NAT issue for ASA running 8.4(5)

We have a client who is about to hang an ASA off the DMZ of our firewall, which is running 8.4(5). This firewall is currently on another part of our network, and the NAT will change considerably. Now, everything on the client firewall must be NATed on the outside to the same IP it has on the inside, for example like the old "static (inside,outside) 172.16.16.0 172.16.16.0 netmask 255.255.255.0" command.

When I look at the Cisco document for NAT migration (http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp96828), I do not see every conversion between the two. This is not a "nat 0" case, because users need access to certain hosts inside our customer's firewall.

Can someone please point me in the right direction? Thank you

Hello

Let's assume that the following is true:

  • The new ASA has 'inside' and 'outside' networks/interfaces only
  • The new ASA should NOT do ANY NAT from 'inside' to 'outside' for any kind of traffic (your firewall handles this?)

Then you can simply have the ASA with absolutely no NAT configuration. ASAs with software releases 8.3 and above automatically pass all traffic through the ASA un-NATed. We use this with one customer and it works very well.

Please let me know if the above is the case, or if there is anything else I am not thinking of.

-Jouni

Tags: Cisco Security

Similar Questions

  • Issue of NAT for VPN

    If I have a LAN of 10.1.1.0/24 and I want to NAT all of the hosts to 192.168.1.0/24, I really don't want to create an object for each unique host on the network, because that is just a lot. I just wanted to confirm: by creating two objects and then NATting them, I only have to configure one NAT, right?

    object network obj-10.1.1.0
     subnet 10.1.1.0 255.255.255.0
    !
    object network obj-192.168.1.0
     subnet 192.168.1.0 255.255.255.0
    !
    nat (inside,outside) source static obj-10.1.1.0 obj-192.168.1.0 destination static remote remote

    Now when the remote network needs access to hosts on network 10.1.1.0/24, they should just be able to access them as:

    10.1.1.1 will map to 192.168.1.1
    10.1.1.2 will map to 192.168.1.2
    10.1.1.3 will map to 192.168.1.3

    and so on...?

    In addition,

    A test on my home ASA

    Configuration

    object network LAN
     subnet 10.0.0.0 255.255.255.0
    object network REMOTE
     subnet 10.0.1.0 255.255.255.0
    object network LAN-NAT
     subnet 10.0.100.0 255.255.255.0
    nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE

    LAN to REMOTE

    ASA(config)# packet-tracer input LAN tcp 10.0.0.10 1025 10.0.1.1 80

    Phase: 3

    Type: NAT

    Subtype:

    Result: ALLOW

    Config:

    nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE

    Additional information:

    Static translate 10.0.0.10/1025 to 10.0.100.10/1025

    REMOTE to LAN

    ASA(config)# packet-tracer input WAN tcp 10.0.1.100 1025 10.0.100.10 80

    Phase: 1

    Type: UN-NAT

    Subtype: static

    Result: ALLOW

    Config:

    nat (LAN,WAN) source static LAN LAN-NAT destination static REMOTE REMOTE

    Additional information:

    NAT divert to egress interface LAN

    Untranslate 10.0.100.10/80 to 10.0.0.10/80

    -Jouni
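    As an added example, not code from either post above, the following Python helper renders a pre-8.3 "static" line (such as the 172.16.16.0 identity static in the original question) in the 8.3+ object plus "nat ... source static" form used in this thread, and works out which mapped address an inside host receives (the 10.1.1.1 to 192.168.1.1 mapping asked about above). The function names and the obj-<network> object naming are this example's own choices.

```python
# Added example: pre-8.3 "static" line -> 8.3+ object + manual ("twice") NAT,
# plus the per-host mapping of a static network NAT. Function names and the
# obj-<network> object naming are this example's own choices, not Cisco's.
import ipaddress
import re

# pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_addr real_addr netmask mask
_STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)\s*$"
)


def parse_static(line):
    """Split one pre-8.3 'static' line into interfaces and real/mapped networks."""
    m = _STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pre-8.3 static NAT line: {line!r}")
    mask = m["mask"]
    return {
        "real_if": m["real_if"].strip(),
        "mapped_if": m["mapped_if"].strip(),
        # strict=False tolerates an address with host bits set under the mask
        "real": ipaddress.ip_network(f"{m['real']}/{mask}", strict=False),
        "mapped": ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False),
    }


def _object_lines(name, net):
    """'object network' block for a single host or a subnet."""
    if net.prefixlen == 32:
        return [f"object network {name}", f" host {net.network_address}"]
    return [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]


def to_object_nat(entry):
    """8.3+ equivalent: network object(s) plus one 'nat ... source static' rule.

    An identity static (mapped == real) reuses one object on both sides. Manual
    NAT rules match first-hit in order, so keep identity rules ahead of broader
    dynamic rules when pasting the output into a config.
    """
    real_name = f"obj-{entry['real'].network_address}"
    lines = _object_lines(real_name, entry["real"])
    if entry["mapped"] == entry["real"]:
        mapped_name = real_name
    else:
        mapped_name = f"obj-{entry['mapped'].network_address}"
        lines += _object_lines(mapped_name, entry["mapped"])
    lines.append(
        f"nat ({entry['real_if']},{entry['mapped_if']}) source static "
        f"{real_name} {mapped_name}"
    )
    return lines


def map_address(entry, real_host):
    """Mapped address of one real host under static network NAT (host bits kept)."""
    host = ipaddress.ip_address(real_host)
    real, mapped = entry["real"], entry["mapped"]
    if host not in real:
        raise ValueError(f"{host} is not inside {real}")
    offset = int(host) - int(real.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + offset)
```

    Feeding the old "static (inside,outside) 172.16.16.0 172.16.16.0 netmask 255.255.255.0" line to to_object_nat(parse_static(...)) yields one object and one identity rule; a real/mapped pair such as 10.1.1.0 to 192.168.1.0 yields two objects and map_address confirms 10.1.1.3 lands on 192.168.1.3.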

  • I need VPN gateway to gateway with NAT for several subnets, RV082

    I have a pair of RV082 routers and I would like to configure a gateway-to-gateway VPN tunnel, as described in a book, "How to configure a VPN tunnel that routes all traffic to the remote gateway" (file name Small_business_router_tunnel_Branch_to_Main.doc). I followed this recipe and found that while the main office has internet connectivity, the branch subnet has no internet connection.

    Routing behaves as advertised, where all traffic goes to the head office. However, the 192.168.1.0 subnet in the branch receives no internet connectivity. I read in other posts that the main router will only provide NAT for its local subnet, not for the branch office subnet. Is it possible to configure the RV082 router to provide NAT for all subnets?

    If this is not the case, what Cisco product will provide VPN tunnel connectivity as well as NAT for all subnets? Can the RV082 be used as part of the final solution, or are my RV082s a wasted expense?

    Here is the configuration that I had put in place (real IPs and IKE keys are false).

    Gateway to Gateway

                                          Remote                      Head Office

    Add a New Tunnel

    Tunnel No.:                           1                           2
    Tunnel Name:                          n1 n1-2122012_n2-1282012-2122012_n2-1282012
    Interface:                            WAN1                        WAN1
    Enable:                               yes                         yes
    --------------------------------------------------------------------------------
    Local Group Setup

    Local Security Gateway Type:          IP Only                     IP Only
    IP Address:                           10.10.10.123                10.10.10.50
    Local Security Group Type:            Subnet                      Subnet
    IP Address:                           192.168.1.0                 0.0.0.0
    Subnet Mask:                          255.255.255.0               0.0.0.0
    --------------------------------------------------------------------------------
    Remote Group Setup

    Remote Security Gateway Type:         IP Only                     IP Only
    IP Address:                           65.182.226.50               67.22.242.123
    Remote Security Group Type:           Subnet                      Subnet
    IP Address:                           0.0.0.0                     192.168.1.0
    Subnet Mask:                          0.0.0.0                     255.255.255.0
    --------------------------------------------------------------------------------
    IPSec Setup

    Keying Mode:                          IKE with Preshared key      IKE with Preshared key
    Phase 1 DH Group:                     Group 5 - 1536 bit          Group 5 - 1536 bit
    Phase 1 Encryption:                   DES
    Phase 1 Authentication:               MD5                         MD5
    Phase 1 SA Life Time:                 2800 seconds                2800 seconds
    Perfect Forward Secrecy:              Yes                         Yes
    Phase 2 DH Group:                     Group 5 - 1536 bit          Group 5 - 1536 bit
    Phase 2 Encryption:                   DES
    Phase 2 Authentication:               MD5                         MD5
    Phase 2 SA Life Time:                 3600 seconds                3600 seconds
    Preshared Key:                        MyKey                       MYKey
    Minimum Preshared Key Complexity:     Enable Yes                  Enable
    --------------------------------------------------------------------------------

    If you are running 4.x firmware on your RV082, you must add an additional Allow access rule so that the Branch Office subnet (considered one of the multiple subnets of the main office) can have access to the internet. The release notes for that firmware version have more details about it.

    http://www.Cisco.com/en/us/docs/routers/CSBR/rv0xx/release/rv0xx_rn_v4-1-1-01.PDF

  • HOW to configure NAT on ASA 5505

    Hello guys

    first of all, thank you to everyone in the Cisco community; they have helped me a lot, without an expert or a university...

    Today, I have some question on NAT

    We HAVE a site-to-site VPN, and it works very well. Our partner company demands that we use the public IP address instead of the private IP address in the encryption domain, and they said you have to NAT the private to the public IP address. Really, we don't know how to NAT on a Cisco ASA 5505.

    THIS IS THE CASE

    OUR COMPANY = USES CISCO ASA 5505

    OUR PUBLIC IP ADDRESS: 155.155.1555.20

    PRIVATE IP: 192.168.7.2 IS OUR LINUX SERVER, SO HOW CAN WE NAT THIS PRIVATE IP AND CHANGE IT TO THE PUBLIC ONE?

    Thank you very much

    If you have 1 public IP address and it is assigned to your ASA outside interface, then you need to configure static PAT (you will need to know what exactly they want to access and configure the specific port they need).

    However, if you have a spare public IP address, then you don't need to know exactly what they need to get to, and you can configure the linux server to use the spare public IP.

    Also, do they need to access the linux server using the public IP via the VPN tunnel (encrypted)? Or are they happy to access it only via the internet (clear text)?

  • Public IP address for ASA

    Hello...

    We have a Cisco 2851 router and an ASA firewall. The IP phones and the ISP connection are configured on the router. The ISP is directly plugged into the router and the ASA firewall is connected to the router. We want to configure VPN on the router. We have public IP addresses available. If I configure VPN on the firewall, I need to configure the local IP address of the firewall to the public IP address. So how do you configure the firewall's local IP to a public IP? Where do we set that up, on the router or on the firewall? Please see the configuration of my router and firewall...

    Help, please...

    The ASA would generally be where you configure your public IP address. The firewall must normally have a public IP address on the outside interface for this to work. Once it does, you can perform dynamic NAT for outbound connections ("global (outside) 1 xxx.xxx.xxx.185 netmask 255.255.255.255" does this).

    But in the config you posted, your outside interface address is private (RFC 1918):

    interface Ethernet0/3
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address 192.168.255.2 255.255.255.252

    In addition, that /30 only gives you two addresses - one for the ASA and the other for Gi0/0 of the router (per the router config you also attached). It is a weird setup, but it seems to have been hacked together to work using the routing statement on the router "ip route xxx.xxx.xxx.184 255.255.255.248 192.168.255.2".

    It's really a bit of a mess, and extending it further may be possible but will make it even more complicated. I advise you to have someone sit down and rework the way public IP addresses are routed, to make it look like a more typical configuration.

  • Parsed twice for each execution?

    Oracle 11.2.0.3 Std Ed One

    Oracle Linux 5.6 64-bit

    New guy was trying to use MS Data Integrator to load 1.7 million rows from MSSQL to Oracle. The process took more than 4 hours. I started a 10046 trace on the session, let it run for about 5 minutes, then produced the tkprof report. As I expected, the process was slow-by-slow processing, issuing an INSERT for each row. But what I wasn't expecting was that the parse count was twice the number of executions. I am at a loss to explain this.

    call     count       cpu    elapsed       disk      query    current        rows
    ------- ------  -------- ---------- ---------- ---------- ----------  ----------
    Parse    83226      1.21       1.21          0          0          0           0
    Execute  41613     41.41      43.19  54173228278641613
    Fetch        0      0.00       0.00          0          0          0           0
    ------- ------  -------- ---------- ---------- ---------- ----------  ----------
    total   124839     42.62      44.41  54173228278641613

    Misses in library cache during parse: 1

    Misses in library cache during execute: 1

    Optimizer mode: ALL_ROWS

    I convinced the new guy to let me write a simple PL/SQL proc to do an INSERT ... SELECT, and it ran in under 4 minutes... but I'm still curious about this parse count. In fact, I'm a bit puzzled by the results on my proc as well. This time, 1 execution (as expected) but ZERO parses?

    call     count       cpu    elapsed       disk      query    current        rows
    ------- ------  -------- ---------- ---------- ---------- ----------  ----------
    Parse        0      0.00       0.00          0          0          0           0
    Execute      1    106.03     193.34  144849822433678739292
    Fetch        0      0.00       0.00          0          0          0           0
    ------- ------  -------- ---------- ---------- ---------- ----------  ----------
    total        1    106.03     193.34  144849822433678739292

    Misses in library cache during parse: 0

    Misses in library cache during execute: 1

    Optimizer mode: ALL_ROWS

    Parsing user id: 656 (recursive depth: 1)

    Clearly it can 'parse' without 'execute'.

    I've seen this before.

    Here are examples of how this occurs:

    SQL Statement With Some Parses But No Executions Or Fetches On Remote Database In Distributed SQL (Doc ID 580301.1)

    Parse Count Is High, But No Executions (Doc ID 1335913.1)

  • Instrument driver for Agilent 8960 for running CDMA tests

    Hi, just wondering if there is an instrument driver for the Agilent 8960 for running CDMA tests? I know the 8960 has E1963 and E1968, but 1963 is designed for W-CDMA and 1968 for GSM/GPRS/EGPRS. So is there a driver designed for CDMA mode? Thank you very much!

    Unfortunately, there is not one currently. When I search the Instrument Driver Network, I can't find either of the drivers you pointed out.

    Brandon Treece

    Technical sales engineer

    National Instruments

  • For loop runs with the value of N unwired

    In this case, will a For loop run with the loop's N unwired? I have seen a few examples of a For loop running without a set number of iterations wired to N, using for example an array size or something like that.

    PauldePaor wrote:

    Here's a program of mine, and as you can see in the image, the program runs without the loop's N being wired. The program will run without problem.

    As everyone else has said, you don't have to wire something to N. If you wire an array to a For loop input with "auto-index" enabled, the For loop will automatically run for the smallest array size.

    Perhaps an example will help:

    This loops over my array size (in this case, 5 elements long). The [] brackets on the edge of the For loop indicate that it is auto-indexed. The loop should go through each item one at a time (1, then 2, then 3, then 4, then 5).

  • Capturing sequences of images - issues with nested For loops

    Hi all

    I've written a VI to capture a number of images ("Image") and save these images to a folder of my choice. Each image is identified sequentially. However, I would like to make a number of iterations ("Run") of this capture sequence, such that each image file name would be "Filename (Run)_(Image_No).png", for example run 5, image 10: "Filename 5_10.png". I tried a nested For loop for this, but I get an error message 'Current asynchronous I/O operation' (I have attached a screenshot).

    Can someone help me solve this problem? Please find my VI attached.

    Kind regards and thanks,

    Miika

    Hi toto26,

    Thank you for your response. I solved the problem by using a flat sequence structure - file handling in the first frame and all the processing in the second.

    Kind regards

    Miika

  • How can I stop my computer from going to the screen saver when, for example, I run a scan of the computer? Sometimes my scan takes a long time to finish.

    My problem is: how can I stop my computer from going to the screen saver when, for example, I run a scan of the computer? Sometimes my scan takes a long time to finish. For example, I have Microsoft Security Essentials set to run daily at 12:00 AM, and until it finishes my computer goes to screen saver mode. When I click my mouse, I must sign in to my computer all over again. How do I stop this from happening? I want to keep my Security Scan open until it finishes.

    Any solutions for this?

    Original title: Windows Vista systems

    Hello

    This can help you:

    "Turn the screen saver on or off"

    http://Windows.Microsoft.com/en-us/Windows/turn-screen-saver-on-off#1TC=Windows-Vista

    And this is how to change the time to wait before the screen saver comes on (item 8) and how to disable the password prompt on resume (item 9):

    http://www.Vistax64.com/tutorials/85539-screen-saver.html

    "How to Disable or Enable Password Protection on Wakeup in Vista"

    http://www.Vistax64.com/tutorials/102686-password-protection-wakeup.html

    See you soon.

  • Has Microsoft ever issued an update for the Win7 disk defragment utility?

    Has Microsoft ever issued an update for the Win7 disk defragment utility? Thank you.

    Original title: Win7 updates

    To my knowledge, the Windows 7 Defragmenter has not been updated since release. Do you have a problem with it?

  • Cisco Anyconnect/WebVPN license for ASA 5510

    Hello

    Could someone please check the attached licenses for the ASA 5510 and let me know. We currently have an ASA 5510 with the base license. According to the attached table, under VPN sessions it mentions "250 combined IPsec and WebVPN SESSIONS", and for "Max WebVPN Sessions on box" it mentions 2 sessions; beyond that we must buy the optional WebVPN license. While we have the 250 combined license for IPsec and WebVPN, must we purchase an additional AnyConnect license to set up remote access for users who want to use internal resources from outside the network? Or else, do we not have to purchase a license and can we configure WebVPN/AnyConnect for existing users with the existing combined basic ASA license? Waiting for your response. Thank you.

    You are welcome.

    1. Yes

    2. AnyConnect requires no Java, but it can use it when connecting to an AnyConnect SSL VPN client and launching via the web browser start option, which is Java-based. There was a bug with old AnyConnect versions that later versions should have addressed. You also have the option to launch via IE using ActiveX, or simply launch AnyConnect directly - neither of these two methods requires Java.

    Here is a TAC document on the Java questions if you want more details.

    Please take a moment to rate helpful posts and mark your questions as answered.

  • TACACS for ASA 5550

    Hello

    How do I configure TACACS for an ASA 5550 with ACS 4.2? I have two ASAs, one is active and the other is in standby mode. Please tell me how to set it up. I couldn't find any good docs either.

    Thank you.

    Hi Gavin,

    Here is the sample config for the ASA's telnet authentication from TACACS:

    username admin password xxxxx privilege 15
    aaa-server TEST protocol tacacs+
    aaa-server TEST (inside) host x.x.x.x yyy
      [x.x.x.x is the IP address of the TACACS server, reachable from the inside interface, and yyy is the shared secret key]
    aaa authentication telnet console TEST LOCAL
      [sends the telnet authentication request to the TACACS server first and, if it is not reachable, uses the ASA's local database]
    aaa authentication ssh console TEST LOCAL
      [same as above but for SSH sessions]
    aaa authorization exec authentication-server
      [enables exec authorization for the telnet and SSH sessions]
    aaa authentication http console TEST LOCAL
      [for HTTP]
    aaa accounting command TEST
      [accounts for all commands entered in the telnet or SSH session]

    On the TACACS server we need to add this ASA as an AAA client with shared secret key yyy.

    You can find more details here:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/mgaccess.html#wp1042026

    On the ACS, you need to add the ASA as a device under Network Configuration with the TACACS+ protocol.

    Thank you

    Vinay

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • VPN with static NAT for a whole subnet

    Hey there,

    For some reason, I can't do this on the router. Errrr...

    I'm trying to configure a static NAT (many to one) which will be in effect only when traffic needs to go over our VPN tunnel to the remote location.

    example:

    internal LAN 192.168.0.0

    remote network: 10.10.10.0 and 10.10.15.0

    When traffic passes over the VPN tunnel to the remote site, I need to translate my internal network (192.168.0.0) to a static IP address, 172.16.32.65.

    any ideas?

    Also, in my crypto map ACL, what must be specified as interesting traffic? My local network or the static NAT IP address?

    Let me know your thoughts on the matter.

    Kind regards

    R.

    The NAT you describe is called PAT or overload, at least in Cisco terms...

    What you need:

    (1) a NAT ACL in which you describe the traffic that should be NATted

    (2) a NAT pool with your 172.16.32.65 address

    (3) a NAT statement for dynamic inside NAT based on the ACL, using the pool

    Here are some examples:

    http://www.Cisco.com/en/us/docs/iOS/ipaddr/configuration/guide/iadnat_addr_consv_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1073436

    Your crypto ACL then refers to the NATted IP, as NAT happens before encryption.

  • I can't get Premiere CS5 running under Windows 10 to import .mov files. MOV files will play on Windows 10 directly.

    I can't get Premiere CS5 running under Windows 10 to import .mov files. MOV files will play on Windows 10 directly. Can anyone help? I tried loading QuickTime Player, but it will not work with Windows 10.

    You need to find an older version of QuickTime, from Apple, that can be installed on Win10.
