How To NAT A Public Interface In Xenserver 5.6
Mar 14, 2012
I've got a 1U server that has Citrix XenServer 5.6 installed on it. It has 2 physical ethernet interfaces, both connected to the same network switch, one interface has a public IP address on it and the 2nd interface has a private rfc1918 address on it (this can be changed if necessary). I use the private1918 interface to do administrative tasks, transfer data amongst the servers and guest VMs, etc. I'm given a /29 IP address allocation by a friend to use for my servers (using his FTTP internet connection). I want to set up a few guest VMs, but really most of them do not need to be using public IP addresses.
Is there a way to NAT the public interface on XenServer so that guest VMs can use rfc1918 addresses & get online, instead of using the few IP addresses I am given? Also how would I enable portforwards so that I can get applications to work like asterisk, SMTP, etc.?
Listing of interfaces on the Xenserver:
Code...
View 6 Replies
ADVERTISEMENT
Sep 16, 2012
We're setting up a Citrix Cloudstack/XenServer environment and having a heck of a time getting VLAN communication to work with the Cisco SG300-28 switches we've got. We have 4 hosts that are running physically connected to 2 SG300-28 switches.The Guest Network NICS are running on XenServer with a VLAN configuration. As you'll see below our problem lies in that the vm on Host1 (10.1.1.254) cannot communicate to the vm on Host2 (10.1.1.5).Our SG300-28 is currently in L2 mode with Trunked ports for the NICS. It's allowed the VLAN 133 as tagged. Here's the guest networking:here's how our SG300-28 are configured for VLAN traffic GE1,2,13,14 are the connected ports with VLAN133 being one of the tagged VLANS
View 8 Replies
View Related
Aug 28, 2011
I have two Windows Boxes connected to RV042 ; each has its own static IP assigned to it and each runs bunch of virtual machines , for which I had configured port forwarding .My hosting company claims that my server(s) are listening on IP 192.168.0.1 on a public interface (i.e., one that uplinks to their network). They see this same IP on two different MACs my uplink interface. I am not really sure how it is possible since 192.168.0.1 was assigned to router itself.
View 7 Replies
View Related
Sep 23, 2011
We have a 2911 Router running 15.0(1)M4. G 0/0 is our LAN interface, and it has three subinterfacesG0/0.1 is our data LAN, and the gateway for our Windows machines. This is the interface this question concerns.G0/0.23 is a separate LAN for various equipmentG0/0.192 is another LAN for equipmentG 0/1 is connected to the internet, and has a public address.S 0/0/0 is a T1 PPP, connected to our core data centerS 0/1/0 is a backup T1 PPP, again, connected to our core data center.There are three static routes entered:ip route 0.0.0.0 0.0.0.0 10.12.1.1 100 This is the first PPPip route 0.0.0.0 0.0.0.0 10.13.1.1 200 This is the secondary PPPip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 255 It currently has a cost of 255 while i figure this one out. xxx.xxx.xxx.xxx represents the cable company gateway, which I can ping properly. I've also used "gigabitethernet 0/1" in place of the next hop ip with the same results. The public interface is properly connected, and can ping it's next hop (the cable company gateway). When I change the static route for gigabitethernet 0/1 to a cost of "0", the router can properly ping DNS names, such as google.com through the public interface.
However, devices on the data LAN cannot reach any public addresses except for the router's public interface, let alone DNS names (I am using 8.8.8.8 as my test IP). If I revert the cost back to 255, making the PPP the gateway of last resort, these devices can again connect. (they travel through the PPP to our Data center's internet)
This confuses me. If our server, on the same LAN as the router can ping the public interface (it's definitley not leaving the 2911, as latency is less than 1ms), and the router itself can ping outside addresses, what is preventing the router's public interface from passing traffic to the internet from any source other than itself? I have attached our running config in the hopes that there is something obvious I'm missing (the public ip addresses have been changed so they are not exposed). I simply want clients on our 10.23.0.0 LAN to get to the internet via the public interface of the local router, and still connect to corporate resources using the PPP links. MAS_2911#sho run
Building configuration...
Current configuration : 5666 bytes
!
! Last configuration change at 01:47:50 eastern Sat Sep 24 2011 by redacted
[Code].....
