Tunnel + static NAT problem

Hello:

I configured a Pix501 to establish a tunnel from site to site with a 1710 in the central site and it works fine, except for a small problem. The central site hosts a Domino server that must have an entry static nat to allow servers on the internet to deliver mail to it. So, the problem is that even though I created a road map to avoid NAT in site traffic to site, the static entry seems a priority on the road map and the mail server is always using a NAT. So the SOHO cannot access to him. What can I do to fix this?

I need to use an entry like this:

IP nat inside source static tcp 172.16.34.22 1352 200.212.0.66 1352

Any help?

Thank you

You must do the following:

(1) create a loopback interface with an ip subnet that you are not anywhere in your network. Leave; s 10.10.10.0/30 say:

loop int 0

IP 10.10.10.1 255.255.255.252

(2) create a roadmap to match traffic from the 172.16.34.22 Server destination and from the other side of the tunnel

access-list 101 permit ip 172.16.34.22 host 192.168.0.0 255.255.255.0

permissible static route map 10

corresponds to the IP 101

set ip 10.10.10.2 jump following (some address to the loopback interface)

(3) implementing the road map inside the interface of the router where you have the server

inter e0/0

Static IP policy route map

That's all

Hope that helps

Jean Marc

Tags: Cisco Security

Similar Questions

Static NAT problem with PIX501

Hi all

We have problems with our PIX firewall. We have configured PIX 501 with static NAT for our Web server. Here's the running configuration.

6.3 (4) version PIX

interface ethernet0 car

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

pixfirewall hostname

domain ciscopix.com

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

access-list 101 permit tcp any host x.x.x.26 eq www

access-list 101 permit tcp any host x.x.x.26 EQ field

access-list 101 permit udp any host x.x.x.26 EQ field

pager lines 24

Outside 1500 MTU

Within 1500 MTU

IP address outside x.x.x.28 255.255.255.248

IP address inside 192.168.90.1 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

location of PDM 192.168.90.0 255.255.255.0 inside

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside, outside) x.x.x.26 192.168.90.3 netmask 255.255.255.255 0 0

Access-group 101 in external interface

Route outside 0.0.0.0 0.0.0.0 x.x.x.25 1

Route inside 192.168.1.0 255.255.255.0 192.168.90.2 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + 3 max-failed-attempts

AAA-server GANYMEDE + deadtime 10

RADIUS Protocol RADIUS AAA server

AAA-server RADIUS 3 max-failed-attempts

AAA-RADIUS deadtime 10 Server

AAA-server local LOCAL Protocol

Enable http server

http 192.168.90.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Telnet timeout 5

SSH timeout 5

Console timeout 0

Terminal width 80

: end

the problem is the configuration, we are unable to access the web server both inside and outside the network.

All input will be greatly appreciated.

Kind regards

udimpas

activate icmp backtrace and then ping the x.x.x.26 of the internet. the output should be as below:

3363574:-out ICMP echo request: ID = 21834 seq = 1202 length = 80

3363575: ICMP echo request: external untranslating: inside: 192.168.90.3

3363576: ICMP echo-reply from the inside: 192.168.90.3 ID = 21834 seq = 1202 length = 80

3363577: response to ICMP echo -: translate inside: 192.168.90.3 out:

by doing this, you can 1. Check the nat 2. If the server responds to the internet.

do not forget to allow incoming icmp:

access-l 101 permit icmp any one

PIX - static NAT problems

I'm doing a static route to xxx.242.139.164 to 192.168.1.13 and open ports 25 and 443. I am at a loss for what I missed to make this happen. I would also like to open the ICMP traffic or at the least response to echo so I can test the IP addresses and that doesn't seem to work either.

PIX config attached .txt file.

Thanks for any help!

Hi Comoms,

This is your problem:

(1) here say you do not NAT traffic.

NAT (inside) 0-list of access inside_outbound_nat0_acl

inside_outbound_nat0_acl ip access list allow any xxx.242.139.160 255.255.255.224

(2) then you use it for the static NAT.

public static xxx.242.139.164 (Interior, exterior) 192.168.1.13 dns netmask 255.255.255.255 0 0

(3) it's totally fake, first u say don't not NAT traffic, try you NAT, it. How will it work?

