GT784WNV NAT and subnets

Similar Messages

• Howto: Zones in private subnets using ipfilter's NAT and Port forwarding

  This setup supports the following features:
  * Requires 1 Network interface total.
  * Supports 1 or more public ips.
  * Allows Zone to Zone private network traffic.
  * Allows internet access from the global zones.
  * Allows direct (via ipfilter) internet access to ports in non-global zones.
  (change networks to suit your needs, the number of public and private ip was lowered to simplify this doc)
  Network setup:
  iprb0 65.38.103.1/24
  defaultrouter 65.38.103.254
  iprb0:1 192.168.1.1/24 (in global zone)
  Create a zone on iprb0 with an ip of 192.168.1.2
  ### Example /etc/ipf/ipnat.conf
  # forward from a public port to a private zone port
  rdr iprb0 65.38.103.1/32 port 2222 -> 192.168.1.2 port 22
  # force outbound zone traffic thru a certain ip address
  # required for mail servers because of reverse lookup
  map iprb0 192.168.1.2/32 -> 65.38.103.1/32 proxy port ftp ftp/tcp
  map iprb0 192.168.1.2/32 -> 65.38.103.1/32 portmap tcp/udp auto
  map iprb0 192.168.1.2/32 -> 65.38.103.1
  # allow any 192.168.1.x zone to use the internet
  map iprb0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
  map iprb0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
  map iprb0 192.168.1.0/24 -> 0/32For testing purposes you can leave /etc/ipf/ipf.conf empty.
  Be aware the you must "svcadm disable ipfilter; svcadm enable ipfilter" to reload rules and the rules stay loaded if they are just disabled(bug).
  Zones can't modify their routes and inherit the default routes of the global zone. Because of this we have to trick the non-global zones into using a router that doesn't exist.
  Create /etc/init.d/zone_route_hack
  Link this file to /etc/rc3.d/S99zone_route_hack.
  #/bin/sh
  # based on information found at
  # http://blogs.sun.com/roller/page/edp?entry=using_branded_zones_on_a
  # http://forum.sun.com/jive/thread.jspa?threadID=75669&messageID=275741
  fake_router=192.168.1.254
  public_net=65.38.103.0
  router=`netstat -rn | grep default | grep -v " $fake_router " | nawk '{print $2}'`
  # send some data to the real network router so we look up it's arp address
  ping -sn $router 1 1 >/dev/null
  # record the arp address of the real router
  router_arp=`arp $router | nawk '{print $4}'`
  # delete any existing arp address entry for our fake private subnet router
  arp -d $fake_router >/dev/null
  # assign the real routers arp address to our fake private subnet router
  arp -s $fake_router $router_arp
  # route our private subnet through our fake private subnet router
  route add default $fake_router
  # Can't create this route until the zone/interface are loaded
  # Adjust this based on your hardware and number of zones
  sleep 300
  # Duplicate this line for every non-global zone with a private ip that
  # will have ipfilter rdr (redirects) pointing to it
  route add -net $public_net 192.168.1.2 -ifaceNow we have both public and private ip addresses on our one iprb0 interface. If we'd really like our private zone network to really be private we don't want any non-NAT'ed 192.168.1.x traffic leaving the interface. Since ipfilter can't block traffic between zones because they use loopbacks we can just block the 192.168.1.x traffic and the zones can still talk.
  The following /etc/ipf/ipf.conf defaults to deny.
  # ipf.conf
  # IP Filter rules to be loaded during startup
  # See ipf(4) manpage for more information on
  # IP Filter rules syntax.
  # INCOMING DEFAULT DENY
  block in all
  block return-rst in proto tcp all
  # two open ports one of which is redirected in ipnat.conf
  pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
  pass in quick on iprb0 proto tcp from any to any port = 2222 flags S keep state keep frags
  # INCOMING PING
  pass in quick on iprb0 proto icmp from any to 65.38.103.0/24 icmp-type 8 keep state
  # INCOMING GLOBAL ZONE UNIX TRACEROUTE FIX PART 1
  #pass in quick on iprb0 proto udp from any to 65.38.103.0/24 keep state
  # OUTGOING RULES
  block out all
  # ALL INTERNAL TRAFFIC STAYS INTERNAL (Zones use non-filtered loopback)
  # remove/edit as needed to actually talk to local private physical networks
  block out quick from any to 192.168.0.0/16
  block out quick from any to 172.16.0.0/12
  block out quick from any to 10.0.0.0/8
  block out quick from any to 0.0.0.0/8
  block out quick from any to 127.0.0.0/8
  block out quick from any to 169.254.0.0/16
  block out quick from any to 192.0.2.0/24
  block out quick from any to 204.152.64.0/23
  block out quick from any to 224.0.0.0/3
  # Allow traffic out the public interface on the public address
  pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
  # OUTGOING PING
  pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 8 keep state
  # Allow traffic out the public interface on the private address (needs nat and router arp hack)
  pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
  # OUTGOING PING
  pass out quick on iprb0 proto icmp from 192.168.1.0/24 to any icmp-type 8 keep state
  # INCOMING TRACEROUTE FIX PART 2
  #pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 3 keep stateIf you want incoming and outgoing internet in your zones it is easier if you just give them public ips and setup a firewall in the global zone. If you have limited public ip address(I'm setting up a colocation 1u server) then you might take this approach. One of the best things about doing thing this way is that any software configured in the non-global zones will never be configured to listen on an ip address that might change if you change public ips.

