Showing results for tags 'NAT'.

Found 17 results

  1. I have a NATing conflict when publishing services. As shown in the configuration below, it is still not publishing.

    Configurations:
    o On router: static route to gateway 80.49.116.169
    o Dynamic NAT on mobily router
    Access-list
    Static route with private IP between ASA and mobily router.
    NATing on ASA with public IPs.

    router

    ip nat inside source list natlist interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 80.49.116.x/29
    !
    !
    ip access-list extended natlist
     permit ip 192.168.2.0 0.0.0.255 any
     permit ip 192.168.22.0 0.0.0.255 any
     permit ip 40.80.100.0 0.0.0.255 any

    ASA

    object network Public_DMZ_1
     host 80.49.116.160
    nat (DMZ_1,outside) source dynamic DMZ_1_Network Public_DMZ_1
  2. IP NAT inside / IP NAT OUTSIDE double NATTING: ==> normally done for overlapping address space

    Double NAT PNG diagram: [Hidden Content]
    Double NAT Clickable IOU file: [Hidden Content]

    Happy studies guys and good luck in your studies. By: Pravine

    #sh run | i nat|inter|access ==> to see what is configured in the router
    (config)#ip nat inside source static ==> translate inside IP to outside IP (LOCALLY inbound and outbound)
    (config)#ip nat outside source static ==> translate outside source IP to new source IP address (to hide the source)

    GOOD Luck to all. Pravine
  3. Hello, Trying to figure out the difference between 15.2(4)M6 and 15.2(4)S7 ... Same config, inside-to-outside NAT (overload) works perfectly fine in the M6 release, but not at all in S7. Any thoughts? Please see attached config. Thanks for any suggestions! ~Laz

