Solved

NAT on Adtran doesn't work

Posted on 2014-01-22
907 Views
Last Modified: 2014-03-17
Our client has an Adtran as the gateway connecting to the T1 lines and a SonicWall as the firewall connecting to the LAN. They have 3 web servers and would like to create double NATs so the websites can be accessed from outside. However, we can't make it work.

1. The Adtran inside IP is 192.168.10.1; the SonicWall outside IP is 192.168.10.36 and its inside IP is 192.16.1.1. The 3 websites' NAT IP addresses are 192.168.10.90/192.168.1.90, 91 and 92.
2. From the Adtran we can ping the websites' IPs, for example 192.168.10.90.
3. From outside we can't ping or telnet to the websites' IP addresses, for example x.x.x.33.

Here is the configuration of the Adtran:

adtran#show run
2014.01.19 08:56:06 FIREWALL id=firewall time="2014-01-19 08:56:06" fw=riverside pri=1  proto=http src=192.168.10.36 dst=x.x.224.246 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x11 Src 43063 Dst 80 from Private policy-class on interface eth 0/1" agent=AdFirewall
Building configuration...
!
!
! ADTRAN, Inc. OS version 18.03.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1042AG875
!
!
hostname "adtran"
!
clock timezone -8
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip default-gateway x.x.125.29
ip routing
ipv6 unicast-routing
!
!
domain-name "twtelecom.net"
no domain-lookup
name-server 216.136.95.2 64.132.94.250
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
banner motd #
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
probe 192.168.10.90 icmp-echo
  shutdown
!
no ethernet cfm
!
interface eth 0/1
  ip address  192.168.10.1  255.255.255.0
  ip access-policy Private
  no shutdown
!
!
interface eth 0/2
  no ip address
  shutdown
!
interface t1 1/1
  description twtelecom T-1
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface t1 1/2
  description t1-2
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface ppp 1
  description T1-2
  ip address  x.x.125.30  255.255.255.252
  ip mtu 1500
  ip address  x.x.97.33  255.255.255.255  secondary
  ip address  x.x.97.34  255.255.255.255  secondary
  ip address  x.x.97.35  255.255.255.255  secondary
  ip address  x.x.97.36  255.255.255.255  secondary
  ip access-policy Public
  peer default ip address x.x.97.32
  ppp multilink interleave
  ppp multilink fragmentation
  ppp multilink
  no shutdown
  cross-connect 1 t1 1/1 1 ppp 1
  cross-connect 2 t1 1/2 1 ppp 1
!
interface ppp 2
  no shutdown
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended web-acl-36
  remark 90 Port forwarding
  permit tcp any  host x.x.97.33    log
!
ip access-list extended web-acl-37
  remark 91 NAT
  permit ip any  host x.x.97.34     log
!
ip access-list extended web-acl-5
  remark psd .90
  permit ip any  any
!
ip access-list extended web-acl-6
  remark psd inbound
  permit ip any  any
!
ip access-list extended web-acl-7
  remark psd
  ! Implicit permit (only for empty ACLs)
!
ip access-list extended wizard-pfwd-3
  remark x.x.97.36:0 -> 192.168.10.36
  permit tcp any  host x.x.97.36    log
!
ip access-list extended wizard-pfwd-5
  permit tcp any  host x.x.97.35    log
!
ip nat pool web-nat-pool-1 static
  local 192.168.1.90 192.168.1.90 global x.x.97.33 x.x.97.33
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
  nat destination list web-acl-36 address 192.168.10.90
  nat destination list wizard-pfwd-3 address 192.168.10.36
  nat destination list web-acl-37 address 192.168.10.91
!
ip route 0.0.0.0 0.0.0.0 ppp 1
ip route x.x.x.0 255.255.255.0 192.168.1.254
ip route 192.168.1.0 255.255.255.0 192.168.10.36
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
ip sip udp 5060
ip sip tcp 5060
!
line con 0
  login
!
End
Question by:boblin20
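Added example, not part of the original post or of ADTRAN's software: a small checker that reads the NAT-relevant blocks of an AOS "show run" (secondary addresses on the WAN interface, extended ACLs, and the "nat destination" entries of the policy-class) and reports public addresses with no inbound NAT mapping and NAT ACLs that match all traffic. The SAMPLE_CONFIG is a constructed excerpt modelled on the config above, with the poster's "x.x" redaction kept as-is.

```python
import re

# Constructed excerpt modelled on the poster's config; "x.x" is the redacted prefix as written.
SAMPLE_CONFIG = """\
interface ppp 1
  ip address  x.x.97.33  255.255.255.255  secondary
  ip address  x.x.97.34  255.255.255.255  secondary
  ip address  x.x.97.35  255.255.255.255  secondary
!
ip access-list extended web-acl-36
  permit tcp any  host x.x.97.33    log
!
ip access-list extended web-acl-37
  permit ip any  host x.x.97.34     log
!
ip access-list extended web-acl-6
  permit ip any  any
!
ip policy-class Public
  nat destination list web-acl-36 address 192.168.10.90
  nat destination list web-acl-37 address 192.168.10.91
  nat destination list web-acl-6 address 192.168.10.92
!
"""

def audit_nat(config):
    """Return a list of findings about 'nat destination' entries in the policy-class."""
    public_ips, acls, nat_entries, block = set(), {}, [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            block = ""                                  # '!' closes the current block
        elif not raw.startswith(" "):
            block = line                                # unindented line opens a new block
        elif block.startswith("interface") and line.endswith("secondary"):
            public_ips.add(line.split()[2])             # public addresses hosted on the WAN side
        elif block.startswith("ip access-list"):
            acls.setdefault(block.split()[-1], []).append(" ".join(line.split()))
        elif block.startswith("ip policy-class") and line.startswith("nat destination list"):
            words = line.split()
            nat_entries.append((words[3], words[5]))    # (ACL name, inside address)
    findings, mapped = [], set()
    for acl, inside in nat_entries:
        for rule in acls.get(acl, []):
            if rule == "permit ip any any":             # would NAT every inbound packet to one host
                findings.append(f"{inside}: ACL {acl} matches all inbound traffic")
            mapped.update(re.findall(r"host (\S+)", rule))
    for ip in sorted(public_ips - mapped):              # WAN addresses nothing is forwarded from
        findings.append(f"{ip}: no nat destination entry for this public address")
    return findings
```

Run against the full config above, the same logic would flag x.x.97.35 (wizard-pfwd-5 exists but no "nat destination" entry uses it), which matches the third server not being reachable.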
1 Comment

Accepted Solution

by:
boblin20 earned 0 total points
ID: 39914800
OK, I fixed the problem by adding another ip access-list.