Hello,
I am trying to set up a simple one-to-one NAT and am stuck, hopefully on something simple. Router is a NetVanta 3140. We have a block of static IPs (xxx.xxx.62.137-xxx.xxx.62.142) from the ISP. I am trying to get inbound traffic to an Exchange server on a secondary IP (xxx.xxx.62.138). I have tried both a 1:1 NAT and a NAT pool. When connected to the ISP, nothing will flow in or out of the secondary IP. Traffic to and from the primary IP is fine, including the ability to port forward.
I tested offline by widening the public subnet and placing a PC configured as xxx.xxx.62.180 connected directly to the WAN interface. I can reach the NAT'd host behind the router fine. Is this a valid test method?
The configuration is below.
Thanks!
CTR-RTR-002#show config
Using 2811 bytes
!
!
! ADTRAN, Inc. OS version R12.3.1.E
! Boot ROM version R11.5.0
! Platform: NetVanta 3140, part number 4700341F2
! Serial number CFG1528591
!
!
hostname "CTR-RTR-002"
enable password password
!
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip default-gateway xxx.xxx.62.142
ip routing
ipv6 unicast-routing
!
!
name-server 75.75.75.75 8.8.8.8
!
!
no auto-config
!
event-history on
event-history priority warning
no logging forwarding
no logging email
!
no service password-encryption
!
username "admin" password "password"
!
!
ip firewall
ip firewall stealth
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
no dot11ap access-point-control
!
!
!
!
ip crypto ffe
!
!
!
!
interface gigabit-eth 0/1
description Center Data
ip address 192.168.81.1 255.255.255.0
ip access-policy Private
no rtp quality-monitoring
no awcp
no shutdown
!
!
interface gigabit-eth 0/2
no ip address
shutdown
!
!
interface gigabit-eth 0/3
description Center WAN
ip address xxx.xxx.62.137 255.255.255.248
ip mtu 1500
ip address range xxx.xxx.62.138 xxx.xxx.62.139 255.255.255.248 secondary
ip access-policy Public
no rtp quality-monitoring
no awcp
no shutdown
!
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended web-acl-7
permit icmp any host xxx.xxx.62.138 log
permit tcp any host xxx.xxx.62.138 eq smtp log
permit tcp any host xxx.xxx.62.138 eq www log
permit tcp any host xxx.xxx.62.138 eq https log
!
ip access-list extended web-acl-8
remark Outbound Exchange
permit ip host 192.168.81.30 any log
!
!
!
!
ip policy-class Private
allow list self self
nat source list web-acl-8 address xxx.xxx.62.138 overload
nat source list wizard-ics interface gigabit-ethernet 0/3 overload
!
ip policy-class Public
nat destination list web-acl-7 address 192.168.81.30
!
!
!
no tftp server
no tftp server overwrite
http server
http session-timeout 7800
http secure-server
no snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
voice feature-mode network
voice forward-mode network
!
!
!
!
!
!
line con 0
login
!
line telnet 0 4
login local-userlist
password password
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
sntp server time.nist.gov
!
!
!
!
end
CTR-RTR-002#
We use a similar setup without issue. I see a couple of things that I would change.
You have ip routing enabled, so instead of
ip default-gateway xxx.xxx.62.142
you should use
ip route 0.0.0.0 0.0.0.0 xxx.xxx.62.142
Also, you probably don't need:
ip address range xxx.xxx.62.138 xxx.xxx.62.139 255.255.255.248 secondary
on interface gi 0/3 because those addresses exist as part of the subnet
ip address xxx.xxx.62.137 255.255.255.248
If those changes don't fix it, attempt to connect to your mail server from outside and type "show ip policy-session" from the console to see what is going on.
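Added here as an illustration, not part of jayh's reply or any ADTRAN tool: a small Python check that flags the two points above in an AOS-style config text, the ip default-gateway / ip routing conflict and a secondary address range that already lies inside the interface's primary subnet. The sample config is constructed, with documentation addresses (203.0.113.0/24) standing in for the thread's xxx.xxx.62.x block.

```python
import ipaddress
import re

# Constructed sample, not the poster's config: the public /29 uses the
# documentation range 203.0.113.0/24 in place of the thread's xxx.xxx.62.x.
SAMPLE_CONFIG = """\
ip default-gateway 203.0.113.142
ip routing
!
interface gigabit-eth 0/3
 ip address 203.0.113.137 255.255.255.248
 ip address range 203.0.113.138 203.0.113.139 255.255.255.248 secondary
 no shutdown
!
"""


def lint_aos_config(text):
    """Return a list of findings for the two issues raised in the thread."""
    findings = []
    lines = [line.strip() for line in text.splitlines()]

    # 1. With ip routing enabled, a default route should replace ip default-gateway.
    gw = next((l.split()[-1] for l in lines if l.startswith("ip default-gateway ")), None)
    if gw and "ip routing" in lines:
        findings.append(f"ip default-gateway {gw} with ip routing enabled; "
                        f"use: ip route 0.0.0.0 0.0.0.0 {gw}")

    # 2. A secondary range that falls inside the primary subnet is redundant.
    iface, primary = None, None
    for l in lines:
        if l.startswith("interface "):
            iface, primary = l, None
        m = re.match(r"ip address (\S+) (\S+)$", l)
        if m:
            primary = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        m = re.match(r"ip address range (\S+) (\S+) (\S+) secondary", l)
        if m and primary:
            first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            if first in primary and last in primary:
                findings.append(f"{iface}: secondary range {first}-{last} already lies in "
                                f"{primary}; drop it and NAT to those addresses directly")
    return findings


if __name__ == "__main__":
    for finding in lint_aos_config(SAMPLE_CONFIG):
        print(finding)
```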
Hello jayh, thank you for the quick response on Friday. Unfortunately, I can only do some of this work off hours, so I came on site last evening and tried your fixes; no luck.
Testing with show ip policy-session results:
First test: I telnetted from my office to xxx.138 port 25. There were no entries displayed from the public side.
Second test: I added a port forward on the xxx.137 IP just so that I could see some inbound traffic, started an outbound ping on the 81.30 Exchange server to my office, and telnetted to port 25 and port 80 at the same time from my office. I could see the traffic from my office to xxx.137, but no other public-side traffic. I could see the 81.30 ICMP on the private side trying to go out xxx.138 correctly. I can post those results if it would help.
We are on Comcast business for our ISP. I did some additional digging this morning on the Comcast modem. Their modem/router is an SMCD3G-CCR, which is really a router. I suspect we are having issues with that unit and its interaction with the Adtran device. Our current router is a simple CISCO RV042 and it "interacts" fine. Mr. Yahoo & Mr. Google indicate to get that device in bridge mode. Other than disabling LAN DHCP in that device, everything else appears in order, no firewall, etc. I spoke with Comcast tech this morning and he was reluctant to put that device in true bridge mode because in his experience, it doesn't work. We removed LAN DHCP and I will try at noon EST.
I will update later today. Thanks, Joel
Multiple IP addresses on a cable modem connection can be funky, especially if they all terminate on the same device with a single MAC address. You'll probably need to call Comcast and escalate a couple of levels above the "Have you rebooted your router?" group to reach someone with both the clue and the permission to do whatever magic is needed on their end to make it work. Bring a chair and some refreshments. "Your call is important to us...."
You definitely do NOT want them doing any kind of NAT within the cable modem. Their handoff to you should be a public IP subnet.