I was trying to add another server to port forward for remote desktop and it overwrote the existing policy-classes. This is an Adtran 3448 router. I have attached the config. I really need help, nobody can work.
First question - do you have a backup config you can roll back to? In the future, you may want to make a backup before rolling through changes if you are unsure of what to do.
Are you fixing this through CLI? You need to fix your public policy. You will need to restore the rules to the policy to make it work.
So these are the ACLs that match traffic to your WAN on a specific port.
ip access-list extended web-acl-13
remark Remote to Server p:3389
permit tcp any host WANIP.x.x.x eq 3389 log
!
ip access-list extended web-acl-14
remark Christie's RDP port 3390
permit tcp any host WANIP.x.x.x eq 3390 log
!
ip access-list extended web-acl-15
remark Q's Test PC - SLCSURGERY
permit tcp any host WANIP.x.x.x eq 3391 log
!
ip access-list extended web-acl-16
remark 1335 Web Access
permit tcp any host WANIP.x.x.x eq 8080 log
So those need to be matched in the Public access policy and NAT'd to the correct destination IP address. I hope you recall which port mapping is for each internal server.
I am also guessing the web-acl-3 (admin) ACL is for the WAN side... although allowing HTTP, SSH, or telnet connections to your router from any IP on the internet is a bad idea.
ip policy-class Public
allow list web-acl-3 self
nat destination list web-acl-13 address x.x.x.x (internal server IP1)
nat destination list web-acl-14 address x.x.x.x (internal server IP2)
nat destination list web-acl-15 address x.x.x.x (internal server IP3)
nat destination list web-acl-16 address x.x.x.x (internal server IP4)
If you are also port translating the inbound connection, you need to put that in the nat destination rule as well.
example: nat destination list web-acl-14 address 192.168.10.10 port 3389
This will translate traffic to WAN address 209.63.139.18 connecting to port 3390 to internal address 192.168.10.10 port 3389.
That's the best I can suggest at the moment without knowing more about how this was set up prior. You can always save a copy of the running config locally to another filename through the CLI, or back it up to a PC/server, or just copy the text config out of the CLI to a notepad file.
Thanks, I will use this to try and get it up and going. They only have one server so the IP should be the same for all.
I can't get to other computers across the VPN either. I can ping any IP on the 192.168.1.x from the router itself but not from a computer on the 10.10.10.x network.
Right, sorry, I overlooked that.
You need rules in the public and private policies for VPN traffic as well.
Here are the ACL rules matching traffic.
ip access-list extended VPN-10-vpn-selectors
permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
!
ip access-list extended VPN1-10-vpn-selectors
permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
So you want them to be matched on the LAN so the traffic doesn't get NAT'd, and matched on the WAN so it is allowed in from the tunnel.
ip policy-class Private
allow list VPN-10-vpn-selectors stateless
allow list VPN1-10-vpn-selectors stateless
allow list self self
nat source list wizard-ics interface eth 0/1 overload
ip policy-class Public
allow reverse list VPN-10-vpn-selectors stateless
allow reverse list VPN1-10-vpn-selectors stateless
allow list web-acl-3 self
nat destination list web-acl-13 address x.x.x.x (internal server IP1)
nat destination list web-acl-14 address x.x.x.x (internal server IP2)
nat destination list web-acl-15 address x.x.x.x (internal server IP3)
nat destination list web-acl-16 address x.x.x.x (internal server IP4)
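The two replies above spell out the same checks by hand: every port-forward ACL needs a matching nat destination entry in Public, the admin ACL should not admit any source to the router's own management ports, and a VPN selector allowed stateless in Private needs an allow reverse entry in Public. The script below is an added illustration, not part of this thread and not an Adtran tool: it parses a constructed config written in the AOS style of the fragments above and reports those conditions, plus policy lines that name an ACL that was never defined. The addresses, the policy-class names Public/Private, the extra web-acl-99 line and the regexes for the permit syntax are assumptions drawn from the fragments in this thread; the parser only understands the few line forms shown here.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the fragments in this thread; the WAN and
# server addresses are documentation placeholders, not the poster's real ones.
# web-acl-14 is deliberately left out of the Public policy, web-acl-99 is
# deliberately undefined, and Public lacks the reverse VPN rule.
SAMPLE_CONFIG = """
ip access-list standard wizard-ics
  permit 10.10.10.0 0.0.0.255
!
ip access-list extended web-acl-3
  remark admin
  permit tcp any host 203.0.113.18 eq 22 log
  permit tcp any host 203.0.113.18 eq 80 log
!
ip access-list extended web-acl-13
  remark Remote to Server p:3389
  permit tcp any host 203.0.113.18 eq 3389 log
!
ip access-list extended web-acl-14
  remark Christie's RDP port 3390
  permit tcp any host 203.0.113.18 eq 3390 log
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
!
ip policy-class Private
  allow list VPN-10-vpn-selectors stateless
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
  allow list web-acl-3 self
  nat destination list web-acl-13 address 192.168.1.10
  nat destination list web-acl-99 address 192.168.1.10 port 3389
!
"""

ADMIN_PORTS = {22, 23, 80, 443}  # ssh, telnet, http, https to the router itself

ACL_HEADER = re.compile(r"ip access-list (?:standard|extended) (\S+)")
POLICY_HEADER = re.compile(r"ip policy-class (\S+)")
# Extended permit line: protocol, source, destination, optional destination port.
# Assumed shape, covering only the forms that appear in this thread.
PERMIT = re.compile(
    r"permit (\S+) (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: eq (\d+))?"
)


def parse(config):
    """Return (acls, policies): ACL name -> permit tuples, policy name -> token lists."""
    acls, policies, section = {}, defaultdict(list), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!" or line.startswith("remark"):
            continue
        if m := ACL_HEADER.match(line):
            section = ("acl", m.group(1))
            acls[m.group(1)] = []
        elif m := POLICY_HEADER.match(line):
            section = ("policy", m.group(1))
            policies[m.group(1)]  # create the entry even if the class is empty
        elif section and section[0] == "acl":
            if m := PERMIT.match(line):
                proto, src, dst, port = m.groups()
                acls[section[1]].append((proto, src, dst, int(port) if port else None))
        elif section and section[0] == "policy":
            policies[section[1]].append(line.split())
    return acls, dict(policies)


def lint(config):
    """Findings a reviewer would raise against a Public/Private policy-class pair."""
    acls, policies = parse(config)
    findings, referenced = [], set()
    for pname, rules in policies.items():
        for toks in rules:
            # "allow list X", "allow reverse list X" and "nat ... list X" all name the ACL after "list".
            if "list" in toks:
                acl = toks[toks.index("list") + 1]
                referenced.add(acl)
                if acl not in acls and acl != "self":
                    findings.append(f"{pname}: references undefined ACL {acl}")
            # Management exposure: any source reaching the router itself on an admin port.
            if toks[:2] == ["allow", "list"] and toks[-1] == "self":
                for proto, src, _dst, port in acls.get(toks[2], []):
                    if proto == "tcp" and src == "any" and port in ADMIN_PORTS:
                        findings.append(f"{pname}: {toks[2]} allows any source to router port {port}")
    # Defined but unused ACLs: the symptom in this thread after the policy-class was overwritten.
    for name in acls:
        if name not in referenced:
            findings.append(f"ACL {name} is defined but no policy-class uses it")
    # A selector allowed stateless in Private needs the reverse rule in Public.
    public = policies.get("Public", [])
    for toks in policies.get("Private", []):
        if toks[:2] == ["allow", "list"] and toks[-1] == "stateless":
            if ["allow", "reverse", "list", toks[2], "stateless"] not in public:
                findings.append(f"Public: missing 'allow reverse list {toks[2]} stateless'")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against a copy of the running config pasted out of the CLI; the "defined but no policy-class uses it" lines are the entries that have to be put back into the Public class, and the "allows any source to router port" lines are the admin ACL rules worth narrowing to a management source address before the router is exposed again.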
Never mind, I just had to add the access list for the VPN back into the Private policy. Everything is up, thank you.