Static nat with dual destination

I need to configure static nat for cisco ASA 5500,
here is the topology:
one server (source) with ip 10.211.250.22 /28 (interface : name if dmz_virtual_account)
will static nat to two destinations :
1. to Internet will translated to 202.152.19.196 (Interface : name if Outside_Inet) and,
2. to external network with  real address is 10.10.10.1 and will translated to 192.168.168.14 /29 (interface : name if dmz_external)
Need help
and many thanks for any advice
Regards,
Manao

Hi Marvin
my ASA's software running 8.4
Regards,
Manao

Similar Messages

  • Static NAT with two outside interfaces

    I have a router, which performs NAT on two outside interfaces with load balancing and had a task to allow inbound connection to be forwarded to the specific host inside on a well known port.
    here is example
    interface Fas0/0
    ip nat outside
    interface Fas0/1
    ip nat outside
    interface Vlan1
    ip nat inside
    ip nat inside source route-map rm_isp1 pool pool_isp1
    ip nat inside source route-map rm_isp2 pool pool_isp2
    all worked fine
    then i tried to add static nat
    ip nat inside source static tcp 10.0.0.1 25 interface Fas0/0 25
    ip nat inside source static tcp 10.0.0.1 25 interface Fas0/1 25
    and in result only last static NAT line appeared in config.
    the solution was to use interface's IPs instead of names. that helped but isn't that a bug?

    In this scenario, we are trying to access a mail server located at
    10.0.0.1 from outside and we have two outside IP, let's say, 71.1.1.1 and
    69.1.1.1.
    With CEF Enabled
    Packet comes in to Fa0/0 interface with Source IP 66.x.x.x and
    Destination IP 71.1.1.1. Our NAT rule translates this to 10.0.0.1.
    Packet goes to 10.0.0.1. The return packet goes to the LAN interface
    first and the routing rule is determined *before* the packet is
    translated.
    Packet source IP at this point is 10.0.0.1 and destination is
    66.x.x.x. Now, based on CEF, it will go out via Fa0/0 or Fa0/1,
    irrespective of the way it came in. Because of this, with CEF enabled
    this will not work. CEF is per-destination.
    So, let's say somebody on outside tried to access this server using 71.1.1.1, then he would
    expect a reply from 71.1.1.1 which may or may not be true as the traffic could be Nat'd to 69.1.1.1 or 71.1.1.1.
    If it gets reply packet from 71.1.1.1, it should work.
    If it gets it from 69.1.1.1, it will simply drop it as it never sent a
    packet to 69.1.1.1.
    With CEF and Fast Switching Disabled
    Same steps as above, only that the packet is sent to the process level
    to be routed. At this point, the packets will be sent out in a round
    robin fashion. One packet will go out via the Fa0/0 and the other via the
    Fa0/0. This will have a constant 50% packet loss and is also not a
    viable solution.
    So, what are you trying to achieve is not possible on Cisco router.
    HTH,
    Amit Aneja

  • Static NAT with port translation

    Hello All,
    I have a server running web application on 443 and now I want to publish it on Internet with static nat and just for port 443,  I am thinking that following configuration should be fine, can anyone comment on it.
      10.1.1.2:443         10.1.1.1    2.2.2.5
    Server -------------------------- ASA --------------------- Internet router --Cloud
    Config  i am planing      
    static (inside, outside) tcp 2.2.2.2 443 10.10.10.10 443 netmask 255.255.255.255
    Thanks
    JD

    Thanks Harish and Jouni,
    I am using extra Public IP, I want to now why "dns" is the end of access list? I got confuse by at ACL as we I was looking for ASA packet flow:-
    A/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Lev)
    1. FLOW-LOOKUP - [] - Check for existing connections, if none found
    create a
    new connection.
    2. UN-NAT - [static] -
    2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
    3. ACCESS-LIST - [log] - ACL Lookup
    4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
    5. IP-OPTIONS - [] -
    6. NAT - [rpf-check] -
    7. NAT - [host-limits] -
    8. IP-OPTIONS - [] -
    9. FLOW-CREATION - [] - If everything passes up until this point a
    connection
    is created.
    10. ROUTE-LOOKUP - [output and adjacency]
    access-list OUTSIDE-IN permit tcp any host eq 443 - suggested by you
    but if i go by the flow which i come to know it should be like
    access-list OUTSIDE-IN permit tcp any host eq 443
    What is your opion ?
    Thanks
    Jagdev

  • Static NAT with IPSec tunnel

    Hi,
    I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.  I am fairly new to networking so forgive me if I ask some really silly questions!
    I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
    There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
    From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
    So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work.  I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
    The configuration can be seen below for the NAT part;
    ! Denies vpn interesting traffic but permits all other
    ip access-list extended NAT-Traffic
    deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
    deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
    deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
    deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
    permit ip any any
    ! create route map
    route-map POLICY-NAT 10
    match ip address NAT-Traffic
    ! static nat
    ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
    Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
    Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
    Many thanks in advance
    Brian

    Hi,
    Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
    Thanks
    Brian

  • Static nat with port redirection 8.3 access-list using un-nat port?