    upgrade fpd auto
    version 15.2
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname gw1
    !
    boot-start-marker
    boot system disk0:/c7200p-advsecurityk9-mz.152-4.M6.bin
    boot-end-marker
    !
    !
    security authentication failure rate 10 log
    security passwords min-length 6
    logging console critical
    !
    aaa new-model
    !
    !
    aaa authentication login local_auth local
    aaa authorization network group-auth local
    !
    !
    aaa session-id common
    no ip source-route
    no ip gratuitous-arps
    !
    !
    no ip bootp server
    ip domain name network.net
    ip name-server 8.8.8.8
    ip cef
    login block-for 20 attempts 3 within 20
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    archive
     log config
      hidekeys
    !
    redundancy
    !
    !
    controller ISA 1/1
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    !
    !
    interface FastEthernet0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     shutdown
     duplex auto
     speed auto
     no mop enabled
    !
    interface GigabitEthernet0/0
     ip address 1.2.3.179 255.255.255.0 secondary
     ip address 1.2.3.180 255.255.255.0 secondary
     ip address 1.2.3.181 255.255.255.0 secondary
     ip address 1.2.3.182 255.255.255.0 secondary
     ip address 1.2.3.183 255.255.255.0 secondary
     ip address 1.2.3.184 255.255.255.0 secondary
     ip address 1.2.3.185 255.255.255.0 secondary
     ip address 1.2.3.186 255.255.255.0 secondary
     ip address 1.2.3.187 255.255.255.0 secondary
     ip address 1.2.3.188 255.255.255.0 secondary
     ip address 1.2.3.189 255.255.255.0 secondary
     ip address 1.2.3.178 255.255.255.0
     ip access-group From-Internet-To-Private in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly in
     ip verify unicast source reachable-via rx allow-default 100
     duplex auto
     speed auto
     media-type rj45
     negotiation auto
     no mop enabled
    !
    interface GigabitEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     duplex auto
     speed auto
     media-type rj45
     negotiation auto
     no mop enabled
    !
    interface GigabitEthernet0/1.1
     encapsulation dot1Q 1 native
     ip address 10.254.1.1 255.255.255.0
     ip helper-address 10.0.1.21
     ip nat inside
     ip virtual-reassembly in
     no cdp enable
    !
    interface GigabitEthernet0/1.2
     encapsulation dot1Q 2
     ip address 10.0.2.1 255.255.255.0
     ip helper-address 10.0.1.21
     ip nat inside
     ip virtual-reassembly in
     no cdp enable
    !
    interface GigabitEthernet0/2
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     shutdown
     duplex auto
     speed auto
     negotiation auto
     no mop enabled
    !
    interface GigabitEthernet0/3
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     shutdown
     duplex auto
     speed auto
     negotiation auto
     no mop enabled
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip nat pool NetworkProxyExt 1.2.3.188 1.2.3.188 prefix-length 24
    ip nat pool NetworkOfficeExt 1.2.3.180 1.2.3.180 prefix-length 24
    ip nat pool Datacenter-Ext 1.2.3.181 1.2.3.181 prefix-length 24
    ip nat inside source route-map Datacenter-Route pool Datacenter-Ext overload
    ip nat inside source route-map NetworkOffice pool NetworkOfficeExt overload
    ip nat inside source route-map NetworkProxy pool NetworkProxyExt
    ip nat inside source static tcp 10.254.1.24 80 1.2.3.179 80 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.24 443 1.2.3.179 443 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.207 80 1.2.3.180 80 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.207 443 1.2.3.180 443 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.86 80 1.2.3.181 80 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.86 443 1.2.3.181 443 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.31 143 1.2.3.182 143 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.31 465 1.2.3.182 465 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.31 587 1.2.3.182 587 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.31 993 1.2.3.182 993 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.41 53 1.2.3.183 53 route-map no-internal-nat extendable
    ip nat inside source static udp 10.254.1.41 53 1.2.3.183 53 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.42 53 1.2.3.184 53 route-map no-internal-nat extendable
    ip nat inside source static udp 10.254.1.42 53 1.2.3.184 53 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.32 25 1.2.3.185 25 route-map no-internal-nat extendable
    ip nat inside source static tcp 10.254.1.36 25 1.2.3.186 25 route-map no-internal-nat extendable
    ip nat inside source static udp 10.0.2.11 123 1.2.3.187 123 route-map no-internal-nat extendable
    ip route 0.0.0.0 0.0.0.0 1.2.3.1
    !
    ip access-list extended From-Admin-To-Router
     permit ip 10.0.2.0 0.0.0.255 any
     permit ip 10.0.254.0 0.0.0.255 any
     permit ip 10.254.1.0 0.0.0.255 any
    ip access-list extended From-Datacenter-To-Internet
     deny tcp host 10.254.1.31 any eq smtp
     deny tcp host 10.254.1.32 any eq smtp
     deny tcp host 10.254.1.36 any eq smtp
     deny ip 10.254.1.0 0.0.0.255 10.0.0.0 0.255.255.255
     deny ip 10.254.1.0 0.0.0.255 192.168.0.0 0.0.255.255
     deny ip 10.254.1.0 0.0.0.255 172.16.0.0 0.15.255.255
     permit ip 10.254.1.0 0.0.0.255 any
     deny ip any any
    ip access-list extended From-Internet-To-Private
     deny ip 10.0.0.0 0.255.255.255 any
     deny ip 192.168.0.0 0.0.255.255 any
     deny ip 172.16.0.0 0.15.255.255 any
     deny ip 127.0.0.0 0.255.255.255 any
     deny ip 224.0.0.0 31.255.255.255 any
     deny ip 169.254.0.0 0.0.255.255 any
     permit ip any any
    ip access-list extended From-NATServices-To-Internet
     deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
     deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
     deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
     deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
     deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
     deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
     deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
     deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
     deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
     permit ip 10.254.1.0 0.0.0.255 any
     permit ip 10.0.2.0 0.0.0.255 any
    ip access-list extended From-Office-To-Internet
     deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
     deny ip 10.0.254.0 0.0.0.255 10.0.0.0 0.255.255.255
     deny ip 10.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255
     deny ip 10.0.254.0 0.0.0.255 192.168.0.0 0.0.255.255
     deny ip 10.0.2.0 0.0.0.255 172.16.0.0 0.15.255.255
     deny ip 10.0.254.0 0.0.0.255 172.16.0.0 0.15.255.255
     deny ip host 10.0.2.11 any
     permit ip 10.0.2.0 0.0.0.255 any
     deny ip any any
    !
    logging trap debugging
    logging facility local2
    access-list 100 permit udp any any eq bootpc
    dialer-list 1 protocol ip permit
    no cdp run
    !
    route-map NetworkProxy permit 4
     match ip address From-Proxy-To-Internet
    !
    route-map Datacenter-Route permit 1
     match ip address From-Datacenter-To-Internet
    !
    route-map NetworkOffice permit 3
     match ip address From-Office-To-Internet
    !
    route-map no-internal-nat permit 10
     match ip address From-NATServices-To-Internet
    !
    !
    control-plane
    !
    !
    mgcp profile default
    !
    banner motd ^CUnauthorized access is prohibited.^C
    !
    line con 0
     login authentication local_auth
     transport output telnet
     stopbits 1
    line aux 0
     login authentication local_auth
     transport output telnet
     stopbits 1
    line vty 0 4
     access-class From-Admin-To-Router in
     exec-timeout 360 0
     login authentication local_auth
     transport preferred ssh
     transport input ssh
    !
    !
    end
  4. Hello, guys. Regarding New TS Ticket 10 (Telnet from NAS to Server2, NAT ticket). Previously I wrote in my feedback that in order to match the required output, R25 should translate outside source to its local loopback. After numerous requests, I prepared a lab to demonstrate the concept. You can find it attached to the post.

