Cisco WAN :: 1941 Cannot Translate Private To Public IP Address Using NAT
May 4, 2012
I have 5 workstations with 2 servers, but the backup server (black) is shut down intentionally. I have 1 Cisco gigabit unmanaged 8 port switch and 1 Cisco 1941 VPN router. The Cisco 1941 VPN router is configured for IPVPN connection to other branches.
Challenge:
1. Configure NAT to enable the 5 workstations to be connected to the internet thru the router to the ISP.
2. Configure NAT to enable the server to be accessed from outside using the public IP address provided by the ISP. [code]
Verification:
1. I can ping other pc on 10.71.5.0/24 network.
2. When I typed in the ISP's public IP address in the browser, I got into the modem user interface for configuration.
I still can't connect to the internet. When I do tracert, it stops on the 192.168.15.1 hop and doesn't continue. This shouldn't be the case since I want to connect using the GE0/1 outside port for the internet.
May 15, 2012
The following are a few issues that I am facing on IOS Version 15 and the Cisco 1941 router; this router is currently in production at clients.
1. I do PAT on the router interface, and it has a public IP on it. When I send a request to the Internet via a browser from a LAN client, the page does not open, and when I check the NAT translations on the router, the router does translate the packets. The workaround I found is that when I disabled CEF on the router, the web starts browsing. Why does this happen, and why do I need to disable CEF?
2. I have a public IP pool whose subnet mask is /29; one of the public IPs from this pool is live on the interface. When I perform static NAT for a web server that resides in the LAN, I can access this server from anywhere in the world by IP. After a few days static NAT stopped working. I again static NATed it to another public IP, and the same issue arose again: I am not able to access this server from the Internet. This issue has been faced at two clients. I have checked the same pool on an 1841 router and static NAT works fine on the same public IP.
Oct 23, 2011
I guess I'll start with the easy stuff, Cisco ASA 5520 ver 8.2, ASDM ver 6.2, IPSec L2L tunnel with overlapping private IPs.
I have about a dozen L2L connections on our 5520 but never had to do one with overlapping IPs. I have two that I have to build and one definitely overlaps our inside locals, and the other is requesting that we NAT our inside locals to a 10.x.x.x.
I've searched the board and found several good posts including document 112049, but I just don't seem to be able to get my head around how to translate one inside address to another. It would seem like it would be as easy as doing an (inside,inside) static NAT, but most everything has the solution as a policy NAT or doing an (inside, outside) but in the less secure address space place the name of an ACL. I have ordered that brick of a book on ASAs from Cisco Press, but need to get something going and I'm not having much luck getting this thing up and running.
Perhaps my basic understanding of NAT rules is wrong. I thought that when using NAT the command speaks to the interfaces and the direction of travel, (inside,outside). I also thought that the IP addresses used must be valid on the interface referenced, so any reference to "inside" would have to be an address on the "inside" interface of the FW and likewise for the "outside" interface. Finally, to be sure I'm not calling a duck a goose, my understanding is that the following are correct: "inside local" = my private, "inside global" = my peer, "outside local" = their private, "outside global" = their peer.
So if I'm translating say a 192.x.x.x on my inside local and wanted to present them a 10.x.x.x, wouldn't I need an (inside,outside)? And even though I'm translating my private IP into a different private IP, the translated IP must be on the "outside" interface because that is the interface that I want to present the new private IP on?
So for the scenario I suggested at the top where I need to translate my private 192.x.x.x into a 10.x.x.x and present that 10.x.x.x to the other side, I need something like NAT Static (inside,outside) 10.x.x.x 192.x.x.x?
Oct 14, 2012
I just purchased an ASA 5555 and started to configure. I was successful in natting all the IPs that are on the same subnet as the ASA eth0. I could not get the nat working for the 2nd address block.
Ex:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.1.33 255.255.255.224
[Code]....
Oct 2, 2012
I'm trying to translate my inside network of 192.168.20.0 to my outside ISP address on ASA 5505. The ping from all hosts to 4.2.2.2 works, but it still only lets one address out to translate. My configuration is:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
still doesn't work.
