly across the tunnel but only intermittenly from the internal 10.1.4.x network.
As well as any help with DNS. Please advise, thank you.
-tony
: Saved
ASA Version 8.2(1)
hostname fw-01
enable password HOB2xUbkoBliqazl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.103.6.0 K2CONT description K2 Control Network
name 10.103.5.0 K2FTP description K2 FTP Network
name 10.103.1.0 NET description Internal Network Core Subnet
name 10.1.4.0 WBND description WBND Business Network
name 178.3.200.173 WCIU-INEWS0 description WCIU iNEWS Server
name 178.3.200.174 WCIU-INEWS1 description WCIU iNEWS Server
name 10.103.2.50 ENG-PC description Engineering PC
name 10.103.2.56 NAV-PC description Navigator PC
name 10.103.2.77 PF-SVR-01 description Pathfire Server 01
name 69.55.236.230 RTISVR description "Rootlike Technologies, Inc. Server"
name 69.55.236.228 RTISVR1 description "Rootlike Technologies, Inc. Server"
name 10.103.2.0 GEN-NET description General Broadcast Network
name 10.103.4.0 INEWS-NET description INEWS Network
name 10.103.4.84 INEWS0 description WBND iNEWS Server 0
name 10.103.4.85 INEWS1 description WBND iNEWS Server 1
name 10.103.3.0 TELE-NET description TELEMETRICS Network
name 10.1.4.22 NAT-INEWS0 description "Public NAT address of iNEWS server 0"
name 10.1.4.23 NAT-INEWS1 description "Public NAT address of iNEWS server 1"
name 10.1.4.20 NAT-K2-FTP0 description "Public NAT address of K2 FTP Server 0"
name 10.1.4.21 NAT-K2-FTP1 description "Public NAT address of K2 FTP Server 0"
name 10.103.4.80 MOSGW description "MOS Gateway."
name 10.1.4.24 NAT-MOSGW description "Public NAT address of MOS Gateway."
name 10.103.2.74 PF-DUB-01 description PathFire Dub Workstation
name 209.118.74.10 PF-EXT-0 description PF External Server 0
name 209.118.74.19 PF-EXT-1 description PF External Server 1
name 209.118.74.26 PF-EXT-2 description PF External Server 2
name 209.118.74.80 PF-EXT-3 description PF External Server 3
name 10.103.4.37 PIXPWR description Pixel Power System 0
name 10.1.4.26 NAT-PIXPWR description "Public NAT address of PixelPower System 0"
name 10.103.4.121 ignite
name 10.103.3.89 telemetrics
name 10.1.4.50 vpn_3000
name 10.103.5.4 K2-FTP0 description K2 FTP Server 0
name 10.103.5.5 K2-FTP1 description K2 FTP Server 1
name 10.1.4.40 NAT-ENG-PC description Engineering HP
name 10.103.2.107 ENG-NAS description ENG-NAS-6TB
name 10.1.1.0 WCIU description WCIU
name 178.3.200.0 WCIU_Broadcast description WCIU_Broadcast
name 10.2.1.0 A-10.2.1.0 description WCIU 2
name 10.1.50.0 VPN-POOL description VPN ACCESS
interface Ethernet0/0
description "Internal Network 10.103.1.0/24"
nameif inside
security-level 100
ip address 10.103.1.1 255.255.255.0
interface Ethernet0/1
shutdown
no nameif
security-level 0
no ip address
interface Ethernet0/2
nameif COMCAST_PUBLIC
security-level 0
ip address 173.161.x.x 255.255.255.240
interface Ethernet0/3
description "WBND Business Network 10.1.4.0/24"
nameif outside
security-level 0
ip address 10.1.4.8 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone Indiana -4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP-OK
description "ICMP types we want to permit."
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
icmp-object time-exceeded
object-group network INTERNAL-ALL
description "All internal networks."
network-object NET 255.255.255.0
network-object GEN-NET 255.255.255.0
network-object TELE-NET 255.255.255.0
network-object INEWS-NET 255.255.255.0
network-object K2FTP 255.255.255.0
network-object K2CONT 255.255.255.0
object-group service W3C
description "HTTP/S"
service-object tcp eq www
service-object tcp eq https
object-group service FTP-ALL
description "FTP Active/Passive."
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group service INEWS-CLI
description "Ports required for INEWS client/server communications."
service-object tcp eq telnet
service-object tcp eq login
service-object tcp eq 600
service-object tcp eq 49153
service-object tcp eq 49152
service-object tcp-udp eq 1020
service-object tcp-udp eq 1019
group-object W3C
group-object FTP-ALL
service-object tcp eq ssh
service-object tcp-udp eq 1034
service-object tcp-udp eq 1035
object-group service NET-BASE
description "Base network services required by all."
service-object tcp-udp eq 123
service-object udp eq domain
object-group network INEWS-SVR
description "iNEWS Servers."
network-object INEWS0 255.255.255.255
network-object INEWS1 255.255.255.255
object-group network WCIU-INEWS
