Static NAT problem with PIX501

Similar Questions

• Tunnel + static NAT problem

  Hello:

  I configured a Pix501 to establish a tunnel from site to site with a 1710 in the central site and it works fine, except for a small problem. The central site hosts a Domino server that must have an entry static nat to allow servers on the internet to deliver mail to it. So, the problem is that even though I created a road map to avoid NAT in site traffic to site, the static entry seems a priority on the road map and the mail server is always using a NAT. So the SOHO cannot access to him. What can I do to fix this?

  I need to use an entry like this:

  IP nat inside source static tcp 172.16.34.22 1352 200.212.0.66 1352

  Any help?

  Thank you

  You must do the following:

  (1) create a loopback interface with an ip subnet that you are not anywhere in your network. Leave; s 10.10.10.0/30 say:

  loop int 0

  IP 10.10.10.1 255.255.255.252

  (2) create a roadmap to match traffic from the 172.16.34.22 Server destination and from the other side of the tunnel

  access-list 101 permit ip 172.16.34.22 host 192.168.0.0 255.255.255.0

  permissible static route map 10

  corresponds to the IP 101

  set ip 10.10.10.2 jump following (some address to the loopback interface)

  (3) implementing the road map inside the interface of the router where you have the server

  inter e0/0

  Static IP policy route map

  That's all

  Hope that helps

  Jean Marc

• PIX - static NAT problems

  I'm doing a static route to xxx.242.139.164 to 192.168.1.13 and open ports 25 and 443. I am at a loss for what I missed to make this happen. I would also like to open the ICMP traffic or at the least response to echo so I can test the IP addresses and that doesn't seem to work either.

  PIX config attached .txt file.

  Thanks for any help!

  Hi Comoms,

  This is your problem:

  (1) here say you do not NAT traffic.

  NAT (inside) 0-list of access inside_outbound_nat0_acl

  inside_outbound_nat0_acl ip access list allow any xxx.242.139.160 255.255.255.224

  (2) then you use it for the static NAT.

  public static xxx.242.139.164 (Interior, exterior) 192.168.1.13 dns netmask 255.255.255.255 0 0

  (3) it's totally fake, first u say don't not NAT traffic, try you NAT, it. How will it work?

  (4) even if uou help with ACL, it won't work.

  (5) Please check your routes n NAT ACL, NAT STATIC, once again.

  HTH

  MAR

• Static nat problem on ASA (v8.2)?

  Tring to add a new rules static nat, but it seems that I have a not able to do

  Public IP 10.10.10.10

  20.20.20.20 inside the LAN IP address

  try adding:

  FW (config) # static (inside, outside) tcp 10.10.10.10 https 20.20.20.20 https netmask 255.255.255.255

  ERROR: mapped address conflict with existing static

  inside: 20.20.20.20 outside: 10.10.10.10 netmask 255.255.255.255

  The rule with the same public IP already existing, but pointing to the different internal LAN IP address:

  static (inside, outside) 10.10.10.10 20.20.20.21 netmask 255.255.255.255

  Please advice how to solve this problem.

  Thank you!

  Hi Vuèko,

  Please change your existing static nat to a particular port instead of letting it as ip to ip nat.

  "static (inside, outside) 10.10.10.10 20.20.20.21 netmask 255.255.255.255".

  And then you can add second static nat to a different IP address (i.e. within the intellectual property) and it will take it and it should work.

  Thank you

  Rizwan Muhammed.

• IPSEC VPN from Site to Site - NAT problem with address management

  Hi all

  I have two Cisco ASA 5505 performing of IPSEC Site to Site VPN. All traffic inside each firewall through the VPN tunnel and I have full connectivity. From site A, I can connect to the inside address of the ASA at the site B and launch of the ASDM or SSH, etc.

  The problem I have is when I'm logged on the ASA site B management traffic is given the external address. I created this as interesting traffic to get it to go through the VPN but I need to use the inside address of ASA B. The following is possible:

  • If I can make the ASA Site B to use inside interface as its address management (I already have management access to the inside Interface)
  • I have NAT can address external interfaces to Site B before moving through the VPN tunnel management traffic so that it appears to come from Site B inside the address
  • I can NAT VPN traffic as it appears in the Site A for management traffic to Site B on the right address.

  The problem is that my PRACTICE Please also come from this address and I need the application before being on an internal address to even if my CA.

