VPN question: ISP assigned a private ip address
Hi all
Internet-online-online headquarters VPN 3015 concentrator
Users remote VPN Client connected to the internet using a private ip address provided by the ISP (cable) is to establish a VPN tunnel, but they can not ping our private network.
The only way to get the VPN works is when remote users use a public ip.
It is a question of Cisco VPN Client? Or it has a solution...
Thanks in advance,
Kind regards
Carlos Welhous
Network engineer
Hi Carlos,
If your ISP gave you a private address, they must use NAT - in which case you will have to enable NAT - T on the VPN concentrator.
To configure the NAT - T in the world, go to Configuration | System | Tunnelling protocols. IPSec | Screen of transparent NAT and check on NAT - T IPSec case.
Tags: Cisco Security
Similar Questions
-
client vpn Cisco router cisco 880 - Private ip addresses is not only the public ip
Experts,
I have an interesting question, I am able to authenticate and connect to my to my Cisco880K9 router cisco vpn client.
My internal network is: 10.10.1.0
My Pool of IP VPN is: 10.10.2.2 - 10.10.2.250
My external Public ip address is: 192.198.46.14
When I connect with my vpn client I get my vpn 10.10.2.2 pool address.
IF I ping my server 10.10.1.2 I get a response from my public IP address.
Example:
Ping 10.10.1.2 with 32 bytes of data:
Reply from 192.198.46.14: bytes = 32 time = 45ms TTL = 127
Reply from 192.198.46.14: bytes = 32 time = 50 ms TTL = 127
Reply from 192.198.46.14: bytes = 32 time = 42ms TTL = 127
Reply from 192.198.46.14: bytes = 32 time = 45ms TTL = 127
I enclose my config file. It's almost a copy from the following link:
Thanks for the help
Please please configure NAT exemption as follows:
access-list 120 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 120 allow ip 10.10.1.0 0.0.0.255 any
IP nat inside source interface FastEthernet4 list 120 overload
no nat ip within the source list 1 interface FastEthernet4 overload
Then, disable the translation: claire ip nat trans *.
-
Cisco ASA5520 facing ISP with private IP address. How to get the IPSec VPN through the internet?
/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-marge-top : 0 ; mso-para-marge-droit : 0 ; mso-para-marge-bas : 10.0pt ; mso-para-marge-left : 0 ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ;}
Hello guys,.
I have Cisco ASA5520 facing the ISP with private IP address. We don't have a router and how to get the IPSec VPN through the internet?
The question statement not the interface pointing to ISP isn't IP address private and inside as well.
Firewall configuration:
Firewall outside interface Gi0 10.0.1.2 > ISP 10.0.1.1 with security-level 0
Firewall inside the interface Ethernet0 192.168.1.1 > LAN switch 192.168.1.2 with security-level 100
I have public IP block 199.9.9.1/28
How can I use the public IP address to create the IPSec VPN tunnel between two sites across the internet?
can I assign a public IP address on the Gig1 inside the interface with the security level of 100 and how to apply inside to carry on this interface?
If I configure > firewall inside of the item in gi1 interface ip address 199.9.9.1/28 with security-level 100. How to make a safe lane VPN through this interface on the internet?
I'm used to the public IP address allocation to the interface outside of the firewall and private inside the interface IP address.
Please help with configuration examples and advise.
Thank you
Eric
Unfortunately, you can only complete the VPN connection on the interface the VPN connection source, in your case the external interface.
3 options:
(1) connect a router in front of the ASA and assign your public ip address to the ASA outside interface.
OR /.
(2) If your ISP can perform static translation of 1 to 1, then you can always finish the VPN on the external interface and ask your provider what is the static ip address assigned to your ASA out of the IP (10.0.1.2) - this will launch the VPN of bidirectionally
OR /.
(3) If your ISP performs PAT (dynamic NAT), then you can only start the tunnel VPN on the side of the ASA and the other end of the tunnel must be configured to allow VPN LAN-to-LAN dynamics.
