Question for NAT exemption

I have an ASA 5545-X running 9.6(1) code, and I had a question regarding NAT exemptions for the AnyConnect VPN client.

When I initially configured the AnyConnect VPN, I did the usual steps: created a local client pool, authentication, client software image and NAT exemptions using the new syntax. For example:

nat (inside,outside) source static PROD-NETWORKS PROD-NETWORKS destination static VPN-CLIENT-POOL VPN-CLIENT-POOL no-proxy-arp route-lookup

I also have an ACL for the VPN clients.

Then I added a network to the ACL and added a route for that network on the ASA, but I forgot to put this network in the group used above (PROD-NETWORKS). In other words, I forgot to create a NAT exemption for this new network.

But clients were still able to connect to the new network without the exemption.

Has something changed? Is it no longer necessary? How does this even work?

Hi Colin,

Well, usually NAT exemption is necessary. 9.x code introduced the per-session PAT and multi-session PAT feature; per-session PAT is enabled by default and allows better scalability, and this feature also has no timeout, which means that you can have more translations than with multi-session PAT (PAT translations over a single IP address). Now, to return to the initial question, let's remember that a dynamic NAT is not bidirectional, so you are going from the VPN client to the host's IP address, and that is allowed. That is (is there an object configured for the Internet that must be matched by NAT?), what line number is the NAT exemption in? What happens if you delete the NAT exemption, or place it as line 1?

Since you are saying the NAT exemption is still being bypassed, it seems somewhat right, but if you look at it from the perspective that dynamic NAT is one-way for internal hosts, the current flow seems to be: the VPN user accesses the ASA and this is allowed because it is VPN traffic and "sysopt connection permit-vpn" allows the traffic, and as long as it has not matched a NAT rule (right here the NAT exemption should match; if it does not, it does not match any other NAT rule for the host on the 'outside'), the traffic simply continues on to the internal host (Session Management Path), then the reply must match this flow via the Fast Path; obviously the packet is encapsulated and encrypted, and vice versa as well.

Keep me posted!

Please rate and mark the helpful post as correct!

David Castro,
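A small model of the ASA's first-packet NAT rule selection, added here as an example that is not part of the thread or of Cisco's code, to show why the behaviour Colin saw follows from dynamic NAT being one-way and why the exemption's position relative to the PAT rule still matters for inside-initiated flows. Interface names, rule names and the 10.10.30.0/24, 10.10.35.0/24 and 203.0.113.1 addresses are constructed.

```python
"""Model of ASA (8.3+) first-packet NAT rule selection.

Added example, not code from the forum post or from Cisco.  A dynamic NAT
rule is one-way: a connection a VPN client opens towards an inside host
matches no dynamic PAT rule and passes untranslated even without the
exemption, while a connection opened from the inside towards a VPN client
is PATed unless an identity (exemption) rule is evaluated before the PAT
rule.  Rule names, interface names and all addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    name: str
    real_if: str             # interface of the real (untranslated) side
    mapped_if: str           # interface of the mapped side
    real_src: IPv4Network    # real source addresses the rule applies to
    mapped_src: IPv4Network  # mapped source; equal to real_src for an exemption
    dest: Optional[IPv4Network] = None  # twice-NAT destination match; None = any
    static: bool = False     # static rules are bidirectional, dynamic are not


@dataclass
class Packet:
    ingress_if: str
    src: str
    dst: str


def match_direction(rule: NatRule, pkt: Packet) -> Optional[str]:
    """'forward' if the real side initiates, 'reverse' if the mapped side does."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.ingress_if == rule.real_if and src in rule.real_src:
        if rule.dest is None or dst in rule.dest:
            return "forward"
    # Only a static (bidirectional) rule lets the mapped side open a connection;
    # a dynamic rule serves existing xlates only, never a new inbound one.
    if rule.static and pkt.ingress_if == rule.mapped_if and dst in rule.mapped_src:
        if rule.dest is None or src in rule.dest:
            return "reverse"
    return None


def apply_nat(rules: List[NatRule], pkt: Packet) -> Tuple[str, str, str]:
    """Evaluate manual NAT rules in configured order (first hit wins, as in
    section 1 of the ASA NAT table) and return (rule name, new src, new dst)."""
    for rule in rules:
        direction = match_direction(rule, pkt)
        if direction is None:
            continue
        if rule.real_src == rule.mapped_src:       # identity NAT / NAT exemption
            return rule.name, pkt.src, pkt.dst
        if direction == "forward":                 # source rewritten (PAT to interface)
            return rule.name, str(rule.mapped_src.network_address), pkt.dst
        # Reverse hit on a 1:1 static rule: un-map the destination.
        offset = int(ip_address(pkt.dst)) - int(rule.mapped_src.network_address)
        return rule.name, pkt.src, str(rule.real_src.network_address + offset)
    return "no NAT rule", pkt.src, pkt.dst


# Constructed scenario mirroring the thread: protected networks, AnyConnect
# pool, and interface PAT for Internet access.
PROD_NETWORKS = ip_network("10.10.30.0/24")
VPN_CLIENT_POOL = ip_network("10.10.35.0/24")
OUTSIDE_IP = ip_network("203.0.113.1/32")

EXEMPTION = NatRule("source static PROD PROD destination static POOL POOL",
                    "inside", "outside", PROD_NETWORKS, PROD_NETWORKS,
                    dest=VPN_CLIENT_POOL, static=True)
INTERNET_PAT = NatRule("source dynamic any interface",
                       "inside", "outside", ip_network("0.0.0.0/0"), OUTSIDE_IP)

VPN_TO_INSIDE = Packet("outside", "10.10.35.7", "10.10.30.20")  # after decryption
INSIDE_TO_VPN = Packet("inside", "10.10.30.20", "10.10.35.7")


def vpn_client_to_inside(with_exemption: bool) -> Tuple[str, str, str]:
    """Connection opened by a VPN client towards a protected host."""
    rules = [EXEMPTION, INTERNET_PAT] if with_exemption else [INTERNET_PAT]
    return apply_nat(rules, VPN_TO_INSIDE)


def inside_to_vpn_client(with_exemption: bool) -> Tuple[str, str, str]:
    """Connection opened by an inside host towards a connected VPN client."""
    rules = [EXEMPTION, INTERNET_PAT] if with_exemption else [INTERNET_PAT]
    return apply_nat(rules, INSIDE_TO_VPN)


def inside_to_vpn_client_pat_first() -> Tuple[str, str, str]:
    """Same flow with the PAT rule ordered before the exemption (the 'what
    line number is the exemption in' question from the reply above)."""
    return apply_nat([INTERNET_PAT, EXEMPTION], INSIDE_TO_VPN)


if __name__ == "__main__":
    for exempt in (True, False):
        print("VPN client -> inside, exemption", exempt, vpn_client_to_inside(exempt))
        print("inside -> VPN client, exemption", exempt, inside_to_vpn_client(exempt))
    print("inside -> VPN client, PAT before exemption", inside_to_vpn_client_pat_first())
```

The VPN-client-initiated case passes untranslated with or without the exemption, which is what the original poster observed; the inside-initiated case is where a missing or mis-ordered exemption lets the PAT rule rewrite the source.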

Tags: Cisco Security

Similar Questions

  • VPN - NAT Exemption?

    Hi all

    Just a mental block I'm having at the moment.

    ASA 5585 running 9.0.x code - there is no NAT configuration at all on the box. This ASA firewall will terminate a site-to-site VPN.

    My question is - is a "NAT exemption" rule required... similar to the crypto ACL for the traffic in the tunnel... or is NAT exemption only required when NAT is configured?

    My apologies if this is a silly question

    Thank you

    James

    When there is no NAT config, the ASA will pass all traffic untranslated, which includes the tunnel traffic. So you're right, you don't need any NAT exemption.

    However, you can configure it. For example, if you plan to add NAT at a later stage, then it might be easier to implement the NAT if your NAT exemption is already in place.

  • Public and private IPs on the same interface using NAT exemption/policy NAT

    I'm looking for some feedback on whether my thoughts on this setup will work.

    Equipment: PIX 515E 6.2(2)

    Scenario:

    The inside interface of the PIX will host 3 blocks of IP addresses - 2 public /24 blocks and 1 private /16 block. (All IP addresses have been replaced by dummy blocks.)

    Public blocks:

    * 192.168.10.0/24

    * 192.168.20.0/24

    Private block:

    * 10.50.0.0/16

    Traffic from the 2 public /24 blocks should go through the firewall without address translation.

    The two public blocks will be able to receive connections initiated from the Internet.

    The public blocks will need to be able to send and receive traffic over a static VPN tunnel to our headquarters without being subject to address translation.

    Traffic leaving the private /16 block should be subjected to PAT before passing through the firewall.

    The private /16 block will not receive incoming traffic from the Internet (other than responses to outbound connections initiated from within the private block).

    However, the private block will also have to be able to send and receive traffic over a static VPN tunnel to our headquarters *without* being subject to address translation (i.e. hosts on our corporate network must be able to initiate connections to the private block and vice versa).

    The inside interface of the PIX will be connected to a Catalyst 3xxx series layer 3 switch, which will be responsible for all internal routing (so the PIX will never route traffic back out the interface it was received on).

    My ideas on how to implement this are:

    * Use NAT exemption to exempt the public blocks from address translation. This will allow incoming and outgoing connections through the firewall.

    * Use NAT exemption to exempt the private block from NAT when connecting to our head office over the VPN tunnel.

    * Use policy NAT w/ PAT to translate the private block when connecting to all other hosts.

    I have translated these thoughts into the following configuration snippet.

    Because NAT exemption is processed before policy NAT when the NAT rules are evaluated, I believe this should allow the public IP blocks to pass incoming/outgoing traffic without translation, while subjecting the private block to translation (except when handling incoming/outgoing connections to our corporate office network).

    Can someone confirm my assumptions about this?

    # ----------------------------------------------------------------------
    # traffic which should be exempted from translation
    access-list nat_exempt permit ip 192.168.10.0 255.255.255.0 any
    access-list nat_exempt permit ip 192.168.20.0 255.255.255.0 any
    access-list nat_exempt permit ip 10.50.0.0 255.255.0.0 10.100.0.0 255.255.0.0
    # traffic which should be subject to translation
    access-list policy_nat permit ip 10.50.0.0 255.255.0.0 any
    # assume 192.168.5.1 is the address to use for PAT
    global (outside) 1 192.168.5.1
    nat (inside) 0 access-list nat_exempt
    nat (inside) 1 access-list policy_nat
    # assume 192.168.10.7 is the IP address of the inside layer 3 switch
    route inside 192.168.10.0 255.255.255.0 192.168.10.7 1
    route inside 192.168.20.0 255.255.255.0 192.168.10.7 1
    route inside 10.50.0.0 255.255.0.0 192.168.10.7 1
    # assume the following configuration sections appear elsewhere: static VPN tunnel, ACLs, ifconfig, etc.
    # ----------------------------------------------------------------------

    Yes, this will work, although you don't need policy NAT for the 10.50.0.0 network. To PAT the 10.50.0.0 network when going anywhere (except via VPN), just do:

    global (outside) 1 192.168.15.1
    nat (inside) 1 10.50.0.0 255.255.0.0

    As I said, what you have works perfectly; the above is just an easier way to do it.

  • Question for the Photos geniuses only.

    Question for the Photos geniuses only.

    You see, I started with iPhoto and later began to use Aperture.  With iPhoto and Aperture, you can have ALL the metadata below the thumbnails (nice).  Well, I put all my image descriptions in the keywords section because it didn't really matter, since these programs could show them with the thumbnails.

    Now I use this wonderful Photos program and I found out that it will ONLY show the title of the image under the thumbnails.  I've got around 30,000 images with keywords but no title.  I want to move/copy the text in the keywords section into the title section. I'm not a computer scientist; I guess my skills are average.  But I can follow directions.

    Suggestions appreciated.

    An ASC member compiled some useful AppleScripts for Photos. Maybe one of them will be close enough to your needs.

    http://www.oldtoadstutorials.NET/no.P01.html

  • How to get assistance from mozilla to answer questions for windows when I use a macintosh computer

    How to get assistance from mozilla to answer questions for windows when I use a macintosh computer?

    Look on the right side of the knowledge base articles, where it says "help to". There you can change the operating system and the Firefox version. The article content will adjust.

    If you ask a question on the help forum, you can simply say this in your question.

  • Question for Microsoft Support; I have a huge amount of .m4a music files that I cannot play in Windows Media Player?

    Question for Microsoft Support;
    I have a LARGE amount of .m4a music files on a stand-alone storage drive that I downloaded from an old Apple computer I no longer own. I can't understand how to get these files into my old Emachines computer running Windows Vista and the Media Player program. I tried to copy a few m4a files manually into the Media Player Music folder, but they do not play. I'm not really all that computer savvy and know only the basics; I really need to use my computer. Can you give me some step by step instructions on how to get these files converted, or whatever it is I need to do to get them to play and integrate properly into my library, if it is possible? If not, I'll have to go out and buy a new Apple computer for my 60 GB music collection. In the past I've never had any real problem moving files off this Vista-based computer and converting those files on my old Apple computers' iTunes player. So what's the problem with your guys' system that makes this such a pain in the butt anyway? I would really like to understand what exactly is happening with this issue. It's very frustrating for me. I'm a finish carpenter, not a computer programmer. Such things should not be so difficult for someone like me to understand. I intend to buy a really nice computer, probably in the summer, and was considering a Microsoft-based computer. But if this kind of problem is widespread with Microsoft products, then maybe I should reconsider. Any help you can offer to alleviate this problem will be greatly appreciated.
    Thank you
    Signed;
    Tim M. from Detroit.

    According to research on the Internet, Windows Media Player, at least version 11 (included in Windows Vista and available for Windows XP SP2+), cannot play Apple Lossless .m4a audio files without installing codecs.

    If you want to use Windows Media Player, you can follow the instructions mentioned here to install the necessary codecs and plugins.

    (In the instructions linked above, the first step talks about codecs - if your .m4a files are Apple Lossless files, then follow the part of the first step about Apple Lossless .m4a.)

    Personally, I prefer using alternatives to Windows Media Player rather than installing codec packs.

    If you don't want to install codecs, download any media player from the "Programs that open .M4A files" - Windows category list on this page.

    If you use an alternative player - VLC Media Player is my choice.

  • Question for all developers who participated in the PlayBook 2012 offer

    Hello

    I've got a question for all the developers who participated in the BB PB 2012 offer. Did you receive the e-mail about your shipping information (giving your address for shipping) immediately with the e-mail that said your application had been approved, or did you get it later?

    Thank you.

    A few days later.

  • Outbound IPSec VPN connection behind Pix535 problem: narrowed down to NAT-related

    Hi all

    Previously, I saw a similar thread and posted my troubles with outbound VPN connections inside that thread:

    https://supportforums.Cisco.com/message/3688980#3688980

    I had great help there, but unfortunately my problem is a little different and is a connection problem.  Here I summarize our configuration once again:

    hostname pix535, 8.0(4)

    All PCs here use private IPs such as 10.1.0.0/16 with dynamic NAT; we cannot initiate an OUTBOUND IPSec VPN (for example QuickVPN) from our offices, but the reverse (inbound) works very well (we have had an IPsec/PPTP server working for a long time). I did a few new tests yesterday which showed that if the PC has a static NAT (mapped to a real public IP), the outgoing VPN connection is fine; if the same PC has no static NAT (it hides behind the firewall's dynamic NAT), outgoing VPN is a no-go (same IP, same PC). So roughly, I have narrowed our VPN connection problem down to being NAT related. Here are a few NAT-related commands from our PIX:

    interface GigabitEthernet0
     description to cable-modem
     nameif outside
     security-level 0
     ip address 70.169.X.X 255.255.255.0
     ospf cost 10
    !
    interface GigabitEthernet1
     description inside 10/16
     nameif inside
     security-level 100
     ip address 10.1.1.254 255.255.0.0
     ospf cost 10
    !
    !
    interface Ethernet2
     description Vlan30
     nameif dmz2
     security-level 50
     ip address 30.30.30.30 255.255.255.0
     ospf cost 10
    !
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    ......

    global (outside) 10 interface
    global (dmz2) 10 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 10 inside8 255.255.255.0
    nat (inside) 10 Vlan10 255.255.255.0
    nat (inside) 10 vlan50 255.255.255.0
    nat (inside) 10 192.168.0.0 255.255.255.0
    nat (inside) 10 192.168.1.0 255.255.255.0
    nat (inside) 10 192.168.10.0 255.255.255.0
    nat (inside) 10 pix-inside 255.255.0.0

    crypto isakmp nat-traversal 3600

    -------

    Packet capture results are listed here for the same PC and the same traffic to the branch VPN server; the main difference is UDP 4500 (the PC with static NAT has UDP 4500 traffic, the same PC with dynamic NAT does not):

    #1: when the PC uses static NAT, the outgoing VPN is fine:

    54 packets captured
    1: 15:43:51.112054 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    2: 15:43:54.143028 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    3: 15:44:00.217273 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    4: 15:44:01.724938 10.1.1.82.1609 > 76.196.10.57.60443: S 2904546955:2904546955 (0) win 64240
    5: 15:44:01.784642 76.196.10.57.60443 > 10.1.1.82.1609: S 2323205974:2323205974 (0) ack 2904546956 win 5808
    6: 15:44:01.784886 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323205975 win 64240
    7: 15:44:01.785527 10.1.1.82.1609 > 76.196.10.57.60443: P 2904546956:2904547080 (124) ack 2323205975 win 64240
    8: 15:44:01.856462 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547080 win 5808
    9: 15:44:01.899596 76.196.10.57.60443 > 10.1.1.82.1609: P 2323205975:2323206638 (663) ack 2904547080 win 5808
    10: 15:44:02.056897 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323206638 win 63577
    11: 15:44:03.495030 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547080:2904547278 (198) ack 2323206638 win 63577
    12: 15:44:03.667095 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547278 win 6432
    13: 15:44:03.740592 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206638:2323206697 (59) ack 2904547278 win 6432
    14: 15:44:03.741264 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547278:2904547576 (298) ack 2323206697 win 63518
    15: 15:44:03.814029 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547576 win 7504
    16: 15:44:06.989008 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206697:2323207075 (378) ack 2904547576 win 7504
    17: 15:44:06.990228 76.196.10.57.60443 > 10.1.1.82.1609: 2323207075:2323207075 F (0) ack 2904547576 win 7504
    18: 15:44:06.990564 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323207076 win 63140
    19: 15:44:06.990656 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547576:2904547613 (37) ack 2323207076 win 63140
    20: 15:44:06.990854 10.1.1.82.1609 > 76.196.10.57.60443: 2904547613:2904547613 F (0) ack 2323207076 win 63140
    21: 15:44:07.049359 76.196.10.57.60443 > 10.1.1.82.1609: R 2323207076:2323207076 (0) win 0
    22: 15:44:17.055417 10.1.1.82.500 > 76.196.10.57.500: udp 276
    23: 15:44:17.137657 76.196.10.57.500 > 10.1.1.82.500: udp 140
    24: 15:44:17.161475 10.1.1.82.500 > 76.196.10.57.500: udp 224
    25: 15:44:17.309066 76.196.10.57.500 > 10.1.1.82.500: udp 220
    26: 15:44:17.478780 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
    27: 15:44:17.550356 76.196.10.57.4500 > 10.1.1.82.4500: 64 udp
    28: 15:44:17.595214 10.1.1.82.4500 > 76.196.10.57.4500: udp 304
    29: 15:44:17.753470 76.196.10.57.4500 > 10.1.1.82.4500: udp 304
    30: 15:44:17.763037 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
    31: 15:44:17.763540 10.1.1.82.4500 > 76.196.10.57.4500: udp 56
    32: 15:44:18.054516 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
    33: 15:44:18.124840 76.196.10.57.4500 > 10.1.1.82.4500: udp 68
    34: 15:44:21.835390 10.1.1.82.4500 > 76.196.10.57.4500: udp 72
    35: 15:44:21.850831 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
    36: 15:44:21.901183 76.196.10.57.4500 > 10.1.1.82.4500: udp 72
    37: 15:44:22.063747 10.1.1.82.1610 > 76.196.10.57.60443: S 938188365:938188365 (0) win 64240
    38: 15:44:22.104746 76.196.10.57.4500 > 10.1.1.82.4500: udp 80
    39: 15:44:22.122277 76.196.10.57.60443 > 10.1.1.82.1610: S 1440820945:1440820945 (0) ack 938188366 win 5808
    40: 15:44:22.122536 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440820946 win 64240
    41: 15:44:22.123269 10.1.1.82.1610 > 76.196.10.57.60443: P 938188366:938188490 (124) ack 1440820946 win 64240
    42: 15:44:22.187108 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188490 win 5808
    43: 15:44:22.400675 76.196.10.57.60443 > 10.1.1.82.1610: P 1440820946:1440821609 (663) ack 938188490 win 5808
    44: 15:44:22.474600 10.1.1.82.1610 > 76.196.10.57.60443: P 938188490:938188688 (198) ack 1440821609 win 63577
    45: 15:44:22.533648 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188688 win 6432
    46: 15:44:22.742286 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821609:1440821668 (59) ack 938188688 win 6432
    47: 15:44:22.742927 10.1.1.82.1610 > 76.196.10.57.60443: P 938188688:938189002 (314) ack 1440821668 win 63518
    48: 15:44:22.802570 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938189002 win 7504
    49: 15:44:25.180486 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821668:1440821934 (266) ack 938189002 win 7504
    50: 15:44:25.181753 76.196.10.57.60443 > 10.1.1.82.1610: 1440821934:1440821934 F (0) ack 938189002 win 7504
    51: 15:44:25.181997 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440821935 win 63252
    52: 15:44:25.182134 10.1.1.82.1610 > 76.196.10.57.60443: P 938189002:938189039 (37) ack 1440821935 win 63252
    53: 15:44:25.182333 10.1.1.82.1610 > 76.196.10.57.60443: 938189039:938189039 F (0) ack 1440821935 win 63252
    54: 15:44:25.241869 76.196.10.57.60443 > 10.1.1.82.1610: R 1440821935:1440821935 (0) win 0

    #2: same PC with Dynamic NAT, VPN connection fails:

    70 packets captured
    1: 14:08:31.758261 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    2: 14:08:34.876907 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    3: 14:08:40.746055 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    4: 14:08:42.048627 10.1.1.82.1074 > 76.196.10.57.60443: S 3309127022:3309127022 (0) win 64240
    5: 14:08:42.120248 76.196.10.57.60443 > 10.1.1.82.1074: S 1715577781:1715577781 (0) ack 3309127023 win 5808
    6: 14:08:42.120568 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715577782 win 64240
    7: 14:08:42.121102 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127023:3309127147 (124) ack 1715577782 win 64240
    8: 14:08:42.183553 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127147 win 5808
    9: 14:08:42.232867 76.196.10.57.60443 > 10.1.1.82.1074: P 1715577782:1715578445 (663) ack 3309127147 win 5808
    10: 14:08:42.405145 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578445 win 63577
    11: 14:08:43.791340 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127147:3309127345 (198) ack 1715578445 win 63577
    12: 14:08:43.850450 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127345 win 6432
    13: 14:08:44.028196 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578445:1715578504 (59) ack 3309127345 win 6432
    14: 14:08:44.058544 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127345:3309127643 (298) ack 1715578504 win 63518
    15: 14:08:44.116403 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127643 win 7504
    16: 14:08:47.384654 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578504:1715578882 (378) ack 3309127643 win 7504
    17: 14:08:47.385417 76.196.10.57.60443 > 10.1.1.82.1074: 1715578882:1715578882 F (0) ack 3309127643 win 7504
    18: 14:08:47.394068 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578883 win 63140
    19: 14:08:47.394922 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127643:3309127680 (37) ack 1715578883 win 63140
    20: 14:08:47.395151 10.1.1.82.1074 > 76.196.10.57.60443: 3309127680:3309127680 F (0) ack 1715578883 win 63140
    21: 14:08:47.457633 76.196.10.57.60443 > 10.1.1.82.1074: R 1715578883:1715578883 (0) win 0
    22: 14:08:57.258073 10.1.1.82.500 > 76.196.10.57.500: udp 276
    23: 14:08:57.336255 76.196.10.57.500 > 10.1.1.82.500: udp 40
    24: 14:08:58.334211 10.1.1.82.500 > 76.196.10.57.500: udp 276
    25: 14:08:58.412850 76.196.10.57.500 > 10.1.1.82.500: udp 40
    26: 14:09:00.333311 10.1.1.82.500 > 76.196.10.57.500: udp 276
    27: 14:09:00.410730 76.196.10.57.500 > 10.1.1.82.500: udp 40
    28: 14:09:02.412561 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    29: 14:09:04.349164 10.1.1.82.500 > 76.196.10.57.500: udp 276
    30: 14:09:04.431648 76.196.10.57.500 > 10.1.1.82.500: udp 40
    31: 14:09:05.442710 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    32: 14:09:11.380427 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    33: 14:09:12.349926 10.1.1.82.500 > 76.196.10.57.500: udp 276
    34: 14:09:12.421502 10.1.1.82.1076 > 76.196.10.57.60443: S 3856215672:3856215672 (0) win 64240
    35: 14:09:12.430794 76.196.10.57.500 > 10.1.1.82.500: udp 40
    36: 14:09:12.481832 76.196.10.57.60443 > 10.1.1.82.1076: S 248909856:248909856 (0) ack 3856215673 win 5808
    37: 14:09:12.527972 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248909857 win 64240
    38: 14:09:12.529238 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215673:3856215797 (124) ack 248909857 win 64240
    39: 14:09:12.608275 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215797 win 5808
    40: 14:09:12.658581 76.196.10.57.60443 > 10.1.1.82.1076: P 248909857:248910520 (663) ack 3856215797 win 5808
    41: 14:09:12.664531 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215797:3856215995 (198) ack 248910520 win 63577
    42: 14:09:12.725533 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215995 win 6432
    43: 14:09:12.880813 76.196.10.57.60443 > 10.1.1.82.1076: P 248910520:248910579 (59) ack 3856215995 win 6432
    44: 14:09:12.892272 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215995:3856216293 (298) ack 248910579 win 63518
    45: 14:09:12.953029 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856216293 win 7504
    46: 14:09:12.955043 76.196.10.57.60443 > 10.1.1.82.1076: 248910579:248910579 F (0) ack 3856216293 win 7504
    47: 14:09:12.955242 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248910580 win 63518
    48: 14:09:12.955516 10.1.1.82.1076 > 76.196.10.57.60443: P 3856216293:3856216330 (37) ack 248910580 win 63518
    49: 14:09:12.955730 10.1.1.82.1076 > 76.196.10.57.60443: 3856216330:3856216330 F (0) ack 248910580 win 63518
    50: 14:09:13.019743 76.196.10.57.60443 > 10.1.1.82.1076: R 248910580:248910580 (0) win 0
    51: 14:09:16.068691 10.1.1.82.500 > 76.196.10.57.500: udp 56
    52: 14:09:16.227588 10.1.1.82.1077 > 76.196.10.57.60443: S 3657181617:3657181617 (0) win 64240
    53: 14:09:16.283783 76.196.10.57.60443 > 10.1.1.82.1077: S 908773751:908773751 (0) ack 3657181618 win 5808
    54: 14:09:16.306823 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908773752 win 64240
    55: 14:09:16.307692 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181618:3657181742 (124) ack 908773752 win 64240
    56: 14:09:16.370998 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181742 win 5808
    57: 14:09:16.411935 76.196.10.57.60443 > 10.1.1.82.1077: P 908773752:908774415 (663) ack 3657181742 win 5808
    58: 14:09:16.417870 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181742:3657181940 (198) ack 908774415 win 63577
    59: 14:09:16.509388 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181940 win 6432
    60: 14:09:16.708413 76.196.10.57.60443 > 10.1.1.82.1077: P 908774415:908774474 (59) ack 3657181940 win 6432
    61: 14:09:16.887100 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181940:3657182254 (314) ack 908774474 win 63518
    62: 14:09:16.948193 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657182254 win 7504
    63: 14:09:19.698465 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
    64: 14:09:19.699426 76.196.10.57.60443 > 10.1.1.82.1077: 908774740:908774740 F (0) ack 3657182254 win 7504
    65: 14:09:20.060162 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
    66: 14:09:20.062191 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
    67: 14:09:20.063732 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
    68: 14:09:20.063900 10.1.1.82.1077 > 76.196.10.57.60443: P 3657182254:3657182291 (37) ack 908774741 win 63252
    69: 14:09:20.064098 10.1.1.82.1077 > 76.196.10.57.60443: 3657182291:3657182291 F (0) ack 908774741 win 63252
    70: 14:09:20.127694 76.196.10.57.60443 > 10.1.1.82.1077: R 908774741:908774741 (0) win 0
    70 packets shown

    We have had this IPsec VPN connection problem for years (I first thought it was an access restriction problem, but it does not work even if I disable all access lists, and yesterday's experiment with the same PC shows that access-list restriction is not the cause). All suggestions and tips are greatly appreciated.

    Sean

    Hi Sean, please remove the lines highlighted below from your PIX, try again and let me know; these lines are not part of the default PIX configuration.

    class-map vpn-udp-class
     match access-list vpn-udp-acl
    policy-map vpn-udp-policy
     class vpn-udp-class
      inspect ipsec-pass-thru
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 768
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect http
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect pptp
      inspect ipsec-pass-thru
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    ip verify reverse-path interface outside

    Thank you

    Rizwan James

  • Do Oracle cert exams give equal weight to each question - for example 1z0-117?

    Do Oracle cert exams give equal weight to each question - for example 1z0-117?

    For example, 1z0-117 Oracle 11g R2 SQL Tuning has 75 questions.

    Some of these questions require you to look at a long explain plan and determine what is happening.

    Other questions could be just "pick 2 of the 4".

    Is each question weighted equally?

    Roger

    Is each question weighted equally?

    Yes.  And each question is 100% right or 100% wrong.  There is no middle ground with multiple-answer questions.

  • Does anyone know if there are any CC or BC apps or other alternatives that provide a way to create an online survey consisting of 3 questions for participants at a trade show to fill out and submit for data collection purposes?  Offline data collection

    Does anyone know if there are any CC or BC apps or other alternatives that provide a way to create an online survey consisting of 3 questions for participants at a trade show to fill out and submit for data collection purposes?  Offline data collection is a must. The ability to export data to Excel would be an added bonus. Thanks for the tips.

    Hi Nathan,

    This link might help: Create fillable PDF forms, creative PDF forms | Adobe Acrobat DC

    Kind regards

    Sheena

  • Change the DHCP address range for NAT (vmnet8) in VMware Player on Linux

    Hello.

    Running VMware Player on Fedora. Trying to change the host address and DHCP IP range for NAT (vmnet8).

    Within the VMware Player GUI, there is no apparent way to change the NAT/DHCP range data.

    I see there are a few VMware apps in /usr/bin which seem to affect the DHCP/NAT address range, but I can't find docs on exactly how they work. Also, where is the configuration for the DHCP entry?

    Basically, I would set the vmnet8 DHCP host to 192.168.12.1 and the range to 192.168.12.128 - 192.168.12.135.

    Thank you

    If you only have VMware Player 3.x installed, then you do not have the Virtual Network Editor as in VMware Workstation, and without it, here are the commands to run in a terminal.

    sudo su
    /usr/bin/vmware-networks --stop
    cp -a /etc/vmware/networking /etc/vmware/networking.bak
    nano /etc/vmware/networking
    cp -a /etc/vmware/vmnet8/dhcpd/dhcpd.conf /etc/vmware/vmnet8/dhcpd/dhcpd.conf.bak
    nano /etc/vmware/vmnet8/dhcpd/dhcpd.conf
    /usr/bin/vmware-networks --start
    exit
    
  • A few questions for vSphere

    Hello

    I have a few questions for vSphere

    1 > What kind of network adapter should I use for my Win XP VM desktop (Flexible, E1000, V...)? What is the difference between them?

    2 > I give 4 or 5 GB of memory to my VM (Win 2003) servers, but a lot of the time I see alerts for CPU usage or memory usage. Why, and can it be optimized? What would be the way?

    3 > If in 1 ESX I have 8 cores (processors) and I create 25 VMs (Win XP), giving 1 CPU each, then how is it possible to have 8 processors and distribute 25 processors? What is the funda?

    Waiting for your reply.

    Thank you

    Rashid

    There is a selection list for the CPU (1,2,3,4,5,6,7,8) when creating a VM; now my question is, is this the number of processors or the processor number?

    For example if I choose 5, does it mean I selected 5 processors or processor number five?

    This selection is the number of vCPUs you give to your guest.  My suggestion would be to start with 1 vCPU and see how the performance is.

  • FMS 3 Questions for live video conferencing

    We have a few basic questions for installation of the server (windows 2003/FMS3) for an applicationt of videoconference with max 10 rooms for 3 persons x room remote connection:
    (1) is there an upgrade for components optimized for FMS3 fms? If this is not the case, should go us with the 'old'?
    (2) is there a way to detect the client bandwidth and latency and optimize Audio/video based on that basis by customer?
    (3) what we have hight latency problems which are not acceptable for video conferencing (5-10 sec): is there a way to optimize the configuration of the server for that? Is it possible to have the quality of Service that is configured on the network as for Voip applications?
    (4) I'we read in the manual that 44 hz encoding is faster than lower rates for audio? I expected the opposite. As the audio is more important for our system is a way to optimize that?
    We have large echoes (also with echo to reduce settings) and poor quality. Any way to improve this?

    I'll try to answer a couple of these...

    (1) The current FMS components work with FMS3, but some features (such as redirection) are supported only in the latest playback component. If everything works fine for your application, I don't think you need to upgrade.

    (2) FMS3 has the same script-based bandwidth detection capabilities as FMS2, but also a new and more effective 'native' bandwidth detection feature. See the FMS3 live docs for how to use this feature. Latency detection is not supported natively, but you can easily write SSAS to measure round-trip time to within a few seconds' precision.

    (3) Unfortunately, there is nothing that can be done on the server to overcome a high-latency link. Real-time communications will always be 'sluggish' on this type of connection. (Have you ever watched a live satellite feed on TV?)

    (4) I have no specific details on encoding speed for different sampling rates, so I won't comment on that. I will say that, in general, encoding introduces no significant latency (unless your client happens to have a *very* slow processor). Network latency and network congestion will do far more harm. For the best experience, try to keep the total stream rate as low as possible and don't forget to use bandwidth detection, etc. to ensure that you never exceed the capabilities of the client connection.

  • NAT exempted for pool vpn in ASDM

    I have read everything I can find, and I think I understand what is being asked of me, but I'm not exactly sure how to do it within ASDM.

    I used the "wizard" to implement the AnyConnect VPN and think it's fine.

    But the wizard reminded me that I had to add a NAT exempt rule, so the wizard isn't such a wiz after all and cannot put everything in place.

    My VPN pool is 10.10.35.1 through 50

    My internal networks are 10.10.30.0/24 and 10.10.10.0/24

    Do I need 2 NAT exempt rules to allow Windows Remote Desktop to internal machines via AnyConnect?

    And if so, how do I do that in ASDM? (I'm totally lost on using the CLI, and if that works better, I would like a step-by-step.)

    Thank you

    Dennis

    Hello

    You can insert the following configuration to set up the required NAT0 / NAT exempt:

    access-list INTERIOR-NAT0 remark NAT0 for VPN
    access-list INTERIOR-NAT0 permit ip 10.10.30.0 255.255.255.0 10.10.35.0 255.255.255.0
    access-list INTERIOR-NAT0 permit ip 10.10.10.0 255.255.255.0 10.10.35.0 255.255.255.0
    nat (inside) 0 access-list INTERIOR-NAT0

    You can use the CLI directly or you can use ASDM --> Tools --> Command Line Interface. You can choose the "Multiple Line" option before inserting the commands to send to the ASA.

    Hope this helps

    -Jouni
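    On an ASA running 8.3 or later (the code the AnyConnect wizard runs on today), the same exemption is written as an identity (twice) NAT rule. This is an added example for Dennis's two networks and pool, not part of Jouni's answer; the object names are assumed, the addresses come from the question.

```cisco
! Added example (not from the thread): post-8.3 NAT exemption for the AnyConnect pool.
! Object names are assumed; addresses are the ones given in the question.
object network LAN-10.10.30.0
 subnet 10.10.30.0 255.255.255.0
object network LAN-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object-group network INSIDE-NETWORKS
 network-object object LAN-10.10.30.0
 network-object object LAN-10.10.10.0
!
! The pool as a range object, so the exemption covers only 10.10.35.1-50
! (Jouni's ACL uses the whole 10.10.35.0/24; a subnet object would do the same here).
object network ANYCONNECT-POOL
 range 10.10.35.1 10.10.35.50
!
! One identity rule covers both internal networks, so two rules are not needed.
! It is placed as line 1 of section 1 so it is matched before any dynamic PAT
! rule for Internet traffic; no-proxy-arp stops the ASA answering ARP for the
! pool addresses on the inside, and route-lookup makes the egress interface
! come from the routing table rather than from the NAT rule itself.
nat (inside,outside) 1 source static INSIDE-NETWORKS INSIDE-NETWORKS destination static ANYCONNECT-POOL ANYCONNECT-POOL no-proxy-arp route-lookup
!
! Verification from the CLI: the rule's translate_hits/untranslate_hits counters
! should increase as Remote Desktop sessions are opened, and the simulated
! return flow from an inside host (port 3389) to a pool address should show
! the identity rule being matched instead of the dynamic PAT rule.
show nat detail
packet-tracer input inside tcp 10.10.30.10 3389 10.10.35.5 49152
```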

  • Global NAT FVRF question - for Experts

    Hi Experts,

    I have a client with a DMVPN network. Here is a simple drawing of the setup:

    First, the router config of BRANCH1: BRANCH1 - Config.txt

    What the client wants is simple:

    Host 200.200.200.200 should reach host 192.168.100.2 on port 3389.

    So I thought of doing the static NAT like this:

    ip nat inside source static tcp 192.168.100.2 3389 100.10.10.2 3389

    But it does not work because the BRANCH1 router is configured with an FVRF, which means the outside interface is in a VRF and the LAN inside interface is in the global table. I couldn't see any traffic reaching the server (192.168.100.2), but I could see the translation in the NAT process.

    So I tried to configure the NAT Virtual Interface (NVI); I read that NVI works best in a VRF environment. This time with these lines:

    interface FastEthernet0/0
     description * WAN connection *
     bandwidth 20000
     ip vrf forwarding DMVPN-VRF
     ip address 100.10.10.2 255.255.255.0
     ip access-group OUTSIDEACL in
     ip nat enable
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description * connection to computer 3 *
     ip address 192.168.100.1 255.255.255.0
     ip nbar protocol-discovery
     ip nat enable
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
     no cdp enable

    ip nat source static tcp 192.168.100.2 3389 100.10.10.2 3389 extendable

    Then I finally got some traffic on the server 192.168.100.2. See the Wireshark log:

    200.200.200.200 192.168.100.2 TCP stgxfws > ms-wbt-Server [SYN] Seq = 0 Win = 64240 Len = 0 MSS = 1260


    192.168.100.2 200.200.200.200 TCP ms-wbt-Server > stgxfws [SYN, ACK] Seq = 0 Ack = 1 Win = 64240 Len = 0 MSS = 1460

    So far so good, but... the router sends an ICMP destination unreachable, code 13, to the server:

    10.1.0.1 192.168.100.2 ICMP Destination unreachable (Communication administratively filtered)

    I guess that is because the router performs a lookup in the global routing table instead of the FVRF for the destination.

    Does anyone know how I can fix this problem?

    Maybe a solution on HUB1 for this so everything is managed centrally, what do you think?

    Best regards

    Laurent Rlap

    I can't see the spoke1 config. But first the routing needs to work, and I would like to try leaking the route from the VRF into global.

    ip route 200.200.200.200 255.255.255.255 FastEthernet0/0

    When this is fixed we can look at NAT.

    / Ralph