  Thanks for any help.

  Ian

  Thanks, I understand what you are trying to achieve now.

  However, I think that I don't have good news for you. Unfortunately PEIE request can be initiated of the SAA within the interface, as there is no option to start the query from the inside interface. With other features of management such as AAA, logging, you have an option to specify what ASA desired originally to demand from interface, but CEP doesn't have this option.

  Here's how you can configure under the trustpoint crypto, but unfortunately by specifying the interface doesn't not part of option:

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/C5.html#wp2262210

• Static NAT with the road map for excluding the VPN

  We have problems of access to certain IPs NATted static via a VPN.  After some research, we have learned that you have to exclude traffic destined for the VPN to the static NAT using a road map. So we did this:

  10.1.1.x is the VPN IP pool.

  access-list 130 refuse ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 allow ip 192.168.1.0 0.0.0.255 any

  sheep allowed 10 route map
  corresponds to the IP 130

  IP nat inside source static 192.168.1.5 1.1.1.1 sheep map route

  Above worked to fix the VPN but the IP 192.168.1.5 is no longer publicly available via 1.1.1.1.  What seems to happen, is that the static NAT is not really work and this IP address is NATted with the IP of PAT.

  Any ideas on how to get this to work?

  Thank you
  Diego

  Hello

  The following example details exactly your case:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

  Try to replace the 192.168.1.0 subnet by the host address.

  It should work

  HTH

  Laurent.

• Public static political static NAT in conflict with NAT VPN

  I have a situation where I need to create a VPN site-to site between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises where the LAN behind the Cisco ASA has the same subnet an existing VPN currently created on the Sonicwall. Since the Sonicwall cannot have two VPN both run on the same subnet, the solution is to use policy NAT on the SAA as well as for the Sonicwall, the new VPN seems to have a different subnet.

  The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a private network virtual created for another customer with the same subnet). I try to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The ASA relevant configuration is:

  interface Vlan1

  IP 192.168.10.1 255.255.255.0

  access extensive list ip 192.168.24.0 outside_1_cryptomap allow 255.255.255.0 10.159.0.0 255.255.255.0

  list of access VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0

  public static 192.168.24.0 (inside, outside) - list of VPN access

  card crypto outside_map 1 match address outside_1_cryptomap

  In addition, there are other static NAT instructions and their associated ACLs that allow certain traffic through the firewall on the server, for example:

  public static tcp (indoor, outdoor) interface smtp SERVER smtp netmask 255.255.255.255

  The problem is this: when I enter the static strategy statement NAT, I get the message ' WARNING: real-address conflict with existing static "and then it refers to each of the static NAT statements reflecting the external address to the server. I've thought about it, and it seemed to me that the problem was that policy NAT statement must be the first statement of NAT (it is the last one) so that it is run first and all traffic destined to the VPN to the Sonicwall (destination 10.159.0.0/24) tunnel would be properly treated. If I left him as the last statement, then the other static NAT statements would prevent a part of the 10.159.0.0/24 network-bound traffic to be correctly routed through the VPN.

  So, I tried first to my stated policy NAT upward in the ASDM GUI interface. However, moving the declaration was not allowed. Then I tried to delete the five static NAT statements that point to the server (an example is above) and then recreate them, hoping that would then move up the policy statement NAT. This also failed.

  What Miss me?

  Hello

  I assumed that we could have changed the order of the 'static' , the original orders, but as it did not work for some reason any then it seems to me that you suggested or change, that I proposed should work.

  I guess that your purpose was to set up static political PAT for the VPN for some these services, then static PAT of public network access, then static NAT to policy for the rest of the network in-house.

  I guess you could choose any way seems best for you.

  Let me know if get you it working. I always find it strange that the original configuration did not work.

  Remember to mark a reply as the answer if it answered your question.

  Feel free to ask more if necessary

  -Jouni

• ASA IPSEC site-to-site with NAT problem

  Hello

  I have what I thought was a simple configuration, but I saw the questions and could use a second set of eyes.

  I have a site-to-site between two locations:

  Site A is 192.168.0.0/24

  Site B is 192.168.4.0/24

  I was requested to NAT all communications between these sites for 10.57.4.0/24 and for a single static 192.168.0.112 NAT host at 10.57.4.50.

