dwolf
New Contributor

One to one NAT for new VLAN not working

I am trying to implement a second VPN device on a new VLAN 3 on switchport 0/8, but I can't even get ICMP to work.  I can ping the new SSLVPN device from the source switchport 0/8, but I can't from the interface eth 0/2.  The ACLs and Policies are all the same, but yet the original VPN works and the new SSLVPN doesn't (ICMP).  I need the dedicated public IP to route directly to this new SSLVPN IP.  The public IP comes in on eth 0/2 and the SSLVPN device is on switchport 0/8.

I have provided relevant parts of my configuration below and would appreciate a second set of eyes to see what I am missing.

Thanks,

dwolf

!
! ADTRAN, Inc. OS version R10.9.0.E
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448,
ip policy-timeout udp all-ports 300
!
ip firewall
ip firewall fast-nat-failover
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
vlan 1
  name "Default"
!
vlan 2
  name "Voice"
!
vlan 3
  name "SSLVPN"
!
no ethernet cfm
!
interface eth 0/1
  description WAN-1
  ip address  xx.yy.28.61  255.255.255.248
  ip mtu 1500
  ip address  xx.yy.28.57  255.255.255.248  secondary
  ip address  xx.yy.28.59  255.255.255.248  secondary
  ip access-policy Public
  ip flow ingress
  ip flow egress
  qos-policy out eth0/2QosWizard
  no shutdown
!
interface eth 0/2
  description MegaPath
  ip address  xx.yy.186.170  255.255.255.252
  ip mtu 1500
  ip address range  xx.yy.79.83  xx.yy.79.84  255.255.255.248  secondary
  ip access-policy Public2
  ip flow ingress
  ip flow egress
  qos-policy out eth0/2QosWizard
  no shutdown
!
interface switchport 0/1
  no shutdown
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
interface switchport 0/5
  no shutdown
  switchport access vlan 2
!
interface switchport 0/6
  no shutdown
  switchport access vlan 2
!
interface switchport 0/7
  no shutdown
  switchport access vlan 2
!
interface switchport 0/8
  no shutdown
  switchport access vlan 3
!
interface vlan 1
  ip address  192.xx.yy.1  255.255.255.0
  ip access-policy Private
  no shutdown
!
interface vlan 2
  ip address  172.xx.yy.1  255.255.255.0
  ip policy route-map VoiceMap
  ip access-policy Private
  no shutdown
!
interface vlan 3
  description Fortinet SSL VPN device
  ip address  10.xxx.yy.2  255.255.255.252
  ip access-policy PrivateSSLVPN
  no shutdown
!
route-map local permit 10
  match ip address wan1
  set ip next-hop xx.yy.28.62
route-map local permit 20
  match ip address wan2
  set ip next-hop xxx.yyy.186.169
route-map VoiceMap permit 10
  match ip address VoiceMap
  set ip next-hop xxx.yyy.186.169
  set interface null 0
!
ip access-list standard natpool
  permit any
!
ip access-list standard natpool2
  permit any
!
ip access-list standard self
  permit any
!
ip access-list extended acleth0/2QosWizRTP20
  permit ip 172.xx.yy.0 0.0.0.255  any
!
ip access-list extended acleth0/2QosWizSignal21
  permit udp any  any range 5060 5061
  permit tcp any  any range 5060 5061
!
ip access-list extended SSLVPN
  remark xx.yy.79.84 -> 10.xxx.yy.1
  permit icmp any  host xx.yy.79.84     log
  permit tcp any  host xx.yy.79.84 eq https
  permit udp any  host xx.yy.79.84 eq 443
!
ip access-list extended SSLVPN-Out2
  remark 10.xxx.yy.1 : xx.yy.79.84
  permit icmp host 10.xxx.yy.1  any     log
  permit udp host 10.xxx.yy.1 eq 443 any
  permit tcp host 10.xxx.yy.1 eq https any
!
ip access-list extended VoiceMap
  permit ip 172.xx.yy.0 0.0.0.255  any     track wan2
  deny   ip any  any
!
ip access-list extended VPN
  permit icmp any  host xx.yy.28.57  echo   log
  permit gre any  host xx.yy.28.57
  permit tcp any  host xx.yy.28.57 eq 1723
!
ip access-list extended VPN-Out
  remark 192.xx.yy.250 : xx.yy.28.57
  permit gre host 192.xx.yy.250  any
  permit tcp host 192.xx.yy.250 eq 1723 any
  permit icmp host 192.xx.yy.250  any
!
ip access-list extended VPN-Out2
  remark 192.xx.yy.250 : xx.yy.79.83
  permit gre host 192.xx.yy.250  any
  permit tcp host 192.xx.yy.250 eq 1723 any
  permit icmp host 192.xx.yy.250  any
!
ip access-list extended VPN2
  permit icmp any  host xx.yy.79.83  echo
  permit gre any  host xx.yy.79.83
  permit tcp any  host xx.yy.79.83 eq 1723
!
ip access-list extended wan1
  permit icmp host xx.yy.28.61  host 4.2.2.4     log
!
ip access-list extended wan2
  permit icmp host xxx.yyy.186.170  host xxx.yyy.186.169     log
!
ip access-list extended web-acl-1
  remark Jive Allow
  permit ip 199.36.248.0 0.0.3.255  172.xx.yy.0 0.0.0.255
!
ip access-list extended web-acl-2
  remark Jive Allow 2
  permit ip 199.87.120.0 0.0.3.255  172.xx.yy.0 0.0.0.255
!
ip access-list extended web-acl-3
  remark Admin Access
  permit tcp any  any eq https   log
  permit tcp any  any eq ssh   log
  permit icmp any  any  echo   log
!
ip access-list extended web-acl-4
  remark Jive Allow 3
  permit ip 162.250.60.0 0.0.3.255  172.xx.yy.0 0.0.0.255
!
ip policy-class Private
  allow list self self
  nat source list VPN-Out address xx.yy.28.57 overload policy Public
  nat source list VPN-Out2 address xx.yy.79.83 overload policy Public2
  nat source list natpool interface eth 0/1 overload policy Public
  nat source list natpool2 interface eth 0/2 overload policy Public2
!
ip policy-class PrivateSSLVPN
  nat source list SSLVPN-Out2 address xx.yy.79.84 overload policy Public2
  allow list self self
!
no ip policy-class Public rpf-check
ip policy-class Public
  nat destination list VPN address 192.xx.yy.250
  allow list web-acl-1
  allow list web-acl-2
  allow list web-acl-4
  allow list web-acl-3 self
!
no ip policy-class Public2 rpf-check
ip policy-class Public2
  nat destination list VPN2 address 192.xx.yy.250
  nat destination list SSLVPN address 10.xxx.yy.1
  allow list web-acl-1
  allow list web-acl-2
  allow list web-acl-4
  allow list web-acl-3 self
!
ip route 0.0.0.0 0.0.0.0 xx.yy.28.62 track wan1
ip route 0.0.0.0 0.0.0.0 xxx.yyy.186.169 track wan2
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
sip udp 5060
sip tcp 5060
!

jayh
Honored Contributor

Re: One to one NAT for new VLAN not working

It looks like you have a routing issue. You have only a default route out WAN 1 that fails over to Megapath should that fail. Hence you will try to route out the other provider with a source of Megapath's IP.

You could add a static route to the SSLVPN endpoint with a gateway of Megapath's next hop. You could also use a route-map for the remote endpoint.

"show ip policy-session" may give a clue as to how it's routing.

Also, the secondary IPs which I assume are for the LAN block assigned by the ISPs may be conflicting with the primary source of the point-to-point /30 to the provider. You might not be sourcing from where you think you are. Consider using a loopback for these, or a VLAN interface if you need access to these subnets by physical devices.

BTW, it isn't necessary to mask IPs of RFC1918 addresses like 10/8, 172.16/12 and 192.168/16; it makes things a bit harder to follow.
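To make the route-map suggestion in the reply concrete, here is an added example (not from either post) that follows the same pattern the posted config already uses for VoiceMap: a policy route-map on interface vlan 3 that sends traffic sourced by the SSL VPN device to MegaPath's next hop, so replies that PrivateSSLVPN NATs to xx.yy.79.84 leave on the link that owns that address instead of following the default route out WAN-1. The ACL name SSLVPN-PBR and route-map name SSLVPNMap are assumed; the `track wan2` keyword and the `set interface null 0` fallback are borrowed from the existing VoiceMap entries.

```text
! Added example: policy-route the SSL VPN device's traffic out eth 0/2 (MegaPath).
! Names SSLVPN-PBR and SSLVPNMap are assumed, not from the original post.
ip access-list extended SSLVPN-PBR
  remark Match only the Fortinet SSL VPN device behind vlan 3
  permit ip host 10.xxx.yy.1  any     track wan2
  deny   ip any  any
!
route-map SSLVPNMap permit 10
  match ip address SSLVPN-PBR
  set ip next-hop xxx.yyy.186.169
  ! If wan2 is down the ACL stops matching; the null 0 fallback drops the
  ! traffic rather than letting it leave WAN-1 with a MegaPath source address.
  set interface null 0
!
interface vlan 3
  description Fortinet SSL VPN device
  ip address  10.xxx.yy.2  255.255.255.252
  ip policy route-map SSLVPNMap
  ip access-policy PrivateSSLVPN
  no shutdown
!
```

After applying it, the `show ip policy-session` output mentioned in the reply can be used to confirm which policy-class and interface the device's return sessions are using.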