NAT issue?

Hello

I have a VPN link between a hub side (3660 router) and a remote side (2651 router). The link is in place and works very well. On the hub side I have a few available public IP addresses which I would like to map to servers on the remote side, behind the 2651 router. Is it possible to do this, and how? Thanks in advance.

Hello

Yes, it is possible.

If you want servers on the 2651 side to serve clients on the internet, you will first need to do one of two things:

(1) the servers at the remote site must have a default route that goes through the VPN to the hub side, or

(2) you use bidirectional NAT so that clients on the internet appear to come from a specified routable segment, which is then routed from the remote site towards the hub.

It is easier to use option 1), but if you cannot change the default route to use the VPN, you use option 2) with its potential drawbacks.

Here is a link to the Cisco NAT support page, which has many examples:

http://www.Cisco.com/en/us/Tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html

Here is a link to a 'beginners guide' for NAT:

http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic6

Bidirectional NAT means using an inside global pool (your available public addresses) and an outside local pool (the pool of addresses that all clients on the internet would be hidden behind), like this:

On the hub side:

! Configure the outside NAT (internet clients mapped to a routable subnet)
ip nat pool inet-clients 192.168.0.1 192.168.127.255 netmask 255.255.128.0
ip nat outside source list 1 pool inet-clients
access-list 1 permit any
!
! Configure the inside NAT (public addresses mapped to the internal addresses)
ip nat inside source static 10.10.10.1 192.0.2.1
ip nat inside source static 10.10.10.2 192.0.2.2
ip nat inside source static 10.10.10.3 192.0.2.3

Where 10.10.10.x is your remote-side network and 192.0.2.x are your public IP addresses. I used half of the 192.168.0.0/16 block for inet-clients, but you can of course change it at will...

On the remote site:

!
ip route 192.168.0.0 255.255.128.0 x.x.x.x
!

Where x.x.x.x is the next hop across the VPN tunnel, or you need to use an ACL if you use split tunnelling, or something else... :)

Did this help?
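The hub-side configuration written out in full, as an added example that is not part of the reply above. It fills in the two things the snippet leaves implicit: which interface carries "ip nat inside" and which "ip nat outside", and the routes the hub itself needs for the translated traffic to flow in both directions. The interface names, the WAN and tunnel addressing (198.51.100.0/30 and 172.16.255.0/30), the assumption that the VPN terminates on a tunnel interface rather than as a crypto map on the physical interface, and the inbound ACL 110 with its port list are all assumptions chosen for the example.

```cisco
! Hub 3660 -- added example; interface names, addressing and ACL 110 are assumptions
!
! Internet-facing interface: NAT "outside". The public 192.0.2.x addresses
! only exist on this side of the router.
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip access-group 110 in
!
! Tunnel toward the 2651: NAT "inside", even though the servers sit at the
! remote site. IOS only translates between an inside and an outside
! interface, so the remote subnet must enter the hub on an "ip nat inside" one.
interface Tunnel0
 ip address 172.16.255.1 255.255.255.252
 ip nat inside
!
! Outside source NAT: every internet client is hidden behind 192.168.0.0/17.
! The remote servers therefore answer to 192.168.x.y, which the remote
! router routes back over the tunnel instead of out its own default route.
ip nat pool inet-clients 192.168.0.1 192.168.127.255 netmask 255.255.128.0
ip nat outside source list 1 pool inet-clients
access-list 1 permit any
!
! Inside source NAT: one public address per remote server.
ip nat inside source static 10.10.10.1 192.0.2.1
ip nat inside source static 10.10.10.2 192.0.2.2
ip nat inside source static 10.10.10.3 192.0.2.3
!
! Routes the hub needs: the remote subnet over the tunnel, and a default
! route out the WAN. The default route also covers 192.168.0.0/17, which
! matters because for inside-to-outside traffic IOS routes the packet
! first and translates it second; without a route for the pool the server
! replies would be dropped before NAT ever rewrites them.
ip route 10.10.10.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! NAT is not a firewall: a static 1:1 entry exposes every port of the
! server. Filter inbound on the outside interface; the ACL sees the
! pre-translation (public) addresses because it runs before NAT.
access-list 110 permit tcp any host 192.0.2.1 eq 443
access-list 110 permit tcp any host 192.0.2.2 eq 25
access-list 110 permit tcp any host 192.0.2.3 eq 80
access-list 110 deny   ip any 192.0.2.0 0.0.0.7
! ... then whatever the hub's existing inbound policy is (VPN peer,
! return traffic for the hub's own users, etc.)
access-list 110 permit ip any any
```

To check it is working, "show ip nat translations" on the hub should list the three static inside entries plus one dynamic outside entry (internet client address to a 192.168.0.0/17 address) per active client; if the outside entries appear but the connection still fails, the remote 2651 is missing the 192.168.0.0/17 route toward the tunnel.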

Tags: Cisco Security

Similar Questions

  • Xbox 360 NAT issues?

    My Xbox 360 Live connection was working fine a few days ago.  Now I can't join parties or chats.  I was told that this is a NAT problem.  Does anyone know how to fix it?  I have a WRT54G.

    Who is your Internet service provider...?

    Try reducing the MTU to 1365, then click on the 'Administration' tab, disable the UPnP option and click on Save Settings... Now check the connection.

    If this does not resolve the problem, then try updating the router's firmware.

  • Static Nat issue unable to resolve everything tried.

    Hello

    I have a Cisco ASA 5515 with ASA firmware 9.4.1 and ASDM 7.4.

    I have a problem configuring static NAT. I have a server inside whose IP is 172.16.1.85, and

    my external interface is configured with a static IP address.

    Internet works fine, but I cannot get static NAT configured...

    Here's my running config; please check it and let me know what I'm missing...

    Thank you

    ASA Version 9.4(1)
    !
    hostname ciscoasa
    names
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 151.253.97.182 255.255.255.248
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 172.16.1.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    boot system disk0:/asa941-smp-k8.bin
    ftp mode passive
    object service remote-desktop
     service tcp source eq 3389 destination eq 3389
     description remote desktop
    object network RDP_SERVER
     host 172.16.1.85
    access-list outside_access_in extended permit object remote-desktop any4 object RDP_SERVER
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    no failover
    no monitor-interface service-module
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-743.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    !
    object network RDP_SERVER
     nat (inside,outside) static interface service tcp 3389 3389
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 151.253.97.177 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    http server enable
    http server idle-timeout 50
    http 192.168.1.0 255.255.255.0 management
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh stricthostkeycheck
    ssh 192.168.1.0 255.255.255.0 management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpdn username bricks12 password * store-local
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    dynamic-access-policy-record DfltAccessPolicy
    username imran password guVrfhrJftPA/rQZ encrypted privilege 15
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous

    ciscoasa#

    Hello

    Change this ACL:

    access-list outside_access_in extended permit object remote-desktop any4 object RDP_SERVER

    TO

    access-list outside_access_in extended permit tcp any4 object RDP_SERVER eq 3389

    Thank you and best regards,

    Maryse Amrodia

  • NAT issue ASA 5510

    Just upgraded my ASA 5510 from 8.2(1) to 8.4(4)1.  Well, everything seems to work, with one big exception.

    The NAT statements I had previously remained in force and even seem to be duplicated in some cases.

    Now, my question is: I've set up a DMZ interface (security level 50) and need a few servers there to connect to the inside interface (security level 100).  I created the necessary NAT statements in ASDM to allow the DMZ servers to connect to a single inside server.  However, all the servers in the DMZ can still ping and connect to ALL inside servers.

    Is there an easy way to limit this?  I'm trying to limit the number of servers on the internal network that the DMZ can access, but it seems that the DMZ has free rein at the moment.

    Happy to post my configs. I opened a TAC case, but this firewall is so new that the support contract has not yet been processed by Cisco.

    Thanks in advance.

    I'll look when I get home, but here is a quick answer.

    If 192.168.1.0/24 is the DMZ and 10.1.1.0/24 is inside:

    ! -- allow only DMZ host 192.168.1.40 to reach inside host 10.1.1.25
    access-list dmz_access_in permit ip host 192.168.1.40 host 10.1.1.25
    ! -- deny everything else to the inside network
    access-list dmz_access_in deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    ! -- allow the DMZ to reach the internet
    access-list dmz_access_in permit ip 192.168.1.0 255.255.255.0 any
    ! -- apply it inbound on the DMZ interface
    access-group dmz_access_in in interface dmz

    Samuel Petrescu

  • ASA Configuration of VPN Site to Site - NAT issues

    Greetings,

    I am responsible for configuring a site-to-site VPN connection to a business partner, in which I want to first NAT my internal IPs to public IP addresses and then send the traffic through the tunnel, and vice versa: when they try to access my servers, I want them to reach them through the external IP addresses.  Here's what I think I should do, but I was wondering what the community's thoughts were.

    All of the IP addresses represented below are fictitious.

    Internal server     Public IP address
    10.50.220.150       208.180.170.182
    10.50.220.151       208.180.170.183
    10.50.220.152       208.180.170.184

    Local peer IP: 208.180.254.29

    Remote peer IP: 207.190.218.31

    Local network: 208.180.170.0/24

    Remote network: 207.190.239.0/24

    From my understanding, NAT occurs before the traffic is sent into a tunnel, or to the internet, etc., so the configuration I think I need is the following:

    nat (inside) 0 access-list sheep
    nat (inside) 2 10.50.220.150 255.255.255.255
    nat (inside) 3 10.50.220.151 255.255.255.255
    nat (inside) 4 10.50.220.152 255.255.255.255
    global (outside) 2 208.180.170.182
    global (outside) 3 208.180.170.183
    global (outside) 4 208.180.170.184

    access-list sheep extended permit ip 208.180.170.0 255.255.255.0 207.190.239.0 255.255.255.0  (do I still need this, since it is NATed to a public IP address anyway?)

    access-list s2s-customer extended permit ip 208.180.170.0 255.255.255.0 207.190.239.0 255.255.255.0

    route outside 207.190.239.0 255.255.255.0 207.190.218.31

    crypto map outside 1 set peer 207.190.218.31

    crypto map outside 1 match address s2s-customer

    [... rest of the configuration omitted ...]

    Does that look right? If not, please advise.

    Thank you.

    Yes.

    PAT (nat/global) will take care of outgoing traffic and the static will take care of incoming traffic.

    You can create policy NAT as well to handle this traffic.

    Federico.

  • VPN / Natting issue - connectivity to 3rd Party Partner Site

    Hello

    I received a request to provide a connectivity solution between our private server 10.102.x.y and a 3rd-party partner server 10.247.x.y using a site-to-site VPN. I want to hide our real IP 10.102.x.y and replace it with 10.160.x.y (using NAT).

    The setup is the following:

    3rd-party partner server 10.247.x.y -> 3rd-party ASA FW -> IPsec VPN tunnel over the Internet -> Our ASA FW -> Our private server
    private IP 10.102.x.y
    NATed IP 10.160.x.y

    My config entered so far (still awaiting the 3rd party to set up their ASA):

    name 10.160.x.y OurNatdServer

    crypto isakmp policy 6
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 28800

    crypto ipsec transform-set 3rdParty esp-aes-256 esp-sha-hmac

    access-list 3rdParty extended permit ip host 10.160.x.y host 10.247.x.y

    tunnel-group 80.x.x.x type ipsec-l2l
    tunnel-group 80.x.x.x ipsec-attributes
     pre-shared-key xxxxxxxxx

    crypto map vpnmap 117 match address 3rdParty
    crypto map vpnmap 117 set peer 80.x.x.x
    crypto map vpnmap 117 set transform-set 3rdParty

    static (inside,outside) 10.160.x.y 10.102.x.y netmask 255.255.255.255

    Does the config meet my requirements and the intended solution, or is my understanding inaccurate?

    Any help on this would be appreciated.

    Thanks in advance,


    Hello

    That will actually break internet traffic for this server, because the external address sent over the internet will be 10.160.x.y.  In the past I have done something like this:

    static (inside,outside) 10.160.x.y access-list policy-dest-3rdParty
    access-list policy-dest-3rdParty extended permit ip host 10.102.x.y host 10.247.x.y

    That will ONLY perform NAT on this server's traffic if the traffic is coming from 10.247.x.y.

  • CISCO 861 NAT issues

    Hello

    I have a Cisco 861 router, and here is the scenario I want to achieve (with regard to the ISP and NAT):

    FastEthernet 4
    ip address 89.45.204.117 255.255.255.248 (IP x.x.x.x-x.x.x.x)
    ip address 89.45.202.117 255.255.255.240 secondary (x.x.x.x-x.x.x.x)

    Vlan1 (DHCP server) 10.11.12.0 255.255.255.0 (done)

    I want to achieve 2 types of NAT, as follows:

    1. internal-to-external translation (so I can use the different IP addresses I have)
    2. external-to-internal translation (so I can access local private machines from the outside world)

    In CentOS iptables, (1) is something like this:

    iptables -t nat -A POSTROUTING -s 10.11.12.20 -o $EXTIF -j SNAT --to-source 89.45.204.118

    In CentOS iptables, (2) is something like this:

    iptables -t nat -A PREROUTING -p tcp -d 89.45.204.117 --dport 80 -j DNAT --to-destination 10.11.12.70:80

    As far as I understood, on Cisco IOS, (2) is something like this:

    ip nat inside source static tcp 10.11.12.70 80 89.45.204.117 80 extendable

    I do not understand how to configure number (1)...

    The public IP addresses on FastEthernet 4 are set up with ip address and ip address secondary.

    Thank you very much.

    Hello Sebastian,

    Let me explain how NAT is implemented on Cisco devices from a different perspective - maybe that will clarify things.

    All the translations that you need to configure will be configured with the ip nat inside source command, regardless of whether the connection is initiated from inside or outside your network.

    The ip nat inside source command is used to define a multitude of different NAT behaviours:

    1. A static 1:1 mapping between an internal and an external IP address (no ports). In this way you essentially expose the entire station with the internal IP to the outside world using the configured external address. At any time, a connection can be initiated from the inside IP address (and it will be translated to the configured outside address), or a connection may be initiated towards the external IP address (and it will be translated to the configured inside address). The mapping is 1:1, meaning that a single internal IP address must be mapped to a single outside IP address and an external IP address must be mapped to a single internal IP address. In other words, you need as many outside IP addresses as internal IP addresses you want to expose this way. The syntax of the command is ip nat inside source static I.I.I.I O.O.O.O where I.I.I.I is the inside IP address and O.O.O.O is the external IP address.
    2. A static 1:1 mapping between an individual internal and external IP address and transport port. The behaviour is identical to the previous type, with the significant difference that the translation only applies to traffic coming from the individual inside IP/port combination, or to traffic destined to the individual outside IP/port combination. This type of translation is configured using ip nat inside source static {tcp | udp} I.I.I.I p O.O.O.O P where I.I.I.I and O.O.O.O are the inside/outside IP addresses, p is the inside port and P is the external port. You can reuse I.I.I.I and O.O.O.O as long as the translations are unique, i.e. a particular combination of I.I.I.I, p, O.O.O.O and P must never be used twice.
    3. A dynamic 1:1 mapping between a set of internal IP addresses and a pool of the same size (or larger) of external IP addresses. What this configuration does is assign each inside IP address a particular outside IP address each time a connection is initiated from the inside IP address. This mapping exists for a limited period of time and expires after the inside IP address stops communicating with the outside world. Therefore, over a long period of time, one inside IP address may get translated to different outside IP addresses; there is no fixed 1:1 mapping between inside and outside addresses. The mapping is only temporary and changes over time. Connections to the external IP address only succeed if there is currently a mapping created for that outside IP; otherwise they do not. I don't know whether you want to set up this kind of NAT behaviour, so I'm not including an example configuration now. If you want your NAT to behave this way, let me know.
    4. A dynamic M:1 mapping between a set of internal IP addresses and a smaller pool of external IP addresses. This is basically the typical Linux -j SNAT type of NAT behaviour, where you hide multiple internal IP addresses under one outside IP address using address and port rewriting. A special case of this configuration is NATting to the external IP address configured on an interface, similar to the MASQUERADE target in Linux.

    Types 1. and 2. in this description do not use ACLs because they are static, meaning they already fully define the inside and outside addresses. However, the dynamic mappings in 3. and 4. above must use an ACL to specify which traffic should be translated. So, when using dynamic mappings, it is mandatory to create an ACL that selects the traffic to be handled by the dynamic NAT, and moreover this ACL must explicitly exempt the traffic already handled by static NAT entries from also being handled by this dynamic NAT; otherwise that traffic could, under some circumstances, be translated incorrectly.

    From what you have said, I think you want to go with NAT types 1. and 2. as described earlier in this post. Would this be what you're looking for?

    Best regards

    Peter
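    As an added example that is not part of Peter's reply, here is the 861 configuration that implements types 1, 2 and 4 from his list for the addresses in Sebastian's question, including the ACL exemption Peter describes. The choice of 10.11.12.20 as the type-1 host (it is the host in Sebastian's SNAT rule), the Vlan1 address 10.11.12.1 and the ACL name NAT-DYNAMIC are assumptions.

```cisco
! Cisco 861 -- added example; Vlan1 address, ACL name and host choice are assumptions
!
interface FastEthernet4
 ip address 89.45.204.117 255.255.255.248
 ip address 89.45.202.117 255.255.255.240 secondary
 ip nat outside
!
interface Vlan1
 ip address 10.11.12.1 255.255.255.0
 ip nat inside
!
! Type 1 -- static 1:1, both directions, all ports.
! iptables equivalent: the SNAT --to-source 89.45.204.118 rule from the
! question plus the matching DNAT; IOS does both with one line.
ip nat inside source static 10.11.12.20 89.45.204.118
!
! Type 2 -- static port mapping, the iptables DNAT rule from the question.
! "extendable" lets this share 89.45.204.117 with the interface PAT below.
ip nat inside source static tcp 10.11.12.70 80 89.45.204.117 80 extendable
!
! Type 4 -- everything else hides behind the interface address (MASQUERADE).
! The ACL exempts exactly what the static entries already translate:
! all of 10.11.12.20, but only TCP/80 of 10.11.12.70, because that host's
! other outbound traffic still has to be PATed.
ip access-list extended NAT-DYNAMIC
 deny   ip  host 10.11.12.20 any
 deny   tcp host 10.11.12.70 eq 80 any
 permit ip  10.11.12.0 0.0.0.255 any
ip nat inside source list NAT-DYNAMIC interface FastEthernet4 overload
```

    Verify with "show ip nat translations" (the two static entries are listed permanently; PAT entries appear per connection) and "show ip nat statistics". Note that the type-1 entry exposes every port of 10.11.12.20 to the internet, so pair it with an inbound ACL or zone-based firewall policy on FastEthernet4 that permits only the services that host is meant to offer.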

  • WRT160N V3 Xbox strict NAT issue

    Xbox 360 NAT issues resolved! (WRT160N v3).

    I followed the instructions in the link above, and also at least 20 other posts, but I always get strict NAT with a single Xbox.  I think I have tried all combinations and I can't understand why my situation is somewhat different.

    Question - when I go to STATUS, under the 'Internet connection' tab, for "IP address" I see 192.168.1.64 (an internal address).  I read somewhere that this means there is another NAT beyond my router. What is the problem?

    This problem started when I replaced my (default) DSL modem/router combination, an old 2Wire HomePortal 1000s, with a brand new Motorola model 2210-02-1022 (modem only) from the AT&T store, combined with a WRT160N V3.

    I tried all combinations of UPnP enabled, port forwarding, port triggering and DMZ.  I used a DHCP reservation to give my Xbox a static IP address and checked that it works fine.  But even in the DMZ with UPnP off, I get strict NAT.

    I think I have to dump the Motorola + 160N and buy the current AT&T 2Wire modem/router combo, but I don't want to do that when I don't know for sure that it will be any better.

    Others seem to have had great success getting this cleared up.  Can someone shed light on why none of these techniques work for me?

    Thank you

    I want to thank you, because after endless hours trying to get rid of the Xbox 360 strict NAT, your advice finally put me on the right track.

    With my particular combination (AT&T DSL, Motorola modem + WRT160N-3), bridge mode did not work.  As soon as I put the modem in bridge mode, the Internet light on the front would not come on.  Maybe if I called AT&T I could find a way around it.  This setting seems to move the PPPoE connection to the router instead of the modem, but no PPPoE setting I used (including providing the user ID and password, etc.) got me an Internet connection.

    What worked was in the modem settings.  There was no obvious parameter to enable/disable NAT; instead it reads: "Let LAN device share Internet address?"  Choices: "No, use the private IP address", "Yes, use the public IP address".  This is the modem's NAT switch and it must be set to Yes (the default is No, which is what created the 2nd NAT).

    Even in non-bridged mode, with the modem's NAT removed, the router's NAT and the other settings now work.  I could successfully put the Xbox in the DMZ.  The tell-tale is that in the router's STATUS tab you now see a public IP address instead of the modem's internal address.

    WOW that was difficult and time consuming to get to this point!

  • Airport Express to extend Wi-Fi using a powerline adapter, but NOT Airport Extreme

    Hello

    I am looking to buy an Airport Express in order to listen to music through my stereo and also create another wireless network upstairs in my house.

    My question is: I currently have a non-Apple wireless router downstairs, and I have connected it to a powerline adapter, with another powerline adapter upstairs. If I connect the Airport Express base station to the adapter upstairs, will I be able to create another network upstairs as well as stream my music, even if the router that provides the connection is not an Apple router?

    Thank you

    Andy

    If the upstairs Airport Express will be connected via its WAN port, using a regular ethernet cable, to the powerline adapter, and will be in bridged mode, you can create a wireless network upstairs. In non-bridged mode you may see double-NAT issues, which should be avoided.

  • Windows Explorer crashes when switching from one network card to the other

    Hi people,

    Here's my problem: I suspect its cause and resolution will be very simple, but I can't find an answer so far.

    I use a Windows XP SP3 laptop, joined to a Windows 2003 native-mode domain.
    As is common these days, the laptop is multihomed, with an Intel Gigabit Ethernet card and an Intel combined 802.11n/Bluetooth adapter.

    My problem is this: I often need to take myself off the cabled office network and join a wireless network. This is so I can access our assets via public IP addresses to avoid NAT'ing issues. In general, I do this simply by pulling the ethernet cable, then activating the wireless adapter and joining the required network. Note there is no firewall or filtering on the wireless network, and it uses NAT.

    After about 10 seconds, Windows Explorer locks up for about 15 seconds, then comes back to life. This behaviour is repeated on what seems a fairly short cycle, perhaps every minute.

    While I think it could be linked to the machine looking for domain resources, the adapter binding order or similar, I have been unable to make any impact on this behaviour.

    If I revert the config by disabling my wireless adapter and reconnecting the wired adapter, everything returns to normal and performance is as expected.

    I have also tried changing the adapter binding order - my wireless adapter was already above the wired network adapter, but it seemed worth a try - no dice.
    I also tried releasing the config on the wired adapter, flushing the DNS and ARP caches, and then connecting the Wi-Fi. No difference.

    I'd love to hear any constructive suggestions on how to solve this problem; attempts to find the cause with ProcMon and Wireshark were unsuccessful, but maybe I'm looking at the wrong data.

    Let me know what information you might like and I'll see if I can provide it.

    Thank you

    Stevie

    Hi Stevie,

    The question you posted would be better suited to the TechNet forums. I would recommend posting your query in the TechNet forums:

    http://social.technet.Microsoft.com/forums/en/itproxpsp/threads

  • Port forward 1723 Linksys WRT1900AC (VPN)

    I can't establish a VPN tunnel to my desktop machine using PPTP (the built-in Windows VPN).

    I have a Linksys WRT1900AC, latest firmware (1.1.8.164461).

    I set up single port forwarding (this machine has a static IP address, see below):

    I can ping the machine externally, but when I telnet to the machine on the port number (telnet EXTERNAL.IP 1723), it doesn't look like it is listening (externally).

    I have disabled the Windows firewall (although all ports and GRE are defined in it anyway). I even disabled the router's firewall to test and enabled passthrough:

    I have researched heavily, and the only thing I can think of is a NAT-behind-NAT issue? (Not too well versed in networking.) But I'm not on a DSL modem; it is a cable modem (Charter).

    I'm stuck. I know the VPN tunnel does not work because the port is not listening, but how can I get it to?

    Thanks in advance,

    Scott

    Yes, an IP address that starts with 192.168.x.x is a private LAN, non-routable IP address.

    Your ISP modem must also be a router with a DHCP server.

    Two options:

    1. Configure the modem for bridge mode or DMZ
    2. Configure the same port forwarding rule in the modem to the IP address of the WRT1900AC (192.168.44.x). Then the modem forwards to the WRT1900AC, which forwards to the PPTP server on Windows 8.

  • Switch mode EPC 3925 / router E3000: 20% speed loss

    my setup is EPC 3925 in switch mode - E3000 in router mode

    my ISP speed is 200 Mbps but I only get 160 Mbps maximum and it is not stable

    when I use the EPC 3925 alone I get 200 Mbps

    can someone explain why this happens

    takwansani wrote:

    Thanks Meegosh and nerD_sayer for the answers

    one last question: what happens if I ask my ISP to swap the 3925 for a modem-only unit such as the 3208?

    Would I gain speed?

    Yes. It is better to have just an ordinary modem, to avoid double NAT issues and to make opening ports easier if you need to.

  • FTP error 425 on WRT54GH

    I've been running a FileZilla FTP server for more than 2 years now. When I set up FTP it was actually the first time I had to do port forwarding. The external router forwarded TCP 21 to port 21 on the LAN, everything was good, FTP worked. A few days ago the old router died, and to get a new one I went for a WRT54GH. When I set it up I also made sure to forward port 21 to the machine. Now I try to access the FTP and after a long wait I get error 425, unable to open data connection.

    I double-checked and checked again: not only is the port properly forwarded, but FileZilla actually gets the request and the two negotiate a bit. Since I didn't change anything in the FTP server and FTP still works fine on LAN IPs, I will of course blame the router!

    What should I do and how can I solve this problem?

    I don't usually reply to myself, but I fixed it and I leave this info here for future reference for others:

    It seems that - at least with the first firmware version - the router alters network packets if it sees they are sent on port 21. It changes the LAN IPs in the PASV replies, which connecting clients cannot work with. In addition it seems there is some other obscure port-opening issue once the connection is established.

    In order to circumvent the router's arbitrary NAT conversion, you must forward external port 21 to some other internal port, for example 12345. The FTP server on the computer must be configured to listen on this port. This will get around the NAT issue.

    For the second issue, the server's PASV mode must be given a fixed range of ports, for example 65000 to 65100, and in turn these ports must be forwarded to the FTP hosting machine in the router's settings.

    - Important set of notes on forwarding one or more ports!

    Ports forwarded before changing the LAN IP range (e.g. 192.168.1.x to 192.168.0.x) MUST be disabled, saved and re-enabled, otherwise the rules no longer work! In addition, if the SPI firewall settings are changed in any way, all ports and port ranges (not only the ranges) MUST be disabled, saved and re-enabled in order to work! Yet another note: DMZ seems to have similar problems. Not knowing this can lead to unexpected results when setting up not only FTP but also other applications that rely on forwarding, because the router will claim a set of settings but not use them.

  • NAT issue with Snow Leopard

    For the poster who will say "Google is your friend": no it is not, or I wouldn't be here.

    I have been trying for a while now to solve the only problem I have with Snow Leopard Server.

    MySQL was dropped in Lion and, apparently, no one knows how to use PostgreSQL, so I installed MySQL and fiddled with it for a few hours to get it working.  There were various other issues with Lion.  Finally, I went to Yosemite.  Hey Apple, where is the GUI?  Then to El Capitan and finally tried Sierra (no server app at all yet).

    For me, each 'step up' took things that were working and made them weaker than the last.

    Welcome back to Snow Leopard.  I'll stick with it for a while to come.

    The only problem I have with Snow Leopard is that when it restarts, NAT will not start up.  Other than that, it does a magnificent job maintaining my home network.  I have searched high and low for an answer without success.  A few posters who have addressed this problem specifically here never got a response.

    As it seems to be about three years or more since this question was asked, and it seems that some have migrated to SLS, I was wondering if anyone has found a solution.

    As it is now, whenever I need to reboot I just disable the NAT service, restart and turn it back on.  In the case of a power failure (longer than the UPS can maintain) or just a random crash, I have to kill the firewall and NAT, then configure the gateway service anew, which requires fixing the various omissions and errors, and I'm good to go again.

    Any help would be greatly appreciated.

    You have posted in the Snow Leopard Client forum.  I'll ask for this post to be moved.  In the meantime, you can see the various forums in this tip:

    http://discussions.Apple.com/docs/doc-2463

  • ASA 8.4 NAT VPN issue.

    Hello

    I'm working on a customer site and they have a problem with one of their VPNs (we have others working fine), but this is a major issue and I think it's because we use manual NAT and object NAT on the same server for different things.

    Traffic between inside and outside:

    It works with a specific manual NAT rule with the server object 10.10.10.10 as source

    Inside                                   SNAT                                  VPN                        3rd-party FW
    SRC -> DST                               SRC -> DST                                                       SRC -> DST
    10.10.10.10 -> 1.1.2.10        =>        1.1.1.10 -> 1.1.2.10         ==VPN==>         1.1.1.10 -> 1.1.2.10

    It works with a specific object NAT on the 10.10.10.10 server object

    Remote

    3rd-party FW                             VPN                                   DNAT                       Inside
    SRC -> DST                                                                     SRC -> DST                 SRC -> DST
    1.1.2.10 -> 1.1.1.10           ==VPN==>  1.1.2.10 -> 1.1.1.10         =>               1.1.2.10 -> 10.10.10.10

    If we have both the manual NAT and the object NAT it does not work either way.

    So the question is (as I am new to the ASA 8.3 code): should we not mix the 2 types of NAT, and look at configuring it all with manual NAT or object NAT?

    With the object NAT removed it does not work, as it is caught by the catch-all outside NAT:

    nat (inside,outside) source dynamic any interface (this NATs to 1.1.1.1 and then does not match the crypto map for the VPN)

    and I tried a no-NAT above that, but that does not work either.

    Straws and clutching at them come to mind trying to configure a different config. Any pointers in the right direction would be great.

    Kind regards

    Z

    Hello

    I'm not sure about the setup even with the explanation. Every NAT configuration I have done for VPN has used Section 1 Manual/Twice NAT.

    You have configured the default PAT rule that you use as a Section 1 NAT rule. NAT rules in the new software are divided into 3 sections:

    • Section 1: Manual/Twice NAT
    • Section 2: Object NAT
    • Section 3: Manual/Twice NAT (moved to section 3 using the "after-auto" parameter)
    • The sections are gone through in order from 1 to 2 to 3 to find a match.

    You should also notice that Section 1 and Section 3 NAT have a "line number" similar to the ACL parameter. So if you have an existing default PAT rule configured for Section 1 and just add another Section 1 NAT rule without a line/order number (the VPN NAT), it will just fall below the existing rule, making the new rule useless.

    I would advise against using the default PAT rule as a Section 1 NAT rule. In the end it means you have to constantly watch and edit its configuration when you try to configure more specific rules.

    As a general rule, the above default PAT configuration in Section 3 would be the following:

    nat (inside,outside) after-auto source dynamic any interface

    This would mean that you need to remove the old one. Naturally, that would mean temporarily tearing down all current connections through "inside"/"outside" while you change the NAT rule format.

    If after this you configure a Twice NAT for the VPN (without the "after-auto" parameter), it will be a Section 1 rule while the default PAT will be in Section 3. Naturally, Section 1 will be matched first.

    I'm not quite sure I have understood your setup from the above.

    Are you doing just source NAT?

    I guess the configuration you are doing is something like this?

    object network LAN-REAL
     subnet 10.10.10.0 255.255.255.0
    object network LAN-MAPPED
     subnet 1.1.1.0 255.255.255.0
    object network REMOTE-LAN
     subnet 1.1.2.0 255.255.255.0
    nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN

    If the network 1.1.1.0/24 is supposed to be the one directly connected to your "outside" interface, the format may need to be something else.

    -Jouni
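    The three steps Jouni describes (move the default PAT from Section 1 to Section 3, add the Twice NAT for the VPN in Section 1, and point the crypto ACL at the mapped addresses) collected into one ASA 8.4 configuration, as an added example that is not from the original thread. The object names follow Jouni's reply and the Section 1 PAT line is the one quoted in the question; the crypto map name outside_map, the crypto ACL name VPN-3RD-PARTY and the sample flow used for packet-tracer are assumptions.

```cisco
! ASA 8.4 -- added example; crypto map/ACL names and the traced flow are assumptions
!
! 1. Replace the Section 1 default PAT with a Section 3 one. Removing the
!    old rule clears the translations built on it, so do this in a window.
no nat (inside,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
!
! 2. Twice NAT for the tunnel, explicitly line 1 of Section 1, so it is
!    evaluated before the object NAT on 10.10.10.10 (Section 2) and before
!    the default PAT (Section 3). Only traffic to REMOTE-LAN is rewritten;
!    the server's internet traffic still hits the object NAT as before.
object network LAN-REAL
 subnet 10.10.10.0 255.255.255.0
object network LAN-MAPPED
 subnet 1.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 1.1.2.0 255.255.255.0
nat (inside,outside) 1 source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN
!
! 3. NAT runs before encryption, so the crypto ACL must match the mapped
!    1.1.1.0/24 addresses, not the real 10.10.10.0/24 ones.
access-list VPN-3RD-PARTY extended permit ip 1.1.1.0 255.255.255.0 1.1.2.0 255.255.255.0
crypto map outside_map 10 match address VPN-3RD-PARTY
```

    Verify the order with "show nat", which prints the rules grouped by section in evaluation order with hit counts, and check a single flow before relying on it with "packet-tracer input inside tcp 10.10.10.10 12345 1.1.2.10 443": the NAT phase of the output names the rule that matched, and the VPN phase shows whether the (translated) packet was selected by the crypto map.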
