E900 chained routers - double NAT

Similar Messages

• Since cahnging FIOS Internet provider, which required a router to go in front of "AirPort" I have a blinking yellow on the AirPort and suggested editing in AirPort utility to cahnge from Double NAT to "Bridge Mode" my knowledge base is not clear as t

  How do I clean up my new FIOS connection? I just cahnged ISP Fios and they reqquired a router of thier own in front of my AirPort Extreme. Since then I have blinking yellow light on the AirPort and AirPort utility keeps promting for an edit. Suggests canging from NAT to "Bridge mode". Obviuosly U have some internet or this post would not go anywhere, my knowledge base is not enought to feel comfortable with changing the settings. Correctly editing can be tricky, so how do I make necessary changes?

  How do I clean up my new FIOS connection?
  The FIOS router needs to be in Bridge Mode to prevent the Double NAT error from occurring when two routers are both fighting with each other for control of the network.
  Unfortunately, the likely problem from the FIOS side is that FIOS support will either tell you that their router cannot be configured to operate in Bridge Mode, or if it can, they will not tell you how to do it.
  But, it could not hurt to check with FIOS to see if anything might have changed recently in this regard, so your first call would be to FIOS support.
  If you cannot change the FIOS router to Bridge Mode, the alternate plan would be to change the AirPort Extreme to Bridge Mode. If you are using the Guest Network feature on the AirPort Extreme at this time, that feature will not work correctly when the AirPort is set up in Bridge Mode.

• Why do I lose internet connection when I put airport extreme into bridge mode to correct Double NAT issue

  I reset my airport extreme router the other day because I was too lazy to reset the password on my private network.
  I have been reading the advice found on apple support communities and wide web, but the solutions do not solve any problems and often create new ones.
  I'm regretting because everything was working just fine.
  But I remember having this double nat error when I first set it up a few months back, but now I cannot resolve it.
  I would live with the yellow light, but it seems that this double nat error is preventing my playstation 3 from connecting to the airport extreme.
  When I put the aiport extreme into bridge mode, I loose all my wireless networks, even when I reboot the airport extreme and the modem.
  I try rebooting the modem, then the airport. and vice versa. No internet.
  I switch back to NAT/DCHP and the internet works fine on apple devices, but not the playstation 3, and I have the 1 Double NAT error.
  I have a plain stock Motorolla modem and I can dial in and see settings (although nothing about NAT). I didn't see where to see them.
  I tried setting the DHCP only but it said it didn't like the settings. is there a stock range i could be using?

  I have a plain stock Motorolla modem and I can dial in and see settings (although nothing about NAT). I didn't see where to see them.
  Exact model .. motorola make adsl, cable and probably wireless modems.. with some modems and some modem router.. we need exact info. What kind of broadband do you have?
  I would note.. some of the motorola cable modems seem to have issues with the apple routers. If you are about due to change modems.. now is a good time.. not another motorola.
  If the modem is a straight cable modem, the AE must be in router mode.. but you need to power down the cable modem. maybe for 20min so the new router can pick up the IP address.
  You cannot use DHCP alone.. the ISP do not give you a block of IP addresses.
  You cannot use bridge with a pure modem.. you will find it works.. but only to one device.
  The only reason you get double NAT is the failure to pick up the public IP.
  Give the info required..
  If you have trouble, I need the actual IP of the modem. the actual IP of the AE WAN port when plugged in. Screenshots are good.

• My Time Capsule is giving me a warning that  double NAT situation is occurring and recommends that I set it to bridge mode What is all this about please can it be explained in layman's terms and not martian thank you.

  My Time Capsule is giving me a warning that  double NAT situation is occurring and recommends that I set it to bridge mode What is all this about please can it be explained in layman's terms and not martian thank you.

