H323 and NAT issue

Hello all,
I have a router 1812 Version 12.4(15)T16, RELEASE SOFTWARE (fc2). Router is doing NAT.
I have a lifesize videoconference system. Calls with h323 are dropped after 30 seconds.
I have these ip inspect rules:
- ip inspect name SDM_LOW h323
- ip inspect name SDM_LOW h323callsigalt
interface FastEthernet0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip access-group 102 in
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 crypto map SDM_CMAP_1
 service-policy input sdmappfwp2p_SDM_LOW
 service-policy output sdmappfwp2p_SDM_LOW
When I start a communication, I have
sh ip inspect sessions
Session 85AE7150 (50.59.87.241:60118)=>(192.168.200.200:60016) h323-RTP-audio SIS_OPEN
Session 85AE12C0 (50.59.87.241:60119)=>(192.168.200.200:60017) h323-RTCP-audio SIS_OPEN
Session 85AE39B0 (192.168.200.200:60001)=>(50.59.87.241:62830) h245-media-control SIS_OPEN
Session 841F7CEC (192.168.200.200:60005)=>(50.59.87.241:1720) h323 SIS_OPEN
Session 85AE20A8 (50.59.87.241:60120)=>(192.168.200.200:60018) h323-RTP-video SIS_OPENING
Session 85ADE0B0 (50.59.87.241:60121)=>(192.168.200.200:60019) h323-RTCP-video SIS_OPENING
Session 85AE4D28 (50.59.87.241:60122)=>(192.168.200.200:60020) h323-RTP-data SIS_OPENING
Session 85ADCD38 (50.59.87.241:60123)=>(192.168.200.200:60021) h323-RTCP-data SIS_OPENING
Pre-gen session 85ADA648  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
Pre-gen session 85AD92D0  192.168.200.200[1024:65535]=>50.59.87.241[60121:60121] h323-RTCP-video
Pre-gen session 85ADB6F8  192.168.200.200[1024:65535]=>50.59.87.241[60123:60123] h323-RTCP-data
Pre-gen session 85AD9008  192.168.200.200[1024:65535]=>50.59.87.241[60118:60118] h323-RTP-audio
Pre-gen session 85AE5848  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
Where 192.168.200.200 is local IP and 50.59.87.241 the server I try to reach.
Any idea of what is going on? Why are calls dropped after 30 seconds?
Something with NAT?
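The `sh ip inspect sessions` table quoted above can be checked mechanically; this added example (not from the original thread or from Cisco) parses it and reports which H.323 media channels never reached SIS_OPEN and which inbound media streams have no pre-generated outbound pinhole, the two things a firewall engineer would look at first when a call dies after a fixed number of seconds. It assumes, as the post states, that 192.168.200.200 is the local endpoint and 50.59.87.241 the remote one.

```python
import re
from collections import defaultdict

# The 'sh ip inspect sessions' output quoted in the post, embedded here so the
# script runs offline. 192.168.200.200 is the local endpoint, 50.59.87.241 the
# remote system being called (both values taken from the post).
SAMPLE_OUTPUT = """\
Session 85AE7150 (50.59.87.241:60118)=>(192.168.200.200:60016) h323-RTP-audio SIS_OPEN
Session 85AE12C0 (50.59.87.241:60119)=>(192.168.200.200:60017) h323-RTCP-audio SIS_OPEN
Session 85AE39B0 (192.168.200.200:60001)=>(50.59.87.241:62830) h245-media-control SIS_OPEN
Session 841F7CEC (192.168.200.200:60005)=>(50.59.87.241:1720) h323 SIS_OPEN
Session 85AE20A8 (50.59.87.241:60120)=>(192.168.200.200:60018) h323-RTP-video SIS_OPENING
Session 85ADE0B0 (50.59.87.241:60121)=>(192.168.200.200:60019) h323-RTCP-video SIS_OPENING
Session 85AE4D28 (50.59.87.241:60122)=>(192.168.200.200:60020) h323-RTP-data SIS_OPENING
Session 85ADCD38 (50.59.87.241:60123)=>(192.168.200.200:60021) h323-RTCP-data SIS_OPENING
Pre-gen session 85ADA648  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
Pre-gen session 85AD92D0  192.168.200.200[1024:65535]=>50.59.87.241[60121:60121] h323-RTCP-video
Pre-gen session 85ADB6F8  192.168.200.200[1024:65535]=>50.59.87.241[60123:60123] h323-RTCP-data
Pre-gen session 85AD9008  192.168.200.200[1024:65535]=>50.59.87.241[60118:60118] h323-RTP-audio
Pre-gen session 85AE5848  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
"""

# "Session <id> (src:port)=>(dst:port) <protocol> <SIS_state>"
SESSION_RE = re.compile(
    r"^Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_[A-Z_]+)\s*$")

# "Pre-gen session <id> src[lo:hi]=>dst[lo:hi] <protocol>"  (pinhole opened in
# advance from the H.245 negotiation, before any packet has matched it)
PREGEN_RE = re.compile(
    r"^Pre-gen session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"(?P<src>[\d.]+)\[(?P<slo>\d+):(?P<shi>\d+)\]=>"
    r"(?P<dst>[\d.]+)\[(?P<dlo>\d+):(?P<dhi>\d+)\]\s+(?P<proto>\S+)\s*$")


def parse_inspect_sessions(text):
    """Return (sessions, pregen) as lists of dicts; lines that match neither
    pattern (headers, blank lines) are ignored."""
    sessions, pregen = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            sessions.append(d)
            continue
        m = PREGEN_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("slo", "shi", "dlo", "dhi"):
                d[k] = int(d[k])
            pregen.append(d)
    return sessions, pregen


def is_media(session):
    """RTP and RTCP channels (audio, video, data) as CBAC names them."""
    return "-RTP-" in session["proto"] or "-RTCP-" in session["proto"]


def stuck_media(sessions):
    """Media sessions that never reached SIS_OPEN: the pinhole exists but no
    packet in the reverse direction has been seen yet. CBAC removes idle UDP
    sessions after 'ip inspect udp idle-time' (30 seconds by default), so a
    channel stuck here is a plausible cause of a call that dies at 30 s."""
    return [s for s in sessions if is_media(s) and s["state"] != "SIS_OPEN"]


def inbound_media_without_outbound_pinhole(sessions, pregen, local_ip):
    """Remote ports of inbound media sessions (remote -> local) for which no
    pre-generated outbound pinhole (local -> that same remote port) exists.
    RTP/RTCP flow in both directions, so a missing outbound entry means the
    local endpoint's stream toward that port has nothing in the table."""
    outbound_ports = {p["dlo"] for p in pregen if p["src"] == local_ip}
    return sorted({s["sport"] for s in sessions
                   if is_media(s) and s["dst"] == local_ip
                   and s["sport"] not in outbound_ports})


def call_report(text, local_ip):
    """Summarise the table per remote endpoint: open channels, channels not
    yet open, and inbound media ports lacking an outbound pinhole."""
    sessions, pregen = parse_inspect_sessions(text)
    report = defaultdict(lambda: {"open": [], "not_open": [], "missing_outbound": []})
    for s in sessions:
        remote = s["dst"] if s["src"] == local_ip else s["src"]
        key = "open" if s["state"] == "SIS_OPEN" else "not_open"
        report[remote][key].append(s["proto"])
    for port in inbound_media_without_outbound_pinhole(sessions, pregen, local_ip):
        remote = next(s["src"] for s in sessions
                      if s["dst"] == local_ip and s["sport"] == port)
        report[remote]["missing_outbound"].append(port)
    return dict(report)


if __name__ == "__main__":
    for remote, info in call_report(SAMPLE_OUTPUT, "192.168.200.200").items():
        print(f"remote {remote}")
        print("  open:               ", ", ".join(info["open"]))
        print("  not yet open:       ", ", ".join(info["not_open"]))
        print("  no outbound pinhole:", info["missing_outbound"])
```

On the quoted table this flags all four video and data channels as never opened and shows that the inbound RTP-video (60120) and RTP-data (60122) streams have no outbound counterpart, which narrows the question to why the local endpoint's video and data streams are not traversing the router.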

Hi Alessandro,
Configuration below:
ip inspect tcp reassembly queue length 200
ip inspect tcp reassembly timeout 10
ip inspect name SDM_LOW appfw SDM_LOW
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW http
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW h323callsigalt
ip inspect name SDM_LOW skinny
ip inspect name SDM_LOW sip-tls
ip inspect name SDM_LOW sip
ip inspect name SDM_LOW esmtp max-data 50000000
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW streamworks
WAN_INTERFACE = xxx.xxx.xxx
interface FastEthernet0
 ip address WAN_INTERFACE.226 255.255.255.248
 ip access-group 102 in
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 crypto map SDM_CMAP_1
 service-policy input sdmappfwp2p_SDM_LOW
 service-policy output sdmappfwp2p_SDM_LOW
Inbound ACL
access-list 102 remark SDM_ACL Category=3
access-list 102 permit tcp any host WAN_INTERFACE.228 eq www log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 443 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 558 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1023 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1024 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1503 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1718 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1719 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1720 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 4001 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 11720 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 17518 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60000 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60001 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60002 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60003 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60004 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60005 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60000 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1023 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1024 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1718 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1719 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1720 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 5060 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 17518 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60001 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60002 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60003 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60004 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60005 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60006 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60007 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60008 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60009 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60010 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60011 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60012 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60013 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60014 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60015 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60016 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60017 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60018 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60019 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60020 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60021 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60022 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60023 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60024 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60025 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 3389 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 3389 log
[ Some ipsec rules ]
access-list 102 permit tcp any host WAN_INTERFACE.230 eq 22
access-list 102 permit tcp any host WAN_INTERFACE.230 eq www
access-list 102 permit tcp any host WAN_INTERFACE.227 eq smtp
access-list 102 permit udp any host WAN_INTERFACE.227 eq 80
access-list 102 permit tcp any host WAN_INTERFACE.227 eq www
access-list 102 permit tcp any host WAN_INTERFACE.227 eq ftp
access-list 102 permit tcp any host WAN_INTERFACE.226 eq 1723
access-list 102 permit tcp any host WAN_INTERFACE.226 eq 47
ip nat inside source static udp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_32 extendable
ip nat inside source static tcp LAN_INTERFACE 80 WAN_INTERFACE.228 80 route-map SDM_RMAP_15 extendable
ip nat inside source static tcp LAN_INTERFACE 443 WAN_INTERFACE.228 443 route-map SDM_RMAP_7 extendable
ip nat inside source static tcp LAN_INTERFACE 558 WAN_INTERFACE.228 558 route-map SDM_RMAP_47 extendable
ip nat inside source static tcp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_77 extendable
ip nat inside source static udp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_78 extendable
ip nat inside source static tcp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_73 extendable
ip nat inside source static udp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_74 extendable
ip nat inside source static tcp LAN_INTERFACE 1503 WAN_INTERFACE.228 1503 route-map SDM_RMAP_75 extendable
ip nat inside source static tcp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_86 extendable
ip nat inside source static udp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_87 extendable
ip nat inside source static tcp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_42 extendable
ip nat inside source static udp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_43 extendable
ip nat inside source static tcp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_28 extendable
ip nat inside source static udp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_44 extendable
ip nat inside source static tcp LAN_INTERFACE 4001 WAN_INTERFACE.228 4001 route-map SDM_RMAP_72 extendable
ip nat inside source static udp LAN_INTERFACE 5060 WAN_INTERFACE.228 5060 route-map SDM_RMAP_29 extendable
ip nat inside source static tcp LAN_INTERFACE 11720 WAN_INTERFACE.228 11720 route-map SDM_RMAP_71 extendable
ip nat inside source static tcp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_45 extendable
ip nat inside source static udp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_46 extendable
ip nat inside source static tcp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_30 extendable
ip nat inside source static tcp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_31 extendable
ip nat inside source static udp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_33 extendable
ip nat inside source static tcp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_66 extendable
ip nat inside source static udp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_34 extendable
ip nat inside source static tcp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_67 extendable
ip nat inside source static udp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_35 extendable
ip nat inside source static tcp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_68 extendable
ip nat inside source static udp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_36 extendable
ip nat inside source static tcp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_69 extendable
ip nat inside source static udp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_37 extendable
ip nat inside source static udp LAN_INTERFACE 60006 WAN_INTERFACE.228 60006 route-map SDM_RMAP_38 extendable
ip nat inside source static udp LAN_INTERFACE 60007 WAN_INTERFACE.228 60007 route-map SDM_RMAP_39 extendable
ip nat inside source static udp LAN_INTERFACE 60008 WAN_INTERFACE.228 60008 route-map SDM_RMAP_48 extendable
ip nat inside source static udp LAN_INTERFACE 60009 WAN_INTERFACE.228 60009 route-map SDM_RMAP_49 extendable
ip nat inside source static udp LAN_INTERFACE 60010 WAN_INTERFACE.228 60010 route-map SDM_RMAP_50 extendable
ip nat inside source static udp LAN_INTERFACE 60011 WAN_INTERFACE.228 60011 route-map SDM_RMAP_51 extendable
ip nat inside source static udp LAN_INTERFACE 60012 WAN_INTERFACE.228 60012 route-map SDM_RMAP_52 extendable
ip nat inside source static udp LAN_INTERFACE 60013 WAN_INTERFACE.228 60013 route-map SDM_RMAP_53 extendable
ip nat inside source static udp LAN_INTERFACE 60014 WAN_INTERFACE.228 60014 route-map SDM_RMAP_54 extendable
ip nat inside source static udp LAN_INTERFACE 60015 WAN_INTERFACE.228 60015 route-map SDM_RMAP_55 extendable
ip nat inside source static udp LAN_INTERFACE 60016 WAN_INTERFACE.228 60016 route-map SDM_RMAP_56 extendable
ip nat inside source static udp LAN_INTERFACE 60017 WAN_INTERFACE.228 60017 route-map SDM_RMAP_57 extendable
ip nat inside source static udp LAN_INTERFACE 60018 WAN_INTERFACE.228 60018 route-map SDM_RMAP_58 extendable
ip nat inside source static udp LAN_INTERFACE 60019 WAN_INTERFACE.228 60019 route-map SDM_RMAP_59 extendable
ip nat inside source static udp LAN_INTERFACE 60020 WAN_INTERFACE.228 60020 route-map SDM_RMAP_60 extendable
ip nat inside source static udp LAN_INTERFACE 60021 WAN_INTERFACE.228 60021 route-map SDM_RMAP_61 extendable
ip nat inside source static udp LAN_INTERFACE 60022 WAN_INTERFACE.228 60022 route-map SDM_RMAP_62 extendable
ip nat inside source static udp LAN_INTERFACE 60023 WAN_INTERFACE.228 60023 route-map SDM_RMAP_63 extendable
ip nat inside source static udp LAN_INTERFACE 60024 WAN_INTERFACE.228 60024 route-map SDM_RMAP_64 extendable
ip nat inside source static udp LAN_INTERFACE 60025 WAN_INTERFACE.228 60025 route-map SDM_RMAP_65 extendable
ip nat inside source static LAN_INTERFACE WAN_INTERFACE.228 route-map SDM_RMAP_76
All SDM_RMAP are like this one below:
route-map SDM_RMAP_32 permit 1
 match ip address 141
access-list 141 remark SDM_ACL Category=2
access-list 141 deny   ip host LAN_INTERFACE 10.0.5.0 0.0.0.31
access-list 141 deny   ip host LAN_INTERFACE 10.0.5.40 0.0.0.1
access-list 141 permit udp host LAN_INTERFACE eq 60000 any

Similar Messages

  • H323 and nat

    hi all ,
    I'm performing an h323 video conf with a Polycom solution (PVX and iPower) (one endpoint on a private LAN, one endpoint on the internet).
    Between iPower and PVX all works fine; between PVX and PVX video works but I can't use the H239 PVX option.
    It looks like a NAT issue. Does anybody still experience that?
    Is H239 well supported by NAT?
    Thanks

    Thanks for answering,
    I made some Ethereal captures and when H239 is activated on the PVX the IOS firewall (NAT) is unable to locate the IP address in the payload
    (all works fine if H239 isn't activated).
    So the PVX sends its video stream to a private IP address.
    H239 isn't supported by NAT on 12.4(2)T Advanced IP.

  • Double computer name on network and NAT issue with Back to My Mac

    These are the problems I am having:
    When my MacPro workstation (which on the network is named "The Beast") wakes from sleep - I get a message saying "there is already a computer on the network with the name "The Beast". Other computers on the network can now find you at "The Beast-2"" and it gives me a new name in the file sharing preferences - even though it is the only computer on the network with that name.
    Why is this happening?
    The other problem is with Back to My Mac - When I try to enable it - I get an error message saying "Turn off NAT Addressing" - which I thought was turned off since the AEBS is in Bridge Mode. Why is this happening?
    Here is my network setup which consists of the Modem / Router from my ISP - an Airport Extreme Base Station and one Airport Express - which is connected to my MacPro via ethernet. The MacPro does not have an airport card installed and is running OSX 10.6.8 - all other computers / devices are running 10.7.x and iOS6).
    VDSL Modem / Router (from Internet provider) with wireless turned off - (so it is not broadcasting a competing wireless signal) - connected via ethernet to my Airport Extreme Base Station.
    Here are all the settings on the AEBS and the Airport Express: - I am using Airport Utility 5.6.1 on my Mac Pro running OSX 10.6.8 - so the setup prefs are different than the newer version of Airport Utility found on 10.7.x systems - but both work fine. Although I did notice that the option to allow ethernet clients to connect to the Airport Express does not exist (or I just didn't find it) in the newer version of Airport Utility.
    Airport Extreme Base Station is set up as follows:
    Wireless Mode: Create a Wireless Network
    Wireless Settings:
    Allow this network to be extended IS CHECKED
    Radio Mode: 802.11n (b and g compatible)
    Wireless Security: WPA/WPA2 Personal
    Access Control:
    MAC Address Access Control: Not Enabled
    Internet Settings:
    Internet Connection:
    Connect Using: Ethernet
    Connection Sharing: OFF (Bridge Mode).
    TCP/IP:
    Configure IPv4: Using DHCP
    Advanced Settings:
    Logging & Statistics:
    Syslog Destination Address is blank (as in nothing appears in this field).
    Syslog Level: 5 - Notice
    Allow SNMP is CHECKED
    MobileMe:
    Back to my Mac is turned off - but if I try to turn it on I get an error message saying "Turn off NAT Addressing" - which I thought was turned off since the AEBS is in Bridge Mode. Why is this happening?
    IPv6:
    IPv6 Mode: Link-local only
    As stated - my MacPro with no wifi card -  is connected via ethernet to an Airport Express which connects wirelessly to the AEBS for network and internet access.
    Airport Express Settings:
    Airport Settings:
    Wireless Mode: Join a Wireless Network
    Allow Ethernet Clients IS CHECKED
    Wireless Security WPA/WPA2 Personal
    Internet Settings: Are grayed out (as in I can't change these settings - I assume because they are being controlled by the AEBS) and read as follows:
    Connect Using: Wireless Network
    Connection Sharing: OFF (Bridge Mode)
    TCP/IP:
    Configure IPv4: using DHCP
    All other settings are identical to the AEBS.
    All other WiFi devices in the house (MacBook Pro, iPhones, iPads, iMac, Apple TV, Nintendo Wii, etc.) are able to connect to the network and connect to the internet - no problem.
    Thanks for any insights into what might be causing the double name on the network and why it is asking me to turn off NAT addressing - when both my Airport devices are in Bridge Mode?

    I am also having this issue... any updates on this?

  • Time Capsule, hardwired to TWO xbox 360's, and NAT issues.

    Hello All,
    I currently have an older Linksys WRT54G (version 1.0 LOL) which has been working fine for years. I recently bought my son an XBOX 360 for Christmas and we went through the issues of NAT and Call of Duty, and basically I have become quite knowledgeable on this topic. I recently added a SECOND XBOX 360, as it became apparent that one would not do with three boys in the house (Plus COD is a blast on line).
    So I created a second Live Account and got the two xbox's running online stably with NAT wide open on both. This required abandoning the Linksys Firmware and installing "Tomato" on the WRT54G. That works GREAT. No modifications were required for the rest of the network including...
    Macbook by Wifi, Mini Mac hardwired (ya ya wifi works but hardwire is better), Airport Express (used only to stream music to the stereo in the family room - from ANY PC/MAC running iTunes... iTunes is VERY NICE), HP printer with network adapter, 5 other PCs including a mix of VISTA, XP, XP Pro, and multiple IPHONES, a Palm Tungsten C, WII, DS and of course the two hard wired XBOXs. NO Problems. The Tomato configuration only required the modifications for the XBOXs specifically, as the rest of the network settings were not changed after the firmware update.
    What am I interested in? I'd like to upgrade to a Time Capsule for several reasons. One Newer wifi, faster, two frequencies, backup space for growing Mac branch of our network, and as the internet sharing router. AND to be able to access the TC from the internet for file access anywhere! LOVE THAT FEATURE. This requires the TC to be the first device after the cable modem as far as I can tell at this point. (any input on this specific feature would be great).
    So I want to configure the TC with the input from the Cable modem as the main distribution of the internet. Then from the other NETWORK ports connect to my 20 port router for the rest of the house, as well as to the other items currently connected at the site of the current LinkSys Router (Mac Mini, Sony TV).
    Also I need to maintain the current XBOX set up with (as well as Wii) with full open NAT on both XBOXs.
    My question: Anyone here currently using the TC for hardwired connectivity for an XBOX with XBOX live running with open NAT for TWO XBOXs?
    The issues with NAT and TWO XBOXs are that you cannot simply use PORT FORWARDing or PORT Triggering to make sure that the traffic goes to the correct xbox. The XBOX uses specific communication ports and the ROUTER needs to keep the traffic flowing properly or you get disconnected or never get open NAT (must have for XBOX live and internet gaming). There are many write-ups on using Port Forwarding for one XBOX and setting the second one in the DMZ, but this does not work all the time.
    The "Tomato" firmware on the LINKSYS allows fooling the router into giving a 'pseudo static' ip address to the XBOX's by doing MAC address based reservation of an IP number and then letting the DHCP give the xbox an IP address. The MAC address based reservation makes sure that the XBOX always gets the same IP address which for some GD reason must be in order for the traffic to be routed to the correct device. (you can of course use the same MAC address reservation for any device on the network).
    Second Question: For those using the TC AND a second WiFi Router to do a WIRELESS connection to the XBOX - which device do you have configured as the main INTERNET sharing router? I have read here what appears to state that the TC is the main router and the other WiFi the secondary. Thus the ROUTING is still being done by the TC and the other wifi device is being used simply as a WiFi Access point/switch. If this is the case would the firmware on the TC allow the proper routing for TWO XBOXs on the network?
    Thank you,
    Mike

    The ports are 53, 80, 88, and 3074. Since you are trying to make two Xbox consoles use those ports and you are trying to connect to a server, what you need to do is to use Port Range Triggering. You can't use Port Range Forwarding since it will only set those ports into listening mode to the IP address you set it to. So if you use Port Range Forwarding it will only be open/available to one console (the one using the IP address).
    You need to use PORT RANGE TRIGGERING. Disable Port Range Forwarding and DMZ. You need to enable UPnP as well if your Linksys router has this option (other models don't have this option but it is said to be enabled in default settings according to their tech support).
    To solve the lag problem set your MTU size to 1364. This setting will work even if you have one or multiple consoles running behind the router.

  • ASA 5505 9.1 and NAT issues to single dynamic IP

    Good afternoon everybody, 
    a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
    Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP). 
    As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog:
    <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
    <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
    At the same time, the console connection shows these two messages:
    Asa5505# ERROR: NAT unable to reserve ports.
    ERROR: NAT unable to reserve ports.
    I have moved both Anyconnect VPN essentials and http ports to 10443 and 8080 respectively so port 443 should be free for nat.
    This is the configuration file, I have marked the lines related to network objects and relative nat statements, I hope it helps to find out where's the problem.
    Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
    ASA Version 9.1(5) 
    hostname Asa5505
    domain-name home
    enable password XXXXXX encrypted
    names
    interface Ethernet0/0
     description ADSLPPoE
     switchport access vlan 2
    interface Ethernet0/1
     description Internal_LAN
    interface Ethernet0/2
     description Management_Net 
     switchport access vlan 3
    interface Ethernet0/3
     shutdown
    interface Ethernet0/4
     shutdown
    interface Ethernet0/5
     description Uplink
     switchport trunk allowed vlan 1,3
     switchport trunk native vlan 1
     switchport mode trunk
    interface Ethernet0/6
     description Wireless-POE
     switchport trunk allowed vlan 1,3
     switchport trunk native vlan 1
     switchport mode trunk
    interface Ethernet0/7
     description Webcam-POE 
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.250 255.255.255.0 
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group AliceADSL
     ip address pppoe setroute 
    interface Vlan3
     no forward interface Vlan1
     nameif management
     security-level 100
     ip address 10.5.1.250 255.255.255.0 
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 192.168.1.4
     domain-name home
    object network Exchange-HTTPS
     host 192.168.1.150
    object network Exchange-SMTP
     host 192.168.1.150
    object network Network_Inside
     subnet 192.168.1.0 255.255.255.0
    object network Network_Management
     subnet 10.5.1.0 255.255.255.0
    access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https 
    access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp 
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1492
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network Exchange-HTTPS
     nat (inside,outside) static interface service tcp https https 
    object network Exchange-SMTP
     nat (inside,outside) static interface service tcp smtp smtp 
    object network Network_Inside
     nat (inside,outside) dynamic interface
    object network Network_Management
     nat (management,outside) dynamic interface
    access-group Outside_ACL in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable 8080
    http 10.5.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access management
    vpdn group AliceADSL request dialout pppoe
    vpdn group AliceADSL localname aliceadsl
    vpdn group AliceADSL ppp authentication pap
    vpdn username aliceadsl password ***** store-local
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd dns 192.168.1.4 192.168.1.150 interface inside
    dhcpd wins 192.168.1.4 interface inside
    dhcpd enable inside
    dhcpd address 10.5.1.30-10.5.1.40 management
    dhcpd dns 208.67.222.222 208.67.220.220 interface management
    dhcpd enable management
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     port 10443
     anyconnect-essentials
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect ip-options 
      inspect netbios 
      inspect rsh 
      inspect rtsp 
      inspect skinny  
      inspect esmtp 
      inspect sqlnet 
      inspect sunrpc 
      inspect tftp 
      inspect sip  
      inspect xdmcp 
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:XXXXXXXX
    : end
    Thanks in advance for your precious help!
    C.

    Update 29th of June:
    Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both nat rules are restored. In 9.1(5) the nat statements were removed from the running configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
    I tried using show xlate before, during, and after the connection drop. As expected, before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During disconnection, the whole xlate table is clean empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If I reload the ASA using reload noconfirm every rule is restored and everything works again.
    Two brief questions:
    1) in my NAT statements for PAT, does it change anything if I modify them (for example) from
    nat (inside,outside) static interface service tcp https https
    to
    nat (inside,outside) dynamic interface service tcp https https 
    ? Since it seems like the dynamic PAT is restored after a connection drop I was asking myself what happens if I change the rules this way.
    2) if there's not any other way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self-fixing"? I can't predict how many times a day the line drops and I can't be there 24/7 with my console cable connected in order to restore the nat statements ^^
    Thank you for your precious help and patience!
    C.

  • Asymmetric NAT rules matched for forward and reverse flows - NAT Issue

    Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, the VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) and 192.168.9.0/24 (called Inside).
    The Error:
    5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
    I understand this is a NAT issue; but I not seeing the error and could use a second set of eyes.   Here's my current running configuration.
    : Saved
    ASA Version 8.3(2)
    hostname fw1
    domain-name xxxxxxxx.xxx
    enable password <removed>
    passwd <removed>
    names
    interface Vlan1
    description Town Internal Network
    nameif inside
    security-level 100
    ip address 192.168.9.1 255.255.255.0
    interface Vlan2
    description Public Internet
    nameif outside
    security-level 0
    ip address 173.xxx.xxx.xxx 255.255.255.248
    interface Vlan3
    description DMZ (CaTV)
    nameif dmz
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    interface Vlan10
    description Infrastructure Network
    nameif InfraNet
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan13
    description Guest Wireless
    nameif Wireless-Guest
    security-level 25
    ip address 192.168.1.1 255.255.255.0
    interface Vlan23
    nameif StateNet
    security-level 75
    ip address 10.63.198.2 255.255.255.0
    interface Vlan33
    description Police Subnet
    shutdown
    nameif PDNet
    security-level 90
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport trunk allowed vlan 1,5,10,13
    switchport trunk native vlan 1
    switchport mode trunk
    speed 100
    duplex full
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    switchport trunk allowed vlan 1,10,13
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/5
    switchport access vlan 23
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    switchport trunk allowed vlan 1
    switchport trunk native vlan 1
    switchport mode trunk
    shutdown
    banner exec                     Access Restricted to Personnel Only
    banner login                     Access Restricted to Personnel Only
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name xxxxxxx.xxx
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object service IMAPoverSSL
    service tcp destination eq 993
    description IMAP over SSL     
    object service POPoverSSL
    service tcp destination eq 995
    description POP3 over SSL     
    object service SMTPwTLS
    service tcp destination eq 465
    description SMTP with TLS     
    object network obj-192.168.9.20
    host 192.168.9.20
    object network obj-claggett-https
    host 192.168.9.20
    object network obj-claggett-imap4
    host 192.168.9.20
    object network obj-claggett-pop3
    host 192.168.9.20
    object network obj-claggett-smtp
    host 192.168.9.20
    object network obj-claggett-imapoverssl
    host 192.168.9.20
    object network obj-claggett-popoverssl
    host 192.168.9.20
    object network obj-claggett-smtpwTLS
    host 192.168.9.20
    object network obj-192.168.9.120
    host 192.168.9.120
    object network obj-192.168.9.119
    host 192.168.9.119
    object network obj-192.168.9.121
    host 192.168.9.121
    object network obj-wirelessnet
    subnet 192.168.1.0 255.255.255.0
    object network WirelessClients
    subnet 192.168.1.0 255.255.255.0
    object network obj-dmznetwork
    subnet 192.168.2.0 255.255.255.0
    object network FD_Firewall
    host 74.94.142.229
    object network FD_Net
    subnet 192.168.6.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network obj-TownHallNet
    subnet 192.168.9.0 255.255.255.0
    object network obj_InfraNet
    subnet 192.168.10.0 255.255.255.0
    object-group service EmailServices
    description Normal Email/Exchange Services
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq https
    service-object tcp destination eq imap4
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_1
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq pop3
    service-object tcp destination eq https
    service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_2
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq https
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group network obj_clerkpc
    description Clerk's PCs
    network-object object obj-192.168.9.119
    network-object object obj-192.168.9.120
    network-object object obj-192.168.9.121
    object-group network TownHall_Nets
    network-object 192.168.10.0 255.255.255.0
    network-object object obj-TownHallNet
    object-group network DM_INLINE_NETWORK_1
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.9.0 255.255.255.0
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
    access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
    access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
    pager lines 24
    logging enable
    logging asdm debugging
    logging mail errors
    logging from-address hostmaster@xxxxxxxxx
    logging recipient-address john@xxxxxxxxx level errors
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu Wireless-Guest 1500
    mtu StateNet 1500
    mtu InfraNet 1500
    mtu PDNet 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-635.bin
    no asdm history enable
    arp timeout 14400
    nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    object network obj_any
    nat (inside,outside) static interface
    object network obj-claggett-https
    nat (inside,outside) static interface service tcp https https
    object network obj-claggett-imap4
    nat (inside,outside) static interface service tcp imap4 imap4
    object network obj-claggett-pop3
    nat (inside,outside) static interface service tcp pop3 pop3
    object network obj-claggett-smtp
    nat (inside,outside) static interface service tcp smtp smtp
    object network obj-claggett-imapoverssl
    nat (inside,outside) static interface service tcp 993 993
    object network obj-claggett-popoverssl
    nat (inside,outside) static interface service tcp 995 995
    object network obj-claggett-smtpwTLS
    nat (inside,outside) static interface service tcp 465 465
    object network obj-192.168.9.120
    nat (inside,StateNet) static 10.63.198.12
    object network obj-192.168.9.119
    nat (any,StateNet) static 10.63.198.10
    object network obj-192.168.9.121
    nat (any,StateNet) static 10.63.198.11
    object network obj-wirelessnet
    nat (Wireless-Guest,outside) static interface
    object network obj-dmznetwork
    nat (any,outside) static interface
    object network obj_InfraNet
    nat (InfraNet,outside) static interface
    access-group outside_access_in in interface outside
    access-group StateNet_access_in in interface StateNet
    route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
    route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable 5443
    http 192.168.9.0 255.255.255.0 inside
    http 74.xxx.xxx.xxx 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 173.xxx.xxx.xxx
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.9.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd lease 10800
    dhcpd auto_config outside
    dhcpd address 192.168.2.100-192.168.2.254 dmz
    dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
    dhcpd enable dmz
    dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
    dhcpd enable Wireless-Guest
    threat-detection basic-threat
    threat-detection statistics host number-of-rate 2
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 63.240.161.99 source outside prefer
    ntp server 207.171.30.106 source outside prefer
    ntp server 70.86.250.6 source outside prefer
    webvpn
    group-policy FDIPSECTunnel internal
    group-policy FDIPSECTunnel attributes
    vpn-idle-timeout none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    username support password <removed> privilege 15
    tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 173.xxx.xxx.xxx general-attributes
    default-group-policy FDIPSECTunnel
    tunnel-group 173.xxx.xxx.xxx ipsec-attributes
    pre-shared-key *****
    smtp-server 192.168.9.20
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
    : end
    Any ideas would be appreciated.
    John

    I don't see any inspection commands in your config. Is there a reason for not using any of them?
    If your problem is only with ICMP, then you should enable at least icmp inspection. You can do that easily with the legacy command "fixup protocol icmp".

  • Internal DNS server and NAT routing issue.

    Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
    We have a Cisco router configured with one to one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and NAT on that subnet under a different public IP provided by our ISP.
    Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
    The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
    Thanks

    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
    The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.

  • Console Gaming - NAT Issues - Workaround and Solut...

    I've already used the BT Broadband Contact Us, to raise this issue. They said it was beyond them and that they'd forward me an address for a technical forum. They've not managed to do so yet, so I'm trying here.
    Problem:
    NAT hole punching regularly fails between peers/players, manifests as "Cannot chat to player due to NAT Issues" on many different broadband routers.
    TL/DR:
    The BT Home Hub iptables INPUT chain should have a default action of DROP and not REJECT.
    Long Version:
    I'm a network engineer and programmer analyst and have been for approaching two decades. I'm also a gamer. I'm regularly frustrated by NAT Issue errors while trying to play online games with my friends.
    Frustrated for so long, we decided to start analysing the problem. Using packet captures and simulations, we have reproduced the problem and identified dubious logic in the netfilter conntrack module in the Linux kernel.
    When it works:
    When using a Playstation 4 to play Destiny, using either in-game or PS Party chat, each console uses a NAT discovery service to find its external IP address and make an educated guess as to whether there is port translation.
    At the end of this process, each Player Console receives IP/Port pairs for the other players; they then emit UDP from their desired port to the IP/Port pair of each of the other Players. These UDP packets pass through their NATing routers and establish conntrack entries for the source ip/port, destination ip/port and protocol (from here on referred to as the five-tuple) with NAT associations with the console's LAN ip address and port; this is the hole-punching.
    All being well, each player's console has created an association for each of the other players' packets to come back through and then they are able to send each other data on these ports.
    When it doesn't work:
    However, here's the race condition: if player B's packet reaches player A's router before player A has sent theirs, there is no NAT association, no conntrack entry for the 5-tuple. The incoming packet is instead considered as intended for the router.
    The iptables configuration on the router says that the packet is not allowed and REJECTs it, sending an ICMP destination unreachable packet in response. This reply is then inspected by conntrack, which decapsulates it and erroneously creates a conntrack entry for the 5-tuple.
    Now when Player A's console does manage to send its own hole punching UDP packet, the 5-tuple for the desired hole is associated with the router's ICMP destination-unreachable. So Player A's packet can't have the desired port number and is renumbered to the first available port (e.g. 1025). Player B's subsequent packets to A follow the conntrack entry started by the ICMP destination-unreachable and are sent to the router which continues to reject them.
    How to fix this mess
    Linux conntrack
    Arguably the decapsulation of the ICMP payload and the usage of it to create a conntrack entry is erroneous. The ICMP unreach should not stop the port from being used by a NAT client.
    This will take a long time to fix and when fixed may never be back-ported to home routers which may never see new firmware again anyway.
    Modify the router's configuration
    If the router dropped instead of rejecting the traffic (relatively simple administrative task given appropriate access), the ICMP destination-unreachable wouldn't be generated, conntrack wouldn't create the erroneous entry and then even if Player B's packets arrived before Player A had sent theirs, it would still work.
    Disable the "firewall" and put your console in the "DMZ"
    These are terms borrowed from the Home Hub 3 admin interface. If you set your console as the "DMZ", it will receive any internet traffic that isn't associated with an already established flow. Actually at this point I'm not certain whether or not you *have* to set the "firewall" to disabled. It depends on how the "firewall" is implemented.
    On my console disabling the firewall and setting the console to be the DMZ works around the problem. However, you can only have one default NAT target. So any other device suffering from this problem would be out of luck without you reconfiguring your router each time. Also I'm not thrilled by my console receiving unfiltered internet traffic.
    In closing
    Race-conditions depend on timings. This one is exacerbated by low latency between players. In this case the difference between server<->PlayerA and server<->PlayerB latencies has to be lower than the PlayerA<->PlayerB latency. If PlayerA and PlayerB have low latency between each other they are more likely to suffer from this problem.
    Please, please, please bring this to the attention of someone who is responsible for the configuration of your routers. A simple configuration change on the HomeHub would prevent this problem from happening and remove the need for customers to add special configuration to their router and lower their security.
    Thanks for reading.
    Matt
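    To make the ordering dependence concrete, here is a small Python model of the race Matt describes. It is an added illustration, not code from the post or from any router firmware: it simulates conntrack and the INPUT policy exactly as the post describes them rather than running netfilter, and every address, port and name (`Router`, `simulate`) is constructed.

```python
"""Model of the UDP hole-punching race described in the post above.

Added illustration (not the post's code): conntrack and the iptables INPUT policy
are modelled as the post describes them, not taken from the kernel. All addresses
and ports are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Inbound 5-tuple as seen on the router's public side:
# (proto, src_ip, src_port, router_public_ip, router_public_port)
Tuple5 = Tuple[str, str, int, str, int]


@dataclass
class Binding:
    owner: str      # "console": a real NAT mapping; "router": entry created for the router itself
    lan_ip: str
    lan_port: int


@dataclass
class Router:
    public_ip: str
    input_policy: str            # "REJECT" or "DROP" (the INPUT chain default action)
    conntrack: Dict[Tuple5, Binding] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _public_port_in_use(self, port: int) -> bool:
        return any(key[4] == port for key in self.conntrack)

    def outbound(self, lan_ip: str, lan_port: int, dst_ip: str, dst_port: int) -> int:
        """LAN host sends a UDP packet out; return the public port it is translated to."""
        for key, b in self.conntrack.items():          # reuse an existing console mapping
            if (b.owner == "console" and b.lan_ip == lan_ip and b.lan_port == lan_port
                    and key[1] == dst_ip and key[2] == dst_port):
                return key[4]
        # Keep the console's port unless conntrack already holds that public port
        # for someone else; then fall back to the first free port from 1025 (as in the post).
        public_port = lan_port
        if self._public_port_in_use(public_port):
            public_port = 1025
            while self._public_port_in_use(public_port):
                public_port += 1
        key: Tuple5 = ("udp", dst_ip, dst_port, self.public_ip, public_port)
        self.conntrack[key] = Binding("console", lan_ip, lan_port)
        self.log.append(f"out {lan_ip}:{lan_port} -> {dst_ip}:{dst_port} as {self.public_ip}:{public_port}")
        return public_port

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> str:
        """Packet from the internet hits the router; return who ends up receiving it."""
        key: Tuple5 = ("udp", src_ip, src_port, self.public_ip, dst_port)
        b: Optional[Binding] = self.conntrack.get(key)
        if b is not None and b.owner == "console":
            self.log.append(f"in {src_ip}:{src_port} -> forwarded to {b.lan_ip}:{b.lan_port}")
            return "console"
        # No mapping (or a router-owned one): the packet is treated as addressed to the
        # router and evaluated by the INPUT chain.
        if self.input_policy == "REJECT":
            # REJECT answers with an ICMP unreachable quoting the original header; per the
            # post, conntrack parses that quoted 5-tuple and records an entry for it.
            if b is None:
                self.conntrack[key] = Binding("router", self.public_ip, dst_port)
                self.log.append(f"in {src_ip}:{src_port} -> REJECT, conntrack entry created for router")
            else:
                self.log.append(f"in {src_ip}:{src_port} -> REJECT again via existing entry")
        else:
            self.log.append(f"in {src_ip}:{src_port} -> DROP, no state created")
        return "router"


def simulate(input_policy: str, b_sends_first: bool) -> dict:
    """Run one exchange: console A (behind this router) and peer B punch toward each other."""
    router = Router(public_ip="203.0.113.10", input_policy=input_policy)   # constructed
    console_ip, console_port = "192.168.1.10", 3074                         # constructed
    peer_ip, peer_port = "198.51.100.20", 3074                              # constructed
    if b_sends_first:
        router.inbound(peer_ip, peer_port, console_port)   # B's packet wins the race
    a_public_port = router.outbound(console_ip, console_port, peer_ip, peer_port)
    delivered_to = router.inbound(peer_ip, peer_port, console_port)   # B's next packet
    return {"a_public_port": a_public_port, "b_delivered_to": delivered_to, "log": router.log}


if __name__ == "__main__":
    for policy in ("REJECT", "DROP"):
        for b_first in (False, True):
            r = simulate(policy, b_first)
            print(f"{policy:6} B-first={b_first!s:5} A public port={r['a_public_port']} "
                  f"B's packets reach: {r['b_delivered_to']}")
```

    Only the REJECT policy with B's packet arriving first yields the failure mode in the post (A renumbered to 1025, B's traffic stuck at the router); with DROP the early packet leaves no state behind and the later hole-punch succeeds.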

    Welcome to this forum.
    This is a customer to customer forum only,
    This is where customers help each other get the most out of BT products & services.
    Anything you post here does not go to BT. Although the forum is moderated by BT, not all posts are read.
    This is a public forum which can be viewed worldwide, so please do not post any personal information, especially phone numbers, account numbers, fault numbers, address information or email addresses, as this could be used to impersonate you.
    I would suggest that maybe you try using a different router?
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • Complex NAT and ACL issue with multiple VLANS

    Hello Forum. 
    We have about 12 different VLANS behind an ASA 5515-x. One of those vlans contains a webserver and a DNS server (different machines, different IP addresses). ASDM 7.1.3
    From outside the firewall, people need to be able to get to the webserver via http, https and a custom  port (3390). From outside the firewall, no one needs DNS access.
    From INSIDE the firewall, things are much more complicated. They need access to the DNS server from all VLANS and they need access to Webserver from all VLANS
    The VLANS themselves are defined on the core switches, not the ASA. The VLAN labels and network subnets increment by 5 (except in the first 5 numbers) and the VLAN subnets are equal to the VLAN name. So for example VLAN 10 is on the 10.10.10.x subnet, VLAN 20 is on the 10.10.20.x subnet, and so on. Each subnet is 24 bits.
    WHAT WORKS:
    Outside_in: http, RDP work fine. Pretty sure I will be able to get https myself, so not looking for help there
    Inside_in: traffic from vlan 10 to vlan 5 works fine, but I think that is due in part to the any any allow rule on the vlan 10 interface. Apart from that, all vlans can get out to the web, but they cannot get proper DNS resolution or access the webserver across vlans
    I have looked at the access lists, I have looked at NATting the DNS, but it is not working, and I am not sure why. Any assistance would be appreciated

    Tried that, no joy. It said that the problem was a NAT issue, but I cannot figure it out. The NAT rule looks right, but is not because it doesn't work

  • Moderate to open back and forth NAT issue

    I'm trying to play on Xbox Live but I've been having to reset my router every day to create an open NAT. I've talked with customer support for Verizon and Actiontec. Verizon sent me a new router, which solved nothing, but aside from this I've not been able to reach someone who could understand port forwarding or why I would want to do it.
    My issue is that I would like to forward the necessary ports once, keep them forwarded, and not have to reset (sometimes to factory specs) every day. To be clear, I've set up the forwarding but it is as if the router does not recognize the parameters until it is reset. Sometimes my nat will change during the middle of gameplay as well. This has been very frustrating so any help you can offer would be great because I'm not getting it from the phone techs.
    Specs:
    Actiontec MI424WR rev. l. firmware:40.19.36
    Xbox 360 wired to router
    Fios 75/35
    Ports Forwarded 3074 both, 53 both, 80 TCP, 88 UDP (yes they are set up correctly)
    Static IP set (yes it is set up correctly)
    Additionally, Xbox Live's website notes a bug in the MI424WR that causes nat switching. The solution is to go into the upnp settings, however, access to upnp is not available in rev. l's firmware.
    http://forums.xbox.com/xbox_forums/xbox_support/networking-hardware/01-modems-gateways/actiontec/f/3...

    From http://forums.verizon.com/t5/FiOS-Internet/mi424wr-gen3g-with-hardware-version-g-doesn-t-have-upnp/t...
    UPNP was hidden in this release software.  Fortunately it's there, but you have to know the direct URL.
    Firmware 4.19.36
    UpNP hidden Menu
    http://192.168.1.1/index.cgi?active%5fpage=900
    IGMP proxy Hidden Menu
    http://192.168.1.1/index.cgi?active_page=6059

  • MGCP and H323 redundancy calling issue......

    I have Call Manager 7.1 and there are 2 MGCP gateways registered on the CUCM. Each gateway has 1 PRI line and this setup is working fine. Now I am adding a new PRI line for redundancy. So I have added the new E1 card for each gateway and then I have created the H323 trunk between the Voice gateway and CUCM. I have configured the Route Group and Route List for MGCP and H323. If primary MGCP is down the call is auto routed to H323.
    Now when MGCP is down, the call is auto routed to H323 and it's hitting the proper PRI port, but the call is not getting established; incoming is working fine.
    Kindly find the isdn debug for your reference:
    DEL-2921-ROUTER(config)#
    DEL-2921-ROUTER(config)# debug isdn q931
    Jan 31 16:52:34.655: ISDN Se0/0/0:15 Q931: Ux_DLRelInd: DL_REL_IND received from L2
    Jan 31 16:52:44.655: ISDN Se0/0/0:15 Q931: Ux_DLRelInd: DL_REL_IND received from L2
    Jan 31 16:52:47.267: ISDN Se0/2/0:15 Q931: Applying typeplan for sw-type 0x12 is 0x0 0x0, Calling num 6272
    Jan 31 16:52:47.267: ISDN Se0/2/0:15 Q931: Sending SETUP callref = 0x00AC callID = 0x802D switch = primary-net5 interface = User
    Jan 31 16:52:47.267: ISDN Se0/2/0:15 Q931: TX -> SETUP pd = 8 callref = 0x00AC
    Sending Complete
    Bearer Capability i = 0x8090A3
    Standard = CCITT
    Transfer Capability = Speech
    Transfer Mode = Circuit
    Transfer Rate = 64 kbit/s
    Channel ID i = 0xA9839F
    Exclusive, Channel 31
    Calling Party Number i = 0x0081, '6272'
    Plan:Unknown, Type:Unknown
    Called Party Number i = 0x80, '09821444335'
    Plan:Unknown, Type:Unknown
    Jan 31 16:52:47.295: ISDN Se0/2/0:15 Q931: RX <- RELEASE_COMP pd = 8 callref = 0x80AC
    Cause i = 0x82D2 - Identified channel does not exist
    Jan 31 16:52:54.675: ISDN Se0/0/0:15 Q931: Ux_DLRelInd: DL_REL_IND received from L2
    DEL-2921-ROUTER(config)#
    THANKS IN ADVANCE.....

    Hi Rupesh,
    The cause code "Identified channel does not exist" means: this code indicates a call attempted on a channel that is not configured on the far end. This could happen if you are using a fractional PRI.
    Please ask the remote end for the number of channels configured and you can configure that number of channels accordingly at your end.
    In CUCM 7.1 there is a service parameter which will help you use the number of channels as per your requirement, and the rest of the channels you can mark as busy so that CUCM won't select them.
    Service Parameters > Call Manager > Advanced > CTRL-F > "maintenance"
    In that you will find "Change B-Channel Maintenance Status"; mark as 1 the channels which you don't want to use.
    For further information regarding this parameter you can click on that parameter and you will get more information.
    And to enable above mentioned parameter, go to MGCP Gateway configuration page and check the box "Enable Status Poll"
    Regards,
    Nishant Savalia

  • NAT issue - WRT54G Version 1.1 with Vista Home Premium

    Router = WRT54G Version 1.1
    I am trying to figure out the cause of my problems, this router or Vista?
    I have 2 PC’s (just want to use my Vista 1) connected to the same router that is connected to a cable modem – the Windows XP machine has no problems bar its age and spec. I have a brand new PC with Vista Home Premium installed on it, now it is this new PC that I am having NAT problems with and port blocking.
    I have installed Windows Live Messenger and when setting it up I went into Tools/Options/Connections and I get an error message:- "You are connected to the internet through a UPnP port restricted NAT. The Windows Firewall is enabled. (User)"
    I have no option to run the trouble shooter (greyed out)...
    If I turn off Windows Vista Firewall I get:- "You are connected to the internet through a UPnP port restricted NAT. (User)"
    Since this I have installed Media server software and have to reset the port it uses every time as it is always stating that it is blocked.
    I have downloaded OpenOffice via a torrent client which also stated that I had NAT problems.
    I have no NAT issues at all on my older XP PC and as a result I believe it is safe to rule out my router and modem... I have only disabled Windows Firewall and this has made no difference, but I have not tried uninstalling it (no idea if that would make a difference)
    Oh, I do not have UPnP enabled (router setting) – does this matter (I have tried turning it on but made no difference to this issue so I turned it off again)?
    Message Edited by jomuir on 08-23-2007 02:50 AM

    user11241256 wrote:
    Documentation states that Oracle is supported on Vista Business and Ultimate. Unfortunately I have Home Premium 64 and was curious if anyone had experience installing on this OS. I did attempt to install the 11g and I got one warning below that I could not find in the documentation for errors. You have answered your query yourself.
    You might be able to get the things running on an unsupported combination but there is no guarantee about the stability.

  • H323 static Nat doesn't work fine on 3900 series router with IOS 15.2(3) T

    Hi,
    I have a problem with static nat setting on my 3925 router with IOS15.2(3). The scenario is like this:
    I set a static nat between 172.16.1.2 and x.x.x.x(public IP address) using following command:
    ip nat inside source static 172.16.1.2 x.x.x.x
    The intranet IP address is set on a video conference system from Huawei. After setting all these things, ping works fine to this public IP address, but the video conference cannot be built. I tried the same setting using another 2811 router with IOS 12.4 and it worked fine, which means the problem should be isolated to this 3925 router. Full config is also attached; sorry that I eliminated the public IP address and used other characters instead.
    Additionally, I debugged ip natting and I see following information when making video calls:
    router#debug ip nat h323
    IP NAT H323 debugging is on
    router#                
    *Jul 10 09:11:07.343: NAT[0]: H323: received pak, payload_len=0
    *Jul 10 09:11:07.343: [NAT[0]: H323 ACK packet ? FALSE
    *Jul 10 09:16:15.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:16:15.731: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:16:57.215: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:16:57.215: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:17:02.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:17:02.731: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:17:14.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:17:14.731: [NAT[1]: H323 ACK packet ? FALSE
    This problem has been bothering me for weeks. Hope that someone could help me out. Many thanks in advance.
    Regards,
    Angran

    Hi,
    I have the same requirement for a customer, not for video but for audio calls. I have a remote office with h.323 phones and they need to get registered to a gk in the central office to send and receive voice calls. Did you make it work? Can you share the config please?

  • New nat issue

    Never had this happen before. Installed Border in a lab setting..nw6.5
    sp1a overlay cd, then border 3.8, then sp2 then tcp645j...
    The first thing I always try to do is get dynamic NAT working then I
    worry about the proxy services and so on. Opened icmp all the way so I
    could test ping.
    Server can ping both its public and private interface, and can ping
    points beyond on both sides of those two interfaces.
    Workstation can ping border's private and public IPs but nothing beyond
    the public IP. Traceroute never returns anything. Seems like Nat just
    isn't working. Turned it off and back on...no help there.
    I've set this up many times in outerlying offices and in my lab...for
    some reason this time it won't work. I've even blown it out and redone
    my set up from the beginning...same thing....Yes, dynamic nat passtru is
    set on....
    Tried to do the tcpip debug = 1 thing...the packets rolled off logger
    such that I could not get an F2 to save a darn thing....You wouldn't
    think a brand new box would have all that much traffic just yet...
    Version of NAT is 7.00.07, trying very hard to understand what's going
    on here. Ideas on why nat won't work?

    Jim Michael wrote:
    > jim fixit wrote:
    >
    >
    >>nw65 sp1a as indicated, bm 3.8sp2 not happy together....
    >
    >
    > I'm running that combo here (same NAT.NLM too), and don't have the NAT
    > issue you describe.
    >
    > --
    > Jim
    > NSC SYsop
    hmm yes...I'm running a similar set up in a number of branch offices so
    I'm really hard pressed to understand what is with NAT or if it is even
    NAT at all that is having the issue.....

  • JMF Player Applet and NAT

    Hi,
    I have built an entire RTSP/RTP server to stream multimedia files and the webcam.
    I can more or less successfully stream video content on a LAN, but even if I make my server public on the internet, there remain NAT issues regarding the client.
    What I wish to do is to embed an applet within the web server so that the end user doesn't require a third-party client to watch his content.
    I've built an applet following the SimplePlayerApplet example, which works on a LAN.
    Now what I would like to do is to get information from the RTSP session, particularly the RTP source port, in order to send a single datagram, so that the firewall/router can bind the internal client port to its public port. This way the server can send RTP/UDP packets that may be able to cross the router. I read that STUN servers use this method to resolve UDP traversal of routers.
    The thing is that with a Player object, I can't get any information regarding the RTP session. I'd rather avoid using an RTPManager because that way I would have to redo the whole RTSP (client-side) part.
    Can you please help?
    Thanks in advance.
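
    The client-side trick described in this post (send one datagram out of the RTP port so the NAT creates a mapping, then let the server answer to the source address it actually observed), as an added stand-alone example that is not code from the original post or from JMF. It is written in Python with both ends on loopback sockets standing in for the applet, the server and the NAT; all addresses and the RTP field values are constructed.

```python
import socket
import struct

RTP_VERSION = 2  # RFC 3550 fixed-header version


def build_rtp_packet(seq, timestamp, ssrc, payload_type=96, payload=b""):
    """Build a minimal RTP packet: 12-byte fixed header, no CSRCs, no extension."""
    first = RTP_VERSION << 6          # V=2, P=0, X=0, CC=0
    second = payload_type & 0x7F      # M=0
    header = struct.pack("!BBHII", first, second, seq & 0xFFFF,
                         timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload


def parse_rtp_header(data):
    """Decode the fixed RTP header; reject anything that is not RTP version 2."""
    if len(data) < 12:
        raise ValueError("datagram too short for an RTP header")
    first, second, seq, timestamp, ssrc = struct.unpack("!BBHII", data[:12])
    if first >> 6 != RTP_VERSION:
        raise ValueError("not an RTP v2 packet")
    return {"payload_type": second & 0x7F, "seq": seq,
            "timestamp": timestamp, "ssrc": ssrc, "payload": data[12:]}


def punch_and_receive(timeout=2.0):
    """Client sends one 'punch' datagram from its RTP port; the server answers
    with RTP to the address it *observed*, never to an address the client claims.
    Behind a real NAT the observed address is the public ip:port mapping the punch
    created (and it expires when idle, so real clients keep it alive). Here both
    ends sit on loopback: a constructed setup, not a real NAT."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        server.bind(("127.0.0.1", 0))  # server RTP port (learned via RTSP in reality)
        client.bind(("127.0.0.1", 0))  # client RTP receive port
        server.settimeout(timeout)
        client.settimeout(timeout)
        server_rtp = server.getsockname()
        # Step 1: the outbound datagram is what makes the NAT create a mapping.
        client.sendto(b"punch", server_rtp)
        # Step 2: the server records the reflexive (observed) source address.
        punch, observed = server.recvfrom(2048)
        if punch != b"punch":
            raise RuntimeError("unexpected datagram before media start")
        # Step 3: media flows back through the mapping the punch opened.
        server.sendto(build_rtp_packet(1, 160, 0x1234ABCD, payload=b"frame"), observed)
        # Step 4: the client receives on the same socket/port it punched from.
        data, src = client.recvfrom(2048)
        return {"observed_is_client": observed == client.getsockname(),
                "reply_from_server": src == server_rtp,
                "rtp": parse_rtp_header(data)}
```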

    If you need to play a RealPlayer file, see the Java Media Framework API; it supports many media file types, and you can also play any media file from the server side.
    Go to:
    http://java.sun.com/products/java-media/jmf/index.html
