nfletcher2
New Contributor

Adtran Netvanta 3200 - Pass all traffic

I could really use some help from the Adtran masters here! I am pretty well versed in system side and used to be pretty good with Cisco CLI, but we have an Adtran we are trying to get working and we are having issues. So on to our problem!

Equipment: Adtran Netvanta running OS version 13.02.00 and a Mikrotik router

Line in: Bonded T1 into a dual T1 card on the Adtran

Ultimate goal: Pass all traffic and make the Adtran transparent.

Setup: We have a client that recently ordered a bonded T1. The company they leased it from ran it into the building and did not quote any equipment to aggregate the line in. We were left with 2 open ports and no equipment to plug 2 T1 lines into. At all our sites we have a Mikrotik as our border router that performs OSPF routing over VPNs between sites. The Mikrotik must be the border device, or at least appear to be.

What we have done: We set the Adtran up between the Mikrotik and the 2 open T1 ports. I have a console connection to the device. What we tried to do is a 1to1 NAT translation from the new external IP to an internal /30 between the Adtran and Mikrotik. Then we did another 1to1 NAT translation between the /30 IP to the external IP. This should have passed everything and made the Adtran transparent. But then the problem!

The problem: When you enable NAT on this version of Adtran you also have to enable the firewall. We really did not want to filter packets. Just pass everything! We cannot seem to get the config worked out where it will pass everything. We have tried setting it to unfiltered and tried filtering but allowing all. Every time we switch the client onto the bonded T1 it starts dropping packets. We get notifications about spoofing attacks and post connection SYN attacks. There are also several websites that the site utilizes that just flat out won't load when on the bonded T1. We have verified that the websites will load over the single T1 they still have and can load elsewhere, so the common denominator is the Adtran.

How can we set this adtran up to pass all traffic? If we are going about this the wrong way using NAT I am open to suggestions. Either way the other router (the Mikrotik) needs to be accessible from the outside via the public IP address.

Config: Below is a current config of what we have. I took out some identifying info to protect our client. Items changed are bolded and in italics.

! ADTRAN, Inc. OS version 13.02.00
! Boot ROM version 06.03.00
! Platform: NetVanta 3200, part number 1202860L1
! Serial number LBADTN0505AA057
! Flash: 16777216 bytes  DRAM: 33554431 bytes
! Date/Time: Tue Oct 20 2015, 09:12:08 GMT-05:00
!
!
hostname "Companyname_Adtran"
enable password encrypted 141asfdbv34987th954jnnos52bgin8b95
!
clock timezone -5
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip routing
!
auto-config
!
event-history on
no logging forwarding
no logging email
logging email priority-level info
!
service password-encryption
!
username "admin" password encrypted "1c1ds897fb8438bfsdbv8b20f512883c"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg h323
!
!
!
!
!
!
!
!
!
!
!
interface eth 0/1
  description Local LAN
  speed 100
  ip address  10.255.255.2  255.255.255.252
  access-policy PRIVATE
  max-reserved-bandwidth 100
  no shutdown
!
!
!
!
interface t1 1/1
  clock source through
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface t1 1/2
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
!
interface fr 1 point-to-point
  frame-relay lmi-type ansi
  frame-relay multilink
  frame-relay multilink bid MFR65000
  max-reserved-bandwidth 100
  no shutdown
  cross-connect 1 t1 1/1 1 frame-relay 1
  cross-connect 2 t1 1/2 1 frame-relay 1
!
interface fr 1.500 point-to-point
  frame-relay interface-dlci 500
  description WAN To ISP
  ip address WAN_IP  255.255.255.252
  access-policy PUBLIC
  no lldp send-and-receive
!
!
!
!
!
!
ip access-list standard MATCHALL
  permit any
!
!
ip access-list extended ALL
  ! Implicit permit (only for empty ACLs)
!
ip policy-class PRIVATE
  nat source list ALL address WAN_IP overload
  allow list ALL
  allow list ALL self
!
ip policy-class PUBLIC
  nat destination list ALL address 10.255.255.1
  allow list ALL
  allow list ALL self
!
!
!
ip route 0.0.0.0 0.0.0.0 WAN_NEXT_HOP
!
no ip tftp server
no ip tftp server overwrite
no ip http server
no ip http secure-server
no ip snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
line con 0
  login
  password encrypted 1816f0u073d988cdflgjnosinv89408484ed
!
line telnet 0 4
  login local-userlist
  password encrypted 4ujnbef2f00gb3cdc07f1338dae4c656bd9f
  line-timeout 30
  no shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
!
end

3 Replies
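
An added example, not part of the original post and not Adtran tooling: a small Python parser that maps each interface in the posted config to its policy class and NAT entries, so the translation configured in each direction can be compared with the 1to1 NAT the post describes. The embedded text is an excerpt of the config above; the parsing rules and function names are assumptions based only on the lines shown.

```python
import re

# Excerpt of the configuration posted above (interface and policy-class stanzas only).
CONFIG = """\
interface eth 0/1
  ip address  10.255.255.2  255.255.255.252
  access-policy PRIVATE
!
interface fr 1.500 point-to-point
  ip address WAN_IP  255.255.255.252
  access-policy PUBLIC
!
ip policy-class PRIVATE
  nat source list ALL address WAN_IP overload
  allow list ALL
  allow list ALL self
ip policy-class PUBLIC
  nat destination list ALL address 10.255.255.1
  allow list ALL
  allow list ALL self
"""

def parse_stanzas(text):
    """Group indented child lines under their unindented header line."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and '!' separators/comments
        if line[0].isspace() and current is not None:
            stanzas[current].append(line.strip())
        elif not line[0].isspace():
            current = line.strip()
            stanzas[current] = []
    return stanzas

NAT_RE = re.compile(r"nat (source|destination) list (\S+) address (\S+)( overload)?$")

def nat_summary(text):
    """(interface, policy class, NAT direction, address, overload?) per NAT entry."""
    stanzas = parse_stanzas(text)
    rows = []
    for header, body in stanzas.items():
        if not header.startswith("interface "):
            continue
        ifname = " ".join(header.split()[1:3])
        for pc in (l.split()[1] for l in body if l.startswith("access-policy ")):
            for entry in stanzas.get("ip policy-class " + pc, []):
                m = NAT_RE.match(entry)
                if m:
                    rows.append((ifname, pc, m.group(1), m.group(3), bool(m.group(4))))
    return rows
```

Run over the excerpt, `nat_summary(CONFIG)` reports that the source NAT entry bound to eth 0/1 carries the `overload` keyword while the destination NAT entry bound to fr 1.500 does not, so the two directions are not configured as a symmetric pair of rules.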

Re: Adtran Netvanta 3200 - Pass all traffic

Okay, so a little more information. Commands we have run since posting yesterday:

no ip firewall check reflexive-traffic (Comment: Does not show in running config that this was applied after we ran command)

no ip firewall check syn-flood (Comment: Shows in config)

no ip firewall check rst-seq (Comment: Required us to select ports, selected range 0-65535. Config only shows no ip firewall check rst-seq 0)

no ip firewall check winnuke (Comment: Shows in config)

It appears that some websites will not load at all. We had to switch the client back to their legacy T1 line and cannot utilize the bonded T1 until we figure this out. For example, acesetsthepace.com will not load with this config.

We are getting to the point where we are running out of ideas. If anyone has a better way for us to complete this it would be greatly appreciated. Or even a different device that only aggregates the 2 T1s into a single Ethernet line and will allow us to manage the IP and everything from the site router, that would be even better. Suggestions?

Re: Adtran Netvanta 3200 - Pass all traffic

bump

Re: Adtran Netvanta 3200 - Pass all traffic

Anyone? We could really use some help.