rsheph78
New Contributor

static nat issue.

I have a NAT overload statement to route all IP phones out to a public registration server. At times I need to create a static mapping for an Analog device from Public to Private to update, modify, adjust configuration on a specific device. I have checked the "how to's" and they are not helping with getting this mapping successful. I was able to map the device and reach it through a browser with port 80 but I lose all access (SSH) to the 3140 device and it needs to be rebooted to bring it back. Here is my current configuration with some IPs "x"'d out. What I need to do is to map private IP 10.30.30.52 to public IP xx.xx.xx.58 port 80 so I can access this device. All of this without affecting router access or any other voice traffic.

interface gigabit-eth 0/1
  description WAN
  ip address  xx.xx.xx.58  255.255.255.252
  traffic-shape rate 1500000
  qos-policy out outboundsip
  no shutdown
!
interface gigabit-eth 0/3
  encapsulation 802.1q
  no shutdown
!
interface gigabit-eth 0/3.300
  description VOICE
  vlan-id 300
  ip address  10.30.30.254  255.255.255.0
  ip access-policy PHONES
  no shutdown
!
ip access-list standard CUST_PHONE
  permit 10.30.30.0 0.0.0.255
!
ip policy-class PHONES
  nat source list CUST_PHONE interface gigabit-ethernet 0/1 overload

jayh
Honored Contributor

Re: static nat issue.

The problem is that when you are using the public interface IP and port for the static mapping, you can then no longer use it for access to the 3140 itself.

Your options are:

  • Route a second public IP to a loopback address and statically destination NAT to the loopback for configuring your devices.
  • Use port-translations so that a different public port maps to the inside device than is used for accessing the 3140.

For example:

ip access-list extended device-access
  remark inside device access
  permit tcp any host xx.xx.xx.58 eq 8080

interface gigabit-eth 0/1
  description WAN
  ip address  xx.xx.xx.58  255.255.255.252
  ip access-policy Public

...

ip policy-class Public
  nat destination list device-access address 10.30.30.10 port 80

...

Now pointing a browser to the public IP xx.xx.xx.58 on port 80 gets to the Adtran 3140 but pointing a browser to xx.xx.xx.58:8080 takes you to port 80 of the inside device. Obviously you can build multiple access-list and nat destination pairs for different services and inside IPs.

The Adtran firewall web GUI actually does a fairly decent job of this but you wind up with wacky names for the access-lists which makes for fun reading trying to decipher the config later.
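A config check for the collision described in this thread, as an added example that is not from either post or from Adtran: it flags any destination NAT whose access list matches one of the router's own interface addresses on a management port. The MGMT_PORTS set, the 203.0.113.58 stand-in address and the sample configs are assumptions, and the parser only understands the statement forms shown above.

```python
import re

# Assumption: TCP ports the router itself serves for management (SSH, Telnet, HTTP, HTTPS).
MGMT_PORTS = {22, 23, 80, 443}

def audit(config):
    """Return (acl, public_ip, port, inside) for each destination NAT that takes over
    a management port on one of the router's own interface addresses."""
    acls, router_ips, nats, current_acl = {}, set(), [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)", line):
            current_acl = m.group(1)
            acls[current_acl] = []
        elif m := re.match(r"permit \w+ (?:any|host \S+) host (\S+)(?: eq (\d+))?$", line):
            if current_acl:
                acls[current_acl].append((m.group(1), int(m.group(2)) if m.group(2) else None))
        elif m := re.match(r"ip address\s+(\S+)\s+\S+", line):
            router_ips.add(m.group(1))
        elif m := re.match(r"nat destination list (\S+) address (\S+) port (\d+)", line):
            nats.append((m.group(1), f"{m.group(2)}:{m.group(3)}"))
    findings = []
    for acl, inside in nats:
        for dst, port in acls.get(acl, []):
            # An entry without "eq" matches every port on that address, management included.
            if dst in router_ips and (port is None or port in MGMT_PORTS):
                findings.append((acl, dst, port, inside))
    return findings

# Constructed sample configs in the syntax used in this thread; 203.0.113.58 stands in
# for the masked public address and 10.30.30.52 is the inside device from the question.
BASE = """
interface gigabit-eth 0/1
  ip address  203.0.113.58  255.255.255.252
  ip access-policy Public
ip access-list extended device-access
  permit tcp any host 203.0.113.58 eq {port}
ip policy-class Public
  nat destination list device-access address 10.30.30.52 port 80
"""
COLLIDING = BASE.format(port=80)     # public port 80 is also the router's web GUI
TRANSLATED = BASE.format(port=8080)  # port translation keeps management reachable

if __name__ == "__main__":
    for name, cfg in (("colliding", COLLIDING), ("translated", TRANSLATED)):
        print(name, audit(cfg))
```

An empty result means no destination NAT in the config overlaps the listed management ports on an interface address.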