New Contributor

Simple NAT One to One

Hello,

I am trying to set up a simple one-to-one NAT and am stuck, hopefully on something simple. Router is a NetVanta 3140. We have a block of static IPs (xxx.xxx.62.137-xxx.xxx.62.142) from the ISP. I am trying to get inbound traffic to an Exchange server on a secondary IP (xxx.xxx.62.138). I have tried both a 1:1 NAT and a NAT pool. When connected to the ISP, nothing will flow in or out of the secondary IP. Traffic to and from the primary IP is fine, including the ability to port forward.

I tested offline by widening the public subnet and placing a PC configured as xxx.xxx.62.180 connected directly to the WAN interface. I can reach the NAT'd host behind the router fine. Is this a valid test method?

The configuration is below.

Thanks!

CTR-RTR-002#show config
Using 2811 bytes
!
!
! ADTRAN, Inc. OS version R12.3.1.E
! Boot ROM version R11.5.0
! Platform: NetVanta 3140, part number 4700341F2
! Serial number CFG1528591
!
!
hostname "CTR-RTR-002"
enable password password
!
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip default-gateway xxx.xxx.62.142
ip routing
ipv6 unicast-routing
!
!
name-server 75.75.75.75 8.8.8.8
!
!
no auto-config
!
event-history on
event-history priority warning
no logging forwarding
no logging email
!
no service password-encryption
!
username "admin" password "password"
!
!
ip firewall
ip firewall stealth
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
no dot11ap access-point-control
!
!
!
!
ip crypto ffe
!
!
!
!
interface gigabit-eth 0/1
  description Center Data
  ip address  192.168.81.1  255.255.255.0
  ip access-policy Private
  no rtp quality-monitoring
  no awcp
  no shutdown
!
!
interface gigabit-eth 0/2
  no ip address
  shutdown
!
!
interface gigabit-eth 0/3
  description Center WAN
  ip address  xxx.xxx.62.137  255.255.255.248
  ip mtu 1500
  ip address range  xxx.xxx.62.138  xxx.xxx.62.139  255.255.255.248  secondary
  ip access-policy Public
  no rtp quality-monitoring
  no awcp
  no shutdown
!
!
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended web-acl-7
  permit icmp any  host xxx.xxx.62.138     log
  permit tcp any  host xxx.xxx.62.138 eq smtp   log
  permit tcp any  host xxx.xxx.62.138 eq www   log
  permit tcp any  host xxx.xxx.62.138 eq https   log
!
ip access-list extended web-acl-8
  remark Outbound Exchange
  permit ip host 192.168.81.30  any     log
!
!
!
!
ip policy-class Private
  allow list self self
  nat source list web-acl-8 address xxx.xxx.62.138 overload
  nat source list wizard-ics interface gigabit-ethernet 0/3 overload
!
ip policy-class Public
  nat destination list web-acl-7 address 192.168.81.30
!
!
!
no tftp server
no tftp server overwrite
http server
http session-timeout 7800
http secure-server
no snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
voice feature-mode network
voice forward-mode network
!
!
!
!
!
!
line con 0
  login
!
line telnet 0 4
  login local-userlist
  password password
  no shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
sntp server time.nist.gov
!
!
!
!
end
CTR-RTR-002#

3 Replies
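Added illustration, not from the original post and not ADTRAN code: a first-match walk through the two policy-classes in the configuration above, showing which NAT each flow receives and why the order of entries inside `ip policy-class Private` matters. It assumes what AOS documents for its firewall: a policy-class is evaluated top to bottom and the first matching entry wins, an `allow ... self` entry only covers traffic addressed to the router itself, and with `ip firewall` and `ip firewall stealth` enabled anything that matches no entry is silently dropped. The xxx.xxx.62.x strings are the poster's own redacted addresses, kept as opaque tokens (the ACLs only use `any` and `host`, so string equality is all the matching needs); 198.51.100.10 is a constructed remote host from the RFC 5737 documentation range.

```python
# Added example: models first-match evaluation of the posted NetVanta
# policy-classes. Not ADTRAN code; assumptions are listed in the lead-in.
from dataclasses import dataclass, replace
from typing import Optional

WAN_ADDR = "xxx.xxx.62.137"        # primary address of gigabit-eth 0/3 (from the post)
EXCHANGE_PUB = "xxx.xxx.62.138"    # public address used for the 1:1 NAT (from the post)
EXCHANGE_PRIV = "192.168.81.30"    # the Exchange server behind gigabit-eth 0/1
LAN_ADDR = "192.168.81.1"
# addresses the router itself owns, including the secondary range on gi 0/3
ROUTER_ADDRS = {LAN_ADDR, WAN_ADDR, EXCHANGE_PUB, "xxx.xxx.62.139"}


@dataclass(frozen=True)
class Pkt:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


# ip access-list bodies as posted: (action, proto, src, dst, dport); dport None = any port
ACLS = {
    "wizard-ics": [("permit", "ip", "any", "any", None)],
    "self":       [("permit", "ip", "any", "any", None)],
    "web-acl-7":  [("permit", "icmp", "any", EXCHANGE_PUB, None),
                   ("permit", "tcp", "any", EXCHANGE_PUB, 25),     # smtp
                   ("permit", "tcp", "any", EXCHANGE_PUB, 80),     # www
                   ("permit", "tcp", "any", EXCHANGE_PUB, 443)],   # https
    "web-acl-8":  [("permit", "ip", EXCHANGE_PRIV, "any", None)],
}

# ip policy-class bodies as posted, in order: (action, acl, target).
# target is a destination policy-class for "allow", a public address for
# "nat source" (the interface form resolves to the gi 0/3 primary address)
# and a private address for "nat destination".
POLICY = {
    "Private": [("allow", "self", "self"),
                ("nat source", "web-acl-8", EXCHANGE_PUB),
                ("nat source", "wizard-ics", WAN_ADDR)],
    "Public":  [("nat destination", "web-acl-7", EXCHANGE_PRIV)],
}


def dest_class(dst: str) -> str:
    """Policy-class a packet is headed for, decided by where its destination lives."""
    if dst in ROUTER_ADDRS:
        return "self"
    return "Private" if dst.startswith("192.168.81.") else "Public"


def acl_permits(name: str, pkt: Pkt) -> bool:
    """ACL semantics: first line that matches decides; implicit deny at the end."""
    for action, proto, src, dst, dport in ACLS[name]:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


def evaluate(policy_class: str, pkt: Pkt, entries=None):
    """Return (verdict, packet as forwarded). `entries` overrides the posted
    order so the effect of reordering a policy-class can be shown."""
    for action, acl, target in (entries or POLICY[policy_class]):
        if not acl_permits(acl, pkt):
            continue
        if action == "allow":
            if dest_class(pkt.dst) != target:
                continue              # allow-to-self does not cover transit traffic
            return "allow", pkt
        if action == "nat source":
            return "snat", replace(pkt, src=target)
        if action == "nat destination":
            return "dnat", replace(pkt, dst=target)
    return "drop", pkt                # stealth firewall: nothing matched


if __name__ == "__main__":
    remote = "198.51.100.10"          # constructed outside host
    for pc, p in [("Public", Pkt("tcp", remote, EXCHANGE_PUB, 25)),
                  ("Public", Pkt("tcp", remote, EXCHANGE_PUB, 3389)),
                  ("Public", Pkt("tcp", remote, WAN_ADDR, 23)),
                  ("Private", Pkt("tcp", EXCHANGE_PRIV, remote, 25)),
                  ("Private", Pkt("tcp", "192.168.81.50", remote, 443)),
                  ("Private", Pkt("tcp", "192.168.81.50", LAN_ADDR, 23))]:
        print(pc, p, "->", evaluate(pc, p))
```

Two things the walk makes visible. Inbound, only ICMP and TCP 25/80/443 to xxx.xxx.62.138 are translated to 192.168.81.30; anything else to that address, and anything to the router's own WAN address (telnet included), falls off the end of `Public` and is dropped. Outbound, the `web-acl-8` entry must sit above the `wizard-ics` catch-all: with the order swapped, the Exchange server's mail would leave sourced from xxx.xxx.62.137 rather than .138, which matters for the PTR and SPF records a receiving MTA checks. The model says nothing about what the thread actually turns on, which is layer 2: whether the router answers ARP for .138 on the WAN (what the offline PC test exercised) and whether the ISP gateway forwards frames for the extra addresses; `show ip policy-session` on the device is what shows the real sessions. Separately, the posted configuration also contains `enable password password`, `username "admin" password "password"`, `no service password-encryption` and plaintext telnet and HTTP management; those are presumably placeholders in a sanitized paste, but none of them should survive into production.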
Honored Contributor

Re: Simple NAT One to One

We use a similar setup without issue. I see a couple of things that I would change.

You have ip routing enabled, so instead of

ip default-gateway xxx.xxx.62.142

you should use

ip route 0.0.0.0 0.0.0.0 xxx.xxx.62.142

Also, you probably don't need:

ip address range  xxx.xxx.62.138  xxx.xxx.62.139  255.255.255.248  secondary

on interface gi 0/3 because those addresses exist as part of the subnet

ip address  xxx.xxx.62.137  255.255.255.248

If those changes don't fix it, attempt to connect to your mail server from outside and type "show ip policy-session" from the console to see what is going on.

New Contributor

Re: Simple NAT One to One

Hello jayh, Thank you for the quick response on Friday.  Unfortunately, I can only do some of this work off hours, so I came on site last evening and tried your fixes, no luck.  

Testing with show ip policy-session results;

First test: I telnetted from my office to xxx.138 port 25. There were no entries displayed from the public side.

Second test: I added a port forward on the xxx.137 IP just so that I could see some inbound traffic, started an outbound ping on the 81.30 Exchange server to my office, and telnetted to port 25 and port 80 at the same time from my office. I could see the traffic from my office to xxx.137, but no other public-side traffic. I could see the 81.30 ICMP on the private side trying to go out xxx.138 correctly. I can post those results if it would help.

We are on Comcast Business for our ISP. I did some additional digging this morning on the Comcast modem. Their modem/router is an SMCD3G-CCR, which is really a router. I suspect we are having issues with that unit and its interaction with the Adtran device. Our current router is a simple Cisco RV042 and it "interacts" fine. Mr. Yahoo & Mr. Google indicate to get that device in bridge mode. Other than disabling LAN DHCP in that device, everything else appears in order, no firewall, etc. I spoke with a Comcast tech this morning and he was reluctant to put that device in true bridge mode because in his experience, it doesn't work. We removed LAN DHCP and I will try at noon EST.

I will update later today.  Thanks, Joel

Honored Contributor

Re: Simple NAT One to One

Multiple IP addresses on a cable modem connection can be funky, especially if they all terminate on the same device with a single MAC address. You'll probably need to call Comcast and escalate a couple of levels above the "Have you rebooted your router?" group to reach someone with both the clue and the permission to do whatever magic is needed on their end to make it work. Bring a chair and some refreshments. "Your call is important to us...."

You definitely do NOT want them doing any kind of NAT within the cable modem. Their handoff to you should be a public IP subnet.
