VPN Server under Static NAT. Any advices?

Similar Messages

• How to set VPN server with static IP without DHCP on

  I set up a new Mac mini server with OS X 10.9.1 and Server App 3.0.1
  My ISP gave me a static bublic IP address.
  I have on:
  - web server
  - mail server
  - DNS server
  without using DHCP, but now i want to set up L2TP/IPSec VPN server and it requires that i give start IP address of the VPN server.
  Can i use VPN server w/out DHCP server on?
  If yes, how?
  If not, when i turn on the DHCP server, what i have to do with web, mail servers?

  To run a public VPN server, you need to do the following:
  1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
  2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
  3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
  If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
  Allow incoming IPSec authentication
  if it's not already checked, and save the change.
  With a third-party router, there may be a similar setting.
  4. Configure any firewall in use to pass this traffic.

• Static Policy NAT in VPN conflicts with Static NAT

  I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
  The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
  interface Vlan1
  ip address 192.168.10.1 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
  access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
  static (inside,outside) 192.168.24.0 access-list VPN
  crypto map outside_map 1 match address outside_1_cryptomap
  In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
  static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
  The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
  So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
  What am I missing?

  Hi,
  To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
  So I am not sure are we looking at some bug or what the problem is.
  I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
  I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
  I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
  access-list STATICPAT-SMTP permit tcp host eq smtp any
  static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
  access-list STATICPAT-HTTPS permit tcp host eq https any
  static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
  access-list STATICPAT-RDP permit tcp host eq 3389 any
  static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
  access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
  static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
  access-list STATICPAT-POP3 permit tcp host eq pop3 any
  static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
  Naturally you would add the Static Policy NAT for the VPN first.
  Again I have to say that I am not 100% sure if this was is the correct format maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389). First entering the Static Policy NAT then removing the Static PAT and then entering the Static Policy PAT.
  Remember that you should be able to test the translations with the "packet-tracer" command
  For example
  packet-tracer input outside tcp 1.1.1.1 12345
  - Jouni

• VPN Problems - The L2TP-VPN server did not respond

  Okay, so I read quite a few threads about this and can't really figure it out. Would be great if I can get some handholding.
  I'm a complete newbie, trying to set up Server for home use. The VPN service seems to be running fine, but I just can't connect from the clients, it just keeps saying "The L2TP-VPN server did not respond". Here is a glimpse at my settings:
  - I have opened up all the relevant ports for UDP (500,1701,4500) and TCP (1723). But this is only required for the Server, right?
  - I don't have a domain name yet so just using my external IP. This is what I put in under VPN Host name in the Server and Client settings.
  - I login with username and password credentials for one of my network users as created in the Server. Format is [email protected] and the password is the same as the login password.
  ** I seem to get a 'authentication failed' error if I just use my local IP address... Not sure whats happening their, but before that I need to be able to connect to Server with the external IP!
  Am I missing something? Why won't my client connect and that too when I'm at home?

  To run a public VPN server behind an NAT gateway, you need to do the following:
  1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
  2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
  3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
  If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
  Allow incoming IPSec authentication
  if it's not already checked, and save the change.
  With a third-party router, there may be a similar setting.
  4. Configure any firewall in use to pass this traffic.
  5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0./0 with a 24-bit netmask.
  6. "Back to My Mac" on the server is incompatible with the VPN service.
  If the server is directly connected to the Internet, see this blog post.

• Static Nat and VPN conflict

  Hi
  I could not quite find any information that was close enough to my problem that would enable me to solve it so hence I am now reaching out to you guys.
  I have a Cisco ASA running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with and IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171 .
  I have a site to site VPN tunnel which terminates on the outside of the ASA on the outside interface XXX.XXX.XXX.190 .
  Traffic from the YYY.YYY.YYY.0/24 network can't transverse the site to site VPN as there is a conflict of IP address's on the far side so it is natted via a dynamic policy to host address ZZZ.ZZZ.ZZZ.100
  Users remote into the inside(YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site to site VPN. The problem is that the static NAT for the incomming connections takes preference and bypasses the site to site VPN tunnel for outbound traffic. I tried to create a policy Static nat but it tries to modify the static nat that handels the incomming traffic to the Linux server.
  I hope the above makes sense.

