dwolf
New Contributor

One to one NAT for new VLAN not working

I am trying to implement a second VPN device on a new VLAN 3 on switchport 0/8, but I can't even get ICMP to work. I can ping the new SSLVPN device from the source switchport 0/8, but I can't from the interface eth 0/2. The ACLs and policies are all the same, yet the original VPN works and the new SSLVPN doesn't (ICMP). I need the dedicated public IP to route directly to this new SSLVPN IP. The public IP comes in on eth 0/2 and the SSLVPN device is on switchport 0/8.

I have provided the relevant parts of my configuration below and would appreciate a second set of eyes to see what I am missing.

Thanks,

dwolf

!
!
! ADTRAN, Inc. OS version R10.9.0.E
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448,
ip policy-timeout udp all-ports 300
!
ip firewall
ip firewall fast-nat-failover
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
!
!
!
!
!
!
!
!
!
!
!
vlan 1
  name "Default"
!
vlan 2
  name "Voice"
!
vlan 3
  name "SSLVPN"
!
!
!
no ethernet cfm
!
interface eth 0/1
  description WAN-1
  ip address  xx.yy.28.61  255.255.255.248
  ip mtu 1500
  ip address  xx.yy.28.57  255.255.255.248  secondary
  ip address  xx.yy.28.59  255.255.255.248  secondary
  ip access-policy Public
  ip flow ingress
  ip flow egress
  qos-policy out eth0/2QosWizard
  no shutdown
!
!
interface eth 0/2
  description MegaPath
  ip address  xx.yy.186.170  255.255.255.252
  ip mtu 1500
  ip address range  xx.yy.79.83  xx.yy.79.84  255.255.255.248  secondary
  ip access-policy Public2
  ip flow ingress
  ip flow egress
  qos-policy out eth0/2QosWizard
  no shutdown
!
!
!
interface switchport 0/1
  no shutdown
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
interface switchport 0/5
  no shutdown
  switchport access vlan 2
!
interface switchport 0/6
  no shutdown
  switchport access vlan 2
!
interface switchport 0/7
  no shutdown
  switchport access vlan 2
!
interface switchport 0/8
  no shutdown
  switchport access vlan 3
!
!
!
interface vlan 1
  ip address  192.xx.yy.1  255.255.255.0
  ip access-policy Private
  no shutdown
!
interface vlan 2
  ip address  172.xx.yy.1  255.255.255.0
  ip policy route-map VoiceMap
  ip access-policy Private
  no shutdown
!
interface vlan 3
  description Fortinet SSL VPN device
  ip address  10.xxx.yy.2  255.255.255.252
  ip access-policy PrivateSSLVPN
  no shutdown
!
!
!
!
route-map local permit 10
  match ip address wan1
  set ip next-hop xx.yy.28.62
route-map local permit 20
  match ip address wan2
  set ip next-hop xxx.yyy.186.169
route-map VoiceMap permit 10
  match ip address VoiceMap
  set ip next-hop xxx.yyy.186.169
  set interface null 0
!
!
!
!
ip access-list standard natpool
  permit any
!
ip access-list standard natpool2
  permit any
!
ip access-list standard self
  permit any
!
!
ip access-list extended acleth0/2QosWizRTP20
  permit ip 172.xx.yy.0 0.0.0.255  any
!
ip access-list extended acleth0/2QosWizSignal21
  permit udp any  any range 5060 5061
  permit tcp any  any range 5060 5061
!
!
ip access-list extended SSLVPN
  remark xx.yy.79.84 -> 10.xxx.yy.1
  permit icmp any  host xx.yy.79.84     log
  permit tcp any  host xx.yy.79.84 eq https
  permit udp any  host xx.yy.79.84 eq 443
!
ip access-list extended SSLVPN-Out2
  remark 10.xxx.yy.1 : xx.yy.79.84
  permit icmp host 10.xxx.yy.1  any     log
  permit udp host 10.xxx.yy.1 eq 443 any
  permit tcp host 10.xxx.yy.1 eq https any
!
ip access-list extended VoiceMap
  permit ip 172.xx.yy.0 0.0.0.255  any     track wan2
  deny   ip any  any
!
ip access-list extended VPN
  permit icmp any  host xx.yy.28.57  echo   log
  permit gre any  host xx.yy.28.57
  permit tcp any  host xx.yy.28.57 eq 1723
!
ip access-list extended VPN-Out
  remark 192.xx.yy.250 : xx.yy.28.57
  permit gre host 192.xx.yy.250  any
  permit tcp host 192.xx.yy.250 eq 1723 any
  permit icmp host 192.xx.yy.250  any
!
ip access-list extended VPN-Out2
  remark 192.xx.yy.250 : xx.yy.79.83
  permit gre host 192.xx.yy.250  any
  permit tcp host 192.xx.yy.250 eq 1723 any
  permit icmp host 192.xx.yy.250  any
!
ip access-list extended VPN2
  permit icmp any  host xx.yy.79.83  echo
  permit gre any  host xx.yy.79.83
  permit tcp any  host xx.yy.79.83 eq 1723
!
ip access-list extended wan1
  permit icmp host xx.yy.28.61  host 4.2.2.4     log
!
ip access-list extended wan2
  permit icmp host xxx.yyy.186.170  host xxx.yyy.186.169     log
!
ip access-list extended web-acl-1
  remark Jive Allow
  permit ip 199.36.248.0 0.0.3.255  172.xx.yy.0 0.0.0.255
!
ip access-list extended web-acl-2
  remark Jive Allow 2
  permit ip 199.87.120.0 0.0.3.255  172.xx.yy.0 0.0.0.255
!
ip access-list extended web-acl-3
  remark Admin Access
  permit tcp any  any eq https   log
  permit tcp any  any eq ssh   log
  permit icmp any  any  echo   log
!
ip access-list extended web-acl-4
  remark Jive Allow 3
  permit ip 162.250.60.0 0.0.3.255  172.xx.yy.0 0.0.0.255
!
!
!
!
ip policy-class Private
  allow list self self
  nat source list VPN-Out address xx.yy.28.57 overload policy Public
  nat source list VPN-Out2 address xx.yy.79.83 overload policy Public2
  nat source list natpool interface eth 0/1 overload policy Public
  nat source list natpool2 interface eth 0/2 overload policy Public2
!
ip policy-class PrivateSSLVPN
  nat source list SSLVPN-Out2 address xx.yy.79.84 overload policy Public2
  allow list self self
!
no ip policy-class Public rpf-check
ip policy-class Public
  nat destination list VPN address 192.xx.yy.250
  allow list web-acl-1
  allow list web-acl-2
  allow list web-acl-4
  allow list web-acl-3 self
!
no ip policy-class Public2 rpf-check
ip policy-class Public2
  nat destination list VPN2 address 192.xx.yy.250
  nat destination list SSLVPN address 10.xxx.yy.1
  allow list web-acl-1
  allow list web-acl-2
  allow list web-acl-4
  allow list web-acl-3 self
!
!
!
ip route 0.0.0.0 0.0.0.0 xx.yy.28.62 track wan1
ip route 0.0.0.0 0.0.0.0 xxx.yyy.186.169 track wan2
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!

1 Reply
jayh
Honored Contributor

Re: One to one NAT for new VLAN not working

It looks like you have a routing issue. You have only a default route out WAN 1 that fails over to Megapath should that fail. Hence you will try to route out the other provider with a source of Megapath's IP.

You could add a static route to the SSLVPN endpoint with a gateway of Megapath's next hop. You could also use a route-map for the remote endpoint.

"show ip policy-session" may give a clue as to how it's routing.

Also, the secondary IPs, which I assume are for the LAN block assigned by the ISPs, may be conflicting with the primary source of the point-to-point /30 to the provider. You might not be sourcing from where you think you are. Consider using a loopback for these, or a VLAN interface if you need access to these subnets by physical devices.

BTW, it isn't necessary to mask IPs of RFC1918 addresses like 10/8, 172.16/12 and 192.168/16; it makes things a bit harder to follow.
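To make the routing diagnosis in the reply concrete, here is an added example (not code from the thread, the poster, or Adtran): a small longest-prefix-match route lookup with tracked routes that recreates the two default routes from the posted config, first without and then with the more specific static route to the remote endpoint that the reply suggests. All addresses are constructed stand-ins for the masked values in the post (documentation ranges), the remote SSL VPN client is hypothetical, and the preference for the WAN-1 default route while both tracks are up is modelled the way the reply describes it rather than as a property of AOS itself.

```python
"""Added example, not from the thread: why the SSLVPN reply traffic leaves via
WAN-1 with only tracked default routes, and how a /32 static route toward the
remote client via Megapath's next hop changes the egress interface."""
import ipaddress

# Constructed stand-ins for the masked addresses in the post.
WAN1_NEXT_HOP = "203.0.113.62"        # stands in for xx.yy.28.62 (track wan1)
MEGAPATH_NEXT_HOP = "198.51.100.169"  # stands in for xxx.yyy.186.169 (track wan2)
REMOTE_CLIENT = "192.0.2.10"          # hypothetical SSL VPN user on the Internet


class Route:
    def __init__(self, prefix, next_hop, interface, track=None):
        self.network = ipaddress.ip_network(prefix)
        self.next_hop = next_hop
        self.interface = interface
        self.track = track          # name of the track object, or None


class RoutingTable:
    """Destination-based forwarding: longest matching prefix wins, and a route
    whose track object is down is not a candidate at all. Among equal-length
    prefixes the first one added wins (WAN-1 preferred, as the reply says)."""

    def __init__(self, track_up):
        self.routes = []
        self.track_up = dict(track_up)   # track name -> True when the probe passes

    def add(self, prefix, next_hop, interface, track=None):
        self.routes.append(Route(prefix, next_hop, interface, track))

    def candidates(self):
        return [r for r in self.routes
                if r.track is None or self.track_up.get(r.track, False)]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for r in self.candidates():
            if dst in r.network and (best is None
                                     or r.network.prefixlen > best.network.prefixlen):
                best = r
        return best


def build_table(track_up, static_to_client=False):
    """Recreate the two tracked default routes from the post; optionally add the
    host route to the remote endpoint via Megapath that the reply suggests."""
    rt = RoutingTable(track_up)
    rt.add("0.0.0.0/0", WAN1_NEXT_HOP, "eth 0/1", track="wan1")
    rt.add("0.0.0.0/0", MEGAPATH_NEXT_HOP, "eth 0/2", track="wan2")
    if static_to_client:
        rt.add(REMOTE_CLIENT + "/32", MEGAPATH_NEXT_HOP, "eth 0/2")
    return rt


def egress_for_reply(track_up, static_to_client=False):
    """Interface on which the SSLVPN device's reply to REMOTE_CLIENT leaves."""
    route = build_table(track_up, static_to_client).lookup(REMOTE_CLIENT)
    return route.interface if route else None


def is_symmetric(ingress_interface, track_up, static_to_client=False):
    """True when the reply leaves on the WAN link the request arrived on.
    An asymmetric path here means a packet sourced from Megapath's address
    block is handed to the WAN-1 provider, which is what the reply warns of."""
    return egress_for_reply(track_up, static_to_client) == ingress_interface


if __name__ == "__main__":
    both_up = {"wan1": True, "wan2": True}
    print("no static route, both links up:", egress_for_reply(both_up))
    print("with static route, both links up:", egress_for_reply(both_up, True))
    print("wan1 down, no static route:",
          egress_for_reply({"wan1": False, "wan2": True}))
```

The request arrives on eth 0/2 (the MegaPath link), so the `is_symmetric("eth 0/2", ...)` check is the one that matters: it fails with only the default routes and passes once the host route is present. The same lookup shows the original behaviour is not wrong as such, since the reply does leave via WAN-2 when the wan1 track fails; it is simply the wrong link while WAN-1 is healthy, which is why the poster sees the older VPN on WAN-1 work while the new one on WAN-2 does not.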