  You have two devices....the Netgear and Time Capsule both configured to act as routers on the network. You only want one device providing this service.
  I suggest that you configure the Time Capsule in Bridge Mode as suggested to eliminate the Double NAT error. Unfortunately, the Guest Network cannot be enabled in this setting.
  No other adjustments are needed and everything else will operate normally...and the Time Capsule will still be providing your wireless network signal.
  Once the Time Capsule is configured in Bridge Mode, it would be an excellent idea to perform a complete power cycle on the network to allow things to reset properly.
  Just power off all devices on the network in any order that you want
  Wait a minute
  Start the Netgear device first, and let it run a minute by itself
  Start the Time Capsule next the same way
  Continue starting devices one at a time the same way until everything is powered backup
  The other option you have is to "ignore" the error and the light will turn green. The Double NAT error may...or may not cause some issues for you down the line. The next time that you update the Mac operating system, or update the firmware in the Time Capsule, it may likely change the Time Capsule to Bridge Mode automatically.
  If your Guest Network "disappears", you will know why this happened, and you will have to manually configure the Time Capsule again in Router Mode to provide DHCP and NAT services.
  Double NAT can also cause a slow down of web page loading. You may...or may not....notice this.

• Double Natting Question

  We just moved into a new place and shaw provides a wireless router for the broadband 50 connection no intstead of just a standalone bridge for the cable modem now.
  2 devices are
  Airport Extreme
  Cisco - DPC3825
  I was just upgrarding firmware and I get this message.
  Problem 1/1 - Double Nat
  Screenshot attached of error
  So I am wondering if I should put this in bridge mode so or in second option. Or should I configure cisco router in bridge mode and change this? Just wondering if anyone had any real life expereince with these.
  Also I work from home and I use an aruba remote ap (RAP2) It creates an ipsec tunnel and connects back to our controller in California. Before we moved I had this connected into my airport extreme that was connected directly to the motorola cable modem.
  Appreciate the help on this.

  You should definitely configure the AirPort Exteme in Bridge Mode since you already have another router "upstream" on your network.
  If you select the "Share a single IP address setting", you will have two devices....both trying to act as routers distributing IP addresses and handling NAT services.
  That....is a virtual guarantee that you will have multiple conflicts on the network.

• Question # 2--how to avoid the DHCP conflict issue, double NAT, etc.

  I'm having a tough day wasting hours working on the TC. It once worked fine for a year. Now, I'm struggling to maintain a connection at all.
  I may be doing this wrong but I'm using two screens to manage this.
  1. preferences/network
  2. the TC internet connection settings
  I had written all of my settings that worked on a piece of paper. Now that I've had to reset everything earlier today by plugging/unplugging stuff per Comcast orders, I'm wondering if all of my previous settings are worthless.
  Reading possible solutions on here I tried to set the connection sharing to bridge to avoid the double NAT issue. This resulted in a message that more than one computer had the same IP address and I couldn't access the internet so I went back to sharing the public IP address like I had before.
  I had, and I'm trying to have now, IPv4 configured manually. When I use settings like I had before, it tells me the DHCP range is invalid. If I increase the 3rd digit/group of numbers to change the range, it re-boots but I'm unable to get to the internet.
  I don't know what I'm doing wrong. Any help?

  Thanks to you both for responding.  I had actually already read that Networking 3.0 document ... and since options 1-3 were not allowing the QuickVPN to work and options 4+ resulted in lost FIOS TV services I wasn't pursuing any of those options.  Out of all of them it sounds like Bridging the Westell would be closest to what I want (enabling the Cisco router to acquire the public IP address).  But I'm not willing to sacrifice my TV functions so even that option is a non-starter for me.
  Over the past two weeks I have spent some 30 or 40 hours researching and then tinkering with the configuration on the routers (and VPN client software -- QuickVPN and shrewsoft VPN client).  So I just invested about 15 minutes in downloading the free TeamViewer software.  And although I didn't want to go the "3rd party software" route I'm actually glad I tried it.  I now have a working VPN connection via TeamViewer, and through the VPN am able to use windows remote desktop just fine -- which was my goal all along.  I'm concerned about the 3rd party software / security ... but at least this works.  And I can always disable the TeamViewer Service when I'm not using the software. 

• I live in an apartment with supplied internet.  I have wireless network with no password.  I have a wall outlet that I can plug into.  When I plug in my TC I get a double NAT error.  I try bridge mode, but I can't get the internet to work.

