cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
g-man
New Contributor

1:1 NAT Help.

Jump to solution

I am trying to configure a 1:1 NAT allowing only a group of IP's to access the server via https. I used the Example 9 - Static 1:1 NAT from IPv4 Firewall Protection in AOS and its just not making it to the Server. When the secondary IP had a subnet of 255.255.255.255 requests were going to the Adtran Web Interface. I updated the subnet to 255.255.255.248 and not I do not get anything. What am I missing?

Config

!

clock timezone -8

!

ip subnet-zero

ip classless

ip routing

ipv6 unicast-routing

!

!

name-server 8.8.8.8

!

!

auto-config

!

event-history on

no logging forwarding

no logging email

!

service password-encryption

!

username "" password ""

username "" password ""

!

!

ip firewall

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

no dot11ap access-point-control

!

!

interface eth 0/1

  description WAN

  ip address  76.10.76.10  255.255.255.248

  ip address  76.10.76.11  255.255.255.255  secondary

  ip access-policy Public

  media-gateway ip primary

  no shutdown

!

!

interface eth 0/2

  description  (LAN)

  ip address  192.168.33.1  255.255.255.0

  ip access-policy Private

  media-gateway ip primary

  no awcp

  no shutdown

!

!

!

interface gigabit-eth 0/1

  no ip address

  shutdown

!

!

!

!

interface t1 0/1

  shutdown

!

interface t1 0/2

  shutdown

!

interface t1 0/3

  lbo short 15

  tdm-group 1 timeslots 1-24 speed 64

  no shutdown

!

interface t1 0/4

  shutdown

!

!

interface pri 1

  isdn name-delivery proceeding

  connect t1 0/3 tdm-group 1

  digits-transferred 4

  no shutdown

!

!

interface fxs 0/1

  impedance 600r

  no shutdown

!

interface fxs 0/2

  no shutdown

!

interface fxs 0/3

  no shutdown

!

interface fxs 0/4

  no shutdown

!

interface fxs 0/5

  no shutdown

!

interface fxs 0/6

  no shutdown

!

interface fxs 0/7

  no shutdown

!

interface fxs 0/8

  no shutdown

!

interface fxs 0/9

  no shutdown

!

interface fxs 0/10

  no shutdown

!

interface fxs 0/11

  no shutdown

!

interface fxs 0/12

  no shutdown

!

interface fxs 0/13

  no shutdown

!

interface fxs 0/14

  no shutdown

!

interface fxs 0/15

  no shutdown

!

interface fxs 0/16

  no shutdown

!

interface fxs 0/17

  no shutdown

!

interface fxs 0/18

  no shutdown

!

interface fxs 0/19

  no shutdown

!

interface fxs 0/20

  no shutdown

!

interface fxs 0/21

  no shutdown

!

interface fxs 0/22

  no shutdown

!

interface fxs 0/23

  no shutdown

!

interface fxs 0/24

  no shutdown

!

!

isdn-group 1

  connect pri 1

!

!

ip access-list standard allow-all

  remark allow all traffic

  permit any

!

ip access-list standard mgmt-allow-list

  permit host 70.11.11.99

!

ip access-list standard sip-allow-list

  permit hostname X.X.COM

!

!

ip access-list extended WEB-ACL-3

  permit tcp any  any eq https 

  permit tcp any  any eq ssh 

!

ip access-list extended WEB-ACL-4

  remark 1:1 NAT 76.10.76.11 > 192.168.33.11

  permit ip any  host 76.10.76.11   

!

ip access-list extended WEB-ACL-5

  remark 1:1 NAT 192.168.33.11 > 76.10.76.11

  permit ip host 192.168.33.11 any   

!

!

!

!

ip policy-class Private

  nat source list allow-all interface eth 0/1 overload policy Public

  allow list allow-all self

  nat source list WEB-ACL-5 address 76.10.76.11 overload

!

ip policy-class Public

  allow list allow-all self

  nat destination list WEB-ACL-4 address 192.168.33.11

  allow list WEB-ACL-3 self

!

!

!

ip route 0.0.0.0 0.0.0.0 76.10.76.9

!

no tftp server

no tftp server overwrite

http server

http secure-server

no snmp agent

no ip ftp server

no ip scp server

no ip sntp server

!

!