-
IPSec VPN with private WAN address... Help!
I am trying to establish an IPSec Site to Site VPN to my company network. I use a Cisco 2811. If I plug a Public IP WAN connection my tunnel past traffic without problem, but if I tell a router in the middle where the 2811 pulls a private IP address of the home router I no longer get a tunnel a success. Any suggestion?
I have the following instructions.
FA 0/0
DHCP IP ADDRESS
CRYPTO MAP AESMAPVLAN 1
IP ADDRESS XX. XX. XX. XX 255.255.255.240 (public IP)IP ROUTE 0.0.0.0 0.0.0.0 FA 0/0
If this can help clerify the "router" is a CradlePoint (CRT500) that takes the Mobile 3 G and send it to an ethernet port on the WAN port on my router. The installation remains mobile and I rarely get the chance to have a public IP address for my WAN. Currently I use a SonicWall TX 100 router that allows me to VPN to my network of companies. We hope to move all of our mobile kits to the cisco product, but need to find a solution before change can occur.
If I do 'Show IP Crypto ISAKMP SA' it shows: XX. XX. XX. XX (PUBLIC) <> Active 192.168.0.1.
My thoughts are that my TCP 500 traffic to the VPN router and when the VPN router sends traffic to the address there SA with it's no the case because it is an ip address private. Limited my knowledge of the works of the VPN, I think only in Phase 1, two addresses must "bind" and NAT cannot be used with VPN? But I keep out hope that this might be a somewhat common question and there is a procedure in place to get around, or maybe I'm just a bad configuration or IP road...
When I disable card crypto on the FA 0/0 and add NAT to the FA 0/0 and 1 VLAN more change my IP Route to "0.0.0.0 0.0.0.0 192.168.0.1" I get non - vpn connectivity. Also, I put the address that gets my FA 0/0 in the DMZ of the Cradlepoint.
Thanks for any help anyone can provide!
Brandon,
NAT - T is designed to overcome the problems of NAT/PAT, known in the world of IPv4.
The big problem is that if you have a public IPv4 address, you will need to run PAT. Packages ESP / AH do not have a port number so that they cannot be PATed. To do this, we enacapsulate IPsec payload inside udp/4500 packages.
That being said, some providers overcome this problem differently, but it's not THE standard way.
Your head should see you as PublicIP facig of internet device.
I agree, that both sonicwall and IOS should work with other IOS. At the same time, it is difficult to say what is happening in the middle.
I would say that if possible, connect you to a case of TAC, the guys will be able to view your configs and able to solve the problem when it's there. These types of discussions on the forums can go for very long ;-)
Marcin
-
Site to site VPN question: passing a public IP with IPSEC
Hi all
I need to create a VPN tunnel site to site using IPSEC between two offices on the Internet. The offices belong to two different companies.
They gave me a series of 16 public IP addresses. One of these IP addresses is used on the ISP router and this is the next hop for my router. Another IP in the range is used on my router? s external interface (which is a Cisco 851) and he is also my site VPN endpoint. So far so good...
Here's my problem: the IP source of encrypted traffic, is a public address from within the IPs public 16 I (not the one on my router interface). The actual application that needs to send the encrypted data is a server in my local network, and it has a private IP address. The other site, expects to receive data, however, the public IP address. I used NAT between the private IP address of the server and its public IP address, but no data goes through the tunnel. Moreover, the tunnel between the two end points established without problem. The problem is that the source of my encrypted data is the public IP address and I don't know how to get through the tunnel. I enclose my router configuration.
Any help is appreciated.
The access list "natted-traffic" should say:
extended traffic natted IP access list
deny ip host 192.168.0.160 BB. ABM ABM BD
deny ip host 192.168.0.160 BB. ABM BB.BE
output
I hope this helps.
-Kanishka
-
How can I disable Automatic Private IP Addressing APIPA in Windows 7?
