RMI game behind a router

Similar Messages

• RMI SERVER behind the router....!!!!!!!!!!!!

  Hi I am new here...And Have a problem regarding to java RMI...
  I have a uni assignment which asks us to write an online tic tac toe game using RMI..well assigment only request if it can be run on the same machine and I finished..
  But now I am trying to config it to real life with internet instead of LAN.
  Basically I have one static IP assigned by my ISP... and I have local IP addresses on my machines. The addresses will be translated by my router to the public one...
  My server is running on port 8081 of my server computer with an local IP addresses... and I did port forwarding in my router to forward all the 8081 request to this server...
  And the the client use the public IP to locate my server they can acctually connect to my server and get the stub or ref to it...But when they acctually trying to call a method on
  the server side, I realised they actually using the local IP addresses of my server machine instead of the public one..so i think the stub acctually bind the machine IP and ask client to use this IP to communicate.
  This obviously not going to work...And In the API it seems like I can not acctually do anything about IP address when create the Registry..
  Any clue on this Thank you.......

  No, the stub consists of a single Java object which contains the IP address and port number of the host from which the remote object was exported. The client knows the initial lookup address for the Registry but it performs all subsequent communications via the information embedded in the stub.
  @OP: you need to export your remote object on a fixed port, have the router forward that port, and set the system property java.rmi.server.hostname in the server JVM to the external IP address of the router.

• RMI Server behind Router: How to set the right IP?

  Hi, I am having trouble with the Server of an RMI application, the set up is this:
  1. The server is not always running on the same host: it may be a computer with a publicly visible and unique IP, or it may be under a computer behind a router.
  2 . The user that runs the server may not know how to get his IP in the router environment.
  3. The user that runs the server knows sh*t about rmiregistry or how to set a Property to the java interpreter (for example: -Djava.rmi.server.hostname=<host>).
  4. The Server code is this:
  * Represents the Server to the Domination app (including the chat plugin).
  public class Server {
       private static final int PORT_NUM = 1099;
       private static final String CHAT = "chat";
       private static final String DOMINATION_FACTORY = "Domination";
        * Sets the Chat and Application Servers.
        * @param args
        *            Never used.
       public static void main(String[] args) {
            try {
                 Registry registry = LocateRegistry.createRegistry(PORT_NUM);
                 Chat chatObject = new ChatImpl();
                 UnicastRemoteObject.unexportObject(chatObject, true);
                 UnicastRemoteObject.exportObject(chatObject, PORT_NUM);
                 registry.rebind(CHAT, chatObject);
                 System.out.println("Chat ready...");
                 Fabrica fabricaObject = new FabricaImpl();
                 UnicastRemoteObject.unexportObject(fabricaObject, true);
                 UnicastRemoteObject.exportObject(fabricaObject, PORT_NUM);
                 registry.rebind(DOMINATION_FACTORY, fabricaObject);
                          System.out.println("Domination Factory ready...");
                 System.out.println("All systems up and running");          
            } catch (Exception e) {
                 e.printStackTrace();
                 System.exit(1);
  }I wrote the code that way (and not using Naming.rebing("//" + host_name + "/Service", serviceObject)) so the server user won't need to run the rmiregistry (In fact, the Server is deployed via a jar file, so just a happy double-click to the jar will do the work)...
  OK, then the problem is this: The client is always having "connection refused" Exceptions while the server is behind a router and not in the same network of the client.
  The IP that is shown in the exception is always the inner IP of the host (or 10.x.x.x or 192.168.x.x or whatever it may be). So it seems that the registry is always choosing that IP and not the router's.
  I need to know if there is a way to rewrite the Server code so the user just should do the same 'double-click' to run the server and not mess around "investigating" the outer IP. I read some of the RMI specs and it suggest to do IP Tunneling and some other techniques that I don't think may be appropiate to the nature of this "roaming server" application.

  Thanks, but that still doesn't do the work. As I stated in the post, not every user will know how to set java.rmi.server.hostname or even look for an outer IP... I was asking for an "automagical" way to code my server class so it could do some job to do the guessing.
  Even though... I tried both ways at home with the help of a friend as the client, and it seemed to work. The client connected to the server but it was kicked out in less than 30 seconds. Being specific, every client, the ones inside and the ones outside my network. As if the only right way was to let the JVM set the IP (but again, in that way the server is invisible to the clients outside the network).