(4) even if uou help with ACL, it won't work.

(5) Please check your routes n NAT ACL, NAT STATIC, once again.

HTH

MAR

Static nat problem on ASA (v8.2)?

Tring to add a new rules static nat, but it seems that I have a not able to do

Public IP 10.10.10.10

20.20.20.20 inside the LAN IP address

try adding:

FW (config) # static (inside, outside) tcp 10.10.10.10 https 20.20.20.20 https netmask 255.255.255.255

ERROR: mapped address conflict with existing static

inside: 20.20.20.20 outside: 10.10.10.10 netmask 255.255.255.255

The rule with the same public IP already existing, but pointing to the different internal LAN IP address:

static (inside, outside) 10.10.10.10 20.20.20.21 netmask 255.255.255.255

Please advice how to solve this problem.

Thank you!

Hi Vuèko,

Please change your existing static nat to a particular port instead of letting it as ip to ip nat.

"static (inside, outside) 10.10.10.10 20.20.20.21 netmask 255.255.255.255".

And then you can add second static nat to a different IP address (i.e. within the intellectual property) and it will take it and it should work.

Thank you

Rizwan Muhammed.

Static NAT enable VPN site-to-site.

Hello

We plan to build VPN site to site, but, we have a single public routerable internet IP address to assign VPN on Site A, but Site B is ok.

in this case, I think that we must use static NAT on the router, the simple diagram is as below.

internal a subnet - router VPN - router for Internet of the Site - to - VPN - B B Site internal subnet.

the final goal is to make the communication between internal a subnet and subnet B on IPSEC tunnel.

OK, as I said, Site A having a public IP address, then it must use the static NAT and need to apply on the Site router.

Router

interface x/x

Head of ESCR to the internet

NAT outside IP

!

interface x/x

Head of DESC to internal (VPN)

IP nat inside

!

IP nat inside source static (like IP address x.x.x.x) public (as private VPN interface IP x.x.x.x)

so, wouldn't be work without any problem? I think it will work, but I would find other one just in case.

Hey,.

Is that what you try to achieve:

subnet A - A = vpn router = router B - Sub-B network

and you need communicate between Subnet A and subnet via ipsec vpn b?

Concerning

Static NAT & DMVPN Hub

Hello

I don't think that will be a problem DMVPN supports the rays behind NAT devices, but I anticipate change my network for reasons of security and redudancy autour and putting a pair of ASA firewalls on my Internet collocation. Right now I have a DMVPN race 3845, NAT & ZBFW. I'm going to remove the ZBFW and move the NAT to the ASA, leaving only the DMVPN hub and routing. If I create a static NAT mapping on my ASA to point to the DMVPN hub that will work?

I think it will be, but I just wanted to be 110% sure.

Thank you!

Hi Brantley,

DMVPN with static NAT on the hub is supported in the installer. Just be awear it there are limits.

1, all DMVPN router, hub and spokes must be running at least 12.3(9a) and 12.3 (11) T code.

2, must use ipsec transport mode.

3, so need dynamic tunnel talk to rays, hub should work at least 12.3 (13), 12.3 (14) T and 12.3 (11) T3 code.

See the configuration guide

http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_DMVPN_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1122466

HTH,

Lei Tian

Public static political static NAT in conflict with NAT VPN

I have a situation where I need to create a VPN site-to site between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises where the LAN behind the Cisco ASA has the same subnet an existing VPN currently created on the Sonicwall. Since the Sonicwall cannot have two VPN both run on the same subnet, the solution is to use policy NAT on the SAA as well as for the Sonicwall, the new VPN seems to have a different subnet.

