Configure NAT for object-group 8.3

I'm working on a project to simplify our routing by NAT'ing the IP addresses of our clients' S2S VPNs.  Currently, we have a bunch of routes pointing to different destinations that are created by the S2S VPNs.  I would like to NAT all these destinations into a single IP subnet, but I have a question about the configuration.

As you can see, we are not currently NAT'ing anything:

***************************************************************************************************************************************************************

nat (inside,outside) source static OUR_HOSTS OUR_HOSTS destination static THEIR_HOSTS THEIR_HOSTS no-proxy-arp route-lookup

object-group network OUR_HOSTS
 network-object object VIP1
 network-object object VIP2

object network VIP1
 host 10.200.125.32

object network VIP2
 host 10.200.120.32

object-group network THEIR_HOSTS
 network-object host 192.168.15.100
 network-object host 192.168.15.130
 network-object host 192.168.15.15

********************************************************************************************************************************************************************

What I would like to do is NAT THEIR_HOSTS to a 10.200.192.x/24 address.  Can I NAT those to one address and overload the NAT, or must it be an address for each of these 3 hosts?  I'm fine with either.  Whichever would be easier to do, please point me in the right direction.

Thank you!

Hello

Everything else seems fine, but the 'object-group' entries after 'destination static' are the wrong way around.

First must be the 'object-group' that contains the NAT IP addresses, and second the 'object-group' holding the real IP addresses of the destination hosts.

-Jouni

Tags: Cisco Security

Similar Questions

  • Export the configuration information for each group

    How to export the configuration information for each group? (I want to see the information that this group has read or write access to the cube XXXXX)

    Using LCM, I was able to export information on groups and users, but no information about their provisioning. Can anybody tell me how I can get the Shared Services configuration information?

    Do we have a utility to do this, or can we get this information using LCM?

    Any information about it will be useful

    Thank you

    The provisioning is under Application Groups > Foundation > Shared Services > Native Directory > Assigned Roles > then choose the product / app

    There is a command-line utility available if you want to automate the export process (see the Oracle Hyperion Enterprise Performance Management System Lifecycle Management Guide); you need to create the migration definition file, but that can be done by running an export.

    See you soon

    John

    http://John-Goodwin.blogspot.com/

  • How to configure NAT for Hyper-V on laptop with wifi, wired and vpn connectivity

    Like a lot of people, I suspect, I have a laptop with a WiFi connection, a wired connection and a VPN connection (Cisco AnyConnect), which also uses a virtual adapter (enabled when active). I have been searching for some time for a way to be able to move to Hyper-V from VirtualBox. The complete blocker for me is the need for a lot of my virtual machines to be able to connect to the Internet through 'the active connection' in the way that VirtualBox and VMware Workstation/Player do through their NAT feature.

    I'm not a networking expert, but after looking around, I can't seem to find something that is simple enough for me to configure, with a minimum of resources, which allows me to connect a Hyper-V virtual network via a simple NAT device to all three potential network connections - most seem to assume only one connection out of the machine, which of course does not give me what I want.

    Three questions:

    1. Is there a Windows application available that provides an internal adapter (like loopback) which acts as a real NAT device to one of the external interfaces, going out via the active network connections and through the Windows Firewall and any other antivirus components etc. on the way (i.e. behaves like a "normal app" inside Windows for internet access)? This would be the best option, because it would be "always there" when I run virtual machines.

    2. Showing my lack of knowledge around this feature, doesn't RRAS (and I know that this is not a "minimum touch" option) allow you to connect an internal network adapter to several external network adapters?

    3. Among the various Linux/OpenBSD-based NAT routers, are there any that allow several external adapters and that are relatively easy to set up (by a non-expert in networking)?

    Really, we could do with this feature for Hyper-V on the desktop, but I am willing to work around it, if there is a way to at least use virtual machines, once it is easy to install.

    Hello

    The question is more suited in the TechNet forums. So I would say you mention the link and send the request in this forum for better support.

    http://social.technet.Microsoft.com/forums/en-us/w8itpronetworking/threads

    For any information related to Windows, feel free to get back to us. We will be happy to help you.

  • Configuration settings for a group

    Hi people,

    I have hundreds of targets in my company, and we would like to divide some metrics between development/test/production environments. If we do it target by target it will take a lot of time.
    My question is: is it possible to create a group, add members and then add settings to this group? If not, any suggestion?

    See you soon,
    Jonny

    Yes, you can use templates to apply to groups.
    Example: create a Prod db group, a Test db group and a Dev db group. Create a Prod db template based on a database with metrics set the way you want them to be. You can change the template if you want to. Now you can roll out the Prod db template to one or more (Prod) db targets or to the Prod db group.
    The same goes for the Test and Dev dbs.
    The template may contain metrics (including UDMs), thresholds, corrective actions and policies.
    In fact, you can use templates for any target, not just for the db.

    Eric

  • ASA 8.4 cleaning using Network Configuration and Service objects

    Hello

    As most of you know, firewall configurations can grow to be large and complex, making them difficult to understand and difficult to change.

    I have a firewall configuration running 8.4 that I want to clean up using network and service objects and object groups. This ASA (8.4) has over 30 web server VMs deployed behind it, each with the same basic configuration: a one-to-one outside-to-inside IP address and port mapping (x.x.x.x:ftp to y.y.y.y:ftp, etc.) using the following well-known ports: FTP, 80, 443, 3389.

    Examples of my existing configuration:

    object network Y.Y.Y.Y_FTP
     host y.y.y.66
     nat (inside,outside) static X.X.X.66 service tcp ftp ftp

    object network Y.Y.Y.Y_WWW
     host y.y.y.66
     nat (inside,outside) static X.X.X.66 service tcp http http

    object network Y.Y.Y.Y_HTTPS
     host y.y.y.66
     nat (inside,outside) static X.X.X.66 service tcp 443 443

    object network Y.Y.Y.Y_RDP
     host y.y.y.66
     nat (inside,outside) static X.X.X.66 service tcp 3389 3389

    access-list outside_in extended permit tcp any host y.y.y.66 eq ftp
    access-list outside_in extended permit tcp any host y.y.y.66 eq www
    access-list outside_in extended permit tcp any host y.y.y.66 eq 3389
    access-list outside_in extended permit tcp any host y.y.y.66 eq 443

    The entries above for each port have to be made whenever a new virtual machine is deployed behind the firewall.

    Here are my draft ACE and object-group service entries to clean up the configuration.

    object-group service WWW_FTP
     description access FTP HTTP
     service-object tcp destination eq ftp
     service-object tcp destination eq ftp-data
     service-object tcp destination eq www

    object-group service WWW_FTP_RDP
     description access FTP RPD WWW
     service-object tcp destination eq ftp
     service-object tcp destination eq ftp-data
     service-object tcp destination eq www
     service-object tcp destination eq 3389

    object-group service WWW_FTP_RDP_SSH
     description access WWW RDP SSH FTP
     service-object tcp destination eq ftp
     service-object tcp destination eq ftp-data
     service-object tcp destination eq www
     service-object tcp destination eq 443
     service-object tcp destination eq 3389

    object-group service RDP_SSH
     description access SSH RDP
     service-object tcp destination eq 443
     service-object tcp destination eq 3389

    object-group service RDP_SSH_FTP
     description access SSH FTP RDP
     service-object tcp destination eq 443
     service-object tcp destination eq 3389
     service-object tcp destination eq ftp
     service-object tcp destination eq ftp-data

    object-group service RDP_FTP
     description access FTP RDP
     service-object tcp destination eq 3389
     service-object tcp destination eq ftp
     service-object tcp destination eq ftp-data

    access-list outside_in extended permit object-group WWW_FTP_RDP any host Y.Y.Y.Y
    access-list outside_in extended permit object-group WWW_FTP_RDP_SSH any host Y.Y.Y.Y
    access-list outside_in extended permit object-group WWW_FTP any host Y.Y.Y.Y
    access-list outside_in extended permit object-group RDP_FTP any host Y.Y.Y.Y
    access-list outside_in extended permit object-group RDP_SSH_FTP any host Y.Y.Y.Y
    access-list outside_in extended permit object-group RDP_SSH any host Y.Y.Y.Y

    The challenge lies in consolidating the network object entries that follow into something more condensed, like the object-group service entries.

    object network Y.Y.Y.Y_FTP
     host y.y.y.66
     nat (inside,outside) static X.X.X.66 service tcp ftp ftp

    object network Y.Y.Y.Y_WWW
     host y.y.y.66
     nat (inside,outside) static X.X.X.66 service tcp http http

    object network Y.Y.Y.Y_HTTPS
     host y.y.y.66
     nat (inside,outside) static X.X.X.66 service tcp 443 443

    object network Y.Y.Y.Y_RDP
     host y.y.y.66
     nat (inside,outside) static X.X.X.66 service tcp 3389 3389

    Any help is greatly appreciated!

    Hello

    I'm afraid that the only part of the configuration you can really change and make more condensed is the ACL configuration, using different 'object-group' configurations.

    Of course, you can also create an "object-group" for all servers that need the same ports open to further reduce the number of actual configuration lines in the CLI.

    However, regarding NAT configurations there is unfortunately no way to reduce the amount of required configuration if you use Static PAT (Port Forward) for servers. There is no way yet to group ports for "nat" configurations.

    My question is, do you have fewer public IP addresses at your disposal compared with the number of different servers in your network behind the ASA?

    If you have a public IP address dedicated to each server in the network, then I suggest using static NAT instead of static PAT. It's about the only way that the NAT configuration could be minimized.

    -Jouni

  • Cannot save settings: unable to create a configuration file for the required configuration object

    When I try to open the application in the administrator account it says: could not save the settings: unable to create a configuration file for the required configuration object

    Thanks for the reply. I think that a virus changed I scan my computer and discovered C:\users\jason\AppData\local\temp\low\temporary internet files\content. IE5\TLIFXGRH\ why is Task Manager disabled people

  • Policy NAT for VPN L2L

    Summary:

    We are trying to establish a two-way L2L VPN tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner needs many-to-one to us (they need to access a host on our network). In addition, our partner has many VPNs, so they force us to use separate NAT with two private host addresses, one for each direction of the tunnel.

    With my initial configuration, the tunnel came up on my side for Phase 1, but not IPSec. The partner ran a debug that revealed that my host was not being NAT'd to the address in the NAT policy. We use an ASA5520, ver 7.0.

    Here is the config:

    ## List of OUR hosts
    object-group network OURHosts
     network-object host 192.168.x.y

    ## List of PARTNER hosts
    object-group network PARTNERHosts
     network-object host 10.2.a.b

    ### ACL for NAT
    # Many-to-many outgoing
    access-list NAT2 extended permit ip object-group OURHosts object-group PARTNERHosts
    # One-to-many incoming
    access-list VIH3 extended permit ip host 192.168.c.d object-group PARTNERHosts

    ## NAT
    nat (INSIDE) 2 access-list NAT2
    nat (OUTSIDE) 2 172.20.n.0
    nat (INSIDE) 3 access-list VIH3
    nat (OUTSIDE) 3 172.20.n.1

    ## ACL for VPN
    access-list VPN extended permit ip object-group OURHosts object-group PARTNERHosts
    access-list VPN extended permit ip host 192.168.c.d object-group PARTNERHosts

    ## Tunnel
    tunnel-group type ipsec-l2l
    crypto map <#> match address VPN
    crypto map <#> set transform-set VPN
    crypto map <#> set peer

    I realize that the ACL for the VPN should read:

    access-list VPN extended permit ip host 172.20.n.0 object-group PARTNERHosts
    access-list VPN extended permit ip host 172.20.n.1 object-group PARTNERHosts

    ...if the NAT was working properly, but when this ACL is used, Phase 1 does not even negotiate, so I know the address is never translated.

    What am I missing to NAT our hosts to the 172.20 host addresses when trying to access their internal addresses via the VPN?

    Thanks in advance.

    Patrick

    Here is the order of operations for NAT on the firewall:

    1. nat 0 access-list (nat exempt)
    2. Match existing xlates
    3. Match static commands
       a. static NAT with no access list
       b. static PAT with no access list
    4. Match nat commands
       a. nat [id] access-list (first match)
       b. nat [id] [address] [mask] (best match)
          i. If the ID is 0, create an identity xlate
          ii. Use global pool for dynamic NAT
          iii. Use global pool for dynamic PAT

    So you can try:

    (1) a static NAT with an access list, which will take priority over the dynamic nat statement

    (2) as you can see in 4a, nat with an access list uses first match, so theoretically swapping them around should do the trick.

    Do I see any negative consequences? Well, yes, you could lose all connectivity. I don't think that will happen, but I can't promise, so you should absolutely do this after hours.

    Jon

  • Rule of NAT for vpn access... ?

    Hey, I'm setting up SSL VPN via the AnyConnect client on a new ASA 5510, ASA 8.4.2, ASDM 6.4.5.

    I am able to 'connect' through the AnyConnect client, and I am assigned an IP address from the VPN pool that I created, but I can't ping or connect to internal servers.

    I think that I have configured the split tunneling OK following the guide below; I can browse the web nicely and quickly while connected to the VPN, but just can't find anything whatsoever on the internal network.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080975e83.shtml

    I suspect it's down to a NAT rule, but I am a bit stuck on whether it should be a network object NAT rule, or whether it must be dynamic/static, and whether it's between the external interface or external IP and the inside network or the VPN pool (I created the pool on a different subnet), or a 'range' (but then I get overlapping IP errors when I try to create a rule for a range of IP addresses).

    Any advice appreciated,

    Hi Eunson,

    After connecting to the ASA, clients receive an IP address from, let's say, the 192.168.10.0/24 pool, and the network behind the ASA is 192.168.20.0/24.

    On the ASA, you would need a NAT exemption for 192.168.20.0 to 192.168.10.0

    Create two object groups, for the VPN pool and your internal LAN.

    object-group network obj-192.168.20.0
     network-object 192.168.20.0 255.255.255.0

    object-group network obj-192.168.10.0
     network-object 192.168.10.0 255.255.255.0

    nat (inside,outside) 1 source static obj-192.168.20.0 obj-192.168.20.0 destination static obj-192.168.10.0 obj-192.168.10.0 no-proxy-arp route-lookup

    Where inside = the interface behind which your local LAN is located

    outside = the interface on which the clients connect.

    If you still can't access it, then you can take a capture on the inside interface.

    Create an ACL:

    access-list test123 permit ip host x.x.x.x host y.y.y.y
    access-list test123 permit ip host y.y.y.y host x.x.x.x

    capture test123 access-list test123 interface inside

    show capture test123

    It will show whether the packets are going out of the inside interface and whether we see the replies or not. If we have all the replies, this means that there might be a routing problem on the internal LAN, as devices may not know to carry the return traffic for 192.168.10.0 back to the ASA inside interface.

    Or maybe it's that there is a firewall drop packets on your internal LAN.

    HTH

  • I need VPN gateway to gateway with NAT for several subnets, RV082

    I have a pair of RV082 routers and I would like to configure a gateway to gateway VPN tunnel, as described in a document, "How to configure a VPN tunnel that routes all traffic to the remote gateway," (file name Small_business_router_tunnel_Branch_to_Main.doc).  I followed this recipe and found that while the main office has internet connectivity, the branch subnet has no internet connection.

    Routing behaves as advertised, where all traffic goes to the head office.  However, the 192.168.1.0 subnet in the branch receives no internet connectivity.  I read in other posts that the main router will provide only NAT for the local subnet, not the Management Office subnet.  Is it possible to configure the RV082 router to provide NAT for all subnets?

    If this is not the case, what Cisco product will provide VPN tunnel connectivity as well as NAT for all subnets?  Can the RV082 be used as part of the final solution, or are my RV082s a wasted expense?

    Here is the configuration that I had put in place, (real IP and IKE keys are false).

    Gateway to Gateway

                                          Remote                   Head Office

    Add a New Tunnel
    Tunnel No.:                           1                        2
    Tunnel Name:                          n1-2122012_n2-1282012    n1-2122012_n2-1282012
    Interface:                            WAN1                     WAN1
    Enable:                               yes                      yes
    --------------------------------------------------------------------------------
    Local Group Setup
    Local Security Gateway Type:          IP Only                  IP Only
    IP address:                           10.10.10.123             10.10.10.50
    Local Security Group Type:            Subnet                   Subnet
    IP address:                           192.168.1.0              0.0.0.0
    Subnet mask:                          255.255.255.0            0.0.0.0
    --------------------------------------------------------------------------------
    Remote Group Setup
    Remote Security Gateway Type:         IP Only                  IP Only
    IP address:                           65.182.226.50            67.22.242.123
    Remote Security Group Type:           Subnet                   Subnet
    IP address:                           0.0.0.0                  192.168.1.0
    Subnet mask:                          0.0.0.0                  255.255.255.0
    --------------------------------------------------------------------------------
    IPSec Setup
    Keying Mode:                          IKE with Preshared key   IKE with Preshared key
    Phase 1 DH Group:                     Group 5 - 1536 bit       Group 5 - 1536 bit
    Phase 1 Encryption:                   DES                      DES
    Phase 1 Authentication:               MD5                      MD5
    Phase 1 SA Life Time:                 2800                     2800 seconds
    Perfect Forward Secrecy:              Yes                      Yes
    Phase 2 DH Group:                     Group 5 - 1536 bit       Group 5 - 1536 bit
    Phase 2 Encryption:                   DES                      DES
    Phase 2 Authentication:               MD5                      MD5
    Phase 2 SA Life Time:                 3600 seconds             3600 seconds
    Preshared Key:                        MyKey                    MYKey
    Minimum Preshared Key Complexity:     Enable                   Enable
    --------------------------------------------------------------------------------

    If you are running 4.x firmware on your RV082, you must add an additional Allow access rule so that the branch office subnet (considered one of the multiple subnets in the main office) may have access to the internet. The firmware release notes have more details about it.

    http://www.Cisco.com/en/us/docs/routers/CSBR/rv0xx/release/rv0xx_rn_v4-1-1-01.PDF

  • object-group network

    Hi all

    Recently I had some problems with my 892 router and maybe I can find the answer here.

    I have two network object groups:

    object-group network net1
     192.168.1.0 255.255.255.0
    object-group network net2
     192.168.2.0 255.255.255.0

    Two ACLs:

    ip access-list extended acl-net12
     permit ip object-group net1 object-group net2
    ip access-list extended acl-net12-new
     permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

    A single crypto map:

    crypto map vpn 1 ipsec-isakmp
     description Network2
     set peer xx.xx.xx.xx
     set security-association lifetime seconds 28800
     set transform-set 3des-sha
     match address acl-net12

    When the match address is set to acl-net12, I can't ping my router on the external interface and the tunnel works very badly (15-20% packet loss).

    If I change the match address from acl-net12 to acl-net12-new, then I can ping my router on the external interface and the VPN works well.

    I also have an ACL (applied on the external interface) allowing ping, but it seems that this does not work when acl-net12 is used on a crypto map.

    ip access-list extended outside_acl
     remark allow ping
     permit icmp any any echo
     permit icmp any any echo-reply

    What am I doing wrong?

    Maybe someone can help me.

    Thank you.

    In my last tests with object groups in crypto ACLs, the content was changed to "permit ip any any", which is usually not a desired configuration. I guess it's a bug or a feature that is not yet implemented.

    Until that is fixed, you must configure the VPN without object groups. BTW: which IOS version are you running? I have not tested it with the newer 15.2 versions.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Issue of NAT for VPN

    If I have a LAN of 10.1.1.0/24 and I want to NAT all of the hosts to 192.168.1.0/24.  I really don't want to create a network object for each unique host, because that's just too many.  I just wanted to confirm that creating two objects and then NATing them would configure a one-to-one NAT, right?

    object network obj-10.1.1.0
     subnet 10.1.1.0 255.255.255.0
    !
    object network obj-192.168.1.0
     subnet 192.168.1.0 255.255.255.0
    !
    nat (inside,outside) source static obj-10.1.1.0 obj-192.168.1.0 destination static "remote" "remote"

    Now when the remote network needs access to hosts on the 10.1.1.0/24 network, they should just be able to access them?

    10.1.1.1 will map to 192.168.1.1

    10.1.1.2 will map to 192.168.1.2

    10.1.1.3 will map to 192.168.1.3

    and so on...?

    In addition, a test on my home ASA:

    Configuration

    object network LAN
     subnet 10.0.0.0 255.255.255.0
    object network REMOTE
     subnet 10.0.1.0 255.255.255.0
    object network LAN-NAT
     subnet 10.0.100.0 255.255.255.0

    nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE

    LAN to REMOTE

    ASA(config)# packet-tracer input LAN tcp 10.0.0.10 1025 10.0.1.1 80

    Phase: 3
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE
    Additional Information:
    Static translate 10.0.0.10/1025 to 10.0.100.10/1025

    REMOTE to LAN

    ASA(config)# packet-tracer input WAN tcp 10.0.1.100 1025 10.0.100.10 80

    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE
    Additional Information:
    NAT divert to egress interface LAN
    Untranslate 10.0.100.10/80 to 10.0.0.10/80

    -Jouni
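
The static translations discussed in this thread and in the opening thread, as an added Python model (not code from either poster or from Cisco). It reproduces the two packet-tracer results above and shows what changes when the two groups after `destination static` are swapped; the `TwiceNat` class, the `THEIR_NAT` group with its 10.200.192.x hosts, and the position-by-position pairing of group members are assumptions made for the illustration.

```python
"""Model of an ASA 8.3+ manual (twice) static NAT rule.

CLI argument order being modelled:
  nat (real_if,mapped_if) source static SRC_REAL SRC_MAPPED
                          destination static DST_MAPPED DST_REAL
Groups are tuples of host or subnet strings. Pairing group members
position by position is a modelling assumption.
"""
import ipaddress
from dataclasses import dataclass


def _nets(group):
    return [ipaddress.ip_network(member) for member in group]


def _size(group):
    return sum(net.num_addresses for net in _nets(group))


def static_map(addr, frm, to):
    """Map addr from group `frm` to the same position in group `to`.

    Returns None when addr is not in `frm`, i.e. the rule does not match.
    """
    addr = ipaddress.ip_address(addr)
    index = 0
    for net in _nets(frm):
        if addr in net:
            index += int(addr) - int(net.network_address)
            break
        index += net.num_addresses
    else:
        return None
    for net in _nets(to):
        if index < net.num_addresses:
            return str(net[index])
        index -= net.num_addresses
    return None  # not reached when both groups have the same size


@dataclass(frozen=True)
class TwiceNat:
    src_real: tuple
    src_mapped: tuple
    dst_mapped: tuple
    dst_real: tuple

    def __post_init__(self):
        # Static NAT is one-to-one, so each pair must be the same size.
        if _size(self.src_real) != _size(self.src_mapped):
            raise ValueError("source real/mapped sizes differ")
        if _size(self.dst_mapped) != _size(self.dst_real):
            raise ValueError("destination mapped/real sizes differ")

    def outbound(self, src, dst):
        """Packet arriving on the real interface.

        Source goes real -> mapped, destination goes mapped -> real.
        Returns the rewritten (src, dst), or None if the rule does not match.
        """
        new_src = static_map(src, self.src_real, self.src_mapped)
        new_dst = static_map(dst, self.dst_mapped, self.dst_real)
        if new_src is None or new_dst is None:
            return None
        return new_src, new_dst

    def inbound(self, src, dst):
        """Packet arriving on the mapped interface (the reverse direction)."""
        new_src = static_map(src, self.dst_real, self.dst_mapped)
        new_dst = static_map(dst, self.src_mapped, self.src_real)
        if new_src is None or new_dst is None:
            return None
        return new_src, new_dst


# Objects from the home-ASA test in this thread.
LAN, LAN_NAT, REMOTE = ("10.0.0.0/24",), ("10.0.100.0/24",), ("10.0.1.0/24",)
HOME_RULE = TwiceNat(LAN, LAN_NAT, REMOTE, REMOTE)

# Groups from the opening thread; THEIR_NAT is constructed for illustration.
OUR_HOSTS = ("10.200.125.32", "10.200.120.32")
THEIR_HOSTS = ("192.168.15.100", "192.168.15.130", "192.168.15.15")
THEIR_NAT = ("10.200.192.100", "10.200.192.130", "10.200.192.15")
# Mapped group first, real group second after "destination static".
CORRECT = TwiceNat(OUR_HOSTS, OUR_HOSTS, THEIR_NAT, THEIR_HOSTS)
# The two destination groups the wrong way around.
SWAPPED = TwiceNat(OUR_HOSTS, OUR_HOSTS, THEIR_HOSTS, THEIR_NAT)

if __name__ == "__main__":
    print("LAN to REMOTE:", HOME_RULE.outbound("10.0.0.10", "10.0.1.1"))
    print("REMOTE to LAN:", HOME_RULE.inbound("10.0.1.100", "10.0.100.10"))
    print("correct order:", CORRECT.outbound("10.200.125.32", "10.200.192.130"))
    print("swapped order:", SWAPPED.outbound("10.200.125.32", "10.200.192.130"))
```

With the groups swapped, traffic sent to the 10.200.192.x addresses no longer matches the rule, so the inside hosts would still need routes to the partner's real addresses.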

  • How can you change a password on Vista for a group of net work at home

    How can you access the area to change the password for a home network group? It had worked well, but I formatted the Vista computer to make it faster. Now I am unable to find the box to change the password. The other computer on the network is running 7.

    Hello

    What password are you talking about?

    If it's regarding network sharing again the sharing.

    Maybe this can help.

    To get the best results, log on to each computer's System screen and set all the computers to be on a network with the same Workgroup name, while each computer has its own unique name.

    http://www.ezlan.NET/Win7/net_name.jpg

    Make sure that the software firewall, AV, or other security components allow free local traffic on all network computers. If you use a 3rd party security suite, the native Vista/XP firewall must be disabled, and the active firewall has to be adjusted to include your network IP numbers in what is sometimes called the Trusted Zone (see your 3rd party firewall instructions).

    General example, http://www.ezlan.net/faq.html#trusted
    Please note that some 3rd party software firewall/AV/security suites continue to block aspects of the local traffic even if they are turned off (disabled).
    If possible, configure the firewall correctly or completely uninstall it to allow a clean flow of local network traffic.

    If you end up with the 3rd party software uninstalled or disabled, make sure that the native Windows firewall is active.

    Network Win 7 with other versions of Windows as a Work network (this works very well if all computers are Win 7, too).

    In the Network Center, clicking on the network type opens the window shown on the right.

    Choose your network type. Note the check box at the bottom and check/uncheck depending on your needs.

    http://www.ezlan.NET/Win7/net_type.jpg

    Win 7 - http://windows.microsoft.com/en-us/windows7/Networking-home-computers-running-different-versions-of-Windows

    Win 7 network sharing folder specific work - http://www.onecomputerguy.com/windows7/windows7_sharing.htm

    Vista file and printer sharing - http://technet.microsoft.com/en-us/library/bb727037.aspx

    When you have finished the configuration of the system, it is recommended to restart everything: the router and all computers involved.

    -------------

    If you have permission and security issues with Vista/Win7, check the following settings.

    Point to a folder that you want to share, right-click and choose Properties.

    In the Properties, click on the Security tab (shown in the picture below on the right) and verify that users and their permissions (see picture below, centre and left) are configured correctly. Then do the same for the Permissions tab.

    This screen shot is to Win 7, Vista menus are similar.

    http://www.ezlan.NET/Win7/permission-security.jpg

    In both the Security panel and the Permissions panel, you need to highlight each user/group and check that the permission controls are set correctly.

    When everything is OK, restart the network (router and computer).

    * Note. The groups and users listed in the screenshot are just an example. Your list will depend on how your system is configured.

    ** Note. All the users who are allowed to share need to have an account on all computers that they are allowed to connect to.

    Everyone is an account that means a group of all users who already have an account as users. It is available to avoid the need to configure permissions for each one individually; it does not mean anyone who feels they would like to connect.

  • How it works for objectChoice group "FOCUS_CHANGED".

    Hi all

    Can someone tell me how FOCUS_CHANGED works for the object choice group when we change our focus in the drop-down window?

    Actually I use:

    public void focusChanged(Field field, int eventType) {
        if (eventType == FOCUS_CHANGED) {
            System.out.println("FOCUS_CHANGED");
        } else if (eventType == FOCUS_GAINED) {
            System.out.println("FOCUS_GAINED");
        } else if (eventType == FOCUS_LOST) {
            System.out.println("FOCUS_LOST");
        }
    }

    It never prints "FOCUS_CHANGED", but it works for FOCUS_GAINED and FOCUS_LOST.

    Please help me.

    It's urgent.

    Thank you

    Ashutosh

    Well, you're right, it doesn't fire for me either. You can use "FieldChangeListener"; it will serve your purpose.

  • Error when adding new subnet for CSM group

    Hello

    I'm trying to add a new subnet to an existing group in CSM v4.0.1 b7823.  When I add a new subnet to the group (the other element of the group is a different subnet), CSM emits several errors for each ASA affected:

    Description:

    BB (GROUPNAME), referenced by the 'Http network' on maps (DEVICENAME) device to multiple network IP addresses!

    Cause:

    Made http refers to a network object that corresponds to more than one IP address on the device

    Action:

    Please config the policy with the network object that resolves to a single IP address.

    There is an error for ICMP as well.  The group already contains a /24 subnet, so I don't think it's an obvious mistake.  Has anyone encountered this?

    Thank you very much.

    Justin

    Hi Justin,

    What you observe is normal given the way in which we have set up the remote access policy. As you probably know, in the CLI you can specify only one access rule per line for ssh, http, telnet etc.

    For example, if you want to allow ssh access to the ASA from hosts 1.1.1.1 and 2.2.2.2, you enter two lines:

    ssh 2.2.2.2 255.255.255.255 outside

    ssh 1.1.1.1 255.255.255.255 outside

    In CSM, we model these two lines as two different objects, so the network building block object that is referenced by an ssh access object can have only one entry. This behavior is the same for ICMP as well.

    Access lists are different because we model them in CSM in a different way, plus you can use object-groups to group different networks. That is not possible for device access.

    I hope that gave you a little more of an overview of the reason.

    Also, it would be nice if you rated this answer if this is the case.

    Stefano

  • NATting for VPN traffic only

    I have a client with an ASA 5505 who has several networks that they are trying to connect via a VPN tunnel with a remote office. One of the networks does not work because it is also used on the other side of the tunnel for a management interface, and neither side seems ready to re-IP their internal space.

    Their proposed solution is to NAT the conflicting network on this side's firewall to a different subnet before it passes through the tunnel. How do I implement a NAT that applies only to the VPN tunnel, while the rest of the traffic that passes through this device stays un-NATted?

    The network in question is 192.168.0.0/24. The target they want for the NAT is 172.16.0.0/24. The ASA config is attached.

    Hello

    Basically, the dynamic policy PAT configuration should work for the L2L VPN connection, because dynamic policy PAT is processed before dynamic PAT/NAT configurations.

    The only NAT configurations that can override this dynamic policy NAT are

    • NAT0 / NAT exempt configuration
    • Static policy NAT/PAT
    • Static NAT/PAT

    And because we have determined that the only problem is with the network 192.168.0.0/24, and since there is no static NAT/PAT or static policy NAT/PAT configuration, the dynamic policy PAT should be applied. Unless some NAT0 configurations are still causing problems.

    The best way to determine what rules are hit for specific traffic is to use the "packet-tracer" command on the ASA

    packet-tracer input inside tcp 192.168.0.100 12345 10.1.7.100 80

    For example, to simulate a random HTTP connection to the remote site

    This should tell us, for example

    • Where the packet would be sent
    • Whether it would pass the interface ACL
    • What NAT would be applied
    • Whether it would match any L2L VPN configuration
    • and many other things

    So can you run the mentioned command twice and copy/paste the second output here? I ask you to get the output twice because the first time the command is run, the actual L2L VPN negotiation would take place and the command would only bring up the L2L VPN, while the second run would show all the information about what actually happens to the simulated packet.

    In addition, judging by the NAT format you chose (dynamic policy PAT), I assume that only your site opens connections to the remote site? Dynamic policy PAT (or normal dynamic PAT) does not allow connections to be created in both directions. Connections can only be opened from your site to the remote site (return traffic naturally passes automatically because of the existing connections and translations).

    -Jouni
