Static NAT for FTP access

NAT overload has been done successfully as follows:
1. ip nat inside and ip nat outside configured on the appropriate interfaces i.e.fa0/0 and fa0/1
2. default route added on the router.
3.additional configuration is added:
ip nat inside source list 1 interface fa0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
Now I am trying to use static NAT for FTP:
ip nat inside source static tcp 192.168.1.X 21 x.x.x.x 21 extendable
But this does not work please help. I am trying to access FTP server from LAN by entering public address in the browser. Can access the FTP server with private address but this defeats the purpose of FTP. Please help.

Router(config)#interface fa0/0
Router(config-if)#ip address 192.168.1.254 255.255.255.0
Router(config-if)#no shut
Router(config-if)#ip nat inside
Router(config-if)#interface fa0/1
Router(config-if)#ip address 203.109.120.2 255.255.255.252
Router(config-if)#no shut
Router(config-if)#ip nat outside
Router(config)#ip route 0.0.0.0 0.0.0.0 interface fa0/1
Router(config)#ip nat inside source list 1 interface fa0/1 overlaod
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

Similar Messages

  • Static NAT for DMZ hosts

    Hello,
    It has been a while since I last worked on firewall.  Please  take a look at info below.
    INSIDE does not have access to Internet
    Services/Servers in DMZ need to be accessible from Internet
    CONFIG
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address X.X.X.46 255.255.255.240 standby X.X.X.45
    interface Ethernet0/1
    speed 1000
    duplex full
    nameif inside
    security-level 100
    ip address INSIDE.254 255.255.254.0 standby INSIDE.253
    interface Ethernet0/2
    interface Ethernet0/2.1
    description LAN Failover Interface
    vlan 20
    interface Ethernet0/2.2
    description STATE Failover Interface
    vlan 30
    interface Ethernet0/3
    description DMZ INTERFACE
    speed 100
    duplex full
    nameif dmz
    security-level 100
    ip address DMZ.254 255.255.255.0 standby DMZ.253
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    dns server-group DefaultDNS
    domain-name CDGI.com
    same-security-traffic permit inter-interface
    access-list NAT0_INSIDE_DMZ remark NO NAT FROM INSIDE TO DMZ
    access-list NAT0_INSIDE_DMZ extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
    access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.41
    access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.41 eq www
    access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo
    access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo-reply
    access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.42
    access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.42 eq www
    access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo
    access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo-reply
    access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
    access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 192.168.254.0 255.255.255.0
    access-list NO-NAT-DMZ extended permit ip DMZ.0 255.255.255.0 192.168.254.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    ip local pool SSLCLIENT_IP_POOL 192.168.254.1-192.168.254.25 mask 255.255.255.0
    failover
    failover lan unit primary
    failover lan interface FAILOVER Ethernet0/2.1
    failover link STATEFUL Ethernet0/2.2
    failover interface ip FAILOVER 172.31.254.254 255.255.255.252 standby 172.31.254.253
    failover interface ip STATEFUL 172.31.254.250 255.255.255.252 standby 172.31.254.249
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (dmz) 0 access-list NO-NAT-DMZ
    static (dmz,outside) X.X.X.41 DMZ.49 netmask 255.255.255.255
    static (dmz,outside) X.X.X.42 DMZ.28 netmask 255.255.255.255
    access-group OUTSIDE_TO_DMZ in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.X.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service resetoutside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect icmp
      inspect http
    service-policy global_policy global
    ===========================================================================================
    As you see above, config has ACL that allows traffic from Internet to DMZ and has static NAT.  The hosts in DMZ are still not accessible.
    Please help.
    Thanks,
    Paresh.