Dec 8, 2011
I know the CSS is too old, but I have one in a production environment and I was asked if it is possible for the CSS to NAT inside addresses and translate them into one external IP address for different kinds of communications. For example: 172.16.4.9 and 172.16.4.10 (inside addresses) should start connections to external destination IP addresses 50.50.50.50 / 60.60.60.60 70.70.70.70 / 80.80.80.80 and so on. The default gateway for those servers is the CSS, and I would like to know if it is possible for all connections to the external world to be translated into one IP address, 172.16.4.100.
My CSS is 11503
Version: sg0810106
Aug 25, 2011
Is it possible to use 1 private IP through VPN and the same private IP mapped with a public IP? For example, 192.168.0.1 is configured in the VPN tunnel. I am able to ssh on both ends (VPN phase 1 and phase 2 get completed). But when I map 192.168.0.1 with some public IP the problem starts. When I try ssh I see the public IP in my destination firewall logs. IPSEC: Received an ESP packet xx.xx.xx.xx "mapped public IP". The decapsulated inner packet doesn't match the negotiated policy in the SA, The packet specifies its destination as
Nov 9, 2012
I have a virtual machine running on my desktop, which is connected to the gigabit LAN port on an EA4500 with firmware 2.0.37. What I want to be able to do is forward a port that came from an external IPv4 address to the IPv6 address and a different port on my virtual machine (to remote desktop port 3389). The reason I want to convert the traffic to IPv6 is because the virtual machine is running VPN and is not reachable through IPv4 (unless a bunch of routes are set up and things get complicated etc). I verified my physical server and virtual server both get IPv6 addresses through the IPv6 tunnel from Comcast. Without tunneling I could not get IPv6 set up using automatic mode with Comcast; it simply did not work for some reason.
Aug 18, 2011
We have a VPN router (ASA5505) which connects to the client, B. The IP address for one is 195.xx.xx.xx and for B it is 14.xx.xx.xx. Both can establish an IPSEC VPN nicely. Now, B throws a condition that the IP coming thru the VPN has to be public. They want it as such so that they can be routed across the VPN tunnel. It still can because the firewall does not do NAT.
Jul 22, 2012
I am now using an ASA 5510 as a firewall device. I have configured 3 interfaces, ethernet 0/0, ethernet 0/1 and ethernet 0/2, as the WAN interface, DMZ interface and internal LAN interface. Internet is working fine from the LAN as well as the DMZ. The WAN interface uses the public point-to-point IP (/30) provided by the ISP, and another pool of public IPs is also provided by the ISP (/28). Now I want to map the /28 IPs to some servers in the DMZ. The DMZ servers currently have 192.168.101.0/27 private IPs. Now the problem is how to map the public IPs to those private IPs on the DMZ servers.
May 19, 2011
My partner imposes that I create a VPN connection with a Cisco ASA5505 and send requests by public IP on my private network. Is it possible to create NAT rules with this possibility?
Sep 5, 2012
We have the setup as shown above; our requirement is to access the mail server via ports SMTP and POP3. But as the mail server is hosted on the internet, users at the site were not able to access it. We need to NAT an intranet IP with the mail server IP and the mail server IP back to the intranet IP and provide the access. We use an ASA 5510 firewall.
Feb 18, 2012
I have been tasked to install the first "hosted & managed" network setup at work. I've actually been tasked to clean this up, since one of the other engineers on my team botched the install. Here's my issue:
A small business customer ordered 4 VoIP phones/numbers, a T1 circuit, and a managed firewall service from my company. We provided them with Cisco 504s, a T1 router with two Ethernet ports, a Layer 2 switch for their phones, and a Fortigate firewall to manage their network. They also wanted us to install & configure their Linksys wireless router for net access on their laptops and iPads. The higher ups decided that VLANs were not an option, and they wanted to have the voice and data on two separate Ethernet interfaces.