The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a private network virtual created for another customer with the same subnet). I try to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The ASA relevant configuration is:

interface Vlan1

IP 192.168.10.1 255.255.255.0

access extensive list ip 192.168.24.0 outside_1_cryptomap allow 255.255.255.0 10.159.0.0 255.255.255.0

list of access VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0

public static 192.168.24.0 (inside, outside) - list of VPN access

card crypto outside_map 1 match address outside_1_cryptomap

In addition, there are other static NAT instructions and their associated ACLs that allow certain traffic through the firewall on the server, for example:

public static tcp (indoor, outdoor) interface smtp SERVER smtp netmask 255.255.255.255

The problem is this: when I enter the static strategy statement NAT, I get the message ' WARNING: real-address conflict with existing static "and then it refers to each of the static NAT statements reflecting the external address to the server. I've thought about it, and it seemed to me that the problem was that policy NAT statement must be the first statement of NAT (it is the last one) so that it is run first and all traffic destined to the VPN to the Sonicwall (destination 10.159.0.0/24) tunnel would be properly treated. If I left him as the last statement, then the other static NAT statements would prevent a part of the 10.159.0.0/24 network-bound traffic to be correctly routed through the VPN.

So, I tried first to my stated policy NAT upward in the ASDM GUI interface. However, moving the declaration was not allowed. Then I tried to delete the five static NAT statements that point to the server (an example is above) and then recreate them, hoping that would then move up the policy statement NAT. This also failed.

What Miss me?

Hello

I assumed that we could have changed the order of the 'static' , the original orders, but as it did not work for some reason any then it seems to me that you suggested or change, that I proposed should work.

I guess that your purpose was to set up static political PAT for the VPN for some these services, then static PAT of public network access, then static NAT to policy for the rest of the network in-house.

I guess you could choose any way seems best for you.

Let me know if get you it working. I always find it strange that the original configuration did not work.

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary

-Jouni

Cannot ping via the VPN client host when static NAT translations are used

Hello, I have a SRI 3825 configured for Cisco VPN client access.

There are also several hosts on the internal network of the static NAT translations have a services facing outwards.

Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.

For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.

Any help would be appreciated.

Concerning

!

session of crypto consignment

!

crypto ISAKMP policy 10

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group vpnclient

key S3Cu4Ke!

DNS 192.168.1.1 192.168.1.2

domain domain.com

pool dhcppool

ACL 198

Save-password

PFS

netmask 255.255.255.0

!

!

Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac

!

Crypto-map dynamic dynmap 10

86400 seconds, life of security association set

game of transformation-3DES-SECURE

market arriere-route

!

card crypto client cryptomap of authentication list drauthen

card crypto isakmp authorization list drauthor cryptomap

client configuration address card crypto cryptomap answer

map cryptomap 65535-isakmp ipsec crypto dynamic dynmap

!

interface GigabitEthernet0/0

NAT outside IP

IP 1.2.3.4 255.255.255.240

cryptomap card crypto

!

interface GigabitEthernet0/1

IP 192.168.1.254 255.255.255.0

IP nat inside

!

IP local pool dhcppool 192.168.2.50 192.168.2.100

!

Note access-list 198 * Split Tunnel encrypted traffic *.
access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!
Note access-list 199 * NAT0 ACL *.
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

!

Sheep allowed 10 route map
corresponds to the IP 199

!
IP nat inside source map route sheep interface GigabitEthernet0/0 overload

!

IP nat inside source static 192.168.1.1 1.2.3.5
IP nat inside source static 192.168.1.2 1.2.3.6

The problem seems to be that static NAT take your nat exemption.

The solution would be:

IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route

HTH

Herbert

ASA IPSEC site-to-site with NAT problem

Hello

I have what I thought was a simple configuration, but I saw the questions and could use a second set of eyes.

I have a site-to-site between two locations:

Site A is 192.168.0.0/24

Site B is 192.168.4.0/24

I was requested to NAT all communications between these sites for 10.57.4.0/24 and for a single static 192.168.0.112 NAT host at 10.57.4.50.

Tunnel is running, and I can ping through the link at the end to 192.168.4.20 host; no problems. But I'm having a problem application where it will be established communications. I suspect it's the reverse NAT, but I went through the configuration several times. All NAT connections would be 10.57.4.50 address should given to 192.168.0.112, no restrictions. All connections to 192.168.4.20, should be NAT should 10.57.4.50 to transverse tunnel.

The system of site B can also ping 10.57.4.50.

