Is no ip nat service sip udp port 5060 a valid cmd?

On
# show ver
Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.4(7)
Compiled on Fri 06-Jan-12 10:24 by builders
System image file is "disk0:/asa843-k8.bin"
Config file at boot was "startup-config"
FWall up 1 year 33 days
Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1
I keep getting
FWall(config)# no ip nat service sip tcp port 5060
                     ^
ERROR: % Invalid input detected at '^' marker.

Eric,
This is a command to disable NAT ALG for SIP on IOS routers.
On ASA you can do something similar by removing SIP protocol inspection.
If in doubt check the command references, both ASA and IOS versions are available online.
M.

Similar Messages

  • CUBE and NAT without SIP ALG

    I was wondering if anyone had a CUBE SIP Profile example for rewriting SDP to fix private-to-public IP address in the SDP so that CUBE can be used behind a static NAT without SIP ALG.

    I'm trying to connect a SIP softphone (on the outside) to an IP PBX on the inside. I am seeing postings that say that "ip nat service sip" is the command that enables that feature, and others say that it breaks it. So far my testing shows that it does break it. Ultimately I want my outside softphone to register to the phone system as an external IP address. It seems like SIP normally relays the internal IP address and the ALG router will make the translation on outbound and send it to the right source.

  • Does adding tcp udp ports on the nat exempt accesslist which is binded to nat 0 statement remove the entire nat 0 statement itself?

    Hi Experts,
    Is the above statement true? I learnt later that adding tcp and udp ports on the nat 0 statements is supported. But does it take away the entire nat statement? Please answer my question at the earliest.
    Regards
    Krishna

    Krishna,
    "NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does enable you to specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list. NAT exemption also does not support connection settings, such as maximum TCP connections."
    Reference
    So, since the documentation clearly says that this rule does not consider any ports in the ACL, then one should not be testing unsupported configurations.
    If one adds an ACL with specific ports, then unexpected results may be expected.
    My suggestion: don't add any ACL entry with specific ports to your NAT exempt statement.
    Thanks.
    Portu.
    Please rate any helpful posts

  • ERROR: NAT unable to reserve ports.

    Hi guys,
    I am trying to let the PPTP VPN traffic pass through a new Cisco ASA 5505 but I cannot NAT any UDP traffic using the outside interface as the public IP for the incoming VPN connections.
    The error appears when I run these commands:
    object network CUSTOMER-VPN-SERVER-INTERNAL
    nat (inside,outside) static interface service udp isakmp isakmp
    I get the following error:
    ERROR: NAT unable to reserve ports.
    My version is:
    Cisco Adaptive Security Appliance Software Version 8.4(2)18
    Device Manager Version 6.4(5)
    Here below is my configuration (sanitized as much as I could). Can you please help me find out where I am making a mistake?
    ASA Version 8.4(2)18
    hostname CUSTOMER-SITE1
    domain-name CUSTOMER
    names
    name 192.168.31.0 CUSTOMER-SITE1
    name 192.168.32.0 CUSTOMER-SITE2
    name 192.168.32.253 CUSTOMER-SITE2-FW-LAN
    name YYY.YYY.YYY.YYY CUSTOMER-SITE2-FW-WAN
    name 192.168.31.253 CUSTOMER-SITE1-FW-LAN
    name XXX.XXX.XXX.XXX CUSTOMER-SITE1-FW-WAN
    name 192.168.31.2 USER-TEST-PC
    name 192.168.31.30 CUSTOMER-SITE1-VPN-SERVER-PRIVATE
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address CUSTOMER-SITE1-VPN-SERVER-PUBLIC 255.255.255.252
    object network CUSTOMER-SITE1
    subnet 192.168.31.0 255.255.255.0
    object network CUSTOMER-SITE2
    subnet 192.168.32.0 255.255.255.0
    object network USER-TEST-PC
    host 192.168.31.186
    object network CUSTOMER-SITE1-VPN-SERVER-PUBLIC
    host 116.212.244.138
    description Created during name migration
    object network CUSTOMER-SITE1-VPN-SERVER-INTERNAL
    host 192.168.31.30
    description VPN SERVER
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq pptp
    service-object udp destination eq 4500
    service-object udp destination eq isakmp
    service-object gre
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object gre
    access-list outside_1_cryptomap extended permit ip object CUSTOMER-SITE1 object CUSTOMER-SITE2
    access-list inside_nat0_outbound extended permit ip object CUSTOMER-SITE1 object CUSTOMER-SITE2
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object CUSTOMER-SITE1-VPN-SERVER-INTERNAL
    access-list outside_access_in extended permit tcp any object USER-TEST-PC eq www
    nat (inside,any) source static CUSTOMER-SITE1 CUSTOMER-SITE1 destination static CUSTOMER-SITE2 CUSTOMER-SITE2 no-proxy-arp
    object network CUSTOMER-SITE1
    nat (inside,outside) dynamic interface
    object network USER-TEST-PC
    nat (inside,outside) static interface service tcp www www
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer CUSTOMER-SITE2-FW-WAN
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 116.212.199.226 type ipsec-l2l
    tunnel-group 116.212.199.226 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect pptp
    Thanks,
    Dario

    (sanitized)
    ASA Version 8.4(2)18
    hostname xxxxxx
    enable password xxxxxx
    passwd xxxxxx
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxxxxx 255.255.255.224
    boot system disk0:/asa842-18-k8.bin
    ftp mode passive
    clock timezone SGT 8
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server xxxxxx
    name-server xxxxxx
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Public_Address
    host xxxxxx
    object network VPN-TCP
    host 192.168.1.2
    object network VPN-UDP
    host 192.168.1.2
    object network xxxxxx
    host 192.168.1.2
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object gre
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in_1 extended permit gre any host 192.168.1.2
    access-list outside_access_in_1 remark VPN TCP Connection
    access-list outside_access_in_1 extended permit tcp any object VPN-TCP eq pptp
    access-list outside_access_in_1 remark VPN UDP Connection
    access-list outside_access_in_1 extended permit udp any object VPN-UDP eq isakmp
    access-list inside_access_in remark All inside to outside connections
    pager lines 24
    logging enable
    logging asdm informational
    logging mail alerts
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-641.bin
    no asdm history enable
    arp timeout 14400
    object network VPN-TCP
    nat (inside,outside) static interface service tcp pptp pptp
    object network VPN-UDP
    nat (inside,outside) static interface service udp isakmp isakmp
    object network Kaseya-TCP
    nat (inside,outside) after-auto source dynamic any interface description Default NAT from Inside to Outside
    access-group inside_access_in in interface inside
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 XXXXXX
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable 11443
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 inside
    http redirect inside 80
    snmp-server host inside 192.168.1.2 community *****
    snmp-server host inside 192.168.1.5 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec fragmentation after-encryption inside
    crypto ipsec fragmentation after-encryption outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
        XXXXXX
      quit
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh XXXXXX 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd dns XXXXXX XXXXXX interface inside
    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
    threat-detection scanning-threat shun duration 3600
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 118.107.60.254 source outside
    ntp server 121.0.0.41 source outside
    ntp server 202.60.94.11 source outside prefer
    webvpn
    port 11443
    enable outside
    group-policy DfltGrpPolicy attributes
    webvpn
      url-list value Administration
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username XXXX password XXXXXX encrypted privilege 15
    vpn-group-policy DfltGrpPolicy
    tunnel-group ClientlessVPN type remote-access
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect ctiqbe
      inspect dcerpc
      inspect icmp
      inspect icmp error
      inspect ils
      inspect ipsec-pass-thru
      inspect mgcp
      inspect snmp
      inspect waas
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:af0d8ba03c99dd37540a4d0a4bf569d2
    : end
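Two of the replies above come down to reading an ASA configuration for specific facts: M.'s answer to the original question (SIP inspection in the global policy is the ASA counterpart of the IOS NAT ALG that `no ip nat service sip` turns off), and the "NAT unable to reserve ports" thread, where the posted configuration both enables IKEv1 on the outside interface and tries a static PAT of UDP/500 (isakmp) to that same interface. The script below is an added example, not code from the thread or from Cisco. It parses a flat ASA running-config (indentation lost, as in a forum paste) and reports SIP inspection in the globally applied policy-map, static interface PATs whose port the firewall itself already listens on (a port already in use on the interface is one cause of that error; that it is the cause in this thread is my reading of the posted config, not something the thread confirms), and management access opened to 0.0.0.0/0, which the second posted config does for ASDM on the outside interface. SAMPLE_CONFIG is constructed by condensing the two posted configurations; 192.0.2.10 is a placeholder admin address, and treating UDP/4500 as bound whenever IKE is enabled assumes NAT-T is left at its default (enabled).

```python
import re

# Service names the posted nat/service lines use; numeric ports pass straight through.
PORT_NAMES = {"isakmp": 500, "pptp": 1723, "www": 80, "http": 80, "https": 443, "ssh": 22, "sip": 5060}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NAT_STATIC_IF = re.compile(r"^nat \((\w+),(\w+)\) static interface service (tcp|udp) (\S+) (\S+)$")

# Constructed sample: the two configurations posted in this thread, condensed to the
# lines that matter for the audit. 192.0.2.10 is a placeholder admin address.
SAMPLE_CONFIG = """\
object network VPN-UDP
 nat (inside,outside) static interface service udp isakmp isakmp
object network VPN-TCP
 nat (inside,outside) static interface service tcp pptp pptp
http server enable 11443
http 0.0.0.0 0.0.0.0 outside
http redirect inside 80
ssh 192.0.2.10 255.255.255.255 outside
crypto ikev1 enable outside
webvpn
 port 11443
 enable outside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect sip
service-policy global_policy global
"""


def port_number(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)


def parse_asa_config(text):
    """Pull the facts the audit needs out of a flat running-config. Indentation is
    ignored (a forum paste loses it); sub-mode context comes from the lines that
    open a mode: 'object network', 'policy-map', 'webvpn'."""
    facts = {"listeners": set(), "static_pat": [], "mgmt_any": [], "inspections": {}, "global_policy": None}
    ctx = None
    http_port, http_ifaces, webvpn_port, webvpn_ifaces = 443, [], 443, []   # ASDM and WebVPN default to 443
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("!", ":"):
            continue
        head = tok[0]
        if head == "object" and tok[1] == "network":
            ctx = ("object", tok[2])
        elif head == "policy-map":                        # 'policy-map type inspect ...' is a parameter map
            ctx = None if tok[1] == "type" else ("policy-map", tok[1])
            if ctx:
                facts["inspections"].setdefault(tok[1], set())
        elif tok == ["webvpn"]:
            ctx = ("webvpn",)
        elif head == "crypto" and tok[1] in ("ikev1", "ikev2") and tok[2] == "enable":
            facts["listeners"] |= {(tok[3], "udp", 500), (tok[3], "udp", 4500)}   # IKE; 4500 assumes NAT-T enabled
        elif head in ("ssh", "telnet", "http") and len(tok) == 4 and IPV4.match(tok[1]):
            if head == "http":
                http_ifaces.append(tok[3])                # port is resolved after 'http server enable' is seen
            else:
                facts["listeners"].add((tok[3], "tcp", 22 if head == "ssh" else 23))
            if tok[1] == tok[2] == "0.0.0.0":
                facts["mgmt_any"].append((head, tok[3]))
        elif head == "http" and tok[1:3] == ["server", "enable"]:
            http_port = int(tok[3]) if len(tok) > 3 else 443
        elif head == "service-policy" and tok[-1] == "global":
            facts["global_policy"] = tok[1]
        elif ctx and ctx[0] == "webvpn" and head in ("port", "enable"):
            if head == "port":
                webvpn_port = int(tok[1])
            else:
                webvpn_ifaces.append(tok[1])
        elif ctx and ctx[0] == "object" and (m := NAT_STATIC_IF.match(raw.strip())):
            facts["static_pat"].append((ctx[1], m.group(2), m.group(3), port_number(m.group(5))))
        elif ctx and ctx[0] == "policy-map" and head == "inspect":
            facts["inspections"][ctx[1]].add(tok[1])
    for iface in http_ifaces:
        facts["listeners"].add((iface, "tcp", http_port))
    for iface in webvpn_ifaces:
        facts["listeners"].add((iface, "tcp", webvpn_port))
    return facts


def audit(facts):
    """Turn the parsed facts into the findings a reviewer would raise on this config."""
    findings = []
    gp = facts["global_policy"]
    if gp and "sip" in facts["inspections"].get(gp, ()):
        findings.append("inspect sip is active in policy-map %s (applied globally): the ASA rewrites SIP/SDP "
                        "like an IOS NAT ALG; 'no inspect sip' under that class is the counterpart of IOS "
                        "'no ip nat service sip'" % gp)
    for obj, iface, proto, port in facts["static_pat"]:
        if (iface, proto, port) in facts["listeners"]:
            findings.append("static PAT for object %s to interface %s %s/%d collides with a service the ASA "
                            "itself binds on %s; a port already in use is one cause of "
                            "'ERROR: NAT unable to reserve ports'" % (obj, iface, proto, port, iface))
    for svc, iface in facts["mgmt_any"]:
        findings.append("%s management access is permitted from 0.0.0.0/0 on %s; restrict it to admin sources"
                        % (svc, iface))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_asa_config(SAMPLE_CONFIG)):
        print("-", finding)
```

To use it on a real box, save `show running-config` to a file and pass its contents to `parse_asa_config`; the name and object-group resolution the ASA does for `nat ... service` lines is deliberately not reproduced, so only the literal forms shown in the thread are recognised.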

  • Incoming RTP traffic blocked by SPA112 ATA: UDP port unreachable

    Hi folks,
    I'm using a Cisco SPA112 ATA behind a NAT, where ports 5060, 5061 and 16384-16482 are forwarded. Registration to the SIP proxy also works fine. However, I'm struggling with audio issues, meaning that the RTP session is not set up properly.
    When investigating this issue at the packet-level, I found that the ATA itself is blocking traffic:
    21:00:21.857655 IP 192.168.x.y > 82.197.a.b: ICMP 192.168.x.y udp port 16452 unreachable, length 208
    The blocked port number depends per session, but is always between 16384 and 16482.
    Actually, the issue sounds very much like in [1]. However, the proposed solution (disabling CDP) is not of any help to me, since it's disabled on my ATA by default. Any clue what could be the reason for this behaviour? Your help is greatly appreciated.
    [1] https://supportforums.cisco.com/discussion/11470321/spa-962-intermittently-no-audio-rtp-port-closedunreachable

    Hi,
    You can try this packet-tracer:
    packet-tracer input outside udp <External Source IP on the internet> 45657 <Outside interface IP> 43139 detailed
    For the captures , you just need to verify that the ASA device is passing the traffic through as this is UDP traffic , we would not be able to find much.
    For more information on captures:-
    https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
    Let me know if you have any further queries.
    Thanks and Regards,
    Vibhor Amrodia

  • TS1629 Apple destination ip addresses for well known TCP and UDP ports used by Apple software products

    I work for a large enterprise organisation with dual layer firewalls. The Apple article titled "allowing well known ports through the firewall "does not provide enough information on what the destination ip addresses of Apple servers are which host Apple ICloud services.
    Does anyone have information on the destination Apple Ip addresses? So that I can lock down my firewall rules, just so that Apple devices, access Apple services on the Internet.
    Many thanks

    One option is to use "connection-reuse" cli under sip-ua configuration mode.
    sip-ua
      connection-reuse
    This will enable the 7200 to create a connection with source and destination udp port number set to 5060. This feature is available in IOS 12.4(25d) which requires minimum of 256 / 512MB DRAM (depends on the feature set) and flash of 48 MB.

  • DMVPN-Why received packet doesn't use UDP port 4500 but 500?

    Hello everyone
    I got a problem with my DMVPN. The spoke is behind a NAT device. x.x.x.x is the public IP address which the hub uses. I don't know why it discovered that the hub is also inside a NAT device. And after it sends a packet using port 4500, the received packet from the hub was not using port 4500 but 500. I'm confused now. Any advice would be much appreciated.
    *Sep 10 08:56:02 UTC: ISAKMP:(0): beginning Main Mode exchange
    *Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing SA payload. message ID = 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): local preshared key found
    *Sep 10 08:56:02 UTC: ISAKMP : Scanning profiles for xauth ...
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Sep 10 08:56:02 UTC: ISAKMP:      encryption 3DES-CBC
    *Sep 10 08:56:02 UTC: ISAKMP:      hash MD5
    *Sep 10 08:56:02 UTC: ISAKMP:      default group 1
    *Sep 10 08:56:02 UTC: ISAKMP:      auth pre-share
    *Sep 10 08:56:02 UTC: ISAKMP:      life type in seconds
    *Sep 10 08:56:02 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
    *Sep 10 08:56:02 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:life: 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
    *Sep 10 08:56:02 UTC: ISAKMP:(0)::Started lifetime timer: 86400.
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 
    *Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing KE payload. message ID = 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching x.x.x.x
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is Unity
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is DPD
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): speaking to another IOS box!
    *Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
    *Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
    *Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
    *Sep 10 08:56:02 UTC: ISAKMP (2746): My hash no match -  this node inside NAT
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4  New State = IKE_I_MM4 
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Send initial contact
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Sep 10 08:56:02 UTC: ISAKMP (2746): ID payload 
    next-payload : 8
    type         : 1 
    address      : 192.168.1.101 
    protocol     : 17 
    port         : 0 
    length       : 12
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Total payload length: 12
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4  New State = IKE_I_MM5 
    *Sep 10 08:56:03 UTC: ISAKMP (2746): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Sep 10 08:56:03 UTC: ISAKMP:(2746): phase 1 packet is a duplicate of a previous packet.
    *Sep 10 08:56:03 UTC: ISAKMP:(2746): retransmitting due to retransmit phase 1
    *Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH...
    *Sep 10 08:56:04 UTC: ISAKMP (2746): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH
    *Sep 10 08:56:04 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    *Sep 10 08:56:04 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.

    This could be because the port 4500 packet that is being sent is not being received by the peer side or it is ignoring that packet. 
    Since the port 500 packet that you are receiving is a duplicate of the previous packet it is definitely not a reply packet for the port 4500 packet. 
    If you can get the debugs from the other end, then you could see if the peer side is receiving the udp port 4500 packets.
    If not that then this could be a UDP port 4500 block with the ISP.
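As an added example (not part of the thread), the script below walks `debug crypto isakmp` output like the one posted and answers the question the reply asks you to check by hand: after the spoke floats to UDP/4500, does any packet from the hub arrive with source port 4500? It also counts the duplicate-reply and retransmit lines that the reply uses as evidence. SAMPLE_DEBUG is a constructed subset of the debug above, with the timestamps and the masked peer address kept as posted; the comments on NAT-D hash matching restate RFC 3947, not anything the thread says.

```python
import re

SEND = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \(I\) (\w+)")
RECV = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) Global \(I\) (\w+)")

# Constructed sample: a subset of the 'debug crypto isakmp' lines posted above.
SAMPLE_DEBUG = """\
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
*Sep 10 08:56:02 UTC: ISAKMP (2746): My hash no match -  this node inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP (2746): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP:(2746): phase 1 packet is a duplicate of a previous packet.
*Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH...
*Sep 10 08:56:04 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""


def analyse_isakmp_debug(text):
    """Track the NAT-T port float in IKEv1 main-mode debug output.

    RFC 3947: each side sends NAT-D hashes of its own and the peer's address:port.
    'NAT found' means at least one hash did not match; 'this node inside NAT' means
    the local hash mismatched, so the local side floats to UDP/4500 from MM_KEY_EXCH
    on. A healthy exchange then shows the peer's packets arriving with sport 4500."""
    r = {"nat_detected": False, "local_behind_nat": False, "floated_in": None,
         "sent_on_4500": 0, "received_after_float": [], "duplicates": 0, "retransmits": 0}
    for line in text.splitlines():
        if "NAT found" in line:
            r["nat_detected"] = True
        if "this node inside NAT" in line:
            r["local_behind_nat"] = True
        if "is a duplicate of a previous packet" in line:
            r["duplicates"] += 1
        if "retransmitting phase 1" in line:
            r["retransmits"] += 1
        m = SEND.search(line)
        if m:
            if m.group(2) == "4500":
                r["sent_on_4500"] += 1
                r["floated_in"] = r["floated_in"] or m.group(4)   # state in which we first used 4500
            continue
        m = RECV.search(line)
        if m and r["floated_in"] is not None:
            r["received_after_float"].append((int(m.group(3)), m.group(4)))
    r["verdict"] = verdict(r)
    return r


def verdict(r):
    if r["floated_in"] is None:
        return "no float to UDP/4500 seen; NAT-T was not negotiated or no NAT was detected"
    if any(sport == 4500 for sport, _ in r["received_after_float"]):
        return "peer answered on UDP/4500; NAT-T float completed"
    return ("peer never answered on UDP/4500 after the float in %s (%d packets sent on 4500, "
            "%d duplicate reply on 500, %d retransmits): UDP/4500 is dropped or ignored between "
            "this spoke and the hub, so check the hub's debugs and the NAT/ISP path for UDP/4500"
            % (r["floated_in"], r["sent_on_4500"], r["duplicates"], r["retransmits"]))


if __name__ == "__main__":
    result = analyse_isakmp_debug(SAMPLE_DEBUG)
    print(result["verdict"])
```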

  • Noticed that my MAC Mini is sending traffic to 70.38.54.77 on sequential UDP ports (port scanning?)

    Hi,
    I noticed in my home router logs that my Mac mini "scans" UDP ports in the 33xxx range to an address 70.38.54.77 ... a quick search shows others complaining but no result or explanation. I am looking to see if this is some piece of sw installed in my Mac or perhaps how to block traffic to/from that IP (or its subnet).
    See below - .149 is my Mac mini IP address at home.
    Outgoing log
    LAN IP address | Destination URL or IP address | Service or port number
    192.168.2.149 | 70.38.54.77 | 33495
    192.168.2.149 | 70.38.54.77 | 33494
    192.168.2.149 | 70.38.54.77 | 33493
    192.168.2.149 | 70.38.54.77 | 33492
    192.168.2.149 | 70.38.54.77 | 33491
    192.168.2.149 | 70.38.54.77 | 33490
    192.168.2.149 | 70.38.54.77 | 33489
    192.168.2.149 | 70.38.54.77 | 33488
    192.168.2.149 | 70.38.54.77 | 33487
    192.168.2.149 | 70.38.54.77 | 33486
    192.168.2.149 | 70.38.54.77 | 33485
    192.168.2.149 | 70.38.54.77 | 33484
    192.168.2.149 | 70.38.54.77 | 33483
    192.168.2.149 | 70.38.54.77 | 33482
    192.168.2.149 | 70.38.54.77 | 33481
    192.168.2.149 | 70.38.54.77 | 33480
    192.168.2.149 | 70.38.54.77 | 33479
    192.168.2.149 | 70.38.54.77 | 33478
    192.168.2.149 | 70.38.54.77 | 33477
    192.168.2.149 | 70.38.54.77 | 33476
    192.168.2.149 | 70.38.54.77 | 33475
    192.168.2.149 | 70.38.54.77 | 33474
    192.168.2.149 | 70.38.54.77 | 33473
    192.168.2.149 | 70.38.54.77 | 33472
    192.168.2.149 | 70.38.54.77 | 33471
    192.168.2.149 | 70.38.54.77 | 33470
    192.168.2.149 | 70.38.54.77 | 33469
    192.168.2.149 | 70.38.54.77 | 33468
    192.168.2.149 | 70.38.54.77 | 33467
    Thanks in advance.

    Is that your IP & ISP?
    NetRange:       70.38.54.64 - 70.38.54.95
    CIDR:           70.38.54.64/27
    OriginAS:      
    NetName:        IWEB-CL-T140-02SH
    To see if it's you/your provider, What's my ip...
    http://www.whatismyipaddress.com/
    Little Snitch, stops/alerts outgoing stuff...
    http://www.obdev.at/products/littlesnitch/index.html
    And will tell you what wants to use that port, then you can choose to allow or deny.
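Added example, not from the thread: a small check over a router outgoing log like the one posted. It groups rows by source and destination, reports runs of consecutive destination ports (the signature of a sweep), and notes whether a run sits in the range classic UDP traceroute uses (destination ports counting up from 33434, one per probe), which is worth checking before treating the traffic as a scan; the flag means consistent with traceroute, not proof of it. SAMPLE_LOG is constructed from the first eight rows above plus one unrelated row so the grouping is visible; the 100-port span used for the traceroute range is my assumption (about 30 hops times 3 probes).

```python
import re

ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)$")
TRACEROUTE_BASE = 33434   # classic UDP traceroute sends its first probe to 33434
TRACEROUTE_SPAN = 100     # assumption: roughly 30 hops x 3 probes for a default run

# Constructed sample: the first eight posted rows (LAN IP, destination, port, one per
# line) plus one unrelated HTTPS row so that grouping by destination shows.
SAMPLE_LOG = """\
192.168.2.149 70.38.54.77 33495
192.168.2.149 70.38.54.77 33494
192.168.2.149 70.38.54.77 33493
192.168.2.149 198.51.100.7 443
192.168.2.149 70.38.54.77 33492
192.168.2.149 70.38.54.77 33491
192.168.2.149 70.38.54.77 33490
192.168.2.149 70.38.54.77 33489
192.168.2.149 70.38.54.77 33488
"""


def parse_rows(text):
    """Return (src, dst, port) triples in log order; lines that are not rows (headers) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3))))
    return rows


def find_port_runs(rows, min_len=5):
    """Per (src, dst) pair, find runs of ports that step by exactly +1 or -1 in log order.
    A run of at least min_len ports to one destination is the signature of a port sweep;
    'traceroute_like' marks runs that sit entirely in the default UDP traceroute range."""
    by_pair = {}
    for src, dst, port in rows:
        by_pair.setdefault((src, dst), []).append(port)
    runs = []
    for (src, dst), ports in by_pair.items():
        start, step = 0, None
        for i in range(1, len(ports) + 1):
            d = ports[i] - ports[i - 1] if i < len(ports) else None
            if d in (1, -1) and (step is None or d == step):   # same direction, unit step
                step = d
                continue
            if i - start >= min_len:
                seg = ports[start:i]
                runs.append({
                    "src": src, "dst": dst, "first": seg[0], "last": seg[-1], "count": len(seg),
                    "traceroute_like": all(TRACEROUTE_BASE <= p < TRACEROUTE_BASE + TRACEROUTE_SPAN for p in seg),
                })
            start, step = i, None
    return runs


def describe(run):
    kind = "consistent with UDP traceroute probes" if run["traceroute_like"] else "sequential port sweep"
    return "%s -> %s: %d consecutive ports %d..%d (%s)" % (
        run["src"], run["dst"], run["count"], run["first"], run["last"], kind)


if __name__ == "__main__":
    for run in find_port_runs(parse_rows(SAMPLE_LOG)):
        print(describe(run))
```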

  • UDP PORT 445 Not listed in System Process

    Hi! Can you help me? I need UDP port 445 listed on the SYSTEM process.
    I opened UDP port 445 on the firewall (WSBS 2011), but in Syshelp (Symantec validation tool) the result is:
    Title: One or more network services, ports, protocols or associated processes may need attention
    Product: Backup Exec Server
    Status: Warning
    Details:
    Warning SYSTEM's UDP port 445 is not open or listening.
    Warning Port is not open or listening.
    UDP Process: System
    Ok SYSTEM is the correct process for UDP port 137
    Ok Port 137 with protocol UDP is open on the following IP addresses: - 25.54.28.213
    - 169.254.41.25
    - 169.254.244.222
    - 192.168.0.6
    - 192.168.1.2
    Ok Process System has port 137 with protocol UDP open.
    Ok Process System has port 137 with protocol UDP open.
    Ok Process System has port 137 with protocol UDP open.
    Ok Process System has port 137 with protocol UDP open.
    Ok Process System has port 137 with protocol UDP open.
    Information Network service name not defined. Test skipped.
    Information Default settings - Network Service Name: netbios-ns Port: 137 Protocol: UDP Process: System
    Ok SYSTEM is the correct process for UDP port 138
    Ok Port 138 with protocol UDP is open on the following IP addresses: - 25.54.28.213
    - 169.254.41.25
    - 169.254.244.222
    - 192.168.0.6
    - 192.168.1.2
    Ok Process System has port 138 with protocol UDP open.
    Ok Process System has port 138 with protocol UDP open.
    Ok Process System has port 138 with protocol UDP open.
    Ok Process System has port 138 with protocol UDP open.
    Ok Process System has port 138 with protocol UDP open.
    Information Network service name not defined. Test skipped.
    Information Default settings - Network Service Name: netbios-dgm Port: 138 Protocol: UDP Process: System
    Ok SYSTEM is the correct process for TCP port 445
    Ok Port 445 with protocol TCP is open on the following IP addresses: - 0.0.0.0
    Ok Process System has port 445 with protocol TCP open.
    Information Network service name not defined. Test skipped.
    Information Default settings - Network Service Name: microsoft-ds Port: 445 Protocol: TCP Process: System

    Hi,
    "I need the UDP PORT 445 listed on SYSTEM Process."
    "Warning SYSTEM's UDP port 445 is not open or listening."
    Based on your description, I'm a little confused with this issue. Please run the following commands with administrator permission and monitor the result. Would you please check and confirm whether any process is listening on UDP port 445?
    netstat -ab
    netstat -a | find /i "445"
    In addition, I noticed that you use Syshelp (Symantec validation tool) to check. I suggest that you post the warning message in the Symantec Forum and confirm this issue. I believe we will get better assistance there.
    If anything I misunderstand, please don't hesitate to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Monitor a UDP port

    Hi,
    I could find a solution for my problem. I need to monitor a UDP port.
    For the TCP ports i'm using MP template TCP Port, but for the UDP i don't find any tool.
    My question is: is it possible to monitor UDP ports in SCOM 2012 R2? If yes, how?
    Thank you,
    Rui 

    Hi Rui,
    I have found a possibility to do this. Hope you understand this and it is helpful. This is a two-step process but I guess it will definitely serve the purpose.
    Scope: We will be running a tool which will monitor a port (TCP or UDP) for a specific host / IP and will write a log file.
    SCOM will monitor the log file and will throw an alert if the log file contains the string NOT LISTENING (port not working or unable to open the port), which the program will write to the log with the results.
    First download the program named: PortQry Command Line Port Scanner Version 2.0 from microsoft using the below link. It is a command line tool.
    http://www.microsoft.com/en-in/download/details.aspx?id=17148
    Run it using by making a batch file or powershell script using task scheduler as per your time requirement (Every 5 min or 1Hr).
    Use this command to monitor a ip / hostname and its port with TCP or UDP.
    I have pasted the command file of the program in C:\Port_checker directory so i am using the below syntax
    C:\Port_checker\PortQry.exe -N 192.168.1.1 -e 5723 -p UDP -l C:\Port_checker\Result.log /y
    -N = Hostname / FQDN of agent or IP address
    -E = Port # that you want to monitor
    -P = Protocol (TCP or UDP)
    -L = Generate the log at the following location and name
    /Y = Replace the existing log file with a fresh one without prompting.
    The result in the log file will be as follows:
    ============================
    For successful port open:
    PortQry Version 2.0 Log File
    System Date: Tue Oct 07 09:42:32 2014
    Command run:
     C:\PortQryV2\PortQry.exe -N 192.168.1.1 -e 5723 -p UDP -l C:\Portqryv2\Result.log /y
    Local computer name:
     192.168.1.2
    Querying target system called:
     192.168.1.1
    Attempting to resolve name to IP address...
    Name resolved to 192.168.1.1
    querying...
    UDP port 5723 (unknown service): LISTENING
    ========= end of log file ========= 
      PortQry developed by Tim Rains
    For failure port open:
    PortQry Version 2.0 Log File
    System Date: Tue Oct 07 09:42:32 2014
    Command run:
     C:\PortQryV2\PortQry.exe -N 192.168.1.1 -e 5723 -p UDP -l C:\Portqryv2\Result.log /y
    Local computer name:
     192.168.1.2
    Querying target system called:
     192.168.1.1
    Attempting to resolve name to IP address...
    Name resolved to 192.168.1.1
    querying...
    UDP port 5723 (unknown service): NOT LISTENING
    ========= end of log file ========= 
      PortQry developed by Tim Rains
    Now as per the above results, NOT LISTENING means the port is blocked or is not opened, and LISTENING
    means it is working or the port is opened.
    So now using SCOM you will monitor the log file Result.log
    in the location C:\Port_checker\, saying: if NOT LISTENING
    appears in the log file, throw me an alert in the SCOM console or via email.
    To configure that alert you need to create a Generic Text Log alerting rule which will throw an alert if anything is added to that log which is not supposed to be there; if something like NOT LISTENING is added,
    then it will throw an alert.
    Refer to this link on how to create a Generic Text Log alerting rule.
    http://blogs.technet.com/b/kevinholman/archive/2009/06/20/using-a-generic-text-log-rule-to-monitor-an-ascii-text-file-even-when-the-file-is-a-unc-path.aspx
    Gautam.75801
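    The parsing step that the Generic Text Log rule performs on Result.log, written out as an added Python example (not code from the thread or from PortQry); the two sample logs are constructed to match the format quoted above.

```python
"""Parse PortQry v2 log files and flag ports that are NOT LISTENING.
Added example (not the thread's own code): the sample logs below are
constructed to match the log format quoted in the post."""
import re

# Result line written by PortQry, e.g. "UDP port 5723 (unknown service): LISTENING".
# For UDP probes PortQry may also report "LISTENING or FILTERED"; that is not
# a failure, so it is captured as a state but does not raise an alert.
RESULT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP) port (?P<port>\d+) \((?P<svc>[^)]*)\):\s*(?P<state>.+?)\s*$",
    re.MULTILINE,
)
TARGET_RE = re.compile(r"Name resolved to (?P<ip>[\d.]+)")

# Constructed sample mirroring the log quoted in the post.
SAMPLE_OK = """PortQry Version 2.0 Log File
Command run:
 C:\\PortQryV2\\PortQry.exe -N 192.168.1.1 -e 5723 -p UDP -l C:\\Portqryv2\\Result.log /y
Querying target system called:
 192.168.1.1
Attempting to resolve name to IP address...
Name resolved to 192.168.1.1
querying...
UDP port 5723 (unknown service): LISTENING
========= end of log file =========
"""
SAMPLE_FAIL = SAMPLE_OK.replace("): LISTENING", "): NOT LISTENING")


def parse_portqry_log(text):
    """Return target, protocol, port, state and whether an alert is due."""
    m = RESULT_RE.search(text)
    if m is None:
        raise ValueError("no PortQry result line found")  # treat as a failed probe
    t = TARGET_RE.search(text)
    state = m.group("state")
    return {
        "target": t.group("ip") if t else None,
        "proto": m.group("proto"),
        "port": int(m.group("port")),
        "state": state,
        # NOT LISTENING is the exact string the SCOM text-log rule keys on.
        "alert": state == "NOT LISTENING",
    }


def alert_message(text):
    """One-line alert description for SCOM/email, or None when healthy."""
    r = parse_portqry_log(text)
    if not r["alert"]:
        return None
    return "%s port %d on %s: %s" % (r["proto"], r["port"], r["target"], r["state"])
```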

  • How to setup a UDP port forward range

    Hi,
    We are trying to figure out how to setup UDP port forward range. This is the configuration that we are using.
    ip nat pool voip-rtp 10.10.10.3 10.10.10.3 netmask 255.255.255.0 type rotary
    ip nat inside destination list 114 pool voip-rtp
    access-list 114 permit udp any any range 16384 32767
    Where 10.10.10.3 is the host I want to forward the ports 16384 to 32767 to.
    This is not working. We use a similar set of commands for TCP range forwarding which work perfectly. Can anyone advise of the correct way to port forward a UDP range?
    Damien

    Thanks for the suggestion.
    I tried the same, but still the UDP port 514 is not available. When I run the nmap tool to scan the ports, the UDP port 514 is not available to the external world and hence the syslog messages I send to that port are not being received. Kindly help me out.
    thanks again!!

  • Track UDP ports

    Hi,
    How can we check open UDP ports on Solaris 10? I run the following command to check all open UDP ports but it is not displaying all of them:
    netstat -a -P udp, but I can't see UDP port 514 which is being used by syslog.
    asqcsat:/ # ps -ef|grep syslog
    root 11836 2306 0 Dec 05 ? 30:07 /usr/sbin/syslogd
    root 17025 17019 0 15:14:26 pts/37 0:00 grep syslog
    asqcsat:/ #
    asqcsat:/ # netstat -a -P udp|grep 514
    asqcsat:/ #
    Regards,
    RTA

    Well, since the port is, as mentioned, defined in /etc/services, it will show up in 'netstat' as 'syslog' rather than '514'. Hence, try and run
    netstat -a -P udp | grep -i syslog
    If you still don't see anything, perhaps logging of remote messages is disabled, in which case you should check /etc/default/syslogd and svccfg for the system-log instance.
    If the port is opened by syslogd, you should also see it if you run:
    pfiles <pid of syslogd>
    .7/M.
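    The answer's point, that netstat prints the /etc/services name so grepping for the number finds nothing, as an added Python example that is not from the thread; the netstat output is a constructed sample, and the optional `services` mapping is an assumed stand-in for /etc/services when a deterministic lookup is wanted.

```python
"""Find a UDP port in Solaris-style `netstat -a -P udp` output by number or
by its /etc/services name.  Added example, not code from the thread."""
import socket

# Constructed sample of `netstat -a -P udp` on Solaris: the Local Address
# column shows the *service name* when /etc/services has an entry for the port.
SAMPLE_NETSTAT = """\
UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.sunrpc                            Idle
      *.syslog                            Idle
      *.32771                             Idle
      *.*                                 Unbound
"""


def port_names(port, proto="udp", services=None):
    """All spellings netstat may use for `port`: the number and, if known,
    the service name.  `services` (assumed helper) overrides the system
    /etc/services lookup so results do not depend on the host's database."""
    names = {str(port)}
    if services is not None:
        name = services.get(port)
    else:
        try:
            name = socket.getservbyport(port, proto)
        except OSError:
            name = None  # no /etc/services entry: number form only
    if name:
        names.add(name)
    return names


def find_port_lines(netstat_output, port, proto="udp", services=None):
    """Return the netstat lines whose Local Address ends in .<port> or
    .<service-name>, whitespace-normalised."""
    wanted = port_names(port, proto, services)
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or "." not in fields[0]:
            continue  # header, separator or blank line
        local_port = fields[0].rsplit(".", 1)[1]
        if local_port in wanted:
            hits.append(" ".join(fields))
    return hits
```

    With an empty `services` mapping the number-only search reproduces the empty result the poster saw; passing `{514: "syslog"}` (or the real /etc/services) finds the socket.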

  • Operations Manager 2012 isn't listening on SNMP Trap UDP port 162

    hi,
    SCOM 2012 SP1: how come Operations Manager has started but SNMP Trap UDP port 162 is not listening?
    Without this port listening, I can't test SNMP traps on SCOM.
    Thanks...KEN

    Hi,
    As described in the following blog, the Trap service is installed but turned off; we could not get traps coming in until we turned the service back on.
    So please verify that the service is on. You can continue to audit the ports by running netstat -a.
    System Center 2012 Notes From the Field
    http://scom-2012.blogspot.in/2012/07/setting-up-snmp-monitoring-in-scom-2012.html
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Hope this helps.

  • Change UDP ports used by SVE

    Hello all,
    I have recently installed a piece of hardware which transmits information to UDP port 6001 on my computer. Some software that runs on the computer then listens on this port in order to detect the hardware.
    However, LabVIEW shared variable engine seems to use the same port. On the computer in question the port is used by NITaggerService (National Instruments Variable Engine).
    One solution is to stop this service - this works and allows the software to detect the hardware. However, eventually, I want to run this hardware alongside LabVIEW (indeed, LabVIEW will communicate with the hardware), so this is not a desirable solution.
    http://www.ni.com/white-paper/12402/en suggests that UDP ports 6000-6010 are used by Shared Variables and Network Streams, which is consistent with the service identified above. It suggests that these ports are fixed; however, I have noticed that on different computers, port 6001 is used by a different NI service (e.g. on another computer, it is used by lkTimeSync (National Instruments Time Synchronization)), suggesting that there is /some/ flexibility. In addition, not all the ports from 6000-6010 are used in practice, suggesting that it might be possible to use another port in the range 6000-6010 rather than 6001.
    Does anyone know how to force NI SVE to use a different range of UDP port, or at least to not use 6001?
    All the best
    James Polyblank

    Hi James,
    It is not possible to pre-define which ports the NI services should use. One way to get around this would be to have these services not auto-start on Windows launch and manually start them once your other software has established communication with the hardware through UDP port 6001.
    You have taken the first step in this direction by stopping the service. After the hardware has been detected (on port 6001), restart the NITaggerService that you stopped. This will automatically start the service on a port that is free and available.
    Try this and see if it works. You can also try starting the service automatically from your LabVIEW application using 'System Exec.vi'.
    Thanks and Regards,
    Supreeth.K
    Applications Engineer
    NIUK

  • Can't Receive Calls on VOIP Service - Need to Check Port 5060

    Hi Everyone,
    I use the www.mynetfone.com.auy VoIP service. It seems that I'm unable to receive calls (randomly).
    I was told by their support team that I need to ensure port 5060 is active. I checked with my internet provider and they don't block access to this port.
    I need to know:
    1. How can I check to see if this port is actually blocked on the Time Capsule; and
    2. How do I allow access?

    1. How can I check to see if this port is actually blocked on the Time Capsule
    By default, the Time Capsule (TC) employs NAT so all incoming ports are blocked.
    2. How do I allow access?
    One method is to configure the TC to map port 5060 to the network device that is required to be accessed from the Internet. To do so, the device would have to be assigned a static IP address (or a DHCP-provided address must be reserved for it).