    Here are the details on NAT translations: When NAS (192.168.1.xxx) is telnetting to Server2 (real IP is 10.2.100.100, but the ticket requires to telnet to R25's WAN IP) it is going to 10.99.25.xxx (R25's WAN IP), so passing through R70 it is NATted (192.168.1.xxx -> 10.99.25.xxx). After arriving at R25, the telnet packet is first NATted via "nat inside" translation (destination 10.99.25.xxx -> 10.2.200.100), then via "nat outside" translation (source 10.99.70.xxx -> 10.70.25.xxx). The issue that Minh Khoi pointed out for me is that in this case R25 will drop the returning traffic.

    Here are the details of traffic path and NAT translations.

    (telnet SYN Packet)
    NAS -> R70                  IP.src = 192.168.1.2, IP.dst = 10.99.25.2
    R70 -> ISP2 -> R25          IP.src = 10.99.70.2, IP.dst = 10.99.25.2
    R25 -> SW210 -> Server2     IP.src = 10.25.70.1, IP.dst = 10.2.200.100

    (telnet SYN ACK Packet)
    Server2 -> SW210 -> R25     IP.src = 10.2.200.100, IP.dst = 10.25.70.1
    R25 -> drop

    The reason for this is that when going from inside -> outside, routing is always done FIRST, followed by NAT. And because R25 has a directly connected loopback with IP 10.25.70.1, it decides that the SYN ACK packet is destined for R25 itself and resets the connection.

    As I stated in my feedback, I managed to solve the ticket (match the required output) by adding the "ip nat outside source" command. So there are two possibilities:

    If R25 does not have a loopback with IP 10.25.70.1, then the concept stated above is true. In the attached lab file, you can check this. Maybe I was wrong and there were no loopbacks on R25 other than L0, and I misled you all because I thought that all this would work only in case R25 has such a loopback configured.

    If R25 does have a loopback with IP 10.25.70.1, there were other config lines that make such a concept possible, but unfortunately I could not find a way to make it work. If anyone is able to find a solution in this case, please share your opinion here. [Hidden Content]
  5. Hey all, I have a Cisco ASA 5510 with the public interface connecting to a router owned by the ISP. The network between the router and the firewall uses the public IP addresses 203.0.113.0/28. We bought a new public IP address block (192.0.2.16/28) and the ISP router routes this range to our public IP address (203.0.113.2). Is it possible to use our new address range for static NAT and if so, can I use all 16 IP addresses for NAT? Since the ISP router routes all 16 IP addresses from 192.0.2.16 through 192.0.2.31 to my firewall, can I create NAT commands like

    (config)# static (inside,outside) 192.0.2.16 172.0.16.5 netmask 255.255.255.255 tcp 0 0 udp 0

    I would assume this to be possible but I am unable to test this on the production firewall and don't have a lab setup.
  6. evolved

    TS4 NAT Ticket

    Hello, As you may notice I'm pretty much making a topic per question for the troubleshooting tickets to ensure I have the most valid information and hopefully it helps others. Okay, this ticket is in regards to TS4 - NAT. Can anyone please verify that this is what they are looking for and that my NAT translations output is proper? Once this is verified we can start injecting faults and learn anything that we may see in the lab.