    Hi,
    For Inside to internet:
    you have no global( outside) as well as nat(inside) configured.
    nat(inside) 1 0 0
    global(outside) 1 interface
    For second part, I see no problem in the config, is it not working?
    Regards.
    Alain

  • Static NAT - VPN - Internet Access

    Does anyone know how to configure the following?
    1.  An static NAT from an inside ip address to another inside ip address (not physical subnet).
    2.  The traffic static Natted at the step 1 need to go into a tunnel VPN and at the same time to have internet access.
    My router just have two interfaces a WAN and a LAN.
    I just created the VPN, the static NAT and the PAT for other users of the subnet to have internet access, but the traffic static Natted just goes over the ipsec tunnel but cannot have internet access.
    I tried to apply a route map after the static nat command but since i do not have a physical interface in the same subnet were i am translating the route-map is not applied to the static nat command.
    in an extract:
    LAN traffic (specific server) --->> static nat to inside not real subnet --->> traffic goes over Tunnel (OK), but no internet access.
    BTW.  I need to configure the nat before de ipsec tunnel because both lan subnets of the ipsec tunnel endpoint are the same.

    Why do you need an inside host to be natted to another inside IP address?
    You need to configure a "no nat" policy, for the internet traffic.

  • Configure static NAT for range of ports

    Hi,
    I have a 2911 with a 3CX IP PBX behind it that needs to have a static NAT to the 3CX server for TCP/UDP 5060 and UDP 9000-9049. Do I have to create a static NAT entry for every single port in order for this to work, or can a range be defined in the NAT entries?
    As an example, say my 3CX server has an internal IP of 192.168.1.25 and my external IP is 1.2.3.4. Would I have to create an entry for each port?
    ip nat inside source static tcp 192.168.1.25 5060 1.2.3.4 5060
    ip nat inside source static udp 192.168.1.25 5060 1.2.3.4 5060
    ip nat inside source static udp 192.168.1.25 9000 1.2.3.4 9000
    ip nat inside source static udp 192.168.1.25 9001 1.2.3.4 9001
    and so on...
    Is this the correct way to do it, or is there another better way?
    Also, I only have one public IP to work with, and there are multiple other hosts on this network that need to have access to the internet. Right now I have NAT setup with overload so that the other hosts can get to the Internet. Here's my config for that:
    ip nat pool PATPOOL 1.2.3.4 1.2.3.4 netmask 255.255.255.252
    ip nat inside source list NAT_ACL pool PATPOOL overload     
    ip access-list standard NAT_ACL
     remark PAT to outside
     permit 192.168.1.0 0.0.0.255
     exit
    My question with this is will the static NAT work if I already have NAT overload configured as above?
    Thanks for the help in advance.
    Austin
    PS here is 3CX documentation on this subject http://www.3cx.com/blog/voip-howto/cisco-voip-configuration/

    I ended up creating a static NAT entry for each individual port mapping. This worked just as it was supposed to. 
    I have seen examples of people using route maps and ACLs to accomplish forwarding a range ports. I have yet to see official documentation from Cisco on this, and in some cases those examples did not seem to work correctly.
    ASAs with the latest code have the ability to forward a range of ports, but based on my research IOS lacks this feature.
    In my case, forwarding 50 ports wasn't so bad. However, if you have hundreds or thousands of ports to forward you may want to try the route map/ACL approach.
    Hopefully this information useful to others. 

  • DM-VPN with Static NAT for Spoke Router. Require Expert Help

    Dear All,
                This is my first time to write something .
                             i have configure DM-VPN, and it's working fine, now i want to configure static nat.
    some people will think why need static nat if it's working fine.
    let me tell you why i need. what is my plan.
    i have HUB with 3 spoke. some time i go out side of my office and not able to access my spoke computer by Terminal Services. because its by dynamic ip address.  so what i think i'll give one Static NAT on my HUB Router that if any one or Me Hit the Real/Public IP address of my HUB WAN Interface from any other Remote location so redirect this quiry to my Terminal Service computer which located in spoke network.
    will for that i try but fail. 
    will again the suggestion will come. why not to use .. Easy VPN. well sound great. but then i have to keep my notebook with me.
    i'll also do it but now i need that how to do Static NAT. like for normal Router i am doing which is not part of VPN.
    ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
    but this time  this command is not working, because the ip address which i mention it's related HUB Network not Spoke
    spose spoke Network: 192.168.2.0/24
    and i want on HUB Router:
    ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
    i am using Cisco -- 887 and 877 ADSL Router.
    but it's not working,   Need experts help. please write your comment's which are very important for me. waiting for your commant's
    fore more details please see the diagram.
    for Contact Me: [email protected]

