Static NAT with asa 5520

Hi all

I have the following situation

The following rules of the static nat

static (inside, outside) tcp 200.200.200.200 80 10.0.0.200 80 netmask 255.255.255.255

static (inside, outside) 200.200.200.200 tcp 8080 10.0.0.200 80 netmask 255.255.255.255

I would redirect all packets destined for port 8080 and 80 IP address 200.200.200.200,

to the private IP address on port 80 10.0.0.200.

I tried to do that the ASA said there is already a rule, there is a way it be done?

Kind regards.

I don't think you can use port forwarding using the same local destination IP on port 80 in this way, fw will give you duplicate static entries.

You can however get around and give 10.0.0.200 NIC a secondary IP address i.e. 10.0.0.201 and make electricity as follows.

static (inside, outside) tcp 200.200.200.200 www 8080 10.0.0.201 netmask 255.255.255.255

static (inside, outside) tcp 200.200.200.200 80 10.0.0.200 80 netmask 255.255.255.255

See examples of port forwarding

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

concerning

Tags: Cisco Security

Similar Questions

  • VPN site to Site with ASA 5520 * please help *.

    I am using two ASA 5520, and try to put up a site to site VPN.  This seems to be pretty simple, but I'm on my third day of train this is up and running. Both 5520's are running the latest 9.1 (5) IOS.

    Please note: I replaced it with [#1-WAN IP] and [#2-WAN IP] for WAN IP of the ASA addresses.

    Thanks in advance for any help you may have.

    -------------------------------------------------------------------------------------------------------------------------------------------------

    ASA 5520 # 1:

    Crypto ikev1 allow outside

    the local object of net network
    10.0.0.0 subnet 255.255.255.0

    net remote object network
    172.20.0.0 subnet 255.255.255.0

    outside_1_cryptomap list of allowed ip object local net net access / remote

    tunnel-group [IP #2-WAN] type ipsec-l2l

    IPSec-attributes tunnel-group [#2-WAN IP]
    pre-shared-key cisco123

    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    card crypto oustide_map 1 match address outside_1_cryptomap
    card crypto oustide_map 1 set transform-set ESP-3DES-SHA ikev1
    card crypto outside_map 1 set pfs Group1
    map 1 set outside_map crypto peer [#2-WAN IP]
    outside_map interface card crypto outside

    NAT (inside, outside) 1 local static source net net-local destination static remote net net / remote

    -------------------------------------------------------------------------------------------------------------------------------------------------

    ASA 5520 #2:

    Crypto ikev1 allow outside

    the local object of net network
    172.20.0.0 subnet 255.255.255.0

    net remote object network
    10.0.0.0 subnet 255.255.255.0

    outside_1_cryptomap list of allowed ip object local net net access / remote

    tunnel-group [#1-WAN IP] type ipsec-l2l

    IPSec-attributes tunnel-group [#1-WAN IP]
    pre-shared-key cisco123

    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    card crypto oustide_map 1 match address outside_1_cryptomap
    card crypto oustide_map 1 set transform-set ESP-3DES-SHA ikev1
    card crypto outside_map 1 set pfs Group1
    map 1 set outside_map crypto peer [#1-WAN IP]
    outside_map interface card crypto outside

    NAT (inside, outside) 1 local static source net net-local destination static remote net net / remote

    Try to correct the mistakes in the two configs.

    In some places, you have 'oustide_map' where you need "outside_map".

  • Static NAT by ASA

    I configured a static NAT through my ASA, which for some

    reason does not work - I think that the problem is with the NAT or

    der rather than the rule itself, but I would be very grateful if someone

    could you help me diagnose the problem.

    command line, the rule is: -.

    static (UKSCMGMT, management) 10.20.20.20 192.168.1.2 255.255.255.255 subnet mask

    My theory is that anything with a destination address of 10.20.20.20 would be considered to be 192.168.1.2 on the UKSCMGMT interface.

    in looking at ASDM rule looks like this

    Type the address of the Source Destination interface trans

    Static empty management 192.168.1.2 10.20.20.20

    There are a few rules exemption related to 192.168.1.2 - but they are host-to-host and should not affect the static translation.

    Yes, quite correct. You can configure NAT exemption by network instead of by each host. If you have guests that can be grouped in a subnet, configure as network instructions instead.