    I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
    object network obj-10.1.1.5-06
    nat (inside,outside) static interface service tcp 3389 3398
    object network obj-10.1.1.5-06
    host 10.1.1.5
    access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
    access-group outside_access_in in interface outside
    So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
    Thanks in advance..

    Hello,
    I would be more than glad to explain you what is going on!
    The thing is since 8.3 NAT is reviewed before the acl so, the ASA receives the packet on the outside interface, checks for a existing connection, if there is none it will un-nat the packet and then check the ACL.
    After the packet in un-natted what we have is the private ip addresses and the real ports. so that is why on this versions you got to point the ACL to the private ip addresses and ports.
    Regards,
    Julio
    Rate helpful posts

  • Using both Dynamic and Static NAT with two Different Internet facing Subnets

    We have two Class C Public Address subnets.  We started with Subnet (A) and have many of our Internet accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 8.3(2) and started Migrating the Users and new servers to it so I started with our second Class C Subnet (B).   Later on down the road I found out that if the Firewalls Default Gateway is is set to a (B) Interface subnet, then the servers that are statically mapped to a (A) Address will have a (B) address when they communicate out to the internet.  So they are receiving packets on their (A) Address, though replying to them with a (B) address. 
    It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external Address when communicating outbound as well as inbound. 
    So For instance I want the Following: when the Internal Replies I want the reply to come from the mapped IP, not a IP from the Dynamic Pool. 
    Public IP: 192.168.1.100/24
    Internal IP: 10.0.0.100/16
    Public IP: 192.168.5.101/24
    Internal IP: 10.0.0.101/16
    interface Ethernet0/0
    description 192.168.1.0/24 Network Outside IP
    nameif outside-1
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/1
    description 192.168.5.0/24 Network Outside IP
    nameif outside-5
    security-level 0
    ip address 192.168.5.1 255.255.255.0
    interface Ethernet0/2
    description inside 10.0.0.0/16
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.0.0
    object network serverA_o
    host 192.168.1.100
    object network serverA_i
    host 10.0.0.100
    object network serverB_o
    host 192.168.5.101
    object network serverB_i
    host 10.0.0.101
    object network 192-168-1-NAT-POOL
    range 192.168.1.50 192.168.1.239
    nat (inside,outside-1) source static serverA_i serverA_o
    nat (inside,outside-5) source static serverB_i serverB_o
    nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
    object network serverA_i
    nat (inside,outside-1) static serverA_o
    object network serverB_i
    nat (inside,outside-5) static serverB_o
    route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
    route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2
    When I set this up my serverB shows a Public IP of something in the 192-168-1-NAT-POOL Not 192.168.5.101
    Any Suggestions?
    Thanks!

    Not sure why I have Multiple Entries. )-: I did think it was Odd. I think it might be because I looking at examples of the new and old styles of NAT.
    We have a Single ISP, though have 2 separate non-Contiguous  Class C Addresses from them. We host some Servers on one subnet and some on the other. 
    I'm looking for a way to use both Subnets on the same ASA. 
    The Connection to the net looks like this:
    Internet -> Edge Router Layer3 VLAN Switch
    GE0/1.2 - 192.168.1.1 VLAN Tagged --> GE0 - VLAN Tagged
    GE0/1.2 - 192.168.5.1 VLAN Tagged -^
    Layer3 VLAN Switch Firewall
    GE1 192.168.1.0/24 Untagged -> ASA Outside-1
    GE2 192.168.5.0/24 Untagged -> ASA Outside-5
    Firewall
    ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100
    Hope that helps clarify.
    I could try to post some sanitized Configs of my PIX and ASA if needed.  But the end result I'm trying to do is have the ASA do NAT for multiple Public Subnets. 

  • ACE 4710 A3 outbound static NAT with Port redirection

    Hi
    I have asked this question before, but as I have not get far with it I am going to try to be more specific this time.
    I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
    When I try to configure this:
    ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
    I get the error: Error: Invalid real port configured for NAT static
    Any ideas what it means anyone?