• Set up a proper live and local DNS behind a router

  Hello dear friends,
  I'm new to Snow Leopard Server and also i'm quite inexperienced in setting up DNS. We bought a Mac Pro for out small company along with Snow Leopard Server to become independent from our ISP, for some specific services like web hosting, mail and to bring up new services like Address book server, iCal server, FTP, Mobile access etc...
  So for me to do that i have to set up our own DNS first. We already bought our domain name (crisconsult.ro) and since then the site has been hosted on our ISP and then aliased to Apple. We also have our own (fix) public IP 80.86.123.116.
  Having installed SL Server and set-up, behind an Airport extreme router, the server was unable to pick up our name server which is ns.crisconsult.ro. Since the router is the first in the network, the server became second with a local IP 10.0.1.2. This is the same IP that the server automatically set up for DNS, BUT if i keep this ip on our name server (ns) i feel it's not good since:
  host ns.crisconsult.ro returns
  ns.crisconsult.ro has address 10.0.1.2
  and host 80.86.123.116 returns
  116.123.86.80.in-addr.arpa domain name pointer ns.crisconsult.ro.
  As i understand there should be our public IP (80.86.123.116), BUT all the tutorials on the net regarding setting up DNS in Leopard Server point that at DNS one should put the machine's own local IP and have the machine look at itself as DNS in network settings.
  So? Is there a local DNS and a public DNS to set up? What gives?
  I could really appreciate some help in configuring DNS, along to some good and real examples of DNS servers configured behind a router.
  Thanks,
  Andrei

  Andrei,
  I too, would love nothing more than to be able to use DNS on my 10.4, 10.5 & 10.6 servers. Unfortunately, the only way I have found to effectively wield a somewhat complete level of control over the bind DNS included with the server, is to abandon all usage of the Server Admin DNS control in favor of something like webmin. The good news is, webmin gives you a host of other features that I (sadly) don't expect to see within the Apple Server GUI any time soon.
  Bad news, is that the 'best practice' way of setting up a stable, functional DNS on a Mac Server seems to be: clean install, webmin install, and never, ever use the apple DNS interface. Similar rule applies to web server.
  I like to think the measure of a good admin is the ability to fix the problem(s) without having to reinstall completely. However, I can say from much experience and extensive googling, that what you are trying to do is a game of hopscotch in a minefield. You should be VERY familiar with the installation and setup process once you have your box configured the way you want it.
  Hopefully one day Apple will decide to take the bull by the horns and address teh fact that DNS is an integral part of a sever set up these days and provide us users with some of that Apple think-outside-the-box-so-you-dont-have-to product that they have been so well known for. I can't say whether they're in too much of a hurry deploying video iPods or super-duper mice that the server product that you and I would love to see work efectively simply doesn't.
  Sorry to get on a rant, I just want to save you some time that I lost figgerin' on this vexing enigma. I can use citations for my assertions if need be.
  -Chance

• Cant ping behind cisco router (site2site vpn)

