Static NAT or NAT exemption?

So my situation is kind of unique. I'm currently configuring an ASA5510 (ver. 8.4) to replace an OpenBSD router box. My company was originally given a /24 of public IPs.....yes it's weird. We are currently working on eliminating the public vlan in our office. Currently half the company is using these public IPs for their computers and half are on a private vlan. We also have several servers on the public vlan. Everything is connected to a layer 3 switch that routes between these computers. When we first implement the ASA we want to leave the servers on the public vlan and have them still accessible from the outside by the same IP address. Currently the OpenBSD box just doesn't NAT the public vlan.
We were looking at 2 solutions.
1. NAT the server IPs to themselves, i.e. if the server has an IP of 80.80.80.2 then the nat statement would look something like:
nat (inside,outside) 80.80.80.2 80.80.80.2
This is what we think would work best.
2. We create a nat exemption rule for that entire public vlan.
Is our theory correct that option 1 works best? Any other suggestions? We do not want to implement a DMZ because we have such sensitive data and only our web server could exist in our DMZ. My company is small....the simpler the solution, the better.

The only difference between these options is that static identity NAT would create an xlate entry on the firewall, whereas NAT exemption would not create the xlate on the firewall.

Similar Messages

  • Is there a difference between NAT Traversal & NAT Transparency?

    What is the difference between NAT Traversal & NAT Transparency?
    And does (NAT-T) refers to NAT Traversal or NAT Transparency?

    As in, how the screen's pixels display colors?  No, there shouldn't be any difference.

  • How to setup OD Master with 1 Static IP and NAT?

    I'm attempting to set up an OD Master on my server. Currently, I only have 1 static IP from the ISP, so the router gets it.
    Pretty much all ports are forwarded from the router to the server, which is running DNS, Mail and Web currently as a standalone server.
    The server (in network preferences) has a local IP address.
    DNS is set up using the global address (PTR record is done by the ISP)
    DNS resolves correctly (checked using dig)
    Mail services are all good.
    Web services are all good.
    So, by my checklist:
    hostname: server.example.com
    DNS: resolved to FQDN and IP
    All should be ok for an OD Master (so I thought).
    I added the Open Directory Service.
    Changed Standalone to "Open Directory Master"
    Followed the steps.
    Kerberos was stopped when finished. I noted that during OD setup, after the screen where I input the OD Administrator username/password, the next screen should be related to Kerberos, but the screen did not come.
    Is it possible to use Kerberos in my configuration (single IP NAT to local IP)?
    +(I suspect that even though DNS resolves, there are issues with my DNS setup, as sudo changeip -checkhostname reveals a primary IP address as a local address and not the global address. The DNS hostname is not available, please repair DNS and re-run this tool.)+

    ... unanswered. withdraw question

  • IOS static destination Port NAT for Proxy-Service

    HTTP Internet traffic (tcp 80) from clients connected to interface1 (10.0.0.0/8) should be transferred/scanned via the proxy server (192.168.0.1) on interface2, which listens on port tcp 8080.
    HTTP traffic from the clients is routed via PBR to the proxy.
    But I don't know how to NAT the destination port from the clients (tcp 80) to the service port used by the proxy (8080) WITHOUT NATting the original source and destination address.

    object network nec1100_cpu
     host 192.168.0.201
    nat (inside,outside) static my-public-IP service udp 5060, 5080 5081
    Or you can also do this in the same way.
    object network nec1100_cpu
     host 192.168.0.201
    nat (inside,outside) static my-public-IP 
    Control udp port via the ACL on the outside interface.
    Hope this helps.
    thanks
    Rizwan Rafeek

  • Manual Nat (twice Nat) Answers

    There seems to be a large number of the subject queries in one form or another.  Having acquired an ASA 5505 and using 8.43 firmware and the ASDM GUI for router configuration, it has not been an easy transition from other products.   I have come to understand embedded NAT objects for basic port forwarding but am at a loss on configuring twice NAT or manual NAT, not really ever dealing with it before, or in this manner.  
    What I would like to suggest to the experts and to those with the ability to give advice to document editors is to include far more ASDM web GUI examples and discussion for manual NAT.   The tools are all there - in the NAT rules editing page, the display of the rules pictorially and the packet flow at the bottom of the page (and finally through packet tracing).   What is needed is more on the actual entries on the NAT editing pages and the logic and explanation of those entries.   In this forum what I would like to see is, when there are responses, that they include both the CLI recommended entries AND the associated ASDM web GUI pics.  With good documents for reading and examples in the forum, I think there should be much less confusion, allowing more attention to some very complex scenarios.   I personally feel a bit embarrassed to be asking basic questions and appreciate the responses, but with improvements in docs and forum answers the number of such questions should drop.  At the very least I and others like me will get better edumecated.    To be clear, I am not looking for the easy cookie cutter right answers, I am looking to understand Cisco packet routing through explanations of the web GUI entries. In fact, I am learning far more by trying to understand the web GUI vice simply copying and entering CLI commands.  In terms of documents, for example, there should be a very thorough explanation of the relationship between "Translated Addr:" in the first NAT editing page and "Destination Interface" in the second Advanced page.
    Thanks.
    Examples below of what I am talking about (note the examples are simple embedded NAT object (port forwarding) rules).  I can finally handle external users requiring access to internal servers. :-)  But that is just the surface.
    I have added the packet tracing jpegs for further context.  There is an UNNAT lookup entry (first trace block, out of view on the pic), a concept which is missing in the documentation I've read and needs to be added, but it is illuminating in how the router handles traffic.   What is also interesting is the fourth jpeg, which also shows the flow designation of a packet and its handling internally (new packet or one that is associated with an existing packet (previously identified and put in an appropriate table, xlate etc)).

    Hi,
    I've personally always preferred using CLI over GUI. Probably comes due to the fact I started with old Cisco switches and routers.
    When I first used a Cisco PIX the switch from switches/routers was a bit hard. The configuration format in 6.x was totally different from the IOS. After I upgraded the first PIX to software 7.0 it was a bit more familiar already. Interfaces were now configured like in the switches and routers. Also permitting traffic through the device used access-lists.
    I was just beginning to handle all the different NAT setups (at least the ones we run into) and then came 8.3 (and 8.4) which totally changed the NAT configuration format.
    I still find myself configuring the NAT through CLI. I use the CLI because I like being able to see the whole device configuration without jumping from tab to tab and clicking drop down menus. I mostly use ASDM to edit existing configurations or something that I might not be as familiar with. Though my goal usually is to learn to configure the same from the CLI after I've done it a couple of times from the GUI interface.
    If you're only using the ASDM GUI to configure the ASA, I suggest you go to "Tools -> Preferences" and from there enable the option "Preview commands before sending them to the device". This will basically show you all configurations that you are going to apply in the CLI format. I think this preview setting is off by default.
    EDIT2: One really helpful thing is also the fact that you can get help for almost every configuration page on the ASDM GUI. I think there's almost always a direct "Help" button that opens information about the configuration page in question and clarifies all the options you have on the page. Again, as I haven't used ASDM much, I don't know if they clarify the things you are asking for.
    The first 2 pictures to my understanding illustrate the configuration of a port forwarding using the "outside" interface's address.
    The first picture's Translated Address just refers to the fact that you are going to use the "outside" interface's IP address (whatever it might be) to configure a NAT. The ASDM has a habit of giving names to IP addresses, which can confuse you. The same line might as well contain an IP address in numeric format if you for example had a small public subnet at your disposal for NAT translations.
    The second picture's source/destination interface just basically tells you the interfaces between which the NAT is being performed. Either of these can also be specified as "any".
    I'll give you a couple of examples
    EXAMPLE 1
    The below configuration basically tells the ASA that it will PAT all outbound (outside) traffic from the source networks defined in the object-group to the outside interface address. It also tells that the source interface can be any interface on the ASA.
    So basically if you keep adding interfaces to an ASA (or networks behind them) that need default PAT translations when they use the Internet, you can just keep adding "network-object x.x.x.x y.y.y.y" statements with the new networks under the object-group and the ASA will do PAT for them. You won't have to configure any additional NAT statements.
    object-group network DEFAULT-PAT-SOURCE-NETWORKS
     description Source Networks for PAT
     network-object 10.10.10.0 255.255.255.0
     network-object 192.168.0.0 255.255.255.0
     network-object 172.16.8.0 255.255.255.0
    nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE-NETWORKS interface
    EXAMPLE 2
    The below configuration basically tells the ASA that the DMZ server will be visible to other hosts behind other ASA interfaces with the same NAT IP of "1.2.3.4". This could apply to situations where you want to access the DMZ server with the same public IP address from both the Internet and the LAN.
    This could help with situations where your LAN uses public DNS and that DNS points to the server's public IP address. With this NAT configuration, even though your LAN hosts are connecting to a public IP address, the device will still be accessible from the LAN since you're NATing the DMZ server towards all interfaces.
    object network DMZ-PUBLIC-STATIC
     description Static Public IP for DMZ server
     host 192.168.10.10
     nat (dmz,any) static 1.2.3.4 dns
    The UN-NAT section to my understanding just tells you that a connection coming from outside to a NAT IP is basically forwarded to the actual LAN host IP address and not the public IP the user was originally connecting to.
    To be honest I don't really know how to configure well with the ASDM as I usually just use the CLI. Because of that I'm sometimes at a loss on how to configure the most simple things because I've only done them on the CLI.
    Hope some of this was helpful to you
    EDIT: Didn't realize I wrote so much
    - Jouni

  • ASA 8.2(1) Global and NAT statements, natting certain internal hosts

    Hi, I have what I believe will be an easy question, but I cannot find the answer and cannot afford to test it on our production ASA.
    I am running an ASA firewall; we are performing PAT with one public IP address for all inside traffic accessing the Internet.  We need to implement a solution where whenever two or three internal hosts/servers access the Internet, they need to appear to come from a unique public IP, different from the current global IP for all other internal traffic.  I understand I could NAT their internal IP address to a public IP, but I don't need each server to have its own public IP; I'd like for all of them to share one.
    Thoughts on how to accomplish this?  Thanks!

    Hi,
    To my understanding you would just create a new Dynamic PAT configuration using different NAT ID for these hosts.
    Though when you create a separate Dynamic PAT for some hosts with a new NAT ID you will have to make sure that this NAT ID has a rule towards any interface they had before.
    In a very basic setup there should only be Dynamic PAT between your "inside" and "outside" interfaces (presuming that's what they are called on your firewall)
    This would mean that if you had for example a network 10.10.10.0/24 and you performed Dynamic PAT for that network using the "outside" interface IP address you would then configure the following
    global (outside) 1 interface
    nat (inside) 1 10.10.10.0 255.255.255.0
    So the above is probably the type of configuration you have at the moment?
    For the 2/3 hosts you have that need a different PAT IP address you could probably configure something like this (1.1.1.1 is just an example IP instead of the actual public IP address that is different from the interface IP address)
    global (outside) 2 1.1.1.1
    nat (inside) 2 10.10.10.1
    nat (inside) 2 10.10.10.2
    nat (inside) 2 10.10.10.3
    If the original ID 1 NAT rule had "global" statements for some other interface then you would most likely need ID 2 configurations for those too. Though generally Dynamic PAT is only performed towards other external networks which usually means only the "outside" interface.
    Without seeing the configurations I don't think I can say much more.
    Naturally "packet-tracer" is an excellent command to confirm what NAT/PAT is applied for a host's connection.
    For example if you wanted to test host 10.10.10.1 applied ASA configurations/rules towards some external hosts you could issue this command
    packet-tracer input inside udp 10.10.10.1 12345 8.8.8.8 53
    This should tell you what NAT translation is performed for this traffic (it simulates a destination port UDP/53 connection towards 8.8.8.8). Naturally you can also confirm things through firewall logs and the translation table of the device.
    Active translations on the firewall you can show with the command
    show xlate
    It does have a lot of additional parameters after the "xlate" if you want to have more specific output
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • Static NAT and IPSec VPN

    This may be stupid, but could somebody help with this.
    Site A --- Internet --- Site B
    An IPSec VPN is implemented between Site A and Site B. Some "nat 0" commands are used on Site A PIX to avoid addresses being translated when communicating with site B.
    But now there is a problem: there are several public servers which have static NAT entries via the "static" command. And it looks like these entries will still be valid even if the "nat 0" is present. And thus those inside IPs which have a static NAT will be translated once they reach the PIX and cannot go via the VPN tunnel.
    May someone advise me how to overcome this? Thanks.

    Your question really pertains to the NAT order of operations. Nat 0 (NAT exemption) is first in the order. It precedes all others, including static NAT. The servers you mention will absolutely be included in the nat 0 unless they are specifically denied in the nat 0 ACL.
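Two replies on this page describe the pre-8.3 NAT order of operations: Jouni's answer in the "ASA 8.2(1) Global and NAT statements" thread (a separate NAT ID with its own global address for a few hosts) and the answer just above (nat 0 is evaluated before static, and a deny ACE keeps a host out of the exemption). The Python model below is an added example written for this page; it is not Cisco's code or anything posted in these threads. The class name Pix82Nat, its method names, the addresses 10.1.0.0/16, 10.2.0.0/16 and 203.0.113.x, and the assumption that the most specific matching nat statement wins among overlapping dynamic rules are all constructed for the illustration (1.1.1.1 is Jouni's own example address).

```python
import ipaddress


def net(s):
    return ipaddress.ip_network(s, strict=False)


class Pix82Nat:
    """Toy model (constructed for this example) of the pre-8.3 NAT order of operations:
    1. nat 0 access-list (NAT exemption): first matching ACE decides, a deny ACE
       excludes the flow from exemption;
    2. static;
    3. nat/global (dynamic NAT/PAT), assumed: the most specific matching nat statement wins."""

    def __init__(self):
        self.exempt_acl = []   # (action, src_net, dst_net) in configuration order
        self.statics = {}      # real host address -> mapped address
        self.dynamic = []      # (nat_id, src_net)
        self.globals = {}      # nat_id -> mapped (PAT) address

    def nat0_ace(self, action, src, dst):      # access-list X permit|deny ip src dst
        self.exempt_acl.append((action, net(src), net(dst)))

    def static(self, mapped, real):            # static (inside,outside) mapped real
        self.statics[ipaddress.ip_address(real)] = mapped

    def nat(self, nat_id, src):                # nat (inside) <id> <network>
        self.dynamic.append((nat_id, net(src)))

    def global_addr(self, nat_id, mapped):     # global (outside) <id> <address>
        self.globals[nat_id] = mapped

    def translate(self, src_ip, dst_ip):
        """Return (nat_type, mapped_source) for a flow from src_ip to dst_ip."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for action, s, d in self.exempt_acl:
            if src in s and dst in d:
                if action == 'permit':
                    return ('exempt', str(src))
                break                          # deny ACE: not exempt, evaluate the other NAT types
        if src in self.statics:
            return ('static', self.statics[src])
        matches = [(s.prefixlen, nat_id) for nat_id, s in self.dynamic
                   if src in s and nat_id in self.globals]
        if matches:
            _, nat_id = max(matches)           # longest prefix, i.e. most specific nat statement
            return ('dynamic', self.globals[nat_id])
        return ('none', str(src))


# Constructed addresses: Site A LAN, Site B LAN behind the tunnel, a web server with a static.
SITE_A, SITE_B = '10.1.0.0/16', '10.2.0.0/16'
WEB_REAL, WEB_MAPPED, PAT_ADDR = '10.1.0.10', '203.0.113.10', '203.0.113.1'


def site_a_pix(exclude_web_server=False):
    """Site A PIX from the 'Static NAT and IPSec VPN' thread, optionally with the
    server kept out of the exemption by a deny ACE placed before the permit."""
    p = Pix82Nat()
    if exclude_web_server:
        p.nat0_ace('deny', WEB_REAL + '/32', SITE_B)
    p.nat0_ace('permit', SITE_A, SITE_B)
    p.static(WEB_MAPPED, WEB_REAL)
    p.global_addr(1, PAT_ADDR)
    p.nat(1, SITE_A)
    return p


def two_pat_pools():
    """The 8.2 'a few hosts need their own PAT address' setup from Jouni's reply:
    ID 1 for the /24, ID 2 (global 1.1.1.1, his example address) for three hosts."""
    p = Pix82Nat()
    p.global_addr(1, 'outside-interface')      # stands for: global (outside) 1 interface
    p.nat(1, '10.10.10.0/24')
    p.global_addr(2, '1.1.1.1')
    for host in ('10.10.10.1', '10.10.10.2', '10.10.10.3'):
        p.nat(2, host + '/32')
    return p


if __name__ == '__main__':
    print(site_a_pix().translate(WEB_REAL, '10.2.5.5'))          # server to Site B: exempt
    print(site_a_pix(True).translate(WEB_REAL, '10.2.5.5'))      # excluded: static applies
    print(two_pat_pools().translate('10.10.10.2', '8.8.8.8'))    # ID 2 wins over ID 1
```

The model reproduces the two observations in the threads: with only a permit ACE the server's tunnel-bound traffic is exempt (the static is never consulted), a deny ACE for that server ahead of the permit is what makes its static apply instead, and a /32 nat statement under ID 2 is preferred over the /24 under ID 1 for the three hosts while everything else in the /24 still uses the ID 1 global. On a real device, "packet-tracer" and "show xlate", as Jouni notes, are the way to confirm which rule a flow actually hit.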

  • Example of Manual NAT to implement NAT exemption

    Hi Everyone,
    Below is from the Cisco Learning Network site
    Referring to the Cisco ASA NAT configuration  below
    object network one
      subnet 10.1.1.0 255.255.255.0
    object network two
      subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) source static one one destination static two two
    Need to understand how below answer is correct?
    This is an example of Cisco ASA 8.3 manual NAT to implement NAT exemption.
    Regards
    Mahesh

    Hi Mahesh,
    Yes, the above configuration achieves a NAT0 type configuration in the new 8.3+ ASA softwares.
    In the 8.2 and older softwares we used an ACL to tell the ASA between which networks there should be no translation to the source address.
    The above configuration could correspond to the following on the 8.2 software
    access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NAT0
    And as you have already mentioned the 8.3+ format is
    object network one
      subnet 10.1.1.0 255.255.255.0
    object network two
      subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) source static one one destination static two two
    In the new format you see the same things as you saw in the older format using ACL. It tells between which interfaces this NAT applies. It also tells between which source and destination networks this applies.
    Now let's look at the above "nat" statement in all of its parts
    nat = Is the actual command which starts the NAT configuration, whatever NAT you were configuring
    inside = Is the source interface for the NAT, as it's mentioned first
    outside = Is the destination interface for the NAT, as it's mentioned second
    source = Simply specifies that the source parameters for this NAT configuration will follow
    static = Defines that we're doing a Static type of NAT
    one = Defines the real source network
    one = Defines the mapped source network
    destination = Simply specifies that the destination parameters for this NAT configuration will follow
    static = Defines that the destination is static. It can only be static
    two = Defines the mapped destination network
    two = Defines the real destination network
    And the key things to notice from the configuration.
    Both source and destination real and mapped networks are the same. This means that the source network and destination network should stay unchanged. So in essence we are doing NAT0.
    When we add the "destination static " this automatically means that the NAT will only be applied when the destination of the traffic is this network. This naturally applies in the reverse direction since the rule is bidirectional.
    I am not really sure if I explained the above in the best way I could. Hope it makes some sense
    - Jouni

  • ASA 5505 Static NAT

    Hi Guys,
    Me again asking for some more help, thanks.
    I am trying to deploy a Polycom Access Director behind an ASA 5505 firewall and am having some problems configuring inbound NAT for this device.
    Currently I am able to dial from an endpoint outbound through the ASA with no problem but am unable to dial into the VC endpoint by IP address (traffic is not hitting the Access Director)
    This blog post shows what I am trying to achieve along with the ACLs that I have applied.
    http://blog.networkfoo.org/2014/02/deploy-polycom-rpad-single-nic-with.html#!/2014/02/deploy-polycom-rpad-single-nic-with.html
    These are my NAT Rules
    nat (Wireless_LAN,VC_INFRA) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.243.0 obj-10.255.243.0
    nat (Wireless_LAN,VC_DMZ) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.239.0 obj-10.255.239.0
    nat (Wireless_LAN,VC_LAN) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.243.0 obj-10.255.243.0
    nat (VC_INFRA,any) source static obj-10.255.243.0 obj-10.255.243.0 destination static VPNPool-Network VPNPool-Network
    object network obj-10.255.222.0
     nat (outside,outside) dynamic interface
    object network obj-10.255.243.0
     nat (outside,outside) dynamic interface
    object network obj_any
     nat (Wireless_LAN,outside) dynamic interface
    object network obj_any-01
     nat (VC_DMZ,outside) dynamic interface
    object network obj_any-02
     nat (VC_INFRA,outside) dynamic interface
    object network obj_any-03
     nat (VC_LAN,outside) dynamic interface
    nat (outside,VC_DMZ) after-auto source static any any destination static interface obj-CV2RPAD1
    This is my ACLs
    access-list outside_access_in extended permit udp any eq 1719 object-group RPAD_SERVERS_EXT eq 1719
    access-list outside_access_in extended permit udp any eq 1720 object-group RPAD_SERVERS_EXT eq 1720
    access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq h323
    access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT range 10001 13000
    access-list outside_access_in extended permit udp any gt 1023 object-group RPAD_SERVERS_EXT range 20002 30001
    access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq sip
    access-list outside_access_in extended permit udp any gt 1023 object-group RPAD_SERVERS_EXT eq sip
    access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq 5061
    access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq 5222
    access-list outside_access_in extended permit icmp any any object-group DefaultICMP
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT range 20002 30001 any range 20002 30001
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT range 20002 30001 any range 16386 25386
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 1719 any eq 1719
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 1720 object-group DMA_SERVERS_INT eq 1720
    access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 object-group DMA_SERVERS_INT eq h323
    access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 object-group DMA_SERVERS_INT range 36000 61000
    access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 13001 15000 any gt 1023
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq sip any gt 1023
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 5070 object-group DMA_SERVERS_INT eq sip
    access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 30001 60000 object-group RM_SERVERS_INT eq https
    access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 any gt 1023
    access-list dmz_access_in extended permit icmp object-group RPAD_SERVERS_EXT any object-group DefaultICMP
    If I move my NAT statement as follows
          no nat after-auto 1
          nat (outside,VC_DMZ) 5 source static any any destination static interface obj-CV2RPAD1
    I am able to dial outbound still with no issues and am also able to initiate a call inbound which partially connects. The call seems to fail at the capabilities exchange so the RTP media stream does not start up, so there is some additional troubleshooting to be done.
    However moving this NAT statement has the side effect of breaking the IPSec VPN that I have configured for the Cisco VPN Client, I would like to be able to keep my VPN working and be able to do a port forwards/Static 1:1 NAT towards my RPAD.
    Once this is happy and working I can then go and troubleshoot why inbound calls are failing at the capabilities exchange.

    Thanks a lot Jon, for assisting me in solving this problem.
    The weird thing that I can't understand is that ICMP was working without a problem using the above mentioned access-list, however accessing the web server using www wasn't working.
    How do you explain that?

  • NAT issue - (over same link) static-NAT works but PAT (for rest of hosts) does not !

    Hello fellow engineers!
    I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make out what the problem is…
    Scenario description:
    2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-intf’s (router-on-a-stick is implemented).    The router has two other WAN (Internet) connections via a Satellite link and a MetroEthernet link.   These two are terminated on the switch on intf’s at the appropriate VLAN’s.   In the attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks.   The aDSL and Metro links have an 8-IP public set, each.
    Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used.    VLAN/subnet (all /24) pairs are:
    VLAN 11 -> 10.0.1.x
    VLAN 12 -> 10.0.2.x
    VLAN 13 -> 10.0.3.x
    VLAN 71 -> 192.168.17.x
    VLAN 204 -> 172.16.204.x
    and – last but not least ! – VLAN 10 -> 10.0.0.x
    All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).
    Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected.   So does the PAT for hosts of all other VLAN’s (11, 12, 13, …).   The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !
    What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests !   Nothing else !   To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !
    Could pls someone spot what I’m missing !!
    To help you I also attach the router config and some command outputs…
    All help is appreciated.
    Thanx
    Costas

    That last PBR statement
    (route-map 10.0.0.X_hosts_PBR permit 70
     description *** rest of 10.0.0.x net --> Oxygen ***
     match ip address rest_of_10.0.0.x
     set ip next-hop 212.251.64.153)
    was not there in the first place - I got it there assuming it would help but it didn't.   Actually - as mentioned - it does not get any hits !
    (route-map 10.0.0.X_hosts_PBR, permit, sequence 255
      Match clauses:
        ip address (access-lists): rest_of_10.0.0.x
      Set clauses:
        ip next-hop 212.251.64.153
      Policy routing matches: 0 packets, 0 bytes)

  • Static NAT with two outside interfaces

    I have a router which performs NAT on two outside interfaces with load balancing, and had a task to allow an inbound connection to be forwarded to a specific host inside on a well-known port.
    Here is an example:
    interface Fas0/0
     ip nat outside
    interface Fas0/1
     ip nat outside
    interface Vlan1
     ip nat inside
    ip nat inside source route-map rm_isp1 pool pool_isp1
    ip nat inside source route-map rm_isp2 pool pool_isp2
    All worked fine.
    Then I tried to add static NAT:
    ip nat inside source static tcp 10.0.0.1 25 interface Fas0/0 25
    ip nat inside source static tcp 10.0.0.1 25 interface Fas0/1 25
    and as a result only the last static NAT line appeared in the config.
    The solution was to use the interfaces' IPs instead of names. That helped, but isn't that a bug?

    In this scenario, we are trying to access a mail server located at
    10.0.0.1 from outside and we have two outside IP, let's say, 71.1.1.1 and
    69.1.1.1.
    With CEF Enabled
    Packet comes in to Fa0/0 interface with Source IP 66.x.x.x and
    Destination IP 71.1.1.1. Our NAT rule translates this to 10.0.0.1.
    Packet goes to 10.0.0.1. The return packet goes to the LAN interface
    first and the routing rule is determined *before* the packet is
    translated.
    Packet source IP at this point is 10.0.0.1 and destination is
    66.x.x.x. Now, based on CEF, it will go out via Fa0/0 or Fa0/1,
    irrespective of the way it came in. Because of this, with CEF enabled
    this will not work. CEF is per-destination.
    So, let's say somebody on outside tried to access this server using 71.1.1.1, then he would
    expect a reply from 71.1.1.1 which may or may not be true as the traffic could be Nat'd to 69.1.1.1 or 71.1.1.1.
    If it gets reply packet from 71.1.1.1, it should work.
    If it gets it from 69.1.1.1, it will simply drop it as it never sent a
    packet to 69.1.1.1.
    With CEF and Fast Switching Disabled
    Same steps as above, only that the packet is sent to the process level
    to be routed. At this point, the packets will be sent out in a round
    robin fashion. One packet will go out via Fa0/0 and the other via
    Fa0/1. This will have a constant 50% packet loss and is also not a
    viable solution.
    So, what you are trying to achieve is not possible on a Cisco router.
    HTH,
    Amit Aneja

  • Using both Dynamic and Static NAT with two Different Internet facing Subnets

    We have two Class C public address subnets.  We started with Subnet (A) and have many of our Internet accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 8.3(2) and started migrating the users and new servers to it, so I started with our second Class C Subnet (B).   Later on down the road I found out that if the firewall's default gateway is set to a (B) interface subnet, then the servers that are statically mapped to an (A) address will have a (B) address when they communicate out to the Internet.  So they are receiving packets on their (A) address, though replying to them with a (B) address. 
    It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external address when communicating outbound as well as inbound. 
    So for instance I want the following: when the internal host replies I want the reply to come from the mapped IP, not an IP from the dynamic pool. 
    Public IP: 192.168.1.100/24
    Internal IP: 10.0.0.100/16
    Public IP: 192.168.5.101/24
    Internal IP: 10.0.0.101/16
    interface Ethernet0/0
     description 192.168.1.0/24 Network Outside IP
     nameif outside-1
     security-level 0
     ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/1
     description 192.168.5.0/24 Network Outside IP
     nameif outside-5
     security-level 0
     ip address 192.168.5.1 255.255.255.0
    interface Ethernet0/2
     description inside 10.0.0.0/16
     nameif inside
     security-level 100
     ip address 10.0.0.1 255.255.0.0
    object network serverA_o
     host 192.168.1.100
    object network serverA_i
     host 10.0.0.100
    object network serverB_o
     host 192.168.5.101
    object network serverB_i
     host 10.0.0.101
    object network 192-168-1-NAT-POOL
     range 192.168.1.50 192.168.1.239
    nat (inside,outside-1) source static serverA_i serverA_o
    nat (inside,outside-5) source static serverB_i serverB_o
    nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
    object network serverA_i
     nat (inside,outside-1) static serverA_o
    object network serverB_i
     nat (inside,outside-5) static serverB_o
    route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
    route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2
    When I set this up my serverB shows a Public IP of something in the 192-168-1-NAT-POOL Not 192.168.5.101
    Any Suggestions?
    Thanks!

    Not sure why I have multiple entries. )-: I did think it was odd. I think it might be because I was looking at examples of the new and old styles of NAT.
    We have a single ISP, though have 2 separate non-contiguous Class C addresses from them. We host some servers on one subnet and some on the other. 
    I'm looking for a way to use both Subnets on the same ASA. 
    The Connection to the net looks like this:
    Internet -> Edge Router Layer3 VLAN Switch
    GE0/1.2 - 192.168.1.1 VLAN Tagged --> GE0 - VLAN Tagged
    GE0/1.2 - 192.168.5.1 VLAN Tagged -^
    Layer3 VLAN Switch Firewall
    GE1 192.168.1.0/24 Untagged -> ASA Outside-1
    GE2 192.168.5.0/24 Untagged -> ASA Outside-5
    Firewall
    ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100
    Hope that helps clarify.
    I could try to post some sanitized Configs of my PIX and ASA if needed.  But the end result I'm trying to do is have the ASA do NAT for multiple Public Subnets. 

  • Dynamic PAT and Static NAT issue ASA 5515

    Hi All,
    Recently we migrated our network to ASA 5515. Since we had configured NAT pool overload on our existing router, the users are able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation was not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide), all users are able to translate to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the Static NAT was not able to translate. Can anyone explain if there's any conflict with PAT to Static NAT? I appreciate your response. Thanks!
    - Bhal

    Hi,
    I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
    The very basic configuration for Static NAT and Default PAT I would do in the following way:
    object network STATIC
    host
    nat (inside,outside) static dns
    object-group network DEFAULT-PAT-SOURCE
    network-object
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
    This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
    You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
    https://supportforums.cisco.com/docs/DOC-31116
    Hope this helps
    - Jouni
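    Added example (not Cisco's code and not either poster's configuration): a small Python model of ASA 8.3+ NAT rule selection that covers both situations in this thread. Jouni's point above, that a catch-all dynamic PAT entered as a Section 1 manual rule shadows a Section 2 object static NAT until it is moved to Section 3 with after-auto, and the two-outside-interface post further up, where which rule 10.0.0.101 hits depends on the egress interface the packet is classified to. The model keeps only what the thread relies on: the three sections, first match wins, and a rule applying only when its real/mapped interface pair equals the packet's ingress/egress pair. How the ASA chooses the egress interface (routing table versus the NAT rule itself) is deliberately not modelled; each scenario passes the egress interface in explicitly so that assumption stays visible. Section 2 ordering is simplified to static before dynamic, then fewer real addresses first. The 10.0.0.10 and 203.0.113.10 addresses in the default-PAT scenario are constructed.

```python
"""Toy model of ASA 8.3+ NAT rule selection.

Added example, not Cisco code: it models only what the thread discusses
(the three NAT sections, first-match semantics, and the requirement that
a rule's real/mapped interface pair equals the packet's ingress/egress
pair).  Egress-interface selection is NOT modelled; the caller passes the
egress interface in, so that assumption is explicit in every scenario.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    name: str
    real_if: str       # interface the real (inside) address lives on
    mapped_if: str     # interface the mapped address is presented on
    real_src: str      # real source in CIDR notation, or "any"
    mapped: str        # mapped host, pool or "interface" (display only)
    kind: str          # "static" or "dynamic"
    section: int       # 1 = manual, 2 = object (auto), 3 = after-auto manual

    def real_net(self):
        cidr = "0.0.0.0/0" if self.real_src == "any" else self.real_src
        return ip_network(cidr, strict=False)

    def matches(self, ingress: str, egress: str, src: str) -> bool:
        # A rule only applies to flows between its own interface pair.
        if (ingress, egress) != (self.real_if, self.mapped_if):
            return False
        return ip_address(src) in self.real_net()


def order_rules(rules: List[NatRule]) -> List[NatRule]:
    """Sections 1 and 3 keep configuration order.  Section 2 (object NAT)
    is ordered by the ASA itself: static before dynamic, then fewer real
    addresses first; configuration order stands in for the remaining
    tie-breakers in this simplified model."""
    def key(item):
        idx, r = item
        if r.section == 2:
            return (2, 0 if r.kind == "static" else 1, r.real_net().num_addresses, idx)
        return (r.section, 0, 0, idx)
    return [r for _, r in sorted(enumerate(rules), key=key)]


def translate(rules: List[NatRule], ingress: str, egress: str, src: str) -> Optional[NatRule]:
    """First matching rule in section order wins, as on the ASA."""
    for rule in order_rules(rules):
        if rule.matches(ingress, egress, src):
            return rule
    return None


def default_pat_scenario(pat_after_auto: bool) -> str:
    """Jouni's point: a catch-all dynamic PAT as a Section 1 manual rule
    shadows a Section 2 static object NAT; 'after-auto' (Section 3) does
    not.  Addresses are constructed."""
    rules = [
        NatRule("DEFAULT-PAT", "inside", "outside", "any", "interface",
                "dynamic", 3 if pat_after_auto else 1),
        NatRule("STATIC", "inside", "outside", "10.0.0.10/32", "203.0.113.10",
                "static", 2),
    ]
    return translate(rules, "inside", "outside", "10.0.0.10").name


def two_outside_scenario(egress: str) -> Optional[str]:
    """The two-outside-interface post: the three Section 1 manual rules in
    the order given there.  Which one serverB (10.0.0.101) hits depends
    entirely on the egress interface the packet was classified to."""
    rules = [
        NatRule("serverA", "inside", "outside-1", "10.0.0.100/32", "192.168.1.100", "static", 1),
        NatRule("serverB", "inside", "outside-5", "10.0.0.101/32", "192.168.5.101", "static", 1),
        NatRule("POOL", "inside", "outside-1", "any", "192-168-1-NAT-POOL", "dynamic", 1),
    ]
    hit = translate(rules, "inside", egress, "10.0.0.101")
    return hit.name if hit else None


if __name__ == "__main__":
    print("PAT in section 1      :", default_pat_scenario(False))      # DEFAULT-PAT
    print("PAT after-auto        :", default_pat_scenario(True))       # STATIC
    print("serverB via outside-1 :", two_outside_scenario("outside-1"))  # POOL
    print("serverB via outside-5 :", two_outside_scenario("outside-5"))  # serverB
```

    The default-PAT scenario returns DEFAULT-PAT while the PAT sits in Section 1 and STATIC once it is after-auto; the two-outside scenario returns POOL when serverB's packet leaves via outside-1 and serverB only when it leaves via outside-5. On a real ASA, `show nat` lists the rules in exactly this section order and `packet-tracer` shows which rule a given flow hits, which is the check to run before trusting a mixed manual/object NAT set.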

  • L2TP over IPSEC Static NAT trouble

    I have a 5510 that I have configured for L2TP over IPSEC, not using AnyConnect.  As of right now I have two open issues that I cannot figure out.  The first, and most prevalent, being: VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface.  I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts.
    The second issue involves DNS.  I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS.  What is the workaround for using split tunneling AND internal DNS servers, if any?
    I'm looking for any help someone might be able to give, as I've had two different CCNAs look at this numerous times to no avail.  The config is below.
    To sum up, and put this in perspective, I need to be able to do the following...
         VPN CLIENT (10.1.50.x) -> splitTunnel -> int G0/2 (COMCAST_PUBLIC) -> int G0/3(outside)(10.1.4.x) -> STATIC NAT from G0/0(inside)(10.103.x.x) -> NAT (10.1.4.x)
    A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd.  You can see in the config where I added the extra STATIC NAT to try and fix the issue.  And this works perfectly across the tunnel but only intermittently from the internal 10.1.4.x network.
    As well as any help with DNS.  Please advise, thank you.
    -tony
    : Saved
    ASA Version 8.2(1)
    hostname fw-01
    enable password HOB2xUbkoBliqazl encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.103.6.0 K2CONT description K2 Control Network
    name 10.103.5.0 K2FTP description K2 FTP Network
    name 10.103.1.0 NET description Internal Network Core Subnet
    name 10.1.4.0 WBND description WBND Business Network
    name 178.3.200.173 WCIU-INEWS0 description WCIU iNEWS Server
    name 178.3.200.174 WCIU-INEWS1 description WCIU iNEWS Server
    name 10.103.2.50 ENG-PC description Engineering PC
    name 10.103.2.56 NAV-PC description Navigator PC
    name 10.103.2.77 PF-SVR-01 description Pathfire Server 01
    name 69.55.236.230 RTISVR description "Rootlike Technologies, Inc. Server"
    name 69.55.236.228 RTISVR1 description "Rootlike Technologies, Inc. Server"
    name 10.103.2.0 GEN-NET description General Broadcast Network
    name 10.103.4.0 INEWS-NET description INEWS Network
    name 10.103.4.84 INEWS0 description WBND iNEWS Server 0
    name 10.103.4.85 INEWS1 description WBND iNEWS Server 1
    name 10.103.3.0 TELE-NET description TELEMETRICS Network
    name 10.1.4.22 NAT-INEWS0 description "Public NAT address of iNEWS server 0"
    name 10.1.4.23 NAT-INEWS1 description "Public NAT address of iNEWS server 1"
    name 10.1.4.20 NAT-K2-FTP0 description "Public NAT address of K2 FTP Server 0"
    name 10.1.4.21 NAT-K2-FTP1 description "Public NAT address of K2 FTP Server 0"
    name 10.103.4.80 MOSGW description "MOS Gateway."
    name 10.1.4.24 NAT-MOSGW description "Public NAT address of MOS Gateway."
    name 10.103.2.74 PF-DUB-01 description PathFire Dub Workstation
    name 209.118.74.10 PF-EXT-0 description PF External Server 0
    name 209.118.74.19 PF-EXT-1 description PF External Server 1
    name 209.118.74.26 PF-EXT-2 description PF External Server 2
    name 209.118.74.80 PF-EXT-3 description PF External Server 3
    name 10.103.4.37 PIXPWR description Pixel Power System 0
    name 10.1.4.26 NAT-PIXPWR description "Public NAT address of PixelPower System 0"
    name 10.103.4.121 ignite
    name 10.103.3.89 telemetrics
    name 10.1.4.50 vpn_3000
    name 10.103.5.4 K2-FTP0 description K2 FTP Server 0
    name 10.103.5.5 K2-FTP1 description K2 FTP Server 1
    name 10.1.4.40 NAT-ENG-PC description Engineering HP
    name 10.103.2.107 ENG-NAS description ENG-NAS-6TB
    name 10.1.1.0 WCIU description WCIU
    name 178.3.200.0 WCIU_Broadcast description WCIU_Broadcast
    name 10.2.1.0 A-10.2.1.0 description WCIU 2
    name 10.1.50.0 VPN-POOL description VPN ACCESS
    interface Ethernet0/0
    description "Internal Network 10.103.1.0/24"
    nameif inside
    security-level 100
    ip address 10.103.1.1 255.255.255.0
    interface Ethernet0/1
    shutdown
    no nameif
    security-level 0
    no ip address
    interface Ethernet0/2
    nameif COMCAST_PUBLIC
    security-level 0
    ip address 173.161.x.x 255.255.255.240
    interface Ethernet0/3
    description "WBND Business Network 10.1.4.0/24"
    nameif outside
    security-level 0
    ip address 10.1.4.8 255.255.255.0
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    clock timezone Indiana -4
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group icmp-type ICMP-OK
    description "ICMP types we want to permit."
    icmp-object echo
    icmp-object echo-reply
    icmp-object traceroute
    icmp-object unreachable
    icmp-object time-exceeded
    object-group network INTERNAL-ALL
    description "All internal networks."
    network-object NET 255.255.255.0
    network-object GEN-NET 255.255.255.0
    network-object TELE-NET 255.255.255.0
    network-object INEWS-NET 255.255.255.0
    network-object K2FTP 255.255.255.0
    network-object K2CONT 255.255.255.0
    object-group service W3C
    description "HTTP/S"
    service-object tcp eq www
    service-object tcp eq https
    object-group service FTP-ALL
    description "FTP Active/Passive."
    service-object tcp eq ftp
    service-object tcp eq ftp-data
    object-group service INEWS-CLI
    description "Ports required for INEWS client/server communications."
    service-object tcp eq telnet
    service-object tcp eq login
    service-object tcp eq 600
    service-object tcp eq 49153
    service-object tcp eq 49152
    service-object tcp-udp eq 1020
    service-object tcp-udp eq 1019
    group-object W3C
    group-object FTP-ALL
    service-object tcp eq ssh
    service-object tcp-udp eq 1034
    service-object tcp-udp eq 1035
    object-group service NET-BASE
    description "Base network services required by all."
    service-object tcp-udp eq 123
    service-object udp eq domain
    object-group network INEWS-SVR
    description "iNEWS Servers."
    network-object INEWS0 255.255.255.255
    network-object INEWS1 255.255.255.255
    object-group network WCIU-INEWS
    description "iNEWS Servers at WCIU."
    network-object WCIU-INEWS0 255.255.255.255
    network-object WCIU-INEWS1 255.255.255.255
    object-group network K2-FTP
    description "K2 Servers"
    network-object host K2-FTP0
    network-object host K2-FTP1
    object-group network PF-SYS
    description Internal PathFire Systems
    network-object host PF-DUB-01
    network-object host PF-SVR-01
    object-group network INET-ALLOWED
    description "Hosts that are allowed Internet access (HTTP/FTP) and a few other basic protocols.
    network-object host ENG-PC
    network-object host NAV-PC
    network-object host PF-SVR-01
    group-object INEWS-SVR
    group-object K2-FTP
    group-object PF-SYS
    network-object host PIXPWR
    network-object K2CONT 255.255.255.0
    object-group service GoToAssist
    description "Port required for Citrix GoToAssist remote support sessions (along with HTTP/S)"
    service-object tcp eq 8200
    object-group service DM_INLINE_SERVICE_1
    group-object FTP-ALL
    group-object W3C
    service-object tcp eq ssh
    service-object tcp eq telnet
    group-object GoToAssist
    object-group network RTI
    network-object host RTISVR1
    network-object host RTISVR
    object-group network NAT-K2-SVR
    description "Public NAT addresses of K2 Servers."
    network-object host NAT-K2-FTP0
    network-object host NAT-K2-FTP1
    object-group network NAT-INEWS-SVR
    description "Public NAT addresses of iNEWS servers."
    network-object host NAT-INEWS0
    network-object host NAT-INEWS1
    object-group service INEWS-SVCS
    description "Ports required for iNEWS inter-server communication.
    group-object INEWS-CLI
    service-object tcp eq 1022
    service-object tcp eq 1023
    service-object tcp eq 2048
    service-object tcp eq 698
    service-object tcp eq 699
    object-group service MOS
    description "Ports used for MOS Gateway Services."
    service-object tcp eq 10540
    service-object tcp eq 10541
    service-object tcp eq 6826
    service-object tcp eq 10591
    object-group network DM_INLINE_NETWORK_1
    network-object host WCIU-INEWS0
    network-object host WCIU-INEWS1
    object-group network DM_INLINE_NETWORK_2
    network-object GEN-NET 255.255.255.0
    network-object INEWS-NET 255.255.255.0
    object-group network PF-Svrs
    description External PathfFire Servers
    network-object host PF-EXT-0
    network-object host PF-EXT-1
    network-object host PF-EXT-2
    network-object host PF-EXT-3
    object-group service PF
    description PathFire Services
    group-object FTP-ALL
    service-object tcp eq 1901
    service-object tcp eq 24999
    service-object udp range 6652 6654
    service-object udp range 6680 6691
    object-group service GVG-SDB
    description "Ports required by GVG SDB Client/Server Communication."
    service-object tcp eq 2000
    service-object tcp eq 2001
    service-object tcp eq 3000
    service-object tcp eq 3001
    object-group service MS-SVCS
    description "Ports required for Microsoft networking."
    service-object tcp-udp eq 135
    service-object tcp eq 445
    service-object tcp eq ldap
    service-object tcp eq ldaps
    service-object tcp eq 3268
    service-object tcp eq 3269
    service-object tcp-udp eq cifs
    service-object tcp-udp eq domain
    service-object tcp-udp eq kerberos
    service-object tcp eq netbios-ssn
    service-object udp eq kerberos
    service-object udp eq netbios-ns
    service-object tcp-udp eq 139
    service-object udp eq netbios-dgm
    service-object tcp eq cifs
    service-object tcp eq kerberos
    service-object udp eq cifs
    service-object udp eq domain
    service-object udp eq ntp
    object-group service DM_INLINE_SERVICE_2
    group-object MS-SVCS
    group-object NET-BASE
    group-object GVG-SDB
    group-object W3C
    object-group service DM_INLINE_SERVICE_3
    group-object GVG-SDB
    group-object MS-SVCS
    group-object W3C
    object-group service PIXEL-PWR
    description "Pixel Power Services"
    service-object tcp-udp eq 10250
    object-group service DM_INLINE_SERVICE_4
    group-object FTP-ALL
    group-object GoToAssist
    group-object NET-BASE
    group-object PIXEL-PWR
    group-object W3C
    group-object MS-SVCS
    service-object ip
    object-group service DM_INLINE_SERVICE_5
    group-object MS-SVCS
    group-object NET-BASE
    group-object PIXEL-PWR
    group-object W3C
    object-group service IG-TELE tcp-udp
    port-object range 2500 49501
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_3
    network-object host ENG-PC
    network-object host NAT-ENG-PC
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    protocol-object udp
    protocol-object icmp
    object-group network DM_INLINE_NETWORK_4
    network-object WCIU 255.255.255.0
    network-object WBND 255.255.255.0
    network-object WCIU_Broadcast 255.255.255.0
    object-group network il2k_test
    network-object 207.32.225.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_8
    network-object WCIU 255.255.255.0
    network-object WBND 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_8
    service-object ip
    group-object INEWS-CLI
    service-object icmp
    service-object udp
    object-group service DM_INLINE_SERVICE_6
    service-object ip
    group-object MS-SVCS
    object-group network DM_INLINE_NETWORK_5
    network-object WCIU 255.255.255.0
    network-object WBND 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_7
    service-object ip
    service-object icmp
    service-object udp
    group-object INEWS-CLI
    object-group network DM_INLINE_NETWORK_9
    network-object host NAT-INEWS0
    network-object host INEWS0
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object icmp
    protocol-object tcp
    object-group network VPN-POOL
    description "IP range assigned to dial-up IPSec VPN."
    network-object VPN-POOL 255.255.255.0
    object-group network DM_INLINE_NETWORK_6
    network-object WBND 255.255.255.0
    network-object WCIU_Broadcast 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    network-object WCIU 255.255.255.0
    network-object VPN-POOL 255.255.255.0
    object-group network DM_INLINE_NETWORK_7
    network-object WBND 255.255.255.0
    network-object VPN-POOL 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    network-object WCIU 255.255.255.0
    object-group network DM_INLINE_NETWORK_10
    network-object TELE-NET 255.255.255.0
    network-object host ignite
    access-list inbound extended permit object-group DM_INLINE_SERVICE_5 any host NAT-PIXPWR
    access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP1
    access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP0
    access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS1
    access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS0
    access-list inbound extended permit object-group INEWS-SVCS object-group DM_INLINE_NETWORK_1 object-group NAT-INEWS-SVR
    access-list inbound extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_5 host NAT-INEWS1
    access-list inbound extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
    access-list inbound extended permit object-group MOS WBND 255.255.255.0 host NAT-MOSGW
    access-list inbound extended permit icmp WBND 255.255.255.0 K2FTP 255.255.255.0 object-group ICMP-OK
    access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 object-group NAT-K2-SVR
    access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 K2FTP 255.255.255.0
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
    access-list inbound extended permit icmp any any object-group ICMP-OK
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_1 host ignite host telemetrics
    access-list inbound extended permit object-group MS-SVCS any WBND 255.255.255.0
    access-list inbound extended permit ip any any
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 WBND 255.255.255.0 object-group DM_INLINE_NETWORK_3
    access-list inbound extended permit object-group MS-SVCS any any
    access-list inbound extended permit object-group INEWS-CLI WBND 255.255.255.0 object-group NAT-INEWS-SVR
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_3 any WBND 255.255.255.0
    access-list inbound extended permit ip any 173.161.x.x 255.255.255.240
    access-list inbound extended permit ip any 207.32.225.0 255.255.255.0
    access-list inbound extended permit ip WBND 255.255.255.0 host 70.194.x.x
    access-list outbound extended deny ip object-group DM_INLINE_NETWORK_10 any
    access-list outbound extended permit object-group DM_INLINE_SERVICE_4 host PIXPWR any
    access-list outbound extended permit object-group INEWS-SVCS object-group INEWS-SVR object-group WCIU-INEWS
    access-list outbound extended permit object-group INEWS-CLI object-group DM_INLINE_NETWORK_2 object-group WCIU-INEWS
    access-list outbound extended permit object-group DM_INLINE_SERVICE_1 object-group INET-ALLOWED any
    access-list outbound extended permit object-group NET-BASE object-group INTERNAL-ALL any
    access-list outbound extended permit icmp any any object-group ICMP-OK
    access-list outbound extended permit ip GEN-NET 255.255.255.0 any
    access-list outbound extended permit ip host ignite host telemetrics
    access-list outbound extended permit ip host NAV-PC host 10.103.2.18
    access-list outbound extended permit ip any GEN-NET 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit WBND 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit VPN-POOL 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU_Broadcast 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit A-10.2.1.0 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.1.0 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.200.0 255.255.255.0
    access-list outside_nat0_outbound extended permit ip NET 255.255.255.0 object-group INTERNAL-ALL
    access-list COMCAST_access_in extended permit ip any any
    access-list COMCAST_PUBLIC_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 100000
    logging asdm-buffer-size 512
    logging monitor notifications
    logging buffered notifications
    logging asdm notifications
    mtu inside 1500
    mtu COMCAST_PUBLIC 1500
    mtu outside 1500
    mtu management 1500
    ip local pool VPN-POOL 10.1.50.1-10.1.50.254 mask 255.255.255.0
    ipv6 access-list inside_access_ipv6_in deny ip any any
    ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
    ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
    ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
    ipv6 access-list outside_access_ipv6_in deny ip any any
    ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
    ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
    ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any COMCAST_PUBLIC
    icmp permit any echo outside
    icmp permit any echo-reply outside
    icmp permit any unreachable outside
    no asdm history enable
    arp timeout 14400
    global (COMCAST_PUBLIC) 1 173.161.x.x
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 dns
    static (inside,outside) NAT-K2-FTP0 K2-FTP0 netmask 255.255.255.255 dns
    static (inside,outside) NAT-K2-FTP1 K2-FTP1 netmask 255.255.255.255 dns
    static (inside,outside) NAT-INEWS0 INEWS0 netmask 255.255.255.255 dns
    static (inside,outside) NAT-INEWS1 INEWS1 netmask 255.255.255.255 dns
    static (inside,outside) NAT-MOSGW MOSGW netmask 255.255.255.255 dns
    static (inside,outside) NAT-PIXPWR PIXPWR netmask 255.255.255.255 dns
    static (inside,outside) NAT-ENG-PC ENG-PC netmask 255.255.255.255 dns
    static (inside,COMCAST_PUBLIC) 10.1.4.39 ENG-NAS netmask 255.255.255.255 dns
    access-group outbound in interface inside per-user-override
    access-group inside_access_ipv6_in in interface inside per-user-override
    access-group outbound in interface COMCAST_PUBLIC
    access-group outside_access_in in interface outside
    access-group outside_access_ipv6_in in interface outside
    route COMCAST_PUBLIC 0.0.0.0 0.0.0.0 173.161.x.x 1
    route outside 0.0.0.0 0.0.0.0 10.1.4.1 100
    route outside WCIU 255.255.255.0 10.1.4.11 1
    route outside A-10.2.1.0 255.255.255.0 10.1.4.1 1
    route inside 10.11.1.0 255.255.255.0 10.103.1.73 1
    route inside GEN-NET 255.255.255.0 10.103.1.2 1
    route inside TELE-NET 255.255.255.0 10.103.1.2 1
    route inside INEWS-NET 255.255.255.0 10.103.1.2 1
    route inside K2FTP 255.255.255.0 10.103.1.62 1
    route inside K2CONT 255.255.255.0 10.103.1.62 1
    route outside WCIU_Broadcast 255.255.255.0 10.1.4.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server DOMCON protocol radius
    accounting-mode simultaneous
    aaa-server DOMCON (outside) host 10.1.4.17
    timeout 5
    key Tr3at!Ne
    acl-netmask-convert auto-detect
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http NET 255.255.255.0 inside
    http GEN-NET 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set il2k-trans esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set il2k-transform-set esp-3des esp-sha-hmac
    crypto ipsec transform-set il2k-transform-set mode transport
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set peer WBND
    crypto dynamic-map dyno 10 set transform-set il2k-transform-set il2k-trans
    crypto map VPN 10 ipsec-isakmp dynamic dyno
    crypto map VPN interface COMCAST_PUBLIC
    crypto map VPN interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto isakmp identity address
    crypto isakmp enable inside
    crypto isakmp enable COMCAST_PUBLIC
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    crypto isakmp disconnect-notify
    telnet timeout 5
    ssh scopy enable
    ssh NET 255.255.255.0 inside
    ssh GEN-NET 255.255.255.0 inside
    ssh VPN-POOL 255.255.255.0 COMCAST_PUBLIC
    ssh 10.103.1.224 255.255.255.240 outside
    ssh WBND 255.255.255.0 outside
    ssh 192.168.1.0 255.255.255.0 management
    ssh timeout 20
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 10.103.2.52 source inside prefer
    webvpn
    enable inside
    enable outside
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 10.1.4.17 10.1.1.21
    vpn-tunnel-protocol l2tp-ipsec
    ipsec-udp enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.1.4.17 10.1.1.21
    vpn-simultaneous-logins 100
    vpn-idle-timeout 120
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    default-domain value MAINSERV
    intercept-dhcp enable
    address-pools value VPN-POOL
    group-policy il2k internal
    group-policy il2k attributes
    dns-server value 10.1.4.17
    vpn-tunnel-protocol l2tp-ipsec
    ipsec-udp enable
    username DefaultRAGroup password F1C2vupePix5SQn3t9BAZg== nt-encrypted
    username tsimons password F1C2vupePix5SQn3t9BAZg== nt-encrypted privilege 15
    username interlink password 4QnXXKO..Ry/9yKL encrypted
    username iphone password TQrRGN4aXV4OVyavS5T/Ow== nt-encrypted
    username iphone attributes
    service-type remote-access
    username hriczo password OSruMCto90cxZoWxHllC5A== nt-encrypted
    username hriczo attributes
    service-type remote-access
    username cheighway password LqxYepmj5N6LE2zMU+CuPA== nt-encrypted privilege 15
    username cheighway attributes
    vpn-group-policy il2k
    service-type admin
    username jason password D8PHWEPGhNLOBxNHo0nQmQ== nt-encrypted
    username roscor password jLkgabJ1qUf3hXax encrypted
    username roscor attributes
    service-type admin
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN-POOL
    authentication-server-group DOMCON LOCAL
    authentication-server-group (outside) LOCAL
    authentication-server-group (inside) LOCAL
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:4b7c375a2b09feacdf760d10092cf73f
    : end

    No one?  I'd be happy to provide any more info if someone needs it; I'm just looking for some sort of direction.   I did almost this whole config by myself and I'm completely self-taught Cisco, so weird things like this really throw me.
    Please help.  Thank you.
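    Added example, not Cisco tooling and not part of tony's post: a Python audit helper for the 8.2-style NAT syntax used in the configuration above. It resolves the `name` aliases (so a line like `static (inside,outside) NAT-K2-FTP0 K2-FTP0 ...` is reported as real 10.103.5.4 mapped to 10.1.4.20), lists the address statics per interface pair, and flags a NAT-exemption style ACL that is defined but never bound with `nat (<interface>) 0 access-list <acl>`, a mismatch that is easy to overlook in a long ASDM-generated configuration. The embedded sample is a constructed excerpt that mirrors the shape of the posted config; only address statics are parsed and port statics (`static ... tcp/udp ...`) are skipped.

```python
"""Audit helper for ASA 8.2-style NAT configuration.

Added example, not Cisco tooling.  Resolves 'name' aliases, lists the
static (real -> mapped) translations, and flags a NAT-exemption ACL that is
defined but never bound with 'nat (<if>) 0 access-list <acl>'.  Only
address statics are parsed; port statics are skipped.  SAMPLE_CONFIG is a
constructed excerpt shaped like the configuration in the post above.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
name 10.103.5.4 K2-FTP0 description K2 FTP Server 0
name 10.1.4.20 NAT-K2-FTP0 description "Public NAT address of K2 FTP Server 0"
name 10.103.1.0 NET description Internal Network Core Subnet
name 10.1.50.0 VPN-POOL description VPN ACCESS
access-list outside_nat0_outbound extended permit ip NET 255.255.255.0 object-group INTERNAL-ALL
ip local pool VPN-POOL 10.1.50.1-10.1.50.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) NAT-K2-FTP0 K2-FTP0 netmask 255.255.255.255 dns
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?")
ACL_RE = re.compile(r"^access-list (\S+) ")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def parse_names(config: str) -> Dict[str, str]:
    """'name <ip> <alias> ...' lines, returned as alias -> ip."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_statics(config: str) -> List[dict]:
    """static (real_if,mapped_if) <mapped> <real> [netmask <mask>] with
    aliases resolved; 'static ... tcp/udp ...' port statics are skipped."""
    names = parse_names(config)
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m or m.group(3) in ("tcp", "udp"):
            continue
        real_if, mapped_if, mapped, real, mask = m.groups()
        out.append({
            "real_if": real_if, "mapped_if": mapped_if,
            "mapped_ip": names.get(mapped, mapped),
            "real_ip": names.get(real, real),
            "netmask": mask or "255.255.255.255",
        })
    return out


def audit_nat_exemption(config: str) -> List[str]:
    """Flag ACLs named like a NAT exemption list ('nat0') that no
    'nat (<if>) 0 access-list' line references, and note when no
    exemption is configured on any interface at all."""
    acls = set()
    bound = {}
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
        m = NAT0_RE.match(line)
        if m:
            bound[m.group(2)] = m.group(1)
    findings = []
    for acl in sorted(acls):
        if "nat0" in acl.lower() and acl not in bound:
            findings.append(f"ACL {acl} looks like a NAT exemption list but is not "
                            f"bound with 'nat (<if>) 0 access-list {acl}'")
    if not bound:
        findings.append("no NAT exemption (nat 0) configured on any interface")
    return findings


if __name__ == "__main__":
    for s in parse_statics(SAMPLE_CONFIG):
        print(f"{s['real_ip']:>14} -> {s['mapped_ip']:<12} ({s['real_if']},{s['mapped_if']})")
    for f in audit_nat_exemption(SAMPLE_CONFIG):
        print("FINDING:", f)
    fixed = SAMPLE_CONFIG + "nat (inside) 0 access-list outside_nat0_outbound\n"
    print("after binding the ACL:", audit_nat_exemption(fixed))
```

    Feed it the full running configuration text rather than the excerpt; on the 8.2 box itself, `show nat` and `show xlate` are the runtime counterparts for confirming which translation a given flow actually took.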

  • Static NAT with IPSec tunnel

    Hi,
    I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has an IPSec tunnel configured back to our main office.  I am fairly new to networking so forgive me if I ask some really silly questions!
    I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
    There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
    From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml).
    So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel, and then configured static NAT statements for each of the four ports these boost boxes need to work.  I configured the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside).
    The configuration can be seen below for the NAT part;
    ! Denies vpn interesting traffic but permits all other
    ip access-list extended NAT-Traffic
    deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
    deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
    deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
    deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
    permit ip any any
    ! create route map
    route-map POLICY-NAT 10
    match ip address NAT-Traffic
    ! static nat
    ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
    Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
    Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
    Many thanks in advance
    Brian

    Hi,
    Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
    Thanks
    Brian
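    The two checks behind Brian's question, as an added example that is not part of the thread: a small Python checker that evaluates the NAT-Traffic ACL the way the route-map's match does, and flags static NAT entries that forward UDP 500/4500 on the same outside IP the router uses for its own IKE peer (assumed here to be 85.233.188.47, as the follow-up post implies; the sample ACL and NAT lines are a constructed subset of the ones posted).

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """IOS 'ADDR WILDCARD' -> network; a 0 bit in the wildcard means 'must match'."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF   # assumes a contiguous mask
    return ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)

def parse_acl(text):
    """Parse 'permit|deny ip SRC WILD DST WILD' ACEs ('any' = 0.0.0.0 255.255.255.255)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.replace(" any", " 0.0.0.0 255.255.255.255").split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, src, swc, dst, dwc = tokens[0], *tokens[2:6]   # tokens[1] is 'ip'
        entries.append((action, wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return entries

def route_map_matches(entries, src_ip, dst_ip):
    """Evaluate like the route-map's 'match ip address': True = NAT applies locally."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:          # first match wins, as in IOS
        if s in src and d in dst:
            return action == "permit"
    return False  # deny or no match: NAT is skipped and the crypto map sees the flow

# UDP ports the router itself uses for the site-to-site tunnel (IKE and NAT-T).
ROUTER_IKE_PORTS = {("udp", 500): "ISAKMP/IKE", ("udp", 4500): "IPsec NAT-T"}

def static_nat_collisions(static_lines, tunnel_ip):
    """Flag static port-forwards whose outside IP/port is the router's own IKE endpoint."""
    hits = []
    for line in static_lines.strip().splitlines():
        t = line.split()   # ip nat inside source static PROTO IN PORT OUT PORT ...
        proto, out_ip, out_port = t[5], t[8], int(t[9])
        if out_ip == tunnel_ip and (proto, out_port) in ROUTER_IKE_PORTS:
            hits.append((proto, out_port, ROUTER_IKE_PORTS[(proto, out_port)]))
    return hits

# Constructed sample input: a subset of the ACL and static NAT lines from the post.
NAT_TRAFFIC_ACL = """
deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip any any
"""
STATIC_NAT = """
ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
"""
```

    Running `static_nat_collisions(STATIC_NAT, "85.233.188.47")` reports the UDP 500 and 4500 entries, which is the overlap with the tunnel's own ISAKMP/NAT-T traffic that a second, unused public IP would avoid.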
