Static NAT to IP that is not local to ASA?

All, I have a doubt about a configuration I am requesting.  I know just a little about ASA myself, but am working with a contractor on this project and he is not sure this can be done or not.
My applciation is this:
- ASA with internet and some public IP. 
- Exisiting internal LAN of 10.10.10.0/24. 
- New voice VLAN 10.10.100.0 on L3 SGE switch doing inter-vlan route between 10.10.100.0/24 and 10.10.10.0/24 via 10.10.10.1 (ASA internal interface)
- ASA will have static route to 10.10.100.0/24 via 10.10.10.254 (data VLAN interface on my L3 switch)  This much is a known working configuration for me to allow voice and data vlans to route and require very little of firewall contractor.
Now I need static NAT of a public IP to my IP PBX on 10.10.100.1.  The doubt I have is if they try to configure this the ASA will not want to make a NAT to 10.10.100.1 because that network does not exist anywhere in the ASA config.
Is there a way to make this work or will it be required/better to use an extra interface no the ASA and make it 10.10.100.0/24 and have the ASA do inter-vlan routing instead of the switch?
Thanks in advance,
Brandon

The inside static route is now working, thank you.  Back to my original question about static NAT.  I just need a public IP to pass all traffic to an internal IP that is on the 10.10.100.0/24 network not directly conencted to the ASA.  I am thinking this would be the command:
static (outside,inside) 10.10.100.1 222.222.222.222 netmask 255.255.255.255
Does that seem correct and can you provide an example of what the ACL would look like?  I want to just allow all traffic now for the purpose of remote IP phones and some admin and mobile apps using various ports.  Once it is tested working I will let the firewall vendor layer security on.
Thanks again,
Brandon

Similar Messages

  • Static NAT inbound correct - Outbound using Interface IP

    Here is the scenario that i have:
    I have a router (2921) that has 2 interfaces:
         G0/0 - WAN - 10.254.1.10
         G0/1 - LAN - 192.168.1.230
    I have a few static NATs for servers that are behind g0/1, this is the only nat config i have except for an 'ip nat inside' and 'ip nat outside' on the interfaces:
         ip nat inside source static 192.168.1.231 10.254.1.11
         ip nat inside source static 192.168.1.232 10.254.1.12
         ip nat inside source static 192.168.1.240 10.254.1.13
    I can connect to each of these on their respective NAT'd IP.
    The issue that i have is when these servers go out they have the interface IP address!  So if i ping a server that is across the way i see
    SRC: 10.254.1.10 DST: 10.1.2.11 Protocol: ICMP
    I do not understand how this would work??  i have no other NAT configuration in the router.

    Here is the NAT table when pinging from the outside to one of the NAT'd servers:
    Pinging from 10.1.2.11 to 10.254.1.13
    Cisco2921#sh ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    --- 10.254.1.11        192.168.1.231      ---                ---
    tcp 10.254.1.12:80     192.168.1.232:80   10.1.2.11:62512    10.1.2.11:62512
    tcp 10.254.1.12:443    192.168.1.232:443  10.1.2.11:62491    10.1.2.11:62491
    tcp 10.254.1.12:443    192.168.1.232:443  10.1.2.11:62493    10.1.2.11:62493
    --- 10.254.1.12        192.168.1.232      ---                ---
    icmp 10.254.1.13:1     192.168.1.240:1    10.1.2.11:1        10.1.2.11:1
    tcp 10.254.1.13:22     192.168.1.240:22   10.1.2.11:62386    10.1.2.11:62386
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62508    10.1.2.11:62508
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62510    10.1.2.11:62510
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62511    10.1.2.11:62511
    icmp 10.254.1.10:21531 192.168.1.240:21531 10.1.2.11:21531   10.1.2.11:21531
    udp 10.254.1.10:38288  192.168.1.240:38288 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:55051  192.168.1.240:55051 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:55383  192.168.1.240:55383 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:58944  192.168.1.240:58944 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:59854  192.168.1.240:59854 10.1.2.1:161      10.1.2.1:161
    --- 10.254.1.13        192.168.1.240      ---                ---
    Here is from an internal server to the same outside host:
    Pinging from 192.168.1.240 to 10.1.2.11
    Cisco2921#sh ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    --- 10.254.1.11        192.168.1.231      ---                ---
    tcp 10.254.1.12:80     192.168.1.232:80   10.1.2.11:62517    10.1.2.11:62517
    tcp 10.254.1.12:443    192.168.1.232:443  10.1.2.11:62491    10.1.2.11:62491
    tcp 10.254.1.12:443    192.168.1.232:443  10.1.2.11:62493    10.1.2.11:62493
    --- 10.254.1.12        192.168.1.232      ---                ---
    tcp 10.254.1.13:22     192.168.1.240:22   10.1.2.11:62386    10.1.2.11:62386
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62515    10.1.2.11:62515
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62516    10.1.2.11:62516
    tcp 10.254.1.13:80     192.168.1.240:80   10.1.2.11:62518    10.1.2.11:62518
    icmp 10.254.1.10:7163  192.168.1.240:7163 10.1.2.1:7163      10.1.2.1:7163
    icmp 10.254.1.10:7184  192.168.1.240:7184 10.1.2.1:7184      10.1.2.1:7184
    icmp 10.254.1.10:11548 192.168.1.240:11548 10.1.2.11:11548   10.1.2.11:11548
    udp 10.254.1.10:38288  192.168.1.240:38288 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:53384  192.168.1.240:53384 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:58383  192.168.1.240:58383 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:58944  192.168.1.240:58944 10.1.2.1:161      10.1.2.1:161
    udp 10.254.1.10:59143  192.168.1.240:59143 10.1.2.1:161      10.1.2.1:161
    --- 10.254.1.13        192.168.1.240      ---                ---

  • STATIC NAT PROBLEM

    Hi All,
    We are having a problem with a static NAT statement and or ACL not allowing traffic to the port configured to the inside host on the LAN.
    NETWORK SETUP
    We have a 3CX IP PBX behind a Pix firewall and need remote hosts to be able to connect to the 3CX over the 3CX tunnel protocol that uses port 5090. 3CX internal IP Address is 172.16.0.254 and the port it is listening on for the tunnel traffic is 5090. We have configured static NAT to the 3CX which is listening on port 5090 and created the ACL and applied this to the Outside interface. 3CX tunnel protocol uses a mixture of TCP and UDP so we have these both configured. Here are the various lines of configuration.
    access-list Outside_In extended permit tcp any host 172.16.0.254 eq 5090
    access-list Outside_In extended permit udp any host 172.16.0.254 eq 5090
    static (Inside,Outside) tcp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
    static (Inside,Outside) udp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
    access-group Outside_In in interface Outside
    ISSUE
    We have configured static NAT to the 3CX which is listening on port 5090 and created an ACL to permit inbound traffic to the 3CX. Inbound traffic is not traversing the firewall and therefore not reaching the 3CX on the inside LAN.
    TROUBLE SHOOTING SO FAR
    We have tried a number of different ACL and NAT configurations, but the above configs are not permitting the traffic through the firewall. We have done a number of captures on the firewall and we can see the traffic from remote hosts getting to the Outside interface, but not traversing to the Inside interface and therefore not reaching the 3CX on the inside LAN. The xlate shows the static NAT entry correctly.
    Any suggestions anyone??
    Regards,

