Cisco Firewall :: ASA 8.3 Outgoing NAT Not Working Right
Jul 11, 2011
We recently upgraded our ASA to 8.3. Most everything went ok, but I am having problems with outgoing NAT. It seems that when one of our systems that needs to be NATted to an outside IP address connects out, it is not doing it. When that system goes out, the IP address is our internet IP and not the NATted address; however, inbound everything works.
We have one rule that does PAT:

    nat (INSIDE,OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-18.104.22.168

This is the NATting statement that should be translating the addresses:

    object network obj-10.200.0.10
    nat (INSIDE,OUTSIDE) static 22.214.171.124

I think I need to double NAT. Is that right, and if so, how?
I have a licensing server. Other computers need to turn on a program; they send a message to the licensing server, and it responds that they have permission to run. Until today the licensing server was plugged into its own ethernet wall socket and configured with a static IP address. Today I put a router into that wall socket and now the server's plugged into the router. The router (WRT-54G) was set to the static IP, and now the internet on its network works. I set all ports to be forwarded to the server's internal IP address, and now my programs can detect and ping it. But now the server won't send back permissions to use licensed software, or even reply with a list of the software which it can license.
I have an Asterisk PBX running my system and I upgraded my security with a Cisco ASA 5505. Now all the extensions are working, including the remote ones. Everything else like internet and other servers is all working fine. The only problem is that whenever someone dials a landline number from an extension it does not go through. It seems like the firewall is blocking it but I cannot figure out why or how. All the NAT and access lists are fine. Although I have no idea how to accept the SIP proxy IP through the firewall and I am guessing that might be the problem. There is no other problem and I am 100% satisfied with the ASA 5505 except for this problem.
We have set up the IP phone proxy on our ASA 5520. We had a couple of issues with the initial setup, but nothing major. It has been up and running for a few weeks and basically everything works perfectly just like we designed it, except for one strange audio issue on outbound calls. We can make a call to anywhere, no problem; if the call is answered, no problem, perfect call setup and good quality two-way audio. But if the person we called doesn't answer the call and that call goes to their voicemail, we lose all audio from that point forward; we do not hear their outgoing message or get any prompts, just dead air. The same situation appears to be true for any "recorded" service on the other end of the call.
I cannot send emails to the outside. I have an access rule on interface inside (permit, source: inside, destination: any, service: tcp/smtp), and when I run packet tracer it shows me that the packet is dropped, but I can't see through which rule!!
For ASA v8.3 and above we don't need to use nat-control; traffic from a high security interface can go to a low security interface without matching NAT statements. So does the ASA automatically NAT the outgoing traffic to the outside interface by default?
We have a Cisco ASA 5520 and I'm looking for a way to monitor the largest outgoing and incoming traffic per IP in real time, so as to know which of my internal computers are using the most of our Internet line. Is there a way to do this through ASDM? We use version 6.3.
I have a router which has two physical interfaces, Gi0/0 and Gi0/1. Gi0/0 connects to the metro over ethernet and Gi0/1 is configured as router on a stick, which has many defined. All those interfaces have IP addresses assigned. EIGRP is configured between the other metro sites. Here is a sample IP assignment for this site, let's say Site.
I have made 4 the trunk group access code on the PBX for E1-PRI and 8 the trunk group access code for E1-CAS. I am able to dial 4-1-6261 to place calls on telephone 6261 from 6000 (outgoing and incoming over PRI). And I am able to dial 4-2-6261 to place calls on telephone 6261 from 6000 (outgoing on PRI and incoming on CAS). But I am not able to dial out from my PBX extensions over the E1-CAS card using 8-1-xxxx or 8-2-xxxx. I have patched two PBXs back to back on their E1-CAS ports and am able to dial out using 8-xxxx. So this means the trunk group allocation on the PBX is working fine. The show controller e1 0/0/0 is showing normal stats. When I do a show voice port 0/0/0:1 I see that one of the ds0 timeslots is being seized when I try to dial out on 8-x-xxxx, but the Out Status column entry against the timeslot says clear_bak. When I am placing calls on PRI, I don't see any such indication against the timeslot being seized. Basically, since I am able to dial in to my E1-CAS port, the line coding, framing and signaling (to some extent) must be right, or so I guess. But I am not able to dial out.
Within ACS 5.3, I'd like to use two external authenticators for the same service, like VPN remote access. For the authentication, I know I can create an identity chain to query SecurID and then AD, in case the user is not found in SecurID. For the authorization rules, I need to provide wide VPN access for SecurID users and narrow VPN access for AD users. Are there some parameters to use in compound conditions for SecurID?
Cisco 2651XM router with WIC1 ADSL card and NM-16ESW switch, IOS: c2600-ipbasek9-mz.124-23.bin