    Ticket - NAT
    Telnet traffic from R20 to 10.1.1.28 (R28-loopback 0) should be translated with the Ethernet IP address of R22 as NAT source address.
    HTTP traffic from R20 to host 10.1.1.28 (R28-loopback 0) should be translated with the Loopback IP address of R22 as NAT source address.

    ip access-list extended NAT_IN
     permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.28 eq telnet
    ip access-list extended NAT_WWW
     permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.28 eq www
    !
    route-map NAT_IN permit 10
     match ip address NAT_IN
    !
    route-map NAT_WWW permit 10
     match ip address NAT_WWW
    !
    ip nat inside source route-map NAT_IN interface Loopback0 overload
    ip nat inside source route-map NAT_WWW interface Ethernet0/1 overload
    !
    interface Ethernet0/1
     desc faces R28
     ip address 172.16.12.22 255.255.255.252
     ip nat outside
    !
    interface Ethernet0/0
     desc faces R20
     ip address 172.29.7.6 255.255.255.252
     ip nat inside

    R22# show ip nat translations
    Pro Inside global      Inside local         Outside local   Outside global
    tcp 172.29.7.6:26809   172.16.12.22:26809   10.1.1.28:23    10.1.1.28:23
    tcp 10.1.1.22:42727    172.16.12.22:42727   10.1.1.28:80    10.1.1.28:80

    Topology: [Hidden Content]
  7. Change Log: 29 January 2013 --------> removed mutual redistribution on R26 and applied static NAT.

    Hi friends, There have been many comments about the PPP multilink ticket, so I wanted to suggest my solution.

    1. First, you must fix the PPP multilink between R25 and R26. This task is easy and was discussed a lot; you must get this on R25 and R26:

    R25

    username ccieR26 password 0 cisco
    interface Multilink1
     description # Multilink PPP #
     ip unnumbered Loopback0
     ppp chap hostname ccieR25
     ppp chap password 0 cisco
     ppp multilink
     ppp multilink links minimum 1
     ppp multilink group 1
     ppp multilink fragment disable
    interface Serial0/1
     no ip address
     encapsulation ppp
     ppp multilink
     ppp multilink group 1
     serial restart-delay 0
    interface Serial0/2
     no ip address
     encapsulation ppp
     ppp multilink
     ppp multilink group 1
     serial restart-delay 0

    R26

    username ccieR25 password 0 cisco
    interface Multilink1
     description # Multilink PPP #
     ip unnumbered Loopback0
     ip nat outside
     ip virtual-reassembly
     ppp authentication chap
     ppp chap hostname ccieR26
     ppp chap password 0 cisco
     ppp multilink
     ppp multilink links minimum 1
     ppp multilink group 1
     ppp multilink fragment disable
    interface Serial1/0
     no ip address
     encapsulation ppp
     ppp multilink
     ppp multilink group 1
     no fair-queue
     serial restart-delay 0
    interface Serial1/1
     no ip address
     encapsulation ppp
     ppp multilink
     ppp multilink group 1
     serial restart-delay 0

    2. On R26 configure static NAT:

    R26

    ip nat inside source static 192.168.20.2 interface Loopback 0

    Remark: This solution doesn't make use of the ACL 100 provided on the pre-configs of R26. Thank you.
  8. Crabs

    NAT question K6

    Hello, I've just checked the solution of the NAT question for K6. It's working fine and I've checked with Wireshark on GNS3; only the destination addresses are translated for ping requests and replies. But we only need to put "ip nat outside" on the serial interfaces?? There is no "ip nat inside"!! But it works! How can the router do the translation without the "ip nat inside" command on an interface?
  9. Dear All, For the new lab please help me confirm the below things:

