VPN ASA inside interface and IP pool are on the same subnet

Hi Everyone,
I have configured RA VPN full tunnel.
The inside interface of the ASA is
Vlan1                    inside                 10.0.0.1        255.255.255.0   CONFIG
ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
I need to know: is it good design to have both on the same subnet?
When I access the switch connected to the VPN ASA inside interface via https://10.0.0.2
(the switch has IP 10.0.0.2) while using a remote VPN connection to the ASA, it does not work and gives the error
message below
Jan 19 2014 19:42:46: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51077(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure.
Jan 19 2014 19:42:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51078(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure
Jan 19 2014 19:42:59: %ASA-6-302014: Teardown TCP connection 22418 for outside:10.0.0.51/51069(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:01:08 bytes 1035 TCP Reset-O (ipsec-user)
Jan 19 2014 19:42:59: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/51069 to 10.0.0.1/443 flags FIN ACK  on interface outside
The current NAT config is
nat (inside,outside) source dynamic any interface
Regards
Mahesh

Hi Mahesh,
It should work, but I generally would not suggest having the same network on the LAN and also configured partially as a VPN Pool network.
Your problem at the moment is simply the lack of a NAT0 configuration for the traffic between the LAN and the VPN Pool.
I would suggest changing the VPN Pool first and then configuring this
object network LAN
subnet 10.0.0.0 255.255.255.0
object network VPN-POOL
subnet
nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
We have to use the line number "1" in the above command so that it gets moved to the top, since your current Dynamic PAT would otherwise override it.
In the future it would be best if you changed your current Dynamic PAT configuration to this
nat (inside,outside) after-auto source dynamic any interface
We simply add "after-auto" to this Dynamic PAT configuration so that it gets moved down in priority. The "after-auto" refers to the fact that this NAT will be inserted after Auto NAT (after Section 2). Your current rule is Manual NAT (Section 1). The new rule will be Manual NAT (Section 3).
- Jouni
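The NAT ordering argument in the reply above (NAT0 at line 1 versus the Dynamic PAT, and the after-auto variant) and the design question about the pool sharing the inside subnet, as an added Python example that is not part of the thread and not Cisco code. It is a deliberately simplified model of how the ASA walks its NAT sections and why the reverse-path check in %ASA-5-305013 fails, written for illustration only; the VPN-POOL subnet 10.0.1.0/24 is assumed because the reply leaves it blank, all function and rule names are hypothetical, and the sample log lines are copied from the original post rather than captured live.

```python
import ipaddress
import re
from dataclasses import dataclass

# --- 1. Design check: does the VPN pool overlap the inside subnet? ---

def pool_overlaps_lan(lan_cidr: str, pool_start: str, pool_end: str) -> bool:
    """True if any address of the pool range lies inside the LAN prefix."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    return not (end < lan.network_address or start > lan.broadcast_address)

# --- 2. Simplified model of ASA NAT rule ordering and the reverse-path check ---

@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                 # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT after-auto
    line: int                    # position inside the section
    src: ipaddress.IPv4Network   # original source addresses the rule matches
    dst: ipaddress.IPv4Network   # original destination addresses the rule matches
    kind: str                    # "identity" (no translation) or "dynamic-pat"

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.0.0.0/24")        # the "LAN" object from the reply
VPN_POOL = ipaddress.ip_network("10.0.1.0/24")   # assumed new pool; the reply leaves the subnet blank

def first_match(rules, src, dst):
    """Return the first rule matching (src, dst) in ASA evaluation order: section, then line."""
    for rule in sorted(rules, key=lambda r: (r.section, r.line)):
        if src in rule.src and dst in rule.dst:
            return rule
    return None

def reverse_path_ok(rules, inside_host: str, vpn_client: str) -> bool:
    """Model of %ASA-5-305013: the VPN client -> LAN host flow arrives untranslated, so the
    reverse flow (LAN host -> VPN client) must also stay untranslated.  If the reverse lookup
    lands on the Dynamic PAT instead, the two directions disagree and the ASA drops the flow."""
    rule = first_match(rules, ipaddress.ip_address(inside_host), ipaddress.ip_address(vpn_client))
    return rule is None or rule.kind == "identity"

DYNAMIC_PAT = NatRule("nat (inside,outside) source dynamic any interface", 1, 1, ANY, ANY, "dynamic-pat")
NAT0 = NatRule("nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL",
               1, 1, LAN, VPN_POOL, "identity")

BEFORE = [DYNAMIC_PAT]                                                   # the poster's current config
FIXED_LINE_1 = [NAT0, NatRule(DYNAMIC_PAT.name, 1, 2, ANY, ANY, "dynamic-pat")]   # NAT0 inserted at line 1
FIXED_AFTER_AUTO = [NAT0, NatRule(DYNAMIC_PAT.name + " after-auto", 3, 1, ANY, ANY, "dynamic-pat")]

# --- 3. Detection: pull reverse-path failures out of ASA syslog ---

_RPF_RE = re.compile(
    r"%ASA-5-305013: .*? src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+\((?P<user>[^)]*)\) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) denied due to NAT reverse path failure"
)

def reverse_path_failures(log_lines):
    """Return (user, src, dst, dport) for every %ASA-5-305013 line; other message IDs are ignored."""
    hits = []
    for line in log_lines:
        m = _RPF_RE.search(line)
        if m:
            hits.append((m["user"], m["src"], m["dst"], int(m["dport"])))
    return hits

# Sample lines copied from the original post (constructed test input, not a live feed)
SAMPLE_LOG = [
    r"Jan 19 2014 19:42:46: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51077(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure.",
    r"Jan 19 2014 19:42:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51078(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure",
    r"Jan 19 2014 19:42:59: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/51069 to 10.0.0.1/443 flags FIN ACK  on interface outside",
]

if __name__ == "__main__":
    print("pool overlaps LAN:", pool_overlaps_lan("10.0.0.0/24", "10.0.0.51", "10.0.0.100"))
    for label, rules in (("before", BEFORE), ("nat0 at line 1", FIXED_LINE_1), ("after-auto", FIXED_AFTER_AUTO)):
        print(f"{label:15s} reverse path ok: {reverse_path_ok(rules, '10.0.0.2', '10.0.1.5')}")
    for hit in reverse_path_failures(SAMPLE_LOG):
        print("reverse-path failure:", hit)
```

Run as a script, the overlap check flags the poster's 10.0.0.51-100 pool against 10.0.0.0/24, the "before" rule set fails the reverse-path check while both fixed orderings pass it, and the parser pulls the two 305013 events (user, source, destination, port) out of the log while ignoring the unrelated 106015 teardown line.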

Similar Messages

  • SVC WebVPN (clientless) uses IP pool addressing or ASA inside interface IP

    I'm trying to design something which requires the ASA to uniquely assign one IP per clientless VPN user. It seems like all these web requests coming through the ASA are proxied via the ASA's inside IP as the source address of the web request. Does the ASA proxy requests through it by changing the VPN client request IPs from a POOL configuration, or is it always going to use the ASA inside interface IP? Assuming a two-NIC configuration (inside/outside).
    NOTE: I'm not talking about AnyConnect or IKEv1/2 client-based VPNs. I'm specifically talking about the client-free login connection method.
    Thanks in advance,
    Will

    Hi Will,
    Pls move your thread to here
    https://supportforums.cisco.com/community/6001/vpn
    HTH
    Rasika

  • My battery runs low very fast (three hours). I looked in the usage settings and it seems the time for usage and stand-by are the same, although I did have my iPhone on stand-by!! What can I do?

    Community,
    I have a problem with my iPhone 4. Every few months my battery starts draining within a few hours. I have tried all kinds of battery saving tips, but they don't help. When I go to Settings/General/Usage I can see that the time for Usage and Stand-by are the same, so my phone is fully on all the time; this explains the draining. But in reality I turn my phone to stand-by most of the time, I mean the screen is black and all???
    The first and second time I had this problem, both a few months apart, I restored my phone and it was solved. This time I restored my phone but this did not help!! And restoring my phone every two months is not my preferred way of solving this problem.
    Does anybody have an idea on how to solve this problem? Can anybody help me?
    Best regards,
    Merijn

    Restoring is the answer. It sounds as if there is a rogue process constantly draining your battery.
    The issue you face is that, if you restore your backup thereafter, you risk the problem coming straight back with your files.
    Store your files individually and it is time to start fresh.

  • Cannot set up iPad since my email and apple id are the same.  Help?

    I cannot set up my new iPad since the apple ID and the email are the same, any suggestions?

    Anything here to help? http://support.apple.com/kb/HE37

  • Your Price and Retail Price are showing same value.

    In my Catalog section display routing page "Your Price" and "Retail Price" are showing same value. How can I resolve this issue?

    Hi Ashish,
    The CUSTOMER context for qualifiers is supported at the Item / Cart levels.  However, it is only supported in the Catalog when using Best Price.  If using minisite based pricing, "IBE: Use Price List Associated with Specialty Site" = Yes,  and/or customer account pricing, "IBE: Use Customer Account Price List" = Yes,
    Then this qualifier is not referenced for the catalog pricing calls by the pricing engine.
    As per the documentation link referenced above -
    Pricing Qualifiers Supported by Oracle iStore
    All of the pricing qualifiers that are supported by Oracle iStore are supported at the shopping cart level -- but in the catalog pages, only a subset of these supported attributes are available to the pricing engine.
    The following table shows the pricing attributes supported in the Customer Application. The table also shows the context for the attributes, whether they are supported in the catalog in addition to the shopping cart, and whether they are supported at item level (also known as line level) or cart level (also known as order or header level). Remember, all of the following are supported in the shopping cart; some are only supported in the catalog. Customer contexts are supported in a Best Price scenario only.
    The discount will not be applied in the catalog with a CUSTOMER context qualifier on the modifier unless using Best Price for pricing.  This behavior is discussed in the (Doc ID 429657.1)
    Regards,
    Debbie

  • Can not access ASAs inside interface via VPN tunnels

    Hi there,
    I have a funny problem.
    I build up a hub and spoke VPN, with RAS Client VPN access for the central location.
    All tunnels and the RAS VPN access are working fine.
    I use the tunnels for Voip, terminal server access and a few other services.
    The only problem I have is that I cannot access the inside IP address of any of my ASAs, neither via the tunnels nor via RAS VPN access. No telnet access and no ping reaches the inside interfaces.
    No problem when I connect to the interface via a host inside the network.
    All telnet statements in the config end with the INSIDE command.
    On most of the ASAs the 8.2 IOS is running; on one or two ASAs, the 8.0(4).
    For the RAS client access I use the Cisco 5.1 VPN client.
    Does anybody have any suggestions?
    Regards
    Marcel

    Marcel,
    Simply add, on the ASAs you want to administer through the tunnels,
    management-access
    http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
    for ASA 5505
    management-access inside
    for all others, if you have the management interface Management0/0 defined, then:
    management-access management
    Then you may need to allow the source; for example, if the RA VPN pool network is 10.20.20.0/24, then you tell the ASA that this network can administer the ASA and point access to inside, but it sounds like you have this part already.
    telnet 10.20.20.0 255.255.255.0 inside
    http 10.20.20.0 255.255.255.0 inside
    Same principle for L2L VPNs.
    Regards

  • Inside LAN is not reachable even after the Cisco remote access VPN client is connected to router C1841, but I can ping the router inside interface and loopback interface; not able to ping even the directly connected inside device..??

    Hi friends,
    Here is the configuration in my router C1841 for the Cisco IPsec remote access VPN. I was able to establish a VPN session properly, but thereafter I can only reach up to the inside interfaces of the router, not the LAN devices...
    Below is the output from the router
    r1#sh run
    Building configuration...
    Current configuration : 3488 bytes
    ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
    ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
    version 15.1
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r1
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
    aaa new-model
    aaa authentication login local-console local
    aaa authentication login userauth local
    aaa authorization network groupauth local
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    ip domain name r1.com
    multilink bundle-name authenticated
    license udi pid CISCO1841 sn FHK145171DM
    username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
    username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group ra-vpn
    key xxxxxx
    domain r1.com
    pool vpn-pool
    acl 150
    save-password
      include-local-lan
    max-users 10
    crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
    crypto dynamic-map RA 1
    set transform-set my-vpn
    reverse-route
    crypto map ra-vpn client authentication list userauth
    crypto map ra-vpn isakmp authorization list groupauth
    crypto map ra-vpn client configuration address respond
    crypto map ra-vpn 1 ipsec-isakmp dynamic RA
    interface Loopback0
    ip address 10.2.2.2 255.255.255.255
    interface FastEthernet0/0
    bandwidth 8000000
    ip address 117.239.xx.xx 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map ra-vpn
    interface FastEthernet0/1
    description $ES_LAN$
    ip address 192.168.10.252 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.252.0 secondary
    ip address 172.16.0.1 255.255.252.0 secondary
    ip address 10.10.7.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpn-pool 172.18.1.1   172.18.1.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip dns server
    ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
    ip nat inside source list 100 pool INTERNETPOOL overload
    ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
    access-list 100 permit ip 10.10.7.0 0.0.0.255 any
    access-list 100 permit ip 10.10.10.0 0.0.1.255 any
    access-list 100 permit ip 172.16.0.0 0.0.3.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
    access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
    control-plane
    line con 0
    login authentication local-console
    line aux 0
    line vty 0 4
    login authentication local-console
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    r1>sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    C        10.2.2.2/32 is directly connected, Loopback0
    C        10.10.7.0/24 is directly connected, FastEthernet0/1
    L        10.10.7.1/32 is directly connected, FastEthernet0/1
    C        10.10.8.0/22 is directly connected, FastEthernet0/1
    L        10.10.10.1/32 is directly connected, FastEthernet0/1
          117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
    L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
          172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.16.0.0/22 is directly connected, FastEthernet0/1
    L        172.16.0.1/32 is directly connected, FastEthernet0/1
          172.18.0.0/32 is subnetted, 1 subnets
    S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.252/32 is directly connected, FastEthernet0/1
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1 #sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: giet-vpn, local addr 117.239.xx.xx
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
       current_peer 49.206.59.86 port 50083
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x550E70F9(1427009785)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x5668C75(90606709)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550169/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x550E70F9(1427009785)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550170/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    Hi Maximilian Schojohann,
    First I would like to thank you for showing interest in solving my issue. After some research I found that disabling "ip cef" will solve the issue; when I disable it I am able to communicate successfully with the router LAN. But when I disable "ip cef" the router CPU processor goes to 99% and hangs...
    In the output of "sh process cpu" it shows 65% utilization from "IP INPUT".
    So please give me an alternate solution... thanks in advance...

  • Message Interface and Communication Channel are not getting in RW B

    Hi
    I have created a scenario in which I have created the following things
    2 - External Definition of Same XSD
    2 - Data Types
    2 - Message Types
    4 - Message Interfaces
    2 - XSLT mappings
    2 - Interface Mapping
    I have created two scenario objects in XI ID.
    But in RWB I can see only one scenario's message interfaces and communication channels; for the other scenario the MIs and communication channels are not visible in RWB.
    I have created all the things in only one Namespace.
    What could be the problem? Please help me.
    Regards

    Hi,
    Have you activated it?
    Can you see it in SXI_CACHE?
    If one is no, please run report SAI_CACHE_REFRESH
    Kind regards,
    Wojciech

  • Since upgrading to Mavericks my Interface and hard drive are shutting down when Mac put to sleep

    Hi,
    Since upgrading to Mavericks, when I put my Mac to sleep both my audio interface and my Time Machine hard drive are put to sleep also, effectively making it so that when I start up my MacBook again I have to remove both the aforesaid from the USB outlets and put them in again so that the Mac recognises them.
    This means two things. First of all, all my Time Machine backups that are attempted whilst the Mac is put to sleep fail, whereas before they successfully ran. It also means that my audio interface doesn't work and has to be reset.
    Anybody have the same kind of USB / Sleep issues?
    Many thanks in advance.

    Hello jamieesa,
    You might consider resetting your system's SMC and PRAM.
    Intel-based Macs: Resetting the System Management Controller (SMC)
    http://support.apple.com/kb/HT3964
    OS X Mavericks: Reset your computer’s PRAM
    http://support.apple.com/kb/PH14222
    Cheers,
    Allen

  • Could not complete your request because source and destination files are the same

    Hi, thank you for reading.
    I'm having this problem and it's driving me nuts.
    I'm actually following a tutorial that you can check out here: http://nightshifted.tumblr.com/post/2559360661/tutorial-paused-animations
    Basically I'm trying to do an animated GIF with canvas (I'm sorry if my English is not so great). When I try to drag the layers into the canvas (step 2 of the tutorial), I get the error: "could not complete your request because source and destination are the same".
    Can anybody help me? I have both CS3 and CS5 and the error appears in both.
    Thank you in advance

    I think they mean select the layers and frames and using the move tool, drag
    inside the document (click inside the document window and drag) to move the
    selected layers to the top half  (transparent area), not to drag the layers from
    the layers palette into the document, which would give that error.
    MTSTUNER

  • *Fix* Usage and Standby Times are the same - iPhone 4S 7.0.4

    I'd like to share my experience here because I actually found the solution on here but I'm actually having trouble finding it again.
    I had three problems:
    1. My standby and usage times were always reporting the same values, thus draining my battery faster than usual. This is not normal behavior; whenever the screen is off it should report standby time, and after the phone is unlocked it is considered usage. They should never be recording in tandem.
    2. Whenever I would try to turn off my phone by holding down the power button, the phone would basically restart itself, showing the Apple logo boot screen and then restarting. The only caveat was that it would turn off if it was plugged in and being charged. But take it off the charger and try to replicate it turning off and it would restart.
    3. The sound would sometimes think that it was connected to a Dock, so when I went to the Airplay options, they were listed as Dock Connector, Airport Express and Apple TV. There would be no volume slider in the Control Center, and when pressing the volume buttons, there would be no dots, just the bell with a line through it.
    Many people might be having genuine battery issues, where you have an older phone and your battery is just really bad and needs to be replaced. My 4S was still under AppleCare in December 2013 and the battery was pretty bad, so I had it replaced in an Apple Store. So for me, the battery life itself was not the problem.
    I tried a lot of things to try and fix the above problem but none of them helped. This includes chatting with Apple support (I was surprised they didn't steer me in an obvious direction, considering the large amount of folks who were having these kinds of problems, but they played dumb), restoring fresh and restoring iCloud and iTunes backups, all kinds of combinations of settings for Mail, iCloud, etc., but nothing worked. I probably restored my phone at least ten times in my troubleshooting efforts. The isolated test was restoring my phone fresh, setting it up to the start screen, making sure the battery was charged 100%, taking it off the charger and waiting about 10 minutes. Then I would check standby and usage times.
    I had read about fixes for the phone not being able to turn completely off, and it had something to do with cleaning the charging port. I attempted to clean the port with compressed air and other methods, but it never fixed this problem. Then I read a post on Apple Support about a guy who had the exact same problems as I did, then said he changed out his charging port and this fixed it. Well, it was $40 so I paid someone to do it in 45 minutes.
    After I got my phone back the problem didn't appear to be fixed, but after a restore, and even with an iCloud backup restored with it, I looked down at my phone and presto chango, the times were separate and working as they should. Last night with wifi off while I was sleeping, the battery only went down 3%. I know this is turning out to be a narrative, but I spent a lot of time trying to figure out what the problem was and it was a frustrating process. I'm happy it's resolved.
    Apple Support thought it was a corrupt install package from iTunes, or some kind of software glitch or maybe some part of iCloud constantly trying to call home, but it was a combination of both hardware and software. Because of the bad charging port, for some reason the phone thought it was still being used and thus was still treating standby as usage.
    I would encourage those that are having this problem to do a test and see if your phone will turn off when you want it to. If it resets automatically and if your standby usage times are the same, replacing the charging port might fix it.

    Ever since iOS 7.0.6, and still on iOS 7.1, both I and my wife had huge battery drain on our iPhone 4S and stand-by was equal to usage time. We finally found the solution in a post by another user on the Dutch Tweakers forum. There seems to be a bug within a certain Dutch coupon app called 'Scoupy' which drained the battery completely although the GPS setting was turned off and 'refresh on background' was also off.
    Scoupy said that a fix for their app has been sent for approval to the App Store. We removed the app and our usage/stand-by time is again normal (higher stand-by time than usage time) and best of all a 'normal' battery use as was the case on iOS 7.0.4. I hope this could help someone. I'm wondering if the iBeacon changes in iOS 7.0.6/7.1 together with a bug in the Scoupy app could be the cause? Maybe this also applies to similar apps you have on your phone.

  • How do I limit the number of Operator Interface and Execution instances to one?

    We have a problem in MFG.  The operator launches two instances of the operator interface and executes the same sequence.  A second scenario is where the operator is executing the sequence and then changes from the execution window back to the Sequence Display window and launches a second execution window.  We need to understand how to limit the number of executions within an instance of the Operator Interface to one.  We also need to understand how to limit the number of instances of the Operator Interface to one.
    Regards,
    Steve Easthope

    Steve,
    This is a duplicate post.  Please reference your first thread. 
    Derrick S.
    Product Manager
    NI DIAdem
    National Instruments

  • Unrendered Audio - sequence and clip settings are the same

    When I drag a clip to the timeline a redline appears on the top of the timeline. I know this means that there is a setting issue between the sequence and the clips. All the settings are the same with the exception of the:
    audio format - Clip: 8 bit integer
    Seq: 32 Bit Floating
    Audio Rate - Clip: 48000 5kh
    Seq: 48.0 KH
    The clips which is 1 1/2 HR takes 6 minutes to render.
    Does anyone know why I need to render this clip?
    Macbook Pro   Mac OS X (10.4.8)  

    Here: a foolproof way to ensure clip-sequence settings match up:
    http://web.mac.com/steelepro/iWeb/steelecuts.com/fcs%20detective/6FD1D5FD-0C56-4 F06-992C-902D00556549.html
    And if you still have the problem, why not convert it to AIFF via QT?

  • Is Snapshot and Materialised view are the same?

    Can you please help me on this...
    I am using oracle 10G enterprise edition...
    Thanks in advance..

    Re: Is Snapshot and Materialised view are the same
    Yes

  • How do I load balance TFTP between two servers and a client on the same subnet?

    Hi,
    I have trawled through several documents and tried umpteen different configs, all to no avail. I have a PXE boot client trying to access a boot file via TFTP from a couple of TFTP servers on the same VLAN/subnet. For HA purposes I want to load balance the two TFTP servers.
    Config is currently;
    =====
    probe icmp ICMP_PROBE
      description icmp probe for default gateway tracking
      interval 5
      passdetect interval 15
    rserver host server1
      description Server1
      ip address 10.0.0.1
      inservice
    rserver host server2
      description Server 2
      ip address 10.0.0.2
      inservice
    serverfarm host serverfarm_01
      description servers used
      probe ICMP_PROBE
      rserver server1
        inservice
      rserver server2
        inservice
    class-map match-all L4_VIP_TFTP
      10 match virtual-address 10.0.0.10 udp eq 69
    policy-map type loadbalance first-match L7_TFTP
      class class-default
        serverfarm serverfarm_01
    policy-map multi-match L4_LB_VIP_POLICY
      class L4_VIP_TFTP
        loadbalance vip inservice
        loadbalance policy L7_TFTP
        loadbalance vip icmp-reply active
    nat dynamic 1 vlan 200
    interface vlan 200
      ip address 10.0.0.250 255.255.255.0
      nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.255 pat
      service-policy input L4_LB_VIP_POLICY
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.0.254
    =====
    I have read the doco by Ivan Kovacevic amongst many others, but as my clients and servers are on the same subnet, the config doesn't work.
    Can anybody point me in the right direction please? The devices are ACE 4710 running A3(2.3).
    Thanks

    Try using the following configuration:
    Note: Please make sure to configure also a udp probe to probe udp port 69, in case the application is down.
    You need to configure a management policy on the interface when using a UDP probe.
    That is because, when port 69 on the server will be unreachable, the server will send an ICMP unreachable.
    ACE will consider a udp probe as "failed" only when it sees ICMP unreachable.
    Without a management policy-map, the ICMP unreachable message will be dropped.
    Also, add an ICMP probe to the rserver because udp probe will not be enough when the physical interface will be down.
    That is because UDP is a connection-less protocol. To consider a UDP probe successful, ACE needs to see NO answer from the server in response to the probe.
    The ACE will not see any answer from the server when the interface is down and thus will consider the probe as "successful".
    With an ICMP probe attached to the rserver, you also test the reachability of the server and not only the UDP port.
    Here is the configuration (of course, you can change the names of the objects to the names you are using if you want):
    access-list ALL line 10 extended permit ip any any
    probe udp TFTP
      port 69
      interval 5
      passdetect interval 15
    probe icmp ICMP_PROBE
      interval 5
      passdetect interval 15
    rserver host TFTP_1
      ip address 10.0.0.1
      probe TFTP
      probe ICMP_PROBE
      inservice
    rserver host TFTP_2
      ip address 10.0.0.2
      probe TFTP
      probe ICMP_PROBE
      inservice
    serverfarm host TFTP-SFARM
      rserver TFTP_1
        inservice
      rserver TFTP_2
        inservice
    sticky ip-netmask 255.255.255.255 address source TFTP-STICKY
      timeout 10
      replicate sticky
      serverfarm TFTP-SFARM
    class-map type management match-any MANAGE
      2 match protocol icmp any
    class-map match-all NAT
      2 match virtual-address 0.0.0.0 0.0.0.0 udp any
    class-map match-all TFTP
      2 match virtual-address 10.0.0.10 udp eq 69
    policy-map type management first-match MANAGE
      class MANAGE
        permit
    policy-map type loadbalance first-match ROUTE
      class class-default
        forward
    policy-map type loadbalance first-match TFTP-POL
      class class-default
        sticky-serverfarm TFTP-STICKY
    policy-map multi-match TFTP-MULTI
      class TFTP
        loadbalance vip inservice
        loadbalance policy TFTP-POL
        nat dynamic 1 vlan 212
      class NAT
        loadbalance vip inservice
        loadbalance policy ROUTE
        nat dynamic 2 vlan 212
    interface vlan 212
      ip address 10.0.0.250 255.255.255.0
      no normalization
      access-group input ALL
      nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.0 pat
      nat-pool 2 10.0.0.10 10.0.0.10 netmask 255.255.255.0 pat
      service-policy input TFTP-MULTI
      service-policy input MANAGE
      no shutdown
    Let me know how it goes.
    Good luck!