  • Static NAT with the road map for excluding the VPN

    We have problems of access to certain IPs NATted static via a VPN.  After some research, we have learned that you have to exclude traffic destined for the VPN to the static NAT using a road map. So we did this:

    10.1.1.x is the VPN IP pool.

    access-list 130 refuse ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 130 allow ip 192.168.1.0 0.0.0.255 any

    sheep allowed 10 route map
    corresponds to the IP 130

    IP nat inside source static 192.168.1.5 1.1.1.1 sheep map route

    Above worked to fix the VPN but the IP 192.168.1.5 is no longer publicly available via 1.1.1.1.  What seems to happen, is that the static NAT is not really work and this IP address is NATted with the IP of PAT.

    Any ideas on how to get this to work?

    Thank you
    Diego

    Hello

    The following example details exactly your case:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

    Try to replace the 192.168.1.0 subnet by the host address.

    It should work

    HTH

    Laurent.

  • Static nat and NAT ACL 0

    All,

    I have nat 0 ACL indicating that an ip address should not be natted, while a static nat statement saying we need natted. I just want to know that we will have precedence.

    Thank you

    It is of the order of operations PIX nat / ASA.

    the NAT 0 acl_name (nameif) has priority.

    1 nat 0-list of access (free from nat)

    2. match the existing xlates

    3. match the static controls

    a. static NAT with no access list

    b. static PAT with no access list

    4. match orders nat

    a. nat [id] access-list (first match)

    b. nat [id] [address] [mask] (best match)

    i. If the ID is 0, create an xlate identity

    II. use global pool for dynamic NAT

    III. use global dynamic pool for PAT

  • With an ASA 5520 port forwarding

    Hi all

    I recently bought a Cisco ASA 5520 on eBay for study and I decided to only use it as a firewall between my home LAN and Internet. Wow, what a learning curve! I managed to add my internal networks as objects and create a rule (thanks to youtube) NAT to PAT my internal devices out of the Internet with ASSISTANT Deputy Ministers, but I am really struggling to do the following:-

    -allow all incoming traffic that hits the outside interface for port 38921 and nat at 10.1.10.101:38921

    -allow all incoming traffic that hits the outside interface for port 30392 and nat at 10.1.10.101:30392

    Can someone guide me on how to do it, because I have a couple of services that run behind these ports on a server I want to get when I'm not at home? My (rather messy) config is as follows:-

    hostname FW1

    activate the encrypted password

    encrypted passwd

    names of

    !

    interface GigabitEthernet0/0

    Description * externally facing Internet *.

    nameif outside

    security-level 0

    IP address dhcp setroute

    !

    interface GigabitEthernet0/1

    Description * internal face to 3750 *.

    nameif inside

    security-level 100

    IP 10.1.10.2 255.255.255.0

    !

    interface GigabitEthernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface GigabitEthernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 192.168.1.1 255.255.255.0

    !

    passive FTP mode

    the VLAN1 object network

    subnet 192.168.1.0 255.255.255.0

    Legacy description

    network of the WiredLAN object

    10.1.10.0 subnet 255.255.255.0

    Wired LAN description

    network of the CorporateWifi object

    10.1.160.0 subnet 255.255.255.0

    Company Description 160 of VLAN wireless

    network of the GuestWifi object

    10.1.165.0 subnet 255.255.255.0

    Description Wireless VLAN 165 comments

    network of the LegacyLAN object

    subnet 192.168.1.0 255.255.255.0

    Description Legacy LAN in place until the change on

    the file server object network

    Home 10.1.10.101

    Description File Server

    service object Service1

    tcp source eq eq 38921 38921 destination service

    1 service Description

    the All_Inside_Networks object-group network

    network-object VLAN1

    network-object, object WiredLAN

    network-object, object CorporateWifi

    network-object, object GuestWifi

    network-object, object LegacyLAN

    object-group service Service2 tcp - udp

    port-object eq 30392

    object-group service DM_INLINE_TCPUDP_1 tcp - udp

    port-object eq 30392

    Group-object Service2

    object-group Protocol TCPUDP

    object-protocol udp

    object-tcp protocol

    Outside_access_in list extended access allowed object-group TCPUDP any inactive FileServer object-group DM_INLINE_TCPUDP_1 object

    Outside_access_in list extended access allowed object Service1 any inactive FileServer object