  Hi
  intersting VPN ACL
  object-group network DM_INLINE_NETWORK_18
       network-object YYY.YYY.YYY.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_22
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
  Static NAT
  static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
  No NAT
  object-group network DM_INLINE_NETWORK_20
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
  VPN CLient Pool
  No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
  I hope this helps
  Thanks

• Static-nat and vpn tunnel bound traffic from same private address?

  Hi guys,
  I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
  For this local host @192.168.0.250, I also have a static one-to-one private to public.
  static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
  As you can see, IPSec SA shows end-points in question and traffic is being decrypted but not encrypted host traffic never enter into the tunnel, why?
  How can I resolve this problem, without complicating the setup ?
  BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
  Phase: 1
  Type: CAPTURE
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype: 
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         outside-50
  Phase: 4
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.0.0     255.255.255.0   mgmt-192
  Phase: 5
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group mgmt_intf in interface mgmt-192
  access-list mgmt_intf extended permit icmp any any 
  access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
  Additional Information:
  Phase: 6
  Type: IP-OPTIONS
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: NAT-EXEMPT
  Subtype: 
  Result: ALLOW
  Config:
  nat-control
    match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
      NAT exempt
      translate_hits = 5, untranslate_hits = 0
  Additional Information:
  Phase: 9
  Type: NAT
  Subtype: 
  Result: ALLOW
  Config:
  static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255 
  nat-control
    match ip mgmt-192 host 192.168.0.250 outside-50 any
      static translation to 216.9.50.250
      translate_hits = 25508, untranslate_hits = 7689
  Additional Information:
  Phase: 10
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
  nat-control
    match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
      static translation to 192.168.0.0
      translate_hits = 28867754, untranslate_hits = 29774713
  Additional Information:
  Phase: 11
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 12
  Type: FLOW-CREATION
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 1623623685, packet dispatched to next module
  Result:
  input-interface: mgmt-192
  input-status: up
  input-line-status: up
  output-interface: outside-50
  output-status: up
  output-line-status: up
  Action: allow
  BurlingtonASA1# 
  Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
        access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3 
        local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
        remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
        current_peer: 216.9.62.4
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 37CA63F1
        current inbound spi : 461C843C
      inbound esp sas:
        spi: 0x461C843C (1176273980)
           transform: esp-aes-256 esp-sha-hmac no compression 
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 77398016, crypto-map: map1
           sa timing: remaining key lifetime (kB/sec): (3914997/25972)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap: 
            0x003FFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x37CA63F1 (936010737)
           transform: esp-aes-256 esp-sha-hmac no compression 
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 77398016, crypto-map: map1
           sa timing: remaining key lifetime (kB/sec): (3915000/25972)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap: 
            0x00000000 0x00000001

  Hi
  intersting VPN ACL
  object-group network DM_INLINE_NETWORK_18
       network-object YYY.YYY.YYY.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_22
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
  Static NAT
  static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
  No NAT
  object-group network DM_INLINE_NETWORK_20
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
  VPN CLient Pool
  No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
  I hope this helps
  Thanks

• Static NAT causes unable to access server via internal IP

  Hi all,
  Need some help. I running site-to-site IPsec VPN in Cisco 2811 IOS 12.4 both site. Here I encounter a problem to access server on  Site A from Site B
  Site A having Leased Line connected to router with Public IP. I have done static mapping 1 web server to Public IP (NAT). This to allow external users to access the server via Public IP. At the same time, users at Site B would need to access to same server via Internal IP since they have Site-to-Site VPN established. But once I done Static Mapping (NAT), user at Site B unable to access the server at Site A using its internal IP. But external user can access server via Public IP. What went wrong here. Do i need to add extra command to get this done? We really need this.

  Hi sheik,
  I'm accessing the server form Site B using its server's LAN IP.
  If I remove the static NAT statement from my router at Site A, everything works well. I can access the server from site B using its LAN IP via Site-to-Site VPN. But in this case, external users unable to access server via Public IP since no Static NAT statement.