!

sip

sip udp 5060

no sip tcp

!

!

!

voice feature-mode network

voice forward-mode network

!

!

voice dial-plan 2 long-distance 1-NXX-NXX-XXXX

!

voice codec-list VOICE

  default

  codec g711ulaw

!

voice codec-list FAX

  codec g711ulaw

!

voice trunk T01 type sip

  description "SIP"

  match dnis "91-NXX-NXX-XXXX" substitute "1-NXX-NXX-XXXX"

  match dnis "9NXX-XXXX" substitute "1-310-NXX-XXXX"

  match dnis "NXX-NXX-XXXX" substitute "1-NXX-NXX-XXXX"

  match dnis "NXX-XXXX" substitute "1-310-NXX-XXXX"

  sip-server primary 188.255.88.10

  registrar primary 188.255.88.10

  register 15555555555 auth-name "" password "

  codec-list VOICE both

  authentication username "" password ""

!

voice trunk T02 type isdn

  description "DSX-1"

  resource-selection linear ascending

  connect isdn-group 1

  no early-cut-through

  match dnis "1NXXNXXXXXX" substitute "1NXXNXXXXXX"

  match dnis "1NXXNXXXXXX" substitute "1NXXNXXXXXX"

  rtp delay-mode adaptive

  codec-list VOICE

!

!

voice grouped-trunk SIP

  trunk T01

  accept $ cost 0

!

!

voice grouped-trunk ISDN

  trunk T02

  accept 1NXXNXXXXXX cost 0

!

!

voice user 1000

  password ""

  description "fax 001"

  modem-passthrough

  codec-list VOICE

!

!

voice user 1001

  connect fxs 0/1

  password ""

  description "LD fax COM2"

  modem-passthrough

  codec-list VOICE

!

!

voice user 1002

  connect fxs 0/2

  password ""

  description "LD Fax COM5"

  caller-id-override external-number 1NXXNXXXXXX

  modem-passthrough

  codec-list VOICE

!

!

voice user 1003

  connect fxs 0/3

  password ""

  caller-id-override external-number 1NXXNXXXXXX

  modem-passthrough

  codec-list VOICE

!

!

voice user 1004

  connect fxs 0/4

  password ""

  caller-id-override external-number 1NXXNXXXXXX

  did "1NXXNXXXXXX"

  did "1NXXNXXXXXX"

  modem-passthrough

  codec-list VOICE

!

!

voice user 1005

  connect fxs 0/5

  password ""

  modem-passthrough

  codec-list VOICE

!

!

voice user 1006

  connect fxs 0/6

  password ""

  modem-passthrough

  codec-list VOICE

!

!

voice user 1007

  password ""

  modem-passthrough

  codec-list VOICE

!

!

voice user 1008

  password ""

  modem-passthrough

  codec-list VOICE

!

!

voice user 1009

  password ""

  modem-passthrough

  codec-list VOICE

!

!

voice user 101

  password ""

  codec-list VOICE

!

!

voice user 1010

  password ""

  modem-passthrough

  codec-list VOICE

!

sip access-class ip "sip-allow-list" in

!

!

line con 0

  no login

!

line telnet 0 4

  login local-userlist

  password password

  shutdown

  ip access-class mgmt-allow-list in

line ssh 0 4

  login local-userlist

  no shutdown

  ip access-class mgmt-allow-list in

!

end

0 Kudos
1 Solution

Accepted Solutions
jayh
Honored Contributor
Honored Contributor

Re: 1:1 NAT Help.

Jump to solution

Your Public zone is configured as follows:

!

ip policy-class Public

  allow list allow-all self

  nat destination list WEB-ACL-4 address 192.168.33.11

  allow list WEB-ACL-3 self

!

and you have:

http secure-server

Policy-class rules are processed in order. Because allow list allow-all self is before nat destination list WEB-ACL-4 address 192.168.33.11 in the Public policy class, https requests will first go to the AOS web interface.

You can change the Public policy-class as follows:

!

ip policy-class Public

  nat destination list WEB-ACL-4 address 192.168.33.11

  allow list allow-all self

  allow list WEB-ACL-3 self

!

This will cause the NAT to your internal server first. Change the NAT destination list to only match https traffic.

