Client behind NAT

I have been searching for a solution for this issue with all that Google knows......
I have my client behind NAT with IP 192.168.27.1
And the server behind NAT with some IP (I am not really worried about this)
Now I register a client object to the server for notification. Simply, a hash table in the server stores all my client objects. On an expected change, I invoke a method in my client objects.
In this scenario I happened to observe that the client objects sent to the server had the client IP (192.168.27.1) inside them and not the NAT IP through which they went out.
So when I went to invoke the remote method, nothing interesting happens, as the client cannot be located.
I tried creating custom sockets in the client and binding them to the NAT IP --> obvious bind exception for an IP that is not with the client
Setting the NAT IP as java.rmi.hostname in the client --> no effect, since the server is still trying to notify (192.168.27.1)
Help me to root out this issue. I feel that there must be a solution for this, otherwise RMI would not have been this successful.

Hi turing,
Thanks for your reply.
Actually my question is about
"maybe if you try using the "real" ip (www.whatismyip.com)
your program will work. "
How do I do this in the scenario I explained?
Most of the discussions I saw in this forum are about a server behind NAT and the resolution approach for it. I can't find an answer for this even in the post you mentioned.
Simply,
When I register a client object in the server, how will the server identify the client to notify when the client is behind NAT?
Will the IP address that the remote object carries also be NAT'ed? I don't see this happening.

Similar Messages

  • Client behind nat (on a vmware guest os)

    Hello,
    I can easily connect from my Windows XP to the VPN server, but when I try
    to connect from a guest OS on VMware (Windows too), it connects but doesn't
    reach other computers on the VPN.
    This virtual machine on VMware is set to connect through NAT to the internet.
    What can I do to make it possible to connect from the virtual machine?
    Thank you

    I found it..
    my version of BorderManager is 3.8.2
    > my version of BorderManager is 3.8.x (how can I know the exact version?)
    > VMware Tools is installed on the Windows2k guest OS
    >
    > i had tried with another PC on the network some time ago:
    > PC1(winXP) was directly on internet and sharing the connection with PC2
    > PC2(winXP) was connecting but not "pinging" other computers on the VPN
    >
    > the same problem
    >
    > could the problem be on Windows' Internet Connection Sharing?
    >
    > thanks
    >
    > > [email protected] wrote:
    > >
    > > > what can i do to make possible connect from the virtual machine?
    > >
    > > There's nothing inherent in the VPN client that would prevent you from
    > > doing this. I use the 3.8.16 VPN client via Parallels desktop on a Mac
    > > all the time without issue, so VMware should work as well. Are you using
    > > the latest VPN client? Do you have the VMware tools installed into the
    > > Windows guest?
    > >
    > > --
    > > Jim
    > > Support Sysop
    >

  • Cisco VPN client behind NAT

    Hi,
    We have to setup a VPN connection from a user workstation in our private
    network to a third party host.
    We have to use the Cisco VPN client v4.0.2 (B).
    BM 3.8SP3 with static and dynamic NAT.
    2 filter exceptions:
    UDP port 500 stateful private network to public host IP
    UDP port 10000 stateful private network to public host IP.
    We can login to their Cisco box but after that we cannot ping to their
    hosts.

    Bert wrote:
    > Hi Caterina,
    >
    > I get it worked!
    >
    > I changed the connection type in the Cisco client to TCP (port 10000).
    >
    > I deleted the UDP filter exception for port 10000.
    > Finally I added a filter for TCP.
    >
    > So with 2 filter exceptions it seems to work now:
    > VPN1 -> source: port 500, destination port 500, stateful, UDP
    > VPN2 -> source: port All, destination port 10000, stateful TCP
    >
    > Now I can ping to hosts at the other side and connect to their
    > network with Net use etc.
    >
    > Thanks for your help.
    >
    > Regards,
    > Bert.
    Thank you Bert, you just saved me hours of work!
    Dan Verbarg
    BHDP Architecture
    Cincinnati, OH

  • MapViewer Behind NAT

    Hi,
    I'm using MapViewer and I integrated it with my ADF application. I've generally no problem. I deployed both of them on weblogic server, and they work great. But when I want to have access to my app server (weblogic) from another place behind NAT, MapViewer doesn't work any longer!
    My application page (ADF/JSP) works, but the map object (dvt:map) on my page doesn't render! I think it is caused by the IP difference. Everything is the same, but just the IP changes behind the NAT.
    Because of the network backbone, we are forced to have another server IP on the client side for the WebLogic Server, instead of the real server IP. (e.g. the real server IP is 172.18.10.1 but the client machine behind the NAT sees the server as 172.16.2.3)
    I want to emphasize that all pages and all other features in my web applications work, and I can see and have access to the MapViewer server from the client (behind the NAT) too. But the map object (dvt:map) on my pages doesn't render and just shows a blank area without any error!
    I know I don't have any problem accessing the MapViewer server, because I have access to my MapViewer server control panel from the client side (behind the NAT) and MapViewer is installed on the WebLogic server which my application is installed on. So, my question is: if I can work with my application behind the NAT, why can't I see my map on it?

    The key is that the NAT-enabled router is the one that will require port mapping/forwarding to be configured. In addition, you don't necessarily need for the Internet router to have a static IP address, but it MUST be a Public IP address. If your HOA controls this router, then most likely, they will NOT be willing to configure it to allow port mapping to your IP camera.

  • FTP-client behind RRAS - unable to connect to external FTP servers

    A small network (10-20PCs) without any segmentation - one LAN with one Gateway.
    1. If the Gateway is some small hardware device, there are not any problems to make FTP-connections from LAN to Internet FTP-servers
    2. If the Gateway is Win2003+RRAS+NAT or Win2003+ISA2005, there are not any problems to make FTP-connections from LAN to Internet FTP-servers
    3. But if the gateway is Win2008+RAS+NAT or Win2012+RRAS+NAT, the computers in the LAN are not able to connect to Internet FTP-servers
    I made a few tests:
    1. On Win2012+RRAS+NAT
    Turn off Windows Firewall for all profiles (Domain, Private, Public) - the problem disappears, it is possible to connect to external Internet FTP-servers.
    2. On Win2012+RRAS+NAT
    Turn off Windows Firewall only for the Domain profile - the problem disappears, it is possible to connect to Internet FTP-servers.
    3. On Win2012+RRAS+NAT
    Turn on Windows Firewall for all profiles (Domain, Private, Public)
    But I excluded the internal NIC in this list
    Windows Firewall / Properties / Domain Profile / Protected network connections
    and the problem disappears again
    My question is:
    What new firewall rule do I have to make and where do I place it (to be able to make FTP-connections from the LAN to Internet FTP-servers)?
    I made some attempts to allow port 21, but without any success.

    Thank you, but did you try this ? 
    Can you describe in detail "exclusion rule for FTP traffic" ?!
    In my previous post, I wanted to say that if you use Win 2008/2012 RAS+NAT as a network gateway, then it is not possible to make FTP-connections to external FTP servers from the computers behind that gateway.
    And the standard attempts to make "Allow" rules for port 21 in the gateway firewall (Win 2008/2012) do not solve the problem.
    No matter which FTP-client you try to use.
    To see this problem, just make a few simple tests:
    ">telnet <ftp-server> 21"
    with firewall on/off and inbound/outbound "Allow port 21 rule (All/Domain/Private/Public)"
    In my country, the Government Tax Department uses the FTP protocol to collect monthly data from companies.
    And it is too stupid a scenario (to be a small company and) to upgrade from Win 2003 to a newer 2008/2012 and then to not be able to do all your jobs.
    -------EDIT---------
    The same problem (and its solution) is described here:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0c68aed6-e22b-4cd4-86bd-f3c767e88349/advanced-firewall-blocking-through-ftp-traffic-rras
    The magic command:
    ">netsh routing ip nat delete ftp"
    solved the problem for me.
    And here is the description of this command - "Disables the FTP proxy on the NAT server."
    http://technet.microsoft.com/en-us/library/cc754535(v=ws.10).aspx#BKMK_106

  • Contivity vpn client behind router with easy server

    Hi, I've seen this argument before, but without an effective solution.
    I have a contivity client behind a 857 cisco router. This client needs to connect to a remote VPN server.
    With NAT enabled and easy VPN server disabled, all works fine.
    When I enable easy VPN server on the 857 (I need to connect several dial-up cisco vpn clients from outside to this office), the contivity client can't connect anymore to the remote vpn server and hangs with the famous "banner text" error.
    I think that because the external interface of the 857 is waiting for cisco vpn client to connect, it intercepts also the data from the remote contivity vpn server, not forwarding to the client inside the LAN.
    If there is a way to "passthrough" the contivity connection data to the internal client it would be very nice.
    Many thanks, Stefano.

    Hi, I found a possible solution. At this page
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml
    this is the interesting part:
    !--- Dynamic crypto map.
    crypto dynamic-map dynmap 1
    set transform-set foo
    match address 199
    access-list 199 permit ip 10.100.100.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 199 permit ip host 172.16.142.191 192.168.1.0 0.0.0.255
    I try to put the contivity vpn client to another subnet (192.168.3.10) but the easy vpn server still intercepts its encrypted data.
    Salutes.

  • DMVPN Hub and Spoke behind NAT device

    Hi All,
    I have seen many documents about a DMVPN hub behind NAT or a DMVPN spoke behind NAT.
    But my case involves both situations.
    1) HUB has a Load Balancer (2 WAN links) ISP A & B
    2) Spoke has a Load Balancer (2 WAN links) ISP A & B
    Now the requirement is Spoke ISP A tunnel to HUB ISP A, Spoke ISP B tunnel to HUB ISP B.
    So a total of two DMVPN tunnels from spoke to hub, and I will use EIGRP and PBR to select the path.
    As far as I know, at the HUB site the LB must do static NAT for the HUB router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will do policy routing to reach HUB ISP A IP via the Spoke ISP A link, HUB ISP B IP via the Spoke ISP B link.
    HUB and Spoke have to create 2 tunnels with two different network IDs but using the same source interface.
    The tunnel destination IP at the spoke router does not directly belong to the HUB router. It is held by the HUB LB, and forwarded to the HUB router by static NAT.
    Will I face any problems with this setup? Any guide?
    Sample config at HUB.
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile cisco
    Spoke Config
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.16.1.1 199.1.1.1
    ip nhrp network-id 1
    ip nhrp holdtime 300
    ip nhrp nhs 172.16.1.1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel destination 199.1.1.1
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.17.1.1 200.1.1.1
    ip nhrp network-id 2
    ip nhrp holdtime 300
    ip nhrp nhs 172.17.1.1
    delay 1500
    tunnel source FastEthernet0/0
    tunnel destination 200.1.1.1
    tunnel key 1
    tunnel protection ipsec profile cisco

    Hi Marcin,
    thanks for your reply. The NAT was set up in a way it was/is just to simulate the spoke to be behind NAT device.
    About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. At the end, TAC actually assisted me with this. Before I called TAC, I did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that did not work, and it has to do with NAT and AH. Traffic was no longer NATed, so the hub saw the traffic come from 2.2.2.2 rather than 3.3.3.3; you can also see that in the error message you have pointed out. I also saw it in my packet captures. That caught my eye and I started troubleshooting it. I did not understand that AH can't be NATed. Below is TAC's explanation. All is good now. Thanks
    "Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum. Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
    Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check. In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."
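
The TAC explanation above, as an added example that is not part of the original thread: a simplified Python model in which a TTL decrement leaves an AH-style integrity check intact, source NAT from 2.2.2.2 to 3.3.3.3 breaks it, and an ESP-style check survives both. Assumptions: HMAC-SHA-256 truncated to 16 bytes stands in for the negotiated integrity algorithm, the real AH/ESP header layouts and encryption are omitted, and the key, SPI, payload and hub address 192.0.2.1 are constructed.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"            # constructed key shared by spoke and hub
SPI_SEQ = struct.pack("!II", 0x1000, 1)  # constructed SPI and sequence number
PROTO_AH, PROTO_ESP = 51, 50

def checksum(header):
    """Ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_checksum(header):
    """Return the header with its checksum field recomputed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", checksum(zeroed)) + zeroed[12:]

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(raw)

def immutable_view(header):
    """Zero the fields AH treats as mutable; addresses stay covered."""
    h = bytearray(header)
    h[1] = 0                  # DSCP/ToS and ECN
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def ah_protect(src, dst, payload):
    """AH-style: the ICV covers the immutable IP header fields and the payload."""
    header = ipv4_header(src, dst, PROTO_AH, len(payload))
    return {"ip": header, "payload": payload,
            "icv": icv(immutable_view(header) + SPI_SEQ + payload)}

def ah_verify(pkt):
    expected = icv(immutable_view(pkt["ip"]) + SPI_SEQ + pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])

def esp_protect(src, dst, payload):
    """ESP-style: the ICV covers only the ESP fields and payload, not the IP header."""
    header = ipv4_header(src, dst, PROTO_ESP, len(payload))
    return {"ip": header, "payload": payload, "icv": icv(SPI_SEQ + payload)}

def esp_verify(pkt):
    return hmac.compare_digest(icv(SPI_SEQ + pkt["payload"]), pkt["icv"])

def router_hop(pkt):
    """Plain routing: decrement TTL and fix the checksum (mutable fields only)."""
    h = bytearray(pkt["ip"])
    h[8] -= 1
    return dict(pkt, ip=with_checksum(bytes(h)))

def nat_source(pkt, public_ip):
    """Source NAT: rewrite the source address and fix the checksum."""
    h = pkt["ip"]
    return dict(pkt, ip=with_checksum(h[:12] + socket.inet_aton(public_ip) + h[16:]))

def demo():
    """Send one packet per protocol from the spoke and verify it at the hub."""
    payload = b"constructed GRE/NHRP bytes"
    results = {}
    for name, protect, verify in (("AH", ah_protect, ah_verify),
                                  ("ESP", esp_protect, esp_verify)):
        sent = protect("2.2.2.2", "192.0.2.1", payload)
        results[name] = {"routed": verify(router_hop(sent)),
                         "natted": verify(nat_source(sent, "3.3.3.3"))}
    return results

if __name__ == "__main__":
    print(demo())
```
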

  • Problems with Arrowpoint cookies for clients behind a Proxy

    I have in a WebSite clients being load balanced using Arrowpoint cookies to a virtual Server. The CSS load balance between three Apache real servers.
    I have some clients that are behind some kind of proxy cache, and I have seen with a sniffer that the proxies causing the problem re-use proxy-to-our-server connections for different requests for multiple clients.
    Then, as I understand it, the CSS makes the forwarding decision based on the cookie of the first request for the first client behind the proxy after establishing the HTTP connection, but when there is a request from another client using this same connection (that must be forwarded to another real server) the request is forwarded to the original web server and fails because we need sticky connections.
    I thought that this wasn't correct but I have read some documents that say that this is called a Proxy role as a "connection cache". Then my question is if there is any workaround for this problem.
    Thanks

    I believe your problem is that the proxy opens a few persistent connections with the CSS and load-balances your clients' requests over them.
    Once the CSS has associated a connection with a service, it does not look into the request anymore.
    The solution is to disable persistence on the CSS with the command 'no persistent' and 'persistence reset'.
    Find more info at :
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093e06.shtml#crp
    Gilles.

  • Multiple ichat clients behind firewall?

    Is it possible to have multiple ichat clients behind a firewall? I've just bought a macbook pro and would like to purchase two more for ichat functionality. Two of these will be behind one firewall, the other across the country. I can't find any documentation other than how to configure a single ichat client.
    Is it possible? It's ok if we have to purchase an xserve and run some kind of server our end - I just want it to work.

    Hi paulgami,
    iChat will work behind a firewall or routing device.
    With routing device the easiest method is UPnP which allows the Apps to open the ports and allows multiple computers to use the same ports.
    A device that has Port Triggering can also allow multiple computers to use the same ports.
    If you mean that you want the Bonjour side or even the Jabber side (in the iChat Server in OS X serve) to be in the same Network you will have to look to setting up VPNs (virtual Private Networks) to cover the distances you are talking about.
    It may be just semantics but it helps if we know which bit of iChat you are talking about.
    Tiger 10.4.x OS X Serve has a Jabber Server that can be used with the Jabber side of iChat (iChat 3.x)
    Each computer already has the iChat Client.
    There are also Public Jabber servers including Googletalk to use with the Jabber side of iChat.
    The Main Buddy list obviously uses the AIM service and again this can be world wide.
    iChat also has the Bonjour side. This can find any other Mac on the same network. It uses the user's Address Book to broadcast a Screen Name for the other iChat clients (separate buddy List)
    Possibly start here
    http://www.ralphjohnsuk.dsl.pipex.com/index.html
    Just getting started ?
    http://www.siriusaddict.com/ichat.html
    Collaboration Services Forum in OS XServer
    http://discussions.apple.com/forum.jspa?forumID=700
    8:44 PM Monday; August 13, 2007

  • DMVPN behind NAT

    Hi,
    I'm having a little trouble getting a DMVPN up using a host that is behind a NAT device. It looks as though with my version of IOS I need to use IPSec tunnel mode, but the NHRP registration on the hub shows the real address of the spoke and not the NAT'd address. Because of this the spoke can't be seen by any others.
    Any ideas where I may be going wrong here?
    Thanks in advance for your help!
    Andy

    DMVPN is supported behind NAT. This is usually seen on routers. Upgrade the router software to 12.3(11)T6 or greater to fix this issue.

  • OEAP602 - Support for APs behind NAT

    Support for APs behind NAT
    In the 7.2.103.0 release, you can deploy up to 3 OfficeExtend access points (OEAPs) behind a NAT device. You can deploy up to 50 FlexConnect access points (with or without Data DTLS) behind a NAT device.
    Source: http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html
    I'm confused, does it mean I can't have more than 3 OEAP602s deployed in the same remote site (let say, a Hotel) with the same Public IP back to my OEAP-WLC ?

    I know on 7.0 MR1 only supports 1. I learned that the hard way doing a meeting at a hotel for our staff.
    One thing we did was hook up a switch to port 4 and did HREAP with 2 other aps.. Not ideal but I like to test limits ..

  • L2TP VPN for servers behind NAT

    I have two 2012 R2 servers, both behind NAT, which I'm trying to connect via VPN. I have no problem connecting them via PPTP, but when connecting them via L2TP (with shared key for testing), the dialing server never connects to other server.
    I assume that the problem is that they're both behind NAT.  In Windows Server 2008, you were able to set a registry value to get the L2TP connections to work under NAT, see
    http://support.microsoft.com/kb/926179 by setting the environment variable AssumeUDPEncapsulationContextOnSendRule.
    I tried using this with the two servers, but it didn't seem to help.  Is there some other way to get the L2TP connection for the two 2012 R2 servers working behind NAT?

    Hi,
    Thanks for your pointer and sorry for replying so late.
    I am sorry to say that I haven’t found any documents to ensure whether NAT-T is supported in Windows server 2012 R2 or not. In addition, VPN servers that are located behind NAT is not recommended. When a server is behind a network address translator, and the server uses NAT-T, unintended behavior might occur because of the way NAT translate network traffic.
    Best regards,
    Susie

  • RMI Clients behind firewall

    When the RMI client behind firewall tries to access the server the following error is thrown up:
    java.rmi.ConnectIOException: Exception creating connection to: 10.130.12.128; nested exception is:
    java.net.NoRouteToHostException: Operation timed out: no further information
    java.net.NoRouteToHostException: Operation timed out: no further information
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(Unknown Source)
    at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.Socket.<init>(Unknown Source)
    at java.net.Socket.<init>(Unknown Source)
    at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(Unknown Source)
    at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(Unknown Source)
    at sun.rmi.transport.tcp.TCPEndpoint.newSocket(Unknown Source)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
    at sun.rmi.server.UnicastRef.invoke(Unknown Source)
    at RMIFaxServer_Stub.getResult(Unknown Source)
    at FaxTest.main(FaxTest.java:51)

    Your client is behind the firewall but the server you're trying to access has an address 10.x.x.x which says that it too is behind a firewall and not on the Internet, or is the server in a DMZ. It sounds more like a networking issue than a Java problem at this point. If the server is on some side of a firewall, you may need some sort of "permit established" config setting added to the firewall. Just a thought.

  • Dealing with client access to servers behind NAT

    It depends on your firewall configuration. This is normally known as 'loopback' - a client internal to the network accessing a service on a WAN IP address will be directed to the correct server if loopback is enabled.
    I remember, some years ago, dealing with firewalls which explicitly would not allow this to happen, requiring a split DNS strategy. I don't recall needing to regularly flush the DNS cache in this case.

    Hi there,
    This is just a general question about "best practice".
    Imagine this scenario:
    a network protected by firewall, all LANs using private IP address, e.g. 10.x.x.x and/or 192.168.x.x
    access to the server from external (www/ftp/etc) will need to go through firewall
    setup the firewall with 1-1 NAT
    for example: access to 1.2.3.4 on port 8080 goes to the server 10.0.0.10 on port 8765
    using Windows Server 2008 as DC/DNS
    My question is ... how the client deal with that?
    I mean, let's say someone grab a laptop and goes to another country.
    From the above scenario, accessing the server would be 1.2.3.4 as the destination IP address.
    But what happen when the laptop goes back to the office? accessing the same server will still give 1.2.3.4 as the destination since it's still cached, right?
    does it mean that we need to set up a script to always flush...
    This topic first appeared in the Spiceworks Community

  • Lync Client Behind A Proxy

    Can anyone confirm if the Lync client can be configured to route traffic via a proxy, or to use the proxy settings defined in IE?
    I have the following scenario...
    The environment is heavily locked down, and PCs only have access to the Internet via a defined IE proxy. Internal IM, presence and communication all work fine. We have configured federation with some remote organizations. IM and presence work fine to these orgs, but when any A/V or application sharing is attempted, the media fails. I can see from traces this is when the client tries (and fails) to access the A/V edge of the remote federated party's edge server.
    I've looked at the Lync settings, reg settings, group policy ADM and documentation, and can't find anything to a) confirm if this behavior is correct or b) any way to work around it.
    There must be other Lync implementations in hardened environments like this. Opening up outbound ports is out of the question, so what other options do I have?
    Dave

    Jay, you missed the key word in my last post "internally". Functionally, everything about the edge server is working fine. Clients can log in internally and externally. Media flow from internal to external clients is fine. All SIP/AV/WEBCON DNS entries are fine in public DNS along with supporting SRV records. These interfaces are NAT'd and the AV address is correctly assigned.
    My problem only occurs when an AV session is attempted with a federated partner...
    When any AV or sharing is attempted, from the internal network, to the federated partner, I can see the Lync client attempting to make connections out to the remote federated partner's AV edge (something which it will never be able to do as it's behind a proxy with no direct Internet access). This is what I'm trying to address.
    Should the SIP/AV/WEBCON address exist INTERNALLY on the corporate DNS servers for internal clients to resolve? Is this what I have missed?
    Is there any way to instruct the Lync client to route traffic bound for the Internet via a proxy?
    Surely there must be someone else with this scenario in a locked down environment?
