Overlapping Networks with Tunnel GRE/IPsec and NAT

Has anyone experience with NATing on a GRE tunnel interface? I need to NAT between two private networks because they are overlapping. I tried to NAT directly on the tunnel interface, e.g.:

    Ethernet 0/0
     ip nat inside
    Tunnel0 (GRE with crypto map)
     ip nat outside

However, I didn't succeed this way. What's the best way to achieve my goal?

Thanks. I already checked this paper. The problem is that it only talks about IPsec and not about GRE/IPsec and NATing on a tunnel interface.
However, I made some tests in the lab and it worked fine. So I went back to the customer site, and I had to reboot the small 836 to get it working.
What I learned is: "ip nat outside" on a tunnel interface on a Cisco 836 is no problem. This is good news if you have to add partner companies with GRE/IPsec and they don't have IP ranges you like: you just NAT them and give them IP addresses of your choice.
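A worked IOS configuration for the scenario in this thread, added here as an illustration and not taken from the poster's router: both sites use 192.168.1.0/24, so the local LAN is presented to the partner as 10.1.1.0/24 and the partner's LAN is reached locally as 10.2.2.0/24, with the translation done on the GRE tunnel interface. All addresses, interface names, ACL/map names and the pre-shared key are constructed placeholders.

```cisco
! Constructed example: local LAN 192.168.1.0/24 overlaps with the partner's
! 192.168.1.0/24. Local hosts appear to the partner as 10.1.1.0/24; the
! partner's hosts appear to local users as 10.2.2.0/24.
!
! --- IPsec protecting the GRE tunnel (peer and key are placeholders) ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
!
! Interesting traffic is the GRE flow between the two tunnel endpoints.
ip access-list extended ACL-GRE
 permit gre host 198.51.100.1 host 203.0.113.2
!
crypto map CM-PARTNER 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address ACL-GRE
!
! --- GRE tunnel: this is where "ip nat outside" goes ---
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip nat outside
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
!
interface Ethernet0/0
 description local LAN (overlapping range)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 description WAN
 ip address 198.51.100.1 255.255.255.252
 crypto map CM-PARTNER
!
! One-to-one translation of the whole local subnet: 192.168.1.x -> 10.1.1.x
! when it leaves via Tunnel0. The partner must route 10.1.1.0/24 into
! their end of the tunnel.
ip nat inside source static network 192.168.1.0 10.1.1.0 /24
!
! The partner's (real) 192.168.1.0/24 is translated to 10.2.2.0/24 as seen
! from inside, so local users address partner hosts as 10.2.2.x.
! add-route installs the route to 10.2.2.0/24 via the outside interface;
! the explicit static route below is kept in case the platform ignores it.
ip nat outside source static network 192.168.1.0 10.2.2.0 /24 add-route
ip route 10.2.2.0 255.255.255.0 Tunnel0
!
! Routing the partner's translated range into the tunnel keeps the
! overlapping 192.168.1.0/24 out of the local routing table entirely.
!
! Verification (run after a test ping from 192.168.1.10 to 10.2.2.59):
!   show ip nat translations   -> expect 192.168.1.10 <-> 10.1.1.10 and
!                                  10.2.2.59 <-> 192.168.1.59 entries
!   show crypto ipsec sa       -> encaps/decaps counters rising on Tunnel0's GRE flow
```

On releases older than 12.2(13)T the crypto map had to be applied to both the physical interface and the tunnel interface; on current releases the physical interface alone is sufficient.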

Similar Messages

  • How do i create a little network with my i-mac and macbook

    Hello:
    To give a sensible answer, a little more information is needed.
    I am guessing that you want to set up a wireless network as you have both a desktop and laptop.
    There are some pretty good tutorials/articles in the knowledge base articles.
    Barry

  • Replacing BM on NW with the ISP firewall and NAT

    Hi!
    LAN is a tree with 3 servers:
    1. NW 6.5 sp8 + BorderManager 3.9 sp 2
    2. NOWS SBE 2.5 (Suse) - DNS\DHCP
    3. NOWS SBE 2.0 (Suse)
    Since I'm connected to the internet through my ISP router (XBOX - Checkpoint), I am considering removing the first server (firewall) and asking my ISP to configure the router as a firewall and NAT too.
    What are the steps needed to do it without any damage?
    TIA
    Nanu


  • ISA 2006 with IPSEC and NAT - Publishing Outlook Anywhere - TCP Checksum Dropped 0xc0040031 problem

    Hi
    I am looking to publish Outlook Anywhere, with IPSEC configured as per (http://www.microsoft.com/en-us/download/confirmation.aspx?id=23708) to lock down Outlook Anywhere to machines with internal certificates only.
    I have the following infrastructure setup:
    ISA 2006 SP1 - Server 2003 R2 / SP2
    -Allows UDP 4500/500 and TCP 443
    -Hosted on VMWare ESXi 5
    Test laptop - Windows 7
    External Firewall static NAT's from a public IP to ISA server and allows the following:
    UDP 4500/500
    Protocol 50/51
    IPSEC policy configured on the ISA server:
    -IP Filter List = DMZ IP of ISA server, source port any, destination port 443
    -Filter Action = Negotiate Security, Integrity Only
    -Authentication Methods = Certificate Authority, internal enterprise CA selected
    IPSEC policy configured on the Windows 7 Test Laptop:
    -IP Filter List = External (public) IP of ISA server, source port any, destination port 443
    -Filter Action = Negotiate Security, Integrity Only
    -Authentication Methods = Certificate Authority, internal enterprise CA selected
    So far the following works:
    I have a port listener running on the ISA server to mimic Exchange (just to keep things simple to begin with).
    If I unassign the IPSEC policies, I can telnet from an external network on the test laptop successfully to the external IP of the ISA server. 
    If I assign the IPSEC policies, I cannot telnet from an external network on the test laptop to the external IP of the ISA server.  I note the following:
    -HTTPS is denied with no rule (an allow rule is present)
    -Result Code = 0xc0040031 FWX_E_BAD_TCP_CHECKSUM_DROPPED
    -The ISA log shows IKE Client and IPSEC NAT-T client traffic as successful.
    -The event log shows main mode and quick mode as successful.
    -The IPSEC monitor shows SA's for quick mode and main mode.
    If I google the error code I gather it relates to the TCP checksum being calculated by the ISA server disagreeing with the actual checksum received.  I guess this is part of AH.  I have tried the following:
    -Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the ISA server under services\IPSEC and reboot.
    -Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the Windows 7 Laptop under services\PolicyAgent and reboot.
    -Disable the following in the ISA server registry and reboot:
    RSS
    SecurityFilters
    TCPA
    TCPChimney
    -Disable Chimney Offload via Netsh command
    -Disable all Offload options on VMXNET 3 driver advanced settings and rebooting
    -Switching to an E1000 NIC and disabling all offload options and rebooting
    -Upgrading E1000 drivers from base version (2002 driver) to Intel's later version (2008), rebooting and disabling all offload options.
    -Run a Wireshark trace - cannot see anything useful
    -Checked Oakley log - cannot see anything useful
    I still cannot get the 443 traffic to successfully connect without the FWX_E_BAD_TCP_CHECKSUM_DROPPED error and have run out of google articles.
    I would really appreciate if anyone has any suggestions?
    Many Thanks
    Steven

    Hi,
    Glad to hear that. I'll mark it as answer. Thank you.
    Best Regards,
    Joyce

  • How can I expand my wireless network with a Time Capsule and Airport Express?

    My entire house is wired for ethernet access (2 floors).  I have a Time Capsule on the 2nd floor that reaches the entire house except for one room. 
    In this one room I have an ethernet port plugged into an Airport Express. 
    The problem I encounter is that I have two separate wifi networks with two separate names.  I realize I can extend the wireless network on the 2nd floor to the 1st floor but I can only do this wirelessly to my knowledge, and the entire problem is that the signal doesn't reach the front room.  Also, there is really no place in-between that the AE can be placed to extend the reach.  The building is concrete and steel, I think that has a lot to do with the problem.
    My question is: Can I have two wireless routers (connected to the same home network via ethernet) broadcast the same wifi network?  I also have a SONOS system that further complicates things, I'm afraid.  Would it help if I drew some sort of diagram?
    Thanks!

    Your network is not working as you describe.. or I have misunderstood the layout..
    What is the broadband type? Modem is where? What is the main router?
    From your screen shots the main router is the airport express that covers one room which seems wrong.
    Why isn't the TC the main router? or both bridged.. if you go back and look at the apple document.. one or both apple routers are in bridge mode..
    You are having issues with setup .. half of which is caused by v6 airport utility.
    What OS are you running? Please install 5.6 utility.. do it.. do it now!!
    Easy for Lion.
    http://support.apple.com/kb/DL1482
    Messy but possible for ML.
    How to load 5.6 into ML.
    1. Download 5.6 for Lion.
    http://support.apple.com/kb/DL1482
    Click to open the dmg but do not attempt to install the pkg.. it won't work anyway.
    2. Download and install unpkg.
    http://www.timdoug.com/unpkg/
    Run unpkg on the desktop.. it is very simple.. drag the AirPortUtility56.pkg file over to unpkg.. and it will create a new directory of the same name on the desktop.. drill down.. applications utilities .. there lo and behold is Airport utility 5.6 .. drag it to your main utilities directory or just run it from current location.
    You cannot uninstall 6.1 so don't try.. and you cannot or should not run them both at the same time.. so just ignore the toyland version.. the plastic hammer.. and start using 5.6.. a real tool.

  • Designing a network with 6 base stations and an Access control lists

    I have 6 airport extreme (802.11n) base stations setup in my studio.
    I'm a little concerned about security as they're all set up individually (wireless mode: Create a wireless network) with the same network name (mystudio) and WPA/WPA2 Personal password, so my roaming users don't have to keep entering passwords / experience dropouts etc.
    I have lots of freelancers who are in and out of the studio and there isn't any way for me to monitor who is currently connected to my wifi network.
    I'd like to set up a wireless network that only allows you to connect to the WIFI network if your MAC address is on the access control list.
    Is this possible with Apple AirPort Extreme base stations or would it be a better idea for me to invest in a 3rd party product?
    All the base stations are connected to an Ethernet point and have static IPs assigned to them.
    What's the best way to deploy such a solution? Should I keep the settings as they are and manually enter the MAC addresses for 30 portable machines on each base station, or is there a more pragmatic solution...
    any help / input would be much appreciated.
    Thank You

    When employing Access Control in a roaming network configuration, the MAC addresses would be required to be entered at each of the base stations ... as there is no means (unfortunately) to have them "automatically" migrate amongst them.
    However, one important thing to note. Only wireless security, using WPA or WPA2, will actually secure the wireless network. MAC addresses can easily be spoofed. Someone, determined to do so, can still access your network ... even if secured by Access Control.

  • SA540 - IPSec and NAT

    Here's the scenario
    My LAN 10.10.10.0
    Local Host 10.10.10.6
    Remote LAN: 192.168.201.0
    Remote Host: 192.168.201.59
    Trying to set up an IPsec connection between two hosts.
    The other side wants me to NAT 10.10.10.6 as 172.16.5.6.
    The SA540 doesn't seem to have this feature.
    Is there a way to easily achieve that?
    Thank you

    Here is an example, which might help you, but you need to make sure you have the matching subnet (for bidirectional - one-to-one mapping).
    Configure the NAT. Source address range of 10.9.0.0/24 and destinations of remote subnet (example 10.10.0.0/24):
    access-list 101 permit ip 10.9.0.0 0.0.0.255 10.10.0.0 0.0.0.255
    Create a route-map called 'static-nat' and match traffic to ACL 101:
    route-map static-nat
     match ip address 101
    Create a NAT pool for the public IP address (or range) you want to NAT to. In this case, I'm NATing to 172.16.17.0:
    ip nat pool NAT-POOL 172.16.17.1 172.16.17.254 netmask 255.255.255.0
    Create a NAT rule to use the route-map 'static-nat'. Upon a match to ACL 101, NAT that traffic to one of the NAT-POOL addresses:
    ip nat inside source route-map static-nat pool NAT-POOL overload
    Once you have configured the NAT you need to modify the interesting traffic. Your 'interesting traffic' must match the translated source addresses:
    access-list 121 permit ip 172.16.17.0 0.0.0.255 10.10.0.0 0.0.0.255
    Define your VPN peer, apply phase II and the matching ACL for interesting traffic:
    crypto map VPN 5 ipsec-isakmp
     set peer <peer ip>
     set transform-set <transform set>
     match address 121
    Apply the crypto map to the public interface and NAT on the public side:
    interface GigabitEthernet0/0
     ip nat outside
     crypto map VPN
    Configure the inside interface NAT on the internal side (the interface needs a host address in the subnet, not the network address):
    interface GigabitEthernet0/1
     ip address 10.9.0.1 255.255.255.0
     ip nat inside
    HTH

  • Proper setup for a network with Public Static IPs and Private IPs

    Hello all,
    I am trying to set up a network with public static IP addresses and local (internal) IP addresses in 192.168.xxx.xxx format. I will try to explain as best I can how I have it set up and what my issues are.
    I have COX business services in my home and 8 static public IPs assigned to me. I have tried setting this up and everything internally (192.168.xxx.xxx) works fine and all the devices can get to the outside world fine, but when I try to access ANY of the devices on the public IPs from outside the network I get absolutely nothing. The browser just times out and I cannot ping the devices even though COX can see them and says the devices are bridging over. COX is unable to get a response when they ping the devices either.
    One of the devices is a Synology NAS with one Ethernet port that is using a public IP and the other using a 192.168.xxx.xxx address. When the Ethernet port is set up using a static public IP, COX can see it but they get no response from a ping, and when they go to the address to get the login page the browser times out. When I reconfigure the port for DHCP it grabs a public DHCP address, and when COX pings that they get a response AND they are able to type the DHCP address in their browser and get to the login page no problem. When I switch back to the static IP they can see it but again are unable to get a response from a ping and are unable to go to the login page.
    My setup is:
    COX Modem (only has 1 Ethernet port) ====>> 8 port NETGEAR Gigabit switch (all devices with public IPs are plugged into the NETGEAR switch)
    NETGEAR switch ====>> WAN port on AirPort Extreme (latest version w/ all software updates)
    LAN port AirPort Extreme ====>> CISCO 2960 48 port Gigabit switch (all internal devices are plugged into the CISCO switch)
    Like I said, everything with 192.168.xxx.xxx connects and I can connect to it just fine, but none of the devices with public static IPs can be pinged even though COX can see them bridging over. I have tried all new cables on the devices and that didn't work, so it has to be something with my setup.
    Do I need to add another router to this configuration? I have extra AirPort Extremes lying around I can use if someone could just tell me how the setup should be. I also have a few ports open on the CISCO switch; is there a way I can use it for the 4-5 devices that have public IPs? Or will that cause a problem with all the other devices plugged into it with the 192.168.xxx.xxx IP addresses?
    I'm not a networking guru (obviously), so if you are able to help me get this set up properly can you try not to use Doctoral Level syntax in your response? I would greatly appreciate it!
    I appreciate any and all help... thx in advance!

    Duplicate posts. 
    Go HERE.

  • How to setup OD Master with 1 Static IP and NAT?

    I'm attempting to setup an OD Master on my server. Currently, I only have 1 static IP from the ISP, so the router gets it.
    Pretty much all ports are forwarded from the router to the server which is running DNS, Mail, Web currently as a standalone server.
    The server (in network preferences) has a local IP address.
    DNS is setup using global address (PTR record is done by the ISP)
    DNS resolves correctly (checked using dig)
    Mail services all are good.
    Web services all are good.
    So, by my checklist:
    hostname: server.example.com
    DNS: resolved to FQDN and IP
    All should be ok for a OD Master (so I thought).
    I added the Open Directory Service.
    Changed Standalone to "Open Directory Master"
    Followed the steps.
    Kerberos was stopped when finished. I noted that during OD setup, after the screen where I input the OD Administrator username/password, the next screen should be related to Kerberos, but the screen did not come.
    Is it possible to use Kerberos in my configuration? (single IP nat to local IP)?
    (I suspect that even though DNS resolves, there are issues with my DNS setup, as sudo changeip -checkhostname reveals a primary IP address as a local address and not the global address: "The DNS hostname is not available, please repair DNS and re-run this tool.")

    ... unanswered. withdraw question

  • VPN s2s tunnel after PAT and NAT on non-cisco

    hello!
    I have a Cisco 1711. On the LAN there is a ZyXEL firewall. I have tried to establish a s2s tunnel between this LAN ZyXEL and another ZyXEL on the other side with a WAN address.
    cisco:
    interface Serial0
    description Polaczenie do Internetu$FW_OUTSIDE$
    bandwidth 2048
    ip address 80.50.92.xxx 255.255.255.252
    ip nat pool PAT 213.77.105.248 213.77.105.252 prefix-length 29
    ip nat inside source static 192.168.0.199 213.77.105.xxx extendable
    The ZyXEL is on the LAN as 192.168.0.199 and is NATed to 213.77.105.xxx.
    My question is:
    Is there a possibility to establish a s2s tunnel with a host that on the LAN has been NATed to a WAN address as above?

    So you're saying that your configuration is:
    Zyxel (LAN) -> 1711 -> Zyxel (WAN), and you want to establish an l2l VPN tunnel between the LAN and WAN Zyxel firewalls, and you're NATting the LAN Zyxel firewall to a WAN address?
    If yes, then your answer is: yes, you can do a VPN, but using NAT-Traversal. It's a technology where the IKE ports of the initiator and the responder are changed from their default value of 500 to 4500 in order to support NAT devices working in between the VPN peers. If your Zyxel firewall supports NAT-T then there's a good chance this will work.

  • Can you use 2 apple tvs on the same network with different apple ids and how would your devices know which apple tv to stream to?

    Hi,
    I was looking into purchasing 2 apple tvs and was wondering if they can be setup with different apple ids. I need to have mine setup with my id and be able to hook my devices to it , but have the one in a bedroom hooked to a different apple id and have my friend's devices stream to that one and not mine.  Is this possible?

    Welcome to the Apple Community.
    In order that your Apple TV only streams from your iTunes library and your friend's from your friend's, you would both have to have different Home Sharing IDs.
    So far as devices go, any device on a network can stream over AirPlay to an Apple TV. To ensure each of you couldn't stream to the other's device, you can enable a password via the Apple TV, which would then need entering when you used a device for AirPlay.
    Shouldn't be a problem to do what you want to do.

  • Network with XP (32 bit) and Windows 8.1(64 bit)

    The HP printer F4280 is connected directly to the XP computer and via a wired modem network connection to the Windows 8.1 computer.
    The XP computer gets perfect prints. The Windows 8.1 computer gets incomplete prints - the shaded stuff is printed, the plain print is missing.
    I tried new drivers on each - the XP only accepts a 32 bit driver. I put a 64 bit driver on the Windows 8.1 computer - nothing improved the 8.1 prints.
    What can I do??

    Actually the network setup we have works fine for most print jobs from the Windows 8.1 computer. The one case of difficulty involved an Adobe Reader file on my Windows 8.1 computer that failed to print fully on the HP printer on the other computer. I think Adobe Reader is the problem, or the file set up by the site with the file I wanted to print.
    Generally speaking the HP set up we have works well most of the time, even with Adobe Reader files. But that one file was a mess and caused my concern. I can live with it, I think!

  • Small fast network with Mac mini server and Promise Pegasus?

    I have 7 Mac Pros and iMacs that need to be connected to the same storage. I'm doing non-MPI-based numerical modeling, so the transfer rates have to be fast but not InfiniBand fast. I'm considering a setup with a Promise Pegasus Thunderbolt RAID connected to a Mac mini running Lion Server for access control/roaming home directories. The Mac Pros and iMacs would then be connected via 1Gb Ethernet.
    My question is where the bottlenecks in this setup would be. The server software/hardware? The network? What else am I forgetting?

    I assume you're looking at Mac mini because you've already run the numbers on Mac Pro and ruled it out. I wonder how many buyers are opting for Mac mini solely for those Promise Thunderbolt arrays.
    I also assume that each of your users is currently using a single gigabit Ethernet port to connect to the LAN.
    If these assumptions are accurate, then I think that a Mac mini will work as long as you and your users have appropriate expectations. The win from putting this server in place won't be networked storage that outperforms an internal SATA drive, although in bursts it probably can. The solution you've described is smart because it's centralized, securable and adds a layer of data protection (RAID).
    You asked about bottlenecks. I can think of three, two of which you can work around now or in the near future. The first is Mac mini's slow internal hard drive(s). You'll have a solution in hand: Boot Mac mini from the array. Some consider that to be a controversial choice, but you shouldn't spend extra for the Mac mini server with dual 7200 RPM drives. The less costly Core i7 configure-to-order upgrade will give you a bigger boost.
    Booting from the array also protects you from the most likely "repair" scenario for Mac mini: Swapping out your entire machine.
    The second issue is Mac mini's lack of an expansion bus. If you get more users or start using apps that demand more from the LAN, you might want to fire up additional gigabit Ethernet ports. Mac mini has just one. At present, the only way to add a gigabit port is with a Thunderbolt PCIe bus expander. Early next year, there should be more options that connect directly or via an intermediate bus like ExpressCard/34 or USB 3.0.
    The one limitation you're powerless to work around is RAM. Mac mini tops out at 8 GB. That meets requirements, but it will be tight if you try to use Mac mini as a client and a server. I deploy them headless so no one's tempted to use the console.
    You can improve your odds that gigabit will cut it by using heavy, short Cat6 cables and a switch dedicated to the Mac LAN. Use Mac mini's built-in Wi-Fi to keep Remote Desktop and other low-priority traffic off the wire.
    Whatever solution you choose, I wish you the best of luck.

  • Extend wireless network with multiple airport express and netgear powerline

    I currently have the following network configuration:
    1. Using ATT u-verse (2-wire 3800HGV-B "modem") to internet
    2. Disabled the u-verse modem wireless router, and have connected an Apple Time Capsule wireless router (on a DMZ)
    3. Have four Netgear XAVB5001 powerline adapters connected to the time capsule (for our iMac desktops and the Apple TV)
    4. Have an Airport Express wirelessly connected to the time capsule to extend range (for our iPhones and iPad)
    All this is currently working. What I would like to do is the following, keeping 1-3 above the same:
    4. Connect the airport express to the time capsule via Netgear XAVB5101 powerline adapter (instead of wirelessly connecting to the time capsule as it is today) and use it to extend the wireless range of the time capsule
    5. Add ANOTHER airport express to the time capsule via powerline adapter (and extend the wireless range elsewhere in the house).
    Does anyone have any experience with this kind of setup and can assure that it would work? (I'm trying to decide whether to spring for a couple more powerline adapters and another airport express)
    Thanks in advance!
    Dave

    I had a VERY similar problem:  I was trying to extend my wireless network using a hardwired ethernet connection from Airport Extreme to my Time Capsule.  Every time I plugged in the wire to the TC, everything disappeared.  Unplugged, and boom.  Came back.
    Here's how I solved it:
    Go into Airport Utility and select the unit you are trying to use as a wireless extender and choose to edit it.  Then, on the wireless tab select CREATE a wireless network.  But, give it the exact same name and password.  This is completely counter-intuitive.  You would think to choose EXTEND, but this would be wrong.  Next choose the network tab.  And, select Router mode to Bridge (off).
    By choosing the same name and password, your phone, laptop, etc. will think it's on the same network and move seamlessly from one to the other.
    See if this fixes your issue.  Fixed mine instantly.  AND, it only took 3 painstaking hours of checking ethernet connections and rewiring jacks, etc. to figure it out.  LOL

  • Networking with USB ADSL modem (and AOL)

    hi there,
    just purchased first mac (macbook), and want to get it online.
    i have a windows desktop connected to AOL with a USB ADSL modem, and would like my Macbook to be able to be wirelessly connected to the internet.
    I understand that having AOL and a USB modem can be problematic in setting up a wireless network.
    Can anybody offer me any help, i.e what routers to buy and how to set it up? or even just link me to a similar topic?
    thanks very much in advance.
    Macbook   Mac OS X (10.4.6)   1.83 Ghz, 80Gb, 1Gb mem

    Hi andwhy,
    as Duane suggests, you need to replace the USB modem.
    You can get a wireless ADSL router for about £50.
    A USB modem can't be networked unless you use your PC as a gateway. This would involve installing router software on the PC; then you would need to get a wireless access point connected to the PC.
    So it is much simpler and more cost effective to use a wireless ADSL router.
    I would check out the adsl routers you can get from http://www.solwise.co.uk