!

ip access-list extended WEB-ACL-4

  remark 1:1 NAT 76.10.76.11 > 192.168.33.11 for HTTPS webserver

  no permit ip any host 76.10.76.11   

  permit tcp any host 76.10.76.11 eq 443

!

Alternatively, you can change the port on which the internal Adtran web server is listening.

http secure-server 8443

for example.

For security, you may also want to limit the IPs that can access the AOS web interface. The following will use the same ACL you use for SSH. Don't lock yourself out. You might want to add your LAN subnet of 192.168.33.0 0.0.0.255 to mgmt-allow-list.

!

http ip access-class mgmt-allow-list in

http ip secure-access-class mgmt-allow-list in

!

Contrary to the previous reply, DO NOT configure a default gateway. This would only be used if you didn't have ip routing enabled with a static default route. It won't break anything now, but it isn't good practice should something go wonky with your static default route. This command is primarily for use on layer 2 switches and not routers. If you ever do use ip default-gateway, don't point it to your own interface but to that of the next-hop upstream router.

View solution in original post

6 Replies
mick
Contributor
Contributor

Re: 1:1 NAT Help.

Jump to solution

Hi g-man,

I can see two things which need changing, but there may be more.

You have not set a default geteway:

!

ip subnet-zero

ip classless

ip default-gateway 76.10.76.10

ip routing

ipv6 unicast-routing

!

Also, the secondary IP's subnet is incorrect:

!

interface eth 0/1

  description WAN

  ip address  76.10.76.10  255.255.255.248

  ip address  76.10.76.11  255.255.255.248  secondary

  ip access-policy Public

  media-gateway ip primary

  no shutdown

!

Hope this helps,

--

Regards,

Mick

g-man
New Contributor

Re: 1:1 NAT Help.

Jump to solution

Hey Mick,

Thank you for the feed back. I updated the default gateway, ip default-gateway 76.10.76.10 and changed the subnet to ip address  76.10.76.11  255.255.255.255. When I attempt to connect via my web browser to https://76.10.76.11 I get redirected to the AOS web interface, not the server on the Private interface. From the logs it looks like it is not passing the session to the Private IP

debug ip firewall

2019.04.06 04:58:19 FIREWALL   Assoc Index = 83232, Count (total, policy-class) = 13, 8

2019.04.06 04:58:19 FIREWALL   allow, flags = 0x0000003D, 0x00000014, timeout = 4

2019.04.06 04:58:19 FIREWALL   Selector1: Dir=Public, int=eth 0/1, Protocol=6  cookie-> Loopback

2019.04.06 04:58:19 FIREWALL     SrcIp: 105.15.175.111, DstIp: 76.10.76.11

2019.04.06 04:58:19 FIREWALL     SrcPort: 57240, DstPort: 443

2019.04.06 04:58:19 FIREWALL   Selector2: Dir=SELF, int=Loopback, Protocol=6  cookie-> eth 0/1

2019.04.06 04:58:19 FIREWALL     SrcIp: 76.10.76.11, DstIp: 105.15.175.111

2019.04.06 04:58:19 FIREWALL     SrcPort: 443, DstPort: 57240

2019.04.06 04:58:19 FIREWALL Deleting Association

2019.04.06 04:58:19 FIREWALL   Assoc Index = 83231, Count (total, policy-class) = 13, 8

2019.04.06 04:58:19 FIREWALL   allow, flags = 0x0000003D, 0x00000014, timeout = 4

2019.04.06 04:58:19 FIREWALL   Selector1: Dir=Public, int=eth 0/1, Protocol=6  cookie-> Loopback

2019.04.06 04:58:19 FIREWALL     SrcIp: 105.15.175.111, DstIp: 76.10.76.11

2019.04.06 04:58:19 FIREWALL     SrcPort: 57239, DstPort: 443

2019.04.06 04:58:19 FIREWALL   Selector2: Dir=SELF, int=Loopback, Protocol=6  cookie-> eth 0/1

2019.04.06 04:58:19 FIREWALL     SrcIp: 76.10.76.11, DstIp: 105.15.175.111

2019.04.06 04:58:19 FIREWALL     SrcPort: 443, DstPort: 57239

2019.04.06 04:58:19 FIREWALL id=firewall time="2019-04-06 04:58:19" fw=VVV pri=6 rule=3  proto=https src=105.15.175.111 dst=76.10.76.11 msg="Connection closed.Bytes transferred : 1353 Src 57239 Dst 443 from Public policy-class on interface eth 0/1" agent=AdFirewall

2019.04.06 04:58:19 FIREWALL Deleting Association

jayh
Honored Contributor
Honored Contributor

Re: 1:1 NAT Help.

