Cisco :: NAT Source Before VPN Traversal

Dec 16, 2011

I have a nat statement to nat a subnet to a host address. Only the host address is allowed to traverse the VPN. However when I use a route map to do this, I cannot see NAT being performed and my VPN does not come up. When I use a static NAT for a 1 to 1 host translation I can see nat being performed and the VPN comes up. Using the route map method, the other party said our source IP is 0.0.0.0 0.0.0.0.


Cisco :: ASA Same Source And Destination

Jul 24, 2011

I have a situation which requires some non best practice stuff to be done. There is a box behind an ASA that has a lot of code that references public DNS names and therefore needs access to itself and a number of other boxes on the same subnet via the public DNS names (that obviously resolve to public IPs). This traffic is dropped on some pretty fundamental ASA characteristics. I know this isn't really ideal, and it should be handled by DNS instead, but I'm in somewhat of a bind and need to know if the ASA can allow this traffic. I figure I could match the traffic and exempt it from state-checking and that would probably work, but it's not a very graceful solution.


Cisco WAN :: Source CPU Command Not In 15.x?

Sep 23, 2012

Why has the command "source cpu rp" been removed from IOS15.0(1)SY1? I can successfully configure the following ERSPAN on 12.2 SXJ3 but not on IOS 15.x. I did not understand why Cisco has descoped this command.

monitor session 10 type erspan-source
shutdown
source cpu rp rx (--- 15.0 has no such option on 6500 )
destination

[code]....


Cisco WAN :: 881 - NAT Not Working When Source IP Is From LAN

Feb 22, 2011

I have configured my Cisco 881 and it is quite stable but now I am working on some minor details.
 
I have several public WAN IP addresses which are NATing to an internal web server. When I go to the WAN IP at port 80 from the Internet, the NAT works fine and it maps perfectly to the internal web server. However, when I try the same WAN IP from the LAN which contains the web server, the router blocks the traffic and I get nothing back.
 
I have verified that I can get to the Internet from the LAN but it seems that I cannot go from the LAN to the Internet and back into the LAN via NAT.


Cisco :: LMS 4.2.2 - IPSLA Source Device Available?

Oct 18, 2012

We use the latest LMS version (4.2.2). Under Monitor->Performance Settings->IPSLA->Devices I see all devices. When creating an IPSLA collector, not all devices are listed in the source section, but they are in the target section. Why is this happening?


Cisco WAN :: 1812 Change Source IP On NAT

Jun 8, 2012

I need to change the source IP of a packet for one of my NATs. I currently have a Cisco 1812. I have a PPPoE connection as Dialer 0. I have another VLAN that is connected to a Netscreen SSG5 VPN gateway via another Cisco switch. I have a VLAN trunk between the switch and the 1812. What I would like to achieve is the following: for any traffic going to the following three ranges, make it appear as if it was coming from the VLAN50 address [code] I can ping my Netscreen on 10.27.30.255 fine from the Cisco 1812. But any other PC fails, as for some reason the traffic has a source of my Dialer 0 interface. How can I write a NAT to change the source just for the three destinations?


Changing Source Port

Dec 11, 2012

I have been trawling the internet looking for an answer to the i but to no avail. Can you change the source port that Windows uses when it makes a connection to another host?
[code]...


Source File Could Not Be Read?

Mar 27, 2012

I have an issue: whenever I'm trying to download any file, it gets up to almost 95-98%, but after that it suddenly stops. This issue occurs with the Firefox and Chrome browsers.


Using VNC Viewer As A Video Source?

Aug 22, 2011

Every year I attend a local motorsport event and I am usually responsible for providing a live online video broadcast of the event, which I do using a website such as ustream.tv or similar. The event is non-profit, so spending as little money as possible or none at all is the best option for us. We use a 3G card/dongle and a laptop with 2 or 3 webcams for the video feed. The results/scoring system in use at the event is controlled by the organisers and they have set up a VNC server where teams can connect with their laptops via a wireless network to view results. What I would like to do is to include the results screen in my video feed. So somehow, I need to trick my computer into thinking that the VNC viewer software is a video input device. I looked for something similar last year but didn't have much success. If separate laptops are needed, I have 3 Windows laptops at my disposal and a MacBook Pro which will be on the same network. Whichever one will be most suitable for the task will be used.


Cisco :: Which Source IP Will Router Use For Outgoing ICMP

Jun 6, 2012

I have a router which has two physical interfaces, Gi0/0 and Gi0/1. Gi0/0 connects to metro over Ethernet and Gi0/1 is configured as router on a stick, which has many defined. All those interfaces have IP addresses assigned. EIGRP is configured between other metro sites. Here is a sample IP assignment for this site, let's say Site.