    hi rvarelac  thank you for reply :
    i allready done that ,  i put a deny statements in nat access-list excluding the vpn traffic , but the problem still there !
    crypto isakmp policy 10
     encr aes
     authentication pre-share
    crypto isakmp key 12344321 address 1.1.1.1
    crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
     mode tunnel
    crypto map s2s 100 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set Remote-Site
     match address vpnacl
    interface GigabitEthernet0/0
     crypto map s2s
    Extended IP access list lantointernet
    30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    80 permit ip any any

  • NAT for remote access VPN clients

    Hello,
    I have a simple remote access VPN setup on a 2811 router. The remote subnet of the clients connecting have access to the local LAN subnet, but I am wondering if it is possible to somehow NAT those remote access users, so that they can go beyond the local LAN, and through the VPN routers outside connection, giving them access to other resources.
    The remote subnet would need to be added to the NAT overload pool that the local LAN is on somehow, but since no interface is created, I am unsure where I would need to put "ip nat inside" if it even needs to be done, or if I am just missing something.
    I guess really what I want to do is tunnel all traffic, and have that remote client IP translate to the NAT pool on the router for internet access.
    Thanks.

    Have a look here for solution
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
    Regards

  • Setting up static nat for ip addresses

    We recently switched to a verizon fios line. Our company has two offices (CA, NC). There are servers in NC that we need to be able to print to printers in CA. 
    We have 5 static IP's from Verizon, I set 3 of the remaining IPs as a static nat to the private ips of the printers. I cannot ping these static public ips. I even have the port forwarding from UDP/TCP set to any for both the Source and Destination ports. 
    Can anyone help me as to why I cannot ping these IP addresses?
    I can ping the private IP's from the private network (CA) that the printers are on.
    Solved!
    Go to Solution.

    No, it does not. But they are working this morning. Maybe the DNS needed to propigate? Not sure but it works now. 

  • Have a static IP for internet access - how do I replace my Linksys wireless router with Time Capsule?

    Have 5 macs on an ethernet network - some wired and some wireless to a Linksys router.  My provider uses static IP and DSL for internet access.  I am replacing an existing Linksys router with the Time Capsule.  The Static IP settings I have are IP address, Gateway, Mask, primary DNS and secondary DNS.  The Airport Utility is not as straight forward as the Linksys setup.  There is not a place to list gateway.  Consequently I am unable to connect to the internet and am back on the Linksys router until I get this resolved.  Any suggestions would be much appreciated !

    You enter the static public IP address info on the TCP/IP tab within the Airport Utility. For a static address, use Configure IPv4 = Manually. You use the Router field for the Gateway address.

  • Command to see host and static nat for the same object together

    I have researched this but cannot find an answer.  ASA running version 8.5.
    When you create the config using object NAT you enter the commands as follows
    object network <object name>
       host x.x.x.x
       nat (inside,outside) static y.y.y.y
    When the config is displayed it separates the host and nat commands in two different sections of the config as follows
    object network <object name>
       host x.x.x.x
    object network <object name>
       nat (inside,outside) static y.y.y.y
    Is there a command that will display it all together (like it was typed in)?  Show NAT is something like what I am after but without all of the extra info such as translate_hits, untranslate_hits etc. I need this information but cleaning up the output of a show nat is going to be tough.
    Any suggestions?  
    Thanks.

    Sorry, show nat detail is what I meant in the original post in place of show nat.   Show nat detail still has all of the extra info I was trying to avoid.  Guess I will be editing a text file.
    Thanks for the reply.