How can I disable Automatic Private IP Addressing APIPA in Windows 7?
I want to disable AUTOMATIC private IP addressing in Windows 7 64-bit edition. I disabled it in my old XP system by a simple registry change and it worked perfectly for my problem.
I searched the forum and I found nothing relevant to W7.
I would appreciate greatly any help.
Thank you in advance.
For any question on Windows 7:
http://social.answers.Microsoft.com/forums/en-us/category/Windows7
Link above is Windows 7 Forum for questions on Windows 7.
Windows 7 questions should be directed to the it.
You are in the Vista Forums.
See you soon.
Mick Murphy - Microsoft partner
-
How to disable automatic private IP addressing
I use the single language window 8 but repeat the link in my wifi adapter
automatic private IP addressing is enabled and I am facing problem with ip address conflict.
How can I solve the problem other than manually assign the ip address
. How can I stop apipa
Hello Frederic,.
I would like to know some information about the problem so that we can help you better.
Your computer is connected to a domain network?
Thank you for details on the issue.
I also know that the inconvenience you encounter because of the issue of IP addressing private AUTO . I will definitely help you.
With APIPA, clients DHCP can configure themselves automatically an IP address and subnet mask when a DHCP server is not available. When a DHCP client boots, it first looks for a DHCP server to obtain an IP address and the subnet mask.
If the client fails to find the information, she uses APIPA to automatically configure themselves with an IP address from a range that has been specially reserved for Microsoft. The IP range is between 169.254.0.1 to 169.254.255.254 The client is configured with a default class b 255.255.0.0subnet mask. A client uses the automatic IP Configuration address until a DHCP server is available.
This problem can occur if the DHCP server has not assigned the IP address in Windows, or if the DNS service has failed.
I suggest you try the following steps and check if it helps.
a. press Windows + C keys together, and then click Search.
b. type cmd in the search box, right-click on command prompt in the search results and click on run as administrator.
c. type the following commands at a command prompt, and press ENTER after each command.
netsh winsock reset catalog
netsh int ip reset resetlog.txt
netsh winsock reset
ipconfig/registerdns
ipconfig/flushdns
ipconfig/releaseI hope this information helps.
Simply answer the required information and let us know if you need more help.
Thank you
-
Satellite L300-2 - How to assign a new email address when registering
I am writing this message on behalf of the end user of our Toshiba.
She bought the TOSHIBA Satellite L300-2This and because she didn't have an internet connection at home, I order him to register his new Toshiba by our care.
I took his laptop and I made a mistake by e-mail. I wrote the wrong email address. How to assign a new email address?Best regards
SAMO Praprotnik
Hello Samo
If you have registration problems, please contact Toshiba [email protected]
You should contact Toshiba in your country. Details are at http://eu.computers.toshiba-europe.com/innovation/contact_toshiba.jsp
Explain what is the problem and I hope someone will help you.
Post edited by: ADMIN
-
NETGEAR WNR1000v3 - Public IP instead of the private IP address
Hello
I moved into a new House and put in place and internet service here. So, I got my own modem + router (WNR1000v3). The router itself works fine and provide internet.
However, when I tried to access the routerlogin.net OR IP address, the application expires. Which means that I can not set a password to protect my network.
I called support and thought that my router is giving a public IP address instead of the private IP address. Any ideas how I can reconfigure the router working properly?
http://www.downloads.NETGEAR.com/files/WNR1000_UM_WW_26Jan09.PDF
7-12
-
assign the IP static address/user GBA 5.1
Hello
The ACS 4, you have the option to a user to assign a static ip address. How more easy do you solve this ACS 5?