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    MTU 1500 internal

    management of MTU 1500

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 714.bin

    don't allow no asdm history

    ARP timeout 14400

    service interface NAT (inside, outside) dynamic source FileServer Service1 inactive Service1

    NAT (all, outside) interface dynamic source All_Inside_Networks

    Access-group Outside_access_in in interface outside

    Internal route 10.1.160.0 255.255.255.0 10.1.10.1 1

    Internal route 10.1.165.0 255.255.255.0 10.1.10.1 1

    Internal route 192.168.1.0 255.255.255.0 10.1.10.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL

    Enable http server

    http 10.1.160.15 255.255.255.255 internal

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Telnet 10.1.160.15 255.255.255.255 internal

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    interface ID client DHCP-client to the outside

    management of 192.168.1.2 - dhcpd address 192.168.1.254

    enable dhcpd management

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    username privilege of encrypted password of Barry 15

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    Cryptochecksum:19be38edefe8c3fd05e720aedee62c8e

    : end

    1. This is just one example of configuration and another option with to reason and avoid to send us the complete configuration of NAT:

    network of the 10.1.10.101 object

    Home 10.1.10.101

    service object 38921

    tcp source eq 38921 service

    service object 30392

    tcp source eq 30392 service

    NAT (inside, outside) 1 static source 10.1.10.101 38921 38921 service interface

    NAT (inside, outside) 1 static source 10.1.10.101 30392 30392 service interface

    Let me know if it works

  • Using Cisco Client to site VPN on a behind a NAT ASA 5520

    I apologize if this has been asked and we answered in the forums.  I looked, and while I found a large number of entries that were dancing all around this question, I never found nothing which addressed this specific issue.   We currently use an ASA 5520 as the head end of a relatively large customer to site IPSEC VPN (approximately 240 users, not consecutively).   This ASA is currently sitting behind a Checkpoint firewall with a real publicly addressable IP address on its public interface.  All of our customers use the legacy Cisco VPN (not the one anyconnect) client.  We plan to a few controllers F5 link set up between ISPS and firewalls.   For VPN connectivity F5 recommends that we NAT IP address (called a broad IP) to point back to a private IP address on the ASA and F5.  My question is, will this work?   I've always heard say that the head of line needed to have a public IP address on this subject because this is what will be placed in packages for the client to respond to.

    For further information, here's what we have now and what we are invited to attend.

    Current

    ISP - router - firewall-fire - ASA (public IP address as endpoint)

    Proposed

    ISP - router - F5 (public IP address as endpoint using a NAT to ASA) - Firewall - ASA (10.X.X.X as its external interface)

    Proposed alternative

    ISP - router - F5 (public IP address as endpoint using a NAT to ASA) - ASA (10.X.X.X as its external interface)

    All thoughts at this moment would be greatly appreciated.   Thank you!

    Hello

    If there is a static NAT one by one on F5 to the external interface of the ASA, then I don't think they would be any problems.
    Because when the client will attempt to connect to IKE to the translated public IP, F5 will redirect the request to ASA outside interface that is configured for the VPN.

    In addition, to ensure the udp500, 4500 and esp is allowed and then you should be good to go.

    HTH

    Concerning
    Mohit

  • nat ASA 5520 problem

    Hi I have a Cisco Asa 5520 and I want to vpn site-to-site by using another interface with a carrier of lan to lan, the problem is when I try to pass traffic have the syslog error to follow:

    No translation not found for udp src lan2lan:10.5.50.63/44437 dst colo: biggiesmalls groups / 897
     
    LAN to LAN service interface is called: lan2lan
    one of the internal interfaces is called: colo

    I think that is problem with Nat on the SAA but I need help with this.
     
