NATting a server

I have a NAT problem that is confounding me.

Today, in our lab, I have a video server that is on the subnet 10.16.42.91/26.

This subnet is managed by an L3 switch, with L3 routing to the rest of the network.

I need this test server on an emulated WAN access to validate the performance of the Executive Office.

The WAN emulator is all set up and works fine.

Now I would like to extend this slow access outside the laboratory, so that everyone can test the slow lane of their office.

To do this, I added a 2nd router between the video server's subnet and the rest of the network.

I want to NAT the 10.16.42.91 address to 10.16.44.91,

such that... anyone using 10.16.44.91 goes through the slow lane, and anyone using 10.16.42.91 through the GigE.

The NATing router is an 881 running 15.3.

Should be hide NAT; return traffic would be routed through the NAT router.

I tried several NAT configs, but remain confused.

Diagram below... Would appreciate any suggestions.

Thanks in advance

Wes

You need two things-

(1) for the return traffic back to the 881 you need to NAT overload all users' IPs to the 10.16.42.x 881 interface IP. You have the inside facing the users, which makes it a lot easier if-

access-list 101 permit ip 10.0.0.0 0.0.0.255 host 10.16.44.91

ip nat inside source list 101 interface INTERFACE overload   <- where INTERFACE is the one facing the server

Note that I'm not entirely sure of the exact order of processing for the two NAT statements, so in the ACL above where you have host 10.16.44.91, you might need to change it to the real server IP. Try the above first.

(2) a NAT for the server-

ip nat outside source static 10.16.42.91 10.16.44.91

Edit - I'm assuming you have already assigned 'ip nat inside' to the interface on the 881 to the users and 'ip nat outside' on the interface to the server.

Jon
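The two NAT pieces from the answer above, assembled into one 881 configuration as an added example (not the thread's own config); it also adds the routes the answer does not mention, since IOS routes before it translates. Interface names (Vlan1, FastEthernet4), the addresses of the 881's interfaces, the users' address range 10.16.0.0/16 and the L3 switch next hop are all assumptions.

```cisco
! Added example, not from the original thread. Inside = side facing the users
! and the L3 switch; outside = side facing the video server (through the emulator).
interface Vlan1
 description users / L3 switch side (assumed address)
 ip address 10.16.50.2 255.255.255.0
 ip nat inside
!
interface FastEthernet4
 description video server side, 10.16.42.64/26 (assumed address)
 ip address 10.16.42.66 255.255.255.192
 ip nat outside
!
! Return path for untranslated replies: user subnets live behind the L3 switch
! (assumed 10.16.0.0/16 via 10.16.50.1; the /26 on FastEthernet4 wins by longest match).
ip route 10.16.0.0 255.255.0.0 10.16.50.1
!
! (1) Hide NAT: users reaching the slow-lane address are overloaded onto the
! 881's outside IP, which sits on the server's own subnet, so the server's
! replies come straight back to the 881 with no routing change on the L3 switch.
access-list 101 remark users -> slow-lane address; change host to 10.16.42.91 if
access-list 101 remark 'show ip nat translations' stays empty, as the answer notes
access-list 101 permit ip 10.16.0.0 0.0.255.255 host 10.16.44.91
ip nat inside source list 101 interface FastEthernet4 overload
!
! (2) Outside static NAT: the real server 10.16.42.91 (outside global) is seen by
! users as 10.16.44.91 (outside local). Routing happens before inside-to-outside
! NAT, so add-route installs a host route for 10.16.44.91 out the outside
! interface; without it the 881 has no route for the slow-lane address.
ip nat outside source static 10.16.42.91 10.16.44.91 add-route
!
! Still needed on the L3 switch (assumed 881 inside address), so that only the
! slow-lane address is sent through the 881 while 10.16.42.91 keeps the GigE path:
!   ip route 10.16.44.91 255.255.255.255 10.16.50.2
!
! Checks: 'show ip nat translations' should list the static 10.16.42.91 <-> 10.16.44.91
! entry, and per-connection entries with the FastEthernet4 address as the inside
! global once a user connects; 'show ip route 10.16.44.91' confirms the add-route host route.
```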

Tags: Cisco Network

Similar Questions

  • asa5512 V8.6 nat web server cannot access

    Hi all

    asa5512 V8.6 nat web server cannot access.

    my home pc can access www.cisco.com, but external client cannot access my web server inside...

    All of my config, I do not know what is wrong.

    Thank you for your help.

    ciscoasa# show running-config

    : Saved

    :

    ASA 1.0000 Version 2

    !

    ciscoasa hostname

    activate 2KFQnbNIdI.2KYOU encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface GigabitEthernet0/0

    nameif outside

    security-level 0

    address IP XXX1 255.255.255.240

    !

    interface GigabitEthernet0/1

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/3

    Description link to 3560 G0/1

    Speed 1000

    full duplex

    nameif inside

    security-level 100

    192.168.1.13 IP address 255.255.255.0

    !

    interface GigabitEthernet0/4

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/5

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 192.168.100.1 address 255.255.255.0

    !

    !

    time-range k3used

    absolute starting 08:00 January 1, 2008

    daily periodical 0:00 to 23:59

    periodical daily 09:00-18:00

    !

    passive FTP mode

    clock timezone BeiJing 8

    network object obj - 192.168.1.0

    subnet 192.168.1.0 255.255.255.0

    network object obj - 192.168.200.0

    192.168.200.0 subnet 255.255.255.0

    network object obj - 192.168.1.2

    host 192.168.1.2

    network object obj - 192.168.1.2 - 01

    host 192.168.1.2

    network object obj - 192.168.1.19

    Home 192.168.1.19

    network object obj - 192.168.1.20

    host 192.168.1.20

    network object obj - 192.168.1.88

    Home 192.168.1.88

    network object obj - 192.168.1.1

    host 192.168.1.1

    network object obj - 192.168.1.2 - 02

    host 192.168.1.2

    network object obj - 192.168.1.6

    host 192.168.1.6

    object obj - X.X.X.3 network

    Home X.X.X.3

    object obj-tcp-source-eq-25 service

    tcp source eq smtp service

    obj-tcp-source-eq-110 service object

    tcp source eq Microsoft pop3 service

    object obj - X.X.X.10 network

    Home X.X.X.10

    obj-tcp-source-eq-8086 service object

    tcp source eq 8086 service

    obj-tcp-source-eq-80 service object

    tcp source eq www service

    network object obj - 192.168.1.1 - 01

    host 192.168.1.1

    obj-tcp-source-eq-3389 service object

    source eq 3389 tcp service

    obj-tcp-source-eq-9877 service object

    tcp source eq 9877 service

    obj-tcp-source-eq-21 service object

    tcp source eq ftp service

    object obj-tcp-source-eq-20 service

    tcp source eq ftp service - data

    network object obj - 192.168.2.88

    Home 192.168.2.88

    network object obj - 192.168.2.88 - 01

    Home 192.168.2.88

    network object obj - 192.168.2.88 - 02

    Home 192.168.2.88

    network object obj - 192.168.1.19 - 01

    Home 192.168.1.19

    network object obj - 192.168.2.2

    host 192.168.2.2

    network object obj - 192.168.2.2 - 01

    host 192.168.2.2

    network object obj - 192.168.2.2 - 02

    host 192.168.2.2

    network object obj - 192.168.3.2

    host 192.168.3.2

    network object obj - 192.168.3.2 - 01

    host 192.168.3.2

    network object obj - 192.168.3.2 - 02

    host 192.168.3.2

    object obj - X.X.X.9 network

    Home X.X.X.9

    obj-tcp-source-eq-8087 service object

    tcp source eq 8087 service

    network object obj - 192.168.1.200

    host 192.168.1.200

    network object obj - 192.168.1.200 - 01

    host 192.168.1.200

    network object obj - 192.168.1.30

    host 192.168.1.30

    network object obj - 192.168.1.30 - 01

    host 192.168.1.30

    network object obj - 192.168.1.1 - 02

    host 192.168.1.1

    object obj - X.X.X.6 network

    Home X.X.X.6

    obj-tcp-source-eq-8088 service object

    tcp source eq 8088 service

    network object obj - 192.168.3.5

    Home 192.168.3.5

    network object obj - 192.168.3.5 - 01

    Home 192.168.3.5

    network object obj - 192.168.3.5 - 02

    Home 192.168.3.5

    network object obj - 192.168.3.5 - 03

    Home 192.168.3.5

    network object obj - 192.168.3.5 - 04

    Home 192.168.3.5

    network object obj - 192.168.2.0

    Subnet 192.168.2.0 255.255.255.0

    network object obj - 192.168.3.0

    subnet 192.168.3.0 255.255.255.0

    network object obj - 192.168.4.0

    subnet 192.168.4.0 255.255.255.0

    network object obj - 192.168.5.0

    192.168.5.0 subnet 255.255.255.0

    network object obj - 192.168.6.0

    192.168.6.0 subnet 255.255.255.0

    network object obj - 192.168.7.0

    192.168.7.0 subnet 255.255.255.0

    network object obj - 192.168.8.0

    192.168.8.0 subnet 255.255.255.0

    vpn_list to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.200.0 255.255.255.0

    vpn_list to access extended list ip 192.168.200.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

    access-list 101 extended deny ip any host 58.215.78.113

    access-list 101 extended deny ip any host 61.139.126.81

    access-list 101 extended deny ip any host 61.152.94.154

    access-list 101 extended allow host ip 192.168.4.2 all

    access-list 101 extended allow host ip 192.168.4.3 all

    access-list 101 extended allow host ip 192.168.4.4 all

    access-list 101 extended allow host ip 192.168.4.5 all

    access-list 101 extended allow host ip 192.168.4.7 everything

    access-list 101 extended permit ip host 192.168.4.8 all

    access-list 101 extended permit ip host 192.168.4.9 all

    access-list 101 extended permit ip host 192.168.4.10 all

    access-list 101 extended allow host ip 192.168.4.11 all

    access-list 101 extended allow host ip 192.168.4.12 all

    access-list 101 extended allow host ip 192.168.4.13 all

    access-list 101 extended allow host ip 192.168.4.14 all

    access-list 101 extended allow host ip 192.168.4.15 all

    access-list 101 extended allow host ip 192.168.4.16 all

    access-list 101 extended allow host 192.168.4.18 ip everything

    access-list 101 extended allow host ip 192.168.4.19 all

    access-list 101 extended allow host ip 192.168.4.20 all

    access-list 101 extended allow host ip 192.168.4.180 all

    access-list 101 extended deny ip 192.168.4.0 255.255.255.0 any

    access-list 101 extended allow host ip 192.168.2.176 all

    access-list 101 extended allow icmp a whole

    access-list 101 extended allow host ip 192.168.2.3 everything

    access-list 101 extended allow host ip 192.168.2.164 all

    access-list 101 extended allow host ip 192.168.2.171 all

    access-list 101 extended allow host ip 192.168.2.142 all

    access-list 101 extended allow host ip 192.168.2.180 all

    access-list 101 extended allow host ip 192.168.2.149 all

    access-list 101 extended allow host ip 192.168.2.201 all

    access-list 101 extended allow host ip 192.168.2.170 all

    access-list 101 extended allow host ip 192.168.2.168 all

    access-list 101 extended allow host ip 192.168.2.103 everything

    access-list 101 extended allow host ip 192.168.2.34 all

    access-list 101 extended allow host ip 192.168.2.174 all

    access-list 101 extended allow host ip 192.168.2.199 all

    access-list 101 extended allow host ip 192.168.2.253 everything

    access-list 101 extended allow host ip 192.168.2.236 all

    access-list 101 extended allow host ip 192.168.2.214 all

    access-list 101 extended allow host ip 192.168.2.110 everything

    access-list 101 extended allow host ip 192.168.2.127 all

    access-list 101 extended allow host ip 192.168.2.178 all

    access-list 101 extended allow host ip 192.168.2.21 all

    access-list 101 extended allow host ip 192.168.2.24 all

    access-list 101 extended allow host ip 192.168.2.251 all

    access-list 101 extended allow host ip 192.168.2.33 all

    access-list 101 extended allow host ip 192.168.2.120 all

    access-list 101 extended allow host ip 192.168.2.85 all

    access-list 101 extended allow host ip 192.168.2.137 all

    access-list 101 extended allow host ip 192.168.2.113 all

    access-list 101 extended allow ip 192.168.2.20 host everything

    access-list 101 extended allow host ip 192.168.2.101 everything

    access-list 101 extended allow host ip 192.168.2.106 all

    access-list 101 extended allow host ip 192.168.2.140 all

    access-list 101 extended allow host ip 192.168.2.215 all

    access-list 101 extended allow host ip 192.168.2.107 all

    access-list 101 extended allow host ip 192.168.2.234 all

    access-list 101 extended allow host ip 192.168.2.15 all

    access-list 101 extended allow host ip 192.168.2.55 all

    access-list 101 extended allow host ip 192.168.2.41 all

    access-list 101 extended permit ip host 192.168.2.13 all

    access-list 101 extended allow host ip 192.168.2.133 everything

    access-list 101 extended allow host ip 192.168.2.73 all

    access-list 101 extended allow host ip 192.168.2.172 all

    access-list 101 extended allow host ip 192.168.2.175 all

    access-list 101 extended allow host ip 192.168.2.88 all

    access-list 101 extended allow host ip 192.168.2.188 all

    access-list 101 extended allow host ip 192.168.2.136 all

    access-list 101 extended allow host ip 192.168.2.74 all

    access-list 101 extended allow host ip 192.168.2.12 everything

    access-list 101 extended allow host ip 192.168.2.100 everything

    access-list 101 extended allow host ip of 192.168.2.102 everything

    access-list 101 extended allow host ip 192.168.2.152 all

    access-list 101 extended allow ip 192.168.2.4 host everything

    access-list 101 extended allow host ip 192.168.2.5 everything

    access-list 101 extended allow host ip 192.168.2.6 everything

    access-list 101 extended allow host ip 192.168.2.14 all

    access-list 101 extended allow host ip 192.168.2.19 all

    access-list 101 extended permit ip host 192.168.2.16 all

    access-list 101 extended allow host ip 192.168.2.17 all

    access-list 101 extended allow host ip 192.168.2.18 all

    access-list 101 extended allow host ip 192.168.2.22 all

    access-list 101 extended allow host ip 192.168.2.23 all

    access-list 101 extended allow host ip 192.168.2.115 all

    access-list 101 extended allow host ip 192.168.2.116 all

    access-list 101 extended allow host ip 192.168.2.117 all

    access-list 101 extended allow host ip 192.168.2.118 all

    access-list 101 extended allow host ip 192.168.2.119 all

    access-list 101 extended allow host ip 192.168.2.150 all

    access-list 101 extended allow host ip 192.168.2.128 all

    access-list 101 extended deny ip 192.168.2.0 255.255.255.0 any

    access-list 101 extended allow ip 192.168.3.2 host everything

    access-list 101 extended allow host ip 192.168.3.3 everything

    access-list 101 extended permit ip host 192.168.3.4 everything

    access-list 101 extended allow host ip 192.168.3.5 all

    access-list 101 extended allow host ip 192.168.3.6 all

    access-list 101 extended allow host ip 192.168.3.7 all

    access-list 101 extended allow host ip 192.168.3.8 all

    access-list 101 extended allow host ip 192.168.3.9 all

    access-list 101 extended allow host ip 192.168.3.10 everything

    access-list 101 extended allow host ip 192.168.3.11 all

    access-list 101 extended allow host ip 192.168.3.12 all

    access-list 101 extended allow host ip 192.168.3.13 all

    access-list 101 extended allow host ip 192.168.3.14 all

    access-list 101 extended allow host ip 192.168.3.15 everything

    access-list 101 extended allow host ip 192.168.3.16 all

    access-list 101 extended allow host ip 192.168.3.17 everything

    access-list 101 extended allow host ip 192.168.3.18 all

    access-list 101 extended allow host ip 192.168.3.19 all

    access-list 101 extended allow host ip 192.168.3.20 everything

    access-list 101 extended permit ip host 192.168.3.21 all

    access-list 101 extended allow host ip 192.168.3.22 all

    access-list 101 extended allow host ip 192.168.3.23 all

    access-list 101 extended allow host ip 192.168.3.24 everything

    access-list 101 extended allow host ip 192.168.3.25 all

    access-list 101 extended allow host ip 192.168.3.26 all

    access-list 101 extended allow host ip 192.168.3.27 all

    access-list 101 extended allow host ip 192.168.3.28 all

    access-list 101 extended allow host ip 192.168.3.29 all

    access-list 101 extended allow host ip 192.168.3.30 all

    access-list 101 extended allow host ip 192.168.3.31 all

    access-list 101 extended allow host ip 192.168.3.32 all

    access-list 101 extended allow host ip 192.168.3.33 all

    access-list 101 extended allow host ip 192.168.3.34 all

    access-list 101 extended allow host ip 192.168.3.35 all

    access-list 101 extended allow host ip 192.168.3.36 all

    access-list 101 extended allow host ip 192.168.3.37 all

    access-list 101 extended allow host ip 192.168.3.38 all

    access-list 101 extended allow host ip 192.168.3.39 all

    access-list 101 extended allow host ip 192.168.3.40 all

    access-list 101 extended allow host ip 192.168.3.41 all

    access-list 101 extended allow host ip 192.168.3.42 all

    access-list 101 extended allow host ip 192.168.3.43 all

    access-list 101 extended allow host ip 192.168.3.86 all

    access-list 101 extended allow host ip 192.168.3.88 all

    access-list 101 extended allow host ip 192.168.3.89 all

    access-list 101 extended allow host ip 192.168.3.56 all

    access-list 101 extended allow host ip 192.168.3.55 all

    access-list 101 extended allow host ip 192.168.3.96 all

    access-list 101 extended allow host ip 192.168.3.97 all

    access-list 101 extended allow host ip 192.168.3.98 all

    access-list 101 extended allow host ip 192.168.3.116 all

    access-list 101 extended allow host ip 192.168.3.111 all

    access-list 101 extended allow host ip 192.168.3.175 all

    access-list 101 extended allow host ip 192.168.3.176 all

    access-list 101 extended allow host ip 192.168.3.201 all

    access-list 101 extended allow host ip 192.168.3.202 all

    access-list 101 extended allow host ip 192.168.3.203 all

    access-list 101 extended allow host ip 192.168.3.204 all

    access-list 101 extended allow host ip 192.168.3.205 all

    access-list 101 extended allow host ip 192.168.3.206 all

    access-list 101 extended allow host ip 192.168.3.207 all

    access-list 101 extended allow host ip 192.168.3.208 all

    access-list 101 extended allow host ip 192.168.3.209 all

    access-list 101 extended allow host ip 192.168.3.210 all

    access-list 101 extended allow host ip 192.168.3.213 all

    access-list 101 extended allow host ip 192.168.3.214 all

    access-list 101 extended allow host ip 192.168.3.215 all

    access-list 101 extended allow host ip 192.168.3.101 all

    access-list 101 extended allow host ip 192.168.3.102 all

    access-list 101 extended allow host ip 192.168.3.103 all

    access-list 101 extended allow host ip 192.168.3.106 all

    access-list 101 extended allow host ip 192.168.3.107 all

    access-list 101 extended allow host ip 192.168.3.152 all

    access-list 101 extended allow host ip 192.168.3.151 all

    access-list 101 extended allow host ip 192.168.3.153 all

    access-list 101 extended allow host ip 192.168.3.195 all

    access-list 101 extended allow host ip 192.168.3.45 all

    access-list 101 extended allow host ip 192.168.3.46 all

    access-list 101 extended allow host ip 192.168.3.199 all

    access-list 101 extended allow host ip 192.168.3.157 all

    access-list 101 extended refuse 192.168.3.0 ip 255.255.255.0 any

    access-list 101 extended allow tcp a whole

    access list 101 scope ip allow a whole

    vpnclient_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

    2 extended access-list permit ip 192.168.2.0 255.255.255.0 any

    3 extended access-list allow ip 192.168.3.0 255.255.255.0 any

    4 extended access-list allow ip 192.168.4.0 255.255.255.0 any

    access-list extended 500 k permit ip host XXX1 everything

    access-list extended 500 k allow icmp host XXX1 everything

    access-list 102 extended allow host ip 192.168.1.6 everything

    access-list extended 100 permit tcp any host 192.168.1.1 eq www

    access-list extended 100 permit tcp any host 192.168.1.1 eq 8080

    access-list extended 100 permit tcp any host X.X.X.4

    access-list extended 100 permit ip any host X.X.X.4

    access-list extended 100 permit icmp any host X.X.X.4

    access-list extended 100 permit tcp any host 192.168.1.6 eq smtp

    access-list extended 100 permit tcp any host 192.168.1.6 eq pop3

    access-list extended 100 permit tcp any host 192.168.1.6 eq www

    access-list extended 100 permit tcp any host 192.168.1.6

    access-list 100 scope ip allow any host 192.168.1.6

    access-list extended 100 permit icmp any host 192.168.1.6

    access-list extended 100 permit tcp any host 192.168.1.19 eq 3389

    access-list extended 100 permit tcp any host 192.168.1.20 eq 3389

    access-list extended 100 permit tcp any host 192.168.1.88 eq 3389

    access-list extended 100 permit tcp any host X.X.X.12

    access-list extended 100 permit ip any host X.X.X.12

    access-list extended 100 permit icmp any host X.X.X.12

    access-list extended 100 permit tcp any host 192.168.1.6 eq 8086

    access-list extended 100 permit tcp any host 192.168.1.1 eq 3389

    access-list extended 100 permit tcp any host 192.168.1.6 eq 3389

    access-list extended 100 permit tcp any host 192.168.1.6 eq ftp

    access-list extended 100 permit tcp any host 192.168.1.6 eq ftp - data

    access-list extended 100 permit tcp any host 192.168.2.88 eq 3389

    access-list extended 100 permit tcp any host 192.168.2.88 eq 12172

    access-list extended 100 permit tcp any host 192.168.2.2 eq 3389

    access-list extended 100 permit tcp any host 192.168.2.2 eq 9116

    access-list extended 100 permit tcp any host 192.168.3.2 eq 25243

    access-list extended 100 permit tcp any host 192.168.3.2 eq 3389

    access-list extended 100 permit tcp any host 192.168.1.200 eq www

    access-list extended 100 permit tcp any host 192.168.1.200 eq 12001

    access-list extended 100 permit tcp any host 192.168.1.30 eq 3389

    access-list extended 100 permit tcp any host 192.168.3.5 eq 4160

    access-list extended 100 permit tcp any host 192.168.3.5 eq 11111

    access-list extended 100 permit tcp any host 192.168.3.5 eq 3389

    access-list extended 100 permit tcp any host X.X.X.10

    access-list extended 100 permit udp any host 192.168.2.88 eq 12172

    access-list extended 100 permit udp any host 192.168.2.2 eq 9116

    access-list extended 100 permit udp any host 192.168.3.2 eq 25243

    access-list extended 100 permit udp any host 192.168.3.5 eq 4170

    access-list extended 100 permit udp any host 192.168.3.5 eq 11111

    access-list extended 100 permit ip any host X.X.X.10

    access-list extended 100 permit tcp any host 192.168.1.6 eq 8087

    access-list extended 100 permit tcp any host X.X.X.9

    access-list extended 100 permit ip any host X.X.X.9

    access-list extended 100 permit tcp any host 192.168.1.30 eq www

    access-list extended 100 permit tcp any host X.X.X.5

    access-list extended 100 permit ip any host X.X.X.5

    access-list extended 100 permit icmp a whole

    access-list extended 100 permit tcp any host 192.168.1.6 eq 8088

    access-list extended 100 permit ip any host X.X.X.6

    access-list extended 100 permit tcp any host X.X.X.6

    access list extended 100 permit tcp host 61.186.169.129 host 192.168.1.2 eq 5872 times-range k3used

    access list extended 100 permit tcp host 61.186.169.129 host 192.168.1.2 eq 8088 times-range k3used

    access list extended 100 permit tcp host 61.186.169.129 host 192.168.1.2 eq 3389 times-range k3used

    allowed extended access list 100 tcp host 61.186.169.129 host 192.168.1.19 eq www time-range k3used

    access-list extended 100 permit tcp host 61.186.169.129 X.X.X.2 time-range k3used

    access list extended 100 permit tcp host 61.186.169.130 host 192.168.1.2 eq 5872 times-range k3used

    access list extended 100 permit tcp host 61.186.169.130 host 192.168.1.2 eq 8088 times-range k3used

    access list extended 100 permit tcp host 61.186.169.130 host 192.168.1.2 eq 3389 times-range k3used

    allowed extended access list 100 tcp host 61.186.169.130 host 192.168.1.19 eq www time-range k3used

    access-list extended 100 permit tcp host 61.186.169.130 X.X.X.2 time-range k3used

    access list extended 100 permit tcp host 61.186.169.131 host 192.168.1.2 eq 5872 times-range k3used

    access list extended 100 permit tcp host 61.186.169.131 host 192.168.1.2 eq 8088 times-range k3used

    access list extended 100 permit tcp host 61.186.169.131 host 192.168.1.2 eq 3389 times-range k3used

    allowed extended access list 100 tcp host 61.186.169.131 host 192.168.1.19 eq www time-range k3used

    access-list extended 100 permit tcp host 61.186.169.131 X.X.X.2 time-range k3used

    access list extended 100 permit tcp host 61.186.169.132 host 192.168.1.2 eq 5872 times-range k3used

    access list extended 100 permit tcp host 61.186.169.132 host 192.168.1.2 eq 8088 times-range k3used

    access list extended 100 permit tcp host 61.186.169.132 host 192.168.1.2 eq 3389 times-range k3used

    allowed extended access list 100 tcp host 61.186.169.132 host 192.168.1.19 eq www time-range k3used

    access-list extended 100 permit tcp host 61.186.169.132 X.X.X.2 time-range k3used

    access list extended 100 permit tcp host 61.186.169.133 host 192.168.1.2 eq 5872 times-range k3used

    access list extended 100 permit tcp host 61.186.169.133 host 192.168.1.2 eq 8088 times-range k3used

    access list extended 100 permit tcp host 61.186.169.133 host 192.168.1.2 eq 3389 times-range k3used

    allowed extended access list 100 tcp host 61.186.169.133 host 192.168.1.19 eq www time-range k3used

    access-list extended 100 permit tcp host 61.186.169.133 X.X.X.2 time-range k3used

    access-list extended 100 permit ip host 61.186.169.129 X.X.X.2 time-range k3used

    access-list extended 100 permit ip host 61.186.169.130 X.X.X.2 time-range k3used

    access-list extended 100 permit ip host 61.186.169.131 X.X.X.2 time-range k3used

    access-list extended 100 permit ip host 61.186.169.132 X.X.X.2 time-range k3used

    access-list extended 100 permit ip host 61.186.169.133 X.X.X.2 time-range k3used

    access-list extended 100 permit icmp host 61.186.169.129 X.X.X.2 time-range k3used

    access-list extended 100 permit icmp host 61.186.169.130 X.X.X.2 time-range k3used

    access-list extended 100 permit icmp host 61.186.169.131 X.X.X.2 time-range k3used

    access-list extended 100 permit icmp host 61.186.169.132 X.X.X.2 time-range k3used

    access-list extended 100 permit icmp host 61.186.169.133 X.X.X.2 time-range k3used

    access list extended 100 permit tcp host 183.64.106.194 host 192.168.1.2 eq 5872 times-range k3used

    access list extended 100 permit tcp host 183.64.106.194 host 192.168.1.2 eq 8088 times-range k3used

    access list extended 100 permit tcp host 183.64.106.194 host 192.168.1.2 eq 3389 times-range k3used

    allowed extended access list 100 tcp host 183.64.106.194 host 192.168.1.19 eq www time-range k3used

    access-list extended 100 permit tcp host 183.64.106.194 X.X.X.2 time-range k3used

    access-list extended 100 permit ip host 183.64.106.194 X.X.X.2 time-range k3used

    access-list extended 100 permit icmp host 183.64.106.194 X.X.X.2 time-range k3used

    access list extended 100 permit tcp host 183.64.106.195 host 192.168.1.2 eq 5872 times-range k3used

    access list extended 100 permit tcp host 183.64.106.195 host 192.168.1.2 eq 8088 times-range k3used

    access list extended 100 permit tcp host 183.64.106.195 host 192.168.1.2 eq 3389 times-range k3used

    allowed extended access list 100 tcp host 183.64.106.195 host 192.168.1.19 eq www time-range k3used

    access-list extended 100 permit tcp host 183.64.106.195 X.X.X.2 time-range k3used

    access-list extended 100 permit ip host 183.64.106.195 X.X.X.2 time-range k3used

    access-list extended 100 permit icmp host 183.64.106.195 X.X.X.2 time-range k3used

    access list extended 100 permit tcp host 14.107.162.32 host 192.168.1.2 eq 5872 times-range k3used

    access list extended 100 permit tcp host 14.107.162.32 host 192.168.1.2 eq 8088 times-range k3used

    access list extended 100 permit tcp host 14.107.162.32 host 192.168.1.2 eq 3389 times-range k3used

    allowed extended access list 100 tcp host 14.107.162.32 host 192.168.1.19 eq www time-range k3used

    access-list extended 100 permit tcp host 14.107.162.32 X.X.X.2 time-range k3used

    access-list extended 100 permit ip host 14.107.162.32 X.X.X.2 time-range k3used

    access-list extended 100 permit icmp host 14.107.162.32 X.X.X.2 time-range k3used

    access list extended 100 permit tcp host 14.107.247.121 host 192.168.1.2 eq 5872 times-range k3used

    access list extended 100 permit tcp host 14.107.247.121 host 192.168.1.2 eq 8088 times-range k3used

    access list extended 100 permit tcp host 14.107.247.121 host 192.168.1.2 eq 3389 times-range k3used

    allowed extended access list 100 tcp host 14.107.247.121 host 192.168.1.19 eq www time-range k3used

    access-list extended 100 permit tcp host 14.107.247.121 X.X.X.2 time-range k3used

    access-list extended 100 permit ip host 14.107.247.121 X.X.X.2 time-range k3used

    access-list extended 100 permit icmp host 14.107.247.121 X.X.X.2 time-range k3used

    access list extended 100 permit tcp host 61.128.208.106 host 192.168.1.2 eq 5872 times-range k3used

    access list extended 100 permit tcp host 61.128.208.106 host 192.168.1.2 eq 8088 times-range k3used

    access list extended 100 permit tcp host 61.128.208.106 host 192.168.1.2 eq 3389 times-range k3used

    allowed extended access list 100 tcp host 61.128.208.106 host 192.168.1.19 eq www time-range k3used

    access-list extended 100 permit tcp host 61.128.208.106 X.X.X.2 time-range k3used

    access-list extended 100 permit ip host 61.128.208.106 X.X.X.2 time-range k3used

    access-list extended 100 permit icmp host 61.128.208.106 X.X.X.2 time-range k3used

    access-list 100 extended tcp refuse any host 192.168.1.2 eq 5872

    access-list 100 extended tcp refuse any host 192.168.1.2 eq 8088

    access-list 100 extended tcp refuse any host 192.168.1.2 eq 3389

    access-list 100 extended tcp refuse any host 192.168.1.19 eq www

    access-list 100 extended tcp refuse any host X.X.X.2

    access-list extended 100 deny ip any host X.X.X.2

    access-list extended 100 refuse icmp any host X.X.X.2

    pager lines 24

    Outside 1500 MTU

    Within 1500 MTU

    management of MTU 1500

    IP local pool 192.168.200.1 - 192.168.200.20 mask 255.255.255.0 vpn_pool

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    NAT (inside, all) source static obj - obj - 192.168.1.0 destination 192.168.1.0 static obj - 192.168.200.0 obj - 192.168.200.0 non-proxy-arp

    NAT (inside, all) source static obj - 192.168.200.0 obj - 192.168.200.0 destination static obj - 192.168.1.0 obj - 192.168.1.0 non-proxy-arp

    NAT (inside, outside) source static obj - 192.168.1.6 obj - X.X.X.3 service obj-tcp-source-eq-25 obj-tcp-source-eq-25

    NAT (inside, outside) source static obj - 192.168.1.6 obj - X.X.X.3 service obj-tcp-source-eq-110 obj-tcp-source-eq-110

    NAT (inside, outside) source static obj - 192.168.1.6 obj - X.X.X.10 service obj-tcp-source-eq-8086 obj-tcp-source-eq-80

    NAT (inside, outside) source static obj - 192.168.1.6 obj - X.X.X.10 service obj-tcp-source-eq-3389 obj-tcp-source-eq-9877

    NAT (inside, outside) source static obj - 192.168.1.6 obj - X.X.X.10 service obj-tcp-source-eq-21 obj-tcp-source-eq-21

    NAT (inside, outside) source static obj - 192.168.1.6 obj - X.X.X.10 service obj-tcp-source-eq-20 obj-tcp-source-eq-20

    NAT (inside, outside) source static obj - 192.168.1.6 obj - X.X.X.9 service obj-tcp-source-eq-8087 obj-tcp-source-eq-80

    NAT (inside, outside) source static obj - 192.168.1.6 obj - X.X.X.6 service obj-tcp-source-eq-8088 obj-tcp-source-eq-80

    NAT (inside, outside) source static obj - 192.168.1.6 obj - X.X.X.3 service obj-tcp-source-eq-80 obj-tcp-source-eq-80

    NAT (inside, outside) source dynamic obj - 192.168.1.6 obj - X.X.X.3

    !
    object network obj-192.168.1.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.200.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.1.2
     nat (inside,outside) static X.X.X.2 service tcp 5872 5872
    object network obj-192.168.1.2-01
     nat (inside,outside) static X.X.X.2 service tcp 8088 8088
    object network obj-192.168.1.19
     nat (inside,outside) static X.X.X.12 service tcp 3389 8001
    object network obj-192.168.1.20
     nat (inside,outside) static X.X.X.12 service tcp 3389 8002
    object network obj-192.168.1.88
     nat (inside,outside) static X.X.X.12 service tcp 3389 12345
    object network obj-192.168.1.1
     nat (inside,outside) static X.X.X.4 service tcp www www
    object network obj-192.168.1.2-02
     nat (inside,outside) static X.X.X.2 service tcp 3389 8005
    object network obj-192.168.1.1-01
     nat (inside,outside) static X.X.X.10 service tcp 3389 9876
    object network obj-192.168.2.88
     nat (inside,outside) static X.X.X.10 service tcp 3389 3129
    object network obj-192.168.2.88-01
     nat (inside,outside) static X.X.X.10 service tcp 12172 12172
    object network obj-192.168.2.88-02
     nat (inside,outside) static X.X.X.10 service udp 12172 12172
    object network obj-192.168.1.19-01
     nat (inside,outside) static X.X.X.2 service tcp www 8056
    object network obj-192.168.2.2
     nat (inside,outside) static X.X.X.10 service tcp 3389 3128
    object network obj-192.168.2.2-01
     nat (inside,outside) static X.X.X.10 service tcp 9116 9116
    object network obj-192.168.2.2-02
     nat (inside,outside) static X.X.X.10 service udp 9116 9116
    object network obj-192.168.3.2
     nat (inside,outside) static X.X.X.10 service tcp 25243 25243
    object network obj-192.168.3.2-01
     nat (inside,outside) static X.X.X.10 service udp 25243 25243
    object network obj-192.168.3.2-02
     nat (inside,outside) static X.X.X.10 service tcp 3389 3130
    object network obj-192.168.1.200
     nat (inside,outside) static X.X.X.10 service tcp www 1114
    object network obj-192.168.1.200-01
     nat (inside,outside) static X.X.X.10 service tcp 12001 12001
    object network obj-192.168.1.30
     nat (inside,outside) static X.X.X.5 service tcp www www
    object network obj-192.168.1.30-01
     nat (inside,outside) static X.X.X.10 service tcp 3389 9878
    object network obj-192.168.1.1-02
     nat (inside,outside) static X.X.X.4 service tcp 8080 8080
    object network obj-192.168.3.5
     nat (inside,outside) static X.X.X.10 service tcp 4160 4160
    object network obj-192.168.3.5-01
     nat (inside,outside) static X.X.X.10 service udp 4170 4170
    object network obj-192.168.3.5-02
     nat (inside,outside) static X.X.X.10 service tcp 11111 11111
    object network obj-192.168.3.5-03
     nat (inside,outside) static X.X.X.10 service tcp 3389 3127
    object network obj-192.168.3.5-04
     nat (inside,outside) static X.X.X.10 service udp 11111 11111
    object network obj-192.168.2.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.3.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.4.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.5.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.6.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.7.0
     nat (inside,outside) dynamic interface
    object network obj-192.168.8.0
     nat (inside,outside) dynamic interface

    access-group 100 in interface outside
    access-group 101 in interface inside
    route outside 0.0.0.0 0.0.0.0 X.X.X.14 1
    route inside 192.168.2.0 255.255.255.0 192.168.1.12 1
    route inside 192.168.3.0 255.255.255.0 192.168.1.12 1
    route inside 192.168.4.0 255.255.255.0 192.168.1.12 1
    route inside 192.168.5.0 255.255.255.0 192.168.1.12 1
    route inside 192.168.6.0 255.255.255.0 192.168.1.12 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

    crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac
    crypto dynamic-map vpn_map 10 set ikev1 transform-set vpn_set
    crypto dynamic-map vpn_map 10 set reverse-route
    crypto map vpnmap 10 ipsec-isakmp dynamic vpn_map
    crypto map vpnmap interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    crypto ikev1 policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    telnet 0.0.0.0 0.0.0.0 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    ssh version 1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.43.244.18

    group-policy vpnclient internal
    group-policy vpnclient attributes
     dns-server value 61.128.128.68
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vpnclient_splitTunnelAcl
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    tunnel-group vpn_group type remote-access
    tunnel-group vpn_group general-attributes
     address-pool vpn_pool
     default-group-policy vpnclient
    tunnel-group vpn_group ipsec-attributes
     ikev1 pre-shared-key *****

    !
    class-map 500k
     match access-list 500k
    class-map inspection_default
     match default-inspection-traffic
    class-map 2
     match access-list 2
    class-map 3
     match access-list 3
    class-map 4
     match access-list 4
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    policy-map 500k
     class 500k
    policy-map 2
     class 2
     class 3
     class 4
    !
    service-policy global_policy global

    prompt hostname context
    call-home reporting anonymous prompt 2
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 13
      subscribe-to-alert-group configuration periodic monthly 13
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:ecead54d7c85807eb47c7cdaf7d7e82a
    : end
    ciscoasa#

    Hello

    Have you changed the source IP address in the command I suggested?

    There is no reason to use the 192.168.1.1 IP address as the source of this "packet-tracer" command, since the source will NEVER be this IP address: it is a private IP, not routable on the public Internet.

    So you could try with the command I suggested.

    packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80

    I guess that the above command / test failed because you were using the real server IP address as the source IP for the test.

    -Jouni

  • VPN server behind static NAT. Any advice?

    Hello

    Is it possible to configure a VPN server in the DMZ behind a static NAT translation? I have a 2911 as a border router and another 2951 as a firewall with four zones: inside1, inside2, outside, DMZ. All IP addressing between the edge and the firewall is private. Web and mail servers work in the DMZ behind static NAT. The question is: can I also configure a VPN server in the DMZ behind static NAT? Clients establishing VPN tunnels will work with (other) DMZ servers only. Thank you!

    Yes, this can be done. For IPsec VPN, just make sure that NAT-Traversal is not disabled.

    Sent from Cisco Technical Support iPad App

  • Internet/DNS problems in a NATed Windows Server domain guest

    Guys, I'm sorry if someone posted a similar question before, but I couldn't find anything concerning my problem using the search tool or surfing the net.

    I have a Windows Server 2008 R2 domain controller running in VMware Workstation 7.1.6 on Windows 7 Enterprise x64. I use the NAT option for the network, because I need to use this virtual machine on several different networks and a domain controller needs a fixed IP address. DNS is correctly configured for forward and reverse lookup, and nslookup returns the IP address and the host name of the guest.

    The problem is that I can't connect to the Internet from the virtual machine if I configure a fixed IP address (I am disabling the VMware DHCP service at the moment). If I change it to dynamic and start the VMware DHCP service, I don't have any problems.

    I looked at the gateway, DNS and subnet mask values provided by the ipconfig /all command when the server uses a dynamic address and set up the server with the same values as static. It did not work.

    Anyone have a tip for this desperate man?

    Since the domain controller is also running the DNS server, I guess the DNS server entries in the guest's IP settings point to the guest itself!

    If you are able to ping Internet addresses by IP address, you may need to configure the DNS server on the domain controller to forward DNS queries for other zones to the NAT gateway (usually 192.168.xxx.2) for proper name resolution.

    André

  • Dual ISP active/passive failover with static NAT on Cisco 1941

    Hello everyone,

    I'm working on a configuration for a client and I have everything in place right now except the static NATing. The config fails over from one ISP to the other, and with tracked, weighted static default routes the PAT swings over with route-maps for each interface. The question is, is it possible to switch the large number of static NAT entries to the backup ISP? So far, everything I've read says no, because you can have only one entry per ip/port combo, other than configuring a second static NAT for the same server with a different IP address. I just want to be sure before making my recommendations; all thoughts are greatly appreciated.

    Thank you

    Brandon

    In fact, you can, as long as you use standard NAT ("ip nat inside source static") and not NVI ("ip nat source static") for your port forwards. You apply the route-map at the end of the static NAT statement to indicate which interface it should apply to. So, if you have something like this:

     ip access-list extended ACL_NAT
      permit ip 192.168.0.0 0.0.0.255 any
     !
     route-map RM_NAT_ISP1
      match ip address ACL_NAT
      match interface GigabitEthernet0/1
     !
     route-map RM_NAT_ISP2
      match ip address ACL_NAT
      match interface GigabitEthernet0/2

    Using port 80/tcp as an example, you can do this:

     ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 route-map RM_NAT_ISP1
     ip nat inside source static tcp x.x.x.x 80 z.z.z.z 80 route-map RM_NAT_ISP2

    Just replace x.x.x.x with the LAN address of the machine you are forwarding to, y.y.y.y with the WAN address you are forwarding on ISP1, and z.z.z.z with the WAN address you are forwarding on ISP2. The static NAT will be conditional on the route-map at that point.

    This works with TCP, UDP and IP forwarding, but it does require that you use an IPv4 address for your WAN address. For some reason, it does not work if you use an interface... so if you're using dynamic addresses, it will be more complicated.

  • ASA 5510, 8.4(4), totally confused with NAT

    I'll try to keep this simple. I've spent about 18 hours of research, searching and experimenting, and that is an honest figure; I have kept track of my time so far.
    I need to run a server on our inside network, but have the outside be able to reach it through 3 specific protocols and ports.
    I had HOPED to use objects and groups to achieve this and not have to redefine this server or host 3 times and run 3 or more NAT statements, as that completely loses the concept and purpose of things, doesn't it? But the NAT statement seems to refuse to deal with GROUPS. I can put a single SERVICE or a single port in the NAT, but I can't get a single NAT line for a single object (this server) with several ports which are not a range.

    Here is the need. I'll define everything first to keep it simple and straight (at least in my head):
    The interface that faces or sits on the dirty Internet is named "WAN" (why, I don't know, but it is, and it is too complex to change it now)
    The WAN, the external interface, has an IP address of 1.1.1.66
    Our provider has given us 16 public addresses we can use.
    (1.1.1.67 is on the failover ASA for the same interface).
    My server on the inside LAN is 10.10.10.70
    I need to use ANOTHER address; I need to keep it off 1.1.1.66 and 1.1.1.67 on the WAN interface of the 5510 pair.

    I want to use a specific outside Internet address, 1.1.1.68, to access the server sitting on 10.10.10.70 inside.
    BUT, I want access to UDP 500 and UDP 4500 and ESP only, nothing else.

    The idea is this: something outside, meaning on the Internet, needs my server inside, so it hits the WAN interface on IP 1.1.1.68 on port UDP 500 or 4500 or ESP to reach my server on the inside LAN.
    The ASA notices the UDP 500, 4500 and ESP traffic to 1.1.1.68 and translates it to the SAME ports on 10.10.10.70.
    So I need a NAT statement that says traffic hitting 1.1.1.68 on UDP 500 or UDP 4500 or ESP should be sent to 10.10.10.70 UDP 500, or UDP 4500, or ESP.

    The server must of course reply back!
    So very simple, it's done all the time: "port forwarding" and a static NAT. This server would always be 1.1.1.68 if you were to look from outside, and it would also always go out under this address, but inside we know it as 10.10.10.70

    I can't seem to get the NAT statement to take: if I use a single service or define a single service it works, but when I create a service group that has ESP, UDP 4500 and UDP 500 in it, it does not recognize any group. It barfs if I say any word except SERVICE in the NAT statement.

    This is one way I tried, but 8.3 and later do not seem to like it, and the term "origin" is killing me; I cannot find it mentioned anywhere.

    object service VPN-4500
     service udp destination eq 4500
    object service VPN-500
     service udp destination eq isakmp

    object-group service mygroup
     service-object object VPN-4500
     service-object object VPN-500

    (I also have ESP in there now, but it is of no consequence; it won't work even with just these two)

    object network servernetworkobject
     host 10.10.10.70
     description My server
    object network vpn-out
     host 1.1.1.68
     description Second IP address to use when seen from my server

    nat (inside,WAN) source static servernetworkobject WANsecondIP service mygroup mygroup

    where servernetworkobject is the name I've defined for the network object in the ASA, WANsecondIP is the address I want to use, defined as a network object, and mygroup is the group I created which contains the 3 services or ports.
    These aren't the real names or addresses; it's not really that lame in the configuration, I just cleaned it up for public use.

    ALL of the examples I find on the web, including Cisco sites, are very similar to this, but then I also see that it must be defined with the network object itself, which is different from the samples on Cisco websites! I'm SO confused... Objects should simplify this in spades; instead they are making it much more difficult and making the configuration a lot bigger and clumsier.

    The best way to do this is:

    1. define the static NAT rule

    2. add an access-list (or an access-list entry in your existing WAN_in (or whatever you call it)) to allow the service group.

    So you should have:

    object network servernetworkobject
     host 10.10.10.70
     description My server
    object network vpn-out
     host 1.1.1.68
     description Second IP address to use when seen from my server

    nat (inside,WAN) source static servernetworkobject vpn-out

    ...and

    access-list WAN_in extended permit object-group mygroup any object servernetworkobject

  • Write syslog from ASA 5505 over VPN tunnel to syslog server?

    Hello

    Is it possible to let the ASA 5505 write syslog messages to a syslog server on the core network where the ASA 5550 is (over the IPsec tunnel)?

    I tried this. The tunnel is up, but I get the message "routing failed to locate next hop for udp from NP (ASA 5505 ip) to inside:(ip of the syslog server)".

    THX,

    Marc

    MJonkers,

    I would suggest that you configure the inside interface as the management-access interface. Include the syslog server IP and the inside interface IP in the NAT 0 ACL and the crypto ACL.

    You can use the "management-access" command when you want to reach an ASA's inside interface through the VPN; see the 7.2 command reference below:

    http://www.Cisco.com/en/us/customer/docs/security/ASA/asa72/command/reference/m_72.html#wp1780826

    I am running this VPN configuration on 8.2 and SNMP polling works.

    I hope this helps.

    Thank you

  • ASA 5505 Transparent Firewall with a Web Server Question

    I need to replace my Sonicwall firewall and I got an ASA 5505. However, I need to have a transparent firewall, no NATing, and the Web server will have a public IP with the relevant ports open.

    The simple illustration is: Internet ---> Transparent firewall ---> Web Server (with public IP address)

    1. there should be no NATing

    2. the web server must have a public IP address and be accessible from the internet.

    3. ports can be blocked or opened.

    Please let me know if it's possible to achieve this.

    If so, can I get a command-line sequence that makes this work.

    My version is

    Cisco Adaptive Security Appliance Software Version 4,0000 5

    Device Manager Version 6.4(9)

    Thanks in advance

    Post edited by: Don Charles

    Here is a minimum configuration for your needs (runs on an ASA 5520).

    !
    firewall transparent
    !
    interface GigabitEthernet0
     description -the Internet-
     nameif outside
     bridge-group 1
     security-level 0
    !
    interface GigabitEthernet3
     description -connected to the LAN-
     nameif inside
     bridge-group 1
     security-level 100
    !
    interface BVI1
     description -for management only-
     ip address 10.1.10.1 255.255.255.0
    !
    object network WWW-SERVER-OBJ
     description -webserver-
     host 123.123.123.123
    !
    object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
     description -Services published on the WEB server-
     port-object eq www
     port-object eq https
    !
    access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
    !
    access-group OUTSIDE-IN-ACL in interface outside
    !

    Samuel Petrescu

  • Static NAT question

    Hi Experts,

    Please help me on this. I'm attaching my network diagram with this post.
    My firewall is a Cisco ASA 5510 running software version 8.4. I set up static NAT for all three servers (in the diagram, servers 1, 2 and 3). The question is, the static NAT works only with the first server. No traffic goes to the other two servers (2 and 3). All servers are in the DMZ.

    When I remove the static NAT for servers 2 and 3, all traffic goes to the server with the WAN IP address of the firewall, which means the dynamic NAT works. I am also attaching the configuration file.

    (NOTE: NAT works for the 72.16.34.1 server)

    Kind regards,
    Martin

    Hi San,

    Would you be able to try this workaround:

    https://supportforums.Cisco.com/blog/149276/asapix-proxy-ARP-vs-gratuito...

    I think the problem is with the IP addresses provided by the ISP.

    Thanks and best regards,

    Maryse Amrodia

  • ASA 8.4(1) source-nat over site-to-site VPN

    I'm setting up a site-to-site VPN tunnel and require NAT for the local and remote side. The remote side will be NATed to 10.2.255.128/25 on their side before they reach our network, so I only have to source-NAT our servers through the tunnel to them. Should I just do the static NAT, then allow the whole subnet through the ACL for interesting traffic as in the config below? I don't think I should use twice NAT because I'm not trying to do destination NAT on the firewall. Our servers will be 10.2.255.128/25 and I would like to preserve that through the ASA.

    object network ServerA
     host 10.1.0.1
     nat (inside,outside) static 10.2.255.1
    object network ServerB
     host 10.1.0.2
     nat (inside,outside) static 10.2.255.2
    object network ServerC
     host 10.1.0.3
     nat (inside,outside) static 10.2.255.3

    object-group network LOCAL_SUBNET
     network-object 10.2.255.0 255.255.255.128
    object-group network REMOTE_SUBNET
     network-object 10.2.255.128 255.255.255.128

    access-list VPN_ACL extended permit ip object-group LOCAL_SUBNET object-group REMOTE_SUBNET

    Thank you

    Your configuration is correct, but I have a few comments. Remember that NAT occurs before delivery to the tunnel: your servers will be translated to 10.2.255.2 and 10.2.255.3 and then sent through the tunnel, so your encryption domain is correct.

    Is this your internet firewall as well? How do your servers get out to the internet? They will be translated to 10.2.255.2 and 10.2.255.3, and that will fail in internet routing. If these servers access the internet through the firewall, I would recommend a configuration like this for each of your servers:

    object network ServerA_NAT
     host 10.2.255.1

    nat (inside,outside) source static ServerA ServerA_NAT destination static REMOTE_SUBNET REMOTE_SUBNET

    This will use destination-based NAT for VPN traffic and NAT everything else to a public IP address for internet traffic. Of course, if this is not your internet firewall, you can disregard this.

  • NAT scenario

    Dear all,

    I'm looking for some help with the IPsec VPN scenario below:

    • Please note that in this application no private IPs are allowed on either side, meaning that the VPN configuration needs both the server and the remote server to use public IPs, and public IPs to establish the tunnel as well. In any case, in the below all I care about is the local server side, not the remote.

    Server (172.16.5.8)---(172.16.5.1)core switch(172.16.55.2)---L2 switch---(172.16.55.1)VPN concentrator(192.168.3.2)---L2 switch---(192.168.3.1)PIX(Public Peer VPN: x.x.x.x)---Internet---(Public Peer VPN: y.y.y.y)remote---(public IP address f.f.f.f)remote server

    (1) the VPN configuration will be on the VPN concentrator, as the PIX is running in context mode, so VPN termination is not permitted.

    (2) since the VPN tunnel is configured on the VPN concentrator using the interface with IP 192.168.3.2, a NAT will be on the PIX to the public IP x.x.x.x (the VPN tunnel is established without any problem)

    (3) apart from the public IP address x.x.x.x which will establish the VPN tunnel, I have another public IP address z.z.z.z that is available on the PIX interface. My question is: can I NAT 172.16.5.8 to the public IP z.z.z.z here? (For IPsec traffic; don't forget the restriction on both sides that traffic must come from a public IP address.)

    Conclusion

    I think it won't work, because when the packet 1) goes through the VPN concentrator it will have source: 172.16.5.8 and destination: f.f.f.f; 2) when the traffic leaves the VPN concentrator for the PIX the packet has source: 192.168.3.2 and destination the remote server's public IP y.y.y.y; 3) when it gets to the PIX, 192.168.3.2 will be NATed to x.x.x.x with destination y.y.y.y. So the PIX will not be able to NAT 172.16.5.8 to z.z.z.z because it will already be encrypted by ESP. Please correct me if I'm right.

    So in case I'm right, what can be done in this case?

    Hello

    I must begin by saying that I have absolutely no experience with NAT configuration on VPN concentrators.

    If the VPN concentrator is able to do the NAT before the VPN negotiation (which I assume it can), then you should be able to use any desired IP address as the NAT IP address of your local server behind the concentrator.

    The remote end must naturally also make sure that the IP address you have chosen as the NAT IP address is what they use as their destination IP in the L2L VPN configuration.

    -Jouni

  • VPN NAT problem

    I was informed by an outside vendor they need me to install a VPN site-to site on our ASA 5510/8, 4.

    I have configured the VPN IPsec site to site, but they have a weird requirement. For some reason, they want me

    NAT the server in question for 172.19.10.1/29, who already like a CARESS to the outside. Then, I would have

    to create a policy NAT who said if 192.168.225.10 needs to access the 172.29.0.0/29 then NAT at 172.29.10.1.

    My only concern is, the only connections on the SAA is the external interface that goes to the WAN, and a

    internal interface that goes to a switch. There is no interface that has 172.29.10.0/29 this partner network.

    I thought you could only NAT to an interface that has an address that is mapped to it.

    The router connected to the ASA will never see that such intellectual property that it is located in the VPN tunnel. Only your IPSec peer sees this and if all goes well, he knows what to do with this address, if he asked that NAT.

    Your NAT should be changed if the remote network is HCAS:

    Static NAT to destination for the FSU HCASNAT static HCAS HCAS source (indoor, outdoor)

    EDIT: This rule should be placed before your General NAT statement, which the ASA addresses the rules high NAT down.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni
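    The two threads above ("ASA 8.4(1) source-nat over site-to-site VPN" and "VPN NAT problem") both turn on the order in which an ASA evaluates its NAT table: an object (auto) NAT static rule matches whatever the destination is, a manual rule in section 1 that is keyed on the VPN destination wins over the general PAT, and the same manual rule declared after-auto is shadowed by the object PAT and never fires. The Python below is an added example, not code from the page or from Cisco: it is a simplified model of that evaluation order (no ports, no proxy ARP, dynamic pools reduced to a single address) run against constructed rule sets that mirror the two threads. The outside interface address 203.0.113.1 and the Internet host 198.51.100.7 are assumed documentation addresses.

```python
"""Simplified model of Cisco ASA 8.3+ NAT rule evaluation (added example).

Order modelled: section 1 manual NAT in config order; section 2 object NAT with
static before dynamic, then fewest real addresses, lowest address, object name;
section 3 manual NAT declared 'after-auto' in config order. First match wins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERFACE = "interface"  # sentinel: PAT to the egress interface address


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                       # 1, 2 or 3 as in the module docstring
    real_src: str                      # real (inside) source host or network
    mapped_src: str                    # mapped source host/network, or INTERFACE
    static: bool = True
    real_dst: str = "0.0.0.0/0"        # only manual NAT matches on destination
    mapped_dst: Optional[str] = None   # None: destination left untranslated


def _net(s: str):
    return ip_network(s, strict=False)


def ordered(rules: List[NatRule]) -> List[NatRule]:
    """Sort a rule list into ASA evaluation order."""
    def key(item):
        idx, r = item
        if r.section == 2:
            n = _net(r.real_src)
            return (2, 0 if r.static else 1, n.num_addresses,
                    int(n.network_address), r.name, 0)
        return (r.section, 0, 0, 0, "", idx)
    return [r for _, r in sorted(enumerate(rules), key=key)]


def _shift(addr, real: str, mapped: str):
    """Static one-to-one translation: keep the host offset inside the network."""
    rn, mn = _net(real), _net(mapped)
    return mn.network_address + (int(addr) - int(rn.network_address))


def translate(rules: List[NatRule], src: str, dst: str,
              egress_ip: str) -> Tuple[str, str, Optional[str]]:
    """Return (mapped_src, mapped_dst, matching_rule_name) for a packet src->dst."""
    s, d = ip_address(src), ip_address(dst)
    for r in ordered(rules):
        if s not in _net(r.real_src) or d not in _net(r.real_dst):
            continue
        if r.mapped_src == INTERFACE:
            new_src = ip_address(egress_ip)
        elif r.static:
            new_src = _shift(s, r.real_src, r.mapped_src)
        else:  # dynamic pool, simplified to the pool's first address
            new_src = _net(r.mapped_src).network_address
        new_dst = d if r.mapped_dst is None else _shift(d, r.real_dst, r.mapped_dst)
        return str(new_src), str(new_dst), r.name
    return str(s), str(d), None  # no rule matched: no translation


# Constructed rule sets mirroring the threads above (assumed addresses).
REMOTE_SUBNET = "10.2.255.128/25"
OUTSIDE_IP = "203.0.113.1"      # assumed outside interface address
INTERNET_HOST = "198.51.100.7"  # assumed Internet destination

# As posted: object NAT only. The static rule matches regardless of destination,
# so Internet-bound traffic also leaves with the private 10.2.255.1 address.
AS_POSTED = [
    NatRule("ServerA", 2, "10.1.0.1/32", "10.2.255.1/32"),
    NatRule("ServerB", 2, "10.1.0.2/32", "10.2.255.2/32"),
    NatRule("inside-net", 2, "10.1.0.0/24", INTERFACE, static=False),
]

# As recommended: section-1 twice NAT keyed on the VPN destination; general PAT
# stays in object NAT and catches everything else.
RECOMMENDED = [
    NatRule("ServerA-to-vpn", 1, "10.1.0.1/32", "10.2.255.1/32",
            real_dst=REMOTE_SUBNET, mapped_dst=REMOTE_SUBNET),
    NatRule("ServerB-to-vpn", 1, "10.1.0.2/32", "10.2.255.2/32",
            real_dst=REMOTE_SUBNET, mapped_dst=REMOTE_SUBNET),
    NatRule("inside-net", 2, "10.1.0.0/24", INTERFACE, static=False),
]

# Same policy rule declared 'after-auto' (section 3): the object PAT shadows it.
MISPLACED = [
    NatRule("inside-net", 2, "10.1.0.0/24", INTERFACE, static=False),
    NatRule("ServerA-to-vpn", 3, "10.1.0.1/32", "10.2.255.1/32",
            real_dst=REMOTE_SUBNET, mapped_dst=REMOTE_SUBNET),
]


def demo() -> dict:
    """Run each rule set against a VPN-bound and an Internet-bound packet from ServerA."""
    out = {}
    for label, rules in (("as-posted", AS_POSTED), ("recommended", RECOMMENDED),
                         ("misplaced", MISPLACED)):
        for dst in ("10.2.255.200", INTERNET_HOST):
            out[(label, dst)] = translate(rules, "10.1.0.1", dst, OUTSIDE_IP)
    return out


if __name__ == "__main__":
    for (label, dst), (ms, md, rule) in demo().items():
        print(f"{label:12} 10.1.0.1 -> {dst:14} leaves as {ms:12} (rule: {rule})")
```

    Running it shows the three outcomes the answers describe: with object NAT alone, ServerA reaches the Internet as 10.2.255.1; with the destination-keyed section-1 rule it is 10.2.255.1 only towards 10.2.255.128/25 and the interface address otherwise; and with the policy rule placed after-auto it is PATed to the interface even towards the VPN peer, which is why the rule has to sit before the general NAT statement.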

  • Ubuntu guest gets a new NAT IP whenever I wake my laptop

    I have 64-bit Ubuntu 12.04 (this has happened with earlier versions too) installed as a guest operating system in VMware Player 5.0 on a Windows 7 64-bit host. The guest has a NAT interface configured. The host is a laptop and I frequently put it to sleep during the journey to and from the office. Whenever I put the laptop to sleep with the guest running, when I wake the laptop from sleep the NAT NIC is assigned a new NAT IP.

    How can I get a consistent address assigned?

    Can I configure the VMware Player DHCP server on the NAT subnet? To make DHCP static?

    Is there a way to know which pool is available to the NAT DHCP server so I could assign a static IP address to the guest without danger of collisions?

    Thank you.

    Why don't you assign a static IP address to this virtual machine?
    Use an IP address in the range x.y.z.3 - x.y.z.127

    or change the lease duration in vmnetdhcp.conf
    max-lease-time 7200
    to a much higher value

  • E2500 used as access point

    I use a Linksys E2500 in a wired LAN as an access point, connecting through one of the LAN ports, not the Internet port. Its IP address is 192.168.1.2. The default gateway (192.168.1.1) is a Paul 6218-I2-xxx wireless ADSL modem router, which is also the active DHCP server. In the E2500 the DHCP server is disabled but NAT is enabled. Everything works fine; wireless clients connect without a problem and get an IP address from the Paul 6218. Clients can browse the network and the internet.

    I can access the web management page from anywhere on the LAN at http://192.168.1.2/ . I have the Paul 6218 set up with NAT Virtual Server and dynamic DNS entries to enable Remote Desktop, as well as access to a web server, from the Internet. I am also able to access the Paul 6218's management web page remotely by specifying port :8080 after the URL. However, I can't access the web page of the Linksys E2500, despite having set up remote management with a password and selected port 8081 to avoid conflicting with the Paul 6218's remote port. The NAT virtual server entry in the Paul 6218 passes external port 8081 to port 8081 on 192.168.1.2. When performing a remote port probe, all forwarded ports respond as "listening" with the exception of port 8081, which responds as "filtered". All unused ports respond as "not listening".

    How can remote management be accomplished when the E2500 is used as an access point? I thought of turning off NAT and using dynamic routing, but I have no experience with that.

    1. Correct. With a LAN-LAN connection the E2500 is not accessible from the outside, nor does it have Internet access itself (for example the clock does not work on the E2500). This is because with this kind of configuration the E2500 itself will look for the default gateway to the internet on the internet port and so would expect a working internet connection on the internet port.

    2. Make sure you have the latest firmware installed. I think the latest firmware should have the ability to configure the internet connection mode as "bridge" mode. In bridge mode, connect via the internet port. In bridge mode you can configure a default gateway on the E2500, and it will have a working internet connection.

  • Unable to reach secondary site over VPN tunnel

    Hello

    I configured a Cisco PIX firewall for my VPN tunnels, and that works fine when I connect to the local network where the PIX is connected.

    When I want to communicate with a server at a secondary location over the VPN tunnel, I get no response.

    The PIX can ping the server, but I can't ping the server via the VPN tunnel.

    PIX IP: 10.1.0.254

    Router IP address: 10.1.10.254

    Secondary router IP address: 10.2.10.254

    Secondary server IP address: 10.2.0.1

    The default gateway on the local network is 10.1.10.254

    This router has a GRE tunnel (tunnel 3) to 10.2.10.254

    On this router, there is a default route to the PIX (for internet).

    Hello...

    Make sure that you route the IP pool configured on the PIX from the secondary router/server. Just try to ping, from the server, the IP address that the VPN client obtained...

    You must also make sure that you add this secondary subnet to the nonat (NAT exemption) access-list... otherwise your IP pool will see the NATed IP of the server...

    In the nonat access-list, allow all traffic from the secondary subnet to the IP pool...

    I hope this helps... all the best...