  Dears;
  After configure site to site vpn between cisco router and fortigate firewall,
  site A : 10.0.0.0/24     behind fortigate
  site B: 10.10.10.0/24  behind cisco router
  the tunnel is up and I can ping 10.0.0.1 from site B and can ping 10.10.10.1 from site A but I cant ping any ip inside 10.0.0.0/24 form site B or network 10.10.10.0/24 from site A
  my cisco router configuration is
  Current configuration : 2947 bytes
  ! No configuration change since last restart
  version 15.1
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  boot-start-marker
  boot-end-marker
  enable secret 4 EE103as6FtdocdBefpgugX6P9eGaDKDyBvwz7AywH5Q
  no aaa new-model
  memory-size iomem 10
  clock timezone cairo 2 0
  crypto pki token default removal timeout 0
  ip source-route
  ip dhcp excluded-address 192.168.16.1
  ip dhcp excluded-address 10.10.10.1 10.10.10.10
  ip dhcp pool GUEST
   network 192.168.16.0 255.255.255.0
   default-router 192.168.16.1
   dns-server 8.8.8.8 8.8.4.4
  ip dhcp pool LAN
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8 8.8.4.4
  ip cef
  controller VDSL 0
  ip ssh version 2
  crypto isakmp policy 10
   encr aes
   hash sha256
   authentication pre-share
   group 5
  crypto isakmp key 6 *********** address 4.x.x.x no-xauth
  crypto ipsec transform-set myset esp-aes esp-sha256-hmac
  crypto map kon-map 10 ipsec-isakmp
   set peer 4.x.x.x
   set transform-set myset
   set pfs group5
   match address 105
  interface Ethernet0
   no ip address
   no fair-queue
  interface ATM0
   no ip address
   ip mtu 1452
   ip tcp adjust-mss 1452
   no atm ilmi-keepalive
  interface ATM0.1 point-to-point
   ip flow ingress
   pvc 0/35
    encapsulation aal5snap
    pppoe-client dial-pool-number 1
  interface FastEthernet0
   switchport mode trunk
   no ip address
  interface FastEthernet1
   no ip address
  interface FastEthernet2
   switchport access vlan 2
   no ip address
  interface FastEthernet3
   no ip address
  interface Vlan1
   ip address 10.10.10.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly in
  interface Vlan2
   ip address 192.168.16.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly in
  interface Dialer1
   ip address negotiated
   ip mtu 1492
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   ip tcp adjust-mss 1452
   dialer pool 1
   ppp authentication chap pap callin
   ppp chap hostname
   ppp chap password 0
   ppp pap sent-username
   crypto map kon-map
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat inside source list 100 interface Dialer1 overload
  ip route 0.0.0.0 0.0.0.0 Dialer1
  access-list 100 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
  access-list 100 permit ip 10.10.10.0 0.0.0.255 any
  access-list 100 permit ip 192.168.16.0 0.0.0.255 any
  access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
  banner motd ^C^C
  end
  when ping from cisco router
  konsuler#ping 10.0.0.27 source vlan1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.0.0.27, timeout is 2 seconds:
  Packet sent with a source address of 10.10.10.1
  Success rate is 0 percent (0/5)
  help please

  Thank you karsten
  I can ping interface of router from remote site but cant ping any device behind the router and can ping firewall interface but cant ping any device behind the firewall
  -counters in
  # sh crypto ipsec sa
  increased only while ping 10.0.0.1 or 10.10.10.1 from both sides
  r#show crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection     
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: Dialer1
  Uptime: 00:03:12
  Session status: UP-ACTIVE     
  Peer: 4.x.x.x port 500 fvrf: (none) ivrf: (none)
        Phase1_id: 4.x.x.x
        Desc: (none)
    IKEv1 SA: local 6.x.x.x/500 remote 4.x.x.x/500 Active
            Capabilities:(none) connid:2001 lifetime:22:39:59
    IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.0.0.0/255.255.255.0
          Active SAs: 2, origin: crypto map
          Inbound:  #pkts dec'ed 9 drop 0 life (KB/Sec) 4605776/3407
          Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4605775/3407

