Sharing behind Internet Sharing NAT

I have a product demonstration that will require the internet being shared from my cell to two devices via ethernet. One is hard-wired to the physical ethernet port. The other is a virtual machine configured to look like a separate device on the network (VMware Fusion 6, not that it matters). This is the only hardware I'm allowed to bring into the facility: phone, laptop, and the one physical ethernet device.
From a topology standpoint the network would look like this:
[Internet] -- [4G -- iPhone -- tethering wifi] -- [wifi -- MacBook Pro via Internet Sharing -- ethernet] -- <two devices, A and B>
I'm attempting to use the Internet Sharing-configured NAT on the ethernet port like a typical consumer router: 1 WAN port, 2 LAN ports.
At this point, enabling Internet Sharing allows both devices A and B to connect to the internet.  However, devices A and B cannot ping one another.
I've been digging into PF and 'pfctl' but I'm not seeing how to allow traffic between A and B. It's as if the virtual bridge set up by Internet Sharing is unable to act as a switch for the "local" side of the NAT.
Does anyone know how to enable this functionality of Internet Sharing to allow A and B to communicate on any port?  Or perhaps have a different solution?
Thanks for any help.
Thomas

Happy to hear alternative ideas to this one... This is a goofy fix:
In System Preferences, be sure you have disabled Internet Sharing before trying this. 
1) Navigate to the System Preferences -> Network and click the + to add a new interface.  Make it ethernet and give it some name. 
2) System Preferences -> Sharing -> Internet Sharing -> Enable whatever your internet-connected interface is to hook to "both" interfaces labeled Ethernet (despite different names, both showed as "Ethernet" for me). 
3) In VMware Fusion, choose to bridge your VM's network interface with this second, fake, Ethernet from #1.
4) Boot the VM.
What you should see is that the VM still gets assigned an IP address, but the configured NAT that provides the Internet Sharing ability now can see and route between two connected interfaces.  Otherwise it seems to think the single ethernet is exactly 1 device despite there being two MACs using it.
Cheers!

Similar Messages

  • Does Stratus/RTMFP support P2P behind the same NAT/Router?

    Does Stratus/RTMFP support peers behind the same NAT/Router?
    (such that both peers have the same public IP address)
    That is: if two computers (each running Flash) are behind the same NAT, and connect to Stratus to get peerID;
    do we expect they can connect p2p?
    Or will each one get/see just the public IP address:port of the other?
    My initial tests indicate that this scenario fails [ICMP Destination Unreachable (port unreachable)]
    Is this just a limitation of my local router? does this work for others?
    Does Stratus expect the local router to detect/decode/resolve this situation?
    If the solution requires 10.1 groups, is there support to detect/diagnose when/if the peer is on the same LAN?

    Thanks for the info, sounds like RTMFP supports this, and hopefully the AFP code does the right thing.
    [so, officially, the original question is answered]
    Note: In one instance, i'm running two browsers on the same host,
    so even the inner/LAN addresses would be the same. Therefore, if A sends to B's inner/LAN address,
    the [Windows] OS network layer *should* recognize that and 'hairpin' without leaving the host, or crossing the firewall.
    (I say "should" because Unix generally does that, but I'll have to check to see about Windoze).
    [And such packets are probably invisible to Wireshark also, so how do i verify what's happening?
    oh sure, just reconfigure to boot Linux... ]
    So glad you explained that the client tries all three pathways; if it works as you say,
    then I can probably ignore the ICMP error from the local router (or, as you say, teach it to do the hairpin).
    Can you confirm that P2P will work between browsers (say Chrome to Firefox) on a single Windows host?
    [I really want to know if I'm failing because of network configuration or application code/error;
    at this point, I am able to correctly exchange the peerIds, and start the NetStream.play,
    but the two sides do not appear to be exchanging audio/video]

  • Windows Virtual PC running Windows 7 Pro on Windows 7 Pro with Network Sharing (NAT)

