H323 and nat

hi all ,
i'm performing h323 video conf with polycom solution (PVX and Ipower)(one endpoint on private lan one endpoint on internet)
between ipower and pvx all works fine ,between pvx and pvx video works but i can't use h239 PVX option.
it looks like a nat issue does anybody still experience that ??
Is H239 well supported by nat ??
Thanks

thanks for answering ,
i made some Ethereal capture and when h239 is activated on pvx the ios firewall (nat) is unable to locate the ip address in payload
(all works fine if h239 isn't activated)
So the pvx sends its video stream to private ip address.
H239 isn't supported by nat on 12.4(2)T advanced ip
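
The symptom described above, an inside address left untranslated in the signalling payload, can be checked on a capture taken outside the NAT. This is an added example, not part of the original posts: a heuristic byte scan (not an H.245 decoder) that looks for a 4-octet IPv4 address from the inside network followed by a 2-octet port. The addresses, ports and payload bytes are constructed.

```python
import ipaddress
import struct


def transport(ip, port):
    """Encode an IPv4 transport address as 4 address octets + 2 port octets."""
    return ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)


def find_transport_addresses(payload, inside_nets, min_port=1024):
    """Return (offset, ip, port) for every 6-byte window whose first four
    octets fall inside one of inside_nets and whose port is >= min_port.

    Heuristic only: it does not parse the signalling message, so restrict
    inside_nets to the real inside subnet to keep false positives down.
    """
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    hits = []
    for off in range(len(payload) - 5):
        addr = ipaddress.IPv4Address(payload[off:off + 4])
        if not any(addr in net for net in nets):
            continue
        (port,) = struct.unpack("!H", payload[off + 4:off + 6])
        if port >= min_port:
            hits.append((off, str(addr), port))
    return hits


def audit_fixup(inside_payload, outside_payload, inside_nets):
    """Compare the same message captured before and after the NAT device.

    advertised: inside addresses the endpoint put in the payload
    leaked:     inside addresses still present after translation
    rewritten:  advertised addresses the NAT fixup did replace
    """
    advertised = find_transport_addresses(inside_payload, inside_nets)
    leaked = find_transport_addresses(outside_payload, inside_nets)
    leaked_keys = {(ip, port) for _, ip, port in leaked}
    rewritten = [(ip, port) for _, ip, port in advertised
                 if (ip, port) not in leaked_keys]
    return {"advertised": advertised, "leaked": leaked, "rewritten": rewritten}


# Constructed sample: filler bytes stand in for the rest of the message.
FILL = bytes.fromhex("0300002040010080")
INSIDE_NETS = ["192.168.1.0/24"]          # assumed inside subnet

# As sent by the endpoint: two media channels, both with the private address.
INSIDE_CAPTURE = (FILL + transport("192.168.1.50", 49152) +
                  FILL + transport("192.168.1.50", 49154) + FILL)

# As seen outside the NAT: the first channel was rewritten to the public
# address, the second (standing in for the H.239 channel) was not.
OUTSIDE_CAPTURE = (FILL + transport("203.0.113.10", 49152) +
                   FILL + transport("192.168.1.50", 49154) + FILL)

if __name__ == "__main__":
    result = audit_fixup(INSIDE_CAPTURE, OUTSIDE_CAPTURE, INSIDE_NETS)
    for off, ip, port in result["leaked"]:
        print(f"untranslated inside address {ip}:{port} at payload offset {off}")
```

Any hit in the outside capture means the far end will be told to send media to an address it cannot route to.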

Similar Messages

  • H323 and NAT issue

    Hello all,
    I have a router 1812 Version 12.4(15)T16, RELEASE SOFTWARE (fc2). Router is doing NAT.
    I have a lifesize videoconference system. Calls with h323 are dropped after 30 seconds.
    I have ip inspect rule :
    - ip inspect name SDM_LOW h323
    - ip inspect name SDM_LOW h323callsigalt
    interface FastEthernet0
    ip address xxx.xxx.xxx.xxx 255.255.255.248
    ip access-group 102 in
    ip verify unicast reverse-path
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip inspect SDM_LOW out
    ip virtual-reassembly
    ip route-cache flow
    speed 100
    full-duplex
    crypto map SDM_CMAP_1
    service-policy input sdmappfwp2p_SDM_LOW
    service-policy output sdmappfwp2p_SDM_LOW
    When I start a communication, I have
    sh ip inspect sessions
    Session 85AE7150 (50.59.87.241:60118)=>(192.168.200.200:60016) h323-RTP-audio SIS_OPEN
    Session 85AE12C0 (50.59.87.241:60119)=>(192.168.200.200:60017) h323-RTCP-audio SIS_OPEN
    Session 85AE39B0 (192.168.200.200:60001)=>(50.59.87.241:62830) h245-media-control SIS_OPEN
    Session 841F7CEC (192.168.200.200:60005)=>(50.59.87.241:1720) h323 SIS_OPEN
    Session 85AE20A8 (50.59.87.241:60120)=>(192.168.200.200:60018) h323-RTP-video SIS_OPENING
    Session 85ADE0B0 (50.59.87.241:60121)=>(192.168.200.200:60019) h323-RTCP-video SIS_OPENING
    Session 85AE4D28 (50.59.87.241:60122)=>(192.168.200.200:60020) h323-RTP-data SIS_OPENING
    Session 85ADCD38 (50.59.87.241:60123)=>(192.168.200.200:60021) h323-RTCP-data SIS_OPENING
    Pre-gen session 85ADA648  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
    Pre-gen session 85AD92D0  192.168.200.200[1024:65535]=>50.59.87.241[60121:60121] h323-RTCP-video
    Pre-gen session 85ADB6F8  192.168.200.200[1024:65535]=>50.59.87.241[60123:60123] h323-RTCP-data
    Pre-gen session 85AD9008  192.168.200.200[1024:65535]=>50.59.87.241[60118:60118] h323-RTP-audio
    Pre-gen session 85AE5848  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
    Where 192.168.200.200 is local IP and 50.59.87.241 the server I try to reach.
    Any idea of what is going on ? Why calls are dropped after 30 seconds ?
    Something with NAT ?

    Hi Alessandro,
    configuration below :
    ip inspect tcp reassembly queue length 200
    ip inspect tcp reassembly timeout 10
    ip inspect name SDM_LOW appfw SDM_LOW
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW http
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW h323callsigalt
    ip inspect name SDM_LOW skinny
    ip inspect name SDM_LOW sip-tls
    ip inspect name SDM_LOW sip
    ip inspect name SDM_LOW esmtp max-data 50000000
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW streamworks
    WAN_INTERFACE = xxx.xxx.xxx
    interface FastEthernet0
    ip address WAN_INTERFACE.226 255.255.255.248
    ip access-group 102 in
    ip verify unicast reverse-path
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip inspect SDM_LOW out
    ip virtual-reassembly
    ip route-cache flow
    speed 100
    full-duplex
    crypto map SDM_CMAP_1
    service-policy input sdmappfwp2p_SDM_LOW
    service-policy output sdmappfwp2p_SDM_LOW
    Inbound ACL
    access-list 102 remark SDM_ACL Category=3
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq www log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 443 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 558 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1023 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1024 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1503 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1718 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1719 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1720 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 4001 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 11720 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 17518 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60000 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60001 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60002 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60003 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60004 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60005 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60000 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 1023 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 1024 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 1718 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 1719 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 1720 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 5060 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 17518 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60001 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60002 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60003 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60004 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60005 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60006 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60007 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60008 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60009 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60010 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60011 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60012 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60013 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60014 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60015 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60016 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60017 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60018 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60019 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60020 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60021 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60022 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60023 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60024 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60025 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 3389 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 3389 log
    [ Some ipsec rules]
    access-list 102 permit tcp any host WAN_INTERFACE.230 eq 22
    access-list 102 permit tcp any host WAN_INTERFACE.230 eq www
    access-list 102 permit tcp any host WAN_INTERFACE.227 eq smtp
    access-list 102 permit udp any host WAN_INTERFACE.227 eq 80
    access-list 102 permit tcp any host WAN_INTERFACE.227 eq www
    access-list 102 permit tcp any host WAN_INTERFACE.227 eq ftp
    access-list 102 permit tcp any host WAN_INTERFACE.226 eq 1723
    access-list 102 permit tcp any host WAN_INTERFACE.226 eq 47
    ip nat inside source static udp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_32 extendable
    ip nat inside source static tcp LAN_INTERFACE 80 WAN_INTERFACE.228 80 route-map SDM_RMAP_15 extendable
    ip nat inside source static tcp LAN_INTERFACE 443 WAN_INTERFACE.228 443 route-map SDM_RMAP_7 extendable
    ip nat inside source static tcp LAN_INTERFACE 558 WAN_INTERFACE.228 558 route-map SDM_RMAP_47 extendable
    ip nat inside source static tcp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_77 extendable
    ip nat inside source static udp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_78 extendable
    ip nat inside source static tcp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_73 extendable
    ip nat inside source static udp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_74 extendable
    ip nat inside source static tcp LAN_INTERFACE 1503 WAN_INTERFACE.228 1503 route-map SDM_RMAP_75 extendable
    ip nat inside source static tcp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_86 extendable
    ip nat inside source static udp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_87 extendable
    ip nat inside source static tcp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_42 extendable
    ip nat inside source static udp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_43 extendable
    ip nat inside source static tcp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_28 extendable
    ip nat inside source static udp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_44 extendable
    ip nat inside source static tcp LAN_INTERFACE 4001 WAN_INTERFACE.228 4001 route-map SDM_RMAP_72 extendable
    ip nat inside source static udp LAN_INTERFACE 5060 WAN_INTERFACE.228 5060 route-map SDM_RMAP_29 extendable
    ip nat inside source static tcp LAN_INTERFACE 11720 WAN_INTERFACE.228 11720 route-map SDM_RMAP_71 extendable
    ip nat inside source static tcp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_45 extendable
    ip nat inside source static udp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_46 extendable
    ip nat inside source static tcp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_30 extendable
    ip nat inside source static tcp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_31 extendable
    ip nat inside source static udp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_33 extendable
    ip nat inside source static tcp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_66 extendable
    ip nat inside source static udp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_34 extendable
    ip nat inside source static tcp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_67 extendable
    ip nat inside source static udp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_35 extendable
    ip nat inside source static tcp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_68 extendable
    ip nat inside source static udp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_36 extendable
    ip nat inside source static tcp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_69 extendable
    ip nat inside source static udp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_37 extendable
    ip nat inside source static udp LAN_INTERFACE 60006 WAN_INTERFACE.228 60006 route-map SDM_RMAP_38 extendable
    ip nat inside source static udp LAN_INTERFACE 60007 WAN_INTERFACE.228 60007 route-map SDM_RMAP_39 extendable
    ip nat inside source static udp LAN_INTERFACE 60008 WAN_INTERFACE.228 60008 route-map SDM_RMAP_48 extendable
    ip nat inside source static udp LAN_INTERFACE 60009 WAN_INTERFACE.228 60009 route-map SDM_RMAP_49 extendable
    ip nat inside source static udp LAN_INTERFACE 60010 WAN_INTERFACE.228 60010 route-map SDM_RMAP_50 extendable
    ip nat inside source static udp LAN_INTERFACE 60011 WAN_INTERFACE.228 60011 route-map SDM_RMAP_51 extendable
    ip nat inside source static udp LAN_INTERFACE 60012 WAN_INTERFACE.228 60012 route-map SDM_RMAP_52 extendable
    ip nat inside source static udp LAN_INTERFACE 60013 WAN_INTERFACE.228 60013 route-map SDM_RMAP_53 extendable
    ip nat inside source static udp LAN_INTERFACE 60014 WAN_INTERFACE.228 60014 route-map SDM_RMAP_54 extendable
    ip nat inside source static udp LAN_INTERFACE 60015 WAN_INTERFACE.228 60015 route-map SDM_RMAP_55 extendable
    ip nat inside source static udp LAN_INTERFACE 60016 WAN_INTERFACE.228 60016 route-map SDM_RMAP_56 extendable
    ip nat inside source static udp LAN_INTERFACE 60017 WAN_INTERFACE.228 60017 route-map SDM_RMAP_57 extendable
    ip nat inside source static udp LAN_INTERFACE 60018 WAN_INTERFACE.228 60018 route-map SDM_RMAP_58 extendable
    ip nat inside source static udp LAN_INTERFACE 60019 WAN_INTERFACE.228 60019 route-map SDM_RMAP_59 extendable
    ip nat inside source static udp LAN_INTERFACE 60020 WAN_INTERFACE.228 60020 route-map SDM_RMAP_60 extendable
    ip nat inside source static udp LAN_INTERFACE 60021 WAN_INTERFACE.228 60021 route-map SDM_RMAP_61 extendable
    ip nat inside source static udp LAN_INTERFACE 60022 WAN_INTERFACE.228 60022 route-map SDM_RMAP_62 extendable
    ip nat inside source static udp LAN_INTERFACE 60023 WAN_INTERFACE.228 60023 route-map SDM_RMAP_63 extendable
    ip nat inside source static udp LAN_INTERFACE 60024 WAN_INTERFACE.228 60024 route-map SDM_RMAP_64 extendable
    ip nat inside source static udp LAN_INTERFACE 60025 WAN_INTERFACE.228 60025 route-map SDM_RMAP_65 extendable
    ip nat inside source static LAN_INTERFACE WAN_INTERFACE.228 route-map SDM_RMAP_76
    All SDM_RMAP are like this one below
    route-map SDM_RMAP_32 permit 1
    match ip address 141
    access-list 141 remark SDM_ACL Category=2
    access-list 141 deny   ip host LAN_INTERFACE 10.0.5.0 0.0.0.31
    access-list 141 deny   ip host LAN_INTERFACE 10.0.5.40 0.0.0.1
    access-list 141 permit udp host LAN_INTERFACE eq 60000 any
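
The `sh ip inspect sessions` output posted in this thread can be triaged mechanically. This is an added example, not part of the original posts: it parses the session lines quoted above and lists the sessions that have not reached `SIS_OPEN`, plus any pre-generated entries that appear twice. The function names are hypothetical and `inside_host` is the local IP the poster gives.

```python
import re
from collections import Counter
from typing import NamedTuple

# Lines copied from the output quoted in the post above.
SAMPLE = """\
Session 85AE7150 (50.59.87.241:60118)=>(192.168.200.200:60016) h323-RTP-audio SIS_OPEN
Session 85AE12C0 (50.59.87.241:60119)=>(192.168.200.200:60017) h323-RTCP-audio SIS_OPEN
Session 85AE39B0 (192.168.200.200:60001)=>(50.59.87.241:62830) h245-media-control SIS_OPEN
Session 841F7CEC (192.168.200.200:60005)=>(50.59.87.241:1720) h323 SIS_OPEN
Session 85AE20A8 (50.59.87.241:60120)=>(192.168.200.200:60018) h323-RTP-video SIS_OPENING
Session 85ADE0B0 (50.59.87.241:60121)=>(192.168.200.200:60019) h323-RTCP-video SIS_OPENING
Session 85AE4D28 (50.59.87.241:60122)=>(192.168.200.200:60020) h323-RTP-data SIS_OPENING
Session 85ADCD38 (50.59.87.241:60123)=>(192.168.200.200:60021) h323-RTCP-data SIS_OPENING
Pre-gen session 85ADA648  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
Pre-gen session 85AD92D0  192.168.200.200[1024:65535]=>50.59.87.241[60121:60121] h323-RTCP-video
Pre-gen session 85ADB6F8  192.168.200.200[1024:65535]=>50.59.87.241[60123:60123] h323-RTCP-data
Pre-gen session 85AD9008  192.168.200.200[1024:65535]=>50.59.87.241[60118:60118] h323-RTP-audio
Pre-gen session 85AE5848  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
"""


class Session(NamedTuple):
    sid: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    state: str


class PreGen(NamedTuple):
    sid: str
    src: str
    dst: str
    dport: int
    proto: str


SESSION_RE = re.compile(
    r"Session (\w+) \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\S+) (\S+)$")
PREGEN_RE = re.compile(
    r"Pre-gen session (\w+)\s+([\d.]+)\[\d+:\d+\]=>([\d.]+)\[(\d+):\d+\] (\S+)$")


def parse(text):
    """Split the command output into active sessions and pre-gen entries."""
    sessions, pregens = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SESSION_RE.match(line)
        if m:
            sid, src, sport, dst, dport, proto, state = m.groups()
            sessions.append(
                Session(sid, src, int(sport), dst, int(dport), proto, state))
            continue
        m = PREGEN_RE.match(line)
        if m:
            sid, src, dst, dport, proto = m.groups()
            pregens.append(PreGen(sid, src, dst, int(dport), proto))
    return sessions, pregens


def report(text, inside_host):
    """Summarise which inspected channels never reached SIS_OPEN."""
    sessions, pregens = parse(text)
    stuck = [s for s in sessions if s.state != "SIS_OPEN"]
    counts = Counter((p.src, p.dst, p.dport, p.proto) for p in pregens)
    return {
        "total": len(sessions),
        "stuck": [s.proto for s in stuck],
        # how many of the stuck sessions point at the inside endpoint
        "stuck_inbound": sum(1 for s in stuck if s.dst == inside_host),
        "duplicate_pregens": [k for k, n in counts.items() if n > 1],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE, "192.168.200.200").items():
        print(f"{key}: {value}")
```

On the quoted output, the audio and control channels are open while the four video and data channels, all directed at the inside endpoint, are still in `SIS_OPENING`.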

  • H323 static Nat doesn't work fine on 3900 series router with IOS 15.2(3) T

    Hi,
    I have a problem with static nat setting on my 3925 router with IOS15.2(3). The scenario is like this:
    I set a static nat between 172.16.1.2 and x.x.x.x(public IP address) using following command:
    ip nat inside source static 172.16.1.2 x.x.x.x
    The intranet IP address is set on a video conference system from Huawei, after setting all these things, ping works fine to this public IP address, but video conference cannot be built. I tried same setting using another 2811 router with IOS12.4 and it worked fine. Which means the problem should be isolated to this 3925 router. Full config is also attached, sorry that I eliminated the public IP address and use other characters instead.
    Additionally, I debugged ip natting and I see following information when making video calls:
    router#debug ip nat h323
    IP NAT H323 debugging is on
    router#                
    *Jul 10 09:11:07.343: NAT[0]: H323: received pak, payload_len=0
    *Jul 10 09:11:07.343: [NAT[0]: H323 ACK packet ? FALSE
    *Jul 10 09:16:15.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:16:15.731: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:16:57.215: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:16:57.215: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:17:02.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:17:02.731: [NAT[1]: H323 ACK packet ? FALSE
    *Jul 10 09:17:14.731: NAT[1]: H323: received pak, payload_len=0
    *Jul 10 09:17:14.731: [NAT[1]: H323 ACK packet ? FALSE
    This problem has been bothering me for weeks. Hope that someone could help me out. Many thanks in advance.
    Regards,
    Angran

    Hi,
    i have the same requirement for a customer, not for video but for audio calls, i have a remote office with h.323 phones and they need to get registered to a gk in central office to send and receive voice calls, did you make it work? can you share the config please?

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
    The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
    Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so we're going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • ASA5505 SOHO public ip range and nat head ache

    Hello
    Can anyone shed some light on a problem I'm having. We have setup a ASA 5505 with an ISP called Zen that allocates you a subnet of public ip addresses. i have successfully setup the asa to access the internet using nat on the outside interface. we would like to use the other ip addresses in the range for other services but i cannot think how i can do this/configure this.
    LAN > ASA5505 > VDSL Modem > ISP
    the range they have given us is
    Number of IP addresses: 8
    IP addresses: XX.XX.XXX.40 - XX.XX.XXX.47
    Subnet mask: 255.255.255.248
    Subnet in slash notation: XX.XX.XXX.40 /29
    Network address: XX.XX.XXX.40
    XX.XX.XXX.41
    XX.XX.XXX.42
    XX.XX.XXX.43
    XX.XX.XXX.44
    XX.XX.XXX.45
    XX.XX.XXX.46 Router
    Broadcast address: XX.XX.XXX.47
    Router address: XX.XX.XXX.46
    i have setup XX.XX.XXX.46 on the outside interface and hosts inside can access the net and nat from the internet to internal devices all work.
    we have a vdsl modem connected to the outside interface and using PPPoE we dynamically get the XX.XX.XXX.46/32 address.
    Is there any way i can use the other spare addresses? i do see how i can use them. i have done a lot of browsing and the only way i see that other people have been able to do this is using a layer3 device and using ip unnumber of the external int point to a loopback,
    any info or advice would be gratefully received.
    regards
    C.

    Hello
    the version is Cisco Adaptive Security Appliance Software Version 9.2(2)4
    debugging icmp i see pings to the .46 address however i see no pings/traffic received on the asa for the other addresses. how does zen know to route the xx.xx.xx.41 to .45 ip addresses to the firewall using the .46 address?
    the nat rules i have are
    nat (Vlan200_Int,Outside_Dirty_Int) dynamic interface < this works for lan access to the internet
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp www 65100
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp https 65101
    access-list Outside_Dirty_Network_access_in extended permit tcp object Click_PC object ESXi object-group DM_INLINE_TCP_7
    object-group service DM_INLINE_TCP_7 tcp
    port-object eq 902
    port-object eq www
    port-object eq https
    thanks for the help

  • Internal DNS server and NAT routing issue.

    Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
    We have a cisco router configured with one to one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and and NAT on that subnet under a different public IP provided by our ISP.
    Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
    The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
    Thanks

    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
    The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.

  • Apple Airport Extreme Base Station for PPPoE, DHCP and NAT with ActionTec DSL modem

    I just spent several hours trying to track down proper instructions for setting up my Apple AEBS to do the PPPoE, DHCP and NAT while connected to an ActionTec M1000 (no wireless module).  It turns out my initial set ups on both devices were correct, but that the order for rebooting and reconnecting the two devices is critical.  All of the threads I found on this forum and on many others suggested this was not possible, but it is.  What I don't yet know is whether it is the best method for running my home network DSL connection to my ISP (CenturyLink). 
    The instructions I found that worked come courtesy of Brandon Konkle's blog and are both simple and clear:  http://brandon.konkle.us/post/19637529637/centurylink-actiontec-q1000-airport-extreme-bridge
    The proper settings for the ActionTec DSL Modem can be found under Advanced Setup/IP Addressing/WAN IP Address
    Click RFC 1483 Transparent Bridging then click on Apply.
    (see also http://qwest.centurylink.com/internethelp/modems/m1000/pdf/M1000_BRIDGE.pdf )
    To reduce time, do this BEFORE you reset your AEBS then set the AEBS so that you don't have to wait for the AEBS to reboot. 
    In contrast to what Brandon described for the Q1000 modem, my AEBS never reconnected to the modem (he describes his as getting an IP from his ISP, then dropping it then getting another over and over - mine never got an IP).  Once you have reset both devices as described, the critical steps I have not found described elsewhere were:
    1.  Disconnect the power from both the modem and the Airport Extreme.
    2.  Disconnect the Ethernet cable between the two devices
    3.  Restore power to the 2 devices and allow them to fully reboot.  For the ActionTec M1000, this is indicated when the lights stop blinking.  (Note that the Internet light will NOT be lit in this instance since the modem is acting only as a bridge.  You will NOT have an Internet connection until the AEBS is reconnected.)  The AEBS will be blinking yellow.
    4.  Reconnect the Ethernet cable between the devices (make sure on the M1000 that you are using the connector with the circle icon over it, not the arrow icon).
    Within about 60 seconds, the AEBS light went to steady green and the connection to the Internet was restored.
    Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything. 
    Does anyone think or know if it will make a difference?
    Message was edited by: Bud Shaw

    Now I have to see if this is a more stable configuration than the flaky one I had before while using the AEBS as a bridge and the M1000 to do everything.
    Does anyone think or know if it will make a difference?
    No one can accurately predict in advance what the actual results might be. I've tried both ways with different products and cannot say that one method is better than the other.  What works is best.
    In theory, it is preferable to have the modem provide the PPPoE connection service since it is the device connected directly to the Internet.
    In practice, results vary depending on the service provider, products used, phase of the moon, alignment of the planets, etc.

  • How to set up DHCP and NAT for QNAP NAS MyCloud service?

    I have an Apple AirPort Extreme Base Station (AEBS) attached to my DSL modem (no router in the modem).  My QNAP NAS is attached via ethernet to the QNAP NAS.  My iMac (running AirPort Utility 6.x) is connected to the AEBS via wifi.
    I've found several folks who've tried this (and apparently succeeded) but I'm a networking novice and am having trouble making this work.  What I did was to go into the AirPort utility and in the networking section configure "DHCP and NAT" and then called out the static IP and MAC address of the QNAP NAS (as well as the ports I'd like to remain open).  However, when I did this and applied the changes, my iMac (connected to the AEBS via wifi) could no longer see the AEBS, which then required me to reset the AEBS, re-configure it back to the previous known good configuration and start over.  After about 5 cycles of this I gave up.
    So, what am I doing wrong here?  Do I need to go in and configure every device that is going to access the AEBS as static and call out each device's IP and MAC address? (hopefully not, that'd be a major PITA).
    Help.  Anyone?

    When I run diagnostics with the QNAP, here is the reply I get (IPs redacted):
    ------ NAT PMP Diagnostics ------
    initnatpmp() returned 0 (SUCCESS)
    using gateway : xx.x.x.x
    sendpublicaddressrequest returned 2 (SUCCESS)
    readnatpmpresponseorretry returned 0 (OK)
    Public IP address : 192.168.xxx.xxx
    epoch = 2621
    closenatpmp() returned 0 (SUCCESS)
    ------ UPnP Diagnostics ------
    upnpc : miniupnpc library test client. (c) 2006-2011 Thomas Bernard
    Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
    for more information.
    List of UPNP devices found on the network :
    desc: http://xx.x.x.x:60606/8CC1212D0C6D/Server0/ddd
    st: upnp:rootdevice
    desc: http://xx.x.x.x:9000/TMSDeviceDescription.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:55000/nrc/ddd.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:55000/dmr/ddd.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:49152/4/description.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:49152/2/description.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xx:49152/0/description.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:8200/rootDesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:49152/gatedesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:49153/gatedesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:49155/gatedesc.xml
    st: upnp:rootdevice
    desc: http://xx.x.x.xxx:9000/TMSDeviceDescription.xml
    st: upnp:rootdevice
    UPnP device found. Is it an IGD ? : http://xx.x.x.x:60606/
    Trying to continue anyway
    Local LAN ip address : xx.x.x.xxx
    GetConnectionTypeInfo failed.
    Status : , uptime=3217870016s, LastConnectionError :
      Time started : Wed Mar 13 17:04:03 1912
    MaxBitRateDown : 7 bps   MaxBitRateUp 0 bps
    GetExternalIPAddress() returned -3
    GetExternalIPAddress failed.
    GetGenericPortMappingEntry() returned -3 ((null))

  • Cucm 10.1version - training videos and hand guides on understanding voice gateway h323 and SIP? thanks

    cucm 10.1version - any free training videos and hand guides on understanding voice gateway h323 and SIP and how to configure one?  thanks

    Learncisco gives a very good introduction to CUCM - I recommend you start there.

  • Problem with passive mode FTP server and NAT

    Hi,
    I have a problem with Passive mode FTP and NAT.
    I am trying to run both an FTP server and sharing the Internet connection via NAT. I have by the way specified the passive ports to use in ftpaccess (65000-65534). Everything works fine until someone tries to connect via Passive mode. I have tracked the problem down to the firewall and the rule that handles NAT.
    Firewall rule config without NAT:
    00001 allow udp from any 626 to any dst-port 626
    01000 allow ip from any to any via lo0
    12300 allow ip from any to any
    65535 allow ip from any to any
    Firewall rule config with NAT:
    00001 allow udp from any 626 to any dst-port 626
    00010 divert 8668 ip from any to any via en1
    01000 allow ip from any to any via lo0
    12300 allow ip from any to any
    65535 allow ip from any to any
    So, passive ports do not work when NAT is on. If I turn it off, Passive ftp works like a charm.
    But how do I solve my problem? I have in my quest for the answer stumbled upon "-punch_fw" but do not know how to use it or if it even helps me at all?
    Best regards,
    Peter
    B&W G3 Mac OS X (10.4.5)

    Media/Lacrosse-1-tiny.3gp
    I can't find the file on your server.
    They may also need to edit the .htaccess file to allow the .3gp file extension be used. Call them.

  • Guest Public Network behind 10.4 Server running DHCP and NAT

    I am wondering if it is possible to use APE's guest networking capabilities while still using OS 10.4 server and my DHCP and NAT servers? Is there a way to set the Airport to run its own DHCP NAT and have everything routed correctly?
    Or do I still need to use two separate Airports in order to have a public and private network at my home?

    I figured it out. I just decided to run a double NAT configuration.

  • Running H323 and SIP on the same cisco gateway

    Hi there!
    I'm running Yate and Asterisk/IAX2 in the same box, to get H323 and convert to SIP, but I have a customer that wants to send H323 with codec g723, but it doesn't work well at all. So, can I have H323 and SIP running on the same box like a c3600 or c2600?
    Thanks,
    Jonas

    I may go off topic, but:
    1. If you want reliable protocol (H323<-> SIP) and codec conversion and
    2. If you want to show your customer nice PBX features,
    then go for either MERA MVTS or Alterteks PSS softswitches.

  • DHCP and NAT, or off (Bridge-Mode)?

    If I want to connect my MacBook and iPod touch to the internet using the AirPort Express, do I need to set router mode to DHCP and NAT, or off (Bridge-Mode)? I can't seem to get them both happily connected at once. My iPod especially doesn't like being connected now that I played with the settings to get rid of the long-standing flashing amber status.

    After I turn it on each time, I need to have my laptop on and open up Safari, before the iPod touch will connect.
    Normally, you want to power-up the modem first. Let it initialize for about 10 minutes. Then plug-in your AirPort Express. Give it a couple of minutes to initialize as well. Then power-up any of the other wireless clients.
    I need to have my laptop on and open up Safari, before the iPod touch will connect.  Otherwise it comes up with a pop-window saying "Authentication required" asking for a username and password, or sometimes it'll say "your password will be sent in the clear" (something like that).
    Is your ISP providing you with DSL or ADSL service? These typically require that you first enter your user credentials (username & password) prior to gaining Internet access. If this is the case you will want to configure the AirPort Express to do this for you so you don't have to enter them via the PC.

  • Change the ike and NAT-T port

    I would like to change the IKE and NAT-T ports from UDP 500 and 4500 to 505 and 4505.
    Is it possible to do that? This is because I already port forward UDP 500 and 4500 to another router (Router B).
    This router B will set up a VPN to a remote site.

    click settings on the phone, click store, click Apple ID: [email protected], select sign out, then sign in with the new ID

  • AS5400 Performance running Both H323 and SIP

    Dear All,
    Is there any way to run a Voice Gateway like AS5400 with two protocols, H323 and SIP, simultaneously? Is voice gateway performance affected? Or is voice quality affected if we run both protocols in only one gateway?
    Best Regards,
    Daneth

    AS5400 supports H.323 and SIP dial-peers at the same time without problems.
    I've used AS5400 in IP2IP gateway mode to convert SIP to H.323 and vice versa with about 150 concurrent calls.
    In the lab I also tested SIP, H.323 and MGCP at the same time.
    In the default configuration SIP and H.323 are both active.
    AS5400 uses H.323 as the default signalling protocol. It is sufficient to create a voip dial-peer. To specify SIP you must use the command "session protocol sipv2" under a dial-peer.
    To shut down SIP use
        voice service voip
         sip
          call service stop
    To shut down H.323 use
        no gateway