View 6 Replies
View Related
Jul 24, 2012
I have a 2621 that I am configuring on the internet. My ISP gives me a static DHCP assigned address and then two more static addresses that are not part of the same block. (e.g. 1.2.3.4 is static via dhcp and then they give me 5.6.7.8/30).
I have fa0/0 getting 1.2.3.4 ia dhcp. I have 5.6.7.8 on a loopback interface for PAT/NAT as I have the main one on fa0/0 doing vpn to a remote ASA. The problem is that I have yet another device that needs a public IP, mainly 5.6.7.9... I want to hook that device up to fa0/2 (this box has three fa interfaces). How do I setup fa0/2 if I want to give the device on it a real live public IP address? I have done this before, but it must have been 10 years back on an even older CISCO and I can not remember how I did it.
View 2 Replies
View Related
May 10, 2012
getting my additional IP addresses working on my ASA 5510. I have a /29 allocation and outbound access and inbound access to my internal www server is working fine through the default outside interface. However, I now need to setup a second IP address that maps internally to a different web server. When I setup a new network object with automatic NAT translation to the new IP address, it does not work. If I setup the same scenario using the outside interface, it works fine. What is the proper way to setup additional IP address on my ASA v8.4?
View 10 Replies
View Related
Jun 4, 2013
Our ASA 5510 was configured with a public interface, a DMZ interface, and a private interface. I have a remote access VPN using AnyConnect client and LDAP authentication for Active Directory. We are changing ISP (groan!), which means all new public IP addresses. The new circuit is installed, so I have a second public interface (same security level as the first public interface, wholly different IP address range) enabled on the ASA. I hope to transition whatever I can, which means get the VPN access through either public interface. Can I just enable client access on the second public interface at the Anyconnect Connection Profiles tab in ASDM? That seems too simple. Can they share the one address pool?
View 1 Replies
View Related
Aug 23, 2012
How would I go about giving a server on the inside interface of my ASA a public IP address. I have a /28 on the outside interface and I'd like to give a server a public IP and not NAT.
I'd not sure how to go about getting this done.
show run nat=
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup(code)
View 8 Replies
View Related
Jul 9, 2012
I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of Public IP's on the current interface for various services (these need one to one mapping, so I can't port map mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches and I need to use an additional non contiguous IP address range for additional services advertised on the Public interface that are NAT'd to be servers in my DMZ.
I have seen an example of adding a static arp on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have a L2 switch between the ISP router and the firewall, so using VLAN's is not an option unless the ISP can be persuaded (highly unlikey) to add the seondary IP's as a sub interface with tagging. Anyway if this was actioned then we would have a massive outage on our current IP range during the transistion.
View 3 Replies
View Related
Mar 10, 2011
we have two Cisco ASA 5510 in failover configuration.We tried to change the public IP address on the Outside interface of the primary device but it didn't works. The new IP is not reachable from Internet nor pingable from device on the same LAN.The new IP address is in the same subnet of the old IP.
From the switch on which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and Webvpn defined.We tried also to shut/no shut the interface and reboot the device.
View 1 Replies
View Related
Jul 31, 2012
I have run out of public facing IP addresses and I need more. Assuming I have been issued 1.1.1.0/24 and my new/additional range/subnet issued is 2.2.2/0/24 - Can I carry on with the same configuration on my ASA5510 and just add static NAT for new services in the 2.2.2.0/24 range.
i.e.existing config
route 0.0.0.0 0.0.0.0 1.1.1.254 (upstream ISP)
Interface outside ip address 1.1.1.1 255.255.255.0
NAT 2.2.2.1 to 10.1.2.3
or, assume my ISP will deliver 2.2.2.1 to my outside interface (1.1.1.1.1/24) and if my NAT is in place it will get delivered to 10.1.2.3 inside.
or, put another way I dont need change my set-up as I just static route to my ISP!
my real public IP is a /27 can I use my broadcast address (its a legit public IP address)?
i.e 1.2.3.0/27 = 1.2.3.1 to 1.2.3.31
Outside interface = 1.2.3.1/27
Can I use 1.2.3.31 and NAT it to an internal server?
