- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Adtran Support Community
- :
- Discussion
- :
- NetVanta
- :
- NetVanta 3400 Series
- :
- Cannot get PBR to work
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what I am doing wrong but I cannot get vlan 100 to use the second internet eth 0/2 (ATT-Map). Nothing is matching my policy, any idea? - Jeremy
!
!
! ADTRAN, Inc. OS version R10.6.0.E
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448, part number 1200821E1
! Serial number LBADTN1340AR595
!
!
hostname "NV3448-MAIN"
!
clock timezone -6-Central-Time
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip default-gateway 66.66.66.177
ip routing
ipv6 unicast-routing
!
!
domain-name "c.local"
name-server 4.2.2.2 8.8.8.8
!
ip local policy route-map ATT-Map
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "admin" password "password"
!
banner motd #
#
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
ip dhcp database local
ip dhcp excluded-address 172.16.0.1 172.16.0.49
ip dhcp excluded-address 192.168.0.1 192.168.0.199
!
ip dhcp pool "Voice"
network 172.16.0.0 255.255.255.0
dns-server 4.2.2.2 8.8.8.8
default-router 172.16.0.2
option 43 hex 010F544F534849424120495065646765000204AC10000F03010104016E050100060164
!
!
!
!
!
!
ip crypto
!
crypto ike policy 100
initiate main
respond anymode
local-id address 66.66.66.178
peer 71.71.71.166
attribute 1
encryption 3des
hash md5
authentication pre-share
!
crypto ike remote-id address 71.71.71.166 preshared-key p0o9i8u7y6 ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
crypto map VPN 10 ipsec-ike
description Broadhead
match address VPN-10-vpn-selectors1
set peer 71.71.71.166
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
!
!
!
!
vlan 1
name "Default"
!
vlan 100
name "Data"
!
vlan 110
name "Voice"
!
!
!
no ethernet cfm
!
interface eth 0/1
description Earthlink WAN
ip address 66.66.66.178 255.255.255.248
ip mtu 1500
ip access-policy Public
crypto map VPN
no awcp
no shutdown
!
!
interface eth 0/2
description ATT WAN
ip address 99.99.99.99 255.255.255.248
ip mtu 1500
ip access-policy ATT
no awcp
no shutdown
!
!
!
interface switchport 0/1
description Link to Switch
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/2
spanning-tree edgeport
no shutdown
switchport access vlan 110
!
interface switchport 0/3
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/4
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/5
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/6
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/7
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
interface switchport 0/8
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 100
!
!
!
interface vlan 1
no ip address
shutdown
!
interface vlan 100
description Data
ip address 192.168.0.2 255.255.255.0
ip mtu 1500
ip access-policy Private
no rtp quality-monitoring
no awcp
no shutdown
!
interface vlan 110
description Voice
ip address 172.16.0.2 255.255.255.0
ip mtu 1500
ip access-policy Voice
no rtp quality-monitoring
no awcp
no shutdown
!
!
!
!
route-map ATT-Map permit 10
match ip address AttInt
set ip next-hop 99.99.99.97
set interface eth 0/2
!
!
!
!
ip access-list extended AttInt
deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255 log
deny ip 172.16.0.0 0.0.0.255 any log
permit ip any any log
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors1
permit ip 172.16.0.0 0.0.0.255 172.16.10.0 0.0.0.255
!
ip access-list extended web-acl-10
remark NAT ATT
! Implicit permit (only for empty ACLs)
!
ip access-list extended web-acl-11
remark NAT ATT
permit ip any any log
!
ip access-list extended web-acl-6
remark Data
permit ip any any
!
ip access-list extended web-acl-7
remark NAT Earthlink
! Implicit permit (only for empty ACLs)
!
ip access-list extended web-acl-8
remark Voice
permit ip any any
!