    Hi,
    If you are doing a Static NAT or Static PAT towards the Internet on your ASA or PIX, this is how the different firewall software versions behave
    Software 8.2 and earlier: When you configure a Static NAT / Static PAT and want to allow traffic from the Internet to the NATed host, you use the NAT IP address as the destination IP address in the ACL attached to the "outside" interface you are using.
    Software 8.3 and later: NAT and ACLs changed in the 8.3 software and in those software levels you are required to use the actual real IP address of the host in the ACLs you configure. Using the NAT IP address in the newer software levels wont work anymore.
    As you mentioned your software level to be 8.0 we can see that you need to use the NAT IP address as the destination address of the "outside" interface ACL.
    I guess you could try for example
    access-list Outside_In permit tcp any interface Outside eq 5090
    access-list Outside_In permit udp any interface Outside eq 5090
    You can also use the "packet-tracer" command like I mentioned above to simulate what the firewall would do to the traffic.
    The command tested could be for example
    packet-tracer input Outside tcp 1.2.3.4 1234 5090
    The only situation where I could see the need to use the real IP address in the ACL statement of the "outside" interface would be if you had a L2L VPN / Site-to-Site VPN configured between your firewall and the remote end. But as I cant see your configuration I dont know if thats the case. Though since you have configured Static PAT to use the public IP address of your firewalls "outside" interface it would lead me to believe that you are trying to open/share this service from the LAN device to the Internet.
    Guess you could next try the above mention ACL lines I listed and test the traffic again. Also the "packet-tracer" command should tell you if theres any problems with your firewall configurations.
    - Jouni

  • NAT issue - (over same link) static-NAT works but PAT (for rest of hosts) does not !

    Hello fellow engineers!
    I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make-out what the problem is…
    Scenario description:
    2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-int’f (router-on-a-stick is implemented).    The router has two other WAN (Internet) connections via a Satelite link and a MetroEthernet link.   These two are terminated on the switch on intf’s at the appropriate VLAN’s.   At attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks.   The aDSL and Metro links have an 8-IP public set, each.
    Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used.    VLAN/subnet (all /24) pairs are:
    VLAN 11 -> 10.0.1.x
    VLAN 12 -> 10.0.2.x
    VLAN 13 -> 10.0.3.x
    VLAN 71 -> 192.168.17.x
    VLAN 204 -> 172.16.204.x
    and – last but not least ! – VLAN 10 -> 10.0.0.x
    All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).
    Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected.   So does the PAT for hosts of all other VLAN’s (11, 12, 13, …).   The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !
    What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests !   Nothing else !   To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !
    Could pls someone spot what I’m missing !!
    To help you I also attach the router config and some command outputs…
    All help is appreciated.
    Thanx
    Costas

    That last PBR statement
    (route-map 10.0.0.X_hosts_PBR permit 70
     description *** rest of 10.0.0.x net --> Oxygen ***
     match ip address rest_of_10.0.0.x
     set ip next-hop 212.251.64.153)
    was not there in the first place - I got it there assuming it would help but it didn't.   Actually - as mentioned - it does not get any hits !
    (route-map 10.0.0.X_hosts_PBR, permit, sequence 255
      Match clauses:
        ip address (access-lists): rest_of_10.0.0.x
      Set clauses:
        ip next-hop 212.251.64.153
      Policy routing matches: 0 packets, 0 bytes)

  • Static NAT pass-through; can not get to work

    I am not having any luck getting a static NAT pass-through to work.
    BM3.8/NW6.5 all patched to the latest patches (no betas). IPFLT is NOT
    loaded.
    My internal network on one LAN all have 10.100.xxx.xxx private addresses.
    Dynamic NAT works great.
    I have secondary public IP addresses bound to my public NIC. Static NAT
    mapping between the secondary public IP addresses and the couple of
    individual private addresses work just fine. In other words, all has been
    working fine.
    I need to give one of those internal resources its public IP address
    (change it's private to its public).
    OK, I went into the NAT table and changed the proper public <-> private to
    public <-> public (identical addresses). I changed the internal computer
    to it's public address/mask with the same default gateway the server is
    using. The internal computer can now only ping itself; can't even ping
    it's default gateway. I did reinitialize, and also restarted. I can not
    get the pass-through connection to work.
    Any thoughts will be well received.
    Bob

    Robert,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://support.novell.com/forums)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://support.novell.com/forums/faq_general.html
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Static NAT not working

