NAT Configuration

During the Christmas holidays I'm going to be fine tuning our server and was thinking that the NAT service may benefit our network. We have approx. 35 Windows machines accessing the Internet and normally all at once with one public IP address. So I think NAT may help resolve some issues but I have a few questions.
Currently the server is using eth0 directly into the switch and the VPN appliance is also connected to the switch. The server dishes out IP addresses to the LAN while the VPN appliance is manually set with its IP address. According to how NAT configs, eth0 will connect directly to the WAN port on the VPN unit and eth1 will be connected to the switch. When you're setting up eth0 how is this configured? Do I manually set an IP to reflect my private LAN designation and does this now become my 'Gateway' when I'm setting up server eth1 settings?
I'm a bit confused. Any help would be appreciated or comments on my setting up the NAT service.

No offense, but I think it's clear you're a bit confused.
> We have approx. 35 Windows machines accessing the Internet and normally all at once with one public IP address. So I think NAT may help resolve some issues
If you have 35 machines sharing a single public address you're already using NAT. Therefore either the issues you're having aren't related to NAT at all, or they are NAT-related but having your server run NAT isn't going to resolve them.
It isn't yet clear to me what the issues are that you're trying to resolve. Can you elaborate?
Given what you've said so far:
> Currently the server is using eth0 directly into the switch and the VPN appliance is also connected to the switch.
OK, makes sense so far...
> The server dishes out IP addresses to the LAN while the VPN appliance is manually set with its IP address.
OK, this makes sense, too - pretty standard so far.
> According to how NAT configs, eth0 will connect directly to the WAN port on the VPN unit and eth1 will be connected to the switch
OK, this is where it breaks down. Why do you plan to connect eth0 to the WAN port of the VPN? Typically the VPN server will have one WAN port and one LAN port, but it may be able to run on a single link.
> When you're setting up eth0 how is this configured?
How is what configured?
> Do I manually set an IP to reflect my private LAN designation and does this now become my 'Gateway' when I'm setting up server eth1 settings?
You've lost me completely here. What device are you configuring here?
Do you already have the VPN in place? Is that already operating?
If so, why do you see the need to change this?

Similar Messages

  • NAT configuration on PIX to ASA

    Hi,
    I have below configuration on my PIX 8.0 which I want to convert into ASA 9.1 :
     nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
    access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
    access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
    access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
    access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
    access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
    And, there is no "NAT (global) 0 " command in PIX for this configuration.
    How can I use this in ASA..?
    Regards,
    Ninad

    Hi,
    The configuration is going to be bigger at least. I did like the NAT0 more in the old software when you could use the ACL configuration to handle it and not bloat the NAT configuration needlessly.
    There are some strange ACEs in that ACL. I mean the rules where the source and destination seem to be either from the same subnet or just simply host address (perhaps loopback interface IP addresses somewhere in the network?) that wouldn't expect to use the firewall to communicate? Though I will assume those configurations are needed.
    You could try the following configuration, though I naturally suggest perhaps coming up with some other naming policy for the "object" configuration if needed.
    object network HOST-10.2.1.175
     host 10.2.1.175
    object network HOST-10.10.49.30
     host 10.10.49.30
    object network HOST-1.1.1.58
     host 1.1.1.58
    object network HOST-1.1.1.57
     host 1.1.1.57
    object network HOST-172.29.83.2
     host 172.29.83.2
    object network HOST-172.29.83.1
     host 172.29.83.1
    object network HOST-202.138.123.75
     host 202.138.123.75
    object network HOST-10.10.11.20
     host 10.10.11.20
    object network HOST-10.14.1.11
     host 10.14.1.11
    object network HOST-10.10.50.150
     host 10.10.50.150
    nat (Cust-DMZ,any) source static HOST-10.2.1.175 HOST-10.2.1.175 destination static HOST-10.10.49.30 HOST-10.10.49.30
    nat (Cust-DMZ,any) source static HOST-1.1.1.58 HOST-1.1.1.58 destination static HOST-1.1.1.57 HOST-1.1.1.57
    nat (Cust-DMZ,any) source static HOST-172.29.83.2 HOST-172.29.83.2 destination static HOST-172.29.83.1 HOST-172.29.83.1
    nat (Cust-DMZ,any) source static HOST-202.138.123.75 HOST-202.138.123.75 destination static HOST-10.10.11.20 HOST-10.10.11.20
    nat (Cust-DMZ,any) source static HOST-10.14.1.11 HOST-10.14.1.11 destination static HOST-10.10.50.150 HOST-10.10.50.150
    Notice that I configured the destination interface as "any". With that setting it should define the destination interface based on your ASA's routing table. I personally tend to define that interface but can't do that in this case as I can't see your routing configuration or routing table.
    If you want to read up some on the new NAT configuration format you can check a document that I wrote in 2013.
    Sadly the update to these forums also changed the layout of the document a bit, so some things aren't really as I wish them to be.
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
    Hope this helps :)
    - Jouni
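
An added example, not part of the original thread: a Python script that turns the PIX NAT0 ACL quoted in the question into the `object network` and twice-NAT lines of the form shown in the reply, and lists the ACEs whose two hosts share a subnet, which are the entries the reply calls strange. The function names and the /24 prefix used for the same-subnet check are assumptions; the page does not give the real masks.

```python
import ipaddress
import re

# Constructed input: the PIX 8.0 NAT0 ACL as quoted in the question above.
PIX_ACL = """\
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
"""

# Only the host-to-host "permit ip" form used on the page is accepted.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+ip\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)\s*$"
)


def parse_nat0_acl(text):
    """Return (src, dst) IPv4Address pairs; reject any ACE form we cannot convert safely."""
    pairs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            # Refuse to guess: a silently skipped ACE would change what is exempted from NAT.
            raise ValueError(f"line {lineno}: unsupported ACE form: {line!r}")
        pairs.append((ipaddress.IPv4Address(m["src"]), ipaddress.IPv4Address(m["dst"])))
    return pairs


def object_name(addr):
    """Naming policy taken from the reply (HOST-<ip>)."""
    return f"HOST-{addr}"


def to_twice_nat(pairs, src_if, dst_if="any"):
    """Emit one object per distinct host, then one identity twice-NAT rule per ACE."""
    objects, seen, nat_lines = [], set(), []
    for src, dst in pairs:
        for addr in (src, dst):
            if addr not in seen:  # an address used in several ACEs gets a single object
                seen.add(addr)
                objects += [f"object network {object_name(addr)}", f" host {addr}"]
        s, d = object_name(src), object_name(dst)
        nat_lines.append(
            f"nat ({src_if},{dst_if}) source static {s} {s} destination static {d} {d}"
        )
    return objects + nat_lines


def same_subnet_pairs(pairs, prefixlen=24):
    """List ACEs whose source and destination fall in one subnet.

    prefixlen is an assumption (the thread shows no masks); such hosts would
    normally talk directly, so the exemption deserves a review before migration.
    """
    flagged = []
    for src, dst in pairs:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        if dst in net:
            flagged.append((str(src), str(dst)))
    return flagged


if __name__ == "__main__":
    acl_pairs = parse_nat0_acl(PIX_ACL)
    print("\n".join(to_twice_nat(acl_pairs, "Cust-DMZ")))
    for src, dst in same_subnet_pairs(acl_pairs):
        print(f"! review: {src} and {dst} are in the same /24")
```
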

  • "Current Time" problem behind a NAT Configured DSL Modem

    I have a WRT54GS wireless router behind a NAT configured Alcatel Speedtouch Pro DSL modem. I have noticed that the "Current Time:" is perpetually "Not Available". I am speculating that it is because the NAT blocks the synchronization, but I'm not absolutely sure. Can anyone confirm that this indeed could be the problem?
    If this is the case, is it possible to configure a NAT router to pass this signal?
    I would like to have the benefits of NAT, but I would also like to utilize the WRT54GS's policy feature to limit my kid's internet activity after hours.
    Thanks in advance!

    Alcatel makes a lot of SpeedTouch modems. I cannot tell which one you have. I assume it must be a "modem-router" rather than a true modem.
    What "Internet connection type" are you using in the WRT54GS? I assume it is probably DHCP or static. Disconnect the WRT54GS and the SpeedTouch. Set the "Internet connection type" on the WRT54GS to "static", then set the (WAN) "Internet IP address" to an address that the SpeedTouch will see as a fixed LAN IP address, and set the "Default Gateway" to the LAN IP address of the SpeedTouch, and set the "Subnet Mask" to 255.255.255.0, and set the "DNS server address" to your true Internet DNS server address (you should be able to find this info in the SpeedTouch).
    Hope this helps.
    Please let me know whether or not this worked.
    If you need more help, please state the exact model number of your modem (not the WRT54GS).

  • ACE NAT configuration - is it possible to use a different source PAT IP per rserver in a serverfarm?

    Hi,
    I've a quick question regarding using PAT (port address translation) on an ACE module specifically for the purpose of load-balancing requests to a cluster of Exchange CAS servers.
    Each CAS server needs to see requests from the same source IP which can be achieved by using source NAT / PAT but due to the scale of this Exchange deployment a single NAT pool with one PAT'd IP will not provide enough ports (i.e. there may well be more than ~64,000 ports required at any one time).
    Is it possible to configure PAT on the ACE so that each individual rserver will see requests from a unique source PAT address, i.e., each rserver sees a different source PAT IP, i.e., in order to provide ~64,000 ports per source PAT IP <-> CAS server pair as opposed to ~64,000 ports shared between all the CAS servers?
    If so, does anyone have any configuration examples (based on a single-armed configuration)?
    TIA

    Hi Tia,
    I don't think we can do this. We can easily configure a different nat pool per serverfarm but not per rserver.
    --Olivier

  • Static nat configuration help

    Hi,
    I have the following setup that i am tasked with creating static nat for and i am a little lost with getting the correct nat working.
    Here is the setup:
    Internal servers behind firewall 192.168.1.0/24
    Firewall external interface is 192.168.5.36
    Firewall external interface is connected to inside gig0/0 interface on cisco router.
    cisco router currently, it has a sub interface g0/0.5 with ip 192.168.5.41.
    on the outside cisco interface, serial1/0 is an ip, 10.1.2.3.
    Beyond serial1/0 are multiple remote hosts, such as...
    10.8.10.5
    10.20.10.16
    10.20.12.12
    these are remotely managed by another company.
    Now, for the static nat, we want to do the following:
    translate 192.168.5.66 -> 10.8.10.5
    translate 192.168.5.67 -> 10.20.10.16
    translate 192.168.5.68 -> 10.20.12.12
    Internal hosts behind the firewall would communicate via 192.168.5.66, 67 or 68, and the cisco router would translate these to appropriate addresses.
    Note that 192.168.5.66,67,68 don't exist as yet, my understanding (which is possibly wrong) is that once nat is correctly setup they will just work and the cisco router will do the translations.
    I've tried some different scenarios with ip nat inside, ip nat outside and nvi (Cisco IOS is 12.4(11)XW3) but am failing to get proper translation happening.
    Most examples i've seen involve the internal "to be translated" address actually being an internal server, not something that gets configured on the cisco router by a nat translation.
    Is this possible?
    or have i got it completely wrong? i.e .should the addresses 192.168.5.66,67,68 be configured somewhere?
    Thanks in advance,
    Regards,
    Les

    Michael,
    Thanks for your reply, I had seen that doc before, but it wasn't enough to get things working for me. Most of the examples I have seen were similar to this, and involved NAT where an internal host address was being NAT'ed. In my case, the address to NAT didn't exist on an internal host and to translate correctly I needed to define both an inside source static and an identical outside source static entry. I also had to change which interface was outside and inside.
    i.e.
    int g0/0.5
    ip nat outside
    int serial1/0
    ip nat inside
    ip nat inside source static 10.8.10.5 192.168.5.66
    ip nat outside source static 10.8.10.5 192.168.5.66
    with that config my translation table looked like...
    #sh ip nat tra
    Pro Inside global      Inside local       Outside local      Outside global
    --- ---                ---                192.168.5.66       10.8.10.5
    --- 192.168.5.66       10.8.10.5          ---                ---
    And debug ip nat detailed showed correct translations happening:
    # ping from 192.168.5.36
    Sep  4 06:18:07.807: NAT*: o: icmp (192.168.5.36, 8494) -> (192.168.5.66, 8494) [43]    
    Sep  4 06:18:07.807: NAT*: o: icmp (192.168.5.36, 8494) -> (192.168.5.66, 8494) [43]
    Sep  4 06:18:07.807: NAT*: s=192.168.5.36, d=192.168.5.66->10.8.10.5 [43]
    if i had only an inside source static address then the translations never happened.
    So i have a working config now.
    Regards,
    Les

  • Issues with source NAT configuration in VNMC

    Before coming to the questions/doubts let me explain the ASA 1000v setup that I have
    ASA 1000v
    -          inside interface with ip 10.1.1.1 (attached to a network with subnet 10.1.1.0/24 and vlan 515)
    -          outside interface with ip 10.147.30.236 (attached to a network with subnet 10.147.30.0/24 and vlan 30)
    On ASA running ‘show route’ outputs following:
    C             10.1.1.0 255.255.255.0 is directly connected, esp-in
    C             10.147.28.0 255.255.255.0 is directly connected, management
    C             10.147.30.0 255.255.255.0 is directly connected, esp-out
    S*           0.0.0.0 0.0.0.0 [1/0] via 10.147.30.1 via esp-out
    On VNMC I created edge firewall with inside interface as ‘esp_in’ (10.1.1.1) and outside as ‘esp_out’ (10.147.30.236)
    Now I want to configure the following scenarios through VNMC:
    1.       Source NAT : 10.1.1.0/24 -> 10.147.30.236. While trying to configure this I see the following error in VNMC
    ERROR: Executing CLI returned error message: object network pe_internal_net_obj_range_10.1.1.2_10.1.1.254;range 10.1.1.2
    10.1.1.254;object-group network NSONOg:source-nat:source-nat-rule@esp-out;network-object object
    pe_internal_net_obj_range_10.1.1.2_10.1.1.254;nat (esp-out,any) 1 source static NSONOg: source-nat:source-nat-rule@esp-out interface;
    ERROR:  interface keyword is not allowed when translated interface is any;
    2.       I created another NAT rule from 10.1.1.0/24 -> 10.147.30.237. I also created an ACL rule for allowing outbound ssh traffic. This was working for me initially and I was able to ssh from a VM attached to subnet 10.1.1.0/24 to an outside VM. But after I did a re-assign with the same ASA appliance this stopped working and there was a configuration error:
    ERROR: Executing CLI returned error message: service-policy mpf-sp0001 interface sp0001;         ^;ERROR: % Invalid input detected at ^ marker;
    ERROR: Executing CLI returned error message: service-policy mpf-esp-out interface esp-out;     ^;ERROR: % Invalid input detected at ^ marker;
    Version details
    VNMC 2.0
    ASA 1000v version
    Cisco Adaptive Security Appliance Software Version 8.7(1)1
    Device Manager Version 6.7(1)
    Questions:
    -          Can anyone let me know what is the correct configuration for setting up source NAT as mentioned above? Why am I getting the errors mentioned and how to fix them?
    -          Why is there an error on reassigning ASA 1000v to the edge firewall?
    -          How to enable logging/debugging on ASA or VNMC to see packet details and how rules are getting applied?
    Thanks,
    Koushik

    Hello Arseny,
    How did you resolve this issue?
    We are still facing the same problem in WebI 4.1 SP5 Patch 4.
    The issue is still under SAP investigation with KBA 2131762.
    Regards,
    Mirko

  • Why does this NAT configuration not work ?

    interface FastEthernet0/0
    description To Cable Modem
    ip address dhcp
    ip nat outside
    interface FastEthernet0/1
    description To LAN
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip nat pool ovrld 72.186.194.72 72.186.194.72 netmask 255.255.192.0
    ip nat inside source list NATOUT pool ovrld overload
    ip access-list standard NATOUT
    permit 192.168.1.0 0.0.0.255 log
    Show ip nat translations shows no translations.
    The Stats
    Dynamic mappings:
    -- Inside Source
    [Id: 3] access-list NATOUT pool ovrld refcount 0
    pool ovrld: netmask 255.255.192.0
            start 72.186.194.72 end 72.186.194.72
            type generic, total addresses 1, allocated 0 (0%), misses 0
    Queued Packets: 0
    I can get one device to translate with a static but the dynamic does not work.

    Hey Rolf. I used the commands like you said but it will not translate anything unless the entry is static.
    ip nat inside source static 192.168.1.2 72.186.*.72 is what I'm using to get my main node translated while I figure out this problem. The configuration worked fine until I upgraded IOS from 12.3 to 12.4. That's when it quit translating. My config follows. Keep in mind that when I tried your commands I removed the static entry for 192.168.1.2
    Building configuration...
    [OK]
    HEADEND(config)#do sh run
    Building configuration...
    Current configuration : 3267 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname HEADEND
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$vk5M$eGiHBbhKZrvPdNz0aXhve1
    no aaa new-model
    memory-size iomem 15
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.100
    ip dhcp excluded-address 192.168.1.254
    ip dhcp excluded-address 192.168.1.250 192.168.1.254
    ip dhcp pool DEESPOOL
       network 192.168.1.0 255.255.255.0
       dns-server 65.32.5.111 65.32.5.112
       domain-name dbtech.netpros.com
       default-router 192.168.1.254
    crypto pki trustpoint TP-self-signed-3843280569
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3843280569
    revocation-check none
    rsakeypair TP-self-signed-3843280569
    crypto pki certificate chain TP-self-signed-3843280569
    certificate self-signed 01
      quit
    username derek privilege 15 secret 5 $1$rBZD$NqY/hkTEpcZV4rYqwtKAD.
    interface FastEthernet0/0
    description To Cable Modem
    ip address dhcp
    ip nat outside
    duplex auto
    speed auto
    interface FastEthernet0/1
    description To LAN
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    duplex auto
    speed auto
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list NATOUT interface FastEthernet0/0 overload
    ip access-list standard NATOUT
    permit 192.168.1.0 0.0.0.255 log
    control-plane
    line con 0
    line aux 0
    This is very odd; it is like dynamic NAT is just broken.

  • Cisco 871 NAT configuration not working

    The problem is that NAT is not working for the "internal" network.
    If I own the IP 10.0.0.15 for example and I try to reach x.x.x.x:65009 it will not work.
    what's the problem?
    here is the configuration:
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
    ip address x.x.x.x 255.255.255.192
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    interface Vlan1
    ip address 10.0.0.1 255.255.255.192
    ip access-group 2 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source static tcp 10.0.0.12 60022 x.x.x.x 65000 extendable
    ip nat inside source static tcp 10.0.0.12 80 x.x.x.x 65001 extendable
    ip nat inside source static tcp 10.0.0.12 21 x.x.x.x 65002 extendable
    ip nat inside source static tcp 10.0.0.12 389 x.x.x.x 65003 extendable
    ip nat inside source static tcp 10.0.0.12 3306 x.x.x.x 65004 extendable
    ip nat inside source static tcp 10.0.0.12 10000 x.x.x.x 65005 extendable
    ip nat inside source static tcp 10.0.0.12 443 x.x.x.x 65007 extendable
    ip nat inside source static tcp 10.0.0.21 80 x.x.x.x 65009 extendable
    ip nat inside source static tcp 10.0.0.21 22 x.x.x.x 65010 extendable
    ip nat inside source static tcp 10.0.0.12 8080 x.x.x.x 65011 extendable
    ip nat inside source static tcp 10.0.0.21 21 x.x.x.x 65012 extendable
    ip nat inside source static tcp 10.0.0.21 3306 x.x.x.x 65013 extendable
    logging trap debugging
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.0.0.0 0.0.0.63
    access-list 2 deny 10.0.0.8
    access-list 2 deny 10.0.0.2
    access-list 2 deny 10.0.0.3
    access-list 2 deny 10.0.0.6
    access-list 2 deny 10.0.0.7
    access-list 2 deny 10.0.0.4
    access-list 2 deny 10.0.0.5
    access-list 2 permit 0.0.0.0 10.0.0.63

    No, the ranges are not the same. That is, they share the same B-class stats, but no C-class.
    Incidentally, the extendable parameter is present in this IOS version. When I change the parameter interface dialer0 to the IP address associated with the interface, extendable is added automatically. No joy however.
    Today I'm going to try and downgrade the ios, another router with 12.4(4)T1 does have functional port mappings....

  • Router NAT Configuration

    Hi,
    I have a pc behind a nat router with ip 192.168.1.2.
    Setting virtual server on my router configuration, when a request arrives on my router on port 1099, the router sends this request to my PC.
    So clients can connect to rmiregistry running on my pc.
    Rmi Server Object is registered with option
    -Djava.rmi.server.hostname=82.xx.xx.xx (public ip of router)
    so clients connect to this public ip to find rmi object.
    My problem is this: when I run rmi server object with this option, after 25 seconds the object falls.
    If I run it without this option, it doesn't fall but it is registered with local ip and clients can't connect to it.
    RmiRegistry and RmiServerObject run on the same local pc behind router.
    Thanks.
    Bye

    If I know why it falls I could resolve it.
    There isn't an exception error.
    This is the main function of MyServerImpl that extends UnicastRemoteObject and implements MyServer interface.
    public static void main(String args[]) {
        String rmiregistry_host = "localhost";
        // String rmiregistry_host="192.168.1.5";
        // String rmiregistry_host="82.51.85.191";
        String URL = "jdbc:odbc:DBExAllievi";
        String driver = "sun.jdbc.odbc.JdbcOdbcDriver";
        // Optional arguments: registry host, or registry host + JDBC driver + JDBC URL
        if (args.length == 1) {
            rmiregistry_host = args[0];
        } else if (args.length == 3) {
            rmiregistry_host = args[0];
            driver = args[1];
            URL = args[2];
        }
        System.setSecurityManager(new RMISecurityManager());
        try {
            GestioneDatiExAllievi_IMPL istanza = new GestioneDatiExAllievi_IMPL();
            istanza.settaggi(driver, URL);
            // Bind the remote object in the registry under a fixed name
            Naming.rebind("//" + rmiregistry_host + "/GestioneDatiExAllievi", istanza);
            System.out.println("Registrazione oggetto remoto effettuata");
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }
    This is the output:
    http://www.cplusplus.it/file/output.jpg
    The String "Registrazione oggetto remoto effettuata" is shown so there isn't exception, but after 24 seconds the application exits.
    Instead if I run without -Djava.rmi.server.hostname=82.51.85.191 it's all ok, but my rmi object is registered with local ip, so I can't use it over the internet but only in lan.
    I hope now I explained better the problem.
    Sorry.

  • AV Edge NAT Configuration for UDP 3478 with Federated Partners (FTURN)

    For A/V media to be relayed between two (NAT'd) federated partners' edge servers over UDP 3478 "Tunnel Mode", must the NAT be configured so that the source port is not changed on an inbound packet?
    In Converse:
    If the NAT changes the source port of an inbound packet, will it break/prevent UDP "Tunnel Mode"? (thus forcing media connectivity by other connectivity points)
    Edge Server  Sends  (source) x.x.x.x:3478 (dest) x.x.x.x:3478  ---->  NAT Device ---->
    (source) x.x.x.x:6000 (dest) x.x.x.x:3478 ---> Received at Destination Edge Server.

    Hi MGMNVA,
    I don’t think this can work.
    On the other hand, if the remote Edge server sends the traffic to your Edge server, how the traffic reaches and communicates with your Edge Server ?
    Remote Edge Server 
    Sends  (source) x.x.x.x:3478 (dest) x.x.x.x:3478 
    ---------> Your NAT Device (Firewall) ---------> ?? (Where the traffic will be forwarded to ?)
    Best regards,
    Eric

  • Ipfilter nat configuration

    Hi
    I'm trying to set up NAT on my Solaris 10 x86 box, but so far no success.
    I have an outgoing network interface rtls1 which has a private IP address given by my ADSL modem and an internal rtls0 interface which I set up manually.
    the rtls1 is 192.168.1.2 / 255.255.255.252 with default router 192.168.1.1 (my ADSL modem)
    the rtls0 is 192.168.0.1 / 255.255.255.0
    I started with very simple ipnat.conf
    map rtls1 192.168.0.0/24 -> 192.168.1.2/32 portmap tcp/udp auto
    map rtls1 192.168.0.0/24 -> 192.168.1.2/32
    Even with this simple configuration I can see the packets from my internal network going to rtls1 but the source address of those packets is not mangled with the address of rtls1.
    I have the following result from ipf -V
    bash-3.00# ipf -V
    ipf: IP Filter: v4.0.2 (500)
    Kernel: IP Filter: v4.0.2
    Running: yes
    Log Flags: 0 = none set
    Default: pass all, Logging: available
    Active list: 0
    and
    ipnat -l
    List of active MAP/Redirect filters:
    map rtls1 192.168.0.0/24 -> 192.168.1.2/32 portmap tcp/udp auto
    map rtls1 192.168.0.0/24 -> 192.168.1.2/32
    List of active sessions:
    the ip_forwarding is enabled because
    ndd -get /dev/tcp ip_forwarding
    1
    So i can not figure what is wrong with the configuration and why the packets at rtls1 are not translated?
    Thanks

    Did you successfully set up your Solaris 10 IP Filter with NAT? I am attempting to do the same. Would you be so kind as to share the essentials and maybe examples?

  • NAT configuration and Port Mapping for xBox

    I'm looking for help with port mapping to open up the NAT for an xBox One. I'm working with the following network devices:
    xBox One
    DSL Modem: Embarq (ZyXEL) 660R series
    Airport Extreme version 7.7.3
    I understand the following from researching the issue:
    The default settings for both devices block the ports needed for xBox Live.
    Airport Extremes are not on the compatible list for xBox.
    Port Mapping is better than creating a DMZ for the xBox.
    The xBox needs its own manually set IP address.
    I switched my Network>Router Mode from Off (Bridge Mode) to DHCP and NAT. I then created a DHCP Reservation and the Port Settings for that IP.
    After doing this, the Airport would restart and display a warning - Double NAT. I figured this was because the 660 settings showed the NAT Mode to be SUA Only. The Edit Details link displayed an empty table where you edited the SUA/NAT Server Set. I switched from NAT Mode>SUA Only to None. So there was my Double NAT and I would have thought that would have removed one.
    I also disabled the Firewall and Enabled the UPnP.
    After restarts the Airport continued to display the Double NAT error. However, with the 660's NAT Mode set to None, the Internet was not there. Web browsers and email accounts replied with server not found.
    Only with the 660 set to SUA Only and the Airport in Bridge Mode is the Internet accessible. I now have the details for the SUA filled out for the xBox's IP address and ports.
    Hypothesis
    Since both devices are acting as DHCP servers the port mapping is not working. Rather than have the 660 distribute IP addresses and then having the Airport distribute another range of numbers, I need to have both devices bridge and distribute one range of numbers. Currently the 660 is using the 192.168 range and the Airport is using the 10.0 range.
    Am I correct? Any thoughts and suggestions are welcome.

    Port forwarding through a double NAT.. is near impossible.. !!
    And the xbox is so attuned to using UPNP it is very hard not to.. even port mapping is not a great fix. Since apple decided gamers did not count as users for Airports.. I think honestly it is best to bypass the airport and stick to upnp from the modem router.
    What method of authentication does your ISP use? Because it is really better to use one router.
    And in fact the router should be the Zyxel. If you plug the Xbox to the Zyxel running in full router mode, with the airport removed from the network does it work and open NAT??
    If not replace the Zyxel with a modern listed router that is xbox compatible and bridge the airport to it.

  • ASA5510 NAT configuration question

    Hello friends...
    I have 30 IP cameras with a private IP address:
    10.1.1.1 – 10.1.1.30
    I have a Cisco ASA 5510 firewall.
    I want to be able to use one public IP address, example, 50.50.50.50
    With a specific port to go to a different internal camera,
    Example
    50.50.50.50:3001 should be NATTED to camera 10.1.1.1
    50.50.50.50:3002 should be NATTED to camera 10.1.1.2
    50.50.50.50:3003 should be NATTED to camera 10.1.1.3
    50.50.50.50:3004 should be NATTED to camera 10.1.1.4
    Etc…
    How do I do this? I know how to create NAT… just not like this, please help!!
    Any help is greatly appreciated.
    Thanks
    David

    Hi,
    No worries.
    static (inside,outside) tcp 50.50.50.50 3001 10.1.1.1 80
    static (inside,outside) tcp 50.50.50.50 3002 10.1.1.2 80
    static (inside,outside) tcp 50.50.50.50 3003 10.1.1.3 80
    static (inside,outside) tcp 50.50.50.50 3004 10.1.1.4 80
    static (inside,outside) tcp 50.50.50.50 3005 10.1.1.5 80
    Dan

  • WRT160Nv3 360 NAT configuration simplified, multiple 360's

    So, as with many folks on here, I've been struggling with configuring my WRT160Nv3 (Firmware Version: v3.0.02) for some time now.  I found many posts with some pretty extreme configurations (turning off this, that, port forwarding, etc...), but once I was able to get it work (BUT sadly only 1 360 with port forwarding), I WAS finally able to use multiple 360's by using port range triggering. And THEN, I decided to roll back many of the changes I had made to find the minimum configuration...
    In a nutshell:
    Turn OFF UPnP on the "Administration" tab (This one was most frustrating because the XBOX support page tells you to turn it ON)
    Use Port Range Triggering on the Games and Applications table entering 3074 to 3074 for both Triggered Range and Forwarded Range (I did have 88 as well, but found it wasn't necessary)
    That's IT!!!!!
    Mind you, I am now using static IPs via the DHCP reservation function, but I don't think it's necessary. (I'm using this because of a flaky wireless printer and I think HBOGo associates your activation with your IP - seems like every 4 days or so :-) I would have to reactivate my devices...) I have one 360 with Manual IP setup on the 360 itself (using the router's DHCP reserved IP and leaving DNS as automatic on the 360) and one 360 with both IP and DNS set to automatic (still reserved on the router, so should be the same IP every time), and they both are working fine.
    I hope this helps and stops the madness!!!

    I figured it out. I don't see a delete thread option. Sorry >__<

  • Where do I call to change my NAT configuration from "Moderate" To "open"?

    I have already port forwarded, reset modem for 5 minutes, tried new IP address, switched in between wired and wireless, and nothing happens.

    #1 What is the brand and model of your modem?
    #2 What is the brand and model of your router?