    Config:
     
    !
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    eve of fw - ext 255.255.255.0 address IP XXaaaNNaa
    OSPF cost 10
    OSPF network point-to-point non-broadcast
    !
    interface GigabitEthernet0/1
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/1.50
    VLAN 50
    nameif lb
    security-level 20
    IP 10.1.50.11 255.255.255.0
    OSPF cost 10
    !
    interface GigabitEthernet0/1,501
    VLAN 501
    nameif colo
    security-level 90
    eve of fw - int 255.255.255.0 172.16.2.253 IP address
    OSPF cost 10
    !
    !
    interface GigabitEthernet1/1
    Door-Lan2Lan description
    nameif lan2lan
    security-level 0
    IP 10.100.50.1 255.255.255.248
    !
    access extensive list ip 10.1.0.0 lan2lan_cryptomap_51 allow 255.255.0.0 object-group elo
    permit access list extended ip sfnet 255.255.255.0 lan2lan_cryptomap_51 object-group elo
    pager lines 24
    Enable logging
    host colo biggiesmalls record
    No message logging 313001
    External MTU 1500
    MTU 1500 lb
    MTU 1500 Colo
    lan2lan MTU 1500
    ICMP unreachable rate-limit 1 burst-size 1
    ARP timeout 14400
    NAT-control
    Global 1 interface (external)
    interface of global (lb) 1
    Global (colo) 1 interface
    NAT (lb) 1 10.1.50.0 255.255.255.0
    NAT (colo) - access list 0 colo_nat0_outbound
    NAT (colo) 1 10.1.13.0 255.255.255.0
    NAT (colo) 1 10.1.16.0 255.255.255.0
    NAT (colo) 1 0.0.0.0 0.0.0.0
    external_access_in access to the external interface group
    Access-group lb_access_in in lb interface
    Access-group colo_access_in in interface colo
    Access-group management_access_in in management of the interface
    Access-group interface lan2lan lan2lan
    !
    Service resetoutside
    card crypto match 51 lan2lan_map address lan2lan_cryptomap_51
    lan2lan_map 51 crypto map set peer 10.100.50.2
    card crypto lan2lan_map 51 game of transformation-ESP-3DES-SHA
    crypto lan2lan_map 51 set reverse-road map
    lan2lan_map interface lan2lan crypto card
    quit smoking
    ISAKMP crypto identity hostname
    ISAKMP crypto enable lan2lan
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Crypto isakmp nat-traversal 20
    enable client-implementation to date
    IPSec-attributes tunnel-group DefaultL2LGroup
    pre-shared-key xxXnnAA
    tunnel-group 10.100.50.2 type ipsec-l2l
    tunnel-group 10.100.50.2 General-attributes
    Group Policy - by default-site2site
    No vpn-addr-assign aaa
    No dhcp vpn-addr-assign
    Telnet timeout 5
    !
     

    The VPN is OK? ("' isakmp crypto to show his" should show a MM_Active tunnel to the peer address ")

    Normally exempt us VPN site-to-site of NAT traffic. This could be your problem. If you can share your configuration, we can have a look.

    p.s. you should affect the question of the security / VPN forum.

  • Public static political static NAT in conflict with NAT VPN

    I have a situation where I need to create a VPN site-to site between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises where the LAN behind the Cisco ASA has the same subnet an existing VPN currently created on the Sonicwall. Since the Sonicwall cannot have two VPN both run on the same subnet, the solution is to use policy NAT on the SAA as well as for the Sonicwall, the new VPN seems to have a different subnet.

    The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a private network virtual created for another customer with the same subnet). I try to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The ASA relevant configuration is:

    interface Vlan1

    IP 192.168.10.1 255.255.255.0

    access extensive list ip 192.168.24.0 outside_1_cryptomap allow 255.255.255.0 10.159.0.0 255.255.255.0

    list of access VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0

    public static 192.168.24.0 (inside, outside) - list of VPN access

    card crypto outside_map 1 match address outside_1_cryptomap

    In addition, there are other static NAT instructions and their associated ACLs that allow certain traffic through the firewall on the server, for example:

    public static tcp (indoor, outdoor) interface smtp SERVER smtp netmask 255.255.255.255

    The problem is this: when I enter the static strategy statement NAT, I get the message ' WARNING: real-address conflict with existing static "and then it refers to each of the static NAT statements reflecting the external address to the server. I've thought about it, and it seemed to me that the problem was that policy NAT statement must be the first statement of NAT (it is the last one) so that it is run first and all traffic destined to the VPN to the Sonicwall (destination 10.159.0.0/24) tunnel would be properly treated. If I left him as the last statement, then the other static NAT statements would prevent a part of the 10.159.0.0/24 network-bound traffic to be correctly routed through the VPN.

    So, I tried first to my stated policy NAT upward in the ASDM GUI interface. However, moving the declaration was not allowed. Then I tried to delete the five static NAT statements that point to the server (an example is above) and then recreate them, hoping that would then move up the policy statement NAT. This also failed.