    Hi,
    I'm configuring a 1841 router with 4-port FE WIC card.
    Interface FE0/1 is outside and FE0/0/0 (WIC) is used for LAN connection.
    I'm using dinamic NAT for LAN users access to Internet and static NAT to connect to internal servers from external network.
    In my test configuration, I cannot connect to LAN (192.168.0.0/24) from external network. Dinamic NAT, though, is working fine.
    My config follows. Am I missing something? Hope someone can help me.
    Thanks in advance.
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
    ip address 10.10.10.1 255.255.255.248
    duplex auto
    speed auto
    interface FastEthernet0/1
    description $ETH-LAN$
    ip address 192.168.2.2 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/0/0
    interface FastEthernet0/0/1
    interface FastEthernet0/0/2
    interface FastEthernet0/0/3
    interface Vlan1
    ip address 192.168.0.6 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 192.168.0.1 23 interface FastEthernet0/1 23
    ip nat inside source static tcp 192.168.0.5 5900 interface FastEthernet0/1 5900
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 2 remark SDM_ACL Category=2
    access-list 2 permit 192.168.0.18 0.0.0.128

    Albert
    It looks to me like your NAT is working. I get similiar results in my NAT table.
    2600_connect#sh ip nat trans
    Pro Inside global Inside local Outside local Outside global
    1) icmp 172.16.1.9:4388 10.15.1.2:4388 10.5.1.1:4388 10.5.1.1:4388
    2) tcp 172.16.1.9:23 10.15.1.3:23 172.16.1.10:62274 172.16.1.10:62274
    3) tcp 172.16.1.9:23 10.15.1.3:23 --- ---
    Line 1) is a dynamic translation from inside to outside for ping.
    Line 2) is the dynamic entry builti when i telnet from outside (172.16.1.10)
    to 172.16.1.9 (which gets Natted to 10.15.1.3)
    Line 3) is the permanent static translation that gets entered when from the
    config line "ip nat source static tcp 10.15.1.3 23 interface fa0/1 23"
    Relevant Router config
    ======================
    interface FastEthernet0/0
    description Connection to CR02
    ip address 10.15.1.1 255.255.255.240
    ip nat inside
    ip pim dense-mode
    no ip route-cache
    speed 100
    full-duplex
    interface FastEthernet0/1
    description Connection to P1
    ip address 172.16.1.9 255.255.255.248
    ip nat outside
    ip pim dense-mode
    no ip route-cache
    speed 100
    full-duplex
    router eigrp 20
    redistribute connected
    redistribute static
    network 10.0.0.0
    network 172.16.0.0
    no auto-summary
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 10.15.1.3 23 interface FastEthernet0/1 23
    ip classless
    access-list 1 permit 10.15.1.0 0.0.0.15
    =====================
    Are you sure it is a natting problem ?
    Jon

  • Building an application that does not use any local program files or libraries

    I need to build an application that will not use any local libraries or LabView program files(even if LabView is installed on the PC). I also am curious if anyone knows if there is a way to debug such an application(in it's compiled state).
    Any help on these topics would be greatly appreciated.
    -Nate
    Solved!
    Go to Solution.

    Hello,
    I am unclear on what you are trying to accomplish here. As the previous poster mentioned, if you enable debugging when building your application, you can remotely connect and probe the block diagram of the running executable. Executables use the run-time engine but could also access drivers or other run-times if using a specialized toolkit/module. This all depends on your application.
    -Zach
    Certified LabVIEW Developer

  • Upload image that is not in local file system

    We have an abomination of a project where we are trying to upload employee images into our main 'People' form. The only issue is that the images exist on a SQL Server database. I can get the images onto the Oracle server easily enough but the functionality does not exist to browse to a remote server, just the local machine. Has anyone had to do something like this before? If it was just a few images we could FTP them to a mapped drive and do it 1 by 1 but we are talking about 15000 images so that is not an avenue we would care to explore. Any advice would be welcome.

