Policy-based PAT

Hello

I'm going to put in place an ASA5520 and need to configure each subnet I run behind the firewall with a separate public IP address. I think I can do that with policy-based NAT, but now that I have looked at the documentation, maybe not.

Here's what I want to try:

nat (inside) 10 access-list STI-pat

access-list STI-pat extended permit ip a.b.c.d 255.255.255.0 host z.y.x.w

nat (inside) 20 access-list HR-pat

access-list HR-pat extended permit ip a.b.c.e 255.255.255.0 host z.y.x.t

Does it look like it will work? I don't know how I could test it until I put it in place.

Thank you!

Jeff

Jeff,

Yes, this certainly may work, but you need to add corresponding "global (outside) 10 x.x.x.x-x.x.x.x" and "global (outside) 20 x.x.x.x-x.x.x.x" statements for the NAT to actually occur.

HTH, please rate!

Tags: Cisco Security

Similar Questions

  • Cisco router: accessing the outside interface from the local network

    Hi all!

    I have a Cisco 892 router (c890-universalk9-mz.154-3.M4.bin) with a zone-based firewall and policy-based routing.

    Everything works fine, but now I need the ability to reach the router's external interface IP from LAN addresses.

    For example, I PAT 192.168.4.1 port 8443 to the outside interface IP (93.93.93.2 for example) and I need to reach 93.93.93.2:8443 from the LAN.

    ! PAT:

    ip nat inside source static tcp 192.168.4.1 8443 93.93.93.1 8443 route-map SDM_RMAP_1 extendable

    ! Dynamic NAT to the Internet:

    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload

    ! Route map for NAT

    route-map SDM_RMAP_1 permit 10
     match ip address 101
     match interface GigabitEthernet0

    ! ACL 101 for the route map

    access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.192.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.177.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 host 172.16.194.100
    access-list 101 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.31.255.1
    access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.16.194.100
    access-list 101 permit ip 192.168.3.0 0.0.0.255 any
    access-list 101 permit ip 192.168.4.0 0.0.0.255 any

    ! ACL on the external interface:

    ip access-list extended gi0-in
     permit ip any any
     permit icmp any any

    ! External interface

    interface GigabitEthernet0
     description $ETH-WAN$
     ip address 93.93.93.1 255.255.255.240
     ip access-group gi0-in in
     ip nat outside
     ip virtual-reassembly in
     zone-member security WAN
     ip tcp adjust-mss 1452
     duplex auto
     speed auto
     crypto map SDM_CMAP_2

    ! Inside DMZ VLAN interface:

    interface Vlan4
     ip address 192.168.4.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security DMZ
     ip tcp adjust-mss 1452

    ! Allow outbound traffic from DMZ to Internet:

    ip access-list extended DMZ-Allow_All_ACL
     permit esp any any
     permit tcp host 192.168.4.1 host 192.168.111.2 eq 1521
     deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
     deny ip 192.168.4.0 0.0.0.255 172.17.19.0 0.0.0.255
     permit icmp 192.168.4.0 0.0.0.255 any
     permit ip 192.168.4.0 0.0.0.255 any

    ! Allow incoming traffic from the Internet to DMZ:

    ip access-list extended WAN_DMZ_ACL
     permit tcp any any established
     permit tcp any any eq ftp
     permit tcp any any eq 990
     permit tcp any any range 51000 53000
     permit tcp any any eq 995
     permit tcp any any eq 465
     permit tcp any any eq www
     permit tcp any any eq 443
     permit icmp any any
     permit esp any any
     permit udp any any eq non500-isakmp
     permit ip host 212.98.162.139 192.168.4.0 0.0.0.255
     permit ip 81.30.80.0 0.0.0.255 any
     permit ip 192.168.111.0 0.0.0.255 192.168.4.0 0.0.0.255
     permit ip 172.17.19.0 0.0.0.255 192.168.4.0 0.0.0.255
     permit ip host 172.16.194.100 192.168.4.0 0.0.0.255
     permit ip host 172.31.255.1 192.168.4.0 0.0.0.255
     permit ip host 172.31.255.1 host 172.17.193.100
     deny ip any any

    ! Zone-based firewall:

    class-map type inspect match-all DMZ_WAN_CLASS
     match access-group name DMZ-Allow_All_ACL

    class-map type inspect match-all WAN_DMZ_CLASS
     match access-group name WAN_DMZ_ACL

    policy-map type inspect DMZ_WAN_POLICY
     class type inspect DMZ_WAN_CLASS
      inspect
     class class-default
      drop

    policy-map type inspect WAN_DMZ_POLICY
     class type inspect WAN_DMZ_CLASS
      inspect
     class class-default
      drop

    zone security DMZ

    zone security WAN

    zone-pair security WAN_DMZ source WAN destination DMZ
     service-policy type inspect WAN_DMZ_POLICY
    zone-pair security DMZ_WAN source DMZ destination WAN
     service-policy type inspect DMZ_WAN_POLICY

    Maybe someone can help me get Cisco to allow reaching ports on the outside interface from the LAN using NAT?

    I did this on Mikrotik easily =|

    It is due to the fact that they do not allow "hairpinning" by default; once this is configured, it will work.

    Martin

  • Has the Mozilla download site been hacked?

    Our Ironport appliances block downloads of Firefox, with the following text displayed.

    This Page Cannot Be Displayed

    Based on your organization's access policies, this web site ( http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/Firefox%20Setup%2014.0.1.exe ) has been blocked because it was determined by Web reputation filters to be a threat to the security of your computer or the company network. This web site has been associated with malware/spyware.

    Threat Type: othermalware
    Threat Reason: domain reported and verified as serving malware.

    If you have any questions, please contact the UT Dallas Computer Help Desk at 972-883-2911 or ([email protected]) and provide the codes below. If you think that this page has been classified in error, use the button below to report this classification.
    Notification codes: (1, MALWARE, othermalware, domain reported and verified as serving malware, BLOCK-MALWARE, 0x029b41b8, 1342562888.252, AAAD6wAAAAAAAAAAGf8ACP8AAAD/AAAAAAAAAAAAAAE =, http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/Firefox%20Setup%2014.0.1.exe)

    And the bug report is

    Bug 775094 - Cisco's Ironport Web Security Appliance is blocking Firefox downloads
    
  • AMP for Endpoints - File types that are scanned by the FireAMP connector

    Hello

    I have a question about AMP for Endpoints.

    I am referring to the documentation "File Types that are scanned by the FireAMP Connector":

    http://www.Cisco.com/c/en/us/support/docs/Security/Advanced-malware-prot...

    Windows and Mac connectors

    Supported file types looked up against the cloud

    Device Trajectory and File Trajectory display these file types:

    • MSEXE
    • PDF
    • MSCAB
    • MSOLE2
    • ZIP
    • ELF
    • MACHO
    • MACHO_UNIBIN
    • SWF
    • JAVA

    Unsupported file types

    • The Mac connector is able to scan all of these except SWF.
    • The Windows connector currently does not scan ELF, JAVA, XAR (pkg), MACHO or MACHO_UNIBIN.

    The Android connector

    • The Android connector scans APK files.

    May I know from the documentation:

    1. Does this mean that only these file types are supported for scanning by the FireAMP connector?

    2. I refer to the Firepower 6.0 configuration guide, and the following table says AMP for Endpoints supports all file types:

    http://www.Cisco.com/c/en/us/TD/docs/security/firepower/60/configuration...

    Table 2: Network-based vs. endpoint-based Advanced Malware Protection strategies

    Feature                                                | Firepower AMP                                              | AMP for Endpoints
    File type detection and blocking (file control) method | in network traffic, using access control and file policies | not supported
    Malware detection and blocking method                  | in network traffic, using access control and file policies | on individual endpoints, with a connector that communicates with the AMP cloud
    Network traffic inspected                              | traffic passing through a managed device                   | none; connectors installed directly on the endpoints inspect files
    Malware detection robustness                           | limited file types                                         | all file types

    3. I can't find what file types MACHO and MACHO_UNIBIN refer to. Could you please advise what file types are in these categories?

    Thanks again for the help.

    Thank you

    Kind regards

    Kelvin

    Kelvin,

    The file types you listed are those which are supported for display in Device Trajectory and File Trajectory. Other file types are still scanned and checked against the cloud; they simply will not display in Device Trajectory and File Trajectory.

    For more information on MACHO files, please refer to this article.

    Thank you

    Matthew Franks

    Engineer, Customer Support

    FireAMP TAC

  • [SOLVED] Problem with PBR and inter-VLAN routing

    Hello.

    I have a Cisco 3750G with IOS ipservicesk9-mz.150-2.SE4. In my network, I have 4 VLANs with 4 Internet gateways. I have set 4 static routes, one for each gateway, and PBR to match these static routes. If I use "set ip next-hop", all traffic goes through the specific gateway and inter-VLAN routing does not work (I need inter-VLAN routing because clients in different VLANs must communicate), and if I use "set ip default next-hop", I was unable to assign it to a VLAN (route-map lan14 not supported for policy-based routing).

    The SDM template is routing and IP routing is enabled.

    Here is my config for 2 of these VLANS:

    interface Vlan7
     ip address 192.168.7.254 255.255.255.0
     ip access-group 107 in
    !
    interface Vlan14
     ip address 192.168.14.254 255.255.255.0
     ip access-group 114 in
    !
    ip http server
    ip http secure-server
    !
    !
    ip route 0.0.0.0 0.0.0.0 192.168.70.254
    ip route 0.0.0.0 0.0.0.0 192.168.140.254
    !
    access-list 107 permit udp any eq bootpc any eq bootps
    access-list 107 permit ip 192.168.7.0 0.0.0.255 any

    access-list 114 permit udp any eq bootpc any eq bootps
    access-list 114 permit ip 192.168.14.0 0.0.0.255 any

    route-map lan7 permit 10
     match ip address 107
     set ip next-hop 192.168.70.254
    !

    route-map lan14 permit 10
     match ip address 114
     set ip next-hop 192.168.140.254

    !

    Where is my error in config?

    Please help me, I'm stuck here almost three weeks.

    Hello

    You have created two route-maps to set the next hop for a portion of the traffic classified with an ACL.

    If you want any other traffic handled normally, you must create an empty instance of your route-map.

    Example:

    route-map lan7 permit 10

     match ...

    route-map lan7 permit 20 ==> Add this instance and leave it empty. You tell the switch/router that it must match the other traffic but apply nothing to it.

    Hope this is clear.
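    Added example (not from this thread): a complete PBR configuration for the two VLANs in the post that keeps inter-VLAN traffic on the switch's normal routing. The VLAN addresses and gateways are the ones in the post; the ACL names are assumptions. A packet that hits a deny entry in the ACL used by a route-map sequence does not match that sequence, and a packet that matches no sequence is forwarded by the ordinary routing table, so the inter-VLAN traffic never has the next hop applied:

```cisco
! Added example, not part of the original post. 3750G with "sdm prefer routing".
! ACL names PBR-VLAN7 / PBR-VLAN14 are assumptions; addresses are from the post.
!
! A deny in a route-map's match ACL means "this sequence does not match";
! the packet then falls through to normal (inter-VLAN) routing.
ip access-list extended PBR-VLAN7
 deny   ip 192.168.7.0 0.0.0.255 192.168.14.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
ip access-list extended PBR-VLAN14
 deny   ip 192.168.14.0 0.0.0.255 192.168.7.0 0.0.0.255
 permit ip 192.168.14.0 0.0.0.255 any
!
route-map lan7 permit 10
 match ip address PBR-VLAN7
 set ip next-hop 192.168.70.254
!
route-map lan14 permit 10
 match ip address PBR-VLAN14
 set ip next-hop 192.168.140.254
!
interface Vlan7
 ip policy route-map lan7
!
interface Vlan14
 ip policy route-map lan14
!
! Add one deny per additional local VLAN to each ACL (four VLANs in the post
! means three deny lines per ACL). Verification:
! show route-map lan7       -> "Policy routing matches: N packets" per sequence
! show ip policy            -> which route-map is bound to which interface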

  • Network analysis policies and how they really work

    While reading the Sourcefire user documentation I'm starting to get confused about the effective implementation of network analysis policies. I know that you can choose a default network analysis policy through the access control policy in the Advanced section, if none matches. Reading further in the documentation, it seems that packets will "choose" a network analysis policy based on defined rules? Can someone clarify this for me?

    Hello

    You can create a custom NAP (network analysis policy), but it needs to be selected in the Advanced section of the access control policy. If the default policy is selected, the default policy will apply.

    There is an option that allows you to create custom rules for a custom NAP. For example, you want to use the default for all traffic and, for a specific network, a custom NAP. You can do this in the Advanced section of the access control policy.

    Rate if it helps.

    Yogesh

  • Problem with Web provisioning and ASK when switching to TMS Provisioning Extension mode

    Hi, I need help please, because I have no contract and I cannot open a TAC case.

    I have the following two issues:

    1. When I switch to TMS Provisioning Extension mode, SIP calls stop working; I get the following errors for the internal and Internet scenarios on my internal network:

    VCS-E when the call is from the Internet to the internal network

    2013-09-05T11:50:38-04:30

    TVCS: Event="Search Completed" Reason="Authorization not valid - insufficient privilege" Service="H323" Src-alias-type="E164" Src-alias="7449" Dst-alias-type="H323" Dst-alias="anthony_accardi" Call-id="1a069dfa-1647-11e3-86f9-0010f328943a" Tag="1a069f44-1647-11e3-b22f-0010f328943a" Detail="found:false, searchtype:ARQ" Level="1" UTCTime="2013-09-05 16:20:38,670"

    VCS-C when the call is from the internal network to the Internet:

    2013-09-05T11:53:31-04:30

    TVCS: Event="Search Completed" Reason="Prohibited" Service="H323" Src-alias-type="E164" Src-alias="7429" Dst-alias-type="H323" Dst-alias="vianyfel_cordaro" Call-id="812a5198-1647-11e3-ba89-0010f325da04" Tag="812a52e2-1647-11e3-93c9-0010f325da04" Detail="found:false, searchtype:ARQ" Level="1" UTCTime="2013-09-05 16:23:31,687"

    2013-09-05T11:53:31-04:30

    TVCS: Event="Search Attempted" Service="H323" Src-alias-type="E164" Src-alias="7429" Dst-alias-type="H323" Dst-alias="vianyfel_cordaro" Call-id="812a5198-1647-11e3-ba89-0010f325da04" Tag="812a52e2-1647-11e3-93c9-0010f325da04" Detail="searchtype:ARQ" Level="1" UTCTime="2013-09-05 16:23:31,680"

    2013-09-05T11:53:23-04:30

    TVCS: Event="Search Completed" Reason="Prohibited" Service="H323" Src-alias-type="E164" Src-alias="7429" Dst-alias-type="H323" Dst-alias="vianyfel_cordaro" Call-id="7c9181c4-1647-11e3-bda8-0010f325da04" Tag="7c918304-1647-11e3-865b-0010f325da04" Detail="found:false, searchtype:ARQ" Level="1" UTCTime="2013-09-05 16:23:23,974"

    BUT WHEN THE MODE IS TMS AGENT LEGACY, ALL CALLS WORK FINE

    2. When I switch to TMS Provisioning Extension mode, I can provision equipment from the internal network but not from outside, and what worries me more is that with Jabber from the Internet I get the following error:

    2013-09-05T11:07:42-04:30

    TVCS: UTCTime="2013-09-05 15:37:42,263" Module="network.sip" Level="INFO": Src-ip="192.168.0.252" Src-port="25084" Detail="Receive Request Method=OPTIONS, Request-URI=sip:192.168.0.250:7001;transport=tls, Call-ID=[email protected]"

    2013-09-05T11:07:42-04:30

    TVCS: UTCTime="2013-09-05 15:37:42,261" Module="network.sip" Level="DEBUG": Dst-ip="192.168.0.252" Dst-port="25084"
    SIPMSG:
    | SIP/2.0 401 Unauthorized
    Via: SIP/2.0/TLS 192.168.0.252:5061;branch=z9hG4bK4de281330ed1277914e57a4bb98ac81416134;received=192.168.0.252;rport=25084
    Call-ID: [email protected]
    CSeq: 38570 OPTIONS
    From: ;tag=21e96c96b3f9a439
    To: ;tag=ba0e03ca2f6b3957
    Server: TANDBERG/4120 (X7.2.1)
    WWW-Authenticate: Digest realm="TraversalZone", nonce="b40cb8278b4a11da992154324161d566d2b57bac3d83c5c518c4528c790d", opaque="AQAAAN1NC9IHdFS3kNJ3Q6UX2JiBXhut", stale=FALSE, algorithm=MD5, qop="auth"
    Content-Length: 0

    |

    2013-09-05T11:07:42-04:30

    TVCS: UTCTime="2013-09-05 15:37:42,261" Module="network.sip" Level="INFO": Dst-ip="192.168.0.252" Dst-port="25084" Detail="Sending Response Code=401, Method=OPTIONS, To=sip:192.168.0.250:7001, Call-ID=[email protected]"

    2013-09-05T11:07:42-04:30

    TVCS: UTCTime="2013-09-05 15:37:42,261" Module="network.sip" Level="DEBUG": Src-ip="192.168.0.252" Src-port="25084"
    SIPMSG:
    | OPTIONS sip:192.168.0.250:7001;transport=tls SIP/2.0
    Via: SIP/2.0/TLS 192.168.0.252:5061;branch=z9hG4bK4de281330ed1277914e57a4bb98ac81416134;received=192.168.0.252;rport=25084
    Call-ID: [email protected]
    CSeq: 38570 OPTIONS
    From: ;tag=21e96c96b3f9a439
    To:
    Max-Forwards: 0
    User-Agent: TANDBERG/4120 (X7.2.1)
    Supported: com.tandberg.vcs.resourceusage
    Content-Type: text/xml
    Content-Length: 250

    25075024960|

    2013-09-05T11:07:42-04:30

    TVCS: UTCTime="2013-09-05 15:37:42,261" Module="network.sip" Level="INFO": Src-ip="192.168.0.252" Src-port="25084" Detail="Receive Request Method=OPTIONS, Request-URI=sip:192.168.0.250:7001;transport=tls, Call-ID=[email protected]"

    2013-09-05T11:07:36-04:30

    TVCS: UTCTime="2013-09-05 15:37:36,757" Module="network.tcp" Level="DEBUG": Src-ip="10.10.10.1" Src-port="10191" Dst-ip="10.10.10.10" Dst-port="5060" Detail="TCP connection closed"

    2013-09-05T11:07:36-04:30

    TVCS: UTCTime="2013-09-05 15:37:36,641" Module="network.sip" Level="DEBUG": Dst-ip="10.10.10.1" Dst-port="10191"
    SIPMSG:
    | SIP/2.0 404 Not Found
    Via: SIP/2.0/TCP 201.210.111.54:2379;branch=z9hG4bK5fc6a3c5021e3557216ef01c2434fb00.1;received=10.10.10.1;rport=10191;ingress-zone=DefaultZone
    Call-ID: [email protected]
    CSeq: 301 SUBSCRIBE
    From: <[email protected]>;tag=2991aa56d191ede3
    To: <[email protected]>;tag=c4114db76ace49d8
    Server: TANDBERG/4120 (X7.2.1)
    Warning: 399 200.11.230.253:5060 "Policy Response"
    Content-Length: 0

    |

    2013-09-05T11:07:36-04:30

    TVCS: UTCTime="2013-09-05 15:37:36,641" Module="network.sip" Level="INFO": Dst-ip="10.10.10.1" Dst-port="10191" Detail="Sending Response Code=404, Method=SUBSCRIBE, To=sip:[email protected], Call-ID=[email protected]"

    2013-09-05T11:07:36-04:30

    TVCS: UTCTime="2013-09-05 15:37:36,638" Module="network.sip" Level="DEBUG": Src-ip="10.10.10.1" Src-port="10191"
    SIPMSG:
    | SUBSCRIBE sip:[email protected] SIP/2.0
    Via: SIP/2.0/TCP 201.210.111.54:2379;branch=z9hG4bK5fc6a3c5021e3557216ef01c2434fb00.1;received=10.10.10.1;rport=10191
    Call-ID: [email protected]
    CSeq: 301 SUBSCRIBE
    Contact: <[email protected]:2379;transport=tcp>
    From: <[email protected]>;tag=2991aa56d191ede3
    To: <[email protected]>
    Max-Forwards: 70
    Route:
    User-Agent: TANDBERG/774 (4.6.3.17194 PCS) - Windows
    Expires: 300
    Event: ua-profile;model=movi;vendor=tandberg.com;profile-type=user;version=4.6.3.17194;clientid="S-1-5-21-1078081533-484061587-725345543";connectivity=1
    Accept: application/pidf+xml
    Content-Length: 0

    The setup I have is:

    Configuration on VCS Expressway:

    TMS Agent Legacy mode

    Search rules (rule name | protocol | source | authentication required | mode | pattern type | pattern string | pattern behavior | on successful match | target zone):

    Local zone - no domain     | Any | Any      | No | Alias pattern match | Regex | (.+)@domain.com.*           | Replace | Continue | LocalZone
    Local zone - full URI      | Any | Any      | No | Alias pattern match | Regex | (.+)@domain.com.*           | Leave   | Continue | LocalZone
    Traversal zone search rule | Any | Any      | No | Any alias           | -     | -                           | -       | Continue | TraversalZone
    DNS zone search rule       | Any | AllZones | No | Alias pattern match | Regex | (?!.*@%localdomains%.*$).*  | Leave   | Continue | DNSZone

    Transform (name | pattern string | pattern type | behavior | replace string):

    Transform destination alias to URI | ([^@]*) | Regex | Replace | [email protected]

    Presence PUA - on

    Presence server - off

    VCS Control:

    TMS Provisioning Extension mode

    Search rules (rule name | protocol | source | authentication required | mode | pattern type | pattern string | pattern behavior | on successful match | target zone):

    Local zone - no domain          | Any | Any | No | Alias pattern match | Regex | (.+)@domain.com.* | Replace | Continue | LocalZone
    Local zone - full URI           | Any | Any | No | Alias pattern match | Regex | (.+)@domain.com.* | Leave   | Continue | LocalZone
    Traversal zone search rule      | Any | Any | No | Any alias           | -     | -                 | -       | Continue | TraversalZone
    External IP address search rule | Any | Any | No | Any IP address      | -     | -                 | -       | Continue | TraversalZone

    Transform (name | pattern string | pattern type | behavior | replace string):

    Transform destination alias to URI | ([^@]*) | Regex | Replace | [email protected]

    PUA - on

    Presence server - on

    I do not have any call policy.

    Please help me to see what I'm missing or what's wrong?

    Thanks

    Hello

    OK. Are you saying that the VCSe uses the IP address 10.10.10.10 on its external interface, right? And what is the 200.x.x.x IP address? It's your VCSe NAT IP address, right? Is this configured on the VCSe?

    Well, really you have a NAT problem. Look at the SUBSCRIBE message from Jabber to the VCSe:

    SIPMSG:

    | SUBSCRIBE sip:[email protected] SIP/2.0

    Via: SIP/2.0/TCP 201.210.116.201:3612;branch=z9hG4bK138dca6bf6cdd458588900dbaf7b45f4.1;received=10.10.10.1;rport=9368

    Call-ID: [email protected]

    CSeq: 301 SUBSCRIBE

    Contact:

    From: <[email protected]>;tag=1e82c817dc3224d5

    To: <[email protected]>

    Max-Forwards: 70

    Route:

    User-Agent: TANDBERG/774 (4.6.3.17194 PCS) - Windows

    Expires: 300

    Event: ua-profile;model=movi;vendor=tandberg.com;profile-type=user;version=4.6.3.17194;clientid="S-1-5-21-1078081533-484061587-725345543";connectivity=1

    Accept: application/pidf+xml

    Content-Length: 0

    Do you see? If the IP address 192.168.41.205 in red is the IP address of your router/NAT, then you can conclude that your router is doing inspection/ALG: it puts its own IP address in the SIP headers. Your router/firewall device should not use any ALG/inspection function, otherwise you will have problems.

    I can say with great confidence that the VCSe rejects the SUBSCRIBE message with a "404 Not Found" response because the VCSe does not recognize this IP address, 192.168.41.205, in the Route field.

    In addition, your NAT configuration is not recommended. First, you use port-based NAT (PAT); in fact, you must use static NAT. Second, when your firewall NATs to the VCSe, the source address is 10.10.10.1, which means that your firewall is NATing the source address and not only the destination address. This type of NAT is not recommended for H.323/SIP applications.

    Well, don't be angry with me, I am trying to help, but I need to say that your VCSe deployment is almost completely wrong; there are a lot of blind spots.

    I suggest reviewing and reconfiguring your deployment following this guide:

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.PDF

    I hope this helps.

    Regards

    Paulo Souza

    Was my answer helpful? Please rate useful answers and don't forget to mark resolved questions as "answered."

  • ASA 5512: different route per VPN group (VRF-like feature?)

    Hello

    Here's what I'm trying to do.  I have a Nexus 7000 with several VRFs; for simplicity let's call them VRF A, VRF B and VRF C. VRF A simulates a management network and VRF B and C are customer environments.  VRF B and VRF C will have overlapping IP space.  I have an ASA 5512 I use for VPN in the environment; it also provides Internet access for applications that run in VRF A (VRF B and C do not require Internet access).  What I want to do is to implement three different VPN access groups on the same ASA, where some users will have VPN group policy 1 and have access to VRF A, but should not have access to VRF B or C; likewise VPN 2 should have access to VRF B and VPN 3 to VRF C.

    My original intent was to configure the ASA with Gig 0/0 to the Internet, Gig 0/1 to VRF A and then Gig 0/2 sub-interfaced so that 0/2.10 is 10.10.10.1 in VLAN 101 that connects to VRF B, and Gig 0/2.11 would be 10.10.10.1 in VLAN 102 that connects to VRF C.  However, as best I can tell the ASA 5512 is not VRF aware (or is it just a separate license I would need?) and as such this is not possible.

    Next, a similar thought, but instead configure 0/2.10 as 10.10.10.1 in VLAN 101 that connects to VRF B, and Gig 0/2.11 as 10.10.11.1 in VLAN 102 that connects to VRF C. However, I run into issues here, as VPN 2 and 3 need access to devices with the same IP address, and as best I can tell the ASA is not able to do policy-based routing.

    Is there another way to do this? Is there something that I am missing?
    I need to make sure that VPN 2 users can access services available in VRF B; they should not have the ability to access (intentionally or not) services on VRF A or C, nor the users of VPN 1 or 3.

    I also have an ASA 5585 with a multi-context license, so I could create a context per VRF (which I have) and then put interfaces in each context related to the correct VRF.  However, I do not think that I can terminate VPN there; as best I can tell, in multi-context mode you cannot have VPN licenses.

    Your research led you to conclude correctly that the ASA neither supports VRF nor can it do policy-based routing. Also, you cannot terminate remote access VPN on a multi-context ASA.

    Doing what you ask on a single ASA is a bit problematic. If you had unique internal addresses, the subinterfaces would work fine.

    Because it sounds like you have a virtualization infrastructure, have you considered using the low-cost ASAv? You could run multiple instances, one per VRF. Each knows only the public address space and its respective associated VRF.

  • ASA DMVPN to Azure cloud

    Hello

    It looks like one of our customers is buying ISRs to connect to the Microsoft Azure cloud via DMVPN, because the Cisco ASA does not (yet) support it.

    Will the ASA support this in a nearby future release?

    Finally, does anyone have any suggestions? (Apart from not using Azure ;-)

    Based on the comments of Cisco representatives in the DMVPN/FlexVPN sessions at Cisco Live!, there are no plans to support DMVPN/FlexVPN on the ASA. This may have changed since then, but I doubt it.

    VPN infrastructure is evolving, slowly but surely, from the simple policy-based IPsec VPN that the ASA supports to the more modern and more flexible route-based VPNs such as DMVPN and FlexVPN. The key word here is "route", which puts the technology firmly within the scope of routers rather than security appliances.

    The ASA units are very good at what they do, but modern VPN infrastructures are a bit beyond their reach.

  • Cisco IDS vs. Websense

    I have a PIX firewall running and I'm trying to install a Cisco IDS hardware appliance.

    I want to know if Cisco IDS and/or the PIX can give me as much control over Internet access as Websense.

    I know that Websense has 29 basic content categories that can be used to block outgoing traffic, and that the PIX and IDS are basically about limiting incoming traffic and classifying actions as attacks, respectively.

    I have to justify whether or not we need Websense along with Cisco IDS, and would appreciate your comments.

    You're talking about two different animals here. Websense looks at the URL used by the user to access the sites. Based on the policies defined in Websense, the URL is allowed or denied. The PIX sends the URL to the Websense server before allowing the connection to the server. The IDS decodes packets and does not care what the URL is. You will need both systems for better protection.

    I don't recommend Websense. I carried out an audit of a Websense server and it blocks all URLs, and I saw problems with the reporting function. A better product is Vericept.

  • Multiple NAT outside ranges?

    Hi -

    I hope someone can advise me on whether this scenario is possible.

    Here's my situation. I just installed a second WAN link and an additional border router to dual-home to ISPs using BGP. To facilitate management, we will use one of the two /24s we control now; however, the one that we will use later, the new block, comes from the second ISP, which of course means going through an IP address change.

    I am trying to avoid a plan where I have to change all the public IP addresses over a weekend, due to the number of different VPNs and other IP-specific connections that other organizations have with us, so I was trying to plan a gradual transition.

    I have a single PIX 515 (6.3) for outbound traffic, and adding another is not possible for about 6 months (the lease is expected to come up around the time we will move to the ASA). Eventually the addresses outside the firewall will be a single /24 network, but in the meantime, I would use both ranges (using NAT) on the firewall.

    By design, the gateway for the firewall is currently the gig port on the original router. This router is using static routes for outbound and inbound traffic to our ASN, but the newly installed router is using BGP. Before I turn on BGP on the original router, I have set up a connection between the two and I want to implement policy-based routing to send all traffic from the new /24 range to a next hop of the new router running BGP.

    I tried yesterday, and I had no connectivity, not even ping to the edge router, using this new set of IP addresses. Is it possible to implement these two ranges of IPs for NAT on the firewall and have the two ranges use the same gateway IP address?

    I know it's probably confusing, so if you need clarification in any area, let me know.

    Thanks for your help.

    I don't see why it would not work as long as you have control of the config of the PIX's outside next-hop router. Set up the first subnet as usual, then point your second subnet at the IP of the PIX. Implement the NATs on the PIX as you wish. On the gateway router you need to set up policy routing (a route-map) so that it uses an ACL to look at the source IP address coming from the PIX: one range routes to one ISP, the second range to the other ISP.

  • How does VPN work behind PAT

    Hello

    Everywhere it is said, "If PAT is applied when a client tries to establish a VPN connection to a remote site, you must enable IPsec over UDP, TCP, or NAT-T." The thing is that I use a DSL modem at home, and even when I disable transparent tunnelling on my Cisco VPN Client software, the VPN connection works fine. How can this be possible? Don't we know that IPsec packets cannot be PATed?

    Most devices have problems PAT'ing IPsec packets, simply because there is no TCP or UDP port number on which to base the PAT. It is not that the packets cannot be PATed; it's just that most devices are not smart enough to do it, and therefore you should encapsulate your IPsec in UDP or TCP packets.

    I would just say your ADSL modem is smart enough to understand that you are using IPsec and it will PAT based on a different value in the packet. You may have issues with two clients behind this device, as the PAT implementation will quite often only be able to handle one.

    Cisco routers have been able to do that since 12.2(15)T code, so it is not rare that it works.
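    As an added example that is not part of the thread, the head-end side of the same question: the settings on an ASA VPN concentrator that let a client behind PAT connect whether or not the home modem can track ESP by SPI, by giving the IPsec traffic a real UDP or TCP port. The syntax is ASA 7.x/8.2; the group-policy name REMOTE-USERS is an assumption.

```cisco
! Added example, not from the thread. ASA 7.x/8.2 syntax; REMOTE-USERS is an
! assumed group-policy name.
!
! NAT-T (RFC 3947/3948): IKE detects the NAT in the path and moves to UDP 4500;
! ESP is then carried inside UDP 4500, so the PAT device sees ordinary UDP
! with ports and needs no IPsec passthrough logic. 20 = keepalive seconds.
crypto isakmp nat-traversal 20
!
! Cisco-proprietary IPsec over UDP (port 10000) as the alternative the legacy
! VPN Client offers under "transparent tunneling".
group-policy REMOTE-USERS attributes
 ipsec-udp enable
 ipsec-udp-port 10000
!
! IPsec over TCP for paths where UDP is filtered entirely.
crypto isakmp ipsec-over-tcp port 10000
!
! Verify after a client connects: show crypto isakmp sa / show crypto ipsec sa
! list the peer and the active SA; with NAT-T in use the peer is reached on
! UDP 4500 instead of 500.
```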

  • PAT for two web servers

    Hi all.

    I want to migrate from MS ISA Server to Cisco ASA, but I have a problem with PAT.

    The MS ISA Server has static PAT configured for two web servers published under the same internet address 1.1.1.1: example.web1.com to inside address 192.168.1.10 and example.web2.com to inside address 192.168.1.11.

    When a user on the internet tries to open the web page example.web1.com, the MS ISA Server creates a translation to the internal address 192.168.1.10.

    When a user on the internet tries to open the web page example.web2.com, the MS ISA Server creates a translation to the internal address 192.168.1.11.

    The Cisco example uses a single address:

    static (inside,outside) tcp 1.1.1.1 www 192.168.1.10 www netmask 255.255.255.255

    but I have two web servers using the same port 80 and the same outside address 1.1.1.1.

    Can the ASA create a translation based on the URL? For example:

    static (inside,outside) tcp example.web1.com www 192.168.1.10 www netmask 255.255.255.255

    static (inside,outside) tcp example.web2.com www 192.168.1.11 www netmask 255.255.255.255

    Hello

    To my knowledge, this type of NAT is not possible on the ASA.

    The ASA has nothing to differentiate the 2 translations from each other other than the order of the NAT configurations. But I think that on your software level it wouldn't even accept the second NAT configuration, as it overlaps with the first. On the most recent software it would accept the second configuration, but the traffic would still only hit one of the NAT configurations.

    There must be something on the MS ISA that, in addition to the overlapping NAT, knows to choose the static PAT based on the requested web page?

    -Jouni
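The difference Jouni describes, as an added example that is not part of the original thread and not Cisco or Microsoft code: an L4 static PAT is keyed only on the mapped IP and port, so a second entry for 1.1.1.1:80 can only overlap the first, while choosing a backend per published name requires reading the HTTP Host header out of the TCP payload, which is what an ISA publishing rule or any reverse proxy does. The addresses and hostnames are the ones from the thread; the request bytes are constructed for the example.

```python
"""L4 static PAT (one key per mapped IP:port) vs L7 Host-header dispatch."""
from typing import Optional, Tuple

# Static PAT table as the ASA keeps it: (mapped_ip, mapped_port) -> (real_ip, real_port).
# A second entry for the same key would overlap the first; a dict makes that explicit.
STATIC_PAT = {
    ("1.1.1.1", 80): ("192.168.1.10", 80),
}

# L7 publishing table keyed on the Host header, as an ISA rule or reverse proxy keeps it.
HOST_MAP = {
    "example.web1.com": ("192.168.1.10", 80),
    "example.web2.com": ("192.168.1.11", 80),
}


def l4_translate(dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Static PAT lookup: only the destination IP and port are visible at L4."""
    return STATIC_PAT.get((dst_ip, dst_port))


def parse_host(request: bytes) -> Optional[str]:
    """Return the Host header value (case-insensitive name, port stripped, lowercased)
    from an HTTP/1.1 request head, or None if the request carries no Host header."""
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            return host.split(":")[0].lower()
    return None


def l7_dispatch(request: bytes) -> Optional[Tuple[str, int]]:
    """Host-header dispatch: reads into the TCP payload, which a static PAT never does."""
    host = parse_host(request)
    if host is None:
        return None
    return HOST_MAP.get(host)


def try_second_static(mapped: Tuple[str, int], real: Tuple[str, int]) -> bool:
    """Model adding a second static for the same mapped IP:port (the thread's
    'static ... 1.1.1.1 www 192.168.1.11 www'): rejected as overlapping when the
    key is already taken, so the table is left unchanged and False is returned."""
    if mapped in STATIC_PAT:
        return False
    STATIC_PAT[mapped] = real
    return True


# Constructed sample requests for the two published names.
REQ_WEB1 = b"GET / HTTP/1.1\r\nHost: example.web1.com\r\n\r\n"
REQ_WEB2 = b"GET / HTTP/1.1\r\nhost: EXAMPLE.web2.com:80\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_WEB1, REQ_WEB2):
        # Both requests arrive on 1.1.1.1:80, so the L4 answer is the same for both.
        print("L4 static PAT:", l4_translate("1.1.1.1", 80), " L7 dispatch:", l7_dispatch(req))
    print("second overlapping static accepted?",
          try_second_static(("1.1.1.1", 80), ("192.168.1.11", 80)))
```

The practical consequence is the one Jouni gives: keep the static PAT to one inside host and put the per-hostname choice on something that terminates or proxies HTTP behind it, or give the second server its own public address.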

  • Policy PAT configuration problems

    We run an ASA5520, and must configure separate global outside PAT addresses based on different source subnets. Attached is a sample of the current NAT configuration on the ASA, which does not work as expected. We need 10.0.0.0/8 to PAT to 1.1.1.1 and 10.1.19.0/24 to PAT to 1.1.1.2.

    Try this url

    http://Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml
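The mechanism behind both this thread and the policy-routing answer earlier on the page (ACL-selected entries walked in configured order, first match wins), as an added example that is not part of either thread and not Cisco code. It shows why a broad entry such as 10.0.0.0/8 listed before 10.1.19.0/24 leaves the /24 rule dead, and includes a lint that finds such shadowed entries. The addresses are the ones from this thread; the PBR ranges and next-hop names are placeholders, and the assumption that policy entries are evaluated in configured order is the one the example rests on and should be confirmed against the documentation for your ASA or IOS release.

```python
"""First-match source classification, as used by ASA policy NAT (nat/global with
access-list) and IOS route-map PBR (match ip address / set ip next-hop)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    """One policy entry: the source prefix its ACL permits and the action taken
    (a global PAT address for policy NAT, or a next hop for PBR)."""
    name: str
    source: IPv4Network
    action: str


def first_match(src: str, entries: List[Entry]) -> Optional[str]:
    """Walk entries in configured order (assumed evaluation order) and return the
    action of the first one whose ACL permits src, or None if nothing matches."""
    ip = IPv4Address(src)
    for e in entries:
        if ip in e.source:
            return e.action
    return None  # falls through to the platform's default (regular NAT / routing table)


def shadowed(entries: List[Entry]) -> List[str]:
    """Lint: names of entries that can never match because an earlier entry already
    covers their whole source prefix (equal prefixes count as covered)."""
    out = []
    for i, later in enumerate(entries):
        if any(later.source.subnet_of(earlier.source) for earlier in entries[:i]):
            out.append(later.name)
    return out


def order_specific_first(entries: List[Entry]) -> List[Entry]:
    """Stable reorder, longest prefix first: removes shadowing between nested
    prefixes without changing which address or next hop each entry maps to."""
    return sorted(entries, key=lambda e: -e.source.prefixlen)


# Policy PAT as described in the thread: 10.0.0.0/8 -> 1.1.1.1, 10.1.19.0/24 -> 1.1.1.2,
# listed broad-first, which is the ordering that makes the /24 entry unreachable.
AS_CONFIGURED = [
    Entry("nat (inside) 10 / global (outside) 10", IPv4Network("10.0.0.0/8"), "1.1.1.1"),
    Entry("nat (inside) 20 / global (outside) 20", IPv4Network("10.1.19.0/24"), "1.1.1.2"),
]
FIXED = order_specific_first(AS_CONFIGURED)

# The same classifier for the PBR answer: choose an ISP next hop by source range.
# Ranges and next-hop labels are placeholders constructed for the example.
PBR = [
    Entry("route-map ISP permit 10", IPv4Network("203.0.113.0/24"), "next-hop ISP-A"),
    Entry("route-map ISP permit 20", IPv4Network("198.51.100.0/24"), "next-hop ISP-B"),
]

if __name__ == "__main__":
    print("as configured :", first_match("10.1.19.5", AS_CONFIGURED),
          "shadowed:", shadowed(AS_CONFIGURED))
    print("specific first:", first_match("10.1.19.5", FIXED),
          "shadowed:", shadowed(FIXED))
    print("pbr           :", first_match("198.51.100.7", PBR))
```

On the box itself, confirm which entry a flow actually hit with `show xlate` (ASA) rather than trusting the order you remember configuring.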

  • ACS server 4.2 design question - is role-based a limitation?

    Currently I've implemented the ACS server like this.

    An ACS group maps to an Active Directory group in AD. For example, the ACS group router_access maps to the AD group called $f (gbr) raccess. If a user tries to connect to a router and has this group in their AD profile, they will be accepted, and if not, rejected.

    If, for example, I want to revoke or allow access to some devices, I use NARs (for example, accept connections from switch and router devices).

    This works - but apparently this isn't the way I should be doing things.

    The best way is to have an AD group per device group.

    E.g. for access to routers, you must have the group $g (t) routers in your AD profile.

    To get access to switches, the group $g (t) switches must be in your AD profile.

    Now we hit the problem - the ACS will use the first group in your AD profile to apply pass/fail.

    Let's say John has the $g (t) routers and $g (t) switches groups in his AD profile. When he tries to connect to a switch, the ACS attempts to use $g (t) routers because it's the first ACS AD group in his profile. Subsequently it fails, which means that ACS will not look through several AD policies.

    I hope this makes sense.

    Anyway, I can't get it to work because it keeps failing!

    Hi Will,

    This is a limitation of how ACS 4.x performs operations. It defines everything based on your local user group on ACS as opposed to your AD groups - so the group mapping comes first and then everything else comes later.

    If you use RADIUS (this does not apply to TACACS+) you may be able to use the Network Access Profile feature to override some access. If, for example, you can tell that the user is in the local group but the authentication comes from a certain type of device, you can send down different attributes. However, in terms of blocking, it is always based on the local group you are a member of. It can do some additional checking of LDAP groups, but I don't know if that will solve your problem.

    ACS 5.x takes this to a new level - the entire platform is built around network access profiles - so you can make rules as granular as you want, i.e.: if you are in a specific AD group (no need to map - we can pull external groups) and it is a router, then send down a permission set with a Pass. If it is a different AD group (or a different device type), then send a failure.

    Thank you

    Nate