• Static NAT - VPN - Internet Access

  Does anyone know how to configure the following?
  1.  An static NAT from an inside ip address to another inside ip address (not physical subnet).
  2.  The traffic static Natted at the step 1 need to go into a tunnel VPN and at the same time to have internet access.
  My router just have two interfaces a WAN and a LAN.
  I just created the VPN, the static NAT and the PAT for other users of the subnet to have internet access, but the traffic static Natted just goes over the ipsec tunnel but cannot have internet access.
  I tried to apply a route map after the static nat command but since i do not have a physical interface in the same subnet were i am translating the route-map is not applied to the static nat command.
  in an extract:
  LAN traffic (specific server) --->> static nat to inside not real subnet --->> traffic goes over Tunnel (OK), but no internet access.
  BTW.  I need to configure the nat before de ipsec tunnel because both lan subnets of the ipsec tunnel endpoint are the same.

  Why do you need an inside host to be natted to another inside IP address?
  You need to configure a "no nat" policy, for the internet traffic.

• DM-VPN with Static NAT for Spoke Router. Require Expert Help

  Dear All,
              This is my first time to write something .
                           i have configure DM-VPN, and it's working fine, now i want to configure static nat.
  some people will think why need static nat if it's working fine.
  let me tell you why i need. what is my plan.
  i have HUB with 3 spoke. some time i go out side of my office and not able to access my spoke computer by Terminal Services. because its by dynamic ip address.  so what i think i'll give one Static NAT on my HUB Router that if any one or Me Hit the Real/Public IP address of my HUB WAN Interface from any other Remote location so redirect this quiry to my Terminal Service computer which located in spoke network.
  will for that i try but fail. 
  will again the suggestion will come. why not to use .. Easy VPN. well sound great. but then i have to keep my notebook with me.
  i'll also do it but now i need that how to do Static NAT. like for normal Router i am doing which is not part of VPN.
  ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
  but this time  this command is not working, because the ip address which i mention it's related HUB Network not Spoke
  spose spoke Network: 192.168.2.0/24
  and i want on HUB Router:
  ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
  i am using Cisco -- 887 and 877 ADSL Router.
  but it's not working,   Need experts help. please write your comment's which are very important for me. waiting for your commant's
  fore more details please see the diagram.
  for Contact Me: [email protected]

  hi rvarelac  thank you for reply :
  i allready done that ,  i put a deny statements in nat access-list excluding the vpn traffic , but the problem still there !
  crypto isakmp policy 10
   encr aes
   authentication pre-share
  crypto isakmp key 12344321 address 1.1.1.1
  crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
   mode tunnel
  crypto map s2s 100 ipsec-isakmp
   set peer 1.1.1.1
   set transform-set Remote-Site
   match address vpnacl
  interface GigabitEthernet0/0
   crypto map s2s
  Extended IP access list lantointernet
  30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
  40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
  50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
  80 permit ip any any

• Turned "Sort by Album Artist" off on iPod Touch 5th Gen so individual artists on compilation albums will show up separately under "Artists" with no succuss.  This worked perfectly on my Ipod Touch 4th Gen.  Any Advice?

  I have a 5th Gen iPod Touch.  It is running the latest iOS, and iTunes has the latest update.  I have many compilation albums that I imported from CD.  I want the individual artists and their associated song(s) to show up under "Artists."  I have turned off "Sort by Album Artist" in Settings.  This worked perfectly on my 4th Gen Touch.  Each artist from a compilation would show up under "Artists" with the correct song(s) showing, while still showing the whole compilation under "Albums."  Now, on my 5th Gen Touch, when I try to look at an artist from a compilation under "Artists,"  I get one of the following:  the correct artist and song, an incorrect artist and song, or an incorrect artist with the entire compilation album showing up.  Is this a bug in the new iOS 7, or am I doing something wrong?  Anyone else with this problem?  Any advice?