Here's the running configuration:

ASA 8.3 Version (2)

!

hostname fw1

domain name

activate the password encrypted

passwd encrypted

names of

!

interface Vlan1

Description city network internal

nameif inside

security-level 100

IP 192.168.9.1 255.255.255.0

!

interface Vlan2

Description Internet Public

nameif outside

security-level 0

IP 173.166.117.186 255.255.255.248

!

interface Vlan3

DMZ (CaTV) description

nameif dmz

security-level 50

IP 192.168.2.1 255.255.255.0

!

interface Vlan5

PD Network description

nameif PDNet

security level 95

the IP 192.168.0.1 255.255.255.0

!

interface Vlan10

Description Network Infrastructure

nameif InfraNet

security-level 100

IP 192.168.10.1 255.255.255.0

!

interface Vlan13

Description wireless comments

nameif Wireless-comments

security-level 25

IP 192.168.1.1 255.255.255.0

!

interface Vlan23

nameif StateNet

security-level 75

IP 10.63.198.2 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport trunk allowed vlan 1,5,10,13

switchport trunk vlan 1 native

switchport mode trunk

Speed 100

full duplex

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport trunk allowed vlan 1,10,13

switchport trunk vlan 1 native

switchport mode trunk

!

interface Ethernet0/5

switchport access vlan 23

!

interface Ethernet0/6

Shutdown

!

interface Ethernet0/7

switchport trunk allowed vlan 1

switchport trunk vlan 1 native

switchport mode trunk

Shutdown

!

exec banner restricted access

banner restricted access connection

passive FTP mode

clock timezone IS - 5

clock to summer time EDT recurring

DNS server-group DefaultDNS

domain name

permit same-security-traffic inter-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