  Can I get an explanation of what bridge mode is?
  Can I get suggestions on what I should do to use the TC as a wireless device to spread the same wireless device my apartment is broadcasting? 
  Can I get a suggestion on how to use the TC as a different wireless device with it's own password without access to the cable modem.  I only have access to a wall port. 
  I own many apple devices, iMac mid-2011, Macbook Air 2013, 2 ipads, and 2 iphones for the family, and Apple TV. 
  I want all my devices to be on a password related internet but the double nat on my TC makes weird things happen and slow.  I try bridge mode but the internet doesn't work. 
  I hope I have described this situation clearly enough. 
  Thanks

  I want all my devices to be on a password related internet but the double nat on my TC makes weird things happen and slow.  I try bridge mode but the internet doesn't work.
  You building supplied internet is a cheap service that is without proper routable addresses..
  Therefore to use more than one IP you MUST have double NAT.. sorry there is no choice..
  Slow that is because you are sharing internet with every other person in the building.. get your own broadband service.
  Bridge will not work.. it cannot work because the building only has private IP addressing. And they only give you a single address.
  You can put a password on the wireless.. go to the airport utility and put in a password.
  Other than that I don't understand what password you expect.
  Can I get an explanation of what bridge mode is?
  No NAT.. means the TC becomes a dumb Wireless AP and switch.. works fine with a cable modem router.. or any broadband router but useless with your building system.
  Can I get suggestions on what I should do to use the TC as a wireless device to spread the same wireless device my apartment is broadcasting?
  Double NAT, and set your own wireless names. There is no alternative.. sorry.

• No DNS and Double NAT

  Hello, I've recently encountered a very frustrating bug in my system that I could use some help troubleshooting.  I've read several similar posts, some are resolved while others are not, however none of the resolutions have worked for my situation.  Here it goes:
  I have an old macbook pro, a new macbook air, a white macbook and 2 iPhone 4s's all connected to the internet via WiFi through an AirPort Extreme.  The AE is connected to a cable modem which has internet service through Cablevision in NY.  There is also an AT&T Microcell hooked up to the AE to boost my cell signal.   All of this equipment has been working flawlessly together for a long time.  Until recently.  It could have started after an update, there have been several lately on all of the equipment including the firmware in the AE.  Anyway, I'll be connected without any issues - all lights green and happy - when suddenly, the internet will drop off and the AirPort Utility will pop up and warn me that:
  1) On the "internet" icon, it will say "disconnected"  
  2) On the AE icon, it says "No DNS server and Double NAT"
  After a few minutes and nothing done on my part, the lights turn green, the internet reconnects and all is well again. 
  This happens frequently and is really beaching a nuisance.  Due to the frequency of the disconnection, I can no longer download a large file, update, or anything.  Streaming video is impossible.
  So far, I have tried bridge mode and cycled the power in the order recommended to no avail.  When I do that, the AE turns green, but the internet says "not connected".  I have also read that there might be too many IP addresses which is not sitting well with my ISP, so I disconnected everything including unplugging the Microcell.  Lastly, there are no other wireless phones or devises in the house.  All to no avail.
  I should also mention that this began occurring on my Time Capsule, which I replaced with the AE in an attempt to fix this issue. 
  Any help would be greatly appreciated.
  Joe

  Sounds very similar to what I've been trouble shooting for 2 months now, only I have DSL from AT&T and I don't see the Double NAT warning.  My last post on the problem is here. 
  My only emergency solution for getting by day to day on the internet is to unplug the AE and connect one Mac directly to the DSL modem.  There's no shared connection or WiFi.  I looked at hosting WiFi from the Mac, but the only security available with that is WEP which isn't considered secure.  Even with this set up, I think (seat of the pants) that there are quality of service problems. 
  I've replaced the Airport Extreme with 2 different new units and the DSL modem with a new unit to no avail.  The Genius Bar and Apple phone support couldn't solve this, nor have 2 calls to AT&T support and one visit from an AT&T repairman.
  I would like to know how to better test or quantify the poor quality of connection that seems to be the problem.