• RA VPN into ASA5505 behind C871 Router with one public IP address

  Hello,
  I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
  PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
  The  public IP address is assigned to the outside interface of the C871. The  C871 forwards incoming traffic UDP 500, 4500, and esp to the outside  interface of the ASA that has a private IP address. The PC1 can  establish a secure tunnel to the ASA. However, it is not able to ping or  access PC2. PC2 is also not able to ping PC1. The PC1 encrypts packets  to PC2 but the ASA does not to PC1. Maybe a NAT problem? I understand  removing C871 and just use ASA makes VPN much simpler and easier, but I  like to understand why it is not working with the current setup and  learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!C871:
  version 15.0
  no service pad
  service timestamps debug datetime msec localtime
  service timestamps log datetime msec localtime
  service password-encryption
  hostname router
  boot-start-marker
  boot-end-marker
  enable password 7 xxxx
  aaa new-model
  aaa session-id common
  clock timezone UTC -8
  clock summer-time PDT recurring
  dot11 syslog
  ip source-route
  ip dhcp excluded-address 192.168.2.1
  ip dhcp excluded-address 192.168.2.2
  ip dhcp pool dhcp-vlan2
     network 192.168.2.0 255.255.255.0
     default-router 192.168.2.1
  ip cef
  ip domain name xxxx.local
  no ipv6 cef
  multilink bundle-name authenticated
  password encryption aes
  username xxxx password 7 xxxx
  ip ssh version 2
  interface FastEthernet0
  switchport mode trunk
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface FastEthernet4
  description WAN Interface
  ip address 1.1.1.2 255.255.255.252
  ip access-group wna-in in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  no cdp enable
  interface Vlan1
  no ip address
  interface Vlan2
  description LAN-192.168.2
  ip address 192.168.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  interface Vlan10
  description router-asa
  ip address 10.10.10.1 255.255.255.252
  ip nat inside
  ip virtual-reassembly
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat inside source list nat-pat interface FastEthernet4 overload
  ip nat inside source static 10.10.10.1 interface FastEthernet4
  ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
  ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
  ip nat inside source static esp 10.10.10.2 interface FastEthernet4
  ip route 0.0.0.0 0.0.0.0 1.1.1.1
  ip route 10.10.10.0 255.255.255.252 10.10.10.2
  ip route 192.168.2.0 255.255.255.0 10.10.10.2
  ip access-list standard ssh
  permit 0.0.0.0 255.255.255.0 log
  permit any log
  ip access-list extended nat-pat
  deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
  permit ip 192.168.2.0 0.0.0.255 any
  ip access-list extended wan-in
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.255.0.0 0.0.255.255 any
  deny   ip 255.0.0.0 0.255.255.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  deny   ip host 0.0.0.0 any
  deny   icmp any any fragments log
  permit tcp any any established
  permit icmp any any net-unreachable
  permit udp any any eq isakmp
  permit udp any any eq non500-isakmp
  permit esp any any
  permit icmp any any host-unreachable
  permit icmp any any port-unreachable
  permit icmp any any packet-too-big
  permit icmp any any administratively-prohibited
  permit icmp any any source-quench
  permit icmp any any ttl-exceeded
  permit icmp any any echo-reply
  deny   ip any any log
  control-plane
  line con 0
  exec-timeout 0 0
  logging synchronous
  no modem enable
  line aux 0
  line vty 0 4
  access-class ssh in
  exec-timeout 5 0
  logging synchronous
  transport input ssh
  scheduler max-task-time 5000
  end
  ASA:
  ASA Version 9.1(2)
  hostname asa
  domain-name xxxx.local
  enable password xxxx encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd xxxx encrypted
  names
  ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
  interface Ethernet0/0
  switchport trunk allowed vlan 2,10
  switchport mode trunk
  interface Ethernet0/1
  switchport access vlan 2
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  shutdown
  interface Vlan1
  no nameif
  no security-level
  no ip address
  interface Vlan2
  nameif inside
  security-level 100
  ip address 192.168.2.2 255.255.255.0
  interface Vlan10
  nameif outside
  security-level 0
  ip address 10.10.10.2 255.255.255.252
  ftp mode passive
  clock timezone UTC -8
  clock summer-time PDT recurring
  dns server-group DefaultDNS
  domain-name xxxx.local
  object network vlan2-mapped
  subnet 192.168.2.0 255.255.255.0
  object network vlan2-real
  subnet 192.168.2.0 255.255.255.0
  object network vpn-192.168.100.0
  subnet 192.168.100.0 255.255.255.224
  object network lan-192.168.2.0
  subnet 192.168.2.0 255.255.255.0
  access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
  object network vlan2-real
  nat (inside,outside) static vlan2-mapped
  route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 10.10.10.1 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev1 enable outside
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.2.0 255.255.255.0 inside
  ssh 10.10.10.1 255.255.255.255 outside
  ssh timeout 20
  ssh version 2
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  anyconnect-essentials
  group-policy vpn internal
  group-policy vpn attributes
  dns-server value 8.8.8.8 8.8.4.4
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn-split
  default-domain value xxxx.local
  username xxxx password xxxx encrypted privilege 15
  tunnel-group vpn type remote-access
  tunnel-group vpn general-attributes
  address-pool vpn-pool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  ikev1 pre-shared-key xxxx
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
  : end