Cisco WAN :: 3620 - Change Source IP Of IP NAT Translation?

Feb 20, 2013

Some network pros set up our Cisco 3620 many years back during implementation.
 
I've just added a new server, with a new IP, and wanted to change the IP of the ip nat translation in this router.
 
I did a show run; the config is this:
 
interface FastEthernet0/0
ip address 57.31.132.116 255.255.255.240
no ip redirects

[Code]......


Cisco WAN :: 1811 / Dual WAN Ping Source?

Apr 1, 2012

I have an 1811 with 2 WAN connections, Fiber and ADSL (both Ethernet). I'm having a heck of a time getting traffic out the ADSL link. As it stands, I can ping the next hop 75.158.58.1, but no further. ping source FastEthernet1 times out to any external address, nor can I NAT internal subnets out the interface. I'm really at a loss as to why, especially since I can ping

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone

[code]...


Cisco Firewall :: How To Translate Both Source And Destination In ASA 8.2

Apr 16, 2012

I have an internal subnet 192.168.3.0/24 sitting behind an ASA firewall 8.2 and it would be accessing the web server 192.168.11.54, which sits behind the outside interface of the ASA firewall. The access would be like this:
 
1) 192.168.3.0/24 will be accessing the web server http://192.168.11.54
2) We would like to translate the source 192.168.3.0/24 to the firewall outside IP address
3) We would like to translate the destination web server 192.168.11.54 to 202.90.197.146 as well

How to perform this simultaneous source and destination address translation in ASA firewall 8.2? Could this be done in ASA firewall 8.2?


Cisco WAN :: 3750G / How To Identify Source Of Runts

Aug 27, 2012

I am getting input errors/runts on 2 of my gigabit interfaces that connect to our WAN service provider's network. In relation to total packets, it's not a large number, so it's probably not a big deal, but I'd just like to find the source so I stop seeing the errors in Solarwinds. Our service provider says that they don't see any errors on their side, but the errors are incoming to us.
 
I've tried to capture the traffic with Wireshark, but discovered that often these packets are either discarded or padded by NICs so Wireshark will not see them, or at least will not see them as undersized.
 
Is there any other way I can capture these packets so I can find the source and figure out how to stop them? Our equipment is 3750G running 12.2(55)SE. It's not a trunk port. I know there was a bug in prior IOS that would cause some frames to be marked as runts even though they were forwarded successfully.


Cisco WAN :: 2911 - IP Nat Inside Source Static

May 6, 2012

I need to open a port in a Cisco 2911 router to permit the connection to a piece of equipment that is inside the LAN, but my configuration doesn't work.
I have 3 interfaces configured: two WAN interfaces (one is a backup of the other) and a LAN interface. The configuration is this (public IPs are changed):
 
track 1 ip sla 1 reachability
!
!
interface GigabitEthernet0/0
description backup
ip address 176.55.25.25 255.255.255.252
ip nat outside(code )


Cisco Routers :: SRP527W SIP Source IP Registration

Nov 5, 2012

We have a SRP527W; we have created VLANs for DATA and VOICE, remotely connected to an office by VPN.
 
VPN is working fine.
 
Now we want to register SIP lines integrated in the SRP527W to a Cisco Call Manager located in our office.
 
The problem is that the source of SIP packets is the WAN interface of the SRP527W, so packets won't pass in the VPN. Is it possible to change the IP source of the SIP registration? The most useful would be to set the IP source of SIP to the voice VLAN.


Cisco Firewall :: ASA 8.4.3 - Does It Check DNS Source IP Address

Oct 29, 2012

Does ASA 8.4.3 check the source IP address of a DNS reply and drop it if the reply address is different to that in the query?
 
The customer's DNS server does this due to a recent change: their server now has a virtual address, but replies are sent from its physical address. This is temporary. Their PIX is happy with this.
 
Replace the PIX with the ASA, and DNS fails; the only reason I can see is the way their internal DNS operates.


Cisco Application :: ACE 4710 Balance For Source?

Jun 12, 2011

I have a Cisco ACE with a server farm "intranet" with real servers rsrv1 and rsrv2 (round robin) and I have two sites A (IP Address A) and B (IP Address B) in the WAN. I want Site A to connect to the ACE 4710 via VIP, but this connection will be to srv1, and Site B to connect to the ACE 4710 via VIP, but this connection will be to srv2.


Cisco Firewall :: Source-PAT Outside Traffic Through PIX525?

