Frame-Relay Setup to pass WAN to customer Firewall


Hello All, I have a setup that I am struggling with a little bit. Verizon did not provide T1 equipment for a 2x Frame-Relay T1, so I'm configuring an Adtran for my client, but I'm a little confused about how to avoid a double NAT since I do not want to use the 3430 as a firewall. I want the customer's equipment to handle all firewall and NAT.

Here's the scenario:

Verizon has provided me a /30 IP for the Frame-Relay Circuit, as well as a "LAN" set of public IP addresses of /30 as well.

Of course, the first /30 Frame-Relay set of IPs is easy and my 0.0.0.0 route will go to the fr interface.

However, the /30 for the "LAN" gives me only 1 "public" IP address for my eth 0/1 interface since the other usable IP is Verizon's default gateway IP for the LAN subnet. I then have no public IP to assign to my customer's firewall.

Do I need to fix this by simply getting a bigger block from the provider, or is there a way to "bridge" this connection? My SE mentioned SBC, but I'm not very familiar with SBC and all the config guides I found really only have to do with VoIP and this is a data only configuration.

Any guidance would be greatly appreciated!


Accepted Solutions

Re: Frame-Relay Setup to pass WAN to customer Firewall


It is odd for a service provider not to provide a router for T1 termination if you are also getting IP space from them.  But if you are using an Adtran 3430, then you have a T1 interface and 2 Ethernet interfaces.  You should configure your frame relay T1 interface and assign the first /30 to that (likely x.x.x.2 with x.x.x.1 being the default gateway) and then configure your LAN interface similarly with the additional /30 (y.y.y.1 on the LAN interface, with y.y.y.2 for your customer firewall).  Customer firewall should use y.y.y.1 as its default gateway.

Basically, both /30's aren't configured in Verizon's core. They are very likely configured to use the first /30 as the routed PTP IPs with the second /30 routed in their core to the far end IP built on your router from the first /30.  The entire /30 #2 will basically live on your router, so configure your LAN interface and firewall to use these IPs and you should be good to go.


Re: Frame-Relay Setup to pass WAN to customer Firewall


That's exactly what I was thinking and turns out that the Verizon tech was telling me WRONG that I couldn't use the second /30 for my eth interface and the firewall. Thanks for confirming that for me! I spoke to an engineer today who cleared it up for me further. Thanks Verizon for sending me on a wild goose chase!

Y.Y.Y.1 is the frame-relay /30

X.X.X.1 is the eth /30

Customer firewall would have X.X.X.2 with gateway of X.X.X.1

Adtran 3430 MLFR 2xT1

!
!
!
hostname Verizon_Frame_Relay
enable password adtran
!
!
ip subnet-zero
ip classless
ip routing
ip load-sharing per-destination
!
no auto-config
!
event-history on
no logging forwarding
no logging email
logging email priority-level info
!
no service password-encryption
!
no ip firewall alg msn
no ip firewall alg h323
!
interface eth 0/1
  description to Local LAN
  ip address X.X.X.1 255.255.255.252
  no shutdown
!
interface t1 1/1
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface t1 1/2
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface fr 1 point-to-point
  frame-relay lmi-type ansi
  frame-relay multilink
  frame-relay multilink bid MFR1
  max-reserved-bandwidth 100
  no shutdown
  cross-connect 1 t1 1/1 1 frame-relay 1
  cross-connect 2 t1 1/2 1 frame-relay 1
!
interface fr 1.500 point-to-point
  description WAN to Verizon
  frame-relay interface-dlci 500
  ip address Y.Y.Y.1 255.255.255.252
  no lldp send-and-receive
!
ip route 0.0.0.0 0.0.0.0 fr 1.500
!
no ip tftp server
no ip tftp server overwrite
no ip http server
no ip http secure-server
ip snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
line con 0
  login
  password adtran
!
line telnet 0 4
  login
  password adtran
!
line-timeout 30
line ssh 0 4
  login local-userlist
!
end
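
The posted configuration puts public addresses on both router interfaces and applies no access policy on the router itself, so the router's own login lines are what a reviewer would check before it goes into service. The following is an added example, not part of the original posts and not Adtran tooling: it scans a config listing in this format for cleartext passwords, password reuse across sections, and password logins over telnet. `SAMPLE_CONFIG` is a constructed excerpt of the configuration above, and treating the keywords `encrypted` and `md5` as marking a stored hash is an assumption.

```python
import re

# Constructed excerpt of the posted configuration (management-plane lines only).
SAMPLE_CONFIG = """\
enable password adtran
!
no service password-encryption
!
line con 0
login
password adtran
!
line telnet 0 4
login
password adtran
!
line-timeout 30
line ssh 0 4
login local-userlist
!
end
"""

def audit(config):
    """Return sorted findings for an AOS-style config listing."""
    findings, seen, section = set(), {}, "global"
    for line in (l.strip() for l in config.splitlines()):
        if line == "!":                      # "!" closes the current section
            section = "global"
        elif re.match(r"(interface|line) ", line):
            section = line                   # e.g. "line telnet 0 4"
        elif line == "no service password-encryption":
            findings.add("password encryption disabled")
        elif line == "login" and section.startswith("line telnet"):
            findings.add(f"{section}: password login over telnet")
        else:
            # Assumption: a stored hash is written "password encrypted ..."
            # or "password md5 ..."; anything else is treated as cleartext.
            m = re.match(r"(?:enable )?password (?!encrypted|md5)(\S+)$", line)
            if m:
                findings.add(f"{section}: cleartext password")
                seen.setdefault(m.group(1), set()).add(section)
    for sections in seen.values():
        if len(sections) > 1:                # one secret guarding several doors
            findings.add("same password reused in: " + ", ".join(sorted(sections)))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```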