PortForward with PAT

I have a PIX 501 at a branch office, and I need to port-forward www, ftp, and rdp to 3 different hosts.

The outside interface is DHCP.

The inside interface is 10.50.1.3.

The network is 10.50.1.0/24.

Here is what I thought would work, but it's not port-forwarding. Can someone tell me where I went wrong?

Thank you!

10.50.1.10 is a host on the inside.

63.200.204.45 is an outside address on which I want to allow 3389.

access-list outside_in permit tcp any host 10.50.1.10 eq 80
access-list outside_in permit tcp any host 10.50.1.10 eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp 63.200.204.45 80 10.50.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 443 netmask 255.255.255.255

OK, let's say you want to use the outside interface of your PIX. Then you'd...

access-list outside_in permit tcp any interface outside eq 80
access-list outside_in permit tcp any interface outside eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp interface 80 10.50.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.50.1.11 3389 netmask 255.255.255.255

Then you would rdp or www to whatever the outside interface address of the PIX is.

If you have another address to use, let's say 1.1.1.1, then it would look like this...

access-list outside_in permit tcp any host 1.1.1.1 eq 80
access-list outside_in permit tcp any host 1.1.1.1 eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp 1.1.1.1 80 10.50.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 3389 10.50.1.11 3389 netmask 255.255.255.255
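To see why the posted configuration fails and the answer's works, here is a small Python model of how a PIX 6.x (and an ASA before 8.3) handles an inbound connection to a static PAT: the ACL on the outside interface is matched against the global address as it appears on the wire, and only afterwards is the static consulted for the inside host and port. The ACLs in the question name the inside address 10.50.1.10, which the outside ACL never sees; the answer's ACLs name the outside address. The model also shows that, with the ACL fixed, the posted statics would still send port 80 to 443 on the inside host. This is an added example and not code from either post; the config strings are copied from the thread above, and the outside DHCP lease 198.51.100.7 is an assumed value.

```python
"""Toy model of PIX 6.x inbound static PAT (added example, not from the thread).

Pre-8.3 semantics: the inbound ACL on the outside interface is matched against
the global (outside) destination, and only then is the static consulted.
"""
from __future__ import annotations

import re
from collections import namedtuple

Static = namedtuple("Static", "proto gip gport lip lport")  # gip/gport: global, lip/lport: inside
Ace = namedtuple("Ace", "action proto dst dport")            # dst: "any" or a global address

STATIC_RE = re.compile(
    r"^static \(inside,\s*outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)(?: netmask \S+)?$")
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>tcp|udp|ip) any "
    r"(?P<dst>host \S+|interface outside|any)(?: eq (?P<port>\d+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def parse(config: str, outside_ip: str):
    """Parse the subset of PIX 6.x syntax used in the thread into
    (statics, acls, bound_acl). 'interface' resolves to outside_ip, which is
    how a DHCP-assigned outside address is referenced."""
    statics, acls, bound = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            proto, gip, gport, lip, lport = m.groups()
            st = Static(proto, outside_ip if gip == "interface" else gip, int(gport), lip, int(lport))
            # A second static for the same global tuple is rejected: nothing
            # else could tell the two translations apart.
            if any(s[:3] == st[:3] for s in statics):
                raise ValueError(f"overlapping static for {st.proto} {st.gip}:{st.gport}")
            statics.append(st)
        elif m := ACE_RE.match(line):
            dst = m["dst"]
            dst = dst.split()[1] if dst.startswith("host ") else outside_ip if dst == "interface outside" else dst
            port = int(m["port"]) if m["port"] else None
            acls.setdefault(m["name"], []).append(Ace(m["action"], m["proto"], dst, port))
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
    return statics, acls, bound


def evaluate(config: str, outside_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp"):
    """Fate of an inbound SYN to dst_ip:dst_port arriving on the outside:
    ("forward", "inside_ip:port") or ("drop", reason)."""
    statics, acls, bound = parse(config, outside_ip)
    if bound is None:
        return ("drop", "no access-group on outside; inbound is denied by default")
    # Step 1: the ACL sees the global destination, so an ACE written with the
    # inside address (as in the question) can never match.
    for ace in acls.get(bound, []):
        if ace.proto not in (proto, "ip") or ace.dst not in ("any", dst_ip):
            continue
        if ace.dport is not None and ace.dport != dst_port:
            continue
        if ace.action == "deny":
            return ("drop", f"denied by {bound}")
        break
    else:
        return ("drop", f"no entry in {bound} matches {dst_ip}:{dst_port} (implicit deny)")
    # Step 2: the static is looked up by the global tuple.
    for st in statics:
        if st[:3] == (proto, dst_ip, dst_port):
            return ("forward", f"{st.lip}:{st.lport}")
    return ("drop", f"no static for {proto} {dst_ip}:{dst_port}")


# Config as posted in the question: inside address in the ACL, port 80 -> 443.
OP_CONFIG = """
access-list outside_in permit tcp any host 10.50.1.10 eq 80
access-list outside_in permit tcp any host 10.50.1.10 eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp 63.200.204.45 80 10.50.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 443 netmask 255.255.255.255
"""
# The answer's 'interface' variant.
ANSWER_CONFIG = """
access-list outside_in permit tcp any interface outside eq 80
access-list outside_in permit tcp any interface outside eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp interface 80 10.50.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.50.1.11 3389 netmask 255.255.255.255
"""
OUTSIDE_IP = "198.51.100.7"  # assumed DHCP lease on the outside interface

if __name__ == "__main__":
    print(evaluate(OP_CONFIG, OUTSIDE_IP, "63.200.204.45", 80))
    print(evaluate(ANSWER_CONFIG, OUTSIDE_IP, OUTSIDE_IP, 3389))
```

Running it prints a drop with "implicit deny" for the posted config and a forward to 10.50.1.11:3389 for the answer's. The overlap check in parse is the same reason a second static for an already-used global address and port is refused on the PIX.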

Tags: Cisco Security

Similar Questions

  • access-list with PAT

    Hi guys,

    I would like to know whether, in the access list used for PAT, you can have deny statements, i.e. put a deny in the access list for the traffic that you do not want to be PATed.

    example:

    access-list acl-pat deny ip 10.0.0.1 0.0.0.0 any
    access-list acl-pat permit ip 10.0.0.0 0.0.0.255 any

    If I don't want 10.0.0.1 PATed.

    Hello

    It's perfectly legal and quite a common practice.

    Hope that helps - please rate the post if it does.

    Paresh

  • With PAT on Cisco PIX VPN client

    Dear all,

    I have a PIX 515 at the main site with IPSec enabled. Home users using the 3.x VPN client connect to the PIX for VPN access. When the home user has a real IP, I can ping the local network of the main site. However, when the home user is behind a router doing PAT, the VPN cannot be established.

    Is there a setting I should put on the PIX, VPN client or router?

    Thank you.

    Doug

    And if you still have problems, upgrade your PIX to 6.3 and use:

    isakmp nat-traversal

    But the first thing would be to check IPSec passthrough as Ade suggested. If the device is a Linksys, check the version of the firmware as well.

    Kind regards

  • 837 to 837 VPN with PAT?

    I have a working VPN connecting two Cisco 837s.

    The client has a requirement for external access to RDP, POP3 and OWA... seemed pretty simple, just add:

    ip nat inside source static tcp etc... but as soon as I add these PAT entries, internal access to these services via the VPN from the other end (Site B) fails immediately.

    Site A config follows (Site B is running the 192.168.42.x range with a virtually identical config, no PAT though):

    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname FNN0755241374
    !
    logging buffered 10000 debugging
    no logging console
    enable secret xxxxxxxx
    !
    username xxxxx password xxxxxxxx
    clock timezone EST 10
    clock summer-time DEST recurring last Sun Oct 2:00 last Sun Mar 2:00
    no aaa new-model
    ip subnet-zero
    no ip domain lookup
    !
    ip cef
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key xxxxxxxxxxx address 203.x.x.25
    !
    ! (the first transform name is truncated in the original post)
    crypto ipsec transform-set tweed_to_mur esp- esp-md5-hmac
    !
    crypto map tweed_vpn 10 ipsec-isakmp
     set peer 203.149.73.25
     set transform-set tweed_to_mur
     match address 102
    !
    interface Ethernet0
     description FNN0755241374 LAN
     ip address 192.168.40.254 255.255.255.0
     ip nat inside
     no keepalive
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode itu-dmt
    !
    interface ATM0.1 point-to-point
     description 0755241374 (L2TP)
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    !
    interface FastEthernet1
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet2
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet3
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet4
     no ip address
     duplex auto
     speed auto
    !
    interface Dialer1
     description 0755241374 (L2TP) PPPoA RRSM512
     mtu 1400
     ip address negotiated
     ip nat outside
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp chap hostname xxxx
     ppp chap password xxxx
     crypto map tweed_vpn
    !
    ip nat inside source list 103 interface Dialer1 overload
    ip nat inside source static tcp 192.168.40.1 21 203.149.71.130 21 extendable
    ip nat inside source static tcp 192.168.40.1 20 203.149.71.130 20 extendable
    ip nat inside source static tcp 192.168.40.1 80 203.149.71.130 80 extendable
    ip nat inside source static tcp 192.168.40.4 25 203.149.71.130 25 extendable
    ip nat inside source static tcp 192.168.40.4 110 203.149.71.130 110 extendable
    ip nat inside source static tcp 192.168.40.4 143 203.149.71.130 143 extendable
    ip nat inside source static tcp 192.168.40.4 80 203.149.67.193 80 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    no ip http secure-server
    !
    access-list 11 remark * Permit end customer address space for NAT
    access-list 11 permit 192.168.1.0 0.0.0.255
    access-list 99 permit 203.149.69.5 log
    access-list 99 permit 203.149.64.91 log
    access-list 99 deny any log
    access-list 102 permit ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255
    access-list 102 deny ip 192.168.40.0 0.0.0.255 any
    access-list 103 deny ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255
    access-list 103 permit ip 192.168.40.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    snmp-server community readstring RO
    snmp-server community readwritestring RO
    snmp-server enable traps tty
    !
    line con 0
     exec-timeout 0 0
     password xxxx
     login
     no modem enable
     stopbits 1
    line aux 0
    line vty 0 4
     access-class 99 in
     exec-timeout 2 0
     password xxxx
     login local
    !
    scheduler max-task-time 5000
    !
    end

    FNN0755241374#

    Kind regards

    MB

    This is because static NAT takes priority over NAT overload, and therefore access-list 103 no longer stops these packets from being NATed.

    This example configuration will get you there:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml
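The point of the answer (static entries are consulted before the overload rule, so the deny in access-list 103 never sees the packet) is easy to check with a small model. The usual IOS remedy, independent of whatever the linked document shows, is to attach a route-map to each static entry so that VPN-bound traffic is excluded from it. The Python below is an added example, not code from the post or from Cisco; it models the rule-selection order for inside-to-outside traffic on the posted config. The route-map name NONAT and the Dialer1 address 203.0.113.1 are assumed values, and the Site B client 192.168.42.10 and Internet host 203.0.113.50 are constructed.

```python
"""Model of IOS inside->outside NAT rule selection (added example, not from
the post). Static entries are consulted before the dynamic overload rule, so
a deny in the overload ACL cannot protect traffic a static already matches;
a route-map attached to the static entry can.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src_net: str  # CIDR
    dst_net: str  # CIDR


@dataclass(frozen=True)
class StaticPat:
    """ip nat inside source static tcp <inside> <port> <global> <port> [route-map NAME]"""
    proto: str
    inside_ip: str
    inside_port: int
    global_ip: str
    global_port: int
    route_map: str | None = None


@dataclass
class NatConfig:
    statics: list[StaticPat]
    overload_acl: list[Ace]   # ACL named on "ip nat inside source list ... overload"
    overload_ip: str          # address of the overload interface
    route_maps: dict[str, list[Ace]] = field(default_factory=dict)


def acl_permits(acl: list[Ace], flow: Flow) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for ace in acl:
        if ip_address(flow.src) in ip_network(ace.src_net) and ip_address(flow.dst) in ip_network(ace.dst_net):
            return ace.action == "permit"
    return False


def translate(cfg: NatConfig, flow: Flow) -> tuple[str, int, str]:
    """Return (translated source ip, translated source port, rule that applied)."""
    for st in cfg.statics:
        if (st.proto, st.inside_ip, st.inside_port) != (flow.proto, flow.src, flow.sport):
            continue
        if st.route_map and not acl_permits(cfg.route_maps[st.route_map], flow):
            continue  # the route-map excludes this flow from the static entry
        return (st.global_ip, st.global_port, "static")
    if acl_permits(cfg.overload_acl, flow):
        # Overload keeps the source port when it is free; allocation is not modelled.
        return (cfg.overload_ip, flow.sport, "overload")
    return (flow.src, flow.sport, "untranslated")


# From the posted config: ACL 103 denies Site A -> Site B and permits the rest.
ACL_103 = [Ace("deny", "192.168.40.0/24", "192.168.42.0/24"),
           Ace("permit", "192.168.40.0/24", "0.0.0.0/0")]
# Assumed route-map NONAT (matching an ACL with the same deny) used for the fix.
NONAT = [Ace("deny", "192.168.40.0/24", "192.168.42.0/24"),
         Ace("permit", "0.0.0.0/0", "0.0.0.0/0")]
DIALER1_IP = "203.0.113.1"  # assumed negotiated address on Dialer1


def posted_config(with_route_map: bool) -> NatConfig:
    """Three of the posted static entries, with or without the route-map fix."""
    rm = "NONAT" if with_route_map else None
    statics = [StaticPat("tcp", "192.168.40.1", 80, "203.149.71.130", 80, rm),
               StaticPat("tcp", "192.168.40.4", 25, "203.149.71.130", 25, rm),
               StaticPat("tcp", "192.168.40.4", 110, "203.149.71.130", 110, rm)]
    return NatConfig(statics, ACL_103, DIALER1_IP, {"NONAT": NONAT})


# Constructed flows: the web server answering a Site B client over the VPN,
# and the same server answering an Internet client.
TO_SITE_B = Flow("192.168.40.1", 80, "192.168.42.10", 51234)
TO_INTERNET = Flow("192.168.40.1", 80, "203.0.113.50", 40000)

if __name__ == "__main__":
    for fix in (False, True):
        print("route-map" if fix else "as posted", translate(posted_config(fix), TO_SITE_B))
```

As posted, the server's reply toward Site B is rewritten to 203.149.71.130 before the crypto map sees it, so it no longer matches access-list 102 and leaves the tunnel; with the route-map on the static, the same flow is left untranslated while Internet-bound traffic still hits the static.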

  • Site VPN to IPsec with PAT through the tunnel configuration example

    Hello

    As I've read a lot about site-to-site VPN connections and passing PAT through them, I still haven't found an example configuration for it on an ASA 55xx.

    Now, I've got the following setup with two locations A and B.

    Site A 192.168.0.0/24 - ipsec - Site B 192.168.200.0/24
    Site A 172.16.16.0/24

    ---------------------------------------------------------------------------

    Host 192.168.0.4 --> participating IP: 192.168.0.3 -> to 192.168.200.20
    Host 192.168.0.127 --> participating IP: 192.168.0.3 -> to 192.168.200.20
    Host 192.168.0.129 --> participating IP: 192.168.0.3 -> to 192.168.200.20
    Host 192.168.0.253 --> participating IP: 192.168.0.3 -> to 192.168.200.20

    Host 172.16.16.127 --> participating IP: 192.168.0.3 -> to 192.168.200.20
    Host 172.16.16.253 --> participating IP: 192.168.0.3 -> to 192.168.200.20

    ---------------------------------------------------------------------------

    Now I have hosts around within the networks 172.16.16.0 and 192.168.0.0 which need to access a terminal server at Site B.

    As I have no influence on where and when hosts pop up in my site, I would like to hide them behind a single IP address towards Site B.

    So in the event that new hosts need access, or old hosts can be deleted, it's as simple as editing the ACL or, conveniently, removing the object from the network object.

    So I guess the ACL looks like this:

    ---------------------------------------------------------------------------

    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.4 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.127 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.129 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.253 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 172.16.16.127 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 172.16.16.253 host 192.168.200.20

    ---------------------------------------------------------------------------

    But now my big question is, how do I tell the ASA to use 192.168.0.3 as the address for the PAT translation?

    Something like this, I'd say; it must be handled by policy NAT:

    nat (inside) 1 access-list VPN-PARTICIPATED-HOSTS

    Now how do I do that?
    The rest of the config, I guess, will be quite normal, as follows:

    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer AA.BB.CC.DD
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 3600

    access-list outside_1_cryptomap extended permit ip host 192.168.0.3 host 192.168.200.20

    ---------------------------------------------------------------------------

    On SITE B

    the config is pretty simple:

    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer <Site A IP>
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 3600

    access-list outside_1_cryptomap extended permit ip host 192.168.200.20 host 192.168.0.3

    access-list inside_nat0_outbound extended permit ip host 192.168.200.20 host 192.168.0.3

    ---------------------------------------------------------------------------

    Thank you for you're extra eyes and precious time!

    Colin

    You want to PAT the traffic that goes through the tunnel?

    access-list PAT permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list PAT permit ip 172.16.16.0 255.255.255.0 192.168.200.0 255.255.255.0
    nat (inside) 1 access-list PAT
    global (outside) 1 192.168.0.3 netmask 255.255.255.255

    Then, the VPN ACL applied to the crypto map:

    access-list vpn permit ip host 192.168.0.3 192.168.200.0 255.255.255.0

    Thus, all traffic from Site A will be PATed when it goes to the remote 192.168.200.0/24.

    The interesting thing is that traffic can only be initiated from your end.

    The remote end cannot initiate traffic to 192.168.0.3 if there is not an existing dynamic translation on your side.

    Is that what you are looking for?

    Federico.

  • VPN site to Site with a side PAT

    Hi all

    I created a site-to-site VPN between two ASA 5505s, with one side having a static public IP address and the other side behind a device with PAT. UDP 500 is forwarded to the ASA.

    The tunnel works very well if initiated from the side behind the PAT, but cannot be brought up from the other side.

    Here's what I see in the system log during initialization from the 'wrong' side:

    Is this still a problem with PAT?

    Best regards

    Tobias

    Hello

    To be honest, these are sometimes slightly hard problems, especially when you do not have access to the actual devices.

    To me the logs you shared seem to indicate a problem with the Phase 1 negotiation, where this local device sends Phase 1 proposals to the remote device but doesn't get enough of a response back for the negotiation to complete.

    So, I would try to confirm on the remote site's device that this traffic is indeed allowed. For example, you can check the remote device via a management connection when the VPN is NOT up and see if there is any sign of VPN negotiation taking place when you start traffic from the other site. That is, whether it still sees the initial messages in the direction that has problems opening the tunnel.

    When you initiate the negotiation from this site's VPN device, what do you see in the output of

    show crypto isakmp sa

    or, with the latest software,

    show crypto ikev1 sa

    Try issuing it several times while you generate traffic for the VPN.

    If the remote device does not respond at all you would probably see something like MM_WAIT_MSG2, which means that the local VPN device is waiting for the first response (second message of the negotiation) from the remote VPN device.

    Maybe this will help you narrow down the problem a bit.

    -Jouni

  • PAT for two web servers

    Hi all.

    I want to replace the MS ISA server with a Cisco ASA, but I have a problem with PAT.

    Two addresses are published under the same Internet address 1.1.1.1. The MS ISA server is configured with static PAT for two web servers: example.web1.com on the inside address 192.168.1.10 and example.web2.com on the inside address 192.168.1.11.

    When the user tries to open the web page example.web1.com from the Internet, the MS ISA server translates it to the internal address 192.168.1.10.

    When the user tries to open the web page example.web2.com from the Internet, the MS ISA server translates it to the internal address 192.168.1.11.

    The Cisco example uses a single address:

    static (inside,outside) tcp 1.1.1.1 www 192.168.1.10 www netmask 255.255.255.255

    but I have two web servers using the same port 80 and the same outside address 1.1.1.1.

    Can the ASA create a URL-based translation? For example:

    static (inside,outside) tcp example.web1.com www 192.168.1.10 www netmask 255.255.255.255
    static (inside,outside) tcp example.web2.com www 192.168.1.11 www netmask 255.255.255.255

    Hello

    To my knowledge, this type of NAT is not possible on the ASA.

    The ASA has nothing to differentiate the 2 translations from each other other than the order of the NAT configurations. But I think that at your software level it doesn't even accept the second NAT configuration, since it overlaps with the first. In the most recent software it would accept the second configuration, but the traffic would still only hit one of the NAT configurations.

    There must be something on the MS ISA which, in addition to the overlapping NAT, knows which static PAT to choose based on the requested web page?

    -Jouni

  • PAT on IPSEC VPN (Pix 501)

    Hello

    I am working on connecting a PIX 501 by VPN to a 3rd party's 3015 concentrator. The concentrator requires all traffic to come from a single source IP address. This IP address is assigned to me as z.z.z.z. I have successfully built the VPN and tested it by statically mapping an internal IP to the assigned IP address, but cannot get the commands right to do it with PAT in order to have more than one computer on the 10.x.x.0 subnet. This PIX is also a backup for Internet routing, and NAT currently works well for that.

    I can route traffic from my subnet to the remote subnet via the VPN, but I can't seem to get the PAT to the VPN using the assigned IP address right. If anyone can give me some advice that would be great.

    Interesting lines of the current config, with the static mapping:

    --------------------------------------------------------------------------

    access-list 101 permit ip 10.0.0.0 255.255.255.0 y.y.y.0 255.255.255.0
    access-list 102 permit ip y.y.y.0 255.255.255.0 host z.z.z.z
    access-list 103 permit ip host z.z.z.z y.y.y.0 255.255.255.0
    ip address outside w.w.w.1 255.255.255.248
    ip address inside 10.0.0.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list 102
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) z.z.z.z 10.x.x.50 netmask 255.255.255.255 0 0
    route outside 0.0.0.0 0.0.0.0 w.w.w.2 1
    crypto map mymap 10 match address 103
    crypto map mymap interface outside
    isakmp enable outside

    Thank you!

    Dave

    Dave,

    (1) Get rid of the static. Use another global/nat pair instead. The static will create a permanent translation for your inside host and it will always be NATed that way. Use policy NAT instead, as shown here:

    no static (inside,outside) z.z.z.z 10.x.x.50 netmask 255.255.255.255 0 0
    global (outside) 2 z.z.z.z netmask 255.255.255.255
    nat (inside) 2 access-list 101

    (2) The statement "nat (inside) 0 access-list 102" will prevent NAT of your valuable traffic. Delete this, because you need nat/global pair 2 to NAT it. (As a general rule, you only use nat 0 if you terminate VPN clients on your device and do not want inside traffic destined for the VPN clients to be NATed on the outside interface.)

    (3) With the global/nat 2 statements, all traffic destined for the remote network will first be translated to z.z.z.z. Then your crypto map using ACL 103 will encrypt all traffic sourced from z.z.z.z to y.y.y.0/24. This translation will happen only when traffic is destined for the VPN.

    I hope this helps. I have this working on many tunnels like you describe.

    Jamison
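Federico's answer in the ASA thread above and Jamison's answer here rely on the same mechanism: a nat/global pair keyed on a policy ACL that PATs only VPN-bound traffic behind one address (global (outside) 1 192.168.0.3 in one case, global (outside) 2 z.z.z.z in the other). Federico also notes the consequence: the remote side cannot initiate to that address, because no translation exists until an inside host creates one. The Python below is an added example, not code from either post. It models a PIX dynamic policy PAT table using Federico's addresses (192.168.0.0/24 and 172.16.16.0/24 hidden behind 192.168.0.3 toward 192.168.200.0/24); the inside hosts, ports, the Internet host 203.0.113.9 and the port-pool start of 1024 are constructed or assumed values.

```python
"""Model of PIX policy PAT through a tunnel (added example, not from the thread).

A nat/global pair keyed on a policy ACL: outbound packets that match the ACL
create an xlate on the single global address; inbound packets are accepted
only when an xlate for that global port already exists.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    src_net: str  # CIDR
    dst_net: str  # CIDR


@dataclass(frozen=True)
class Xlate:
    proto: str
    inside_ip: str
    inside_port: int
    global_port: int


@dataclass
class PolicyPat:
    """nat (inside) <id> access-list <acl>  +  global (outside) <id> <global_ip>"""
    acl: list[Ace]
    global_ip: str
    next_port: int = 1024  # first port the PAT pool hands out (assumed)
    by_inside: dict[tuple[str, str, int], Xlate] = field(default_factory=dict)
    by_global: dict[tuple[str, int], Xlate] = field(default_factory=dict)

    def matches(self, src: str, dst: str) -> bool:
        return any(ip_address(src) in ip_network(a.src_net) and ip_address(dst) in ip_network(a.dst_net)
                   for a in self.acl)

    def outbound(self, src: str, sport: int, dst: str, proto: str = "tcp") -> tuple[str, int] | None:
        """Inside -> outside. Returns the global (ip, port), creating the xlate on
        first use, or None when the flow is not this rule's business."""
        if not self.matches(src, dst):
            return None
        key = (proto, src, sport)
        if key not in self.by_inside: 
            x = Xlate(proto, src, sport, self.next_port)
            self.next_port += 1
            self.by_inside[key] = x
            self.by_global[(proto, x.global_port)] = x
        return (self.global_ip, self.by_inside[key].global_port)

    def inbound(self, dst: str, dport: int, proto: str = "tcp") -> tuple[str, int] | None:
        """Outside -> inside. Only traffic for an existing xlate is accepted;
        with no prior outbound flow the remote end has nothing to connect to."""
        if dst != self.global_ip:
            return None
        x = self.by_global.get((proto, dport))
        return (x.inside_ip, x.inside_port) if x else None


# Federico's policy: both Site A ranges hide behind 192.168.0.3 toward Site B.
PAT_ACL = [Ace("192.168.0.0/24", "192.168.200.0/24"),
           Ace("172.16.16.0/24", "192.168.200.0/24")]


def demo() -> PolicyPat:
    """Constructed traffic: two inside hosts reach the terminal server, one
    inside host goes to the Internet (left to the ordinary nat/global)."""
    pat = PolicyPat(PAT_ACL, "192.168.0.3")
    pat.outbound("192.168.0.4", 50001, "192.168.200.20")
    pat.outbound("172.16.16.127", 50002, "192.168.200.20")
    pat.outbound("192.168.0.4", 50003, "203.0.113.9")
    return pat


if __name__ == "__main__":
    p = demo()
    print(sorted((x.inside_ip, x.inside_port, x.global_port) for x in p.by_inside.values()))
    print(p.inbound("192.168.0.3", 1025), p.inbound("192.168.0.3", 1026))
```

The asymmetry Federico describes falls out of the table: inbound lookups succeed only for ports an inside host has already opened, and a host at Site B sending to 192.168.0.3 on any other port gets nothing. Jamison's nat/global 2 with access-list 101 behaves the same way with z.z.z.z as the global address.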

  • PIX, VPN, PAT and static

    I want to enable an inbound and outbound VPN on a PIX configured with PAT. I've enabled ESP and UDP/500 in the appropriate access lists, but must provide a static for inbound traffic. I already use a static for inbound SMTP traffic, and I don't see how to do the same thing for udp/500, but how do I do ESP traffic?

    Any suggestions gratefully received.

    If you are referring to a port static, you cannot create one for ESP, since port statics can only be created for TCP/UDP and ESP sits directly on top of IP; it is NOT a TCP/UDP protocol. You will need to create a one-to-one static for this internal VPN server and have your clients connect to that address. This will chew up another global IP address, sorry.

  • VPN3002 PAT-Mode and individual user authentication

    Hi all

    I have three questions about the VPN3002 connected to a VPN3005 in PAT mode

    and with individual user authentication.

    First:

    Is it possible to use this function for several users on the private LAN?

    Because I tried this, but when the second user was authenticated, one of them could no longer work.

    Second:

    When the answer to the first question is YES, can the users be in a different group than the VPN3002 client itself?

    Third:

    What happens when there is a router between the local private network and the users?

    Because the user authentication field appears only when the users are directly connected to the private LAN.

    I tried with PAT, but this was not possible because the VPN3002 cannot distinguish the different users.

    I think that it will be possible with NAT, but then I run into my first question.

    Regards

    Karlheinz

    1 > That is the main function of the user authentication feature; see here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3002/3_5/get_star/gs1under.htm#xtocid13

    2 > Users cannot be in another group. The group depends on what the 3002 itself connects in as.

    3 > It wouldn't send traffic for other subnets connected to the private side. The design of the 3002 is such that only the subnet directly behind it is what it can do VPN for.

    Kind regards

  • Request for responses with multi-Select fast

    Hello

    Hoping someone can help - I need to create a prompt in an Answers request to allow users to choose a customer - I need this to be similar to a multi-select in a dashboard prompt so that the user can type "begins with" and find the customer they want. Currently, the only options in Answers are to scroll through the entire list or type the value directly. The request is simply posted as a link on a dashboard page - I'd rather not have to create another dashboard page if possible.

    I would be grateful for any ideas.

    Many thanks,
    Patricia

    Patricia, you are trying to make this more difficult than it needs to be. From what you say, just use Value Interaction > Navigate to a report which lists all the names that "begin with Pat". Put "is prompted" on the cust name column of the destination report and it will give you the "last step" you are looking for.

    P.S. a lot of useful tips in this thread. It would be nice to price messages with points.

  • Satellite M30-604 only see a capacity of 128GB HARD drive from 320 GB HARD disc

    I have an M30-604 with XP SP2 and BIOS version 1.7.
    I installed a new internal 2.5" 320 GB hard drive - but the XP Disk Manager sees only 128 GB of total capacity. There is no unallocated space either.
    Is the Phoenix BIOS 48-bit LBA compatible?

    Akuma is right. This is a technical limitation and there is nothing you can do about it.
    With a SATA HDD it might be possible to see the whole HDD capacity, but not with an old PATA drive.

  • Cloned new HDD for Pavilion 1210.uk does not start

    I am new to the forum so Hi everyone.

    I just installed a new HDD (SATA) to my office. BIOS identiified unit correctly and I cloned using HDClone software. He succeeded with 0 read and write errors. All files are accessed through drive letter access. So far so good, I thought. I then tried to boot from the disc again by changing the BIOS boot order. Hoewver, when the trunk begins with the new PC HARD drive crashes with a white/black screen with the cursor blinking in the upper left corner. It is the logo of Microsoft and o/s linen starts (XP).

    Some additional information:

    * Old HARD drive still boots without problem with or without the new drive.

    * I changed the transfer rate of 3.0 GB to 1.5 GB being the SATA 2 drive. That made no difference, then changed back.

    I don't know what is wrong, someone has also experienced this or knows what is the problem?

    Thanks for reading.

    The cloned system was not built with PATA and SATA drivers.  This could be the problem. You still get the blinking cursor?  You can send an email to technical support HDClone and ask of PATA, SATA problem of cloning.

  • LRT224 Port forwarding of specific Port

    Is it possible with this router to do port forwarding of a specific port to a PC?

    I have a basic need:

    Forward incoming requests on WAN port 37777 to RDP port 3389 on the local server xxx.xxx.xxx.xxx.

    I tried to configure a forward like this:

    Service: 37777 (custom) - 37777

    IP address: XXX.XXX.XXX.XXX:3389

    But I can't save this configuration (a white page is displayed).

    How can I access my business with RDP on my public IP address on a specific port (not the standard 3389) and be sent to a specific server?

    For example: RDP to yyy.yyy.yyy.yyy:37777 connects to the local server xxx.xxx.xxx.xxx

    So far, I can only access this server with RDP on the standard port on the public IP address.

    Thank you

    The LRT224 supports Port Address Translation (PAT). With PAT, each computer on the LAN is translated to the same IP address, but with a different port number assignment.

  • Cisco ASA 8.4.1 address Destination NAT?

    I have a situation where I have a deployed ASA 5505 running 8.4.1.

    The customer has an existing mail server which is located on their local network and has port NAT configured for the normal mail ports, 25, 110, 993, 587 etc.

    It works very well for incoming mail and for any user pulling mail off the server externally or visiting the webmail from outside the network.

    However, when users within the LAN try to connect back in through the ASA by entering the IP address of the ASA's outside interface, they are unable to do so.

    The solution I came up with is split DNS. That, however, relies on users not changing their DNS servers.

    I was wondering if it is possible to do some sort of NAT that rewrites traffic destined to the above ports on the outside IP address to the internal LAN IP instead.

    This is probably a stupid question, but I couldn't find an answer; maybe I am using the wrong terms to find one.

    In any case, I was hoping someone here could point me in the right direction.

    Thank you

    You can only configure DNS rewrite if you have 1-to-1 static NAT. With static PAT, as advised, DNS rewrite is not supported, because with static PAT there are potentially different internal IP mappings, so the DNS rewrite would not point to exactly the right address.
