PAT/NAT problems

Hello

My client has a PIX 520. Here is the config.

global (outside) 20 214.39.43.41-214.39.43.101
global (dmz) 10 11.254.254.31
global (clients) 20 11.151.4.51-11.151.4.101
nat (inside) 20 161.2.2.177 255.255.255.255 0 0
nat (inside) 20 161.2.2.180 255.255.255.255 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 20 0.0.0.0 0.0.0.0 0 0

The 161.2.2.177 device (a server) is on the inside interface. With the config above, I would expect this device to be NAT'd/PAT'd on the outgoing interfaces as follows:

(inside) 161.2.2.177 NAT'd to 214.39.43.41-214.39.43.101 (outside)
(inside) 161.2.2.177 NAT'd to 11.151.4.51-11.151.4.101 (clients)
(inside) 161.2.2.177 PAT'd to 11.254.254.31 (dmz)

In the xlate table, 161.2.2.177 is NAT'd for the outside and clients interfaces, but the PAT translation does not work!

For the PAT test I used an inside PC to ping a PC in the DMZ, and that PC was PAT'd to 11.254.254.31.

Statically mapping 161.2.2.177 to an address on the DMZ also works. But PAT for this device does not work!

PAT to the DMZ previously worked for this device, and no configuration change has been made on the PIX.

Has anyone encountered this problem before?

Thanks for your help

The 161.2.2.177 address is excluded because you have this:

> nat (inside) 20 161.2.2.177 255.255.255.255 0 0

Any packet from that inside host will always use this nat statement, since it is the most specific, and it carries nat id 20. So you need a matching "global (dmz)" command with nat id 20 as well.
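To make the reply concrete, here is an added example (not code from this thread) that models how a PIX using the classic nat/global model chooses a translation: the most specific nat statement covering the source host on the ingress interface wins, and the packet is only translated if a global with the same nat id exists on the egress interface. The nat/global lines are those posted in the question; the ordinary inside host 161.2.2.5 and the function names are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    interface: str                  # real (ingress) interface named in nat (...)
    nat_id: int                     # links the rule to global statements with the same id
    network: ipaddress.IPv4Network  # hosts this nat statement covers


@dataclass
class GlobalRule:
    interface: str   # mapped (egress) interface named in global (...)
    nat_id: int
    mapped: str      # "first-last" range = dynamic NAT pool, single address = PAT


def parse_nat(line: str) -> NatRule:
    # "nat (inside) 20 161.2.2.177 255.255.255.255 0 0"
    parts = line.split()
    network = ipaddress.IPv4Network((parts[3], parts[4]), strict=False)
    return NatRule(parts[1].strip("()"), int(parts[2]), network)


def parse_global(line: str) -> GlobalRule:
    # "global (outside) 20 214.39.43.41-214.39.43.101"
    parts = line.split()
    return GlobalRule(parts[1].strip("()"), int(parts[2]), parts[3])


def load(config: str) -> Tuple[List[NatRule], List[GlobalRule]]:
    nats, globals_ = [], []
    for line in config.strip().splitlines():
        if line.startswith("nat "):
            nats.append(parse_nat(line))
        elif line.startswith("global "):
            globals_.append(parse_global(line))
    return nats, globals_


def select_nat(nats: List[NatRule], ingress: str, src: str) -> Optional[NatRule]:
    """Pick the nat statement on the ingress interface that covers src;
    the most specific one (longest mask) wins, as the reply above says."""
    host = ipaddress.IPv4Address(src)
    matches = [n for n in nats if n.interface == ingress and host in n.network]
    if not matches:
        return None
    return max(matches, key=lambda n: n.network.prefixlen)


def translate(nats, globals_, ingress: str, egress: str, src: str):
    """Return (result, mapped) for a packet from src entering on ingress and
    leaving on egress. NO_GLOBAL is the situation in the thread: the chosen
    nat id has no global on the egress interface, so the PIX has nothing to
    translate to and drops the packet (logged as "No translation group found")."""
    rule = select_nat(nats, ingress, src)
    if rule is None:
        return ("NO_NAT", None)
    for g in globals_:
        if g.interface == egress and g.nat_id == rule.nat_id:
            return ("NAT" if "-" in g.mapped else "PAT", g.mapped)
    return ("NO_GLOBAL", None)


# nat/global lines from the original question
PIX_CONFIG = """
global (outside) 20 214.39.43.41-214.39.43.101
global (dmz) 10 11.254.254.31
global (clients) 20 11.151.4.51-11.151.4.101
nat (inside) 20 161.2.2.177 255.255.255.255 0 0
nat (inside) 20 161.2.2.180 255.255.255.255 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 20 0.0.0.0 0.0.0.0 0 0
"""

# The fix the reply suggests: a global with nat id 20 on the dmz interface.
FIXED_CONFIG = PIX_CONFIG + "global (dmz) 20 11.254.254.31\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", PIX_CONFIG), ("with fix", FIXED_CONFIG)):
        nats, globals_ = load(cfg)
        for egress in ("outside", "clients", "dmz"):
            print(label, "161.2.2.177 ->", egress,
                  translate(nats, globals_, "inside", egress, "161.2.2.177"))
        # 161.2.2.5 is a constructed ordinary inside host covered only by nat id 10
        print(label, "161.2.2.5 -> dmz",
              translate(nats, globals_, "inside", "dmz", "161.2.2.5"))
```

Running it shows the posted config translating 161.2.2.177 towards outside and clients (both have a global with id 20) but returning NO_GLOBAL towards dmz, while an ordinary inside host matched by nat id 10 is PAT'd to 11.254.254.31; with the extra global (dmz) 20 line the server is PAT'd to the DMZ as well.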

Tags: Cisco Security

Similar Questions

  • Vuze download is very slow... He pointed out that I have a nat problem

    nat problem?

    Vuze download is very slow... It pointed out that I have a NAT problem... Help please?

    Hello

    · What browser do you use to access the internet?

    · What is the full error message that you receive?

    · Is it only when you download on Vuze?

    I suggest that you temporarily disable the antivirus software and firewall installed on your computer and check to see if it helps:

    Disable the anti-virus software

    http://Windows.Microsoft.com/en-us/Windows-Vista/disable-antivirus-software

    Enable or disable Windows Firewall
     http://Windows.Microsoft.com/en-us/Windows-Vista/turn-Windows-Firewall-on-or-off

    Note: disabling anti-virus or Windows Firewall can make your computer (and your network, if you have one) more vulnerable to damage caused by worms or hackers.

    You can also post your query on Vuze forum to get help:

    http://Forum.Vuze.com/index.jspa

  • NAT problem

    Hi Experts,

    One of my offices has a Cisco ASA 5510 with IOS 8.4(5). Everything is configured and works very well except the static NAT. I have a public IP block, which I used to set up the static NAT. The internal server that is configured with the static NAT does not receive internet or anything. When I remove the static NAT, the internet works (with the WAN interface IP). The server is placed in the DMZ. I left the server as it is but it does not work.

    Kind regards

    MARTIN

    Hello

    In your case the static NAT configuration format for the server would be

    object network
     host
     nat (dmz,outside) static dns

    This would bind the local IP address to the public IP configured in the "nat" command. This means that outgoing connections would also use this public IP address. If you already had a similar static PAT configuration then you wouldn't really need that UNLESS you change the mapped/local port in the "nat" command.

    But setting up the static NAT would already mean that it overrides the dynamic PAT for outbound connections from this server. Naturally, there is a small chance, depending on your complete current NAT configuration, that even this static NAT can be overridden, but I doubt it. If the above "packet-tracer" is for the DMZ server in question then there should be no problem.

    -Jouni

  • LAN to LAN PAT/NAT 3020 hub

    I have a client who wants to create an L2L tunnel, but said that they will only allow us to use up to three IP addresses. I have never had any other customer ask me to do it this way and I'm a little confused as to how I should make it work. I'm guessing that some form of NAT/PAT should solve the problem for me. Could someone please point me in the right direction.

    Thank you!

    Yes, you can use NAT for this approach. Maybe they're "too cautious" with their security.

    Regards

    Farrukh

  • ASA 8.3 - SSL VPN - NAT problem

    Need help to find out how to configure an AnyConnect VPN with VPN clients using NAT to the internal network.

    There are many items on the site about how to disable NAT for the VPN pool.

    I need to create the VPN gateway to a complex international network; the vpnpool is out of the range of the regular subnets of that network, so it's going to be a question of routing without NAT.

    So I need the connected VPN clients to be PATed to . The problem is that there is also a dynamic PAT rule for the ordinary Internet access, which translates into an "asymmetric NAT rules..." error.

    Creating the two different NAT rules twice and moving them up/down makes no difference. There are also some hidden rules of the VPN setup :-( that cannot be seen.

    V8.3 seems to be destroying trust in Cisco firewalls...

    Thank you.

    Stan,

    Something like this works for me.

    192.168.0.0/24---router--172.16.0.0/24 ASA-=cloud=host (the tunnel gets an IP address from the 'ON' pool, which is also connected to the inside)

    BSNs-ASA5520-10(config)# clear xlate
    INFO: 762 xlates deleted
    BSNs-ASA5520-10(config)# sh run nat
    nat (inside,outside) source static any any destination static SHARED SHARED
    !
    nat (inside,outside) after-auto source dynamic any interface
    BSNs-ASA5520-10(config)# sh run object network
    object network LOCAL_NETWORK
     subnet 192.168.0.0 255.255.255.0
    object network SHARED
     subnet 172.16.0.0 255.255.255.0
    BSNs-ASA5520-10(config)# sh run ip local pool
    ip local pool ALL 10.0.0.100-10.0.0.200
    ip local pool ON 172.16.0.100-172.16.0.155
    BSNs-ASA5520-10(config)# sh run tunne
    BSNs-ASA5520-10(config)# sh run tunnel-group
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool ON

    If I get your drift... bypassing inside and outside is not really necessary on Cisco equipment, as it should work straight out of the box via proxy ARP, but I'm not facing the solution providers for remote access.

    Marcin

  • PAT/NAT and VPN through a PIX

    "PPTP through the PIX with Port address translation (PAT) does not work because there is no concept of ports in GRE"-this is an excerpt from a config PIX version 6.2 and below.

    1. How was this problem fixed in 6.3? Is GRE encapsulated in UDP or TCP so that ports can be used to track the connection?

    2. Does "fixup protocol esp-ike" use the same technique - the source port created by the IKE protocol? ISAKMP cannot be enabled when you use this command.

    3. What is "isakmp nat-traversal"? How is this different from "fixup protocol esp-ike"?

    Thank you

    RJ

    1. When the PIX sees outgoing PPTP (TCP port 1723) packets it now opens holes for them to return, as well as opening a hole for the GRE packets; it never did this before. The PPTP TCP packets can be PAT'd fine because they are TCP packets. GRE packets, I believe, are tracked only by the tunnel id field in the packet.

    2. We use the source port of the ISAKMP packet for the ESP packets as well. The current limitation is that if you have this option, you cannot use the PIX to terminate IPSec sessions, so you cannot turn on ISAKMP on any interface. You can also have only a single internal IPSec client using this feature.

    3. NAT-T is a new standard for IPSec peers to work through a NAT device: they detect the address change during the tunnel negotiation and automatically encapsulate packets in UDP 4500. This allows the PIX and the other device (if it supports it) to automatically detect a NAT/PAT device between them. This differs from the "esp-ike fixup" in that with esp-ike the PIX does not actually terminate the IPSec tunnel, whereas with nat-t it is the endpoint.

  • ASA IPSEC site-to-site with NAT problem

    Hello

    I have what I thought was a simple configuration, but I'm seeing issues and could use a second set of eyes.

    I have a site-to-site between two locations:

    Site A is 192.168.0.0/24

    Site B is 192.168.4.0/24

    I was asked to NAT all communications between these sites to 10.57.4.0/24, with a single static NAT for the host 192.168.0.112 at 10.57.4.50.

    The tunnel is up, and I can ping through the link to the 192.168.4.20 host at the far end; no problems. But I'm having a problem with the application establishing communications. I suspect it's the reverse NAT, but I have gone through the configuration several times. All connections to the 10.57.4.50 address should be handed to 192.168.0.112, no restrictions. All connections to 192.168.4.20 should be NAT'd to 10.57.4.50 to traverse the tunnel.

    The system of site B can also ping 10.57.4.50.

    Here's the running configuration:

    ASA Version 8.3(2)
    !
    hostname fw1
    domain-name
    enable password encrypted
    passwd encrypted
    names
    !
    interface Vlan1
     description Town Internal Network
     nameif inside
     security-level 100
     ip address 192.168.9.1 255.255.255.0
    !
    interface Vlan2
     description Public Internet
     nameif outside
     security-level 0
     ip address 173.166.117.186 255.255.255.248
    !
    interface Vlan3
     description DMZ (CaTV)
     nameif dmz
     security-level 50
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan5
     description PD Network
     nameif PDNet
     security-level 95
     ip address 192.168.0.1 255.255.255.0
    !
    interface Vlan10
     description Infrastructure Network
     nameif InfraNet
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    !
    interface Vlan13
     description Wireless Guest
     nameif Wireless-Guest
     security-level 25
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan23
     nameif StateNet
     security-level 75
     ip address 10.63.198.2 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     switchport trunk allowed vlan 1,5,10,13
     switchport trunk native vlan 1
     switchport mode trunk
     speed 100
     duplex full
    !
    interface Ethernet0/2
     switchport access vlan 3
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
     switchport trunk allowed vlan 1,10,13
     switchport trunk native vlan 1
     switchport mode trunk
    !
    interface Ethernet0/5
     switchport access vlan 23
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     switchport trunk allowed vlan 1
     switchport trunk native vlan 1
     switchport mode trunk
     shutdown
    !
    banner exec Restricted Access
    banner login Restricted Access
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
     domain-name
    same-security-traffic permit inter-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object service IMAPoverSSL
     service tcp destination eq 993
     description IMAP over SSL
    object service POPoverSSL
     service tcp destination eq 995
     description POP3 over SSL
    object service SMTPwTLS
     service tcp destination eq 465
     description SMTP with TLS
    object network obj-192.168.9.20
     host 192.168.9.20
    object network obj-claggett-https
     host 192.168.9.20
    object network obj-claggett-imap4
     host 192.168.9.20
    object network obj-claggett-pop3
     host 192.168.9.20
    object network obj-claggett-smtp
     host 192.168.9.20
    object network obj-claggett-imapoverssl
     host 192.168.9.20
    object network obj-claggett-popoverssl
     host 192.168.9.20
    object network obj-claggett-smtpwTLS
     host 192.168.9.20
    object network obj-192.168.9.120
     host 192.168.9.120
    object network obj-192.168.9.119
     host 192.168.9.119
    object network obj-192.168.9.121
     host 192.168.9.121
    object network obj-wirelessnet
     subnet 192.168.1.0 255.255.255.0
    object network Clients_sans_fil
     subnet 192.168.1.0 255.255.255.0
    object network obj-dmznetwork
     subnet 192.168.2.0 255.255.255.0
    object network FD_Firewall
     host 74.94.142.229
    object network FD_Net
     subnet 192.168.6.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
     subnet 192.168.10.0 255.255.255.0
    object network obj-TownHallNet
     subnet 192.168.9.0 255.255.255.0
    object network obj_InfraNet
     subnet 192.168.10.0 255.255.255.0
    object network NETWORK_OBJ_192.168.0.0_24
     subnet 192.168.0.0 255.255.255.0
    object network NHDOS_Firewall
     host 72.95.124.69
    object network NHDOS_SpotsHub
     host 192.168.4.20
    object network IMCMOBILE
     host 192.168.0.112
    object network NHDOS_Net
     subnet 192.168.4.0 255.255.255.0
    object network NHSPOTS_Net
     subnet 10.57.4.0 255.255.255.0
    object network IMCMobile_NAT_IP
     host 10.57.4.50
    object-group service EmailServices
     description Exchange E-mail Services / Normal
     service-object object IMAPoverSSL
     service-object object POPoverSSL
     service-object object SMTPwTLS
     service-object tcp destination eq https
     service-object tcp destination eq imap4
     service-object tcp destination eq pop3
     service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_1
     service-object object IMAPoverSSL
     service-object object POPoverSSL
     service-object object SMTPwTLS
     service-object tcp destination eq pop3
     service-object tcp destination eq https
     service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_2
     service-object object IMAPoverSSL
     service-object object POPoverSSL
     service-object object SMTPwTLS
     service-object tcp destination eq https
     service-object tcp destination eq pop3
     service-object tcp destination eq smtp
    object-group network obj_clerkpc
     description Clerk PCs
     network-object object obj-192.168.9.119
     network-object object obj-192.168.9.120
     network-object object obj-192.168.9.121
    object-group network TownHall_Nets
     network-object 192.168.10.0 255.255.255.0
     network-object object obj-TownHallNet
    object-group network DM_INLINE_NETWORK_1
     network-object 192.168.10.0 255.255.255.0
     network-object 192.168.9.0 255.255.255.0
    object-group network DOS_Networks
     network-object 10.56.0.0 255.255.0.0
     network-object object NHDOS_Net
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
    access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
    access-list PDNet_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list PDNet_access_in extended permit ip object IMCMobile_NAT_IP object-group DOS_Networks log debugging
    access-list PDNet_access_in extended permit ip object IMCMOBILE object-group DOS_Networks
    access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
    access-list outside_1_cryptomap extended permit ip object NHSPOTS_Net object-group DOS_Networks
    pager lines 24
    logging enable
    logging list Test1 level debugging class vpn
    logging asdm debugging
    logging mail errors
    logging from-address
    logging recipient-address level errors
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu Wireless-Guest 1500
    mtu StateNet 1500
    mtu InfraNet 1500
    mtu PDNet 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-635.bin
    no asdm history enable
    arp timeout 14400
    nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    nat (any,outside) source static IMCMOBILE IMCMobile_NAT_IP destination static DOS_Networks DOS_Networks
    !
    object network obj_any
     nat (inside,outside) static interface
    object network obj-claggett-https
     nat (inside,outside) static interface service tcp https https
    object network obj-claggett-imap4
     nat (inside,outside) static interface service tcp imap4 imap4
    object network obj-claggett-pop3
     nat (inside,outside) static interface service tcp pop3 pop3
    object network obj-claggett-smtp
     nat (inside,outside) static interface service tcp smtp smtp
    object network obj-claggett-imapoverssl
     nat (inside,outside) static interface service tcp 993 993
    object network obj-claggett-popoverssl
     nat (inside,outside) static interface service tcp 995 995
    object network obj-claggett-smtpwTLS
     nat (inside,outside) static interface service tcp 465 465
    object network obj-192.168.9.120
     nat (inside,StateNet) static 10.63.198.12
    object network obj-192.168.9.119
     nat (any,StateNet) static 10.63.198.10
    object network obj-192.168.9.121
     nat (any,StateNet) static 10.63.198.11
    object network obj-wirelessnet
     nat (Wireless-Guest,outside) static interface
    object network obj-dmznetwork
     nat (any,outside) static interface
    object network obj_InfraNet
     nat (InfraNet,outside) static interface
    access-group outside_access_in in interface outside
    access-group StateNet_access_in in interface StateNet
    access-group PDNet_access_in in interface PDNet
    route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
    route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable 5443
    http 192.x.x.x 255.255.255.0 inside
    http 7.x.x.x 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 72.x.x.x
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 173.x.x.x
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet 192.168.9.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd lease 10800
    dhcpd auto_config outside
    !
    dhcpd address 192.168.2.100-192.168.2.254 dmz
    dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
    dhcpd enable dmz
    !
    dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
    dhcpd enable Wireless-Guest
    !
    threat-detection basic-threat
    threat-detection statistics host number-of-rate 2
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 63.240.161.99 source outside prefer
    ntp server 207.171.30.106 source outside prefer
    ntp server 70.86.250.6 source outside prefer
    webvpn
    group-policy DfltGrpPolicy attributes
    group-policy FDIPSECTunnel internal
    group-policy FDIPSECTunnel attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec l2tp-ipsec
    username support password encrypted privilege 15
    tunnel-group 72.x.x.x type ipsec-l2l
    tunnel-group 72.x.x.x ipsec-attributes
     pre-shared-key *
    tunnel-group 173.x.x.x type ipsec-l2l
    tunnel-group 173.x.x.x general-attributes
     default-group-policy FDIPSECTunnel
    tunnel-group 173.x.x.x ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 1024
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    !
    service-policy global_policy global
    smtp-server 192.168.9.20
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76
    : end

    If you do not have access to the remote site, get them involved and compare each other's configurations. You will need to make sure that they see 192.168.0.112 as 10.57.4.50, and that their server responds to that and NOT to 192.168.0.112.

  • Open with a Xbox NAT problems.

    When I got my 1900ac I used Media Prioritization to get an open NAT for Call of Duty Advanced Warfare on my Xbox One, prioritizing the Xbox. It worked fine for about 6 months until I changed my cable/internet operator to Nextech in KS. This company uses the 1900ac to connect its system to all its customers (since I already had one they use mine). Unfortunately, I am unable to get an open NAT in this game. I tried almost everything: NAT forwarding, triggering, media prioritization. NexTech support and Xbox Live support: useless. I tried Portforward.com, nothing. Forwarding port 53 breaks the connection to the network, and changing the static IP address for the Xbox has not helped. Almost everything I looked at seems obsolete and I am at my wits' end. It would seem that by now Linksys should have solutions available; any ideas?

    Chin_pamz13, thank you very much for your answer. I tried to check if my modem had a public or private IP address, but I don't know how to do this; I read about double NAT elsewhere. Nevertheless, I think I finally found a solution that seems to work so far. I went to the website "tech-recipes.com" and found an article, 'Xbox One open NAT' by Aaron St. Clair. I tried his first suggestion regarding port forwarding, with additional ports I hadn't seen before. That did not work for me, so I followed his instructions to put the Xbox in the DMZ and it works! I think that my problems from before were the result of badly configuring the static IP address for my router and Xbox. The previous instructions had me change the IP in the console and in the router. Aaron says not to do it in the Xbox; let the router do the work it's supposed to do and make sure the console settings are on automatic. In the router DMZ page I wasn't sure how to proceed, but at the bottom is a section called DHCP reservation list; I clicked on this, saw XboxOne, clicked on that and it filled in the MAC address at the top for me. Then I went to the Xbox network settings, advanced, and clicked "automatic" for the IP address, subnet and DNS. I checked the multiplayer connections, did the "hold bumper and trigger buttons" routine and finally got an open NAT; pulled up CoD Advanced Warfare and also got open NAT there. I could have screwed up when I did the port triggering, but given that the DMZ seems to work I'll leave things alone. Hope this helps anyone else having open NAT problems.

  • E1000 2.1 and the xbox live NAT problem (I read all the others)

    So like everyone, I'm having trouble with Xbox Live and NAT, but I feel my DNS situation is unique, so my solution is perhaps unique as well. Help, please

    Modem-> Router (e1000)-> port 1 (wired): xbox, wireless: mac computer

    Configuration: Auto DHCP

    MTU: tried 1365 and 1452, currently on 1452

    UPnP: off

    NAT: on

    Port Range Forwarding - (tried the Cisco and Xbox recommendations, tried individual ports versus this range, currently at)

    (looked into port triggering, but as I have 2 devices, if I open a range of ports I want it to match the Xbox)

    Application: xbox

    Start port: 53

    End port: 3074

    Protocol: the two

    IP address: 192.168.1.20

    Xbox is set to:

    IP: 192.168.1.20

    Subnet mask: 255.255.255.0

    Gateway: 192.168.1.1

    DNS: automatic

    reading only 1 dns (see notes)

    Notes:

    The router DHCP range is 100-149, so DHCP should not be a problem (I guess) if the Xbox IP is put out of that range ([192.168.1.20] being 20)

    In the status tab of the router, it gives me only one DNS. When I look at the modem online, it gives 2 different DNS servers.

    Each time I get everything working one step at a time, the computer always connects, Xbox Live still connects, but it still has the NAT problem.

    I don't think it's a double NAT issue, because when I look at the stats of my modem there is nowhere to configure ports (the modem seems to have only 1 Ethernet port)

    Also, I noticed that the MTU of my modem is 1500 (I changed the MTU on the router, but not the MTU of my modem [it only allows me to change the MTU of my modem])

    Help, please. I've been dealing with this and trying different combinations of ports and options for 4-5 hours now. I'm starting to crack :S :).

    Well, I found my own solution.  I looked at all options as what could be easier for the components to deal with.  Here's what worked:

    Computer:

    Configuration: Auto DHCP

    MTU: 1452

    UPnP: on

    NAT: on

    DMZ:

    Source: 192.168.1.100 to 100

    Destination: 192.168.1.1

    Xbox:

    I could leave it on auto DHCP because of the MAC address reservation, but it looks like this:

    IP:192.168.1.100

    Subnet mask: 255.255.255.0

    Gateway: 192.168.1.1

    DNS: automatic

    Combined with a DHCP reservation [via the MAC address (for the safety of the DMZ)] all of it worked. With a DMZ, I didn't have to worry about which ports were correct. It was just messy because I had 2 devices connecting and could not choose a single static IP address. So, the example IP ending in (20) was not in the router's default range of 50 numbers. Pay attention to your range of IP addresses in the router settings.

    * Make sure that your DMZ is on only a single IP address or a partition of IP addresses, and that you have DHCP reservations for those IP addresses. * You can find the MAC address for the Xbox by going to Network > Configure network > Additional settings > Advanced settings; do not choose an 'alternate address', you should see it below. *

  • NAT problem? Large amount of NAT translations.

    I have a client with a particular site who complains constantly of performance.

    They have an 871 at the remote location with 4 IPsec tunnels, built over WAN connections to their hosting provider for the database and software.

    There are about 50 people who work at this location, but I see 3410 current connections with a peak of 14703. I don't see how that's possible with only 50 people and I am starting to lean towards the NAT config as the cause of the poor performance that users encounter.

    Auffen_Washington#show ip nat statistics
    Total active translations: 3410 (0 static, 3410 dynamic; 3410 extended)
    Peak translations: 14703, occurred 2d05h ago
    Outside interfaces:
      FastEthernet4, Tunnel401, Tunnel0, Tunnel11, Vlan3, Tunnel101, Tunnel201
      Tunnel301
    Inside interfaces:
      Vlan1, Vlan2
    Hits: 574573468  Misses: 0
    CEF Translated packets: 566630850, CEF Punted packets: 45186206
    Expired translations: 10381404
    Dynamic mappings:
    -- Inside Source
    [Id: 1] access-list NAT_Wireless_DMS interface Loopback1 refcount 0
    [Id: 2] route-map NAT_Failover interface Vlan3 refcount 0
    [Id: 3] route-map NAT_Primary interface FastEthernet4 refcount 3410
    Appl doors: 0
    Normal doors: 0
    Queued Packets: 0

    Any help would be greatly appreciated.

    Thank you

    Russell Stamey

    NAT translations, by default, remain active for a very long time. If I remember correctly, it is 24 hours, but I would have to look it up to be sure. They don't take a lot of memory, so this isn't normally a problem, but if you encounter conditions that you think may be due to this, it is quite easy to limit the timeout.

     ip nat translation timeout 1800

    This will set the timeout for new connections to half an hour. Existing connections will keep their original timeouts, so you might want to wait for a slow period to make the change and then issue a "clear ip nat translation *" right away to clear the existing translations.

  • NAT problems

    I've implemented a Cisco ASA 5505 partially. We have access to the internet and can come out without any problem. We have a web server that is on a 2nd IP that I need NAT inside. I did previously on a pix, but for the life of me I can't make it work.

    I do not use a DMZ for that. I don't have time to re - ip to the web server on a different subnet. I just need to get this working so that the site works.

    Hi David,

    Here's how to

    static (inside,outside) publicIP webserverip netmask 255.255.255.255

    access-list outside_access_in permit tcp any host publicIP eq www

    access-group outside_access_in in interface outside

    "We have a web server that is on a 2nd IP that I need NAT inside."

    If what you mean is "your web server is on the inside interface, but not in the same subnet as the inside interface IP", then what you have to do is create sub-interfaces. Then put the name of the sub-interface in the static above instead of "inside", and set the gateway on the web server to the sub-interface IP.

    Regards

  • asymmetric NAT problems

    Hello

    I have problems getting into other networks off the interfaces of the ASA.  I can VPN in and access anything on the inside interface and beyond into the core.  When I try to access a DMZ server off the ASA I get asymmetric NAT errors.  The VPN client gets an address from 10.112.15.x.

    Can anyone help?

    I enclose some of the config.

    show ip address:

    GigabitEthernet0/0 outside x.x.x.x 255.255.255.0 CONFIG
    GigabitEthernet0/1 inside 10.112.2.250 255.255.255.0 CONFIG
    GigabitEthernet0/2.610 DMZ_External 10.112.7.254 255.255.255.0 CONFIG
    GigabitEthernet0/2.620 DMZ_Internal 10.112.6.254 255.255.255.0 CONFIG
    GigabitEthernet0/2.640 DMZ_Mgmt 10.112.10.254 255.255.255.0 CONFIG

    Configuration items:

    access-list sheep extended permit ip 10.112.0.0 255.240.0.0 10.112.7.0 255.255.255.0
    access-list sheep extended permit ip 10.112.0.0 255.240.0.0 10.112.10.0 255.255.255.0
    access-list sheep extended permit ip 10.112.0.0 255.240.0.0 10.112.6.0 255.255.255.0
    access-list sheep extended permit ip 10.112.0.0 255.240.0.0 10.112.15.0 255.255.255.0

    nat-control
    global (outside) 1 interface

    nat (inside) 0 access-list sheep
    nat (inside) 1 10.112.0.0 255.240.0.0

    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 10.112.0.0 255.240.0.0 10.112.2.254 1

    Any guidance on what I'm doing wrong?

    Thank you.

    Hello

    The reason is that you don't have a nat 0 (sheep) rule for traffic from the DMZ.

    access-list dmz_nonat permit ip 10.112.6.0 255.255.255.0 10.112.15.0 255.255.255.0

    nat (dmz) 0 access-list dmz_nonat

    This should solve your problem.

    Kind regards

    NT
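To make the PIX-era nat/global selection behind the asymmetric NAT error concrete, here is an added Python model (not from the thread or from Cisco). It encodes the poster's rules and checks the return direction, DMZ host to VPN client: with nat-control on and no nat statement on the DMZ interface the flow is dropped, and NT's nat 0 exemption (ACL contents assumed, on the DMZ_Internal interface) turns it into identity NAT.

```python
from ipaddress import ip_address, ip_network

# Constructed rule table mirroring the poster's config (added example, not
# from the thread): (interface, nat id, real source net, nat-0 exempt dests).
NAT_RULES = [
    ("inside", 0, "10.112.0.0/12", ["10.112.7.0/24", "10.112.10.0/24",
                                    "10.112.6.0/24", "10.112.15.0/24"]),  # sheep
    ("inside", 1, "10.112.0.0/12", None),                                # nat 1
]
GLOBALS = {("outside", 1): "interface"}  # global (outside) 1 interface
# NT's fix, modelled on the DMZ_Internal interface (hypothetical ACL contents).
DMZ_FIX = ("DMZ_Internal", 0, "10.112.6.0/24", ["10.112.15.0/24"])


def classify(src_ifc, src, dst_ifc, dst, nat_rules=NAT_RULES,
             globals_=GLOBALS, nat_control=True):
    """Decide how the PIX NAT engine handles a src_ifc -> dst_ifc packet."""
    src, dst = ip_address(src), ip_address(dst)
    candidates = [r for r in nat_rules
                  if r[0] == src_ifc and src in ip_network(r[2])]
    # 1. nat 0 access-list (identity / exemption) is consulted first.
    for _, nat_id, _, exempt in candidates:
        if nat_id == 0 and any(dst in ip_network(n) for n in exempt or []):
            return "exempt"
    # 2. Among dynamic statements the most specific (longest prefix) wins.
    dynamic = [r for r in candidates if r[1] != 0]
    if not dynamic:
        # With nat-control every flow to a lower-security interface needs a rule.
        return "drop: no nat statement" if nat_control else "untranslated"
    _, nat_id, _, _ = max(dynamic, key=lambda r: ip_network(r[2]).prefixlen)
    # 3. The egress interface must have a global with the same id.
    pool = globals_.get((dst_ifc, nat_id))
    if pool is None:
        return f"drop: no global ({dst_ifc}) {nat_id}"
    return f"translate via global ({dst_ifc}) {nat_id} {pool}"


if __name__ == "__main__":
    print(classify("inside", "10.112.2.10", "outside", "198.51.100.7"))
    print(classify("inside", "10.112.2.10", "outside", "10.112.15.5"))
    print(classify("DMZ_Internal", "10.112.6.10", "outside", "10.112.15.5"))
    print(classify("DMZ_Internal", "10.112.6.10", "outside", "10.112.15.5",
                   nat_rules=NAT_RULES + [DMZ_FIX]))
```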

  • Tunnel + static NAT problem

    Hello:

    I configured a PIX 501 to establish a site-to-site tunnel with a 1710 at the central site and it works fine, except for a small problem. The central site hosts a Domino server that must have a static NAT entry to allow servers on the internet to deliver mail to it. The problem is that even though I created a route map to avoid NAT on the site-to-site traffic, the static entry seems to take priority over the route map and the mail server is always NATed. So the SOHO cannot access it. What can I do to fix this?

    I need to use an entry like this:

    IP nat inside source static tcp 172.16.34.22 1352 200.212.0.66 1352

    Any help?

    Thank you

    You must do the following:

    (1) Create a loopback interface with an IP subnet that you don't use anywhere in your network. Let's say 10.10.10.0/30:

    interface loopback 0

    ip address 10.10.10.1 255.255.255.252

    (2) Create a route map to match traffic from the 172.16.34.22 server destined to the other side of the tunnel:

    access-list 101 permit ip host 172.16.34.22 192.168.0.0 0.0.0.255

    route-map static permit 10

    match ip address 101

    set ip next-hop 10.10.10.2 (some address on the loopback subnet)

    (3) Apply the route map on the inside interface of the router where you have the server:

    interface e0/0

    ip policy route-map static

    That's all

    Hope that helps

    Jean Marc

  • IPsec client for s2s NAT problem

    Hello

    We have a remote site (Paris) with a 5512 with some s2s tunnels and RA VPN (AnyConnect and IPsec client).  AnyConnect has no problem, but the IPsec client cannot pass traffic to the LAN.  The subnet behind the fw is 10.176.0.0/16 and the RA client pool is 10.172.28.0/24.  However, we have a s2s tunnel that NATs 10.0.0.0/8 and it appears that traffic bound for the IPsec RA VPN clients matches this rule, which prevents connectivity to local resources via the IPsec VPN client.

    ......

    hits=485017, user_data=0x7fffa5d1aa10, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

    src ip/id=10.176.0.0, mask=255.255.0.0, port=0

    dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, dscp=0x0

    input_ifc=inside, output_ifc=outside

    ...

    Manual NAT Policies (Section 1)

    1 (outside) to (inside) source static Paris_Network Paris_Network destination static Remote2_LAN_Networks Remote2_LAN_Networks no-proxy-arp route-lookup

    translate_hits = 58987, untranslate_hits = 807600

    2 (inside) to (outside) source static Paris_Network Paris_Network destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 route-lookup

    translate_hits = 465384, untranslate_hits = 405850

    3 (inside) to (outside) source static Paris_Network Paris_Network destination static Remote1_Networks Remote1_Networks route-lookup

    translate_hits = 3102307, untranslate_hits = 3380754

    4 (outside) to (inside) source static Paris_RA_VPN Paris_RA_VPN destination static Paris_Network Paris_Network route-lookup

    translate_hits = 0, untranslate_hits = 3

    This method works on other sites with almost identical configuration, but for some reason it doesn't work here.  I can't specify different subnets for the s2s tunnel because there are too many of them.  Can someone help me and tell me why I can't get this to work?

    Hello

    So you're saying that AnyConnect is working but not IPsec? What is the AnyConnect VPN pool? Is it outside the 10.0.0.0/8 network?

    You should be able to override the L2L VPN NAT configuration by simply configuring a separate NAT for the local network to VPN pool traffic at the top of your NAT configuration.

    For example

    object network PARIS-LAN

    subnet 10.176.0.0 255.255.0.0

    object network PARIS-VPN-POOL

    subnet 10.172.28.0 255.255.255.0

    nat (inside,outside) 1 source static PARIS-LAN PARIS-LAN destination static PARIS-VPN-POOL PARIS-VPN-POOL

    This should ensure that the first rule on the ASA is the NAT rule that matches the LAN-to-VPN-client traffic. Other traffic in the L2L VPN should still hit the original NAT rule for the L2L VPN.

    If this does not work then we must look closer, the configuration.

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni
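The ordering point in Jouni's answer, as an added Python model (not from the thread or from Cisco): manual NAT in Section 1 is first-match top-down, so a rule placed at the bottom never sees LAN-to-pool traffic once the 10.0.0.0/8 L2L rule is above it. The Remote1/Remote2 members are made-up placeholders, and rule 4 stands for Jouni's LAN-to-pool identity rule, appended last versus inserted at position 1.

```python
from ipaddress import ip_address, ip_network

# Constructed Section 1 (manual NAT) table in the thread's order as
# (rule name, real source, real destination). Remote1/Remote2 members are
# made-up placeholders; the last rule stands for Jouni's LAN-to-pool rule.
RULES = [
    ("Remote2_LAN_Networks", "10.176.0.0/16", "192.168.50.0/24"),
    ("DM_INLINE_NETWORK_2", "10.176.0.0/16", "10.0.0.0/8"),
    ("Remote1_Networks", "10.176.0.0/16", "192.168.60.0/24"),
    ("PARIS-VPN-POOL", "10.176.0.0/16", "10.172.28.0/24"),
]
FIXED = [RULES[3]] + RULES[:3]  # the same rule moved to position 1


def first_match(rules, src, dst):
    """Manual NAT is first-match top-down: return (position, rule name) or None."""
    src, dst = ip_address(src), ip_address(dst)
    for pos, (name, real_src, real_dst) in enumerate(rules, start=1):
        if src in ip_network(real_src) and dst in ip_network(real_dst):
            return pos, name
    return None


def translate_hits(rules, flows):
    """Count which rule each (src, dst) flow lands on, like translate_hits."""
    hits = {name: 0 for name, _, _ in rules}
    for src, dst in flows:
        match = first_match(rules, src, dst)
        if match:
            hits[match[1]] += 1
    return hits


# Constructed sample flows from the Paris LAN.
FLOWS = [("10.176.1.10", "10.172.28.5"),   # LAN -> IPsec RA client
         ("10.176.1.10", "10.20.0.5"),      # LAN -> L2L peer inside 10/8
         ("10.176.1.10", "192.168.50.9")]   # LAN -> Remote2

if __name__ == "__main__":
    print(translate_hits(RULES, FLOWS))   # PARIS-VPN-POOL never hit
    print(translate_hits(FIXED, FLOWS))   # pool rule hit, L2L rule still used
```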

  • Static NAT problem with PIX501

    Hi all

    We have problems with our PIX firewall. We have configured PIX 501 with static NAT for our Web server. Here's the running configuration.

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit tcp any host x.x.x.26 eq www
    access-list 101 permit tcp any host x.x.x.26 eq domain
    access-list 101 permit udp any host x.x.x.26 eq domain
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.x.28 255.255.255.248
    ip address inside 192.168.90.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.90.0 255.255.255.0 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) x.x.x.26 192.168.90.3 netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.25 1
    route inside 192.168.1.0 255.255.255.0 192.168.90.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.90.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    : end

    The problem with this configuration is that we are unable to access the web server from either inside or outside the network.

    All input will be greatly appreciated.

    Kind regards

    udimpas

    Enable "debug icmp trace" and then ping x.x.x.26 from the internet. The output should be as below:

    3363574: ICMP echo-request from outside: ID=21834 seq=1202 length=80

    3363575: ICMP echo-request: untranslating outside: to inside:192.168.90.3

    3363576: ICMP echo-reply from inside:192.168.90.3 ID=21834 seq=1202 length=80

    3363577: ICMP echo-reply: translating inside:192.168.90.3 to outside:

    By doing this you can 1. check the NAT, and 2. check whether the server responds to the internet.

    Do not forget to allow incoming ICMP:

    access-list 101 permit icmp any any