service of the IMAPoverSSL object

destination eq 993 tcp service

IMAP over SSL description

service of the POPoverSSL object

tcp destination eq 995 service

POP3 over SSL description

service of the SMTPwTLS object

tcp destination eq 465 service

SMTP with TLS description

network object obj - 192.168.9.20

Home 192.168.9.20

object obj-claggett-https network

Home 192.168.9.20

network of object obj-claggett-imap4

Home 192.168.9.20

network of object obj-claggett-pop3

Home 192.168.9.20

network of object obj-claggett-smtp

Home 192.168.9.20

object obj-claggett-imapoverssl network

Home 192.168.9.20

object obj-claggett-popoverssl network

Home 192.168.9.20

object obj-claggett-smtpwTLS network

Home 192.168.9.20

network object obj - 192.168.9.120

Home 192.168.9.120

network object obj - 192.168.9.119

Home 192.168.9.119

network object obj - 192.168.9.121

Home 192.168.9.121

object obj-wirelessnet network

subnet 192.168.1.0 255.255.255.0

network of the Clients_sans_fil object

subnet 192.168.1.0 255.255.255.0

object obj-dmznetwork network

Subnet 192.168.2.0 255.255.255.0

network of the FD_Firewall object

Home 74.94.142.229

network of the FD_Net object

192.168.6.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.10.0_24 object

192.168.10.0 subnet 255.255.255.0

object obj-TownHallNet network

192.168.9.0 subnet 255.255.255.0

network obj_InfraNet object

192.168.10.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.0.0_24 object

192.168.0.0 subnet 255.255.255.0

network of the NHDOS_Firewall object

Home 72.95.124.69

network of the NHDOS_SpotsHub object

Home 192.168.4.20

network of the IMCMOBILE object

Home 192.168.0.112

network of the NHDOS_Net object

subnet 192.168.4.0 255.255.255.0

network of the NHSPOTS_Net object

10.57.4.0 subnet 255.255.255.0

network of the IMCMobile_NAT_IP object

Home 10.57.4.50

service EmailServices object-group

Description of e-mail Exchange Services / Normal

service-object, object IMAPoverSSL

service-object, object POPoverSSL

service-object, object SMTPwTLS

the purpose of the tcp destination eq https service

the purpose of the tcp destination eq imap4 service

the purpose of the tcp destination eq pop3 service

the purpose of the tcp destination eq smtp service

object-group service DM_INLINE_SERVICE_1

service-object, object IMAPoverSSL

service-object, object POPoverSSL

service-object, object SMTPwTLS

the purpose of the tcp destination eq pop3 service

the purpose of the tcp destination eq https service

the purpose of the tcp destination eq smtp service

object-group service DM_INLINE_SERVICE_2

service-object, object IMAPoverSSL

service-object, object POPoverSSL

service-object, object SMTPwTLS

the purpose of the tcp destination eq https service

the purpose of the tcp destination eq pop3 service

the purpose of the tcp destination eq smtp service

the obj_clerkpc object-group network

PCs of the clerk Description

network-object object obj - 192.168.9.119

network-object object obj - 192.168.9.120

network-object object obj - 192.168.9.121

the TownHall_Nets object-group network

object-network 192.168.10.0 255.255.255.0

network-object object obj-TownHallNet

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.10.0 255.255.255.0

object-network 192.168.9.0 255.255.255.0

the DOS_Networks object-group network

network-object 10.56.0.0 255.255.0.0

network-object, object NHDOS_Net

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 any external interface

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any host 192.168.9.20

StateNet_access_in list extended access permitted ip object-group obj_clerkpc one

permit access ip 192.168.0.0 scope list PDNet_access_in 255.255.255.0 192.168.10.0 255.255.255.0

PDNet_access_in list extended access allowed object IMCMobile_NAT_IP object-group DOS_Networks debug log ip

PDNet_access_in list extended access permitted ip object IMCMOBILE object-group DOS_Networks

outside_2_cryptomap extended access list permit ip DM_INLINE_NETWORK_1 object FD_Net object-group

outside_1_cryptomap extended access list permit ip object NHSPOTS_Net object-group DOS_Networks

pager lines 24

Enable logging

Test1 logging level list class debug vpn

logging of debug asdm

E-mail logging errors

address record

logging level -l errors ' address of the recipient

Within 1500 MTU

Outside 1500 MTU

MTU 1500 dmz

MTU 1500 Wireless-comments

MTU 1500 StateNet

MTU 1500 InfraNet

MTU 1500 PDNet

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 635.bin

don't allow no asdm history

ARP timeout 14400

NAT (InfraNet, outside) static static source to destination TownHall_Nets TownHall_Nets FD_Net FD_Net

NAT static TownHall_Nets TownHall_Nets destination (indoor, outdoor) static source FD_Net FD_Net

public static IMCMOBILE IMCMobile_NAT_IP destination NAT (all, outside) static source DOS_Networks DOS_Networks

!

network obj_any object

NAT static interface (indoor, outdoor)

object obj-claggett-https network

NAT (inside, outside) interface static tcp https https service

network of object obj-claggett-imap4

NAT (inside, outside) interface static tcp imap4 imap4 service

network of object obj-claggett-pop3

NAT (inside, outside) interface static tcp pop3 pop3 service

network of object obj-claggett-smtp

NAT (inside, outside) interface static tcp smtp smtp service

object obj-claggett-imapoverssl network

NAT (inside, outside) interface static tcp 993 993 service

object obj-claggett-popoverssl network

NAT (inside, outside) interface static tcp 995 995 service

object obj-claggett-smtpwTLS network

NAT (inside, outside) interface static tcp 465 465 service

network object obj - 192.168.9.120

NAT (inside, StateNet) 10.63.198.12 static

network object obj - 192.168.9.119

NAT (all, StateNet) 10.63.198.10 static

network object obj - 192.168.9.121

NAT (all, StateNet) 10.63.198.11 static

object obj-wirelessnet network

NAT (Wireless-Guest, outside) static interface

object obj-dmznetwork network

interface static NAT (all, outside)

network obj_InfraNet object

NAT (InfraNet, outside) static interface

Access-group outside_access_in in interface outside

Access-group StateNet_access_in in the StateNet interface

Access-group PDNet_access_in in interface PDNet

Route outside 0.0.0.0 0.0.0.0 173.x.x.x 1

Route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

http server enable 5443

http 192.x.x.x 255.255.255.0 inside

http 7.x.x.x 255.255.255.255 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set 72.x.x.x counterpart

map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

card crypto outside_map 2 match address outside_2_cryptomap

card crypto outside_map 2 set pfs

card crypto outside_map 2 peers set 173.x.x.x

card crypto outside_map 2 game of transformation-ESP-3DES-SHA

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 30

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

Telnet 192.168.9.0 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.9.0 255.255.255.0 inside

SSH timeout 5

Console timeout 0

dhcpd dns 208.67.222.222 208.67.220.220

dhcpd lease 10800

dhcpd outside auto_config

!