Feb 22, 2013

I have been tasked with building a VPN tunnel with a partner company between our company's PIX firewall and the other company's ASA firewall. The traffic flow will be Partner A company users accessing my company's Citrix server. I want to source-PAT the partner company user traffic to my company's PIX inside interface as it enters my LAN to access my company's Citrix server. The partner company will be PAT'ing their user traffic to a single IP address; let's say for discussion purposes it is 68.108.244.25. So there will be site-to-site VPN configuration and NAT configuration required to enable this traffic flow according to the above requirements. I am comfortable with the site-to-site VPN tunnel configuration, so I don't think it is necessary to post this portion of the configuration to be reviewed by this forum. What I do need is the NAT portion of the configuration.
 
{My Company's Citrix Server} ---------<inside ifc>-[PIX525]-<outside ifc>--------(internet)------{Partner Company A host PC's}          
   10.100.12.103                                                                                          68.108.244.25
 
My proposed configuration to enable nat'ing (or pat'ing) Partner A user traffic to my PIX firewall's inside interface is the following:
 
global (inside) 9 interface
nat (outside) 9 access-list PartnerA_source_nat
 
access-list extended PartnerA_source_nat permit host 68.108.244.25 host 10.100.12.103


Cisco Firewall :: ASA 8.4 With NAT Source Address Translation?

Dec 5, 2012

I have a server in a DMZ of my 8.4 ASA with NAT:
 
object network FTP-SERVER
host 192.168.1.102
nat (dmz,outside) static interface tcp ftp ftp
 
And that's working well. However, I now need to translate the source address of connections from the outside to the FTP server as well. The aim is that the source address of packets when they reach the FTP server is an address on the DMZ subnet (as the default route for the FTP server now needs to be something else, not the ASA) as well as this outside-dmz NAT. I thought overloading the DMZ interface of the ASA? Or another IP in that range?


Cisco Application :: CSS11500 Balance Using IP Source?

Jun 13, 2011

I am not able to find information on how to configure balancing in the CSS11500 depending on the IP source. I want to do the following:
 
Site A : 192.168.1.0/24
Site B : 192.168.2.0/24
 
Both sites access the same VIP: http://vip_balnace_IP but depending on the source they should be balanced to different servers.
 
Site A -> VIP_balance -> server1
Site A -> VIP_balance -> server2
 
How to do that?


Cisco WAN :: 1861 Error Setting Tcl Source To Flash

Dec 5, 2011

I'm trying to set the tcl source to the flash card on an 1861 router with the following command: TestBox(tcl)#source flash:101.tcl and I get the following message: couldn't read file "flash:101.tcl": File not found. I've copied the file to the flash card by putting the CF in my PC and just dragging it there. What's the proper syntax to set source to flash? I've tried flash0 and flash1 with the same result.


Cisco Application :: ACE 4710 Source Ip Address In Logging

Mar 21, 2013

I've configured the ACE4710 to bring the logging to a syslog server! Here's the configuration:

[...]
logging enable
logging fastpath

[Code]....
 
I saw to log with connection on the syslog server but it would be interesting to know the "source ip address", and my question is: might it be possible to configure a kind of "transparent pass through" for the logging?


Cisco AAA/Identity/Nac :: ACS 5.3 Limit AAA Authentication For Certain Users By Source IP

Jul 1, 2012

We have TACACS+ based AAA on our network equipment, authenticating against the internal user database on a network of ACS 5.3s. What I want is to limit certain AAA users (namely automated tools) to be only permitted to authenticate from a list of known IPs. I can do this for authorization, easily; that isn't a problem. The problem is to only accept authentication attempts coming from certain IPs and ignore the rest. My problem is, as it is currently, the automated tools are prone to a sort of DoS attack: if I attempt logging in to any device using the tool's user account and a wrong password, I can get the account disabled in five tries.
 
I want to ignore all authentication attempts unless they are coming from well-known source IPs. Ex: netmon user is the user for a tool running on server 10.20.30.40. If I try to log in from my own laptop with user netmon, it should fail, and the attempt be ignored. Currently after five (or whatever is configured) failed attempts, the user will be disabled. Only attempts from 10.20.30.40 should be considered for user netmon. I can't use ACLs on the devices, as I want other users to be able to log in from other IPs.


Cisco Firewall :: ASA 5550 - Source IP Connection Limits?

Jul 1, 2012

I am running a Cisco ASA 5550 in active/standby mode.  We are currently running ASA OS v8.2(3)5.  I am wondering if there is a way I could limit source IP concurrent connections coming in my outside interface.  Does the ASA have a feature/ACL syntax that supports this?


Cisco VPN :: GRE Termination At 7600 Using Loop Back As Source

May 7, 2012

I am terminating GRE vrf-lite on my 7600 and using a loopback as the source for each client. I found one problem where the 7600 seems to be not forwarding traffic until I delete and create the tunnel interface. Worked fine for a week. Then stopped again. I had to delete and create the tunnel interface again.