    What Miss me?

    Hello

    I assumed that we could have changed the order of the 'static' , the original orders, but as it did not work for some reason any then it seems to me that you suggested or change, that I proposed should work.

    I guess that your purpose was to set up static political PAT for the VPN for some these services, then static PAT of public network access, then static NAT to policy for the rest of the network in-house.

    I guess you could choose any way seems best for you.

    Let me know if get you it working. I always find it strange that the original configuration did not work.

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni

  • ASA 5500 and static NAT 1-to-1

    We currently have a pair of s ASA 5500 failover providing firewall & nat with inside, outside and the dmz interfaces. We do PAT interface for most of the internal to the external and static connections 1-to-1 NAT for specific hosts that need to accept connections from the outside inside. The space of the static nat is a 27 which includes the address of the external interface. It's that everything is working properly.

    However, we are out of space for the static NAT to this/27. I would like to be able to add a different network, probably another 27, for the more static NAT but I'm a hard time to find the best way to do it. Is this possible with a network that does not include the external interface on the ASA?

    Here are some of our current NAT config:

    Global interface 10 (external)

    NAT (inside) 10 0.0.0.0 0.0.0.0

    (dmz1, outside) static dmz1-net-net dmz1 netmask 255.255.255.224

    static (inside, dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

    static (inside, dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

    static (inside, outside) xx.yy.164.15 192.168.98.46 netmask 255.255.255.255

    static (inside, outside) xx.yy.164.8 192.168.98.47 netmask 255.255.255.255

    static (inside, outside) xx.yy.164.14 192.168.98.48 netmask 255.255.255.255

    static (inside, outside) xx.yy.164.13 192.168.101.50 netmask 255.255.255.255

    Thank you very much...

    Hello

    The correct syntax for the proxyarp activation will be

    No outside sysopt noproxyarp

    http://www.Cisco.com/en/us/products/ps6120/products_command_reference_chapter09186a00805fb9e9.html#wp1111405

  • Publish a server with NAT anchored through a tunnel VPN with ASA

    Hi all

    Thanks in advance for helping me out - I know somebody did, and I have trouble finding how do.  I don't know that I'm missing something simple.

    I have a client who wants to view a DVR device through a VPN tunnel that is published through the public firewall to collocation.  Endpoint DVR is endpoint ip assigned dynamically which tunnelle the host on demand (I know that the tunnel could fall).

    So I think / thought I could hairpin hair/policy nat this, but I'm not the best at this.

    Let's see if I can get this

    IP public 1.1.1.1\

    > External interface of ASA

    2.2.2.2 / private ip

    My config as I know it is pertinant is as follows:

    permit same-security-traffic intra-interface

    list of allowed incoming access extended ip any host 168.215.x.x

    Access-group interface incoming outside

    public static 168.215.x.x (outside, outside) 10.10.x.xnetmask 255.255.255.255

    I am running version 8.2.5 of the image of the SAA.

    If you could take a look and let me know what Miss me you please.

    Thank you

    Hello

    The problem here is of course the fact that we can not configure NAT0 without causing all traffic from the remote Internet can flow through the VPN connection.

    So I wonder if another type of NAT configuration would actually work.

    I would call it static political identity NAT if such a name exists yet.

    Something like that

    Note of DVR-POLICY-NAT-list of Direct HTTP access to VPN traffic

    allow to Access-list DVR-POLICY-NAT tcp host 10.10.2.253 eq 80 a

    public static 10.10.2.53 (inside, outside) access list DVR-POLICY-NAT

    This should basically do what

    • When the DVR is sending any traffic source TCP TCP/80 (essentially the traffic back to the connection from the main site) to ANY destination address (The Internet) then the host must translate to himself.
    • If we consider that NAT is performed before the VPN rules are processed this should mean that since we have concerns address itself, it must match the VPN rule only in this particular case where the traffic is TCP/80, which could only be the result of her replying to a link any destination TCP/80)
    • Which leads me to believe it shouldn't cause any problems with the Central connection on remote site (NAT0 is processed before political static NAT) or the RECORDER to Internet
    • Unless the DVR must be accessible directly via the Internet connection of the remote site. (He would send his answers to these HTTP connections outside with the originating source IP address) Or maybe even completely before connecting the phase failure. I have not tested.