  Hi,
  I think, that you want control all outbound traffic from the LAN to the outside by ASA.
  I suggest some modifications as shown below.
  C871:
  interface Vlan2
  description LAN-192.168.2
  ip address 192.168.2.2 255.255.255.0
  no ip nat inside
  no ip proxy-arp
  ip virtual-reassembly
  ip access-list extended nat-pat
  no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
  no permit ip 192.168.2.0 0.0.0.255 any
  deny ip 192.168.2.0 0.0.0.255 any
  permit ip 10.10.10.0 0.0.0.255 any
  ASA 5505:
  interface Vlan2
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  Try them out and response.
  Best regards,
  MB

• Controlling multiple Macs remotely behind a router with ARD

  Greetings! My problem is that I cannot access more that one computer in ARD. I have ARD installed on my Macbook and the computers I want to control are at my parents house. Remote management and login are enabled of course but the router needs to be configured to forward ports 3283 and 5900. But as far as I know these ports can be forwarded for one local ip only meaning that I have to somehow change the default 3283 and 5900 to some other ports in order to access them.
  So the question is, how can I change the default ports for remote management on os x snow leopard? Other than that, does ARD offer any other way to access multiple computers behind a router?
  Many many thanks!

  In regards VPN, take a look at VPN-X from Birdssoft which is an easy to install and low-cost solution perfect for this purpose (among others).
  Basically speaking, after having installed and configured VPN-X on your Mac and ONE remote Mac and opened the ports in the firewall you establish a connection between your and the remote network and gain complete access to the remote network.
  Alternatively, you can use Teamviewer for giving support.

• Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

  Hi,
  I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
  I have 3 web servers behind a router.
  Public interface: 3 public ip adresses
  Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
  I would to know the best way to redirect http traffic to the right server.
  My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration.  I could also redirect via Policy-map and filter by url content.
  So if you have some advise for this case, it would be really appreciated.
  Thank you.
  Chris.

  Hello Christophe,
  As I understand you want 1st that ; 
  if somebody go to A.local.com from internet then he will redirect to 192.168.1.10 in your internal network. 
  That means, you need static mapping between your public @ip address and your local ip address. 
  for this example, your local interface is Fa0/0.1 and I dont your public interface because it is not mention in your diagram. I will suppose S0/0 for public interface. 
  that is the config for the Web Server1. You can do the same with the remaining servers:
  interface fa0/0.1 
  ip nat inside
  interface serial0/0
   ip nat outside
  ip nat inside source static 192.168.1.10 172.1.2.3 
  static mapping from local to public. 
  I suppose you have done the dns mapping in your network and the ISP have done the same in his network. 
  ip route 171.1.2.3 interface serial0/0 
  or 
  ip route 0.0.0.0 0.0.0.0 interface serial0/0. 
  After these step for each web server, you will get the mapping. 
  Now you can restrict access to this ip only to http or https protocol on your isp and after on your local network 
  like
  ip access-list extended ACL_WebServer1
  permit ip any 192.168.1.10 eq www
  deny ip any 192.168.1.10
  exit
  interface fa0/0.1
   ip acess-group ACL_WebServer1 in
  no shut
  exit
  That is the first step. 
  Second step : you want to filter traffic by url, that means layer 5 to 7 filtering. 
  I am not sure that it is possible using cisco router with (ZBF + Regex).
  Check the first step and let us know ! 
  Please rate and mark as correct if it is the case. 
  Regards,

• Help needed - tunnel from behind ADSL router

  I have a situation in which I require to set-up IPSec tunnel in between two 1841 routers. This is normally two minutes job, in this case however one of the routers sits on a private LAN behind ADSL router (at the moment there is no reasonable way to get around it).
  Thus:
  1841-1 <-> WAN <-> ADSL Router <-> 1841-2
  1841-1
  FE0/1 Private LAN 172.16.1.1
  FE0/0 Public IP
  |
  WAN
  |
  ADSL Router
  Public IP
  NAT
  Private LAN1 192.168.0.1
  |
  1841-2
  FE0/0 LAN1 IP 192.168.0.1
  FE0/1 LAN2 IP 172.16.0.1
  172.16.1.0-172.16.0.0 require to communicate over the IPSec tunnel.
  Could you please advice me on 1) what is the most practical way to set this up with out loosing sanity; and 2) Could you maybe point me to some documentation that deals with this specific scenario?
  Thanks.

