jwink
New Contributor III

Public IP block behind NAT


I have a customer with a /29 block behind a 908e that is doing NAT for phones.  The problem is the /29 is getting NATted to the IP on the 908 and that defeats the purpose of the customer's block.  Does anyone know of a configuration that would allow the /29 block IPs to show through and not be affected by the NAT?  My first thought is to try 802.1q encapsulation.  I'll attach some config examples and would greatly appreciate any feedback.

interface eth 0/2
  encapsulation 802.1q
  no shutdown
!
interface eth 0/2.1
  vlan-id 1 native
  description customer LAN
  ip address  216.176.x.x 255.255.255.252
  no shutdown
!
interface eth 0/2.10
  vlan-id 10
  description phones
  access-policy Private
  qos-policy in SET_DSCP
  ip address  192.168.0.1  255.255.255.0
  no shutdown

Would this NAT VLAN 10 but not 1?

6 Replies
jayh
Honored Contributor

Re: Public IP block behind NAT


You don't have the access-policies shown so it's hard to tell.  Also you show a /30 for 216.176.x.x, not a /29.

Assuming that the /30 is the point-to-point to the provider and they're routing a /29 of www.xxx.yyy.zzz to you, you would have something like the following:

interface eth 0/2
  encapsulation 802.1q
  no shutdown
!
interface eth 0/2.1
  vlan-id 1 native
  description WAN link to ISP
  access-policy Public
  media-gateway ip primary
  ip address  216.176.x.x 255.255.255.252
  no shutdown
!
interface eth 0/2.10
  vlan-id 10
  description phones
  access-policy Private
  media-gateway ip primary
  qos-policy in SET_DSCP
  ip address  192.168.0.1  255.255.255.0
  no shutdown
!
interface eth 0/2.20
  vlan-id 20
  description Public LAN block
  access-policy Ethernet
  ip address  www.xxx.yyy.zzz  255.255.255.248
  no shutdown
!
ip access-list standard ics
  remark Internet Connection Sharing
  permit any
!
ip access-list extended ether-in
  remark Ethernet in
  permit ip any www.xxx.yyy.zzz 0.0.0.7
  ! This is applied to the Public interface. Specifying the
  ! subnet of the LAN block itself prevents spoofing from outside.
!
ip access-list extended ether-out
  remark Ethernet out
  permit ip www.xxx.yyy.zzz 0.0.0.7 any
  ! This is applied to the Ethernet interface. Specifying the
  ! subnet of the interface itself prevents spoofing from inside.
!
ip policy-class Public
  allow list self self
  ! This allows the public zone to receive any traffic for the Adtran itself
  allow list ether-in policy Ethernet
  ! This allows traffic routed to the public addresses on the
  ! ethernet to be routed without NAT.
!
ip policy-class Ethernet
  allow list ether-out
!
ip policy-class Private
  allow list self self
  ! This allows traffic sourced from the Adtran to pass, such as ALG traffic.
  nat source list ics interface eth 0/2.1 overload
  ! Allows outbound NAT to the public Internet interface


Now, on the switch connected to eth 0/2 you would create VLAN 20 which will have the routed /29 block.


Alternatively, use eth 0/1 for the WAN to the provider and VLAN 10 and 20 on eth 0/2 for your public LAN and phones.
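To show why the policy-class layout above routes the /29 untouched while only the phone VLAN is NATted, here is an added example (not from the thread and not Adtran code) that models first-match policy-class evaluation with the three access-lists from the reply. The addresses are constructed placeholders for the thread's masked www.xxx.yyy.zzz and 216.176.x.x values, and the "allow list self self" entries are left out.

```python
from ipaddress import ip_address, ip_network

def wildcard_to_network(addr, wildcard):
    """AOS access-lists use wildcard masks (0.0.0.7 covers a /29); convert one."""
    w = int(ip_address(wildcard))
    prefix = 32 - w.bit_length()
    if w != (1 << (32 - prefix)) - 1:
        raise ValueError("non-contiguous wildcard mask")
    return ip_network(f"{addr}/{prefix}", strict=False)

# Constructed sample addressing standing in for the thread's masked values.
PUBLIC_BLOCK = wildcard_to_network("198.51.100.8", "0.0.0.7")  # routed /29 on VLAN 20
WAN_IP = ip_address("203.0.113.2")                             # eth 0/2.1, the /30 to the ISP

# Access-lists from the reply, as (source-match, destination-match) pairs.
ACL = {
    "ics":       (None, None),          # permit any
    "ether-in":  (None, PUBLIC_BLOCK),  # permit ip any <block> 0.0.0.7
    "ether-out": (PUBLIC_BLOCK, None),  # permit ip <block> 0.0.0.7 any
}

# Policy-class entries, evaluated top down; first match wins, else implicit deny.
POLICY = {
    "Public":   [("allow", "ether-in")],   # traffic to the /29 is routed, not NATted
    "Ethernet": [("allow", "ether-out")],  # only sources inside the /29 may leave
    "Private":  [("nat", "ics")],          # nat source list ics interface eth 0/2.1 overload
}

def acl_matches(name, src, dst):
    src_net, dst_net = ACL[name]
    return (src_net is None or src in src_net) and (dst_net is None or dst in dst_net)

def evaluate(policy, src, dst):
    """Return (action, source address as seen on the far side of the router)."""
    src, dst = ip_address(src), ip_address(dst)
    for action, acl in POLICY[policy]:
        if acl_matches(acl, src, dst):
            return action, (WAN_IP if action == "nat" else src)
    return "drop", src

if __name__ == "__main__":
    print(evaluate("Private", "192.168.0.10", "192.0.2.1"))    # phone: NATted to WAN_IP
    print(evaluate("Ethernet", "198.51.100.10", "192.0.2.1"))  # /29 host: passes unchanged
    print(evaluate("Ethernet", "10.9.8.7", "192.0.2.1"))       # wrong source on VLAN 20: dropped
```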

jwink
New Contributor III

Re: Public IP block behind NAT

I wondered if you could look at this config without using 802.1q. I wrote this in trying to get the /29 and /30 around NAT.  It did not work; what am I missing? I hope I didn't take out too much of the config.


!
ip firewall
!
no ip firewall nat-preserve-source-port
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
qos map SET_DSCP 10
  match list VOICE_RTP
  set dscp ef
qos map SET_DSCP 20
  match list VOICE_CTRL
  set dscp af31
!
qos map VOIP_STANDARD 10
  match dscp 46
  match dscp 26
  match list VOICE_RTP
  match list VOICE_CTRL
  priority unlimited
!
interface eth 0/1
  description Metro Ethernet
  ip address  209.x.x.x 255.255.255.0     ! this is the IP we use to manage the router for the customer
  access-policy Public
  media-gateway ip primary
  traffic-shape rate 7000000
  max-reserved-bandwidth 90
  qos-policy out VOIP_STANDARD
  no shutdown
!
interface ethernet 0/2
  description Voice and LAN
  ip address 216.176.x.x 255.255.255.252
  ip address 192.168.0.1 255.255.255.0 secondary
  ip address 216.176.x.x 255.255.255.248 secondary
  access-policy Private
  qos-policy in SET_DSCP
  no shutdown
!
ip access-list extended From_Cust_Public_IP
  remark From Customer Public IP Range
  permit ip 216.176.x.x 0.0.0.7  any       ! the /29 network
  permit ip 216.176.x.x 0.0.0.3  any       ! the /30 network
!
ip access-list extended To_Cust_Public_IP
  remark to Customer Public IP Range
  permit ip any  host 216.176.x.x
  permit ip any  host 216.176.x.x
  permit ip any  host 216.176.x.x     ! the /29 addresses
  permit ip any  host 216.176.x.x
  permit ip any  host 216.176.x.x
  permit ip any  host 216.176.x.x     ! the other /30
!
ip access-list standard VPN
  permit any
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
ip access-list extended self
  remark Traffic to Total Access
  permit ip any  any     log
  remark VPN NO NAT
!
ip access-list extended SIP
  remark CCI SIP TRUNK
  permit udp any  any eq 5060
!
ip policy-class Private
  allow list self self
  allow list From_Cust_Public_IP
  nat source list wizard-ics interface eth 0/1 overload
  allow list VPN
!
ip policy-class Public
  allow list To_Cust_Public_IP policy Private stateless
  allow list CCI
  allow list VPN
  allow list SIP
!
ip route 0.0.0.0 0.0.0.0 209.107.x.x
!


jayh
Honored Contributor

Re: Public IP block behind NAT

You have four layer-3 subnets with substantially different policies and QoS needs on a box with two physical interfaces.  In my opinion, 802.1q is the only practical way to make this work short of getting a box with more physical routed ports.

Using secondary IPs on the same physical interface is very limiting in terms of ability to apply QoS, policy-classes, and the like.  It also makes it very interesting (and not in a good way) if one or more of the subnets has a DHCP server and you're trying to police who goes where.

I would put the /30 from the provider on eth 0/1 and use 802.1q on eth 0/2 for the three subnets of data /29, voice-NAT /24, and out-of-band management.

jwink
New Contributor III

Re: Public IP block behind NAT


Could you recommend a different router in the Adtran lineup?  Something more than an ethernet in and out.  Also, does every box in the Adtran family speak the same CLI?

Thanks so much for your input, it's very much appreciated!

jayh
Honored Contributor

Re: Public IP block behind NAT

Netvanta 1335 has 24 ethernet ports as well as a modular slot for optional WAN interfaces such as T1.

CLI for Adtran AOS is the same across just about everything. There will be some slight differences depending on the capabilities of the units and evolution of the code but it's essentially the same.

It's also available in a PoE version for powering IP phones if needed.

Anonymous
Not applicable

Re: Public IP block behind NAT

Jwink,

I went ahead and flagged this post as "Assumed Answered".  If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

Thanks!

David