Cisco WAN :: Return Path For NAT'd Traffic - 857 And 877
Nov 14, 2011
I have a problem with the return path of NAT'd traffic on a Cisco 877W router. Here's the network setup:
gatekeeper1 (192.168.0.1) is a Cisco 857
gatekeeper2 (192.168.0.253) is a Cisco 857
gatekeeper3 (192.168.0.251) is a Cisco 877W
The default route is 192.168.0.1 on all devices; however, there are some static routes defined so that traffic to certain IP addresses bounces off to 192.168.0.253 and uses that Internet connection instead. This new connection is designed so that traffic aimed at a certain internal IP address (192.168.0.190) comes in via this third Internet connection in order to take the load off the main line. NAT is all configured and appears to be working when .251 is the default route, but as soon as I set it back to .1, the traffic appears to come in but doesn't go out again.
I've configured an ASA5505 to be a LAN to LAN VPN tunnel endpoint, peering with a Linux box. The ASA is fully licensed so that side isn't an issue.
PROBLEM: When the tunnel is initialised from the Linux box everything comes up okay except the ASA isn't encapsulating any packets. It is decrypting the packets received from the Linux box okay, but no return traffic is being encrypted. When the tunnel is initialised from the ASA, nothing happens. After some troubleshooting I've found that neither the ACL defining interesting traffic nor the ACL defining NO_NAT is being hit at all.
ACL for NO_NAT:
access-list NO_NAT line 1 remark ACL USED TO DEFINE WHAT TRAFFIC NOT TO NAT OVER THE VPN
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER object-group LINUX-BOXES 0xc736d5fb
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER 10.11.228.0 255.255.255.0 (hitcnt=0)
[code]....
I've checked with the administrator of the Linux box and the definition for interesting traffic is exactly the same (except in reverse, as should be the case). The firewall is doing other things like NATs and suchlike too, but those NATs have nothing to do with this VPN. The setup is a LAN to LAN connection with no NATting in between. The main parts of the config are attached; I've deleted things that should have a bearing on this, however if you think it necessary I can sanitise the config and re-post. I think it will be working fine as long as the traffic hits those ACLs, however it isn't and I'm unsure why. At this time I'm not seeing anything at all when doing a debug cry ipsec or debug cry isa. The ACLs aren't being hit, so I'm guessing it's not even trying to form the VPN as it can't see any traffic that constitutes being 'interesting'.
I've just bought an ASA 5505 to protect my LAN. I've already used Cisco routers in the past but it's the first time with the ASA line. Everything works except one major point: the return traffic is blocked by the system... I don't really understand how the zone based firewall is supposed to work, but it seems OK by default: my LAN side is allowed to talk with the Internet but the Internet is not allowed to directly call my LAN. The NAT is set up to use the IP of my outside interface. When I try to ping a public server, the ASA debug log shows me that the communication can go out of the network, with the right translation, then come back to the ASA from the public server, and here the ASA blocks it because the communication is not allowed. I've only found two workarounds:
- allow inside traffic with static rules, and I say NO;
- disable the zone based feature by setting all zones to level 0...
How am I supposed to make my stateful firewall work with the zone based feature?
I have an IPSec VPN and NAT configured. Return traffic from an internal NAT host seems to be blocked by the WAN inbound ACL. What is the proper way to allow return traffic from the Internet for this internal NAT host? Note: as a test, removing the deny entry on the WAN ACL allows return traffic.
On a Catalyst 6500, we configured a SPAN session with VLAN 300 as a source. We configured the session bi-directional ("both" keyword). We connect a sniffer on the SPAN destination port.
Strangely enough, we only see the traffic from the VRF to the firewall, but not the reverse traffic! What can the problem be?
I am having trouble with a NAT concept. What I have is a 3rd party software VPN product that basically tunnels encapsulated traffic to/from a server sitting inside the network. Right now this traffic utilizes a physical interface on the ASA5510, but I need the interface for another project.
One of our vendors requires using a public IP address to set up a site-to-site IPSEC VPN. We only have one public IP address and that will be used for the VPN endpoint and for Internet access for the local network. I've set up policy NAT from our local network to the outside interface. I'm also using the outside IP address for the crypto map. The tunnel sets up successfully and the Tx count increases any time I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them.
Local Network - 10.10.9.0/24
Remote Network - 20.20.41.0/24
Remote Peer - 20.20.60.193
ASA Version 8.2(5)
!
hostname ciscoasa
I have just set up a WLC 4402 as a Guest WLAN controller on the DMZ of our network. I have successfully managed to get our internal controllers to connect to it, with the exception of one. It says the control path is up but the data path is down. The other 14 controllers worked fine, and in testing the last one was OK, but it is now not working properly. The two controllers can ping each other but just won't create the data tunnel. There is a firewall in the middle, but that has been set up to allow traffic between the two groups of controllers to be unrestricted.