dhcpd address dmz 192.168.2.100 - 192.168.2.254

dhcpd dns 8.8.8.8 8.8.4.4 dmz interface

dhcpd enable dmz

!

dhcpd address 192.168.1.100 - 192.168.1.254 Wireless-comments

dhcpd enable Wireless-comments

!

a basic threat threat detection

a statistical threat detection host number rate 2

statistical threat detection port

Statistical threat detection Protocol

Statistics-list of access threat detection

no statistical threat detection tcp-interception

NTP server 63.240.161.99 prefer external source

NTP server 207.171.30.106 prefer external source

NTP server 70.86.250.6 prefer external source

WebVPN

attributes of Group Policy DfltGrpPolicy

internal FDIPSECTunnel group strategy

attributes of Group Policy FDIPSECTunnel

VPN-idle-timeout no

Protocol-tunnel-VPN IPSec l2tp ipsec

support for username password encrypted privilege 15

tunnel-group 72.x.x.x type ipsec-l2l

72.x.x.x group of tunnel ipsec-attributes

pre-shared key *.

tunnel-group 173.x.x.x type ipsec-l2l

tunnel-group 173.x.x.x General-attributes

Group Policy - by default-FDIPSECTunnel

173.x.x.x group of tunnel ipsec-attributes

pre-shared key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns migrated_dns_map_1

parameters

message-length maximum 1024

Policy-map global_policy

class inspection_default

inspect the migrated_dns_map_1 dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

inspect the icmp

!

global service-policy global_policy

192.168.9.20 SMTP server

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76

: end

If you do not have access to the remote site, you participate themselves to network and compare each other configurations. You will need to make sure that they see as 10.57.4.50 192.168.0.112 and their server responds to that and NOT the 192.168.0.112.

Static Nat issue unable to resolve everything tried.

Hello

I have a cisco asa 5515 with asa worm 9.4.1 and asdm 7.4

I have problem with configuring static nat, I have a server inside which ip is 172.16.1.85 and

my external interface is configured with a static ip address.

Internet works fine but cannot configure static nat...

Here's my config running if please check and let me know what Miss me...

Thank you

ASA release 9.4 (1)
!
ciscoasa hostname

names of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
IP 151.253.97.182 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
boot system Disk0: / asa941-smp - k8.bin
passive FTP mode
object remote desktop service
source eq 3389 destination eq 3389 tcp service
Description remote desktop
network of the RDP_SERVER object
Home 172.16.1.85
outside_access_in list extended access allow desktop remotely any4 object RDP_SERVER
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
no failover
no monitor-service-interface module of
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 743.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network of the RDP_SERVER object
NAT (inside, outside) interface static service tcp 3389 3389
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 151.253.97.177 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
identity of the user by default-domain LOCAL
Enable http server
http server idle-timeout 50
http 192.168.1.0 255.255.255.0 management

Telnet 192.168.1.0 255.255.255.0 management
Telnet timeout 5
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 management
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
VPDN username bricks12 password * local store
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
dynamic-access-policy-registration DfltAccessPolicy
username, password imran guVrfhrJftPA/rQZ encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
anonymous reporting remote call

ciscoasa #.

Hello

Change this ACL: -.

outside_access_in list extended access allow desktop remotely any4 object RDP_SERVER

TO

outside_access_in list extended access allowed object RDP_SERVER eq any4 tcp 3389

Thank you and best regards,

Maryse Amrodia

NAT problem

Hi Experts,

One of my office have Cisco ASA 5510 with ios 8.4 (5). Everything is configured and works very well except the static NAT. I have a public IP block, I used to set up static NAT. The internal server that is configured with the static NAT does not receive internet or anything. When I removed the static NAT, the internet is to learn (with the WAN IP interface). The server is placed in the DMZ. I left the server but it does not work.

Kind regards

MARTIN

Hello

In your case the configuration format static NAT for the server would be

network of the object

This would bind the local IP address of the public IP configured on the command "nat" . This means that outgoing connections would also use this public IP address. If you had a static configuration similar PAT already then you wouldn't really need that UNLESS you change the mapped/local port in the "nat" command.

