IPSec tunnels + NAT overload + NAT static
I have a setup with 1*1711 and 3*831. There is an IPSec tunnel between
each of the 831 (remote sites) and the 1711 (main site). NAT overload
is used for all the routers.
Remote sites access a Terminal Server on the main site on the standard
port 3389. This works well.
I want to have access also from the Internet to the Terminal Server on
the main site, but I want to use a different port number, let's say
port 7888 (and I don't want to use this port number for the PCs that are
in the main or remote sites). Is this possible?
With my current configuration, as soon as I insert:
ip nat ...
Simultaneous NAT overload (internet) and NAT overlapping for IPsec
Have been bashing my head against this for the last couple of days and
was wondering if anyone might be able to take a look at the config and
point where I might be approaching this wrong...
My current lab is configured as:
Two sites (SITE1/SITE2) connected via a third router (ISP) -
There is a pure IPsec tunnel between SITE1 and SITE2. Both SITE1 and
SITE2 have overlapping IP addresses (SITE1 uses 10.1.1.0/24 and SITE2
uses 10.0.0.0/16 and 192.168.80.0/24 - however, we're only presented
with access to 10.81.0.0/18 via the IPsec VPN)
Okay... Overlapping NAT & ...
NAT Overloading
I have a question regarding PAT or NAT Overloading.
I understand how NAT overloading works with TCP and UDP which have the
notion of port numbers, but how does it work and does it work at all
with other protocols, like ICMP or IPIP or GRE ? For example, can I
have several PPTP tunnels from the inside network to a VPN server in
Thanks for any input.
Victor Sudakov, VAS4-RIPE, VAS47-RIPN ...
Help! Static NAT failed to work -- NAT overload issue?
I set up Cisco 1811 with multiple static NAT like this
ip nat inside source static 10.10.10.13 xx.xx.xx.13
ip nat inside source static 10.10.10.11 xx.xx.xx.11
Once in a while, after a lot of downloading/uploading, I fail to
access all mapped machines except the router, and I have to reload the
router to recover access. When I look at the router's NAT table
when it fails, there are hundreds of entries like this (the same external IP
downloading from the server inside the router):
10.10.10.11 : 80 xx.xx.xx.xx : 2049
10.10.10.11 : 80 xx.xx.xx.xx : 2050
10.10.10.11 : 80 ...
NAT to NAT
Hi, I am running VNC on a machine on my network behind my NAT router. I
have forwarded the ports and everything and have checked that they
work by using the tools at: http://www.psi-rho.com/dsltools/ (I used
the webserver one because VNC's reply shows in it).
The ports are open and reply back and everything and I have even
managed to get friends to connect to me but when I go to college I
can't connect. I am assuming that my college uses NAT too. Could this
be causing problems?
I first assumed that they had blocked the port so I even tried using
the webserver in VNC to connect. I realised t...
NAT overload with some static NATs and a block of public IPs
Please review the config below :
ip address 192.168.1.254 255.255.255.0
ip nat inside
no cdp enable
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex B
dsl linerate AUTO
encapsulation aal5mux ppp dialer
dialer pool-member 10
ip address 22.214.171.124 255.255.255.248
ip nat outside
dialer pool 10
ppp authentication pap callin
ppp pap sent-username user password pass
ip route 0.0.0.0 0.0.0.0 Dialer10 permanent
ip nat translation tim...
Cisco 1801 - ADSL/PPPoE - IPSec - Static NAT ---- 56K Dial Backup
I am looking for a little guidance on coming up with a configuration
for a very complicated situation. What I'm looking to do is to run a
PPPoE ADSL connection on a Cisco 1801. This 1801 will then need to do
an IPSec tunnel back to a Juniper ERX.
Also, I will need to do several Static NATs with one of the subnets
that will be tunneled. For example, the ethernet subnet of the Cisco
will be 192.168.100.254/24. I will then route 10.20.95.0/24 via the
IPSec tunnel and will need to create specific Static NATs throughout
the subnet, such as 10.20.95.1 will equal 192.168.100.100.
The r...
several nat overload
I want to have two NAT overloads
Gi 0/0 is internal interface with nat inside
Gi 0/0.5 is external with nat outside
There is a rule:
ip nat inside source list 2 interface GigabitEthernet0/0.5 overload
If I try
ip nat inside source list 2 interface GigabitEthernet0/0.8 overload
%Dynamic mapping in use, cannot change
If I add
ip nat inside source list 3 interface GigabitEthernet0/0.8 overload
and add ip nat outside on Gi 0/0.8
then there are no translations in
sh ip nat translations
Is it possible to solve this problem?
