I have read through the examples of creating a one-to-one NAT and am struggling with the configuration.
I want a private server 172.168.0.18 to be available to the public 64.x.x.161.
Currently the configuration works for VOIP and Internet traffic (one-to-many NAT).
! ADTRAN, Inc. OS version R10.11.0
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3430, part number 1200820E1
! Serial number xxx
!
hostname "xxx"
enable password xxx
!
ip subnet-zero
ip classless
ip default-gateway 64.x.x.98
ip routing
ipv6 unicast-routing
!
host "D-2950" 172.168.0.18
domain-name "xxx"
domain-proxy
name-server x.x.x.x
!
auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
username "x" password "x"
ip forward-protocol udp time
ip forward-protocol udp nameserver
ip forward-protocol udp tacacs
ip forward-protocol udp tftp
ip forward-protocol udp netbios-ns
ip forward-protocol udp netbios-dgm
ip forward-protocol udp 5061
!
ip firewall
ip firewall stealth
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
no dot11ap access-point-control
!
ip dhcp excluded-address 172.168.0.0 172.168.0.199
ip dhcp excluded-address 172.168.0.255
!
ip dhcp pool "Private"
network 172.168.0.0 255.255.255.0
dns-server 172.168.0.1
default-router 172.168.0.1
!
qos map ppp1QosWizard 20
match ip rtp 8000 20000 all
match dscp cs3 cs4 ef
priority 926
qos map ppp1QosWizard 21
match ip list aclppp1QosWizSignal21
set dscp 26
!
no ethernet cfm
!
interface eth 0/1
ip address 172.168.0.1 255.255.255.0
ip helper-address 64.x.x.98
ip access-policy Private
ip flow ingress S-2950
no shutdown
!
interface eth 0/2
no ip address
no awcp
shutdown
!
interface t1 1/1
description T1
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface ppp 1
ip address 64.x.x.98 255.255.255.252
ip address range 64.x.x.161 64.x.x.166 255.255.255.0 secondary
ip helper-address 64.x.x.98
ip access-policy Public
ip flow ingress S-2950
qos-policy out ppp1QosWizard
no shutdown
cross-connect 1 t1 1/1 1 ppp 1
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
ip access-list extended aclppp1QosWizSignal21
!
ip access-list extended web-acl-11
remark S_private
permit ip 172.168.0.0 0.0.0.255 any log
!
ip access-list extended web-acl-12
remark S_public
permit ip 64.x.x.0 0.0.0.255 any log
!
ip policy-class Private
nat source list web-acl-11 address 64.x.x.161 overload
allow list self self
nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
nat destination list web-acl-12 address 172.168.0.18
!
ip route 0.0.0.0 0.0.0.0 64.x.x.97
ip route 0.0.0.0 0.0.0.0 ppp 1
ip route 172.168.0.0 255.255.255.0 64.x.x.95
!
no tftp server
no tftp server overwrite
http server
no http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
sip
sip udp 5060
no sip tcp
!
no ip rtp firewall-traversal
!
line con 0
login
password x
!
line telnet 0 4
login
password x
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
ntp server 216.x.x.x version 3 source ppp 1
!
end
Thank you for asking this question in the support community, and for including the relevant portions of your configuration. The configuration for this application depends on whether you want a true 1:1 NAT or simply an inbound 1:1 NAT (also known as a port forward). Static 1:1 NAT allows connections initiated from a particular private Internet Protocol version 4 (IPv4) address to always map to a particular public IPv4 address. For every private host that requires a 1:1 NAT mapping, there must be a corresponding NAT address on the public side. In previous versions of AOS, this was accomplished by using an exhaustive list of all address mappings. AOS version 17.4 and later provided support for using NAT pools that list ranges of local and global IPv4 addresses to create the 1:1 mappings. In this post, I will guide you on how to correct the minor mistakes in your current configuration, as well as provide recommendations for how to configure 1:1 NAT in the future.
In the configuration you have submitted, it looks like you have attempted to set up a true 1:1 NAT (where one public IP address is linked to a private IP address for both inbound and outbound traffic) without utilizing the NAT pool feature. Therefore, to correct the configuration for this application, you will need to modify the access-control lists (ACLs) for the match criteria. In the "Public" policy-class you are referencing the ACL "web-acl-12" for the match criteria to be 1:1 NAT'ed. The ACL and corresponding policy-class are listed below:
ip access-list extended web-acl-12
remark S_public
permit ip 64.x.x.0 0.0.0.255 any log
ip policy-class Public
nat destination list web-acl-12 address 172.168.0.18
This ACL is used to determine which traffic will be selected for the 1:1 NAT. In this case, you are saying "any traffic arriving at the ADTRAN's "Public" interface with a source address of 64.x.x.0 255.255.255.0 destined for any IP address should be forwarded to 172.168.0.18." For a 1:1 NAT, most likely you should change the match criteria in the ACL to match only the single public address the traffic is destined for. It will look similar to the following:
ip access-list extended web-acl-12
remark S_public
permit ip any host 64.x.x.161 log
ip policy-class Public
nat destination list web-acl-12 address 172.168.0.18
This ACL essentially says "any traffic that arrives at the ADTRAN with a destination address of 64.x.x.161, forward that to the internal address of 172.168.0.18." I think you had the concept nearly correct, but the order of the ACL needed to be changed.
Furthermore, you will need to correct the exact same thing on the "Private" policy-class's ACL. Currently, the ACL and policy-class are as follows:
ip access-list extended web-acl-11
remark S_private
permit ip 172.168.0.0 0.0.0.255 any log
!
ip policy-class Private
nat source list web-acl-11 address 64.x.x.161 overload
In this configuration, you will need to change "web-acl-11" to match traffic from the private host (172.168.0.18). The ACL should be changed to something similar to the following:
ip access-list extended web-acl-11
remark S_private
permit ip host 172.168.0.18 any log
I hope that makes sense, but please do not hesitate to reply to this post if you have any further questions or additional information. I will be happy to help in any way I can.
You mentioned you were referencing some documentation. Which documentation were you reviewing? This configuration can be found in the following guides:
An example for this application can be found on page 40 of the Configuring the Firewall (IPv4) in AOS guide. Furthermore, ADTRAN recommends that 1:1 NAT applications use the NAT Pools feature, which is a slightly different method from the way you have it configured. The example for this method starts on page 6: Configuring NAT Pools in AOS
Finally, for future reference, if you simply desire a one-way inbound mapping, then you can configure a port forward by referencing the following links:
[video] Configuring a Port Forward in AOS (NetVanta)
Port Forwarding Quick Configuration Guide
Again, do not hesitate to reply with any questions.
Levi
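To make concrete which packets each version of the two ACLs selects, here is an added Python model of the ACL matching and the two policy-classes; it is not from the thread or from AOS itself. It assumes Cisco-style wildcard masks, top-down first-match evaluation of policy-class entries, leaves out the "allow list self self" entry, and uses 64.0.0.x and 198.51.100.7 as constructed stand-ins for the redacted public addresses and an Internet client.

```python
import ipaddress

# Constructed stand-ins for the thread's redacted public addresses (64.x.x.x -> 64.0.0.x).
PUBLIC_IP, PPP1_IP, PRIVATE_IP = "64.0.0.161", "64.0.0.98", "172.168.0.18"

def to_net(spec):
    """ACL address spec -> ip_network: 'any', 'host A', or 'A W' (address plus wildcard)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    # Wildcard bits set to 1 are "don't care"; contiguous wildcards only (assumed here).
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def acl_permits(entries, src, dst):
    """Evaluate 'permit ip <src> <dst>' entries top-down; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in to_net(a) and d in to_net(b) for a, b in entries)

# web-acl-12 as posted ("permit ip 64.x.x.0 0.0.0.255 any") and as corrected in the reply.
ACL12_POSTED = [("64.0.0.0 0.0.0.255", "any")]
ACL12_FIXED = [("any", "host " + PUBLIC_IP)]
# web-acl-11 as posted ("permit ip 172.168.0.0 0.0.0.255 any") and as corrected.
ACL11_POSTED = [("172.168.0.0 0.0.0.255", "any")]
ACL11_FIXED = [("host " + PRIVATE_IP, "any")]
WIZARD_ICS = [("any", "any")]  # 'ip access-list standard wizard-ics' / 'permit any'

def public_policy(acl12, src, dst):
    """Public policy-class ('nat destination list web-acl-12 address 172.168.0.18'):
    returns the destination the packet is delivered to after the policy-class."""
    return PRIVATE_IP if acl_permits(acl12, src, dst) else dst

def private_policy(acl11, src, dst):
    """Private policy-class, entries tried in order (first match wins, assumed here):
       nat source list web-acl-11 address 64.x.x.161 overload
       nat source list wizard-ics interface ppp 1 overload
    Returns the translated source, or None when nothing matches (implicit discard)."""
    for acl, outside in ((acl11, PUBLIC_IP), (WIZARD_ICS, PPP1_IP)):
        if acl_permits(acl, src, dst):
            return outside
    return None

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client (TEST-NET-2)
    print(public_policy(ACL12_POSTED, client, PUBLIC_IP))        # 64.0.0.161: not selected
    print(public_policy(ACL12_FIXED, client, PUBLIC_IP))         # 172.168.0.18
    print(private_policy(ACL11_POSTED, "172.168.0.50", client))  # 64.0.0.161: every LAN host
    print(private_policy(ACL11_FIXED, "172.168.0.50", client))   # 64.0.0.98: only .18 gets .161
```

The posted web-acl-12 matches on the source address, so it selects traffic coming from the 64.x.x.0/24 block rather than traffic destined for .161, which is why the model leaves an Internet client's packet untranslated under that version.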
I made the changes as you indicated but I get the same result... The router (port 80) is answering and wants me to log into the router web interface, which is what was happening before. I want to get access to (port 80) on the local machine. So the 1-to-1 NAT is still not working. I am missing something.
Typically, when you are prompted for the ADTRAN's login instead of being forwarded, that is because there is a more specific ACL entry in the policy-class that is matching the port 80 traffic and is used for "admin-access."
When you get a chance, will you please reply and attach the current configuration (please, remember to remove any information that might be sensitive to the organization)? I will be happy to review the configuration for you.
Levi
Attached is the current configuration.
no ethernet cfm
!
interface eth 0/1
ip address 172.168.0.1 255.255.255.0
ip helper-address 64.x.x.98
ip access-policy Private
ip flow ingress S-2950
no shutdown
!
interface eth 0/2
no ip address
no awcp
shutdown
!
interface t1 1/1
description AA T1
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface ppp 1
ip address 64.x.x.98 255.255.255.252
ip address range 64.x.x.161 64.x.x.166 255.255.255.0 secondary
ip helper-address 64.x.x.98
ip access-policy Public
ip flow ingress S-2950
qos-policy out ppp1QosWizard
no shutdown
cross-connect 1 t1 1/1 1 ppp 1
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
ip access-list extended aclppp1QosWizSignal21
!
ip access-list extended S-2950
permit ip 64.x.x.160 0.0.0.7 any log
!
ip access-list extended web-acl-11
remark S_private
permit ip host 172.168.0.18 any log
!
ip access-list extended web-acl-12
remark S_public
permit ip any host 64.x.x.161 log
!
ip policy-class Private
nat source list web-acl-11 address 64.x.x.161 overload
allow list self self
nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
nat destination list web-acl-12 address 172.168.0.18
!
ip route 0.0.0.0 0.0.0.0 64.x.x.97
ip route 0.0.0.0 0.0.0.0 ppp 1
ip route 172.168.0.0 255.255.255.0 64.x.x.95
!
Thank you for replying with this information. The only thing I see in the configuration is the secondary range on PPP 1 (ip address range 64.x.x.161 64.x.x.166 255.255.255.0 secondary). Is that supposed to be a 255.255.255.0 subnet mask?
When you get a chance, when you attempt to connect to the public interface, will you reply (and attach) the output from the show ip policy-sessions command? I will be happy to review this output and see what is happening when you attempt to connect to the 64.x.x.161 IP address.
Levi
Problem solved. The subnet mask was wrong. Once it was corrected then I could login to the server.
Thanks
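The thread ends by confirming the secondary range's mask was wrong without saying which mask replaced it. As an added check (not from the thread), this Python snippet computes the subnet a candidate mask implies for the .161-.166 range and flags whether it overlaps the primary ppp 1 subnet; the /29 candidate is an assumption derived from the 0.0.0.7 wildcard in the S-2950 ACL, and the 64.0.0.x addresses are constructed stand-ins for the redacted ones.

```python
import ipaddress

# Constructed stand-ins for the redacted 64.x.x.x addresses in the thread (64.x.x.x -> 64.0.0.x).
PPP1_PRIMARY = ("64.0.0.98", "255.255.255.252")   # ip address 64.x.x.98 255.255.255.252
SECONDARY_RANGE = ("64.0.0.161", "64.0.0.166")    # ip address range 64.x.x.161 64.x.x.166 <mask> secondary
S2950_ACL = "64.0.0.160/0.0.0.7"                  # permit ip 64.x.x.160 0.0.0.7 any (ACL S-2950)

def check_secondary_mask(mask):
    """Describe the subnet the secondary range implies under `mask` and report the
    properties worth checking: overlap with the primary ppp 1 subnet, and whether the
    whole .161-.166 range sits inside that subnet and inside the S-2950 ACL block."""
    primary = ipaddress.ip_network(PPP1_PRIMARY, strict=False)
    first, last = (ipaddress.ip_address(a) for a in SECONDARY_RANGE)
    secondary = ipaddress.ip_network((str(first), mask), strict=False)
    acl_block = ipaddress.ip_network(S2950_ACL)  # hostmask notation: 0.0.0.7 -> /29
    addrs = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
    return {
        "secondary_subnet": str(secondary),
        "overlaps_primary": secondary.overlaps(primary),
        "range_within_secondary": all(a in secondary for a in addrs),
        "range_within_acl_block": all(a in acl_block for a in addrs),
    }

if __name__ == "__main__":
    # The mask as posted, then the /29 that the S-2950 wildcard 0.0.0.7 implies (assumed intent).
    for mask in ("255.255.255.0", "255.255.255.248"):
        print(mask, check_secondary_mask(mask))
```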