
Frame-Relay Setup to pass WAN to customer Firewall


Hello All, I have a setup that I am struggling with a little bit. Verizon did not provide T1 equipment for a 2x Frame-Relay T1, so I'm configuring an Adtran for my client, but a little confused how to avoid a double NAT since I do not want to use the 3430 as a firewall. I want the customer's equipment to handle all firewall and NAT.

Here's the scenario:

Verizon has provided me a /30 IP for the Frame-Relay Circuit, as well as a "LAN" set of public IP addresses of /30 as well.

Of course, the first /30 Frame-Relay set of IPs is easy and my 0.0.0.0 route will go to the fr interface.

However, the /30 for the "LAN" gives me only 1 "public" IP address for my eth 0/1 interface since the other usable IP is Verizon's default gateway ip for the LAN subnet. I then have no public IP to assign to my customer's firewall.

Do I need to fix this by simply getting a bigger block from the provider, or is there a way to "bridge" this connection? My SE mentioned SBC, but I'm not very familiar with SBC and all the config guides I found really only have to do with VoIP and this is a data only configuration.

Any guidance would be greatly appreciated!


Accepted Solutions

Re: Frame-Relay Setup to pass WAN to customer Firewall


It is odd for a service provider not to provide a router for T1 termination if you are also getting IP space from them.  But if you are using an Adtran 3430, then you have a T1 interface and 2 Ethernet interfaces.  You should configure your frame relay T1 interface and assign the first /30 to that (likely x.x.x.2 with x.x.x.1 being the default gateway) and then configure your LAN interface similarly with the additional /30 (y.y.y.1 on the LAN interface, with y.y.y.2 for your customer firewall).  Customer firewall should use y.y.y.1 as its default gateway.

Basically, both /30's aren't configured in Verizon's core. They are very likely configured to use the first /30 as the routed PTP IPs with the second /30 routed in their core to the far end IP built on your router from the first /30.  The entire /30 #2 will basically live on your router, so configure your LAN interface and firewall to use these IPs and you should be good to go.


Re: Frame-Relay Setup to pass WAN to customer Firewall


That's exactly what I was thinking and turns out that the Verizon tech was telling me WRONG that I couldn't use the second /30 for my eth interface and the firewall. Thanks for confirming that for me! I spoke to an engineer today who cleared it up for me further. Thanks Verizon for sending me on a wild goose chase!

Y.Y.Y.1 is the frame-relay /30

X.X.X.1 is the eth /30

Customer firewall would have X.X.X.2 with gateway of X.X.X.1

Adtran 3430 MLFR 2xT1

!
!
!
hostname Verizon_Frame_Relay
enable password adtran
!
!
ip subnet-zero
ip classless
ip routing
ip load-sharing per-destination
!
no auto-config
!
event-history on
no logging forwarding
no logging email
logging email priority-level info
!
no service password-encryption
!
no ip firewall alg msn
no ip firewall alg h323
!
interface eth 0/1
description to Local LAN
ip address X.X.X.1 255.255.255.252
no shutdown
!
interface t1 1/1
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface t1 1/2
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface fr 1 point-to-point
frame-relay lmi-type ansi
frame-relay multilink
frame-relay multilink bid MFR1
max-reserved-bandwidth 100
no shutdown
cross-connect 1 t1 1/1 1 frame-relay 1
cross-connect 2 t1 1/2 1 frame-relay 1
!
interface fr 1.500 point-to-point
description WAN to Verizon
frame-relay interface-dlci 500
ip address Y.Y.Y.1 255.255.255.252
no lldp send-and-receive
!
ip route 0.0.0.0 0.0.0.0 fr 1.500
!
no ip tftp server
no ip tftp server overwrite
no ip http server
no ip http secure-server
ip snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
line con 0
login
password adtran
!
line telnet 0 4
login
password adtran
!
line-timeout 30
line ssh 0 4
login local-userlist
!
end
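
An added example, not part of the original thread: a small Python audit of the management-plane lines in the configuration posted above, relevant because the router holds public addresses on both interfaces and does no firewalling itself. The sample input is constructed from that post, the function names are hypothetical, and treating a `line telnet` section without `shutdown` as reachable is an assumption about the platform.

```python
import re

# Constructed sample: management-plane lines copied from the posted config.
SAMPLE = """\
enable password adtran
no service password-encryption
ip snmp agent
line con 0
 login
 password adtran
!
line telnet 0 4
 login
 password adtran
!
line ssh 0 4
 login local-userlist
"""

def parse(text):
    """Split a config into global commands and 'line ...' sections ('!' ends one)."""
    global_cmds, line_sections, current = [], {}, None
    # Blank lines and indentation are ignored, so either layout of the config parses.
    for cmd in filter(None, map(str.strip, text.splitlines())):
        if cmd == "!":
            current = None
        elif cmd.startswith("line "):
            current = line_sections.setdefault(cmd, [])
        elif current is not None:
            current.append(cmd)
        else:
            global_cmds.append(cmd)
    return global_cmds, line_sections

def audit(text):
    global_cmds, line_sections = parse(text)
    findings = []
    if "no service password-encryption" in global_cmds:
        findings.append("global: passwords are stored unencrypted in the config")
    if any(re.fullmatch(r"enable password \S+", c) for c in global_cmds):
        findings.append("global: enable password is a cleartext literal")
    if "ip snmp agent" in global_cmds:
        findings.append("global: SNMP agent on; review communities and allowed sources")
    for header, body in line_sections.items():
        # Assumption: a telnet line with no 'shutdown' accepts logins.
        if header.startswith("line telnet") and "shutdown" not in body:
            findings.append(f"{header}: telnet reachable (credentials cross the wire in clear)")
        if any(re.fullmatch(r"password \S+", c) for c in body):
            findings.append(f"{header}: shared line password, not per-user login")
    return findings
```

Calling `audit()` on the full saved configuration works the same way; only `line ...` sections are treated as blocks, everything else is read as a global command.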