Cisco Application :: ACE 4710 - Source Base Policy

Jul 22, 2012

I have an ACE 4710. I am trying to configure a policy in which, when a specific client tries to access a specific destination, the ACE should not send the traffic to load balancing. It should directly send it to the next hop.
 
I configured the below but wasn't able to achieve my objective.
 
access-list source_IP line 8 extended permit ip host 192.168.146.123 host 198.xx.xx.2
class-map match-all CM_BYPASS_SOURCE
  2 match access-list source_IP
 
policy-map type loadbalance http first-match PM_L7_BYPASS_SOURCE
  class class-default
    forward
 
But I am not able to reach the destination. My source traffic is still being diverted to the load balancing server. I don't want it to redirect to the LB server.


Cisco WAN :: C7613 / One Loopback As Source To Multiple GRE Tunnel?

May 25, 2013

I wonder if there is any issue when we are using one loopback interface as the source address for multiple GRE tunnels. However, the destination IP address is different for each tunnel; they only have the same source loopback.
 
For example:
interface loo0
ip address a.a.a.a 255.255.255.0
!
 interface tunnel 10

[code].....
 
I saw a warning message when I applied the 2nd GRE tunnel on the C7613, SRD6 IOS. We have a plan to enable one more GRE tunnel in same. I need to decide whether to add one more loopback IP or just use this and ignore the warning message, in terms of ease of configuration.


Cisco Firewall :: Log Shows Wrong Source / Destination ASA 8.3

May 25, 2011

The Cisco ASDM or the event manager shows the wrong source/destination for teardown TCP messages. In this example the communication is an SSH session from 1.1.1.1 -> 2.2.2.2 ssh and the connection is reset by 2.2.2.2
 
The message build outbound is correct, i.e. source is 1.1.1.1 (message id is 302013)
 
But the teardown is incorrect, i.e. source for the connection is 2.2.2.2 which is definitely not true (message id is 302014)
 
Also there seems to be a documentation bug in syslog messages for ASA 8.4 since the message for the teardown 302014 is gone!


Cisco AAA/Identity/Nac :: ACS 5.3 / TACACS Proxy - No Source NAS IP Address

Aug 1, 2012

I would like to use the ACS 5.3 as a TACACS proxy. Basically it works. But when checking the logs on the destination TACACS server (ACS 4.2) I see that all requests (Source-NAS) came from the IP of the TACACS proxy, not from the original source IP.
 
This is useless for my scenario, because on the destination TACACS server the policies are built on the Network Device Groups and AAA Clients = source IPs.


Cisco Wireless :: 819 - GPS As Accurate Time Source And NTP Server

May 25, 2013

I have a Cisco 819 router which has a built-in GPS capability. GPS receives a very accurate time from the satellite. Is it possible to use this accurate time source to set the time on the router, and then use it as an NTP server?


Cisco Firewall :: 2911 - NAT Any Source Address From Internet

Mar 21, 2011

I'm using a 2911 as our public Internet edge router. I have 2 public subnet blocks from Sprint; we are in the process of migrating. What I need to do is NAT any source address from the Internet from an address on one of our public blocks to the other.
 
Example:
 
Source Address 11.10.10.10 ==> Destination 64.165.123.10 (nat this to 64.165.54.10) inbound.
 
So if someone from the internet tries to hit 64.165.123.10, we want to NAT that to 64.165.54.10, both of which sit on our public space.


Cisco Routers :: RV120W PPTP Re-writing Source IP

Dec 21, 2011

I have a VoIP application that I'm trying to run over the PPTP VPN tunnel on a RV120W router.
 
The system is a NEC SV8100 PBX communicating with the NEC soft phone (SP310).  The system uses SIP to set up the call and for other signaling information.  It uses RTP to transmit/receive the audio stream.
 
The problem I'm having is that there is no audio stream from the soft phone.  The SIP communication and the audio stream to the soft phone works fine.  The symptom is: from the soft phone, the remote party cannot hear you, but you can hear them.
 
I did a packet trace on the RV120W and found the following:
 
No. Time Source Dest. Protocol Info
9489.358957 192.168.1.252 192.168.1.52

[Code].....
 
As you can see, the Source IP address is being changed from its original 192.168.1.52 to 192.168.1.1.  The NEC PBX is expecting the packet to be coming from the softphone, (192.168.1.52) not the RV120W (192.168.1.1).  As a result it ignores the RTP packet from the soft phone and does not relay it to the remote party.
 
Is there any reason why the RV120W is performing NAT on PPTP packets?  Can this be disabled somehow?