• Airport Internet Sharing and Double Nat Issue on the road

  The Airport express is a very handy little piece of hardware that is particularly easy to pack in a luggage and carry along for those of us that are spending lots of time out of the office and home.
  So here is the scenario when I travel and check in into an overseas hotel: I got two iphones, one local network, one my home network, and a Mac Book Pro, and soon, [when it finally ships], an iPad.
  That makes it at least 3 MAC addresses in one room, and if i have any visiting colleagues to pack up a presentation, I will have more.
  Usually hotels in Asia are well equipped with ethernet points in every room. The problem comes when I want to allow all my gears to connect to the internet.
  I can use the Mac Book to share its ethernet connection while tethered to the plug, which not only turns it into an unlikely desktop, but also do not champion stability when it goes in stand by or sleeps and at times it even mixes up which is the access point to the net. Therefore this does not seem to be the best solution.
  I can put the AE in bridge mode and plug it straight to the ethernet. But most hotels internet access are designed to charge per MAC address, so every time the router assigns via DHCP an IP to one of my gears it requires to accept new charges for that gear, even if they are all in the same room. This definitely does not seem right either.
  Now if I configure the AE to share a public IP address and force it to ignore the double NAT warning, the AE light turns green but the internet sharing does not seem to work at all.
  My two questions are:
  1) Why can't the AE be configured like the Mac Book to have a simple "Internet Sharing" protocol that will be always live and not going to sleep or stand by like the laptop [As the AE is design to be always online as a wireless connection].
  2) is there any way to make that "Share a public IP - *** double NAT" work?
  Any feedback is welcome.
  Thanks. M

  Hi Bob,
  thanks for your reply. Yes the only way to work it out on a typical hotel set up is to adopt the bridge mode and sometime the do waive your extra logs in. But I am not always so lucky and I often need to come up with less optimal solution.
  This is a bit disappointing when you a have a AE in your luggage and you can't use it properly.
  Yet my Mac can work the problem out effortlessly by just "Sharing a internet connection" with the only major limitation of being physically connected to the Ethernet cable.
  Why can't the Airport Express do the same thing? Basically the AE could share the internet connection like the Mac Book, i guess introducing a secondary layer of NAT after the Hotel modem/router NAT setup [which is what the MAC Book is doing].
  If AE can't do that at all then I guess soon we will just end up shelving it.
  I wonder if this is an actual hardware limitation, MAC Book can wire TCP/IP flow to different sources on a double nat and AE can't, or this is just a software limitation and Apple could fix it with a firmware upgrade.
  Any thoughts on this?

• Time Capsule - No DNS servers and Double NAT

  I'm connecting an MBP running 10.5.6 to a Time Capsule which accesses Virgin Media broadband using a cable modem.
  It has been working fine for 6 months, but I made some changes this morning to get my wireless camera onto the network, which broke the connection, and don't seem to be able to undo them.
  The TC now flashes amber, and going into Airport Utility I get the following errors:
  - No DNS Servers
  - Double NAT
  I've typed the DNS servers' IP addresses for my ISP into Airport Utility but it doesn't seem to recognise them. It also complains about a double NAT problem but I don't have another router assigning IP addresses.
  I've also tried a hard reset on the TC, switched it and the modem off, waited 30 mins and then switched back on again - no luck.
  Screenshots of all the settings on my TC from Airport Utility are here:
  http://web.me.com/julianlove/Site/TimeCapsule.html
  I'm not very knowledgeable about networking so any assistance appreciated.

  Double NAT is an indication that you have two devices on the network both trying to perform routing duties. You only want one device doing this on a network. Solve the NAT issue and the DNS issue will go away as well.
  What is the make and model number of the device that you call your "modem"?

• How do I set up my Airport Express to my Viasat modem, which requires a DHCP connection, without getting a double NAT connection error?

  I have an Airport Express connected to a Viasat 4100 satellite modem. This requires a DHCP connection and is connected to my Airport Express by Ethernet. I then have three computers (two running Mavericks and one running Lion) and two IPhone 5s and an Apple Tv on the network. If the Airport Express is set to DHCP and NAT then the network works and I have internet, but the amber light flashes and I have a double NAT error. If I use it in Bridge mode the airport express goes green but I have no internet. How can I set it up so it works properly? If anyone knows could they please give all the settings I shoud use on the Airport Express as I may have left incorrect setting on it whilst trying to fix the problem. I have checked and it has been confirmed that I cannot change any settings on the satellite modem.