  '1841-2' does not have public IP (it "fakes" to have one).
  IPsec tunnel is fully working now.
  In the process though I have learned that it depends on what ADSL modem you are using to get this working.
  Check out http://kb.juniper.net/KB4715 for example (this is the one I got working).
  You can thus give your Cisco router a private IP behind ADSL router and then follow the steps from the knowledge base article above on ADSL modem (if you have same type available).
  In addition then, on your Cisco router - you require to add loopback 0 interface and give it public IP of your ADSL router (yes - your adsl router WAN interface and loopback interface on your Cisco router have now the same public IP).
  As the last step, on your Cisco router, change tunnel interface: source interface loopback 0 and destination your remote gateway.
  I am going to try different modems, many models can actually do this, but the documentation is often unimpressive.
  It is possible that there are better ways to do this, if so, please let me know.
  If you wish to have more details about the set-up, let me know.
  Thanks.

• Seeing Airtunes from Behind a Router

  My setup is on a college network, so when my Airport Express is plugged into the switch on the wall, the people in my dorm can access my remote speakers if they are plugged into the switches on their walls. This is a good thing.
  However, my roommate has a wireless router. When he's behind that router he can't see my remote speakers. I assumed this was a port problem, so I looked up what ports Airtunes uses and came up with with port 3689 and port 5353 UDP. I forwarded both 3689 and 5353. I'm not sure if port 3689 is in UDP, but I forwarded both ports in UDP on my roommate's router. However, he still does not see my remote speakers in iTunes.
  Any suggestions? Am I not forwarding the right ports?

  UncleJemima, Welcome to the discussion area!
  Sorry but Airtunes doesn't cross subnets. A router creates a subnet.
  You might be able to make it work if your roommate disables the DHCP server in the router.

• PXE bbot and imaging behind a Router

  Hi all,
  I'm trying to use PXE and imagining behind a router.
  So far I have configured the folowing:
  DHCPserver 192.168.1.2
  PXE/Imaging server 192.168.1.12
  At the remote location I've configured the Cisco router as following:
  interface Vlan10
  description WAN Interface
  ip address 10.0.0.2 255.255.255.0
  interface Vlan11
  description LAN Interface
  ip address 192.168.80.1 255.255.255.0
  ip helper-address 192.168.1.2
  ip helper-address 192.168.1.12
  ip forward-protocol udp bootpc
  ip forward-protocol udp bootps
  At the DHCP server I set the following options:
  3 - Gateway > 192.168.80.1
  6 - DNS > 192.168.1.5
  78 - DA > 192.168.1.31
  79 - SCOPE > SCOPE
  An imaged workstation works fine, but when I try to use PXE it gives
  the following error:
  Client MAC <mac adres of ws>
  ClientIP: 192.168.80.100 MASK: 255.255.255.0
  DHCPIP: 192.168.1.2 ProxyIP: 192.168.1.12
  GatewayIP: 192.168.80.1
  PXE-E78: Could not locate boot server
  PXE-M0F Exiting
  Do I have to set DHCP options:
  66 = Boot Server Host Name
  67 = BootFile Name
  If yes, what setting should I use?
  Thanx,
  Martin Haaksema

