cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
bizman
New Contributor II

One to One NAT Not Working

Jump to solution

I have read through the examples of creating a one-to-one NAT and am struggling with the configuration.

I want a private server 172.168.0.18 to be available to the public 64.x.x.161.

Currently the configuration works for VOIP and Internet traffic (one-to-many NAT).

! ADTRAN, Inc. OS version R10.11.0

! Boot ROM version 13.03.00.SB

! Platform: NetVanta 3430, part number 1200820E1

! Serial number xxx

!

hostname "xxx"

enable password xxx

!

ip subnet-zero

ip classless

ip default-gateway 64.x.x.98

ip routing

ipv6 unicast-routing

!

host "D-2950" 172.168.0.18

domain-name "xxx"

domain-proxy

name-server x.x.x.x

!

auto-config

!

event-history on

no logging forwarding

no logging email

!

no service password-encryption

!

username "x" password "x"

ip forward-protocol udp time

ip forward-protocol udp nameserver

ip forward-protocol udp tacacs

ip forward-protocol udp tftp

ip forward-protocol udp netbios-ns

ip forward-protocol udp netbios-dgm

ip forward-protocol udp 5061

!

ip firewall

ip firewall stealth

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

no ip firewall alg sip

!

no dot11ap access-point-control

!

ip dhcp excluded-address 172.168.0.0 172.168.0.199

ip dhcp excluded-address 172.168.0.255

!

ip dhcp pool "Private"

  network 172.168.0.0 255.255.255.0

  dns-server 172.168.0.1

  default-router 172.168.0.1

!

qos map ppp1QosWizard 20

  match ip rtp 8000 20000 all

  match dscp cs3 cs4 ef

  priority 926

qos map ppp1QosWizard 21

  match ip list aclppp1QosWizSignal21

  set dscp 26

!

no ethernet cfm

!

interface eth 0/1

  ip address  172.168.0.1  255.255.255.0

  ip helper-address  64.x.x.98

  ip access-policy Private

  ip flow ingress S-2950

  no shutdown

!

interface eth 0/2

  no ip address

  no awcp

  shutdown

!

interface t1 1/1

  description T1

  tdm-group 1 timeslots 1-24 speed 64

  no shutdown

!

interface ppp 1

  ip address  64.x.x.98  255.255.255.252

  ip address range  64.x.x.161  64.x.x.166  255.255.255.0  secondary

  ip helper-address  64.x.x.98

  ip access-policy Public

  ip flow ingress S-2950

  qos-policy out ppp1QosWizard

  no shutdown

  cross-connect 1 t1 1/1 1 ppp 1

!

ip access-list standard wizard-ics

  remark Internet Connection Sharing

  permit any

!

ip access-list extended aclppp1QosWizSignal21

!

ip access-list extended web-acl-11

  remark S_private

  permit ip 172.168.0.0 0.0.0.255  any     log

!

ip access-list extended web-acl-12

  remark S_public

  permit ip 64.x.x.0 0.0.0.255  any     log

!

ip policy-class Private

  nat source list web-acl-11 address 64.x.x.161 overload

  allow list self self

  nat source list wizard-ics interface ppp 1 overload

!

ip policy-class Public

  nat destination list web-acl-12 address 172.168.0.18

!

ip route 0.0.0.0 0.0.0.0 64.x.x.97

ip route 0.0.0.0 0.0.0.0 ppp 1

ip route 172.168.0.0 255.255.255.0 64.x.x.95

!

no tftp server

no tftp server overwrite

http server

no http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

sip

sip udp 5060

no sip tcp

!

no ip rtp firewall-traversal

!

line con 0

  login

  password x

!

line telnet 0 4

  login

  password x

  no shutdown

line ssh 0 4

  login local-userlist

  no shutdown

!

ntp server 216.x.x.x version 3 source ppp 1

!

end

Labels (1)
0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: One to One NAT Not Working

Jump to solution

:

Thank you for asking this question in the support community, and for including the relevant portions of your configuration.  This configuration of this application depends if you want a true 1:1 NAT, or if you simply want a inbound 1:1 NAT (also known as a port forward).  Static 1:1 NAT allows connections initiated from a particular private Internet Protocol version 4 (IPv4) address to always map to a particular public IPv4 address. For every private host that requires a 1:1 NAT mapping, there must be a corresponding NAT address on the public side. In previous versions of AOS, this was accomplished by using an exhaustive list of all address mappings. AOS version 17.4 and later provided support for using NAT pools that list ranges of local and global IPv4 addresses to create the 1:1 mappings.  In this post, I will guide you on how to correct the minor mistakes in your current configuration, as well as provide recommendations for how to configure 1:1 NAT in the future.

