boblin20

asked on

NAT on Adtran doesn't work

Our client has an Adtran as the gateway connecting to T1 lines and a Sonicwall as the firewall connecting to the LAN. They have 3 web servers and they would like to create double NATs for outside access to the websites. However, we can’t make it work.

1. The Adtran inside IP is 192.168.10.1; the Sonicwall outside IP is 192.168.10.36 and inside IP is 192.16.1.1. The 3 websites' NAT IP addresses are 192.168.10.90/192.168.1.90, 91 and 92.
2. From the Adtran we can ping the websites’ IPs, for example 192.168.10.90.
3. From outside we can’t ping or telnet to the websites’ IP addresses, for example x.x.x.33.

Here is the configuration of the Adtran:

Building configuration...
!
!
! ADTRAN, Inc. OS version 18.03.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1042AG875
!
!
hostname "adtran"
enable password password
!
clock timezone -8
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip default-gateway x.x.125.29
ip routing
ipv6 unicast-routing
!
!
domain-name "twtelecom.net"
no domain-lookup
adtran#show run
2014.01.19 08:56:06 FIREWALL id=firewall time="2014-01-19 08:56:06" fw=riverside pri=1  proto=http src=192.168.10.36 dst=x.x.224.246 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x11 Src 43063 Dst 80 from Private policy-class on interface eth 0/1" agent=AdFirewall
Building configuration...
!
!
! ADTRAN, Inc. OS version 18.03.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1042AG875
!
!
hostname "adtran"
!
clock timezone -8
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip default-gateway x.x.125.29
ip routing
ipv6 unicast-routing
!
!
domain-name "twtelecom.net"
no domain-lookup
name-server 216.136.95.2 64.132.94.250
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
banner motd #
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
probe 192.168.10.90 icmp-echo
  shutdown
!
no ethernet cfm
!
interface eth 0/1
  ip address  192.168.10.1  255.255.255.0
  ip access-policy Private
  no shutdown
!
!
interface eth 0/2
  no ip address
  shutdown
!
interface t1 1/1
  description twtelecom T-1
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface t1 1/2
  description t1-2
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface ppp 1
  description T1-2
  ip address  x.x.125.30  255.255.255.252
  ip mtu 1500
  ip address  x.x.97.33  255.255.255.255  secondary
  ip address  x.x.97.34  255.255.255.255  secondary
  ip address  x.x.97.35  255.255.255.255  secondary
  ip address  x.x.97.36  255.255.255.255  secondary
  ip access-policy Public
  peer default ip address x.x.97.32
  ppp multilink interleave
  ppp multilink fragmentation
  ppp multilink
  no shutdown
  cross-connect 1 t1 1/1 1 ppp 1
  cross-connect 2 t1 1/2 1 ppp 1
!
interface ppp 2
  no shutdown
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended web-acl-36
  remark 90 Port forwarding
  permit tcp any  host x.x.97.33    log
!
ip access-list extended web-acl-37
  remark 91 NAT
  permit ip any  host x.x.97.34     log
!
ip access-list extended web-acl-5
  remark psd .90
  permit ip any  any
!
ip access-list extended web-acl-6
  remark psd inbound
  permit ip any  any
!
ip access-list extended web-acl-7
  remark psd
  ! Implicit permit (only for empty ACLs)
!
ip access-list extended wizard-pfwd-3
  remark x.x.97.36:0 -> 192.168.10.36
  permit tcp any  host x.x.97.36    log
!
ip access-list extended wizard-pfwd-5
  permit tcp any  host x.x.97.35    log
!
ip nat pool web-nat-pool-1 static
  local 192.168.1.90 192.168.1.90 global x.x.97.33 x.x.97.33
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
  nat destination list web-acl-36 address 192.168.10.90
  nat destination list wizard-pfwd-3 address 192.168.10.36
  nat destination list web-acl-37 address 192.168.10.91
!
ip route 0.0.0.0 0.0.0.0 ppp 1
ip route x.x.x.0 255.255.255.0 192.168.1.254
ip route 192.168.1.0 255.255.255.0 192.168.10.36
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
ip sip udp 5060
ip sip tcp 5060
!
line con 0
  login
!
End
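
An added example, not part of the original post and not Adtran tooling: a short Python check that cross-references each `ip access-list extended` entry against the `nat destination` rules of the `Public` policy-class. The sample input is constructed from the ACL and policy-class lines of the configuration above; the function names `parse` and `audit` are hypothetical.

```python
import re

# Constructed sample: ACL and policy-class lines copied from the configuration above.
CONFIG = """\
ip access-list extended web-acl-36
  permit tcp any  host x.x.97.33    log
ip access-list extended web-acl-37
  permit ip any  host x.x.97.34     log
ip access-list extended wizard-pfwd-3
  permit tcp any  host x.x.97.36    log
ip access-list extended wizard-pfwd-5
  permit tcp any  host x.x.97.35    log
ip policy-class Public
  nat destination list web-acl-36 address 192.168.10.90
  nat destination list wizard-pfwd-3 address 192.168.10.36
  nat destination list web-acl-37 address 192.168.10.91
"""

def parse(config):
    """Return ({acl: [(proto, public_host)]}, {policy_class: [(acl, inside_ip)]})."""
    acls, classes, section = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            section = acls.setdefault(m.group(1), [])
        elif m := re.match(r"ip policy-class (\S+)", line):
            section = classes.setdefault(m.group(1), [])
        elif not line.startswith(" "):
            section = None          # "!" or any other top-level line ends the section
        elif section is not None and (m := re.match(r"\s+permit (\S+) any\s+host (\S+)", line)):
            section.append((m.group(1), m.group(2)))
        elif section is not None and (m := re.match(r"\s+nat destination list (\S+) address (\S+)", line)):
            section.append((m.group(1), m.group(2)))
    return acls, classes

def audit(config, policy_class="Public"):
    """Map each public host to (matched protocol, inside address or None)."""
    acls, classes = parse(config)
    nat = dict(classes.get(policy_class, []))       # ACL name -> inside address
    report = {}
    for name, entries in acls.items():
        for proto, host in entries:
            report[host] = (proto, nat.get(name))   # None: ACL is never referenced
    return report

if __name__ == "__main__":
    for host, (proto, inside) in sorted(audit(CONFIG).items()):
        print(f"{host:12} {proto:4} -> {inside or 'no nat destination rule'}")
```

On this sample it reports x.x.97.35 (wizard-pfwd-5) as having an ACL but no nat destination rule, and shows that only the x.x.97.34 entry matches all IP protocols while the others match TCP only.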