View 3 Replies
View Related
Oct 30, 2012
Got an ASA5525-X with 8.6 release. We have an inside interface (10.11.1.0/24) and a DMZ interface (10.254.1.0/24). On that DMZ interface theres an SMTP server; by using the Public server feature in ASDM we created a rule so we have mapped the 10.254.1.29 internal ip to an external ip 217.x.x.x Everything is fine; working ok, but for several reasons we need to access the public ip 217.x.x.x from an inside ip (10.11.1.10). I tried to do it by creating an exemption for the dynamic nat; if i don't do that i have a 'deny ip spoof from...' message rolling on my syslogs.Seems to do the trick.....but only for pings! i ping the public ip from the inside ip, and got the reply from the internal ip on the DMZ. But if i want to telnet port 25 from inside to public; its not working.
View 7 Replies
View Related
Oct 12, 2011
how to totaly disable Admin/ASDM access on our public interface of our 5510. I don't want to change IPSec or SSL access to the outside interface. Just totaly disable access to Admin/ASDM from the outside without halting all other access.
View 3 Replies
View Related
Apr 2, 2013
One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them.
Local Network - 10.10.9.0/24
Remote Network - 20.20.41.0/24
Remote Peer - 20.20.60.193
.ASA Version 8.2(5)
!
hostname ciscoasa
[code]....
View 4 Replies
View Related
Jul 10, 2011
i have an ASA 5520 8.4(1) setup as follows
public wan
|
|
ASA-- public dmz
|
|
private lan
i need to allow https traffic to a server in the DMZ that will have a routable IP address will just an ACL suffice ?which interface do i apply it to ? wan or dmz ?i dont need a NAT since the DMZ is a routable space?
View 6 Replies
View Related
May 9, 2012
i have a 1841 cisco router and i recently purchased a 1 port HWIC wan interface card. My problem is that I cannot see the interface in my config file. Is there something i am missing?
View 8 Replies
View Related
Oct 31, 2011
I share a modem and router with my building, and connect to the internet using an ethernet cable which plus right into the wall in my apartment. When I hover over the network/internet icon it tells me that I have a local connection only and can't get online. No changes were made to my computer between it working and not working - I have not installed any new software and the modem+router have not been changed.
When I try ipconfig/release is says it can't perform the operation while the media is disconnected. It also tells me that "an error occurred while releasing interface Loopback Pseudo-Interface 1: The system cannot find the fie specified".
[code]...
View 1 Replies
View Related
May 1, 2012
I have a Cisco ASA 5505 and I have my internal and external interfaces configured but I currently cannot ping from the inside to an IP Address on the outside. I had this setup and working and I have another set of equirement that I am replacing that is working with my service provider so I know it is a configuration issue. When I ping 4.2.2.2 for example I get:
Destination host unreachable
Do I need to add a static route from my inside interface to my outside interfaces?
: Saved
:
ASA Version 8.2(5)
!
hostname pxasa
[Code].....
View 2 Replies
View Related
Apr 9, 2011
Is it possible to set up a WAN interface on a FastEthernet interface of a Cisco 877 Adsl Router ?Due to my ISP, i've to use an external VDSL modem and must connect it to my cisco 877 router (and leave it's adsl interface unused).But i don't know how to set up a wan port, other than the adsl interface itself (dialer0), on my cisco.
View 7 Replies
View Related
May 28, 2013
We are having Cisco ASA 5540 having Cisco Adaptive Security Appliance Software Version 8.0(5)23 at certain time of moment daily wer are facing latency and packetdrop wherin when I checked for ASA Interface which gives me " Input Errors" on outside interface ,so can any one tell me what are the causes to get input errors on cisco asa outisde interface.
View 2 Replies
View Related
Feb 13, 2012
I have a 1t3/e3 card in a new 2951. When I statred the router, I found no interface corresponding to this module when do "show ip interface brief"
View 3 Replies
View Related
Oct 9, 2011
I have Pix 501 firewall and I'm just configuring the device for "Email Server" to allowing POP/SMTP.
Inside Interface Address: 132.147.162.14/255.255.0.0
Outside Interface Address: ISP provided IP address
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (132.147.162.14) so what my access list to be configured? and what my subnet mask shoud be there?
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53
Pix(config)#access-group outbound in interface inside
View 7 Replies
View Related
Mar 18, 2013
I've got a ASA 5550 firewall interface failover issue. (File attached).
when I shut down the inside interface Gi 1/1 of the left firewall(Active firewall), It failed to failover. but when I shut down the Gi 1/12 of the Core 1 switch, The firewall failover very well.