description "iNEWS Servers at WCIU."
network-object WCIU-INEWS0 255.255.255.255
network-object WCIU-INEWS1 255.255.255.255
object-group network K2-FTP
description "K2 Servers"
network-object host K2-FTP0
network-object host K2-FTP1
object-group network PF-SYS
description Internal PathFire Systems
network-object host PF-DUB-01
network-object host PF-SVR-01
object-group network INET-ALLOWED
description "Hosts that are allowed Internet access (HTTP/FTP) and a few other basic protocols.
network-object host ENG-PC
network-object host NAV-PC
network-object host PF-SVR-01
group-object INEWS-SVR
group-object K2-FTP
group-object PF-SYS
network-object host PIXPWR
network-object K2CONT 255.255.255.0
object-group service GoToAssist
description "Port required for Citrix GoToAssist remote support sessions (along with HTTP/S)"
service-object tcp eq 8200
object-group service DM_INLINE_SERVICE_1
group-object FTP-ALL
group-object W3C
service-object tcp eq ssh
service-object tcp eq telnet
group-object GoToAssist
object-group network RTI
network-object host RTISVR1
network-object host RTISVR
object-group network NAT-K2-SVR
description "Public NAT addresses of K2 Servers."
network-object host NAT-K2-FTP0
network-object host NAT-K2-FTP1
object-group network NAT-INEWS-SVR
description "Public NAT addresses of iNEWS servers."
network-object host NAT-INEWS0
network-object host NAT-INEWS1
object-group service INEWS-SVCS
description "Ports required for iNEWS inter-server communication.
group-object INEWS-CLI
service-object tcp eq 1022
service-object tcp eq 1023
service-object tcp eq 2048
service-object tcp eq 698
service-object tcp eq 699
object-group service MOS
description "Ports used for MOS Gateway Services."
service-object tcp eq 10540
service-object tcp eq 10541
service-object tcp eq 6826
service-object tcp eq 10591
object-group network DM_INLINE_NETWORK_1
network-object host WCIU-INEWS0
network-object host WCIU-INEWS1
object-group network DM_INLINE_NETWORK_2
network-object GEN-NET 255.255.255.0
network-object INEWS-NET 255.255.255.0
object-group network PF-Svrs
description External PathfFire Servers
network-object host PF-EXT-0
network-object host PF-EXT-1
network-object host PF-EXT-2
network-object host PF-EXT-3
object-group service PF
description PathFire Services
group-object FTP-ALL
service-object tcp eq 1901
service-object tcp eq 24999
service-object udp range 6652 6654
service-object udp range 6680 6691
object-group service GVG-SDB
description "Ports required by GVG SDB Client/Server Communication."
service-object tcp eq 2000
service-object tcp eq 2001
service-object tcp eq 3000
service-object tcp eq 3001
object-group service MS-SVCS
description "Ports required for Microsoft networking."
service-object tcp-udp eq 135
service-object tcp eq 445
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq 3268
service-object tcp eq 3269
service-object tcp-udp eq cifs
service-object tcp-udp eq domain
service-object tcp-udp eq kerberos
service-object tcp eq netbios-ssn
service-object udp eq kerberos
service-object udp eq netbios-ns
service-object tcp-udp eq 139
service-object udp eq netbios-dgm
service-object tcp eq cifs
service-object tcp eq kerberos
service-object udp eq cifs
service-object udp eq domain
service-object udp eq ntp
object-group service DM_INLINE_SERVICE_2
group-object MS-SVCS
group-object NET-BASE
group-object GVG-SDB
group-object W3C
object-group service DM_INLINE_SERVICE_3
group-object GVG-SDB
group-object MS-SVCS
group-object W3C
object-group service PIXEL-PWR
description "Pixel Power Services"
service-object tcp-udp eq 10250
object-group service DM_INLINE_SERVICE_4
group-object FTP-ALL
group-object GoToAssist
group-object NET-BASE
group-object PIXEL-PWR
group-object W3C
group-object MS-SVCS
service-object ip
object-group service DM_INLINE_SERVICE_5
group-object MS-SVCS
group-object NET-BASE
group-object PIXEL-PWR
group-object W3C
object-group service IG-TELE tcp-udp
port-object range 2500 49501
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host ENG-PC
network-object host NAT-ENG-PC
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object icmp
object-group network DM_INLINE_NETWORK_4
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object WCIU_Broadcast 255.255.255.0
object-group network il2k_test
network-object 207.32.225.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_8
service-object ip
group-object INEWS-CLI
service-object icmp
service-object udp
