To nat destination ip

nat (inside) 2 0.0.0.0 0.0.0.0
global (outside) 2 202.1.1.2
access-list acl extended permit ip any host 202.1.1.2
access-list policy extended permit ip host 10.10.10.1 host 192.168.1.1
global (inside) 5 172.16.1.1 netmask 255.255.255.255
nat (outside) 5 access-list policy
The requirement is that whenever the LAN IP goes out it should be NATed to 202.1.1.2,
and whenever the source 10.10.10.1 goes to 192.168.1.1 the destination IP should be changed to 172.16.1.1.
Does it work?

Yes, you have the configuration correct. It should work. But you need to add the outside keyword in the nat statement.
access-list policy extended permit ip host 10.10.10.1 host 192.168.1.1
global (inside) 5 172.16.1.1 netmask 255.255.255.255
nat (outside) 5 access-list policy outside
Thanks,
Varun

Similar Messages

  • NAT destination IP address

    I have this toplogy:
    A ------ ASA -------- B
    A's real IP is 1.1.1.1
    B's real IP is 2.2.2.2
    B's mapped IP is 3.3.3.3
    How do I NAT it so that when A tries to connect to 3.3.3.3, the destination is translated to 2.2.2.2, but at the same time, when B connects to A, it uses its real IP of 2.2.2.2 and is not NATed?
    I have a problem where A is getting its DNS information from an external server which is resolving it to an external IP address.
    Thank you in advance!

    I think I found the answer. The "unidirectional" keyword is what I needed.
    nat (outside,inside) source static any any destination static MAPPED REAL unidirectional
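    The unidirectional rule written out for the A/B topology above, as an added example that is not configuration from the original post. It assumes A sits behind an interface named inside and B behind one named outside (neither name appears in the post), and that the ASA can answer on the inside side for B's mapped address 3.3.3.3:

```cisco
! Added example: destination-only NAT from A toward B's mapped address.
! Assumed interface names: inside (A side), outside (B side).
object network B-REAL
 host 2.2.2.2
object network B-MAPPED
 host 3.3.3.3
!
! Twice NAT, inside->outside: the source is left alone (any any), the
! destination 3.3.3.3 becomes 2.2.2.2. Without "unidirectional" a static
! twice-NAT rule is also applied in reverse, so B (2.2.2.2) connecting to A
! would appear as 3.3.3.3; with it, B reaches A from its real 2.2.2.2.
nat (inside,outside) source static any any destination static B-MAPPED B-REAL unidirectional
!
! Check both directions before trusting the rule:
!   packet-tracer input inside  tcp 1.1.1.1 1025 3.3.3.3 443
!   packet-tracer input outside tcp 2.2.2.2 1025 1.1.1.1 443
! The first trace should show a NAT phase rewriting 3.3.3.3 -> 2.2.2.2;
! the second should show no translation of 2.2.2.2 at all.
```

    If DNS answers for B must also be rewritten, the ASA's "dns" keyword on the NAT rule is the usual tool, but that only helps when the DNS reply actually passes through this ASA, which is not the case for the external resolver described in the post.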

  • L2L VPN with source and destination NAT

    Hello,
    I am new to the ASA 8.4 and was wondering how to tackle the following scenario.
    The diagram is
    Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
    The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
    The Customer connects the following way
    Source: 198.1.1.1
    Destination: 192.168.1.1
    It gets to the outside ASA interface which should translate the packets to:
    Source: 10.110.110.1
    Destination: 10.120.110.1
    On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
    I did the following configuration, which I am not able to test until tomorrow during the migration:
    object network obj-198.1.1.1
    host 198.1.1.1
    object network obj-198.1.1.1
    nat (outside,inside) dynamic 10.110.110.1
    For the inside to outside NAT depending on the destination:
    object network Real-IP
      host 10.120.110.1
    object-group network PE-VPN-src
    network-object host 198.1.1.1
    object network Destination-NAT
    host 192.168.1.1
    nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
    The question is whether I should also create the following for the outside-to-inside flow NAT, or whether the NAT is done by the inside-to-outside statement even if the traffic is always initiated from the outside interface?
    object network obj-192.168.1.1
    host 192.168.1.1
    object network obj-192.168.1.1
    nat (outside,inside) dynamic 10.120.110.1

    Let's use a spare IP address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free; please double check and use a free IP address accordingly):
    object network obj-10.10.10.243
      host 10.10.10.243
    object network obj-77.x.x.24
      host 77.x.x.24
    object network obj-10.10.10.251
      host 10.10.10.251
    object network obj-pcA
      host 86.x.x.253
    nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-pcA
    Hope that helps.
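    The customer tunnel from the question above, done in one twice-NAT rule, as an added example (not the poster's or the replier's configuration). It assumes the tunnel terminates on an interface named outside and the MPLS side is inside, as the post implies, and that the server at 10.120.110.1 routes 10.110.110.1 back via this ASA:

```cisco
! Added example for the customer tunnel described in the post.
! Assumed interface names: outside (tunnel side), inside (MPLS/server side).
object network CUST-REAL
 host 198.1.1.1
object network CUST-MAPPED
 host 10.110.110.1
object network SRV-REAL
 host 10.120.110.1
object network SRV-MAPPED
 host 192.168.1.1
!
! One rule does both rewrites for this pair of hosts. Seen from outside
! (the real side of this rule): source 198.1.1.1 becomes 10.110.110.1 and
! destination 192.168.1.1 becomes 10.120.110.1. Static twice NAT is
! bidirectional, so the server's replies (10.120.110.1 -> 10.110.110.1) are
! rewritten back to 192.168.1.1 -> 198.1.1.1 for this flow only; no second
! (inside,outside) rule is needed for the return direction.
nat (outside,inside) source static CUST-REAL CUST-MAPPED destination static SRV-MAPPED SRV-REAL
!
! The crypto map ACL is evaluated with the addresses as they appear on the
! outside wire, i.e. the customer's view of the flow, not the inside view:
access-list L2L-CUST extended permit ip host 192.168.1.1 host 198.1.1.1
!
! Verify the rewrite from the tunnel side before the migration window:
!   packet-tracer input outside tcp 198.1.1.1 1025 192.168.1.1 22
! Expect a NAT phase showing 198.1.1.1 -> 10.110.110.1 and
! 192.168.1.1 -> 10.120.110.1, then an ALLOW result.
```

    Because the rule is scoped to the single destination 192.168.1.1, the other tunnels that reach the same server without NAT are unaffected; they never match the destination clause.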

  • Services over NAT

                       Hi,
    I am trying to connect two overlapping IP address sites (see attached diagram). Site A LAN addresses will dynamic NAT to 10.1.1.0/24 at the ASA 5520. All the users from site A need to get services from site B (DHCP, DNS, Mailbox, Print Servers, AD login etc.). All the connections will be initiated from site A to B.
    My question is
    1. Will all these services run over a NATed address (dynamic), or do I have to change to static NAT?
    2. Has anyone run this kind of network and can provide a sample config for an ASA 5520?
    Regards,

    Hi,
    I suggest doing NAT on both sites.
    For Site A with ASA running 8.4 software the NAT configuration might look something like this
    Base Information
    Site A LAN: 192.168.1.0/24
    Site A LAN NAT: 10.1.1.0/24
    Site B LAN (NAT): x.x.x.x/24
    Site A LAN interface = inside
    Site A WAN interface = outside
    Configuration
    object network LAN-LOCAL
      subnet 192.168.1.0 255.255.255.0
    object network LAN-NAT
      subnet 10.1.1.0 255.255.255.0
    object network REMOTE-LAN
      subnet x.x.x.x 255.255.255.0
    nat (inside,outside) source static LAN-LOCAL LAN-NAT destination static REMOTE-LAN REMOTE-LAN
    What the above configuration will do is
    Do NAT between interfaces "inside" and "outside"
    When Site A users connect from their LAN-LOCAL to REMOTE-LAN their NAT IP address will be LAN-NAT. This works both ways. When Site B REMOTE-LAN connects to LAN-NAT they will reach LAN-LOCAL of Site A.
    Also notice that since you are using this type of NAT, every LOCAL and NAT address will match each other regarding the last portion of the IP address:
    192.168.1.1 = 10.1.1.1
    192.168.1.2 = 10.1.1.2
    192.168.1.3 = 10.1.1.3
    etc
    As I said before I would suggest you ask the Site B admin to also NAT their local LAN 192.168.1.0/24 to something and then you can use that network range and insert to the above configuration to the place of x.x.x.x.
    Please rate if you found the information helpful
    Also ask more if needed
    - Jouni

  • NAT Divert bypass

    We've run into a bit of a pickle and are looking for possible solutions to our issue. We run 8.4, which has the NAT divert functionality. Below is what we're trying to accomplish.
    Cisco ASA 5585-60 (8.4)
    3 total interfaces
    Inbound Interface App_LAN   (Apps reside here)
    Outbound Interface #1 Inter_DC_Path  (Customer servers sit behind this interface)
    Outbound Interface #2 Inside_Core        (Customer servers sit behind this interface)
    We have App servers that need to talk to our customer servers behind both interfaces (InterDC and Inside Core).  The customer servers are in the network range of 192.168.0.0/16 and they are split between both interfaces.  So Customer A might be on IP  192.168.11.1 behind the Inter_DC_Path and Customer B might be on IP 192.168.12.1 behind the Inside Core interface on the ASA.
    Our App servers need to hide behind NAT due to routing restrictions to our customers.  Also, the customer IP's are not contiguous so I can't break apart the 192.168.0.0/16 very easily between Inter_DC_Path and Inside Core. 
    So routing might look like this on the ASA Firewall
    route Inter_DC_Path 192.168.11.1 255.255.255.255 172.19.249.254
    route Inside_Core 192.168.12.1 255.255.255.255 172.28.222.254
    I am looking to put NAT statements that say
    Source: Appservers 10.10.10.1 and 10.10.10.2 (behind App_LAN)
    Destination: 192.168.0.0 255.255.0.0 (Either egress Inter_DC_Path or Inside Core)
    NAT To 172.28.220.2
    The issue is that since the destination is 192.168.0.0/16, NAT divert will send traffic out the wrong interface, correct? Is there a way to turn off NAT divert and allow us to NAT to the 192.168.0.0/16 and allow the firewall routing table to be consulted for egress?

    Hi,
    Please correct me if I am wrong, but as I understand it you have no overlap in the actual destination addresses between the 2 interfaces? Only that the larger network 192.168.0.0/16 is split between the 2 interfaces with varying size "chunks" of the whole network?
    To my understanding, in this situation you would not have to mention the destination address/subnet in the NAT configuration at all, and your "route" commands would handle forwarding the traffic where it needs to be forwarded.
    On the other hand, if the same APP servers need different translations towards different customers then I can see your problem. Though in that case I would simply suggest avoiding configuring the NAT destination network with such a large network mask. You should then clearly specify the destination hosts which need to be forwarded to each of the interfaces.
    The only situation where you can issue the "route-lookup" command to check the routing table seems to be with Static Identity NAT and therefore wouldn't apply to your situation (if you are doing Dynamic Policy PAT).
    Or did I understand something wrong?
    - Jouni
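    The "no destination in the NAT rule" approach from the reply, written out for the interfaces named in the question, as an added example that is not the poster's configuration. It assumes that 172.28.220.2 is routed back to the ASA from both customer paths (the post says the app servers must hide behind it, but not how it is routed):

```cisco
! Added example, not the original poster's configuration.
! Interface names are the ones given in the post.
object network APP-SERVERS
 range 10.10.10.1 10.10.10.2
 ! Object (auto) NAT with no destination clause: source PAT only, and
 ! "any" as the mapped interface so the same hide address is used whichever
 ! interface the route lookup selects for the customer host.
 nat (App_LAN,any) dynamic 172.28.220.2
!
! Egress is now decided by the routing table, not by the NAT rule:
route Inter_DC_Path 192.168.11.1 255.255.255.255 172.19.249.254
route Inside_Core   192.168.12.1 255.255.255.255 172.28.222.254
!
! Contrast: a twice-NAT rule that names both a destination and a mapped
! interface, for example
!   nat (App_LAN,Inter_DC_Path) source dynamic APP-SERVERS HIDE destination static CUST CUST
! is what makes the ASA send matching traffic out Inter_DC_Path regardless
! of the route for that destination. If per-customer rules are unavoidable,
! write one per customer interface and list only that interface's hosts in it.
!
! Check which interface a flow actually takes:
!   packet-tracer input App_LAN tcp 10.10.10.1 1025 192.168.12.1 443
! The trace ends with "output-interface:" naming the egress interface;
! for this flow it should be Inside_Core.
```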

  • Natting in cisco firewall ASA

    Hi,
    I am currently facing a problem with how to do internal NATing for my network.
    How do I NAT my VLAN 116 to VLAN 200 in my ASA firewall?
    Source                        Natted                     Destination
    192.168.116.0/24  -> 192.168.200.0/24  ->   192.168.102.0/24
    attached was my diagram and appreciate if someone can give me some guideline.

    Hello,
    The link below will help you for any NAT scenario you want.
    https://supportforums.cisco.com/docs/DOC-9129

  • Site to Site VPN with 2 ASA 5510's

    Hello guys,
    I'm hoping you all can help me with the following objective. I have been tasked to make a site-to-site VPN between two networks. We are both using an ASA 5510.
    This is the scenario:
    SiteA has a WAN address of (example) 20.20.20.20. The firewall is connected to a DMZ range: 192.168.0.0 255.255.255.0. In this range there is another firewall which grants/blocks access to the internal range 10.20.0.0 255.255.0.0.
    SiteB has a WAN address of (example) 21.21.21.21. The internal range is 10.0.0.0 255.0.0.0, no DMZ.
    How can I connect these 2 devices since there is an overlap? I am going to need to use NAT, right? Can someone give me a readable access rule/NAT rule and maybe advice on some other things I need to think of?
    Hope to hear from you all. Any advice is highly appreciated.
    Thanks in advance

    Hi,
    Well regarding the remote site I suppose if they are using hosts from ranges 10.0.1.0/24 and 10.0.2.0/24 they could simply NAT these portions of the network towards the L2L VPN connection. For example NAT them to subnets 192.168.101.0/24 and 192.168.102.0/24
    But you also seem to have a large subnet on your side since its 10.20.0.0/16. Because of this I would suggest narrowing it down to the hosts or smaller subnets like above with the remote site because simply NATing the whole subnet 10.20.0.0/16 to some other private range that is NOT from the 10.0.0.0/8 range would probably cause problems in the long run.
    Lets presume that on your side the network that needs to access the L2L VPN is 10.20.1.0/24 and we would NAT that to 192.168.201.0/24 then your NAT configuration could look like this
    object network DMZ-INTERNAL
      subnet 10.20.1.0 255.255.255.0
    object network DMZ-INTERNAL-NAT
     subnet 192.168.201.0 255.255.255.0
    object-group network REMOTE-NETWORKS
     network-object 192.168.101.0 255.255.255.0
     network-object 192.168.102.0 255.255.255.0
    nat (dmz,outside) 1 source static DMZ-INTERNAL DMZ-INTERNAL-NAT destination static REMOTE-NETWORKS REMOTE-NETWORKS
    In the above configuration we first create an "object" for both the actual internal DMZ subnet and the subnet that we will NAT it to. Then we create an "object-group" that will have inside it both of the remote NATed networks (NAT performed at the remote site).
    Finally the "nat" command itself will perform NAT between the "dmz" and "outside" interfaces and it will NAT "DMZ-INTERNAL" to "DMZ-INTERNAL-NAT" when the destination is "REMOTE-NETWORKS". The NAT configuration is bidirectional so it naturally handles whichever direction the connection is attempted. The names of the objects are up to the user.
    The ACL that defines the local and remote networks for the L2L VPN should use the NAT subnets of each site.
    If you want to restrict the traffic from the remote site then this can be done in a couple of ways. At its default settings the ASA will allow ALL traffic from the remote site behind the L2L VPN connection.
    You can use the command "show run all sysopt" to list some configurations that will tell us how your ASA has been set to handle VPN related traffic. The command we are looking for is "sysopt connection permit-vpn". This is the default setting that allows all traffic from VPN connections. If you were to change this to "no sysopt connection permit-vpn" then you could simply use the interface ACL of the interface that terminates the L2L VPN connection on your side to select what traffic is allowed. You would allow traffic the same way as if you were allowing traffic from Internet to your servers.
    The problem with this setup is if you have other existing VPN connections (VPN Client and L2L VPN) because they would also require their traffic to be allowed in your external interfaces ACL if you changed the above mentioned global setting.
    The other option is to configure a VPN Filter ACL that you will then attach to a "group-policy". You will then attach that "group-policy" to the "tunnel-group" of the L2L VPN connection.
    The actual ACL used for the VPN Filter purpose is a normal ACL, but you will always have to configure the remote network as the source in the ACL, and this usually causes some confusion.
    - Jouni

  • L2 services over routed network.

    Does anyone know what Cisco recommends for multisite L2 lan services over a routed IP network(no MPLS core)? I've been reading about vpls over gre, but after checking Cisco feature navigator, it looks like the ME switches do not do it. Is there another way to accomplish multisite L2 lan services in the ME or do you have to use 6500 or 6800 series?


  • Duplicate remote networks and PAT - IOS VPN

    This question pertains to an IOS router running c3900e-universalk9-mz.SPA.152-4.M5.
    We are deploying a new VPN termination router that will support multiple IPSec tunnels to multiple unrelated external organizations. We have many of these VPN routers in other regions hosting dozens of IPsec tunnels to dozens of unrelated external organizations. In the past, to allow for IPv4 uniqueness, we have suggested (required) these external organizations to PAT their source addresses to unique public addresses owned by the external organization. In some cases, my company has provided a public range of addresses to the external organization which the external organization uses to PAT their sources before presenting the traffic to our side of the VPN tunnel.
    This has served us well and scales quite well.
    However, we are now faced with an external organization (the very first organization on this new VPN termination router) that wants to present my company with non-unique addresses in the 10.0.0.0/8 range. This external organization has requested that we PAT their sources for them, which I understand that technically we can do.
    My first question is, if my company decides to go into the business of PATing the 10/8 sources of other external organizations, how will this impact the IP network used at the remote end of the tunnel and could these remote networks be overlapping between two or more external organizations without using some flavor of VRF? I developed a scenario below that I'd like help in understanding:
    interface Port-channel20.2900
    description Internet Bound (Outside)
    crypto map JIM                                               
    ip address 130.96.10.243 255.255.255.248
    ip nat inside 
    interface Port-channel20.2901
    *** Transit DMZ or LAN Bound (Inside)
    ip nat outside
    ip address 130.96.10.251 255.255.255.248 
    If we had two crypto external organizations:
    External Organization #1
    crypto map JIM 100 ipsec-isakmp
    description ***
    set peer 1.1.1.1
    set transform-set esp-3des-sha
    set security-association lifetime seconds 28800
    match address SCA
    crypto isakmp key blah address 1.1.1.1
    ip access-list extended SCA
    permit ip host 130.96.10.92 host 130.96.10.223
    access-list 7 remark *** SCA NAT List - SCA *** JMM
    access-list 7 permit 10.254.0.0 0.0.255.255
    ip nat pool SCA 130.96.10.223 130.96.10.223 prefix 30
    ip nat inside source list 7 pool SCA overload
    ip route 1.1.1.1 255.255.255.255 130.96.10.241
    ip route 10.254.0.0 255.255.0.0 130.96.10.241
    External Organization #2
    crypto map JIM 200 ipsec-isakmp
    description ***
    set peer 2.2.2.2
    set transform-set esp-3des-sha
    set security-association lifetime seconds 28800
    match address SCB
    crypto isakmp key blah address 2.2.2.2
    ip access-list extended SCB
    permit ip host 130.96.11.14 host 130.96.11.223
    access-list 8 remark *** SCB NAT List - SCB *** JMM
    access-list 8 permit 10.254.0.0 0.0.255.255
    ip nat pool SCB 130.96.11.223 130.96.11.223 prefix 30
    ip nat inside source list 8 pool SCB overload
    ip route 2.2.2.2 255.255.255.255 130.96.10.241
    Imagine these flows are present:
    Flow #  External Organization  Source        NAT Destination  Real Destination
    1       1                      130.96.10.92  130.96.10.223    10.254.10.10
    2       2                      130.96.11.14  130.96.11.223    10.254.10.10
    Since our interesting traffic access-lists are based on PAT addresses, theoretically the flow could be positively associated with the crypto-map clause before PAT. Is it true that in the forward direction we have PAT, followed by routing, followed by encryption? If so, this would mean that after PAT and routing the egress interface would be the same for both flows (Port-channel20.2900) and the IP destination address would also be the same (10.254.10.10). However, the source IP address would be distinct for each flow. Since routing has already happened, isn’t the router smart enough to associate the post-PAT packet(s) with the correct crypto-map clause on the crypto-enabled interface which would be based on the access-list in the “match address” clause within the crypto-map:
    ip access-list extended SCA
    permit ip host 130.96.10.92 host 130.96.10.223
    ip access-list extended SCB
    permit ip host 130.96.11.14 host 130.96.11.223
    In theory it seems this would allow duplicate IP networks at remote sites. Am I correct? If I'm wrong, where and how exactly does this fail?
    Thanks,
    Jim

    Hey Nathan...
    My VPN is down at the moment, but I think you're going to have to manually configure all of the "clients" who are sharing the VPN to an IP range that your office uses. When you connect to your VPN, check your network prefs, and you'll see the IP addresses assigned to your VPN are similar to your network at the office. So, in a way, your sharing computer has 2 IP addresses... one from your modem or router at home, and one from the VPN server at the office. It's this 2nd IP address that allows you to appear to be on the network at the office.
    So, if you can find a way to set up your shared clients the same way... it might work. It will also be VERY helpful if your IP range at home is different from the IP range at the office: 192.168... for one, and 10.0.0 for the other. (Whether traffic will pass through your "sharing server" is a different matter altogether.)
    Now, and I'm really guessing here... if this works at all... you may only be able to access stuff from the office on your "shared clients" (i.e. no internet). The way around that is to set up your VPN to allow VPN clients to pull stuff from the internet from the office through the VPN... and for the life of me I don't remember how that is done. But it will most likely be a bit slow.
    I'd start with the basics... setup one client with a manual IP address/router/dns servers, and try to ping a computer at the office. If this works... at least part of your problem is solved.
    With all that said... it may not work at all. Good Luck!

  • Transparent pix between 2 vrf

    hi guys,
    This is the problem: I need to receive from a GigaEth both some multicast streams and unicast control traffic to be filtered. So, on a 3750 there is a trunk towards the data provider, and interface VLAN X for mcast and VLAN Y for outside unicast in the global space. Then a VLAN Z in a separate VRF for inside. The PIX is connected on an L2 port in VLAN X for outside and on an L2 port in VLAN Z for inside. It doesn't work! It seems to be unable to resolve ARP...
    The current 3750 will soon become a 650x with Sup720B, but I am not sure whether we would get better results.
    Any advice ?
    Thanks
    Maurizio

    To make this happen a FWSM module has to be installed in the Catalyst 6500 series switch. The FWSM has the following features:
    Layer 2 Firewall (transparent mode)
    Layer 3 Firewall (route and/or NAT mode)
    Mixed Layer 2 and Layer 3 firewall per FWSM
    Dynamic/static NAT and PAT
    Policy-based NAT
    VRF-aware NAT
    Destination NAT for Multicast
    Static routing support in single- and multiple security context mode
    Dynamic routing in single security context mode: Open Shortest Path First (OSPF), Routing Information Protocol (RIP) v1 and v2, PIM Sparse Mode v2 multicast routing, Internet Group Management Protocol (IGMP) v2
    Transparent mode supports static routing only
    Private VLAN
    Asymmetric routing support without redundancy by using asymmetric routing groups
    IPv6 networking and management access using IPv6 HTTPS, Secure Shell Protocol (SSH) v1 and v2, and Telnet

  • How to do destination NAT in a 2600 router with IOS 12.3?

    Hi All
    I have a 2600 router with two LAN interfaces which I am using for a PoC and has the following settings:
    FE 0/0 - 10.0.0.1/24 - client LAN - inside 
    FE 0/1 - 10.1.1.1/24 - server LAN - outside 
    The direction of the flows is from the clients to the servers. What I would like to achieve is that when clients access the web server 10.1.1.10, this is replaced by 10.1.1.100.
    I have tried the above a few times but it doesn't work. Is the above possible? If so, please provide me with a sample config.
    Many Thanks

    Yes, you can do this.  You don't need destination NAT.  Source NAT translations work both ways.  This should work:
    ip nat inside source static tcp 10.1.1.100 80 10.1.1.10 80
    int fa 0/0
    ip nat inside
    int fa 0/1
    ip nat outside
    The bigger question is why you'd want to.  Just because you CAN do something doesn't mean you SHOULD.  Unless you have the 10.1.1.0 network subnetted or some sort of firewall/blocking in place, both IPs should be reachable by the hosts.  Why not just have them go directly to 10.1.1.100 instead of going to 10.1.1.10?  If there's a firewall or similar blocking 10.1.1.100, why not adjust your firewall settings instead?  You could have a valid reason for doing this but I can't think of very many scenarios off the top of my head where this would make sense.  If you can post more details on what you're trying to accomplish, you might get better advice on a better way to solve the problem.
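    The same destination rewrite for the 2600 topology in the question, written as an IOS "outside source" static, as an added example (not the reply's configuration). It keeps the interface roles from the original post, fa0/0 inside and fa0/1 outside; "outside source" is the IOS form whose translation is applied to the destination of inside-initiated flows:

```cisco
! Added example for the 2600 topology above; not the reply's configuration.
! Interface roles follow the original post: fa0/0 inside, fa0/1 outside.
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
!
! Outside source NAT: clients send to the outside local address 10.1.1.10,
! the router forwards to the outside global address 10.1.1.100, and the
! server's replies (source 10.1.1.100) are rewritten back to 10.1.1.10.
! Argument order: global (real) address first, local (as seen by clients) second.
ip nat outside source static tcp 10.1.1.100 80 10.1.1.10 80
!
! For inside->outside packets IOS routes first and translates second, so
! the router needs a route for 10.1.1.10. Here it falls inside the
! connected 10.1.1.0/24 on fa0/1. For a local address outside any connected
! subnet, append "add-route" to the command or configure a static route.
!
! Check the translation table and watch one flow:
!   show ip nat translations
!   debug ip nat detailed
! (turn the debug off with "undebug all" when done).
```

    With the plain "inside source" form, the static entry only matches packets from 10.1.1.100 arriving on the inside interface or packets to 10.1.1.10 arriving on the outside interface; neither happens in this topology, which is why the "outside source" form is the one to test here.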

  • CSS 11503 Destination NAT - can only enable one service

    I have three web servers configured as six services. Three are for MOSS (Microsoft Office Sharepoint Server) and three are for SSRS (SQL Server Reporting Services 2006 in integration mode).
    THE PROBLEM:
    When more than one MOSS service is active I can no longer connect to the SSRS services.
    This is a trunked Configuration:
    interface 1/1
    trunk
    redundancy-phy
    vlan 1
    default-vlan
    vlan 100
    vlan 101
    vlan 103
    interface 3/16
    bridge vlan 4000
    circuit VLAN100
    redundancy
    ip address 192.168.100.xx0 255.255.255.0
    circuit VLAN103
    redundancy
    ip address 192.168.103.xx0 255.255.255.0
    circuit VLAN4000
    ip address 1.x.x.2 255.255.255.252
    redundancy-protocol
    circuit VLAN101
    redundancy
    ip address 192.168.101.xx0 255.255.255.0
    service MOSSWeb01
    ip address 192.168.103.xx1
    keepalive port 80
    keepalive type tcp
    active
    service MOSSWeb02
    ip address 192.168.103.xx2
    keepalive port 80
    keepalive type tcp
    active
    service MOSSWeb03
    ip address 192.168.103.xx3
    keepalive port 80
    keepalive type tcp
    active
    service SSRSWeb01
    ip address 192.168.103.xx1
    active
    service SSRSWeb02
    ip address 192.168.103.xx2
    active
    service SSRSWeb03
    ip address 192.168.103.xx3
    active
    owner MOSS
    content MOSS
    vip address 192.168.100.xx1
    vip-ping-response local-remote
    add service MOSSWeb01
    add service MOSSWeb02
    add service MOSSWeb03
    active
    owner SSRS
    content REPORTSERVER
    vip address 192.168.100.xx2
    add service SSRSWeb01
    add service SSRSWeb02
    add service SSRSWeb03
    vip-ping-response local-remote
    active
    group MOSS2007-DSTNAT
    vip address 192.168.100.xx1
    add destination service MOSSWeb01
    add destination service MOSSWeb02
    add destination service MOSSWeb03
    active
    group SSRS2005-DSTNAT
    vip address 192.168.100.xx2
    add destination service SSRSWeb01
    add destination service SSRSWeb02
    add destination service SSRSWeb03
    active
    NOTES:
    All (3) real servers have a default route to 192.168.103.xx0 which ensures traffic passes through the CSS (so I don't understand why I still need a destination service group).
    When MOSS accesses SSRS it does so via http://SSRS2005/reportserver. This is configured in DNS as 192.168.100.xx2. I would think that this would also ensure traffic through the CSS but I still had to configure a destination service for these.
    All clients connect to the MOSS services via one VIP (192.168.100.xx1) and the MOSS services connect to the SSRS services via a 2nd VIP (192.168.100.xx2). MOSS also connects to itself for indexing content and a variety of other services (I had originally tried separating the MOSS content rules using layer 5 matching on Host Headers. This seemed to cause issues with access to ports 139 and 445 for UNC access to document libraries so I simplified the MOSS content rule back to layer 3).
    I have setup two distinct groups and have used destination NAT so that the servers can communicate to each other.
    When using Wireshark on the servers to run packet traces and all services are up I do not even see any packets destined for the SSRS services leading me to believe that they are dropped by the CSS (however, I don't see them using show flows on the CSS either).
    Can anyone here shed some light on the correct way to configure the CSS in such a scenario?
    Thanks in advance.

    I have two MOSS services down because MOSS can't get to SSRS if more than one MOSSservice is active. That's the crux of the biscuit.
    I had hoped to avoid the whole packet sniffing activity but it looks like I may need to capture more information. I don't really want to change the VLAN configuration since this CSS is managed by our network team and there are other services configured on the CSS that I have not indicated.
    I appreciate your advice, so far. I will actually have some downtime this coming weekend where I can try some additional configuration options after prime time from home.
    One thing that may not be apparent in this whole discussion is that all of the sites on both MOSS and SSRS use HOST Headers for HTTP. That's what keeps them separated. I had tried using layer 5 content rules but had the same issue plus other issues with non-HTTP traffic. I also did not care for the fact that the CSS actually spoofs the responses when using layer 5. There is a lot of NTLM Challenge/Response traffic for Windows Integrated Authentication and Negotiated Kerberos. The bottom line is that even without Layer 5 content rules the Host Headers do get passed to IIS and the sites are selected properly based on that header. The exception is that Host Headers are no longer required for SSRS since it is the default website on port 80 (besides, setting up host headers for SSRS in MOSS integration mode has its own set of issues). Still, the host headers are sent to SSRS SOAP Endpoints and there are no issues connecting to any of the three SSRS services from any of the three MOSS servers interactively. The issue is when a client outside of these VLANs makes a request for a report.
    client->MOSS->SSRS->MOSS->client
    Be aware too that both MOSS and SSRS are making connections back through the CSS to their respective databases for each request.

  • Cisco ASA 8.2. Destination NAT (network - network)

    Hi Guys,
    Could you tell me if I can do destination NAT (class C network => class C network) on Cisco ASA running 8.2? (or another version).
    For example, will destination NAT like this work:
    static (inside,outside) 8.2.2.0 10.10.8.0 netmask 255.255.255.0
    I need that when a packet from the Internet goes to 8.2.2.X, its destination IP address is changed to 10.10.8.X.
    So, if a packet goes to 8.2.2.145 , the dest IP field of the packet will be changed to 10.10.8.145.
    If a packet goes to 8.2.2.1, the dest IP field of the packet will be changed to 10.10.8.1.
    Etc.
    Thanks.

    Hello,
    Yes, that is possible. In fact, that is the way it works.
    Regards,
    Julio
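    The network-to-network static from the question together with the interface ACL it needs, and the same mapping on ASA 8.3 and later, as an added example (not from the original post). The ACL names and the destination port are assumptions; the point is where the ACL refers to translated versus real addresses, which changed in 8.3:

```cisco
! Added example, not from the original post. Object and ACL names are assumed.
!
! ASA 8.2: network-to-network static. The netmask makes it a one-to-one
! mapping host by host, so 8.2.2.145 <-> 10.10.8.145, 8.2.2.1 <-> 10.10.8.1.
static (inside,outside) 8.2.2.0 10.10.8.0 netmask 255.255.255.0
! On 8.2 and earlier the outside ACL refers to the translated (global) addresses:
access-list OUTSIDE-IN extended permit tcp any 8.2.2.0 255.255.255.0 eq 443
access-group OUTSIDE-IN in interface outside
!
! ASA 8.3+: the same mapping as object NAT with a same-size mapped object ...
object network INSIDE-NET
 subnet 10.10.8.0 255.255.255.0
object network MAPPED-NET
 subnet 8.2.2.0 255.255.255.0
object network INSIDE-NET
 nat (inside,outside) static MAPPED-NET
! ... and the outside ACL now refers to the real addresses:
access-list OUTSIDE-IN extended permit tcp any 10.10.8.0 255.255.255.0 eq 443
access-group OUTSIDE-IN in interface outside
!
! Verify with a packet from the Internet side (198.51.100.7 is a made-up
! documentation address standing in for any Internet client):
!   packet-tracer input outside tcp 198.51.100.7 1025 8.2.2.145 443
! The NAT phase should show 8.2.2.145 translated to 10.10.8.145.
```

    The 8.2 to 8.3 upgrade migrates the static automatically but leaves ACLs to be checked by hand; an outside ACL still written against 8.2.2.0/24 silently permits nothing after the upgrade.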

  • How do I NAT based on destination port while source port can be ANY

    Goal - I want to forward Internet-bound HTTP and HTTPS traffic to a proxy via an IPsec tunnel. I want to maintain my private IP as it goes across the IPsec tunnel. I also want the remaining Internet traffic to route normally by NATing to my outside address.
    In 8.4 this is quite easy as I can specify a destination port and have "any" source port for the NAT
    Here is a snap shot of the config:
    object service Proxy_HTTP
    service tcp destination eq www
    object service Proxy_HTTPS
    service tcp destination eq https
    nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
    nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS
    object network Non_Proxy
    nat (any,outside) dynamic interface
    PROBLEM: I need this behavior in 8.2.x  - I have found no way to mimic this.
    You cannot use NAT Exemption as it cannot be port based
    A static policy NAT with an access list will not work as you must specify a single source port. Since there is no way to predict the source port this won't work.
    I don't see any of the other NAT Types working this way.
    If there is a way to make this work in 8.2 please let me know - We have many ASAs and we are not ready to make the leap to 8.4 but we need to use the proxy.

    Karen-
    Results: Did not work. The web based shortcuts did not appear.
    Below is the steps taken with your tips incorporated. (Again it's lengthy sorry about that, but anyone can recreate what was done here. Maybe someone can see something left out by doing/reviewing it).
    Here is what was done:
    1. Installed a fresh install of Windows 8.1 Enterprise on a PC. No updates were run.
    2. During setup created the admin account.
    3. Logged into the account a simple start screen was arranged and setup by:
    Starting desktop Internet Explorer. Going to Technet's website. Clicked tools and then selecting "Add site to Apps" from the drop down menu. Went to Apps screen, right clicked and pinned it to start screen. Repeated this procedure with an
    educational web based site.
    Right clicked a few provisioned apps and unpinned them from the start screen.
    Made a few groups and labeled them. Web based shortcuts were arranged with one provisioned app in that particular group.
    4. Opened a Powershell, right clicked it and ran as administrator. Typed the following:
    export-startlayout -path C:\Users\Public\Master.xml -as xml
    (Master is the name chosen for this test .xml file and it was put in a location all users would have privileges to access).
    5. Opened the command prompt and right clicked and "ran as administrator", typed in gpedit.
    6. In the Local Group Policy under User Configuration, under Start Menu and Taskbar, I chose the Start Screen Layout.
    7. Enabled the policy and typed in: C:\Users\Public\Master.xml for the Start Layout File.
    8. Opened computer management, under Local Users and Groups I chose Users, right clicked in the middle screen and created a new user called Alpha.
    9. Logged out of the initial account and logged into the newly created Alpha account.
    10. When the Alpha account logged in, the start screen came up with everything changed in the initial account, but no web based shortcuts were found on the start screen or App view.

  • Static nat with dual destination

    I need to configure static nat for cisco ASA 5500,
    here is the topology:
    one server (source) with ip 10.211.250.22 /28 (interface : name if dmz_virtual_account)
    will static nat to two destinations :
    1. to Internet will translated to 202.152.19.196 (Interface : name if Outside_Inet) and,
    2. to the external network, whose real address is 10.10.10.1, it will be translated to 192.168.168.14 /29 (interface: nameif dmz_external)
    Need help
    and many thanks for any advice
    Regards,
    Manao

    Hi Marvin
    my ASA's software is running 8.4
    Regards,
    Manao
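    One way to give the server above a different static address per egress interface on ASA 8.4, as an added example (the thread carries no answer, and this is not the poster's configuration). It uses the nameifs from the question; the object names and the Internet test address are assumptions:

```cisco
! Added example for the "dual destination" request above (ASA 8.4);
! not the poster's configuration. Interface names are the nameifs in the post.
object network SRV
 host 10.211.250.22
object network SRV-INET
 host 202.152.19.196
object network SRV-EXT
 host 192.168.168.14
object network EXT-HOST
 host 10.10.10.1
!
! 1. Toward the Internet: object (auto) NAT bound to the Outside_Inet
!    interface, so it is not applied when the server talks to other interfaces.
!    Static object NAT is bidirectional, so 202.152.19.196 also reaches the server.
object network SRV
 nat (dmz_virtual_account,Outside_Inet) static SRV-INET
!
! 2. Toward the external partner: twice NAT scoped to that interface pair and
!    to the single destination 10.10.10.1. The identity destination
!    (EXT-HOST EXT-HOST) means only the source is rewritten.
nat (dmz_virtual_account,dmz_external) source static SRV SRV-EXT destination static EXT-HOST EXT-HOST
!
! Manual (twice) NAT is evaluated before object NAT, but the two rules never
! compete here because each names a different mapped interface.
! Confirm each path separately (203.0.113.9 is a made-up Internet host):
!   packet-tracer input dmz_virtual_account tcp 10.211.250.22 1025 10.10.10.1 443
!   packet-tracer input dmz_virtual_account tcp 10.211.250.22 1025 203.0.113.9 443
! The first should translate the source to 192.168.168.14, the second to 202.152.19.196.
```

    If the partner side should be able to reach 192.168.168.14 from other hosts as well, widen EXT-HOST (or replace it with any) rather than adding a second rule; keeping the destination narrow is what stops the 192.168.168.14 mapping from leaking onto the Internet path.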