    Right. Forget about the previous question. I have an update.
    I get this output on show nat policies at the moment:
    NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
    ID:64 Static port translation
    Real addr:172.21.7.11 Real port:26 Real interface:18
    Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
    Netmask:255.255.255.255
    where x.x.x.x - is the Public, external IP address on the ACE.
    I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
    Something is telling me I am looking at it from a wrong direction altogether.
    This is the config I have at the moment:
    access-list 130 line 20 extended permit ip any any
    access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
    class-map match-any Class_Port26
    2 match access-list Source_NAT
    policy-map multi-match Policy_Port26_Static
    class Class_Port26
    nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
    interface vlan 107
    ip address 172.21.7.2 255.255.255.240
    peer ip address 172.21.7.1 255.255.255.240
    access-group input 130
    service-policy input Policy_Port26_Static
    no shutdown
    No server farms, no load balancing. Just that.
    Any ideas?

  • Static NAT and same IP address for two interfaces

    We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
    static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
    static (production,Outside) 10.10.10.10  access-list production_nat_static_1
    Thanks for any help.
    Jeff

    Hi Jeff,
    Unfortunately this cannot be done, on the ASA packet classification is done on the basis of mac-address, destination nat and route, and here you are confusing the firewall, to which interface does the ip belong to. I haven't ever tried to do it, but it should cause you issues.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Who needs the ACLs and static NAT?

    I came apon a job whose network layout is kind of tricky. Here is the skinny:
    2 routers (both 1721s). One is SBCs and it plugs into the internet on WIC interface. Nic interface plugs into a PIX 506E Firewall. The firewall does the PAT. The other eth port on the firewall plugs into the switch. The other router's WIC card plugs into the franchise intranet, and the NIC plugs into the switch.
    All the PCs, servers, etc have the default gateway set to the ethernet interface of the franchise 1721. That router looks at the destination address and decides if it needs to go out it's WIC (if the dest. address is on the corporate intranet's subnet) or if it needs to go out to the internet (through the firewall and out the other router).
    Now heres what I am trying to accomplish:
    The customer wants to be able to telnet into one machine in the private network from her house.
    Obviously, I need an ACL on the SBC router because thats where the request is comming from. I also have set up static NAT on the router from a public IP (in our valid range that SBC provides) and the private IP of the machine that she wants to access.
    Currently, it is not working. I thought it had something to do with the other router so I started contacting the network engineers at the franchise office to get them to open up their router to allow telnet.
    I now think however, that the reason it is not working is I have the static NAT on the wrong device!!
    Shouldn't it be on the firewall, because the SBC router doesn't know anything about those private addresses (the PAT happens on the firewall).
    Is my hunch right? Can you please advise me on what devices will needs changes in their ACLs and which device(s) will need static NAT mapping? I don't want to open any thing I don't have to. Thanks!!

    I just came from the clients office. I am a little lost here. I am quite nifty at the CLI of a router or a switch, but every other firewall I have dealt with (Sonicwall, Watchgaurd, etc) has had a web based GUI. I am new in the field and have never configured a PIX before.
    Here's what I have right now:
    SBC router is configured to allow Telnet traffic in.
    The PIX 506E has PAT configured on it. I tried setting up static NAT with no luck on the firewall. Attached is my running config. Perhaps you could instruct me on a some commands I can throw at this box to make this whole mess work!!
    Let 207.184.18.10 be the address of the internal machine we want to access and SERVER.PUBLIC.IP be the public address we should point our telnet client to get in.