  Go into AirPort Utility, click on the AirPort Express, and click on the "Double-NAT" error. Click Ignore. There's nothing that can be done about the Double-Nat unless you ignore it (no harm) or contact your ISP and get them to change your Modem/Router into Bridge Mode, and even then can't guarantee that you won't get that error.
  Again, best thing to do: Ignore the Double-Nat Error.

• NAT overload is not working when i configure Double NAT for VPN

  I have Cisco 2921 router with OS version 15.1(4)M1.
  the router is configured for NAT overload and working fine, i have site to site VPN tunnel with peer with normal NAT translation. now we need to configure Double NAT on the VPN tunnel as we need to free the subnet on peer network. for double nat i use 3.2.21.x - 3.2.23.x / 24 network and apply following command
  Double NAT translation
  ip nat inside source static network 192.168.10.0 3.2.21.0 /24 no-alias
  ip nat inside source static network 192.168.20.0 3.2.22.0/24 no-alias
  ip nat inside source static network 192.168.30.0 3.2.23.0 /24 no-alias
  Nonat
  access-list 101 deny   ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 101 deny   ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 101 deny   ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
  VPN encrypted traffic over the tunnel
  access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
  Problem:
  as soon as i apply Double NAT translation command the  NAT overload stop working and client cannot reach to the internet
  the router partial configuration is as below
  REACH-R01(config)#do sh run
  Building configuration...
  Current configuration : 19233 bytes
  ! Last configuration change at 09:56:45 MST Tue Jan 29 2013 by admin
  ! NVRAM config last updated at 13:57:54 MST Wed Jan 30 2013
  ! NVRAM config last updated at 13:57:54 MST Wed Jan 30 2013
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname REACH-R01
  boot-start-marker
  boot-end-marker
  card type t1 0 0
  logging buffered 51200 warnings
  no aaa new-model
  clock timezone MST -7 0
  clock summer-time MST recurring
  network-clock-participate wic 0
  network-clock-select 1 T1 0/0/0
  no ipv6 cef
  ip source-route
  ip cef
  ip dhcp excluded-address 192.168.20.1 192.168.20.99
  ip dhcp excluded-address 192.168.20.250 192.168.20.255
  ip dhcp pool CISCO_PHONES
  network 192.168.20.0 255.255.255.0
  default-router 192.168.20.254
  option 150 ip 192.168.20.254
  no ip domain lookup
  ip domain name reach.local
  ip inspect name ethernetin ftp timeout 3600
  ip inspect name ethernetin h323 timeout 3600
  ip inspect name ethernetin http timeout 3600
  ip inspect name ethernetin rcmd timeout 3600
  ip inspect name ethernetin realaudio timeout 3600
  ip inspect name ethernetin smtp timeout 3600
  ip inspect name ethernetin sqlnet timeout 3600
  ip inspect name ethernetin streamworks timeout 3600
  ip inspect name ethernetin tcp timeout 3600
  ip inspect name ethernetin tftp timeout 30
  ip inspect name ethernetin udp timeout 15
  ip inspect name ethernetin vdolive timeout 3600
  multilink bundle-name authenticated
  isdn switch-type primary-ni
  trunk group PRI
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-3180627716
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3180627716
  revocation-check none
  rsakeypair TP-self-signed-3180627716
  voice-card 0
  dsp services dspfarm
  voice service voip
  allow-connections sip to sip
  fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
  sip
  voice translation-rule 1
  rule 5 /^7804981231/ /401/
  voice translation-rule 2
  rule 5 // /7804981231/
  voice translation-profile DID_INBOUND
  translate called 1
  voice translation-profile DID_OUTBOUND
  translate calling 2
  license udi pid CISCO2911/K9 sn FGL1540114P
  license accept end user agreement
  license boot module c2900 technology-package securityk9
  hw-module ism 0
  hw-module pvdm 0/0
  username test test
  redundancy
  controller T1 0/0/0
  cablelength long 0db
  pri-group timeslots 1-6,24
  no ip ftp passive
  crypto isakmp policy 10
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key P@ssw0rd address 33.33.33.33 no-xauth
  crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
  crypto map VPN-TUNNEL 1 ipsec-isakmp
  description COMPUGEN
  set peer 33.33.33.33
  set transform-set ESP-AES256-SHA
  match address 115
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  description Outside Interface To the Internet