I use the following config to export traffic from the ADSL card to a FastEthernet port so I can look at the ADSL traffic in Wireshark on a PC:

    router(config)#ip traffic-export profile my_rite
    router(conf-rite)#int FastEthernet 0/0
    router(conf-rite)#bidirectional
    router(conf-rite)#mac-address abcd.efgh.ijkl   (mac address of PC)
    router(conf-rite)#exit
    router(config)#int dialer0
    router(config-if)#ip traffic-export apply my_rite

This config works and I can see stuff going on in Wireshark, but it's only one way. This config only shows traffic going out from my ADSL card, but no incoming. There is definitely traffic going both ways because everything about my ADSL connection is working perfectly. I've tried using a different FastEthernet port, even tried exporting to a different PC, but all I see is outgoing, i.e. source is my public IP address but never as destination. I have bidirectional in the config but it still only shows outgoing. I even tried a different IOS (c2600-adventerprisek9-mz.124-15.T8.bin) but still it doesn't show incoming traffic. Could it be my ISP in some way hiding incoming traffic from view?
Is it possible to block outgoing multicast L2 frames on an Ethernet port in the outgoing direction on a 2960 switch?
I tried the "switchport block multicast" command, but the description of this feature relates only to "unknown" multicast!?
But what does "unknown multicast" mean? Even if activated, I see a lot of multicast traffic going out that port: IGMP, PIM, SSDP, HSRP, OSPF, ... and also pings and VLC streams to multicast addresses (ip igmp snooping disabled).
I also tried to map a "mac access-list" to that port, but the "mac access-group" interface command is restricted to incoming traffic only.
Reason: we assume that there are a couple of specific end devices that might react strangely to some multicast. Therefore we would like to block outgoing multicast on those specific ports.
We've bought a WRVS4400N to create an IPsec VPN tunnel to our client in order to access some applications.
After a while trying to configure the router, we have achieved it and the VPN tunnel is up. We can see the tunnel up from here and from the client's side as well. Our client supposedly has created the tunnel in order to access a list of specific IPs in the range 10.113.x.x, but if we try to access these IPs via telnet we cannot obtain any response.
Making a tracert, we obtain...

    C:\Users\Huexxx>tracert 10.113.56.177
    Traza a 10.113.56.177 sobre caminos de 30 saltos como máximo.
      1     1 ms     1 ms     1 ms  192.168.0.1
      2     *        *        *     Tiempo de espera agotado para esta solicitud.
      3     *        *  ^C