  • Bug report with proposed solution for mounting external drives for ftp access

    Hello Guys,   I registered to inform you about something I would classify as a bug. I realized this when I used an external drive with my WD My Cloud and trying to access the drive via ftp. It simply was not visible on the ftp, but was accessible as samba share. I digged a bit in the scripts and found this:  /etc/init.d/mountDataVolume.sh   [...]
    ## initialze bind mount dir (/nfs)
    /usr/local/sbin/updateShareBindMntDir.sh --init
    [...]  /usr/local/sbin/updateShareBindMntDir.sh  [...]
    init_mounts()
    mount | grep -q "${SHARE_BIND_MNT_DIR}/"
    if [ $? -ne 0 ]; then
    # initial clean up of MNT dir
    rm -rvf ${SHARE_BIND_MNT_DIR}/*
    fi
    for D in `find /shares/ -maxdepth 1 -mindepth 1 -type d -not -name ".*"`; do
    share_name=$(basename $D)
    add_mount "${share_name}"
    done
    [...]   The init_mounts() function searches /shares for directories (find -type >d<) and bind mounts these to SHARE_BIND_MNT_DIR (default: /nfs) by calling add_mount(). This is the directory where ftp users will drop in after logging in. The problem: find -type d will not find symlinks and external drives are represented by a symlink from /shares to /var/media/EXTERNALDRIVE I propose adding the following code at the end of init_mounts()   for D in `find /shares/ -maxdepth 1 -mindepth 1 -type l -not -name ".*"`; do
    share_name=$(basename $D)
    add_mount "${share_name}"
    done That will look for symlinks in /shares and call add_mount() for each symlink to bind mount it to SHARE_BIND_MNT. I think this is not intended aka a bug because I found this comment for add_mount(): # - If <share_name> is a symlink to an external volume, then create the bind mount
    # directly to the external volume.As it seems from this comment add_mount() supports symlinks but init_mounts does not feed it any.   I tried this solution myself and it works flawlessly.   Yours sincerely,schnip

    Nice find!

  • Static NAT for Secondary IP addresses

    I am running a Novell SBS 6.0 SP4 server w/Border Manager 3.6 Sp2 with two
    Netcards. My Two public IP address w/different subnets on the same Net
    card will keep running but the secondary IP address fail after a few
    hours, but can be pinged from inside the Network. The following is how my
    config is setup:
    Netcard #1(public):
    IP #1 - 66.170.173.100 Subnet 255.255.255.240
    Static/Dynamic 66.170.173.17 -> 192.xxx.1.22
    66.170.173.18 -> 192.xxx.1.23
    66.170.173.20 -> 192.xxx.2.25
    IP #2 - 66.170.173.17 Subnet 255.255.255.248
    Static/Dynamic - Disabled
    Secondary Ip Address bound -> 66.170.173.18
    -> 66.170.173.20
    Netcard #2 (private)- 192.xxx.1.16
    The modem is connected directly to Netcard #1 with not router between
    them. Is there something wrong with this setup or is there something else
    I have to do? My filters seem to be working fine as far as I know.
    Thank you,
    [email protected]

    > hi Ken,
    >
    > do you have a way to verify that the secondary IP addresses work
    properly if
    > they're associated to another device?
    > What's the agreement you have with your ISP about the two subnet of
    > addresses? Are they aware that they're associated to the same physical
    > device? I'm wondring if there is something wrong in the wireless system
    that
    > prevents ARP from working properly in that configuration.
    >
    > --
    > Caterina Luppi
    > Novell Support Connection Volunteer Sysop
    > <[email protected]> wrote in message
    > news:zj7mc.1918$[email protected]..
    > > > Hi Ken,
    > > >
    > > > > Whos router are we talking about? Is it the modem of the ISP just
    > > before
    > > > > my server or my internal switches for my workstations?
    > > >
    > > > sorry, my bad. I was referring to the modem of the ISP. I suspect
    this
    > is
    > > > not a modem only, right? I mean, you have an ethernet connection
    between
    > > the
    > > > modem and the BM server, correct? In this case the device of your
    ISP is
    > > a
    > > > modem/router, not a modem only.
    > > > Are you using DSL or cable?
    > > > --
    > > > Caterina Luppi
    > > > Novell Support Connection Volunteer Sysop
    > > >
    > > >
    > > Yes, we are running wireless DSL. They called it a modem, but it might
    be
    > > a router.
    > >
    > > [email protected]
    >
    >
    I just received an email back from the ISP and they said they have had
    troubles with that modem and ARP tables. They are going to swap out the
    modem when they get the new type of modems in. I will post back the
    outcome when they swap them out.
    Thank you for the help,
    [email protected]