Here's the problem: In the initial work order our T1 router (an Adtran900 series - a reverse engineered Cisco OS) will connect the VoIP phones to the F0/0 interface (using the layer 2 switch) and act as the DHCP server, using private IP addressing. In order to perform this, the first engineer enacted the Adtran's firewall, configured NAT, and set up an IP policy to allow the phones to communicate (allow any any basically). On the F0/1 interface, the firewall is connected. The firewall is given a public IP using the F0/1 address as the default gateway, and performs NAT to their internal data network. The problem is that outbound traffic works fine, and inbound/outbound works on the F0/0 interface where the phones are connected and the Adtran is performing NAT - but I cannot get access to the firewall from the outside world. I know the issue has to do with the firewall on the Adtran router, and it trying to block inbound attempts to the public IP block assigned to the second interface. I attempted to set up firewall rules to allow all traffic to that subnet and interface, but it did not work. As soon as I disabled the firewall feature on the main router, voila! - the Fortigate firewall was accessible from the outside world. But this disabled their phones from working, as this disabled NAT for the private IPs for the phones.
Ideally I could use the switch and set up VLANs to segment the voice/data traffic, but that option was denied. I think the way we're doing this is over-complicated, but this is the desired configuration from my boss. He doesn't really understand VLANs and firewall rules too well, so he wants the two interfaces approach. To make things even more complicated and redundant, I'll need to set up 1-to-1 NAT rules in the Fortinet firewall to allow access to the /29 we have allotted the client for their connections to Ford/GM/& Chrysler. I can't think of an efficient way to make this work - every scenario I come up with hits a roadblock. I've attached a network diagram so this can make some sense. The IPs have been changed.
Oct 9, 2012
I have two links on two edge routers from the same ISP for Active/Standby. I am using the private AS and ISP-provided IPs; now I have got my own public IPs and AS number. I want to publish my IPs and migrate the AS number from private to public. But currently I do not want to migrate my device IPs, I just want to publish the network and ASN.
Current config is:
Router 1
router bgp 64530
no synchronization
bgp log-neighbor-changes
[Code].....
Mar 1, 2012
How can a public IP be traced back to a private IP? For instance, if the IP is 5.5.5.5 it is traced as
4.4.4.4
2.2.2.2
1.1.1.1
10.10.10.10
5.5.5.5
I thought it could be VPN, but then you still need a public facing IP. Or can it be the fact that the public IP is routed to NAT and from NAT to the internet? But then the 10 range will need to be converted back to public, which does not happen, as from the private 10.10.10.10 it moves to the next router, which is an ISP device and not the client's one?
Apr 16, 2013
I have a customer who wants to do a static mapping in order to prevent any downtime for one of his public web servers. Any good example to follow? FYI, the edge device is:
CISCO1941W-A/K9 (configured as a zone based firewall)
C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(1)T
Nov 8, 2011
How do I set up this NAT on an ASA 5520 running 8.3.2 code? I know this must be possible as I can do the same thing on my Check Point with no issues. I need to NAT two DMZ mail servers to one public MX record. I will have an F5 to load balance inbound and outbound traffic from the mail servers. So I need to NAT two private IPs to one public.
Jul 27, 2011
We have to set up an IPSEC tunnel for a client that does not want to exchange private IP address information for security and overlapping address space reasons. We will both be natting our source private IP address space as public IP address space and sending those packets through the established tunnel. I'm using a Cisco 3000 concentrator.
Mar 10, 2013
I'm trying to make a setup on my Cisco 881 router, but I'm having some trouble. I've managed to configure logging in with a Public-Private key pair over SSH, but it's also still possible to log in over SSH with just a username and password. I'd like to prevent this, if possible. I imagine I might have manually configured this to be allowed at some point, but I can't quite figure out how I did this, as no matter what I've tried to remove, it keeps allowing this option. I still need to be able to log in with a username, because I want users to have different privileges.
Once I've logged in using the Public-Private key, I don't automatically go into privilege mode, even though the user is configured with a privilege level. I'd like to configure that users that I've configured to use a certain privilege mode, automatically go into privilege mode without a password prompt. I know it did this before I started using the Public-Private key (or before I used AAA, which was configured around the same time), so I wondered if it's possible to do this still.