Thanks in advance
/ Benny
It is possible to create defined by the user of the attribute values that can be entered as part of the definition of the user and then used in two terms of insurance and/or the values returned in authorization. This is a generic mechanism to rebut the evidence of use that you set
This can be achieved as follows-Define an attribute of the identity of the IP address of type-Define users and enter their assigned IP address-Define an authorization profile that uses set it the IP address of the user record-Select the profile for authorization as a result in the authorization policyI enclose some slides illustrating this process -
Assign a static IP address via DHCP based on the Mac address of the virtual machine
Hi all
It is especially a feature request, as I'm sure that it is not currently possible to do what I want to do...
I would like to be able to assign static IP addresses to VM without having to manually configure the network settings of the virtual machine directly. I want to be able to do it from the DHCP settings in the virtual network Editor.
Most of the routers DHCP allow this. They give an IP address through DHCP based on the MAC address of the client. This means that the customer is concerned that he receives a regular IP DHCP address, but it is never change.
DHCP is the default option for all OS this makes things much easier to manage, as IP addresses is assigned in the same way, in one place for all DHCP clients, regardless of the client operating system, and without having to manually keep track of which the IP is assigned to which customers etc..
Also AFAIK at least for Ubuntu, you cannot assign a static IP address without having to also statically assign to the DNS server. It is only the IP address I need to be static, so I prefer not to have to worry about manually assign the DNS server.
I can just kind of fudge making the really long DHCP lease duration, but the maximum is 99 days only, so finally addresses are going to change, that would mean a whole bunch of reconfiguration for VM services, etc..
Does anyone know if the workstation 9 has this ability? I am currently on version 8, but I would probably upgrade this function only if she can do it.
If there is no way to do what I want to directly through the virtual network Editor, can anyone recommend a way to do this, perhaps using Guest only network and then, by running a kind of services to the 3rd party NAT and DHCP on the host?
Thank you
Eugene
There is no GUI option to get what you are looking for, but you can do it manually. Please take a look at Re: assign a static IP to guest with network adapter NAT Virt? where I posted an example.
André
-
Assign the static IP address by ISE, ASA VPN clients
We will integrate the remote access ASA VPN service with a new 1.2 ISE.
Authentication is performed in Active directory. After authentication, can address assigned to a specific user of VPN by ISE IP?
This means that the same VPN user will always get the same IP address. Thank you.
Daniel,
You can override the IETF-RADIUS-Framed-IP-Address in the authorization policy.
However if I may make a suggestion:
Unless you have only a handful of users to do so, it may be appropriate to assign the address of ISE pool or perform the mapping of LDAP attributes on ASA itself.
In the latter case, the IP addresses are kept on the server as LDAP attributes and ASA will map the IP address. You don't want to keep address IP DB in several places.
M.
-
SSL VPN error: no assigned address
Hello. I tried for a few days now to implement a VPN SSL via the VPN Wizard of the AMPS on an ASA5510. When I try to connect to the VPN I get the error "no assigned address. Shows that the client connects to the DefaultWEBVPNGroup instead of the VPN I created the debugging. I have tried both disable the DefaultWEBVPNGroup and addition of the created ip pool for the DefaultWEBVPNGroup but I have the same result. I also configured the required exempt NAT and ACL is defined to allow a whole on all interfaces. Anyone have any idea what causes this problem?
You need set up an alias in your more specific connection profile and then activate the ability for users to choose the profile to log on. You can also configure a group URL to direct the user to the specific profile (IE http://vpn.vpn.com/webvpn).
Via ASDM, change the connection profile, you created and add an alias in the "Alias" field Under Configuration-> access to the network (Client)-> AnyConnect connection profiles, check «Allow the user to select...» ». Group URL can be configured under Advanced-> tab SSL VPN connection profile.
HTH
-
L2l - a non-reachable subnet VPN question
Hi people,
I have a strange problem with a new VPN connection and would appreciate any help.
I have a pair of Cisco asa 5540 s configured as a failover pair (code version 8.2 (5)).
Recently, I added 2 new VPN L2L - these two VPNS come from the same interface on my ASA (called Internet service provider) and both are to the same customer, but they end the different firewall on the end of cusomter and different client subnets traffic encryption. There is a basic network diagram attached.