  • MS NLB with ASA and Static NAT from PUP to NLB IP

    Hi all,
    I am trying to get MS NLB up and running.  It is almost all working.  Below is my physical setup.
    ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
    I have two VMs runing on two different ESXi hosts.  They have two vNICs.  One for managment and one for inside puplic subnet.  The inside puplic subnet NICs are in the NLB cluster.  The inside public subnet is NATed on the ASA to a outide public IP.
    192.168.0.50 is the 1st VM
    192.168.0.51 is the 2nd VM
    192.168.0.52 is the cluster IP for heartbeat
    192.168.0.53 is the cluster IP for NLB traffic.
    0100.5e7f.0035 is the cluster MAC.
    The NLB cluster is using MULTICAST
    I have read the doumentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC. 
    For the ASA I found
    http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
    ASDM
    Configuration > Device Management > Advanced > ARP > ARP Static Table
    I was able to add my stic ARP just fine.
    However, the next step was to enable ARP inspection.
    Configuration > Device Management > Advanced > ARP > ARP Inspection
    My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.
    For the CAT Switch I found
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
    I added the both the ARP and Static MAC.  For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
    On the ASA I added a static NAT for my outside Public IP to my inside pupblic NLB IP and vise versa.  I then added a DNS entry for our domain to point to the outside public IP.  I also added it to the public servers section allowing all IP traffic testing puproses.
    At any rate the MS NLB is working ok. I can ping both the Public IP and the Inside NLB IP just fine from the outside. (I can ping the inside NLB IP becuase I'm on a VPN with access to my inside subnets)  The problem is when I go to access a webpade from my NLB servers using the DNS or the Public IP I get a "This Page Can't Be Displyed" messgae.  Now while on the VPN if I use the same URL but insied use the NLB IP and not the Public IP it works fine. 
    So I think there is soemthing wrong with the NATing of the Public to NLB IP even tho I can ping it fine.  Below is my ASA Config. I have bolded the parts of Interest.
    Result of the command: "show run"
    : Saved
    ASA Version 8.4(4)9
    hostname MP-ASA-1
    enable password ac3wyUYtitklff6l encrypted
    passwd ac3wyUYtitklff6l encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 198.XX.XX.82 255.255.255.240
    interface Ethernet0/1
    description Root Inside Interface No Vlan
    speed 1000
    duplex full
    nameif Port-1-GI-Inside-Native
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/1.2
    description Managment LAN 1 for Inside Networks
    vlan 2
    nameif MGMT-1
    security-level 100
    ip address 192.168.180.1 255.255.255.0
    interface Ethernet0/1.3
    description Managment LAN 2 for Inside Networks
    vlan 3
    nameif MGMT-2
    security-level 100
    ip address 192.168.181.1 255.255.255.0
    interface Ethernet0/1.100
    description Development Pubilc Network 1
    vlan 100
    nameif DEV-PUB-1
    security-level 50
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/1.101
    description Development Pubilc Network 2
    vlan 101
    nameif DEV-PUB-2
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    interface Ethernet0/1.102
    description Suncor Pubilc Network 1
    vlan 102
    nameif SUNCOR-PUB-1
    security-level 49
    ip address 192.168.3.1 255.255.255.0
    interface Ethernet0/1.103
    description Suncor Pubilc Network 2
    vlan 103
    nameif SUNCOR-PUB-2
    security-level 49
    ip address 192.168.4.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa844-9-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network Inside-Native-Network-PNAT
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network with PNAT
    object network ASA-Outside-IP
    host 198.XX.XX.82
    description The primary IP of the ASA
    object network Inside-Native-Network
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network
    object network VPN-POOL-PNAT
    subnet 192.168.100.0 255.255.255.0
    description VPN Pool NAT for Inside
    object network DEV-PUP-1-Network
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUP-1 Network
    object network DEV-PUP-2-Network
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUP-2 Network
    object network MGMT-1-Network
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1 Network
    object network MGMT-2-Network
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2 Network
    object network SUNCOR-PUP-1-Network
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUP-1 Network
    object network SUNCOR-PUP-2-Network
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUP-2 Network
    object network DEV-PUB-1-Network-PNAT
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUB-1-Network with PNAT
    object network DEV-PUB-2-Network-PNAT
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUB-2-Network with PNAT
    object network MGMT-1-Network-PNAT
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1-Network with PNAT
    object network MGMT-2-Network-PNAT
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2-Network with PNAT
    object network SUNCOR-PUB-1-Network-PNAT
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUB-1-Network with PNAT
