NAT above 8.3+

I am a little confused about the new NAT.
I have a VPN tunnel from a vendor, and I would like to have their local address set to a NAT address because it conflicts with my network address. I would also like my inside host address NATed to another address. The reason is I will be changing my inside network address scheme in the near future, and it would be easier to change the address in my firewall than to contact all the vendors. This NAT only needs to happen when contacting this VPN tunnel or any other tunnels in the future. I also put in some public addresses. I don't think I need them except for the VPN stage, but just in case I am forgetting something.
HQ Inside: Public 192.192.1.214
A  SRC-REAL-HQ-IN:      host 10.120.40.50
B  DST-MAPPED-HQ-NAT:   host 172.29.20.50
Vendor: Public 11.11.25.6
C  SRC-REAL-VEN-OUT:    host 10.1.1.6
D  DST-MAPPED-VEN-NAT:  host 172.29.10.10
object network A
host 10.120.40.50
object network B
host 172.29.20.50
object network C
host 10.1.1.6
object network D
host 172.29.10.10
Where I am stuck:
?  nat (in,out) source static A D destination static B C   ?
Or am I doing this all wrong? Is there another way to map the address together?

Hi,
I understood that you want to do NAT for both the source and destination addresses because the remote networks overlap with your local network.
The configuration format for such a NAT would be
nat (in,out) source static destination static
The above configuration would work in the following way
Traffic destined to would arrive on the firewall and the would get UN-NAT / untranslated to
The connections would get mapped to the
With regards to the L2L VPN configurations your Crypto ACL would have to match the and to the 2 configurations would match.
Hope this helps
- Jouni

Similar Messages

  • Broadband connection with one static ip

    Hello Everyone!!
    I would like to seek your kind suggestion in mapping static ip address to the local ip address.
    We have a bsnl broadband connection, and bsnl has provided us with one static ip address.
    We are using  broadband modem.
    Now I would like to map this static IP address to one of the private IP addresses, which is 192.168.1.2 (database server).
    I want to NAT the above IPs; if I do so then I don't have any IP to assign to my outside interface.
    I would like to access this device over internet, by typing my public (Static ip ) given by the BSNL.
    Kindly let me know how should i configure this modem.
    security device i have is cisco ASA 5505.
    Need suggestion.
    thanks in advance

    Hi,
    I am afraid that if you are asking for guide to configuring your broadband modem then this is probably not the best section of the Cisco Support Community to do that.
    Generally though it would be best if the modem you have was configured as a bridged device and the public IP address was configured on the ASA5505 directly on its "outside" interface. This saves you from a lot of trouble playing with possible NAT configurations on 2 devices.
    On the ASA5505 you will basically be configuring Static PAT and NOT Static NAT.
    Static NAT would bind the public IP address to the use of only a single internal host.
    Static PAT on the other hand would bind certain TCP/UDP ports to some internal host.
    So naturally we should first determine which ports you need to forward to the internal host and also what the software level of your ASA5505 is so we know which NAT configuration format to use (the version number is shown with the command "show version" or in the main view of the ASDM).
    NAT/ACL 8.2 (and older) Configuration format
    static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255
    access-list OUTSIDE-IN permit tcp any interface outside eq 80
    access-group OUTSIDE-IN in interface outside
    In the above configuration we first use the "static" command to configure the Static PAT. The configuration basically states that we want to forward the TCP/80 port using the "outside" "interface" IP address to the local IP address of 192.168.1.2 and local port of TCP/80.
    Finally we make an ACL that allows TCP/80 traffic from anywhere and we attach the ACL to the "outside" interface with "access-group" command. If there is an existing ACL attached to the "outside" interface then you would naturally use that.
    NAT/ACL 8.3 (and newer) Configuration Format
    object network SERVER-WWW
    host 192.168.1.2
    nat (inside,outside) static interface service tcp 80 80
    access-list OUTSIDE-IN permit tcp any object SERVER-WWW eq 80
    access-group OUTSIDE-IN in interface outside
    The above basically does the same as the first example with the older ASA software. There are just noticeable changes in the NAT and ACL configuration formats.
    Hope this helps
    - Jouni

  • NAT / PAT config conversion from PIX v6 to ASA Software 8.3 and above

    Hi folks,
    I'm currently working on converting some PIX firewall configs to ASA and wanted to check I was on the right track, as I don't currently have the ASA's so doing the configs up front!
    Everything seems straightforward in the conversion and I've used the pixtoasa tool for some of it, but NAT is implemented differently on 8.3; the PIX was running v6 and I'm used to doing mainly static one-to-one NAT in ASDM.
    The scenario is that the PIX has 3 NAT groups which are mapped to 3 separate addresses, where multiple hosts are behind the NAT / PAT. Current config of the PIX is as follows (obviously the names are defined further up the config so this is an extract of the PIX):
    global (outside) 1 10.50.50.38
    global (outside) 2 10.50.50.39
    global (outside) 3 10.50.50.49
    nat (inside) 0 access-list no-nat-all
    nat (inside) 2 Host_1 255.255.255.255 0 0
    nat (inside) 2 Host_2 255.255.255.255 0 0
    nat (inside) 2 Host_3 255.255.255.255 0 0
    nat (inside) 1 Host_4 255.255.255.255 0 0
    nat (inside) 1 Host_5 255.255.255.255 0 0
    nat (inside) 1 Host_6 255.255.255.255 0 0
    nat (inside) 1 Host_7 255.255.255.255 0 0
    nat (inside) 3 Network_3 255.255.255.0 0 0
    ASA Config
    After a fair amount of reading up on this topic, I'm looking at changing the ASA config in software version 8.3 to the following. Also, is it easier to just do this in ASDM? Looks pretty easy from YouTube videos, but I'd rather have something to put on the box when I arrive at site NAT-wise as opposed to working it out there!
    Define NAT Objects (outside IP addresses)
    object network NAT_1_outside_10.50.50.38
    host 10.50.50.38
    object network NAT_2_outside_10.50.50.39
    host 10.50.50.39
    object network NAT_3_outside_10.50.50.49
    host 10.50.50.49
    exit
    Define NAT Objects (inside IP addresses)
    object-group network NAT_1_Objects
    network-object Host_4 255.255.255.255
    network-object Host_5 255.255.255.255
    network-object Host_6 255.255.255.255
    network-object Host_7 255.255.255.255
    nat (inside,outside) source dynamic NAT_1_Objects NAT_1_outside_10.50.50.38
    object-group network NAT_2_Objects
    network-object Host_1 255.255.255.255
    network-object Host_2 255.255.255.255
    network-object Host_3 255.255.255.255
    nat (inside,outside) source dynamic NAT_2_Objects NAT_2_outside_10.50.50.39
    object-group network NAT_3_Objects
    network-object Network_1 255.255.255.0
    nat (inside,outside) source dynamic NAT_3_Objects NAT_3_outside_10.50.50.49
    Any assistance with this would be appreciated.
    cheers
    Malcolm

    I cannot make heads or tails of what you're trying to accomplish; in plain English first, before looking at router setup.
    If you're talking about hosting servers behind the router on your private LAN (assuming one public WAN IP), then one uses ACLs to control external users by individual OR GROUP and static NAT to port forward users to the correct server. One does not worry about groups of users for this direction of NAT rule.
    If what you're saying is that you have a LAN and 3 different groups of users on the LAN that need to go to specific external IP addresses (external servers), then once again I would say you should use ACLs to limit/authorize users and simply use NAT for port translation purposes. So conceptually speaking, allow all LAN users static NAT, and then only allow group 1 hosts access to the first external IP, group 2 hosts to the second external IP, and group 3 hosts to the third external IP. Note you will have to add a deny rule in the firewall in general because normally higher to lower security interface is allowed by default.
    Am I close......... Before going any further I need more details on the requirements, never mind setup.

  • Static NAT to two servers using same port

    I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
    I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
    Any help would be very much appreciated.
    Thanks,
    - Mike

    Hi,
    Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
    On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port is coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
    I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain whether this is a stable solution. I would imagine it could not be recommended for a production environment setup.
    But nevertheless it's a possibility.
    So you would need the newer software on your firewall, but I am not sure what device you are using and what software it's using.
    - Jouni

  • NAT 8.0 to 9.2 convert help

    I have the below config on ASA 8.0 I need to convert it to 9.2
    name 10.2.17.80 BV-DVR
    name 10.2.13.80 SE-DVR
    name 10.2.23.80 ES-DVR
    name 10.2.10.80 NW-DVR
    name 10.2.10.81 NW-DVR2
    name 10.2.1.76 C-DVR1
    name 10.2.1.78 C-DVR2
    name 10.2.1.80 C-DVR3
    name 10.2.19.80 WS-DVR1
    name 10.2.19.81 WS-DVR2
    name 10.2.15.80 SW-DVR
    name 10.2.11.80 M-DVR
    object-group network Camera_DVRs
     network-object host SE-DVR
     network-object host BV-DVR
     network-object host ES-DVR
     network-object host C-DVR1
     network-object host C-DVR2
     network-object host C-DVR3
     network-object host WS-DVR1
     network-object host WS-DVR2
     network-object host NW-DVR
     network-object host NW-DVR2
     network-object host SW-DVR
     network-object host M-DVR
    object-group service DM_INLINE_TCP_2 tcp
     port-object eq 8000
     port-object eq www
     port-object eq 8001
     port-object eq 8100
     port-object eq 8101
     port-object eq 8200
     port-object eq 8201
     port-object eq 8202
     port-object eq 8203
     port-object eq 8300
     port-object eq 8301
     port-object eq 8400
     port-object eq 8401
     port-object eq 8402
     port-object eq 8403
     port-object eq 8404
     port-object eq 8405
     port-object eq 8500
     port-object eq 8501
     port-object eq 8502
     port-object eq 8503
     port-object eq 8600
     port-object eq 8700
    object-group service DM_INLINE_TCP_3 tcp
     port-object eq 8000
     port-object eq www
     port-object eq 8300
     port-object eq 8301
     port-object eq 8400
     port-object eq 8401
     port-object eq 8402
     port-object eq 8403
     port-object eq 8404
     port-object eq 8405
     port-object eq 8500
     port-object eq 8501
     port-object eq 8502
     port-object eq 8503
     port-object eq 8600
     port-object eq 8700
    access-list 200 extended permit tcp any host 1.1.1.172 object-group DM_INLINE_TCP_2
    access-list 200 extended permit tcp object-group Camera_DVRs host 1.1.1.172 object-group DM_INLINE_TCP_3
    static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8001 BV-DVR 8001 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8100 SE-DVR 8100 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8101 SE-DVR 8101 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8200 NW-DVR 8200 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8201 NW-DVR 8201 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8202 NW-DVR2 8202 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8203 NW-DVR2 8203 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8300 ES-DVR 8300 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8301 ES-DVR 8301 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8400 C-DVR1 8400 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8401 C-DVR1 8401 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8402 C-DVR2 8402 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8403 C-DVR2 8403 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8404 C-DVR3 8404 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8405 C-DVR3 8405 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8500 WS-DVR1 8500 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8501 WS-DVR1 8501 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8502 WS-DVR2 8502 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8503 WS-DVR2 8503 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8600 M-DVR 8600 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8700 SW-DVR 8700 netmask 255.255.255.255
    Here is a bit of what I think I need to do....
    object network OBJ-10.2.17.80
      host 10.2.17.80
    object network OBJ-1.1.1.172
      host 1.1.1.172
    object service OBJ-TCP-8000
      service TCP source eq 8000
    object service OBJ-TCP-8000
      service TCP source eq 8000
    nat (inside,outside) source static OBJ-10.2.17.80 OBJ-1.1.1.172 service OBJ-TCP-8000 OBJ-TCP-8000
    access-list outside_access_in extended permit tcp any4 object OBJ-10.2.17.80 eq 8000
    Thanks,
    Mike

    I did not create the above config. If I had, I would never have "DM_INLINE" on anything. It is the default naming Cisco uses when objects are created via ASDM, and lazy or inexperienced engineers do not correct it. Also, auditors do not like such non-descriptive names. I do not like this default behavior at all and do most everything via CLI; much better and much more control. It would be better if, when using ASDM and creating these, it did not put in a default name but forced you to enter something.
    Mike
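The SERVER-WWW pair in the broadband reply above and the DVR static PAT lines in this thread are the same migration: an 8.2 "static" line becomes an object network carrying one "nat" command, and the ACL switches from the mapped address to the real one. The following is an added Python converter for that migration, not a tool from the threads or from Cisco; the object naming OBJ-<ip>-<proto>-<port> and the sample input are constructed here, and ACLs whose destination is a port object-group are handed back for manual splitting because each port maps to a different real host.

```python
import re

# Constructed sample input, modelled on the DVR and SERVER-WWW configurations
# quoted above: 8.2-style "name" definitions, Static PAT "static" lines and
# the ACLs that reference the mapped address.
OLD_CONFIG = """\
name 10.2.17.80 BV-DVR
name 10.2.13.80 SE-DVR
static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8001 BV-DVR 8001 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8100 SE-DVR 8100 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255
access-list 200 extended permit tcp any host 1.1.1.172 eq 8000
access-list 200 extended permit tcp any host 1.1.1.172 object-group DM_INLINE_TCP_2
access-list OUTSIDE-IN permit tcp any interface outside eq 80
"""

# static (real_ifc,mapped_ifc) {tcp|udp} MAPPED MPORT REAL RPORT [netmask MASK]
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+)(?: netmask \S+)?$")
# access-list NAME [extended] permit {tcp|udp} SRC {host MAPPED | interface IFC} eq MPORT
ACL_RE = re.compile(
    r"^(?P<head>access-list \S+ (?:extended )?permit (?P<proto>tcp|udp) \S+(?: \S+)?) "
    r"(?:host (?P<mapped>\S+)|interface \S+) eq (?P<mport>\S+)$")


def parse_names(lines):
    """'name <ip> <alias>' lines: alias -> IP, so statics resolve to real IPs."""
    names = {}
    for line in lines:
        m = re.match(r"^name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def convert_statics(lines, names):
    """Emit one object network per static line.

    Object NAT allows a single nat command per object, so a host that is
    reachable on several mapped ports needs one object per port; the name
    encodes real IP, protocol and real port (a convention chosen here, not
    a Cisco default).
    """
    objects, index = [], {}
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        real_ip = names.get(m["real"], m["real"])
        name = f"OBJ-{real_ip}-{m['proto'].upper()}-{m['rport']}"
        objects += [
            f"object network {name}",
            f" host {real_ip}",
            # 8.3+ order: mapped address, then "service <proto> real_port mapped_port"
            f" nat ({m['real_ifc']},{m['mapped_ifc']}) static {m['mapped']} "
            f"service {m['proto']} {m['rport']} {m['mport']}",
        ]
        index[(m["mapped"], m["proto"], m["mport"])] = (name, m["rport"])
    return objects, index


def convert_acls(lines, index):
    """Rewrite ACLs to the real address and real port (8.3+ semantics).

    Lines that do not name a single mapped port (e.g. a port object-group)
    are returned for manual work: each port may belong to a different host.
    """
    converted, review = [], []
    for line in lines:
        if not line.startswith("access-list"):
            continue
        m = ACL_RE.match(line)
        key = (m["mapped"] or "interface", m["proto"], m["mport"]) if m else None
        if key in index:
            obj, rport = index[key]
            converted.append(f"{m['head']} object {obj} eq {rport}")
        else:
            review.append(line)
    return converted, review


def convert(config_text):
    """Return (8.3+ config lines, ACL lines that need manual splitting)."""
    lines = [l.rstrip() for l in config_text.splitlines() if l.strip()]
    names = parse_names(lines)
    objects, index = convert_statics(lines, names)
    acls, review = convert_acls(lines, index)
    return objects + acls, review


if __name__ == "__main__":
    new_cfg, review = convert(OLD_CONFIG)
    print("\n".join(new_cfg))
    for line in review:
        print("REVIEW (split per real host):", line)
```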

  • ASA 5505 Static NAT

    Hi Guys,
    Me again asking for some more help, thanks.
    I am trying to deploy a Polycom Access Director behind an ASA 5505 firewall and am having some problems configuring inbound NAT for this device.
    Currently I am able to dial from an endpoint outbound through the ASA with no problem, but am unable to dial into the VC endpoint by IP address (traffic is not hitting the Access Director).
    This blog post shows what I am trying to achieve along with the ACLs that I have applied.
    http://blog.networkfoo.org/2014/02/deploy-polycom-rpad-single-nic-with.html#!/2014/02/deploy-polycom-rpad-single-nic-with.html
    These are my NAT Rules
    nat (Wireless_LAN,VC_INFRA) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.243.0 obj-10.255.243.0
    nat (Wireless_LAN,VC_DMZ) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.239.0 obj-10.255.239.0
    nat (Wireless_LAN,VC_LAN) source static obj-10.255.222.0 obj-10.255.222.0 destination static obj-10.255.243.0 obj-10.255.243.0
    nat (VC_INFRA,any) source static obj-10.255.243.0 obj-10.255.243.0 destination static VPNPool-Network VPNPool-Network
    object network obj-10.255.222.0
     nat (outside,outside) dynamic interface
    object network obj-10.255.243.0
     nat (outside,outside) dynamic interface
    object network obj_any
     nat (Wireless_LAN,outside) dynamic interface
    object network obj_any-01
     nat (VC_DMZ,outside) dynamic interface
    object network obj_any-02
     nat (VC_INFRA,outside) dynamic interface
    object network obj_any-03
     nat (VC_LAN,outside) dynamic interface
    nat (outside,VC_DMZ) after-auto source static any any destination static interface obj-CV2RPAD1
    This is my ACLs
    access-list outside_access_in extended permit udp any eq 1719 object-group RPAD_SERVERS_EXT eq 1719
    access-list outside_access_in extended permit udp any eq 1720 object-group RPAD_SERVERS_EXT eq 1720
    access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq h323
    access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT range 10001 13000
    access-list outside_access_in extended permit udp any gt 1023 object-group RPAD_SERVERS_EXT range 20002 30001
    access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq sip
    access-list outside_access_in extended permit udp any gt 1023 object-group RPAD_SERVERS_EXT eq sip
    access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq 5061
    access-list outside_access_in extended permit tcp any gt 1023 object-group RPAD_SERVERS_EXT eq 5222
    access-list outside_access_in extended permit icmp any any object-group DefaultICMP
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT range 20002 30001 any range 20002 30001
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT range 20002 30001 any range 16386 25386
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 1719 any eq 1719
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 1720 object-group DMA_SERVERS_INT eq 1720
    access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 object-group DMA_SERVERS_INT eq h323
    access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 object-group DMA_SERVERS_INT range 36000 61000
    access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 13001 15000 any gt 1023
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq sip any gt 1023
    access-list dmz_access_in extended permit udp object-group RPAD_SERVERS_EXT eq 5070 object-group DMA_SERVERS_INT eq sip
    access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 30001 60000 object-group RM_SERVERS_INT eq https
    access-list dmz_access_in extended permit tcp object-group RPAD_SERVERS_EXT range 10001 13000 any gt 1023
    access-list dmz_access_in extended permit icmp object-group RPAD_SERVERS_EXT any object-group DefaultICMP
    If I move my NAT statement as follows
    no nat after-auto 1
    nat (outside,VC_DMZ) 5 source static any any destination static interface obj-CV2RPAD1
    I am able to dial outbound still with no issues and am also able to initiate a call inbound, which partially connects. The call seems to fail at the capabilities exchange, so the RTP media stream does not start up; there is some additional troubleshooting to be done.
    However, moving this NAT statement has the side effect of breaking the IPsec VPN that I have configured for the Cisco VPN Client. I would like to be able to keep my VPN working and be able to do port forwards/static 1:1 NAT towards my RPAD.
    Once this is happy and working I can then go and troubleshoot why inbound calls are failing at the capabilities exchange.

    Thanks a lot Jon, for assisting me in solving this problem.
    The weird thing that I can't understand is that ICMP was working without a problem using the above mentioned access-list; however, accessing the web server using www wasn't working.
    How do you explain that?

  • No errors with NAT or DHCP, but can't ping server or access internet

    2 weeks ago my Xserve was positioned directly behind a modem and acted as the router to my small office, supplying DHCP, NAT, etc. Then the Xserve lost its connection to the internet. The Xserve was unable to pull an address from the modem (via DHCP) and troubleshooting the issue with my ISP resulted in getting my modem swapped.
    My Xserve is still unable to pull an address via DHCP directly from the modem. So, I called apple support. The tech I spoke to was extremely helpful and instructed me to place the Xserve behind a router so it could use a static ip - without having to pay my ISP for one. So, I did as he instructed.
    Regardless, since my Xserve originally lost connection to the internet I have been unable to get my Xserve to supply NAT to my internal network successfully. DHCP is working fine, the firewall isn't logging any refusals, NAT isn't returning errors. All internal network functions work, I just can't access the internet from any machine other than the server.
    Here is the network port breakdown:
    Ethernet 1 (wan)
    ip: 192.168.1.2
    sub: 255.255.255.0
    router: 192.168.1.1 (router supplying static ip)
    dns: 208.67.222.222,208.67.220.220 (opendns)
    Ethernet 2 (lan)
    ip: 192.168.1.3
    sub: 255.255.255.0
    router: 192.168.1.3
    DHCP settings:
    start ip: 192.168.1.4
    end ip: 192.168.1.254
    sub: 255.255.255.0
    interface: en1
    router: 192.168.1.3
    Firewall:
    Allow all traffic from "any"
    NAT:
    IP Forwarding and Network Address Translation
    External network interface: Ethernet 1
    NAT Port Mapping Protocol enabled.
    Other notes: I can see the Xserve from any device on the network (in Finder running OS X) but I cannot ping it via the router's ip. (example: ping 192.168.1.3) 100% packet loss.
    The Xserve does have access to the internet.
    The Xserve leases an ip to the devices on the network, but cannot ping them using their leased ip address.
    Initially, I was receiving the following error:
    "xserve subnets: create failed, Invalid/missing 'net_address' property"
    So I modified bootpd.plist by adding:
    <key>net_address</key>
    <string>192.168.1.0</string>
    I no longer receive the error and DHCP works properly.
    Any help is thoroughly appreciated as this issue has set me back over a week in troubleshooting.

    Thanks again.
    I'll try to be more clear about my current setup:
    Modem
    ->
    Router
    DHCP enabled but supplying server with static ip of: 192.168.1.2 - hence my Ethernet 1 settings on my Xserve. The DHCP address the router supplies to other devices range between 192.168.1.101 - 192.168.1.150 (this is temporary). I'm using the Router as a temporary network connection for devices as I continue to setup the server. Once the server is completed, I will hook everyone up through the switch.
    ->
    Xserve
    The Xserve receives a static IP from the router above (192.168.1.2) even though the router gives DHCP addresses to other devices. The Xserve then goes out Ethernet 2 to (which has also been assigned a static internal address: 192.168.1.3) a switch.
    ->
    Switch
    The Switch definitely has DHCP disabled, and merely extends the network connection.
    Right now, the Xserve is doing nothing other than attempting to supply an internet connection to devices attached to it. I performed a clean install after a day or two of troubleshooting.
    I really want to be able to control content access as well as give certain devices priority over others using the Xserve. I want it to control... the network, in all aspects: DNS, Open Directory (Master), Firewall etc. Am I still able to control the network with the Xserve if it is hooked up side by side to the clients without reconfiguring my router to hop through the Xserve before going to the internet? If not, why not just use the Xserve as a middle man as I currently do?
    What are the benefits of using it side by side to the clients? What are the drawbacks of my current setup? (Other than it not functioning)

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with the IPSEC VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 using translated addresses.
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination, let's say, 10.23.1.5, not 192.168.1.5 (notice the last octet should be the same, in this case .5).
    The same translation for the rest of the communication (host N2 pings host N3 with destination IP 10.23.1.6, not 192.168.1.6; again the last octet is the same).
    It sounds a bit confusing to me, but I have seen this type of setup before when I worked for a managed service provider where we had connections to our clients (Site to Site IPsec VPN with NAT, not sure how it was set up).
    Basically we were communicating with client hosts over the site to site VPN but their real addresses were hidden and we were using translated addresses as mentioned above, 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last octet should be the same.
    Appreciate if someone can shed some light on it.

    Hi,
    OK, so we're going with the older NAT configuration format.
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT, it means that the translation will only be done when the destination network is 10.1.0.0/16.
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
    On the ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • ASA IPsec Remote Access VPN | NAT Question

    We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet. I know this is a common issue and can often be resolved on the client side by changing the metric on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
    Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
    We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0/16.
    I played around with some NAT rules and feel that I am missing something. I am looking for suggestions, please.
    Thank you.

    Hi,
    This depends on your ASA firewall's software version and partly on its current NAT configuration.
    I presume the following
    Interfaces "inside" and "outside"
    VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
    Software 8.2 and below
    access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
    access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
    static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
    Key things to keep in mind with this software level: if any of your internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address, then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
    This will change the order of the "static" commands so that the original "static" command won't override this new configuration, as they are processed in the order they are inserted into the configuration. The remove/add part is just to change their order in the configuration.
    Software 8.3 and above
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network LAN-VPN
    subnet 192.168.10.0 255.255.255.0
    object network VPN-POOL
    subnet 10.10.100.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
    In the above configuration we do the same as in the older software version's configuration, but we have the number "1" in the "nat" command, which places it at the very top of your NAT configuration and therefore it applies. No need to remove any existing configuration and enter it again like in the old software.
    In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni
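The twice NAT format in the opening thread, the static policy NAT in the site-to-site reply and the numbered rule for the VPN pool in the reply just above all describe one rule shape: a source network is translated only when the destination matches, return traffic is un-translated by the same rule, and the crypto ACL sees the post-NAT addresses. The following is an added Python model of that rule, not code from the threads or from Cisco; the class and function names are my own, the addresses are the ones quoted in the threads.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def remap(addr: IPv4, real: Net, mapped: Net) -> IPv4:
    """Static net-to-net translation keeps the host bits (a /32 simply maps 1:1)."""
    return IPv4(int(mapped.network_address) + (int(addr) - int(real.network_address)))


def acl_term(net: Net) -> str:
    """Render a network the way an ASA access-list expects it."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


@dataclass(frozen=True)
class TwiceNat:
    """Model of one manual (twice) NAT rule:

        nat (real_ifc,mapped_ifc) source static SRC_REAL SRC_MAPPED
                                  destination static DST_MAPPED DST_REAL

    The destination pair is written mapped-first: DST_MAPPED is the address
    the inside hosts dial, DST_REAL the address the remote side really owns.
    """
    real_ifc: str
    mapped_ifc: str
    src_real: Net
    src_mapped: Net
    dst_mapped: Net
    dst_real: Net

    def outbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet arriving on real_ifc: translate, or None when the rule does not match."""
        s, d = IPv4(src), IPv4(dst)
        if s in self.src_real and d in self.dst_mapped:
            return (str(remap(s, self.src_real, self.src_mapped)),
                    str(remap(d, self.dst_mapped, self.dst_real)))
        return None

    def inbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Return traffic arriving on mapped_ifc is un-NATed by the same rule."""
        s, d = IPv4(src), IPv4(dst)
        if s in self.dst_real and d in self.src_mapped:
            return (str(remap(s, self.dst_real, self.dst_mapped)),
                    str(remap(d, self.src_mapped, self.src_real)))
        return None

    def crypto_acl(self) -> str:
        """The L2L encryption domain is evaluated after NAT: mapped source, real destination."""
        return f"permit ip {acl_term(self.src_mapped)} {acl_term(self.dst_real)}"


# Scenario 1, the opening thread: A is the real HQ host, B its mapped address,
# D the mapped vendor address that HQ hosts dial, C the vendor's real host.
HQ_VENDOR = TwiceNat("in", "out",
                     src_real=Net("10.120.40.50/32"), src_mapped=Net("172.29.20.50/32"),
                     dst_mapped=Net("172.29.10.10/32"), dst_real=Net("10.1.1.6/32"))

# Scenario 2, the site-to-site thread: 192.168.1.0/24 is shown to the remote
# 10.1.0.0/16 as 10.23.1.0/24 with the last octet kept; destination unchanged.
# The remote-access reply (10.0.0.0/24 -> 192.168.10.0/24 towards the VPN pool)
# has exactly the same shape.
L2L_POLICY = TwiceNat("inside", "outside",
                      src_real=Net("192.168.1.0/24"), src_mapped=Net("10.23.1.0/24"),
                      dst_mapped=Net("10.1.0.0/16"), dst_real=Net("10.1.0.0/16"))


if __name__ == "__main__":
    print("HQ -> vendor  :", HQ_VENDOR.outbound("10.120.40.50", "172.29.10.10"))
    print("vendor -> HQ  :", HQ_VENDOR.inbound("10.1.1.6", "172.29.20.50"))
    print("dialling real :", HQ_VENDOR.outbound("10.120.40.50", "10.1.1.6"))  # None: HQ must dial D
    print("HQ crypto ACL :", HQ_VENDOR.crypto_acl())
    print("L2L           :", L2L_POLICY.outbound("192.168.1.5", "10.1.0.1"))
    print("L2L crypto ACL:", L2L_POLICY.crypto_acl())
```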

  • RV042 Site-to-Site VPN with NAT on one side

    I set up a site-to-site VPN using two RV042s some time ago.  One was behind a NATting router.  The other was the internet interface itself.
    Somewhere I had found a paper describing how to do this.  It said that only ONE of them could be behind another NATting router.  So, that's how this was set up.  I sure wish I could find that paper again!!!  Any suggestions?
    Now I have to do the same thing again but can't get it working.  It looks like this:
    RV042 VPN public address <> cable modem <> internet <> RV042 "firewall" with IPSEC passthrough enabled <> interim subnet LAN <> RV042 VPN <> LAN
    I'm getting log messages and on the remote site log (the left side of the above) like:
    initial Aggressive Mode packet claiming to be from [xxx.xxx.xxx.xxx] on [same] but no connection has been authorized 
    and
    No suitable connection for peer '10.98.76.2', Please check Phase 1 ID value 
    (where 10.98.76.2 is the IP address of the RV042 WAN port on the interim subnet)
    I have them both in Aggressive mode as eventually I'll be using a dyndns url. But, for now, I'm using the actual IP addresses so that should not be an issue one way or the other.

    Make sure the configuration you do on both sides is the same, and secondly exempt the NAT rules; only then will it work.

  • Remote Access VPN and NAT inside interface

    Hi everyone,
    I have configured Remote VPN access.
    Inside interface and vpn pool is 10.0.0.0 subnet.
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Also I have ASA inside interface connected to R1 as below
    R1 ---10.0.0.2------------inside int  IP 10.0.0.1--------ASA
    R1 has loopback int 192.168.50.1 and ASA has static route to it.
    When I connect to remote access vpn I can ping the IP 192.168.50.1 from my PC which is connected to outside interface of ASA.
    This ping works fine.
    Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user)
    Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
    Need to understand how this ping works without exempting 192.168.50.0 from NATing
    or
    how does NAT work for the above ping from 10.0.0.52 VPN user PC IP to loopback interface of R1 in regards to NATing?
    Regards
    Mahesh

    Hi Jouni,
    IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
    Letting you know that I have removed the NAT config below from inside to outside interface
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Still ping works fine from VPN client PC to IP 192.168.50.1
    Packet tracer output
    ASA1# packet-tracer input outside  icmp 10.0.0.52 8 0 192.168.50.1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.50.1    255.255.255.255 inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip any host 192.168.50.1 log
    access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: DROP
    Config:
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I can ping from PC command prompt to IP 192.168.50.1 fine.
    Here is second packet tracer
    ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 18033, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    So the question is how the ping from outside is working without a NAT exempt from inside to outside?
    So does the second packet tracer prove that I have no NAT config from loopback to outside and the ping works because I have NO NAT configured?
    Regards
    Mahesh
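    The two packet-tracer dumps above are long, and the only lines that matter for the question are the per-phase Result values and the final Action/Drop-reason block. The parser below is an added example, not code from the thread or from Cisco: it splits packet-tracer output into phases, collects the Config and Additional Information lines of each, reads the final Result block, and reports which phase dropped the packet. SAMPLE is an abridged copy of the first trace in the post (phases 1, 2 and 7 plus the Result block); the field names are those printed by the ASA in that output.

```python
import re
from typing import Dict, List, Optional, Tuple

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")


def parse_packet_tracer(text: str) -> Tuple[List[Dict], Dict[str, str]]:
    """Split ASA packet-tracer output into a list of phase dicts and the final
    Result block (input/output interface, action, drop-reason)."""
    phases: List[Dict] = []
    result: Dict[str, str] = {}
    current: Optional[Dict] = None
    section: Optional[str] = None
    in_result = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Result:":            # a bare 'Result:' opens the summary block
            in_result, current = True, None
            continue
        if in_result:                    # 'key: value' lines until end of output
            key, _, value = line.partition(":")
            result[key.strip().lower()] = value.strip()
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if current is None:              # the 'ASA1# packet-tracer ...' command echo
            continue
        if line.startswith("Type:"):
            current["type"] = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            current["subtype"] = line[len("Subtype:"):].strip()
        elif line.startswith("Result:"):
            current["result"] = line[len("Result:"):].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is not None:        # free-form lines under Config / Additional Information
            current[section].append(line)
    return phases, result


def drop_phase(phases: List[Dict], result: Dict[str, str]) -> Optional[Dict]:
    """Return the phase that dropped the packet, or None when the action was allow."""
    if result.get("action") != "drop":
        return None
    return next((p for p in phases if p["result"] == "DROP"), None)


# Abridged from the first trace in the post: phases 1, 2 and 7 and the Result block.
SAMPLE = """\
ASA1# packet-tracer input outside  icmp 10.0.0.52 8 0 192.168.50.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.50.1    255.255.255.255 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any host 192.168.50.1 log
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    phases, result = parse_packet_tracer(SAMPLE)
    for p in phases:
        print(p["phase"], p["type"], p["subtype"] or "-", p["result"])
    dropped = drop_phase(phases, result)
    print("action:", result["action"], "| dropped in:", dropped["type"] if dropped else "none",
          "|", result.get("drop-reason", ""))
```

    Run over the first trace, the parser reports the drop in the VPN / ipsec-tunnel-flow phase rather than in NAT or ACCESS-LIST, which is the phase to look at when comparing the simulated packet with the real ping that succeeds.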

  • Problem with NAT? can get to web server internally but not externally

    We are trying to setup our helpdesk software website so external users
    can access it. However, we have been unsuccessful. We don't have any
    issues accessing it internally from our 10.1.1.X LAN
    We have had our ISP setup a public DNS "A" record of
    customerservice.amerinet-gpo.com which resolves to 198.88.234.40 and that
    appears to be working.
    Next we added a NAT to our Firewall to take 198.88.234.40 traffic and put
    it to the local IP of 10.1.1.23 which is our local address for the
    webserver running the helpdesk software.
    We also made sure that BM filters are allowing traffic on ports 80 and
    443 to the local IP as well.
    We have 4 other webservers (on a separate servers than our helpdesk
    software website) that are exposed to the outside in this same manner and
    all work fine.
    The helpdesk website is on Windows 2003 server SP1 running IIS 6.0. Our
    firewall server is NetWare 6 SP5 and BM 3.7 SP3.
    I have tried to just telnet to the public IP of 198.88.234.40 on port 80
    and it times out. I can't understand why, and have checked my entries on
    BM and even deleted and re did them 3 times to make sure I didn't make a
    mistake. I even have another web server on that block NAT'd the same way
    and it works (198.88.234.36), if you telnet to it on port 80 it goes
    right away.
    What else can I try? Any insight would be greatly appreciated!
    Thanks,
    SCOTT

    > > ok, the easiest way to calculate valid addresses is to use an IP subnet
    > > calculator. The one I like the most is the free utility by Wildpackets
    > > http://www.wildpackets.com/products/...tcalc/overview
    > >
    > > Anyway, with a 255.255.255.248 network mask the valid IP addresses
    > > associated to the primary address of your BM server are in the range:
    > > 198.88.234.33-198.88.234.38
    > > therefore .40 isn't included. Actually .40 is the subnet identifier of a
    > > separate subnet. The addresses from .33 to .38 are the ones you can use.
    > >
    > > --
    > > Cat
    > > NSC Volunteer Sysop
    >
    > I was mistaken, the subnet for that block is 255.255.255.240 so I was
    > told by our ISP that our range is 198.88.234.32 to 198.88.234.47 or
    > 14 usable IPs since first and last are unusable.
    >
    > We have 3 different IP blocks from our ISP, the above 198.88.234.32 one
    > with the 255.255.255.240 subnet, then a 199.217.136.184 with
    > 255.255.255.248 subnet and finally a 198.88.233.1 with a 255.255.255.248
    > subnet.
    >
    > So I think we should be able to use the 198.88.234.40 address.
    >
    > SCOTT
    >
    I was really hoping that we had the wrong sub net in BM for the
    198.88.234.32 block! When I read your post last night, I thought that's
    gotta be it...sadly I checked and it does have it as 255.255.255.240 when
    I look in inetcfg under bindings. I even checked our Cisco router as
    well to make sure it had the sub net correct since this is the first time
    I've tried to use an IP above 198.88.234.36. The router looked fine as
    well. Is there anyplace else that this could be wrong, maybe a config
    file on BM or something?
    Thx,
    SCOTT V.

  • [SOLVED] NAT gateway and bridge

    Hello. I'm having a hard time trying to set up a small NAT gateway. The whole point of me doing this is to learn more.
    Here is a brief idea of what I'm trying to achieve. I have done it in the past with netcfg and it worked well but then I left my project to do other things. Now I'm back and after a fresh install I can't start the bridge interface with netctl.
    DSL_router         |<--------->|ARCH               |     |+------->Gentoo/windows
    gateway 192.168.0.1|           |gateway 192.168.1.1| br0 |
                                   |+dual_port_nic     |<----+
                                                             |
                                                             +-------->5port switch(RsPI/printer/tv/ps3)
    So my Arch is connected to the DSL router with a static address on
    enp4s0. I have a dual port NIC (like this) that I want to bridge but for some reason I'm unable to.
    I configured my iptables according to the Simple Stateful Firewall section of NAT gateway so it looks like this:
    # Generated by iptables-save v1.4.19.1 on Fri Aug 2 00:59:59 2013
    *nat
    :PREROUTING ACCEPT [5:576]
    :INPUT ACCEPT [5:576]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 192.168.1.0/24 -o enp4s0 -j MASQUERADE
    COMMIT
    # Completed on Fri Aug 2 00:59:59 2013
    # Generated by iptables-save v1.4.19.1 on Fri Aug 2 00:59:59 2013
    *filter
    :INPUT ACCEPT [828:78883]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [559:82036]
    :fw-interfaces - [0:0]
    :fw-open - [0:0]
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j fw-interfaces
    -A FORWARD -j fw-open
    -A FORWARD -j REJECT --reject-with icmp-host-unreachable
    -A fw-interfaces -i br0 -j ACCEPT
    COMMIT
    # Completed on Fri Aug 2 00:59:59 2013
    I know it's a basic one but it's all I need atm until I get over that problem.
    My dnsmasq.conf:
    # Configuration file for dnsmasq.
    # Format is one option per line, legal options are the same
    # as the long options legal on the command line. See
    # "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
    # Listen on this specific port instead of the standard DNS port
    # (53). Setting this to zero completely disables DNS function,
    # leaving only DHCP and/or TFTP.
    #port=5353
    # The following two options make you a better netizen, since they
    # tell dnsmasq to filter out queries which the public DNS cannot
    # answer, and which load the servers (especially the root servers)
    # unnecessarily. If you have a dial-on-demand link they also stop
    # these requests from bringing up the link unnecessarily.
    # Never forward plain names (without a dot or domain part)
    domain-needed
    # Never forward addresses in the non-routed address spaces.
    bogus-priv
    # Uncomment this to filter useless windows-originated DNS requests
    # which can trigger dial-on-demand links needlessly.
    # Note that (amongst other things) this blocks all SRV requests,
    # so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
    # This option only affects forwarding, SRV records originating for
    # dnsmasq (via srv-host= lines) are not suppressed by it.
    #filterwin2k
    # Change this line if you want dns to get its upstream servers from
    # somewhere other that /etc/resolv.conf
    #resolv-file=
    # By default, dnsmasq will send queries to any of the upstream
    # servers it knows about and tries to favour servers to are known
    # to be up. Uncommenting this forces dnsmasq to try each query
    # with each server strictly in the order they appear in
    # /etc/resolv.conf
    #strict-order
    # If you don't want dnsmasq to read /etc/resolv.conf or any other
    # file, getting its servers from this file instead (see below), then
    # uncomment this.
    #no-resolv
    # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
    # files for changes and re-read them then uncomment this.
    #no-poll
    # Add other name servers here, with domain specs if they are for
    # non-public domains.
    #server=/localnet/192.168.0.1
    # Example of routing PTR queries to nameservers: this will send all
    # address->name queries for 192.168.3/24 to nameserver 10.1.2.3
    #server=/3.168.192.in-addr.arpa/10.1.2.3
    # Add local-only domains here, queries in these domains are answered
    # from /etc/hosts or DHCP only.
    #local=/localnet/
    # Add domains which you want to force to an IP address here.
    # The example below send any host in double-click.net to a local
    # web-server.
    #address=/double-click.net/127.0.0.1
    # --address (and --server) work with IPv6 addresses too.
    #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
    # Add the IPs of all queries to yahoo.com, google.com, and their
    # subdomains to the vpn and search ipsets:
    #ipset=/yahoo.com/google.com/vpn,search
    # You can control how dnsmasq talks to a server: this forces
    # queries to 10.1.2.3 to be routed via eth1
    # server=10.1.2.3@eth1
    # and this sets the source (ie local) address used to talk to
    # 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
    # IP on the machine, obviously).
    # server=10.1.2.3@192.168.1.1#55
    # If you want dnsmasq to change uid and gid to something other
    # than the default, edit the following lines.
    #user=
    #group=
    # If you want dnsmasq to listen for DHCP and DNS requests only on
    # specified interfaces (and the loopback) give the name of the
    # interface (eg eth0) here.
    # Repeat the line for more than one interface.
    #interface=
    # Or you can specify which interface _not_ to listen on
    #except-interface=
    # Or which to listen on by address (remember to include 127.0.0.1 if
    # you use this.)
    #listen-address=
    # If you want dnsmasq to provide only DNS service on an interface,
    # configure it as shown above, and then use the following line to
    # disable DHCP and TFTP on it.
    #no-dhcp-interface=
    # On systems which support it, dnsmasq binds the wildcard address,
    # even when it is listening on only some interfaces. It then discards
    # requests that it shouldn't reply to. This has the advantage of
    # working even when interfaces come and go and change address. If you
    # want dnsmasq to really bind only the interfaces it is listening on,
    # uncomment this option. About the only time you may need this is when
    # running another nameserver on the same machine.
    #bind-interfaces
    # If you don't want dnsmasq to read /etc/hosts, uncomment the
    # following line.
    #no-hosts
    # or if you want it to read another file, as well as /etc/hosts, use
    # this.
    #addn-hosts=/etc/banner_add_hosts
    # Set this (and domain: see below) if you want to have a domain
    # automatically added to simple names in a hosts-file.
    #expand-hosts
    # Set the domain for dnsmasq. this is optional, but if it is set, it
    # does the following things.
    # 1) Allows DHCP hosts to have fully qualified domain names, as long
    # as the domain part matches this setting.
    # 2) Sets the "domain" DHCP option thereby potentially setting the
    # domain of all systems configured by DHCP
    # 3) Provides the domain part for "expand-hosts"
    #domain=thekelleys.org.uk
    # Set a different domain for a particular subnet
    #domain=wireless.thekelleys.org.uk,192.168.2.0/24
    # Same idea, but range rather then subnet
    #domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
    # Uncomment this to enable the integrated DHCP server, you need
    # to supply the range of addresses available for lease and optionally
    # a lease time. If you have more than one network, you will need to
    # repeat this for each network on which you want to supply DHCP
    # service.
    dhcp-range=192.168.1.0,192.168.1.150,12h
    # This is an example of a DHCP range where the netmask is given. This
    # is needed for networks we reach the dnsmasq DHCP server via a relay
    # agent. If you don't know what a DHCP relay agent is, you probably
    # don't need to worry about this.
    #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
    # This is an example of a DHCP range which sets a tag, so that
    # some DHCP options may be set only for this network.
    #dhcp-range=set:red,192.168.0.50,192.168.0.150
    # Use this DHCP range only when the tag "green" is set.
    #dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
    # Specify a subnet which can't be used for dynamic address allocation,
    # is available for hosts with matching --dhcp-host lines. Note that
    # dhcp-host declarations will be ignored unless there is a dhcp-range
    # of some type for the subnet in question.
    # In this case the netmask is implied (it comes from the network
    # configuration on the machine running dnsmasq) it is possible to give
    # an explicit netmask instead.
    #dhcp-range=192.168.0.0,static
    # Enable DHCPv6. Note that the prefix-length does not need to be specified
    # and defaults to 64 if missing/
    #dhcp-range=1234::2, 1234::500, 64, 12h
    # Do Router Advertisements, BUT NOT DHCP for this subnet.
    #dhcp-range=1234::, ra-only
    # Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
    # add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
    # hosts. Use the DHCPv4 lease to derive the name, network segment and
    # MAC address and assume that the host will also have an
    # IPv6 address calculated using the SLAAC alogrithm.
    #dhcp-range=1234::, ra-names
    # Do Router Advertisements, BUT NOT DHCP for this subnet.
    # Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
    #dhcp-range=1234::, ra-only, 48h
    # Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
    # so that clients can use SLAAC addresses as well as DHCP ones.
    #dhcp-range=1234::2, 1234::500, slaac
    # Do Router Advertisements and stateless DHCP for this subnet. Clients will
    # not get addresses from DHCP, but they will get other configuration information.
    # They will use SLAAC for addresses.
    #dhcp-range=1234::, ra-stateless
    # Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
    # from DHCPv4 leases.
    #dhcp-range=1234::, ra-stateless, ra-names
    # Do router advertisements for all subnets where we're doing DHCPv6
    # Unless overriden by ra-stateless, ra-names, et al, the router
    # advertisements will have the M and O bits set, so that the clients
    # get addresses and configuration from DHCPv6, and the A bit reset, so the
    # clients don't use SLAAC addresses.
    #enable-ra
    # Supply parameters for specified hosts using DHCP. There are lots
    # of valid alternatives, so we will give examples of each. Note that
    # IP addresses DO NOT have to be in the range given above, they just
    # need to be on the same network. The order of the parameters in these
    # do not matter, it's permissible to give name, address and MAC in any
    # order.
    # Always allocate the host with Ethernet address 11:22:33:44:55:66
    # The IP address 192.168.0.60
    #dhcp-host=11:22:33:44:55:66,192.168.0.60
    # Always set the name of the host with hardware address
    # 11:22:33:44:55:66 to be "fred"
    #dhcp-host=11:22:33:44:55:66,fred
    # Always give the host with Ethernet address 11:22:33:44:55:66
    # the name fred and IP address 192.168.0.60 and lease time 45 minutes
    #dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
    # Give a host with Ethernet address 11:22:33:44:55:66 or
    # 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
    # that these two Ethernet interfaces will never be in use at the same
    # time, and give the IP address to the second, even if it is already
    # in use by the first. Useful for laptops with wired and wireless
    # addresses.
    #dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
    # Give the machine which says its name is "bert" IP address
    # 192.168.0.70 and an infinite lease
    #dhcp-host=bert,192.168.0.70,infinite
    # Always give the host with client identifier 01:02:02:04
    # the IP address 192.168.0.60
    #dhcp-host=id:01:02:02:04,192.168.0.60
    # Always give the host with client identifier "marjorie"
    # the IP address 192.168.0.60
    #dhcp-host=id:marjorie,192.168.0.60
    # Enable the address given for "judge" in /etc/hosts
    # to be given to a machine presenting the name "judge" when
    # it asks for a DHCP lease.
    #dhcp-host=judge
    # Never offer DHCP service to a machine whose Ethernet
    # address is 11:22:33:44:55:66
    #dhcp-host=11:22:33:44:55:66,ignore
    # Ignore any client-id presented by the machine with Ethernet
    # address 11:22:33:44:55:66. This is useful to prevent a machine
    # being treated differently when running under different OS's or
    # between PXE boot and OS boot.
    #dhcp-host=11:22:33:44:55:66,id:*
    # Send extra options which are tagged as "red" to
    # the machine with Ethernet address 11:22:33:44:55:66
    #dhcp-host=11:22:33:44:55:66,set:red
    # Send extra options which are tagged as "red" to
    # any machine with Ethernet address starting 11:22:33:
    #dhcp-host=11:22:33:*:*:*,set:red
    # Give a fixed IPv6 address and name to client with
    # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
    # Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
    # Note also the they [] around the IPv6 address are obilgatory.
    #dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
    # Ignore any clients which are not specified in dhcp-host lines
    # or /etc/ethers. Equivalent to ISC "deny unknown-clients".
    # This relies on the special "known" tag which is set when
    # a host is matched.
    #dhcp-ignore=tag:!known
    # Send extra options which are tagged as "red" to any machine whose
    # DHCP vendorclass string includes the substring "Linux"
    #dhcp-vendorclass=set:red,Linux
    # Send extra options which are tagged as "red" to any machine one
    # of whose DHCP userclass strings includes the substring "accounts"
    #dhcp-userclass=set:red,accounts
    # Send extra options which are tagged as "red" to any machine whose
    # MAC address matches the pattern.
    #dhcp-mac=set:red,00:60:8C:*:*:*
    # If this line is uncommented, dnsmasq will read /etc/ethers and act
    # on the ethernet-address/IP pairs found there just as if they had
    # been given as --dhcp-host options. Useful if you keep
    # MAC-address/host mappings there for other purposes.
    #read-ethers
    # Send options to hosts which ask for a DHCP lease.
    # See RFC 2132 for details of available options.
    # Common options can be given to dnsmasq by name:
    # run "dnsmasq --help dhcp" to get a list.
    # Note that all the common settings, such as netmask and
    # broadcast address, DNS server and default route, are given
    # sane defaults by dnsmasq. You very likely will not need
    # any dhcp-options. If you use Windows clients and Samba, there
    # are some options which are recommended, they are detailed at the
    # end of this section.
    # Override the default route supplied by dnsmasq, which assumes the
    # router is the same machine as the one running dnsmasq.
    #dhcp-option=3,1.2.3.4
    # Do the same thing, but using the option name
    #dhcp-option=option:router,1.2.3.4
    # Override the default route supplied by dnsmasq and send no default
    # route at all. Note that this only works for the options sent by
    # default (1, 3, 6, 12, 28) the same line will send a zero-length option
    # for all other option numbers.
    #dhcp-option=3
    # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
    #dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
    # Send DHCPv6 option. Note [] around IPv6 addresses.
    #dhcp-option=option6:dns-server,[1234::77],[1234::88]
    # Send DHCPv6 option for namservers as the machine running
    # dnsmasq and another.
    #dhcp-option=option6:dns-server,[::],[1234::88]
    # Ask client to poll for option changes every six hours. (RFC4242)
    #dhcp-option=option6:information-refresh-time,6h
    # Set the NTP time server address to be the same machine as
    # is running dnsmasq
    #dhcp-option=42,0.0.0.0
    # Set the NIS domain name to "welly"
    #dhcp-option=40,welly
    # Set the default time-to-live to 50
    #dhcp-option=23,50
    # Set the "all subnets are local" flag
    #dhcp-option=27,1
    # Send the etherboot magic flag and then etherboot options (a string).
    #dhcp-option=128,e4:45:74:68:00:00
    #dhcp-option=129,NIC=eepro100
    # Specify an option which will only be sent to the "red" network
    # (see dhcp-range for the declaration of the "red" network)
    # Note that the tag: part must precede the option: part.
    #dhcp-option = tag:red, option:ntp-server, 192.168.1.1
    # The following DHCP options set up dnsmasq in the same way as is specified
    # for the ISC dhcpcd in
    # http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
    # adapted for a typical dnsmasq installation where the host running
    # dnsmasq is also the host running samba.
    # you may want to uncomment some or all of them if you use
    # Windows clients and Samba.
    #dhcp-option=19,0 # option ip-forwarding off
    #dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
    #dhcp-option=45,0.0.0.0 # netbios datagram distribution server
    #dhcp-option=46,8 # netbios node type
    # Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
    #dhcp-option=252,"\n"
    # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
    # probably doesn't support this......
    #dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
    # Send RFC-3442 classless static routes (note the netmask encoding)
    #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
    # Send vendor-class specific options encapsulated in DHCP option 43.
    # The meaning of the options is defined by the vendor-class so
    # options are sent only when the client supplied vendor class
    # matches the class given here. (A substring match is OK, so "MSFT"
    # matches "MSFT" and "MSFT 5.0"). This example sets the
    # mtftp address to 0.0.0.0 for PXEClients.
    #dhcp-option=vendor:PXEClient,1,0.0.0.0
    # Send microsoft-specific option to tell windows to release the DHCP lease
    # when it shuts down. Note the "i" flag, to tell dnsmasq to send the
    # value as a four-byte integer - that's what microsoft wants. See
    # http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
    #dhcp-option=vendor:MSFT,2,1i
    # Send the Encapsulated-vendor-class ID needed by some configurations of
    # Etherboot to allow is to recognise the DHCP server.
    #dhcp-option=vendor:Etherboot,60,"Etherboot"
    # Send options to PXELinux. Note that we need to send the options even
    # though they don't appear in the parameter request list, so we need
    # to use dhcp-option-force here.
    # See http://syslinux.zytor.com/pxe.php#special for details.
    # Magic number - needed before anything else is recognised
    #dhcp-option-force=208,f1:00:74:7e
    # Configuration file name
    #dhcp-option-force=209,configs/common
    # Path prefix
    #dhcp-option-force=210,/tftpboot/pxelinux/files/
    # Reboot time. (Note 'i' to send 32-bit value)
    #dhcp-option-force=211,30i
    # Set the boot filename for netboot/PXE. You will only need
    # this is you want to boot machines over the network and you will need
    # a TFTP server; either dnsmasq's built in TFTP server or an
    # external one. (See below for how to enable the TFTP server.)
    #dhcp-boot=pxelinux.0
    # The same as above, but use custom tftp-server instead machine running dnsmasq
    #dhcp-boot=pxelinux,server.name,192.168.1.100
    # Boot for Etherboot gPXE. The idea is to send two different
    # filenames, the first loads gPXE, and the second tells gPXE what to
    # load. The dhcp-match sets the gpxe tag for requests from gPXE.
    #dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
    #dhcp-boot=tag:!gpxe,undionly.kpxe
    #dhcp-boot=mybootimage
    # Encapsulated options for Etherboot gPXE. All the options are
    # encapsulated within option 175
    #dhcp-option=encap:175, 1, 5b # priority code
    #dhcp-option=encap:175, 176, 1b # no-proxydhcp
    #dhcp-option=encap:175, 177, string # bus-id
    #dhcp-option=encap:175, 189, 1b # BIOS drive code
    #dhcp-option=encap:175, 190, user # iSCSI username
    #dhcp-option=encap:175, 191, pass # iSCSI password
    # Test for the architecture of a netboot client. PXE clients are
    # supposed to send their architecture as option 93. (See RFC 4578)
    #dhcp-match=peecees, option:client-arch, 0 #x86-32
    #dhcp-match=itanics, option:client-arch, 2 #IA64
    #dhcp-match=hammers, option:client-arch, 6 #x86-64
    #dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
    # Do real PXE, rather than just booting a single file, this is an
    # alternative to dhcp-boot.
    #pxe-prompt="What system shall I netboot?"
    # or with timeout before first available action is taken:
    #pxe-prompt="Press F8 for menu.", 60
    # Available boot services. for PXE.
    #pxe-service=x86PC, "Boot from local disk"
    # Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
    #pxe-service=x86PC, "Install Linux", pxelinux
    # Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
    # Beware this fails on old PXE ROMS.
    #pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
    # Use bootserver on network, found my multicast or broadcast.
    #pxe-service=x86PC, "Install windows from RIS server", 1
    # Use bootserver at a known IP address.
    #pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
    # If you have multicast-FTP available,
    # information for that can be passed in a similar way using options 1
    # to 5. See page 19 of
    # http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
    # Enable dnsmasq's built-in TFTP server
    #enable-tftp
    # Set the root directory for files available via FTP.
    #tftp-root=/var/ftpd
    # Make the TFTP server more secure: with this set, only files owned by
    # the user dnsmasq is running as will be send over the net.
    #tftp-secure
    # This option stops dnsmasq from negotiating a larger blocksize for TFTP
    # transfers. It will slow things down, but may rescue some broken TFTP
    # clients.
    #tftp-no-blocksize
    # Set the boot file name only when the "red" tag is set.
    #dhcp-boot=tag:red,pxelinux.red-net
    # An example of dhcp-boot with an external TFTP server: the name and IP
    # address of the server are given after the filename.
    # Can fail with old PXE ROMS. Overridden by --pxe-service.
    #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
    # If there are multiple external tftp servers sharing the same name
    # (using /etc/hosts) then that name can be specified as the
    # tftp_servername (the third option to dhcp-boot) and in that
    # case dnsmasq resolves this name and returns the resulting IP
    # addresses in round-robin fashion. This facility can be used to
    # load-balance the tftp load among a set of servers.
    #dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
    # Set the limit on DHCP leases, the default is 150
    #dhcp-lease-max=150
    # The DHCP server needs somewhere on disk to keep its lease database.
    # This defaults to a sane location, but if you want to change it, use
    # the line below.
    #dhcp-leasefile=/var/lib/misc/dnsmasq.leases
    # Set the DHCP server to authoritative mode. In this mode it will barge in
    # and take over the lease for any client which broadcasts on the network,
    # whether it has a record of the lease or not. This avoids long timeouts
    # when a machine wakes up on a new network. DO NOT enable this if there's
    # the slightest chance that you might end up accidentally configuring a DHCP
    # server for your campus/company accidentally. The ISC server uses
    # the same option, and this URL provides more information:
    # http://www.isc.org/files/auth.html
    #dhcp-authoritative
    # Run an executable when a DHCP lease is created or destroyed.
    # The arguments sent to the script are "add" or "del",
    # then the MAC address, the IP address and finally the hostname
    # if there is one.
    #dhcp-script=/bin/echo
    # Set the cachesize here.
    #cache-size=150
    # If you want to disable negative caching, uncomment this.
    #no-negcache
    # Normally responses which come from /etc/hosts and the DHCP lease
    # file have Time-To-Live set as zero, which conventionally means
    # do not cache further. If you are happy to trade lower load on the
    # server for potentially stale data, you can set a time-to-live (in
    # seconds) here.
    #local-ttl=
    # If you want dnsmasq to detect attempts by Verisign to send queries
    # to unregistered .com and .net hosts to its sitefinder service and
    # have dnsmasq instead return the correct NXDOMAIN response, uncomment
    # this line. You can add similar lines to do the same for other
    # registries which have implemented wildcard A records.
    #bogus-nxdomain=64.94.110.11
    # If you want to fix up DNS results from upstream servers, use the
    # alias option. This only works for IPv4.
    # This alias makes a result of 1.2.3.4 appear as 5.6.7.8
    #alias=1.2.3.4,5.6.7.8
    # and this maps 1.2.3.x to 5.6.7.x
    #alias=1.2.3.0,5.6.7.0,255.255.255.0
    # and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
    #alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
    # Change these lines if you want dnsmasq to serve MX records.
    # Return an MX record named "maildomain.com" with target
    # servermachine.com and preference 50
    #mx-host=maildomain.com,servermachine.com,50
    # Set the default target for MX records created using the localmx option.
    #mx-target=servermachine.com
    # Return an MX record pointing to the mx-target for all local
    # machines.
    #localmx
    # Return an MX record pointing to itself for all local machines.
    #selfmx
    # Change the following lines if you want dnsmasq to serve SRV
    # records. These are useful if you want to serve ldap requests for
    # Active Directory and other windows-originated DNS requests.
    # See RFC 2782.
    # You may add multiple srv-host lines.
    # The fields are <name>,<target>,<port>,<priority>,<weight>
    # If the domain part is missing from the name (so that it just has the
    # service and protocol sections) then the domain given by the domain=
    # config option is used. (Note that expand-hosts does not need to be
    # set for this to work.)
    # A SRV record sending LDAP for the example.com domain to
    # ldapserver.example.com port 389
    #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
    # A SRV record sending LDAP for the example.com domain to
    # ldapserver.example.com port 389 (using domain=)
    #domain=example.com
    #srv-host=_ldap._tcp,ldapserver.example.com,389
    # Two SRV records for LDAP, each with different priorities
    #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
    #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
    # A SRV record indicating that there is no LDAP server for the domain
    # example.com
    #srv-host=_ldap._tcp.example.com
    # The following line shows how to make dnsmasq serve an arbitrary PTR
    # record. This is useful for DNS-SD. (Note that the
    # domain-name expansion done for SRV records does _not_
    # occur for PTR records.)
    #ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
    # Change the following lines to enable dnsmasq to serve TXT records.
    # These are used for things like SPF and zeroconf. (Note that the
    # domain-name expansion done for SRV records does _not_
    # occur for TXT records.)
    #Example SPF.
    #txt-record=example.com,"v=spf1 a -all"
    #Example zeroconf
    #txt-record=_http._tcp.example.com,name=value,paper=A4
    # Provide an alias for a "local" DNS name. Note that this _only_ works
    # for targets which are names from DHCP or /etc/hosts. Give host
    # "bert" another name, bertrand
    #cname=bertrand,bert
    # For debugging purposes, log each DNS query as it passes through
    # dnsmasq.
    #log-queries
    # Log lots of extra information about DHCP transactions.
    #log-dhcp
    # Include another lot of configuration options.
    #conf-file=/etc/dnsmasq.more.conf
    #conf-dir=/etc/dnsmasq.d
    Basically it has only 3 lines:
    domain-needed
    bogus-priv
    dhcp-range=192.168.1.0,192.168.1.150,12h
    I also turned the forwarding on
    # echo 1 >/proc/sys/net/ipv4/ip_forward
    This is my bridge-profile
    /etc/netctl/bridge-profile
    Description="Bridge"
    Interface=br0
    Connection=bridge
    BindsToInterfaces=(enp11s0f0 enp11s0f1)
    IP=dhcp
    #Address=('192.168.1.1/24')
    #SkipNoCarrier=yes
    #Broadcast="192.168.1.255"
    ## sets forward delay time
    #FwdDelay=0
    ## sets max age of hello message
    #MaxAge=10
    When I try to start this profile with netctl start bridge-profile nothing happens, and after I abort the process (ctrl+c) this is what I find in journalctl -xn
    Aug 05 11:31:09 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    Aug 05 11:31:13 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    Aug 05 11:31:14 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    Aug 05 11:31:19 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    Aug 05 11:32:24 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    Aug 05 11:32:29 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address
    The same happens if I try to assign a static IP for the bridge. Any help is much appreciated as I have loads of equipment behind that network adapter that I can't run right now.
    Last edited by verb0ss (2013-08-07 18:27:36)

    It appears that I can't set up my bridge interface.
    Description="Bridge"
    Interface=br0
    Connection=bridge
    BindsToInterfaces=(enp11s0f0 enp11s0f1)
    IP=static
    Address=('192.168.1.1/24')
    And this is my journalctl -xn output:
    [root@localhost ~]# journalctl -xn
    -- Logs begin at Tue 2013-07-30 23:47:51 BST, end at Tue 2013-08-06 10:28:45 BST. --
    Aug 06 10:28:44 localhost network[308]: /usr/lib/network/network: line 17: /sys/class/net/br0/flags: No such file or directory
    Aug 06 10:28:44 localhost network[308]: /usr/lib/network/network: line 17: /sys/class/net/br0/flags: No such file or directory
    Aug 06 10:28:44 localhost network[308]: /usr/lib/network/network: line 17: /sys/class/net/br0/flags: No such file or directory
    Aug 06 10:28:45 localhost network[308]: /usr/lib/network/network: line 17: /sys/class/net/br0/flags: No such file or directory
    Aug 06 10:28:45 localhost network[308]: Cannot find device "br0"
    Aug 06 10:28:45 localhost network[308]: Could not add address '192.168.1.1/24' to interface 'br0'
    Aug 06 10:28:45 localhost network[308]: Failed to bring the network up for profile 'bridge-profile'
    Aug 06 10:28:45 localhost systemd[1]: netctl@bridge\x2dprofile.service: main process exited, code=exited, status=1/FAILURE
    Aug 06 10:28:45 localhost systemd[1]: Failed to start Networking for netctl profile bridge-profile.
    -- Subject: Unit netctl@bridge\x2dprofile.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    -- Documentation: http://www.freedesktop.org/wiki/Software/systemd/catalog/be02cf6855d2428ba40df7e9d022f03d
    -- Unit netctl@bridge\x2dprofile.service has failed.
    -- The result is failed.
    Aug 06 10:28:45 localhost systemd[1]: Unit netctl@bridge\x2dprofile.service entered failed state.
    I'm even unable to make a working profile just for one of the ports:
    ip link set enp11s0f0 down
    ip link set enp11s0f1 down
    Description="Bridge"
    Interface=enp11s0f0
    Connection=ethernet
    IP=static
    Address=('192.168.1.1/24')
    I'm ending up with this:
    [root@localhost netctl]# journalctl -xn
    -- Logs begin at Tue 2013-07-30 23:47:51 BST, end at Tue 2013-08-06 10:32:57 BST. --
    Aug 06 10:32:52 localhost systemd[1]: Starting Networking for netctl profile enp11s0f0...
    -- Subject: Unit [email protected] has begun with start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    -- Unit [email protected] has begun starting up.
    Aug 06 10:32:52 localhost network[381]: Starting network profile 'enp11s0f0'...
    Aug 06 10:32:52 localhost kernel: e1000e 0000:0b:00.0: irq 57 for MSI/MSI-X
    Aug 06 10:32:52 localhost kernel: e1000e 0000:0b:00.0: irq 57 for MSI/MSI-X
    Aug 06 10:32:52 localhost kernel: IPv6: ADDRCONF(NETDEV_UP): enp11s0f0: link is not ready
    Aug 06 10:32:57 localhost network[381]: No connection on interface 'enp11s0f0'
    Aug 06 10:32:57 localhost network[381]: Failed to bring the network up for profile 'enp11s0f0'
    Aug 06 10:32:57 localhost systemd[1]: [email protected]: main process exited, code=exited, status=1/FAILURE
    Aug 06 10:32:57 localhost systemd[1]: Failed to start Networking for netctl profile enp11s0f0.
    -- Subject: Unit [email protected] has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    -- Documentation: http://www.freedesktop.org/wiki/Software/systemd/catalog/be02cf6855d2428ba40df7e9d022f03d
    -- Unit [email protected] has failed.
    -- The result is failed.
    Aug 06 10:32:57 localhost systemd[1]: Unit [email protected] entered failed state.
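    An added consistency check, not from the thread, that parses the three-line dnsmasq config and the two netctl bridge profiles quoted above (constructed copies embedded inline, plus one constructed journal line in dnsmasq-dhcp's format) and reports why dnsmasq logs "DHCP packet received on ... which has no address". The checks themselves are my own reading of the symptoms: the dhcp-range needs the server's own interface to hold a static address in that subnet, and a request seen on a member port rather than on br0 means the bridge never came up.

```python
import ipaddress
import re
# Constructed copies of the dnsmasq lines, netctl profiles and a journal line from the thread.
DNSMASQ_CONF = "domain-needed\nbogus-priv\ndhcp-range=192.168.1.0,192.168.1.150,12h\n"
PROFILE_DHCP = ('Description="Bridge"\nInterface=br0\nConnection=bridge\n'
                'BindsToInterfaces=(enp11s0f0 enp11s0f1)\nIP=dhcp\n')
PROFILE_STATIC = PROFILE_DHCP.replace("IP=dhcp", "IP=static\nAddress=('192.168.1.1/24')")
LOG = ["Aug 05 11:31:09 localhost dnsmasq-dhcp[497]: DHCP packet received on enp11s0f0 which has no address"]
NO_ADDR = re.compile(r"dnsmasq-dhcp\[\d+\]: DHCP packet received on (\S+) which has no address")

def parse_dhcp_ranges(conf):
    """Return [(start, end)] for every dhcp-range line; comments are ignored."""
    ranges = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("dhcp-range="):
            start, end = line.split("=", 1)[1].split(",")[:2]
            ranges.append((ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return ranges

def parse_profile(text):
    """Return netctl keys as a dict; Address and BindsToInterfaces become lists."""
    prof = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, val = line.split("=", 1)
        if key == "Address":
            prof[key] = re.findall(r"'([^']+)'", val)
        elif key == "BindsToInterfaces":
            prof[key] = val.strip("()").split()
        else:
            prof[key] = val.strip('"')
    return prof

def check_profile(conf, profile_text):
    """Findings that stop dnsmasq from serving its dhcp-range on this profile."""
    prof = parse_profile(profile_text)
    findings = []
    if prof.get("IP") != "static":
        # The DHCP server's own interface must hold a static address in the pool's subnet.
        findings.append(f"{prof['Interface']}: IP={prof.get('IP')} but a DHCP server needs a static address")
    nets = [ipaddress.ip_interface(a).network for a in prof.get("Address", [])]
    for start, end in parse_dhcp_ranges(conf):
        inside = [n for n in nets if start in n and end in n]
        if not inside:
            findings.append(f"dhcp-range {start}-{end} lies outside every address on {prof['Interface']}")
        elif start == inside[0].network_address:
            findings.append(f"dhcp-range starts at the network address {start}; clients must not get it")
    return findings

def check_log(lines, profile_text):
    """Explain 'no address' log lines: a hit on a bridge member port means br0 is not up."""
    prof = parse_profile(profile_text)
    members = prof.get("BindsToInterfaces", [])
    return [f"{m.group(1)} is a member port of {prof['Interface']}: the request was seen on "
            "the port itself, so the bridge is not up and owns no address"
            for m in map(NO_ADDR.search, lines) if m and m.group(1) in members]
```

Running check_profile on the IP=dhcp profile yields two findings and on the static profile one (the pool starting at 192.168.1.0); check_log attributes the quoted log line to the bridge member enp11s0f0.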

  • Full NAT dns proxy is not working in Windows 7

    Back in XP, I can activate the Windows full blown NAT service via RemoteAccess and IpNat (I turned off SharedAccess as it's not compatible with RemoteAccess) and use netsh to configure it. I activated the dns proxy via 'netsh routing ip dnsproxy' context.
    It works very well all these years.
    Now using Windows 7, I can't make it work anymore. I have copied over both ipmontr.dll & ippromon.dll from Windows 2K8 R2, and installed those helpers into my Windows 7 netsh. I can access the 'netsh routing ip dnsproxy' context. But enabling the DNS proxy doesn't do anything. DNS requests (UDP port 53) coming from the client in the private LAN served by this PC just sink in, no response. I don't see any DNS request attempt on the public network interface of this PC.
    From 'netstat -na', I don't see UDP port 53 on the private network interface being opened. In XP, I can see it opened and closed as I enable or disable the DNS proxy in the 'netsh routing ip dnsproxy' context. I enabled the firewall log to see if the firewall blocks it, but I see absolutely nothing related to the DNS request.
    Is there a missing step to enable a full blown NAT service in Windows 7 that I missed? Pls help.
    Thx

    Thank you all for the replies, but ICS is NOT an option. It can only handle 1 private network and is limited to 192.168.0.0/24. In our test framework we need 2 private networks and use 172.20.0.0/14. Using Windows Server is way too expensive; we have so many test benches, each having its own private network as above for test isolation. We only need NAT functionality, not the whole Windows Server functionality.
    I also found out that, although netsh manages to configure the NAT, actually no NATing is taking place. Not only the DNS proxy, but the whole NAT is just not happening.
    IMHO, removing it from Win7 is a mistake; not everyone needs the whole server functionality. We have decided to use Linux instead. So we cancel the plan to upgrade to Win7 and go Linux. Microsoft could have got some license fees from the Win7 we planned to purchase, but this is a deal killer for us as NAT is the core our test framework is based on. Not ideal for us as we have many Windows-native tools, but since we are already moving to Python, I guess moving to Linux is the answer for us.
    Had Win7 still had the full NAT capability as in WinXP, I would prefer to stay on Windows, but we have to move on as WinXP is no longer supported.
    I consider this thread closed. Thank you all.

  • I want to use Back to my mac. When I try to turn it on, it says "Back to My Mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again." How do I fix this?

    Not sure if I am doing this right. This is my first time in the support community.
    I imagine what I put in my heading was supposed to go in here.
    I want to use Back to my mac. When I try to turn it on, it says "Back to my mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again. See the documentation that came with your device for information about turning off network services"
    Does anyone know how I do this? I contacted my ISP (Telus in Canada) and they did not know anything (not that they usually do).

    Why do ISPs insist upon making things so difficult for their customers?
    If you cannot get them to understand that you would prefer to use your own router over their piece of cheap junk, perhaps the information in the following will be useful:
    http://keithbalomben.wordpress.com/2012/03/29/telus-actiontec-v1000h-hacks-and-information/
    Scroll down to DHCP Settings
    You will need to log in with proper "technician" credentials. They are provided in the above link as
    Username: tech
    Password: t3lu5tv
    ... but these may or may not work. Try it, and if you cannot get anywhere at least now you know what to ask Telus to do in return for your business.