  Martin Haaksema wrote:
  > Hi all,
  >
  > I'm trying to use PXE and imagining behind a router.
  > So far I have configured the folowing:
  >
  > DHCPserver 192.168.1.2
  > PXE/Imaging server 192.168.1.12
  >
  > At the remote location I've configured the Cisco router as following:
  > ----/----
  > interface Vlan10
  > description WAN Interface
  > ip address 10.0.0.2 255.255.255.0
  > !
  > interface Vlan11
  > description LAN Interface
  > ip address 192.168.80.1 255.255.255.0
  > ip helper-address 192.168.1.2
  > ip helper-address 192.168.1.12
  >
  > ip forward-protocol udp bootpc
  > ip forward-protocol udp bootps
  > ----/----
  >
  > At the DHCP server I set the following options:
  > 3 - Gateway > 192.168.80.1
  > 6 - DNS > 192.168.1.5
  > 78 - DA > 192.168.1.31
  > 79 - SCOPE > SCOPE
  >
  > An imaged workstation works fine, but when I try to use PXE it gives
  > the following error:
  > ----/----
  > Client MAC <mac adres of ws>
  > ClientIP: 192.168.80.100 MASK: 255.255.255.0
  > DHCPIP: 192.168.1.2 ProxyIP: 192.168.1.12
  > GatewayIP: 192.168.80.1
  >
  >
  > PXE-E78: Could not locate boot server
  >
  > PXE-M0F Exiting
  > ----/----
  >
  > Do I have to set DHCP options:
  > 66 = Boot Server Host Name
  > 67 = BootFile Name
  >
  > If yes, what setting should I use?
  >
  >
  > Thanx,
  >
  > Martin Haaksema
  I fixed the problem, I enabled "Spanningtree portfast" on the connected
  FE port.
  Martin Haaksema

• Windows Sharing behind a router

  I often want to send single files to my brother in another city, and I figured that Windows Sharing should let me do this.
  However, when I turn on Windows Sharing, it says "Windows users can access your computer at \\192.168.0.103\Name" which is the IP Address behind my router...
  How do I get around this?
  Matthew

  Since you are only sending 'single files,' if the files are under 2mb, and you are both on DSL or cable, e-mail them.

• RV180 behind DSL-ROUTER can't connect with QuickVPN

  Hello,
  I want to ask if is possible to configure the RV180 behind my DSL Router to connect using QuickVPN. First I tried to connect to the PPTP server and worked fine, but when I tried to connect using QickVPN, seems to connect but when the client says "verifying network" after a while appears the message "network not responding..."
  In my DSL-Router forwared this ports: UDP: 500,4500,443,60443 - TCP: 443,60443 (i don't know if tcp ports are needed but I opened for testing) and allowed protocol ESP (comes with the rule to allow IPSEC-L2TP)
  Thanks!

  Hello Siva,
  From where I have to test reachabilty? From the computer where I have installed the QuickVPN client I can reach de WAN interface of the DSL-Router, which is doing NAT and forwarding the ports I said to the WAN interface of my RV180. The network betwwen DSL and RV180 is using private ips.
  The schema is:
  Internet ---- (public ip) dsl router (192.168.1.1) ---- (192.168.1.50)RV180(10.0.0.1) ----- my network 10.0.0.0/24
  In the document you posted is explained:
  "Your Cisco router must have a direct public IP address for QuickVPN to work, please check under the status tab and your internet connection type and make sure it has a public IP address and it is not behind another router. This issue is more common with DSL connections; if you are behind another router/modem you should request your ISP to turn it into bridge mode so our router can be the border router between your LAN and your ISP."
  It's my configuration. I will look how to turn my DSL router into a bridge. Thanks.

• Client connection to a Server behind a router

  Hello everyone,
  I'm building a client / server application where the server will be my machine that is in residential gateway behind a router. the client will be out of the U.S. completely. On the client side the connection method (connectTo(InetAddress ip)) must know the server IP address in order to connect to it. I've tried configuring port-forwarding on my router to have it forward any connection under port 5555 to my local IP and passing my public IP on the client side to that connection method. Disappointingly, that didn't work. Here is my Code for the server:
  import java.io.*;
  import java.net.*;
  * Server class, to accept concurrent client
  * requests,through accepting socket connection
  * and establishing a new thread to provide the
  * desired service
  * @author True
  * @see source.ServiceProvider
  public class Server {
       * Creates a new instance of source.Server
      public Server(){
          try{
              ServerSocket ss = new ServerSocket(5555);
              while(true){
                  Socket sock = ss.accept();
                  ServiceProvider sp = new ServiceProvider(sock);
                   sp.start();
          catch(IOException x ){
              // handles exception here
       * Main method creates a new instance of Server
       * @param args String [] of parameters at the excusion time
      public static void main(String args[]){
          new Server();
  }And here is my code for the client:
  // irrelevant code here...
  private void connectTo(InetAddress ip){
           try{
               Socket sock = new Socket(ip, 5555 );
  //           Building Streams
               OutputStream os = sock.getOutputStream();
               ObjectOutputStream oos = new ObjectOutputStream(os);
               InputStream is = sock.getInputStream();
               ObjectInputStream ois = new ObjectInputStream(is);
               // more irrelevant code here...
           catch(IOException x){
               // handle exception here
           catch(ClassNotFoundException x){
               // handle exception here
  }Any ideas or comments are welcome and highly appreciated.