    I have been trying to get a new install of Windows 7 in Windows Virtual PC 6.1 to use the Shared Networking with the Windows 7 host.
    It works with Windows XP as the guest. I tried changing the DNS to 192.168.131.254 and 252. It works through a dedicated NIC but I need NAT because I have to use the IP of the host (this is in a computer lab where students play with their own Windows 7 vhd).
    Any help would be appreciated.
    Randy

    Try http://social.technet.microsoft.com/Forums/en-US/w7itprovirt/threads

  • RV180 no internet in NAT if DHCP off

    Hello,
    I have an RV180 running behind a DSL-Router, connected to the WAN-Port. I have "internet" in my NAT if I have activated the DHCP. I want to use fixed IPs, so I have turned off the DHCP, then I have no constant connection to the internet.
    Any idea?
    br

    at the RV180.
    The RV180 gets an IP from the DSL-Router, that is working.
    If the Local Net is working with DHCP, everything is fine, but if I use static IPs, it is working but only for 5 mins.

  • Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

    Hi,
    I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
    I have 3 web servers behind a router.
    Public interface: 3 public IP addresses
    Private interface: router on a stick config (3 sub-interfaces, 3 different networks, 3 VLAN)
    I would like to know the best way to redirect http traffic to the right server.
    My idea is to map a public address to a private address, via NAT, but I'm not sure about the configuration. I could also redirect via Policy-map and filter by url content.
    So if you have some advice for this case, it would be really appreciated.
    Thank you.
    Chris.

    Hello Christophe,
    As I understand it, you first want this:
    if somebody goes to A.local.com from the internet then he will be redirected to 192.168.1.10 in your internal network.
    That means you need static mapping between your public IP address and your local IP address.
    For this example, your local interface is Fa0/0.1 and I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
    That is the config for Web Server1. You can do the same with the remaining servers:
    interface fa0/0.1 
    ip nat inside
    interface serial0/0
     ip nat outside
    ip nat inside source static 192.168.1.10 172.1.2.3 
    static mapping from local to public. 
    I suppose you have done the dns mapping in your network and the ISP have done the same in his network. 
    ip route 171.1.2.3 interface serial0/0 
    or 
    ip route 0.0.0.0 0.0.0.0 interface serial0/0. 
    After these steps for each web server, you will get the mapping.
    Now you can restrict access to this IP to only the http or https protocol on your ISP and after that on your local network
    like
    ip access-list extended ACL_WebServer1
    permit tcp any host 192.168.1.10 eq www
    deny ip any host 192.168.1.10
    exit
    interface fa0/0.1
     ip access-group ACL_WebServer1 in
    no shut
    exit
    That is the first step. 
    Second step : you want to filter traffic by url, that means layer 5 to 7 filtering. 
    I am not sure that it is possible using cisco router with (ZBF + Regex).
    Check the first step and let us know ! 
    Please rate and mark as correct if it is the case. 
    Regards,

  • IPsec on hosts behind load balancing NAT

    Hi,
    I have a problem configuring an IPsec tunnel between two sites, where one is using NAT for load balancing of TCP traffic. I've been working on this for hours but I found myself at a dead end.
    I have one router using NAT TCP load balancing of telnet traffic (in real deployment I need ftp load balancing, I am using telnet for testing purposes). This router is connected to another router, where multiple hosts are connected. I need to protect the traffic from those hosts to the server that is load balanced using NAT.
    So far I was not able to configure IPSec to work properly with this setup. I have a working configuration with IPSec encrypting some traffic not destined behind NAT, but once I add a line in the traffic specifying access lists on both sides the IPSec stops working (and it won't work from any site of the connection, from behind the NAT or destined behind the NAT). The access list on the router performing NAT is configured to allow any traffic destined to some specific addresses and the access list on the router with connected hosts specifies that any connection destined to the global address, where the servers are reachable, should be encrypted.
    On the side where the traffic comes from I always see a debug output like this:
    *Mar  1 05:23:54.294: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 10.0.10.2, remote= 10.0.10.1,
        local_proxy= 10.0.2.1/255.255.255.255/6/0 (type=1),
        remote_proxy= 195.10.0.1/255.255.255.255/6/23 (type=1),
        protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0xA42ED8F1(2754533617), conn_id= 0, keysize= 0, flags= 0x400A
    195.10.0.1 is my global address for the FTP server
    On the side where the encryption should be terminated I always see an output like this:
    *Mar  1 05:23:54.130: map_db_find_best did not find matching map
    *Mar  1 05:23:54.130: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.10.1
    But i can see that there is a crypto map for address 10.0.10.1
    RA#sh cryp map
    Crypto Map: "TCP_ENCRYPTION" idb: Serial0/0 local address: 10.0.10.1
    I tried to use some of the NAT traversal techniques for IPSec but without any success.
    If you have any idea what could be the problem or if you need any additional information or debugging output i will be glad for any help.
    Thanks, Adrian