In the configuration you have submitted, it looks like you have attempted to setup a true 1:1 NAT (where one public IP address is linked to a private IP address for both inbound and outbound traffic) without utilizing the NAT pool feature.  Therefore, to correct the configuration for this application, you will need to modify the the access-control lists (ACLs) for the match criteria.  In the "Public" policy-class you are referencing the ACL "web-acl-12" for the match criteria to be 1:1 NAT'ed.  The ACL and corresponding policy-class are listed below:


ip access-list extended web-acl-12

  remark S_public

  permit ip 64.x.x.0 0.0.0.255  any     log

ip policy-class Public

  nat destination list web-acl-12 address 172.168.0.18


This ACL is used to determine which traffic will be selected for the 1:1 NAT.  In this case, you are saying "any traffic arriving at the ADTRAN's "Public" interface with a source address of 64.x.x.0 255.255.255.0 destined for any IP address should be forwarded to 172.168.0.18."  For a 1:1 NAT, most likely you should change the match criteria in the ACL to match only the single public address the traffic is destined for.  It will look similar to the following:


ip access-list extended web-acl-12

  remark S_public

  permit ip  any host  64.x.x.161    log


ip policy-class Public

  nat destination list web-acl-12 address 172.168.0.18


This ACL essentially says "any traffic that arrives at the ADTRAN with a destination address of 64.x.x.161, forward that to the internal address of 172.168.0.18."  I think you had the concept nearly correct, but the order of the ACL needed to be changed.

Furthermore, you will need to correct the exact same thing on the "Private" policy-class's ACL.  Currently, the ACL and policy-class are as follows:


ip access-list extended web-acl-11

  remark S_private

  permit ip 172.168.0.0 0.0.0.255  any     log

!

ip policy-class Private

  nat source list web-acl-11 address 64.x.x.161 overload


In this configuration, you will need to change "web-acl-11" to match traffic from the private host (172.168.0.18).  The ACL should be changed to something similar to the following:


ip access-list extended web-acl-11

  remark S_private

  permit ip host 172.168.0.18  any     log


I hope that makes sense, but please do not hesitate to reply to this post if you have any further questions or additional information.  I will be happy to help in any way I can.

You mentioned you were referencing some documentation.  Which documentation were you reviewing?  This configuration can be found in the following guides:

An example for this application can be found on page 40 of the Configuring the Firewall (IPv4) in AOS guide.  Furthermore, ADTRAN recommends 1:1 NAT applications use the NAT Pools feature, which is a little different method than the way you have the configuration).  The example for this method starts on page 6:  Configuring NAT Pools in AOS

Finally, for future reference, if you simply desire a one-way inbound mapping, then you can configure a port forward, by referencing the following links:

[video] Configuring a Port Forward in AOS (NetVanta)

Port Forwarding Quick Configuration Guide


Again, do not hesitate to reply with any questions.

Levi

View solution in original post

0 Kudos
6 Replies
Anonymous
Not applicable

Re: One to One NAT Not Working

Jump to solution

:

Thank you for asking this question in the support community, and for including the relevant portions of your configuration.  This configuration of this application depends if you want a true 1:1 NAT, or if you simply want a inbound 1:1 NAT (also known as a port forward).  Static 1:1 NAT allows connections initiated from a particular private Internet Protocol version 4 (IPv4) address to always map to a particular public IPv4 address. For every private host that requires a 1:1 NAT mapping, there must be a corresponding NAT address on the public side. In previous versions of AOS, this was accomplished by using an exhaustive list of all address mappings. AOS version 17.4 and later provided support for using NAT pools that list ranges of local and global IPv4 addresses to create the 1:1 mappings.  In this post, I will guide you on how to correct the minor mistakes in your current configuration, as well as provide recommendations for how to configure 1:1 NAT in the future.

In the configuration you have submitted, it looks like you have attempted to setup a true 1:1 NAT (where one public IP address is linked to a private IP address for both inbound and outbound traffic) without utilizing the NAT pool feature.  Therefore, to correct the configuration for this application, you will need to modify the the access-control lists (ACLs) for the match criteria.  In the "Public" policy-class you are referencing the ACL "web-acl-12" for the match criteria to be 1:1 NAT'ed.  The ACL and corresponding policy-class are listed below:


ip access-list extended web-acl-12

  remark S_public

  permit ip 64.x.x.0 0.0.0.255  any     log

ip policy-class Public

  nat destination list web-acl-12 address 172.168.0.18


This ACL is used to determine which traffic will be selected for the 1:1 NAT.  In this case, you are saying "any traffic arriving at the ADTRAN's "Public" interface with a source address of 64.x.x.0 255.255.255.0 destined for any IP address should be forwarded to 172.168.0.18."  For a 1:1 NAT, most likely you should change the match criteria in the ACL to match only the single public address the traffic is destined for.  It will look similar to the following:


ip access-list extended web-acl-12

  remark S_public

  permit ip  any host  64.x.x.161    log


ip policy-class Public

  nat destination list web-acl-12 address 172.168.0.18


This ACL essentially says "any traffic that arrives at the ADTRAN with a destination address of 64.x.x.161, forward that to the internal address of 172.168.0.18."  I think you had the concept nearly correct, but the order of the ACL needed to be changed.

