Nat SRP527W-U problem

Hello

I am having trouble setting up NAT rules on an SRP527W-U with the latest firmware, 1.2.4 (003). Firmware 1.2.4 introduced the ability to create specific NAT rules through "ACL policy rules". I am trying to use this new feature, not available in older versions, to build my network configuration. The configuration I want has two different VLANs. In VLAN1 I want NAT on the point-to-point interface, and for the PCs in VLAN2 I want to use Tar so each computer will be accessible via its public IP address.

I configured two different PVCs on the device; let's call them:

ADSL_PVC0:
Encapsulation: PAI
multiplexing: LLC
type of QoS: UBR
Automatic detection VPI/VCI: disable
virtual circuit VPI:8 VCI:35
IP settings:
IP: 2.2.2.2 (this isn't my real IP address, just an example)
subnet mask: 255.255.255.252
Gateway: 2.2.2.1
MTU: automatic

ADSL_PVC1:
Encapsulation: PPPoA
multiplexing: VC
type of QoS: UBR
Automatic detection VPI/VCI: disable
virtual circuit VPI:8 VCI:40
PPPoA settings:
user name: [email protected] / * /
past: xxxxxxx
connection: keep alive
MTU: automatic

In the Internet_setup_menu, I chose:

Default system route via ADSL_PVC0
Default voice route via ADSL_PVC1

After that, under the menu interface_setup -> LAN -> VLAN_settings, I enabled two different VLANs:

vlan1 (default vlan):
private_lan:
ID: 1
subscription_type: DHCP_server_pool
DHCP pool: DHCPRule_1 (VLAN1)
voice: off
Members: LAN_port1, LAN_port3, LAN_port4, SSID1

VLAN2 (vlan public):
public:
ID: 2
subscription_type: DHCP_server_pool
DHCP pool: DHCPRule_2_public_ip (VLAN2)
voice: off
Members: LAN_port2, SSID2

and I set up two different DHCP rules:

DHCPRule_1
VLAN 1
local ip address/subnet: 192.168.1.1/24
mode DHCP: dhcp server
GW: 192.168.1.1
DNS proxy: enabled

DHCPRule_2_public_ip
VLAN 2
local ip address/subnet: 3.3.3.1/27
mode DHCP: dhcp server
GW: 3.3.3.1
DNS proxy: disabled
DNS1: 8.8.8.8

After that, under the menu network_setup -> nat -> global_nat, I set:

address translation:
NAT: disabled

Instead, I added this policy under nat_bypass:

policy nat_lan
activated: Yes
inside interface: vlan1
outside interface: ADSL_PVC0
IP address: 2.2.2.2/30

If I connect a PC to LAN port 1, I get an IP via the DHCPRule_1 configuration and I can ping the gateway 192.168.1.1, but I'm not able to ping 8.8.8.8.

If I connect a PC to LAN port 2, I get an IP via the DHCPRule_2_public_ip configuration, I can ping the gateway 3.3.3.1, and I am ABLE to ping 8.8.8.8 and surf the web.

From the WAN side I am able to reach the router via the two different public IP addresses assigned to the PVCs ADSL_PVC0 and ADSL_PVC1.

If I activate NAT under global_nat then, of course, I am able to browse the web, and the device uses the public IP address of the PVC ADSL_PVC0 to NAT me.

I tried the configuration multiple times and I tried many different configuration "flavors", but I'm still having trouble getting it to work. From my point of view, there is some sort of bug related to NAT, or something missing in this configuration.

Any help will be really appreciated.

Thanks in advance for your answer.

Hi Paolo,

The default mode of operation for the SRP is to have NAT active.  If the global NAT setting is disabled, then the SRP will run in routing-only mode (no NAT ever).

For your configuration, leave the global NAT setting active and create a rule to bypass NAT for traffic in VLAN 2 (effectively ensuring that this traffic is routed and not translated).

Policy-based routing rules allow you to set which PVC your local traffic must use.

Hope that helps.

Andy

Tags: Cisco Support

Similar Questions

  • nat ASA 5520 problem

    Hi, I have a Cisco ASA 5520 and I want to set up a site-to-site VPN using another interface over a carrier's LAN-to-LAN service. The problem is that when I try to pass traffic I get the following syslog error:

    No translation not found for udp src lan2lan:10.5.50.63/44437 dst colo: biggiesmalls groups / 897
     
    LAN to LAN service interface is called: lan2lan
    one of the internal interfaces is called: colo

    I think that it is a problem with NAT on the ASA, but I need help with this.
     
    Config:
     
    !
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    eve of fw - ext 255.255.255.0 address IP XXaaaNNaa
    OSPF cost 10
    OSPF network point-to-point non-broadcast
    !
    interface GigabitEthernet0/1
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/1.50
    VLAN 50
    nameif lb
    security-level 20
    IP 10.1.50.11 255.255.255.0
    OSPF cost 10
    !
    interface GigabitEthernet0/1,501
    VLAN 501
    nameif colo
    security-level 90
    eve of fw - int 255.255.255.0 172.16.2.253 IP address
    OSPF cost 10
    !
    !
    interface GigabitEthernet1/1
    Door-Lan2Lan description
    nameif lan2lan
    security-level 0
    IP 10.100.50.1 255.255.255.248
    !
    access extensive list ip 10.1.0.0 lan2lan_cryptomap_51 allow 255.255.0.0 object-group elo
    permit access list extended ip sfnet 255.255.255.0 lan2lan_cryptomap_51 object-group elo
    pager lines 24
    Enable logging
    host colo biggiesmalls record
    No message logging 313001
    External MTU 1500
    MTU 1500 lb
    MTU 1500 Colo
    lan2lan MTU 1500
    ICMP unreachable rate-limit 1 burst-size 1
    ARP timeout 14400
    NAT-control
    Global 1 interface (external)
    interface of global (lb) 1
    Global (colo) 1 interface
    NAT (lb) 1 10.1.50.0 255.255.255.0
    NAT (colo) - access list 0 colo_nat0_outbound
    NAT (colo) 1 10.1.13.0 255.255.255.0
    NAT (colo) 1 10.1.16.0 255.255.255.0
    NAT (colo) 1 0.0.0.0 0.0.0.0
    external_access_in access to the external interface group
    Access-group lb_access_in in lb interface
    Access-group colo_access_in in interface colo
    Access-group management_access_in in management of the interface
    Access-group interface lan2lan lan2lan
    !
    Service resetoutside
    card crypto match 51 lan2lan_map address lan2lan_cryptomap_51
    lan2lan_map 51 crypto map set peer 10.100.50.2
    card crypto lan2lan_map 51 game of transformation-ESP-3DES-SHA
    crypto lan2lan_map 51 set reverse-road map
    lan2lan_map interface lan2lan crypto card
    quit smoking
    ISAKMP crypto identity hostname
    ISAKMP crypto enable lan2lan
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Crypto isakmp nat-traversal 20
    enable client-implementation to date
    IPSec-attributes tunnel-group DefaultL2LGroup
    pre-shared-key xxXnnAA
    tunnel-group 10.100.50.2 type ipsec-l2l
    tunnel-group 10.100.50.2 General-attributes
    Group Policy - by default-site2site
    No vpn-addr-assign aaa
    No dhcp vpn-addr-assign
    Telnet timeout 5
    !
     

    Is the VPN OK? ("show crypto isakmp sa" should show an MM_Active tunnel to the peer address.)

    Normally we exempt site-to-site VPN traffic from NAT. This could be your problem. If you can share your configuration, we can have a look.

    P.S. You should move the question to the Security / VPN forum.

  • NAT on Xbox problems

    NAT type stays strict no matter what I try.
    I gave up on phone and live chat support, so I'm hoping someone on the forum can help me out. After spending 2 days with Netgear support and nothing...
    (Oh, you will love this. The last support person I spoke with told me to change the settings and update the firmware, and guess what! My download speed is below 0.6mbps now)

    ISP: Comcast (xfinity)
    Brand modem: Arris
    Router: Netgear Nighthawk AC1900
    Firmware version: V1.0.2.194_1.0.15

    Address reservation is configured for an Xbox (192.168.1.3)
    Filtering NAT: open
    SIP ALG: disabled
    QoS upstream: on
    Port forwarding: (all listed ports use the same range of ports for internal)

      Yes, all ports are using my IP xbox

      UPnP: on
      DMZ server: Default 192.168.1.0

      Any ideas?

    Do not use the DMZ and port forwarding at the same time on one device

  • WRT1900AC NAT OPEN Xbox problems.

    I have been digging through the forums for days looking for a solution, but I can't get my Xbox to have an open NAT. I reserved the IP address, port, and made sure that UPnP is enabled. What am I missing? NOTE (I did not open port 53, which only causes the router to lose access to the internet for some strange reason.) Help, please!

    I think that it is a private IP address. Anything on a 192, 172 or 10 is a private IP address.  You need a public IP address, which is #.##.###.###

    Links: http://www.practicallynetworked.com/networking/fixing_double_nat.htm and http://computer.howstuffworks.com/nat.htm

    I recommend you contact your ISP's support and ask about getting a public IP address for the router, in order to obtain OPEN NAT if possible.

  • %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection denied due to NAT reverse path failure. NAT problems with VPN clients after upgrading to 8.3.2.

    I recently upgraded to 8.3.2 and I am aware of these NAT changes, but even after reading https://supportforums.cisco.com/docs/DOC-12569 I am still unable to fix communication between the VPN network 192.168.100.0 and hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the outside interface, and I try to ping hosts on the inside and the DMZ, 172.16.1.0 and 172.16.9.0 respectively. The VPN client shows the two previously mentioned networks as secured routes, but pings still get no reply.

    # sh nat

    Manual NAT policies (Section 1)

    1 (inside) to the (whole) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

    translate_hits = 0, untranslate_hits = 0

    2 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

    translate_hits = 0, untranslate_hits = 0

    3 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0

    translate_hits = 0, untranslate_hits = 0

    4 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

    translate_hits = 0, untranslate_hits = 0

    5 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0

    translate_hits = 0, untranslate_hits = 0

    Auto NAT policies (Section 2)

    1 (dmz), to the source (external) static obj - 172.16.9.5 interface tcp www www service

    translate_hits = 0, untranslate_hits = 142

    2 (dmz) (outdoor) source static obj - 172.16.9.5 - 01 interface service tcp 3389 3389

    translate_hits = 0, untranslate_hits = 2

    3 (dmz) (outdoor) source static obj - 172.16.9.5 - 02 interface tcp ldap ldap service

    translate_hits = 0, untranslate_hits = 0

    4 (dmz) (outdoor) source static obj interface - 172.16.9.5 - 03 service ftp ftp tcp

    translate_hits = 0, untranslate_hits = 0

    5 (dmz) to (outside) of the source static obj - 172.16.9.5 - 04 interface tcp smtp smtp service

    translate_hits = 0, untranslate_hits = 267

    6 (inside) source static obj - 172.16.9.0 172.16.9.0 (dmz)

    translate_hits = 4070, untranslate_hits = 224

    7 (inside) to (dmz) source static obj - 10.1.0.0 10.1.0.0

    translate_hits = 0, untranslate_hits = 0

    8 (inside) to (dmz) source static obj - 172.16.0.0 172.16.0.0

    translate_hits = 152, untranslate_hits = 4082

    9 (dmz) to dynamic interface of the obj - 172.16.9.0 - 01 source (outdoor)

    translate_hits = 69, untranslate_hits = 0

    10 (inside) to the obj_any interface dynamic source (external)

    translate_hits = 196, untranslate_hits = 32

    I think you need the following two NAT configs:

    nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0
    nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0

    Please configure them and remove any additional NAT configuration and then try again.

  • Nat router firewall

    I have connected a firewall to a linksys BEFSR41 router.

    I put the BEF on a separate subnet

    Re: static 192.168.1.2 (on the same subnet as firewall)

    Gateway: 192.168.1.1 (firewall inside address)

    DNS: 192.168.1.1

    LAN:

    192.168.2.1

    NAT is enabled.

    I have the ethernet cable between the firewall connected to the WAN port on the BEF

    It works very well going through the firewall to the internet (the firewall also has NAT; I'm not sure how it works with the two NATs).

    Problem: If I disable NAT on the BEF I can't get through to the internet.

    The question: is there a way to configure the BEF with NAT disabled and still get to the internet?

    I tried different settings for the WAN on the BEF (in addition to the above) but I have not hit on the right pair.

    Any suggestion would be appreciated.

    Hugh

    If you connect a second router via a LAN port to a different (main) router, the NAT setting is actually irrelevant. I don't know why various FAQs talk of disabling NAT (switching to router mode). It makes no difference. NAT applies only to packets that pass through the routing component, i.e. travel from the LAN side to the WAN port or back. Thus, it is not relevant for a LAN-to-LAN configuration.

    The default setting for a normal router is NAT active, because you use private IP addresses inside the local network that must be mapped to the public IP address on the WAN port. That's what NAT does. Internally, you have private IP addresses. On the internet, we see only the public IP address.

    It is true that with NAT active the LAN side is inaccessible from the WAN side (with the exception of port forwardings etc.). Turning off NAT is only a precondition for making the LAN side fully accessible from the WAN side. With NAT disabled, the LAN IP addresses are routed to the WAN side. This means that the WAN side must understand and also forward these IP addresses correctly. In your case, with NAT disabled, the computers and the router on the WAN side need to know where to route packets for 192.168.2.*. If you do not set a route for 192.168.2.0/255.255.255.0 on the main router, all packets for 192.168.2.* will be sent to the default gateway, which is in the internet, where they are quickly dropped.

    To make a computer connected to the BEF accessible from the internet you have two options:

    1. You can expose some ports through port forwarding with NAT enabled on the BEF. You must forward these ports on the firewall and on the BEF. The firewall forwards to the WAN IP 192.168.1.2 of the BEF. The BEF forwards to the LAN address of the computer, for example 192.168.2.50.

    2. If you want to disable NAT on the BEF, you must configure a static route on the firewall to route 192.168.2.0/255.255.255.0 via gateway 192.168.1.2. In addition, you may need to adjust the NAT rules to include 192.168.2.0/255.255.255.0 for NAT (NAT rules define which IP addresses are mapped to the public IP address and which are not).

    If you want the computer to be accessible from the internet, you still have to implement the translation of port on the firewall (the firewall because no NAT and thus makes the side LAN firewall inaccessible from the internet). The firewall is not possible: some barrier-lights/routers allow you to set up port forwarding to arbitrary IP addresses and their own LAN IP subnet, i.e. the firewall might not only to transmit not 192.168.1. * but * 192.168.2.

    Perhaps you could explain why you must have some computers on a different subnet.

  • NAT on the router WRT120N.

    Hello

    I bought a new router, the WRT120N, and it works well.

    But I have a question. I had this problem on my other router too, but there it was easy to stop. It is called NAT, and I have problems with it in a game called Gunz.

    7700-7800 TCP and UDP ports.

    I already found the option to turn off NAT, but then I have no more Internet; if I disable this I have to write something, because it wants STATIC ROUTING.

    I tried port forwarding, which helped only on my old router, but it does not help here.

    Can anyone tell me what I must write in the static route settings? I don't know enough about routers.

    Thank you

    Niels

    I guess that the 168.192.1.104 in the port forwarding is a typo.

    The computer is configured for DHCP. You must ensure that you configure a DHCP reservation for the computer.

    Your router is connected directly to the internet. It has a public IP address. Good.

    Have you not set up single port forwarding or port triggering?

    If this isn't the case, the transmission seems to be set up correctly.

    Do you run the firewall on the computer?

  • Problems with GZip & FTP

    Hello

    In my application, I need to send a compressed file using FTP.

    To do this, I used a class originally written for use with J2SE (SimpleFTP).

    I changed it for use with the RIM API and it works with small compressed files (like 4 KB), but when I try to send one just a little bigger (12 KB) I have a problem decompressing: gzip tells me "unexpected end of file".

    Here is a bit of the code used:

    // In a thread I create the connection and change to BIN
    ftp.connect(ip, port, user, psw, true, apn, apnUser, apnPsw);
    ftp.cwd(dir);
    ftp.bin();
    
    // Here I obtain a CSV representation of my object and store it in a String variable
    String csv = r.toCSV();
    
    // This method asks the ftp object to store a byte array in the file named "file";
    // I want it zipped, and it returns true if all is OK
    if (ftp.stor(new ByteArrayInputStream(csv.getBytes("UTF-8")), file, true)) {
        // ...do things
    }
    

    The stor method of the ftp object has this code:

    /**
     * Sends a file to be stored on the FTP server. Returns true if the file
     * transfer was successful. The file is sent in passive mode to avoid NAT or
     * firewall problems at the client end.
     */
    public synchronized boolean stor(InputStream inputStream, String filename, boolean zipped) throws IOException {
    
        sendLine("PASV");
        String response = readLine();
        if (!response.startsWith("227 ")) {
            throw new IOException("SimpleFTP could not request passive mode: " + response);
        }
        String ip = null;
        int port = -1;
        int opening = response.indexOf('(');
        int closing = response.indexOf(')', opening + 1);
        if (closing > 0) {
            String dataLink = response.substring(opening + 1, closing);
            String[] tokenizer = Functions.splitString(dataLink, ',', -1);
            try {
                ip = tokenizer[0] + "." + tokenizer[1] + "." + tokenizer[2] + "." + tokenizer[3];
                port = Integer.parseInt(tokenizer[4]) * 256 + Integer.parseInt(tokenizer[5]);
            } catch (Exception e) {
                throw new IOException("SimpleFTP received bad data link information: " + response);
            }
        }
        String url = "socket://" + ip + ":" + port + urlParam;
        Logger.log(this, "Try to open passive connection to "+url);
        SocketConnection dataSocket = (SocketConnection) Connector.open(url);
        dataSocket.setSocketOption(SocketConnection.LINGER, 5);
        dataSocket.setSocketOption(SocketConnection.DELAY, 5);
    
        sendLine("STOR " + filename);
    
        response = readLine();
        if (!response.startsWith("125 ")&&!response.startsWith("150 ")) {
            dataSocket.close();
            dataSocket=null;
            throw new IOException("SimpleFTP was not allowed to send the file: " + response);
        }
        Logger.log(this, "Connected to "+url);
    
        OutputStream output;
        if (zipped)
            output = new GZIPOutputStream(dataSocket.openOutputStream(),GZIPOutputStream.COMPRESSION_BEST);
        else
            output = dataSocket.openOutputStream();
    
        byte[] buffer = new byte[512];
        int bytesRead = 0;
    
        while ((bytesRead = inputStream.read(buffer)) != -1) {
            output.write(buffer, 0, bytesRead);
        }
    
        output.flush();
        output.close();
        output = null;
        dataSocket.close();
        dataSocket=null;
    
        response = readLine();
        return response.startsWith("226 ");
    }
    

    The readLine() and sendLine("") methods read or write, on the ftp socket, a line ending with CR, which I need in order to send FTP commands.

    I think that everything is OK. For this problem I found in a forum that the cause could be the use of ASCII mode in FTP, but I changed to BIN.

    Any idea?

    Thank you in advance!

    Hello

    Finally, I solved the problem.

    I found the solution in the GZIPOutputStream documentation.

    You must pass the OutputStream to the GZIPOutputStream, write the zipped data and then close the GZIPOutputStream, but you must still use the original OutputStream.

    So in my SimpleFTP class I have to write through the gzip stream, close it, then flush() and close() the original OutputStream.

    Knit

    I add the new stor() method here for you to see:

    /**
         * Sends a file to be stored on the FTP server. Returns true if the file
         * transfer was successful. The file is sent in passive mode to avoid NAT or
         * firewall problems at the client end.
         */
        public synchronized boolean stor(InputStream inputStream, String filename, boolean zipped) throws IOException {
    
            sendLine("PASV");
            String response = readLine();
            if (!response.startsWith("227 ")) {
                throw new IOException("SimpleFTP could not request passive mode: " + response);
            }
    
            String ip = null;
            int port = -1;
            int opening = response.indexOf('(');
            int closing = response.indexOf(')', opening + 1);
            if (closing > 0) {
                String dataLink = response.substring(opening + 1, closing);
                String[] tokenizer = Functions.splitString(dataLink, ',', -1);
                try {
                    ip = tokenizer[0] + "." + tokenizer[1] + "." + tokenizer[2] + "." + tokenizer[3];
                    port = Integer.parseInt(tokenizer[4]) * 256 + Integer.parseInt(tokenizer[5]);
                } catch (Exception e) {
                    throw new IOException("SimpleFTP received bad data link information: " + response);
                }
            }
            String url = "socket://" + ip + ":" + port + urlParam;
            Logger.log(this, "Try to open passive connection to "+url);
            SocketConnection dataSocket = (SocketConnection) Connector.open(url);
            dataSocket.setSocketOption(SocketConnection.LINGER, 5);
            dataSocket.setSocketOption(SocketConnection.DELAY, 5);
    
            sendLine("STOR " + filename);
    
            response = readLine();
            if (!response.startsWith("125 ")&&!response.startsWith("150 ")) {
                dataSocket.close();
                dataSocket=null;
                throw new IOException("SimpleFTP was not allowed to send the file: " + response);
            }
            Logger.log(this, "Connected to "+url);
    
            OutputStream output = dataSocket.openOutputStream();
            byte[] buffer = new byte[512];
            int bytesRead = 0;
    
            if (zipped){
                GZIPOutputStream zipOutput = new GZIPOutputStream(output, 6, GZIPOutputStream.MAX_LOG2_WINDOW_LENGTH);
                while (!isAskForAbort() && (bytesRead = inputStream.read(buffer)) != -1) {
                    zipOutput.write(buffer, 0, bytesRead);
                }
                zipOutput.close();
            } else {
                while (!isAskForAbort() && (bytesRead = inputStream.read(buffer)) != -1) {
                    output.write(buffer, 0, bytesRead);
                }
            }
            if (isAskForAbort()){
                abor();
                output.close();
                output = null;
                dataSocket.close();
                dataSocket=null;
                try {
                    setAskForAbort(false);
                } catch (BbException e) {/*nothing to do. Here ftp is conected*/}
                return false;
            }
            output.flush();
            output.close();
            output = null;
            dataSocket.close();
            dataSocket=null;
    
            response = readLine();
            return response.startsWith("226 ");
        }
    

    Thank you much for the help.
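
The fix in this thread comes down to finishing the gzip stream before the data connection goes away. The following added example (not the poster's code; it assumes Java SE's java.util.zip in place of the RIM API, and a constructed payload) shows a stream that was only flushed failing with an unexpected end of input, while a finished one round-trips and carries the CRC32/ISIZE trailer a receiver can check.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.zip.CRC32;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class GzipTrailerDemo {

    /** Constructed sample data standing in for the CSV text passed to stor(). */
    static byte[] samplePayload() {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 600; i++) {
            sb.append("row;").append(i).append(";value-").append((i * 31) % 977).append('\n');
        }
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Compresses data into an in-memory "wire". With finish == false the
     * stream is only flushed, which models a sender whose data connection
     * closes before the gzip stream has been finished.
     */
    static byte[] compress(byte[] data, boolean finish) throws IOException {
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        // syncFlush = true: flush() pushes all pending deflate output to the wire
        GZIPOutputStream gz = new GZIPOutputStream(wire, true);
        gz.write(data);
        gz.flush();
        if (finish) {
            // Writes the final deflate block and the 8-byte trailer
            // (CRC32 + ISIZE) without closing the underlying stream.
            gz.finish();
        }
        return wire.toByteArray();
    }

    /** Decompresses a complete gzip stream; throws EOFException on a truncated one. */
    static byte[] decompress(byte[] wire) throws IOException {
        try (InputStream in = new GZIPInputStream(new ByteArrayInputStream(wire));
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[512];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    /** Reads an unsigned little-endian 32-bit value starting at off. */
    static long le32(byte[] b, int off) {
        return (b[off] & 0xFFL)
                | (b[off + 1] & 0xFFL) << 8
                | (b[off + 2] & 0xFFL) << 16
                | (b[off + 3] & 0xFFL) << 24;
    }

    /** True when the last 8 bytes are the gzip trailer for this payload. */
    static boolean trailerMatches(byte[] wire, byte[] payload) {
        if (wire.length < 18) {
            return false; // shorter than 10-byte header plus 8-byte trailer
        }
        CRC32 crc = new CRC32();
        crc.update(payload, 0, payload.length);
        return le32(wire, wire.length - 8) == crc.getValue()
                && le32(wire, wire.length - 4) == (payload.length & 0xFFFFFFFFL);
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = samplePayload();
        byte[] complete = compress(payload, true);
        byte[] unfinished = compress(payload, false);

        System.out.println("finished stream round-trips: "
                + Arrays.equals(payload, decompress(complete)));
        System.out.println("finished stream has matching trailer: "
                + trailerMatches(complete, payload));
        System.out.println("unfinished stream has matching trailer: "
                + trailerMatches(unfinished, payload));
        try {
            decompress(unfinished);
            System.out.println("unfinished stream decompressed without error");
        } catch (EOFException e) {
            // Every payload byte is on the wire, but the end-of-stream marker is not.
            System.out.println("unfinished stream rejected: " + e.getMessage());
        }
    }
}
```

A receiver that runs the decompression before accepting an upload also detects transfers cut short on the data connection, because the final block and trailer are missing.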

  • NAT + OpenVPN

    Hello

    In my data center, I have a Debian machine with VMware Server installed on it, hosting a Windows 2003 Server VM. The network configuration is NAT.

    Debian is configured as an OpenVPN server (10.11.0.1).

    The Windows 2003 Server is an OpenVPN client (10.11.0.6).

    At my office at home, I have a Windows 2003 Server which is also an OpenVPN client (10.11.0.10).

    OpenVPN works correctly; all computers can ping each other except in one case. The ping that does not work is:

    remote computer 10.11.0.10 to virtual machine 10.11.0.6

    Because the ping from 10.11.0.6 to 10.11.0.10 works, it makes me think that there is a problem with the configuration of my VMware NAT or iptables on the Debian server. It is like the external computer is unable to get past the VM NAT; remember that 10.11.0.10 can ping the OpenVPN server 10.11.0.1.

    Could you please provide advice on this configuration?

    Is it possible to run OpenVPN on a VMware NAT setup?

    Thank you very much

    Hello. I'm running OpenVPN via NAT without any problem. If you set your OpenVPN server to client-to-client mode, I'm sure that your problems will disappear. Try adding the following line to your server.ovpn

    client-to-client

    If you found this information useful please give points.

    See you soon

    Kevin

  • SPA9000 outgoing call won't. Get the "busy" signal and "CallEnded" message.

    Hello

    I have an SPA9000 with an SPA400 and 8 SPA941s configured. Everything worked up until the service changed the proxy. Now, because of that, I'm trying to configure an iristel line on Line3. Incoming calls are coming in, but I am not able to make outgoing calls using the iristel line. I tried changing the line. No use. Maybe the NAT server is the problem. I use the LAN and the router is a WRT300N. How do I enable port forwarding and what range values should I give? Any help welcome.

    Thank you. Hope it will work. I did the port forwarding today on WRT300N. To see the results tomorrow. Hope that the SIP line will remain registered until tomorrow.

  • No internet with SG300 and RV320

    Hello

    Kind of a number is double.

    I currently have an SG300 in L3 mode and an RV320 router. My original thought was to have the switch in L2 mode and have the RV320 handle routing, DHCP, and DNS. I was told by some of my colleagues that I should have the L3 switch manage the routing and use the RV320 just as the internet gateway with firewall/NAT. The problem I have now is that, according to the Administrator's guide, the RV320 must be in gateway mode since it will be the device actually connected to the internet... The problem is that pinging out to the internet does not work; DNS relay seems to work, but nothing else. How are the packets supposed to get out if the router does not have a ".1" address? In addition, one-to-one NAT and PAT are not enabled; is NAT not working at all?

    I set up the VLANs on the RV320 and the routes seem to be there. What am I doing wrong? I'm about to give up and return to L2 mode on the switch.

    Also, I had to give the DHCP responsibility to the SG300, as the RV320 handed out itself, ".60", as the default gateway and not the ".1" of the SG300. What is the problem with that? I want to use the RV320 as my DHCP/DNS box, but that seems to be easier said than done.

    SG300:

    VLAN104

    VLAN105

    192.168.4.1

    192.169.5.1

    RV320:

    VLAN104

    VLAN105

    192.168.5.60

    192.168.4.60

    I don't think it's possible to do, but maybe Cisco can chime in on whether it is possible or not.

  • Help with Cisco PIX 506E

    I need help setting up a Cisco PIX 506E Version 6.3 (5)

    I use the PDM to configure the device, because I don't know enough CLI. I just want the simplest of configurations.

    Here is what is happening: I set it up, then I connect Interface 1 to my laptop and use DHCP to get an IP address, but I can't get out to the internet like that. Using the PDM tools, I can ping outside IPs very well.

    6.3 (5) PIX version
    interface ethernet0 car
    Auto interface ethernet1
    ethernet0 nameif outside security0
    nameif ethernet1 inside the security100
    activate the encrypted password of DkreNA9TaOYv27T8
    c4EBnG8v5uKhu.PA encrypted passwd
    hostname EWMS-PIX-630
    domain ciscopix.com
    fixup protocol dns-length maximum 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol 2000 skinny
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names of
    object-group service udp test
    port-object eq isakmp
    inside_access_in ip access list allow a whole
    access-list inside_access_in allow a tcp
    access-list inside_access_in allow icmp a whole
    Allow Access-list inside_access_in esp a whole
    inside_access_in tcp allowed access list all eq www everything
    access-list inside_outbound_nat0_acl permit ip interface inside 10.10.10.96 255.255.255.240
    access-list inside_outbound_nat0_acl permit ip any 10.10.10.192 255.255.255.224
    pager lines 24
    logging timestamp
    logging trap debugging
    logging host inside 10.10.10.13
    mtu outside 1500
    mtu inside 1500
    ip address outside 75.146.94.109 255.255.255.248
    ip address inside 10.10.10.250 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.10.10.1 255.255.255.255 inside
    pdm location 10.10.10.13 255.255.255.255 inside
    pdm location 10.10.10.253 255.255.255.255 inside
    pdm location 75.146.94.105 255.255.255.255 inside
    pdm location 75.146.94.106 255.255.255.255 inside
    pdm location 10.10.10.96 255.255.255.240 outside
    pdm location 10.10.10.192 255.255.255.224 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 75.146.94.110 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (inside) host 10.10.10.1 timeout 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    isakmp enable outside
    isakmp peer ip 206.196.18.227 no-xauth no-config-mode
    isakmp nat-traversal 20
    isakmp policy 20 authentication rsa-sig
    encryption of ISAKMP policy 20
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    encryption of ISAKMP policy 40
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    isakmp policy 60 authentication rsa-sig
    encryption of ISAKMP policy 60
    isakmp policy 60 hash md5
    isakmp policy 60 group 2
    isakmp policy 60 lifetime 86400
    telnet 10.10.10.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 10.10.10.2-10.10.10.5 inside
    dhcpd dns 68.87.72.130
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    username btork password Ww3clvi.ynWeGweE encrypted privilege 15
    vpnclient server 10.10.10.1
    vpnclient mode client-mode
    vpnclient vpngroup GroupA password ********
    vpnclient username btork password ********
    terminal width 80
    Cryptochecksum:5ef06e69c17b6128e1778e988d1b9f5d
    : end
    [OK]

    Any help would be appreciated.

    Brian

    Brian

    NAT is your problem, i.e.

    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0

    Presumably the first NAT is for your VPN. That ACL looks a little funny, what exactly are you doing with that?

    The second NAT is the real problem for outgoing Internet access: with that NAT statement, you are saying do not NAT your 10.10.10.x addresses, which is a problem as 10.x.x.x addresses are not routable on the Internet.

    You must change this setting, i.e.

    (1) remove the second NAT statement, i.e. "no nat (inside) 0 0.0.0.0 0.0.0.0".

    (2) add a new NAT statement: "nat (inside) 1 0.0.0.0 0.0.0.0".

    (3) add a corresponding global statement: "global (outside) 1 interface".

    This will PAT all your 10.10.10.x addresses to the external IP address.

    Apologies, but these are CLI commands, as I don't use PDM.

    Jon
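
The check described in the reply above, as an added example (not code from either poster): it flags a PIX 6.x identity NAT (`nat ... 0`) that covers a private inside network, and a `nat` id with no matching `global`. The sample config and its 203.0.113.x addresses are constructed, and the function name `audit_nat` is hypothetical.

```python
import ipaddress
import re

# Constructed sample in PIX 6.x syntax, modelled on the NAT lines in the thread.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.10.10.250 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.6 1
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (access-list \S+|\S+ \S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
IFADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")


def audit_nat(config):
    """Return findings for outbound NAT rules that cannot work on the Internet."""
    nats, global_ids, nets = [], set(), {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(int(m.group(2)))
        elif m := IFADDR_RE.match(line):
            nets[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}").network

    findings = []
    for ifc, nat_id, spec in nats:
        if spec.startswith("access-list"):
            continue  # ACL-scoped exemption (e.g. VPN traffic) is a separate review
        scope = ipaddress.ip_network(spec.replace(" ", "/"), strict=False)
        local = nets.get(ifc)
        if nat_id == 0 and local and local.is_private and scope.overlaps(local):
            # Identity NAT: the private source address goes out untranslated.
            findings.append(f"nat ({ifc}) 0 {spec}: private {local} leaves untranslated")
        elif nat_id > 0 and nat_id not in global_ids:
            # A dynamic NAT id needs a global pool or interface PAT with the same id.
            findings.append(f"nat ({ifc}) {nat_id} {spec}: no global with id {nat_id}")
    return findings


if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```
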

  • ASA - upgrade to 8.4, unable to ping the inside interface via IPSec VPN

    We have configured a 5-site, site-to-site VPN scenario.   Last week, we upgraded 2 ASA 5505 devices to 8.4.2.   Before the upgrade, our monitoring software would ping the inside interface from remote devices to confirm VPN tunnels were established, as well as the addresses of remote devices and the outside of the ASA.   While we were on 8.2, remote equipment successfully pinged the inside interface.   After that we went to 8.4.2 we can do a ping to this interface.   We looked at the logs and we see the ICMP traffic listed in the log, but the remote equipment does not receive ICMP traffic back.   We can ping successfully from local hardware to the inside interface and the external interface of remote devices.  In addition, we can ping hardware behind the two devices in both directions successfully.

    We are unable to remotely manage the device through the VPN tunnel.

    The network is:

    ASA #1 inside 10.168.107.1 (running ASA 8.2)

    ASA #2 inside 10.168.101.1 (running ASA 8.4)

    Server 1 (behind the ASA #1) 10.168.107.34

    Server 2 (behind the ASA #2) 10.168.101.14

    Can ping Server 1 to Server 2

    Can ping Server 1 to ASA 1

    Can ping Server 2 to ASA 2

    Can ping Server 2 to Server 1

    Can ping Server 2 to ASA 1

    Can ping ASA 2 to ASA 1

    Cannot ping ASA 1 to ASA 2

    Cannot ping Server 1 to ASA 2

    Cannot access the ASA 2 management interface over HTTPS, nor with the ASDM software

    The config on ASA 2 is attached.

    Any thoughts would be appreciated.

    Hey Joseph,

    Most likely, you hit this bug:

    CSCtr16184 bug details
    To-the-box traffic fails from hosts over VPN after upgrade to 8.4.2.
    Symptom:
    After upgrading the ASA to 8.4.2, all management traffic to the box (including
    ICMP/telnet/ssh/ASDM) from hosts over the VPN (L2L or remote access VPN) can
    fail to the management-access interface IP address.
    Conditions:
    1. The problem occurs if the ASA is on 8.4.2. It has not been seen on 8.4.1.
    2. Users directly connected to the internal interfaces have no problem with
    ICMP/telnet/ssh/ASDM to their respective interfaces.
    Workaround:
    The problem is traced to a manual NAT statement that overlaps with the
    management-access interface IP address. The NAT must have both the
    source and destination fields. Adding the "route-lookup" keyword at the end of
    the NAT statement resolves the problem.
    Ex:
    The ASA's management-access interface IP address is 192.168.1.1.
    ! Overlapping NAT statement:
    nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn
    ! New statement:
    nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn route-lookup

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

    HTH,

    Raga
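
A config check for the workaround in the bug text above, as an added example (not Cisco's code and not from the thread): it lists ASA 8.4 manual NAT statements whose real source object contains the management-access IP and which lack `route-lookup`. The sample config is constructed, the function names are hypothetical, and the management IP is passed in by the caller rather than read from the config.

```python
import ipaddress
import re

# Constructed ASA 8.4-style sample; object names follow the bug's example.
SAMPLE_CONFIG = """\
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-vpn
 subnet 10.168.107.0 255.255.255.0
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
# Manual (twice) NAT with both a source and a destination clause.
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)(.*)$"
)


def parse_objects(config):
    """Map each 'object network' name to the network it defines."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif current and (m := SUBNET_RE.match(line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := HOST_RE.match(line)):
            objects[current] = ipaddress.ip_network(m.group(1))
    return objects


def nat_missing_route_lookup(config, mgmt_ip):
    """Return manual NAT lines that overlap mgmt_ip and lack route-lookup."""
    objects = parse_objects(config)
    mgmt = ipaddress.ip_address(mgmt_ip)
    hits = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        real_src = objects.get(m.group(3))
        options = m.group(7).split()
        if real_src and mgmt in real_src and "route-lookup" not in options:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line in nat_missing_route_lookup(SAMPLE_CONFIG, "192.168.1.1"):
        print("add route-lookup:", line)
```
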

  • VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

    Hello

    I'm a little confused as to what the problem is. This is the premise for the problem I am facing.

    One of our big clients has a Cisco ASA5540 (8.2(2)) failover pair (active/standby). Early last year, we configured a LAN-to-LAN VPN to a 3rd party site (a Check Point device on their end). It worked until early this week, when connection problems suddenly started.

    Only 1 of the 3 networks/hosts can access the remote network on the other side. The 2 others have suddenly stopped working. We do not know of any change on our side, and the remote end also insists that their configurations are correct (and from the information they sent me, they seem to be correct).

    So essentially the encryption domain is configured as follows:

    access-list line 1 extended permit ip host 10.238.57.21 host 10.82.0.202 (hitcnt=2)
    access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt=198)
    access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt=173)

    NAT exemption has been configured as follows (interface names modified):

    nat (interface1) 0 access-list INTERIOR-VPN-SHEEP

    access-list INTERIOR-VPN-SHEEP line 1 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    access-list SHEEP-VPN-INSIDE line 2 extended permit ip host 10.238.57.21 host 10.82.0.202

    nat (interface2) 0 access-list VPN-SHEEP

    access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

    After the problem started, only connections from the 10.207.0.0/16 network worked to the remote site 10.82.0.200/30. All other connections do not work.

    There has been no change made on our side, and the remote side also insists there has been no change. I also checked how long the ASAs have been up and how long the same device has been active in the failover pair. Both have been for the same time (about a year).

    The main problem is that users of the 10.231.191.0/24 network can't access the remote network. However, the remote user can initiate and bring up the VPN from their side but does not get any return traffic. I've also checked that the routes are configured correctly in the core routers, so the return traffic for their connections should go back to the firewall.

    Also used of "packet-tracer" event raising the VPN tunnel (even if it passes the VPN phases). To my understanding, "packet-tracer" alone with the source and destination IP addresses should bring up the VPN connection (even if it generates no actual traffic to the tunnel).

    This is the printout of the following command: "packet-tracer input interface1 tcp 10.231.191.100 1025 10.82.0.203 80".

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 10.82.0.200 255.255.255.252 outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group interface interface1
    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    Additional Information:

    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
    inspect http
    service-policy global_policy global
    Additional Information:

    Phase: 7
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: NAT-EXEMPT
    Subtype:
    Result: ALLOW
    Config:
    nat-control
    match ip inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
    NAT exempt
    translate_hits = 32, untranslate_hits = 35251
    Additional Information:

    -Phase 9 is a static NAT of the problem network to another interface. Don't know why it shows up in the printout.

    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (interface1,interface3) 10.231.0.0 10.231.0.0 netmask 255.255.0.0
    nat-control
    match ip inside 10.231.0.0 255.255.0.0 interface3 any
    static translation to 10.231.0.0
    translate_hits = 153954, untranslate_hits = 88
    Additional Information:

    -Phase 10 seems to be the default NAT configuration for the local network when traffic is headed to the Internet.

    Phase: 10
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (interface1) 5 10.231.191.0 255.255.255.0
    nat-control
    match ip inside 10.231.191.0 255.255.255.0 outside any
    dynamic translation to pool 5 (y.y.y.y)
    translate_hits = 3048900, untranslate_hits = 77195
    Additional Information:

    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 12
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 13
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 14
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1047981896, packet dispatched to next module

    Result:
    input-interface: interface1
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    So, basically, the connection should properly go to the L2L VPN connection, yet it does not. I tried to generate traffic from the customer core (with a source IP address from the client network) and I see the connection on the firewall, yet there are absolutely no encapsulated packets when I check "show crypto ipsec sa" for this L2L VPN connection. It's almost as if the firewall just forwards the packets out the external interface instead of encapsulating them for the VPN?

    And as I said, at the same time the remote end can bring up the connection between these 2 networks just fine, but just won't get any traffic back for their ICMP echo messages.

    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
    current_peer: y.y.y.y

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    If it was just a routing problem it would be a simple thing to fix, but it is not, because I can see, and have confirmed, the connection from the core router on the firewall, but the packets just don't get passed on to the VPN connection.

    Could this happen due to a bug in the ASA software? Could this be something with the Check Point VPN device? (I have absolutely no experience with Check Point devices.)

    If there is any essential information that I can give, please ask.

    -Jouni

    Jouni,

    8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

    If this does not resolve the problem - I suggest opening a TAC case to get to the bottom of this ;-)

    Marcin
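
The symptom in the question above (decaps counting up while encaps stays at 0) can be picked out of `show crypto ipsec sa` output automatically. This is an added example, not code from the thread: the sample output is constructed, the first SA's counters are invented for contrast, and the function names are hypothetical.

```python
import re

# Constructed excerpt in the layout of "show crypto ipsec sa"; peer is a placeholder.
SAMPLE_OUTPUT = """\
      local ident (addr/mask/prot/port): (10.207.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
      current_peer: y.y.y.y
      #pkts encaps: 5120, #pkts encrypt: 5120, #pkts digest: 5120
      #pkts decaps: 4987, #pkts decrypt: 4987, #pkts verify: 4987
      local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
      current_peer: y.y.y.y
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sas(output):
    """Split the output into one dict per SA, keyed on the 'local ident' line."""
    sas = []
    for line in output.splitlines():
        if m := IDENT_RE.search(line):
            if m.group(1) == "local":
                sas.append({"encaps": 0, "decaps": 0})
            if sas:
                sas[-1][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif sas:
            for name, value in COUNTER_RE.findall(line):
                sas[-1][name] = int(value)
    return sas


def one_way_sas(output, min_packets=1):
    """Return (local, remote, direction) for SAs passing traffic one way only."""
    findings = []
    for sa in parse_sas(output):
        if sa["encaps"] == 0 and sa["decaps"] >= min_packets:
            # Peer traffic is decrypted here, but nothing is encrypted back.
            findings.append((sa["local"], sa.get("remote"), "receive-only"))
        elif sa["decaps"] == 0 and sa["encaps"] >= min_packets:
            findings.append((sa["local"], sa.get("remote"), "send-only"))
    return findings


if __name__ == "__main__":
    for local, remote, direction in one_way_sas(SAMPLE_OUTPUT):
        print(f"{local} -> {remote}: {direction}")
```

A receive-only SA means the return packets never reach the encryption step on this device, so the place to look is local routing, NAT and crypto ACL matching rather than the peer.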

  • NAT on SRP527W (distant)

    Hi all

    Implementing PBR (on an 1841) to send customer-specific traffic through an SRP527W. Now the PBR policy seems to work - I debugged and confirmed I get policy matches and PBR is correctly forwarding traffic to the SRP527W.

    The problem I'm having is that I can't reach anything beyond the public IP address on the LAN interface. I came to the conclusion that the SRP527W is happy to provide NAT functionality for its directly connected IP subnet. A client machine on the subnet (10.10.10.0/29) gets out OK, but as soon as the client is behind another router, I can't access the Internet.

    I confirmed all the routing is OK and can ping from a client using 192.168.2.x to the LAN and the WAN interface of the SRP, but not beyond.

    Can anyone confirm if my NAT theory is true?

    Firmware is 1.01 (17). Interestingly, the Administration menu does not provide an option to upgrade (or backup, restore or anything one would expect to find other than date and time). It was a Telstra-provided unit with the DSL service.

    Kind regards

    Russell

    Hi Russell,

    It is a known limitation of the SRP520, which we are trying to address in future releases/products.

    BTW - you do not see these additional menus when you log on with the user account (cisco).  All features are available via the administrator (admin) account.  For the admin account, the default password is 'admin' - not sure whether Telstra would have locked it down or not.

    If you need new code for this device, please contact Telstra.

    Kind regards

    Andy
