New nat issue

Never had this happen before. Installed Border in a lab setting..nw6.5
sp1a overlay cd, then border 3.8, then sp2 then tcp645j...
The first thing I always try to do is get dynamic NAT working then I
worry about the proxy services and so on. Opened icmp all the way so I
could test ping.
Server can ping both its public and private interface, and can ping
points beyond on both sides of those two interfaces.
Workstation can ping border's private and public IP's but nothing beyond
the public IP. Traceroute never returns anything. Seems like Nat just
isn't working. Turned it off and back on...no help there.
I've set this up many times in outerlying offices and in my lab...for
some reason this time it won't work. I've even blown it out and redone
my set up from the beginning...same thing....Yes, dynamic nat passtru is
set on....
Tried to do the tcpip debug = 1 thing...the packets rolled off logger
such that I could not get an F2 to save a darn thing....You wouldn't
think a brand new box would have all that much traffic just yet...
Version of NAT is 7.00.07, trying very hard to understand what's going
on here. Ideas on why nat won't work?

Jim Michael wrote:
> jim fixit wrote:
>
>
>>nw65 sp1a as indicated, bm 3.8sp2 not happy together....
>
>
> I'm running that combo here (sanem NAT.NLM too), and don't have the NAT
> issue you describe.
>
> --
> Jim
> NSC SYsop
hmm yes...I'm running a similar set up in a number of branch offices so
I'm really hard pressed to understand what is with NAT or if it is even
NAT at all that is having the issue.....

Similar Messages

  • NAT issue - WRT54G Version 1.1 with Vista Home Premium

    Router = WRT54G Version 1.1
    I am trying to figure out the cause of my problems, this router or Vista?
    I have 2 PC’s (just want to use my Vista 1) connected to the same router that is connected to a cable modem – the Windows XP machine has no problems bar its age and spec. I have a brand new PC with Vista Home Premium installed on it, now it is this new PC that I am having NAT problems with and port blocking.
    I have installed Windows Live Messenger and when setting it up I went into Tools/Options/Connections and I get an error message:- "You are connected to the internet through a UPnP port restricted NAT. The Windows Firewall is enabled. (User)"
    I have no option to run the trouble shooter (greyed out)…….
    If I turn off Windows Vista Firewall I get:- "You are connected to the internet through a UPnP port restricted NAT. (User)”
    Since this I have installed Media server software and have to reset the port it uses every time as it is always stating that it is blocked.
    I have downloaded OpenOffice via a torrent client which also stated that I had NAT problems.
    I have no NAT issues at all on my older XP PC and as a result I believe it is safe to rule out my router and modem……..I have only disabled Windows Firewall and this had made no difference, but I have not tried uninstalling it (no idea if that would make a difference)
    Oh, I do not have UPnP enabled (router setting) – does this matter (I have tried turning it on but made no difference to this issue so I turned it off again)?
    Message Edited by jomuir on 08-23-2007 02:50 AM

    user11241256 wrote:
    Documentation states that Oracle is supported on Vista business and Ultra. Unfortunately I have Home Premium 64 and was curious if anyone had experience installing on this OS. I did attempt to install the 11g and I got one warning below that I could not find in the documentation for errors. You have answered your query yourself.
    You might be able to get the things running on an unsupported combination but there is no guarantee about the stability.

  • Dynamic PAT and Static NAT issue ASA 5515

    Hi All,
    Recently we migrated our network to ASA 5515. Since we had configured nat pool overload on our existing router, the users are able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use the Dynamic PAT (Hide), all users are able to translate to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the static NAT is not able to translate. Can anyone explain if there's any conflict with PAT and static NAT? I appreciate your response. Thanks!
    - Bhal

    Hi,
    I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
    The very basic configuration for Static NAT and Default PAT I would do in the following way:
    object network STATIC
    host
    nat (inside,outside) static dns
    object-group network DEFAULT-PAT-SOURCE
    network-object
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
    This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
    You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
    https://supportforums.cisco.com/docs/DOC-31116
    Hope this helps
    - Jouni

  • Console Gaming - NAT Issues - Workaround and Solut...

    I've already used the BT Broadband Contact Us, to raise this issue. They said it was beyond them and that they'd forward me an address for a technical forum. They've not managed to do so yet, so I'm trying here.
    Problem:
    NAT hole punching regularly fails between peers/players, manifests as "Cannot chat to player due to NAT Issues" on many different broadband routers.
    TL/DR:
    The BT Home Hub iptables INPUT chain should have a default action of DROP and not REJECT.
    Long Version:
    I'm a network engineer and programmer analyst and have been for approaching two decades. I'm also a gamer. I'm regularly frustrated by NAT Issue errors while trying to play online games with my friends.
    Frustrated for so long, we decided to start analysing the problem. Using packet captures and simulations, we have reproduced the problem and identified dubious logic in the netfilter conntrack module in the Linux kernel.
    When it works:
    When using a Playstation 4 to play Destiny, using either in-game or PS Party chat, each console uses a NAT discovery service to find its external IP address and make an educated guess as to whether there is port translation.
    At the end of this process, each Player Console receives IP/Port pairs for the other players, they then emit UDP from their desired port to the IP/Port pair of each of the other Players. These UDP packets pass through their NATing routers and establish conntrack entries for the source ip/port, destination ip/port and protocol (here on referred to as five-tuple) with NAT associations with the console's LAN ip address and port; this is the hole-punching.
    All being well, each players console has created an association for each of the other players packets to come back through and then they are able to send each other data on these ports.
    When it doesn't work:
    However, here's the race condition: if player B's packet reaches player A's router before player A has sent theirs, there is no NAT association, no conntrack entry for the 5-tuple. The incoming packet is instead considered as intended for the router.
    The iptables configuration on the router says that the packet is not allowed and REJECTs it, sending an ICMP destination unreachable packet in response. This reply is then inspected by conntrack, which decapsulates it and erroneously creates a conntrack entry for the 5-tuple.
    Now when Player A's console does manage to send its own hole punching UDP packet, the 5-tuple for the desired hole is associated with the router's ICMP destination-unreachable. So Player A's packet can't have the desired port number and is renumbered to the first available port (e.g. 1025). Player B's subsequent packets to A follow the conntrack entry started by the ICMP destination-unreachable and are sent to the router which continues to reject them.
    How to fix this mess
    Linux conntrack
    Arguably the decapsulation of the ICMP payload and the usage of it to create a conntrack entry is erroneous. The ICMP unreach should not stop the port from being used by a NAT client.
    This will take a long time to fix and when fixed may never be back-ported to home routers which may never see new firmware again anyway.
    Modify the routers configuration
    If the router dropped instead of rejecting the traffic (relatively simple administrative task given appropriate access), the ICMP destination-unreachable wouldn't be generated, conntrack wouldn't create the erroneous entry and then even if Player B's packets arrived before Player A had sent theirs, it would still work.
    Disable the "firewall" and put your console in the "DMZ"
    These are terms borrowed from the Home Hub 3 admin interface. If you set your console as the "DMZ", it will receive any internet traffic that isn't associated with an already established flow. Actually at this point I'm not certain whether or not you *have* to set the "firewall" to disabled. It depends on how the "firewall" is implemented.
    On my console disabling the firewall and setting the console to be the DMZ works around the problem. However, you can only have one default NAT target. So any other device suffering from this problem would be out of luck without you reconfiguring your router each time. Also I'm not thrilled by my console receiving unfiltered internet traffic.
    In closing
    Race-conditions depend on timings. This one is exacerbated by low latency between players. In this case the difference between server<->PlayerA and server<->PlayerB latencies has to be lower than the PlayerA<->PlayerB latency. If PlayerA and PlayerB have low latency between each other they are more likely to suffer from this problem.
    Please, please, please bring this to the attention of someone who is responsible for the configuration of your routers. A simple configuration change on the HomeHub would prevent this problem from happening and remove the need for customers to add special configuration to their router which lowers their security.
    Thanks for reading.
    Matt
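    The race Matt describes can be replayed in a few dozen lines. The model below is an added illustration for this page, not Matt's capture data and not the Home Hub firmware: a toy router with one console behind it, a conntrack table keyed by the WAN-side 5-tuple, and an INPUT policy of either REJECT or DROP. All addresses and the port 3074 are constructed. With REJECT, B's early packet leaves behind a conntrack entry owned by the router, A's hole punch is pushed to port 1025, and B's retry is rejected again; with DROP, the same sequence delivers B's retry to the console. Real conntrack has timeouts and a richer port-allocation policy that are left out here.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tuple5:
    """Five-tuple as seen on the router's WAN side (constructed model, UDP only)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


ROUTER_ITSELF = ("router", 0)   # conntrack owner recorded for the ICMP-unreachable entry


class HomeRouter:
    """Toy NAT router: one LAN console behind it, an INPUT chain policy, a conntrack table.

    conntrack maps the WAN-side tuple (peer -> wan_ip:port) to the LAN endpoint that owns
    the mapping, or to ROUTER_ITSELF when the entry came from a rejected inbound packet.
    """

    def __init__(self, wan_ip: str, input_policy: str):
        assert input_policy in ("DROP", "REJECT")
        self.wan_ip = wan_ip
        self.input_policy = input_policy
        self.conntrack: Dict[Tuple5, Tuple[str, int]] = {}
        self.next_port = 1025          # first fallback port when the preferred one is taken
        self.events: List[str] = []

    def _wan_tuple(self, peer_ip: str, peer_port: int, wan_port: int) -> Tuple5:
        return Tuple5("udp", peer_ip, peer_port, self.wan_ip, wan_port)

    def lan_send(self, lan_ip: str, lan_port: int, peer_ip: str, peer_port: int) -> int:
        """Console emits its hole-punching packet; returns the WAN port it was mapped to."""
        wan_port = lan_port                       # port preservation is tried first
        if self._wan_tuple(peer_ip, peer_port, wan_port) in self.conntrack:
            wan_port = self.next_port             # tuple already owned: renumber the source port
            self.next_port += 1
        self.conntrack[self._wan_tuple(peer_ip, peer_port, wan_port)] = (lan_ip, lan_port)
        self.events.append("LAN %s:%d -> %s:%d mapped to WAN port %d"
                           % (lan_ip, lan_port, peer_ip, peer_port, wan_port))
        return wan_port

    def wan_receive(self, peer_ip: str, peer_port: int, wan_port: int) -> str:
        """Packet from the Internet; returns what the router did with it."""
        key = self._wan_tuple(peer_ip, peer_port, wan_port)
        owner = self.conntrack.get(key)
        if owner is not None and owner != ROUTER_ITSELF:
            return "delivered to %s:%d" % owner
        # No NAT association: the packet is treated as addressed to the router and hits INPUT.
        if self.input_policy == "DROP":
            return "dropped"
        # REJECT: an ICMP destination-unreachable goes back quoting the original header;
        # conntrack parses that quoted header and records an entry for the tuple, owned
        # by the router itself (the behaviour the post calls erroneous).
        self.conntrack[key] = ROUTER_ITSELF
        return "rejected (ICMP unreachable)"


def simulate_race(input_policy: str) -> Dict[str, object]:
    """Player B's packet reaches A's router before A's console has sent its own."""
    router = HomeRouter(wan_ip="198.51.100.1", input_policy=input_policy)  # constructed addresses
    console_a, peer_b, port = "192.168.1.10", "203.0.113.5", 3074
    first = router.wan_receive(peer_b, port, port)            # B's early packet
    mapped = router.lan_send(console_a, port, peer_b, port)   # A's hole punch arrives late
    second = router.wan_receive(peer_b, port, port)           # B retries the same tuple
    return {"first": first, "mapped_port": mapped, "second": second}


if __name__ == "__main__":
    for policy in ("REJECT", "DROP"):
        print(policy, simulate_race(policy))
```

    The only difference between the two runs is the INPUT policy, which is the point of the TL/DR above: with DROP nothing is sent back, so conntrack never sees a quoted header to turn into an entry.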

    Welcome to this forum.
    This is a customer to customer forum only,
    This is where customers help each other get the most out of BT products & services.
    Anything you post here does not go to BT. Although the forum is moderated by BT, not all posts are read.
    This is a public forum which can be viewed worldwide, so please do not post any personal information, especially phone numbers, account numbers, fault numbers, address information or email addresses, as this could be used to impersonate you.
    I would suggest that maybe you try using a different router?
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • ASA 5510 9.1.x ACL/NAT issues

    Forgoing some security concern have you tried "permit ip" instead?

    Good afternoon.
    I'm hoping one of you spiceheads might be able to help a fellow out. We upgraded our 5510 from 8.2 to 9.1 and now none of our NAT'd public servers are working.
    we cleared out every thing and did step by step to create the new NAT connection and even though the ACL shows any4 for the private IP address, we are getting access denied.
    access-list outside_access_1 extended permit tcp any4 host 10.201.0.130
    We have the same config and IOS version running on our 5505 and don't have any issues.
    Thoughts?

  • Could DirectTv server be causing my Double Nat Issues?

    Could DirectTv server be causing my Double NAT issues? I am using an older Motorola modem, then my AirPort Extreme, then my AirPort Express in bridge mode. The DirectTv server seems to be plugged in before the AirPort Express so I am pretty sure it is not getting any info from the AirPort Extreme, but I am not sure.
    The modem is model Motorola SurfBoard 5101U. I do not believe it has router capabilities.
    The problem seems to only come up when I am using my MacBook Pro (Mavericks). Usually only when trying to download large files. It does not affect my iPads or iPhones. Very strange.
    I've been racking my brain on this for a year.
    Thanks,
    Stephen

    So, I run into some similar problems. I used to have the HD-DVR pre-Genie, which is when I started seeing some of the problems that my AirPort Utility was reporting. I hardwire every connection where possible. I currently run out of my AirPort TC into a switch. From the switch I go out to the rest of the house including an Apple TV and the new Genie. Along with multiple other wall ports, etc.
    It seems to me that whenever I have my Genie hardwired in for extended periods of time my network will "crash" and I will receive an error of Double NAT. Once I unplug the DirecTV from the network, everything goes back to working fine. This occurred on the old HD-DVR as well as the Genie.
    I would welcome any ideas or suggestions.
    I am running a Motorola SURFboard S86141, New AirPort Extreme TC, and a Netgear 8-Port Switch.
    Thank you in advance for your help!!
    Billy Trimble

  • NAT issues with 5 XBOX consoles on network

    I have my other XBOXs connected to a 24 port switch but the one connected to the ea6500 directly gives me this moderate NAT issue. I thought this new router would be an upgrade to my old dlink but so far I get a new problem every day.
    I have reserved dhcp addresses for all the boxes and set up port triggering for the ports listed in several guides. But what else do I need to do? Is it likely I got a bad router?

    If your Xbox is directly connected to the modem, do you have an open NAT for your Xbox? Have you tried forwarding the ports? If it did not work using port triggering, try forwarding the ports then. One thing that you have to make sure of if you do port forwarding is that you should be getting a public IP address on your router page. If you're not getting a public IP, there might be a need for your modem to be set to bridge mode. You may refer to this link for more info: http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&vw=1&articleid=22385 (Resolving NAT type issues with gaming consoles through a Linksys router).
    Btw, are you using the cloud firmware or classic?

  • Looking from the many users complaining, I am a bit scared whether should i proceed update to ios 8.0.2 to my ipad 2 or not? Does any one know news whether issues will be really fixed or should i stay on version 7 only?

    Looking from the many users complaining, I am a bit scared whether I should proceed to update to iOS 8.0.2 on my iPad 2 or not. Does anyone know news whether issues will really be fixed, or should I stay on version 7 only? Does Apple have any plan to migrate their iPad 2 customers to use or take a new iPad with some exchange offers?
    Please, I expect a quick response to my queries. I am waiting eagerly to know what to do now.

    Ipad Air dead after installing IOS 8.0.2
    I have just downloaded and installed this version of IOS on my Ipad Air and it is DEAD.
    It won't start up.
    When I connect my Ipad to my MacbookPro, Itunes tells me the following:
    "iTunes has detected an iPad in recovery mode. You must restore this iPad before it can be used with iTunes."
    What now? restore? try to remove 8.0.2?
    what a misery!!

  • New ARB Issue:  Button navigation and Declarative States

    A new ARB issue has been posted to the flex open source site:
    http://opensource.adobe.com/wiki/display/flexsdk/buttonnavigationand+declarative+states
    This issue concerns the new state syntax and what it means to leave a value
    of a property implicit in one or more states.
    Comments, suggestions, and feedback are welcome.

    Ned Murphy wrote:
    Select the textfield that is inside the movieclip and in the properties panel you should see a dropdown for selecting the type of textfield.  If you select Dynamic and then assign an instance name to the textfield you can use that instance name in your code to assign the text when the file runs.  If you were to name the textfield "tField", then the code you would use inside an instance of your movieclip named "mClip1" would be...
    mClip1.tField.text = "your text";
    So, if I have multiple buttons, using your example, would the code read
    mClip1.tField.text = "your text";
    mClip1.tField2.text = "your text2";
    mClip1.tField3.text = "your text3";
    mClip1.tField4.text = "your text4";
    And my buttons are built inside movieclips, ie
    Main Timeline > aboutButton_mc > aboutText_mc > "about"
                        > contactsButton_mc > contactsText_mc > "contacts"
    can the code be put at any level, or does it need to reside on the Main Timeline to access all the movie clips' text fields?
    Just in case this may be too complex to get into via this forum, if you know of any good tutorials, that would be awesome too!
    I tried doing a search, but it's so hard to tell if they might be in AS2, or AS3, and if they would apply to newer versions of Adobe Flash (I have CS5)

  • Asymmetric NAT rules matched for forward and reverse flows - NAT Issue

    Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505.   The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet).   I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside)
    The Error:
    5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
    I understand this is a NAT issue; but I not seeing the error and could use a second set of eyes.   Here's my current running configuration.
    : Saved
    ASA Version 8.3(2)
    hostname fw1
    domain-name xxxxxxxx.xxx
    enable password <removed>
    passwd <removed>
    names
    interface Vlan1
    description Town Internal Network
    nameif inside
    security-level 100
    ip address 192.168.9.1 255.255.255.0
    interface Vlan2
    description Public Internet
    nameif outside
    security-level 0
    ip address 173.xxx.xxx.xxx 255.255.255.248
    interface Vlan3
    description DMZ (CaTV)
    nameif dmz
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    interface Vlan10
    description Infrastructure Network
    nameif InfraNet
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan13
    description Guest Wireless
    nameif Wireless-Guest
    security-level 25
    ip address 192.168.1.1 255.255.255.0
    interface Vlan23
    nameif StateNet
    security-level 75
    ip address 10.63.198.2 255.255.255.0
    interface Vlan33
    description Police Subnet
    shutdown
    nameif PDNet
    security-level 90
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport trunk allowed vlan 1,5,10,13
    switchport trunk native vlan 1
    switchport mode trunk
    speed 100
    duplex full
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    switchport trunk allowed vlan 1,10,13
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/5
    switchport access vlan 23
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    switchport trunk allowed vlan 1
    switchport trunk native vlan 1
    switchport mode trunk
    shutdown
    banner exec                     Access Restricted to Personnel Only
    banner login                     Access Restricted to Personnel Only
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name xxxxxxx.xxx
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object service IMAPoverSSL
    service tcp destination eq 993
    description IMAP over SSL     
    object service POPoverSSL
    service tcp destination eq 995
    description POP3 over SSL     
    object service SMTPwTLS
    service tcp destination eq 465
    description SMTP with TLS     
    object network obj-192.168.9.20
    host 192.168.9.20
    object network obj-claggett-https
    host 192.168.9.20
    object network obj-claggett-imap4
    host 192.168.9.20
    object network obj-claggett-pop3
    host 192.168.9.20
    object network obj-claggett-smtp
    host 192.168.9.20
    object network obj-claggett-imapoverssl
    host 192.168.9.20
    object network obj-claggett-popoverssl
    host 192.168.9.20
    object network obj-claggett-smtpwTLS
    host 192.168.9.20
    object network obj-192.168.9.120
    host 192.168.9.120
    object network obj-192.168.9.119
    host 192.168.9.119
    object network obj-192.168.9.121
    host 192.168.9.121
    object network obj-wirelessnet
    subnet 192.168.1.0 255.255.255.0
    object network WirelessClients
    subnet 192.168.1.0 255.255.255.0
    object network obj-dmznetwork
    subnet 192.168.2.0 255.255.255.0
    object network FD_Firewall
    host 74.94.142.229
    object network FD_Net
    subnet 192.168.6.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network obj-TownHallNet
    subnet 192.168.9.0 255.255.255.0
    object network obj_InfraNet
    subnet 192.168.10.0 255.255.255.0
    object-group service EmailServices
    description Normal Email/Exchange Services
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq https
    service-object tcp destination eq imap4
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_1
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq pop3
    service-object tcp destination eq https
    service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_2
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq https
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group network obj_clerkpc
    description Clerk's PCs
    network-object object obj-192.168.9.119
    network-object object obj-192.168.9.120
    network-object object obj-192.168.9.121
    object-group network TownHall_Nets
    network-object 192.168.10.0 255.255.255.0
    network-object object obj-TownHallNet
    object-group network DM_INLINE_NETWORK_1
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.9.0 255.255.255.0
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
    access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
    access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
    pager lines 24
    logging enable
    logging asdm debugging
    logging mail errors
    logging from-address hostmaster@xxxxxxxxx
    logging recipient-address john@xxxxxxxxx level errors
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu Wireless-Guest 1500
    mtu StateNet 1500
    mtu InfraNet 1500
    mtu PDNet 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-635.bin
    no asdm history enable
    arp timeout 14400
    nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    object network obj_any
    nat (inside,outside) static interface
    object network obj-claggett-https
    nat (inside,outside) static interface service tcp https https
    object network obj-claggett-imap4
    nat (inside,outside) static interface service tcp imap4 imap4
    object network obj-claggett-pop3
    nat (inside,outside) static interface service tcp pop3 pop3
    object network obj-claggett-smtp
    nat (inside,outside) static interface service tcp smtp smtp
    object network obj-claggett-imapoverssl
    nat (inside,outside) static interface service tcp 993 993
    object network obj-claggett-popoverssl
    nat (inside,outside) static interface service tcp 995 995
    object network obj-claggett-smtpwTLS
    nat (inside,outside) static interface service tcp 465 465
    object network obj-192.168.9.120
    nat (inside,StateNet) static 10.63.198.12
    object network obj-192.168.9.119
    nat (any,StateNet) static 10.63.198.10
    object network obj-192.168.9.121
    nat (any,StateNet) static 10.63.198.11
    object network obj-wirelessnet
    nat (Wireless-Guest,outside) static interface
    object network obj-dmznetwork
    nat (any,outside) static interface
    object network obj_InfraNet
    nat (InfraNet,outside) static interface
    access-group outside_access_in in interface outside
    access-group StateNet_access_in in interface StateNet
    route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
    route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable 5443
    http 192.168.9.0 255.255.255.0 inside
    http 74.xxx.xxx.xxx 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 173.xxx.xxx.xxx
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.9.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd lease 10800
    dhcpd auto_config outside
    dhcpd address 192.168.2.100-192.168.2.254 dmz
    dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
    dhcpd enable dmz
    dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
    dhcpd enable Wireless-Guest
    threat-detection basic-threat
    threat-detection statistics host number-of-rate 2
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 63.240.161.99 source outside prefer
    ntp server 207.171.30.106 source outside prefer
    ntp server 70.86.250.6 source outside prefer
    webvpn
    group-policy FDIPSECTunnel internal
    group-policy FDIPSECTunnel attributes
    vpn-idle-timeout none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    username support password <removed> privilege 15
    tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 173.xxx.xxx.xxx general-attributes
    default-group-policy FDIPSECTunnel
    tunnel-group 173.xxx.xxx.xxx ipsec-attributes
    pre-shared-key *****
    smtp-server 192.168.9.20
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
    : end
    Any ideas would be appreciated.
    John

    I don't see any inspection-commands in your config. Is there a reason for not using any of them?
    If your problem is only with ICMP, then you should enable at least icmp-inspection. You can do that easily with the legacy command "fixup protocol icmp".
    Sent from Cisco Technical Support iPad App
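    Two threads on this page touch the same mechanism: Jouni's answer in the "Dynamic PAT and Static NAT issue ASA 5515" thread (a Section 1 dynamic PAT overriding a Section 2 static NAT) and the "Asymmetric NAT rules matched for forward and reverse flows" message in John's log above. The Python model below is an added illustration for this page; it is not Cisco code, and it does not use John's configuration, so it is not a diagnosis of his firewall. It assumes a simplified unified NAT table: every rule is (inside,outside) with destination any, Section 1 (manual NAT) is walked before Section 2 (object NAT) before Section 3 (manual NAT with after-auto), first match wins, rules keep configuration order inside a section, static rules work in both directions while PAT only matches outbound, and an inbound connection is denied when the rule found for it is not the rule the reply direction would pick. The addresses 10.1.1.0/24, 203.0.113.1 and 203.0.113.20 and the rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    """One entry of the (simplified) unified NAT table: (inside,outside), destination any."""
    name: str
    section: int     # 1 = manual NAT, 2 = network object NAT, 3 = manual NAT 'after-auto'
    real_src: str    # CIDR of the real (inside) source addresses this rule covers
    kind: str        # "static": one-to-one and bidirectional; "pat": many-to-one, outbound only
    mapped: str      # mapped address: the static IP, or the outside interface IP for PAT


def ordered(rules: List[NatRule]) -> List[NatRule]:
    # sorted() is stable, so rules keep configuration order inside a section
    return sorted(rules, key=lambda r: r.section)


def forward_lookup(rules: List[NatRule], real_src: str) -> Optional[NatRule]:
    """Inside host opens a connection: first rule in section order covering its real address."""
    ip = ipaddress.ip_address(real_src)
    for rule in ordered(rules):
        if ip in ipaddress.ip_network(rule.real_src):
            return rule
    return None


def inbound_lookup(rules: List[NatRule], mapped_dst: str) -> Optional[NatRule]:
    """Outside host connects to a mapped address: only a static rule owns an address in
    the inbound direction; a PAT rule never matches here."""
    for rule in ordered(rules):
        if rule.kind == "static" and rule.mapped == mapped_dst:
            return rule
    return None


def outbound_translation(rules: List[NatRule], real_src: str) -> str:
    """Mapped source address an inside host gets, or its own address when nothing matches."""
    rule = forward_lookup(rules, real_src)
    return real_src if rule is None else rule.mapped


def inbound_verdict(rules: List[NatRule], mapped_dst: str) -> str:
    """Model of the reverse-path check: the rule matched for the inbound flow must be the
    same rule the reply (inside -> outside) would match, otherwise the connection is
    denied, which is what the 'Asymmetric NAT rules matched' message reports."""
    inbound = inbound_lookup(rules, mapped_dst)
    if inbound is None:
        return "no translation for %s" % mapped_dst
    real_host = inbound.real_src.split("/")[0]
    reverse = forward_lookup(rules, real_host)
    if reverse is not inbound:
        return "denied: asymmetric NAT (%s inbound, %s reverse)" % (inbound.name, reverse.name)
    return "allowed via %s -> %s" % (inbound.name, real_host)


# Constructed sample: the server 10.1.1.20 has a static NAT to 203.0.113.20 as object NAT
# (Section 2); the whole 10.1.1.0/24 is PAT'd to the outside interface address 203.0.113.1.
STATIC = NatRule("STATIC-SERVER", 2, "10.1.1.20/32", "static", "203.0.113.20")
PAT_SECTION1 = NatRule("DEFAULT-PAT", 1, "10.1.1.0/24", "pat", "203.0.113.1")  # manual NAT, no after-auto
PAT_SECTION3 = NatRule("DEFAULT-PAT", 3, "10.1.1.0/24", "pat", "203.0.113.1")  # manual NAT, after-auto

BROKEN = [STATIC, PAT_SECTION1]   # the PAT rule is walked first and swallows the server
FIXED = [STATIC, PAT_SECTION3]    # object NAT wins for the server, PAT catches everything else

if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "| server ->", outbound_translation(table, "10.1.1.20"),
              "| workstation ->", outbound_translation(table, "10.1.1.50"),
              "| inbound to 203.0.113.20:", inbound_verdict(table, "203.0.113.20"))
```

    In the broken table the server's outbound traffic is PAT'd to the interface address and an inbound connection to its static address is denied as asymmetric, because the inbound lookup finds the static rule while the reverse lookup finds the PAT rule; moving the PAT to after-auto makes both lookups agree. On a real ASA, `show nat` and `packet-tracer` are the tools that show which rule each direction actually hits.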

  • New format issues

    Hi,
    I guess these might be issues with incomplete migration to the new format but I'll post them here nevertheless:
    Incorrect post count - The "total number of posts" in the user information seems to reflect the total number of posts online at the time of the transition instead of total number of posts to date
    Joined date changed - the "date joined" in the user info seems to have changed for me - no biggy but this might point to other problems
    Incorrect migration of old formats - the old discussions had the editor shortcuts "ii " at the beginning of a new line to create italic text - all these post now display "i " at the start of such lines (with the text not being in bold)
    Level info missing - according to the help file, a user should be able to see his/her level per topic as well as overall - I was not able to find this information at all
    But then, I am happy to see that you keep making improvements to this forum, and I thank all of you for your work - I am especially happy about the new "Preview" button for new messages!
    Andreas

    Another item is:
    Email notifications do not use the subject of the topic -
    In the old system the email notifications showed, for example, "New Formatting issues" or "Re: New Formatting issues". On the new system the email notifications show, for example: "Apple Discussions forum "Feedback about New Discussions" has been updated by Andreas Amann", or "Apple Discussions forum "Feedback about New Discussions" has been updated by John Smith", and so on. This makes it impossible to thread posts by topic, because the notifications only change when the post is from another group.

  • Can't ping inside hosts from client VPN. Think it's a NAT issue

    Hello all, I am running into what I think is a NAT/nat exclusion issue with an IOS IPSEC VPN. I can connect to the VPN with the cisco IPSEC VPN client, and I am able to authenticate. Once I authenticate, I am not able to reach any of the inside hosts. My relevant config is below. Any help would be greatly appreciated.
    aaa new-model
    aaa authentication login default local
    aaa authentication login userauthen group radius
    aaa authorization exec default local
    aaa authorization network groupauthor local
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group businessVPN
     key xxxxxx
     dns 192.168.10.2
     domain business.local
     pool vpnpool
     acl 108
    crypto isakmp profile VPNclient
     match identity group businessVPN
     client authentication list userauthen
     isakmp authorization list groupauthor
     client configuration address respond
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10
     set transform-set myset
     set isakmp-profile VPNclient
     reverse-route
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback0
     ip address 10.1.10.2 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip virtual-reassembly
    interface Null0
     no ip unreachables
    interface FastEthernet0/0
     ip address 111.111.111.138 255.255.255.252
     ip access-group outside_in in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip inspect outbound out
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map clientmap
    interface Integrated-Service-Engine0/0
     description cue is initialized with default IMAP group
     ip unnumbered Loopback0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip virtual-reassembly
     service-module ip address 10.1.10.1 255.255.255.252
     service-module ip default-gateway 10.1.10.2
    interface BVI1
     ip address 192.168.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
    ip nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
    ip nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
    ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
    ip nat inside source route-map nat interface FastEthernet0/0 overload
    ip access-list extended nat
     deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
     deny ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
     permit ip 10.1.1.0 0.0.0.255 any
     permit ip 192.168.10.0 0.0.0.255 any
    ip access-list extended nonat
     permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
     permit ip 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
     permit ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
    ip access-list extended outside_in
     permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
     permit tcp any any eq 443
     permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
     permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
     permit esp any host 111.111.111.138
     permit udp any host 111.111.111.138 eq isakmp
     permit udp any host 111.111.111.138 eq non500-isakmp
     permit ahp any host 111.111.111.138
     permit gre any host 111.111.111.138
    access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
    route-map nat permit 10
     match ip address nat
    bridge 1 route ip

    I believe the ACL applied to the client group is backwards. It should permit traffic from the internal network to the client pool.
    To confirm, you can open the Cisco VPN client statistics (after connecting), then go to the Route Details tab. You should see there the networks that you should be able to reach from the client. Make sure the correct ones are in there.
    Regards,
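    To check the point made in the reply above mechanically, and the NAT side of the same problem, here is an added example that is not code from the poster or from Cisco: a small Python audit that parses the split-tunnel ACL and the route-map ACL out of the posted configuration lines. The sample configuration is constructed from the post's own ACL and NAT lines. It assumes the client pool is 192.168.109.0/24, because the `ip local pool vpnpool` line is not in the post and both the split ACL and the NAT denies use that range.

```python
"""Audit an IOS Easy VPN split-tunnel ACL and the NAT exemption for the client pool.
Added example for this thread, not code from the poster or from Cisco."""
import ipaddress

# Constructed sample: the NAT and ACL lines copied from the posted configuration.
SAMPLE_CONFIG = """\
ip nat inside source route-map nat interface FastEthernet0/0 overload
ip access-list extended nat
deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
route-map nat permit 10
match ip address nat
"""
# Assumption: the post omits `ip local pool vpnpool`; the split ACL and the NAT denies
# both use 192.168.109.0/24, so that is taken as the client pool.
VPN_POOL = ipaddress.ip_network("192.168.109.0/24")


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> network, done by hand because ipaddress reads a
    0.0.0.0 mask as a /0 netmask rather than a single-host wildcard."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # wildcard bits must form one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefixlen = 32 - ((w + 1).bit_length() - 1)
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def parse_operand(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(tokens):
    """'permit|deny ip SRC DST' -> (action, src, dst); anything else -> None."""
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        return None
    src, i = parse_operand(tokens, 2)
    dst, _ = parse_operand(tokens, i)
    return tokens[0], src, dst


def acl_entries(config, acl):
    """Collect ACEs for ACL `acl`, written either as 'access-list N ...' lines or as
    an 'ip access-list extended NAME' block (the block ends at the first non-ACE line)."""
    entries, in_block = [], False
    for line in config.splitlines():
        t, ace = line.split(), None
        if t[:2] == ["access-list", acl]:
            ace = parse_ace(t[2:])
        elif t[:3] == ["ip", "access-list", "extended"]:
            in_block = t[3:4] == [acl]
        elif in_block:
            ace = parse_ace(t)
            in_block = ace is not None
        if ace:
            entries.append(ace)
    return entries


def first_match(entries, src_ip, dst_ip):
    """IOS ACL semantics: first matching ACE wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(str(src_ip)), ipaddress.ip_address(str(dst_ip))
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


def audit(config, split_acl, nat_acl, pool):
    """Report split-tunnel entries written pool -> inside (the router wants inside -> pool),
    the corrected ACL, and inside networks whose traffic to the pool would still be NATed."""
    backwards, fixed, inside_nets = [], [], []
    for _, src, dst in acl_entries(config, split_acl):
        if src.overlaps(pool) and not dst.overlaps(pool):
            backwards.append((src, dst))
            src, dst = dst, src  # swap into inside -> pool order
        inside_nets.append(src)
        fixed.append(f"access-list {split_acl} permit ip {src.network_address} "
                     f"{src.hostmask} {dst.network_address} {dst.hostmask}")
    # Inside -> pool must hit a deny in the route-map ACL; a permit means it gets PATed
    # to the outside interface address and the reply never re-enters the tunnel.
    nat = acl_entries(config, nat_acl)
    leaking = [n for n in inside_nets
               if first_match(nat, n.network_address, pool.network_address) == "permit"]
    return {"split_backwards": backwards, "split_fixed": fixed, "nat_not_exempt": leaking}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, "108", "nat", VPN_POOL).items():
        print(key, value)
```

    Run against the constructed sample it reports all three entries of access-list 108 as written pool -> inside, emits them swapped into inside -> pool order, and finds no inside network whose traffic to the pool would be overloaded, because the `nat` ACL already denies 192.168.10.0/24 and 10.1.1.0/24 to the pool before the permit-any lines. The wildcard conversion is done by hand deliberately: handing `0.0.0.0` to ipaddress as a mask gives a /0, not the single host that IOS means.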

  • Why do I lose internet connection when I put airport extreme into bridge mode to correct Double NAT issue

    I reset my airport extreme router the other day because I was too lazy to reset the password on my private network.
    I have been reading the advice found on apple support communities and wide web, but the solutions do not solve any problems and often create new ones.
    I'm regretting because everything was working just fine.
    But I remember having this double nat error when I first set it up a few months back, but now I cannot resolve it.
    I would live with the yellow light, but it seems that this double nat error is preventing my playstation 3 from connecting to the airport extreme.
    When I put the airport extreme into bridge mode, I lose all my wireless networks, even when I reboot the airport extreme and the modem.
    I try rebooting the modem, then the airport, and vice versa. No internet.
    I switch back to NAT/DHCP and the internet works fine on Apple devices, but not the playstation 3, and I have the Double NAT error.
    I have a plain stock Motorola modem and I can dial in and see settings (although nothing about NAT). I didn't see where to see them.
    I tried setting DHCP only but it said it didn't like the settings. Is there a stock range I could be using?

    I have a plain stock Motorola modem and I can dial in and see settings (although nothing about NAT). I didn't see where to see them.
    Exact model.. Motorola makes ADSL, cable and probably wireless modems.. some are modems and some modem routers.. we need exact info. What kind of broadband do you have?
    I would note.. some of the Motorola cable modems seem to have issues with the Apple routers. If you are about due to change modems.. now is a good time.. not another Motorola.
    If the modem is a straight cable modem, the AE must be in router mode.. but you need to power down the cable modem, maybe for 20 min, so the new router can pick up the IP address.
    You cannot use DHCP alone.. the ISP does not give you a block of IP addresses.
    You cannot use bridge with a pure modem.. you will find it works.. but only to one device.
    The only reason you get double NAT is the failure to pick up the public IP.
    Give the info required..
    If you have trouble, I need the actual IP of the modem. the actual IP of the AE WAN port when plugged in. Screenshots are good.

  • Double computer name on network and NAT issue with Back to My Mac

    These are the problems I am having:
    When my MacPro workstation (which on the network is named "The Beast") wakes from sleep - I get a message saying "there is already a computer on the network with the name "The Beast". Other computers on the network can now find you at "The Beast-2"" and it gives me a new name in the file sharing preferences - even though it is the only computer on the network with that name.
    Why is this happening???
    The other problem is with Back to My Mac - When I try to enable it - I get an error message saying "Turn off NAT Addressing" - which I thought was turned off since the AEBS is in Bridge Mode. Why is this happening?
    Here is my network setup, which consists of the Modem / Router from my ISP - an Airport Extreme Base Station and one Airport Express - which is connected to my MacPro via ethernet. The MacPro does not have an airport card installed and is running OSX 10.6.8 - all other computers / devices are running 10.7.x and iOS 6.
    VDSL Modem / Router (from Internet provider) with wireless turned off - (so it is not broadcasting a competing wireless signal) - connected via ethernet to my Airport Extreme Base Station.
    Here are all the settings on the AEBS and the Airport Express: - I am using Airport Utility 5.6.1 on my Mac Pro running OSX 10.6.8 - so the setup prefs are different than the newer version of Airport Utility found on 10.7.x systems - but both work fine. Although I did notice that the option to allow ethernet clients to connect to the Airport Express does not exist (or I just didn't find it) in the newer version of Airport Utility.
    Airport Extreme Base Station is set up as follows:
    Wireless Mode: Create a Wireless Network
    Wireless Settings:
    Allow this network to be extended IS CHECKED
    Radio Mode: 802.11n (b and g compatible)
    Wireless Security: WPA/WPA2 Personal
    Access Control:
    MAC Address Access Control: Not Enabled
    Internet Settings:
    Internet Connection:
    Connect Using: Ethernet
    Connection Sharing: OFF (Bridge Mode).
    TCP/IP:
    Configure IPv4: Using DHCP
    Advanced Settings:
    Logging & Statistics:
    Syslog Destination Address is blank (as in nothing appears in this field).
    Syslog Level: 5 - Notice
    Allow SNMP is CHECKED
    MobileMe:
    Back to my Mac is turned off - but if I try to turn it on I get an error message saying "Turn off NAT Addressing" - which I thought was turned off since the AEBS is in Bridge Mode. Why is this happening?
    IPv6:
    IPv6 Mode: Link-local only
    As stated - my MacPro with no wifi card -  is connected via ethernet to an Airport Express which connects wirelessly to the AEBS for network and internet access.
    Airport Express Settings:
    Airport Settings:
    Wireless Mode: Join a Wireless Network
    Allow Ethernet Clients IS CHECKED
    Wireless Security WPA/WPA2 Personal
    Internet Settings: Are grayed out (as in I can't change these settings - I assume because they are being controlled by the AEBS) and read as follows:
    Connect Using: Wireless Network
    Connection Sharing: OFF (Bridge Mode)
    TCP/IP:
    Configure IPv4: using DHCP
    All other settings are identical to the AEBS.
    All other WiFi devices in the house (MacBook Pro, iPhones, iPads, iMac, Apple TV, Nintendo Wii etc.) are all able to connect to the network and connect to the internet - no problem.
    Thanks for any insights into what might be causing the double name on the network and why it is asking me to turn off NAT addressing - when both my Airport devices are in Bridge Mode?

    I am also having this issue... any updates on this??

  • Time Capsule, hardwired to TWO xbox 360's, and NAT issues.

    Hello All,
    I currently have an older Linksys WRT54G (version 1.0 LOL) which has been working fine for years. I recently bought my son an XBOX 360 for Christmas and we went through the issues of NAT and Call of Duty, and basically I have become quite knowledgeable on this topic. I recently added a SECOND XBOX 360, as it became apparent that one would not do with three boys in the house (plus COD is a blast online).
    So I created a second Live Account and got the two Xboxes running online stably with NAT wide open on both. This required abandoning the Linksys firmware and installing "Tomato" on the WRT54G. That works GREAT. No modifications were required for the rest of the network including...
    Macbook by Wifi, Minimac hardwired (ya ya wifi works but hardwire is better), Airport Express (used only to stream music to the stereo in the family room - from ANY PC/Mac running iTunes... iTunes is VERY NICE), HP printer with network adapter, 5 other PCs including a mix of Vista, XP, XP Pro, and multiple iPhones, a Palm Tungsten C, Wii, DS and of course the two hard-wired XBOXs. NO problems. The Tomato configuration only required the modifications for the XBOXs specifically, as the rest of the network settings were not changed after the firmware update.
    What am I interested in? I'd like to upgrade to a Time Capsule for several reasons. One Newer wifi, faster, two frequencies, backup space for growing Mac branch of our network, and as the internet sharing router. AND to be able to access the TC from the internet for file access anywhere! LOVE THAT FEATURE. This requires the TC to be the first device after the cable modem as far as I can tell at this point. (any input on this specific feature would be great).
    So I want to configure the TC with the input from the Cable modem as the main distribution of the internet. Then from the other NETWORK ports connect to my 20 port router for the rest of the house, as well as to the other items currently connected at the site of the current LinkSys Router (Mac Mini, Sony TV).
    Also I need to maintain the current XBOX setup (as well as the Wii) with full open NAT on both XBOXs.
    My question: Anyone here currently using the TC for hardwired connectivity for an XBOX with XBOX live running with open NAT for TWO XBOXs?
    The issues with NAT and TWO XBOXs is that you cannot simply use PORT FORWARDing or PORT Triggering to make sure that the traffic goes to the correct xbox. The XBOX uses specific communication ports and the ROUTER needs to keep the traffic flowing properly or you get disconnected or never get open NAT (must have for XBOX live and internet gaming). There are many write ups on using Port Forwarding for one XBOX and setting the second one in the DMZ, but this does not work all the time.
    The "Tomato" firmware on the LINKSYS allows fooling the router into giving a 'pseudo static' ip address to the XBOX's by doing MAC address based reservation of an IP number and then letting the DHCP give the xbox an IP address. The MAC address based reservation makes sure that the XBOX always gets the same IP address which for some GD reason must be in order for the traffic to be routed to the correct device. (you can of course use the same MAC address reservation for any device on the network).
    Second Question: For those using the TC AND a second WiFi Router to do WIRELESS connection to the XBOX - which device do you have configured as the main INTERNET sharing router? I have read here what appears to state that the TC is the main router and the other WiFi the secondary. Thus the ROUTING is still being done by the TC and the other wifi device is being used simply as a WiFi Access point/switch. If this is the case would the firmware on the TC allow the proper routing for TWO XBOXs on the network?
    Thank you,
    Mike

    The ports are 53, 80, 88, and 3074. Since you are trying to make two Xbox consoles use those ports and you are trying to connect to a server, what you need to do is use Port Range Triggering. You can't use Port Range Forwarding since it will only set those ports into listening mode for the IP address you set it to. So if you use Port Range Forwarding it will only be open/available to one console (the one using that IP address).
    You need to use PORT RANGE TRIGGERING. Disable Port Range Forwarding and DMZ. You need to enable UPnP as well if your Linksys router has this option (other models don't have this option but it is said to be enabled in the default settings according to their tech support).
    To solve the lag problem set your MTU size to 1364. This setting will work even if you have one or multiple consoles running behind the router.
