bbrown21
New Contributor

IP Policy Class configuration on NV 3430

<code>
!
ip policy-class Private
  allow list self self
  allow list ACL-Private policy Private stateless
  allow list ACL-Tunnel policy Tunnel stateless
  nat source list ACL-NAT interface eth 0/2 overload
!
</code>

So I'm configuring a NV 3430 that has both a T1 connection and a Comcast connection on the same box.  Everything appeared to be working well from the router, until I started trying to get places from local clients (default route is over PPP).  After troubleshooting it looked like local clients on this router were being NAT'd when going over the PPP interface!  So I knew the policy-class was missing something, but I'm not sure of the best way to remedy this situation.  I know I could build a policy-class for the PPP interface, apply it, and insert an allow-list * policy *PPP*, but what I'm wondering is whether there's something simpler where it will simply allow anything going over the PPP.  I was looking at 'self' and it says that it includes any 'local interface'.  What I'm not sure of is whether or not PPP interfaces are considered local and are covered by 'self'.  If so, I should be able to simply add a line like:

<new code>
!
ip policy-class Private
  allow list self self
  allow list ACL-Private policy Private stateless
  allow list ACL-Private self stateless
  allow list ACL-Tunnel policy Tunnel stateless
  nat source list ACL-NAT interface eth 0/2 overload
!
</new code>

Any other ideas on this would be appreciated.  I know there's probably a simple solution I'm just overlooking.

4 Replies
Anonymous
Not applicable

Re: IP Policy Class configuration on NV 3430


Thank you for asking this question in the Support Community.  Is the T1 another Internet connection, or a point-to-point connection to another location?  If it is another Internet connection, are you using it for load sharing or Internet WAN failover (guides linked)?  If it is not an Internet connection, then typically the default route will be pointed out the Internet connection (Comcast in your example). 

There are multiple ways to design/configure this application.  Please, provide some additional information about the T1 connection and I will give you recommendations.

Levi

Re: IP Policy Class configuration on NV 3430

I wound up just adding a policy-class for the PPP interface and everything seems to be working well now.  The T1 is a PPP connection to another location that serves as the primary source of internet (ideally).  The Comcast in this setup would simply be for failover if the T1 went down.  I am curious as to whether or not 'self' would consider PPP to be a local interface, or if I really did need to build a policy-class for the PPP as well.  Normally this is something we don't do, since the PPP interface goes back to our co-located facility for internet, so I don't need the router to firewall, since that is taken care of by a dedicated box.

Anonymous
Not applicable

Re: IP Policy Class configuration on NV 3430


The firewall guide explains the self keyword:  Configuring the Firewall (IPv4) AOS

The self parameter allows all packets passed by the ACL and destined for any local interface on the unit to enter the router system. These packets are terminated by the unit and are not routed or forwarded to other destinations. Using the self parameter is helpful when opening remote administrative access to the unit (Telnet, secure shell (SSH), ICMP, HTTP, Hypertext Transfer Protocol Secure (HTTPS), etc.).

If you would like to reply with the current configuration (please, remember to remove any information that may be sensitive to the organization), I will be happy to review it for you.

Levi
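Added example (not configuration from this thread or from ADTRAN's guide) of the approach the original poster ended up with, written against the quoted definition of self: because self only matches packets the unit itself terminates, client traffic being forwarded out the PPP link needs its own entry, and the PPP interface needs its own policy-class. The LAN subnet, interface numbers (eth 0/1, ppp 1) and ACL names ACL-PPP-Return are assumptions; ACL-NAT and ACL-Tunnel are taken from the poster's configuration.

```text
! Assumed LAN subnet; replace with the site's real addressing.
ip access-list extended ACL-Private
  permit ip 192.168.1.0 0.0.0.255 any
!
! Assumed: traffic arriving from the remote site that is addressed to the LAN.
ip access-list extended ACL-PPP-Return
  permit ip any 192.168.1.0 0.0.0.255
!
ip policy-class Private
  ! self: only packets destined to the unit's own addresses (management access)
  allow list self self
  ! Forwarded LAN traffic whose egress interface carries policy-class PPP.
  ! Listed before the nat entry so it is matched first and is not translated.
  allow list ACL-Private policy PPP stateless
  allow list ACL-Private policy Private stateless
  allow list ACL-Tunnel policy Tunnel stateless
  ! Only traffic matching ACL-NAT (Comcast-bound) reaches this entry.
  nat source list ACL-NAT interface eth 0/2 overload
!
ip policy-class PPP
  ! Management access to the unit from the remote site.
  allow list self self
  ! Traffic from the remote site toward LAN hosts; the poster does not
  ! firewall this link, so nothing else is filtered here.
  allow list ACL-PPP-Return policy Private stateless
!
interface eth 0/1
  ip access-policy Private
!
interface ppp 1
  ip access-policy PPP
!
```

Entries are evaluated top to bottom per ingress interface, so the order of the allow and nat lines in Private is what decides whether PPP-bound traffic is translated.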

Anonymous
Not applicable

Re: IP Policy Class configuration on NV 3430


I went ahead and flagged this post as "Assumed Answered." If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Levi