Solved

NAT on Adtran doesn't work

Posted on 2014-01-22
Last Modified: 2014-03-17
Our client has an Adtran as the gateway connecting to the T1 lines and a SonicWall as the firewall connecting to the LAN. They have 3 web servers and would like to set up double NAT so the websites can be reached from outside. However, we can't make it work.

1. The Adtran inside IP is 192.168.10.1; the SonicWall outside IP is 192.168.10.36 and its inside IP is 192.16.1.1. The 3 websites' NAT IP addresses are 192.168.10.90/192.168.1.90, 91 and 92.
2. From the Adtran we can ping the websites' IPs, for example 192.168.10.90.
3. From outside we can't ping or telnet to the websites' IP addresses, for example x.x.x.33.

Here is the configuration of the Adtran:

adtran#show run
2014.01.19 08:56:06 FIREWALL id=firewall time="2014-01-19 08:56:06" fw=riverside pri=1 proto=http src=192.168.10.36 dst=x.x.224.246 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x11 Src 43063 Dst 80 from Private policy-class on interface eth 0/1" agent=AdFirewall
Building configuration...
!
!
! ADTRAN, Inc. OS version 18.03.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1042AG875
!
!
hostname "adtran"
!
clock timezone -8
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip default-gateway x.x.125.29
ip routing
ipv6 unicast-routing
!
!
domain-name "twtelecom.net"
no domain-lookup
name-server 216.136.95.2 64.132.94.250
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
banner motd #
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
probe 192.168.10.90 icmp-echo
  shutdown
!
no ethernet cfm
!
interface eth 0/1
  ip address  192.168.10.1  255.255.255.0
  ip access-policy Private
  no shutdown
!
!
interface eth 0/2
  no ip address
  shutdown
!
interface t1 1/1
  description twtelecom T-1
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface t1 1/2
  description t1-2
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface ppp 1
  description T1-2
  ip address  x.x.125.30  255.255.255.252
  ip mtu 1500
  ip address  x.x.97.33  255.255.255.255  secondary
  ip address  x.x.97.34  255.255.255.255  secondary
  ip address  x.x.97.35  255.255.255.255  secondary
  ip address  x.x.97.36  255.255.255.255  secondary
  ip access-policy Public
  peer default ip address x.x.97.32
  ppp multilink interleave
  ppp multilink fragmentation
  ppp multilink
  no shutdown
  cross-connect 1 t1 1/1 1 ppp 1
  cross-connect 2 t1 1/2 1 ppp 1
!
interface ppp 2
  no shutdown
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended web-acl-36
  remark 90 Port forwarding
  permit tcp any  host x.x.97.33    log
!
ip access-list extended web-acl-37
  remark 91 NAT
  permit ip any  host x.x.97.34     log
!
ip access-list extended web-acl-5
  remark psd .90
  permit ip any  any
!
ip access-list extended web-acl-6
  remark psd inbound
  permit ip any  any
!
ip access-list extended web-acl-7
  remark psd
  ! Implicit permit (only for empty ACLs)
!
ip access-list extended wizard-pfwd-3
  remark x.x.97.36:0 -> 192.168.10.36
  permit tcp any  host x.x.97.36    log
!
ip access-list extended wizard-pfwd-5
  permit tcp any  host x.x.97.35    log
!
ip nat pool web-nat-pool-1 static
  local 192.168.1.90 192.168.1.90 global x.x.97.33 x.x.97.33
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
  nat destination list web-acl-36 address 192.168.10.90
  nat destination list wizard-pfwd-3 address 192.168.10.36
  nat destination list web-acl-37 address 192.168.10.91
!
ip route 0.0.0.0 0.0.0.0 ppp 1
ip route x.x.x.0 255.255.255.0 192.168.1.254
ip route 192.168.1.0 255.255.255.0 192.168.10.36
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
ip sip udp 5060
ip sip tcp 5060
!
line con 0
  login
!
End
Question by: boblin20
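For a double NAT like the one posted, several parts of the outer router's configuration have to agree before any packet reaches the SonicWall: the public address must be owned by the Adtran (the /32 secondaries on ppp 1), the access-list named by each "nat destination" entry must match that address, and the inside target must be reachable through a connected subnet or a non-default static route (sending it via the 0.0.0.0/0 route would push it back out the T1). The script below is an added example written for this page, not the poster's code and not an ADTRAN tool. It parses a trimmed, constructed copy of the posted show run (public addresses kept as the page's x.x.97.N redaction and compared as strings), checks those dependencies for every "nat destination" entry, and adds two exposure caveats a reviewer would raise on the posted ACLs: "permit ip ... host" forwards every IP protocol to the inside host, and a tcp entry without eq/range forwards every TCP port, not just the web port. The function names and finding codes are my own.

```python
import ipaddress

# Trimmed, constructed copy of the 'show run' posted in the question above. Public
# addresses keep the page's x.x.97.N redaction, so they are compared as plain strings.
SAMPLE_CONFIG = """\
interface eth 0/1
  ip address  192.168.10.1  255.255.255.0
interface ppp 1
  ip address  x.x.125.30  255.255.255.252
  ip address  x.x.97.33  255.255.255.255  secondary
  ip address  x.x.97.34  255.255.255.255  secondary
  ip address  x.x.97.35  255.255.255.255  secondary
  ip address  x.x.97.36  255.255.255.255  secondary
  ip access-policy Public
ip access-list extended web-acl-36
  permit tcp any  host x.x.97.33    log
ip access-list extended web-acl-37
  permit ip any  host x.x.97.34     log
ip access-list extended wizard-pfwd-3
  permit tcp any  host x.x.97.36    log
ip access-list extended wizard-pfwd-5
  permit tcp any  host x.x.97.35    log
ip policy-class Public
  nat destination list web-acl-36 address 192.168.10.90
  nat destination list wizard-pfwd-3 address 192.168.10.36
  nat destination list web-acl-37 address 192.168.10.91
ip route 0.0.0.0 0.0.0.0 ppp 1
ip route 192.168.1.0 255.255.255.0 192.168.10.36
"""

def parse_aos(text):
    """Collect interfaces, access-lists, policy-classes and static routes from an AOS dump."""
    cfg = {"ifaces": {}, "acls": {}, "policies": {}, "routes": []}
    kind = cur = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if not raw[0].isspace():                 # an unindented statement opens a new section
            kind = cur = None
            if w[0] == "interface":
                kind, cur = "iface", cfg["ifaces"].setdefault(" ".join(w[1:]), {"addrs": [], "policy": None})
            elif w[:2] == ["ip", "access-list"]:
                kind, cur = "acl", cfg["acls"].setdefault(w[3], [])
            elif w[:2] == ["ip", "policy-class"]:
                kind, cur = "policy", cfg["policies"].setdefault(w[2], [])
            elif w[:2] == ["ip", "route"]:
                cfg["routes"].append(tuple(w[2:5]))  # (network, mask, next hop or interface)
        elif kind == "iface" and w[:2] == ["ip", "address"]:
            cur["addrs"].append((w[2], w[3]))
        elif kind == "iface" and w[:2] == ["ip", "access-policy"]:
            cur["policy"] = w[2]
        elif (kind == "acl" and w[0] == "permit") or kind == "policy":
            cur.append(w)
    return cfg

def acl_targets(entries):
    """(protocol, destination host or 'any', has a port qualifier) for each permit line."""
    return [(w[1], w[w.index("host") + 1] if "host" in w else "any",
             any(t in ("eq", "range") for t in w)) for w in entries]

def check_nat(cfg):
    """Return (code, detail) findings for every 'nat destination' entry and what it relies on."""
    findings, used_acls, nets = [], set(), []
    # Connected subnets plus static routes; the inside target must fall within one of them.
    candidates = [x for i in cfg["ifaces"].values() for x in i["addrs"]] + [r[:2] for r in cfg["routes"]]
    for a, m in candidates:
        try:
            nets.append(ipaddress.ip_network(f"{a}/{m}", strict=False))
        except ValueError:
            pass                                 # redacted x.x.N.N public addresses
    def reachable(ip):                           # the 0.0.0.0/0 default route does not count
        return any(ipaddress.ip_address(ip) in n for n in nets if n.prefixlen)
    for pname, entries in cfg["policies"].items():
        iface = next((i for i in cfg["ifaces"].values() if i["policy"] == pname), None)
        local = {a for a, _ in iface["addrs"]} if iface else set()
        for w in entries:
            if "list" in w:
                used_acls.add(w[w.index("list") + 1])
            if w[:2] != ["nat", "destination"]:
                continue
            acl, inside = w[w.index("list") + 1], w[w.index("address") + 1]
            for proto, host, has_port in acl_targets(cfg["acls"].get(acl, [])):
                if host != "any" and host not in local:  # router does not own the public address
                    findings.append(("public-not-local", f"{acl}:{host}"))
                if proto == "ip":                         # every IP protocol forwarded, not just TCP/80
                    findings.append(("acl-any-proto", f"{acl}:{host}->{inside}"))
                elif not has_port:                        # every port of the protocol forwarded
                    findings.append(("acl-all-ports", f"{acl}:{host}->{inside}"))
            if not reachable(inside):
                findings.append(("inside-unreachable", inside))
    findings += [("acl-unused", n) for n in cfg["acls"] if n not in used_acls]
    return findings

if __name__ == "__main__":
    print(*check_nat(parse_aos(SAMPLE_CONFIG)), sep="\n")
```

Run against the posted configuration it reports that web-acl-37 forwards every protocol to 192.168.10.91, that all three entries forward every port of their protocol, and that wizard-pfwd-5 (x.x.97.35) is referenced by no policy-class; it raises nothing about the public addresses or the inside targets, which are all on the connected 192.168.10.0/24. That is a consistency check on the outer hop only: it cannot see the SonicWall, and with a stateful firewall on the Adtran the reply from the web server still has to come back with the 192.168.10.9x source the session was opened to, which is the inner NAT's job.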
 

Accepted Solution by: boblin20 (earned 0 total points), ID: 39914800

OK, I fixed the problem by adding another ip access-list.