  • MS NLB with ASA and Static NAT from PUP to NLB IP

    Hi all,
    I am trying to get MS NLB up and running.  It is almost all working.  Below is my physical setup.
    ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
    I have two VMs runing on two different ESXi hosts.  They have two vNICs.  One for managment and one for inside puplic subnet.  The inside puplic subnet NICs are in the NLB cluster.  The inside public subnet is NATed on the ASA to a outide public IP.
    192.168.0.50 is the 1st VM
    192.168.0.51 is the 2nd VM
    192.168.0.52 is the cluster IP for heartbeat
    192.168.0.53 is the cluster IP for NLB traffic.
    0100.5e7f.0035 is the cluster MAC.
    The NLB cluster is using MULTICAST
    I have read the doumentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC. 
    For the ASA I found
    http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
    ASDM
    Configuration > Device Management > Advanced > ARP > ARP Static Table
    I was able to add my stic ARP just fine.
    However, the next step was to enable ARP inspection.
    Configuration > Device Management > Advanced > ARP > ARP Inspection
    My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.
    For the CAT Switch I found
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
    I added the both the ARP and Static MAC.  For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
    On the ASA I added a static NAT for my outside Public IP to my inside pupblic NLB IP and vise versa.  I then added a DNS entry for our domain to point to the outside public IP.  I also added it to the public servers section allowing all IP traffic testing puproses.
    At any rate the MS NLB is working ok. I can ping both the Public IP and the Inside NLB IP just fine from the outside. (I can ping the inside NLB IP becuase I'm on a VPN with access to my inside subnets)  The problem is when I go to access a webpade from my NLB servers using the DNS or the Public IP I get a "This Page Can't Be Displyed" messgae.  Now while on the VPN if I use the same URL but insied use the NLB IP and not the Public IP it works fine. 
    So I think there is soemthing wrong with the NATing of the Public to NLB IP even tho I can ping it fine.  Below is my ASA Config. I have bolded the parts of Interest.
    Result of the command: "show run"
    : Saved
    ASA Version 8.4(4)9
    hostname MP-ASA-1
    enable password ac3wyUYtitklff6l encrypted
    passwd ac3wyUYtitklff6l encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 198.XX.XX.82 255.255.255.240
    interface Ethernet0/1
    description Root Inside Interface No Vlan
    speed 1000
    duplex full
    nameif Port-1-GI-Inside-Native
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/1.2
    description Managment LAN 1 for Inside Networks
    vlan 2
    nameif MGMT-1
    security-level 100
    ip address 192.168.180.1 255.255.255.0
    interface Ethernet0/1.3
    description Managment LAN 2 for Inside Networks
    vlan 3
    nameif MGMT-2
    security-level 100
    ip address 192.168.181.1 255.255.255.0
    interface Ethernet0/1.100
    description Development Pubilc Network 1
    vlan 100
    nameif DEV-PUB-1
    security-level 50
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/1.101
    description Development Pubilc Network 2
    vlan 101
    nameif DEV-PUB-2
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    interface Ethernet0/1.102
    description Suncor Pubilc Network 1
    vlan 102
    nameif SUNCOR-PUB-1
    security-level 49
    ip address 192.168.3.1 255.255.255.0
    interface Ethernet0/1.103
    description Suncor Pubilc Network 2
    vlan 103
    nameif SUNCOR-PUB-2
    security-level 49
    ip address 192.168.4.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa844-9-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network Inside-Native-Network-PNAT
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network with PNAT
    object network ASA-Outside-IP
    host 198.XX.XX.82
    description The primary IP of the ASA
    object network Inside-Native-Network
    subnet 10.1.1.0 255.255.255.0
    description Root Inisde Native Interface Network
    object network VPN-POOL-PNAT
    subnet 192.168.100.0 255.255.255.0
    description VPN Pool NAT for Inside
    object network DEV-PUP-1-Network
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUP-1 Network
    object network DEV-PUP-2-Network
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUP-2 Network
    object network MGMT-1-Network
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1 Network
    object network MGMT-2-Network
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2 Network
    object network SUNCOR-PUP-1-Network
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUP-1 Network
    object network SUNCOR-PUP-2-Network
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUP-2 Network
    object network DEV-PUB-1-Network-PNAT
    subnet 192.168.0.0 255.255.255.0
    description DEV-PUB-1-Network with PNAT
    object network DEV-PUB-2-Network-PNAT
    subnet 192.168.2.0 255.255.255.0
    description DEV-PUB-2-Network with PNAT
    object network MGMT-1-Network-PNAT
    subnet 192.168.180.0 255.255.255.0
    description MGMT-1-Network with PNAT
    object network MGMT-2-Network-PNAT
    subnet 192.168.181.0 255.255.255.0
    description MGMT-2-Network with PNAT
    object network SUNCOR-PUB-1-Network-PNAT
    subnet 192.168.3.0 255.255.255.0
    description SUNCOR-PUB-1-Network with PNAT
    object network SUNCOR-PUB-2-Network-PNAT
