Static Nat translation
There is one config that I cannot figure out how to translate over...
ip nat inside source static 10.4.200.29 27.166.58.194
ip nat inside source static 10.4.200.25 27.166.58.195
How do I do this on the ASA 8.2.5? (came from a 2800 router running ver 12.3(8r))
Hello Shaun,
Yeah, You are missing the ACL.
On an ASA, when going from a lower security level to a higher one, an ACL is required in order for the traffic to be allowed.
access-list out-in permit tcp any host 27.x.x.x eq 80
access-group out-in in interface outside
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at [email protected]
Cheers,
Julio Carvajal Segura
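As an added illustration (not code from the thread), the helper below turns the two IOS lines from the question into the ASA 8.2 pieces the reply is pointing at: the `static (inside,outside)` statement plus the inbound ACL and its `access-group`. It also handles the port-forward forms that appear later on this page (fixed global IP, and the IOS `interface` keyword, which ASA 8.2 spells `interface` as well). The interface names, the ACL name `out-in` and the list of ports to open are assumptions; a 1:1 static on its own permits nothing inbound until the ACL does.

```python
"""Translate IOS 'ip nat inside source static' lines into ASA 8.2 syntax.

Added example, not code from the thread.  Interface names, the ACL name
"out-in" and the ports opened for a 1:1 static are assumptions.
"""

NETMASK = "netmask 255.255.255.255"


def parse_ios_static(line):
    """Return a dict describing one IOS static NAT line, or None if the line
    is some other config statement."""
    tokens = line.split()
    if tokens[:5] != ["ip", "nat", "inside", "source", "static"]:
        return None
    rest = tokens[5:]
    if len(rest) == 2:                                   # <local> <global>
        return {"proto": None, "local": rest[0], "lport": None,
                "global": rest[1], "gport": None}
    if len(rest) == 5 and rest[0] in ("tcp", "udp"):     # <proto> <local> <lport> <global> <gport>
        return {"proto": rest[0], "local": rest[1], "lport": int(rest[2]),
                "global": rest[3], "gport": int(rest[4])}
    if len(rest) == 6 and rest[0] in ("tcp", "udp") and rest[3] == "interface":
        # <proto> <local> <lport> interface <ifname> <gport>: ASA 8.2 writes
        # "use the outside interface address" as the keyword "interface"
        return {"proto": rest[0], "local": rest[1], "lport": int(rest[2]),
                "global": "interface", "gport": int(rest[5])}
    raise ValueError(f"unsupported static NAT line: {line!r}")


def asa_static(rule, inside="inside", outside="outside"):
    """ASA 8.2 'static' statement equivalent to one parsed IOS rule
    (mapped address first, then real address)."""
    if rule["proto"] is None:
        return f"static ({inside},{outside}) {rule['global']} {rule['local']} {NETMASK}"
    return (f"static ({inside},{outside}) {rule['proto']} {rule['global']} {rule['gport']} "
            f"{rule['local']} {rule['lport']} {NETMASK}")


def asa_acl(rule, acl="out-in", outside="outside", open_ports=()):
    """ACL entries that let outside hosts reach the mapped address.  A port
    forward opens exactly its port; a 1:1 static opens only the TCP ports the
    caller lists, so an unlisted service stays closed even though it is
    translated."""
    dest = "interface " + outside if rule["global"] == "interface" else "host " + rule["global"]
    if rule["proto"] is not None:
        return [f"access-list {acl} extended permit {rule['proto']} any {dest} eq {rule['gport']}"]
    return [f"access-list {acl} extended permit tcp any {dest} eq {p}" for p in open_ports]


def migrate(ios_lines, inside="inside", outside="outside", acl="out-in", open_ports=()):
    """Return (static statements, ACL lines + access-group binding) for every
    static NAT line found in the given IOS config lines."""
    statics, acl_lines = [], []
    for line in ios_lines:
        rule = parse_ios_static(line.strip())
        if rule is None:
            continue
        statics.append(asa_static(rule, inside, outside))
        acl_lines.extend(asa_acl(rule, acl, outside, open_ports))
    if acl_lines:
        acl_lines.append(f"access-group {acl} in interface {outside}")
    return statics, acl_lines


if __name__ == "__main__":
    # The two lines from the question plus a constructed port forward to the
    # interface address, in the style seen later in the thread.
    sample = [
        "ip nat inside source static 10.4.200.29 27.166.58.194",
        "ip nat inside source static 10.4.200.25 27.166.58.195",
        "ip nat inside source static tcp 192.168.0.5 5900 interface FastEthernet0/1 5900",
    ]
    for block in migrate(sample, open_ports=(80,)):
        print("\n".join(block), end="\n\n")
```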
Similar Messages
-
ASA 8.2.1 static nat translation
Hello,
i want to ask for this:
On ASA version 8.2.1 is configured static translation like this:
static (Inside,Outside) 5.5.5.100 192.168.1.5 netmask 255.255.255.255
which is a static 1:1 mapping between the Outside and Inside IP.
This translation creates a mapping from outside to the local PC. But it translates, for example, RDP session port 3389 to port 3389, which is not a very good solution (I can use access-lists to restrict access from outside of course, but it is a bit limiting)...
So I want to have an "exception" only for one port, to map it to another port on this public IP, and use the others with no change.
I can do: static (Inside,Outside) tcp 5.5.5.100 123456 192.168.1.5 3389 netmask 255.255.255.255, but I can't use it together with the 1:1 static statement.
Maybe I can use:
global (outside) 2 5.5.5.100
nat (Inside) 2 access_list PC
access-list PC extended permit ip host 192.168.1.5 any
and then static (Inside,Outside) tcp 5.5.5.100 123456 192.168.1.5 3389 netmask 255.255.255.255
But is this the right way to deal with this problem?
Thank you very much.
Why do you need the 1 to 1 static for that PC if you just want to do port forwarding? Is there some requirement that the desktop has a static IP address on the public internet?
If you must keep the 1 to 1, you can pretty easily change the port that PC listens on for remote desktop. That policy NAT example you have might work also.
-
VPN Server under Static NAT. Any advices?
Hi there,
Is it possible to setup a VPN server in DMZ under a static NAT translation? I have 2911 as an edge router, another 2951 as a firewall with four zones - inside1, inside2, outside, dmz. All IP addressing between edge and firewall is private. The web and mail servers are working in DMZ under static NAT. The question is - can I also setup VPN server in DMZ under the static NAT? The clients establishing VPN tunnels will work with DMZ servers (other servers) only. Thanks!
We featured your question on the Cisco Support Community Facebook page. Check out some of the responses here: http://www.facebook.com/CiscoSupportCommunity/posts/269198139851698
Posted by WebUser Cisco NetPro from Cisco Support Community App
-
Hi,
I've currently got an issue where I have a device configured with static nat that is trying to communicate to a nat'd ip address of a device in the same subnet.
I'm getting "No translation group found for tcp src sourceip/80 dst destip/80".
I'm not 100% which areas of the config to post.
Cheers,
Neil
Did you set the interface binding order correctly or to match the previous server?
DNS: Valid network interfaces should precede invalid interfaces in the binding order
http://technet.microsoft.com/en-us/library/dd391967(v=WS.10).aspx
Modify the protocol bindings and network provider order
http://technet.microsoft.com/en-us/library/cc732472(v=WS.10).aspx
An incorrect IP address is returned when you ping a server by using its NetBIOS name in Windows Server 2008 or in Windows Server 2008 R2
http://support2.microsoft.com/kb/981953
You can view your current binding order by using this script, but please note, that I haven't tried this script, yet:
Show NIC Binding Order
http://gallery.technet.microsoft.com/scriptcenter/Get-NIC-Binding-Order-a2dc8087
Also, prior to setting up the teams, make sure that the NIC is set to obtain IP automatically and not have a static entry on it. I've seen this cause problems in the past.
If you have any unused NICs, such as Local Area Connection 2, don't just unplug them. You must disable them, otherwise they will try to register the APIPA in DNS and that will cause problems.
Make sure that the correct DNS are on the interfaces that you need to use, too.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Static NAT with port translation
Hello All,
I have a server running a web application on 443 and now I want to publish it on the Internet with static NAT, just for port 443. I am thinking that the following configuration should be fine; can anyone comment on it?
10.1.1.2:443 10.1.1.1 2.2.2.5
Server -------------------------- ASA --------------------- Internet router --Cloud
Config I am planning
static (inside, outside) tcp 2.2.2.2 443 10.10.10.10 443 netmask 255.255.255.255
Thanks
JD
Thanks Harish and Jouni,
I am using an extra Public IP. I want to know why "dns" is at the end of the access list? I got confused by the ACL as I was looking at the ASA packet flow:
A/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Lev)
1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.
2. UN-NAT - [static] -
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [rpf-check] -
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
10. ROUTE-LOOKUP - [output and adjacency]
access-list OUTSIDE-IN permit tcp any host eq 443 - suggested by you
but if I go by the flow which I have come to know, it should be like
access-list OUTSIDE-IN permit tcp any host eq 443
What is your opinion?
Thanks
Jagdev
-
Remote Access VPN, no split tunneling, internet access. NAT translation problem
Hi everyone, I'm new to the forum. I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices. The configuration has been working without issues for the last couple years.
I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
I reviewed the new NAT rules for the VPN and found the culprit.
I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
Here are the NAT rules I have in place: (The "inactive" rule is the culprit. As soon as I enable this rule, the port forwarding hits a wall)
nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN_Subnet interface inactive
object network obj_any
nat (inside,outside) dynamic interface
object network XXX_HTTP
nat (inside,outside) static interface service tcp www www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
Any help would be appreciated.
Try changing the nat rule to: nat (outside,outside) after-auto source dynamic VPN_Subnet interface
With Regards,
Safwan
-
How to configure Multiple static NATs
Hi,
I am trying to configure a Cisco 871 router.
I have 3 servers on my network that need static public IPs but also still need to communicate on the local network.
I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.
I can access those servers internally using the public IPs but not from outside the network. A traceroute from outside the network gets dropped when it gets to my ISP.
I've never configured more than one static IP for a network before and I know I've just missed a step here. Do I also need to set up static routes? Will that update the next hop's routing table?
Thanks in advance for any help.
You can execute multiple apply processes (parallel parameter). It is pretty much scalable.
There is one thing why 2 propagate processes can be helpful: I consulted one client with different reqs for replication delivery for different tables. In this case you can create 2 propagate processes in different schemas (with different db links).
From a maintenance point of view one propagation and one apply is better.
Regards,
SergeR
-
Static-nat and vpn tunnel bound traffic from same private address?
Hi guys,
I have a site-to-site tunnel, local host @192.168.0.250 and remote host @172.16.3.3.
For this local host @192.168.0.250, I also have a static one-to-one private-to-public.
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
As you can see, the IPSec SA shows the end-points in question and traffic is being decrypted but not encrypted; host traffic never enters the tunnel, why?
How can I resolve this problem, without complicating the setup ?
BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside-50
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 mgmt-192
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group mgmt_intf in interface mgmt-192
access-list mgmt_intf extended permit icmp any any
access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
NAT exempt
translate_hits = 5, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
nat-control
match ip mgmt-192 host 192.168.0.250 outside-50 any
static translation to 216.9.50.250
translate_hits = 25508, untranslate_hits = 7689
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
nat-control
match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
static translation to 192.168.0.0
translate_hits = 28867754, untranslate_hits = 29774713
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1623623685, packet dispatched to next module
Result:
input-interface: mgmt-192
input-status: up
input-line-status: up
output-interface: outside-50
output-status: up
output-line-status: up
Action: allow
BurlingtonASA1#
Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3
local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
current_peer: 216.9.62.4
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 37CA63F1
current inbound spi : 461C843C
inbound esp sas:
spi: 0x461C843C (1176273980)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3914997/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x003FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x37CA63F1 (936010737)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 77398016, crypto-map: map1
sa timing: remaining key lifetime (kB/sec): (3915000/25972)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi
interesting VPN ACL
object-group network DM_INLINE_NETWORK_18
network-object YYY.YYY.YYY.0 255.255.255.0
object-group network DM_INLINE_NETWORK_22
network-object UUU.UUU.UUU.0 255.255.255.0
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
Static NAT
static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
No NAT
object-group network DM_INLINE_NETWORK_20
network-object UUU.UUU.UUU.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
VPN CLient Pool
No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
I hope this helps
Thanks
-
Hello fellow engineers!
I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make out what the problem is…
Scenario description:
2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-int’f (router-on-a-stick is implemented). The router has two other WAN (Internet) connections via a Satellite link and a MetroEthernet link. These two are terminated on the switch on intf’s at the appropriate VLAN’s. At the attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks. The aDSL and Metro links have an 8-IP public set, each.
Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used. VLAN/subnet (all /24) pairs are:
VLAN 11 -> 10.0.1.x
VLAN 12 -> 10.0.2.x
VLAN 13 -> 10.0.3.x
VLAN 71 -> 192.168.17.x
VLAN 204 -> 172.16.204.x
and – last but not least ! – VLAN 10 -> 10.0.0.x
All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).
Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected. So does the PAT for hosts of all other VLAN’s (11, 12, 13, …). The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !
What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests ! Nothing else ! To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !
Could someone please spot what I’m missing!!
To help you I also attach the router config and some command outputs…
All help is appreciated.
Thanx
Costas
That last PBR statement
(route-map 10.0.0.X_hosts_PBR permit 70
description *** rest of 10.0.0.x net --> Oxygen ***
match ip address rest_of_10.0.0.x
set ip next-hop 212.251.64.153)
was not there in the first place - I got it there assuming it would help but it didn't. Actually - as mentioned - it does not get any hits !
(route-map 10.0.0.X_hosts_PBR, permit, sequence 255
Match clauses:
ip address (access-lists): rest_of_10.0.0.x
Set clauses:
ip next-hop 212.251.64.153
Policy routing matches: 0 packets, 0 bytes)
-
Static NAT with two outside interfaces
I have a router, which performs NAT on two outside interfaces with load balancing and had a task to allow inbound connection to be forwarded to the specific host inside on a well known port.
Here is an example:
interface Fas0/0
ip nat outside
interface Fas0/1
ip nat outside
interface Vlan1
ip nat inside
ip nat inside source route-map rm_isp1 pool pool_isp1
ip nat inside source route-map rm_isp2 pool pool_isp2
All worked fine.
Then I tried to add a static NAT:
ip nat inside source static tcp 10.0.0.1 25 interface Fas0/0 25
ip nat inside source static tcp 10.0.0.1 25 interface Fas0/1 25
and as a result only the last static NAT line appeared in the config.
The solution was to use the interfaces' IPs instead of names. That helped, but isn't that a bug?
In this scenario, we are trying to access a mail server located at 10.0.0.1 from outside and we have two outside IPs, let's say, 71.1.1.1 and 69.1.1.1.
With CEF Enabled
Packet comes in to the Fa0/0 interface with Source IP 66.x.x.x and Destination IP 71.1.1.1. Our NAT rule translates this to 10.0.0.1. Packet goes to 10.0.0.1. The return packet goes to the LAN interface first and the routing rule is determined *before* the packet is translated.
Packet source IP at this point is 10.0.0.1 and destination is 66.x.x.x. Now, based on CEF, it will go out via Fa0/0 or Fa0/1, irrespective of the way it came in. Because of this, with CEF enabled this will not work. CEF is per-destination.
So, let's say somebody on the outside tried to access this server using 71.1.1.1; then he would expect a reply from 71.1.1.1, which may or may not be true as the traffic could be NAT'd to 69.1.1.1 or 71.1.1.1.
If it gets the reply packet from 71.1.1.1, it should work.
If it gets it from 69.1.1.1, it will simply drop it as it never sent a packet to 69.1.1.1.
With CEF and Fast Switching Disabled
Same steps as above, only that the packet is sent to the process level to be routed. At this point, the packets will be sent out in a round robin fashion. One packet will go out via the Fa0/0 and the other via the Fa0/0. This will have a constant 50% packet loss and is also not a viable solution.
So, what you are trying to achieve is not possible on a Cisco router.
HTH,
Amit Aneja
-
Static NAT - VPN - Internet Access
Does anyone know how to configure the following?
1. A static NAT from an inside IP address to another inside IP address (not a physical subnet).
2. The traffic static NATted at step 1 needs to go into a VPN tunnel and at the same time have internet access.
My router just have two interfaces a WAN and a LAN.
I just created the VPN, the static NAT and the PAT for other users of the subnet to have internet access, but the traffic static NATted just goes over the IPsec tunnel and cannot get internet access.
I tried to apply a route map after the static NAT command, but since I do not have a physical interface in the same subnet where I am translating, the route-map is not applied to the static NAT command.
in an extract:
LAN traffic (specific server) --->> static nat to inside not real subnet --->> traffic goes over Tunnel (OK), but no internet access.
BTW, I need to configure the NAT before the IPsec tunnel because both LAN subnets of the IPsec tunnel endpoints are the same.
Why do you need an inside host to be NATted to another inside IP address?
You need to configure a "no nat" policy for the internet traffic.
-
Hi,
I'm configuring a 1841 router with 4-port FE WIC card.
Interface FE0/1 is outside and FE0/0/0 (WIC) is used for LAN connection.
I'm using dynamic NAT for LAN users' access to the Internet and static NAT to connect to internal servers from the external network.
In my test configuration, I cannot connect to the LAN (192.168.0.0/24) from the external network. Dynamic NAT, though, is working fine.
My config follows. Am I missing something? Hope someone can help me.
Thanks in advance.
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 10.10.10.1 255.255.255.248
duplex auto
speed auto
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0/0
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Vlan1
ip address 192.168.0.6 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.1 23 interface FastEthernet0/1 23
ip nat inside source static tcp 192.168.0.5 5900 interface FastEthernet0/1 5900
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.18 0.0.0.128
Albert
It looks to me like your NAT is working. I get similar results in my NAT table.
2600_connect#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
1) icmp 172.16.1.9:4388 10.15.1.2:4388 10.5.1.1:4388 10.5.1.1:4388
2) tcp 172.16.1.9:23 10.15.1.3:23 172.16.1.10:62274 172.16.1.10:62274
3) tcp 172.16.1.9:23 10.15.1.3:23 --- ---
Line 1) is a dynamic translation from inside to outside for ping.
Line 2) is the dynamic entry built when I telnet from outside (172.16.1.10) to 172.16.1.9 (which gets NATted to 10.15.1.3).
Line 3) is the permanent static translation that gets entered from the config line "ip nat source static tcp 10.15.1.3 23 interface fa0/1 23".
Relevant Router config
======================
interface FastEthernet0/0
description Connection to CR02
ip address 10.15.1.1 255.255.255.240
ip nat inside
ip pim dense-mode
no ip route-cache
speed 100
full-duplex
interface FastEthernet0/1
description Connection to P1
ip address 172.16.1.9 255.255.255.248
ip nat outside
ip pim dense-mode
no ip route-cache
speed 100
full-duplex
router eigrp 20
redistribute connected
redistribute static
network 10.0.0.0
network 172.16.0.0
no auto-summary
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.15.1.3 23 interface FastEthernet0/1 23
ip classless
access-list 1 permit 10.15.1.0 0.0.0.15
=====================
Are you sure it is a natting problem ?
Jon
-
Dynamic PAT and Static NAT issue ASA 5515
Hi All,
Recently we migrated our network to an ASA 5515. Since we had configured NAT pool overload on our existing router, the users are able to translate their IPs to the outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide), all users are able to translate to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the static NAT is not able to translate. Can anyone explain if there's any conflict with PAT and Static NAT? I appreciate your response. Thanks!
- Bhal
Hi,
I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and the Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
The very basic configuration for Static NAT and Default PAT I would do in the following way:
object network STATIC
host
nat (inside,outside) static dns
object-group network DEFAULT-PAT-SOURCE
network-object
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as a Section 3 rule).
This might sound confusing. It would be easier to say what the problem is if we saw the actual NAT configuration, though I gave the reason that I think is probably one of the most likely ones if there is some conflict between the 2 NAT rules.
You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
- Jouni
-
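To make the Section 1 / Section 2 / Section 3 ordering in Jouni's reply concrete, here is a small model of how the ASA (8.3 and later) picks a NAT rule, added here as an illustration rather than taken from the thread or from Cisco code. The addresses and rule names are constructed samples; the point it shows is that the same dynamic PAT steals the server's traffic when it sits in Section 1 and leaves the static alone once it is entered with `after-auto`.

```python
"""Model of ASA 8.3+ NAT rule ordering (added example, not from the thread).

The ASA walks Section 1 (manual NAT, config order), then Section 2 (object
NAT: static before dynamic, fewer real addresses first), then Section 3
(manual NAT entered with "after-auto"); the first rule whose real source
matches wins.  Addresses and rule names below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int          # 1 = manual, 2 = object NAT, 3 = manual after-auto
    kind: str             # "static" or "dynamic"
    real: str             # real (inside) source network, CIDR
    mapped: str           # mapped network, or "interface" for dynamic PAT

    def real_net(self):
        return ipaddress.ip_network(self.real)


def lookup_order(rules):
    """Return the rules in the order the ASA consults them."""
    section1 = [r for r in rules if r.section == 1]
    section3 = [r for r in rules if r.section == 3]
    # Section 2 is not in config order: static first, then by number of real
    # addresses, then by lowest real address, then by object name.
    section2 = sorted(
        (r for r in rules if r.section == 2),
        key=lambda r: (r.kind != "static", r.real_net().num_addresses,
                       int(r.real_net().network_address), r.name),
    )
    return section1 + section2 + section3


def translate(rules, src_ip):
    """(rule name, mapped source) for a packet from src_ip, or None if no
    rule matches.  Static rules keep the host's offset inside the mapped
    network; dynamic PAT answers with the interface keyword."""
    ip = ipaddress.ip_address(src_ip)
    for rule in lookup_order(rules):
        real = rule.real_net()
        if ip not in real:
            continue
        if rule.kind == "dynamic":
            return rule.name, rule.mapped
        mapped = ipaddress.ip_network(rule.mapped)
        return rule.name, str(mapped.network_address + (int(ip) - int(real.network_address)))
    return None


# Constructed sample: one server with a 1:1 static (object NAT, Section 2)
# and a default PAT for the whole inside subnet.
SERVER_STATIC = NatRule("STATIC", 2, "static", "10.0.0.5/32", "198.51.100.5/32")


def pat_rule(after_auto):
    """The default PAT as a manual NAT rule: Section 1 when entered plainly,
    Section 3 when entered with the after-auto keyword."""
    return NatRule("DEFAULT-PAT-SOURCE", 3 if after_auto else 1, "dynamic",
                   "10.0.0.0/24", "interface")


def server_result(after_auto):
    """What happens to the server's traffic under each placement of the PAT."""
    return translate([pat_rule(after_auto), SERVER_STATIC], "10.0.0.5")


if __name__ == "__main__":
    print("PAT in Section 1 :", server_result(after_auto=False))
    print("PAT after-auto   :", server_result(after_auto=True))
```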
NAT 8.6 multiple subnets in a single static NAT
Hello all, I have this question, probably a pretty easy one to answer, but unfortunately I can't test it myself in a production environment right now.
Do you know if it is possible to have in ASA 8.6 a Static NAT rule with multiple subnets in both object groups? I currently have one-to-one subnet translation, but I need to add another two subnets.
Today's configuration is this
*** FROM ONE SUBNET TO ANOTHER ***
object-group network REGIONAL-SOURCE
network-object 10.1.1.0 255.255.255.0
object-group network REGIONAL-NAT
network-object 10.1.201.0 255.255.255.0
nat (Outside,Inside) after-auto source static REGIONAL-SOURCE REGIONAL-NAT dns
What I need to accomplish is to add two new subnets, but I want to see if it is possible to do it using the same NAT rule, just adding the 2 new subnets.
10.1.2.0/24 natted to 10.1.202.0 255.255.255.0
10.1.3.0/24 natted to 10.1.203.0 255.255.255.0
*** TWO MORE SUBNETS ARE NEEDED ***
object-group network REGIONAL-SOURCE
network-object 10.1.2.0 255.255.255.0
network-object 10.1.3.0 255.255.255.0
object-group network REGIONAL-NAT
network-object 10.1.202.0 255.255.255.0
network-object 10.1.203.0 255.255.255.0
If this is not possible I understand separate objects should be created with individual NAT. I appreciate your comments and help.
Hi,
This should be no problem. It should work as you have thought.
I tested the configurations on my own ASA
object-group network REGIONAL-SOURCE
network-object 10.1.1.0 255.255.255.0
network-object 10.1.2.0 255.255.255.0
network-object 10.1.3.0 255.255.255.0
object-group network REGIONAL-NAT
network-object 10.1.201.0 255.255.255.0
network-object 10.1.202.0 255.255.255.0
network-object 10.1.203.0 255.255.255.0
nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
Here are the results of the "packet-tracer" to show the translations:
ASA(config)# packet-tracer input LAN tcp 10.1.1.100 12345 7.7.7.7 80
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
Additional Information:
Static translate 10.1.1.100/12345 to 10.1.201.100/12345
ASA(config)# packet-tracer input LAN tcp 10.1.2.100 12345 7.7.7.7 80
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
Additional Information:
Static translate 10.1.2.100/12345 to 10.1.202.100/12345
ASA(config)# packet-tracer input LAN tcp 10.1.3.100 12345 7.7.7.7 80
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
Additional Information:
Static translate 10.1.3.100/12345 to 10.1.203.100/12345
As you can see, everything is fine
Naturally take into consideration the fact that if you were to (for some reason) remove a "network-object" statement from some "object-group" then the operation of the "nat" would change even if you entered the removed "network-object" back. (unless you removed the last "network-object" inside the "object-group") This is because the order of the "network-object" inside the "object-group" would change. You would essentially have to recreate the "object-group" and "nat" configuration.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
-
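The positional pairing behind Jouni's packet-tracer output, and the remove/re-add caveat at the end of the reply, as an added model (not Jouni's test output or ASA code): the n-th `network-object` of the real group maps onto the n-th `network-object` of the mapped group, so re-adding an entry in the middle silently repairs every subnet to a different mapped range. The group values are the same as in the test above so the results can be compared; the helper names are assumptions.

```python
"""Positional mapping in an ASA manual static NAT between two object-groups.

Added example, not Jouni's test output.  The n-th network-object of the real
group maps 1:1 onto the n-th network-object of the mapped group, so the order
of the entries, not their values, decides which subnets pair up.
"""
import ipaddress


def static_translate(real_group, mapped_group, src_ip):
    """Mapped source address for src_ip under
    'nat source static REAL_GROUP MAPPED_GROUP', or None if no entry matches."""
    reals = [ipaddress.ip_network(n) for n in real_group]
    mappeds = [ipaddress.ip_network(n) for n in mapped_group]
    if len(reals) != len(mappeds):
        raise ValueError("object-groups must have the same number of entries")
    ip = ipaddress.ip_address(src_ip)
    for real, mapped in zip(reals, mappeds):
        if real.num_addresses != mapped.num_addresses:
            raise ValueError(f"{real} and {mapped} differ in size; not a 1:1 static")
        if ip in real:
            # keep the host offset, move it into the paired mapped subnet
            return str(mapped.network_address + (int(ip) - int(real.network_address)))
    return None


def readd_network_object(group, entry):
    """'no network-object ENTRY' followed by 'network-object ENTRY' does not
    restore the old position: the entry is appended at the end of the group."""
    if entry not in group:
        raise ValueError(f"{entry} is not in the group")
    return [n for n in group if n != entry] + [entry]


# The groups from Jouni's test (same values, so the results can be compared).
REGIONAL_SOURCE = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
REGIONAL_NAT = ["10.1.201.0/24", "10.1.202.0/24", "10.1.203.0/24"]


def mapping_table(real_group, mapped_group, hosts):
    """Real host -> mapped host for each host, under the given group order."""
    return {h: static_translate(real_group, mapped_group, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["10.1.1.100", "10.1.2.100", "10.1.3.100"]
    print("as configured:", mapping_table(REGIONAL_SOURCE, REGIONAL_NAT, hosts))
    shuffled = readd_network_object(REGIONAL_SOURCE, "10.1.1.0/24")
    print("after re-adding 10.1.1.0/24:", mapping_table(shuffled, REGIONAL_NAT, hosts))
```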
ASA 8.2 - Static NAT and Dynamic NAT Policy together
Hello community,
I have the following problem using an ASA with version 8.2.
1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferably at ASDM)
Thanks for your reply and help!