    Hope this helps

    Be sure to mark it as answered in the affirmative. And/or useful response rate.

    Ask more if necessary.

    EDIT: typos

    -Jouni

  • ASA 5520 IPSec NAT question

    I like more than 150 of VPN on my ASA 5520.  A specific customer, with that I'll put up a VPN has an overlap of two of the intellectual property, it must reach from its internal network.  It is NATing 10.251.11.177 internal network traffic to my ASA presents itself as 10.251.11.177 of the 10.251.11.176/29 network.  Now the two IP of its internal network, it must reach are 10.1.254.200 and 10.1.254.201.

    Thus, following the documentation on the site Web of Cisco I'm doing Policy Based Routing on the ASA 5520 (my thesis) so that its traffic will 1.1.1.1 and 1.1.1.2 instead of 10.1.254.200 and 10.1.254.201.  Once it reaches my ASA 5520 it gets back to these IP tranlated.

    I am using the following configuration, but when I try to add static entries, it won't let me add them.  I even tried "static 1.1.1.1 (exterior, Interior) POLICYNAT of the access list" with the ACL in reverse but no use.

    object-group, network VPN-map

    network-object host 1.1.1.1

    network-object host 1.1.1.2

    !

    POLICYNAT list extended access allowed host ip 10.1.254.200 10.251.11.176 255.255.255.248

    POLICYNAT list extended access allowed host ip 10.1.254.201 10.251.11.176 255.255.255.248

    !

    static (inside, outside) 1.1.1.1 access-list POLICYNAT

    public static (inside, outside) 1.1.1.2 - POLICYNAT access list

    Try breaking the IPs in two ACL

    POLICYNAT1 list extended access allowed host ip 10.1.254.200 10.251.11.176 255.255.255.248

    POLICYNAT2 list extended access allowed host ip 10.1.254.201 10.251.11.176 255.255.255.248

    !

    static (inside, outside) 1.1.1.1 access-list POLICYNAT1

    public static (inside, outside) 1.1.1.2 - POLICYNAT2 access list

    HTH

    GE

  • Dual active/passive failover of ISP with static Nat on Cisco 1941

    Hello world

    I'm working on a configuration of a client and I have everything in place right now except the NAT' static ing.  The config fails during an ISP to another and track als and routes by default static weighted, the PAT rocking with course to each interface maps.  It is, is it possible to switch on the large amount of static NAT entries to the ISP of backup?  So far, everything I've read said no because you can have only one entry per ip/port combo, other than another configuration static NAT double server with a different IP address.  I just want to be sure before making my recommendations, all thoughts are greatly appreciated.

    Thank you

    Brandon

    In fact, you can also long as you use standard NAT ("ip nat inside source static") or not NVI ('ip nat static source') for your attackers. You apply the roadmap by the end of the static NAT statement to indicate which interface it should apply to. So, if you have something like this:

     ip access-list extended ACL_NAT permit ip 192.168.0.0 255.255.255.0 any ! route-map RM_NAT_ISP1 match ip address ACL_NAT match interface GigabitEthernet0/1 ! route-map RM_NAT_ISP2 match ip address ACL_NAT match interface GigabitEthernet0/2 

    Using port 80/tcp for example, you can do this:

     ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 route-map RM_NAT_ISP1 ip nat inside source static tcp x.x.x.x 80 z.z.z.z 80 route-map RM_NAT_ISP2 

    Just replace x.x.x.x with the LAN address of the machine that you are shipping y.y.y.y with the WAN address you are shipping on isps1 and z.z.z.z with the address of the ISP WAN you are shipping on ISP2. The static NAT will be conditional on the roadmap, at this point.

    This works with TCP, UDP, and IP forwarding, but does not require that you use an IPv4 address to your WAN address. For some reason, it does not work if you use an interface... so if you're using dynamic addresses, it will be more complicated.

  • Routing with Cisco ASA 5520 VPN

    I have installed IPsec vpn remote users in the Cisco ASA 5520 using RADIUS in my main network. Works very well. I have a site to my Cisco ASA5520 tunnels going to other sites, some of the tunnels have Cisco ASA and some have SonicWalls. I wish that my users VPN remote IPSec to be able to navigate in these tunnels is a site to access remote subnets attached to these tunnels. Do I need to use a combination of routing and the ACL? Or can I just use ACL only? Or just use routing only?

