Solved

NAT on Adtran doesn't work

Posted on 2014-01-22
944 Views
Last Modified: 2014-03-17
Our client has an Adtran as the gateway connecting to the T1 lines and a SonicWall as the firewall connecting to the LAN. They have 3 web servers and would like to create double NATs for outside access to the websites. However, we can't make it work.

1. The Adtran inside IP is 192.168.10.1; the SonicWall outside IP is 192.168.10.36 and its inside IP is 192.16.1.1. The 3 websites' NAT IP addresses are 192.168.10.90/192.168.1.90, 91 and 92.
2. From the Adtran we can ping the websites' IPs, for example 192.168.10.90.
3. From outside we can't ping or telnet to the websites' IP addresses, for example x.x.x.33.

Here is the configuration of the Adtran:

Building configuration...
!
!
! ADTRAN, Inc. OS version 18.03.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1042AG875
!
!
hostname "adtran"
enable password password
!
clock timezone -8
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip default-gateway x.x.125.29
ip routing
ipv6 unicast-routing
!
!
domain-name "twtelecom.net"
no domain-lookup
adtran#show run
2014.01.19 08:56:06 FIREWALL id=firewall time="2014-01-19 08:56:06" fw=riverside pri=1  proto=http src=192.168.10.36 dst=x.x.224.246 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x11 Src 43063 Dst 80 from Private policy-class on interface eth 0/1" agent=AdFirewall
Building configuration...
!
!
! ADTRAN, Inc. OS version 18.03.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1042AG875
!
!
hostname "adtran"
!
clock timezone -8
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip default-gateway x.x.125.29
ip routing
ipv6 unicast-routing
!
!
domain-name "twtelecom.net"
no domain-lookup
name-server 216.136.95.2 64.132.94.250
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
banner motd #
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
probe 192.168.10.90 icmp-echo
  shutdown
!
no ethernet cfm
!
interface eth 0/1
  ip address  192.168.10.1  255.255.255.0
  ip access-policy Private
  no shutdown
!
!
interface eth 0/2
  no ip address
  shutdown
!
interface t1 1/1
  description twtelecom T-1
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface t1 1/2
  description t1-2
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface ppp 1
  description T1-2
  ip address  x.x.125.30  255.255.255.252
  ip mtu 1500
  ip address  x.x.97.33  255.255.255.255  secondary
  ip address  x.x.97.34  255.255.255.255  secondary
  ip address  x.x.97.35  255.255.255.255  secondary
  ip address  x.x.97.36  255.255.255.255  secondary
  ip access-policy Public
  peer default ip address x.x.97.32
  ppp multilink interleave
  ppp multilink fragmentation
  ppp multilink
  no shutdown
  cross-connect 1 t1 1/1 1 ppp 1
  cross-connect 2 t1 1/2 1 ppp 1
!
interface ppp 2
  no shutdown
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended web-acl-36
  remark 90 Port forwarding
  permit tcp any  host x.x.97.33    log
!
ip access-list extended web-acl-37
  remark 91 NAT
  permit ip any  host x.x.97.34     log
!
ip access-list extended web-acl-5
  remark psd .90
  permit ip any  any
!
ip access-list extended web-acl-6
  remark psd inbound
  permit ip any  any
!
ip access-list extended web-acl-7
  remark psd
  ! Implicit permit (only for empty ACLs)
!
ip access-list extended wizard-pfwd-3
  remark x.x.97.36:0 -> 192.168.10.36
  permit tcp any  host x.x.97.36    log
!
ip access-list extended wizard-pfwd-5
  permit tcp any  host x.x.97.35    log
!
ip nat pool web-nat-pool-1 static
  local 192.168.1.90 192.168.1.90 global x.x.97.33 x.x.97.33
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
  nat destination list web-acl-36 address 192.168.10.90
  nat destination list wizard-pfwd-3 address 192.168.10.36
  nat destination list web-acl-37 address 192.168.10.91
!
ip route 0.0.0.0 0.0.0.0 ppp 1
ip route x.x.x.0 255.255.255.0 192.168.1.254
ip route 192.168.1.0 255.255.255.0 192.168.10.36
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
ip sip udp 5060
ip sip tcp 5060
!
line con 0
  login
!
End
Question by:boblin20
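A consistency check for the kind of policy-class NAT setup quoted above, as an added example (not from the original post or from ADTRAN): it parses the rules the way a reviewer would read them and reports public addresses that have an ACL but no translation, NAT targets no route or connected subnet reaches, ACLs that match an address ppp 1 does not own, and static pools nothing references. 203.0.113.0/24 is a constructed stand-in for the redacted x.x.97.0/24 block.

```python
import ipaddress
import re

# Constructed excerpt of the question's config; 203.0.113.0/24 (documentation prefix) replaces the redacted x.x.97.0/24.
CONFIG = """\
interface eth 0/1
  ip address  192.168.10.1  255.255.255.0
interface ppp 1
  ip address  203.0.113.33  255.255.255.255  secondary
  ip address  203.0.113.35  255.255.255.255  secondary
  ip address  203.0.113.36  255.255.255.255  secondary
ip access-list extended web-acl-36
  permit tcp any  host 203.0.113.33    log
ip access-list extended wizard-pfwd-3
  permit tcp any  host 203.0.113.36    log
ip access-list extended wizard-pfwd-5
  permit tcp any  host 203.0.113.35    log
ip nat pool web-nat-pool-1 static
  local 192.168.1.90 192.168.1.90 global 203.0.113.33 203.0.113.33
ip policy-class Public
  nat destination list web-acl-36 address 192.168.10.90
  nat destination list wizard-pfwd-3 address 192.168.10.36
ip route 192.168.1.0 255.255.255.0 192.168.10.36
"""

def audit(cfg):
    """Report NAT rules whose ACL, public address or inside target do not line up."""
    public = set(re.findall(r"ip address\s+(\S+)\s+255\.255\.255\.255\s+secondary", cfg))
    nets = [ipaddress.ip_network(f"{ip}/{mask}", strict=False) for ip, mask in re.findall(r"ip (?:address|route)\s+(\d+\.\d+\.\d+\.\d+)\s+(255\.\S+)", cfg)]
    acl_hosts, block = {}, None  # ACL name -> destination hosts it permits
    for line in cfg.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            block, acl_hosts[m.group(1)] = m.group(1), set()
        elif block and (m := re.match(r"\s+permit \S+ any\s+host (\S+)", line)):
            acl_hosts[block].add(m.group(1))
    findings, used = [], set()
    for acl, inside in re.findall(r"nat destination list (\S+) address (\S+)", cfg):
        used.add(acl)
        hosts = acl_hosts.get(acl, set())
        if not hosts or not hosts <= public:  # ACL missing, empty, or hits an IP ppp 1 lacks
            findings.append(f"{acl}: matched hosts {sorted(hosts)} are not all owned by ppp 1")
        if not any(ipaddress.ip_address(inside) in n for n in nets):
            findings.append(f"{inside}: no connected subnet or route reaches this NAT target")
    for acl, hosts in acl_hosts.items():  # public IPs with an ACL but nothing translating them
        if acl not in used and hosts & public:
            findings.append(f"{acl}: public {sorted(hosts & public)} has no NAT rule")
    for pool in re.findall(r"ip nat pool (\S+)", cfg):  # static pools nothing references
        if f"pool {pool}" not in cfg.replace(f"ip nat pool {pool}", ""):
            findings.append(f"{pool}: static pool defined but no policy class uses it")
    return findings
```

Run `audit(CONFIG)` and it flags the x.x.97.35 ACL with no translation behind it and the unreferenced static pool, both of which the quoted config shows.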

Accepted Solution

by: boblin20 (earned 0 total points)
ID: 39914800
OK, I fixed the problem by adding another ip access-list.