    Hi,
    Please see if these threads help.
    API to load images for
    API to load images for
    Employee Photo Upload in HRMS
    Employee Photo Upload in HRMS
    Dispay employee pictures in Employee Self Service screen
    Dispay employee pictures in Employee Self Service  screen
    Regards,
    Hussein

  • What is the command to verify the configuration that are not saved or sent to local controllers?

    Q: What is the command to verify the configuration that are not saved or sent to local controllers?
    A: We can execute the command that is shown in below image to check the status of the configuration that has been made.
    Note: For example I made changes to the default VAP profile and executed the command "show master-configpending" which shows the pending configuration to be saved/sent to local controllers.

    But that jar file loads without images and icons when it is in other directory.Images should be accessed via a URL rather than using a filename because they will exist as entries in the jar archive not as files. Typically this URL would be obtained by using the Class method [getResource()|http://java.sun.com/javase/6/docs/api/java/lang/Class.html#getResource(java.lang.String)]. There are details in this [Java World article|http://www.javaworld.com/javaworld/javaqa/2002-11/02-qa-1122-resources.html].

  • Are there any apps which will allow local calling using data only that do not require any special numbers called out initially and does not require the receiver to have a similar app or account?

    Are there any apps which will allow local calling using data only (not minutes, no extra charge) that do not require any special numbers called out initially and does not require the receiver to have a similar app or account?  Just for random local calling.

    Yup.
    Here is a way you could solve this by adding an extra column and a small lookup table:
    The lookup table is here for the copying:
    0
    1
    k
    kilo
    2
    M
    mega
    3
    G
    giga
    4
    T
    tera
    5
    P
    peta
    6
    E
    exa
    7
    Z
    zetta
    8
    Y
    yotta
    In table 8 (the one on the left in the image) column A is where the values are. 
    B1=A1÷(1024^VLOOKUP(INT(LOG(A1, 1024)), Binary Prefixes::A:D, 1))&" "&VLOOKUP(INT(LOG(A1, 1024)), Binary Prefixes::A:D, 2)&"B"
    this is shorthand for... select cell B1, then type (or copy and paste from here) the formula:
    =A1÷(1024^VLOOKUP(INT(LOG(A1, 1024)), Binary Prefixes::A:D, 1))&" "&VLOOKUP(INT(LOG(A1, 1024)), Binary Prefixes::A:D, 2)&"B"
    select cell B1, copy,
    now select all the cells in column B, paste

  • I travel for work and use iCloud - I can not use back to my mac because i use a Verizon MiFi wireless that does not have NAT-PMP or UPnP. Does anyone know of a way to get around this problem

    I travel for work and use iCloud - I can not use back to my mac because i use a Verizon MiFi wireless that does not have NAT-PMP or UPnP. Does anyone know of a way to get around this problem

    All ISP-provided equipment is junk. You could get a decent router and connect it to the Verizon router in bridge mode. It should cost about $ 30.

  • The feature: "The edition of Reporting Services that you are using requires that you use local SQL Server relational databases for report data sources and the report server database." is not supported in this edition of Reporting Services.

    Hello all,
    I have SQL express 2014 advance edition installed ..
    and i am connecting SQl server 2008 r2 instance which is in network 
    while creating datasource in Reportserver which has Express installed ..
    got this error ..
    please help me how to connect to remote server
    Dilip Patil..

    Error message says it all.
    With SQL Express, Data source should be local SQL DB.
    With SQL Enterprise, Standard, BI edition, you can create Data soruce which are hosted on other servers.
    Please refer similar thread:
    https://social.msdn.microsoft.com/Forums/en-US/c0468e3f-bad7-47a7-a695-75c13762280a/the-feature-the-edition-of-reporting-services-that-you-are-using-requires-that-you-use-local-sql?forum=sqlreportingservices
    Cheers,
    Vaibhav Chaudhari
    [MCTS],
    [MCP]

  • Static NAT to two servers using same port

    I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
    I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
    Any help would be very much appreciated.
    Thanks,
    - Mike                  