"Dmitry Melekhov" <email@example.com> wrot...
Direct connections through NAT/firewall
I'm involved with some research at the University of Manitoba (in Winnipeg,
Canada) this summer. My colleagues and I are in the process of developing a
method for reliably establishing direct connections over the Internet
between two hosts that are both behind NAT gateways.
The software we've come up with runs in userspace Linux, so there is no
kernel or network stack tweaking required. It can easily be extended to
multiple operating systems.
No ports have to be explicitly opened at the firewall. And the method is
able to "break through" several kinds of NAT/firewalls...
Dynamic NAT w/ Overload
Hi all, I seem to be having a really dumb problem. I know it is
something simple that I am overlooking, and I have removed anything
that I can think of that would be blocking my internal network from
getting out; however, when I do a show ip nat translations, it shows
none, and nothing on my network can get out. My config is listed
below; if you can help I would greatly appreciate it.
Current configuration : 1620 bytes
! Last configuration change at 19:54:11 UTC Thu Feb 22 2007 by
! NVRAM config last updated at 19:43:01 UTC Thu Feb 22 2007 by
no service pad...
NAT versus NO NAT
We currently have several web servers behind a firewall in the DMZ (DMZ
port of the firewall). Each server has a public facing IP address. We
will be switching firewalls and I would like to get opinions if we
should implement NAT for the web servers or stay with the current
Thanks for responding.
<firstname.lastname@example.org> wrote in message
> We currently have several web servers behind a firewall in the DMZ (DMZ
> port of the firewall). Each server has a public facing IP address. We
> will be switc...
NAT Overload and load sharing
I have a Cisco 2650 with IOS 12.3 (c2600-i-mz.123-16.bin), a fast ethernet,
and 2 Int T1 CSU/DSU cards.
Verizon has just enabled the second T-1 line for constant operation--it was
previously just a backup line.
Each T-1 is using frame relay on a serial sub-interface and has ip addresses
assigned-- using a /30 subnet.
The FA0/0 is defined as ip nat inside and the Serial Sub Interfaces are
designated as ip nat outside.
I was using "ip nat inside source list 10 interface s0/0.1 overload" to
allow internal users access to the Internet.
I can now use the
ip nat pool test netmask ...
Problem on 1720 with overload nat
I have a problem on a 1720 with the IOS 12.0(3)T. It is connected to two
private networks (192.168.X.X and 10.Y.Y.Y), correctly configured on the two
network interfaces. I have implemented a NAT pool to translate all
192.168.X.X IP addresses on connections going to 10.Y.Y.Y to source address
10.208.7.15 and four static nat allowing 10.Y.Y.Y to access four different
servers on 192.168.X.X network.
The problem is that the router is working ok after reload for a certain
time (I think about 24 hours, although not sure yet about the lapse of time),
changing correctly all 192.16...
Opinions: To NAT or not to NAT?
I'm looking for some expert opinions on the following question:
Should individual departments in a large university be behind NAT firewalls
or transparent firewalls?
The university assigns every PC (and Mac, and network printer, and whatnot)
an IP address from its allocation, and DHCP-serves the PC from its central
DHCP server, which also serves as an inventory of networked computers on
campus. Departments are encouraged to get firewalls, which must be
transparent and capable of DHCP relaying. Departmental subnets work whether
or not a firewall is present. ...
Trouble with Cisco 1600 doing NAT overload
I'm having a bit of trouble. Could someone look over my config and
tell me what I have wrong?
Here is the scenario:
I can ping any ip address on the net. I can telnet, do DNS lookups,
etc from the router itself. When I do a show ip nat trans I get lots
of translations listed. (port 53 as expected when I do DNS lookups).
According to the ISP, they see my packets go out, and come back, but
they don't get back to the workstation.
When I try to do a DNS lookup from any internal workstation, however,
it fails. I can ping, but anything else doesn't come back to the
workstation. It...
