Static NAT for DMZ hosts

Hello,
It has been a while since I last worked on a firewall. Please take a look at the info below.
INSIDE does not have access to the Internet.
Services/servers in the DMZ need to be accessible from the Internet.
CONFIG
names
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.46 255.255.255.240 standby X.X.X.45
interface Ethernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address INSIDE.254 255.255.254.0 standby INSIDE.253
interface Ethernet0/2
interface Ethernet0/2.1
description LAN Failover Interface
vlan 20
interface Ethernet0/2.2
description STATE Failover Interface
vlan 30
interface Ethernet0/3
description DMZ INTERFACE
speed 100
duplex full
nameif dmz
security-level 100
ip address DMZ.254 255.255.255.0 standby DMZ.253
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name CDGI.com
same-security-traffic permit inter-interface
access-list NAT0_INSIDE_DMZ remark NO NAT FROM INSIDE TO DMZ
access-list NAT0_INSIDE_DMZ extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.41
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.41 eq www
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo-reply
access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.42
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.42 eq www
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo-reply
access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 192.168.254.0 255.255.255.0
access-list NO-NAT-DMZ extended permit ip DMZ.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool SSLCLIENT_IP_POOL 192.168.254.1-192.168.254.25 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/2.1
failover link STATEFUL Ethernet0/2.2
failover interface ip FAILOVER 172.31.254.254 255.255.255.252 standby 172.31.254.253
failover interface ip STATEFUL 172.31.254.250 255.255.255.252 standby 172.31.254.249
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (dmz) 0 access-list NO-NAT-DMZ
static (dmz,outside) X.X.X.41 DMZ.49 netmask 255.255.255.255
static (dmz,outside) X.X.X.42 DMZ.28 netmask 255.255.255.255
access-group OUTSIDE_TO_DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
service-policy global_policy global
===========================================================================================
As you can see above, the config has an ACL that allows traffic from the Internet to the DMZ and has static NAT. The hosts in the DMZ are still not accessible.
Please help.
Thanks,
Paresh.

Hi,
For inside to Internet:
You have no global (outside) or nat (inside) configured.
nat (inside) 1 0 0
global (outside) 1 interface
For the second part, I see no problem in the config; is it not working?
Regards.
Alain
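Added example, not from the thread: a Python checker for the two points raised above, run on a condensed, constructed copy of the poster's pre-8.3 config (placeholders X.X.X.n / DMZ.n kept; the X.X.X.43 static is constructed to show a mapping with no inbound permit). It reads `static`, `access-list`, `access-group`, `nat` and `global` lines and reports static mappings whose public address has no permit in the ACL applied on the mapped interface, `permit ip any` entries in an applied ACL (the first OUTSIDE_TO_DMZ line already permits all IP to X.X.X.41, so the narrower www/icmp lines after it are shadowed), and `nat` ids with no matching `global`.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the ASA 8.2-style configuration quoted in
# the original post (placeholders X.X.X.n / DMZ.n kept as-is). The X.X.X.43
# static is constructed here to show a mapping that has no inbound permit.
SAMPLE_CONFIG = """
access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.41
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.41 eq www
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.42 eq www
access-list NO-NAT-DMZ extended permit ip DMZ.0 255.255.255.0 192.168.254.0 255.255.255.0
nat (dmz) 0 access-list NO-NAT-DMZ
static (dmz,outside) X.X.X.41 DMZ.49 netmask 255.255.255.255
static (dmz,outside) X.X.X.42 DMZ.28 netmask 255.255.255.255
static (dmz,outside) X.X.X.43 DMZ.50 netmask 255.255.255.255
access-group OUTSIDE_TO_DMZ in interface outside
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
NAT_RE = re.compile(r"^nat\s*\((\S+)\)\s+(\d+)")
GLOBAL_RE = re.compile(r"^global\s*\((\S+)\)\s+(\d+)")


def _addr(tokens, i):
    """Consume one ACE address term: 'any', 'host A', or 'NET MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2


def parse_config(text):
    """Collect the NAT- and ACL-related lines of a pre-8.3 ASA config."""
    cfg = {"static": [], "acl": defaultdict(list), "groups": {},
           "nat": defaultdict(set), "global": defaultdict(set)}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real = m.groups()
            cfg["static"].append((real_if, mapped_if, mapped, real))
        elif m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            tok = rest.split()
            src, i = _addr(tok, 0)
            dst, _ = _addr(tok, i)
            cfg["acl"][name].append((action, proto, src, dst))
        elif m := GROUP_RE.match(line):
            cfg["groups"][m.group(2)] = m.group(1)  # interface -> applied ACL
        elif m := NAT_RE.match(line):
            cfg["nat"][m.group(1)].add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            cfg["global"][m.group(1)].add(int(m.group(2)))
    return cfg


def check_config(cfg):
    """Findings: statics with no inbound permit on the mapped interface,
    'permit ip any' entries in an applied ACL, nat ids with no matching
    global, and whether the inside interface has any nat statement at all."""
    findings = {"no_inbound_rule": [], "broad_ace": [],
                "nat_without_global": [], "no_inside_nat": False}
    for real_if, mapped_if, mapped, real in cfg["static"]:
        acl = cfg["groups"].get(mapped_if)
        aces = cfg["acl"].get(acl, []) if acl else []
        # Pre-8.3 ACLs match on the mapped (public) address, not the real one.
        if not any(a == "permit" and d in ("any", mapped) for a, _, _, d in aces):
            findings["no_inbound_rule"].append((mapped, real))
    for name in set(cfg["groups"].values()):
        for action, proto, src, dst in cfg["acl"].get(name, []):
            if action == "permit" and proto == "ip" and src == "any":
                findings["broad_ace"].append((name, dst))
    for iface, ids in cfg["nat"].items():
        for nid in ids:
            # nat id 0 is identity/exempt NAT and needs no global pool.
            if nid != 0 and not any(nid in g for g in cfg["global"].values()):
                findings["nat_without_global"].append((iface, nid))
    findings["no_inside_nat"] = "inside" not in cfg["nat"]
    return findings


if __name__ == "__main__":
    for key, value in check_config(parse_config(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

Run against the full config in the post, the checker reports no inside nat statement at all, which is the point of the reply above.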

Similar Messages

  • Static NAT for FTP access

    NAT overload has been done successfully as follows:
    1. ip nat inside and ip nat outside configured on the appropriate interfaces, i.e. fa0/0 and fa0/1
    2. default route added on the router.
    3. additional configuration is added:
    ip nat inside source list 1 interface fa0/1 overload
    access-list 1 permit 192.168.1.0 0.0.0.255
    Now I am trying to use static NAT for FTP:
    ip nat inside source static tcp 192.168.1.X 21 x.x.x.x 21 extendable
    But this does not work, please help. I am trying to access the FTP server from the LAN by entering the public address in the browser. I can access the FTP server with the private address but this defeats the purpose of FTP. Please help.

    Router(config)#interface fa0/0
    Router(config-if)#ip address 192.168.1.254 255.255.255.0
    Router(config-if)#no shut
    Router(config-if)#ip nat inside
    Router(config-if)#interface fa0/1
    Router(config-if)#ip address 203.109.120.2 255.255.255.252
    Router(config-if)#no shut
    Router(config-if)#ip nat outside
    Router(config)#ip route 0.0.0.0 0.0.0.0 interface fa0/1
    Router(config)#ip nat inside source list 1 interface fa0/1 overlaod
    Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

  • Configure static NAT for range of ports

    Hi,
    I have a 2911 with a 3CX IP PBX behind it that needs to have a static NAT to the 3CX server for TCP/UDP 5060 and UDP 9000-9049. Do I have to create a static NAT entry for every single port in order for this to work, or can a range be defined in the NAT entries?
    As an example, say my 3CX server has an internal IP of 192.168.1.25 and my external IP is 1.2.3.4. Would I have to create an entry for each port?
    ip nat inside source static tcp 192.168.1.25 5060 1.2.3.4 5060
    ip nat inside source static udp 192.168.1.25 5060 1.2.3.4 5060
    ip nat inside source static udp 192.168.1.25 9000 1.2.3.4 9000
    ip nat inside source static udp 192.168.1.25 9001 1.2.3.4 9001
    and so on...
    Is this the correct way to do it, or is there another better way?
    Also, I only have one public IP to work with, and there are multiple other hosts on this network that need to have access to the internet. Right now I have NAT setup with overload so that the other hosts can get to the Internet. Here's my config for that:
    ip nat pool PATPOOL 1.2.3.4 1.2.3.4 netmask 255.255.255.252
    ip nat inside source list NAT_ACL pool PATPOOL overload     
    ip access-list standard NAT_ACL
     remark PAT to outside
     permit 192.168.1.0 0.0.0.255
     exit
    My question with this is will the static NAT work if I already have NAT overload configured as above?
    Thanks for the help in advance.
    Austin
    PS here is 3CX documentation on this subject http://www.3cx.com/blog/voip-howto/cisco-voip-configuration/

    I ended up creating a static NAT entry for each individual port mapping. This worked just as it was supposed to. 
    I have seen examples of people using route maps and ACLs to accomplish forwarding a range ports. I have yet to see official documentation from Cisco on this, and in some cases those examples did not seem to work correctly.
    ASAs with the latest code have the ability to forward a range of ports, but based on my research IOS lacks this feature.
    In my case, forwarding 50 ports wasn't so bad. However, if you have hundreds or thousands of ports to forward you may want to try the route map/ACL approach.
    Hopefully this information is useful to others.

  • Setting up static nat for ip addresses

    We recently switched to a Verizon FiOS line. Our company has two offices (CA, NC). There are servers in NC that need to be able to print to printers in CA.
    We have 5 static IPs from Verizon; I set 3 of the remaining IPs as a static NAT to the private IPs of the printers. I cannot ping these static public IPs. I even have the port forwarding from UDP/TCP set to any for both the source and destination ports.
    Can anyone help me as to why I cannot ping these IP addresses?
    I can ping the private IPs from the private network (CA) that the printers are on.

    No, it does not. But they are working this morning. Maybe the DNS needed to propagate? Not sure but it works now.

  • DM-VPN with Static NAT for Spoke Router. Require Expert Help

    Dear All,
    This is my first time to write something.
    I have configured DM-VPN, and it's working fine; now I want to configure static NAT.
    Some people will think: why need static NAT if it's working fine?
    Let me tell you why I need it, and what my plan is.
    I have a HUB with 3 spokes. Sometimes I go outside of my office and am not able to access my spoke computer by Terminal Services, because it's on a dynamic IP address. So what I think is: I'll put one static NAT on my HUB router so that if anyone, or me, hits the real/public IP address of my HUB WAN interface from any other remote location, it redirects this query to my Terminal Services computer, which is located in the spoke network.
    Well, for that I tried but failed.
    Well, again the suggestion will come: why not use Easy VPN? Well, sounds great, but then I have to keep my notebook with me.
    I'll also do it, but now I need to know how to do static NAT, like for a normal router I am doing, which is not part of the VPN:
    ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
    But this time this command is not working, because the IP address which I mention is related to the HUB network, not the spoke.
    Suppose the spoke network is 192.168.2.0/24
    and I want on the HUB router:
    ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
    I am using Cisco 887 and 877 ADSL routers.
    But it's not working. Need experts' help. Please write your comments, which are very important for me. Waiting for your comments.
    For more details please see the diagram.
    To contact me: [email protected]

    Hi rvarelac, thank you for the reply:
    I already did that, I put deny statements in the NAT access-list excluding the VPN traffic, but the problem is still there!
    crypto isakmp policy 10
     encr aes
     authentication pre-share
    crypto isakmp key 12344321 address 1.1.1.1
    crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
     mode tunnel
    crypto map s2s 100 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set Remote-Site
     match address vpnacl
    interface GigabitEthernet0/0
     crypto map s2s
    Extended IP access list lantointernet
    30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    80 permit ip any any

  • Command to see host and static nat for the same object together

    I have researched this but cannot find an answer.  ASA running version 8.5.
    When you create the config using object NAT you enter the commands as follows
    object network <object name>
       host x.x.x.x
       nat (inside,outside) static y.y.y.y
    When the config is displayed it separates the host and nat commands in two different sections of the config as follows
    object network <object name>
       host x.x.x.x
    object network <object name>
       nat (inside,outside) static y.y.y.y
    Is there a command that will display it all together (like it was typed in)?  Show NAT is something like what I am after but without all of the extra info such as translate_hits, untranslate_hits etc. I need this information but cleaning up the output of a show nat is going to be tough.
    Any suggestions?  
    Thanks.

    Sorry, show nat detail is what I meant in the original post in place of show nat.   Show nat detail still has all of the extra info I was trying to avoid.  Guess I will be editing a text file.
    Thanks for the reply.

  • Static NAT for Secondary IP addresses

    I am running a Novell SBS 6.0 SP4 server w/ BorderManager 3.6 SP2 with two netcards. My two public IP addresses w/ different subnets on the same netcard will keep running, but the secondary IP addresses fail after a few hours, though they can be pinged from inside the network. The following is how my config is set up:
    Netcard #1 (public):
    IP #1 - 66.170.173.100 Subnet 255.255.255.240
    Static/Dynamic 66.170.173.17 -> 192.xxx.1.22
    66.170.173.18 -> 192.xxx.1.23
    66.170.173.20 -> 192.xxx.2.25
    IP #2 - 66.170.173.17 Subnet 255.255.255.248
    Static/Dynamic - Disabled
    Secondary IP address bound -> 66.170.173.18
    -> 66.170.173.20
    Netcard #2 (private) - 192.xxx.1.16
    The modem is connected directly to Netcard #1 with no router between them. Is there something wrong with this setup or is there something else I have to do? My filters seem to be working fine as far as I know.
    Thank you,
    [email protected]

    > Hi Ken,
    >
    > Do you have a way to verify that the secondary IP addresses work properly if they're associated to another device?
    > What's the agreement you have with your ISP about the two subnets of addresses? Are they aware that they're associated to the same physical device? I'm wondering if there is something wrong in the wireless system that prevents ARP from working properly in that configuration.
    >
    > --
    > Caterina Luppi
    > Novell Support Connection Volunteer Sysop
    > <[email protected]> wrote in message news:zj7mc.1918$[email protected]..
    > > > Hi Ken,
    > > >
    > > > > Whose router are we talking about? Is it the modem of the ISP just before my server or my internal switches for my workstations?
    > > >
    > > > Sorry, my bad. I was referring to the modem of the ISP. I suspect this is not a modem only, right? I mean, you have an ethernet connection between the modem and the BM server, correct? In this case the device of your ISP is a modem/router, not a modem only.
    > > > Are you using DSL or cable?
    > > > --
    > > > Caterina Luppi
    > > > Novell Support Connection Volunteer Sysop
    > > >
    > > >
    > > Yes, we are running wireless DSL. They called it a modem, but it might be a router.
    > >
    > > [email protected]
    >
    >
    I just received an email back from the ISP and they said they have had troubles with that modem and ARP tables. They are going to swap out the modem when they get the new type of modems in. I will post back the outcome when they swap them out.
    Thank you for the help,
    [email protected]

  • Multiple Public IP Addresses To Be Used For DMZ - ASA 5505 - IOS 8.4(2)

    I'm trying to figure out how to forward an IP address to my DMZ servers, allowing me to use the ACL to control access to the servers within my DMZ interface (LAN). I can't figure out if the ASA handles that automatically when a NAT rule is created, or maybe when an ACL is created, or do I need to add it when configuring the interface (outside)? Ex: IP addresses: 1.1.1.1, 2.2.2.2, 3.3.3.3
    Notes:
    - I'm using the ASDM but can use CLI if needed.
    - All IP addresses are fictitious of course.
    - I currently have a public IP address of 1.1.1.1 that is used for all traffic coming from the ASA (including my NATed inside traffic).
    - My local LAN subnet is 10.10.10.0/24.
    - My DMZ subnet for my servers is 10.10.20.0/24.
    - I have an IP address I want to use (public) of 2.2.2.2 that would be forwarded to my DMZed server of 10.10.20.2.
    - I have an IP address I want to use (public) of 3.3.3.3 that would be forwarded to my DMZed server of 10.10.20.3.

    Hi,
    I am not sure if I understood you correctly.
    Are you just asking how to configure Static NAT for your DMZ servers and allow traffic to them?
    If so the basic NAT configuration format would be
    object network SERVER-1
    host 10.10.20.2
    nat (DMZ,outside) static 2.2.2.2 dns
    object network SERVER-2
    host 10.10.20.3
    nat (DMZ,outside) static 3.3.3.3 dns
    The above 2 "object network" create the Static NAT between the internal private and external public IP addresses.
    access-list OUTSIDE-IN remark Allow traffic to DMZ servers
    access-list OUTSIDE-IN permit tcp any object SERVER-1 eq www
    access-list OUTSIDE-IN permit tcp any object SERVER-2 eq ftp
    access-group OUTSIDE-IN in interface outside
    The above creates an ACL which allows for example HTTP traffic to SERVER-1 and FTP traffic to SERVER-2. Finally the last command attaches the ACL to the "outside" interface. If you already have an ACL attached to the "outside" interface then you naturally use that one.
    Those are just simple examples.
    Please let me know if I understood you incorrectly or if I missed something.
    - Jouni

  • Static translation from dmz to inside on Asa 8.6

    Recently upgraded to an ASA 5512-X from a PIX 515E. I have an Ipswitch MOVEit server on the dmz1 interface that needs to be accessed from both the inside and outside interfaces. I have set up a static NAT from the outside to the dmz1 and it works; I can also connect from the inside interface. Now I need the MOVEit server to access the DNS server and email server on the inside interface so it can send notifications. On the PIX I just created a static from the inside to the dmz1 using its own IP address - static (inside,dmz1) 192.168.1.7 192.168.1.7 netmask 255.255.255.255. I would then add the access-list to allow it. How would I set this up with the ASA 8.6 commands?

    Hi,
    The default operation of the new ASAs/software is that you don't configure NAT if you don't need one.
    So if you for example have the following interfaces
    outside
    lan1
    lan2
    dmz
    If you want lan1, lan2 and dmz to communicate with each other with the actual IP addresses, you don't configure any type of NAT between them (even the ones that you used to do with the old software with the "static" commands).
    The only situations where I have configured Twice NAT are when I have configured a L2L VPN or when some old 8.2 or below software Policy NAT has been migrated.
    So to my understanding you would probably have a new type of Static NAT for the dmz1 server towards outside
    object network DMZ-STATIC
    host 192.168.1.7
    nat (dmz1,outside) static x.x.x.x dns
    For the same server to communicate with other networks behind the firewall (LAN networks) you shouldn't really need any additional NAT configurations. Only have the access rules permit the traffic if they don't already do so.
    You can always post some configurations if you want someone to take a look through them.
    - Jouni

  • Static NAT inbound correct - Outbound using Interface IP

    Here is the scenario that I have:
    I have a router (2921) that has 2 interfaces:
         G0/0 - WAN - 10.254.1.10
         G0/1 - LAN - 192.168.1.230
    I have a few static NATs for servers that are behind G0/1; this is the only NAT config I have except for an 'ip nat inside' and 'ip nat outside' on the interfaces:
         ip nat inside source static 192.168.1.231 10.254.1.11
         ip nat inside source static 192.168.1.232 10.254.1.12
         ip nat inside source static 192.168.1.240 10.254.1.13
    I can connect to each of these on their respective NAT'd IP.
    The issue that I have is when these servers go out they have the interface IP address! So if I ping a server that is across the way I see
    SRC: 10.254.1.10 DST: 10.1.2.11 Protocol: ICMP
    I do not understand how this would work. I have no other NAT configuration in the router.

    Here is the NAT table when pinging from the outside to one of the NAT'd servers:
    Pinging from 10.1.2.11 to 10.254.1.13
    Cisco2921#sh ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    --- 10.254.1.11        192.168.1.231      ---                ---
    tcp 10.254.1.12:80     192.168.1.232:80   10.1.2.11:62512    10.1.2.11:62512
    tcp 10.254.1.12:443    192.168.1.232:443  10.1.2.11:62491    10.1.2.11:62491
    tcp 10.254.1.12:443    192.168.1.232:443  10.1.2.11:62493    10.1.2.11:62493
    --- 10.254.1.12        192.168.1.232      ---                ---
    icmp 10.254.1.13:1     192.168.1.240:1    10.1.2.11:1        10.1.2.11:1
    tcp 10.254.1.13:22     192.168.1.240:22   10.1.2.11:62386    10.1.2.11:62386
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62508    10.1.2.11:62508
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62510    10.1.2.11:62510
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62511    10.1.2.11:62511
    icmp 10.254.1.10:21531 192.168.1.240:21531 10.1.2.11:21531   10.1.2.11:21531
    udp 10.254.1.10:38288  192.168.1.240:38288 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:55051  192.168.1.240:55051 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:55383  192.168.1.240:55383 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:58944  192.168.1.240:58944 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:59854  192.168.1.240:59854 10.1.2.1:161      10.1.2.1:161
    --- 10.254.1.13        192.168.1.240      ---                ---
    Here is from an internal server to the same outside host:
    Pinging from 192.168.1.240 to 10.1.2.11
    Cisco2921#sh ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    --- 10.254.1.11        192.168.1.231      ---                ---
    tcp 10.254.1.12:80     192.168.1.232:80   10.1.2.11:62517    10.1.2.11:62517
    tcp 10.254.1.12:443    192.168.1.232:443  10.1.2.11:62491    10.1.2.11:62491
    tcp 10.254.1.12:443    192.168.1.232:443  10.1.2.11:62493    10.1.2.11:62493
    --- 10.254.1.12        192.168.1.232      ---                ---
    tcp 10.254.1.13:22     192.168.1.240:22   10.1.2.11:62386    10.1.2.11:62386
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62515    10.1.2.11:62515
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62516    10.1.2.11:62516
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62518    10.1.2.11:62518
    icmp 10.254.1.10:7163  192.168.1.240:7163 10.1.2.1:7163      10.1.2.1:7163
    icmp 10.254.1.10:7184  192.168.1.240:7184 10.1.2.1:7184      10.1.2.1:7184
    icmp 10.254.1.10:11548 192.168.1.240:11548 10.1.2.11:11548   10.1.2.11:11548
    udp 10.254.1.10:38288  192.168.1.240:38288 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:53384  192.168.1.240:53384 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:58383  192.168.1.240:58383 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:58944  192.168.1.240:58944 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:59143  192.168.1.240:59143 10.1.2.1:161      10.1.2.1:161
    --- 10.254.1.13        192.168.1.240      ---                ---
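Added example, not part of the post: a small parser for the IOS `show ip nat translations` output quoted above, run on a constructed excerpt with the same addresses, that reports which inside-global address each inside-local host actually leaves with. It assumes the WAN interface address is 10.254.1.10 as stated in the post; the audit lists hosts that have a static ('---') entry yet also appear translated to that interface address, which is exactly the observation the poster made.

```python
from collections import defaultdict

# Constructed excerpt of the `show ip nat translations` output quoted in the
# post above (same addresses, fewer rows).
NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 10.254.1.11        192.168.1.231      ---                ---
icmp 10.254.1.13:1     192.168.1.240:1    10.1.2.11:1        10.1.2.11:1
tcp 10.254.1.13:22     192.168.1.240:22   10.1.2.11:62386    10.1.2.11:62386
--- 10.254.1.13        192.168.1.240      ---                ---
icmp 10.254.1.10:7163  192.168.1.240:7163 10.1.2.1:7163      10.1.2.1:7163
udp 10.254.1.10:38288  192.168.1.240:38288 10.1.2.1:161      10.1.2.1:161
"""


def split_addr(field):
    """'10.254.1.10:7163' -> ('10.254.1.10', 7163); '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, _, port = field.partition(":")
    return ip, (int(port) if port else None)


def parse_nat_table(text):
    """Parse IOS `show ip nat translations` rows into dicts; header skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        pro, ig, il, ol, og = line.split()
        rows.append({"proto": pro,
                     "inside_global": split_addr(ig),
                     "inside_local": split_addr(il),
                     "outside_local": split_addr(ol),
                     "outside_global": split_addr(og)})
    return rows


def audit_translations(rows, interface_ip):
    """Map each inside-local host to the inside-global addresses its sessions
    use, and report hosts that have a static ('---') entry yet also appear
    translated to the router's own interface address (assumed input)."""
    static = {}                 # inside local -> inside global of static rows
    used = defaultdict(set)     # inside local -> inside globals seen in sessions
    for r in rows:
        local_ip = r["inside_local"][0]
        global_ip = r["inside_global"][0]
        if r["proto"] == "---":
            static[local_ip] = global_ip
        else:
            used[local_ip].add(global_ip)
    report = {}
    for host, globals_seen in used.items():
        if host in static and interface_ip in globals_seen:
            report[host] = {"static": static[host], "used": sorted(globals_seen)}
    return report


if __name__ == "__main__":
    for host, info in audit_translations(parse_nat_table(NAT_TABLE), "10.254.1.10").items():
        print(f"{host}: static {info['static']}, sessions seen as {info['used']}")
```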

  • MS NLB with ASA and Static NAT from PUP to NLB IP

    Hi all,
    I am trying to get MS NLB up and running. It is almost all working. Below is my physical setup.
    ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
    I have two VMs running on two different ESXi hosts. They have two vNICs: one for management and one for the inside public subnet. The inside public subnet NICs are in the NLB cluster. The inside public subnet is NATed on the ASA to an outside public IP.
    192.168.0.50 is the 1st VM
    192.168.0.51 is the 2nd VM
    192.168.0.52 is the cluster IP for heartbeat
    192.168.0.53 is the cluster IP for NLB traffic.
    0100.5e7f.0035 is the cluster MAC.
    The NLB cluster is using MULTICAST
    I have read the documentation for both the ASA and Cat switch for adding a static ARP using the NLB IP and NLB MAC.
    For the ASA I found
    http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
    ASDM
    Configuration > Device Management > Advanced > ARP > ARP Static Table
    I was able to add my static ARP just fine.
    However, the next step was to enable ARP inspection.
    Configuration > Device Management > Advanced > ARP > ARP Inspection
    My ASDM does not list ARP Inspection; it only has the ARP Static Table area. Not sure about this.
    For the CAT Switch I found
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
    I added both the ARP and static MAC. For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
    On the ASA I added a static NAT for my outside public IP to my inside public NLB IP and vice versa. I then added a DNS entry for our domain to point to the outside public IP. I also added it to the public servers section allowing all IP traffic for testing purposes.
    At any rate the MS NLB is working OK. I can ping both the public IP and the inside NLB IP just fine from the outside. (I can ping the inside NLB IP because I'm on a VPN with access to my inside subnets.) The problem is when I go to access a webpage from my NLB servers using the DNS name or the public IP, I get a "This Page Can't Be Displayed" message. Now while on the VPN, if I use the same URL but instead use the NLB IP and not the public IP, it works fine.
    So I think there is something wrong with the NATing of the public IP to the NLB IP even though I can ping it fine. Below is my ASA config. I have bolded the parts of interest.
    Result of the command: "show run"
    : Saved
    ASA Version 8.4(4)9
    hostname MP-ASA-1
    enable password ac3wyUYtitklff6l encrypted
    passwd ac3wyUYtitklff6l encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 198.XX.XX.82 255.255.255.240
    interface Ethernet0/1
    description Root Inside Interface No Vlan
    speed 1000
    duplex full
    nameif Port-1-GI-Inside-Native
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/1.2
    description Managment LAN 1 for Inside Networks
    vlan 2
    nameif MGMT-1
    security-level 100
    ip address 192.168.180.1 255.255.255.0
    interface Ethernet0/1.3
    description Managment LAN 2 for Inside Networks
    vlan 3
    nameif MGMT-2
    security-level 100
    ip address 192.168.181.1 255.255.255.0
    interface Ethernet0/1.100
    description Development Pubilc Network 1
    vlan 100
    nameif DEV-PUB-1
    security-level 50
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/1.101
    description Development Pubilc Network 2
    vlan 101
    nameif DEV-PUB-2
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    interface Ethernet0/1.102
    description Suncor Pubilc Network 1
    vlan 102
    nameif SUNCOR-PUB-1
    security-level 49
    ip address 192.168.3.1 255.255.255.0
    interface Ethernet0/1.103
    description Suncor Pubilc Network 2
    vlan 103
    nameif SUNCOR-PUB-2
    security-level 49
    ip address 192.168.4.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa844-9-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network Inside-Native-Network-PNAT
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network with PNAT
    object network ASA-Outside-IP
    host 198.XX.XX.82
    description The primary IP of the ASA
    object network Inside-Native-Network
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network
    object network VPN-POOL-PNAT
    subnet 192.168.100.0 255.255.255.0
    description VPN Pool NAT for Inside
    object network DEV-PUP-1-Network
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUP-1 Network
    object network DEV-PUP-2-Network
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUP-2 Network
    object network MGMT-1-Network
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1 Network
    object network MGMT-2-Network
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2 Network
    object network SUNCOR-PUP-1-Network
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUP-1 Network
    object network SUNCOR-PUP-2-Network
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUP-2 Network
    object network DEV-PUB-1-Network-PNAT
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUB-1-Network with PNAT
    object network DEV-PUB-2-Network-PNAT
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUB-2-Network with PNAT
    object network MGMT-1-Network-PNAT
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1-Network with PNAT
    object network MGMT-2-Network-PNAT
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2-Network with PNAT
    object network SUNCOR-PUB-1-Network-PNAT
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUB-1-Network with PNAT
    object network SUNCOR-PUB-2-Network-PNAT
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUB-2-Network with PNAT
    object network DEV-APP-1-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-APP-2-SNAT
    host 192.168.2.120
    description DEV-APP-2 Server with SNAT
    object network DEV-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-SQL-1
    host 192.168.0.110
    description DEV-SQL-1 Inside Server IP
    object network DEV-SQL-2
    host 192.168.2.110
    description DEV-SQL-2 Inside Server IP
    object network SUCNOR-APP-1-PUB
    host 198.XX.XX.XX
    description SUNCOR-APP-1 Public Server IP
    object network SUNCOR-APP-2-SNAT
    host 192.168.4.120
    description SUNCOR-APP-2 Server with SNAT
    object network SUNCOR-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network SUNCOR-SQL-1
    host 192.168.3.110
    description SUNCOR-SQL-1 Inside Server IP
    object network SUNCOR-SQL-2
    host 192.168.4.110
    description SUNCOR-SQL-2 Inside Server IP
    object network DEV-APP-1-SNAT
    host 192.168.0.120
    description DEV-APP-1 Network with SNAT
    object network SUNCOR-APP-1-SNAT
    host 192.168.3.120
    description SUNCOR-APP-1 Network with SNAT
    object network PDX-LAN
    subnet 192.168.1.0 255.255.255.0
    description PDX-LAN for S2S VPN
    object network PDX-Sonicwall
    host XX.XX.XX.XX
    object network LOGI-NLB--SNAT
    host 192.168.0.53
    description Logi NLB with SNAT
    object network LOGI-PUP-IP
    host 198.XX.XX.87
    description Public IP of LOGI server for NLB
    object network LOGI-NLB-IP
    host 192.168.0.53
    description LOGI NLB IP
    object network LOGI-PUP-SNAT-NLB
    host 198.XX.XX.87
    description LOGI Pup with SNAT to NLB
    object-group network vpn-inside
    description All inside accessible networks
    object-group network VPN-Inside-Networks
    description All Inside Nets for Remote VPN Access
    network-object object Inside-Native-Network
    network-object object DEV-PUP-1-Network
    network-object object DEV-PUP-2-Network
    network-object object MGMT-1-Network
    network-object object MGMT-2-Network
    network-object object SUNCOR-PUP-1-Network
    network-object object SUNCOR-PUP-2-Network
    access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
    access-list outside_access_out remark Block ping to out networks
    access-list outside_access_out extended deny icmp any any inactive
    access-list outside_access_out remark Allow all traffic from inside to outside networks
    access-list outside_access_out extended permit ip any any
    access-list outside_access extended permit ip any object LOGI-NLB--SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
    access-list outside_access extended permit ip any object DEV-APP-2-SNAT
    access-list outside_access extended permit ip any object DEV-APP-1-SNAT
    access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu Port-1-GI-Inside-Native 1500
    mtu MGMT-1 1500
    mtu MGMT-2 1500
    mtu DEV-PUB-1 1500
    mtu DEV-PUB-2 1500
    mtu SUNCOR-PUB-1 1500
    mtu SUNCOR-PUB-2 1500
    mtu management 1500
    ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any Port-1-GI-Inside-Native
    icmp permit any MGMT-1
    icmp permit any MGMT-2
    icmp permit any DEV-PUB-1
    icmp permit any DEV-PUB-2
    icmp permit any SUNCOR-PUB-1
    icmp permit any SUNCOR-PUB-2
    asdm image disk0:/asdm-649-103.bin
    no asdm history enable
    arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
    arp timeout 14400
    no arp permit-nonconnected
    nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    object network Inside-Native-Network-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network VPN-POOL-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network DEV-PUB-1-Network-PNAT
    nat (DEV-PUB-1,outside) dynamic interface
    object network DEV-PUB-2-Network-PNAT
    nat (DEV-PUB-2,outside) dynamic interface
    object network MGMT-1-Network-PNAT
    nat (MGMT-1,outside) dynamic interface
    object network MGMT-2-Network-PNAT
    nat (MGMT-2,outside) dynamic interface
    object network SUNCOR-PUB-1-Network-PNAT
    nat (SUNCOR-PUB-1,outside) dynamic interface
    object network SUNCOR-PUB-2-Network-PNAT
    nat (SUNCOR-PUB-2,outside) dynamic interface
    object network DEV-APP-2-SNAT
    nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
    object network SUNCOR-APP-2-SNAT
    nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
    object network DEV-APP-1-SNAT
    nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
    object network SUNCOR-APP-1-SNAT
    nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
    object network LOGI-NLB--SNAT
    nat (DEV-PUB-1,outside) static LOGI-PUP-IP
    object network LOGI-PUP-SNAT-NLB
    nat (outside,DEV-PUB-1) static LOGI-NLB-IP
    access-group outside_access in interface outside
    access-group outside_access_out out interface outside
    route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 outside
    http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
    http 192.168.180.0 255.255.255.0 MGMT-1
    http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
    : end
    Any help would be great! I think the issue is in the NAT, as I am able to access the NLB IP from the outside and could not do that before adding the Static ARP stuff.
    Thanks,
    Chris

    Also, if I change the NAT from the public IP to the NLB IP to use either one of the physical IPs of the NLB cluster (192.168.0.50 or 51), it works fine when using the public IP. So it's definitely an issue when NATing the VIP of the NLB cluster.
    Chris

  • Dynamic PAT and Static NAT issue ASA 5515

    Hi All,
    Recently we migrated our network to an ASA 5515. Since we had configured NAT pool overload on our existing router, the users were able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation was not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide), all users are able to translate to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the static NAT was not able to translate. Can anyone explain if there's any conflict with PAT to Static NAT? I appreciate your response. Thanks!
    - Bhal

    Hi,
    I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and the Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
    The very basic configuration for Static NAT and Default PAT I would do in the following way:
    object network STATIC
    host
    nat (inside,outside) static dns
    object-group network DEFAULT-PAT-SOURCE
    network-object
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as a Section 3 rule).
    This might sound confusing. It would be easier to say what the problem is if we saw the actual NAT configuration, though the reason I gave is probably one of the most likely ones if there is some conflict between the 2 NAT rules.
    You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
    https://supportforums.cisco.com/docs/DOC-31116
    Hope this helps
    - Jouni
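
    The ordering Jouni describes, as an added Python model (not Cisco code and not from this thread): the ASA walks Section 1 (manual NAT), then Section 2 (network-object NAT, statics before dynamics, more specific objects first), then Section 3 (manual NAT with after-auto), and the first match wins. The addresses 10.1.1.0/24, 10.1.1.5 and 192.0.2.10 are constructed sample values.

```python
"""Simplified model of ASA 8.3+ NAT rule ordering (added illustration, not
Cisco code). Section 1: manual NAT in config order. Section 2: object NAT,
static before dynamic, then longest real prefix first, then object name.
Section 3: manual NAT with 'after-auto'. First matching rule wins."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    name: str
    section: int      # 1 = manual, 2 = object NAT, 3 = manual after-auto
    kind: str         # "static" or "dynamic"
    real: str         # real (inside) source as CIDR
    mapped: str       # mapped source: an IP, or "interface" for PAT
    order: int = 0    # config order inside a manual section


def nat_table(rules):
    """Sort rules the way the ASA evaluates them."""
    def key(r):
        if r.section == 2:
            return (2, 0 if r.kind == "static" else 1,
                    -ip_network(r.real).prefixlen, r.name)
        return (r.section, r.order)
    return sorted(rules, key=key)


def translate(rules, src_ip):
    """Return (rule name, mapped source) of the first rule matching src_ip."""
    for r in nat_table(rules):
        if ip_address(src_ip) in ip_network(r.real):
            return r.name, r.mapped
    return None, src_ip   # no rule matched: leaves untranslated


# Constructed rules: the server 10.1.1.5 has a static NAT to 192.0.2.10 and the
# whole LAN 10.1.1.0/24 is PATed to the outside interface address.
STATIC = NatRule("STATIC-SRV", 2, "static", "10.1.1.5/32", "192.0.2.10")
PAT_SECTION1 = NatRule("DEFAULT-PAT", 1, "dynamic", "10.1.1.0/24", "interface")
PAT_AFTER_AUTO = NatRule("DEFAULT-PAT", 3, "dynamic", "10.1.1.0/24", "interface")


def broken():
    """Bhal's symptom: a Section 1 PAT shadows the server's Section 2 static NAT."""
    return translate([STATIC, PAT_SECTION1], "10.1.1.5")


def fixed():
    """Jouni's layout: the PAT is moved to Section 3 with 'after-auto'."""
    return translate([STATIC, PAT_AFTER_AUTO], "10.1.1.5")


if __name__ == "__main__":
    print("Section 1 PAT:", broken())    # ('DEFAULT-PAT', 'interface')
    print("after-auto PAT:", fixed())    # ('STATIC-SRV', '192.0.2.10')
```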

  • Static nat configuration help

    Hi,
    I have the following setup that I am tasked with creating static NAT for, and I am a little lost with getting the correct NAT working.
    Here is the setup:
    Internal servers behind firewall 192.168.1.0/24
    Firewall external interface is 192.168.5.36
    The firewall external interface is connected to the inside gig0/0 interface on a Cisco router.
    The Cisco router currently has a sub-interface g0/0.5 with IP 192.168.5.41.
    The outside Cisco interface, serial1/0, has IP 10.1.2.3.
    Beyond serial1/0 are multiple remote hosts, such as...
    10.8.10.5
    10.20.10.16
    10.20.12.12
    these are remotely managed by another company.
    Now, for the static nat, we want to do the following:
    translate 192.168.5.66 -> 10.8.10.5
    translate 192.168.5.67 -> 10.20.10.16
    translate 192.168.5.68 -> 10.20.12.12
    Internal hosts behind the firewall would communicate via 192.168.5.66, 67 or 68, and the Cisco router would translate these to the appropriate addresses.
    Note that 192.168.5.66, 67, 68 don't exist as yet; my understanding (which is possibly wrong) is that once NAT is correctly set up they will just work and the Cisco router will do the translations.
    I've tried some different scenarios with ip nat inside, ip nat outside and NVI (Cisco IOS is 12.4(11)XW3) but am failing to get proper translation happening.
    Most examples I've seen involve the internal "to be translated" address actually being an internal server, not something that gets configured on the Cisco router by a NAT translation.
    Is this possible?
    Or have I got it completely wrong? i.e. should the addresses 192.168.5.66, 67, 68 be configured somewhere?
    Thanks in advance,
    Regards,
    Les

    Michael,
    Thanks for your reply. I had seen that doc before, but it wasn't enough to get things working for me. Most of the examples I have seen were similar to this, and involved NAT where an internal host address was being NAT'ed. In my case, the address to NAT didn't exist on an internal host, and to translate correctly I needed to define both an inside source static and an identical outside source static entry. I also had to change which interface was outside and inside.
    i.e.
    int g0/0.5
    ip nat outside
    int serial1/0
    ip nat inside
    ip nat inside source static 10.8.10.5 192.168.5.66
    ip nat outside source static 10.8.10.5 192.168.5.66
    With that config my translation table looked like...
    #sh ip nat tra
    Pro Inside global      Inside local       Outside local      Outside global
    --- ---                ---                192.168.5.66       10.8.10.5
    --- 192.168.5.66       10.8.10.5          ---                ---
    And debug ip nat detailed showed correct translations happening:
    # ping from 192.168.5.36
    Sep  4 06:18:07.807: NAT*: o: icmp (192.168.5.36, 8494) -> (192.168.5.66, 8494) [43]    
    Sep  4 06:18:07.807: NAT*: o: icmp (192.168.5.36, 8494) -> (192.168.5.66, 8494) [43]
    Sep  4 06:18:07.807: NAT*: s=192.168.5.36, d=192.168.5.66->10.8.10.5 [43]
    If I had only an inside source static entry then the translations never happened.
    So I have a working config now.
    Regards,
    Les

  • Static Nat and VPN conflict

    Hi
    I could not quite find any information that was close enough to my problem that would enable me to solve it so hence I am now reaching out to you guys.
    I have a Cisco ASA running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with an IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171.
    I have a site to site VPN tunnel which terminates on the outside of the ASA on the outside interface XXX.XXX.XXX.190 .
    Traffic from the YYY.YYY.YYY.0/24 network can't traverse the site-to-site VPN as there is a conflict of IP addresses on the far side, so it is NATted via a dynamic policy to host address ZZZ.ZZZ.ZZZ.100.
    Users remote into the inside (YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site-to-site VPN. The problem is that the static NAT for the incoming connections takes preference and bypasses the site-to-site VPN tunnel for outbound traffic. I tried to create a policy static NAT but it tries to modify the static NAT that handles the incoming traffic to the Linux server.
    I hope the above makes sense.

    Hi
    Interesting VPN ACL
    object-group network DM_INLINE_NETWORK_18
    network-object YYY.YYY.YYY.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_22
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
    Static NAT
    static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
    No NAT
    object-group network DM_INLINE_NETWORK_20
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
    VPN Client Pool
    No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
    I hope this helps
    Thanks

  • Overlapping Static NAT Rule

    Hello All. I have an issue while creating a NAT rule: I am getting the error "Overlaping Static NAT Rule".
    Here are the details.
    I have already configured static NAT for RDP 3389 traffic to my host 192.168.1.128, which is working fine (so I can RDP from outside).
    However, now I want port 9090 to be translated to 3389 for another host, 192.168.1.13 (so I can put port 9090 when I do the RDP to reach the .13 server).
    I am receiving the error "Overlaping Static NAT Rule".
    I don't understand how it can be overlapped?
    (see screen shot)
    Please help: how can I have another rule with PAT to the translated port in the ASA?

    Hi,
    Seems to me that you have the ports the wrong way around in the new configuration.
    Your Original port is TCP/9090, which would mean that this would be the actual local port on the host. And you have set the Translated port as TCP/3389, which means that this is the public/mapped port.
    Considering you have a Static PAT (Port Forward) already configured for port TCP/3389, this naturally overlaps.
    So in the configuration window where you define the ports, switch their places and it should be fine.
    Hope this helps
    - Jouni
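
    The overlap Jouni points out, checked mechanically as an added Python example (not Cisco code and not from this thread): it parses object-NAT static PAT lines of the form "nat (inside,outside) static <mapped> service tcp <real-port> <mapped-port>" and reports rules that claim the same mapped address, protocol and mapped port. The object names RDP-128 and RDP-13 and the config text are constructed; "interface" stands for the outside interface address.

```python
"""Added checker for ASA static PAT (port-forward) collisions; not Cisco code.
In 'service tcp <real> <mapped>' the first port is the real port on the host
(ASDM 'Original') and the second is the port exposed on the mapped address
(ASDM 'Translated'). Two rules may not expose the same mapped port on the
same mapped address for the same protocol."""
import re
from collections import defaultdict

NAT_RE = re.compile(
    r"^\s*nat \((?P<real_if>[\w-]+),(?P<map_if>[\w-]+)\) static (?P<mapped>\S+)"
    r" service (?P<proto>tcp|udp) (?P<real_port>\d+) (?P<mapped_port>\d+)\s*$")


def parse_static_pat(config_text):
    """Return (object_name, mapped_addr, proto, real_port, mapped_port) tuples."""
    current, rules = None, []
    for line in config_text.splitlines():
        m_obj = re.match(r"^\s*object network (\S+)\s*$", line)
        if m_obj:
            current = m_obj.group(1)   # following nat line belongs to this object
            continue
        m = NAT_RE.match(line)
        if m and current:
            rules.append((current, m["mapped"], m["proto"],
                          int(m["real_port"]), int(m["mapped_port"])))
    return rules


def overlapping(rules):
    """Names of rules whose mapped (addr, proto, port) is claimed more than once."""
    by_key = defaultdict(list)
    for name, mapped, proto, _real_port, mapped_port in rules:
        by_key[(mapped, proto, mapped_port)].append(name)
    return sorted(n for names in by_key.values() if len(names) > 1 for n in names)


def check(config_text):
    return overlapping(parse_static_pat(config_text))


# Constructed config: the existing RDP forward plus the poster's attempt, with
# the 9090/3389 ports the wrong way round so both rules expose outside port 3389.
WRONG_WAY = """\
object network RDP-128
 host 192.168.1.128
 nat (inside,outside) static interface service tcp 3389 3389
object network RDP-13
 host 192.168.1.13
 nat (inside,outside) static interface service tcp 9090 3389
"""
# Jouni's correction: real port 3389 on .13 is exposed on outside port 9090.
RIGHT_WAY = WRONG_WAY.replace("service tcp 9090 3389", "service tcp 3389 9090")

if __name__ == "__main__":
    print("wrong way:", check(WRONG_WAY))   # ['RDP-128', 'RDP-13']
    print("right way:", check(RIGHT_WAY))   # []
```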