  Tunnel is running, and I can ping through the link at the end to 192.168.4.20 host; no problems.   But I'm having a problem application where it will be established communications.  I suspect it's the reverse NAT, but I went through the configuration several times.   All NAT connections would be 10.57.4.50 address should given to 192.168.0.112, no restrictions.    All connections to 192.168.4.20, should be NAT should 10.57.4.50 to transverse tunnel.

  The system of site B can also ping 10.57.4.50.

  Here's the running configuration:

  ASA 8.3 Version (2)

  !

  hostname fw1

  domain name

  activate the password encrypted

  passwd encrypted

  names of

  !

  interface Vlan1

  Description city network internal

  nameif inside

  security-level 100

  IP 192.168.9.1 255.255.255.0

  !

  interface Vlan2

  Description Internet Public

  nameif outside

  security-level 0

  IP 173.166.117.186 255.255.255.248

  !

  interface Vlan3

  DMZ (CaTV) description

  nameif dmz

  security-level 50

  IP 192.168.2.1 255.255.255.0

  !

  interface Vlan5

  PD Network description

  nameif PDNet

  security level 95

  the IP 192.168.0.1 255.255.255.0

  !

  interface Vlan10

  Description Network Infrastructure

  nameif InfraNet

  security-level 100

  IP 192.168.10.1 255.255.255.0

  !

  interface Vlan13

  Description wireless comments

  nameif Wireless-comments

  security-level 25

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan23

  nameif StateNet

  security-level 75

  IP 10.63.198.2 255.255.255.0

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  switchport trunk allowed vlan 1,5,10,13

  switchport trunk vlan 1 native

  switchport mode trunk

  Speed 100

  full duplex

  !

  interface Ethernet0/2

  switchport access vlan 3

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  switchport trunk allowed vlan 1,10,13

  switchport trunk vlan 1 native

  switchport mode trunk

  !

  interface Ethernet0/5

  switchport access vlan 23

  !

  interface Ethernet0/6

  Shutdown

  !

  interface Ethernet0/7

  switchport trunk allowed vlan 1

  switchport trunk vlan 1 native

  switchport mode trunk

  Shutdown

  !

