Port restricted

I normally can connect to iChat video. Recently I changed my provider to Comcast, and I am having a hard time connecting. It takes about 20 tries to actually connect, those are the days that it does work. Does anyone else have this problem?
I checked the connection doctor and it says: port restricted, this computer's network setup includes one or more devices that are not fully compatible with audio and video chatting.
I need help desperately, and Comcast charges for tech support. lamee.

Brittannny, welcome to the forums.
I would suggest making sure both of you have the latest chat software.
Also find out if the person you're having trouble video chatting to can chat with others.
A lot of the time firewalls can interfere with video chat. One trick to get around the firewall is to invite her to a video chat. Once it fails, have her invite you to a video chat. If this works you may want to re-configure your firewall.

Similar Messages

  • Yosemite Messages Screen Sharing Router Type: Port Restricted

    I want to do Screen Sharing via Messages as newly enabled in Yosemite (through Messages...not the Buddy List).  Unfortunately, it fails.  I run Connection Doctor under Video in Messages and see that I have an issue with the message "Router Type: Port Restricted".  I would like to see "Full Cone".
    What do I need to do?
    I am on AT&T U-Verse running a Motorola NVG589 modem. I have the wireless disabled on the NVG589.  The NVG589 is connected via ethernet to my Apple Airport Time Capsule (the tower model that is 802.11ac).  The Airport Time Capsule is set up in Bridge Mode - so as not to create Double NAT but to offer 802.11ac wifi speeds and to provide Time Machine backups.
    I have connected directly to the NVG589 modem and gotten the same "Router Type: Port Restricted" message.  I assume I must open a port/ports on the NVG589. If so...what are those ports?
    Any help would be greatly appreciated!

    Hi,
    The Messages app in all versions up to Mavericks only Screen Shares with AIM to AIM and Jabber to Jabber contacts as well as Bonjour connections on your LAN.
    It is based on those accounts that do Video and Audio Chats within the app.
    The iMessages invokes FaceTime to do Video and will not do Screen Sharing.
    However as you say there is this info:-
    Share a conversation —
    and your screen.
    Now you can share your screen with the person you’re chatting with. Then you can go from iMessage conversation to screen sharing with just a click. You can easily do things like collaborate on a presentation with a colleague, browse the web with a friend, or select airplane seats with your spouse. And Messages automatically initiates an audio chat when you start a screen sharing session, so you can talk things through while you’re at it.
    On checking the icon to Screen Share does appear in iMessages conversation Details option
    Notice the slightly diminished ("greyed out") quality to the Screen Sharing icon.
    It appears it only works to other Macs.
    The Buddies menu also has the option greyed out.
    Routers
    My Network Status looks like this.
    The Bandwidth Limit is set in Messages > Preferences > Video/Audio pane > Bandwidth Limit.
    Setting it to 500kbps is over what it needs to do 4 Way Video chat as Host.
    When it is a really fast connection to a much slower Buddy it can help and also with higher speeds come higher variances which can cause havoc.
    There are four main types of Router type as this refers to them.
    http://en.wikipedia.org/wiki/Network_address_translation#Methods_of_port_translation
    Port Restricted is just as effective as Full Cone.
    I have had it show up this way on a Thompson-Alcatel 510v4 when I was first On line in iChat 2 and a Netgear device I forget the number of, a Sagem Fast2504 from Sky my current internet provider when I had DSL and the current Fibre Hub that they supply.
    I have UPnP set as the method to open the ports needed.
    This allows the computer (apps) to tell the router which ports to open.
    They will also close after periods of non-use.
    Routers that do UPnP advertise the fact.
    You can reduce the number of devices that happens through (Hops). The default setting is normally 4.  Router to computer counts as 1 Ethernet hubs don't count. But large LANs with more routers (Subnets to LANs) will count as more Hops.
    Ports.
    Most devices have the first 1024 ports open (there are 65355 in total).
    These lower numbered ports handle things like Web Browsing on port 80.
    FTP on port 21 and 22
    Some Outgoing Mail servers on port 25
    Secure web connection on port 443
    and so on.
    Messages and FaceTime Video chats use ports above this.
    These are the ones you tend to have to allow.
    Video uses 5678 to send invites then moves to port 16402  (or one from a group of 10 ports below this)
    10:02 PM      Saturday; November 22, 2014
     iMac 2.5Ghz i5 2011 (Mavericks 10.9)
     G4/1GhzDual MDD (Leopard 10.5.8)
     MacBookPro 2Gb (Snow Leopard 10.6.8)
     Mac OS X (10.6.8),
     Couple of iPhones and an iPad

  • Ichat Port Restricted Problem

    I just installed OSX 10.7.4 on an iMac.  I am now getting a router error when setting up iChat.  I get the "Port Restricted" message and find that I am not getting any incoming communications.  I have found a help screen which explains(??) what is happening.  I am not the greatest IT guru and am lost in the explanation.  Can anyone point me to a beginners manual about the problem, and more importantly - how to fix it!!
    Thanks

    OK
    Here's the page of info.
    The Network Status pane of the Connection Doctor window displays information about
    your bandwidth setting and network router type. Both of these attributes influence
    your ability to establish and maintain connections during audio, video, and screen
    sharing chats.
    Bandwidth limitation: Indicates whether the bandwidth (data transfer rate) has been
    limited to a particular speed in iChat Audio/Video preferences. If the indicator is
    green, no limit has been set. If the indicator is yellow, click Settings to view and
    optionally change the limit setting in Audio/Video preferences, using the “Bandwidth
    limit” pop-up menu.
    Router type: Identifies the kind of network address translation (NAT) router your
    computer is using to communicate with other devices using the Internet.
    A NAT router lets you use one Internet connection to connect multiple computers or
    network devices to the Internet using a single public IPv4 address. Typically, the NAT
    router assigns private IPv4 addresses to the connected devices. When a computer
    sends outgoing packets, the NAT router translates (or “maps”) the packets’ private IPv4
    address and port to an address and port that can be used for replies.
    If the router type you see in the Network Status pane is Full Cone, your network setup
    is compatible with audio and video chatting. If the router is some other type, your
    network setup may be causing connection difficulties. Here are the NAT router types
    you may see in your Network Status pane:
    Full Cone: Anyone on the Internet can send replies to the computer by using the
    translated address and port. If either the sender or recipient uses a full cone port, the
    connection should succeed.
    Restricted: The router associates the translated address and port with a particular
    destination address. Replies from other addresses are filtered out.
    Port Restricted: The router associates the translated address and port with a particular
    destination address and port. Replies from other addresses and ports are filtered out.
    Symmetric: The router associates the translated address and port with a particular
    destination address and port, but uses a new translated port for each destination
    address and port.
    Unknown: The type of router couldn’t be determined.
    Network Status pane of Connection Doctor
    This last sentence about the router not known appeared after I redid the Netgear "Routerlogin program". So I did do something but nothing changed in the iChat program.
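
An added example, not part of the original posts or of Apple's help text: a toy Python model of the four router types the help page describes, probed in the style of classic STUN (RFC 3489) classification, plus a check of which pairs of routers can connect on the first invite or only after the other side re-invites. All addresses, names and the probe order are constructed for illustration; how Connection Doctor itself detects the router type is not stated on the page.

```python
"""Toy model of the four router types in the help text (constructed example)."""
from dataclasses import dataclass, field

FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = (
    "Full Cone", "Restricted", "Port Restricted", "Symmetric")

# Constructed endpoints (documentation address ranges, not real hosts).
RENDEZVOUS = ("198.51.100.5", 3478)       # server both sides can always reach
PROBE_ALT_PORT = ("198.51.100.5", 3479)   # same address, different port
PROBE_ALT_ADDR = ("198.51.100.77", 3478)  # different address


@dataclass
class Nat:
    kind: str
    public_ip: str = "203.0.113.1"
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # mapping key -> public port
    owner: dict = field(default_factory=dict)      # public port -> inside (ip, port)
    contacted: dict = field(default_factory=dict)  # public port -> destinations sent to

    def outbound(self, src, dst):
        """Inside host src sends to dst; return the translated (ip, port)."""
        # Symmetric: a new translated port for each destination address and port.
        key = src + dst if self.kind == SYMMETRIC else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.owner[self.next_port] = src
            self.next_port += 1
        port = self.mappings[key]
        self.contacted.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Packet from remote to public_port; return inside host, or None if filtered."""
        if public_port not in self.owner:
            return None
        seen = self.contacted[public_port]
        if self.kind == FULL_CONE:
            allowed = True                                  # anyone may reply
        elif self.kind == RESTRICTED:
            allowed = remote[0] in {ip for ip, _ in seen}   # address must match
        else:
            allowed = remote in seen                        # address and port must match
        return self.owner[public_port] if allowed else None


def classify(nat, host=("192.168.1.10", 16402)):
    """Probe a Nat from outside and name its type."""
    _, mapped = nat.outbound(host, RENDEZVOUS)
    if nat.inbound(PROBE_ALT_ADDR, mapped):
        return FULL_CONE
    if nat.inbound(PROBE_ALT_PORT, mapped):
        return RESTRICTED
    _, mapped_again = nat.outbound(host, PROBE_ALT_ADDR)
    return PORT_RESTRICTED if mapped_again == mapped else SYMMETRIC


def try_invite(caller, callee, host_c, host_e, adv_e):
    """Caller sends to callee's advertised address; True if the reply gets back."""
    src = caller.outbound(host_c, adv_e)      # also opens a hole in caller's NAT
    if callee.inbound(src, adv_e[1]) is None:
        return False
    reply_src = callee.outbound(host_e, src)  # callee answers the observed source
    return caller.inbound(reply_src, src[1]) is not None


def can_connect(kind_a, kind_b):
    """Return 'first invite', 're-invite' or None for two routers of the given types."""
    a, b = Nat(kind_a, "203.0.113.1"), Nat(kind_b, "203.0.113.2")
    host_a, host_b = ("192.168.1.10", 16402), ("10.0.0.20", 16402)
    adv_a = a.outbound(host_a, RENDEZVOUS)    # addresses each side advertises
    adv_b = b.outbound(host_b, RENDEZVOUS)
    if try_invite(a, b, host_a, host_b, adv_b):
        return "first invite"
    if try_invite(b, a, host_b, host_a, adv_a):
        return "re-invite"
    return None


if __name__ == "__main__":
    kinds = (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC)
    for k in kinds:
        print(f"{k:16} classified as {classify(Nat(k))}")
    for ka in kinds:
        for kb in kinds:
            print(f"{ka:16} -> {kb:16} {can_connect(ka, kb)}")
```

In this model two Port Restricted routers connect only on the re-invite, because the first invite is what opens the caller's side, while Port Restricted against Symmetric never connects.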

  • Network Status: Port Restricted???

    So my iChat one day I started noticing that it was getting fuzzy, so I went to look under Network Status and found that next to Router Type: it says "Port Restricted" and I found out this could cause poor picture quality. How do I fix this? I'm using a D-Link router if that's anything.

    Hi,
    The Question mark at the top of Defcom's Pic will tell you more.
    It is about the way your Routing device does NAT.
    NAT (Network Address Translation) is not the same on every device. There is no standard as such.
    iChat "prefers" Full Cone as it is called but I also have Port Restricted listed and have no problems
    8:56 PM Wednesday; December 2, 2009
    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

  • Video/Screen Sharing via 3G connection not possible - port restrictions?

    I'm running Jabber-based iChat AV 5.0.3 sessions from my MBP connected to the Internet via a wireless USB modem 3G/UMTS (German Telekom D1 network). My buddies are connected to the Internet via regular broadband connections (DSL). I have set up a hosted Jabber server via Dreamhost (without SSL, port 5222 used).
    Status Quo:
    - Contact status of remote Jabber users shows up properly. All buttons (text chat, screen sharing, video) are available (not greyed out) on both sides.
    - Text chat works fine.
    - Video chat and screen sharing can be invoked from both sides (confirmation window shows up), but after confirmation the initiation process doesn't finish successfully. The video/screen sharing session doesn't run. *iChat AV shows a message indicating that it doesn't receive an answer from the remote user device.* If the iChat session is initiated from a buddy's computer, the buddy gets the same message respectively.
    - For testing purposes, I changed the internet connection on my MBP from the mobile 3G USB modem to a regular *DSL broadband connection (same ISP, German Telekom). In this scenario, video/audio calls and screen sharing work flawlessly!* Therefore, I assume that the problems in 3G connection mode are caused by the ISP (German Telekom) blocking/restricting ports required by iChat AV for initiating the video call and streaming the data on their 3G network.
    Is there any way to bypass ISP restrictions, by either changing specific iChat AV port settings on both ends (client devices) or by port forwarding? If yes, which settings should I change? Unfortunately, I couldn't find any document indicating which ports are opened/allowed by German Telekom's 2G/3G (GSM/UMTS) network.
    Below is an excerpt of the error message produced by iChat AV:
    iChat Connection Log:
    2010-11-09 21:18:19 +0100: AVChat started with ID 494414145.
    2010-11-09 21:18:19 +0100: [email protected]: State change from AVChatNoState to AVChatStateWaiting.
    2010-11-09 21:18:19 +0100: 0x1a8bf8b0: State change from AVChatNoState to AVChatStateInvited.
    2010-11-09 21:18:28 +0100: 0x1a8bf8b0: State change from AVChatStateInvited to AVChatStateConnecting.
    2010-11-09 21:18:28 +0100: [email protected]: State change from AVChatStateWaiting to AVChatStateConnecting.
    2010-11-09 21:18:48 +0100: 0x1a8bf8b0: State change from AVChatStateConnecting to AVChatStateEnded.
    2010-11-09 21:18:48 +0100: 0x1a8bf8b0: Error -8 (Did not receive a response from 0x1a8bf8b0.)
    2010-11-09 21:18:48 +0100: [email protected]: State change from AVChatStateConnecting to AVChatStateEnded.
    2010-11-09 21:18:48 +0100: [email protected]: Error -8 (Did not receive a response from 0x1a8bf8b0.)
    Video Conference Error Report:
    0.000000 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/DotMacConfiguration.m:1039 type=4 (FFFFFFFF/2)
    [HTTP GET failed (0)]
    0.000627 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/DotMacConfiguration.m:758 type=4 (FFFFFFFF/0)
    [HTTP GET failed (0)]
    0.346813 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/DotMacConfiguration.m:758 type=4 (FFFFFFFF/0)
    [HTTP GET failed (0)]
    1331.086051 @/SourceCache/VideoConference/VideoConference-415.22/SIP/SIP.c:2917 type=4 (900A0015/0)
    [SIPConnectIPPort failed]
    1333.086142 @/SourceCache/VideoConference/VideoConference-415.22/SIP/SIP.c:2917 type=4 (900A0015/0)
    [SIPConnectIPPort failed]
    1335.086270 @/SourceCache/VideoConference/VideoConference-415.22/SIP/SIP.c:2917 type=4 (900A0015/0)
    [SIPConnectIPPort failed]
    1337.086603 @/SourceCache/VideoConference/VideoConference-415.22/SIP/SIP.c:2917 type=4 (900A0015/0)
    [SIPConnectIPPort failed]
    1339.087985 @/SourceCache/VideoConference/VideoConference-415.22/SIP/SIP.c:2917 type=4 (900A0015/0)
    [SIPConnectIPPort failed]
    1341.088212 @/SourceCache/VideoConference/VideoConference-415.22/SIP/SIP.c:2917 type=4 (900A0015/0)
    [SIPConnectIPPort failed]
    1343.088361 @/SourceCache/VideoConference/VideoConference-415.22/SIP/SIP.c:2917 type=4 (900A0015/0)
    [SIPConnectIPPort failed]
    Video Conference Support Report:
    929.446913 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/VCInitiateConference.m:2059 type=2 (00000000/0)
    [Connection Data for call id: 1 returns 1
    934.996640 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/VCInitiateConference.m:2074 type=2 (00000000/0)
    [Prepare Connection With Remote Data - remote VCConnectionData: 1, local VCConnectionData: 1
    935.002114 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/VCInitiateConference.m:2266 type=2 (00000000/0)
    [Initiate Conference To User: u0 with Remote VCConnectionData: 1 with Local Connection Data: 1 conferenceSettings: 1]
    935.467624 @/SourceCache/VideoConference/VideoConference-415.22/SIP/Transport.c:2138 type=1 (00000000/0)
    [INVITE sip:user@rip:16402 SIP/2.0
    Via: SIP/2.0/UDP lip:16402;branch=z9hG4bK0fdd30e326aa779b
    Max-Forwards: 70
    To: "u0" <sip:user@rip:16402>
    From: "0" <sip:user@lip:16402>;tag=544473054
    Call-ID: 9c7ecf46-ec3d-11df-8530-f81eeb5f4012@lip
    CSeq: 1 INVITE
    Contact: <sip:user@lip:16402>;isfocus
    User-Agent: Viceroy 1.4
    Content-Type: application/sdp
    Content-Length: 708
    Video Conference User Report:
    928.427249 @:0 type=5 (00000000/16402)
    [Local SIP port]
    934.996832 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/VCInitiateConference.m:2171 type=5 (00000000/0)
    *[Remote Router]*
    *[PORT RESTRICTED]*
    934.996842 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/VCInitiateConference.m:2173 type=5 (00000000/0)
    [Remote CommNAT Result: 0x000000d0
    936.003962 @:0 type=5 (00000000/60)
    [Detected bandwidth (kbits/s): 2627 up, 2627 down. (00000000)
    936.033015 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/VideoConferenceMultiController.m:2423 type=5 (00000000/0)
    [Start Conference With UserID: u0]
    978.787787 @:0 type=5 (00000000/16402)
    [Local SIP port]
    1014.011790 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/VCInitiateConference.m:2171 type=5 (00000000/0)
    [Remote Router]
    [PORT RESTRICTED]
    1014.011800 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/VCInitiateConference.m:2173 type=5 (00000000/0)
    [Remote CommNAT Result: 0x000000d0
    1015.024555 @:0 type=5 (00000000/60)
    [Detected bandwidth (kbits/s): 2627 up, 2627 down. (00000000)
    1015.031800 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/VideoConferenceMultiController.m:2423 type=5 (00000000/0)
    [Start Conference With UserID: u0]
    1323.083386 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/VCInitiateConference.m:2171 type=5 (00000000/0)
    [Remote Router]
    [PORT RESTRICTED]
    1323.083396 @/SourceCache/VideoConference/VideoConference-415.22/Video Conference/VCInitiateConference.m:2173 type=5 (00000000/0)
    [Remote CommNAT Result: 0x000000d0
    (…)

    Hi,
    Does this 3G device have any set up functions that are on your Mac ?
    If it does not it is likely that it is wide open to all Port (65535 of them).
    I presume that in System Preferences > Network you see a Public IP when using this device ?
    Again this would tend to point to all the ports being open.
    Is there anything on the ISP's web site that suggests this device is unsuitable to be used with VoIP or SIP connections ?
    VoIP (Voice over the Internet) uses the SIP connection process the way iChat does.
    Most likely the issue is the way packets are sent.
    When you do a download, for instance, do you find the speed increases in the first few minutes ?
    When some data packets are sent over the Internet the next one is not sent until confirmation that the first has arrived.
    This Latency affects Point to Point WiFi (antenna to Dish on House) and satellite connections mostly particularly when it is a two way thing.
    It can affect Mobile/Cell phone type connections.
    What sort of Speeds are you getting on the 3G device ?
    http://www.speedtest.net/
    Do these seem to get faster as the time proceeds ? (this can be difficult to spot).
    The Log mentions one end being at just over 2Gbps although it does not make it clear which end.
    As the Remote end is the end that reports "Router: Port Restricted" and it works over standard DSL we have to presume they have the ports open.
    You could try restricting iChat's Bandwidth in iChat menu > Preferences > Video Section to 500kbps (try it at both ends)
    If that does not work try 200kbps
    This may stop iChat from trying to send data too Fast for the Network Connections.
    Realistically there are a few too many variables here.
    It could be Speed of data throughout at the Initiation point. (Slow Start up of data transfer)
    It could be an Internal setting preventing SIP.
    It could be that the 3G network sends and receives data by different routes.
    (I have seen this once when an ISP was repairing some Cabling. To maintain end user speeds they managed their own network to split Incoming and outgoing data to the end point.)
    iChat does not like this as it checks the IPs and the Hops (number of intermediate stages/servers) and if the data is different it will not connect (Man in the Middle attack protection).
    I can't remember the last time I knew of someone being successful with either a 3G USB dongle or a 3G phone as Modem (internet Sharing).
    Despite my ideas I think you will be unlucky and this will not work.
    10:31 PM Saturday; November 13, 2010
    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

  • Time Capsule + DG834G Port Restricted

    Hi,
    When I go on the connection doctor in iChat it says that my router is 'Port Restricted'. I am using a Netgear DG834G and Time Capsule so how would I get it to stop saying it? I would have thought it wouldn't say that as I'm using a Time Capsule, although maybe it's because I have it in bridge mode with the DG834G? If so, I've already tried to use it not in bridge mode and it didn't work, unless there's another way of doing it?
    Thanks

    Thanks so much for suggesting those things, I hadn't stopped the firewall on the DG834G, but when I did iChat reported it as 'Full Cone' with a green status and also Back to My Mac had a green status too which it hasn't had before!
    I did a port scan and realised that even though the firewall on the DG834G is stopped, the Time Capsule firewall is on instead. I always thought that if the two were connected on 'bridge mode' then Time Capsule didn't have a firewall on, because I didn't see any settings for it on the Airport Utility. So thanks for that because it's now all working!

  • IP Blocking / Port Restrictions

    For someone not from a networking background, can someone help me with a query I have about IP Blocking on the Listener port?
    I have read the best practices for securing Oracle, which state it is best practice to specify a list of allowed ip addresses that can connect to the port which the oracle listener is listening on - and deny access from untrusted clients. I get the logic behind that. I am also aware Oracle itself doesn't do the port blocking, a firewall does. But which firewall typically will do this IP Blocking? Are we talking a firewall installed on the Database Server, or some sort of perimeter firewall that can also prevent connections to specific Servers such as an Oracle Database Server? Excuse my ignorance on Firewalls.

    user599292 wrote:
    Thanks, So it's not uncommon to have a firewall just for the sole purpose of protecting the Database Server? Or is it more likely in most setups to find a single corporate firewall will be used to restrict access from specific clients to specific servers?
    I agree that a firewall is by far a better option - the Listener is not really suited to deal with IP blocking and it cannot really restrict ports (this needs to be done lower down in the IP stack).
    An Oracle Listener is no different than a Mail Server Listener, a Web Server or most any other TCP server. All these have listener processes. They bind a TCP socket to a port number, and then call the listen() socket command to listen for connect() requests from clients.
    It's more sensible to deal with network security for these servers in a single firewall implementation and configuration, than to deal with each server separately where there is no consistency in how they support network level security.
    A firewall can be software and can be local - one of the better ones is an Open Source application called iptables. This runs as a kernel module and provides a rich feature set of network access and control. From blocking protocols, IPs, subnets to IP masquerading (NAT).
    So you do not need an expensive and separate and dedicated firewall to protect a server - it can also be a local firewall on that server that is configured to protect the network services on that server.
    I would not use the Oracle Listener to deny access from certain IPs or subnets. Instead, I will use something like iptables, and configure and execute the applicable blocking rule.
    But if you go down this route, half measures do not make sense. You should also harden your IP stack. There are a number of config changes that can be done to ensure a robust IP stack, like disabling IP spoof attacks, ignoring broadcast pings (used in some DoS attacks), block source routing, not accept redirects, making sure that the dynamic port range is sane, etc.

  • Video Chat/ Port Restricted

    My MacBook Pro I messages app doesn't show incoming video chat calls or allow people to accept when I ask for someone to Video Chat... Please Help me out... It does say that my Port is Restricted when I go to video then connection doctor but I do not know how to unrestrict the port..

    Hi jlempert10!
    Here is an article that can help you address these video chat issues:
    Messages (Mountain Lion): Fix video chat issues
    http://support.apple.com/kb/PH12060
    Additionally, you may need to make sure that your internet settings conform to the recommended settings in this article:
    iOS and OS X: Recommended settings for Wi-Fi routers and access points
    http://support.apple.com/kb/ht4199
    Thanks for coming to the Apple Support Communities!
    Regards,
    Braden

  • How can I configure Port-Restricted Cone NAT ?

    Hi,
    I need to simulate  Port_restricted Cone NAT ,  example will be great.
    Thanks

    Hi.. did you get a solution for this problem?

  • Restricted Ports

    My computer won't do any sort of video chat, Facetime/Skype. It is also rejecting sending emails that I send to certain people. Some people get my messages and some do not varying completely with no seemingly obvious link. It seems to be happening on my Macbook Pro that I got in 2011.. When I go into connection doctor on my computer it says "Port Restricted." I really want to voice chat through my computer but I can't and I don't know why. We have Verizon Fios with an ActionTec router. I called Verizon and they said nothing is wrong that it must be my computer and my mother's iPad. I have also tried setting up a wireless network with my phone on both devices and it seems to be the same problem. I want to use Yahoo Chat and Webcam so bad. Please help me.

    Bod,
    Thanks for the reply. I understood very well what Safari was doing - I even know why. What I don't understand is why they don't provide a workaround, not even editing some obscure plist file. I can certainly use your suggestion and try to convince the hosting entity to change port numbers - they have a bunch of webcams linked from the same IP address and it looks like they just selected a sequential series of ports in the 8x range. But this ignores the point that from the standpoint of client software, this security mechanism is poorly implemented. It's great to provide sane defaults, but not allowing the freedom to connect to ANY desired TCP port simply makes the client inferior for some uses.
    I was hoping someone would point out a thread I'd missed where a client-side solution was provided and call me an idiot for not trying to find the answer myself
    Thanks though!

  • Ports problems with 10g XE

    Hello!
    I'm using Oracle 10g XE on Windows Server 2003, the installation was successfully realized.
    The problem is that I can't access the login page : http://127.0.0.1:8080/apex . I think that the problem comes from a port restriction (but I'm not sure!) : the 8080 port is certainly blocked, but I don't know how to open it ...
    With Windows XP Pro, I had no problem ... ! Nevertheless I used the same anti-virus program with the same rules ... !
    Can someone help me please, I'm losing my hair !!
    Thanks !


  • What is the correct port number that DI used to communicate with CI?

    Hello All,
    Could you tell me the correct port numbers that a dialog instance used to connect to Central instance?
    I just installed a CI (ABAP + Java) with instance number 05 and 06, and also I installed a DI which instance number is 07.
    Every time when I tried to start up DI, the process list (disp+work) and Java server0 can not start up, always yellow...
    But when I close the windows firewall on CI machine, the CPU began to work happily until the DI started successfully with green light.
    So, I know the root cause is happened on port restrictions, but I don't want to always let the CI windows firewall closed, I just want to allow the corresponding ports. Now, the port number I opened on CI is:
    3205,3206,3305,3306,3605,3606,3905,3906,50500,50501,50600,50601... But all of those port are not the correct ports, could  any experts tell me?
    Thank you very much in advance.
    Best regards,
    Nick

    Hi All,
    Thanks for your reply.
    I already opened those ports you mentioned above, but it still doesn't work, once I close the windows firewall, the work process jlaunch.exe began to work.......CPU from the bottom to top....
    Yes, I know that it's useless to open the firewall between CI and DI, here I just want to know the mechanism of communication between CI and DI, which ports are they used.
    The instance number on CI is 05(ABAP) and 06(Java), and the number for DI is 07.
    On CI host, I opened ports:3205,3206,3305,3306,3605,3606,3905,3906, 50500,50501,50502,50600,50601,50602 and 1527
    On DI host, I opened ports:3207,3307,3607,3907,50700,50701,50702
    Are those not enough for communication between DI and CI?
    Best regards,
    Nick

  • Security for the l2 ports of 4506 catalyst

    Hi
    I have users of around 4000 in a building . They were configured for their project subnet and we have a guest network for the external users who come to visit their project people..We have to put them in a guest subnet where his access is restricted...But Many of my users would come calling up their guests and make them to sit along with them and our employee would give up his port to the guest where he would also be a project network and the guest would have all the possibilities to see our employees project details coupled with our company resources...
    I want to have a remedy for this..
    I tried configuring the Mac-based port restrictions . But we have lot of pc's moving internally , so our intervention in configuring the ports also increases day by day....
    What i would like to have is ...
    I must have all the mac-addresses of our company network .....When a mac-address apart from this is received it should block that ....so that the guest laptop plugged into the employees port must get blocked and whereas any of the prescribed lap tops mac-address must not get blocked in that port...
    Is there any for this....?
    pls reply
    Regards.....
    Gokulakrishnan.

    Hi Gokulakrishnan -
    Yes - the NAC Appliance is a hw/sw solution for you.
    There are a few components
    - the NAC Manager - this is where the policy is defined (also called CAM)
    - the NAC Server - this enforces the policy and is placed nearest the user (also called CAS)
    - the NAC Agent - this installs on the computers to provide posture information
    Eval Units are available through your account team.
    Please let me know if you have additional questions.
    thxs
    peter

  • Clientless SSL VPN and ActiveX question

    Hey All,
    First post for me here, so be gentle.  I'll try to be as detailed as possible.
    With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports.  However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center.  I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup.  Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective.  My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
    First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server).  I am unable to browse (via bookmark) to the internal address of the remote web server.  Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal.  I am testing this external connectivity using a cell card to be able to simulate outside access.  Is accessing the external IP address by design, or do I have something hosed?
    Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions.  I am not able to use controls that require my company's ActiveX controls (video, primarily).  I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through.  The stream only runs at about 5 fps, so it's not an intense stream.
    I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail.  I do see a decent number of "no translates" from a show nat:
      match ip inside any outside any
        NAT exempt
        translate_hits = 8915, untranslate_hits = 6574
    access-list nonat extended permit ip any any log notifications
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list outside_in extended permit icmp any any log notifications
    access-list outside_in extended permit tcp any any log notifications
    pager lines 24
    logging enable
    logging asdm informational
    logging ftp-server 192.168.16.34 / syslog *****
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 1 interface
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.16.32 255.255.255.224
    nat (inside) 1 192.168.17.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_in in interface outside
    192.168.2.0 is my corp network range
    192.168.2.171 is my internal IP for corp ASA5510
    97.x.x.x is the external interface for my corp ASA5510
    192.168.16.34 is the internal interface for the remote ASA5505
    64.x.x.x is the external interface for the remote ASA5505
    192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
    As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out.  Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% proper to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACL's between the 5510, and the 5505.
    I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN.  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?
    Thanks much for any and all ideas!

    Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!
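The configuration posted above starts the `nonat` ACL with `permit ip any any`, and ASA ACLs are first-match, so every later `nonat` entry is dead while that test line stays in place. The following is an added example, not part of the original post or any Cisco tooling: a small Python audit that flags any/any permits and shadowed entries; the function names are hypothetical and the sample is an excerpt of the ACL lines quoted in the post.

```python
import ipaddress

# Excerpt of the ACL lines quoted in the post above (original order kept).
SAMPLE_CONFIG = """\
access-list nonat extended permit ip any any log notifications
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list outside_in extended permit tcp any any log notifications
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def take_addr(tokens):
    """Consume one ASA address spec (any | host A | NET MASK) from tokens."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_acls(text):
    """Return {acl_name: [(line_no, proto, src, dst), ...]} for permit entries."""
    acls = {}
    for line_no, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:4] != ["extended", "permit"]:
            continue
        try:
            rest = tok[5:]
            entry = (line_no, tok[4], take_addr(rest), take_addr(rest))
        except (ValueError, IndexError):  # named object or truncated line: skip
            continue
        acls.setdefault(tok[1], []).append(entry)
    return acls

def audit(text):
    """Flag any/any permits and entries shadowed by an earlier, broader entry."""
    findings = []
    for name, entries in parse_acls(text).items():
        for i, (ln, proto, src, dst) in enumerate(entries):
            if src == ANY and dst == ANY:
                findings.append((name, ln, "any-any"))
            for eln, eproto, esrc, edst in entries[:i]:
                if eproto in ("ip", proto) and src.subnet_of(esrc) and dst.subnet_of(edst):
                    findings.append((name, ln, f"shadowed-by-line-{eln}"))
                    break
    return findings
```

Entries that use an ASA `name` alias (such as `host A-172.16.9.34`) cannot be resolved from the ACL alone and are skipped rather than guessed.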

  • NAT issue - WRT54G Version 1.1 with Vista Home Premium

    Router = WRT54G Version 1.1
    I am trying to figure out the cause of my problems, this router or Vista?
    I have 2 PC’s (just want to use my Vista 1) connected to the same router that is connected to a cable modem – the Windows XP machine has no problems bar its age and spec. I have a brand new PC with Vista Home Premium installed on it, now it is this new PC that I am having NAT problems with and port blocking.
    I have installed Windows Live Messenger and when setting it up I went into Tools/Options/Connections and I get an error message:- "You are connected to the internet through a UPnP port restricted NAT. The Windows Firewall is enabled. (User)"
    I have no option to run the trouble shooter (greyed out)…….
    If I turn off Windows Vista Firewall I get:- "You are connected to the internet through a UPnP port restricted NAT. (User)"
    Since this I have installed Media server software and have to reset the port it uses every time as it is always stating that it is blocked.
    I have downloaded OpenOffice via a torrent client which also stated that I had NAT problems.
    I have no NAT issues at all on my older XP PC and as a result I believe it is safe to rule out my router and modem……..I have only disabled Windows Firewall and this had made no difference, but I have not tried uninstalling it (no idea if that would make a difference)
    Oh, I do not have UPnP enabled (router setting) – does this matter (I have tried turning it on but made no difference to this issue so I turned it off again)?
    Message Edited by jomuir on 08-23-2007 02:50 AM

    user11241256 wrote:
    Documentation states that Oracle is supported on Vista business and Ultra. Unfortunately I have Home Premium 64 and was curious if anyone had experience installing on this OS. I did attempt to install the 11g and I got one warning below that I could not find in the documentation for errors.
    You have answered your query yourself.
    You might be able to get the things running on an unsupported combination but there is no guarantee about the stability.