ip access-list extended web-acl-9
remark Phone System
permit tcp any host 66.66.66.178 eq 8080 log
permit tcp any host 66.66.66.178 eq 9443 log
permit tcp any host 66.66.66.178 eq 10000 log
permit tcp any host 66.66.66.178 eq 90 log
permit tcp any host 66.66.66.178 eq 8768 log
permit tcp any host 66.66.66.178 eq ftp-data log
permit tcp any host 66.66.66.178 eq ftp log
permit tcp any host 66.66.66.178 eq 2944 log
permit udp any host 66.66.66.178 eq 1718 log
permit udp any host 66.66.66.178 eq 1719 log
permit udp any host 66.66.66.178 eq 21000 log
!
ip access-list extended wizard-pfwd-1
remark Server Forwards
permit tcp any host 66.66.66.178 eq https log
permit tcp any host 66.66.66.178 eq smtp log
permit tcp any host 66.66.66.178 eq 1723 log
permit tcp any host 66.66.66.178 eq 47 log
permit tcp any host 66.66.66.178 eq www log
!
!
!
!
ip policy-class ATT
nat destination list wizard-pfwd-1 address 192.168.0.1
!
ip policy-class Private
allow list VPN-10-vpn-selectors1 stateless
allow list web-acl-8 policy Voice
allow list self self
nat source list web-acl-11 interface eth 0/2 overload policy ATT
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors1 stateless
nat destination list wizard-pfwd-1 address 192.168.0.1
nat destination list web-acl-9 address 172.16.0.15
!
ip policy-class Voice
allow list web-acl-6 policy Private
nat source list web-acl-7 interface eth 0/1 overload policy Public
nat source list web-acl-10 interface eth 0/2 overload policy ATT
!
!
!
ip route 0.0.0.0 0.0.0.0 66.66.66.177
ip route 0.0.0.0 0.0.0.0 99.99.99.97 5
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
login
!
line telnet 0 4
login
password password
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
sntp server time.nist.gov
!
!
!
!
!
!
end
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Not the Solution
- Report Inappropriate Content
Hi kb9mfd:
Thanks for posting your question in the Support Community. The route-map must be applied to an IP interface where it should analyze ingress traffic. Like this:
!
interface vlan 100
description Data
ip address 192.168.0.2 255.255.255.0
ip mtu 1500
ip policy route-map ATT-Map
ip access-policy Private
no rtp quality-monitoring
no awcp
no shutdown
!
!
route-map ATT-Map permit 10
match ip address AttInt
set ip next-hop 99.99.99.97
set interface eth 0/2 (don't need this)
!
!
!
ip access-list extended AttInt
deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255 log
deny ip 172.16.0.0 0.0.0.255 any log (don't need this as nothing sourced from 172.16 network ingress to interface vlan 100)
permit ip any any log
!
You'll probably want to look at web-acl-7 and web-acl-10 as they're currently empty (which is considered 'permit any' and will match all traffic). To use them in a NAT overload policy, consider:
!
ip access-list extended ACL-name-here
permit ip any any
!
Best,
Chris
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Not the Solution
- Report Inappropriate Content
Hi kb9mfd:
Thanks for posting your question in the Support Community. The route-map must be applied to an IP interface where it should analyze ingress traffic. Like this:
!
interface vlan 100
description Data
ip address 192.168.0.2 255.255.255.0
ip mtu 1500
ip policy route-map ATT-Map
ip access-policy Private
no rtp quality-monitoring
no awcp
no shutdown
!
!
route-map ATT-Map permit 10
match ip address AttInt
set ip next-hop 99.99.99.97
set interface eth 0/2 (don't need this)
!
!
!
ip access-list extended AttInt
deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255 log
deny ip 172.16.0.0 0.0.0.255 any log (don't need this as nothing sourced from 172.16 network ingress to interface vlan 100)
permit ip any any log
!
You'll probably want to look at web-acl-7 and web-acl-10 as they're currently empty (which is considered 'permit any' and will match all traffic). To use them in a NAT overload policy, consider:
!
ip access-list extended ACL-name-here
permit ip any any
!
Best,
Chris
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Accept as Solution
- Report Inappropriate Content
Re: Cannot get PBR to work
Thank you, I had done this before and I must of forgot to add that to my notes. As for the extra ACL's those where added by the GUI and I just need to clean them up. Thanks! - Jeremy