    This is a lab scenario and I want to test for my learning how IPSec would work in such a case.
    I have tried it but IPSec doesn't work with standard configuration. Below is the configuration.
    I have configured 2 loopback. on R1: 100.1.1.1
    on R2: 200.1.1.1
    R1:
    crypto isakmp policy 10
     auth pre
     enc des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
    crypto map test 10 ipsec-isakmp
     mat address 101
     set peer 10.1.1.1
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.0.2
    R2:
    crypto isakmp policy 10
     auth pre
     enc des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
    crypto map test 10 ipsec-isakmp
     mat address 101
     set peer 10.1.3.1 (it will be 10.1.3.1-natted ip right ?)
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.1.2
    Now when i ping from R1:
    ping 200.1.1.1 source 100.1.1.1
    it's not successful. Why doesn't it work, any idea?

  • Mac OSX server not supported behind Airport Extreme NAT router?!!

    For a customer, I recently installed a new XServe, within a local network with an Airport Extreme (n) with FW 7.4.2. Mac OSX Server manages the router (which has a fixed IP from the ISP). Because the Mac OSX Server runs a DNS server (supporting a local domain), OSX Server reconfigured the Airport Extreme, so that it would forward DNS queries to the server. The server's dns server will forward queries for non-local domains to the ISP's dns servers.
    All clients get their IP configuration using DHCP from the router. You can't use the DHCP service of the server, as you can't disable DHCP on the router (in NAT mode).
    All clients get the router's IP as the dns server.
    HOWEVER:
    The Airport Extreme can't connect to the internal DNS server! *It doesn't seem to be able to route dns requests to the internal network* (verified using nslookup). Any dns queries sent to the router will time out.
    Come on, Airport Extreme team.. you can't claim the Airport Extreme to be the ideal router in combination with an OSX server, if this simple and very common setup is not supported! How hard can it be to either:
    ...*Allow us to disable DHCP on the router* (even when in NAT mode), so we can use the OSX server for this (which will dispatch the correct DNS settings)
    ...*Allow the router to route DNS queries to the local DNS* (OSX) server (which should be working anyway)

    blackbit, Welcome to the discussion area!
    It doesn't seem to be able to route dns requests to the internal network (verified using nslookup).
    That is true.
    This is a user to user discussion area so Apple will not see your suggestions here. Instead go to www.apple.com/feedback/airportextreme.html and send them to Apple.

  • WAE behind router doing NAT

    Hi,
    Are there any known issues with a WAE sitting behind a router that's static NATing addresses? For example, I know connections are being optimized because I can see them using the "sh tfo conn summ" command. These connections do not show up under the Connections Statistics tab in the CM though.
    Thanks,
    Mike

    Thanks Zach,
    I see the 4050 connections to my other WAEs and I see the SSL connection from the CM to the WAE. There is an FTP transfer going through that I can see in the CLI but not in the CM.
    There is not much going through it currently so in the CLI I see all the 4050 connections, the SSL connection and the FTP transfer. The only one that's not in the CM is the FTP transfer.
    Mike

  • File Sharing in virtualbox using NAT

    I have Win2K installed as a guest machine in virtualbox. I have no problems accessing the Internet using NAT with the NIC set to DHCP.
    Will I be able to access the Arch host (and vice-versa) using NAT networking or will I have to set up bridge-networking? I know there is a wiki on virtualbox, but it didn't seem to cover this other than giving more detailed instructions on bridge-networking. At this point I only want to know if file sharing is possible using NAT before spending too much time on it. If it's not possible I may go back to VMware-server which seemed to get broken after the last kernel upgrade.
    Thanks