  exec banner restricted access

  banner restricted access connection

  passive FTP mode

  clock timezone IS - 5

  clock to summer time EDT recurring

  DNS server-group DefaultDNS

  domain name

  permit same-security-traffic inter-interface

  network obj_any object

  subnet 0.0.0.0 0.0.0.0

  service of the IMAPoverSSL object

  destination eq 993 tcp service

  IMAP over SSL description

  service of the POPoverSSL object

  tcp destination eq 995 service

  POP3 over SSL description

  service of the SMTPwTLS object

  tcp destination eq 465 service

  SMTP with TLS description

  network object obj - 192.168.9.20

  Home 192.168.9.20

  object obj-claggett-https network

  Home 192.168.9.20

  network of object obj-claggett-imap4

  Home 192.168.9.20

  network of object obj-claggett-pop3

  Home 192.168.9.20

  network of object obj-claggett-smtp

  Home 192.168.9.20

  object obj-claggett-imapoverssl network

  Home 192.168.9.20

  object obj-claggett-popoverssl network

  Home 192.168.9.20

  object obj-claggett-smtpwTLS network

  Home 192.168.9.20

  network object obj - 192.168.9.120

  Home 192.168.9.120

  network object obj - 192.168.9.119

  Home 192.168.9.119

  network object obj - 192.168.9.121

  Home 192.168.9.121

  object obj-wirelessnet network

  subnet 192.168.1.0 255.255.255.0

  network of the Clients_sans_fil object

  subnet 192.168.1.0 255.255.255.0

  object obj-dmznetwork network

  Subnet 192.168.2.0 255.255.255.0

  network of the FD_Firewall object

  Home 74.94.142.229

  network of the FD_Net object

  192.168.6.0 subnet 255.255.255.0

  network of the NETWORK_OBJ_192.168.10.0_24 object

  192.168.10.0 subnet 255.255.255.0

  object obj-TownHallNet network

  192.168.9.0 subnet 255.255.255.0

  network obj_InfraNet object

  192.168.10.0 subnet 255.255.255.0

  network of the NETWORK_OBJ_192.168.0.0_24 object

  192.168.0.0 subnet 255.255.255.0

  network of the NHDOS_Firewall object

  Home 72.95.124.69

  network of the NHDOS_SpotsHub object

  Home 192.168.4.20

  network of the IMCMOBILE object

  Home 192.168.0.112

  network of the NHDOS_Net object

  subnet 192.168.4.0 255.255.255.0

  network of the NHSPOTS_Net object

  10.57.4.0 subnet 255.255.255.0

  network of the IMCMobile_NAT_IP object

  Home 10.57.4.50

  service EmailServices object-group

  Description of e-mail Exchange Services / Normal

  service-object, object IMAPoverSSL

  service-object, object POPoverSSL

  service-object, object SMTPwTLS

  the purpose of the tcp destination eq https service

  the purpose of the tcp destination eq imap4 service

  the purpose of the tcp destination eq pop3 service

  the purpose of the tcp destination eq smtp service

  object-group service DM_INLINE_SERVICE_1

  service-object, object IMAPoverSSL

  service-object, object POPoverSSL

  service-object, object SMTPwTLS

  the purpose of the tcp destination eq pop3 service

  the purpose of the tcp destination eq https service

  the purpose of the tcp destination eq smtp service

  object-group service DM_INLINE_SERVICE_2

  service-object, object IMAPoverSSL

  service-object, object POPoverSSL

  service-object, object SMTPwTLS

  the purpose of the tcp destination eq https service

  the purpose of the tcp destination eq pop3 service

  the purpose of the tcp destination eq smtp service

  the obj_clerkpc object-group network

  PCs of the clerk Description

  network-object object obj - 192.168.9.119

  network-object object obj - 192.168.9.120

  network-object object obj - 192.168.9.121

  the TownHall_Nets object-group network

  object-network 192.168.10.0 255.255.255.0

  network-object object obj-TownHallNet

  the DM_INLINE_NETWORK_1 object-group network

  object-network 192.168.10.0 255.255.255.0

  object-network 192.168.9.0 255.255.255.0

  the DOS_Networks object-group network

  network-object 10.56.0.0 255.255.0.0

  network-object, object NHDOS_Net

  outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 any external interface

  outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any host 192.168.9.20

  StateNet_access_in list extended access permitted ip object-group obj_clerkpc one

  permit access ip 192.168.0.0 scope list PDNet_access_in 255.255.255.0 192.168.10.0 255.255.255.0

  PDNet_access_in list extended access allowed object IMCMobile_NAT_IP object-group DOS_Networks debug log ip

  PDNet_access_in list extended access permitted ip object IMCMOBILE object-group DOS_Networks

  outside_2_cryptomap extended access list permit ip DM_INLINE_NETWORK_1 object FD_Net object-group

  outside_1_cryptomap extended access list permit ip object NHSPOTS_Net object-group DOS_Networks

  pager lines 24

  Enable logging

  Test1 logging level list class debug vpn

  logging of debug asdm

  E-mail logging errors

  address record

  logging level -l errors ' address of the recipient

  Within 1500 MTU

  Outside 1500 MTU

  MTU 1500 dmz

  MTU 1500 Wireless-comments

  MTU 1500 StateNet

  MTU 1500 InfraNet

  MTU 1500 PDNet

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 635.bin

  don't allow no asdm history

  ARP timeout 14400

  NAT (InfraNet, outside) static static source to destination TownHall_Nets TownHall_Nets FD_Net FD_Net

  NAT static TownHall_Nets TownHall_Nets destination (indoor, outdoor) static source FD_Net FD_Net

  public static IMCMOBILE IMCMobile_NAT_IP destination NAT (all, outside) static source DOS_Networks DOS_Networks

  !

  network obj_any object

  NAT static interface (indoor, outdoor)

  object obj-claggett-https network

  NAT (inside, outside) interface static tcp https https service

  network of object obj-claggett-imap4

  NAT (inside, outside) interface static tcp imap4 imap4 service

  network of object obj-claggett-pop3

  NAT (inside, outside) interface static tcp pop3 pop3 service

  network of object obj-claggett-smtp

  NAT (inside, outside) interface static tcp smtp smtp service

  object obj-claggett-imapoverssl network

  NAT (inside, outside) interface static tcp 993 993 service

  object obj-claggett-popoverssl network

  NAT (inside, outside) interface static tcp 995 995 service

  object obj-claggett-smtpwTLS network

  NAT (inside, outside) interface static tcp 465 465 service

  network object obj - 192.168.9.120

  NAT (inside, StateNet) 10.63.198.12 static

  network object obj - 192.168.9.119

  NAT (all, StateNet) 10.63.198.10 static

  network object obj - 192.168.9.121

  NAT (all, StateNet) 10.63.198.11 static

  object obj-wirelessnet network

  NAT (Wireless-Guest, outside) static interface

  object obj-dmznetwork network

  interface static NAT (all, outside)