    1. In IPS, what is the direction of the configured signature? a. To-service b. From-Service

    2. In the ASA section ZBF, is the below correct and final, or is the final arrangement different?

    interface FastEthernet0/0.1
     zone-member security internal
    interface FastEthernet0/0.2
     zone-member security internal
    interface FastEthernet0/1
     zone-member security external

    3. Is the NAT question the same as the old lab or is it different?

    4. What about the backup interface, should it be part of OSPF or not?

    Mentioning that I have finalized these solutions on my behalf and am willing to share the whole configuration whatsoever with anybody. Also I have verified the solution for the very old lab which was not coming and which the new lab is the predecessor of. Thanks
  10. Good morning everyone, I'm not 100% sure if this is the right forum section to post in, however I'm quite desperate at the moment. In early February I bought a Cisco ASA5505 (ver. 9.1.5 with sec. plus license upgrade) and started setting it up in my new home. 2 weeks ago I decided to move my virtual appliance running Microsoft Exchange 2013 to the new site. I have followed the guidelines I have found on the internet in order to set up the NAT rules to allow both SMTP and HTTPS from the outside network (a PPPoE connection with dynamically assigned address) to the inside.

    Once the rules are established, everything seems to work... for a few hours or so. After that, ONLY the two NAT rules related to the Exchange host are deleted (I guess so since they both disappear) from the configuration and from that moment on, I can't access my OWA anymore. The generic NAT rules from inside to outside and from management to outside still persist. I have absolutely NO IDEA what happens. That blue box is possessed. Any clue to help me solve this issue that's driving me crazy? I'll attach the ASA configuration to this post.

    Another short note: I had to specify in the interface vlan 3 (management) no forward interface vlan 1, otherwise my access point, connected to the physical interface 0/6, seems to screw up and misbehave. If there's a "cutiest method" to totally separate the two VLANs without using this statement I would be grateful to know it ^^

    Final remark: sorry for my rough English and have a nice day everyone! Kaisaron

    Update: seems like the NAT rules are removed from the config as soon as the external IP address changes. In fact my DSL connection isn't stable and the router itself keeps dropping the line at least twice a day and reconnecting at lower speeds. As soon as this happens the external address changes and the 2 static NAT statements are gone. How can I fix this?
  11. Hey Guys I have created 3 videos to understand NAT technology. Please watch and let me know how you like it. Please subscribe to the channel as more videos will be coming. Thanks. CCIE#36410
  12. Hi All, how can I do one-to-one static NAT from a range of public IPs to a range of private IPs? I do not want to use one line to NAT one IP.
  13. Hello, On the NAT ticket of the MPLS TS, do we have to put "ip nat outside" on the loopback0? According to me it is necessary. Can you confirm? Thank you!
  14. Does anyone know the lab about NAT and ACLs that can come up on the CCNA exam? To be more specific, the topic is: Implement, verify, and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network. If someone can help me, thank you so much.
  15. Hello! I have a Win7 64bit rig at home and a Debian VM running in it. An app within the VM generates a private IP, say, 192.168.111.11 and I can access it from my Windows Firefox browser by typing the address in the address bar. So what I am trying to do is access the app from work by typing in the public IP assigned to me by my ISP at home. I think there is some NAT involved but I don't have a router with me at the moment and just need to access it using the tools available in Windows itself. Is this possible? Btw the app in question is this. Please help. Thanks.
  16. omarse

    problem with NAT

    Guys, I really do have a problem with understanding NAT and how to troubleshoot it, so is there any easy way to understand it, a source for reading or a video, or can you even explain it here?
  17. Hi folks, I was working with UD's MPLSv3: Q10: NAT; not able to solve it. After applying the configuration, I am getting Excess Collision messages from R22; below is the config.

    R22#
    ip nat enable
    ip nat enable
    ip nat enable
    ip nat pool TELNET 172.16.11.9 172.16.11.9 prefix-length 30
    ip nat pool WWW 10.1.1.22 10.1.1.22 prefix-length 30
    ip nat source list NAT_IN pool TELNET
    ip nat source list NAT_IN_HTTP pool WWW

    Please advise.