object-group service DM_INLINE_SERVICE_6
service-object ip
group-object MS-SVCS
object-group network DM_INLINE_NETWORK_5
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp
service-object udp
group-object INEWS-CLI
object-group network DM_INLINE_NETWORK_9
network-object host NAT-INEWS0
network-object host INEWS0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group network VPN-POOL
description "IP range assigned to dial-up IPSec VPN."
network-object VPN-POOL 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object WBND 255.255.255.0
network-object WCIU_Broadcast 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
network-object WCIU 255.255.255.0
network-object VPN-POOL 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object WBND 255.255.255.0
network-object VPN-POOL 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
network-object WCIU 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object TELE-NET 255.255.255.0
network-object host ignite
access-list inbound extended permit object-group DM_INLINE_SERVICE_5 any host NAT-PIXPWR
access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP1
access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP0
access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS1
access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS0
access-list inbound extended permit object-group INEWS-SVCS object-group DM_INLINE_NETWORK_1 object-group NAT-INEWS-SVR
access-list inbound extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_5 host NAT-INEWS1
access-list inbound extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
access-list inbound extended permit object-group MOS WBND 255.255.255.0 host NAT-MOSGW
access-list inbound extended permit icmp WBND 255.255.255.0 K2FTP 255.255.255.0 object-group ICMP-OK
access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 object-group NAT-K2-SVR
access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 K2FTP 255.255.255.0
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
access-list inbound extended permit icmp any any object-group ICMP-OK
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_1 host ignite host telemetrics
access-list inbound extended permit object-group MS-SVCS any WBND 255.255.255.0
access-list inbound extended permit ip any any
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 WBND 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list inbound extended permit object-group MS-SVCS any any
access-list inbound extended permit object-group INEWS-CLI WBND 255.255.255.0 object-group NAT-INEWS-SVR
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_3 any WBND 255.255.255.0
access-list inbound extended permit ip any 173.161.x.x 255.255.255.240
access-list inbound extended permit ip any 207.32.225.0 255.255.255.0
access-list inbound extended permit ip WBND 255.255.255.0 host 70.194.x.x
access-list outbound extended deny ip object-group DM_INLINE_NETWORK_10 any
access-list outbound extended permit object-group DM_INLINE_SERVICE_4 host PIXPWR any
access-list outbound extended permit object-group INEWS-SVCS object-group INEWS-SVR object-group WCIU-INEWS
access-list outbound extended permit object-group INEWS-CLI object-group DM_INLINE_NETWORK_2 object-group WCIU-INEWS
access-list outbound extended permit object-group DM_INLINE_SERVICE_1 object-group INET-ALLOWED any
access-list outbound extended permit object-group NET-BASE object-group INTERNAL-ALL any
access-list outbound extended permit icmp any any object-group ICMP-OK
access-list outbound extended permit ip GEN-NET 255.255.255.0 any
access-list outbound extended permit ip host ignite host telemetrics
access-list outbound extended permit ip host NAV-PC host 10.103.2.18
access-list outbound extended permit ip any GEN-NET 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WBND 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit VPN-POOL 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU_Broadcast 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit A-10.2.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.200.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip NET 255.255.255.0 object-group INTERNAL-ALL
access-list COMCAST_access_in extended permit ip any any
access-list COMCAST_PUBLIC_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging monitor notifications
logging buffered notifications
logging asdm notifications
mtu inside 1500
mtu COMCAST_PUBLIC 1500
mtu outside 1500
mtu management 1500