    Thank you

    Carlos

    Hello

    The key to set up here is the two ACL of VPN L2L end points that determine the 'interesting' traffic to connect VPN L2L. You will also need to confirm that the connection of the VPN Client is configured so that traffic to the remote sites have sent to the connection of the VPN client. There are also other things that you should check on your ASA plant

    Here most of the things you usually have to confirm

    • Set up 'permit same-security-traffic intra-interface' if it is already present in your configuration

      • This setting will allow connections to form between the hosts that are connected to the same interface on the ASA. In this case, applies because the VPN client users are connected to the interface 'outside' of the ASA and also remote sites are connected to the ASA to "external". If the traffic between the remote VPN Client and VPN L2L sites will be to enter and exit the same interface
    • You will need to check how the customer if configured VPN connection. Split or full Tunnel tunnel
      • If the connection of the VPN Client is configured as Split Tunnel then you need to add all the networks from the remote to the Split Tunnel, so that the connections between the VPN Client is transmitted to the ASA and from there connections VPN L2L
      • If the connection of the VPN Client is configured as full Tunnel, then there no problem that all traffic is transferred to the Client VPN connection all its assets
    • Define the VPN pool in the ACL of VPN L2L
      • You should make sure that the pool network VPN Client is defined in the ACL that define 'interesting' traffic to connect VPN L2L. So, you need to add the pool VPN VPN L2L configurations on the sites of Central America and remote control
    • Configure NAT0 / NAT exempt for remote VPN Client to L2L VPN Site traffic at both ends of the VPN L2L
      • You must ensure that the NAT0 / exempt NAT rules exist for the VPN Client for Remote Site traffic. This will have to be configured on the SAA "outside" interface. Format of configuration varies naturally a bit on the ASA Central his software level.

    These should be the most common things to set up and confirm for traffic to flow between the VPN Client and Remote Sites

    Hope this helps please rate if yes or ask more if necessary.

    -Jouni

  • Static NAT problem with PIX501

    Hi all

    We have problems with our PIX firewall. We have configured PIX 501 with static NAT for our Web server. Here's the running configuration.

    6.3 (4) version PIX

    interface ethernet0 car

    interface ethernet1 100full

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    pixfirewall hostname

    domain ciscopix.com

    fixup protocol dns-length maximum 512

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol 2000 skinny

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol tftp 69

    names of

    access-list 101 permit tcp any host x.x.x.26 eq www

    access-list 101 permit tcp any host x.x.x.26 EQ field

    access-list 101 permit udp any host x.x.x.26 EQ field

    pager lines 24

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside x.x.x.28 255.255.255.248

    IP address inside 192.168.90.1 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    location of PDM 192.168.90.0 255.255.255.0 inside

    history of PDM activate

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

    static (inside, outside) x.x.x.26 192.168.90.3 netmask 255.255.255.255 0 0

    Access-group 101 in external interface

    Route outside 0.0.0.0 0.0.0.0 x.x.x.25 1

    Route inside 192.168.1.0 255.255.255.0 192.168.90.2 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    AAA-server GANYMEDE + 3 max-failed-attempts

    AAA-server GANYMEDE + deadtime 10

    RADIUS Protocol RADIUS AAA server

    AAA-server RADIUS 3 max-failed-attempts

    AAA-RADIUS deadtime 10 Server

    AAA-server local LOCAL Protocol

    Enable http server

    http 192.168.90.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    enable floodguard

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    Terminal width 80

    : end

    the problem is the configuration, we are unable to access the web server both inside and outside the network.

    All input will be greatly appreciated.

    Kind regards

    udimpas

    activate icmp backtrace and then ping the x.x.x.26 of the internet. the output should be as below:

    3363574:-out ICMP echo request: ID = 21834 seq = 1202 length = 80

    3363575: ICMP echo request: external untranslating: inside: 192.168.90.3

    3363576: ICMP echo-reply from the inside: 192.168.90.3 ID = 21834 seq = 1202 length = 80

    3363577: response to ICMP echo -: translate inside: 192.168.90.3 out:

    by doing this, you can 1. Check the nat 2. If the server responds to the internet.

    do not forget to allow incoming icmp:

    access-l 101 permit icmp any one

Maybe you are looking for