boblin20 asked:
NAT on Adtran doesn't work
Our client has an Adtran as the gateway connecting to the T1 lines and a SonicWall as the firewall connecting to the LAN. They have 3 web servers and would like to create double NAT for outside access to the websites. However, we can't make it work.
1. The Adtran inside IP is 192.168.10.1; the SonicWall outside IP is 192.168.10.36 and inside IP is 192.16.1.1. The 3 websites' NAT IP addresses are 192.168.10.90/192.168.1.90, .91 and .92.
2. From the Adtran we can ping the websites' IPs, for example 192.168.10.90.
3. Outside can't ping or telnet to the websites' IP addresses, for example x.x.x.33.
Here is the configuration of the Adtran:
Building configuration...
!
!
! ADTRAN, Inc. OS version 18.03.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1042AG875
!
!
hostname "adtran"
enable password password
!
clock timezone -8
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip default-gateway x.x.125.29
ip routing
ipv6 unicast-routing
!
!
domain-name "twtelecom.net"
no domain-lookup
adtran#show run
2014.01.19 08:56:06 FIREWALL id=firewall time="2014-01-19 08:56:06" fw=riverside pri=1 proto=http src=192.168.10.36 dst=x.x.224.246 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x11 Src 43063 Dst 80 from Private policy-class on interface eth 0/1" agent=AdFirewall
Building configuration...
!
!
! ADTRAN, Inc. OS version 18.03.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1042AG875
!
!
hostname "adtran"
!
clock timezone -8
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip default-gateway x.x.125.29
ip routing
ipv6 unicast-routing
!
!
domain-name "twtelecom.net"
no domain-lookup
name-server 216.136.95.2 64.132.94.250
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
banner motd #
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
probe 192.168.10.90 icmp-echo
shutdown
!
no ethernet cfm
!
interface eth 0/1
ip address 192.168.10.1 255.255.255.0
ip access-policy Private
no shutdown
!
!
interface eth 0/2
no ip address
shutdown
!
interface t1 1/1
description twtelecom T-1
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface t1 1/2
description t1-2
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface ppp 1
description T1-2
ip address x.x.125.30 255.255.255.252
ip mtu 1500
ip address x.x.97.33 255.255.255.255 secondary
ip address x.x.97.34 255.255.255.255 secondary
ip address x.x.97.35 255.255.255.255 secondary
ip address x.x.97.36 255.255.255.255 secondary
ip access-policy Public
peer default ip address x.x.97.32
ppp multilink interleave
ppp multilink fragmentation
ppp multilink
no shutdown
cross-connect 1 t1 1/1 1 ppp 1
cross-connect 2 t1 1/2 1 ppp 1
!
interface ppp 2
no shutdown
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended web-acl-36
remark 90 Port forwarding
permit tcp any host x.x.97.33 log
!
ip access-list extended web-acl-37
remark 91 NAT
permit ip any host x.x.97.34 log
!
ip access-list extended web-acl-5
remark psd .90
permit ip any any
!
ip access-list extended web-acl-6
remark psd inbound
permit ip any any
!
ip access-list extended web-acl-7
remark psd
! Implicit permit (only for empty ACLs)
!
ip access-list extended wizard-pfwd-3
remark x.x.97.36:0 -> 192.168.10.36
permit tcp any host x.x.97.36 log
!
ip access-list extended wizard-pfwd-5
permit tcp any host x.x.97.35 log
!
ip nat pool web-nat-pool-1 static
local 192.168.1.90 192.168.1.90 global x.x.97.33 x.x.97.33
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
nat destination list web-acl-36 address 192.168.10.90
nat destination list wizard-pfwd-3 address 192.168.10.36
nat destination list web-acl-37 address 192.168.10.91
!
ip route 0.0.0.0 0.0.0.0 ppp 1
ip route x.x.x.0 255.255.255.0 192.168.1.254
ip route 192.168.1.0 255.255.255.0 192.168.10.36
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
ip sip udp 5060
ip sip tcp 5060
!
line con 0
login
!
End
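The posted config can be checked mechanically for the things that decide whether a `nat destination` rule in the Public policy-class can ever deliver a packet. The script below is an added example written for this thread; it is not ADTRAN code and not the asker's. SAMPLE_CONFIG is a constructed excerpt shaped like the posted one, with the public block replaced by the 203.0.113.0/24 documentation range, and the names parse, next_hop and lint are my own. It follows each public address through the ACL, the policy-class rule and then the routing table to show where the router will send the rewritten packet, and it flags the inconsistencies that are visible in the post: the same public address used both by the static pool web-nat-pool-1 (mapped to 192.168.1.90, and referenced by no policy-class) and by web-acl-36 (mapped to 192.168.10.90), web-acl-37 forwarding every IP protocol instead of only TCP, and ACL wizard-pfwd-5 being referenced by nothing.

```python
"""Lint an ADTRAN AOS running-config for the inbound-NAT mistakes that keep a
'nat destination' rule from delivering a packet.  Added example for this thread,
not ADTRAN code and not the asker's; SAMPLE_CONFIG is a constructed excerpt
shaped like the posted one, with the public block in the 203.0.113.0/24 range."""
import ipaddress
from collections import defaultdict

SAMPLE_CONFIG = """\
interface eth 0/1
 ip address 192.168.10.1 255.255.255.0
interface ppp 1
 ip address 203.0.113.30 255.255.255.252
 ip address 203.0.113.33 255.255.255.255 secondary
 ip address 203.0.113.34 255.255.255.255 secondary
ip access-list extended web-acl-36
 permit tcp any host 203.0.113.33 log
ip access-list extended web-acl-37
 permit ip any host 203.0.113.34 log
ip access-list extended wizard-pfwd-5
 permit tcp any host 203.0.113.35 log
ip nat pool web-nat-pool-1 static
 local 192.168.1.90 192.168.1.90 global 203.0.113.33 203.0.113.33
ip policy-class Public
 nat destination list web-acl-36 address 192.168.10.90
 nat destination list web-acl-37 address 192.168.10.91
ip route 0.0.0.0 0.0.0.0 ppp 1
ip route 192.168.1.0 255.255.255.0 192.168.10.36
"""


def parse(config):
    """Interfaces, ACLs, static pools, policy-class NAT rules, routes and every
    name a policy-class references.  Sections are recognised by their leading
    keywords, not indentation, so a paste that lost its spaces parses the same."""
    ifaces, acls, pools, policies = defaultdict(list), {}, {}, defaultdict(list)
    routes, refs, section = [], set(), None
    for w in map(str.split, config.splitlines()):
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "interface":
            section = ("iface", " ".join(w[1:]))
        elif w[:2] == ["ip", "access-list"]:
            section, acls[w[3]] = ("acl", w[3]), []
        elif w[:3] == ["ip", "nat", "pool"]:
            section, pools[w[3]] = ("pool", w[3]), []
        elif w[:2] == ["ip", "policy-class"]:
            section = ("policy", w[2])
        elif w[:2] == ["ip", "route"]:  # global line; it closes any open section
            section = None
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False), " ".join(w[4:])))
        elif section:
            kind, name = section
            if kind == "iface" and w[:2] == ["ip", "address"]:
                ifaces[name].append(ipaddress.ip_interface(f"{w[2]}/{w[3]}"))
            elif kind == "acl" and w[0] in ("permit", "deny"):
                acls[name].append(w)
            elif kind == "pool" and w[0] == "local":
                pools[name].append((w[1], w[4]))  # (first local, first global)
            elif kind == "policy" and w[0] in ("allow", "discard"):
                refs.add(w[2])
            elif kind == "policy" and w[0] == "nat":  # nat source|destination list ...
                refs.add(w[3])
                if "pool" in w:
                    refs.add(w[w.index("pool") + 1])
                elif w[1] == "destination":
                    policies[name].append((w[3], w[5]))  # (ACL, inside address)
    return ifaces, acls, pools, policies, routes, refs


def next_hop(ip, ifaces, routes):
    """Where the router sends a packet for `ip` once the destination is rewritten."""
    ip = ipaddress.ip_address(ip)
    for name, addrs in ifaces.items():
        if any(a.network.prefixlen < 32 and ip in a.network for a in addrs):
            return f"connected on {name}; router ARPs for {ip} there"
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return f"via {best[1]} ({best[0]})" if best else "no route"


def lint(config):
    """Return ({public: (inside, path)}, [finding, ...]) for one config text."""
    ifaces, acls, pools, policies, routes, refs = parse(config)
    owned = {a.ip for addrs in ifaces.values() for a in addrs}
    pool_of = {g: (p, l) for p, pairs in pools.items() for l, g in pairs}
    paths, findings = {}, []
    for rules in policies.values():
        for acl, inside in rules:
            for e in acls.get(acl) or []:
                dst = e[4] if len(e) > 4 and e[3] == "host" else None
                if dst is None or ipaddress.ip_address(dst) not in owned:
                    findings.append(f"{acl}: {dst} is not an address of this router; rule never matches")
                    continue
                if e[1] == "ip":
                    findings.append(f"{acl}: forwards every IP protocol to {inside}; use 'permit tcp any host {dst} eq 80'")
                if dst in pool_of:
                    findings.append(f"{dst}: pool {pool_of[dst][0]} maps it to {pool_of[dst][1]} but {acl} sends it to {inside}; keep one")
                paths[dst] = (inside, next_hop(inside, ifaces, routes))
    for name in sorted(set(acls) - refs):
        findings.append(f"ACL {name} is not referenced by any policy-class")
    for name in sorted(set(pools) - refs):
        findings.append(f"static pool {name} is not referenced by any policy-class")
    return paths, findings


if __name__ == "__main__":
    paths, findings = lint(SAMPLE_CONFIG)
    print(*(f"{pub} -> {inside}: {path}" for pub, (inside, path) in paths.items()), *findings, sep="\n")
```

Run over the full posted config it ignores the lines it does not model. The path output is the part to check against the SonicWall: after translation the Adtran treats 192.168.10.90 as a host on eth 0/1 and ARPs for it there, so something on that segment (the SonicWall's WAN side) has to answer for .90, .91 and .92 and then perform its own NAT to 192.168.1.x; the successful ping of 192.168.10.90 from the Adtran suggests that ARP is being answered, but the lint only sees the router's config, not the SonicWall's NAT policies. The pool finding does not say which of the two mappings for the same public address is the intended one, only that both cannot stay.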