Solved: I screwed up existing port fowarding by using the wizard and need help. - Adtran Support Community

Adtran

I was trying to add another server to port forward for remote desktop and it overwrote the existing policy-classes This is an Adtran 3448 router. I have attached the config I really need help nobody can work.

1 Solution

Accepted Solutions

First question - do you have a backup config you can roll back to? In the future, you may want to make a backup before rolling through changes if you are unsure of what to do.

Are you fixing this through CLI? You need to fix your public policy. You will need to restore the rules to the policy to make it work.

So these are the ACL's that match traffic to your WAN on a specific port.

ip access-list extended web-acl-13

remark Remote to Server p:3389

permit tcp any host WANIP.x.x.x eq 3389 log

!

ip access-list extended web-acl-14

remark Christie's RDP port 3390

permit tcp any host WANIP.x.x.x eq 3390 log

!

ip access-list extended web-acl-15

remark Q's Test PC - SLCSURGERY

permit tcp any host WANIP.x.x.x eq 3391 log

!

ip access-list extended web-acl-16

remark 1335 Web Access

permit tcp any host WANIP.x.x.x eq 8080 log

So those need to be match in the Public access policy and NAT'd to the correct destination IP address. I hope you recall which port mapping is for each internal server.

I am also guessing the web-acl-3 (admin) ACL is for the WAN side... although allowing HTTP, SSH, or telnet connections to your router from any IP on the internet is a bad idea.

ip policy-class Public

allow list web-acl-3 self

nat destination list web-acl-13 address x.x.x.x (internal server IP1)

nat destination list web-acl-14 address x.x.x.x (internal server IP2)

nat destination list web-acl-15 address x.x.x.x (internal server IP3)

nat destination list web-acl-16 address x.x.x.x (internal server IP4)

If you are also port translating the inbound conenciton, you need to put that in the nat destination rule as well.

example: nat destination list web-acl-14 address 192.168.10.10 port 3389

This will translate traffic to WAN address 209.63.139.18 connecting to port 3390 to internal address 192.168.10.10 port 3389.

That's the best I can suggest at the moment without knowing more about how this was setup prior. You can always save a copy of the running config locally to another filename through the CLI, or back it up to a PC/server, or just copy the text config out of the CLI to a notepad file.

View solution in original post

5 Replies

First question - do you have a backup config you can roll back to? In the future, you may want to make a backup before rolling through changes if you are unsure of what to do.

Are you fixing this through CLI? You need to fix your public policy. You will need to restore the rules to the policy to make it work.

So these are the ACL's that match traffic to your WAN on a specific port.

ip access-list extended web-acl-13

remark Remote to Server p:3389

permit tcp any host WANIP.x.x.x eq 3389 log

!

ip access-list extended web-acl-14

remark Christie's RDP port 3390

permit tcp any host WANIP.x.x.x eq 3390 log

!

ip access-list extended web-acl-15

remark Q's Test PC - SLCSURGERY

permit tcp any host WANIP.x.x.x eq 3391 log

!

ip access-list extended web-acl-16

remark 1335 Web Access

permit tcp any host WANIP.x.x.x eq 8080 log

So those need to be match in the Public access policy and NAT'd to the correct destination IP address. I hope you recall which port mapping is for each internal server.

I am also guessing the web-acl-3 (admin) ACL is for the WAN side... although allowing HTTP, SSH, or telnet connections to your router from any IP on the internet is a bad idea.

ip policy-class Public

allow list web-acl-3 self

nat destination list web-acl-13 address x.x.x.x (internal server IP1)

nat destination list web-acl-14 address x.x.x.x (internal server IP2)

nat destination list web-acl-15 address x.x.x.x (internal server IP3)

nat destination list web-acl-16 address x.x.x.x (internal server IP4)

If you are also port translating the inbound conenciton, you need to put that in the nat destination rule as well.

example: nat destination list web-acl-14 address 192.168.10.10 port 3389

This will translate traffic to WAN address 209.63.139.18 connecting to port 3390 to internal address 192.168.10.10 port 3389.

That's the best I can suggest at the moment without knowing more about how this was setup prior. You can always save a copy of the running config locally to another filename through the CLI, or back it up to a PC/server, or just copy the text config out of the CLI to a notepad file.

Thanks I will use this to try and get it up and going. They only have one server so the IP should be the same for all.

I can't get to other computers across the vpn either I can ping any IP on the 192.168.1.x from the router itself buy not from a computer on the 10.10.10.x network.

Right, sorry, I overlooked that.

You need rules in the public and private policies for VPN traffic as well.

Here are the ACL rules matching traffic.

ip access-list extended VPN-10-vpn-selectors

permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255

!

ip access-list extended VPN1-10-vpn-selectors

permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255

So you want them to be matched on the LAN so the traffic doesn't get NAT'd, and matched on the WAN so it is allowed in from the tunnel.

ip policy-class Private

allow list VPN-10-vpn-selectors stateless

allow list VPN1-10-vpn-selectors stateless

allow list self self

nat source list wizard-ics interface eth 0/1 overload

ip policy-class Public

allow reverse list VPN-10-vpn-selectors stateless

allow reverse list VPN1-10-vpn-selectors stateless

allow list web-acl-3 self

nat destination list web-acl-13 address x.x.x.x (internal server IP1)

nat destination list web-acl-14 address x.x.x.x (internal server IP2)

nat destination list web-acl-15 address x.x.x.x (internal server IP3)

nat destination list web-acl-16 address x.x.x.x (internal server IP4)

never mind I just had to add the access list for the vpn back into the Private policy. Everything is up thank you.