    Although you have allowed open access to all users to save files in that directory, it's a pointless exercise as you have no system in place to allow one user to overwrite another user's files. There's more to multiuser file access than simply making a place where you can all save files. Files created by each user have a unique user ID attached, and without a Group system in place for your users, OSX will (correctly) deny overwrites. You're going to need to learn about the unix filesystem and the chgrp function, and establish your users as being members of a Group before they can all overwrite each other's files. It's much too large a topic to get into here, but a spot of research will sort you out. A word of caution though - filelocking is not a trivial subject and you probably want to consider other options - what happens if someone screws up a project and overwrites it 'behind the back' of another user?

  • PIX Users Cannot Access Other Websites & Email Servers on Same-Shared T1 Co

    We are sharing a T1 connection with another business in our building. They have their own separate network environment from mine. I have a Windows 2003 Small Business Server behind a PIX-501 and the users in my network connect to the Internet via Windows Server's DHCP and Internet sharing (NAT) services.
    All Internet and email traffic is accessible except for those hosted by the other company who we're sharing a connection with. My users cannot access that company's web server or send email to their email server (we all get 4.4.7 SMTP errors, days later after sending the message).
    They have no firewall on their end, which is why I think there may be something wrong with my PIX configuration (see attached config file). I'm sort of a newbie with the PIX CLI, so any help I can get could be great. Thanks in advance!

    The problem is not with PIX. This is a common problem when sharing a T1 link as it creates a routing problem since routing cannot be done based on shared T1 channels. Your PIX config is fine and has nothing to do with this issue.

  • No video or screen sharing on iChat 4 between identical MBP's and OS

    Hi, like many others, i'm experiencing problems with audio/video calls and screen sharing on iChat 4.
    It's really important since my dad lives abroad and is 80 years old, so i need to help him out by taking over control of his MacBookPro when he needs me to.
    Here's our setup when it DID work:
    We were both in my house, on my network, through my Airport Extreme. We're both running 2009 MacBook Pros with OSX 10.5.8 on it, and were signed in to iChat through our google account (jabber).
    Then he returned back to his home (I'm in Holland, he's in Austria), and since then we can only do text chats on iChat. Whenever we invite each other for video chat or screen sharing, we get the same error message about a communication error, or telling us the other one 'didn't reply' or something like that. I'll copy-paste the exact message + error details the next time we try.
    We tried to solve it by changing services, meaning i signed in through my @mac.com account and he signing in through his AIM account, but with no luck. Also AIM to AIM didn't help.
    I'm still on my Airport Extreme, connected to a DSL modem which is branded by my provider, so no idea what it is.
    He is on a Speedtouch ST585 wireless DSL router, which he also got from his provider.
    Any settings we should check/change? i've read all sorts of stuff about port forwarding, SIP/NAT compatibility and UPNP but that all works rather confusing than clarifying..
    Any suggestions would be highly appreciated.
    Thanks,
    Lexxy

    HI,
    Thomson-Alcatel, to give them their Full name, make the Speedtouch Series of Modems
    As a Brand they will work with each other no matter if they are a Cable (non routing) modem or a Speedtouch DSL Modem.
    So, 2 to 3 (or 3 to 2) will work as they are Alcatels
    The computer 1 and computer 2 situation (with said modems) has about a 1 in 5 chance of working based on my personal knowledge of Version 4.3.5 firmware and much less with later firmware from threads on this board.
    The Airport Express does or can do something called Port Mapping Protocol.
    It is turned On in the Airport Admin Utility > Internet pane > NAT tab
    In some circumstances this can be an issue. (It opens ports like UPnP does but in a different way) - IF - the Express is not in Bridge (Off) Mode.
    If the DSL modem you have routes then the Express should be set to Bridge (Off) Mode so that there is only one DHCP server on your LAN (unless you set the devices to do Static routing)
    You could try it without the Express, but I am sure you will get the same results.
    Can your Dad reach any of the names in Table 1 http://www.ralphjohns.co.uk/ContactTesters.html ?
    (He adds them to his Buddy list and tries Video chats (they Auto Answer) )
    There maybe a conflict between the two lots of NAT at your end if the modem and Express are doing DHCP (Share An IP) and your Dad's Alcatel.
    It may still be there if it is your modem only and his.
    My Personal experience with an Thomson-Alcatel Speedtouch Modem, answering on these boards and doing regular testing with people and work Bosie on this forum which Defcom and I have been involved with - tells me it is the Speedtouch that is the problem.
    8:02 PM Saturday; November 14, 2009
    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