    object network SUNCOR-PUB-2-Network-PNAT
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUB-2-Network with PNAT
    object network DEV-APP-1-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-APP-2-SNAT
    host 192.168.2.120
    description DEV-APP-2 Server with SNAT
    object network DEV-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-SQL-1
    host 192.168.0.110
    description DEV-SQL-1 Inside Server IP
    object network DEV-SQL-2
    host 192.168.2.110
    description DEV-SQL-2 Inside Server IP
    object network SUCNOR-APP-1-PUB
    host 198.XX.XX.XX
    description SUNCOR-APP-1 Public Server IP
    object network SUNCOR-APP-2-SNAT
    host 192.168.4.120
    description SUNCOR-APP-2 Server with SNAT
    object network SUNCOR-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network SUNCOR-SQL-1
    host 192.168.3.110
    description SUNCOR-SQL-1 Inside Server IP
    object network SUNCOR-SQL-2
    host 192.168.4.110
    description SUNCOR-SQL-2 Inside Server IP
    object network DEV-APP-1-SNAT
    host 192.168.0.120
    description DEV-APP-1 Network with SNAT
    object network SUNCOR-APP-1-SNAT
    host 192.168.3.120
    description SUNCOR-APP-1 Network with SNAT
    object network PDX-LAN
    subnet 192.168.1.0 255.255.255.0
    description PDX-LAN for S2S VPN
    object network PDX-Sonicwall
    host XX.XX.XX.XX
    object network LOGI-NLB--SNAT
    host 192.168.0.53
    description Logi NLB with SNAT
    object network LOGI-PUP-IP
    host 198.XX.XX.87
    description Public IP of LOGI server for NLB
    object network LOGI-NLB-IP
    host 192.168.0.53
    description LOGI NLB IP
    object network LOGI-PUP-SNAT-NLB
    host 198.XX.XX.87
    description LOGI Pup with SNAT to NLB
    object-group network vpn-inside
    description All inside accessible networks
    object-group network VPN-Inside-Networks
    description All Inside Nets for Remote VPN Access
    network-object object Inside-Native-Network
    network-object object DEV-PUP-1-Network
    network-object object DEV-PUP-2-Network
    network-object object MGMT-1-Network
    network-object object MGMT-2-Network
    network-object object SUNCOR-PUP-1-Network
    network-object object SUNCOR-PUP-2-Network
    access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
    access-list outside_access_out remark Block ping to out networks
    access-list outside_access_out extended deny icmp any any inactive
    access-list outside_access_out remark Allow all traffic from inside to outside networks
    access-list outside_access_out extended permit ip any any
    access-list outside_access extended permit ip any object LOGI-NLB--SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
    access-list outside_access extended permit ip any object DEV-APP-2-SNAT
    access-list outside_access extended permit ip any object DEV-APP-1-SNAT
    access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu Port-1-GI-Inside-Native 1500
    mtu MGMT-1 1500
    mtu MGMT-2 1500
    mtu DEV-PUB-1 1500
    mtu DEV-PUB-2 1500
    mtu SUNCOR-PUB-1 1500
    mtu SUNCOR-PUB-2 1500
    mtu management 1500
    ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any Port-1-GI-Inside-Native
    icmp permit any MGMT-1
    icmp permit any MGMT-2
    icmp permit any DEV-PUB-1
    icmp permit any DEV-PUB-2
    icmp permit any SUNCOR-PUB-1
    icmp permit any SUNCOR-PUB-2
    asdm image disk0:/asdm-649-103.bin
    no asdm history enable
    arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
    arp timeout 14400
    no arp permit-nonconnected
    nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    object network Inside-Native-Network-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network VPN-POOL-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network DEV-PUB-1-Network-PNAT
    nat (DEV-PUB-1,outside) dynamic interface
    object network DEV-PUB-2-Network-PNAT
    nat (DEV-PUB-2,outside) dynamic interface
    object network MGMT-1-Network-PNAT
    nat (MGMT-1,outside) dynamic interface
    object network MGMT-2-Network-PNAT
    nat (MGMT-2,outside) dynamic interface
    object network SUNCOR-PUB-1-Network-PNAT
    nat (SUNCOR-PUB-1,outside) dynamic interface
    object network SUNCOR-PUB-2-Network-PNAT
    nat (SUNCOR-PUB-2,outside) dynamic interface
    object network DEV-APP-2-SNAT
    nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
    object network SUNCOR-APP-2-SNAT
    nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
    object network DEV-APP-1-SNAT
    nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
    object network SUNCOR-APP-1-SNAT
    nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
    object network LOGI-NLB--SNAT
    nat (DEV-PUB-1,outside) static LOGI-PUP-IP
    object network LOGI-PUP-SNAT-NLB
    nat (outside,DEV-PUB-1) static LOGI-NLB-IP
    access-group outside_access in interface outside
    access-group outside_access_out out interface outside
    route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 outside
    http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
    http 192.168.180.0 255.255.255.0 MGMT-1
    http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
    : end
    Any help would be great! I think the issue is in teh NAT as I am able to access NLB IP from the outside and could not do that before adding the Static ARP stuff. 
    Thanks,
    Chris