  Instead of using the script as a legacy_run script, set it up in SMF.
  First create the file /var/svc/manifest/system/ip-route-hack.xml with
  the following
  ---Start---
  <?xml version="1.0"?>
  <!DOCTYPE service_bundle SYSTEM
  "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
  <!--
  ident "@(#)ip-route-hack.xml 1.0 09/21/06"
  -->
  <service_bundle type='manifest' name='NATtrans:ip-route-hack'>
  <service
  name='system/ip-route-hack'
  type='service'
  version='1'>
  <create_default_instance enabled='true' />
  <single_instance />
  <dependency
  name='physical'
  grouping='require_all'
  type='service'
  restart_on='none'>
  <service_fmri value='svc:/network/physical:default' />
  </dependency>
  <dependency
  name='loopback'
  grouping='require_all'
  type='service'
  restart_on='none'>
  <service_fmri value='svc:/network/loopback:default' />
  </dependency>
  <exec_method
  type='method'
  name='start'
  exec='/lib/svc/method/svc-ip-route-hack start'
  timeout_seconds='0' />
  <property_group name='startd' type='framework'>
  <propval name='duration' type='astring'
  value='transient' />
  </property_group>
  <stability value='Unstable' />
  <template>
  <common_name>
  <loctext xml:lang='C'>
  Hack to allow zone to NAT translate.
  </loctext>
  </common_name>
  <documentation>
  <manpage
  title='zones'
  section='1M'
  manpath='/usr/share/man' />
  </documentation>
  </template>
  </service>
  </service_bundle>
  ---End---
  then modify /var/svc/manfiest/system/zones.xml and add the following
  dependancy
  ---Start---
  <dependency
  name='inet-ip-route-hack'
  type='service'
  grouping='require_all'
  restart_on='none'>
  <service_fmri value='svc:/system/ip-route-hack' />
  </dependency>
  ---End---
  Finally create the file /lib/svc/method/svc-ip-route-hack with the
  contents of S99zone_route_hack, minus the sleep timer (perms 0755). Run
  'svccfg import /var/svc/manifest/system/ip-route-hack.xml' and 'svccfg
  import /var/svc/manifest/system/zones.xml'.
  This will guarantee that ip-route-hack is run before zones are started,
  but after the interfaces are brought on line. It is worth noting that
  zones.xml may get overwritten during a patch, so if it suddenly stops
  working, that could be why.