Jan 9, 2013
Is it possible to set up a public and private password on a single router so that the public connection can be disabled without having to turn off the private one?
I have some unruly housemates that like to try to take advantage, and I only have one cat5 cable and that is already connected to a computer. I have 4 other devices that I use my wifi on and I want to be able to use them without letting my roomies use my connection, and only allow them to use the web during the day.
Apr 2, 2012
I just moved into an apartment where the internet is being provided to me via wifi (open). The landlord doesn't have a private network, he is with me. What I was curious about is if it is possible for me to use a second router to create a secured network for all my devices? My thought would look like this: ISP>Landlord's Router>wireless>MyRouter. I know you can have private and public wifi but the two routers have to be connected. I haven't talked to him about the fact that he needs to secure his router mainly because we never cross paths.
Jul 25, 2011
I have an existing network with several computers running Vista and XP. My new computer has Windows 7. The Windows 7 computer can access the router and the internet. But it is invisible to the rest of the network. It is currently set up as "private network". I think it should be "public network". How / where can I change it?
Dec 14, 2011
Is there a simple way to have a web server have both a static public IP (I have a block of static IPs) and a static private IP (ex 192.168.0.60)? I am running a web project management application....
Jul 22, 2013
I handle the network at a small business; it's not my primary job but one that I am in charge of. My boss owns a house next to the office that he uses as a general meeting area and as a guest house for friends and family. The house is close enough to the office that our office WLAN covers most of the house.
Our office router (Cisco Linksys EA4500) supports a "guest" network, which is okay for people that pop in for meetings, but not so great for family and friends that may stay for several days or a week. The guest profile times out, and they have to reconnect. I have no way to set the timeout period for the guest profile. But mainly, there are several "dead spots" in the wifi coverage in the house.
There is an Ethernet cable running from the office to the house that is not currently being used. Optimally, I would just use the spare Ethernet cable to set up a separate WLAN in the house. But I don't know how to do it so that the guests cannot get access to our office network.
I would like to leave the office network hardware and configuration unchanged if at all possible. I am open to purchasing something, and even flashing it with DD-WRT if needed. I just need a configuration that keeps the office network private.
Mar 27, 2012
I have a Cisco 1941 (with security lic) and I have been asked to make a VPN with public IP addresses so there will be no info about internal networks. The other side has an ASA 5520 and they provided me with 2 public IP addresses. I have done many different VPNs but this is the first with public IP addresses and I cannot figure it out. So here is the question:
1. How to do it? (maybe some example)
2. Do I need two public IPs to do it?
Jul 18, 2011
We have a private network, multiple vlans etc. for our domain users/employees across several amenities. We also have a Public network, that we have managed by a 3rd party for guests/conference rooms/attendees. Private network is all static IPs, MAC restricted port security, as strict as possible from a security and PCI Compliance standpoint. The public network is all DHCP with hundreds of users. Having them physically separate has always been the best option. Separate switches, server, and I even have the uplinks separated on a 3825 router. However, unfortunately it seems as though that luxury is coming to an end. One of the meetings that is taking place is going to be at one of our outer amenities so I've got to push that "public" network through my network, over my backhaul to the other side.
My suggestion was to create a new vlan on the switches with the shortest path possible to get where it needs to go. This way the traffic never goes through our ASA, and it has a small footprint on our network, it plugs into the switch access port with the dedicated vlan at the entry point into our network, and leaves from an access port on the other end. To me that seems to be the best/most secure way to handle it. We're also in the process of rolling out Public Wifi through the entire property and since we'll want to push both Public and Private vlans over it....merging the two networks to a point is only inevitable. Especially since it will be going through a controller and the property covers a good 7000 acres.
A good IDS/IPS...other than already having port security on every port, I'd definitely like to know if somebody inadvertently cross connects the two networks and it starts flooding whatever vlan access port it's plugged in to with dhcp...especially since a lot of the laptop users on the domain are set to DHCP first with a static in the alternate for working at the office and remote.