    subnet 192.168.4.0 255.255.255.0
    description SUNCOR-PUB-2-Network with PNAT
    object network DEV-APP-1-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-APP-2-SNAT
    host 192.168.2.120
    description DEV-APP-2 Server with SNAT
    object network DEV-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network DEV-SQL-1
    host 192.168.0.110
    description DEV-SQL-1 Inside Server IP
    object network DEV-SQL-2
    host 192.168.2.110
    description DEV-SQL-2 Inside Server IP
    object network SUCNOR-APP-1-PUB
    host 198.XX.XX.XX
    description SUNCOR-APP-1 Public Server IP
    object network SUNCOR-APP-2-SNAT
    host 192.168.4.120
    description SUNCOR-APP-2 Server with SNAT
    object network SUNCOR-APP-2-PUB
    host 198.XX.XX.XX
    description DEV-APP-2 Public Server IP
    object network SUNCOR-SQL-1
    host 192.168.3.110
    description SUNCOR-SQL-1 Inside Server IP
    object network SUNCOR-SQL-2
    host 192.168.4.110
    description SUNCOR-SQL-2 Inside Server IP
    object network DEV-APP-1-SNAT
    host 192.168.0.120
    description DEV-APP-1 Network with SNAT
    object network SUNCOR-APP-1-SNAT
    host 192.168.3.120
    description SUNCOR-APP-1 Network with SNAT
    object network PDX-LAN
    subnet 192.168.1.0 255.255.255.0
    description PDX-LAN for S2S VPN
    object network PDX-Sonicwall
    host XX.XX.XX.XX
    object network LOGI-NLB--SNAT
    host 192.168.0.53
    description Logi NLB with SNAT
    object network LOGI-PUP-IP
    host 198.XX.XX.87
    description Public IP of LOGI server for NLB
    object network LOGI-NLB-IP
    host 192.168.0.53
    description LOGI NLB IP
    object network LOGI-PUP-SNAT-NLB
    host 198.XX.XX.87
    description LOGI Pup with SNAT to NLB
    object-group network vpn-inside
    description All inside accessible networks
    object-group network VPN-Inside-Networks
    description All Inside Nets for Remote VPN Access
    network-object object Inside-Native-Network
    network-object object DEV-PUP-1-Network
    network-object object DEV-PUP-2-Network
    network-object object MGMT-1-Network
    network-object object MGMT-2-Network
    network-object object SUNCOR-PUP-1-Network
    network-object object SUNCOR-PUP-2-Network
    access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
    access-list outside_access_out remark Block ping to out networks
    access-list outside_access_out extended deny icmp any any inactive
    access-list outside_access_out remark Allow all traffic from inside to outside networks
    access-list outside_access_out extended permit ip any any
    access-list outside_access extended permit ip any object LOGI-NLB--SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
    access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
    access-list outside_access extended permit ip any object DEV-APP-2-SNAT
    access-list outside_access extended permit ip any object DEV-APP-1-SNAT
    access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu Port-1-GI-Inside-Native 1500
    mtu MGMT-1 1500
    mtu MGMT-2 1500
    mtu DEV-PUB-1 1500
    mtu DEV-PUB-2 1500
    mtu SUNCOR-PUB-1 1500
    mtu SUNCOR-PUB-2 1500
    mtu management 1500
    ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any Port-1-GI-Inside-Native
    icmp permit any MGMT-1
    icmp permit any MGMT-2
    icmp permit any DEV-PUB-1
    icmp permit any DEV-PUB-2
    icmp permit any SUNCOR-PUB-1
    icmp permit any SUNCOR-PUB-2
    asdm image disk0:/asdm-649-103.bin
    no asdm history enable
    arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
    arp timeout 14400
    no arp permit-nonconnected
    nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
    nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
    object network Inside-Native-Network-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network VPN-POOL-PNAT
    nat (Port-1-GI-Inside-Native,outside) dynamic interface
    object network DEV-PUB-1-Network-PNAT
    nat (DEV-PUB-1,outside) dynamic interface
    object network DEV-PUB-2-Network-PNAT
    nat (DEV-PUB-2,outside) dynamic interface
    object network MGMT-1-Network-PNAT
    nat (MGMT-1,outside) dynamic interface
    object network MGMT-2-Network-PNAT
    nat (MGMT-2,outside) dynamic interface
    object network SUNCOR-PUB-1-Network-PNAT
    nat (SUNCOR-PUB-1,outside) dynamic interface
    object network SUNCOR-PUB-2-Network-PNAT
    nat (SUNCOR-PUB-2,outside) dynamic interface
    object network DEV-APP-2-SNAT
    nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
    object network SUNCOR-APP-2-SNAT
    nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
    object network DEV-APP-1-SNAT
    nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
    object network SUNCOR-APP-1-SNAT
    nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
    object network LOGI-NLB--SNAT
    nat (DEV-PUB-1,outside) static LOGI-PUP-IP
    object network LOGI-PUP-SNAT-NLB
    nat (outside,DEV-PUB-1) static LOGI-NLB-IP
    access-group outside_access in interface outside
    access-group outside_access_out out interface outside
    route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 outside
    http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
    http 192.168.180.0 255.255.255.0 MGMT-1
    http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
    : end
    Any help would be great! I think the issue is in teh NAT as I am able to access NLB IP from the outside and could not do that before adding the Static ARP stuff. 
    Thanks,
    Chris