• NAT and Routed Network with Two ISP's on one router

  I'm sure this has been done covered many times, but I am not finding it.
  I have two ISP connections.
  With ISP-A I have a /30 between us and 200.100.100.0/24 is routed to me via the /30 for thsi example we will say the /30 is 1.1.1.1 on isp end and 1.1.1.2 on my end
  With ISP-B I have a 100.0.0.0/29 subnet. and the ISP gateway is on that subnet at 100.0.0.1
  On the inside of my network I have devices using both 200.100.100.x addresses and devices on 192.168.100.x that need to use NAT.
  I would like all of the devices on 200.100.100.x addresses to continue using ISP-A as their gateway.
  Everything on 192.168.100.x should use NAT and go out ISP-B
  I have tried
  ip nat inside source route-map ISP-A interface GigabitEthernet0/1 overload
  route-map ISP-B permit 10
   match ip address 101
   match interface GigabitEthernet0/1
   set ip next-hop 100.0.0.1
  route-map ISP-A permit 10
   match ip address 111
   match interface Multilink1
   set ip next-hop 1.1.1.1
  The problem comes when I have default routes to ISP-A in the router than none of the ISP-B traffic works, and vice versa.

  I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because default is going to use one ISP or the other.
  If you can use BGP, this link will help you in load shearing between multiple ISPs when you have one router.
  http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
  HTH

• I need the IP values and Subnet Mask which is given by the ISP for my jetpack so i can configure my smart tv

  i need the IP values and Subnet Mask which is given by the ISP for my jetpack so i can configure my smart tv

  Your public IP Address is provided by the ISP.  Your smart TV does not need to know this information unless you plan to host some kind of an application or service for folks on the internet through your TV.  It wouldn't work anyways since all Jetpacks sit behind a VZW NAT firewall and blocks hosting capabilities by default.
  What you more than likely are referring to is the Default Gateway and Subnet mask of the Local Area Network being hosted by your Jetpack.  By default these values should be something like 192.168.1.1 and 255.255.255.0.  You can confirm the DG and SM by connecting a computer to the Jetpack.  Every computer has a way to look up the networking information.  On a Windows OS you would open up a CMD window and type in "IPCONFIG".
  If you shoot us the model number of your Smart TV we may be able to look up a User Guide to confirm what kind of info is needed to connect to a wireless network.  Most of the time exchanging the IP information is done automatically during the connection process.  It would also be nice to know which Jetpack model you have so we can compare the User Guide for that device with your TV.

• Client NAT and Source IP Sticky

  How can we implement client NAT and source IP sticky for the same server farm without running into issues? Our NAT pool is using IPs from the VIPs' subnet. Is this possible? This configuration is on Cat 6500 w/ CSM-S v. 2.1.1. Thanks.

  this is possible.
  The CSM will first determine the destination server based on the client ip and the sticky srcip table and then it will nat the client ip address using your pool.
  It does not matter which subnet is being used as long as the servers know to respond back to the CSM.
  Regards,
  Gilles.

• I want to use Back to my mac. When I try to turn it on, it says "Back to My Mac may be slow because more than one device on your network is providing network services.   Turn off NAT and DHCP on one of the devices and try again." How do I fix this?

  Not sure if I am doing this right. This is my first time in the support community.
  I imagine what I put in my heading was supposed to go in here.
  I want to use Back to my mac. When I try to turn it on, it says "Back to my mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again. See the documentation that came with your device for information about turning off network services"
  Does anyone know how I do this? I contacted my ISP (Telus in Canada) and they did not know anything (not that they usually do).

  Why do ISPs insist upon making things so difficult for their customers?
  If you cannot get them to understand that you would prefer to use your own router over their piece of cheap junk, perhaps the information in the following will be useful:
  http://keithbalomben.wordpress.com/2012/03/29/telus-actiontec-v1000h-hacks-and-i nformation/
  Scroll down to DHCP Settings
  You will need to log in with proper "technician" credentials. They are provided in the above link as
  Username: tech
  Password: t3lu5tv
  ... but these may or may not work. Try it, and if you cannot get anywhere at least now you know what to ask Telus to do in return for your business.