Jump to solution

Your Public zone is configured as follows:

!

ip policy-class Public

  allow list allow-all self

  nat destination list WEB-ACL-4 address 192.168.33.11

  allow list WEB-ACL-3 self

!

and you have:

http secure-server

Policy-class rules are processed in order. Because allow list allow-all self is before nat destination list WEB-ACL-4 address 192.168.33.11 in the Public policy class, https requests will first go to the AOS web interface.

You can change the Public policy-class as follows:

!

ip policy-class Public

  nat destination list WEB-ACL-4 address 192.168.33.11

  allow list allow-all self

  allow list WEB-ACL-3 self

!

This will cause the NAT to your internal server first. Change the NAT destination list to only match https traffic.

!

ip access-list extended WEB-ACL-4

  remark 1:1 NAT 76.10.76.11 > 192.168.33.11 for HTTPS webserver

  no permit ip any host 76.10.76.11   

  permit tcp any host 76.10.76.11 eq 443

!

Alternatively, you can change the port on which the internal Adtran web server is listening.

http secure-server 8443

for example.

For security, you may also want to limit the IPs that can access the AOS web interface. The following will use the same ACL you use for SSH. Don't lock yourself out. You might want to add your LAN subnet of 192.168.33.0 0.0.0.255 to mgmt-allow-list.

!

http ip access-class mgmt-allow-list in

http ip secure-access-class mgmt-allow-list in

!

Contrary to the previous reply, DO NOT configure a default gateway. This would only be used if you didn't have ip routing enabled with a static default route. It won't break anything now, but it isn't good practice should something go wonky with your static default route. This command is primarily for use on layer 2 switches and not routers. If you ever do use ip default-gateway, don't point it to your own interface but to that of the next-hop upstream router.

View solution in original post

mick
Contributor
Contributor

Re: 1:1 NAT Help.

Jump to solution

It seems I had misunderstood the default gateway setting - thank you jayh for correcting my post above.

--

Regards,

Mick

g-man
New Contributor

Re: 1:1 NAT Help.

Jump to solution

Jayh,

Thank, that did it. One final question, if I wanted to only allow certain IP addresses to be able to access the server via https and ssh would I just need to update ACL3?

ip access-list extended WEB-ACL-3

  permit tcp host 55.20.76.76  any eq https 

  permit tcp host 79.15.22.13 any eq https 

  permit tcp host 55.20.76.76  any eq ssh 

  permit tcp host 79.15.22.13 any eq ssh

jayh
Honored Contributor
Honored Contributor

Re: 1:1 NAT Help.

Jump to solution

Your WEB-ACL-4 is what controls access to the server on 192.168.33.11. If you wanted to control access to that server, you would modify WEB-ACL-4 for that. Obviously remove the permit tcp any, and you would specify the IP that NATs to the webserver as the destination. So:

ip access-list extended WEB-ACL-4

  permit tcp host 55.20.76.76  host 76.10.76.11 eq https 

  permit tcp host 79.15.22.13 host 76.10.76.11 eq https 

  permit tcp host 55.20.76.76  host 76.10.76.11 eq ssh 

  permit tcp host 79.15.22.13 host 76.10.76.11 eq ssh

WEB-ACL-3 actually does nothing. You reference it in the Public policy-class but it's after "allow list allow-all self" so it will never be seen.

If you want to limit access to management of the device itself, use your existing standard ACL "ip access-list standard mgmt-allow-list" and put the allowed hosts and subnets there. Usually you'll also want to include your 192.168.33.0 0.0.0.255 in that ACL for local access, but that depends on your preference and security policy. Reference this ACL in your "line ssh", "http server" and "http secure-server" configuration, also SNMP if enabled. This is far easier to manage than including it in the Public policy-class as there is other traffic to the device such as SIP and RTP to the phones so you generally want to allow any to self and then lock down the services as needed. You can also create a SIP access list to control sip-vicious, etc. by limiting SIP to your SIP provider.