FVS336GV2: NAT or routing?

I'm trying to secure our home network a little more until it gets 'tested'.

I understand NAT, and routing. What I do not understand is how the FVS336GV2 can route without NAT, or if that's what it does.

On my network - Mode WAN Configuration, I can choose "use NAT or classic routing between WAN & LAN interfaces?"

What does "Classic routing" do differently, and is it better than NAT?

I have Googled this and found a lot of things on hardware vs. software NAT and firewalls and more, but nothing comparing NAT vs. routing in the same device...

I'm not sure you understand NAT or why it is necessary.

Answer this question - do you need to share a single public IP address between several devices - or, in the case of a dual-WAN router such as the FVS336G, two public IP addresses?

If the answer is yes, then classic routing isn't an option: you MUST use NAT, and you are likely to see a comparison between the two - they are considered mutually exclusive options, which do different things.

If you used the FVS336 as a classic router connected to the internet (and yes, you can use it this way), you would need a publicly routable IP address for every device on its LAN interface.

Tags: Netgear

Similar Questions

  • Issue of ASA NAT and routing

    Hello

    I have a question about NAT and routing on the ASA. I'm relatively new to the ASA and don't know if this will work or not. I have a pool of public IPs (209.x.x.x/28) that my ISP routes to the external interface of my ASA. The IP address assigned for the outside of the ASA is 206.x.x.2/24 with a default GW of 206.x.x.1. I intend to use NAT to allow my web/mail servers on the DMZ (192.168.x.x) to use the 209.x.x.x addresses. However, I do know how to make it work since I'm not arping on any interface for the 209.x.x.x addresses, as they will be sent to the 206.x.x.2 address by the ISP. Can I just set up a NAT translation (on the external interface?) of the 209.x.x.x to the 192.168.x.x address and the ASA will figure it out?

    Thanks for the help.

    Todd

    The ASA will figure it out; it will answer ARP queries for everything it has set up in a "static" command. As long as the ISP routes the 209.x.x.x addresses directly to the ASA, it should all work fine.

    You just need to add lines like the following:

    static (dmz,outside) 209.x.x.x 192.168.x.x netmask 255.255.255.255

    for each of your internal servers in the DMZ. Then add an access-list to allow only HTTP/SMTP/etc. through to these 209.x.x.x addresses:

    access-list inbound permit tcp any host 209.x.x.x eq smtp
    access-list inbound permit tcp any host 209.y.y.y eq http
    access-group inbound in interface outside

  • VRF-lite, NAT and route-leak

    Hello, community. I'm trying to reproduce a setup with two clients (R1 and R2), a PE router (R3) and common services (R4).

    Here is the configuration:

    R1:

    interface Loopback0
     ip address 10.10.1.1 255.255.255.255
    !
    interface FastEthernet1/0
     ip address 192.168.15.1 255.255.255.0
    !
    ip route 0.0.0.0 0.0.0.0 192.168.15.5

    R2:

    interface Loopback0
     ip address 10.10.2.2 255.255.255.255
    !
    interface FastEthernet1/0
     ip address 192.168.16.1 255.255.255.192
    !
    ip route 0.0.0.0 0.0.0.0 192.168.16.5

    R3:

    ip vrf VRF1
     rd 1:1
     route-target export 1:1
     route-target import 1:1
    !
    ip vrf VRF2
     rd 2:2
     route-target export 2:2
     route-target import 2:2
    !
    interface FastEthernet0/0
     description R1
     ip vrf forwarding VRF1
     ip address 192.168.15.5 255.255.255.192
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet0/1
     description R2
     ip vrf forwarding VRF2
     ip address 192.168.16.5 255.255.255.192
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet1/0
     description R4
     ip address 1.1.1.1 255.255.255.0
     ip nat outside
     ip virtual-reassembly
    !
    ip route 0.0.0.0 0.0.0.0 1.1.1.2
    ip route vrf VRF1 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
    ip route vrf VRF1 10.10.0.0 255.255.0.0 192.168.15.1
    ip route vrf VRF2 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
    ip route vrf VRF2 10.10.0.0 255.255.0.0 192.168.16.1
    !
    ip nat inside source list 15 interface FastEthernet1/0 vrf VRF1 overload
    ip nat inside source list 16 interface FastEthernet1/0 vrf VRF2 overload
    !
    access-list 15 permit 192.0.0.0 0.255.255.255
    access-list 15 permit 10.10.0.0 0.0.255.255
    access-list 16 permit 192.0.0.0 0.255.255.255
    access-list 16 permit 10.10.0.0 0.0.255.255

    R4:

    interface Loopback0
     ip address 10.10.10.10 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 1.1.1.2 255.255.255.0
    !
    ip route 0.0.0.0 0.0.0.0 1.1.1.1

    The configuration is not operational.

    R1#ping 192.168.15.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 68/89/116 ms

    R1#ping 192.168.15.5 source l0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 68/86/92 ms

    R1#ping 1.1.1.1 source l0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 292/357/400 ms

    R1#ping 1.1.1.2 source l0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 216/187/160 ms

    R1#ping 10.10.10.10 source l0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    .....
    Success rate is 0 percent (0/5)

    I can't ping the R4 loopback address (the "shared resource", also known as the "common service").

    It is the same with R2 (the second customer).

    But I can still ping the R4 loopback from R3:

    R3#ping 10.10.10.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/88/116 ms

    This is the routing table on R3:

    R3#sh ip route | begin Gateway
    Gateway of last resort is 1.1.1.2 to network 0.0.0.0

         1.0.0.0/24 is subnetted, 1 subnets
    C       1.1.1.0 is directly connected, FastEthernet1/0
    S*   0.0.0.0/0 [1/0] via 1.1.1.2

    R3#sh ip route vrf VRF1 | begin Gateway
    Gateway of last resort is 1.1.1.2 to network 0.0.0.0

         192.168.15.0/26 is subnetted, 1 subnets
    C       192.168.15.0 is directly connected, FastEthernet0/0
         10.0.0.0/16 is subnetted, 1 subnets
    S       10.10.0.0 [1/0] via 192.168.15.1
    S*   0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0

    R3#sh ip route vrf VRF2 | begin Gateway
    Gateway of last resort is 1.1.1.2 to network 0.0.0.0

         10.0.0.0/16 is subnetted, 1 subnets
    S       10.10.0.0 [1/0] via 192.168.16.1
         192.168.16.0/26 is subnetted, 1 subnets
    C       192.168.16.0 is directly connected, FastEthernet0/1
    S*   0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0

    So the question is: what is the cause of the problem? How do I troubleshoot it? What are the troubleshooting steps?

    Hi Eugene Khabarov

    This does not work since the destination IP address that represents the common services is being routed locally to the CE itself. That's the problem here. We must ensure that the destination subnet is not pointing to it, which is what is happening here.

    R4:

    interface Loopback0
     ip address 10.10.10.10 255.255.255.255
    !

    R3-VRF1

    S 10.10.0.0 [1/0] via 192.168.15.1

    Regards

    Verdier
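
The answer's point, that R3's VRF static route for 10.10.0.0/16 captures the shared-service address 10.10.10.10, can be checked with a longest-prefix-match lookup over the routing tables shown in the question. This is an added example, not code from the thread; the `with_host_routes` remedy (a /32 towards 1.1.1.2) is an assumption, one of several ways to keep the aggregate from matching.

```python
import ipaddress

# Routes per VRF on R3, transcribed from the post's "sh ip route vrf ..."
# output. A next hop of None means the prefix is directly connected.
VRFS = {
    "VRF1": [("192.168.15.0/26", None),
             ("10.10.0.0/16", "192.168.15.1"),   # points back at customer R1
             ("0.0.0.0/0", "1.1.1.2")],          # global default towards R4
    "VRF2": [("192.168.16.0/26", None),
             ("10.10.0.0/16", "192.168.16.1"),   # points back at customer R2
             ("0.0.0.0/0", "1.1.1.2")],
}
SHARED_SERVICES = ["10.10.10.10"]   # R4 Loopback0, the "common service"
SERVICE_NEXT_HOP = "1.1.1.2"        # R4 as seen from R3 FastEthernet1/0


def lookup(routes, dst):
    """Longest-prefix match: return (prefix, next_hop), or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def shadowed_services(vrfs, services, expected_next_hop):
    """Report services whose best route does not lead to the expected next hop."""
    findings = []
    for name, routes in sorted(vrfs.items()):
        for svc in services:
            hit = lookup(routes, svc)
            if hit is None or hit[1] != expected_next_hop:
                findings.append((name, svc, hit))
    return findings


def with_host_routes(vrfs, services, next_hop):
    """Assumed remedy: add a /32 per service so it beats the /16 aggregate."""
    return {name: routes + [(f"{svc}/32", next_hop) for svc in services]
            for name, routes in vrfs.items()}


if __name__ == "__main__":
    for vrf, svc, hit in shadowed_services(VRFS, SHARED_SERVICES, SERVICE_NEXT_HOP):
        prefix, next_hop = hit or ("no route", None)
        print(f"{vrf}: {svc} matches {prefix} -> next hop {next_hop}")
    fixed = with_host_routes(VRFS, SHARED_SERVICES, SERVICE_NEXT_HOP)
    print("after host routes:",
          shadowed_services(fixed, SHARED_SERVICES, SERVICE_NEXT_HOP))
```

The same lookup explains the ping results in the question: 1.1.1.2 falls through to the default route and is reachable, while 10.10.10.10 is sent back to the customer router.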

  • Cisco 892 NAT or routing support for VoIP

    I have some experience with Cisco switches, but not with routers. I'm trying to connect a small internal network to the FastEthernet8 port, with the WAN connected to Gigabit 0. I was able to configure DHCP for the internal network, but I have spent several days trying to find a way to route all traffic through the WAN interface. I enclose my current setup below. Any help would be greatly appreciated.

    Current configuration : 1542 bytes
    !
    ! Last configuration change at 00:15:51 UTC Sun Aug 24 2014
    !
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname sgivoip
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    !
    ip source-route
    !
    !
    ip dhcp excluded-address 192.168.11.1 192.168.11.30
    !
    ip dhcp pool insideDHCP
     network 192.168.11.0 255.255.255.0
     default-router 192.168.54.202
     dns-server 167.206.112.138 167.206.7.4
    !
    !
    ip cef
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    license udi pid CISCO892-K9 sn FGL1710231R
    !
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
     isdn termination multidrop
     isdn point-to-point-setup
    !
    !
    interface FastEthernet0
    !
    !
    interface FastEthernet1
    !
    !
    interface FastEthernet2
     shutdown
    !
    !
    interface FastEthernet3
     shutdown
    !
    !
    interface FastEthernet4
     shutdown
    !
    !
    interface FastEthernet5
     shutdown
    !
    !
    interface FastEthernet6
     shutdown
    !
    !
    interface FastEthernet7
     shutdown
    !
    !
    interface FastEthernet8
     ip address 192.168.11.1 255.255.255.0
     duplex full
     speed auto
    !
    !
    interface GigabitEthernet0
     ip address dhcp
     duplex auto
     speed auto
    !
    !
    interface Vlan1
     no ip address
     shutdown
    !
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    dialer-list 1 protocol ip permit
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password *.
     login
    !
    scheduler max-task-time 5000
    end

    I'm trying to figure out what the default-router entry of 192.168.54.202 is doing in your DHCP pool. It is usually 192.168.11.1, or whatever you want your router to be. You need to add the following commands:

    interface F8
     ip nat inside
    interface G0
     ip nat outside
    ip access-list standard NAT
     permit 192.168.11.0 0.0.0.255
    ip nat inside source list NAT interface G0 overload

    That should do it. If you have any other questions, I would recommend turning off your cable modem for a few minutes, then powering it back on, and then powering on your router. To see if you have received an IP address, you can run show ip interface brief, and next to G0 you should see an external IP address.

  • Based on the IOS VPN Lan-to-Lan (NAT and route map Questions)

    Hello world

    I'm working on my CCNA Security review and I have a question about this scenario:

    LAN1 192.168.0.0/24---(HQ router)--10.10.10.0/30--(INTERNET)--20.20.20.0/30--(Branch router)---LAN2 192.168.1.0/24

    I use the 10.10.10.0/30 and 20.20.20.0/30 networks, assuming that these are public addresses (it is just a lab).

    I read that if I want to build the VPN tunnel while I am using NAT, I must exclude the interesting traffic from the NAT process, so I looked on the Cisco database for more help and I found this (look at the 3660 router configuration):

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008045a2d2.shtml#T1

    So I applied this config to my routers; the config is:

    ip nat inside source route-map sheep interface FastEthernet0/1
    access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 110 permit ip 192.168.0.0 0.0.0.255 any
    route-map sheep permit 10
     match ip address 110

    I didn't really understand why the route-map command is used here, so I made this configuration:

    ip nat inside source list sheep interface FastEthernet0/1
    ip access-list extended sheep
     deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 192.168.0.0 0.0.0.255 any

    Both of them worked: I could translate my LAN addresses to the public address for internet access and could also establish the VPN tunnel. So my questions are:

    1. What is the purpose of the route-map command?

    2. What is the difference between these two configurations?

    3. Which one should I use, and in what cases?

    Thanks in advance

    Jose

    Jose,

    Very good questions, and in fact there is no need for the route-map.

    Personally, I like using route-maps because they allow much more flexibility than a simple ACL setup, but in order to bypass NAT for the source IPs, there is no need for route-maps and you can do this with the ACL directly.

    I personally always use route-maps just because I can (route-maps are cool) haha

    Route-maps are very useful in other scenarios where you need to add more conditions or factors.

    Remember that there is almost always more than one method to accomplish a task... this is one of those cases.

    Hope it helps.

    Federico.
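
Why the `deny` line in Jose's ACL keeps LAN-to-LAN traffic out of NAT, and what happens without it, as an added example that is not part of the thread. It evaluates the posted ACL with IOS wildcard-mask, first-match semantics; the crypto ACL and the HQ outside address 10.10.10.1 are assumptions (the thread shows neither), and it relies on IOS applying inside-to-outside NAT before the crypto map check.

```python
import ipaddress

# NAT ACL from the thread (both variants in the post use these two entries).
NAT_ACL_WITH_EXEMPTION = [
    "deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "permit ip 192.168.0.0 0.0.0.255 any",
]
# Same ACL with the exemption line left out, for comparison.
NAT_ACL_NO_EXEMPTION = ["permit ip 192.168.0.0 0.0.0.255 any"]
# Assumed crypto ACL on the HQ router: the mirror of the deny entry above.
CRYPTO_ACL = ["permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255"]
HQ_OUTSIDE_IP = "10.10.10.1"   # assumed address inside the lab's 10.10.10.0/30


def _to_int(addr):
    return int(ipaddress.ip_address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst>' where src/dst is
    'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")

    def take(items):
        if items[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), items[1:]
        if items[0] == "host":
            return (items[1], "0.0.0.0"), items[2:]
        return (items[0], items[1]), items[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    if rest:
        raise ValueError(f"trailing tokens in entry: {line!r}")
    return action, src, dst


def acl_decision(acl_lines, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return "deny"


def forward(nat_acl, src, dst):
    """Model one outbound packet on the HQ router: NAT first, then crypto."""
    translated = acl_decision(nat_acl, src, dst) == "permit"
    wire_src = HQ_OUTSIDE_IP if translated else src
    encrypted = acl_decision(CRYPTO_ACL, wire_src, dst) == "permit"
    return {"translated": translated, "source": wire_src, "encrypted": encrypted}


if __name__ == "__main__":
    for name, acl in (("with exemption", NAT_ACL_WITH_EXEMPTION),
                      ("no exemption", NAT_ACL_NO_EXEMPTION)):
        for dst in ("192.168.1.20", "198.51.100.7"):   # constructed destinations
            print(name, dst, forward(acl, "192.168.0.10", dst))
```

Without the exemption, the branch-bound packet leaves with the public source address, no longer matches the crypto ACL, and is sent unencrypted towards a private destination instead of into the tunnel.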

  • Cisco e1000 only route when NAT disabled

    I have a Cisco E1000 router. I had already set up a wireless network successfully with the Cisco Connect software. However, when I logged into the web config, I disabled NAT, with the routing table remaining unchanged. The problem is that anyone on the network connected to the Internet/WAN port can ping and receive responses from PCs within the wireless network, but the reverse is impossible and all traffic inside the E1000 can be passed through. Can someone explain this to me?

    With NAT disabled, the E1000 actually forwards packets from 192.168.0.*/24 to 192.168.1.*/24 and vice versa. However, this is effective between these 2 networks only. If a PC inside 192.168.0.*/24 sends a packet to the internet, the packet will pass through the E1000 without its source IP (an address in 192.168.0.*) being changed to the address of the E1000's WAN port. Arriving at the modem, the packet can be ignored, because the modem would NAT only local source addresses (192.168.1.*), or, even if the packet were routed, it would have no chance of being routed by the backbone routers.

    In addition, to route from 192.168.1.*/24 to 192.168.0.*/24, a PC inside 192.168.1.*/24 is configured by default with gateway 192.168.1.1, but add a static route to the modem:

    dest: 192.168.0.0 mask: 255.255.255.0 gateway: 192.168.1.W interface: LAN (W is the E1000 WAN port address)

    and you can connect with 192.168.0.*/24 successfully.

    To summarize, I think that disabling NAT would gain few benefits for your internet access. As my job now requires two networks, I want the E1000 to operate as a regular IP router for ease. Once again, thanks for your help.

  • searching for NAT/Firewall/static routing tips

    Hello

    I am very new to vCloud networking and security. I've read the documentation, but it can be confusing for me. I am attaching a diagram to help provide context for what I'm trying to achieve. Keep in mind that the IP addresses have been changed for security reasons. The address ranges are not accurate, but they give the context.

    We have a routed org with a single-VM vApp, directly connected to the VCC-Net. It is a Linux server. We have a vShield Edge device. There are no firewall rules, NAT, or static routes configured. Essentially of deployment costs. The owner of the server wants to be able to connect to a Linux repo for updates/etc.

    For testing purposes, I have disabled the vShield firewall to allow all traffic through. From the Linux server, I was able to ping both addresses assigned to the vShield Edge (192.168.1.1 and 10.10.16.17), but I couldn't ping 10.10.2.140. This leads me to believe the vShield Edge does not know how to route packets between 192.168.1.0/24 and 10.10.0.0/16.

    I have been reading, and what I'm gathering is that I have to configure NAT and firewall rules to achieve this. I googled everything I can, and now I'm just confused. Can someone please give me some advice?

    The vShield Edge routing feature is similar to a traditional router. By default, it can discover only directly attached networks and deliver packets to them; in this case 192.168.1.0/24 and 10.10.16.0/16 are the directly attached networks. So if you need to reach any other private network, you need to define a static route (dynamic routing is not supported / configurable on vShield Edge as of now). For the Linux VM 192.168.1.10/24 to reach the public network, set NAT rules on the vShield Edge and enable the appropriate firewall rules.

  • Network configuration / routing / two network interface cards / NAT - leased / dedicated Dell R210 running VMware ESXi 5.1.0 build-799733

    Hello

    I'm trying to understand how to configure a rented dedicated Dell R210 server running VMware ESXi 5.1.0 build-799733.

    This dedicated server is rented from www.online.net and sits somewhere in France. One of its network adapters has a public IP, 62.210.177.20x. The other NIC is there, but I do not understand how it is configured. According to the www.online.net portal, the other network card has or should have the IP 10.90.116.20x. What I am obviously trying to set up is to have some virtual machines running and able to access the Internet. I have access to the console of the Dell server through iDRAC and, from what I could see, one of the network adapters has the IP 62.210.177.20x defined, and the other was shown as down. I managed to bring up the other interface, but I cannot find anywhere how to assign the IP address 10.90.116.20x to this 2nd network adapter. But then again, I don't even know if I should or if I need to assign an IP address to this 2nd network adapter. Is the cable even connected for this 2nd NIC? I do not know. Should it be? I'm not sure either. I don't know French, and the manuals/instructions on www.online.net are in French. I can try an online translator, but I don't think that what I'm looking for is explained. How do I get this set up? Do I have to do something on the ESXi server console? Should this 2nd interface be up, or must it be down as it was originally? Yesterday, after watching some videos on YouTube, I added a second virtual switch, moved the virtual hosts to this 2nd switch and assigned the 2nd NIC to it. But that 2nd NIC had a red X next to it, probably indicating that it was disconnected from the 2nd virtual switch. Today, now that I have managed to access the ESXi server console through iDRAC, I brought up the 2nd NIC, and now both network adapters are assigned to the 1st virtual switch. But I think that one NIC should be assigned to one switch and the other network card to the 2nd switch. I'm just a desktop guy with enough knowledge to be dangerous :) If you / someone could put in steps how and where to set this up... PLEASE

    Thanks in advance

    cweks

    ~ # vmware -v
    VMware ESXi 5.1.0 build-799733

    ~ # esxcfg-route
    VMkernel default gateway is 62.210.177.1

    ~ # esxcfg-vmknic -l
    Interface  Port Group/DVPort   IP Family  IP Address                 Netmask        Broadcast       MAC Address        MTU   TSO MSS  Enabled  Type
    vmk0       Management Network  IPv4       62.210.177.20x             255.255.255.0  62.210.177.255  d4:ae:52:cb:bb:84  1500  65535    true     STATIC
    vmk0       Management Network  IPv6       fe80::d6ae:52ff:xxxx:bb84  64                             d4:ae:52:cb:bb:84  1500  65535    true     STATIC, PREFERRED

    Portal www.online.NET--information

    NORMAL 1 ready 62.210.177.20x xxx.domain.eu.       D4:AE:52:AB:BB:84

    2 PRIVATE loan 10.90.116.20x d4:ae:52:ab:bb:85

    http://wiki.hetzner.de/index.php/VMware_ESXi/en#Network_configuration

    Network configuration

    • VMware vSphere Hypervisor is an "operating system" for pure virtualization and support NAT or routing. Therefore, only a real bridge configuration can be used.
    • To use a subnet additional IP must be configured as a router VM.

    If I understand the above, I need to bring up a VM and set it up as a router? Then the virtual machine that will act as a router must have two network interfaces, where one is connected to one switch and the other to the other switch/network card. Am I right? The YouTube video suggested that, but I thought that maybe / somehow ESXi can route packets between the two network cards, but from what I read, ESXi can route packets. Do I need to order an additional / extra / 2nd IPv4 address so that it can be assigned to the interface of the router?

  • WRT600N advanced routing problems / use as Access Point and switch

    Firmware 1.01.36 build 4. The WRT600N is connected to an existing LAN and is really only used as a Wireless-N access point. There is nothing plugged into the WAN port; only the LAN port. I have NAT disabled. All traffic from a wireless client connected to the WRT600N goes through very well to the gateway router and the Internet. The client experience is very good. However, there are a few minor issues, as follows.

    [1] The Setup > Advanced Routing tab has only the following options, and does *not* have a 'Mode' picker: NAT, static routing and dynamic routing (RIP). IS THIS NORMAL, OR SHOULD IT HAVE A MODE (e.g. switch) AS REFERRED TO IN THE HELP FILES?

    [2] Even though a wireless or wired connection to the WRT600N works very well, the WRT600N itself is unable to connect to the internet. It cannot connect to NTP to set the time, and I can't ping past the gateway router using the WRT600N's ping diagnostic utility. I can ping the gateway's inside port, 192.168.1.4, but I can't use the WRT600N's ping diagnostic utility to ping anything beyond this gateway port. The WRT600N's routing table is below. SHOULDN'T THE GATEWAY BE 192.168.1.4? HOWEVER, THE WRT600N DOESN'T LET ME CHANGE IT.

    Destination LAN IP   Subnet Mask     Gateway        Interface
    192.168.1.0          255.255.255.0   192.168.1.71   LAN & Wireless
    127.0.0.0            255.0.0.0       *              LAN & Wireless

    Re 1. Linksys used to have a mode option to switch between the modes 'Bridge' and 'Router'. The latest routers call it now better NAT power. Gateway mode means that NAT is enabled. Router mode means that NAT is disabled. The help files are probably a little bit out of date. But the option is still the same.

    Re 2. It's normal if you use it only as an access point (i.e. do not use the WAN port). The router always assumes that the internet connection is via the WAN port, i.e. it will always use the default gateway on the WAN port. If nothing is connected to the WAN port, the router itself has no default gateway and therefore has no access to the internet. Generally, you are not able to set the default route on the advanced routing page either. It is a known limitation of these routers if you do not use them as a router.

  • WRT610N as a simple router

    Hi all...

    I just installed a new WRT610N to replace my old router + access point who died days ago.

    The Setup is simple enough:

    WAN interface with address static 192.168.0.2/24 GW 192.168.0.1 (my main firewall)

    LAN interface with 192.168.10.0/24 static address, DHCP enabled to assign addresses to 192.168.10.100 to 192.168.10.199

    Everything works from a computer connected to the WRT610N LAN subnet (wired or wireless)... I can ping 192.168.10.*, 192.168.0.*, 192.168.2.* (the subnet connected to the firewall DMZ), and the internet connection (also through the firewall) works as expected.

    But from a computer on the 192.168.0.* network (the subnet to which the WRT610N WAN interface is connected), there is no way to reach the machines that are on the LAN subnet. I created a static route in the main firewall and, to be sure, I also tried with a static route on a computer that is connected to the 192.168.0.* subnet (route add 192.168.10.0 mask 255.255.255.0 gateway 192.168.0.2)... no way.

    SPI Firewall is disabled and also each of the filters.

    What am I doing wrong?

    Thank you in advance...

    CiaoCiaoSergio

    Your router must still have NAT active. With NAT, the router only translates between the LAN IP addresses and the WAN IP address. Because of this, the LAN is inaccessible. That's how any consumer-type router protects the LAN from the internet.

    You must disable NAT. It is usually on the Advanced Routing page. It is called "NAT" or "Mode of operation".

    Bridge mode = NAT enabled.
    Router mode = NAT disabled.

    If you have configured the correct static route on your firewall, it should work then...

    Make sure that your firewall then provides NAT for the WRT subnet. With NAT disabled, the 192.168.10.* IP addresses will reach the firewall. If your firewall is not configured to do NAT for 192.168.10.*, it will send them unchanged to the internet, where they will be dropped.

    Of course, if you want a full interconnectivity between WRT LAN and WAN side then you should consider setting up as plain simple access point connecting it via a LAN port to your existing LAN. That would save all routing and NAT problems...

  • Add a static route to a RV042

    I have configured the RV042 dual WAN ports for smart link backup, connected to two different ISPs. The subnet behind it is 192.168.2.xxx. I have a second router, a Linksys Garland, with WAN port 192.168.2.250, and the subnet behind it is 192.168.20.xxx. My problem is that I am not able to route traffic from 192.168.2.xxx to 192.168.20.xxx. How can I add a static route so that clients on 192.168.2.xxx can access resources on 192.168.20.xxx?

    1. The second Linksys router must be changed from gateway mode (NAT enabled) to router mode (NAT disabled). With NAT, the LAN behind the second Linksys will not be accessible from the outside unless you configure port forwarding.

    2. On the RV042, set up a static route for the subnet 192.168.20.0/255.255.255.0 to the gateway IP address 192.168.2.250 on the LAN interface.

    3. Ideally, you should configure the same static route on all clients connected to the RV042. If you don't want to do this, you must configure the firewall on all clients on the RV042 to accept ICMP redirect messages. This is important because otherwise all traffic from 192.168.2.* to 192.168.20.* would be sent to the RV042 and from there to the second Linksys, which is unnecessary and could create a bottleneck.

  • HP Photosmart 5520 series: what ports app to print Basic or advanced within the router?

    Is it common for wireless printing to need certain application ports opened in the router's NAT firewall for wireless communication to work properly?

    This was not mentioned during the installation of the software, but I found out about it after searching the HP support site on WiFi printing problems.

    I discovered that my router is blocking traffic on TCP/UDP port #4129 (id: nuauth) and therefore refused to let any print jobs AND ePrint work correctly...?

    In addition, I needed to add rules for TCP/UDP ports 9100 and 9220...
    I guess the 9100 (hp-pdl-datastr) is necessary for real communication?

    My router is a Ubee EVW321B.

    Nice interface easy to use, but maybe a bit more protection... ?

    I would like to read whether other users assigned certain ports so that the PS 5522 works fine over a WiFi connection?

    The document here contains information on port settings for the Photosmart 5520 printer. Your router is not listed, but it suggests the following for unlisted cases:

    1. If your firewall software is not listed in the table, manually unlock the ports used by the printer.

  • Cisco 2911 and ASA 5512 remove double NAT

    Greetings,

    I have 2 subnets on Cisco 2911 router

    192.168.3.0/24 and 192.168.1.0/24

    The 3rd network, 192.168.4.0/24, is NATting the internal interface to the modem for internet access, creating 2 NATs (NAT in the router and NAT in the modem).

    I just bought a Cisco ASA 5512; any chance I could remove NAT from the Cisco 2911 router and set the default gateway to the Cisco ASA?

    Yes, you are right...

    You must ensure that you get the routed LAN traffic to hit the inside interface of the ASA; in the ASA, you can do PAT/NAT for access...

    Regards

    Knockaert

  • NAT Ports inaccessible over the site to site VPN

    We have a 2900 series ISR at HQ and several Cisco WRVS4400N VPN routers at small branch offices. The branch offices are connected to HQ via site-to-site IPSec. Everything seems to work fine, except users in the branch offices cannot access any of the services on HQ servers where the port was NAT'd to the outside. For example, we host Office services remotely via https; port 443 is NAT'd to the outside, but users in the branch offices cannot access this port. They receive a time-out error. I tried searching, but all I can find is info on IPSec NAT traversal. Thank you...

    With this NAT config, your router ensures that the internal server has to be accessed via the public IP address. You can add a route-map to your static NAT entry to exempt VPN traffic from NAT. It might look like the following:

    ip nat inside source static tcp 10.0.0.11 443 xxx.xxx.xxx.165 443 route-map SERVER-NAT extendable
    !
    ip access-list extended SERVER-NAT-ACL
     deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
     permit ip any any
    !
    route-map SERVER-NAT permit 10
     match ip address SERVER-NAT-ACL

  • Outgoing NAT does not work for one L2L VPN

    We have an ASA5510 which has two LAN-to-LAN IPSEC VPNs configured. The VPN tunnels themselves are up and one VPN works great. But on the other VPN, outgoing NAT traffic is not working properly (inbound is fine from all the VPN endpoints). When I ping from the ASA using 'ping inside 10.200.4.x', it works. When I ping from a box sitting inside the subnet, I get the following error in the ASA logs:

    portmap translation creation failed for udp src inside:10.26.32.2/137 dst outside:10.200.4.x/137

    I would really appreciate it if someone could tell me what I did wrong with the NAT or routing configuration. This is the first time I have set up two L2L VPNs on an ASA. The relevant parts of the configuration, properly anonymized, are below.

    Edit: I forgot to mention that, once it works, I then need to set up inbound NAT from web.server.public.ip to 10.26.32.2 and add ACL entries for www and https.

    Thank you

    Matt.

    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 1.2.3.33 255.255.255.248
    !
    interface Ethernet0/2
     nameif inside
     security-level 100
     ip address 10.26.32.1 255.255.255.0
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.61.1 255.255.255.0
     management-only
    !
    access-list outside_1_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list outside_20_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0
    icmp permit any inside
    arp timeout 14400
    nat (inside) 0 access-list outside_1_cryptomap_1
    nat (inside) 1 access-list outside_20_cryptomap_1
    nat (inside) 2 0.0.0.0 0.0.0.0
    route outside 10.200.4.0 255.255.255.0 broken.vpn.endpoint.ip 1
    route outside 0.0.0.0 0.0.0.0 gateway.ip.address.here 1
    route outside 192.168.0.0 255.255.0.0 working.vpn.endpoint.ip 1
    aaa authentication ssh console LOCAL
    http 192.168.61.0 255.255.255.0 management
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-SHA-256 esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap_1
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer working.vpn.endpoint.ip
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map 20 match address outside_20_cryptomap_1
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer broken.vpn.endpoint.ip
    crypto map outside_map 20 set transform-set ESP-SHA-256
    crypto map outside_map 20 set security-association lifetime seconds 28800
    crypto map outside_map 20 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes-256
    isakmp policy 20 hash sha
    isakmp policy 20 group 5
    isakmp policy 20 lifetime 86400
    isakmp nat-traversal 20
    tunnel-group working.vpn.endpoint.ip type ipsec-l2l
    tunnel-group working.vpn.endpoint.ip ipsec-attributes
     pre-shared-key *
    tunnel-group broken.vpn.endpoint.ip type ipsec-l2l
    tunnel-group broken.vpn.endpoint.ip ipsec-attributes
     pre-shared-key *
    telnet timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.61.2-192.168.61.254 management
    dhcpd lease 3600
    dhcpd ping_timeout 50
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global

    These 2 lines are incorrect. The crypto access lists should not be applied to the NAT statements.

    nat (inside) 0 access-list outside_1_cryptomap_1
    nat (inside) 1 access-list outside_20_cryptomap_1

    Please remove the 2 NAT statements above, but keep the access lists, because those are applied to the crypto map.

    Then you must configure the following:

    access-list sheep extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list sheep extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0
    nat (inside) 0 access-list sheep

    Once you have made the changes above, please run "clear xlate".

    Hope that helps.
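An offline check for the mistake the answer describes, added here as an example and not part of the original thread: it parses pre-8.3 ASA `access-list`, `nat` and `crypto map` lines and reports crypto ACLs reused in NAT statements and VPN traffic that no `nat 0` rule exempts. The `BEFORE` and `AFTER` samples are constructed from the configuration lines quoted above; the function and variable names are hypothetical, and the parser assumes network/mask `permit ip` entries only.

```python
import re

# Constructed sample: the poster's NAT and crypto lines in pre-8.3 ASA syntax.
BEFORE = """\
access-list outside_1_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_20_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0
nat (inside) 0 access-list outside_1_cryptomap_1
nat (inside) 1 access-list outside_20_cryptomap_1
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 20 match address outside_20_cryptomap_1
"""
# Same config after the answer's change: one dedicated exemption ACL, nat 0 only.
AFTER = "\n".join(l for l in BEFORE.splitlines() if not l.startswith("nat ")) + """
access-list sheep extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list sheep extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0
nat (inside) 0 access-list sheep
"""

# Assumption: ACL entries use "network mask" pairs (no "any"/"host" keywords).
ACL = re.compile(r"^access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$")
NAT = re.compile(r"^nat \(\S+\) (\d+) access-list (\S+)$")
CRYPTO = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")

def audit(config):
    """List NAT problems affecting the crypto maps' interesting traffic."""
    acls, nats, crypto = {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := ACL.match(line):
            acls.setdefault(m[1], set()).add((m[2], m[3]))
        elif m := NAT.match(line):
            nats.append((int(m[1]), m[2]))
        elif m := CRYPTO.match(line):
            crypto.append((int(m[1]), m[2]))
    crypto_acls = {acl for _, acl in crypto}
    findings, exempt = [], set()
    for nat_id, acl in nats:
        if nat_id == 0:  # nat 0 access-list = NAT exemption
            exempt |= acls.get(acl, set())
        if acl in crypto_acls:
            findings.append(f"nat {nat_id} reuses crypto ACL {acl}")
    for seq, acl in crypto:
        # Interesting traffic must leave untranslated to match the peer's ACL.
        for src, dst in sorted(acls.get(acl, set()) - exempt):
            findings.append(f"crypto map {seq}: {src} -> {dst} is not NAT-exempt")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "no findings")
```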