• Using modem Sagem f@st 3464 (Scarlet One : vdsl   tv   VoIP   wi-fi) : impossible to create a new Wi-Fi network (2.4 or 5 GHz) ? Conflict with DHCP / NAT and so on. No answer from the Apple help desk, Air Port Utility 6.1 unusable (configuration = Win 7)

  Good afternoon,
  My internet connection is delivered by a modem Sagem f@st 3464 (Scarlet One : vdsl   tv   VoIP   wi-fi), it's almost the same than a BBox-2 from Belgacom (software and configuration).
  This modem has 4 ethernet port, 2 for TV, 2 for LAN, the WAN port is RJ-11 and the connection is a PPPoE (in fact, it's the Belgacom network). I also got a Wi-Fi 802.11g on it.
  The main raison why I bought a TC is the dual Wi-Fi 2.4 GHz and 5 GHz (for 802.11n), especially for my MacBook Pro and my iPad 3.
  First of all, can I do the following with my TC :
  1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
  2) create a new Wi-Fi network using the TC ?
  Up to now, after 2 man days of configuration, my TC is connected to my existing LAN network, as a bridge, but there is no new Wi-Fi network.
  The Airport Utility 6.1 "Wizard" is just un-usable and I need to use a Win 7 laptop in order to get access to all the configuration !
  The standard manual is very poor.
  Does someone already create a new Wi-Fi network using its TC connected by Ethernet on a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
  Sincerely yours,
  AVDB

  1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
  2) create a new Wi-Fi network using the TC ?
  Does someone already create a new Wi-Fi network using its TC connected by Ethernet on a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
  This is easy enough to do..
  Plug the TC directly into a computer.. without other connections to do the setup.
  Using the newly installed 5.6 utility.
  Bridge the TC.
  Create a wireless network.
  This is an older screen shot and I would set security to WPA2 Personal only not WPA/WPA2 Personal as shown above.
  I do recommend you use wireless names that are short, no spaces, pure alphanumeric.
  Update the TC..
  Now plug it into the modem router.. it will be a part of the network without doing NAT and DHCP itself.. which you do not want.. that leads to double NAT issues.. but it is a WAP that provides access to devices on both 2.4ghz and 5ghz bands directly to the main router.

• Multiple routers and subnets - can't access across subnets

  Hey all, I'm having an issue with multiple routers and subnets on my FIOS connection. Here's how everything is setup:
  Primary router:
  ActionTec MI424WR Rev D (from Verizon)
  WAN IP: From ISP
  WAN NETMASK: From ISP
  LAN IP: 192.168.1.1LAN NETMASK: 255.255.255.0
  Secondary router (WAN connected to ActionTec LAN):
  Belkin N750 gigabit w/ 802.11n
  WAN IP: 192.168.1.2
  WAN NETMASK: 255.255.255.0
  LAN IP: 192.168.2.1
  LAN NETMASK: 255.255.255.0
  With this setup, I have the secondary router's WAN port connected to a LAN port on the primary router. Each are broadcasting an SSID and each are running DHCP to assign address to their respective subnets. Everything was well and good, except that I could reach 192.168.1.* systems from 192.168.2.*, but not vice versa -- anything connected to the Primary router was blind to systems connected to Secondary. Also, I could not ping anything on .2 from .1.
  So, I added the following static route to the primary router:
  DESTINATION: 192.168.2.0
  NETMASK: 255.255.255.0
  GATEWAY: 192.168.1.2
  Once this was added to the router, I could ping everything, so that was good. However, even though .1 can now ping .2, I can't access certain things such as the web interface of my NAS (192.168.2.2). I can ping it, but accessing it in the browser from .1 doesn't work; however, accessing from .2 does work.
  I think the ActionTec router might be blocking it, but that's just a guess. The firewall on this thing has me thoroughly confused. Currently, I have 192.168.1.2 in the DMZ on the ActionTec, but that didn't make a difference. I've also completely disabled the firewall on the secondary Belkin router, but still nothing.
  Any help from the pros here? Much appreciated!
  Solved!
  Go to Solution.

