mikeatcomtech
New Contributor

Routing Internet Traffic to Remote ISP

I have a network with 2 sites joined by a VPN, Site 1 and Site 2. Site 1 LAN network is 10.0.2.0/24 and Site 2 LAN is 192.168.168.1. I need to route traffic from the Site 1 LAN to Site 2's ISP. Site 1 is a Sonicwall 210 and Site 2 is an Adtran 3120.

I can ping each LAN through the VPN, no problems there. I have a rule in the Public security zone at Site 2 to NAT with overload traffic with source 10.0.2.0/24 destination any. When I ping 8.8.8.8 from Site 1 I can see traffic route to Site 2 and come in the Public policy.

Protocol   Source Address/Port   Destination Address/Port   NAT Address/Port
ICMP(1)    10.0.2.52             8.8.8.8                    ...

However I do not see anything in the Private policy NATting these packets to the ISP at Site 2. I have copied the sanitized config below:

Any help is greatly appreciated!

!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 73.x.x.x
  nat-traversal v1 disable
  nat-traversal v2 force
  peer 64.x.x.x
  attribute 1
    encryption aes-256-cbc
    authentication pre-share
    group 2
!
crypto ike remote-id address 64.x.x.x preshared-key "PSK" ike-policy 100 crypto map VPN 10 no-mode-config nat-t v2 force
!
ip crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
  mode tunnel
!
ip crypto map VPN 10 ipsec-ike
  description TestConnection
  match address ip VPN-10-vpn-selectors
  set peer 64.x.x.x
  set transform-set esp-aes-256-cbc-esp-sha-hmac
  set pfs group2
  ike-policy 100
!
interface eth 0/1
  ip address dhcp
  ip access-policy Public
  ip crypto map VPN
  media-gateway ip primary
  no awcp
  no shutdown
  no lldp send-and-receive
!
!
interface vlan 1
  ip address  192.168.168.1  255.255.255.0
  ip access-policy Private
  media-gateway ip primary
  no awcp
!
ip access-list standard MATCHALL
!
ip access-list extended ADMIN
  permit tcp any  any eq ssh
  permit tcp any  any eq https
  permit icmp any  any
!
ip access-list extended LAN
  permit ip 192.168.168.0 0.0.0.255  any  log
  permit ip 10.0.2.0 0.0.0.255  any     log
!
ip access-list extended MC
  permit tcp any  any eq 50000
!
ip access-list extended MCADMIN
  permit tcp host 73.x.x.x  host 73.133.87.67 eq 3389
  permit tcp host 173.x.x.x  host 73.133.87.67 eq 3389
!
ip access-list extended SIP
  permit udp hostname fe-d2c5-7y.coredial.com  any eq 5060
!
ip access-list extended VPN-10-vpn-selectors
  permit ip any  10.0.2.0 0.0.0.255
!
ip policy-class Private
  allow list MATCHALL self
  nat source list LAN interface eth 0/1 overload
  allow list VPN-10-vpn-selectors stateless
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless
  allow list ADMIN
  nat destination list MC address 192.168.168.40 port 25565
  nat destination list MCADMIN address 192.168.168.40
!
sip
sip udp 5060
no sip tcp
!
sip proxy
sip proxy transparent
!
sip proxy sip-server primary fe-d2c5-7y.coredial.com
!
sip timer d 4000
sip timer j 4000
!
ip rtp quality-monitoring
ip rtp quality-monitoring sip
ip rtp quality-monitoring history max-streams 10
!
line con 0
  no login
!
line telnet 0 4
  login local-userlist
  password password
  no shutdown
line ssh 0 4
  login local-userlist
  line-timeout 30
  no shutdown
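An added example, not code from the post or from Adtran: a small Python model of how the policy-classes in the posted config are selected and walked for a given packet. It assumes the AOS semantics as generally documented (the access-policy bound to the ingress interface is consulted, entries are tried top to bottom and the first match decides, "reverse" swaps an ACL's source and destination, "self" entries only match traffic addressed to the router, and the empty MATCHALL is taken as permit any); ports are ignored and the host address 10.0.2.52 is the one seen in the NAT table above.

```python
import ipaddress

# Constructed model of AOS policy-class evaluation (assumed semantics, not
# Adtran's code): ingress interface picks the policy-class, first match wins,
# "reverse" swaps the ACL's source/destination, "self" only matches the router.
ADDR, NET = ipaddress.ip_address, ipaddress.ip_network
ROUTER_ADDRS = {"192.168.168.1"}              # vlan 1 address from the post
INGRESS_POLICY = {"eth 0/1": "Public", "vlan 1": "Private"}

# ACLs from the post as (protocol, source, destination); "any" is 0.0.0.0/0,
# wildcard masks rewritten as prefix lengths, port matches dropped.
ACLS = {
    "MATCHALL": [("ip", "0.0.0.0/0", "0.0.0.0/0")],      # assumed: permit any
    "ADMIN": [("tcp", "0.0.0.0/0", "0.0.0.0/0"),
              ("icmp", "0.0.0.0/0", "0.0.0.0/0")],
    "LAN": [("ip", "192.168.168.0/24", "0.0.0.0/0"),
            ("ip", "10.0.2.0/24", "0.0.0.0/0")],
    "VPN-10-vpn-selectors": [("ip", "0.0.0.0/0", "10.0.2.0/24")],
}

# Policy-class entries from the post, in order: (action, acl, reverse?)
POLICY = {
    "Private": [("allow self", "MATCHALL", False),
                ("nat source overload eth 0/1", "LAN", False),
                ("allow stateless", "VPN-10-vpn-selectors", False)],
    "Public": [("allow stateless", "VPN-10-vpn-selectors", True),
               ("allow", "ADMIN", False)],
}

def acl_matches(acl, proto, src, dst, reverse=False):
    """True if any entry of the named ACL matches (src, dst) for proto."""
    for aproto, asrc, adst in ACLS[acl]:
        if aproto not in ("ip", proto):
            continue
        s, d = (adst, asrc) if reverse else (asrc, adst)
        if ADDR(src) in NET(s) and ADDR(dst) in NET(d):
            return True
    return False

def evaluate(ingress, proto, src, dst):
    """Return the first matching entry as (policy, action, acl), else None."""
    policy = INGRESS_POLICY[ingress]
    for action, acl, reverse in POLICY[policy]:
        if action == "allow self" and dst not in ROUTER_ADDRS:
            continue                    # self entries: router-bound only
        if acl_matches(acl, proto, src, dst, reverse):
            return policy, action, acl
    return None                         # implicit discard at end of class

if __name__ == "__main__":
    # The Site 1 ping arriving over the tunnel on eth 0/1, then on the LAN side
    print(evaluate("eth 0/1", "icmp", "10.0.2.52", "8.8.8.8"))
    print(evaluate("vlan 1", "icmp", "10.0.2.52", "8.8.8.8"))
```

Under these assumptions the tunnelled ping is consumed by the first Public entry (the reverse VPN selector allow, no NAT) before any NAT entry is reached, whereas the same packet entering on vlan 1 would hit the Private "nat source list LAN" entry; the model only orders the entries the post shows, so it is a way to reason about placement, not a substitute for the device's own session table.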