1 - the VPN is for customer subnet 10.2.1.0/24 traffic. Devices in this subnet should have access to 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24). This VPN working properly.
2 - the VPN is for the subnet 192.168.1.0/24 customer traffic. Devices in this subnet should be able to access the same 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24). What VPN does not work - the client can access 144 DMZ, but not of DMZ 211.
There is a SAs isakmp and ipsec for two virtual private networks. I noticed that the program/decaps packages counter does not increment when the client sends the test traffic to 211 of the DMZ. This counter will increment when they send traffic test to DMZ144. I also see the traffic sent to 144 DMZ customer subnet 192.168.1.0/24 in packet capture on the interface DMZ 144 of the ASA. I don't see similar traffic capture on the interface DMZ211 (although I can see the traffic sent to DMZ211, if it is from 10.2.1.0/24 - IE when using VPN1)
Exemption of NAT is configured for 192.168.1.0/24 and 10.2.1.0/24.
There is a road to two client subnets via the same next hop.
There is nothing in the unknown newspapers 192.168.1.0/24 traffic has been ignored
I suspect that this may be a problem on the client side, but I would like to be able to prove that. Specifically, I'd like to really be able to capture traffic destined to 211 DMZ on the interface of the firewall after her Internet service provider has been deciphered - I don't know if this can be done however, and I haven'treally has found a good way to prove or disprove that the 192.168.1.0/24 DMZ211 VPN traffic coming to my ASA Internet service provider interface and show what happens to This traffic, after his arrival.
Here is the relevant vpn configuration:
MY_CRYPTO_MAP 90 crypto card matches the address VPN_2
card crypto MY_CRYPTO_MAP 90 set peer 217.154.147.221
crypto 90 MY_CRYPTO_MAP the transform-set 3dessha value card
card crypto set MY_CRYPTO_MAP security-association life 90 seconds 86400
crypto MY_CRYPTO_MAP 100 card matches the address VPN_1
card crypto MY_CRYPTO_MAP 100 set peer 193.108.169.48
crypto MY_CRYPTO_MAP 100 the transform-set 3dessha value card
card crypto MY_CRYPTO_MAP 100 set security-association second life 86400
crypto MY_CRYPTO_MAP isp interface card
ASA # sh access-list VPN_2
VPN_2 list of access; 6 elements; hash name: 0xa902d2f4
permit for access list 1 VPN_2 line extended ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
access-list 1 permit line VPN_2 extended 192.168.144.0 ip 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt = 45) 0x93b6dc21
access-list 1 permit line VPN_2 extended ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt = 6) 0x0abf7bb9
access-list 1 permit line VPN_2 extended ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt = 8) 0xcc48a56e
ASA # sh VPN_1 access-list
VPN_1 access list; 3 elements; hash name: 0x30168cce
access-list line 1 license VPN_1 extended ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt = 6) 0 x 61759554
allowed to Access - list line 2 VPN_1 extended ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt = 3) 0xa602c97c
allowed to Access - list VPN_1 line 3 extended ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt = 0) 0x7b9f32e3
nonatdmz144 (dmz144) NAT 0 access list
nonatdmz211 (dmz211) NAT 0 access list
ASA # sh access-list nonatdmz144
nonatdmz144 list of access; 5 elements; hash name: 0xbf28538e
access-list 1 permit line nonatdmz144 extended 192.168.144.0 ip 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt = 0) 0 x 20121683
allowed to Access-list nonatdmz144 line 2 extended 192.168.144.0 ip 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt = 0) 0xbc8ab4f1
permit for access list 3 nonatdmz144 line scope ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt = 0) 0xce869e1e
allowed to Access-list nonatdmz144 line 4 extended 192.168.144.0 ip 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt = 0) 0xd3ec5035
permit for access list 5 nonatdmz144 line scope ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt = 0) 0x4c9cc781
ASA # sh nonatdmz211 access-list | in 192.168\.1\.
permit for access list 3 nonatdmz1 line scope ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt = 0) 0x2bbfcfdd
ASA # sh nonatdmz211 access-list | in 10.2.1.
allowed to Access-list nonatdmz1 line 4 extended ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt = 0) 0x8a836d91
Route ISP 192.168.1.0 255.255.255.0 137.191.234.33 1
Route ISP 10.2.1.0 255.255.255.0 137.191.234.33 1
Thanks in advance to anyone who's looking good!
