
Adtran 3448 will not ping between subnets with firewall applied


Hey Folks,

I am configuring an Adtran 3448 and I am stumped. I need the subnet on vlan 1 (192.168.3.0) to be able to talk to a subnet on another network (192.168.2.0). The connection to the other network is physically connected to port 8 (vlan 15) with a route statement to the 192.168.2.0 network. I can always ping any IP address in the 192.168.2.0 network from the router. Here's the problem... With the configuration below, from a PC on the 192.168.3.0 network I can ping the 192.168.2.0 network, but my internet does not work; HOWEVER, on the ip policy-class Private if I move my NAT statement to be first and then allow list INTERVLAN stateless as the second statement, I have Internet access, but I cannot ping the 192.168.2.0 network. I can't figure out what's wrong in the ACLs. Any suggestions? I've tried all kinds of things with no luck.

Below is the config (WAN IPs changed to 1.1.1.1 for security)

-----------------------------------------------------------------------------------------

interface eth 0/1
  description Connection To Internet
  speed 100
  ip address  1.1.1.1  255.255.255.252
  no shutdown
!
interface eth 0/2
  no ip address
  shutdown
!
interface switchport 0/1
  no shutdown
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
interface switchport 0/5
  no shutdown
!
interface switchport 0/6
  no shutdown
!
interface switchport 0/7
  no shutdown
!
interface switchport 0/8
  description Uplink to Other Network
  no shutdown
  switchport access vlan 15
!
interface vlan 1
  description Customer LAN
  ip address  192.168.3.1  255.255.255.0
  ip access-policy Private
  no shutdown
!
interface vlan 15
  ip address  10.10.10.1  255.255.255.252
  ip access-policy Private
  no shutdown
!
ip access-list standard matchall
  permit any
!
ip access-list extended INTERVLAN
  permit ip any  any     log
!
ip access-list extended self
  permit ip any  any     log
!
ip access-list extended wan
  permit tcp any  any eq www   log
  permit tcp any  any eq telnet   log
  permit tcp any  any eq https   log
  permit tcp any  any eq ssh   log
  permit icmp any  any  echo   log
!
ip policy-class Private
  allow list INTERVLAN stateless
  nat source list matchall address 1.1.1.1 overload
!
ip policy-class Public
  allow list wan self
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 192.168.2.0 255.255.255.0 10.10.10.2

Accepted Solution

Re: Adtran 3448 will not ping between subnets with firewall applied

Thank you for posting your question on the forum!

To understand what is happening here, you will need to know that traffic will look for a match on the policy-class and ACL in a top to bottom order. Once a matching entry is found, all remaining entries will not be checked. Since your ACLs, INTERVLAN and matchall, have a 'permit ip any any' entry, the ACL on top will match all traffic while the ACL below will never be checked.

There are a couple of ways to configure this, but I would suggest restricting the INTERVLAN ACL so that instead of a 'permit ip any any' entry, you will have a 'permit 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255' entry and a 'permit 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255' entry. Also, the INTERVLAN allow statement will need to be placed above your internet NAT statement.

I hope this answers your questions, but please do not hesitate if you have any issues.

Thanks,

Noor

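The first-match walk the answer describes, as an added example (not code from the original post and not Adtran's AOS implementation): a small Python model of how an `ip policy-class` tries its entries top to bottom and stops at the first entry whose ACL permits the flow. It parses ACL lines in the syntax used in the post (`permit [ip] <src> [<dst>] [log]`, with `any`, `host A.B.C.D` or `A.B.C.D W.X.Y.Z` wildcard pairs) and runs the poster's Private policy in the three orderings discussed: the original, the NAT-first swap, and the answer's restricted INTERVLAN list with the allow entry kept first. The host addresses 192.168.3.10, 192.168.2.20 and 203.0.113.5 are constructed sample flows, and the action strings "allow stateless" / "nat overload" are labels for the two policy entries, not AOS keywords. Protocol and port matches (`tcp ... eq www`) and `deny` lines are deliberately not modelled.

```python
"""Model of first-match evaluation for an AOS-style ip policy-class.

Added example; assumptions: only 'permit' ACL entries, IP-level matching,
no protocol/port checks. Action names are labels chosen here, not AOS syntax.
"""
import ipaddress

ANY = "any"


def _parse_addr(tok, i):
    """Parse one address spec at tok[i]; return (spec, next_index).
    spec is 'any' or a (network_int, wildcard_int) pair."""
    if tok[i] == ANY:
        return ANY, i + 1
    if tok[i] == "host":                          # host X == X 0.0.0.0
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return (net, wild), i + 2


def parse_acl(lines):
    """Turn ACL lines into an ordered list of (src_spec, dst_spec) permits.
    Accepts both the standard form ('permit any') and the extended form
    ('permit ip <src> <dst>'); a missing destination means 'any'."""
    entries = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[-1] == "log":                      # logging does not affect matching
            tok = tok[:-1]
        if tok[0] != "permit":
            raise ValueError(f"only 'permit' entries are modelled: {line!r}")
        i = 2 if tok[1] == "ip" else 1            # skip the protocol keyword if present
        src, i = _parse_addr(tok, i)
        dst = ANY
        if i < len(tok):
            dst, i = _parse_addr(tok, i)
        entries.append((src, dst))
    return entries


def _addr_matches(spec, addr):
    if spec == ANY:
        return True
    net, wild = spec
    mask = 0xFFFFFFFF ^ wild                      # a set wildcard bit means "don't care"
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def acl_permits(acl, src, dst):
    """True if any entry of the ACL covers the src/dst pair."""
    return any(_addr_matches(s, src) and _addr_matches(d, dst) for s, d in acl)


def evaluate(policy, acls, src, dst):
    """policy: ordered list of (action, acl_name), like the lines of an
    'ip policy-class'. The first entry whose ACL permits the flow decides;
    later entries are never consulted. Nothing matching falls through to the
    implicit discard."""
    for action, acl_name in policy:
        if acl_permits(acls[acl_name], src, dst):
            return action
    return "discard"


# The poster's ACLs, and the restricted INTERVLAN list from the accepted answer.
ACLS_ORIGINAL = {
    "matchall": parse_acl(["permit any"]),
    "INTERVLAN": parse_acl(["permit ip any any log"]),
}
ACLS_FIXED = {
    "matchall": parse_acl(["permit any"]),
    "INTERVLAN": parse_acl([
        "permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
        "permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255",
    ]),
}
# Policy entry order, as posted and as the poster tried swapping it.
ALLOW_FIRST = [("allow stateless", "INTERVLAN"), ("nat overload", "matchall")]
NAT_FIRST = [("nat overload", "matchall"), ("allow stateless", "INTERVLAN")]

# Constructed sample flows: a vlan 1 host to the far subnet, and to the Internet.
FLOWS = {
    "lan->192.168.2.0": ("192.168.3.10", "192.168.2.20"),
    "lan->internet": ("192.168.3.10", "203.0.113.5"),
}


def outcomes(policy, acls):
    """Which policy entry each sample flow lands on."""
    return {name: evaluate(policy, acls, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, policy, acls in [
        ("original (allow any/any first)", ALLOW_FIRST, ACLS_ORIGINAL),
        ("NAT moved first", NAT_FIRST, ACLS_ORIGINAL),
        ("INTERVLAN restricted, allow first", ALLOW_FIRST, ACLS_FIXED),
    ]:
        print(f"{label}: {outcomes(policy, acls)}")
```

With the original lists, both flows hit the `allow ... stateless` entry, so Internet-bound packets leave with a private source and never reach the NAT line; with NAT first, both flows are translated, so the inter-VLAN traffic is NATed instead of passed through. Only the restricted INTERVLAN list, kept above the NAT entry, sends each flow to the intended entry. Because vlan 15 also carries `ip access-policy Private`, the reverse 192.168.2.0 to 192.168.3.0 permit in the answer is what lets replies through the same policy.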
Re: Adtran 3448 will not ping between subnets with firewall applied

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor