Weird NAT problem
I got BM 3.8 on OES NW6.5 sp5
I have NAT already in place and it works for what's already there. I
add an available IP address into the system and it refuses to work for
the additional device.
IP address and subnet are valid. The IP actually falls in between other
working addresses.
When sending packets to the public internet, nothing comes out of the
BM. When packets are sent in, they are not acknowledged. In addition,
in case I was missing something in my packet traces, I even stuck a
PC on the outside connection with the public address I'm using, and
had no problems with that. So it's definitely a problem here.
Filtering is off. IPFLT & FILTSRV are unloaded. And unloaded again
when I reinitialize the system.
Interesting test with "ping"
First, from the BM, I can consistently ping the internal device on the
private network.
From the outside, no ping responses to the NAT public address. Ping
does respond on other public NAT devices.
Now I deleted the secondary address, and the entry in the NAT table.
Then I only added the secondary address, reinitialized the system. At
this point I can ping from the internet to the public address just
added.
Then I added the entry into the NAT table to point to the internal
device. As soon as I reinitialized the system ping stopped getting
responses. (IPFLT & FILTSRV auto load, and I unloaded them)
However, I know the device is there and working since I also have ping
on the BM server running, pinging the device on the local subnet. I can
also pick up the ICMP packets hitting the BM with no response.
I've also run this scenario rebooting instead of reinitializing, with
the same outcome.
Any ideas? Thanks
Thanks Craig!
Too many 18 hour days. I looked at that over and over again and never
saw that in the first device I had a number reversed in the subnet,
and on the second I had an 8 instead of a 6. Amazing what a second
set of eyes can see from miles away, and a few hours sleep at this
end.
Thanks again!
On Mon, 21 Aug 2006 02:05:37 GMT, Craig Johnson
<[email protected]> wrote:
>Can you tell from your traces if BMgr is forwarding the ICMP packets?
>If the internal device does not have a correct default gateway, it will
>receive the ping packets but not respond.
>
>Try disabling NAT in Inetcfg, reinit, then enable NAT again. With it
>disabled, be sure that NAT actually unloads.
>
>There is a possibility of a duplicated tcpip.cfg entry. See tip #48 at
>the URL below.
>
>Craig Johnson
>Novell Support Connection SysOp
>*** For a current patch list, tips, handy files and books on
>BorderManager, go to http://www.craigjconsulting.com ***
>
Similar Messages
-
I really can't figure out this problem. Searched the internet, tried all kinds of things, nothing helped so far.
I have a Macbook Pro (Lion originally installed) running on Mavericks (all latest updates). SSD installed and the DVD tray is replaced by the original HDD.
The laptop wasn't running very smooth anymore so decided to give it a fresh Mavericks install (even though I know it's not really necessary for mac, it helped, everything is much faster except a weird internet problem came up).
After freshly installing Mavericks I couldn't get into my Google account anymore; it just wouldn't load. Tried Safari (I use this normally), Firefox and Chrome; the last one gave an SSL connection error, and both Safari and FF said the website couldn't be loaded because the server didn't respond. For Gmail I use Mailplane, which is just stuck on a white page. I tried repairing the keychain, repaired the disk and disk permissions, cleaned browsers, turned off firewall and antivirus (Sophos), started in safe mode, checked time settings, which were all good. None of this helped. I even ended up creating a USB boot disk for Mavericks, formatted the disk and reinstalled from the start, just Mavericks and nothing else, started Safari, still the same problem. As even this didn't help I figured it's not worth reinstalling all software, so I put back my backup.
Now I ended up somehow only being able to use Gmail normally in Firefox, Chrome still gives SSL error and Safari can load the inbox, but I can't open any messages. I get the error there is a problem with the connection. If I try in Basic HTML mode it surprisingly does work.
You would say, just use Firefox, finished...but the thing is that sometimes random websites won't load in Firefox, when I load the same site in Safari it works perfectly.
Oh yes, I also tried connecting to my iPhone and using the cellular data network; then it's no problem using Gmail in Safari normally. You would say it's a router problem, but I have another MacBook Pro (just one model later, running Mountain Lion) and this one works perfectly with every browser. Also my iPhone does everything logged into the WiFi network.
You can understand I really have no clue what's going on here, I don't see any logic. I can only think of a hardware problem in my Macbook, but don't see how that could cause these problems.
I hope someone is able to help me?
Please read this whole message before doing anything.
This procedure is a test, not a solution. Don’t be disappointed when you find that nothing has changed after you complete it.
Step 1
The purpose of this step is to determine whether the problem is localized to your user account.
Enable guest logins* and log in as Guest. Don't use the Safari-only “Guest User” login created by “Find My Mac.”
While logged in as Guest, you won’t have access to any of your documents or settings. Applications will behave as if you were running them for the first time. Don’t be alarmed by this behavior; it’s normal. If you need any passwords or other personal data in order to complete the test, memorize, print, or write them down before you begin.
Test while logged in as Guest. Same problem?
After testing, log out of the guest account and, in your own account, disable it if you wish. Any files you created in the guest account will be deleted automatically when you log out of it.
*Note: If you’ve activated “Find My Mac” or FileVault, then you can’t enable the Guest account. The “Guest User” login created by “Find My Mac” is not the same. Create a new account in which to test, and delete it, including its home folder, after testing.
Step 2
The purpose of this step is to determine whether the problem is caused by third-party system modifications that load automatically at startup or login, by a peripheral device, by a font conflict, or by corruption of the file system or of certain system caches.
Please take this step regardless of the results of Step 1.
Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards, if applicable. Start up in safe mode and log in to the account with the problem. You must hold down the shift key twice: once when you turn on the computer, and again when you log in.
Note: If FileVault is enabled, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for further instructions.
Safe mode is much slower to start up and run than normal, with limited graphics performance, and some things won’t work at all, including sound output and Wi-Fi on certain models. The next normal startup may also be somewhat slow.
The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.
Test while in safe mode. Same problem?
After testing, restart as usual (not in safe mode) and verify that you still have the problem. Post the results of Steps 1 and 2.
-
Hey
I am running a 17 inch imac and experiencing some trouble with my bittorrent client Azureus.
I simply never get the green smiley face. I read the wiki help from Azureus and confirmed by using their instructions that I do have a NAT problem. I have no firewall running. I did continue reading the explanation in the wiki but it seems to be PC oriented. Can anybody give me some good info to fix this problem?
By the way will my downloads be faster when I do use a correctly configured NAT?
Samuel
PS I am not using a router, just an ADSL modem.
I had the same problem but turned off my firewall, opened the port 59981, turned my firewall back on and it worked straight away; my d/l speed shot up from 20kb to 280kb. My only problem now is that when I am running Azureus my internet connection sometimes drops and the only way round it seems to be turning off my Mac and cable modem and rebooting. I'm on Telewest Blueyonder cable with a Webstar cable modem and it only happens when I'm using Azureus.
Very frustrating!!
-
Open NAT problems with Xbox One .
When I first got my 1900ac I used Media Prioritization to get an open NAT for Call of Duty Advanced Warfare on my Xbox One, prioritizing the Xbox. It worked fine for about 6 months until I changed cable/net provider to Nextech in KS. This company uses the 1900ac to hook up its system for all its customers (since I already had one they're using mine). Unfortunately I'm unable to get an open NAT in this game anymore; I've tried just about everything: NAT forwarding, triggering, Media Prioritization. Nextech support and Xbox Live support, useless. Tried Portforward.com, nothing. Forwarding port 53 cuts off the net connection, and doing the static IP change for the Xbox didn't help. Almost everything I've looked at seems out of date and I'm at my wits' end. It would seem by now Linksys should have solutions available; any ideas?
Thank you chin_pamz13 for your response. I tried to check if my modem had a public or private IP address but I'm not sure how to do that; I've read about double NATs elsewhere. Regardless, I think I've finally found a solution that seems to be working so far. I went to the website tech-recipes.com and found an article, "Xbox One open NAT" by Aaron St. Clair. I tried his first suggestion about port triggering, with extra ports I hadn't seen before. That did not work for me, so I followed his instructions for putting the Xbox in the DMZ and it's working! I think my problems from before were the result of improperly setting up the static IP address for my router and Xbox. Previous instructions had me changing the IP in the console along with the router; Aaron said not to do so in the Xbox, let the router do the work it's supposed to do and make sure the settings in the console are on automatic. In the router at the DMZ, I wasn't sure how to proceed, but at the bottom is a section labeled DHCP reservations list; clicked on that, saw XboxOne, clicked on that and it filled out the MAC address above for me. Then I went to the Xbox network settings, advanced settings and clicked "automatic" at IP address, subnet and DNS. I checked multiplayer connections and did the "hold bumper and trigger buttons" trick and finally got an open NAT; fired up CoD Advanced Warfare and got the open NAT there also. I may have screwed up when I did the port triggering but since the DMZ fix seems to work I'm going to leave things alone. Hope this helps others with open NAT problems.
-
Why can't you get an open NAT with PS3? Always on moderate; how do you get it to open?
This link should help.
NAT Problems on games consoles and computers
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.
-
Weird audio problem during calls
I have a weird audio problem and was wondering if anyone else has had a similar problem or could help...
My wife and I both have iPhone 5's and sometimes (not all the time) when she calls me (or I call her), it connects, but no matter which audio input I choose (phone, bluetooth, speaker, headphones), I cannot hear her, but she can hear me... I hang up, call back (and when I call, there is no dialing sound, nor any other phone sounds) and it's the same thing. Sometimes restarting the phone works, other times I have to restart it 3-4 times before it'll work again. I try different things during these calls, like turning on/off bluetooth and/or wifi (pretty much anything I can think of that would make a difference), but nothing seems to help.
The (other) weird part is that after the last time of this happening, I tried calling my iPhone with my office phone and it worked fine, so then I immediately call my wife back with my iPhone and it was doing the same thing again. I called her back using my office phone and could talk to her fine...
This problem has been going on for a few months now and I have tried restoring the phone a couple times (and I am on the latest iOS) and sadly, that hasn't done anything to help... Does anyone have any ideas what is going on? I'd make an appointment for the problem, but since it doesn't do it all the time, I don't know what good it would do... But it is getting very frustrating!
Thanks for any help!
-Jason
Thanks for the response! It happened again yesterday... It seems to be happening more frequently in the past few weeks now.
I checked the link and have tried all of the things listed at one point or another over the past few months. I did just check my Carrier settings and it said it had updated (it's on 14.1), but I am not sure when that happened (could have been today, could have been after my last restore last week, not sure). I'll keep my fingers crossed that maybe that fixed it...
If it continues to act up, would you recommend that I bring the phone in to an Apple store or an AT&T store? I bought the phone through Apple, but my carrier is AT&T (and if you suspect that the problem may be with the cellular connection), maybe the AT&T store would be the better choice?
I really wish the problem would be more consistent or go away, because trying to get the problem solved is driving me crazy!
-
Xbox360 WRT54GS ver. 6 NAT problems
My Xbox 360's NAT is set to strict and prevents me from connecting with a lot of other players, and my wireless router is a WRT54GS ver. 6.
For Xbox 360 having NAT problems... you need to call Xbox to ask for the port numbers to open... now if your ISP is DSL then call them up and set the modem to bridge mode and set the router to PPPoE... in this way we will be able to eliminate the multiple NAT issues and get your Xbox to work...
CamZ
-
Hi Everyone,
We have an ASA 5540 at our data center, with ASA 5505's at most remote sites.
At the sites without layer 3 switches behind the ASA 5505's, we can't reach the data center internal network through the ASA for flow-export, etc.
So, what I'm basically saying is, even though the tunnel is up and everything behind the branch ASA can reach the data center networks fine, the ASA itself cannot reach hosts on the data center network.
I'm hoping to configure these ASA 5505's so I can do flow export and SNMP logging from them, but without this routing or nat problem resolved, they just won't do it.
Doing a packet tracer from the ASA 5505 to the data center server I'm most focused on, reveals this:
BRANCH5505f01# packet input inside icmp 10.15.16.1 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
hits=1004755, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.15 255.255.255.255 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
I am thinking the problem is NAT related, but with the new ASA NAT rule format due to v9.1... struggling to get a grip on where it is... any thoughts/help are appreciated.
Ken
Here is the relevant config for the Branch ASA and also the relevant config from the data center ASA:
Branch ASA Config Parts:
: Saved
ASA Version 9.1(2)
hostname BRANCHASA5505
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description LAN_NETWORK
nameif inside
security-level 100
ip address 10.15.6.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address <outside ip> 255.255.255.248
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network BRANCH_NETWORKS
description BRANCH LOCAL NETWORKS
network-object 10.15.6.0 255.255.254.0
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network NETWORK_MGMT
network-object 10.0.0.0 255.0.0.0
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL remark * FOR VPN CONNECTION TO DATACENTER/VEYANCE NETWORKS *
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL extended permit ip host <outside ip> host <outside ip datacenter asa>
access-list DATACENTER_VPN_ACL extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_NONAT extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_FILTER extended permit tcp any4 any4 eq www
access-list INSIDE_FILTER extended permit tcp any4 any4 eq 8080
logging host inside 10.1.1.15
flow-export destination inside 10.1.1.15 2055
ip verify reverse-path interface inside
ip verify reverse-path interface outside
nat (inside,outside) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
nat (inside,outside) source dynamic any interface
object network obj_any
nat (inside,outside) dynamic interface
access-group FROM_OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 <outside ip gateway> 1
route outside 10.1.1.15 255.255.255.255 <outside ip datacenter asa> 1
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group <outside ip datacenter asa> type ipsec-l2l
tunnel-group <outside ip datacenter asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map type regex match-any DomainBlockList
match regex DomainList-Netflix
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map httptraffic
match access-list INSIDE_FILTER
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action log
class BlockDomainsClass
reset log
policy-map URL-filter-policy
class httptraffic
inspect http http_inspection_policy
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
class class-default
flow-export event-type all destination 10.1.1.15
service-policy URL-filter-policy interface inside
prompt hostname context
Datacenter ASA Config Parts:
ASA Version 9.0(1)
hostname DATACENTERASA5540
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface GigabitEthernet0/0
description *** TO OUTSIDE NETWORK AT DATACENTER ***
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address <outside ip>
interface GigabitEthernet0/1
description *** TO INSIDE NETWORK ***
nameif INSIDE
security-level 100
ip address 10.1.3.2 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network DATACENTER_NETWORKS
network-object 10.1.0.0 255.255.0.0
object-group network BRANCH_NETWORKS
network-object 10.15.6.0 255.255.254.0
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL remark * FOR SITE TO SITE VPN TO BRANCH WV USA *
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL extended permit ip host <outside ip> host <outside ip branch asa>
access-list BRANCH_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group BRANCH_NETWORKS
flow-export destination INSIDE 10.1.1.15 2055
flow-export template timeout-rate 1
flow-export delay flow-create 180
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
nat (INSIDE,OUTSIDE) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
access-group FROM_OUTSIDE in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 <outside ip> 1
route INSIDE 10.0.0.0 255.0.0.0 10.1.3.1 1
route OUTSIDE 10.15.6.0 255.255.254.0 <outside ip branch asa> 1
crypto map OUTSIDE-MAP 156 match address BRANCH_VPN_ACL
crypto map OUTSIDE-MAP 156 set pfs
crypto map OUTSIDE-MAP 156 set peer <outside ip branch asa>
crypto map OUTSIDE-MAP 156 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
tunnel-group <outside ip branch asa> type ipsec-l2l
tunnel-group <outside ip branch asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
flow-export event-type all destination 10.1.1.15
user-statistics accounting
service-policy global_policy global
smtp-server 172.19.1.137
prompt hostname context
call-home reporting anonymous
Again, any help you can provide is appreciated... will vote for best...
I ran it, with the source IP corrected (it is 10.15.6.2):
BRANCHASA# packet input inside icmp 10.15.6.2 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
hits=1203279, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.15/0 to 10.1.1.15/0
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.15.6.0 255.255.254.0 inside
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Static translate 10.15.6.2/0 to 10.15.6.2/0
Forward Flow based lookup yields rule:
in id=0xcb12f2f0, priority=6, domain=nat, deny=false
hits=15824, user_data=0xcb0fdef8, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcaa712e0, priority=0, domain=nat-per-session, deny=true
hits=77610, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bc128, priority=0, domain=inspect-ip-options, deny=true
hits=91404, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bbc28, priority=66, domain=inspect-icmp-error, deny=false
hits=4585, user_data=0xcb0bb238, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb0c1218, priority=70, domain=encrypt, deny=false
hits=708, user_data=0xbf63c, cs_id=0xcb9ad918, reverse, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb12fb00, priority=6, domain=nat-reverse, deny=false
hits=15837, user_data=0xcb124438, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 143081, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
-
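The two packet-tracer runs above differ only in the source address, and that is exactly what the reverse-path check on the inside interface (ip verify reverse-path interface inside) cares about: the best route back to the packet's source must leave through the interface the packet arrived on. The first run used 10.15.16.1, which is not inside the connected 10.15.6.0/23 subnet, so the only route back to it is the default route via outside and the ASA reports rpf-violated; the corrected run with 10.15.6.2 passes. The following Python model is an added example written for this page, not part of the post or of Cisco's software; the routing table is constructed from the quoted branch config and the next-hop values are placeholders, as in the post.

```python
import ipaddress

# Constructed routing table modelled on the branch ASA config quoted in the
# post: the connected inside subnet 10.15.6.0/23 (interface Vlan1), the host
# route to 10.1.1.15 via outside, and the default route via outside.
# Next-hop values are placeholders, as in the post.
ROUTES = [
    ("10.15.6.0/23", "inside", "connected"),
    ("10.1.1.15/32", "outside", "<outside ip datacenter asa>"),
    ("0.0.0.0/0", "outside", "<outside ip gateway>"),
]


def route_lookup(address, routes=ROUTES):
    """Longest-prefix match. Returns (network, interface, next_hop) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, ifc, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc, next_hop)
    return best


def urpf_check(src, ingress_ifc, routes=ROUTES):
    """Unicast reverse-path check as 'ip verify reverse-path interface' applies
    it: the best route back to the packet's source must leave through the
    interface the packet arrived on.  Returns (passed, reason)."""
    best = route_lookup(src, routes)
    if best is None:
        return False, f"no route back to {src}"
    net, ifc, _ = best
    if ifc != ingress_ifc:
        return False, f"route back to {src} is {net} via {ifc}, packet arrived on {ingress_ifc}"
    return True, f"route back to {src} is {net} via {ifc}"


def trace(src, dst, ingress_ifc, routes=ROUTES):
    """Reproduce the part of packet-tracer the two runs in the post differ on:
    the egress lookup for the destination, then the RPF check on the source."""
    egress = route_lookup(dst, routes)
    passed, reason = urpf_check(src, ingress_ifc, routes)
    return {
        "egress": egress[1] if egress else None,
        "action": "allow" if passed else "drop (rpf-violated)",
        "reason": reason,
    }


if __name__ == "__main__":
    # First run in the post: 10.15.16.1 is not in 10.15.6.0/23, so the only
    # route back to it is the default route via outside -> rpf-violated.
    print(trace("10.15.16.1", "10.1.1.15", "inside"))
    # Second run: 10.15.6.2 sits on the connected inside subnet -> allowed.
    print(trace("10.15.6.2", "10.1.1.15", "inside"))
```

The model deliberately keeps only the route lookup and the RPF decision; the real ASA pipeline also runs NAT, inspection and VPN phases, as the second trace shows, but none of those change the outcome here. A source that fails this check is by definition one the firewall could not route a reply to, which is why uRPF is a cheap anti-spoofing control worth leaving on even after a scare like this one.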
ASA5512 iOS 9.3 inside nat problem
Hi,
I face some NAT problem. I have an ASA5512 iOS 9.3; it connects outside (IP: 37.10.1.2/29) for internet and inside (IP 10.78.61.1/24) for LAN and server.
I configured dynamic NAT for internet; it works. The LAN switch has 4 VLANs, one server VLAN with IP 10.88.61.0/24.
Now I map a public IP 37.10.1.3 for server 10.88.61.10; from the outside internet it works. But when I try to ping the server public IP 37.10.1.3 from the LAN it doesn't ping, while the server local IP 10.88.61.10 does ping from the LAN.
How can I solve the issue? I need to ping the public IP from the LAN. All LAN VLANs are NATed on the ASA outside interface (IP: 37.10.1.2/29).
interface GigabitEthernet0/0
description #### Connect TO Internet ####
nameif outside
security-level 0
ip address 37.10.1.2 255.255.255.248
interface GigabitEthernet0/1
description #### Connect TO Core Switch ####
nameif inside
security-level 100
ip address 10.78.61.1 255.255.255.0
access-list outside-in extended permit ip any any
access-group outside-in in interface outside
access-group outside-in in interface inside
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_Ser
host 10.88.61.10
object network obj_Ser_WAN
host 37.10.1.3
nat (inside,outside) source static obj_Ser obj_Ser_WAN
object network obj_any
nat (inside,outside) dynamic 37.10.1.4
same-security-traffic permit intra-interface
Thanks
Afzal
Hi,
Try this NAT:-
nat (inside,inside) source static obj_Ser obj_Ser_WAN
Thanks and Regards,
Vibhor Amrodia
-
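Why the (inside,inside) rule in the reply matters comes down to which interface pair a static NAT rule is attached to: the rule nat (inside,outside) source static obj_Ser obj_Ser_WAN only untranslates 37.10.1.3 for packets that arrive on outside, so a LAN host sending to 37.10.1.3 finds no matching rule on inside and the packet is simply routed out to the ISP. A second rule on the (inside,inside) pair, together with same-security-traffic permit intra-interface, lets the same packet be untranslated and sent back out the inside interface. The Python model below is an added example for this page, not code from the thread or from Cisco; the routes are assumptions that follow the quoted config (outside 37.10.1.0/29, inside 10.78.61.0/24, the server VLAN 10.88.61.0/24 behind the core switch on inside).

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the ASA5512 in the post.  Routes are assumptions that
# follow the quoted config: outside 37.10.1.0/29, inside 10.78.61.0/24, the
# server VLAN 10.88.61.0/24 reached through the core switch on inside.
ROUTES = [
    ("37.10.1.0/29", "outside"),
    ("10.78.61.0/24", "inside"),
    ("10.88.61.0/24", "inside"),
    ("0.0.0.0/0", "outside"),
]


@dataclass(frozen=True)
class StaticNat:
    real_ifc: str    # interface behind which the real address lives
    mapped_ifc: str  # interface on which the mapped address is presented
    real: str
    mapped: str


# nat (inside,outside) source static obj_Ser obj_Ser_WAN, as in the question
ORIGINAL_RULES = [StaticNat("inside", "outside", "10.88.61.10", "37.10.1.3")]
# plus nat (inside,inside) source static obj_Ser obj_Ser_WAN, as in the reply
HAIRPIN_RULES = ORIGINAL_RULES + [StaticNat("inside", "inside", "10.88.61.10", "37.10.1.3")]


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match over the routing table; returns the interface name."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def un_nat(ingress_ifc, dst, rules):
    """UN-NAT phase: a static rule only untranslates a packet that arrives on the
    rule's mapped interface with the mapped address as its destination."""
    for rule in rules:
        if rule.mapped_ifc == ingress_ifc and rule.mapped == dst:
            return rule.real, rule.real_ifc
    return None


def forward(ingress_ifc, dst, rules, intra_interface=False):
    """Decide what happens to a packet for dst that arrives on ingress_ifc."""
    hit = un_nat(ingress_ifc, dst, rules)
    if hit is None:
        # No rule applies from this interface: the packet is routed towards the
        # mapped address as-is, i.e. out to the ISP for 37.10.1.3.
        return {"dst": dst, "egress": egress_interface(dst), "action": "routed untranslated"}
    real, real_ifc = hit
    if real_ifc == ingress_ifc and not intra_interface:
        # A hairpin needs 'same-security-traffic permit intra-interface'.
        return {"dst": real, "egress": real_ifc, "action": "drop (intra-interface traffic not permitted)"}
    return {"dst": real, "egress": real_ifc, "action": "allow"}


if __name__ == "__main__":
    # Internet client -> public IP: the (inside,outside) rule untranslates.
    print(forward("outside", "37.10.1.3", ORIGINAL_RULES))
    # LAN host -> public IP with only the original rule: leaves via outside.
    print(forward("inside", "37.10.1.3", ORIGINAL_RULES))
    # LAN host -> public IP with the (inside,inside) rule: hairpinned to the server.
    print(forward("inside", "37.10.1.3", HAIRPIN_RULES, intra_interface=True))
```

One caveat a practitioner will want to check before relying on this: the model only tracks the forward direction. When the LAN host and the server both sit behind inside, the server's reply is addressed to the host's real address and can return through the core switch without passing the ASA, so the host sees a reply from 10.88.61.10 rather than from 37.10.1.3 and the session does not line up. The usual hairpin configuration therefore also translates the source to the ASA's inside interface address (the twice-NAT form source dynamic ... interface destination static ...), which forces the reply back through the firewall; that goes beyond the single rule shown in the reply above.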
Slooow internet and weird mouse problems?
I recently upgraded my iMac to Leopard (10.5.4) and started having weird mouse problems. At start up, the mouse would be frozen in the upper left corner. I'd restart, switch mice, restart, over and over. I use a Wacom tablet with cordless mouse plus Apple's aluminum cordless keyboard. Eventually I tried switching USB ports for my Wacom tablet and the mouse was OK. I have learned that when this problem occurs, I need to shut down and unplug everything. That seems to solve it. Anyone know why? ALSO, ever since upgrading I have found the Internet to be appallingly slow. I have 2 GB memory and just upped my internet speed (supposedly) through Embarq.
Hmm, what is a mouse USB or a keyboard USB?
Aren't all the USB ports the same?
I really wish to show you how this happens; it is really fun, but also annoying, especially when I am playing a game. It is interesting to watch the screen when suddenly all the world starts rotating when you are playing a first person shoot 'em up.
-
Hi..
I'm having this weird boot problem (and no it doesn't seem to be the standard one)
OK..
I have the following :
AMD Athlon 2000+
KT6V LSR mainboard
2x 256 Crucial PC2700 memory
IDE Hard Disk (120 GB Seagate)
Creative 5700ultra Graphics card (AGP)
Cd Rom
Chieftec 400w PSU
WinXP Pro
If I set my CPU FSB to 100 MHz (everything else on auto), WinXP Pro boots fine and all is pretty good, except that my chip is now seen as a lowly 1.25 GHz.
If I then set my CPU FSB to 133 or 166 then the machine boots (i.e. it beeps etc.), starts to load Windows XP (I get the logo and that's when the problem happens) and either black screens (i.e. nothing, and the monitor turns off) or blue screens with the Windows message saying that Windows has detected a hardware fault and has halted the system.
I know my memory, chip, heatsink etc all work because just over an hour ago they all worked fine in my KT3 ultra.
What is going on as I've tried almost everything to try and solve this, with the only option to set the FSb to 100mhz which is incorrect for my CPU.
How do I fix this.
I've looked through the forum but this is not the same problem as simple reboots.. this is weird.
If I can't fix this then I guess it'll be send it back.. which is a shame because I like MSi motherboards.
Thanks
Slippery
Hi..
I've checked the CPU heatsink, and nothing's wrong!
(Can't check the voltage, but I know the PSU is OK as I ran it in a custom case with 4 CD writers, 4 HDs, loads of lights etc. before I moved to this new plain case tonight.)
What's weird is that set at 100 FSB it's fine, but at 133 or 166 it just crashes after the loading XP logo is displayed. Up until that point it's all fine.
But why does it run OK at 100 MHz and not 133 MHz?
Please help, before I end up fixing this with a hammer!
Thanks
Slippery -
Cisco ASA5505 multiple public ip nat problem
Hello,
I've been having a weird problem with static NAT.
First I have to say that I've been searching for an answer to this and have not yet found one...
I have three public IPs from a /24 network, like 83.x.x.10, 83.x.x.25 and 83.x.x.41, all using netmask 255.255.255.0.
I'm using 83.x.x.10 on the ASA outside interface and trying to do static NAT for inside servers with those other IPs, but have not yet solved it.
Using Cisco ASA 5505 software v9.02
Config:
object network obj_guest
 nat (guest,outside) dynamic interface
object network obj_any
 nat (inside,outside) dynamic interface
object network w2008
 host 192.168.1.10
object network w2008
 nat (inside,outside) static 83.x.x.27
object service RDP
 service tcp destination eq 3389
access-list outside_access_in extended permit object RDP any object w2008
access-group outside_access_in in interface outside
This works on other networks that have a whole network with a /29 mask and a router in front of the ASA using bridge mode. But in my case I just have a DSL modem bridged in front of the ASA. This static NAT works like it should if I use e.g. a Zywall USG series firewall, and this same configuration works at my customers, but they have those scenarios I mentioned, with a /29 mask and a router in front...
It seems that the problem is in the ASA, like it won't show those public IPs to the public router of my operator. Because if I roll those other public IPs onto my ASA's outside interface (I use 83.x.x.25 and 83.x.x.41 on the outside interface and after that put back my original 83.x.x.10), then my static NAT is working just fine, at least for a few hours, but not the next morning, because the ISP router flushes its ARP cache.
What trick do I need to do with the ASA to get this working?
Here is the command reference for that:
http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/a3.html#wp1824414
Apologies, I didn't know that you are running a version that supports this new command.
The reason why you need that is because the next-hop device is not in the same subnet as your ASA, as you have a DSL modem bridge in front of the ASA; hence you would need that command enabled. -
Very weird internet problem :I
Hi everyone, I am calling for all the experts because I have spent my last two days resolving this problem without any success.
I moved to a new location on Saturday, where I set up my AirPort Extreme to provide a wifi network. The Extreme is connected to the ISP's modem in bridge mode. The ISP modem address is 192.168.1.254. My MacBook usually gets the 192.168.1.4 IP address; DHCP is 192.168.1.254. I have in this network my MacBook and my wife's Vista desktop PC. The MacBook is up to date with 10.5.8. (Or, better to say, that was the starting system version.)
What I experience is that some websites work on my MacBook (meaning they load), while some do not. That means a white page, no content at all, loading goes on forever. For example, YouTube does not come in. Adobe does not come in. Apple.com works. I couldn't find any pattern for why a site can't load.
Safari and Firefox do the same, so it is probably not a Safari bug.
The machine with Vista (on the same network) works with every webpage (using Firefox). I didn't have this problem at the old location.
I did the following:
- I took my MacBook back to the old location, where the old network I used for years still works. Same problem. Never had this before. Then I got back to the new location.
- I connected the MacBook via cable to the Extreme (AirPort in the MacBook disabled), same problem.
- I created a new user, nothing.
- I created a new network location, nothing.
- Reset Safari, nothing.
- Tested browser capabilities on various sites. I had some which were not loading at all, but the ones that worked gave back a good result, meaning every plug-in worked.
- Reset modem, reset AirPort Extreme, nothing.
- Changed wifi channel (from 6 to 4), nothing. I live in a village, no wifi pollution anyway.
- Deleted Safari and System cache, nothing.
- Verified disk permissions, some problems were found, repaired them, nothing.
- With the help of Apple support I deleted some system configuration files which were automatically regenerated on the next start, nothing.
- I did a complete archive and install.
- I tried out everything without an update (that means 10.5 and Safari 3.0.4), almost the same. I had some pages which were working after 2-3 min of waiting, but with YouTube for example I get some weird, almost text-only content with small pictures and no video. After a 2-3 min wait, of course. And a message that Java is old. Hit the link, went to Adobe, slowly loading, but I couldn't download the .dmg; Safari says network error, server could not be found.
- Then I did an update (through Software Update, bandwidth was OK). System 10.5.8, newest Safari, the same problem that I had before the archive and install. YouTube won't load at all.
- Then I did a complete new install with erase. Nothing, the problem stays!
So, now I am sitting in front of a freshly installed MacBook with 10.5 (no updates yet after installation) and I really don't know what to do now. The problem seems not to be software related. The problem seems not to be network related (Vista works on the same network). Can this be a hardware problem? I really can't imagine it...
I did talk to the ISP and got the access codes to the ISP router. It's a WLAN broadband router; under operating mode I see the following option checked:
Wireless ISP: In this mode, all ethernet ports are bridged together and the wireless client will connect to ISP access point. The NAT is enabled and PCs in ethernet ports share the same IP to ISP through wireless LAN. You must set the wireless to client mode first and connect to the ISP AP in Site-Survey page. The connection type can be setup in WAN page by using PPPOE, DHCP client, PPTP client or static IP.
So, would it mean that if I connect my Extreme in bridge mode, then I do not have double NAT and that is the correct way of connecting?
To clarify the situation, I have a microwave antenna and that is connected to the ISP router. Then a LAN port of the ISP router is connected to the WAN port of the Extreme. (I did try to connect it to a LAN port of the Extreme; everything was the same.) -
Hi there,
I'm currently dealing with a weird problem on a Cisco RVS4000.
I'm trying to connect to an IPsec VPN gateway (NETASQ) located on the LAN side of the RVS4000.
I'm using the Greenbow VPN client on the WAN side of the RVS4000.
Basically I'm trying to get through the RVS.
My VPN config is OK because I tested it on the LAN side of the RVS.
The RVS is configured like this:
No VPN configured.
Block WAN Request: OFF
Firewall, IPS, DDoS are OFF
NAT forwarding on for UDP 500 and 4500, directed from the WAN to the IP of the VPN gateway
Seems right, because I've managed to do this with other routers (different brands) on another site.
I've Wiresharked my VPN client and I keep getting ICMP destination unreachable (port unreachable) after my ISAKMP initiating packet.
Can the RVS NAT these ports?
I've managed to discover the trick. These two ports are some kind of reserved for the Cisco VPN system. You can fool this by NATing these two ports to a different value on the WAN side.
wan --700--470 ---CISCO --- 500- 4500 ---YourVpnEquipment -
Hi, I have quite a complex (to explain) VPN problem. I've built a model in GNS3 but I still can't get it to work. Here is the topology:
1. SiteW is the main site; if W-Client wants to talk to S-Client (on SiteS), the traffic is simply NATted to 106.200.194.240 and sent there (this works fine).
2. SiteB is a new site; I've set that up with a site-to-site VPN, and that works fine.
New Requirement
If a user at SiteB wants to talk to a client at SiteS, then the traffic should go over the existing VPN to W-FW1, then get decrypted and routed there. This is the bit I CANNOT, despite HOURS of tweaking and testing, get to work.
What I've done
On W-FW2
Added Site S to the existing interesting-traffic ACL and added a 'NO NAT' for it like so:
object network S-CLIENTS
 subnet 65.253.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object B-CLIENTS object S-CLIENTS
nat (inside,outside) source static B-CLIENTS B-CLIENTS destination static S-CLIENTS S-CLIENTS
On W-FW1
Added Site S to the existing interesting-traffic ACL and added a 'NO NAT' for it like so:
object network S-CLIENTS
 subnet 65.253.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
nat (inside,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS
At this point packet-tracer said the traffic was being blocked by an ACL, so I added:
access-list inbound extended permit ip object B-CLIENTS object S-CLIENTS
access-list inbound extended permit icmp object B-CLIENTS object S-CLIENTS
access-group inbound in interface outside
Now packet-tracer was happy. Still, B-Client cannot ping S-Client!
W-FW1 can ping S-Client.
Attempting to ping S-Client from B-Client brings up the tunnel (phase 1 and 2), but no traffic ever travels BACK to B-Client.
Running Wireshark on the 106.200.194.1 interface of S-FW1 whilst attempting to ping 65.253.1.10 from S-FW1 shows traffic (as expected), but if I ping from B-Client it gets nothing (so I'm assuming the traffic never gets out of W-FW1).
Help!
First check if the packet from the S-Client is making it back to W-FW1.
Configure captures on the interface that is connected to the 106.200.194 subnet:
# capture capin interface <interface name> match ip host <sclient ip> host <bclient ip>
# show capture capin
The capture is bidirectional, hence there is no need to enable it in the opposite direction.
If the packet is seen coming back from the S-Client and still not getting encrypted, then do an ASP drop capture to see if the ASA is dropping it:
# capture asp type asp-drop all
Send the traffic.
# show capture asp | include <Sclient IP>
If the packet is seen in this capture then the ASA is dropping it.
Then do a packet-tracer to see why it is dropping it:
# packet-tracer input <Sclient connected interface name> icmp <sclient IP> 8 0 <bclient IP> detailed
Check why the packet is being dropped.
If the capin capture does not see the reply packet, then check the reply path and routing.