UDP source ports using PAT (NAT overload)
I have a Cisco 1720 router with 2 Ethernet and a T1 interface. One of
the ethernet interfaces is setup to use NAT. The problem is that my
company is writing a small application that uses UDP. The app uses a
single, specific source port address and calls a specific, static port
number at one remote address. The problem is that the external
interface of the router opens the exact same port number on the
external interface for each connection rather than opening a random
one. This causes the obvious problems with socket identification at
the other end and scuttles communication.
Do...
Using multiple outside interface with ip nat overload
I am trying to figure out if it is possible to use more than one external
interface with ip nat overload.
This is not the complete config, just a sample with the most important
ip nat inside
dialer pool-member 1
dialer pool-member 2
ip address negotiated
ip nat outside
dialer pool 1
ip address negotiated
ip nat outside
dialer pool 2
ip nat inside source list 101 dialer1 overload
ip nat inside source list 102 dialer2 ove...
UDP ports using PAT (NAT overload)
Below is a thread that I started a while ago and didn't complete. If
anyone has an answer I'd be very grateful.
> >> Hi Everyone,
> >> I have a Cisco 1720 router with 2 Ethernet and a T1 interface. One of
> >> the ethernet interfaces is setup to use NAT. The problem is that my
> >> company is writing a small application that uses UDP. The app uses a
> >> single, specific source port address and calls a specific, static port
> >> number at one remote address. The problem is that t...
Info on Cisco NAT (overload) and MS PPTP Server
I placed a MS Windows 2000 Server configured as a PPTP Server behind a Cisco
2650 (IOS 12.3) router doing static NAT translation of the PPTP port and IP
The Cisco was also doing overload NAT translations of the internal ip
The 2000 RRAS Server was obtaining int ip addresses from an int DHCP server.
In the present Cisco IOS 12.3 incarnation this does not work.
The Cisco will not handle the underlying PPP protocol with overload NAT, but
will work if static translations are in place.
The PPP protocol does not expose ports that are needed for the overload NAT
to...
function overloading: direct-match vs trivial-conversion
Suppose T is a type.
Consider the two functions:
void fn(T& first)
void fn(T const & second)
Suppose I have the declaration
If I call fn(obj), then the function, void fn(T& first) will be
called. This is because:
1) 'T' to 'T&' (this is a direct match)
2) 'T' to 'T const &' (this involves trivial conversion)
are present, direct match takes higher precedence. If direct match is
not found, only then trivial conversion is considered. That is, if the
first function void fn(T& first) is not present, onl...
function overload (not operator overload)
Can I do function overload in Perl (not operator) ?
I'd like to create a function, which accepts an object array or an
object iterator as argument ...
I've googled "perl function overload", but all I get is about operator
overload... what can I do in my case ? (except calling them by
func_array(@array) and func_iter($iter))
self-producing in perl :
-- V Vinay
Ying-Chieh Liao <email@example.com> wrote in comp.lang.perl.misc:
> Can I do function overload in Perl (not operator) ?
> I'd like to create...
Overloading an existing overloaded subroutine
I am using a fortran library that provides subroutines that are
already overloaded, and I would like to overload them further, but I
can't seem to be able to do that. Consider the following example:
module procedure do_real, do_str
real,intent(in) :: x
end subroutine do_real
character(len=*),intent(in) :: x
end subroutine do_str
end module a
use a, do_old => do
module procedure do_old, do_int
end interface do
c...
Direct IP dialing with Grandstream HandyTone 286 behind NAT?
Hi guys, I was just wondering, is it possible to get the HT286 to work for
Direct IP dialing behind NAT, without going through any SIP server?
It is possible, though it requires some extra effort to do it. You will
have to clear the configuration of the device so it does not register to
any server, disable random port, and do the appropriate port forwarding
settings in the NAT.
"SniperSquad" <firstname.lastname@example.org> wrote in message news:<6h0Lb.email@example.com>...
> Hi guys, I was just wondering is it possible to get the HT286 to work for...
direct
Hi, could anybody tell me how to tunnel ports behind firewall/NAT so I
could use direct connections (p2p) .... for example Kazaa, BitTorrent or
anything else that uses p2p connections??
On Fri, 25 Jul 2003 15:21:24 +0200, vlad4 spoketh
>Hi, could anybody tell me how to tunnel ports behind firewall/NAT so I
>could use direct connections (p2p) .... for example Kazaa, BitTorrent or
>anything else that uses p2p connections??
No. This is a group dedicated to preventing such connections, not allowing
them. What you are attempting to probably violates your Unive...