The Adtran community holiday season is starting next week! The holiday period will span from December 21, 2024 to January 6, 2025. During this time, responses to feedback form submissions may be delayed. If you are encountering product issues, you can reach out to Adtran support at any time.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
nthomas852
New Contributor

Ping sourcing private LAN interface

Jump to solution

When working in Adtran devices, I've noticed a behavior that I need some clarification on.

I work for an ISP and we have a number of different devices we have supplied to our enterprise customers.

With Cisco devices, we often confirm Internet access by logging into the device and issuing a ping to an outside IP address and source the LAN interface.

Adtran devices allow this same thing to be done when there is a public address on the LAN interface.  However, if there is a private address (with NAT) the pings always fail.

For example:

xxxxx-908e#ping 8.8.8.8 source 10.10.10.1

Type CTRL+C to abort.

Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address

        '*' = Request timed out, '-' = Destination host unreachable

        'x' = TTL expired in transit

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

*****

Success rate is 0 percent (0/5)

While researching this, I read somewhere that Adtran devices will not NAT self-generated traffic.  Is this true?

Message was edited by: nthomas852

Tags (2)
0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: Ping sourcing private LAN interface

Jump to solution

Nina,

Thanks for posting to the Support Community!  You are correct that the unit will not perform NAT on self sourced traffic.  The NAT rules in the firewall are applied inbound on an interface. Since this traffic never comes in on an interface to which a "NAT source" rule is applied, we are responsible for making sure the source IP address is something reachable by the far end when we issue the command. If your goal is just to verify NAT operation within the unit, the "show ip policy-sessions" command is useful. As long as anything on the LAN is generating traffic you can view the NAT take place.


NetVanta 6355#show ip policy-sessions



Policy class "Private":


tcp (600) -> Public


  192.168.101.34  62472    8.8.8.8   80       s  x.x.x.x   62472 


In this example, we see the source IP and port, followed by the destination IP and port.  The 's' means that the source was modified to x.x.x.x and the source port was not modified.

Hope this helps!

David

View solution in original post

0 Kudos
2 Replies
Anonymous
Not applicable

Re: Ping sourcing private LAN interface

Jump to solution

Nina,

Thanks for posting to the Support Community!  You are correct that the unit will not perform NAT on self sourced traffic.  The NAT rules in the firewall are applied inbound on an interface. Since this traffic never comes in on an interface to which a "NAT source" rule is applied, we are responsible for making sure the source IP address is something reachable by the far end when we issue the command. If your goal is just to verify NAT operation within the unit, the "show ip policy-sessions" command is useful. As long as anything on the LAN is generating traffic you can view the NAT take place.


NetVanta 6355#show ip policy-sessions



Policy class "Private":


tcp (600) -> Public


  192.168.101.34  62472    8.8.8.8   80       s  x.x.x.x   62472 


In this example, we see the source IP and port, followed by the destination IP and port.  The 's' means that the source was modified to x.x.x.x and the source port was not modified.

Hope this helps!

David

0 Kudos

Re: Ping sourcing private LAN interface

Jump to solution

Thanks so much for the reply!

I was 99% sure that was the case, but was unable to find this documented by Adtran (I'm sure it's out there somewhere).