Furthermore, you will need to correct the exact same thing on the "Private" policy-class's ACL.  Currently, the ACL and policy-class are as follows:


ip access-list extended web-acl-11

  remark S_private

  permit ip 172.168.0.0 0.0.0.255  any     log

!

ip policy-class Private

  nat source list web-acl-11 address 64.x.x.161 overload


In this configuration, you will need to change "web-acl-11" to match traffic from the private host (172.168.0.18).  The ACL should be changed to something similar to the following:


ip access-list extended web-acl-11

  remark S_private

  permit ip host 172.168.0.18  any     log


I hope that makes sense, but please do not hesitate to reply to this post if you have any further questions or additional information.  I will be happy to help in any way I can.

You mentioned you were referencing some documentation.  Which documentation were you reviewing?  This configuration can be found in the following guides:

An example for this application can be found on page 40 of the Configuring the Firewall (IPv4) in AOS guide.  Furthermore, ADTRAN recommends 1:1 NAT applications use the NAT Pools feature, which is a little different method than the way you have the configuration).  The example for this method starts on page 6:  Configuring NAT Pools in AOS

Finally, for future reference, if you simply desire a one-way inbound mapping, then you can configure a port forward, by referencing the following links:

[video] Configuring a Port Forward in AOS (NetVanta)

Port Forwarding Quick Configuration Guide


Again, do not hesitate to reply with any questions.

Levi

0 Kudos
bizman
New Contributor II

Re: One to One NAT Not Working

Jump to solution

I made the changes as you indicated but I get the same result...  The router (port 80) is answering and wants me to log into the router web interface, which is what was happening before.  I want to get access to (port 80) on the local machine.  So the 1-to-1 NAT is still not working.  I am missing something.

Anonymous
Not applicable

Re: One to One NAT Not Working

Jump to solution

:

Typically, when you are prompted for the ADTRAN's login instead of being forwarded, that is because there is a more specific ACL entry in the policy-class that is matching the port 80 traffic and is used for "admin-access." 

When you get a chance, will you please reply and attach the current configuration (please, remember to remove any information that might be sensitive to the organization)?  I will be happy to review the configuration for you.

Levi

bizman
New Contributor II

Re: One to One NAT Not Working

Jump to solution

Attached is the current configuration. 

no ethernet cfm

!

interface eth 0/1

  ip address  172.168.0.1  255.255.255.0

  ip helper-address  64.x.x.98

  ip access-policy Private

  ip flow ingress S-2950

  no shutdown

!

interface eth 0/2

  no ip address

  no awcp

  shutdown

!

interface t1 1/1

  description AA T1

  tdm-group 1 timeslots 1-24 speed 64

  no shutdown

!

interface ppp 1

  ip address  64.x.x.98  255.255.255.252

  ip address range  64.x.x.161  64.x.x.166  255.255.255.0  secondary

  ip helper-address  64.x.x.98

  ip access-policy Public

  ip flow ingress S-2950

  qos-policy out ppp1QosWizard

  no shutdown

  cross-connect 1 t1 1/1 1 ppp 1

!

ip access-list standard wizard-ics

  remark Internet Connection Sharing

  permit any

!

ip access-list extended aclppp1QosWizSignal21

!

ip access-list extended S-2950

  permit ip 64.x.x.160 0.0.0.7  any     log

!

ip access-list extended web-acl-11

  remark S_private

  permit ip host 172.168.0.18  any     log

!

ip access-list extended web-acl-12

  remark S_public

  permit ip any  host 64.x.x.161     log

!

ip policy-class Private

  nat source list web-acl-11 address 64.x.x.161 overload

  allow list self self

  nat source list wizard-ics interface ppp 1 overload

!

ip policy-class Public

  nat destination list web-acl-12 address 172.168.0.18

!

ip route 0.0.0.0 0.0.0.0 64.x.x.97

ip route 0.0.0.0 0.0.0.0 ppp 1

ip route 172.168.0.0 255.255.255.0 64.x.x.95

!

Anonymous
Not applicable

Re: One to One NAT Not Working

Jump to solution

:

Thank you for replying with this information.  The only thing I see in the configuration is the secondary range on PPP 1 (ip address range  64.x.x.161  64.x.x.166  255.255.255.0  secondary).  Is that supposed to be a 255.255.255.0 subnet mask? 

When you get a chance, when you attempt to connect to the public interface, will you reply (and attach) the output from the show ip policy-sessions command?  I will be happy to review this output and see what is happening when you attempt to connect to the 64.x.x.161 IP address. 

Levi

bizman
New Contributor II

Re: One to One NAT Not Working

Jump to solution

Problem solved.  The subnet mask was wrong.  Once it was corrected then I could login to the server.

Thanks