  Ok, I figured it out and everything is now working. The issue appears to be that the ActionTec router doesn't recognize traffic from Subnet 1 to Subnet 2 as internal traffic -- it treats it as external traffic and closes it off. To fix this, it required some Advanced Firewall Filters that were far from unituitive and took a lot of testing to get it just right. If anyone runs into a similar situation in the future, here's a rundown of what I did to make it all work:
  Primary Router:
  ActionTec, MI424WR Rev D
  WAN IP/NETMASK:Assigned by ISP
  LAN IP/NETMASK:192.168.1.1 / 255.255.255.0
  Secondary Router:
  Belkin N750 Gigabit w/ 802.11n
  WAN IP/NETMASK:192.168.1.2 / 255.255.255.0
  LAN IP/NETMASK:192.168.2.1 / 255.255.255.0
  Plug Secondary router's WAN port into a LAN port on the Primary router.
  Setup Secondary router to have static LAN address (192.168.1.2)
  At this point, you should have 2 separate subnets: Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*).
  Systems on both subnets should be able to reach the internet. Also, Subnet 2 should be able to ping and reach systems on Subnet 1; however, systems on Subnet 1 should not be able to ping or reach systems on Subnet 2. For this, we need to create a static route so Subnet 1 can reach Subnet 2.
  Create and apply the following static route in the Primary router:  (Advanced > Routing)
  RULE NAME:Network (Home/Office)
  DESTINATION:192.168.2.0(your secondary subnet)
  GATEWAY:192.168.1.2(secondary router's WAN IP)
  NETMASK:255.255.255.0
  METRIC:1
  The router now has a route between Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*). You should be able to ping systems on Subnet 1 from 2, and ping systems on Subnet 2 from 1. You should not be able to access any systems, though -- the firewall is still blocking all but ping traffic from Subnet 1 to Subnet 2. We need to create some firewall rules to allow this communication.
  Make sure Primary firewall is set to at least typical/medium (Firewall Settings > General).
  We need to create some network objects to make it easier to manage the rules we'll create. Go to Advanced > Network Objects and do the following:
  1.Click Add. You are now on Edit Network Object screen. 
  2.Set Description to 'Subnet 1'.
  3.In Items section below, click Add.
  4.Set Network Object Type to 'IP Subnet'.
  5.Set Subnet IP Address to 192.168.1.0.
  6.Set Subnet Mask to 255.255.255.0.
  7.Click Apply. You are now back on Edit Network Object screen.
  8.Click Apply. You are now back on Network Objects Screen.
  9.Repeat the above steps again, but this time creating a second network object called 'Subnet 2':
  Nameubnet 2
  IP Subnet:192.168.2.0
  Subnet Mask:255.255.255.0
  Now we create the firewall rules. Go to Firewall Settings > Advanced Filtering.
  In the Inbound/Input rules section, click the Add link next to Network (Home/Office) Rules.
  Create the following Advanced Filter:
  SOURCE ADDRESSelect 'Subnet 1'
  DEST. ADDRESSelect 'Subnet 2'
  PROTOCOL:'Any'
  OPERATION:'Accept Packet'
  OCCUR:'Always'
  Click Apply. You will now be back on the Advanced Filtering page.
  In the Outbound rules section, click the Add link next to Network (Home/Office) Rules.
  Create the following Advanced Filter:
  SOURCE ADDRESSelect 'Subnet 1'
  DEST. ADDRESSelect 'Subnet 2'
  PROTOCOL:'Any'
  OPERATION:'Accept Packet'
  OCCUR:'Always'
  Click Apply. You will now be back on the Advanced Filtering page.
  Click Apply.
  You're all done. You should now have internet access on both subnets, be able to ping across subnets and also be able to access services across subnets (local webservers, SSH, telnet, mail, etc). You will not be able to see network file shares across subnets in Windows, however, as this requires a WINS server (which is well outside the scope of this post). For instance, I have a Western Digital NAS on the 192.168.2.0 subnet that I can access as \\Mybooklive\ from within Subnet 2; on Subnet 1, however, I have to access it by its IP \\192.168.2.10\. 

