Help with the NAT rule

Hello

I'm trying to create a second VPN connection on our company's Cisco PIX. It almost works, but I'm having problems getting the NAT rules to work for two VPNs.

The config is attached, but the key areas are below.

access-list LeasedLine_20_cryptomap extended permit ip 192.168.60.0 255.255.255.0 London 255.255.255.0
access-list LeasedLine_40_cryptomap extended permit ip object-group LAN_subnet object-group InsightLAN

nat (inside) 0 access-list LeasedLine_20_cryptomap
nat (inside) 101 192.168.60.0 255.255.255.0
nat (DMZ) 101 172.30.60.0 255.255.255.0
nat (GM3) 101 192.168.70.0 255.255.255.0

crypto map LeasedLine_map 20 match address LeasedLine_20_cryptomap
crypto map LeasedLine_map 20 set peer 161.xxx.106.34
crypto map LeasedLine_map 20 set transform-set ESP-3DES-MD5
crypto map LeasedLine_map 40 match address LeasedLine_40_cryptomap
crypto map LeasedLine_map 40 set peer 213.xxx172.253
crypto map LeasedLine_map 40 set transform-set ESP-AES-128-SHA

The problem I have is with the nat (inside) 0 command. If I add the command

nat (inside) 0 access-list LeasedLine_40_cryptomap

the second VPN (Insight) works, but the first stops working.

Can someone help me get this to work?

See you soon,

Al

Hello

You can't have several "nat (inside) 0 access-list" configurations.

Instead, you use a single ACL to define the traffic you don't want to NAT, or for which you want NAT 0.

So you can do this, for example:

access-list INSIDE-NAT0 extended permit ip 192.168.60.0 255.255.255.0 London 255.255.255.0
access-list INSIDE-NAT0 extended permit ip object-group LAN_subnet object-group InsightLAN

nat (inside) 0 access-list INSIDE-NAT0

And both connections should work fine.

If you later set up a third VPN connection, for example, you would simply add another line to the same ACL.

Hope this helps

Don't forget to mark the reply as the answer if it answered your question.

Ask more if necessary

-Jouni
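
The following is an added example, not code from the original thread or from Cisco. It models the constraint Jouni describes (one NAT-exempt ACL per interface on pre-8.3 PIX/ASA) as a config audit: it finds interfaces with more than one "nat (iface) 0 access-list" line, reports which ACL is shadowed (the thread reports the newer line replacing the older one), and emits the single merged ACL that Jouni recommends. The sample config is constructed from the lines Al posted; "London", "LAN_subnet" and "InsightLAN" are names taken from the thread.

```python
"""Audit pre-8.3 PIX/ASA configs for conflicting 'nat (iface) 0 access-list' lines.

Added example, not part of the original thread or of Cisco's tooling.
Only one NAT-exempt ACL per interface is honoured; the thread reports the
newer 'nat (inside) 0 access-list' line replacing the older one. The fix is
one ACL with one ACE per tunnel, which this script generates.
"""
import re
from collections import defaultdict

NAT0_RE = re.compile(r"^nat \((?P<iface>[^)]+)\) 0 access-list (?P<acl>\S+)\s*$")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) (?P<body>.*)$")

# Constructed sample based on the lines posted in the thread
SAMPLE_CONFIG = """\
access-list LeasedLine_20_cryptomap extended permit ip 192.168.60.0 255.255.255.0 London 255.255.255.0
access-list LeasedLine_40_cryptomap extended permit ip object-group LAN_subnet object-group InsightLAN
nat (inside) 0 access-list LeasedLine_20_cryptomap
nat (inside) 0 access-list LeasedLine_40_cryptomap
nat (inside) 101 192.168.60.0 255.255.255.0
nat (DMZ) 101 172.30.60.0 255.255.255.0
"""


def parse(config):
    """Return ({iface: [nat 0 ACL names in config order]}, {acl name: [ACE bodies]})."""
    nat0 = defaultdict(list)
    acls = defaultdict(list)
    for line in config.splitlines():
        line = line.strip()
        if m := NAT0_RE.match(line):
            nat0[m["iface"]].append(m["acl"])
        elif m := ACL_RE.match(line):
            acls[m["name"]].append(m["body"])
    return nat0, acls


def find_conflicts(nat0):
    """Interfaces that reference more than one NAT-exempt ACL."""
    return {iface: names for iface, names in nat0.items() if len(names) > 1}


def merged_exemption(iface, acl_names, acls, merged_name=None):
    """Build one NAT-exempt ACL holding every ACE of the conflicting ACLs, in order."""
    merged_name = merged_name or f"{iface.upper()}-NAT0"
    lines, seen = [], set()
    for name in acl_names:
        for body in acls.get(name, []):
            if body not in seen:  # a duplicate ACE would be rejected by the firewall anyway
                seen.add(body)
                lines.append(f"access-list {merged_name} {body}")
    lines.append(f"nat ({iface}) 0 access-list {merged_name}")
    return lines


def audit(config):
    """Per conflicting interface: the ACL the thread observed as active, the shadowed ones, and the fix."""
    nat0, acls = parse(config)
    report = {}
    for iface, names in find_conflicts(nat0).items():
        report[iface] = {
            "effective": names[-1],       # newest line wins, as observed in the thread
            "shadowed": names[:-1],
            "fix": merged_exemption(iface, names, acls),
        }
    return report


if __name__ == "__main__":
    for iface, r in audit(SAMPLE_CONFIG).items():
        print(f"{iface}: only {r['effective']} is active; shadowed: {', '.join(r['shadowed'])}")
        print("\n".join(r["fix"]))
```

Running it on the sample prints the two merged INSIDE-NAT0 ACEs and the single nat (inside) 0 statement that replaces both original lines.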

Tags: Cisco Security

Similar Questions

  • Clarification of the NAT rules

    Hi all

    I understand the notion of NAT and why it is used.  However, I am a little confused given the following command:

    object network obj-internal
    nat (inside,outside) dynamic interface

    Please correct me if I'm wrong, but so far I understand that this command creates a network object called "obj-internal" and creates a rule for traffic from the inside interface to the outside interface.  However, I'm confused by the dynamic interface part.  Could someone please elaborate on the meaning and usage of this part?  Any help is greatly appreciated.

    To create an object you also need a definition of what the object is. You need something like a host or a subnet statement.

    For this object you then specify how the internal IP addresses (inside network) are translated when communicating with the external network. The NAT command in your example uses a dynamic translation (unlike static NAT, which is generally used for outside-to-inside traffic, or when an inside host should always get the same outside IP address) which always uses the external IP of the ASA. So no matter which internal host communicates with the outside world, they all appear with a single IP address at the destination system.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Help with the CSS rule

    I am new to Dreamweaver CS4. I created a CSS file and tried to apply a rule to selected text. When I highlight text, go to the 'Targeted Rule' and select the rule I want, it does not apply. It goes back automatically to < New CSS Rule >. Any suggestions as to what I'm doing wrong? Thank you.

    Another thing that I left out...

    Does your CSS & HTML code pass validation?  Bad code can cause DW to have hiccups.

    HTML Validator - http://validator.w3.org 

    CSS Validator - http://jigsaw.w3.org/css-validator/

    Nancy O.
    ALT-Web Design & Publishing
    Web | Graphics | Print | Media specialists
    www.Alt-Web.com/
    www.Twitter.com/ALTWEB
    www.Alt-Web.blogspot.com

  • Allowing the OWA NAT rule breaks the web page links

    We host our own website (old IIS 6 on Server 2000) and it works fine using a new SonicWALL TZ 500 set up with the Public Server Wizard.  We also have on-site Exchange 2003.  When I followed the article https://support.software.dell.com/kb/sw4535 OWA works fine, but now all links to other pages on our site are broken. As soon as I turn off the NAT policy for OWA, the links on the site work again.  Would welcome suggestions for a fix.

    The only issue I'd suspect is that your OWA uses the same ports as the other server, so that traffic is now no longer reaching each of them.

    Thank you
    Ben D
    Reference Dell SonicWALL
    #iwork4Dell

  • Asymmetric NAT rules

    I am trying to configure another IPsec VPN group and policy.  So far, I can connect with it, and I can ping the ASA 5505, but nothing else inside.  The funny thing is that I have another group and policy configuration that works very well.  I tried to imitate it, but I can't understand what I'm doing wrong.  I get this error in the log:

    Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.4.71.104 dst inside:10.4.70.2 (type 8, code 0) denied due to NAT reverse path failure.

    A network diagram is attached.  Thanks for your help.

    Andy,

    Yes, 8.3 makes a difference.

    Well, I can suggest a way out of it.

    And this is what you need to add... the NAT exemption that previous versions provided.

    nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.71.0 obj-10.4.71.0

    Edit: fixed IP addresses. If 10.4.70.0/24 is local and 10.4.71.0/24 is remote, you need to add an exemption here.

  • Sequence Analyzer: transferring data from one sequence analyzer rule to another

    Is there a way I can send data from one sequence analyzer rule to another?

    I've created rules to count the number of SCOPE steps, REQUIREMENT TEXT steps and PROCESS steps.

    Now I want to create another rule that reads the values from each of these rules.

    Tah44-

    One of my colleagues brought a different, probably better idea to my attention this morning:

    Use the AnalysisContext.GetRuleAnalysisData method to access the analysis data of other rules: http://zone.ni.com/reference/en-XX/help/370052P-01/tsref/infotopics/sa_creating_analysis_modulesimpl...

    -Jeff

  • In all the Windows Hearts games, it seems they do not know the rules. The Queen of Spades is just like a heart in the real rules

    In all the Windows Hearts games, it seems they do not know the rules.  The Queen of Spades is just like a heart in the real rules. I don't have to play the Queen.  If hearts have been broken and all I have left is some hearts and the Queen of Spades, I can play a low heart rather than being forced to play the Queen.  The Windows game apparently does not know this rule.

    Original title: rules of Hearts

    Hello

    Actually, whether the Queen of Spades breaks hearts and can therefore be considered a heart
    is optional. The basic rule is that the Queen of Spades does not break hearts and must be played
    if a player has the Queen of Spades and otherwise only hearts, if hearts have been broken.

    My preference is that the Queen of Spades or a heart can be played on the first trick, led with the 2 of Clubs.
    And the Queen of Spades does not break hearts and must be played if only it and hearts are
    left in the hand and hearts have not been broken. Those make for a much more difficult game,
    IMHO.

    Hearts
    http://www.Pagat.com/reverse/hearts.html

    Hearts, the rules
    http://www.toycrossing.com/hearts/basic-rules.shtml

    Hearts
    http://en.Wikipedia.org/wiki/hearts

    Hearts
    http://www.kemenel.org/cards/hearts.php

    Played Hearts and Spades for years, but Bridge is even more fun.

    Bridge Base Online - play for free at all levels (beginner to World Champions, and yes the World
    Champions play there - it even has live vugraphs of tournaments around the world - free.)
    http://www.bridgebase.com/

    I hope this helps.

    Rob Brown - Microsoft MVP

  • How to open the NAT for a Linksys 160N with a WRT54G2 wireless Ethernet bridge?

    Hello, I have a Linksys 160N2 router, and I hooked up a Linksys WRT54G2 router updated with DD-WRT {v24 sp1}.  It worked great, but now my son's Xbox 360 states that the NAT is moderate and should be open.  I don't know how to open the NAT.  Any help will be greatly appreciated.

    Do this:

    Open an Internet Explorer browser page on your wired (desktop) computer. In the address bar type 192.168.1.1 and press Enter... Leave the user name empty & for the password use admin in lowercase...

    Click on the "Applications and Gaming" tab and then click the "Port Range Forwarding" sub-tab...

    (1) On the first line, in the Application box type ABC, in the Start box type 53 and in the End box type 3074, leave the Protocol as Both, under IP address type 192.168.1.20 and check the Enable box; click Save Settings once that's done...

    (2) Once you return to the top of the page, click the Security tab, uncheck 'Block anonymous Internet requests' and click Save Settings...

    (3) Click on Setup and change the MTU size to 1452 and click Save Settings... Click the Status tab, and take note of the DNS1 and DNS2 addresses...

    (4) Go to the Xbox network settings, select manual IP settings and assign the following on your Xbox:
    IP address 192.168.1.20, subnet mask 255.255.255.0, default gateway 192.168.1.1...

    (5) Also assign DNS addresses on the Xbox:
    use the DNS1 and DNS2 addresses you noted from the router's Status tab as the primary and secondary DNS for the Xbox...

    (6) Turn off your modem, router and Xbox... Wait a minute...

    (7) Plug in the power to the modem first, wait a minute, then plug in the router's power cable, wait another minute and turn on the Xbox... test that it connects...

  • Help setting NAT for MW2

    I am completely new to wireless internet, but anyway, my problem is I do not know how to configure my router to open the NAT; I don't know what it is.  The problem is with Modern Warfare 2 and its 'strict' NAT setting.  I don't know what to do to open the NAT so I can host more servers.  It may have been answered before but I need help.

    My router is a WRT160N.

    Thanks Wizard, that worked very well.

  • VPN on ASA 5506 without internet access, help with NAT?

    Hello

    I have upgraded from a Cisco ASA 5505 to a 5506-X and as such have moved to ASA 9.5.

    For this reason, I'm a bit stuck on how to implement the VPN. I followed the wizard and I can now establish inbound connections, but when connected (all traffic is tunnelled) there is no internet connectivity.

    Our offices internal (inside) network is 192.168.2.0/24

    Our VPN pool is 192.168.4.0/24

    I guess that I'm missing a NAT rule, but in all honesty I'm an ASDM user and, as everything has changed, I am struggling to recreate it.

    Here is my config:

    Result of the command: "sh run"
    
    : Saved
    
    :
    : Serial Number: JAD194306H5
    : Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
    :
    ASA Version 9.5(1)
    !
    hostname ciscoasanew
    domain-name work.internal
    enable password ... encrypted
    names
    ip local pool RemoteVPNPool 192.168.4.1-192.168.4.254 mask 255.255.255.0
    !
    interface GigabitEthernet1/1
     nameif outside
     security-level 0
     ip address 192.168.3.4 255.255.255.0
    !
    interface GigabitEthernet1/2
     nameif inside
     security-level 100
     ip address 192.168.2.197 255.255.255.0
    !
    interface GigabitEthernet1/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/6
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/7
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/8
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management1/1
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    ftp mode passive
    clock timezone GMT 0
    dns domain-lookup inside
    dns domain-lookup management
    dns server-group DefaultDNS
     name-server 192.168.2.199
     domain-name work.internal
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network 173.0.82.0
     host 173.0.82.0
    object network 173.0.82.1
     subnet 66.211.0.0 255.255.255.0
    object network 216.113.0.0
     subnet 216.113.0.0 255.255.255.0
    object network 64.4.0.0
     subnet 64.4.0.0 255.255.255.0
    object network 66.135.0.0
     subnet 66.135.0.0 255.255.255.0
    object network a
     host 192.168.7.7
    object network devweb
     host 192.168.2.205
    object network DevwebSSH
     host 192.168.2.205
    object network DEV-WEB-SSH
     host 192.168.2.205
    object network DEVWEB-SSH
     host 192.168.2.205
    object network vpn-network
     subnet 192.168.4.0 255.255.255.0
    object network NETWORK_OBJ_192.168.4.0_24
     subnet 192.168.4.0 255.255.255.0
    object network NETWORK_OBJ_192.168.2.0_24
     subnet 192.168.2.0 255.255.255.0
    object-group network EC2ExternalIPs
     network-object host 52.18.73.220
     network-object host 54.154.134.173
     network-object host 54.194.224.47
     network-object host 54.194.224.48
     network-object host 54.76.189.66
     network-object host 54.76.5.79
    object-group network PayPal
     network-object object 173.0.82.0
     network-object object 173.0.82.1
     network-object object 216.113.0.0
     network-object object 64.4.0.0
     network-object object 66.135.0.0
    object-group service DM_INLINE_SERVICE_1
     service-object icmp
     service-object icmp6
     service-object icmp alternate-address
     service-object icmp conversion-error
     service-object icmp echo
     service-object icmp information-reply
     service-object icmp information-request
    access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object DEVWEB-SSH eq ssh
    access-list outside_access_in remark AWS Servers
    access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object devweb eq ssh log debugging inactive
    access-list outside_access_in extended permit ip any any inactive
    access-list outside_access_in remark Ping reply
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
    access-list outside_access_in remark Alarm
    access-list outside_access_in extended permit tcp any interface outside eq 10001
    access-list outside_access_in remark CCTV
    access-list outside_access_in extended permit tcp any interface outside eq 7443
    access-list outside_access_in extended deny ip any any
    access-list workvpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
    access-list workvpn_splitTunnelAcl_1 standard permit 162.13.130.12 255.255.255.252
    access-list workvpn_splitTunnelAcl_1 standard permit 162.13.133.72 255.255.255.252
    access-list workvpn_splitTunnelAcl_1 standard permit 164.177.128.200 255.255.255.252
    access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.16 255.255.255.252
    access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.72 255.255.255.252
    access-list workvpn_splitTunnelAcl_1 standard permit 212.64.147.184 255.255.255.248
    access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.116 255.255.255.254
    access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.118 255.255.255.254
    access-list workvpn_splitTunnelAcl_1 standard permit host 95.138.147.118
    access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.120 255.255.255.254
    access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list workvpn2_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    access-list workVPN2016_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 16000
    logging asdm-buffer-size 512
    logging asdm warnings
    logging flash-bufferwrap
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 7200
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
    !
    object network obj_any
     nat (any,outside) dynamic interface
    object network DEVWEB-SSH
     nat (inside,outside) static interface service tcp ssh ssh
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    service sw-reset-button
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     no validation-usage
     crl configure
    crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
     enrollment self
     fqdn none
     subject-name CN=192.168.2.197,CN=ciscoasanew
     keypair ASDM_LAUNCHER
     crl configure
    
    snip
    
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    no threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ssl-client
    group-policy workVPN2016 internal
    group-policy workVPN2016 attributes
     dns-server value 192.168.2.199
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelall
     ipv6-split-tunnel-policy tunnelall
     default-domain value work.internal
     split-dns value work.internal
     split-tunnel-all-dns enable
    dynamic-access-policy-record DfltAccessPolicy
    
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:
    : end
    

    Hi Ben,

    What you are trying to accomplish is called VPN hairpinning.  Based on your initial configuration, you have 2 NAT problems.  The first has to do with the order in which you place your NAT statements.  In ASA 8.3 and later code we are dealing with twice NAT, and its rules are ranked in 2 sections that go before and after object NAT.

    My general rule for NAT ordering is like this:

    1. Twice NAT (before) - use this section for NAT exemptions or unusual configurations that have to go first
    2. Object NAT - use this section for static NAT statements for servers
    3. Twice NAT (after) - use this section for your global NAT statements, basically a catch-all

    Second, never use 'any' as an interface in any NAT statement.  It may seem like a good idea, but it will bite you.  Remember, it's about the notion of NAT control, and the 'any' interface bites VPN configurations and DMZs alike.  Always be specific about your interface pairs for NAT.

    To this end, here is what I suggest your NAT configuration should look like:

    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
    !
    object network DEVWEB-SSH
     nat (inside,outside) static interface service tcp ssh ssh
    !
    nat (inside,outside) after-auto source dynamic any interface
    nat (outside,outside) after-auto source dynamic any interface

    The key is that you need a NAT statement explicitly reflecting the VPN traffic. PSC

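
The following is an added example, not code from the thread or from Cisco. It turns the three rules in the answer above into a check that can be run against an ASA 8.3+ NAT section: it sorts twice-NAT and object-NAT lines into the three evaluation sections, flags 'any' used as a NAT interface, flags a VPN-pool identity (exemption) rule that is not in section 1, and, for a full-tunnel (tunnelall) pool, flags the absence of an (outside,outside) dynamic PAT rule. The two sample NAT sections are constructed from the poster's "sh run" and from the answer's suggested config; the interface names and NETWORK_OBJ_192.168.4.0_24 come from the posted config, while the section model and report format are my own simplification.

```python
"""Check an ASA 8.3+ NAT section against the three rules given in the answer above.

Added example, not from the original thread or from Cisco. Models the NAT
table as three ordered sections (1: manual twice NAT, 2: object NAT,
3: manual after-auto) and reports configurations the answer warns against.
"""
import re

# Manual (twice) NAT: top-level 'nat (src,dst) [after-auto] source static|dynamic ...'
TWICE_RE = re.compile(
    r"^nat \((?P<src>[^,]+),(?P<dst>[^)]+)\)(?P<after> after-auto)? "
    r"source (?P<kind>static|dynamic) (?P<rest>.*)$")
# Object NAT: indented 'nat (src,dst) static|dynamic ...' under an object network
OBJECT_NAT_RE = re.compile(
    r"^\s+nat \((?P<src>[^,]+),(?P<dst>[^)]+)\) (?P<kind>static|dynamic) (?P<rest>.*)$")


def parse_nat(config):
    """Return NAT rules tagged with their section, in the order the ASA evaluates them."""
    rules = []
    for line in config.splitlines():
        if m := TWICE_RE.match(line):
            rules.append({"section": 3 if m["after"] else 1, "src": m["src"], "dst": m["dst"],
                          "kind": m["kind"], "rest": m["rest"].strip()})
        elif m := OBJECT_NAT_RE.match(line):
            rules.append({"section": 2, "src": m["src"], "dst": m["dst"],
                          "kind": m["kind"], "rest": m["rest"].strip()})
    return sorted(rules, key=lambda r: r["section"])


def audit_nat(config, vpn_pool_obj, tunnel_all=True, outside="outside"):
    """Return a list of findings; an empty list means the section follows the answer's rules."""
    rules = parse_nat(config)
    findings = []
    for r in rules:
        if "any" in (r["src"], r["dst"]):
            findings.append(f"'any' used as NAT interface in section {r['section']}: "
                            f"({r['src']},{r['dst']}) {r['kind']} {r['rest']}")
    # identity twice NAT for the pool: 'source static X X destination static POOL POOL'
    exemptions = [r for r in rules if r["kind"] == "static"
                  and vpn_pool_obj in r["rest"] and "destination static" in r["rest"]]
    if not exemptions:
        findings.append(f"no identity (exemption) rule mentions {vpn_pool_obj}")
    for r in exemptions:
        if r["section"] != 1:
            findings.append(f"VPN exemption for {vpn_pool_obj} is in section {r['section']}; "
                            "it belongs in manual NAT before object NAT")
    if tunnel_all:
        hairpin = [r for r in rules if r["src"] == outside and r["dst"] == outside
                   and r["kind"] == "dynamic"]
        if not hairpin:
            findings.append(f"tunnelall pool needs a ({outside},{outside}) dynamic PAT rule "
                            "so VPN clients can reach the internet")
    return findings


# Constructed from the NAT lines in the posted 'sh run'
BEFORE = """\
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
object network DEVWEB-SSH
 nat (inside,outside) static interface service tcp ssh ssh
"""

# The NAT section suggested in the answer
AFTER = """\
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
!
object network DEVWEB-SSH
 nat (inside,outside) static interface service tcp ssh ssh
!
nat (inside,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic any interface
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_nat(cfg, "NETWORK_OBJ_192.168.4.0_24") or ["clean"])
```

On the "before" section the check reports the (any,outside) object NAT and the missing (outside,outside) PAT; on the suggested "after" section it reports nothing.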
  • Windows 7 firewall, just after the power rules

    Hello

    Setting up a private peer-to-peer workgroup network (not homegroup, no servers or domain) of several Windows 7 PCs.  All network connections are defined as 'private' networks.  At this time, the Private firewall is disabled and the Public firewall is enabled.  Using a third-party remote administration tool (RAdmin) to connect to and control the PCs.

    Strange behavior right after turning a PC on.  I can ping from one PC to another, but the RAdmin tool fails to connect to a PC that has just been powered on.  The 'Public' Windows firewall log shows the RAdmin TCP packets dropped.  Once someone has logged on locally to the computer and then logged off, the RAdmin packets are no longer logged (dropped or permitted) by the Public firewall, and the RAdmin program works great.

    I added a test rule to allow all TCP traffic through any firewall profile from any PC, any user, any port, etc. (essentially wide open) and still have the problem where RAdmin's specific TCP packets are dropped by the Public firewall.

    I can get it to work by setting 'inbound connections' for the Public firewall to 'Allow', but that is not an acceptable solution.

    I worked with the provider of the 3rd-party software (Famatech) and they also have no idea why it works this way.

    Any ideas how the Windows 7 firewall works right after the PC is powered on, but before the user logs in?  Any ideas how I can make an acceptable firewall rule which will be in force after power-on but before the user logs in?

    Thank you in advance for any help or other ideas,

    Rick

    Answered my own question.  Found that a Local GPO was set to not merge user-defined rules.  When I moved the RAdmin rule into the local Group Policy object, the problem went away.

  • Does Cisco have software or a device that can save the NAT information?

    Hi experts,

    There is a government rule in our country to keep at least 90 days of NAT logs (or so-called source traces) if a market or hotel provides internet services.

    I just want to know, does any Cisco device support this?

    ASA or Firepower with ISE and internal drives?

    Thank you very much.

    Of course, ASAs will log all the NAT actions they take, as well as all the connection records, assuming that you have logging enabled at the correct level.

    You should send your syslog events to an external server for history archiving.

    See something like this thread:

    https://supportforums.Cisco.com/discussion/12515061/show-NAT-tranlations...

  • Cannot delete a NAT rule

    Hello

    I made a typing mistake in the CLI for a NAT rule and I can't delete it because it tells me it is in use...

    UC540(config)#no ip nat inside source static A.B.C.D interface Dialer0
    % Static entry in use, cannot be deleted

    Any idea how to remedy this?

    Thanks in advance,

    Roman

    Hello Romain,

    I'm really not an expert on IOS, but I found this on Google; I don't know however if it works:

    "You may need to remove the ip nat inside and ip nat outside interface commands, and then clear the translations before you can remove it." This is an example from SDM:

    interface Ethernet0
     no ip nat inside
     exit
    interface Ethernet1
     no ip nat outside
     exit
    clear ip nat translation forced
    no ip nat inside source static tcp 172.16.5.2 3389 interface Ethernet1 3389
    interface Ethernet0
     ip nat inside
     exit
    interface Ethernet1
     ip nat outside
     exit

    Nice day.

    Dominique.

  • LAN-to-LAN with inside NAT

    Hi all

    I have a LAN-to-LAN VPN connection back to HO from a remote location. This router also has some NAT set up to allow RDP access from the internet, etc.

    Is there a way to allow RDP using the internal address of the server once the NAT is in place? Currently, I can only access the server over RDP via its public address.

    Thanks in advance

    ip nat inside source static tcp 172.28.9.1 3389 interface Dialer0 3389

    Thank you

    Hi Glen,

    It works, and that is why you should use PBR (policy-based routing). Assuming the remote end subnet is 192.168.1.0/24.

    Here are the steps that you must follow:

    1: create an access list to identify the traffic:

    access-list 101 permit ip host 172.28.9.1 192.168.1.0 0.0.0.255

    2: create a loopback interface:

    interface Loopback1
     ip address 1.1.1.1 255.255.255.0
     exit

    3: create a route-map for PBR:

    route-map pol_nat permit 10
     match ip address 101
     set ip next-hop 1.1.1.2
     exit

    4: apply the route-map to the LAN interface:

    interface FastEthernet0/0
     ip policy route-map pol_nat
     exit

    That should do it!

    * Please rate if helped.

    -Kanishka

  • Understanding NAT translation with a route-map

    Hello

    I'm trying to configure an EZVPN server on an ASA and an EZVPN client on an 881 router. I found this in the documentation for the NAT translation on the client side.

    My confusion is why I should use the deny statement in the access list? If anyone can explain this, I'd appreciate it.

    ip nat inside source route-map EzVPN1 interface FastEthernet4 overload

    access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 103 permit ip 192.168.3.0 0.0.0.255 any

    route-map EzVPN1 permit 1
     match ip address 103

    Hello

    So here is the explanation for the 'deny' statement in the ACL used for NATing.

    Based on the config, 192.168.3.x here is the network behind your 881 and 192.168.2.x is the network behind the ASA. Let's suppose you're trying to connect from 192.168.3.10 to 192.168.2.10. When this packet arrives at the 881, it first checks the inbound features on the incoming interface (such as ACLs, policies, service policies, etc.), and before checking the IPsec security associations it checks the NAT configuration.

    Now, your IPsec security association will specify 192.168.3.x to 192.168.2.x traffic to be encrypted and then sent. If we did not have the 'deny' statement in the ACL, the 881 would NAT the incoming packets and the source IP in the packet would get changed to the IP address of the FastEthernet4 interface.

    This no longer matches the IPsec SA configuration and therefore does not get encrypted. Therefore, we must have the 'deny' statements to ensure that VPN traffic is not NATed and is therefore encrypted correctly.

    Hope this helps!
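
The following is an added example, not code from the thread or from Cisco IOS. It simulates the NAT decision the answer above describes: ACL 103 from the post is parsed (IOS wildcard-mask form), first-match semantics are applied, and a flow is translated only when the first matching ACE is a permit, so the deny ACE keeps 192.168.3.0/24 to 192.168.2.0/24 traffic untranslated and matching the IPsec SA. The three test flows and the FastEthernet4 address 203.0.113.4 are constructed; the ACL lines are the ones posted.

```python
"""Simulate the NAT decision of 'ip nat inside source route-map EzVPN1 interface FastEthernet4 overload'.

Added example, not part of the thread or of Cisco IOS. First-match on the
route-map's ACL decides: permit -> translate, deny (or no match) -> leave the
source address untouched so the packet still matches the IPsec SA.
Supports the 'addr wildcard', bare host and 'any' forms used in the post.
"""
import ipaddress
import re

ACE_RE = re.compile(
    r"^access-list (?P<num>\d+) (?P<action>permit|deny) ip "
    r"(?P<src>\S+)(?: (?P<smask>\d+\.\d+\.\d+\.\d+))? "
    r"(?P<dst>\S+)(?: (?P<dmask>\d+\.\d+\.\d+\.\d+))?$")

# ACL 103 exactly as posted in the thread
ACL_103 = """\
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
"""

FA4_ADDRESS = "203.0.113.4"  # assumed outside address of FastEthernet4 (not from the post)


def _to_network(addr, wildcard):
    """Convert IOS 'address wildcard' to an ipaddress network; 'any' covers everything."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if wildcard is None:                     # bare address means a single host
        return ipaddress.ip_network(f"{addr}/32")
    # an IOS wildcard mask is the bitwise inverse of the subnet mask
    netmask = ipaddress.ip_address((~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_acl(text):
    """Return [(action, src_network, dst_network)] in configured order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((m["action"], _to_network(m["src"], m["smask"]),
                         _to_network(m["dst"], m["dmask"])))
    return aces


def nat_decision(aces, src, dst):
    """True if the flow is translated: first matching ACE is a permit.
    A deny, or no match at all (implicit deny), means no translation."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in aces:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def translate(aces, src, dst, outside_ip=FA4_ADDRESS):
    """Source address the packet leaves the 881 with."""
    return outside_ip if nat_decision(aces, src, dst) else src


if __name__ == "__main__":
    aces = parse_acl(ACL_103)
    # constructed flows: VPN traffic, internet traffic, and a source not covered by the ACL
    for src, dst in [("192.168.3.10", "192.168.2.10"),
                     ("192.168.3.10", "198.51.100.7"),
                     ("10.9.9.9", "198.51.100.7")]:
        print(f"{src} -> {dst}: source leaves as {translate(aces, src, dst)}")
```

The VPN flow keeps 192.168.3.10 as its source and so still matches the IPsec SA; the internet-bound flow is PATed to the FastEthernet4 address; a source outside 192.168.3.0/24 matches nothing and is also left alone.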