Darragh
The counters of compensation was a good idea. If the counter is not incremented and ping the remote side is not cause future VPN it certainly confirms that something is not working properly.
It might be interesting to wait the SAs time out and go idle and test it again with the ping to the remote subnet that does not work. Turn on debugging for ISAKMP and see if there is an attempt of negotiation. Especially if you don't get any attempt to open ISAKMP then so it would be a way of showing that there is a problem on the remote site.
Certainly, the ASA has the ability to capture packets. I've used this feature and it can be very useful. I have not tried to make a catch on the external interface for incoming VPN traffic and so not sure if you would be available to capture the encrypted packet or the off encrypted packet. You can configure an access list to identify traffic capture and I guess you could write an access list that included the two addresses as source and destination peer to capture encrypted traffic and the Scriptures that were unencrypted source and destination subnets to capture traffic after encryption.
HTH
Rick
-
VPN client with counterpart on secondary ip address on the public interface of the router
Hello
On our office LAN, we have a Linux server than it hosting a VPN connection to a remote client.
Do this to ISAKMP card on our Cisco router port connections to the internal ip address of the Linux host.
However, we now want to allow our users to establish VPN connections to our local network using the unit of Cisco VPN Client.
Of course, this would present challenges, as the ISAKMP our router port is mapped through an internal host.
So, we tried to set up a secondary ip address on the router and VPN clients to connect to that.
What we see in our newspapers is as follows:
Phase 1 is very well established, and the VPN Client prompts the user for a user name and password.
Authentication of the phase 2 starts, but the router says it's is not to receive a proposal of hash of the client.
185 12:18:06.943 09/03/11 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">(in this case, where x.x.x.x is the secondary ip address on the public interface)
After that, the Phase 1 SA is removed and the connection fails.
My understanding is that the Phase 2 negotiation takes place with the ip address assigned to the client in Phase 1, which suggests that the problem occurs because the client communicates with the main on the interface ip address, and no secondary ip address.
When remove us the mapping of port isakmp and the VPN client to connect to the primary ip address, everything works fine.
Question:
It is possible to establish 2 router VPN Client uses a secondary ip address?
If not, is there some way I can implement the port mapping so that it occurs, the connection comes from a specific ip address?
Garreth
Should be supported on IOS.
The command is crypto ctcp port...
Check this link:
Federico.
Maybe you are looking for
-
The size of the maximum and accessories of the A10 series micro sd card
So, what is the exact limit for players? If it is stuck at 128 GB? Or it would cooperate with the future larger capacity cards? And American stores will be sold to the Japan soft cases? Where can I find a protective screen for this instead of cut min
-
Question on the recovery CD and the Vista anytime upgrade
Hello I bought a toshiba laptop now a year ago, it came pre-installed with vista home premium.I would like to do a complete cleaning my system as its useless been lately and isn't a fact since I bought. It came only with - a the product recovery disc
-
Hi, I bought Qosmio F20, can someone tell me how long does the battery work on its own, for me as long is about 2 hours
-
What are the 6 s unlocked iPhone part numbers?
Could MKT32LL/A be one of them?
-
How can I transfer my iPod to my MacBookAir Notes?
I have a lot of notes on my iPod and I would like to transfer them to my new MacBookAir. How can I do this? Seems that iTunes allows you to transfer everything except the Notes.