    Also If I change to NAT from the public IP to the NLB IP to use either one of the phsyical IPs of the NLB cluster (192.168.0.50 or 51) it works fine when using the public IP.  So it's definatly an issue when NATing the VIP of NLB cluster.
    Chris

  • Static nat & public IP on inside interface.

    Hello Guys,
    I am facing some issue related to static nat please provide your replies. let me explain the scenario.
    At site we have 4 cameras connected on switch and NVR (network video recorder) also connected on the same switch.
    Locally at site we are able to access the four cameras via http/web and also through NVR software .
    In order to access this cameras from remote location, we did static natting in router with pubic ip address for this cameras private IP address. Find nat table below.
    At remote site/from internet when we are adding the cameras in NVR software using public IP address. Later automatically public IP address resolving into private IP address.
    We are able to access cameras individually using http://<public ip address for camera> but when we try to add it in INVR software its changing public ip address to private.
    Camera Name
    Private IP address
    Public IP address
    Camera 1
    192.168.1.3
    xx. x8.23.115
    Camera 2
    192.168.1.4
    xx.x8.23.116
    Camera 3
    192.168.1.5
    xx.x8.23.117
    Camera 4
    192.168.1.6
    xx.x8.23.118
    Below is the configuration for the router. I am concerned about the public IP address which is assigned on internal/LAN interface instead of outisde interface by ISP. In other project i experienced Public IP address is at outside interface and private is at inside interface and we do static nat for inside to outside interface.
    But here when i access the cameras through public IP individually its working but not when i am adding this public IP in NVR software. May be something is wrong with static.
    interface GigabitEthernet0/0.1
     encapsulation dot1Q 868
     ip address 172.20.38.26 255.255.255.252
     ip nat outside
     ip virtual-reassembly in
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0 secondary
     ip address 212.x.x.113 255.255.255.240                       (its a public IP address)
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    ip nat inside source list 10 pool SLT overload
    ip nat inside source static 192.168.1.3 x.x.23.115
    ip nat inside source static 192.168.1.4 x.x.23.116
    ip nat inside source static 192.168.1.5 x.x.23.117
    ip nat inside source static 192.168.1.6 x.x.23.118
    ip route 0.0.0.0 0.0.0.0 172.20.38.25
    access-list 10 permit 192.168.1.0 0.0.0.255
    ip nat translation tcp-timeout 1000
    ip nat translation udp-timeout 1000
    ip nat pool SLT xx.xx.23.114 xx.xx.23.114 netmask 255.255.255.240
    ip nat inside source list 10 pool SLT overload
    Please advise on the above configuration. Your help in the above regard will be highly appreciated.
    Many Thanks in Advance.