  I have the same problem and I have been really trying hard to find a solution.  No success. 
  My main problem is this:  For example:  Top Gun soundtrack - I look at Kenny Loggins under artists and I see his albums and songs, plus the 2 songs from top gun.  Then when I look at Miami Sound Machine (also on top gun cd) under artist, I see correct albums from Miami sound machine, but under the top gun soundtrack, it shows the 2 kenny loggins songs instead.  then if I look at another artist from top gun cd, it continues to show the kenny loggins songs.  It doesn't matter which songs i look at, but the first one i start with will always show up on the others.  Funny thing is, if I click on the song, the correct song plays, it just says it is the kenny loggins song!!!  ha ha.   Been dealing with this for over a year now.  Pretty aggravating.   Happens whether I have compilations checked or unchecked on settings.   I have over 50 compilation albums and some are checked, some aren't...they all behave this way. 
  On Mac, itunes (v 12) it all shows up correctly and works fine.  I have become an expert on ID tags and am very thorough with my tagging.  HAND TAGGING, not some program that does it for you...they are never correct.  I match all my tag info with the info in the iTunes store for each album so it is sure to match.  Has taken a long, long, long time. 
  Love iTunes match, but this one issue is a real pain.  Anyone with any ideas, I'd love to hear them!  Thanks!

• Please could you advise? ... After installing Itunes 11.3.1.2 on my Laptop and when reconnecting my iPad2 via USB, it is no longer visible under 'My Computer'. Any advice on resolving this issue would be most welcome. Thanks

  Please could you advise? ... After installing Itunes 11.3.1.2 on my Laptop and when reconnecting my iPad2 via USB, it is no longer visible under 'My Computer'. Any advice on resolving this issue would be most welcome. Thanks

  Any one or a combo may help
  Give your iPad a reset. Hold down the sleep and home  keys for about 20 seconds. When you see the silver apple, let go and let it reboot and try again.
  Try a different USB cord
  Try a different USB port
  Try rebooting your computer
  Try closing/opening iTunes.
  If you go through that and it doesn't work, try going into the control panel, add/remove programs. Uninstall iTunes, Apple Mobile Device Service, Apple Application Support. Then redownload and reinstall iTunes and try again

• Security warning for any connect VPN " Untrusted VPN server Certificate"

  Is there any way to disable this security warning  ( " Untrusted VPN server Certificate") with self sign certificate on the ASA 

  Hi Anton,
  Please have a look at the link below:
  http://docs.acl.com/ex/300/index.jsp?topic=%2Fcom.acl.ax.exception.installguide%2Fexception%2Finstallation%2Ft_installing_the_self-signed_certificate.html
  This is for IE. You should get steps for FF and CHROME out there easily as well.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Static NAT and IPSec VPN

  This maybe stupid but may somebody help on this.
  Site A --- Internet --- Site B
  An IPSec VPN is implemented between Site A and Site B. Some "nat 0" commands are used on Site A PIX to avoid addresses being translated when communicating with site B.
  But now there is a problem, there are several public servers which have static NAT entries by "static" command. And it looks like these entry will still be valid even if the "nat 0" is presenting. And thus those inside IPs which have a static NAT, will be translated once it reaches the PIX and can not go via the VPN tunnel.
  May someone advise me how to overcome this? Thanks.

  Your question really pertains to the nat order of operations. Nat 0 (nat exemption) is first in the order. It preceeds all other including static nat. The servers you mention will absolutely be included in the nat 0 unless they are specifically denied in the nat 0 acl.

• I work in a public library and we have two ipod touch and two ipod nanos we would like to circulate for our patrons. Any advice on how we can do this? Should we allow patrons to set the device up for personal use or download static content?

  I work in a public library and we have two ipod touch and two ipod nanos we would like to circulate for our patrons. Any advice on how we can do this? Should we allow patrons to set the device up for personal use or download static content?

  With the Nanos, you should have no problem lending them loaded with audiobooks from Librivox, etc.
  As for the iPod Touches, I'm not sure the question is whether you should allow patrons to set up the device for personal accounts, but whether you can prevent them from doing so. Prepare to to a factory restore every time one is returned.

• I'm trying to update to IOS6 on my New Ipad through software update under settings, over Wi-Fi ....It keeps telling me that IOS is still up to date.....? Any advice?

  I'm trying to update to IOS6 on my New Ipad through software update under settings, over Wi-Fi ....It keeps telling me that IOS is still up to date.....? Any advice?

  Maybe you have a beta version of iOS6 in your Ipad. if is this, you have to put the ipad in recovery mode in itunes and then the update will start.
  To put the ipad in recovery mode, you have to turn of the ipad. In your pc/mac Itunes has to be running, and plug the cord, but when you do that you have to press the home button until a message shows up in itunes!!
  Regards!!