H323 and NAT issue
Hello all,
I have a router 1812, Version 12.4(15)T16, RELEASE SOFTWARE (fc2). The router is doing NAT.
I have a LifeSize videoconference system. Calls with H323 are dropped after 30 seconds.
I have these ip inspect rules:
- ip inspect name SDM_LOW h323
- ip inspect name SDM_LOW h323callsigalt
interface FastEthernet0
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip access-group 102 in
ip verify unicast reverse-path
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
crypto map SDM_CMAP_1
service-policy input sdmappfwp2p_SDM_LOW
service-policy output sdmappfwp2p_SDM_LOW
When I start a communication, I have
sh ip inspect sessions
Session 85AE7150 (50.59.87.241:60118)=>(192.168.200.200:60016) h323-RTP-audio SIS_OPEN
Session 85AE12C0 (50.59.87.241:60119)=>(192.168.200.200:60017) h323-RTCP-audio SIS_OPEN
Session 85AE39B0 (192.168.200.200:60001)=>(50.59.87.241:62830) h245-media-control SIS_OPEN
Session 841F7CEC (192.168.200.200:60005)=>(50.59.87.241:1720) h323 SIS_OPEN
Session 85AE20A8 (50.59.87.241:60120)=>(192.168.200.200:60018) h323-RTP-video SIS_OPENING
Session 85ADE0B0 (50.59.87.241:60121)=>(192.168.200.200:60019) h323-RTCP-video SIS_OPENING
Session 85AE4D28 (50.59.87.241:60122)=>(192.168.200.200:60020) h323-RTP-data SIS_OPENING
Session 85ADCD38 (50.59.87.241:60123)=>(192.168.200.200:60021) h323-RTCP-data SIS_OPENING
Pre-gen session 85ADA648 192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
Pre-gen session 85AD92D0 192.168.200.200[1024:65535]=>50.59.87.241[60121:60121] h323-RTCP-video
Pre-gen session 85ADB6F8 192.168.200.200[1024:65535]=>50.59.87.241[60123:60123] h323-RTCP-data
Pre-gen session 85AD9008 192.168.200.200[1024:65535]=>50.59.87.241[60118:60118] h323-RTP-audio
Pre-gen session 85AE5848 192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
Where 192.168.200.200 is the local IP and 50.59.87.241 the server I am trying to reach.
Any idea what is going on? Why are calls dropped after 30 seconds?
Something with NAT?
Hi Alessandro,
Configuration below:
ip inspect tcp reassembly queue length 200
ip inspect tcp reassembly timeout 10
ip inspect name SDM_LOW appfw SDM_LOW
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW http
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW h323callsigalt
ip inspect name SDM_LOW skinny
ip inspect name SDM_LOW sip-tls
ip inspect name SDM_LOW sip
ip inspect name SDM_LOW esmtp max-data 50000000
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW streamworks
WAN_INTERFACE = xxx.xxx.xxx
interface FastEthernet0
ip address WAN_INTERFACE.226 255.255.255.248
ip access-group 102 in
ip verify unicast reverse-path
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
crypto map SDM_CMAP_1
service-policy input sdmappfwp2p_SDM_LOW
service-policy output sdmappfwp2p_SDM_LOW
Inbound ACL
access-list 102 remark SDM_ACL Category=3
access-list 102 permit tcp any host WAN_INTERFACE.228 eq www log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 443 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 558 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1023 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1024 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1503 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1718 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1719 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1720 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 4001 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 11720 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 17518 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60000 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60001 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60002 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60003 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60004 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60005 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60000 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1023 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1024 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1718 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1719 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1720 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 5060 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 17518 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60001 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60002 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60003 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60004 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60005 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60006 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60007 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60008 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60009 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60010 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60011 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60012 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60013 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60014 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60015 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60016 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60017 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60018 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60019 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60020 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60021 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60022 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60023 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60024 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60025 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 3389 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 3389 log
[ Some ipsec rules ]
access-list 102 permit tcp any host WAN_INTERFACE.230 eq 22
access-list 102 permit tcp any host WAN_INTERFACE.230 eq www
access-list 102 permit tcp any host WAN_INTERFACE.227 eq smtp
access-list 102 permit udp any host WAN_INTERFACE.227 eq 80
access-list 102 permit tcp any host WAN_INTERFACE.227 eq www
access-list 102 permit tcp any host WAN_INTERFACE.227 eq ftp
access-list 102 permit tcp any host WAN_INTERFACE.226 eq 1723
access-list 102 permit tcp any host WAN_INTERFACE.226 eq 47
ip nat inside source static udp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_32 extendable
ip nat inside source static tcp LAN_INTERFACE 80 WAN_INTERFACE.228 80 route-map SDM_RMAP_15 extendable
ip nat inside source static tcp LAN_INTERFACE 443 WAN_INTERFACE.228 443 route-map SDM_RMAP_7 extendable
ip nat inside source static tcp LAN_INTERFACE 558 WAN_INTERFACE.228 558 route-map SDM_RMAP_47 extendable
ip nat inside source static tcp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_77 extendable
ip nat inside source static udp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_78 extendable
ip nat inside source static tcp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_73 extendable
ip nat inside source static udp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_74 extendable
ip nat inside source static tcp LAN_INTERFACE 1503 WAN_INTERFACE.228 1503 route-map SDM_RMAP_75 extendable
ip nat inside source static tcp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_86 extendable
ip nat inside source static udp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_87 extendable
ip nat inside source static tcp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_42 extendable
ip nat inside source static udp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_43 extendable
ip nat inside source static tcp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_28 extendable
ip nat inside source static udp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_44 extendable
ip nat inside source static tcp LAN_INTERFACE 4001 WAN_INTERFACE.228 4001 route-map SDM_RMAP_72 extendable
ip nat inside source static udp LAN_INTERFACE 5060 WAN_INTERFACE.228 5060 route-map SDM_RMAP_29 extendable
ip nat inside source static tcp LAN_INTERFACE 11720 WAN_INTERFACE.228 11720 route-map SDM_RMAP_71 extendable
ip nat inside source static tcp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_45 extendable
ip nat inside source static udp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_46 extendable
ip nat inside source static tcp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_30 extendable
ip nat inside source static tcp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_31 extendable
ip nat inside source static udp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_33 extendable
ip nat inside source static tcp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_66 extendable
ip nat inside source static udp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_34 extendable
ip nat inside source static tcp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_67 extendable
ip nat inside source static udp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_35 extendable
ip nat inside source static tcp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_68 extendable
ip nat inside source static udp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_36 extendable
ip nat inside source static tcp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_69 extendable
ip nat inside source static udp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_37 extendable
ip nat inside source static udp LAN_INTERFACE 60006 WAN_INTERFACE.228 60006 route-map SDM_RMAP_38 extendable
ip nat inside source static udp LAN_INTERFACE 60007 WAN_INTERFACE.228 60007 route-map SDM_RMAP_39 extendable
ip nat inside source static udp LAN_INTERFACE 60008 WAN_INTERFACE.228 60008 route-map SDM_RMAP_48 extendable
ip nat inside source static udp LAN_INTERFACE 60009 WAN_INTERFACE.228 60009 route-map SDM_RMAP_49 extendable
ip nat inside source static udp LAN_INTERFACE 60010 WAN_INTERFACE.228 60010 route-map SDM_RMAP_50 extendable
ip nat inside source static udp LAN_INTERFACE 60011 WAN_INTERFACE.228 60011 route-map SDM_RMAP_51 extendable
ip nat inside source static udp LAN_INTERFACE 60012 WAN_INTERFACE.228 60012 route-map SDM_RMAP_52 extendable
ip nat inside source static udp LAN_INTERFACE 60013 WAN_INTERFACE.228 60013 route-map SDM_RMAP_53 extendable
ip nat inside source static udp LAN_INTERFACE 60014 WAN_INTERFACE.228 60014 route-map SDM_RMAP_54 extendable
ip nat inside source static udp LAN_INTERFACE 60015 WAN_INTERFACE.228 60015 route-map SDM_RMAP_55 extendable
ip nat inside source static udp LAN_INTERFACE 60016 WAN_INTERFACE.228 60016 route-map SDM_RMAP_56 extendable
ip nat inside source static udp LAN_INTERFACE 60017 WAN_INTERFACE.228 60017 route-map SDM_RMAP_57 extendable
ip nat inside source static udp LAN_INTERFACE 60018 WAN_INTERFACE.228 60018 route-map SDM_RMAP_58 extendable
ip nat inside source static udp LAN_INTERFACE 60019 WAN_INTERFACE.228 60019 route-map SDM_RMAP_59 extendable
ip nat inside source static udp LAN_INTERFACE 60020 WAN_INTERFACE.228 60020 route-map SDM_RMAP_60 extendable
ip nat inside source static udp LAN_INTERFACE 60021 WAN_INTERFACE.228 60021 route-map SDM_RMAP_61 extendable
ip nat inside source static udp LAN_INTERFACE 60022 WAN_INTERFACE.228 60022 route-map SDM_RMAP_62 extendable
ip nat inside source static udp LAN_INTERFACE 60023 WAN_INTERFACE.228 60023 route-map SDM_RMAP_63 extendable
ip nat inside source static udp LAN_INTERFACE 60024 WAN_INTERFACE.228 60024 route-map SDM_RMAP_64 extendable
ip nat inside source static udp LAN_INTERFACE 60025 WAN_INTERFACE.228 60025 route-map SDM_RMAP_65 extendable
ip nat inside source static LAN_INTERFACE WAN_INTERFACE.228 route-map SDM_RMAP_76
All SDM_RMAP route-maps are like this one below:
route-map SDM_RMAP_32 permit 1
match ip address 141
access-list 141 remark SDM_ACL Category=2
access-list 141 deny ip host LAN_INTERFACE 10.0.5.0 0.0.0.31
access-list 141 deny ip host LAN_INTERFACE 10.0.5.40 0.0.0.1
access-list 141 permit udp host LAN_INTERFACE eq 60000 any
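As an added example (not code from the thread or from Cisco), here is a small Python checker for the kind of output quoted above: it parses show ip inspect sessions lines, reports media channels that never reach SIS_OPEN (packets seen in one direction only, which is what precedes the call timing out), and checks the inbound media ports against an inbound ACL. The session and ACL text inside it is constructed from the post's own output; the ACL is deliberately cut short at 60019 so the gap check has something to report.

```python
"""Diagnose half-open H.323 media channels from IOS `show ip inspect sessions`
output and cross-check inbound media ports against an inbound ACL.
Added example for this thread, not the poster's or Cisco's code; the sample
text below is constructed from the output and ACL quoted in the post."""
import re
from collections import defaultdict

# "Session 85AE7150 (50.59.87.241:60118)=>(192.168.200.200:60016) h323-RTP-audio SIS_OPEN"
SESSION_RE = re.compile(
    r"^Session\s+[0-9A-Fa-f]+\s+"
    r"\((?P<src_ip>[\d.]+):(?P<src_port>\d+)\)=>"
    r"\((?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_[A-Z]+)$"
)
# "Pre-gen session 85AD9008 192.168.200.200[1024:65535]=>50.59.87.241[60118:60118] h323-RTP-audio"
PREGEN_RE = re.compile(
    r"^Pre-gen session\s+[0-9A-Fa-f]+\s+"
    r"(?P<src_ip>[\d.]+)\[\d+:\d+\]=>"
    r"(?P<dst_ip>[\d.]+)\[(?P<lo>\d+):(?P<hi>\d+)\]\s+(?P<proto>\S+)$"
)
# "access-list 102 permit udp any host WAN_INTERFACE.228 eq 60016 log"
ACL_RE = re.compile(
    r"^access-list\s+\d+\s+permit\s+(?P<l4>tcp|udp)\s+any\s+host\s+\S+\s+eq\s+(?P<port>\d+)"
)


def parse_inspect_sessions(text):
    """Return (sessions, pregen) as lists of dicts; lines matching neither format are skipped."""
    sessions, pregen = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            d = m.groupdict()
            d["src_port"], d["dst_port"] = int(d["src_port"]), int(d["dst_port"])
            sessions.append(d)
            continue
        m = PREGEN_RE.match(line)
        if m:
            d = m.groupdict()
            d["lo"], d["hi"] = int(d["lo"]), int(d["hi"])
            pregen.append(d)
    return sessions, pregen


def is_media(proto):
    # RTP/RTCP channels opened via H.245 (audio, video, data); h225/h245 signalling is excluded
    return "-RTP-" in proto or "-RTCP-" in proto


def half_open_media(sessions):
    """Media channels that never reached SIS_OPEN: the firewall saw packets in one
    direction only, so the far end gets no return stream. Returns {proto: sorted inside ports}."""
    states, ports = defaultdict(set), defaultdict(set)
    for s in sessions:
        if is_media(s["proto"]):
            states[s["proto"]].add(s["state"])
            ports[s["proto"]].add(s["dst_port"])
    return {p: sorted(ports[p]) for p in sorted(states) if "SIS_OPEN" not in states[p]}


def permitted_ports(acl_text):
    """Set of (l4, port) permitted by `access-list N permit <l4> any host X eq P` lines."""
    out = set()
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            out.add((m["l4"], int(m["port"])))
    return out


def inbound_acl_gaps(sessions, acl_text, inside_ip):
    """Inbound UDP media sessions whose destination port the inbound ACL does not
    permit. The post's static NAT keeps port numbers unchanged, so the post-NAT
    port shown by inspect equals the port the ACL on the outside interface sees."""
    allowed = permitted_ports(acl_text)
    return sorted({s["dst_port"] for s in sessions
                   if s["dst_ip"] == inside_ip and is_media(s["proto"])
                   and ("udp", s["dst_port"]) not in allowed})


# Constructed sample: the session lines quoted in the post, trimmed to the channels that matter.
SAMPLE_SESSIONS = """\
Session 85AE7150 (50.59.87.241:60118)=>(192.168.200.200:60016) h323-RTP-audio SIS_OPEN
Session 85AE12C0 (50.59.87.241:60119)=>(192.168.200.200:60017) h323-RTCP-audio SIS_OPEN
Session 841F7CEC (192.168.200.200:60005)=>(50.59.87.241:1720) h323 SIS_OPEN
Session 85AE20A8 (50.59.87.241:60120)=>(192.168.200.200:60018) h323-RTP-video SIS_OPENING
Session 85ADE0B0 (50.59.87.241:60121)=>(192.168.200.200:60019) h323-RTCP-video SIS_OPENING
Session 85AE4D28 (50.59.87.241:60122)=>(192.168.200.200:60020) h323-RTP-data SIS_OPENING
Session 85ADCD38 (50.59.87.241:60123)=>(192.168.200.200:60021) h323-RTCP-data SIS_OPENING
Pre-gen session 85AD9008 192.168.200.200[1024:65535]=>50.59.87.241[60118:60118] h323-RTP-audio
"""
# Constructed ACL: like the poster's list 102 but deliberately stopping at 60019
# so the gap check has something to report (the poster's real ACL runs to 60025).
SAMPLE_ACL = "\n".join(
    f"access-list 102 permit udp any host WAN_INTERFACE.228 eq {p} log"
    for p in range(60016, 60020)
)
INSIDE_IP = "192.168.200.200"

if __name__ == "__main__":
    sess, pre = parse_inspect_sessions(SAMPLE_SESSIONS)
    print("half-open media:", half_open_media(sess))
    print("inbound ports not permitted by ACL:", inbound_acl_gaps(sess, SAMPLE_ACL, INSIDE_IP))
    print("ports the firewall still expects inside to use:", [(p["proto"], p["lo"]) for p in pre])
```

Run against a real capture of show ip inspect sessions, a non-empty half-open list for video while audio is open points at the inside endpoint's return streams (or the H.245 address rewrite) rather than at the inbound ACL, which is the distinction a quick look at the raw output does not make obvious.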
Similar Messages
-
Hi all,
I'm performing H323 video conferencing with a Polycom solution (PVX and iPower) (one endpoint on the private LAN, one endpoint on the Internet).
Between iPower and PVX all works fine; between PVX and PVX video works but I can't use the H239 PVX option.
It looks like a NAT issue. Does anybody still experience that??
Is H239 well supported by NAT??
Thanks
Thanks for answering,
I made some Ethereal captures, and when H239 is activated on the PVX the IOS firewall (NAT) is unable to locate the IP address in the payload
(all works fine if H239 isn't activated).
So the PVX sends its video stream to a private IP address.
H239 isn't supported by NAT on 12.4(2)T advanced ip -
Double computer name on network and NAT issue with Back to My Mac
These are the problems I am having:
When my MacPro workstation (which on the network is named "The Beast") wakes from sleep - I get a message saying "there is already a computer on the network with the name "The Beast". Other computers on the network can now find you at "The Beast-2"" and it gives me a new name in the file sharing preferences - even though it is the only computer on the network with that name.
Why is this happening???
The other problem is with Back To My Mac - When I try to enable it - I get an error message saying "Turn off NAT Addressing" - which I thought was turned off since the AEBS is in Bridge Mode. Why is this happening?
Here is my network setup which consists of the Modem / Router from my ISP - an Airport Extreme Base Station and one Airport Express - which is connected to my MacPro via ethernet. The MacPro does not have an airport card installed and is running OSX 10.6.8 - all other computers / devices are running 10.7.x and iOS6).
VDSL Modem / Router (from Internet provider) with wireless turned off - (so it is not broadcasting a competing wireless signal) - connected via ethernet to my Airport Extreme Base Station.
Here are all the settings on the AEBS and the Airport Express: - I am using Airport Utility 5.6.1 on my Mac Pro running OSX 10.6.8 - so the setup prefs are different than the newer version of Airport Utility found on 10.7.x systems - but both work fine. Although I did notice that the option to allow ethernet clients to connect to the Airport Express does not exist (or I just didn't find it) in the newer version of Airport Utility.
Airport Extreme Base Station is set up as follows:
Wireless Mode: Create a Wireless Network
Wireless Settings:
Allow this network to be extended IS CHECKED
Radio Mode: 802.11n (b and g compatible)
Wireless Security: WPA/WPA2 Personal
Access Control:
MAC Address Access Control: Not Enabled
Internet Settings:
Internet Connection:
Connect Using: Ethernet
Connection Sharing: OFF (Bridge Mode).
TCP/IP:
Configure IPv4: Using DHCP
Advanced Settings:
Logging & Statistics:
Syslog Destination Address is blank (as in nothing appears in this field).
Syslog Level: 5 - Notice
Allow SNMP is CHECKED
MobileMe:
Back to my Mac is turned off - but if I try to turn it on I get an error message saying "Turn off NAT Addressing" - which I thought was turned off since the AEBS is in Bridge Mode. Why is this happening?
IPv6:
IPv6 Mode: Link-local only
As stated - my MacPro with no wifi card - is connected via ethernet to an Airport Express which connects wirelessly to the AEBS for network and internet access.
Airport Express Settings:
Airport Settings:
Wireless Mode: Join a Wireless Network
Allow Ethernet Clients IS CHECKED
Wireless Security WPA/WPA2 Personal
Internet Settings: Are grayed out (as in I can't change these settings - I assume because they are being controlled by the AEBS) and read as follows:
Connect Using: Wireless Network
Connection Sharing: OFF (Bridge Mode)
TCP/IP:
Configure IPv4: using DHCP
All other settings are identical to the AEBS.
All other WiFi devices in the house (MacBook Pro, iPhones, iPads, iMac, Apple TV, Nintendo Wii, etc.) are all able to connect to the network and connect to the internet - no problem.
Thanks for any insights into what might be causing the double name on the network and why it is asking me to turn off NAT addressing - when both my Airport devices are in Bridge Mode?
I am also having this issue... any updates on this??
-
Time Capsule, hardwired to TWO xbox 360's, and NAT issues.
Hello All,
I currently have an older Linksys WRT54G (version 1.0 LOL) which has been working fine for years. I recently bought my son an XBOX 360 for Christmas and we went through the issues of NAT and Call of Duty, and basically I have become quite knowledgeable on this topic. I recently added a SECOND XBOX 360, as it became apparent that one would not do with three boys in the house (Plus COD is a blast on line).
So I created a second Live Account and got the two xbox's running online stably with NAT wide open on both. This required abandoning the Linksys Firmware and installing "Tomato" on the WRT54G. That works GREAT. No modifications were required for the rest of the network including...
Macbook by Wifi, Minimac Hardwired (ya ya wifi works but hardwire is better), Airport Express (used only to stream music to stereo in family room - from ANY PC/MAC running Itunes...Itunes is VERY NICE), HP printer with network adapter, 5 other PC's including a mix of VISTA, XP, XP Pro, and multiple IPHONES, A Palm Tungsten C, WII, DS and of course the two hard wired XBOXs. NO Problems. The Tomato configuration only required the modifications for the XBOXs specifically, as the rest of the network settings were not changed after the firmware update.
What am I interested in? I'd like to upgrade to a Time Capsule for several reasons. One Newer wifi, faster, two frequencies, backup space for growing Mac branch of our network, and as the internet sharing router. AND to be able to access the TC from the internet for file access anywhere! LOVE THAT FEATURE. This requires the TC to be the first device after the cable modem as far as I can tell at this point. (any input on this specific feature would be great).
So I want to configure the TC with the input from the Cable modem as the main distribution of the internet. Then from the other NETWORK ports connect to my 20 port router for the rest of the house, as well as to the other items currently connected at the site of the current LinkSys Router (Mac Mini, Sony TV).
Also I need to maintain the current XBOX set up with (as well as Wii) with full open NAT on both XBOXs.
My question: Anyone here currently using the TC for hardwired connectivity for an XBOX with XBOX live running with open NAT for TWO XBOXs?
The issue with NAT and TWO XBOXs is that you cannot simply use PORT FORWARDing or PORT Triggering to make sure that the traffic goes to the correct xbox. The XBOX uses specific communication ports and the ROUTER needs to keep the traffic flowing properly or you get disconnected or never get open NAT (must have for XBOX live and internet gaming). There are many write ups on using Port Forwarding for one XBOX and setting the second one in the DMZ, but this does not work all the time.
The "Tomato" firmware on the LINKSYS allows fooling the router into giving a 'pseudo static' ip address to the XBOX's by doing MAC address based reservation of an IP number and then letting the DHCP give the xbox an IP address. The MAC address based reservation makes sure that the XBOX always gets the same IP address which for some GD reason must be in order for the traffic to be routed to the correct device. (you can of course use the same MAC address reservation for any device on the network).
Second Question: For those using the TC AND a second WiFi Router to do WIRELESS connection to the XBOX - which device do you have configured as the main INTERNET sharing router? I have read here what appears to state that the TC is the main router and the other WiFi the secondary. Thus the ROUTING is still being done by the TC and the other wifi device is being used simply as a WiFi Access point/switch. If this is the case would the firmware on the TC allow the proper routing for TWO XBOXs on the network?
Thank you,
Mike
The ports are 53, 80, 88, and 3074. Since you are trying to make two Xbox consoles use those ports and you are trying to connect to a server, what you need to do is use Port Range Triggering. You can't use Port Range Forwarding since it will only set those ports into listening mode for the IP address you set it to. So if you use Port Range Forwarding it will only be open/available to one console (the one using that IP address).
You need to use PORT RANGE TRIGGERING. Disable Port Range Forwarding and DMZ. You need to enable UPnP as well if your Linksys router has this option (other models don't have this option but it is said to be enabled in the default settings according to their tech support).
To solve the lag problem set your MTU size to 1364. These settings will work even if you have one or multiple consoles running behind the router. -
ASA 5505 9.1 and NAT issues to single dynamic IP
Good afternoon everybody,
a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP).
As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog:
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
At the same time, the console connection shows these two messages:
Asa5505# ERROR: NAT unable to reserve ports.
ERROR: NAT unable to reserve ports.
I have moved both the AnyConnect VPN Essentials and HTTP ports to 10443 and 8080 respectively, so port 443 should be free for NAT.
This is the configuration file. I have marked the lines related to the network objects and their NAT statements; I hope it helps to find out where the problem is.
Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
ASA Version 9.1(5)
hostname Asa5505
domain-name home
enable password XXXXXX encrypted
names
interface Ethernet0/0
description ADSLPPoE
switchport access vlan 2
interface Ethernet0/1
description Internal_LAN
interface Ethernet0/2
description Management_Net
switchport access vlan 3
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
description Uplink
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
description Wireless-POE
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
description Webcam-POE
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.250 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group AliceADSL
ip address pppoe setroute
interface Vlan3
no forward interface Vlan1
nameif management
security-level 100
ip address 10.5.1.250 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.4
domain-name home
object network Exchange-HTTPS
host 192.168.1.150
object network Exchange-SMTP
host 192.168.1.150
object network Network_Inside
subnet 192.168.1.0 255.255.255.0
object network Network_Management
subnet 10.5.1.0 255.255.255.0
access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https
access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1492
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network Exchange-HTTPS
nat (inside,outside) static interface service tcp https https
object network Exchange-SMTP
nat (inside,outside) static interface service tcp smtp smtp
object network Network_Inside
nat (inside,outside) dynamic interface
object network Network_Management
nat (management,outside) dynamic interface
access-group Outside_ACL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 8080
http 10.5.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
vpdn group AliceADSL request dialout pppoe
vpdn group AliceADSL localname aliceadsl
vpdn group AliceADSL ppp authentication pap
vpdn username aliceadsl password ***** store-local
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.1.4 192.168.1.150 interface inside
dhcpd wins 192.168.1.4 interface inside
dhcpd enable inside
dhcpd address 10.5.1.30-10.5.1.40 management
dhcpd dns 208.67.222.222 208.67.220.220 interface management
dhcpd enable management
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 10443
anyconnect-essentials
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXX
: end
Thanks in advance for your precious help!
C.
Update 29th of June:
Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both NAT rules are restored. In 9.1(5) the NAT statements were removed from the running configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf t in order to restore them.
I tried using show xlate before, during, and after the connection drop. As expected, before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During the disconnection the whole xlate table is completely empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring the DSL line up again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If I reload the ASA using reload noconfirm every rule is restored and everything works again.
Two brief questions:
1) in my NAT statements for PAT, does it change anything if I modify them (for example) from
nat (inside,outside) static interface service tcp https https
to
nat (inside,outside) dynamic interface service tcp https https
? Since it seems like the dynamic PAT is restored after a connection drop I was asking myself what happens if I change the rules this way.
2) if there's no other way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self-fixing"? I can't predict how many times a day the line drops and I can't be there 24/7 with my console cable connected in order to restore the NAT statements ^^
Thank you for your precious help and patience!
C. -
Asymmetric NAT rules matched for forward and reverse flows - NAT Issue
Having a problem with a VPN site trying to communicate with a subnet off my ASA 5505. The network is simple: the VPN IPsec remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communication between 192.168.6.0/24 (called FD_net) and 192.168.9.0/24 (called Inside).
The Error:
5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
I understand this is a NAT issue, but I'm not seeing the error and could use a second set of eyes. Here's my current running configuration.
: Saved
ASA Version 8.3(2)
hostname fw1
domain-name xxxxxxxx.xxx
enable password <removed>
passwd <removed>
names
interface Vlan1
description Town Internal Network
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address 173.xxx.xxx.xxx 255.255.255.248
interface Vlan3
description DMZ (CaTV)
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
interface Vlan10
description Infrastructure Network
nameif InfraNet
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 25
ip address 192.168.1.1 255.255.255.0
interface Vlan23
nameif StateNet
security-level 75
ip address 10.63.198.2 255.255.255.0
interface Vlan33
description Police Subnet
shutdown
nameif PDNet
security-level 90
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/5
switchport access vlan 23
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk native vlan 1
switchport mode trunk
shutdown
banner exec Access Restricted to Personnel Only
banner login Access Restricted to Personnel Only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxx.xxx
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.9.20
host 192.168.9.20
object network obj-claggett-https
host 192.168.9.20
object network obj-claggett-imap4
host 192.168.9.20
object network obj-claggett-pop3
host 192.168.9.20
object network obj-claggett-smtp
host 192.168.9.20
object network obj-claggett-imapoverssl
host 192.168.9.20
object network obj-claggett-popoverssl
host 192.168.9.20
object network obj-claggett-smtpwTLS
host 192.168.9.20
object network obj-192.168.9.120
host 192.168.9.120
object network obj-192.168.9.119
host 192.168.9.119
object network obj-192.168.9.121
host 192.168.9.121
object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
object network WirelessClients
subnet 192.168.1.0 255.255.255.0
object network obj-dmznetwork
subnet 192.168.2.0 255.255.255.0
object network FD_Firewall
host 74.94.142.229
object network FD_Net
subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-TownHallNet
subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
subnet 192.168.10.0 255.255.255.0
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group network obj_clerkpc
description Clerk's PCs
network-object object obj-192.168.9.119
network-object object obj-192.168.9.120
network-object object obj-192.168.9.121
object-group network TownHall_Nets
network-object 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
pager lines 24
logging enable
logging asdm debugging
logging mail errors
logging from-address hostmaster@xxxxxxxxx
logging recipient-address john@xxxxxxxxx level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
mtu InfraNet 1500
mtu PDNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
object network obj_any
nat (inside,outside) static interface
object network obj-claggett-https
nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
nat (any,StateNet) static 10.63.198.11
object network obj-wirelessnet
nat (Wireless-Guest,outside) static interface
object network obj-dmznetwork
nat (any,outside) static interface
object network obj_InfraNet
nat (InfraNet,outside) static interface
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.168.9.0 255.255.255.0 inside
http 74.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 173.xxx.xxx.xxx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd auto_config outside
dhcpd address 192.168.2.100-192.168.2.254 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd enable dmz
dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
dhcpd enable Wireless-Guest
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
webvpn
group-policy FDIPSECTunnel internal
group-policy FDIPSECTunnel attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username support password <removed> privilege 15
tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
tunnel-group 173.xxx.xxx.xxx general-attributes
default-group-policy FDIPSECTunnel
tunnel-group 173.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
smtp-server 192.168.9.20
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
: end
Any ideas would be appreciated.
John
I don't see any inspection-commands in your config. Is there a reason for not using any of them?
If your problem is only with ICMP, then you should enable at least icmp-inspection. You can do that easily with the legacy command "fixup protocol icmp"
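To see how the forward and reply lookups of the failing ping can land on two different manual NAT rules, here is a simplified model of the ASA 8.3 section-1 first-match lookup, added for this thread (it is not Cisco code and was not run on the poster's device). It assumes 192.168.9.19 sits behind the inside interface, ignores object NAT, routing and proxy ARP, and the "narrowed" rule set is only a hypothetical variant the model suggests, not a verified fix.

```python
"""Toy model of ASA 8.3 section-1 (manual/twice NAT) first-match lookup.

Added example for this thread; it is not Cisco code and does not reproduce the
real lookup (object NAT, route lookups and proxy ARP are ignored). It only
shows how a forward flow and its reply can hit different manual NAT rules,
which is what the "Asymmetric NAT rules matched" message reports.
"""
from ipaddress import ip_address, ip_network

# Network objects copied from the running config in the thread.
OBJECTS = {
    "FD_Net": [ip_network("192.168.6.0/24")],
    "TownHall_Nets": [ip_network("192.168.10.0/24"), ip_network("192.168.9.0/24")],
    "obj_InfraNet": [ip_network("192.168.10.0/24")],
}


def in_object(name, addr):
    return any(ip_address(addr) in net for net in OBJECTS[name])


class ManualNat:
    """nat (real_if,mapped_if) source static S S destination static D D

    Identity twice NAT is bidirectional: the rule also matches a packet that
    arrives on mapped_if from D and is heading for S.
    """

    def __init__(self, real_if, mapped_if, src_obj, dst_obj):
        self.real_if, self.mapped_if = real_if, mapped_if
        self.src_obj, self.dst_obj = src_obj, dst_obj

    def matches(self, ingress, src, dst):
        forward = (ingress == self.real_if
                   and in_object(self.src_obj, src) and in_object(self.dst_obj, dst))
        reverse = (ingress == self.mapped_if
                   and in_object(self.dst_obj, src) and in_object(self.src_obj, dst))
        return forward or reverse

    def __repr__(self):
        return (f"nat ({self.real_if},{self.mapped_if}) source static "
                f"{self.src_obj} {self.src_obj} destination static "
                f"{self.dst_obj} {self.dst_obj}")


def first_match(rules, ingress, src, dst):
    """Section 1 is evaluated top-down; return the index of the first hit."""
    for i, rule in enumerate(rules):
        if rule.matches(ingress, src, dst):
            return i
    return None


def check_flow(rules, fwd_if, src, rev_if, dst):
    """Forward lookup on the initiating packet, reverse lookup on the reply.

    Returns (forward_rule, reverse_rule, symmetric). The ASA denies the
    connection with "NAT reverse path failure" when the two rules differ.
    """
    fwd = first_match(rules, fwd_if, src, dst)
    rev = first_match(rules, rev_if, dst, src)
    return fwd, rev, fwd is not None and fwd == rev


def page_rules():
    """The two section-1 rules exactly as ordered in the posted config."""
    return [
        ManualNat("InfraNet", "outside", "TownHall_Nets", "FD_Net"),
        ManualNat("inside", "outside", "TownHall_Nets", "FD_Net"),
    ]


def narrowed_rules():
    """Hypothetical variant: the InfraNet rule only covers the InfraNet subnet,
    so 192.168.9.0/24 traffic can no longer match it first."""
    return [
        ManualNat("InfraNet", "outside", "obj_InfraNet", "FD_Net"),
        ManualNat("inside", "outside", "TownHall_Nets", "FD_Net"),
    ]


if __name__ == "__main__":
    # The failing ping from the log: outside 192.168.6.11 -> inside 192.168.9.19.
    for label, rules in (("as posted", page_rules()), ("narrowed", narrowed_rules())):
        fwd, rev, ok = check_flow(rules, "outside", "192.168.6.11", "inside", "192.168.9.19")
        print(f"{label}: forward hits rule {fwd}, reverse hits rule {rev}, "
              f"{'symmetric' if ok else 'ASYMMETRIC'}")
    # An InfraNet host, which the poster can already reach (constructed address).
    print("InfraNet host:", check_flow(page_rules(), "outside", "192.168.6.11",
                                       "InfraNet", "192.168.10.5"))
```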
-
Internal DNS server and NAT routing issue.
Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
We have a cisco router configured with one to one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and and NAT on that subnet under a different public IP provided by our ISP.
Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
Thanks
> Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying. -
Console Gaming - NAT Issues - Workaround and Solut...
I've already used the BT Broadband Contact Us, to raise this issue. They said it was beyond them and that they'd forward me an address for a technical forum. They've not managed to do so yet, so I'm trying here.
Problem:
NAT hole punching regularly fails between peers/players, manifests as "Cannot chat to player due to NAT Issues" on many different broadband routers.
TL/DR:
The BT Home Hub iptables INPUT chain should have a default action of DROP and not REJECT.
Long Version:
I'm a network engineer and programmer analyst and have been for approaching two decades. I'm also a gamer. I'm regularly frustrated by NAT Issue errors while trying to play online games with my friends.
Frustrated for so long, we decided to start analysing the problem. Using packet captures and simulations, we have reproduced the problem and identified dubious logic in the netfilter conntrack module in the Linux kernel.
When it works:
When using a Playstation 4 to play Destiny, using either in-game or PS Party chat, each console uses a NAT discovery service to find its external IP address and make an educated guess as to whether there is port translation.
At the end of this process, each Player Console receives IP/Port pairs for the other players; they then emit UDP from their desired port to the IP/Port pair of each of the other Players. These UDP packets pass through their NATing routers and establish conntrack entries for the source ip/port, destination ip/port and protocol (from here on referred to as the five-tuple) with NAT associations with the console's LAN ip address and port; this is the hole-punching.
All being well, each player's console has created an association for each of the other players' packets to come back through, and then they are able to send each other data on these ports.
When it doesn't work:
However, here's the race condition: if player B's packet reaches player A's router before player A has sent theirs, there is no NAT association, no conntrack entry for the 5-tuple. The incoming packet is instead considered as intended for the router.
The iptables configuration on the router says that the packet is not allowed and REJECTs it, sending an ICMP destination unreachable packet in response. This reply is then inspected by conntrack, which decapsulates it and erroneously creates a conntrack entry for the 5-tuple.
Now when Player A's console does manage to send its own hole punching UDP packet, the 5-tuple for the desired hole is associated with the router's ICMP destination-unreachable. So Player A's packet can't have the desired port number and is renumbered to the first available port (e.g. 1025). Player B's subsequent packets to A follow the conntrack entry started by the ICMP destination-unreachable and are sent to the router, which continues to reject them.
How to fix this mess
Linux conntrack
Arguably the decapsulation of the ICMP payload and the usage of it to create a conntrack entry is erroneous. The ICMP unreach should not stop the port from being used by a NAT client.
This will take a long time to fix and when fixed may never be back-ported to home routers which may never see new firmware again anyway.
Modify the router's configuration
If the router dropped instead of rejecting the traffic (a relatively simple administrative task given appropriate access), the ICMP destination-unreachable wouldn't be generated, conntrack wouldn't create the erroneous entry, and then even if Player B's packets arrived before Player A had sent theirs, it would still work.
Disable the "firewall" and put your console in the "DMZ"
These are terms borrowed from the Home Hub 3 admin interface. If you set your console as the "DMZ", it will receive any internet traffic that isn't associated with an already established flow. Actually at this point I'm not certain whether or not you *have* to set the "firewall" to disabled. It depends on how the "firewall" is implemented.
On my console disabling the firewall and setting the console to be the DMZ works around the problem. However, you can only have one default NAT target. So any other device suffering from this problem would be out of luck without you reconfiguring your router each time. Also I'm not thrilled by my console receiving unfiltered internet traffic.
In closing
Race-conditions depend on timings. This one is exacerbated by low latency between players. In this case the difference between server<->PlayerA and server<->PlayerB latencies has to be lower than the PlayerA<->PlayerB latency. If PlayerA and PlayerB have low latency between each other they are more likely to suffer from this problem.
Please, please, please bring this to the attention of someone who is responsible for the configuration of your routers. A simple configuration change on the HomeHub would prevent this problem from happening and remove the need for customers to add special configuration to their router and lower their security.
Thanks for reading.
Matt
Welcome to this forum.
This is a customer to customer forum only.
This is where customers help each other get the most out of BT products & services.
Anything you post here does not go to BT. Although the forum is moderated by BT, not all posts are read.
This is a public forum which can be viewed worldwide, so please do not post any personal information, especially phone numbers, account numbers, fault numbers, address information or email addresses, as this could be used to impersonate you.
I would suggest that maybe you try using a different router?
There are some useful help pages here, for BT Broadband customers only, on my personal website.
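The race Matt describes in the original post, played out in a toy simulation added here (not his captures and not netfilter code): a small conntrack table stands in for the kernel, the router's INPUT policy is either "reject" or "drop", and the addresses, ports and the 1025 fallback port are constructed for the example.

```python
"""Simulation of the UDP hole-punch race described in the post above.

Added example, not the poster's captures or netfilter code: a toy conntrack
table stands in for the kernel, "reject" models an INPUT policy of REJECT and
"drop" models DROP. Addresses and ports are constructed for the example.
"""
from dataclasses import dataclass, field

ROUTER = "router"      # owner value meaning "the router itself"
DROPPED = "dropped"    # result when a packet is silently discarded


@dataclass
class NatRouter:
    public_ip: str
    lan_ip: str
    input_policy: str           # "reject" or "drop"
    next_free_port: int = 1025  # where PAT falls back to when the wanted port is taken
    # (public_ip, public_port, remote_ip, remote_port) -> owner of that UDP 5-tuple
    conntrack: dict = field(default_factory=dict)

    def inbound(self, remote_ip, remote_port, public_port):
        """Packet from the internet to public_ip:public_port; returns who gets it."""
        key = (self.public_ip, public_port, remote_ip, remote_port)
        owner = self.conntrack.get(key)
        if owner is not None:
            return owner            # established flow: follow the existing entry
        # No association yet, so the packet is treated as addressed to the router.
        if self.input_policy == "reject":
            # REJECT answers with ICMP port-unreachable quoting the UDP header.
            # Per the post, conntrack parses that quote and records the 5-tuple
            # as a router-owned flow. This is the erroneous entry.
            self.conntrack[key] = ROUTER
            return ROUTER
        return DROPPED              # DROP: no ICMP, no conntrack entry

    def outbound(self, lan_port, remote_ip, remote_port):
        """Console sends from lan_ip:lan_port, preferring the same public port.

        Returns the public port actually used after NAT.
        """
        wanted = (self.public_ip, lan_port, remote_ip, remote_port)
        owner = self.conntrack.get(wanted)
        if owner is None or owner == (self.lan_ip, lan_port):
            self.conntrack[wanted] = (self.lan_ip, lan_port)
            return lan_port
        # The tuple already belongs to someone else (here: the router), so the
        # NAT has to pick a different public port, e.g. 1025.
        port = self.next_free_port
        self.next_free_port += 1
        self.conntrack[(self.public_ip, port, remote_ip, remote_port)] = (self.lan_ip, lan_port)
        return port


def simulate(input_policy, b_arrives_first):
    """Player A's router with the given INPUT policy; Player B at 198.51.100.7.

    Returns (public port A ended up on, who receives B's next packet to A:3074).
    """
    a = NatRouter(public_ip="203.0.113.10", lan_ip="192.168.1.20",
                  input_policy=input_policy)
    b_ip, b_port, punch_port = "198.51.100.7", 3074, 3074
    if b_arrives_first:
        a.inbound(b_ip, b_port, punch_port)      # B's packet wins the race
    a_public_port = a.outbound(punch_port, b_ip, b_port)
    # B keeps sending to the port the NAT discovery service told it about.
    receiver = a.inbound(b_ip, b_port, punch_port)
    return a_public_port, receiver


if __name__ == "__main__":
    for policy in ("reject", "drop"):
        for b_first in (False, True):
            port, who = simulate(policy, b_first)
            print(f"INPUT {policy.upper():6} B first={b_first!s:5} -> "
                  f"A punched from {port}, B's packets reach {who}")
```

Only the REJECT policy with B's packet arriving first ends with A renumbered to 1025 and B's traffic stuck at the router; with DROP the early packet is simply lost and B's retry reaches the console.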
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones. -
Complex NAT and ACL issue with multiple VLANS
Hello Forum.
We have about 12 different VLANS behind an ASA 5515-x. One of those vlans contains a webserver and a DNS server (different machines, different IP addresses). ASDM 7.1.3
From outside the firewall, people need to be able to get to the webserver via http, https and a custom port (3390). From outside the firewall, no one needs DNS access.
From INSIDE the firewall, things are much more complicated. They need access to the DNS server from all VLANS and they need access to the Webserver from all VLANS.
The VLANS themselves are defined on the core switches, not the ASA. The VLAN labels and network subnets increment by 5 (except in the first 5 numbers) and the VLAN subnets are equal to the VLAN name. So for example VLAN 10 is on the 10.10.10.x subnet, VLAN 20 is on the 10.10.20.x subnet, and so on. Each subnet is 24 bits.
WHAT WORKS:
Outside_in: http, RDP work fine. Pretty sure I will be able to get https myself, so not looking for help there
Inside_in: traffic from vlan 10 to vlan 5 works fine, but I think that is in part due to the any any allow rule on the vlan 10 interface. Apart from that, all vlans can get out to the web, but they cannot get proper DNS resolution or access the webserver across vlans.
I have looked at the access lists, I have looked at NATting the DNS, but it is not working, and I am not sure why. Any assistance would be appreciated
Tried that, no joy. It said that the problem was a NAT issue, but I cannot figure it out. The NAT rule looks right, but is not because it doesn't work
-
Moderate to open back and forth NAT issue
I'm trying to play on Xbox Live but I've been having to reset my router every day to create an open NAT. I've talked with customer support for Verizon and Actiontec. Verizon sent me a new router, which solved nothing, but aside from this I've not been able to reach someone who could understand port forwarding or why I would want to do it.
My issue is that I would like to forward the necessary ports once, keep them forwarded, and not have to reset (sometimes to factory specs) every day. To be clear, I've set up the forwarding but it is as if the router does not recognize the parameters until it is reset. Sometimes my nat will change during the middle of gameplay as well. This has been very frustrating so any help you can offer would be great because I'm not getting it from the phone techs.
Specs:
Actiontec MI424WR rev. l. firmware:40.19.36
Xbox 360 wired to router
Fios 75/35
Ports Forwarded 3074 both, 53 both, 80 TCP, 88 UDP (yes they are set up correctly)
Static IP set (yes it is set up correctly)
Additionally, Xbox Live's website notes a bug in the MI424WR that causes nat switching. The solution is to go into the upnp settings, however, access to upnp is not available in rev. l's firmware.
http://forums.xbox.com/xbox_forums/xbox_support/networking-hardware/01-modems-gateways/actiontec/f/3...
From http://forums.verizon.com/t5/FiOS-Internet/mi424wr-gen3g-with-hardware-version-g-doesn-t-have-upnp/t...
UPNP was hidden in this release software. Fortunately it's there, but you have to know the direct URL.
Firmware 4.19.36
UpNP hidden Menu
http://192.168.1.1/index.cgi?active%5fpage=900
IGMP proxy Hidden Menu
http://192.168.1.1/index.cgi?active_page=6059
-
MGCP and H323 redundancy calling issue......
I have Call Manager 7.1 and there are 2 MGCP gateways registered on the CUCM. Each gateway has 1 PRI line and this setup is working fine. Now I am adding a new PRI line for redundancy purposes. So I have added the new E1 card for each gateway and then I have created the H323 trunk between the Voice gateway and CUCM. I have configured the Route Group and Route List for MGCP and H323. If the primary MGCP is down, the call is auto routed to H323.
Now when MGCP is down, call is auto routed to H323 and its hitting on the proper PRI port but call is not getting established and incoming is working fine.
Kindly find the isdn debug for your reference:
DEL-2921-ROUTER(config)#
DEL-2921-ROUTER(config)# debug isdn q931
Jan 31 16:52:34.655: ISDN Se0/0/0:15 Q931: Ux_DLRelInd: DL_REL_IND received from L2
Jan 31 16:52:44.655: ISDN Se0/0/0:15 Q931: Ux_DLRelInd: DL_REL_IND received from L2
Jan 31 16:52:47.267: ISDN Se0/2/0:15 Q931: Applying typeplan for sw-type 0x12 is 0x0 0x0, Calling num 6272
Jan 31 16:52:47.267: ISDN Se0/2/0:15 Q931: Sending SETUP callref = 0x00AC callID = 0x802D switch = primary-net5 interface = User
Jan 31 16:52:47.267: ISDN Se0/2/0:15 Q931: TX -> SETUP pd = 8 callref = 0x00AC
Sending Complete
Bearer Capability i = 0x8090A3
Standard = CCITT
Transfer Capability = Speech
Transfer Mode = Circuit
Transfer Rate = 64 kbit/s
Channel ID i = 0xA9839F
Exclusive, Channel 31
Calling Party Number i = 0x0081, '6272'
Plan:Unknown, Type:Unknown
Called Party Number i = 0x80, '09821444335'
Plan:Unknown, Type:Unknown
Jan 31 16:52:47.295: ISDN Se0/2/0:15 Q931: RX <- RELEASE_COMP pd = 8 callref = 0x80AC
Cause i = 0x82D2 - Identified channel does not exist
Jan 31 16:52:54.675: ISDN Se0/0/0:15 Q931: Ux_DLRelInd: DL_REL_IND received from L2
DEL-2921-ROUTER(config)#
THANKS IN ADVANCE.....
Hi Rupesh,
The cause code "Identified channel does not exist" means: This code indicates a call attempted on a channel that is not configured on the far end. This could happen if you are using a fractional PRI.
Please ask the remote end for the number of channels configured and you can configure that number of channels accordingly at your end.
In CUCM 7.1 there is a service parameter which will help you use the number of channels you require; the rest of the channels you can mark as busy so that CUCM won't select them.
Service Parameters > Call Manager > Advanced > CTRL-F > "maintenance"
In that you will find "Change B-Channel Maintenance Status"; mark the channels you don't want to use as 1.
For further information regarding this parameter you can click on that parameter and you will get more information.
And to enable above mentioned parameter, go to MGCP Gateway configuration page and check the box "Enable Status Poll"
Regards,
Nishant Savalia -
NAT issue - WRT54G Version 1.1 with Vista Home Premium
Router = WRT54G Version 1.1
I am trying to figure out the cause of my problems, this router or Vista?
I have 2 PC’s (just want to use my Vista 1) connected to the same router that is connected to a cable modem – the Windows XP machine has no problems bar its age and spec. I have a brand new PC with Vista Home Premium installed on it, now it is this new PC that I am having NAT problems with and port blocking.
I have installed Windows Live Messenger and when setting it up I went into Tools/Options/Connections and I get an error message:- "You are connected to the internet through a UPnP port restricted NAT. The Windows Firewall is enabled. (User)"
I have no option to run the trouble shooter (greyed out)…….
If I turn off Windows Vista Firewall I get:- "You are connected to the internet through a UPnP port restricted NAT. (User)”
Since this I have installed Media server software and have to reset the port it uses every time as it is always stating that it is blocked.
I have downloaded OpenOffice via a torrent client which also stated that I had NAT problems.
I have no NAT issues at all on my older XP PC and as a result I believe it is safe to rule out my router and modem……..I have only disabled Windows Firewall and this had made no difference, but I have not tried uninstalling it (no idea if that would make a difference)
Oh, I do not have UPnP enabled (router setting) – does this matter (I have tried turning it on but made no difference to this issue so I turned it off again)?
Message Edited by jomuir on 08-23-2007 02:50 AM
-
user11241256 wrote:
Documentation states that Oracle is supported on Vista Business and Ultimate. Unfortunately I have Home Premium 64 and was curious if anyone had experience installing on this OS. I did attempt to install the 11g and I got one warning below that I could not find in the documentation for errors.
You have answered your query yourself.
You might be able to get the things running on an unsupported combination but there is no guarantee about the stability. -
H323 static Nat doesn't work fine on 3900 series router with IOS 15.2(3) T
Hi,
I have a problem with static nat setting on my 3925 router with IOS15.2(3). The scenario is like this:
I set a static nat between 172.16.1.2 and x.x.x.x(public IP address) using following command:
ip nat inside source static 172.16.1.2 x.x.x.x
The intranet IP address is set on a video conference system from Huawei. After setting all these things, ping works fine to this public IP address, but the video conference cannot be built. I tried the same setting using another 2811 router with IOS 12.4 and it worked fine, which means the problem should be isolated to this 3925 router. Full config is also attached; sorry that I eliminated the public IP address and used other characters instead.
Additionally, I debugged ip natting and I see following information when making video calls:
router#debug ip nat h323
IP NAT H323 debugging is on
router#
*Jul 10 09:11:07.343: NAT[0]: H323: received pak, payload_len=0
*Jul 10 09:11:07.343: [NAT[0]: H323 ACK packet ? FALSE
*Jul 10 09:16:15.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:16:15.731: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:16:57.215: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:16:57.215: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:17:02.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:17:02.731: [NAT[1]: H323 ACK packet ? FALSE
*Jul 10 09:17:14.731: NAT[1]: H323: received pak, payload_len=0
*Jul 10 09:17:14.731: [NAT[1]: H323 ACK packet ? FALSE
This problem has been bothering me for weeks. Hope that someone could help me out. Many thanks in advance.
Regards,
Angran
Hi,
I have the same requirement for a customer, not for video but for audio calls. I have a remote office with h.323 phones and they need to get registered to a GK in the central office to send and receive voice calls. Did you make it work? Can you share the config please? -
Never had this happen before. Installed Border in a lab setting..nw6.5
sp1a overlay cd, then border 3.8, then sp2 then tcp645j...
The first thing I always try to do is get dynamic NAT working then I
worry about the proxy services and so on. Opened icmp all the way so I
could test ping.
Server can ping both it's public and private interface, and can ping
points beyond on both sides of those two interfaces.
Workstation can ping border's private and public IP's but nothing beyond
the public IP. Traceroute never returns anything. Seems like Nat just
isn't working. Turned it off and back on...no help there.
I've set this up many times in outlying offices and in my lab...for
some reason this time it won't work. I've even blown it out and redone
my set up from the beginning...same thing....Yes, dynamic nat passtru is
set on....
Tried to do the tcpip debug = 1 thing...the packets rolled off logger
such that I could not get an F2 to save a darn thing....You wouldn't
think a brand new box would have all the much traffic just yet...
Version of NAT is 7.00.07, trying very hard to understand what's going
on here. Ideas on why nat won't work?
Jim Michael wrote:
> jim fixit wrote:
>
>
>>nw65 sp1a as indicated, bm 3.8sp2 not happy together....
>
>
> I'm running that combo here (same NAT.NLM too), and don't have the NAT
> issue you describe.
>
> --
> Jim
> NSC Sysop
hmm yes...I'm running a similar set up in a number of branch offices so
I'm really hard pressed to understand what is with NAT or if it is even
NAT at all that is having the issue..... -
Hi,
I have built an entire rtsp/rtp server to stream multimedia files and the webcam.
I can more or less successfully stream video content on a LAN, but even if I make my server public on the internet, there remain NAT issues regarding the client.
What I wish to do is to embed an applet within the webserver so that the end-user doesn't require a third-party client to watch his content.
I've built an applet following the SimplePlayerApplet example, which works on a LAN.
Now what I would like to do is to get information from the RTSP session, particularly the RTP source port, in order to send a single datagram, so that the firewall/router can bind the internal client port to its public port. This way the server can serve RTP/UDP packets that may be able to cross the router. I read that STUN servers use this method to resolve UDP crossing of routers.
The thing is that with a Player object, I can't get any information regarding RTP session. I'd rather avoid to use an RTPManager because this way, I would have to redo all the RTSP(client-side) thing.
Can you please help ?
Thanks in advance.
If you need to play a real player file then see the Java Media Framework API; it supports many media file types, and you can also play any media file from the server side.
go to :
http://java.sun.com/products/java-media/jmf/index.html