    Also If I change to NAT from the public IP to the NLB IP to use either one of the phsyical IPs of the NLB cluster (192.168.0.50 or 51) it works fine when using the public IP.  So it's definatly an issue when NATing the VIP of NLB cluster.
    Chris

  • Static Policy NAT in VPN conflicts with Static NAT

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
    The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
    interface Vlan1
    ip address 192.168.10.1 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
    static (inside,outside) 192.168.24.0 access-list VPN
    crypto map outside_map 1 match address outside_1_cryptomap
    In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
    The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
    So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
    What am I missing?

    Hi,
    To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
    So I am not sure are we looking at some bug or what the problem is.
    I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
    I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
    I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
    access-list STATICPAT-SMTP permit tcp host eq smtp any
    static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
    access-list STATICPAT-HTTPS permit tcp host eq https any
    static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
    access-list STATICPAT-RDP permit tcp host eq 3389 any
    static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
    access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
    static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
    access-list STATICPAT-POP3 permit tcp host eq pop3 any
    static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
    Naturally you would add the Static Policy NAT for the VPN first.
    Again I have to say that I am not 100% sure if this was is the correct format maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389). First entering the Static Policy NAT then removing the Static PAT and then entering the Static Policy PAT.
    Remember that you should be able to test the translations with the "packet-tracer" command
    For example
    packet-tracer input outside tcp 1.1.1.1 12345
    - Jouni

  • H323 static Nat doesn't work fine on 3900 series router with IOS 15.2(3) T

    Hi,
    I have a problem with static nat setting on my 3925 router with IOS15.2(3). The scenario is like this:
    I set a static nat between 172.16.1.2 and x.x.x.x(public IP address) using following command:
    ip nat inside source static 172.16.1.2 x.x.x.x
    The intranet IP address is set on a video conference system from Huawei, after setting all these things, ping works fine to this public IP address, but video conference cannot be built. I tried same setting using another 2811 router with IOS12.4 and it worked fine. Which means the problem should be isolated to this 3925 router. Full config is also attached, sorry that I elimated the public IP address and use other characters instead.
    Additionally, I debugged ip natting and I see following information when making video calls:
    router#debug ip nat h323
    IP NAT H323 debugging is on
    router#                
    *Jul 10 09:11:07.343: NAT[0]: H323: received pak, payload_len=0
    *Jul 10 09:11:07.343: [NAT[0]: H323 ACK packet ? FALSE
    *Jul 10 09:16:15.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:16:15.731: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:16:57.215: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:16:57.215: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:17:02.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:17:02.731: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:17:14.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:17:14.731: [NAT[1]: H323 ACK packet ? FALSE
    This problem has been bothering me for weeks. Hope that someone could help me out. Many thanks in advance.
    Regards,
    Angran

    Hi,
    i have the same requirement for a customer, not for video but for audio calls, i have a remote office with h.323 phones and they need to get registered to a gk in central office to send and recieve voice calls, did you make it work? can you share the config please?

  • DM-VPN with Static NAT for Spoke Router. Require Expert Help

    Dear All,
                This is my first time to write something .
                             i have configure DM-VPN, and it's working fine, now i want to configure static nat.
    some people will think why need static nat if it's working fine.
    let me tell you why i need. what is my plan.
    i have HUB with 3 spoke. some time i go out side of my office and not able to access my spoke computer by Terminal Services. because its by dynamic ip address.  so what i think i'll give one Static NAT on my HUB Router that if any one or Me Hit the Real/Public IP address of my HUB WAN Interface from any other Remote location so redirect this quiry to my Terminal Service computer which located in spoke network.
    will for that i try but fail. 
    will again the suggestion will come. why not to use .. Easy VPN. well sound great. but then i have to keep my notebook with me.
    i'll also do it but now i need that how to do Static NAT. like for normal Router i am doing which is not part of VPN.
    ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
    but this time  this command is not working, because the ip address which i mention it's related HUB Network not Spoke
    spose spoke Network: 192.168.2.0/24
    and i want on HUB Router:
    ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
    i am using Cisco -- 887 and 877 ADSL Router.
    but it's not working,   Need experts help. please write your comment's which are very important for me. waiting for your commant's
    fore more details please see the diagram.
    for Contact Me: [email protected]