ip local pool VPN-POOL 10.1.50.1-10.1.50.254 mask 255.255.255.0
ipv6 access-list inside_access_ipv6_in deny ip any any
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in deny ip any any
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any COMCAST_PUBLIC
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
no asdm history enable
arp timeout 14400
global (COMCAST_PUBLIC) 1 173.161.x.x
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) NAT-K2-FTP0 K2-FTP0 netmask 255.255.255.255 dns
static (inside,outside) NAT-K2-FTP1 K2-FTP1 netmask 255.255.255.255 dns
static (inside,outside) NAT-INEWS0 INEWS0 netmask 255.255.255.255 dns
static (inside,outside) NAT-INEWS1 INEWS1 netmask 255.255.255.255 dns
static (inside,outside) NAT-MOSGW MOSGW netmask 255.255.255.255 dns
static (inside,outside) NAT-PIXPWR PIXPWR netmask 255.255.255.255 dns
static (inside,outside) NAT-ENG-PC ENG-PC netmask 255.255.255.255 dns
static (inside,COMCAST_PUBLIC) 10.1.4.39 ENG-NAS netmask 255.255.255.255 dns
access-group outbound in interface inside per-user-override
access-group inside_access_ipv6_in in interface inside per-user-override
access-group outbound in interface COMCAST_PUBLIC
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
route COMCAST_PUBLIC 0.0.0.0 0.0.0.0 173.161.x.x 1
route outside 0.0.0.0 0.0.0.0 10.1.4.1 100
route outside WCIU 255.255.255.0 10.1.4.11 1
route outside A-10.2.1.0 255.255.255.0 10.1.4.1 1
route inside 10.11.1.0 255.255.255.0 10.103.1.73 1
route inside GEN-NET 255.255.255.0 10.103.1.2 1
route inside TELE-NET 255.255.255.0 10.103.1.2 1
route inside INEWS-NET 255.255.255.0 10.103.1.2 1
route inside K2FTP 255.255.255.0 10.103.1.62 1
route inside K2CONT 255.255.255.0 10.103.1.62 1
route outside WCIU_Broadcast 255.255.255.0 10.1.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DOMCON protocol radius
accounting-mode simultaneous
aaa-server DOMCON (outside) host 10.1.4.17
timeout 5
key Tr3at!Ne
acl-netmask-convert auto-detect
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http NET 255.255.255.0 inside
http GEN-NET 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set il2k-trans esp-aes-256 esp-sha-hmac
crypto ipsec transform-set il2k-transform-set esp-3des esp-sha-hmac
crypto ipsec transform-set il2k-transform-set mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set peer WBND
crypto dynamic-map dyno 10 set transform-set il2k-transform-set il2k-trans
crypto map VPN 10 ipsec-isakmp dynamic dyno
crypto map VPN interface COMCAST_PUBLIC
crypto map VPN interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable COMCAST_PUBLIC
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet timeout 5
ssh scopy enable
ssh NET 255.255.255.0 inside
ssh GEN-NET 255.255.255.0 inside
ssh VPN-POOL 255.255.255.0 COMCAST_PUBLIC
ssh 10.103.1.224 255.255.255.240 outside
ssh WBND 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 20
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.103.2.52 source inside prefer
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.1.4.17 10.1.1.21
vpn-tunnel-protocol l2tp-ipsec
ipsec-udp enable
group-policy DfltGrpPolicy attributes
dns-server value 10.1.4.17 10.1.1.21
vpn-simultaneous-logins 100
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value MAINSERV
intercept-dhcp enable
address-pools value VPN-POOL
group-policy il2k internal
group-policy il2k attributes
dns-server value 10.1.4.17
vpn-tunnel-protocol l2tp-ipsec
ipsec-udp enable
username DefaultRAGroup password F1C2vupePix5SQn3t9BAZg== nt-encrypted
username tsimons password F1C2vupePix5SQn3t9BAZg== nt-encrypted privilege 15
username interlink password 4QnXXKO..Ry/9yKL encrypted
username iphone password TQrRGN4aXV4OVyavS5T/Ow== nt-encrypted
username iphone attributes
service-type remote-access
username hriczo password OSruMCto90cxZoWxHllC5A== nt-encrypted
username hriczo attributes
service-type remote-access
username cheighway password LqxYepmj5N6LE2zMU+CuPA== nt-encrypted privilege 15
username cheighway attributes
vpn-group-policy il2k
service-type admin
username jason password D8PHWEPGhNLOBxNHo0nQmQ== nt-encrypted
username roscor password jLkgabJ1qUf3hXax encrypted
username roscor attributes
service-type admin
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL
authentication-server-group DOMCON LOCAL
authentication-server-group (outside) LOCAL
authentication-server-group (inside) LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b7c375a2b09feacdf760d10092cf73f
: end