The internal controllers are 4404s and all controllers are running the same version of code, 5.1.151.0.
I changed from a Linksys E4200 to a 5505 and when I use traceroute, it doesn't return a DNS name for each hop. I can see the hops shown as asterisks. Do I have to add something to inspect for this to work?
I am looking for a simple first name, surname and email in exchange for unlimited free access to our wifi. I would want the data to load on to Infusionsoft.
Recently, I have had issues with several Internet browsers. All return with a "cannot locate remote server" issue. I've flushed the DNS through the command line, turned the firewall on/off, reset the network connections, reset the router, uninstalled Mozilla, IE, Chrome and Opera, and still haven't been able to get any resolution. I have a bare minimum connection at the moment.
I returned to work and found a note that my Outlook and Windows password had been changed during the night by the IT department. Why would they need to change my password? Are they monitoring my work somehow?
I am doing 802.1X for a user on a Cisco 3650 and wanted the RADIUS server to return an attribute to set the duplex setting of the port, with the correct RADIUS return attribute.
Here is the current logical routing path of the network I've inherited:
ISP_ASA_1800 --- P2P link_ LAN
However, the equipment is set up in this inefficient physical topology:
Internet_ASA_LAN switch --- 1800 --- P2P link_LAN
The 1800 is the default gateway for all LAN hosts. This means that all traffic not destined for the LAN goes first to the 1800, which has routes for the Internet and for the P2P. If traffic is destined for the P2P, this is no problem. If traffic is destined for the Internet, then in my opinion this is an inefficient routing path because the traffic ends up doing this:
LAN host > switch > 1800 > back to the same switch > ASA > Internet
So I am thinking of setting up the physical topology to match the logical topology like this:
Internet, ASA_1800 ---- P2P link_LAN switch_LAN hosts
This means I will connect the 1800 and ASA directly to one another. Am I on the right track? Is this the best way?
I can finally upgrade my 1841 routers from 12.4 to the latest 15.1 IOS. Any info about the upgrade path? Do I need to modify the config file? And could you provide me with an upgrade instruction link or something like that?
Where can I find information regarding the details and upgrade path for the 2821 Integrated Services Router? We are looking to upgrade from 12.4 (c2800nmc-spservicesk9-mz.12.4xxx.bin) to 15.1. Is there a specific location to look in the download or IOS area for upgrade paths?
I have one question regarding whether the C6509 supports "ip tcp path-mtu-discovery". Can I apply this command to a GRE interface on the C6509? If yes, let me know which IOS is needed for that.
I am multi-homed to dual ISPs using a single 6509E. Currently, I am only receiving a default from each ISP and marking one with a higher local pref. Most of my traffic flow is inbound, so this config meets my need. The issue I have: if either ISP has an outage upstream from my directly connected peer, my router does not detect that and continues to send traffic out through that provider, only to be black-holed. My 6509 will only support 256k routes, so full route tables aren't an option. I could receive partials from each ISP. Is there any other method of detecting this upstream ISP issue and then adjusting the local pref on my default to use the alternate provider path?
I am trying to bring up the mobility group between a 5508 WLC (DMZ) and an internal 5508 WLC, but it says control and data path down. (I have allowed port 97 and ports 16666-16667 both ways.) Should the NTP be synced in line with the other controllers? Should the mobility group need to match (already discussed this in another forum, but experts suggested they never had to match the mobility group)? Should I first create the SSID and anchor? At the moment I haven't created the SSID to anchor.
ASA running 8.2(5). When I enable IP spoofing on my network interfaces I see this getting logged:
Deny UDP reverse path check from 10.100.100.102 to 10.100.100.255 on interface SPECTRA-LAN
This is because interface SPECTRA-LAN (VLAN50) is the interface connected to the network 10.100.100.0/24, but the interface does not have an IP address, so it does not exist in the routing table, I believe? However, interface INTERN also belongs to network 10.100.100.0/24, which is also the management interface and the default route for hosts in network 10.100.100.0/24, but has no VLAN.
1. Move the management0/0 to SPECTRA-LAN and give SPECTRA-LAN IP 10.100.100.1?
2. Give SPECTRA-LAN an IP address in the 10.100.100.0 range?
My routing table and interface list is:
Current available interface(s):
DATA-BACKUP Name of interface Redundant1.10
DMZ Name of interface Redundant1.900
GUEST Name of interface Redundant1.990
HOSTING Name of interface Redundant1.100
Infrastruktur Name of interface Redundant1.20
We are planning to upgrade our controller 5508 from 7.0.116.0 to 7.1.91.0. Is this directly possible, or do I have to put some other image on before directly upgrading it?
