aiken8758
New Contributor

WAN connection with No-NAT to pass through another WAN connection

I have a 3140 with a Cox Modem as the Internet Connection. Cox has given us a /27 range for public IPs but then stated we had to use a static /32 for the actual link to our 3140 and that the /27 would "pass through" that connection and out to the Internet.

- G01 = LAN (Private)
- G02 = IP on /27 network (Public)
- G03 = COX connection (Public, single IP)

Internet works fine but I need the connection on G02 to be public as if it was on the Internet and NOT NATed ("pass through"). I cannot seem to get this to work. I can plug a laptop into the G02 interface with a public IP in the /27 range and surf the web but cannot ping the laptop, and the "debug ip firewall" output shows it being blocked...

fw=NV3140-DC pri=6 proto=8/icmp src=4.35.15.138 dst=70.164.46.99 msg="No Access Policy matched, dropping packet from Public policy-class on interface giga-eth 0/3" agent=AdFirewall

FIREWALL Deleting Association

This tells me the traffic is being NATed and not "passing through".

Any suggestions would be helpful - Thanks!!

At the end of the day we need the /27 on the G0/2 interface to act as if it were directly connected to the Internet - no firewall or NAT.

Here is the config:

ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
interface gigabit-eth 0/1
  description LAN
  ip address  192.168.2.1  255.255.255.0
  ip access-policy Private
  no shutdown
!
interface gigabit-eth 0/2
  description -SIPtoPRI-908e
  ip address  G/02.97  255.255.255.224
  ip access-policy nexVortex
  no shutdown
!
interface gigabit-eth 0/3
  description Cox Modem
  ip address  G/03.73  255.255.255.224
  ip access-policy Public
  ip crypto map VPN
  no shutdown
!
ip access-list standard ADMIN-LIST
  remark permit management-net inverse-mask
  permit 192.168.0.0 0.0.15.255
!
ip access-list standard ATL
  permit host 38.122.19.10
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
ip access-list extended InterNetworks
  remark Allow LAN w/o Firewall
  permit ip 192.168.0.0 0.0.15.255  192.168.0.0 0.0.15.255
  permit ip G/02.96 0.0.0.31  G/02.96 0.0.0.31
!
ip access-list extended nexVortex
  permit ip any  any
  permit icmp any  any  echo
  permit icmp any  any  echo-reply
!
ip access-list extended self
  remark Traffic to UNIT
  permit ip any  any     log
!
ip access-list extended MGMT
  permit tcp host MGMT.130  any eq https
  permit tcp host MGMT.130  any eq echo
  permit tcp host MGMT.130  any eq ssh
  permit tcp host MGMT.137  any eq https
  permit tcp host MGMT.137  any eq echo
  permit tcp host MGMT.137  any eq ssh
  permit icmp host Vortex.138  any  echo
  permit icmp host Vortex.138  any  echo-reply
!
ip policy-class nexVortex
  allow list nexVortex stateless
!
ip policy-class Private
  allow list InterNetworks stateless
  allow list self self
  nat source list wizard-ics interface gigabit-ethernet 0/3 overload
!
ip policy-class Public
  allow list VerticalAccess self
  allow list ATL self
!
ip route 0.0.0.0 0.0.0.0 G/03.65


Accepted Solutions
vmaxdawg05
Contributor III

Re: WAN connection with No-NAT to pass through another WAN connection

I've noticed that you do not specify the policy-class that the traffic is destined for (NexVortex, Self, etc.) in the Public policy-class.

Since your actual link to the Internet is in the Public policy-class, you may need to account for that.

I may be wrong, but I'm assuming you have SIP equipment connecting to Gig 0/2 that is registering to NexVortex, right?

Try this:

ip policy-class nexVortex
  allow list nexVortex policy Public stateless
!
ip policy-class Private
  allow list InterNetworks stateless
  allow list self self
  nat source list wizard-ics interface gigabit-ethernet 0/3 overload
!
ip policy-class Public
  allow list VerticalAccess self
  allow list ATL self
  allow list <acl for inbound traffic to SIP equipment> policy nexVortex stateless
!

aiken8758
New Contributor

Re: WAN connection with No-NAT to pass through another WAN connection

Thanks, you are right. That is almost exactly what we did to get it to work. Added the following with help from Support.

ip policy-class nexVortex
  allow list nexVortex stateless
!
ip policy-class Public
  allow list MATCHALL policy nexVortex stateless

Thanks for the reply!
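To make the point of the accepted answer concrete (traffic is dropped unless the ingress policy-class holds an allow whose destination is the class the traffic is bound for), here is an added Python model, not ADTRAN code, that evaluates the ping from the poster's log against the original Public class and against the final MATCHALL fix. The rule semantics are a simplified assumption, and the VerticalAccess and MATCHALL ACL bodies are constructed since the post does not show them.

```python
# Simplified model of how an AOS-style policy-class firewall decides whether a
# packet may cross from its ingress policy-class to its egress policy-class.
# Added example, not ADTRAN code. Assumption: "allow list X" with no "policy"
# keyword permits X-matching traffic to any destination class; no match = drop.
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    acl: str          # ACL the packet must match
    dst_policy: str   # destination policy-class name, "self", or "any"
    stateless: bool = False   # recorded only; this model tracks no associations

@dataclass
class Packet:
    src: str
    dst: str
    ingress_policy: str   # class of the interface the packet arrived on
    egress_policy: str    # class it must leave by ("self" = the router itself)

def acl_matches(entries, pkt):
    """entries: (src_net, dst_net) pairs in CIDR form; 'any' matches everything."""
    for src_net, dst_net in entries:
        s_ok = src_net == "any" or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
        d_ok = dst_net == "any" or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)
        if s_ok and d_ok:
            return True
    return False

def evaluate(policy_classes, acls, pkt):
    """Return 'allow' or the drop message the firewall would log (implicit deny)."""
    for rule in policy_classes.get(pkt.ingress_policy, []):
        if rule.dst_policy in ("any", pkt.egress_policy) and acl_matches(acls[rule.acl], pkt):
            return "allow"
    return f"No Access Policy matched, dropping packet from {pkt.ingress_policy} policy-class"

# Constructed sample data from the thread. VerticalAccess is not shown in the
# post, so it gets a documentation-range placeholder network here.
ACLS = {
    "ATL": [("38.122.19.10/32", "any")],
    "VerticalAccess": [("198.51.100.0/24", "any")],
    "nexVortex": [("any", "any")],
    "MATCHALL": [("any", "any")],
}
ORIGINAL = {"Public": [Rule("VerticalAccess", "self"), Rule("ATL", "self")],
            "nexVortex": [Rule("nexVortex", "any", stateless=True)]}
FIXED = {"Public": ORIGINAL["Public"] + [Rule("MATCHALL", "nexVortex", stateless=True)],
         "nexVortex": ORIGINAL["nexVortex"]}
# The ICMP echo from the log: in on giga-eth 0/3 (Public), bound for the laptop on /27 (nexVortex)
PING = Packet("4.35.15.138", "70.164.46.99", "Public", "nexVortex")
```

Running `evaluate(ORIGINAL, ACLS, PING)` reproduces the "No Access Policy matched" drop, while `evaluate(FIXED, ACLS, PING)` returns "allow"; a packet from Public towards the Private LAN still drops under FIXED, which is the check worth doing before calling a MATCHALL rule safe.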