    hi rvarelac  thank you for reply :
    i allready done that ,  i put a deny statements in nat access-list excluding the vpn traffic , but the problem still there !
    crypto isakmp policy 10
     encr aes
     authentication pre-share
    crypto isakmp key 12344321 address 1.1.1.1
    crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
     mode tunnel
    crypto map s2s 100 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set Remote-Site
     match address vpnacl
    interface GigabitEthernet0/0
     crypto map s2s
    Extended IP access list lantointernet
    30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    80 permit ip any any

  • ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP

    Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is.  My guess right now is that it has something to do with dynamic PAT.
    Essentially, I have a block of 5 static public IP's.  I have 1 assigned to the interface and am using another for email/webmail.  I have no problems accessing the internet, receving emails, etc...  The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT.  I would really appreciate if anyone could help shed some light as to why this is happening for me.  I always thought a static nat should take precidence in the order of things.
    Recap:
    IP 1 -- 10.10.10.78 is assigned to outside interface.  Dynamic PAT for all network objects to use this address when going out.
    IP 2 -- 10.10.10.74 is assgned through static nat to email server.  Email server should respond to and send out using this IP address.
    Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
    Thanks in advance for anyone that reads this and can lend a hand.
    - Justin
    Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
    ASA Version 8.4(3)
    hostname MYHOSTNAME
    domain-name MYDOMAIN.COM
    enable password msTsgJ6BvY68//T7 encrypted
    passwd msTsgJ6BvY68//T7 encrypted
    names
    interface Ethernet0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 10.10.10.78 255.255.255.248
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name MYDOMAIN.COM
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network inside-network
    subnet 192.168.2.0 255.255.255.0
    object network Email
    host 192.168.2.7
    object network Webmail
    host 192.168.2.16
    object network WebmailSecure
    host 192.168.2.16
    access-list inside_access_out extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
    access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
    access-list outside_access_in extended deny icmp any any
    access-list outside_access_in extended permit tcp any object Email eq smtp
    access-list outside_access_in extended permit tcp any object Webmail eq www
    access-list outside_access_in extended permit tcp any object WebmailSecure eq https
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Email
    nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
    object network Webmail
    nat (inside,outside) static 10.10.10.74 service tcp www www
    object network WebmailSecure
    nat (inside,outside) static 10.10.10.74 service tcp https https
    access-group outside_access_in in interface outside
    access-group inside_access_out out interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server MYDOMAIN protocol kerberos
    aaa-server MYDOMAIN (inside) host 192.168.2.8
    kerberos-realm MYDOMAIN.COM
    aaa-server MYDOMAIN (inside) host 192.168.2.9
    kerberos-realm MYDOMAIN.COM
    aaa-server MY-LDAP protocol ldap
    aaa-server MY-LDAP (inside) host 192.168.2.8
    ldap-base-dn DC=MYDOMAIN,DC=com
    ldap-group-base-dn DC=MYDOMAIN,DC=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
    server-type microsoft
    aaa-server MY-LDAP (inside) host 192.168.2.9
    ldap-base-dn DC=MYDOMAIN,DC=com
    ldap-group-base-dn DC=MYDOMAIN,DC=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
    server-type microsoft
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.2.0 255.255.255.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    email [email protected]
    subject-name CN=MYHOSTNAME
    ip-address 10.10.10.78
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate e633854f
        30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
        0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
        2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
        f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
        4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
        355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
        2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
        f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
        4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
        aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
        f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
        0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
        78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
        03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
        0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
        0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
        02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
        d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
        e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
        5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
        781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 enable inside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 20
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 192.168.2.8 source inside prefer
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    enable inside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
    anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    group-policy GroupPolicy_VPN internal
    group-policy GroupPolicy_VPN attributes
    wins-server value 192.168.2.8 192.168.2.9
    dns-server value 192.168.2.8 192.168.2.9
    vpn-filter value VPN_Split_Tunnel_List
    vpn-tunnel-protocol ikev2 ssl-client
    group-lock value VPN
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Split_Tunnel_List
    default-domain value MYDOMAIN.COM
    webvpn
      anyconnect profiles value VPN_client_profile type user
    group-policy GroupPolicy-VPN-LAPTOP internal
    group-policy GroupPolicy-VPN-LAPTOP attributes
    wins-server value 192.168.2.8 192.168.2.9
    dns-server value 192.168.2.8 192.168.2.9
    vpn-filter value VPN_Split_Tunnel_List
    vpn-tunnel-protocol ikev2
    group-lock value VPN-LAPTOP
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Split_Tunnel_List
    default-domain value MYDOMAIN.COM
    webvpn
      anyconnect profiles value VPN_client_profile type user
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    authentication-server-group MYDOMAIN
    default-group-policy GroupPolicy_VPN
    dhcp-server 192.168.2.8
    dhcp-server 192.168.2.9
    dhcp-server 192.168.2.10
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    tunnel-group VPN-LAPTOP type remote-access
    tunnel-group VPN-LAPTOP general-attributes
    authentication-server-group MY-LDAP
    default-group-policy GroupPolicy-VPN-LAPTOP
    dhcp-server 192.168.2.8
    dhcp-server 192.168.2.9
    dhcp-server 192.168.2.10
    tunnel-group VPN-LAPTOP webvpn-attributes
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    class class-default
      user-statistics accounting
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:951faceacf912d432fc228ecfcdffd3f