I recently bought a My Book Live 3TB. Everything works well with it: I can stream movies, upload them, remote access and much more at a good speed. The problem is when I directly connect my My Book Live to my PC via Ethernet, Windows can't find the path of the drive. However, I tried to directly connect via a MacBook and it works with no problem. I tried to factory reset my My Book Live to the default settings and directly connect from my My Book Live to my PC via Ethernet, and it simply worked! But then it stopped working for some unknown reason. It's a pain when I need to transfer large files wirelessly.
Recently I've changed all my local IP series in the server from 192.168.. to 10.219.., and the Server 2008 is providing them through DHCP. So I've had to re-map the shared folder to change the path on every system. But a few files on one PC still keep the old shared folder path when trying to open, and fail or take a long time! Not all files on that machine.
I'm a network admin for a medium-sized (500-700 people) multi-site business and I have a simple question. Is there any utility or method I can use to identify the physical path a packet of data takes from a workstation on the LAN to a server on the same LAN?
For example, if I send a tracert command at google.com, I can see every router the packet touches before it gets to Google's router. Is there a method I can use to determine a similar path with switches in my internal network? If I use tracert or pathping, I only get a single hop since the workstations are on the same LAN as the servers even though I know there are two physical switches between them.
Basically, I want to send packets from a group of workstations behind a couple of switches to a server and see if the packets are being lost in a switch somewhere, to identify if there is a failing switch or something causing network slowdowns. Also, I want to map out the network more accurately, so it would be useful to know.
I have 9 PCs on a LAN. When I attempt to view the workgroup I get a message that indicates the workgroup is not accessible and network path not found. I have turned off the Windows and McAfee firewalls so that the only firewall functioning is on the modem/router (Netopia). If I change the workgroup to the default (MSHOME) I can see the PCs.
I have a wireless network of a PC, an Acer Extensa laptop (laptop1), and an Acer Aspire notebook (laptop2) which connect wirelessly to a Livebox. All machines are running XP (SP3). Laptop2 connects to the Livebox via a Broadcom 802.11g adapter. There is no problem with any of these accessing the Internet. Until recently (not sure how long ago) there was no problem with any of them accessing each other. Yesterday we discovered that laptop2 has lost contact with the PC. All other connections are fine (including PC to laptop2). I have checked everything I can think of and have carried out a System Restore taking the machine back as far as I can, but that has made no difference. Laptop2 appears to recognise the workgroup in its 'preferred networks' box, but the PC does not appear in its list of computers on the network and any attempt to access the network (My Network Places > Entire Network > Microsoft Windows Network & click on MSHOME) results in "you do not have permission ..." followed by "Windows cannot find the network path.."
I have attached my home network configuration. Only one part is not working. When the David-PC (Win 7) tries to access the SharpeLaptop (XP) I get error code 0x80070035; NETWORK PATH NOT FOUND. This fails on wireless or Ethernet hookup. All PCs are using McAfee virus software which is supplied with the AT&T U-verse service. Trying to access the daves-dell PC (XP) works fine. Either of the 2 XP PCs can access the David-PC OK. The only failure is trying to access the laptop from the David-PC. If I disable the McAfee firewall on the laptop, then the David-PC can access the laptop. I have tried duplicating all the McAfee settings of the two XP P
I have a Cisco 7609-S with IOS 12.2(33)SRC2 that has an issue where "show ip route x.x.x.x" and "show ip cef x.x.x.x" show a next-hop that is not the actual switched next-hop.
For example, "show ip route 192.168.1.1" and "show ip cef 192.168.1.1" show the correct next-hop as 10.1.1.1, but the traffic destined for 192.168.1.1 actually does not go through 10.1.1.1, but always through the default route next-hop. Everything works normally after rebooting the router. I suppose it should be caused by a bug? BTW, my Cisco 7609 is running BGP with the ISP and receives about 10K routes.
What is the upgrade path for the 5505 ASA? I have one which is version 7.2 and need to upgrade it to 8.4(5). I have read that it needs to be upgraded between major release versions. Not sure if I need to upgrade from 7.2 to 8.0, then from 8.0 to 8.2, then from 8.2 to 8.3 and finally 8.3 to 8.4, or can I just upgrade from 7.2 to 8.2 and then from 8.2 to 8.4? Also, what are the minimum memory requirements for version 8.4? My ASA running on version 7.2 currently has 256MB memory and I will be upgrading this to 512MB before I do the upgrade to the image above.
I have always connected to other computers in my network, including my file server, and all of a sudden, it will not work. This is only happening on one computer. You can connect fine on all the others. I am running Windows 7 SP1, and in the network window, I can see the computers, but when I click on them to connect, it says "The network path was not found". If I access them via their IP in Windows Explorer, then I can access them. I have never seen this before. I attempted to disable Norton, I even uninstalled it, and it still does the same thing.