But set up static NAT would mean already that he would cancel the PAT Dynamics for outbound connections from this server. Naturally, there is a small chance according to your current configuration of NAT complete even this static NAT can be overridden, but I doubt it. If the above "packet - trace" is intended for the DMZ server in question then there should be no problem.

-Jouni

Static NAT by ASA

I configured a static NAT through my ASA, which for some

reason does not work - I think that the problem is with the NAT or

der rather than the rule itself, but I would be very grateful if someone

could you help me diagnose the problem.

command line, the rule is: -.

static (UKSCMGMT, management) 10.20.20.20 192.168.1.2 255.255.255.255 subnet mask

My theory is that anything with a destination address of 10.20.20.20 would be considered to be 192.168.1.2 on the UKSCMGMT interface.

in looking at ASDM rule looks like this

Type the address of the Source Destination interface trans

Static empty management 192.168.1.2 10.20.20.20

There are a few rules exemption related to 192.168.1.2 - but they are host-to-host and should not affect the static translation.

Yes, quite correct. You can configure NAT exemption by network instead of by each host. If you have guests that can be grouped in a subnet, configure as network instructions instead.

Static NAT with the road map for excluding the VPN

We have problems of access to certain IPs NATted static via a VPN. After some research, we have learned that you have to exclude traffic destined for the VPN to the static NAT using a road map. So we did this:

10.1.1.x is the VPN IP pool.

access-list 130 refuse ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 allow ip 192.168.1.0 0.0.0.255 any

sheep allowed 10 route map
corresponds to the IP 130

IP nat inside source static 192.168.1.5 1.1.1.1 sheep map route

Above worked to fix the VPN but the IP 192.168.1.5 is no longer publicly available via 1.1.1.1. What seems to happen, is that the static NAT is not really work and this IP address is NATted with the IP of PAT.

Any ideas on how to get this to work?

Thank you
Diego

Hello

The following example details exactly your case:

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

Try to replace the 192.168.1.0 subnet by the host address.

It should work

HTH

Laurent.

Static NAT question

Hi Experts,

Please help me on this. I enclose my diagram network with this post.
My firewall is cisco ASA 5510 running with version 8.4 of software. I set up static NAT for all three servers (in the diagram, server 1,2 and 3). The question is, the static NAT works only with the first server. No trades do go to other two server (2 and 3). All servers are in the DMZ.

When I remove the static NAT for Server 2 and 3, all traffic going to the server with the IP WAN address of the firewall, which means that the dynamic NAT works. I am also attaching the configuration file.

(NOTE: NAT works for the 72.16.34.1 Server)

Kind regards
Martin

HI San,

Would you be able to try this workaround: -.

https://supportforums.Cisco.com/blog/149276/asapix-proxy-ARP-vs-gratuito...

I think the problem is with the IP addresses provided by the ISP.

Thank you and best regards,

Maryse Amrodia

2 static NAT on the same Interface

I have an ASA 5510 (8.2 (5)) and I'm trying to set up a VPN site-to site of one of our suppliers. The problem I am running into is that they want me NAT one specific to one of our servers private IP, and this server already has a static NAT from the outside of a demilitarized zone. It's the current rule NAT:

static (DMZ1, external) 65.43.x.x 10.0.0.3 netmask 255.255.255.255

and they want card me 172.28.9.42 on the same server, so I tried to add:

(DMZ1, external) 172.28.9.42 static 10.0.0.3 netmask 255.255.255.255

but can not because it's a double translation.

Any help would be greatly appreciated.

Hello

It seems to me you must configure a static NAT to politics

Configurations would be as follows

DMZ-POLICY-NAT of ip 10.0.0.3 host allowed access list

(DMZ1, external) 172.28.9.42 static access-list DMZ-POLICY-NAT

Regarding configurations
- Name of the ACL can be naturally you want
- Destination network can be a single host if necessary IP address
- You should be able to configure multiple lines if necessary
Note that you need to have this NAT configuration before the real public IP address command static NAT. You need to remove the existing static NAT to configure the above and add the original.

This is because if you do not configure static NAT of politics first in the configuration, all traffic will keep hitting the normal rule of the static NAT for the public IP address.

-Jouni

Tunnel + static NAT problem

Similar Questions

Maybe you are looking for