• Static NAT and same IP address for two interfaces

  We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
  static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
  static (production,Outside) 10.10.10.10  access-list production_nat_static_1
  Thanks for any help.
  Jeff

  Hi Jeff,
  Unfortunately this cannot be done, on the ASA packet classification is done on the basis of mac-address, destination nat and route, and here you are confusing the firewall, to which interface does the ip belong to. I haven't ever tried to do it, but it should cause you issues.
  Thanks,
  Varun Rao
  Security Team,
  Cisco TAC

• Removing Logical Networks and Subnets from Hyper-V Host Network Adapters that are greyed out

  Hello All
  I am new to SCVMM 2012 R2 and I have create a Hyper-V Cluster and now creating Logical Networks and Port Profiles and Logical Switches. I have figured out how to create all of them properly now, but I have made some mistakes in the past. I have a Logical
  Switch created and assigned to network adapters on the hosts. Now I am trying to add the other switches to other adapters, but I have associations on network adapters to Logical Switches and Subnets that are not correct and need to be removed so I can add
  the correct ones, but in the console the network adapters that I need to work with the information is grayed out and I can't change the information. 
  I am not an expert at Powershell. Below you can see a Logical Network and Sunets associated
  to a Network adapter. Can someone help figure out how to remove the information so I can assign the correct Logical Network?
  I woul so much appreciate this. I know there is a way to do this in
  PowerShell but I don't know Powershell that much. I
  am savoing all the
  powershell scripts ever time I configure something in SCVMM but I have had no luck trying to
  revearse what I did.
  Help Please
  Christopher
  Christopher Scannell

  This shows that an Uplink profile associated with this host, links to these logical networks. In order to remove this successfully, you must remove the logical switch and uplink deployed to the hosts.
  For a complete overview and guidance on the required configuration, have a look at the whitepaper we created. 
  http://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
  -kn
  Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

• FMS: NAT and Firewall

  I've run into one roadblock after another with Cirrus (Stratus) - basically, even the Adobe Videophone example refuses to work in the 'real world' where there's a mix of NAT and firewall configurations outside the developer's control. (http://forums.adobe.com/message/1064983#1064983 and thread at http://forums.adobe.com/thread/736422?tstart=0)
  My question is whether Flash Media Server 4 has the same sort of issues? We don't want to pay up to install and run our own FMS only to discover that we won't be able to provide a P2P service to our end users because they're scattered around the Internet with a mix of mobile devices and computers lying behind NAT and firewall devices that we can't predict.

  FMS4 and Cirrus should behave identically as far as facilitating P2P communications on the open Internet.
  as the referenced article describes, with some combinations of NATs and firewalls, P2P communication is impossible.  RTMFP tries really hard to establish connections in the cases where direct communication is possible, but will not function in cases where direct communication is not possible.
  we believe direct communications should be possible for the majority of Internet users, but recognize that it won't be possible for 100% of users.

