New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

OK - here goes- removed a handful of port forwards on eth 0/2 to inside 192.168 servers

hopefully everything you need to see -

!
!
! ADTRAN, Inc. OS version R11.4.5.E
! Boot ROM version R10.9.3.B1
! Platform: Total Access 908e (3rd Gen), part number 4243908F2
!
!
hostname "host"
enable password encrypted!
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip default-gateway xxx.xxx.xxx.101
ip routing
ipv6 unicast-routing
!
!
name-server xxx.xxx.xxx.6 xxx.xxx.xxx.25
!
!
no auto-config
!
event-history on
no logging forwarding
no logging console
no logging email
!
service password-encryption
!#
!
ip policy-timeout tcp echo 60
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
no dot11ap access-point-contro
!
!
!
ip dhcp database local
ip dhcp excluded-address 192.168.10.0 192.168.10.100
!
ip dhcp pool "local"
  network 192.168.10.0 255.255.255.0
  domain-name "local"
  dns-server xxx.xxx.xxx.6 xxx.xxx.xxx.25
  default-router 192.168.10.1
!
!
ip crypto ffe
!
!
interface eth 0/1
  description Eth1
  speed 100
  ip address  xxx.xxx.xxx.89  255.255.255.248
  ip access-policy DMZ
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
!
interface eth 0/2
  description Eth2
  speed 100
  ip address  xxx.xxx.xxx.102  255.255.255.252
  ip mtu 1500
  ip access-policy Public
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
!
interface gigabit-eth 0/1
  description local
  ip address  192.168.10.1  255.255.255.0
  ip access-policy Private
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
ip access-list extended self
  remark Traffic to Total Access
  permit ip any  any     log
!
!
ip access-list extended web-acl-22
  remark Allow
  permit ip any  any
!
ip access-list extended web-acl-23
  remark https
  permit tcp any  xxx.xxx.xxx.88 0.0.0.7 eq https
!
ip access-list extended web-acl-4
  remark ssh
  permit tcp any  host xxx.xxx.xxx.102 eq ssh
!
ip access-list extended web-acl-5
  remark https
  permit tcp any  host xxx.xxx.xxx.102 eq https
!
!
ip policy-class DMZ
  allow list web-acl-23 policy DMZ
  allow list web-acl-22 self
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/2 overload
!
ip policy-class Public
  allow list web-acl-4 self
  allow list web-acl-5 self
!
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.101
!
no tftp server
no tftp server overwrite
http server
http session-timeout 1320
http secure-server
no snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
!
sip
sip udp 5060
no sip tcp
!
!
!
ip rtp symmetric-filter
!
ntp server us.pool.ntp.org
!
!
end

Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

OK, you'll want some tweaks to your access policy.

!
ip policy-class DMZ
  no allow list web-acl-23 policy DMZ ! <- This isn't needed as it's the same subnet.
  allow list web-acl-22 self
  allow list web-acl-22 policy Public ! <- Allow the DMZ to go out to the Internet
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/2 overload
  allow list [whatever] policy DMZ ! <- Allow the NAT devices whatever access to the DMZ you want.
!
ip policy-class Public
  allow list web-acl-4 self
  allow list web-acl-5 self
  allow list [whatever] policy DMZ ! <- Allow public to services on DMZ as needed.
!

As to why you're seeing a route loop reaching the DMZ, this isn't a firewall issue but routing. Double-check for typos in the IP addresses for the /29 from your provider vs. what you've configured. Also, it usually isn't a good idea to configure the speed on an interface as you've done on eth 0/1 and eth 0/2. This can cause problems with switch auto-negotiation. Most gear made in the last decade or more doesn't need it, and I've found it to cause more harm than good.

New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

Still not working.

From the router prompt, I can ping the address on eth 0/1, xxx.xxx.xxx.89, but cannot ping the servers at xxx.xxx.xxx.90 or .91.

I will be at the site this week and see if I can ping the router from the server or a PC on that segment.

Also, I checked the IP, and as best I can tell it is coded per the ISP:

addr:      xxx.xxx.xxx.88
netmask:   255.255.255.0
wildcard:  0.0.0.7
Network:   xxx.xxx.xxx.88/29
HostMin:   xxx.xxx.xxx.89  <- assigned to eth 0/1
HostMax:   xxx.xxx.xxx.94
Broadcast: xxx.xxx.xxx.95

  -> servers at xxx.xxx.xxx.90, xxx.xxx.xxx.91 with GW xxx.xxx.xxx.89, netmask 255.255.255.248

Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

busy2 wrote:

Still not working.

From the router prompt, I can ping the address on eth 0/1, xxx.xxx.xxx.89, but cannot ping the servers at xxx.xxx.xxx.90 or .91.

OK, check the server configuration. The servers should have a netmask of 255.255.255.248 and a gateway of xxx.xxx.xxx.89. See if the servers can ping each other and if they show up in the router's ARP table. After an attempted ping, type "show arp".

Also, I checked the IP, and as best I can tell it is coded per the ISP:

addr:     xxx.xxx.xxx.88
netmask:  255.255.255.0
wildcard: 0.0.0.7

The netmask above is wrong; it should be 255.255.255.248.

The "addr: xxx.xxx.xxx.88" is the network address, not usable for hosts or the gateway.

New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

Yep, that was a typo. The mask is 255.255.255.248, and I looked at the IP in arin.net and it is recorded correctly, so it must be something in the config.

I still need to go out to the site and check pings on the eth 0/1 segment.

New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

Still at it. OK, here is another config, with masked IP addresses:

aaa.bbb.ccc for the /32 on eth 0/2, and xx.xxx.xxx for the /29 on eth 0/1.

=================following================
Config 2018-Jan-09
- - - - - - - - - - - - - - - - - - - - - - - - - -
ip subnet-zero
ip classless
ip default-gateway aaa.bbb.ccc.101
ip routing
ipv6 unicast-routing
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
ip crypto ffe
!
interface eth 0/1
  description Eth1
  ip address  xx.xxx.xxx.89  255.255.255.248
  ip access-policy DMZ
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
interface eth 0/2
  description Eth2
  speed 100
  ip address  aaa.bbb.ccc.102  255.255.255.252
  ip mtu 1500
  ip access-policy Public
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
interface gigabit-eth 0/1
  description Rushford
  ip address  192.168.10.1  255.255.255.0
  ip access-policy Private
  no rtp quality-monitoring
  media-gateway ip primary
  no awcp
  no shutdown
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
ip access-list extended filterIP
  permit ip host 192.168.10.106  host 82.165.21.187
!
ip access-list extended self
  remark Traffic to Total Access
  permit ip any  any     log
!
ip access-list extended web-acl-10
  remark 58108
  permit tcp any  host aaa.bbb.ccc.102 eq 108   log
!
ip access-list extended web-acl-14
  remark 1681053
  permit tcp any  host aaa.bbb.ccc.102 eq 1053   log
!
ip access-list extended web-acl-15
  remark 1671054
  permit tcp any  host aaa.bbb.ccc.102 eq 1054   log
!
ip access-list extended web-acl-16
  remark 56106
  permit tcp any  host aaa.bbb.ccc.102 eq 106   log
!
ip access-list extended web-acl-18
  remark 7183
  permit tcp any  host aaa.bbb.ccc.102 eq 83   log
  permit tcp any  host aaa.bbb.ccc.102 eq 3440   log
  permit tcp any  host aaa.bbb.ccc.102 eq 8000   log
!
ip access-list extended web-acl-25
  permit ip any  any
!
ip access-list extended web-acl-27
  remark pvt2dmz
  permit ip any  any     log
!
ip access-list extended web-acl-28
  remark pub2dmz
  permit ip any  any
!
ip access-list extended web-acl-4
  remark ssh
  permit tcp any  host aaa.bbb.ccc.102 eq ssh
!
ip access-list extended web-acl-5
  remark https
  permit tcp any  host aaa.bbb.ccc.102 eq https
!
ip access-list extended web-acl-6
  remark 50100
  permit tcp any  host aaa.bbb.ccc.102 eq 100   log
!
ip access-list extended web-acl-7
  remark 51101
  permit tcp any  host aaa.bbb.ccc.102 eq hostname   log
!
ip access-list extended web-acl-8
  remark 54104
  permit tcp any  host aaa.bbb.ccc.102 eq 104   log
!
ip access-list extended web-acl-9
  remark 55105
  permit tcp any  host aaa.bbb.ccc.102 eq 105   log
!
ip policy-class DMZ
  allow list web-acl-25 policy Public
!
ip policy-class Private
  allow list web-acl-27 policy DMZ
  allow list self self
  nat source list wizard-ics interface eth 0/2 overload
  discard list filterIP
!
ip policy-class Public
  allow list web-acl-4 self
  allow list web-acl-5 self
  nat destination list web-acl-6 address 192.168.10.50
  nat destination list web-acl-7 address 192.168.10.51
  nat destination list web-acl-8 address 192.168.10.54
  nat destination list web-acl-9 address 192.168.10.55
  nat destination list web-acl-16 address 192.168.10.56
  nat destination list web-acl-10 address 192.168.10.58
  nat destination list web-acl-14 address 192.168.10.168
  nat destination list web-acl-15 address 192.168.10.167
  nat destination list web-acl-18 address 192.168.10.71
  allow list web-acl-28 policy DMZ
!
ip policy-class Public2
  ! Implicit discard
!
ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.101
!
[** NOTE: added static route - but it did not help]
ip route xx.xxx.xxx.88 255.255.255.248 aaa.bbb.ccc.102
!

Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

busy2 wrote:

!
[** NOTE: added static route - but it did not help]
ip route xx.xxx.xxx.88 255.255.255.248 aaa.bbb.ccc.102
!

You don't want this, xx.xxx.xxx.88 is directly connected.

You should add "allow list self self" to the DMZ policy-class for tests from the Adtran itself.

It sounds like eth 0/1 isn't connected.

Does "show ip route" list the xx.xxx.xxx.88/29 as a connected route? 

Are the servers on xx.xxx.xxx.90 and .91 in the ARP cache after an attempted ping?

Do the servers have  xx.xxx.xxx.89 configured as their gateway?

Can the servers ping each other?

New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

"show ip route" 

Yes, xx.xxx.xxx.88/29 is directly connected, eth 0/1.

sh arp

Addresses in the 90-94 range show in the ARP table (but currently there are no devices on those addresses; the server is currently offline). Table entries look like this:

ADDRESS          TTL   MAC ADDRESS     INTERFACE   TYPE
xx.xxx.xxx.91    0     (Unresolved)    eth 0/1     dynamic

Also, I was able to ping xx.xxx.xxx.89  (eth 0/1) remotely from a device on the 192.168.10.0 network.

I will be onsite at this location tomorrow to check the server gateway address and run pings from the /29

appreciate your input and time on this project.  Thanks

Honored Contributor

Re: Need assistance routing Public IP natively w/o NAT

(Unresolved) in the ARP table means that the servers aren't connected. You should see the MAC address of the server when it's connected. Can you ping xx.xxx.xxx.89 from the Internet?

New Contributor

Re: Need assistance routing Public IP  natively w/o NAT

IT'S Working!!!

Last night's pings were promising.

Once on site today, after re-plugging and unplugging the connections the local crew had installed in the cabinets, pings started working inside. The server comes up and shows up in ARP with its MAC.

There is another /29 address supposedly, but it doesn't show when pinging the /29 range 89-94.

Last piece of this is to restrict ports to the server connection xx.xxx.xxx.89/29.

That would be an allow list in security zone dmz with destination dmz and ports selected "443,80,......"?

(^ btw, this is a question.)

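As an added example to close out the port-restriction question (this is editor-supplied, not from the thread and not Adtran documentation), here is the shape such a rule takes in the same syntax the posted configs use. One correction to the question as asked: the rule does not live in the DMZ policy-class with destination DMZ. Policy-classes are evaluated on the interface the packet arrives on, so Internet-to-server traffic is governed by the Public class with "policy DMZ" as the destination, exactly where the earlier reply's "allow list [whatever] policy DMZ" line sits. The ACL name pub2dmz-web is an assumption, and xx.xxx.xxx.90/.91 stand in for the two masked /29 server addresses from the thread; the "!" lines are reading notes, not commands to paste.

```text
! Added example (not from the thread): Internet -> DMZ limited to TCP 80/443
! on the two servers. ACL name is assumed; .90/.91 are the masked thread addresses.
ip access-list extended pub2dmz-web
  remark Internet to DMZ web servers, HTTP/HTTPS only (log kept while validating)
  permit tcp any  host xx.xxx.xxx.90 eq 80   log
  permit tcp any  host xx.xxx.xxx.90 eq 443  log
  permit tcp any  host xx.xxx.xxx.91 eq 80   log
  permit tcp any  host xx.xxx.xxx.91 eq 443  log
!
ip policy-class Public
  ! the existing "allow list web-acl-4 self", "allow list web-acl-5 self"
  ! and "nat destination" lines stay as they are
  ! remove the "permit ip any any" pub2dmz rule that currently exposes the whole /29
  no allow list web-acl-28 policy DMZ
  ! only the listed hosts/ports are reachable from the Internet
  allow list pub2dmz-web policy DMZ
  ! implicit discard: anything else aimed at the DMZ from outside is dropped
!
ip policy-class DMZ
  ! unchanged: servers may initiate outbound to the Internet
  allow list web-acl-25 policy Public
  ! no rule toward Private, so the implicit discard keeps the DMZ
  ! from reaching the 192.168.10.0/24 LAN
!
```

Because "ip firewall" is enabled, the policy engine is stateful: replies from the servers to allowed inbound sessions, and return traffic for the DMZ's own outbound sessions permitted by web-acl-25, come back without a matching reverse rule. Test from outside with a TCP connect to 80 and 443 on .90/.91 and to a port that is not listed (the latter should time out), and drop the log keyword once the rule is confirmed so the event history is not filled with routine hits. If the servers need more than web, add each service as its own permit line rather than reverting to "permit ip any any".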