  ip address dhcp
  ip access-group outside_access_in in
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map VPN-TUNNEL
  interface ISM0/0
  ip unnumbered GigabitEthernet0/1.20
  service-module ip address 192.168.20.2 255.255.255.0
  !Application: CUE Running on ISM
  service-module ip default-gateway 192.168.20.254
  interface GigabitEthernet0/1
  no ip address
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface GigabitEthernet0/1.10
  description VLAN 10 DATA VLAN
  encapsulation dot1Q 10
  ip address 192.168.10.254 255.255.255.0
  ip nat inside
  ip inspect ethernetin in
  ip virtual-reassembly in
  interface GigabitEthernet0/1.20
  description VLAN 20 VOICE VLAN
  encapsulation dot1Q 20
  ip address 192.168.20.254 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  interface GigabitEthernet0/1.30
  description VLAN 30 WIRELESS VLAN
  encapsulation dot1Q 30
  ip address 192.168.30.254 255.255.255.0
  ip nat inside
  ip inspect ethernetin in
  ip virtual-reassembly in
  interface GigabitEthernet0/2
  no ip address
  shutdown
  duplex auto
  speed auto
  interface ISM0/1
  description Internal switch interface connected to Internal Service Module
  no ip address
  interface Serial0/0/0:23
  no ip address
  encapsulation hdlc
  isdn switch-type primary-ni
  isdn incoming-voice voice
  trunk-group PRI
  no cdp enable
  interface Vlan1
  no ip address
  ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip http path flash:CME8.6/GUI
  ip nat inside source static tcp 192.168.10.10 443 interface GigabitEthernet0/0 443
  ip nat inside source static tcp 192.168.10.10 25 interface GigabitEthernet0/0 25
  ip nat inside source static tcp 192.168.10.10 1723 interface GigabitEthernet0/0 1723
  ip nat inside source static tcp 192.168.10.10 3389 interface GigabitEthernet0/0 3389
  ip nat inside source static tcp 192.168.10.10 123 interface GigabitEthernet0/0 123
  ip nat inside source static tcp 192.168.10.10 987 interface GigabitEthernet0/0 987
  ip nat inside source list 101 interface GigabitEthernet0/0 overload
  ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 75.152.248.1
  ip route 0.0.0.0 0.0.0.0 75.152.248.1 254
  ip route 0.0.0.0 0.0.0.0 205.206.0.1 254
  ip route 192.168.20.2 255.255.255.255 ISM0/0
  ip access-list extended outside_access_in
  permit udp any any eq bootps
  permit udp any any eq bootpc
  permit tcp any host 22.22.22.22 eq 1723
  permit tcp any host 22.22.22.22 eq 3389
  permit tcp any host 22.22.22.22 eq smtp
  permit tcp any host 22.22.22.22 eq 443
  permit tcp any host 22.22.22.22 eq domain
  permit udp any host 22.22.22.22 eq domain
  permit tcp any host 22.22.22.22 eq 123
  permit icmp any host 22.22.22.22 unreachable
  permit icmp any host 22.22.22.22 echo-reply
  permit icmp any host 22.22.22.22 packet-too-big
  permit icmp any host 22.22.22.22 time-exceeded
  permit icmp any host 22.22.22.22 traceroute
  permit icmp any host 22.22.22.22 administratively-prohibited
  permit icmp any host 22.22.22.22 echo
  permit tcp any host 22.22.22.22 eq 987
  permit tcp any host 22.22.22.22 eq 47
  permit gre any host 22.22.22.22
  permit udp any host 22.22.22.22 eq isakmp
  permit esp any host 22.22.22.22
  access-list 23 permit any
  access-list 101 deny   ip 192.168.20.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 101 deny   ip 192.168.30.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 101 deny   ip 192.168.10.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 101 deny   ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 101 deny   ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 101 deny   ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 101 permit ip 192.168.10.0 0.0.0.255 any
  access-list 101 permit ip 192.168.20.0 0.0.0.255 any
  access-list 101 permit ip 192.168.30.0 0.0.0.255 any
  access-list 110 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
  access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
  access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
  Solution: Support forums team

  I have the same problem also.  Restarting isn't helping and the auto lock/unlock button is on.  Plus a couple of time when I turn it on it is asking if I want to power off.  That is when I push the button on the front to wake it up.  Not the power button on top.  I have an IPAd 2. Worked fine before the update. 