    Hi,
    Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
    On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port is coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
    I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain is this a stable solution. I would imagine it could not be recomended for a production environment setup.
    But nevertheless its a possibility.
    So you would need the newer software on your firewall but I am not sure what devce you are using and what software its using.
    - Jouni

  • How to configure Multiple static NATs

    Hi,
    I am trying to configure a Cisco 871 router.
    I have 3 servers on my network that need static public IPs but also still need to communicate on the local network.
    I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.
    I can access those servers internally using the public IPs but not from outside the network. A tracroute from outside the network gets dropped when it gets to my ISP.
    I've never configured more than one static ip for a network before and i know i've just missed a step here. Do I also need to set up static routes? Will that update the next hop's routing table?
    Thanks in advance for any help.

    You can execute multiple apply processes ( parallel parameter ). It is pretty much scalable.
    There is one thing why 2 propagate processes can be helpfull: I consulted one client with different reqs for replication delivery for different tables. In this case you can create 2 propagate processes in different schemas (with different db links).
    For maitainence point of view one propagation and one apply is better
    Regards,
    SergeR

  • ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP

    Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is.  My guess right now is that it has something to do with dynamic PAT.
    Essentially, I have a block of 5 static public IP's.  I have 1 assigned to the interface and am using another for email/webmail.  I have no problems accessing the internet, receving emails, etc...  The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT.  I would really appreciate if anyone could help shed some light as to why this is happening for me.  I always thought a static nat should take precidence in the order of things.
    Recap:
    IP 1 -- 10.10.10.78 is assigned to outside interface.  Dynamic PAT for all network objects to use this address when going out.
    IP 2 -- 10.10.10.74 is assgned through static nat to email server.  Email server should respond to and send out using this IP address.
    Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
    Thanks in advance for anyone that reads this and can lend a hand.
    - Justin
    Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
    ASA Version 8.4(3)
    hostname MYHOSTNAME
    domain-name MYDOMAIN.COM
    enable password msTsgJ6BvY68//T7 encrypted
    passwd msTsgJ6BvY68//T7 encrypted
    names
    interface Ethernet0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 10.10.10.78 255.255.255.248
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name MYDOMAIN.COM
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network inside-network
    subnet 192.168.2.0 255.255.255.0
    object network Email
    host 192.168.2.7
    object network Webmail
    host 192.168.2.16
    object network WebmailSecure
    host 192.168.2.16
    access-list inside_access_out extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
    access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
    access-list outside_access_in extended deny icmp any any
    access-list outside_access_in extended permit tcp any object Email eq smtp
    access-list outside_access_in extended permit tcp any object Webmail eq www
    access-list outside_access_in extended permit tcp any object WebmailSecure eq https
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Email
    nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
    object network Webmail
    nat (inside,outside) static 10.10.10.74 service tcp www www
    object network WebmailSecure
    nat (inside,outside) static 10.10.10.74 service tcp https https
    access-group outside_access_in in interface outside
    access-group inside_access_out out interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server MYDOMAIN protocol kerberos
    aaa-server MYDOMAIN (inside) host 192.168.2.8
    kerberos-realm MYDOMAIN.COM
    aaa-server MYDOMAIN (inside) host 192.168.2.9
    kerberos-realm MYDOMAIN.COM
    aaa-server MY-LDAP protocol ldap
    aaa-server MY-LDAP (inside) host 192.168.2.8
    ldap-base-dn DC=MYDOMAIN,DC=com
    ldap-group-base-dn DC=MYDOMAIN,DC=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
    server-type microsoft
    aaa-server MY-LDAP (inside) host 192.168.2.9
    ldap-base-dn DC=MYDOMAIN,DC=com
    ldap-group-base-dn DC=MYDOMAIN,DC=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
    server-type microsoft
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.2.0 255.255.255.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    email [email protected]
    subject-name CN=MYHOSTNAME
    ip-address 10.10.10.78
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate e633854f
        30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
        0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
        2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
        f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
        4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
        355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
        2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
        f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
        4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
        aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
        f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
        0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
        78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
        03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
        0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
        0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
        02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
        d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
        e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
        5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
        781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 enable inside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 20
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 192.168.2.8 source inside prefer
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    enable inside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
    anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    group-policy GroupPolicy_VPN internal
    group-policy GroupPolicy_VPN attributes
    wins-server value 192.168.2.8 192.168.2.9
    dns-server value 192.168.2.8 192.168.2.9
    vpn-filter value VPN_Split_Tunnel_List
    vpn-tunnel-protocol ikev2 ssl-client
    group-lock value VPN
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Split_Tunnel_List
    default-domain value MYDOMAIN.COM
    webvpn
      anyconnect profiles value VPN_client_profile type user
    group-policy GroupPolicy-VPN-LAPTOP internal
    group-policy GroupPolicy-VPN-LAPTOP attributes
    wins-server value 192.168.2.8 192.168.2.9
    dns-server value 192.168.2.8 192.168.2.9
    vpn-filter value VPN_Split_Tunnel_List
    vpn-tunnel-protocol ikev2
    group-lock value VPN-LAPTOP
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Split_Tunnel_List
    default-domain value MYDOMAIN.COM
    webvpn
      anyconnect profiles value VPN_client_profile type user
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    authentication-server-group MYDOMAIN
    default-group-policy GroupPolicy_VPN
    dhcp-server 192.168.2.8
    dhcp-server 192.168.2.9
    dhcp-server 192.168.2.10
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    tunnel-group VPN-LAPTOP type remote-access
    tunnel-group VPN-LAPTOP general-attributes
    authentication-server-group MY-LDAP
    default-group-policy GroupPolicy-VPN-LAPTOP
    dhcp-server 192.168.2.8
    dhcp-server 192.168.2.9
    dhcp-server 192.168.2.10
    tunnel-group VPN-LAPTOP webvpn-attributes
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    class class-default
      user-statistics accounting
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:951faceacf912d432fc228ecfcdffd3f