    It is a bit odd to see the IPv4 address assigned this way. (Putting it on a Loopback would be a more elegant approach if the ISP is using private addresses for the WAN link.) But, there's nothing in here that would cause the NAT to fail. I suspect that the cameras are doing an HTTP redirect to their private IPv4 addresses at some point and this is causing your software to switch.
    With this configuration, there's no reason why you can't just put the cameras directly on the public addresses and forego the NAT entirely. If there is a redirect going on, they will redirect to the correct IPv4 address and things will still work.

  • Static Nat and VPN conflict

    Hi
    I could not quite find any information that was close enough to my problem that would enable me to solve it so hence I am now reaching out to you guys.
    I have a Cisco ASA running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with and IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171 .
    I have a site to site VPN tunnel which terminates on the outside of the ASA on the outside interface XXX.XXX.XXX.190 .
    Traffic from the YYY.YYY.YYY.0/24 network can't transverse the site to site VPN as there is a conflict of IP address's on the far side so it is natted via a dynamic policy to host address ZZZ.ZZZ.ZZZ.100
    Users remote into the inside(YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site to site VPN. The problem is that the static NAT for the incomming connections takes preference and bypasses the site to site VPN tunnel for outbound traffic. I tried to create a policy Static nat but it tries to modify the static nat that handels the incomming traffic to the Linux server.
    I hope the above makes sense.

    Hi
    intersting VPN ACL
    object-group network DM_INLINE_NETWORK_18
         network-object YYY.YYY.YYY.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_22
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
    Static NAT
    static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
    No NAT
    object-group network DM_INLINE_NETWORK_20
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
    VPN CLient Pool
    No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
    I hope this helps
    Thanks

  • Port 21 not open - FTP access denied - Help please :-)

    I am running Server 10.3.9 on a DP 1.8 G5 with 1 GB RAM.
    I configured and started ftp services and set up a user and folder. Tried to access using fetch from a machine on the LAN before setting up NAT for WAN access and got an Access Denied message. Did a port scan of the server and found that there are no ports open in the 20-23 range. I am not running the server's firewall.
    Can somebody tell me how to open up port 21? Please use small words
    DP G5 - 1GB RAM   Mac OS X (10.3.9)  

    Stumbled across somebody else's post. Turns out port 21 likes to close itself at times. A restart took care of it.

Maybe you are looking for

  • KDE and kde apps don't started

    Couple of days ago i had installed arch32 from arch64 using this how-to https://wiki.archlinux.org/index.php/Sw … i686_HOWTO, everything works fine except i needed to reinstall man-db & delete libreoffice configuration dir. Yesterday evening i instal

  • Ipod nano says cannot update playlists due to lack of available space

    Recently after I left my ipod nano charging overnight mysteriously all the songs were removed from it (not on my computer - just the ipod unit). Whenever I try to "Update Administrator iPod" it comes up with the message that it doesn't have enough sp

  • List of open PR's

    Dear Gurus, We have one customized report for open PR, 1. This report shows the Purchase requisitions which are Partly processed along with PR's which are not at all processed. For this report we need a selection option on the selection screen which

  • How to include atribute xsi:type in the xml generated through java

    Hi, i am generating an xml using java and castor. I want to include this attribute in my xml: xsi:type="abc" for example: My snippet is: Underwriting_detail[] underwritingDetail = new Underwriting_detail[1]; underwritingDetail[0] = new Underwriting_d

  • Release Strategy in PO for direct materials not driven by MRP

    We have a requirement to enable release strategy for purchase orders created for direct materials that are not driven from an MRP requirement for a single plant. Request you to let me know how I can make this work. I have an option to make it mandato