... and therefore the client doesn't receive any packet at its firewall.
I've tried to establish a static route for 10.0.0.0 255.0.0.0 to their remote gateway, but I'm unable to add any entry to the static routing list... The router tries to do something, but after all I cannot see the new entry...
What can I do to route the traffic through the tunnel?
We have Cisco 1900 Series Integrated Services Routers (a wired router and a wireless router) and since this morning we cannot send emails. I inquired with both the ISP and the hosting provider and all settings are correct. I can receive emails from outside the router, but can't send any emails out. If I try to telnet mail902.opentransfer.com 25 it doesn't connect. Port 25 is the port we were using all the time and it was working through the router. I connected my laptop directly to the modem and was able to send emails using port 25, and was also able to telnet to the outgoing mail server. I didn't change anything in the router. Is there a way to "enable" port 25 or "enable" mail.homeserviceclub.com (SMTP server) or mail902.opentransfer.com (hosting mail server), if this would solve the problem? I don't understand why this is happening, as I never had to enable or disable any email ports or mail server addresses.
I have a Cisco 1841 router and since recently our internet speed has decreased dramatically. It does not happen all the time, so I am sure it is not the router. I have put in a small router (Cisco WRT 610N) and it was the same. When I look at the upload and download graph from my ISP, I see really big peaks.
When I try to activate the Internet Access Policy with Website Blocking by Keyword, the WRVS4400N router blocks all access to the internet; the Access Restriction by time is disabled. How can I activate this feature without restricting all access?
Something a little odd happened the other night. I had spent the afternoon updating all necessary programs where updates were available, did a GRC ShieldsUP test, and did a clean and test of my system with AVG and MBAM. Everything looked fine. I went online that night, however, and as soon as I went to my online banking website, I noticed that there was an outgoing attempt logged in my firewall (ZoneAlarm). It was blocked. The IP address is 126.96.36.199:80, which apparently fits in GoDaddy's IP range. I Googled it and saw that someone else had the same issue.
Trying to split a supplied fixed IP address to multiple wireless devices so that I can piggyback on the internet connection in my office, because the IT dept refuses to provide a router. I plan to use a router for the job above.
How could I possibly get all the e-mails which I send my clients through my Outlook to be registered on my home Outlook, office Outlook and mobile Outlook, like on the server? Something similar to when you open Yahoo or Gmail from any given location and you can view your Sent Items, Inbox etc.
I want to be able to use ports 1-80 for all outgoing traffic. I have a VPS outside my home, which can redirect the packets to the proper ports. Is it possible with an application on the computer and the VPS? Or is it impossible?
I went and bought a brand new model V4.3. I had trouble installing it right from the word GO, but I did successfully get that accomplished; however, one of the important features, "logging of incoming and outgoing IP", won't work at all. I tried deleting the old logview.exe and rebooting everything, then installed the "new" logviewer.exe. Well, absolutely nothing happens. I have double and triple checked the settings in the router... logging is turned on, the computer which has logviewer.exe installed is the confirmed network IP, i.e. 192.168.1.101, and I can and do access the internet and all other computers on the network from that computer.
One of my customers uses Comcast email and all of a sudden couldn't send messages the other day, telling me it was giving her an error. She said that she reset her router, and the email started working again. When I finally got over there to check it out, the email had started experiencing problems again. The error she was having was Error 550: Message Rejected (when trying to send email). There didn't appear to be any issues with her internet connection, and she wasn't having issues connecting to the email server; it was simply rejecting her messages.
I told her that she would have to contact Comcast, as there was really nothing I could do to fix their email server returning an error. She wasn't too happy, and remained convinced that her router had something to do with it. It's a Netgear WNDR3700 or WNDR3800 that I set up for her last year; it's a fine router. Has anyone ever had a Comcast email server randomly start rejecting messages? I noticed that her outgoing email was set to use port 587, which seems like a nonstandard port, and also no authentication, but I have no idea what the Comcast email settings are supposed to be.
I cannot get my server to send outgoing traffic through my network. I.e., if I try to connect to any of my services I get a very weak connection. Now, I can still CONNECT, I just don't get any data flow. I can't even PING the server internally; it just times out. Now, regardless of whether I use my internal IP or external domain, I get the same issue. I logged onto my computer and tried a speed test: the download was normal (around ~20 Mbit) but the upload times out.
Here is the fun part: if I connect to the server using a switch, everything works fine! Is it my router or some stupid configuration issue? The router is a WRV54G (I hate this thing). The server is running Windows 2008 and has a virtual machine.
Region: Others, Model: TL-WR740N, Hardware Version: V4.20.0, Firmware Version:
I bought a new TP-Link TL-WR740N today and I connected it to my cable modem as instructed in the manual. There is a problem with the outgoing signal from the router. It is about 1/10 of what it should be (it is around 2 Mbps instead of 20 Mbps). The same speeds are going out from the router through the LAN port and the WiFi signal.
I have got a Cisco router connected to a LAN and to the internet. I was wondering if I could NAT HTTPS traffic from inside to the internet to a local server (proxy) on a given port, for example tcp 8080.

    int tunnel0
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
    int fa0/1
     des internet connexion
     ip address 41.x.x.x.x 255.255.255.248
     ip nat outside
    ip access-list extended Proxy_Redirect
     permit tcp 192.168.0.0 0.0.0.255 any eq 443
I have a WRT160N router (firmware 1.53.0) that is connected to my broadband. It is giving me problems with VoIP/SIP traffic. My SIP client connects fine and makes calls, but I can't hear any incoming/outgoing sound. The SIP client works fine when connected directly to the broadband. I tried DMZ and that didn't work. I disabled SPI and that didn't work either.
I'm having a difficult time getting the logging mechanism to work on my DD-WRT router. I've gone through all the accepted methods for enabling logging. It seems there are others having issues too, but no answers: URLS
Specs: Router Model WZR-HP-AG300H, Firmware Version DD-WRT v24SP2-MULTI (11/20/11) std - build 17798
I investigated a little further on the router. I enabled SSH, logged in, and found the log the firewall reports too. So I know the logging is performed; it's just not linked up to the incoming/outgoing log web page. Here's the log:
I am trying to limit the incoming and outgoing traffic on an L2 port to 8 Mbps for an IP subnet within the Nexus 7000. The port is connected to my ISP router, which has a bandwidth of 20 Mbps. Policing won't work on an L2 port and shaping cannot be applied at the port level. url... I have been reading through the QoS guide for Nexus release v6 and have problems understanding the different queues.