  • Shared Devices Don't Drop After Disconnect

    I fixed a double NAT issue by sacrificing my WNDR3700 router and turning it into nothing but an Access Point behind my Westell 9100em FiOS MOCA modem (LAN to LAN).
    The problem is that now, *shared devices are hanging on to the network after they disconnect.* For instance after a reboot, my iMac renamed itself to 'iMac (2).' If I bootcamp into Windows7 and then boot back to OS X, the Windows 7 drive continues to appear as a shared device.... My gripe is about it changing my iMac name - not nice. My network includes ipods, iphones, Macs, PS3, PC, Sony BR player and DNS-323 NAS.
    It is important to have a gigabit LAN/dual radio WIFI and 'back to my mac' functionality. The 9100em modem/router doesn't support gigabit ethernet or N wireless and 'back to my mac' will not work behind a double NAT. Figuring out how to bridge the 9100em has been exhausting and fruitless....
    Does anyone have any insight? Terminal command to force confirmation of shared devices perhaps?
    Thanks

    Interestingly, last night I watched a podcast through to the end. Then I went to watch it again and the Apple TV asked if I wanted to resume, after I selected resume, the final fraction of a second played and it was done. I tried that a couple times and each time the same thing happened. So, it seems that the Apple TV is just not registering that it has played the final blip of a podcast, at least with shared podcasts.

  • H.323 gateway behind NAT

    I configured an H.323 gateway (gateway is connected to PSTN through FXO) behind an internet NAT router and try to call that gateway from a softphone through the internet. The dialed PSTN number is ringing but there is no voice in either direction. Please refer to the attached configuration. Is this a problem with NAT translation?
    Thanks in advance!

    Yes, you need a version of IOS that has NAT ALG. What IOS are you running?
    NAT with ALG can translate the embedded addresses in H225/H245.
    Cisco IOS NAT Application Layer Gateways
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801af2b9.shtml
    http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a00807819ce.html
    Please rate helpful posts.
    Dave

  • RV180 - DDNS behind 2nd NAT router

    Hello community,
    is it possible to use the DDNS feature (dyndns.com) behind a 2nd NAT router?
    Network is as follows:
    INTERNET - NAT-Router (unknown device) - Cisco RV-180 (NAT) - Clients
    Kind Regard,
    Michael

    If you put your dyndns client in front of the RV180 or on the NAT router's DMZ, you should get the correct IP address. I usually use the DMZ port on a NAT router when putting a VPN router behind a NAT one--this solves a lot of the IP address issues for the VPN router.

  • PIX L2L VPN behind NAT device

    I need to know if it is possible to establish an L-2-L VPN if the termination device (PIX 7.x) is behind a router with NAT... All the traffic to the public IP is forwarded by the router to the PIX.
    the schema is like this:
    LAN -> FW -> Internet -> Router (NAT) -> FW (PIX) -> LAN
    (see the attached file)
    regards
    mariano

    Chris
    We are talking PIX/ASA here, aren't we? And we are talking about NATting your source IP addresses, right?
    If so, yes absolutely you can do this as I have done it many times in production environments.
    No you won't need statics. You do generally need a static to go from lower to higher but remember that is for the destination IP.
    You're not concerned with the destination IP addresses, you are only concerned with NATting the source IP addresses.
    Edit - just make sure on your NAT statement that it ends with "outside" as in the above example. This is how the PIX knows to NAT in that direction in effect.
    Jon