    Hi ,
    As per you config :
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Email
    nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
    object network Webmail
    nat (inside,outside) static 10.10.10.74 service tcp www www
    object network WebmailSecure
    nat (inside,outside) static 10.10.10.74 service tcp https https
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network inside-network
    subnet 192.168.2.0 255.255.255.0
    object network Email
    host 192.168.2.7
    object network Webmail
    host 192.168.2.16
    object network WebmailSecure
    host 192.168.2.16
    The flows from email server ( 192.168.2.7 ) , will be NATed to 10.10.10.74, only if the source port is TCP/25. Any other souce port will use the interface IP for NAT.
      Are you saying that this is not happening ?
    Dan

Maybe you are looking for

  • Operating system timestamps

    Can I get a timestamp directly from the OS, and if so how accurate is it?  Is there a known delay in getting it from the OS?

  • Object id for BP Internal reconciliation and SPTN

    Hi expert, Can any one help, What is the Object id for BP Internal reconciliation SAP B1? We want to make SPTN notification if any BP reconciliation customer/supplier code are not matching then system block for reconciliation. Thanks in Advance. Rega

  • Missing songs in playlists

    My iTunes shows 2400 items. My iPod shows 2100 songs. I think that would mean that there are 300 songs that are not in the lPod. Is there any way, short of checking each and every song manually, to find out which songs are not assigned to a playlist?

  • Can't Connect to WiFi Network After Changing Encryption

    I have an iPod Touch that no longer connects to my wifi network at home. Some background: I have an aipport extreme base station with three XP laptops, an iMac and a printer connected to it wirelessly. I use a WPA Personal password. My wife's iPhone

  • Developer Forms 10g Release 2

    i have installed developer forms 10g release 2 on my pc. i logged in as a scott user. i have created a form and a block of emp table. when i am going to run the form it will give me TNS:12560 : application protocol error. and ask for username/passwor