tonycaf
New Contributor

PAT statements not working


Hi all. I am trying to set up port forwarding on a 908e, but it is not working. Below is the config. I would appreciate any help.

ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
interface eth 0/1
  description WAN interface
  speed 100
  ip address 74.8.x.x 255.255.255.252
  ip address 63.x.x.162 255.255.255.248 secondary
  access-policy OUTSIDE
  ip access-group NOSPOOF in
  ip flow ingress
  ip flow egress
  no shutdown
interface eth 0/2
  description LAN interface
  ip address 192.168.0.1 255.255.255.0
  no ip proxy-arp
  access-policy INSIDE
  no shutdown
ip access-list standard MGDR_TELNET
  remark Telnet Access List
  permit 64.x.x.0 0.0.0.31
  permit 64.x.x.0 0.0.3.255
  permit 64.x.x.0 0.0.3.255
  permit 207.x.x.192 0.0.0.7
  permit 205.x.x.0 0.0.0.255
  permit host 63.x.x.86
  permit host 216.x.x.86
  permit 74.8.x.x 0.0.0.3
  permit 64.206.x.x 0.0.0.3
!
ip access-list extended NAT
  permit ip host 192.168.0.128 any
  permit ip host 192.168.0.155 any
  permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended NOSPOOF
  deny   53 any any
  deny   55 any any
  deny   77 any any
  deny   103 any any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 255.0.0.0 0.255.255.255 any
  deny   ip 224.0.0.0 7.255.255.255 any
  deny   ip host 0.0.0.0 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 63.x.x.160 0.0.0.7 any
  permit ip any any
ip access-list extended PAT01
  permit tcp any host 63.x.x.162 eq 1723
  permit tcp any host 63.x.x.162 eq 3389
  permit gre any host 63.x.x.162
  permit udp any host 63.x.x.162 eq 1723
!
ip access-list extended PAT02
  permit tcp any host 63.x.x.162 eq 143
  permit tcp any host 63.x.x.162 eq pop3
  permit tcp any host 63.x.x.162 eq https
  permit tcp any host 63.x.x.162 eq smtp
  permit udp any host 63.x.x.162 eq 25
!
ip access-list extended PAT03
  permit tcp any host 63.x.x.162 eq 4000
!
ip access-list extended PAT04
  permit tcp any host 63.x.x.162 eq 8245
  permit tcp any host 63.x.x.162 eq 9010
  permit tcp any host 63.x.x.162 eq 9011
!
ip access-list extended PAT05
  permit tcp any host 63.x.x.162 eq 9898
!
ip access-list extended SELF
  permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
ip access-list extended SMTP_OUT
  permit tcp host 192.168.0.3 any eq smtp
  permit udp host 192.168.0.3 any eq 25
ip policy-class INSIDE
  allow list SELF
  nat source list SMTP_OUT address 63.x.x.162 overload
  nat source list NAT interface eth 0/1 overload
!
ip policy-class OUTSIDE
  allow list MGDR_TELNET
  nat destination list PAT01 address 192.168.0.2
  nat destination list PAT03 address 192.168.0.15
  nat destination list PAT04 address 192.168.0.10
  nat destination list PAT05 address 192.168.0.50
  nat destination list PAT02 address 192.168.0.3

Accepted Solution

david
Valued Contributor

Re: PAT statements not working


Tonycaf,

Thanks for posting! There are a couple of things I would check first as potential problems. First, given your configuration, you would not be able to test the port forward from any device matching the MGDR_TELNET ACL. Since this is a standard ACL, it will match all traffic from those sources and not allow any other rules to be checked. If you suspect this is the problem, you may want to consider making MGDR_TELNET an extended ACL that specifies just the specific protocols used for management. Alternatively, you could move that rule, "allow list MGDR_TELNET", to the bottom of the list of rules. Generally speaking you want your more specific rules at the top of your list and the most general rules at the bottom.

Another thing to always check is to make sure that the devices on the LAN, 192.168.0.0/24, are using the Adtran unit's LAN IP address as their default gateway. We want to make sure that return traffic goes through the Adtran unit. Lastly, to check the behavior of any session/flow through the firewall, we can use the "show ip policy-sessions" command. This will show us if traffic has been allowed through the unit and if any IP address translation has taken place.

Feel free to respond to this thread if you have any further questions.

Thanks!

David
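To make the ordering problem in the accepted answer concrete, here is an added example (written for this page, not Adtran code) that models first-match evaluation of the OUTSIDE policy-class from the post. It assumes what the answer states: entries are tried in order, the first entry whose ACL permits the packet wins, and a standard ACL matches every protocol and port from its sources. The redacted addresses in the post are replaced with constructed RFC 5737 documentation addresses, the extended management ACL is an assumed example of the "specific protocols used for management" alternative (telnet only, to the router's own address), and only PAT01 and PAT02 of the five nat destination entries are reproduced; deny lines inside ACLs are not modelled because none of the lists referenced by OUTSIDE contain any.

```python
"""First-match model of an AOS 'ip policy-class'.

Added example; not Adtran code.  Reproduces the thread's problem: an
'allow list <standard ACL>' entry at the top of the policy-class matches
every protocol and port from its sources, so the 'nat destination' entries
below it are never reached for those sources.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

WAN_SECONDARY = "203.0.113.162"  # constructed stand-in for 63.x.x.162
MGMT_NET, MGMT_WILD = "198.51.100.0", "0.0.0.255"  # constructed MGDR_TELNET range
MGMT_SOURCE = "198.51.100.10"    # a host inside that range


def wild_match(addr: str, net: str, wild: str) -> bool:
    """Cisco/AOS wildcard semantics: a 0 bit in the mask must match."""
    care = ~int(IPv4Address(wild)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(net)) & care


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "gre"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One 'permit' line of an extended ACL.  A standard ACL line is the
    same thing with proto 'ip' and destination 'any'."""
    proto: str
    src: str
    src_wild: str
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and wild_match(p.src, self.src, self.src_wild)
                and wild_match(p.dst, self.dst, self.dst_wild)
                and (self.dport is None or self.dport == p.dport))


def to_host(proto: str, host: str, port: Optional[int] = None) -> Ace:
    """'permit <proto> any host <host> [eq <port>]'."""
    return Ace(proto, "0.0.0.0", "255.255.255.255", host, "0.0.0.0", port)


# ACLs from the post (permit-only, so "matches" == "permits").
MGDR_TELNET_STD = [Ace("ip", MGMT_NET, MGMT_WILD)]          # standard: any proto/port
PAT01 = [to_host("tcp", WAN_SECONDARY, 1723), to_host("tcp", WAN_SECONDARY, 3389),
         to_host("gre", WAN_SECONDARY), to_host("udp", WAN_SECONDARY, 1723)]
PAT02 = [to_host("tcp", WAN_SECONDARY, p) for p in (143, 110, 443, 25)] + \
        [to_host("udp", WAN_SECONDARY, 25)]
# Assumed extended replacement for MGDR_TELNET: telnet only, to the router itself.
MGDR_TELNET_EXT = [Ace("tcp", MGMT_NET, MGMT_WILD, WAN_SECONDARY, "0.0.0.0", 23)]


def evaluate(policy, p: Packet):
    """policy: ordered list of (action, acl, target).  First ACL that permits
    the packet decides; nothing matching falls to the implicit discard."""
    for action, acl, target in policy:
        if any(ace.matches(p) for ace in acl):
            return (action, target)
    return ("discard", None)


def outside_policy(mgmt_acl, allow_first: bool):
    nat_entries = [("nat destination", PAT01, "192.168.0.2"),
                   ("nat destination", PAT02, "192.168.0.3")]
    allow = [("allow", mgmt_acl, None)]
    return allow + nat_entries if allow_first else nat_entries + allow


RDP_FROM_MGMT = Packet("tcp", MGMT_SOURCE, WAN_SECONDARY, 3389)
TELNET_FROM_MGMT = Packet("tcp", MGMT_SOURCE, WAN_SECONDARY, 23)
SMTP_FROM_ELSEWHERE = Packet("tcp", "192.0.2.77", WAN_SECONDARY, 25)
SSH_FROM_ELSEWHERE = Packet("tcp", "192.0.2.77", WAN_SECONDARY, 22)


def scenarios():
    """Outcome of the same test packets under the posted and corrected orderings."""
    return {
        "as posted, RDP from mgmt host": evaluate(outside_policy(MGDR_TELNET_STD, True), RDP_FROM_MGMT),
        "allow moved last, RDP from mgmt host": evaluate(outside_policy(MGDR_TELNET_STD, False), RDP_FROM_MGMT),
        "extended mgmt ACL, RDP from mgmt host": evaluate(outside_policy(MGDR_TELNET_EXT, True), RDP_FROM_MGMT),
        "extended mgmt ACL, telnet from mgmt host": evaluate(outside_policy(MGDR_TELNET_EXT, True), TELNET_FROM_MGMT),
        "as posted, SMTP from other host": evaluate(outside_policy(MGDR_TELNET_STD, True), SMTP_FROM_ELSEWHERE),
        "as posted, SSH from other host": evaluate(outside_policy(MGDR_TELNET_STD, True), SSH_FROM_ELSEWHERE),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:45s} -> {result}")
```

The first scenario is the symptom in the thread: the management host's RDP test is swallowed by the `allow` entry and never translated, so the forward looks broken from exactly the place it was being tested. Either fix (reordering, or narrowing the management ACL to the protocol and destination it actually needs) lets the same packet reach PAT01. The last scenario is the reason the narrowed ACL is the better of the two: with the standard ACL, any traffic from the management ranges is allowed straight to the unit, while unrelated hosts fall to the implicit discard.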

tonycaf
New Contributor

Re: PAT statements not working


Thank you David, that helped. I was able to put "allow list MGDR_TELNET" at the bottom of the list of rules and that resolved the issue. I also did a port scan against that IP address and it showed the ports as open.