• ASA 5510 - Setting up ACL to permit access only to the Nat'ed subnet

  Hi,
  I experiencing an issue in setting up an ACL on my ASA 5510 to permit access only to the Nat subnet from inside to the outside interface. This firewall is setup for the DR solution in the production network. I am applying following acl in the inbound direction on the inside interface.
  permit ip any "Nat_subnet"
  After appliying this acl to inside interface I observed that I can ping to the destinations in NAT'ed subnet but unable to ssh to the servers. Following is the summary of my configuration. I would appreciate if someone please advice to resolve this issue.
  Regards,
  Muds
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 192.168.135.249 255.255.255.248 standby 192.168.135.250
  object-group network d1-dr-nat_nets
  network-object 192.168.128.0 255.255.248.0
  object network 10.210.14.0_Net
  nat (outside,inside) static 192.168.128.0_Net
  object network 10.210.16.0_Net
  nat (outside,inside) static 192.168.129.0_Net
  object network 10.210.80.0_Net
  nat (outside,inside) static 192.168.130.0_Net
  object network 10.210.84.0_Net
  nat (outside,inside) static 192.168.131.0_Net
  object network 10.210.86.0_Net
  nat (outside,inside) static 192.168.132.0_Net
  object network 10.210.88.0_Net
  nat (outside,inside) static 192.168.133.0_Net !
  object network 10.210.14.0_Net
  nat (outside,inside) static 192.168.128.0_Net
  object network 10.210.16.0_Net
  nat (outside,inside) static 192.168.129.0_Net
  object network 10.210.80.0_Net
  nat (outside,inside) static 192.168.130.0_Net
  object network 10.210.84.0_Net
  nat (outside,inside) static 192.168.131.0_Net
  object network 10.210.86.0_Net
  nat (outside,inside) static 192.168.132.0_Net
  object network 10.210.88.0_Net
  nat (outside,inside) static 192.168.133.0_Net
  access-list prod_lan-in extended permit ip any object-group d1-dr-nat_nets
  access-group prod_lan-in in interface inside

  Hi,
  As I mentioned even though you NAT the address from outside to inside you will have to use the REAL IP ADDRESSES in the access-list statements
  Your hosts on inside will still be connecting to the NAT IP address of the hosts on outside BUT the ASA needs the ACL statements with the NATed hosts original IP addresses
  Let me give an simple example
  object network STATIC
  host 10.10.10.10
  nat (outside,inside) static 192.168.10.10
  access-list INSIDE-IN permit ip any host 10.10.10.10
  or
  access-list INSIDE-IN permit ip any object STATIC
  - Jouni

• How to configure the eth1 port of NIcRIO 9024 to another IP address and subnet mask

  Hi ,
  I am using cRIO 9024 and am planning to configure it to be an MMS server that interacts with a client which is in another network with different IP and subnetmask. I want to run the server VIs from the host computer via the eth0 port and want to communicate the MMS messages through the eth1 port. the eth0 port is configured as a static IP as shown in the screenshot attached and would like to assign a separate IP and subnet mask to the other port . But when I try to save the configuration I get the error "Could not save your changes tot he target.The subnet mask for eth1 is invalid" .
  I have already directly cross connected the Crio and have disabled the firewalls and still am not able to configure it.
  1) is it possible to configure the ethernet ports to have separate IPs corresponding to different networks and thus the subnet masks?
  2) If its possible then what is the mistake i am doing while configuring it ?
  I would be extremaly grateful to have a reply on this as its pretty desperate to spend a lot of time just to set up the IP configurations..!!!!!
  Regards
  Abhinav

  Dear Abhinav,
  I'm sorry but what you are tryining to do is not suported by the Second Ethrnet Port on any cRIO and so you getting this error meeage.
  Here a abstract out ouf the KnowledgeBase How do I Configure the Dual Ethernet Ports on Real-Time Controllers?:
  Ethernet port 2 is currently not supported to communicate outside its own subnet. There is no capability of configuring the Default Gateway for Ethernet port 2 and therefore cannot connect to a large isolated intranet.  However, there appears to be a common misconception that this port can only be used for communication between NI products: this is not the case, though any communication through the secondary port must be within the same subnet.
  Kind Regards,
  SG3 | Applications Engineering | National Instruments | NIG |

• Airport Extreme best practice configuration for Sleep Proxy, DHCP/NAT and PPPOE