No one? I'd be happy to provide any more info if someone needs it, i'm just looking for some sort of direction. I did almost this whole config by myself and i'm completely self-taught Cisco, so weird things like this really through me.
Please help. Thank you

H323 static Nat doesn't work fine on 3900 series router with IOS 15.2(3) T

Hi,
I have a problem with static nat setting on my 3925 router with IOS15.2(3). The scenario is like this:
I set a static nat between 172.16.1.2 and x.x.x.x(public IP address) using following command:
ip nat inside source static 172.16.1.2 x.x.x.x
The intranet IP address is set on a video conference system from Huawei, after setting all these things, ping works fine to this public IP address, but video conference cannot be built. I tried same setting using another 2811 router with IOS12.4 and it worked fine. Which means the problem should be isolated to this 3925 router. Full config is also attached, sorry that I elimated the public IP address and use other characters instead.
Additionally, I debugged ip natting and I see following information when making video calls:
router#debug ip nat h323
IP NAT H323 debugging is on
router#
*Jul 10 09:11:07.343: NAT[0]: H323: received pak, payload_len=0
*Jul 10 09:11:07.343: [NAT[0]: H323 ACK packet ? FALSE
*Jul 10 09:16:15.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:16:15.731: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:16:57.215: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:16:57.215: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:17:02.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:17:02.731: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:17:14.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:17:14.731: [NAT[1]: H323 ACK packet ? FALSE
This problem has been bothering me for weeks. Hope that someone could help me out. Many thanks in advance.
Regards,
Angran

Hi,
i have the same requirement for a customer, not for video but for audio calls, i have a remote office with h.323 phones and they need to get registered to a gk in central office to send and recieve voice calls, did you make it work? can you share the config please?

STATIC NAT PROBLEM

Hi All,
We are having a problem with a static NAT statement and or ACL not allowing traffic to the port configured to the inside host on the LAN.
NETWORK SETUP
We have a 3CX IP PBX behind a Pix firewall and need remote hosts to be able to connect to the 3CX over the 3CX tunnel protocol that uses port 5090. 3CX internal IP Address is 172.16.0.254 and the port it is listening on for the tunnel traffic is 5090. We have configured static NAT to the 3CX which is listening on port 5090 and created the ACL and applied this to the Outside interface. 3CX tunnel protocol uses a mixture of TCP and UDP so we have these both configured. Here are the various lines of configuration.
access-list Outside_In extended permit tcp any host 172.16.0.254 eq 5090
access-list Outside_In extended permit udp any host 172.16.0.254 eq 5090
static (Inside,Outside) tcp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
static (Inside,Outside) udp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
access-group Outside_In in interface Outside
ISSUE
We have configured static NAT to the 3CX which is listening on port 5090 and created an ACL to permit inbound traffic to the 3CX. Inbound traffic is not traversing the firewall and therefore not reaching the 3CX on the inside LAN.
TROUBLE SHOOTING SO FAR
We have tried a number of different ACL and NAT configurations, but the above configs are not permitting the traffic through the firewall. We have done a number of captures on the firewall and we can see the traffic from remote hosts getting to the Outside interface, but not traversing to the Inside interface and therefore not reaching the 3CX on the inside LAN. The xlate shows the static NAT entry correctly.
Any suggestions anyone??
Regards,