Mar 25, 2013
How to set up 3 SG300-52 (in L2 mode) as per this diagram: Port 1 on all switches should be able to talk to each other and access the blob at the right. The ports 25 on the other hand should only be able to talk among themselves in their own private vlan. They are to carry sensitive traffic. So I created 3 vlans, vlan 78 for ports gi1, gi51 and vlan 10 for port25,49,50 and a dummy vlan: 666 with the intent of segregating vlan 10 from vlan 78. My attempts so far have failed. Ports gi49-50 are configured as trunk ports and gi1,gi51 as access ports as in the following cli output (excerpts of the startup config):
vlan database
vlan 10,78,666
exit
interface vlan 1
ip address 172.16.10.11 255.255.255.0
[code]....
Ports gi1 can talk to each other and access the blob but ports 25 refuse to talk to each other. But as soon as I remove the access links to the blob they can! Obviously, at that point port gi1 lose access. Is such a topology feasible or even advisable?
Sep 3, 2012
So, I have a bit of a problem getting our NATted Cisco 7960 working with our external SIP providers behind NAT.
We have a block of IPs available to us; however, when I assign a static NAT rule for the internal phone, outgoing calls are fine but incoming provides no audio.
We have no ACL blocking or anything, it's fully open to the outside world with the IP assigned to it via NAT.
Our static NAT rule for the phone:
ip nat inside source static 192.168.0.250 xxx.xxx.xxx.xxx
NAT is configured on the phone, with the external IP set correctly.
Also, after a while, it seems as though the registration times out or something because incoming calls no longer work.
I thought a static NAT rule would just allow full access to incoming connections to the internal IP specified? Our main router config (with unnecessary information removed):
version 15.1
no service pad
service timestamps debug datetime msec
[Code].....
Oct 5, 2012
In my office we have a private LAN of 10.0.0.0 having no access to internet/broadband. To connect to the internet, we do it by using a broadband connection/modem from MTNL. Both things require a separate NIC card. My query is "Can I use my broadband modem to connect to the internal LAN". I have heard this is possible by some suitable changes in Current Control Set in Windows.
Jan 27, 2012
I'm planning to set up a network with two routers and one cable connection. One router will be for public wifi at my business and the other will be for my point of sale system and private use. I think I have it figured out but want to double check the setup. Someone tell me if this isn't correct or if there's a better way of doing it.
Cable modem --> connect via ethernet to Router #1 WAN port. Router #1 LAN port 1: connect via ethernet to router #2 WAN. Now, router 1 and 2 will have two different subnets; 192.168.1.x and 192.168.2.x respectively. Router #2 is the one that I should use for my private network and for the POS system since it can't be accessed by users from router #1, correct? I have DD-WRT installed on both routers but I plan on putting Tomato firmware on router #1 to limit bandwidth for public wifi and keeping DD-WRT installed on router #2.
Dec 23, 2012
I would like to understand how public IP works in remote access. I have a Belkin router, and when I access it remotely I type my public IP and after it the port number, for example xxx.xxx.xxx.xxx:80, and if I would like to access an IP cam remotely in the same network I would do the same thing, xxx.xxx.xxx.xxx:5656 (public IP). I do know my public IP is unique. Thus, it's quite logical I can access my devices remotely. My understanding of the port number is that it is application specific and addresses packets to different applications on the same computer. For example port 80 is for HTTP connections used for browsing the web; for chatting in MSN I will use a different port number specifically for MSN, etc. My question is how I can access my Belkin router remotely by typing the public IP and the port number, knowing that the port number is application specific, not device specific? My second question is, is it possible to access two routers in the same network remotely?
May 26, 2011
I have set up a private domain network at home. I have a domain controller, a DNS server, and a DHCP server all running on one Windows 2003 Server machine. I have about 10 other machines around the house, getting their IP addresses from this DHCP server.
I have a Netgear WNDR3700 router.
I am about to get 5 public IP addresses from my ISP, and I would like to make some of these machines publicly accessible (while still accessible from the other machines in the network).
I found this link that says on my web server (one of the public machines), that I should use a second NIC and set that up to connect to my router (and get a private IP address from my DHCP server).