• Back to my Mac: Double NAT error

  I can't seem to get Back to my Mac to work. My Airport Extreme says that I have a double NAT error. I have tried to put it in Bridge mode, but doing so disables the wireless capabilities of the Airport Extreme.
  The geography of my network is as follows:
  Cable port on wall> Cable modem
  Cable modem> Ethernet> Airport Extreme
  Airport Extreme> WiFi> Macbook Pro
  I have a Motorola surfboard modem, which I have called Motorola about and they say that it does not provide a layer of NAT. I have called my ISP and they confirmed that they do not provide a layer of NAT as well.
  Does anyone have any ideas on how to resolve this issue?

  FiggyOO wrote:
  I have confirmed that my modem is simply a modem, no gateway. In case you were wondering its a Motorola SB5101U. According to the Airport utility, my IP is 10.1.4.104.
  If that's really the "WAN" IP address of your AirPort unit, then it's a "private" IP address, as it's in one of the private address ranges of 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255. You can verify that address in the AirPort Utility Internet panel, TCP/IP tab. Unless your ISP tells you otherwise, you should have the "Configure IPv4" set to "Using DHCP" and the WAN IP address should be just below that.
  If that address checks out, something "upstream" of your AirPort unit is doing a NAT operation.
  The manuals I found for your modem seem to confirm that it has no router functionality, so it would be unable to be the source of the NAT.
  I'd call your ISP and ask them why your modem is passing you a "private" IP address. There no need (at least initially) to mention what you have connected to the modem, as that would only tend to confuse the support people.

• Double NAT Error with Airport Extreme and Airport Express

  I have an Airport Extreme 802.11n base station which is connected to my DSL Modem/ Router via Ethernet. I have a MacPro which does not have an airport card installed so I bought an Airport Express 802.11n - which is connected to my MacPro via ethernet - and thus provides my MacPro with internet access.
  Originally I had the APExtreme and the APExpress set up in a WDS - all worked well - my other wifi equipped macs and devices in the house connected to the network with no problem, but I did notice that the maximum throughput I was getting was 802.11g speeds - this is of course due to the overhead of the WDS.
  I originally purchased these 802.11n devices because I wanted the higher throughput - so I decided to terminate the WDS and just have the APExpress (attached to my MacPro) "join" the wireless network instead of extending it - which works and I am enjoying the 802.11n speed.
  So, I just upgraded a couple of my Macs to 10.6.2 and was going to start using "Back to My Mac" and I got the error that there is a double NAT address problem and that "Back to My Mac" won't work until this is resolved.
  I know that going back to a WDS will resolve the double NAT problem - but I don't want to take the performance hit that goes with the WDS.
  So, short of buying an Airport card for my MacPro (which would eliminate the need of the APExpress)
  Is there any other way to resolve this double NAT problem besides WDS?
  Thanks for any advice.

  First of all thanks for your quick reply!
  Connecting my MacPro to the Airport Extreme would be a serious pain as the DSL Modem and APExtreme are upstairs near the only connection point in the building to a phone line - and my MacPro is downstairs.
  I suppose I could dig out a very long ethernet cable to perform the test. But before I jump through that hoop - please explain to me what you are trying to get at - in other words - what does it mean if this resolves the double nat error - and what does it mean if it does not?

• How do I correct a Double NAT status?

  I have used time capsule 2TB for a while, made changes many times,never had a problem but today after I made changes it is giving me a blinking amber light from the time capsule unit and from the airport wireless utility status "Double NAT". How can I correct this status?
  Thank you in adavnce for the help.

  Hi Thortey,
  If you are having issues with a "Double NAT" notification, you may want to take a look at the following article; while it speaks to Double NAT specifically in the context of Back to My Mac, the information and resolution steps for a Double NAT configuration should be universal:
  Back to My Mac: "Double NAT" configurations may prevent Back to My Mac connections
  http://support.apple.com/kb/TS1208
  Cheers,
  - Brenden