    Hi ,
    As per you config :
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Email
    nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
    object network Webmail
    nat (inside,outside) static 10.10.10.74 service tcp www www
    object network WebmailSecure
    nat (inside,outside) static 10.10.10.74 service tcp https https
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network inside-network
    subnet 192.168.2.0 255.255.255.0
    object network Email
    host 192.168.2.7
    object network Webmail
    host 192.168.2.16
    object network WebmailSecure
    host 192.168.2.16
    The flows from email server ( 192.168.2.7 ) , will be NATed to 10.10.10.74, only if the source port is TCP/25. Any other souce port will use the interface IP for NAT.
      Are you saying that this is not happening ?
    Dan

  • Static nat and service port groups

    I need some help with opening ports on my ASA using firmware 9.1.2.
    I read earlier today that I can create service groups and tie ports to those.  But how do I use those instead of using 'object network obj-ExchangeSever-smtp' ? 
    I have the ACL -
    access-list incoming extended permit tcp any object-group Permit-1.1.1.1 interface outside
    Can this statement
    object network obj-ExchangeSever-smtp
    nat (inside,outside) static interface service tcp smtp smtp
    reference the service port groups instead? 
    Thanks,
    Andrew

    Hi,
    Are you looking a way to group all the ports/services you need to allow from the external network to a specific server/servers?
    Well you can for example configure this kind of "object-group"
    object-group service SERVER-PORTS
    service-object tcp destination eq www
    service-object tcp destination eq ftp
    service-object tcp destination eq https
    service-object icmp echo
    access-list OUTSIDE-IN permit object-group SERVER-PORTS any object
    The above would essentially let you use a single ACL rule to allow multiple ports to a server or a group of servers. (Depending if you use an "object" or "object-group" to tell the destination address/addresses)
    I am not sure how you have configured your NAT. Are they all Static PAT (Port Forward) configurations like the one you have posted above or perhaps Static NAT configurations?
    You can use the "object network " created for the NAT configuration in the above ACL rule destination field to specify the host to which traffic will be allowed to. Using the "object" in the ACL doesnt tell the ASA the ports however. That needs to be configured in the above way or in your typical way.
    Hope this helps
    - Jouni

Maybe you are looking for

  • Ipod touch stuck on 'connect to itunes' - Restore is not working

    We've got an Ipod touch (no idea on generation) that we were trying to sync some apps to from a laptop (not mac), they wouldn't sync so we tried resetting the ipod and syncing everything together. After resetting when we tried to access the ipod on i

  • MacBook to Projector--- Cables?

    I need to connect to a projector, with sound and video. Any tips on cords I need? Thanks, Erin

  • Service entry sheet creation for planned services

    Hi, I have created a service purchase order with planned services. After this I am trying to create a service entry. During ML81N, I give the P.O number and then click on create service entry. However, to adopt the services from the purchases, there

  • Errors in OVS code

    Hi all,    Can someone help rectify errors in the below code. I can't able to run this code // This file has been generated partially by the Web Dynpro Code Generator. // MODIFY CODE ONLY IN SECTIONS ENCLOSED BY @@begin AND @@end. // ALL OTHER CHANGE

  • Tecra S1 does some noise

    There seems to be a lot of noise suddenly coming from the hard drive, not sure if I may need to replace it, anyone any suggestions as to what could be causing this. Many Thanks Steve