  network obj_InfraNet object

  NAT (InfraNet, outside) static interface

  Access-group outside_access_in in interface outside

  Access-group StateNet_access_in in the StateNet interface

  Access-group PDNet_access_in in interface PDNet

  Route outside 0.0.0.0 0.0.0.0 173.x.x.x 1

  Route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  http server enable 5443

  http 192.x.x.x 255.255.255.0 inside

  http 7.x.x.x 255.255.255.255 outside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set 72.x.x.x counterpart

  map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

  card crypto outside_map 2 match address outside_2_cryptomap

  card crypto outside_map 2 set pfs

  card crypto outside_map 2 peers set 173.x.x.x

  card crypto outside_map 2 game of transformation-ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  Telnet 192.168.9.0 255.255.255.0 inside

  Telnet timeout 5

  SSH 192.168.9.0 255.255.255.0 inside

  SSH timeout 5

  Console timeout 0

  dhcpd dns 208.67.222.222 208.67.220.220

  dhcpd lease 10800

  dhcpd outside auto_config

  !

  dhcpd address dmz 192.168.2.100 - 192.168.2.254

  dhcpd dns 8.8.8.8 8.8.4.4 dmz interface

  dhcpd enable dmz

  !

  dhcpd address 192.168.1.100 - 192.168.1.254 Wireless-comments

  dhcpd enable Wireless-comments

  !

  a basic threat threat detection

  a statistical threat detection host number rate 2

  statistical threat detection port

  Statistical threat detection Protocol

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  NTP server 63.240.161.99 prefer external source

  NTP server 207.171.30.106 prefer external source

  NTP server 70.86.250.6 prefer external source

  WebVPN

  attributes of Group Policy DfltGrpPolicy

  internal FDIPSECTunnel group strategy

  attributes of Group Policy FDIPSECTunnel

  VPN-idle-timeout no

  Protocol-tunnel-VPN IPSec l2tp ipsec

  support for username password encrypted privilege 15

  tunnel-group 72.x.x.x type ipsec-l2l

  72.x.x.x group of tunnel ipsec-attributes

  pre-shared key *.

  tunnel-group 173.x.x.x type ipsec-l2l

  tunnel-group 173.x.x.x General-attributes

  Group Policy - by default-FDIPSECTunnel

  173.x.x.x group of tunnel ipsec-attributes

  pre-shared key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns migrated_dns_map_1

  parameters

  message-length maximum 1024

  Policy-map global_policy

  class inspection_default

  inspect the migrated_dns_map_1 dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the icmp

  !

  global service-policy global_policy

  192.168.9.20 SMTP server

  context of prompt hostname

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory

  monthly periodicals to subscribe to alert-group configuration

  daily periodic subscribe to alert-group telemetry

  Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76

  : end

  If you do not have access to the remote site, you participate themselves to network and compare each other configurations.  You will need to make sure that they see as 10.57.4.50 192.168.0.112 and their server responds to that and NOT the 192.168.0.112.

• Dual active/passive failover of ISP with static Nat on Cisco 1941

  Hello world

  I'm working on a configuration of a client and I have everything in place right now except the NAT' static ing.  The config fails during an ISP to another and track als and routes by default static weighted, the PAT rocking with course to each interface maps.  It is, is it possible to switch on the large amount of static NAT entries to the ISP of backup?  So far, everything I've read said no because you can have only one entry per ip/port combo, other than another configuration static NAT double server with a different IP address.  I just want to be sure before making my recommendations, all thoughts are greatly appreciated.