I followed this guide but I was not able to failover. [URL]
how can I configure so that when the Gi 1/1 or Gi 1/0 interface goes down, it can failover ? Code...
View 6 Replies
View Related
Apr 22, 2012
Needing to bridge from my wic interface to an ethernet interface on a 2900 series router so that I can pass through the ip address given to the WIC, to my ASA so that I don't have to give my ASA a private range address. (Just like a service provider might do when bringing a T1 with managed router in to my prem)
View 1 Replies
View Related
Apr 5, 2011
I have five 877 routers connected to ADSL circuits provided by Vodafone. Each has a VPN tunnel back to a PIX.
Occasionally one of the sites will lose it's connection to the PIX.
When we check the log, we find entries like these:-
Apr 5 01:31:54.085 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to downApr 5 01:33:19.344 UTC: %CRYPTO-
[Code].....
As you can see, the physical interface (ATM0) is not being reported as changing state to down, neither is the Dialer interface.
When the router is in this state we have to SSL to the public IP address of it and manually restart the ISAKMP SA.
When the router sees the ATM interface go down and subsequently come back up, the VPN connection to the PIX also recovers.
So - in a long winded way I think I'm asking....why does the Virtual interface go down and is there anything I can do to stop it happening?
View 3 Replies
View Related
Mar 3, 2013
what difference is between these two ports?
I have a router with ISDN/BRI interface and i am planning to buy router with E1/PRI interface. Will i be able to connect them?
View 2 Replies
View Related
Apr 23, 2012
We have a T1 connection at our office with a block of 5 IPs. The external interface is simply one RJ45 jack. Currently we have a home spec router connected to the external interface, and then a switch connected to the router. Certain ports are forwarded to our server in the home spec router for things like OWA, etc.I would like to start putting our other IPs to use. Is this usually done by having a switch connected to the external device and then have multiple routers connected to the switch? Or is it one router capable of VLAN or is it something entirely differentReally, what I want to know is what the rest of the industry typically does to use their multiple IPs.
View 7 Replies
View Related
Jan 4, 2011
how can i make my PC as public IP? do i need to wrt som servlet program 4 it?and how to mak my mobile as public IP by setting its domain?
View 1 Replies
View Related
Nov 21, 2012
How to Configure VPN SERVER with Public IP. Is there any free and secure tool so that we can create multiple vpn client and access the vpn network, Requirement Only one public Ip.
View 3 Replies
View Related
Jan 5, 2012
Recently I added a second web-server to my network. I have 2 static public ip's from my isp. My setup will be:
isp(two static ip's)---->Verizon MI424WR Router--->server 1 and server 2.
I currently have server 1 with IP: 192.168.1.100 and server 2 with IP: 192.168.1.101
If I have the two static public ip's xxx.xxx.xxx.27 and xxx.xxx.xxx.28. How do I forward xxx.xxx.xxx.27 to 192.168.1.100 and xxx.xxx.xxx.28 to 192.168.1.101
I read somewhere where i have to set the iptables on the router to do it. Do I have to buy a special firewall/router to do this or can mine do the trick.
View 1 Replies
View Related
Oct 24, 2011
Is it possible to have more public addresses to more internal addressees? I have an internet provider which is in control of my router and he is telling me it is not possible. It's a Cisco router and I have static IP address.
View 1 Replies
View Related
Apr 30, 2011
I'm trying to setup my DMZ so all my servers will have public IPs assigned to them. I'm currently trying to use two interfaces on each server, one with a private IP and then one with a public IP. All my internal traffic will go over the private interfaces...this is working. However, I'm having a problem trying to get it so the public interfaces work. Ultimately, these will be VM Hosts and have VM guests on them, each guest will have it's own public IP.
View 14 Replies
View Related
Apr 6, 2011
am running 2 PCs (one desktop and one laptop) both with windows vista home premium, both are in a home group, are connected by a DIR-615 D-link router/wireless access point, and have file sharing and network discovery enabled, but when I try to access the public folder on either PC from the other I get "The network path could not be found".When I try to troubleshoot this it tells me my modem is having connectivity issues and attempts to find out "why I can't connect to the internet" which is extremely bizarre, as this has nothing to do with the internet connection, I simply wish to access the public folder on a private network
View 7 Replies
View Related
