I'm not saying you are totally wrong, because the two NATs as above will do exactly that. I'm perfectly aware of it.
My question is exactly how to avoid it. Do you understand?
I need the two NATs: the 1st one because I need to NAT without port translation for the access required by the related ACL, and the 2nd one because I need port translation for that specific port, since my app is listening on 9443.
Now, do you know how to accomplish this?
Thanks, but that is not the case. It goes like this:
I need a NAT from 200.X.X.X to 10.0.0.X any any to cover the access list below:
Source port any >= 1024 TCP, destination 10.0.0.X on 2776, 1720, 15000-19999, 5060
Source port any >= 1024 UDP, destination 10.0.0.X on 36000, 36001, 36002-59999
I also need a NAT from 200.X.X.X to 10.0.0.X with port translation 443 to 9443 TCP for the ACL:
Source port any TCP, destination 10.0.0.X on 9443
How can I get both NATs to work together?
I tried to configure two object NATs as below:
Source Y (Internet) to destination Z (DMZ), translate port 443 into 9443. I need this for a specific solution that only answers requests from the Internet on this port.
Source Y (Internet) to destination Z (DMZ), any any. I need the NAT without port translation as well.
When I apply the configuration it does not do the port translation, because traffic always goes through the NAT without it.
How can I have NAT configured where one of the NATs does port translation and the other does NOT, for the same IP address?
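The following is an added example, not configuration from any of the posts above, showing one way to get the behaviour asked for across these three posts on a Cisco ASA (8.3 or later): the two rules for the same DMZ host are split across the two NAT sections, so the port-translated rule is matched first and the plain one-to-one rule catches everything else. Manual (twice) NAT lives in Section 1 and is always evaluated before object (auto) NAT in Section 2; two object NAT rules for the same address, as in the original attempt, are ordered only by the object-NAT tie-break rules, which is why the plain rule kept winning. All object names, the interface names `dmz`/`outside`, and the addresses 10.0.0.5 and 200.0.0.5 are assumed placeholders standing in for the 10.0.0.X / 200.X.X.X in the posts.

```cisco
! Added example, not from the original posts. Names, interfaces and
! addresses below are assumptions.
object network DMZ-SERVER
 host 10.0.0.5
object network PUBLIC-IP
 host 200.0.0.5

! In twice NAT the DMZ host is the "source" of the rule, so the port
! is written as a SOURCE port on the real and mapped service objects.
object service REAL-9443
 service tcp source eq 9443
object service MAPPED-443
 service tcp source eq 443

! Section 1 (manual NAT): evaluated before any object NAT, so a flow
! from the Internet to 200.0.0.5:443 is translated to 10.0.0.5:9443.
nat (dmz,outside) source static DMZ-SERVER PUBLIC-IP service REAL-9443 MAPPED-443

! Section 2 (object NAT): plain one-to-one static for the same host,
! no port translation. Flows that did not match the rule above
! (2776, 1720, 5060, 15000-19999 TCP and the UDP ranges) land here.
object network DMZ-SERVER
 nat (dmz,outside) static PUBLIC-IP
```

Two checks worth doing after applying it: `show nat` lists the rules by section and shows hit counts on each, so the 443 rule should accumulate translate_hits while the one-to-one rule takes the rest; and `packet-tracer input outside tcp <src-ip> 1025 200.0.0.5 443` versus the same command with destination port 5060 should show the NAT phase choosing a different rule for each. Because this is ASA 8.3+ NAT, the access list applied on `outside` must reference the real address and real port (10.0.0.5 port 9443, not 443), which matches the ACL lines quoted in the posts.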
Hello all,

We implemented a METRO running MPLS L3 VPN on 100+ sites. The ring topology connects several ME-3600X-24FS-M, IOS Version 12.2(52)EY2. The issue we are facing is caused by the fact that most customers connected to the METRO don't have intelligent L2/L3 switches or routers and are using the L3 interface on the ME as the default gateway for their LANs. Not a good design I would say, but we can't change that at the moment.

L3 interface on ME (PE) to LAN SW (CE):

interface GigabitEthernet0/7
 description CONEXAO CE XXX
 port-type nni
 no switchport
 ip vrf forwarding GLOBAL
 ip address 10.xx.0.1 255.255.255.0

where the IP address above is the default GW for the customer LAN.

The links between MEs are configured this way:

 description UPLINK ME-ME
 port-type nni
 no switchport
 mtu 1600
 ip address 10.XX.YY.WW 255.255.255.252
 no ip redirects
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 7 135740425E5E547B7A76786166381C2324
 ip ospf network point-to-point
 ip ospf mtu-ignore
 mpls ip
 bfd interval 70 min_rx 70 multiplier 3

When a loop happens in a customer LAN, for instance connecting the same cable to two distinct interfaces on the same switch, the RP CPU goes above 40% and BFD drops the connection between the MEs; OSPF and BGP adjacencies are also killed. We are pursuing ways to reduce the impact of the DoS, but so far no definitive solution has been found.

1) Control Plane Policing cannot be implemented, because most CPP features available in IOS 15.2(2)S or above are not available in IOS 12.2EY.

2) Storm control seems to be enabled on L3 interfaces (strange, because it should be L2 only), and we tested it in a lab for broadcast, but it only works for certain types of traffic generated by the loop (CDP and STP not included):

interface GigabitEthernet0/1
 port-type nni
 no switchport
 no ip address
 storm-control broadcast level 6.00
 storm-control action shutdown

3) We are also considering changing the BFD parameters on the uplinks to other MEs, but so far we do not have values that would avoid the incident.

Can anyone help please, and advise on possible solutions to prevent customer LANs from causing this type of issue on the ME3600?

Regards,
Pedro
Agent Fails to Initiate Posture Assessment

The NAC agent is properly installed on a Windows 7, IE 9 machine. The certificates from ISE ADM PRI are installed in the trusted certificate store on the client machine, but it is a self-signed ISE certificate. The reports / USER / Profiling report says the Provisioning Agent has completed the assessment OK. The redirected URL is working fine (see evidence). We are always prompted to install the NAC agent again or, looking at the additional prompted information, to wait for the NAC agent to load and complete. The operations status remains with posture status pending forever and nothing else happens.

Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.

Conditions
Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.

Cisco advises as possible causes: there are multiple possible causes for this type of issue. See the following Resolution descriptions for details of what was already tested by us, and please see the attached files for our switch configuration and evidence.

CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS

Resolution
• Ensure that the agent is running on the client machine. ALL TESTED OK
• Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2(53)SE. OK
• Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.) OK (see evidence)
• Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. The limited access ACL applied for the session should allow the Swiss ports. ALL CONFIGURED AS PER CISCO GUIDELINES OK (SEE EVIDENCE)
• If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. (ALL CHECKED OK, SEE EVIDENCE)
• Ensure that the default gateway is reachable from the client machine. (TESTED OK)