Hi,
If you are doing a Static NAT or Static PAT towards the Internet on your ASA or PIX, this is how the different firewall software versions behave
Software 8.2 and earlier: When you configure a Static NAT / Static PAT and want to allow traffic from the Internet to the NATed host, you use the NAT IP address as the destination IP address in the ACL attached to the "outside" interface you are using.
Software 8.3 and later: NAT and ACLs changed in the 8.3 software and in those software levels you are required to use the actual real IP address of the host in the ACLs you configure. Using the NAT IP address in the newer software levels wont work anymore.
As you mentioned your software level to be 8.0 we can see that you need to use the NAT IP address as the destination address of the "outside" interface ACL.
I guess you could try for example
access-list Outside_In permit tcp any interface Outside eq 5090
access-list Outside_In permit udp any interface Outside eq 5090
You can also use the "packet-tracer" command like I mentioned above to simulate what the firewall would do to the traffic.
The command tested could be for example
packet-tracer input Outside tcp 1.2.3.4 1234 5090
The only situation where I could see the need to use the real IP address in the ACL statement of the "outside" interface would be if you had a L2L VPN / Site-to-Site VPN configured between your firewall and the remote end. But as I cant see your configuration I dont know if thats the case. Though since you have configured Static PAT to use the public IP address of your firewalls "outside" interface it would lead me to believe that you are trying to open/share this service from the LAN device to the Internet.
Guess you could next try the above mention ACL lines I listed and test the traffic again. Also the "packet-tracer" command should tell you if theres any problems with your firewall configurations.
- Jouni

Static Policy NAT in VPN conflicts with Static NAT

I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
interface Vlan1
ip address 192.168.10.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
static (inside,outside) 192.168.24.0 access-list VPN
crypto map outside_map 1 match address outside_1_cryptomap
In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
What am I missing?

Hi,
To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
So I am not sure are we looking at some bug or what the problem is.
I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
access-list STATICPAT-SMTP permit tcp host eq smtp any
static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
access-list STATICPAT-HTTPS permit tcp host eq https any
static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
access-list STATICPAT-RDP permit tcp host eq 3389 any
static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
access-list STATICPAT-POP3 permit tcp host eq pop3 any
static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
Naturally you would add the Static Policy NAT for the VPN first.
Again I have to say that I am not 100% sure if this was is the correct format maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389). First entering the Static Policy NAT then removing the Static PAT and then entering the Static Policy PAT.
Remember that you should be able to test the translations with the "packet-tracer" command
For example
packet-tracer input outside tcp 1.1.1.1 12345
- Jouni

Static NAT and IPSec VPN

This maybe stupid but may somebody help on this.
Site A --- Internet --- Site B
An IPSec VPN is implemented between Site A and Site B. Some "nat 0" commands are used on Site A PIX to avoid addresses being translated when communicating with site B.
But now there is a problem, there are several public servers which have static NAT entries by "static" command. And it looks like these entry will still be valid even if the "nat 0" is presenting. And thus those inside IPs which have a static NAT, will be translated once it reaches the PIX and can not go via the VPN tunnel.
May someone advise me how to overcome this? Thanks.

Your question really pertains to the nat order of operations. Nat 0 (nat exemption) is first in the order. It preceeds all other including static nat. The servers you mention will absolutely be included in the nat 0 unless they are specifically denied in the nat 0 acl.

Static NATs using the network parameter

If I want one-to-one static NATs which allow inbound traffic, will this work? I want to be able to ping, SSH, etc to 172.18.48.1 by going to 172.18.31.48.1 from the other side of the VPN.
ip nat inside source static network 172.18.48.0 172.31.48.0 /24 route-map VPN_Somerset_NAT-rm reversible
route-map VPN_Somerset_NAT-rm permit 10
match ip address VPN_Somerset_NAT-ACL
ip access-list extended VPN_Somerset_NAT-ACL
permit ip 172.18.48.0 0.0.0.255 10.61.0.0 0.0.255.255

To translate the real address 10.1.1.1 to the mapped address 192.168.1.1 when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are as follows:
hostname(config)# access-list TEST extended ip host 10.1.1.1 209.165.200.224
255.255.255.224
hostname(config)# static (inside,outside) 192.168.1.1 access-list TEST
In this case, the second address is the destination address. However, the same configuration is used for hosts to originate a connection to the mapped address. For example, when a host on the 209.165.200.224/27 network initiates a connection to 192.168.1.1, then the second address in the access list is the source address.
This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the "Policy NAT" section for more information.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the ASA translates the .0 and .255 addresses. If you want to prevent access to these addresses, be sure to configure an access list to deny access.

Static NAT Command Clarification

Similar Messages

Maybe you are looking for