  Thank you

  Brandon

  In fact, you can also long as you use standard NAT ("ip nat inside source static") or not NVI ('ip nat static source') for your attackers. You apply the roadmap by the end of the static NAT statement to indicate which interface it should apply to. So, if you have something like this:

   ip access-list extended ACL_NAT permit ip 192.168.0.0 255.255.255.0 any ! route-map RM_NAT_ISP1 match ip address ACL_NAT match interface GigabitEthernet0/1 ! route-map RM_NAT_ISP2 match ip address ACL_NAT match interface GigabitEthernet0/2 

  Using port 80/tcp for example, you can do this:

   ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 route-map RM_NAT_ISP1 ip nat inside source static tcp x.x.x.x 80 z.z.z.z 80 route-map RM_NAT_ISP2 

  Just replace x.x.x.x with the LAN address of the machine that you are shipping y.y.y.y with the WAN address you are shipping on isps1 and z.z.z.z with the address of the ISP WAN you are shipping on ISP2. The static NAT will be conditional on the roadmap, at this point.

  This works with TCP, UDP, and IP forwarding, but does not require that you use an IPv4 address to your WAN address. For some reason, it does not work if you use an interface... so if you're using dynamic addresses, it will be more complicated.

• VPN with static nat for a whole subnet

  Hey there,

  For some reason, I can't do this on the router. Errrr...

  I'm trying to config a static nat (many to one), which will be in effect only when traffic needs to go on our vpn tunnel to the remote location.

  example:

  internal LAN 192.168.0.0

  remote network: 10.10.10.0 and 10.10.15.0

  When traffic passes over the tunnel vpn - at the remote site, I need to translate my internal network (192.168.0.0) to an ip address 172.16.32.65 static

  any ideas?

  also on my crypto map ACL, which must be specified for interesting traffic? my local network or static ip address search?

  Let me know your thoughts on the matter.

  Kind regards

  R.

  NAT you describe is named PAT or overload, at least in terms of Ciscos...

  What you need:

  (1) a NAT - ACL when you describe your traffic which should be natted.

  (2) a nat pool with your 172.16.32.65 address

  (3) a statement-NAT for dynamic NAT inside based on the ACL for the pool

  Here are some examples:

  http://www.Cisco.com/en/us/docs/iOS/ipaddr/configuration/guide/iadnat_addr_consv_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1073436

  Your crypto ACL then referred to the NATted IP as NAT happens before encryption.

• After the upgrade of the APEX 4.2 to 5.0 problems with static files

  Hello

  After the upgrade from 4.2 to 5.0 works of apex APEX (Apex runs on thothgateway 1.4.1 Morten Bråten.) but once the connection I get this message: "there are problems with the configuration of static files in your environment. Please see the section "Configuration static file Support" in the application Express Installation Guide. "and the page designer says"no page or page has no templates".

  OTN I found only advice for APEX with ADR.

  I tried to apex_rest_config and apex_epg_config.sql but without result.

  Apex works on thothgateway Morten Bråten 1.4.1. (I know: it is not supported.)

  Best regards

  Marco

  Hi Marco W.

  In the "Setup Guide" to "Thoth Gateway 1.4.1" go to 'step 3.' Configuration of DAD' and change/add the parameter:

  • PlsqlPathAlias the r value
  • The value PlsqlPathAliasProcedure wwv_flow.resolve_friendly_url

  Re-start the Middle Tier and check.

  It is of note for OSH who said:

  Note:

  PlsqlPathAliasand PlsqlPathAliasProcedure are required new parameters that must be added to an existing DAD. This is important when the upgrade to Application Express version 5.0.

  Reference: https://docs.oracle.com/cd/E59726_01/install.50/e39144/http_server.htm#HTMIG29263 (see the note below point 2)

  Kind regards

  Kiran

• APEX 5 - problem with static files after Installation

  Hello

  I've updated my development environment of APEX 4.2.6 to 5.0.0 with REST Data Services.

  Whenever I enter the Administration Services login page or run my application, I get the following message:

  There are problems with the configuration of static files in your environment. Please see the section "Configuration static file Support" in the Guide of the Installation Application Express.

  In Administration Services everything looks and works very well, but in my application there is no static file from the workspace loaded (for example CSS-files, images,...). The links "broken" to these files are translated in this way:

  <link rel="stylesheet" href="lets/static-files-not-configured/files/static/v1Y/lets.css" type="text/css">
  

  After some research, I discovered, that static files normally appear in my workspace in the Administration Services - I can access it and download it. BUT: When I compared the scheme with APEX_050000 APEX_040200 in the database, I discovered, that static files were not copied to the new instance (in the view APEX_WORKSPACE_FILES are just a few files...).