  Hi
  I have recently bought a Airport Extreme and it is working well.  One of the reasons I bought is to take advantage of the Bonjour Sleep Proxy on it so I can wake my MAC up remotely from my iPad using the REMOTE app to stream things like iTunes etc...  I followed the set up instructions and basically let it configure itself.  I have an ISP router / modem which currently is providing DHCP services, NAT and PPPOE.
  The Airport detected all of this and set itself up as bridge only.  The speed of the network outo to the internet is fine (more or less what it was before).  However, in doing a bit of research, I have found out that if I want the Airport to act as a sleep proxy, I need it to "host" the network.  I am not an expert in networking but from what I understand I need the Airport to be moved from "Bridge Only" to at least be providing DHCP to my internal network clients.
  This has prompted me to ask what is "Best practice" when it comes to configuring the Airport given I want to have Sleep Proxy enabled.  I think the two options I have are as follows but would really welcome feedback on which is the best option to go for or if there are other options I should be thinking of
  (1)  Have the Airport perform DHCP for my internal clients and leave the ISP router/modem doing NAT
  (2)  Have the Airport perform DHCP and NAT.  I think to do this I need to turn the ISP router / modem into Bridge mode only.  (I've looked and I seem to have this option on the device.  It's an Irish ISP branded device but I think it is a Zyxel)
  I have no reason to believe the ISP router / model is doing a bad job but given I understand the Airport Extreme is a reasonably high-end device (I think?) I am wondering if option 2 is the way to go.
  In addition, during my research, I have also discovered that many people seem to have their Airport Extreme also handle PPPOE.  This is currently being done by my ISP router/modem.  I am  inclined to leave it this way (following the mantra if it isn't broken, don't fix it) but if there was a good reason to have the Aiport do this, perhaps I should make the switch?  Having said this, I have seen on this forum and others, some posts about problems with Internet connection drops when the Airport is handling PPPOE.
  So, a bit of a long post, but if anyone has any information or perspective on this, I'd very much appreciate it. 
  Thanks
  Dave

  I forgot to thank you, John Galt. Yap, it solve my problem by restoring back the original firmware to 7.6.1. My unit is Airport Extreme 2012. I am still using double NAT because I cannot figure it out on how to set DHCP only in the Network tab.
  My goal it to use the airport extreme to the internet and to share the internet to all my devices in the house. Just like my previous Accesspoints. Before I use AP+router Linksy$ WRT54G and D-l!nk DIR-655 without activating the NAT to share my internet connection and they work.
  My problem is that when I set it to DHCP in the internet tab and DHCP in the Network tab in Airport Utility inorder to solve the double NAT situation, only one of all my devices (wired or wireless) can connect to the internet. Each time I connect the other device(s) to the internet my subscriber will verify my subscription (web browser based verification) in which I have to manually enter my account number, etc to validate my subscription.
  So I stick to double NAT so that I can share the internet
  Our broadband provider uses DHCP to link us to the internet. If I change the settings to Static in the Internet Tab, my broadband provider will not let me connect to the internet. In the Airport Utility if I set to static in the Internet Tab inorder to set it to solve the double NAT, a message box appear informing me that I have invalid beginning IP address in the DCHP range in the Network Tab when it appears that only the last 3 digits of the DHCP range is editable.
  Is there any way of configuring the Airport Utility's Internet TAB to DHCP and Network TAB to DHCP to connect to the internet with all my devices without the double NAT and without the aid of another device such as AP or router or switch connected to the Airport or vice versa?

• Can we track or get the list of sites and subnets deleted from ActiveDirectory?

  Can we track or get the list of sites and subnets deleted from Active Directory?

  Are you looking of the previous history? If you have saved all the event log and auditing is enabled, you can go back and search. 
  Santhosh Sivarajan | Houston, TX | www.sivarajan.com
  ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
  Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
  Blogs: Blogs
  Twitter: Twitter
  LinkedIn: LinkedIn
  Facebook: Facebook
  Microsoft Virtual Academy:
  Microsoft Virtual Academy
  This posting is provided AS IS with no warranties, and confers no rights.