  true_lover wrote:
  All configuration seem fine. port forwarding is straight forward on the router page. I checked all numbers & values and all seemed fine.Well obviously it's not. Otherwise you wouldn't be getting a connection refused.
  The only other item worth checking is if your ISP is blocking the port. Which may well be happening.
  The other poster was correct, once you have the exception figured out (aka what it is) and it's connection refused this is not actually a Java related problem any more and you should take that question to a general networking forum.
  Edited by: cotton.m on 27-Nov-2008 7:46 PM

• QuickVPN - RV110W behind DSL Router

  Hi all,
  I have a Cisco RV110W behind an Actiontek V1000H DSL router supplied by my ISP.
  I'd like to be able to make use of the Cisco QuickVPN client. According to my ISP placing the Actiontek into bridge mode cannot be done.
  On the Actiontek I have forwarded the following ports to my RV110W's address:
  60443/tcp
  4500/udp
  500/udp
  On the RV110W I have ensured that remote management is enabled (on port 60443).
  When attempting to connect with the client (using port 60443) - I get this far:
  2012/01/30 11:16:21 [STATUS]OS Version: Windows 7
  2012/01/30 11:16:21 [STATUS]Windows Firewall Domain Profile Settings: ON
  2012/01/30 11:16:21 [STATUS]Windows Firewall Private Profile Settings: ON
  2012/01/30 11:16:21 [STATUS]Windows Firewall Private Profile Settings: ON
  2012/01/30 11:16:21 [STATUS]One network interface detected with IP address 192.168.245.164
  2012/01/30 11:16:21 [STATUS]Connecting...
  2012/01/30 11:16:22 [DEBUG]Input VPN Server Address = xx.xx.xx.xx
  2012/01/30 11:16:22 [STATUS]Connecting to remote gateway with IP address: xx.xx.xx.xx
  2012/01/30 11:16:22 [WARNING]Server's certificate doesn't exist on your local computer.
  2012/01/30 11:16:23 [WARNING]Remote gateway wasn't reached...
  2012/01/30 11:16:23 [WARNING]Failed to connect.
  2012/01/30 11:16:23 [WARNING]Failed to connect!
  Any suggestions? Is this configuration even possible?
  Thanks!

  Hi, Rudi & Craig
  I just tested another diffrent way, which way as Craig's book did, I set
  Master's IP is DSL Router inside IP which same as "PUBLIC" Network Card's
  IP address (10.0.0.101) when setting the MASTER's configuration in
  iManager, it still working fine. Then it will be the best way if the ISP
  change my static Public IP.
  BTW, Craig, when you have chance, can you memtion this on your web site or
  in your book (when you have new version book), BM38SP5 got a bug, the
  vpn.jar cannot set Non-BM VPN Slave (I used Linksys router for Slave
  server), I called Novell support engineer, he said Novell knew this error,
  I have to use the vpn.jar which in BM38SP4_IR5 to setup Non-BM VPN Salve.
  But there is another problem, the vpn.jar which in BM38SP4_IR5 cannot set
  MASTER VPN server. The only way to do the job is install BM38SP5, setup
  MASTER VPN server, setup C2S VPN, then copy the vpn.jar which in
  BM38SP4_IR5 in, to setup Non-BM VPN Salve. I hope you can understand my
  poor Engish.
  James
  > Rudolf Thilo wrote:
  > Hello James.
  >> In Craig's book, there is a sample
  >> for VPN Slave Server behind DSL router.
  >> But I don't know I can setup Master VPN
  >> server behind DSL router or not.
  > It works, starting with BM3.8. IIRC Craig has an example
  > in his book? You will need to specify the DSL router's
  > (static!!) public IP address as the MASTER's public IP
  > when setting um the MASTER's configuration.
  > Regards, Rudi.