  Does anyone have an idea what the reason would be so?

  Thank you

  Christian

  Hi Christian Klingbacher,.

  I've updated my development environment of APEX 4.2.6 to 5.0.0 with REST Data Services.

  Whenever I enter the Administration Services login page or run my application, I get the following message:

  There are problems with the configuration of static files in your environment. Please see the section "Configuration static file Support" in the Guide of the Installation Application Express.

  In Administration Services everything looks and works very well, but in my application there is no static file from the workspace loaded (for example CSS-files, images,...).

  • You have configured the RESTful Services during the installation of Oracle APEX?

  Reference: https://docs.oracle.com/cd/E59726_01/install.50/e39144/listener.htm#HTMIG29335

  • Have you configured users required for RESTful Services when installing ADR?

  Reference: http://docs.oracle.com/cd/E37099_01/doc.20/e25066/install.htm#AELIG7217

  The file Support static configuration to demand Express Installation Guide (using ORDS) says:

  RESTful Services configuration is necessary when upgrading to Oracle Application Express version 5.0 and RESTful Services were not configured in a previous version.

  
  

  See the thread with the same question: How to configure * application and the workspace of static files after upgrade from 4.2 to 5.0?

  I hope this helps!

  
  

  Kind regards

  Kiran
  

• SE "There are problems with the configuration of static files in your environment" after the APEX 5 install using Oracle HTTP Server

  There is not much information in the doc around the new configuration of static file.  Someone at - it an example of this dads.conf he file should look similar to static files?  Everything else seems to work fine - it's my only hang up now.

  Thank you!

  Exact pop-up message:

  There are problems with the configuration of static files in your environment.  Please see the section "Configuration static file Support" in the Guide of the Installation Application Express

  I figured it out on my own - the doc has a section "6.5.4 configuration Support for static file" which basically said yes, it is now supported for static files, then a "see also:" link to the dads.conf section, that I'm not good enough to see there are now 2 new parameters in your dads config file...  All is ready!  It works!  YAY!

• Static NAT with asa 5520

  Hi all

  I have the following situation

  The following rules of the static nat

  static (inside, outside) tcp 200.200.200.200 80 10.0.0.200 80 netmask 255.255.255.255

  static (inside, outside) 200.200.200.200 tcp 8080 10.0.0.200 80 netmask 255.255.255.255

  I would redirect all packets destined for port 8080 and 80 IP address 200.200.200.200,

  to the private IP address on port 80 10.0.0.200.

  I tried to do that the ASA said there is already a rule, there is a way it be done?

  Kind regards.

  I don't think you can use port forwarding using the same local destination IP on port 80 in this way, fw will give you duplicate static entries.

  You can however get around and give 10.0.0.200 NIC a secondary IP address i.e. 10.0.0.201 and make electricity as follows.

  static (inside, outside) tcp 200.200.200.200 www 8080 10.0.0.201 netmask 255.255.255.255

  static (inside, outside) tcp 200.200.200.200 80 10.0.0.200 80 netmask 255.255.255.255

  See examples of port forwarding

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

  concerning

• Problem with the VPN and NAT configuration

  Hi all

  I have a VPN tunnel and NATing participates at the remote site.

  I have the VPN tunnel from the absolutely perfect traffic from users, but I am struggling to manage the device via SNMP through the VPN tunnel.

  Remote subnet is 192.168.10.0/24

  That subnet gets PAT'd to 192.168.4.254/32

  The subnet to HQ is 10.0.16.0/24

  IP address of the ASA remote is 192.168.10.10

  Of course, as this subnet is NAT would have I created a static NAT so that the 192.168.4.253 translates 192.168.10.10.

  I can see that packets destined to the 192.168.4.253 device address comes to the end of the tunnel as long as the number of packets decrypted increases when you run a continuous ping to the device.

  However, the unit will not return these packages. The wristwatch that 0 packets encrypted.

  Please let me know if you need more information, or the output of the configuration complete.

  When I start a capture on the ASA remote, I don't see ICMP packets to reach the ASA REAL ip (192.168.10.10). Maybe I set my NAT evil?

  Also, there is no Interface inside, only an Interface outside. And the default route points to the next router ISP Hop on the external Interface.

  Hope that all of the senses.

  Thank you

  Mario Rosa

  No, unfortunately you can not NAT the ASA outside the IP of the interface itself.