NAT problems on a L3 3650 switch
So, I am trying to set up NAT on our new 3650 switch running IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.00E RELEASE SOFTWARE.
This simple setup involves a layer 3 port (1/0/46) to our gateway and a VLAN for NAT.
My hosts on my NAT VLAN (Vlan 2) do not seem able to ping anywhere other than the switch itself (all its interfaces) and their local subnet. Pings from the switch to outside are fine (NAT debug enabled):
Switch#ping 8.8.8.8 source 192.168.122.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.122.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/66/70 ms
Switch#
*Nov 10 14:27:04.145: NAT: ICMP id=1->1025
*Nov 10 14:27:04.145: NAT: s=192.168.122.1->165.211.28.194, d=8.8.8.8 [5]
*Nov 10 14:27:04.210: NAT: ICMP id=1025->1
*Nov 10 14:27:04.210: NAT: s=8.8.8.8, d=165.211.28.194->192.168.122.1 [0]
Running Config:
! Last configuration change at 13:51:06 UTC Mon Nov 10 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
hostname Switch
boot-start-marker
boot system switch all flash:packages.conf
boot-end-marker
vrf definition Mgmt-vrf
address-family ipv4
exit-address-family
no aaa new-model
switch 1 provision ws-c3650-48ps
ip routing
ip dhcp excluded-address 192.168.122.1
ip dhcp pool Pool14
import all
network 192.168.122.0 255.255.255.0
dns-server 165.211.29.1
default-router 192.168.122.1
domain-name my.domain
crypto pki trustpoint TP-self-signed-1875358754
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
redundancy
mode sso
class-map match-any non-client-nrt-class
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
interface GigabitEthernet1/0/46
description conf GW
no switchport
ip address 165.211.28.194 255.255.255.192
ip nat outside
interface GigabitEthernet1/0/47
switchport access vlan 2
spanning-tree portfast
spanning-tree bpduguard enable
interface GigabitEthernet1/0/48
switchport access vlan 2
spanning-tree portfast
spanning-tree bpduguard enable
interface Vlan1
no ip address
shutdown
interface Vlan2
ip address 192.168.122.1 255.255.255.0
ip nat inside
ip nat inside source list 61 interface GigabitEthernet1/0/46 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 165.211.28.193
access-list 61 permit 192.168.122.0 0.0.0.255
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
line vty 5 15
login
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
profile httplistener
profile httpslistener
wsma agent filesys
profile httplistener
profile httpslistener
wsma agent notify
profile httplistener
profile httpslistener
wsma profile listener httplistener
transport http
wsma profile listener httpslistener
transport https
ap group default-group
end
I also tried using a Vlan (+nat outside) instead of the Layer3 port (1/0/46) with the same results
Hello Paul,
1) Yes, the public addressing is correct. Our gateway is 165.211.28.193/26 and my public is set up as 165.211.28.194/26.
2) IP routing is enabled on the switch, as you can see in my configuration.
3) Switch#sh sdm prefer
Showing SDM Template Info
This is the Advanced (low scale) template.
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 512
IGMP and Multicast groups: 4096
Overflow IGMP and Multicast groups: 512
Directly connected routes: 16384
Indirect routes: 7680
Security Access Control Entries: 1536
QoS Access Control Entries: 3072
Policy Based Routing ACEs: 1024
Netflow ACEs: 768
Wireless Input Microflow policer ACEs: 256
Wireless Output Microflow policer ACEs: 256
Flow SPAN ACEs: 512
Tunnels: 256
Control Plane Entries: 512
Input Netflow flows: 8192
Output Netflow flows: 16384
SGT/DGT entries: 4096
SGT/DGT Overflow entries: 512
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.
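A consistency check of the NAT statements in the configuration posted above, as an added example that is not part of the original thread: it verifies that the overload interface is marked `ip nat outside`, that every `ip nat inside` subnet is permitted by the NAT access list, and that the default gateway sits in the outside subnet. The function names are hypothetical, and the config excerpt is copied from the post with its lost indentation restored.

```python
import ipaddress
import re

# Excerpt of the running-config posted above; indentation restored (assumption)
# so that interface sub-commands can be told apart from global commands.
CONFIG = """\
interface GigabitEthernet1/0/46
 no switchport
 ip address 165.211.28.194 255.255.255.192
 ip nat outside
interface Vlan2
 ip address 192.168.122.1 255.255.255.0
 ip nat inside
ip nat inside source list 61 interface GigabitEthernet1/0/46 overload
ip route 0.0.0.0 0.0.0.0 165.211.28.193
access-list 61 permit 192.168.122.0 0.0.0.255
"""


def wildcard_network(addr, wildcard):
    """Turn an ACL address plus contiguous wildcard mask into a network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard masks are not handled here")
    base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - w.bit_length()))


def parse(config):
    """Collect interfaces, the PAT rule, standard ACLs and default gateways."""
    state = {"interfaces": {}, "pat": None, "acls": {}, "default_gw": []}
    current = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface" and not line.startswith(" "):
            current = state["interfaces"].setdefault(
                words[1], {"nat": None, "net": None})
        elif line.startswith(" ") and current is not None:
            if words[:2] == ["ip", "address"] and len(words) == 4:
                current["net"] = ipaddress.ip_interface(
                    f"{words[2]}/{words[3]}").network
            elif words[:2] == ["ip", "nat"] and len(words) == 3:
                current["nat"] = words[2]
        else:
            current = None
            m = re.fullmatch(
                r"ip nat inside source list (\S+) interface (\S+) overload",
                line.strip())
            if m:
                state["pat"] = (m.group(1), m.group(2))
            elif words[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"] and len(words) >= 5:
                state["default_gw"].append(ipaddress.ip_address(words[4]))
            elif (words[0] == "access-list" and len(words) >= 4
                  and words[1].isdigit() and 1 <= int(words[1]) <= 99
                  and words[2] == "permit"):
                # Standard ACLs only: "any", or an address with optional wildcard.
                if words[3] == "any":
                    net = ipaddress.ip_network("0.0.0.0/0")
                else:
                    net = wildcard_network(
                        words[3], words[4] if len(words) > 4 else "0.0.0.0")
                state["acls"].setdefault(words[1], []).append(net)
    return state


def check(config):
    """Return a list of inconsistencies between the NAT-related statements."""
    s = parse(config)
    if s["pat"] is None:
        return ["no 'ip nat inside source list ... overload' rule found"]
    acl, out_if = s["pat"]
    findings = []
    outside = s["interfaces"].get(out_if)
    if outside is None or outside["nat"] != "outside":
        findings.append(f"{out_if} is the overload interface but lacks 'ip nat outside'")
    permitted = s["acls"].get(acl, [])
    for name, ifc in s["interfaces"].items():
        if ifc["nat"] == "inside" and ifc["net"] is not None:
            if not any(ifc["net"].subnet_of(p) for p in permitted):
                findings.append(
                    f"{name} subnet {ifc['net']} is not permitted by access-list {acl}")
    if outside is not None and outside["net"] is not None:
        for gw in s["default_gw"]:
            if gw not in outside["net"]:
                findings.append(f"default gateway {gw} is not in {out_if} subnet")
    return findings


if __name__ == "__main__":
    print(check(CONFIG) or "NAT statements are mutually consistent")
```

An empty result only says the statements agree with each other; it does not show that the platform translates transit traffic.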
Similar Messages
-
Hi Everyone,
We have an ASA 5540 at our data center, with ASA 5505's at most remote sites.
At the sites without layer 3 switches behind the ASA 5505's, we can't reach the data center internal network through the ASA for flow-export, etc.
So, what I'm basically saying is, even though the tunnel is up and everything behind the branch ASA can reach the data center networks fine, the ASA itself cannot reach hosts on the data center network.
I'm hoping to configure these ASA 5505's so I can do flow export and SNMP logging from them, but without this routing or nat problem resolved, they just won't do it.
Doing a packet tracer from the ASA 5505 to the data center server I'm most focused on, reveals this:
BRANCH5505f01# packet input inside icmp 10.15.16.1 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
hits=1004755, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.15 255.255.255.255 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
I am thinking the problem is NAT related, but with the new ASA NAT rule format due to v9.1... struggling to get a grip on where it is... any thoughts/help are appreciated.
Ken
Here is the relevant config for the Branch ASA and also the relevant config from the data center ASA:
Branch ASA Config Parts:
: Saved
ASA Version 9.1(2)
hostname BRANCHASA5505
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description LAN_NETWORK
nameif inside
security-level 100
ip address 10.15.6.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address <outside ip> 255.255.255.248
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network BRANCH_NETWORKS
description BRANCH LOCAL NETWORKS
network-object 10.15.6.0 255.255.254.0
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network NETWORK_MGMT
network-object 10.0.0.0 255.0.0.0
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL remark * FOR VPN CONNECTION TO DATACENTER/VEYANCE NETWORKS *
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL extended permit ip host <outside ip> host <outside ip datacenter asa>
access-list DATACENTER_VPN_ACL extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_NONAT extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_FILTER extended permit tcp any4 any4 eq www
access-list INSIDE_FILTER extended permit tcp any4 any4 eq 8080
logging host inside 10.1.1.15
flow-export destination inside 10.1.1.15 2055
ip verify reverse-path interface inside
ip verify reverse-path interface outside
nat (inside,outside) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
nat (inside,outside) source dynamic any interface
object network obj_any
nat (inside,outside) dynamic interface
access-group FROM_OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 <outside ip gateway> 1
route outside 10.1.1.15 255.255.255.255 <outside ip datacenter asa> 1
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group <outside ip datacenter asa> type ipsec-l2l
tunnel-group <outside ip datacenter asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map type regex match-any DomainBlockList
match regex DomainList-Netflix
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map httptraffic
match access-list INSIDE_FILTER
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action log
class BlockDomainsClass
reset log
policy-map URL-filter-policy
class httptraffic
inspect http http_inspection_policy
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
class class-default
flow-export event-type all destination 10.1.1.15
service-policy URL-filter-policy interface inside
prompt hostname context
Datacenter ASA Config Parts:
ASA Version 9.0(1)
hostname DATACENTERASA5540
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface GigabitEthernet0/0
description *** TO OUTSIDE NETWORK AT DATACENTER ***
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address <outside ip>
interface GigabitEthernet0/1
description *** TO INSIDE NETWORK ***
nameif INSIDE
security-level 100
ip address 10.1.3.2 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network DATACENTER_NETWORKS
network-object 10.1.0.0 255.255.0.0
object-group network BRANCH_NETWORKS
network-object 10.15.6.0 255.255.254.0
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL remark * FOR SITE TO SITE VPN TO BRANCH WV USA *
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL extended permit ip host <outside ip> host <outside ip branch asa>
access-list BRANCH_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group BRANCH_NETWORKS
flow-export destination INSIDE 10.1.1.15 2055
flow-export template timeout-rate 1
flow-export delay flow-create 180
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
nat (INSIDE,OUTSIDE) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
access-group FROM_OUTSIDE in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 <outside ip> 1
route INSIDE 10.0.0.0 255.0.0.0 10.1.3.1 1
route OUTSIDE 10.15.6.0 255.255.254.0 <outside ip branch asa> 1
crypto map OUTSIDE-MAP 156 match address BRANCH_VPN_ACL
crypto map OUTSIDE-MAP 156 set pfs
crypto map OUTSIDE-MAP 156 set peer <outside ip branch asa>
crypto map OUTSIDE-MAP 156 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
tunnel-group <outside ip branch asa> type ipsec-l2l
tunnel-group <outside ip branch asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
flow-export event-type all destination 10.1.1.15
user-statistics accounting
service-policy global_policy global
smtp-server 172.19.1.137
prompt hostname context
call-home reporting anonymous
Again, any help you can provide is appreciated... will vote for best...
I ran it, with the source IP corrected (it is 10.15.6.2):
BRANCHASA# packet input inside icmp 10.15.6.2 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
hits=1203279, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.15/0 to 10.1.1.15/0
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.15.6.0 255.255.254.0 inside
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Static translate 10.15.6.2/0 to 10.15.6.2/0
Forward Flow based lookup yields rule:
in id=0xcb12f2f0, priority=6, domain=nat, deny=false
hits=15824, user_data=0xcb0fdef8, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcaa712e0, priority=0, domain=nat-per-session, deny=true
hits=77610, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bc128, priority=0, domain=inspect-ip-options, deny=true
hits=91404, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bbc28, priority=66, domain=inspect-icmp-error, deny=false
hits=4585, user_data=0xcb0bb238, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb0c1218, priority=70, domain=encrypt, deny=false
hits=708, user_data=0xbf63c, cs_id=0xcb9ad918, reverse, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb12fb00, priority=6, domain=nat-reverse, deny=false
hits=15837, user_data=0xcb124438, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 143081, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow -
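The difference between the two packet-tracer runs above can be reproduced with a small model of the reverse-path check, given here as an added example that is not part of the original thread. It is a simplification: it uses only the routes visible in the branch ASA config (the redacted `<outside ip>` connected subnet is left out), and the function names are hypothetical.

```python
import ipaddress

# Routes taken from the branch ASA config on this page.
BRANCH_ROUTES = [
    ("10.15.6.0/23", "inside"),    # connected: ip address 10.15.6.1 255.255.254.0
    ("10.1.1.15/32", "outside"),   # route outside 10.1.1.15 255.255.255.255 ...
    ("0.0.0.0/0", "outside"),      # route outside 0.0.0.0 0.0.0.0 ...
]
# Interfaces with "ip verify reverse-path interface ..." configured.
URPF_INTERFACES = {"inside", "outside"}


def longest_match(routes, address):
    """Return (network, interface) of the most specific route covering address."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def trace(routes, ingress, src, dst, urpf=URPF_INTERFACES):
    """Model the destination lookup and the reverse-path check for one packet."""
    fwd = longest_match(routes, dst)
    if fwd is None:
        return {"action": "drop", "reason": "no-route"}
    rev = longest_match(routes, src)
    result = {
        "egress": fwd[1],
        "dst_route": str(fwd[0]),
        "src_route": str(rev[0]) if rev else None,
        "src_interface": rev[1] if rev else None,
    }
    # Reverse-path check: the best route back to the source must point out of
    # the interface the packet arrived on, otherwise the packet is dropped.
    if ingress in urpf and (rev is None or rev[1] != ingress):
        result.update(action="drop", reason="rpf-violated")
    else:
        result.update(action="allow", reason=None)
    return result


def compare_runs():
    """Replay the two traces from the thread: mistyped source, then corrected."""
    first = trace(BRANCH_ROUTES, "inside", "10.15.16.1", "10.1.1.15")
    second = trace(BRANCH_ROUTES, "inside", "10.15.6.2", "10.1.1.15")
    return first, second


if __name__ == "__main__":
    for run in compare_runs():
        print(run)
```

The first source address, 10.15.16.1, lies outside 10.15.6.0/23, so its best return route is the default route via outside and the check fails on the inside interface.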
ASA5512 iOS 9.3 inside nat problem
Hi,
I am facing a NAT problem. I have an ASA5512 (iOS 9.3); it connects outside (ip: 37.10.1.2/29) for internet and inside (ip 10.78.61.1/24) for LAN and server.
I configured dynamic NAT for internet and it works. The LAN switch has 4 VLANs, one of them a server VLAN with IP address 10.88.61.0/24.
Now I map a public IP 37.10.1.3 to server 10.88.61.10, and from the outside internet it works. But when I try to ping the server's public IP 37.10.1.3 from the LAN it does not ping, while the server's local IP 10.88.61.10 does ping from the LAN.
How can I solve this issue? I need to ping the public IP from the LAN. All LAN VLANs are NATed on the ASA outside interface (ip: 37.10.1.2/29).
interface GigabitEthernet0/0
description #### Connect TO Internet ####
nameif outside
security-level 0
ip address 37.10.1.2 255.255.255.248
interface GigabitEthernet0/1
description #### Connect TO Core Switch ####
nameif inside
security-level 100
ip address 10.78.61.1 255.255.255.0
access-list outside-in extended permit ip any any
access-group outside-in in interface outside
access-group outside-in in interface inside
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_Ser
host 10.88.61.10
object network obj_Ser_WAN
host 37.10.1.3
nat (inside,outside) source static obj_Ser obj_Ser_WAN
object network obj_any
nat (inside,outside) dynamic 37.10.1.4
same-security-traffic permit intra-interface
Thanks
Afzal
Hi,
Try this NAT:-
nat (inside,inside) source static obj_Ser obj_Ser_WAN
Thanks and Regards,
Vibhor Amrodia -
Problem with vtp on catos-switches
connected are three switches:
| vtp |
| server |
| cat or ios |
|
|
| vtp | C3750 or C4506
| client |
| ios |
|
|
| vtp | C2948-GE-TX or C2980
| client |
| catos |
1) when the ios-vtp-client restarts after power failure, everything works fine.
2) when the catos-vtp-client restarts after power failure, everything works fine, too.
3) if both (ios-vtp-client and catos-vtp-client) restart after power failure at the same time the catos-vtp-client-switch loses its connection/vlan database.
the reason seems to be that the catos-switch is faster in power up and couldn´t connect the vtp-server after booting.
If you change the vlan-database on the vtp server after both switches are running, the catos-switch learns its vlan database and everything works fine, without change in the vlan database the switch is still out of order.
workaround: configure every catos-switch behind an ios-switch in vtp-server mode
is there another solution for my problem?
thanks and regards
bjoern
Not sure of the issue; see if the following link helps:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84bf.html -
Hey
I am running a 17 inch imac and experiencing some trouble with my bittorrent client Azureus.
I simply never get the green smiley face. I read the wiki-help from Azureus and confirmed by using their instructions that I do have a NAT problem. I have no firewall running. I did continue reading the explanation in the Wiki but it seems to be PC oriented. Can anybody give me some good info to fix this problem?
By the way will my downloads be faster when I do use a correctly configured NAT?
Samuel
PS I am not using a router, just an ADSL modem.
I had the same problem but turned off my firewall, opened the port 59981, turned my firewall back on & it worked straightaway; my d/l speed shot up from 20kb to 280kb. My only problem now is that when I am running Azureus my internet connection sometimes drops and the only way round it seems to be turning off my Mac & cable modem and rebooting. I'm on Telewest Blueyonder cable with a Webstar cable modem and it only happens when I'm using Azureus.
Very frustrating!! -
Hi,
I recently got myself an Apple iPhone 5s (factory unlocked) phone from the US. However, on using the same in India with Vodafone, I am facing a problem where the connectivity keeps switching to EDGE most of the time. I have a 3G plan but most of the time it switches automatically to EDGE. That's when I have to switch Airplane mode On/Off and then it acts normal. Any permanent solutions to fix this problem?
Return the iPhone personally or via friend/relative/co-worker who is in
the US. The warranty is valid only in the country of original purchase - the USA
in this case. Apple will not accept international shipments for evaluation nor
will Apple ship out of the country after repair/replacement.
How did the iPhone from the US get to you in India? Reverse that process to
get it back to the US so someone can take it into Apple. -
Open NAT problems with Xbox One .
When I first got my 1900ac I used Media Prioritization to get an open NAT for Call of Duty Advanced Warfare on my Xbox One, prioritizing the Xbox. It worked fine for about 6 months until I changed cable/net provider to Nextech in Ks. This company uses the 1900ac to hook up its system for all its customers (since I already had one they're using mine). Unfortunately I'm unable to get an open NAT in this game anymore; I've tried just about everything: NAT forwarding, triggering, Media Prioritization. Nextech support & Xbox Live support, useless. Tried Portforward.com, nothing. Forwarding port 53 cuts off net connection & doing the static ip change for Xbox didn't help. Almost everything I've looked at seems out of date & I'm at my wits' end. It would seem by now Linksys should have solutions available, any ideas?
Thank you chin_pamz13 for your response. I tried to check if my modem had a public or private ip address but I'm not sure how to do that; I've read about double NATs elsewhere. Regardless, I think I've finally found a solution that seems to be working so far. I went to the website "tech-recipes.com" & found an article, "Xbox One open NAT" by Aaron St. Clair. I tried his first suggestion about port triggering, with extra ports I hadn't seen before. That did not work for me so I followed his instructions for putting the Xbox in the DMZ & it's working! I think my problems from before were the result of improperly setting up the static ip address for my router & Xbox. Previous instructions had me changing the ip in the console along with the router; Aaron said not to do so in the Xbox, let the router do the work it's supposed to do & make sure the settings in the console are on automatic. In the router at the DMZ, I wasn't sure how to proceed, but at the bottom is a section labeled DHCP reservations list; clicked on that, saw XboxOne, clicked on that & it filled out the MAC address above for me. Then I went to the Xbox network settings, advanced settings & clicked "automatic" at ip address, subnet & DNS. I checked multiplayer connections & did the "hold bumper & trigger buttons" trick & finally got an open NAT; fired up CoD Advanced Warfare & got the open NAT there also. I may have screwed up when I did the port triggering but since the DMZ fix seems to work I'm going to leave things alone. Hope this helps others with open NAT problems.
-
Why can't you get an open NAT with PS3? It is always on moderate. How do you get it to open?
This link should help.
NAT Problems on games consoles and computers
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones. -
I'm new to Macbook Pro, and never imagined I would have problems saving bookmarks when I switched to Mac. Any suggestions with this issue? I have Safari 6.0.4, and has Apple come up with a permanent fix?
Triple-click the line below to select it:
~/Library/Safari/Bookmarks.plist
Right-click or control-click the highlighted line and select
Services ▹ Show Info
from the contextual menu.* An Info dialog should open.
Does the dialog show "You can read and write" in the Sharing & Permissions section?
In the General section, is the box labeled Locked checked?
What is the Modified date?
*If you don't see the contextual menu item, copy the selected text to the Clipboard (command-C). Open a TextEdit window and paste into it (command-V). Select the line you just pasted and continue as above. -
I have an 8 year old G5 / OS X 10.4.11, what kind of problems will I have now switching from Mobileme to iCloud?
You can migrate to iCloud, but the only thing you will be able to do is access email, and you will have to set Mail up manually to do this:
Entering iCloud email settings manually in Tiger
This is worth doing to maintain your email address, but you won't be able to sync calendars, contacts or bookmarks. Your calendars and contacts will be removed from MobileMe (though not from your Mac) and won't appear on the iCloud website. -
3650 Switch Stack IP Base and LAN Base Software
Hello All,
I will have a 3 stack of 3650's. One switch will have the IP base image and the other two will have a LAN base image. I have read that all switches in the stack must have the exact image. If I have an IP based image and a LAN based image with the exact IOS version number, will the stack still work?
Thanks for your help
Take a look at this doc:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3650-series-switches/qa_c67-729531.html
Q. What are the license requirements for a Cisco Catalyst 3650 switch stack?
A. In a Cisco Catalyst 3650 stack, all switches should be at the same image-based license (IP Services/IP Base/LAN Base) level. The active switch license level is considered as the reference, and the member switch licenses are compared against it. If there is a mismatch, the active switch with the syslog message “license mismatch error” indicates that the stacking was unsuccessful.
Q. How is a “license mismatch error” fixed in a Cisco Catalyst 3650 stack?
A. The license level of the mismatched stack member switch can be changed with the license right-to-use activate <license> all acceptEULA CLI command (entire stack should have the same wired license level) and reloaded from the active switch console. This will enable the member switch to join the stack successfully. The customer has to purchase a license before moving to a specific license level.
Q. What happens after 90 days of activating an evaluation RTU license?
A. An evaluation RTU license EULA expects that customers will purchase a permanent license within 90 days. After 90 days the evaluation license will not be valid. Warning syslog messages about the evaluation license expiration are generated 10 and 5 days before the 90-day window ends. Warning syslog messages are generated every day after the 90-day period. The expired evaluation license continues to function with the daily syslog messages until the switch is reloaded. The expired evaluation license cannot be reactivated after the reload.
Thank you for rating helpful posts! -
Anyone having problems with the on/off switch
anyone having problems with the on/off switch. It sometimes does not work, I occasionally have to pull the plug out and replug then hit the button and it goes on?
Out of the 100+ millions of iPhone, I'm sure there are many people that have that same problem. If you do, you have a 1 year warranty... take it in before it runs out.
-
Xbox360 WRT54GS ver. 6 NAT problems
My Xbox 360's NAT is set to strict and prevents me from connecting with a lot of other players, and my wireless router is a WRT54GS ver. 6.
For an Xbox 360 having a NAT problem... you need to call Xbox to ask for the port numbers to open... now if your ISP is DSL then call them up and set the modem to bridge to set the rtr to PPPoE... in this way we will be able to eliminate the multiple NAT issues and for your Xbox to work...
CamZ -
Two VLANs on same Switch with NAT problem.
Hello all.
I have a few Cisco devices at home that I am using to study from. For now, on this little setup, I am using a 2620XM and a 3500XL switch. I have two VLANs set up on the switch, VLAN 10 and VLAN 20, using router on a stick. I have set up the inside and outside interfaces. I have fa1/0 as my outside with a DHCP address of 192.168.1.10. I have also set up my internet router to see networks 172.20.0.0/24 and 172.20.1.0/24. I am able to ping back and forth from 192.168.1.0/24 to both networks. The issue comes when I try to apply NAT. I have tried two different setups and both have failed. I have two ping windows open on my PC on the 192.168.1.0/24 side, both hitting VLAN 10 and 20. Once I apply either NAT solution I lose ping on one VLAN while still pinging the other, but both VLANs can't go out to the internet. Below are the NAT solutions I have tried, and also the running config for both router and switch. If anybody can assist I would really appreciate it.
NAT Solution 1
ip nat pool INET 192.168.1.10 192.168.1.10 netmask 255.255.255.0
ip nat inside source list 1 pool INET overload
access-list 1 permit any
NAT Solution 2
ip nat inside source list 100 interface fa1/0 overload
access-list 100 permit ip any any
Router config
R1#sh run
Building configuration...
Current configuration : 1470 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname R1
boot-start-marker
boot-end-marker
enable secret
no aaa new-model
ip subnet-zero
ip cef
interface FastEthernet0/0
no ip address
duplex auto
speed auto
interface FastEthernet0/0.5
encapsulation dot1Q 5 native
ip address 172.16.1.6 255.255.255.248
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 172.20.0.254 255.255.255.0
ip nat inside
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 172.20.1.254 255.255.255.0
ip nat inside
interface Serial0/0
no ip address
shutdown
interface Serial0/1
no ip address
shutdown
interface Serial0/2
no ip address
shutdown
interface Serial0/3
no ip address
shutdown
interface FastEthernet1/0
ip address dhcp
ip nat outside
duplex auto
speed auto
no cdp enable
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.7 area 0
network 172.20.0.0 0.0.0.255 area 0
network 172.20.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
no ip http server
ip classless
line con 0
exec-timeout 0 0
password
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 0 0
password
logging synchronous
login
line vty 5 181
exec-timeout 0 0
password
logging synchronous
login
end
Switch Config
SW1#sh run
Building configuration...
Current configuration:
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname SW1
ip subnet-zero
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport trunk allowed vlan 1,5,10,20,1002-1005
switchport mode trunk
interface FastEthernet0/2
interface FastEthernet0/3
interface FastEthernet0/4
switchport access vlan 10
interface FastEthernet0/5
switchport access vlan 10
interface FastEthernet0/6
switchport access vlan 10
interface FastEthernet0/7
switchport access vlan 10
interface FastEthernet0/8
switchport access vlan 10
interface FastEthernet0/9
switchport access vlan 10
interface FastEthernet0/10
switchport access vlan 10
interface FastEthernet0/11
switchport access vlan 10
interface FastEthernet0/12
switchport access vlan 20
interface FastEthernet0/13
switchport access vlan 20
interface FastEthernet0/14
switchport access vlan 20
interface FastEthernet0/15
switchport access vlan 20
interface FastEthernet0/16
switchport access vlan 20
interface FastEthernet0/17
switchport access vlan 20
interface FastEthernet0/18
switchport access vlan 20
interface FastEthernet0/19
switchport access vlan 20
interface FastEthernet0/20
switchport access vlan 20
interface FastEthernet0/21
switchport access vlan 20
interface FastEthernet0/22
switchport access vlan 20
interface FastEthernet0/23
shutdown
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/24
shutdown
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/1
interface GigabitEthernet0/2
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
interface VLAN5
ip address 172.16.1.1 255.255.255.248
no ip directed-broadcast
no ip route-cache
ip default-gateway 172.16.1.6
line con 0
transport input none
stopbits 1
line vty 0 4
login
line vty 5 15
login
end
You need to change your acl because NAT doesn't usually work with "any" as the source.
I tend to use extended acls so -
access-list 101 permit ip 172.20.0.0 0.0.0.255 any
access-list 101 permit ip 172.20.1.0 0.0.0.255 any
and then use your second solution ie. overload on the interface.
If you find you cannot ping between your vlans then you need to modify the above acl to deny traffic between the vlans/IP subnets then permit any as above but it should work without doing that.
Jon -
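A small config check for the point made in the reply above, added here as an example and not taken from either poster: it finds the numbered ACLs that `ip nat inside source list` statements reference and flags permit entries whose source is `any`. The function names and the sample config are constructed for illustration; named ACLs are not handled.

```python
import re

# Constructed sample, modelled on the NAT and ACL lines quoted in the thread.
SAMPLE = """\
interface FastEthernet1/0
 ip nat outside
ip nat inside source list 100 interface fa1/0 overload
ip nat inside source list 101 interface fa1/0 overload
access-list 100 permit ip any any
access-list 101 permit ip 172.20.0.0 0.0.0.255 any
access-list 101 permit ip 172.20.1.0 0.0.0.255 any
"""

def is_standard(acl_id):
    """Numbered standard ACL ranges on IOS."""
    return 1 <= acl_id <= 99 or 1300 <= acl_id <= 1999

def source_of(acl_id, rest):
    """Return the source field of a numbered ACL entry ('' if missing)."""
    tokens = rest.split()
    # Standard entries start with the source; extended ones with the protocol.
    index = 0 if is_standard(acl_id) else 1
    return tokens[index] if len(tokens) > index else ""

def audit_nat_acls(config):
    """Return (acl_id, message) findings for ACLs used by NAT rules."""
    acls, nat_lists = {}, set()
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ip nat inside source list (\d+)\b", line)
        if m:
            nat_lists.add(int(m.group(1)))
        m = re.match(r"access-list (\d+) (permit|deny) (.+)", line)
        if m:
            acls.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3)))
    findings = []
    for acl_id in sorted(nat_lists):
        if acl_id not in acls:
            findings.append((acl_id, "referenced by NAT but not defined"))
            continue
        for action, rest in acls[acl_id]:
            if action == "permit" and source_of(acl_id, rest) == "any":
                findings.append((acl_id, "permit with source 'any'"))
    return findings

if __name__ == "__main__":
    for acl_id, message in audit_nat_acls(SAMPLE):
        print(f"access-list {acl_id}: {message}")
```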
Airport wifi problems with uverse and gigabit switch resolved
I think there is a bug in airport firmware 7.6 with how spanning tree works in addition to problems with the Uverse router. Having an Airport with a uverse 2wire 3801 and gigabit switch will not work. Putting the extreme in NAT mode with DMZ plus behind the uverse resolved the problem.
Network configuration:
Uverse 2wire 3801 router
3801 provides prioritization for upstream traffic so skype and VoIP work better when doing a lot of stuff on Internet
Airport extreme firmware 7.6
two airport express 802.11n hardwired to extreme. Set up in bridge mode. All access points have same SSID "create a network" to enable roaming. Ignore anything to do with extending a network. firmware 7.6
two gigabit switches
Netgear GS608 - 8 port gigabit switch
Trendnet TEG-S80g - 8 port gigabit switch
100BT 5 port switch - did not figure into problem
Three Uverse set top boxes wired on Ethernet. They have to be wired directly to the 2wire box to work correctly. See: http://forums.att.com/t5/Features-and-How-To/At-amp-t-U-Verse-modem-setup-Airport-Extreme/td-p/2300785
However, you need to be careful to place your own PCs and other internet devices on the network created by your gear (airport extreme in your case), but keep AT&T's set top boxes for the IPTV services IN FRONT of your own router - so they remain on AT&T's provided network.
So it would work like this ...
Network 1: 2wire RG (4 lan ports) -> Any Set tops, and to the WAN port on your AirportExtreme
Network 2: Airport Extreme LAN ports -> to any computers or internet devices (but not AT&T set top boxes).
The RG prioritizes the traffic for your Uverse Voice and your Uverse TV ahead of internet data traffic, as it rationalizes data heading out of your home. If you place your own equipment in that equation (like putting AT&T set top boxes behind your Airport Extreme) the performance and function of your AT&T set top boxes could really flake out on you.
Symptom:
Everything would be working fine, then intermittently all my wifi access points would stop working. ~6,000 ms latency, dropped packets. Ethernet worked fine. Here is an example of my macbook pinging the extreme when associated with the extreme over wifi with a strong signal.
ping: sendto: Host is down
Request timeout for icmp_seq 23
Request timeout for icmp_seq 24
64 bytes from 192.168.1.64: icmp_seq=25 ttl=255 time=267.051 ms
Request timeout for icmp_seq 26
Request timeout for icmp_seq 27
Request timeout for icmp_seq 28
64 bytes from 192.168.1.64: icmp_seq=26 ttl=255 time=3402.599 ms
Request timeout for icmp_seq 30
Request timeout for icmp_seq 31
Request timeout for icmp_seq 32
64 bytes from 192.168.1.64: icmp_seq=30 ttl=255 time=3060.673 ms
64 bytes from 192.168.1.64: icmp_seq=34 ttl=255 time=24.115 ms
64 bytes from 192.168.1.64: icmp_seq=35 ttl=255 time=31.056 ms
64 bytes from 192.168.1.64: icmp_seq=36 ttl=255 time=39.828 ms
Root cause:
It looks like the 2wire 2801 router has a problem with spanning tree when interoperating with gigabit switches and airports. There is interplay with the airport.
I did not have this problem until the 7.6 airport firmware. I had been using the Netgear hub for about a year with the extreme in bridge mode. I added the Trendnet hub and upgraded airport firmware at the same time which made fault isolation difficult.
Problem recreation:
Set up airport expresses hard wired to extreme
Connect gigabit switch anywhere to network
Everything OK
Detach one computer from wifi then reattach, then all wifi stops working. It takes a few seconds for the problem to propagate.
Ethernet still works fine
Problem Resolution:
Connect to 2wire with ethernet
Set 2wire route to have subnet as 192.168.2.x
Set extreme in NAT mode behind 2wire. It will complain about double NAT. Override the warning. Set the subnet to 192.168.1.x so you don't have to change any static IP addresses. Note that 2wire uses 192.168.1.254 as default route whereas airport uses 192.168.1.1.
I set DHCP to start at .10 to leave the lower addresses for assigning static IP addresses to computers I want to expose outside the firewall.
Go into firewall settings. Select airport extreme. Select the bottom setting which is "DMZ Plus". When you go into the airport extreme settings, you will now see that it has the uverse public IP address on its WAN port. NAT port mappings work fine on the extreme behind the 2wire router.
Keeping this very short here is a summary of the actual problem and solution to allow your Apple Airport Extreme to run in Bridge mode on the same subnet as your uVerse settop boxes (if your Layer 2 switch is configurable).
Devices: Uverse, Cisco SG300, and Airport Extreme
uVerse uses Multicast to broadcast video streams between the uVerse network to the settop box, and from settop box to settop box.
X number of Multicast Groups are created based on X number of settop boxes you have. You can see the multicast definitions by logging into the webinterface of the iNid. Each settop box is a member and can choose to display a broadcasted TV stream or not.
Multicast membership is setup by the use of ICMP messages for IPv4 (MLD for IPv6). Each of the settop boxes become members of each others multicast group by reporting up to the iNid (MultiCast Proxy).
In an ideal world a layer 2 switch will track these memberships and only forward a broadcast packet to the ports on the switch to which the settop boxes are connected. The switch would do this via snooping on the ICMP packets. Most switches do not do this by default and simply forward the broadcast packet out every one of its switch ports.
Herein lies the problem. The problem is that the Apple AES doesn't do ICMP snooping / filtering and floods the wireless network with these broadcast streams.
In order to fix this you must turn on ICMP snooping and filtering on the switch (or buy a switch that does this). I have a Cisco SG300 and list out the configuration below.
Other notes:
Ensure that all Media renderers (settop boxes) and servers are wired directly off the switch and not attached to any of the Airport Express ports. This way no media transverses the Airport (only control point traffic goes through the WiFi - which is fine). Obviously if the IGMP snooping switch sees any client requesting Multicast streaming traffic on the same port as the WAP, it will add that Multicast address to the forwarding table for that port, and then, yes it could get flooded.
Remember, you need to allow some Multicast traffic through your WAP to allow UPnP discovery to work (assuming that you will be using Wireless control points.)
Read the Multicast chapter in the SG 300 switch Admin Guide as it explains things very well.
Setting up multicast on the SG300s using the WebUI:
1. Multicast/Properties/
Tick enable Bridge Multicast Filtering Status for VLAN 1, and
set the Forwarding Method to IP Group Address for both IPv4 & IPv6.
2. Multicast/ IGMP snooping/
Tick enable IGMP snooping status then select and edit the entry and ensure that IGMP querier status is ticked.
It's essential for IGMP snooping to work that there must be at least one active IGMP querier on the network - if more than one is enabled, they will carry out an "election" to decide which one should be active (normally the one with the lowest IP address.)
3. Multicast Router Port
Set whichever port is connected to the uVerse iNid to Status, which means that the uVerse router connected to this port is the Multicast Router
4. Multicast/ Unregistered Multicast
set all ports to Filtering. (The default is Forwarding.)
There are a lot of other variables within all the above - the defaults are OK, you should probably leave them alone!
In the config file you would then expect to see the above appearing as something like this:
ip igmp snooping
ip igmp snooping vlan 1
ip igmp snooping vlan 1 immediate-leave
interface vlan 1
bridge multicast mode ipv4-group
bridge multicast ipv6 mode ip-group
interface range gi1-10
bridge multicast unregistered filtering
ip igmp snooping vlan 1 querier
ip igmp snooping vlan 1 querier address <IP-Addr>
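The forwarding behaviour the steps above configure, as a simplified model added here (not the switch's own logic and not from the original post): multicast for a group with known members goes only to member ports and the multicast router port, and unregistered multicast is dropped on ports set to Filtering. The port names, topology and group address are constructed.

```python
class SnoopingSwitch:
    """Simplified model of a layer 2 switch doing IGMP snooping on one VLAN."""

    def __init__(self, ports, router_port, snooping=True, filtering_ports=()):
        self.ports = set(ports)
        self.router_port = router_port               # port facing the multicast router
        self.snooping = snooping
        self.filtering_ports = set(filtering_ports)  # unregistered multicast dropped here
        self.members = {}                            # group -> ports that sent a report

    def report(self, port, group):
        """A host on `port` joined `group` (IGMP membership report seen)."""
        self.members.setdefault(group, set()).add(port)

    def leave(self, port, group):
        """Immediate-leave: remove the port as soon as its leave is seen."""
        self.members.get(group, set()).discard(port)
        if not self.members.get(group):
            self.members.pop(group, None)

    def egress(self, ingress, group):
        """Ports a multicast frame for `group` arriving on `ingress` is sent to."""
        if not self.snooping:
            out = set(self.ports)                    # flooded like a broadcast
        elif group in self.members:
            out = self.members[group] | {self.router_port}
        else:
            out = self.ports - self.filtering_ports
        return sorted(out - {ingress})


# Constructed topology: gi1 = iNid, gi2/gi3 = set-top boxes, gi4 = wireless AP.
PORTS = ["gi1", "gi2", "gi3", "gi4"]
STREAM = "239.1.1.1"  # constructed group address

def demo():
    """Return egress ports: no snooping, snooping with one member, after leave."""
    flood = SnoopingSwitch(PORTS, "gi1", snooping=False)
    snoop = SnoopingSwitch(PORTS, "gi1", filtering_ports=PORTS)
    snoop.report("gi2", STREAM)
    joined = snoop.egress("gi1", STREAM)
    snoop.leave("gi2", STREAM)
    return flood.egress("gi1", STREAM), joined, snoop.egress("gi1", STREAM)

if __name__ == "__main__":
    print(demo())
```

Without snooping the stream reaches the access point port gi4; with snooping and filtering it reaches only the set-top box that joined.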