Anonymous

Netvanta 3430 One to One NAT and One to Many NAT. Need help

Good Morning,

I've spent a horrendous amount of time on this, and would love some assistance.

I found several discussions on this topic, but no one actually seemed to post an answer.

All help appreciated.

I have a public set of IPs.

I want one IP to be used for One to Many NAT

And then I have several machines on the inside, that I want addressable via One to One NAT.

I can't seem to get this to work.

No matter what I do, the Many to One seems to work on all of the machines, including the ones I want to use One to One.

help!

Accepted Solutions
Anonymous

Re: Netvanta 3430 One to One NAT and One to Many NAT. Need help

Good Morning.

It took a wee bit more tweaking, but yes, your answer definitely led to success!

Below are the relevant portions that I used. Hoping it saves someone some time in the future.

!
ip subnet-zero
ip classless
ip routing
!
no auto-config
!
interface eth 0/1
  description Internal Connection
  ip address 172.16.3.5 255.255.255.0
  ip access-policy Private
  no shutdown
!
interface eth 0/2
  description External Connection
  ip address xx.yy.186.2 255.255.255.192
  ip address range xx.yy.186.3 xx.yy.186.5 255.255.255.192 secondary
  ip access-policy Public
  no rtp quality-monitoring
  no shutdown
!
interface t1 1/1
  description Not used
  shutdown
!
interface ppp 1
  shutdown
!
router rip
  passive-interface eth 0/1
  passive-interface eth 0/2
!
ip access-list extended ALL
  ! Implicit permit (only for empty ACLs)
!
ip access-list extended AdminAccess
  remark AdminAccess Access List
  permit ip host aa.bb.198.84 any log
  permit tcp host aa.bb.198.84 any eq telnet log
  permit tcp host aa.bb.198.84 any eq https log
  permit tcp host aa.bb.198.84 any eq ssh log
  permit ip cc.dd.7.0 0.0.0.255 any log
!
ip access-list extended LAN011
  permit ip host 172.16.3.11 any
!
ip access-list extended LAN012
  permit ip host 172.16.3.12 any
!
ip access-list extended LAN014
  permit ip host 172.16.3.14 any
!
ip access-list extended LAN172.outbound
  remark 172.outbound Net Allow Outbound
  permit ip 172.16.3.0 0.0.0.255 any
!
ip access-list extended linuxip-acl
  ! Implicit permit (only for empty ACLs)
!
ip access-list extended NATALL
  permit ip 172.16.3.0 0.0.0.255 any
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any any log
!
ip access-list extended WAN003
  permit tcp any host xx.yy.186.3 eq domain log
  permit udp any host xx.yy.186.3 eq domain log
  permit tcp any host xx.yy.186.3 eq www log
  permit tcp any host xx.yy.186.3 eq https log
  permit tcp any host xx.yy.186.3 eq 220 log
  permit tcp any host xx.yy.186.3 eq 143 log
  permit tcp any host xx.yy.186.3 eq pop3 log
  permit tcp any host xx.yy.186.3 eq smtp log
  permit tcp any host xx.yy.186.3 eq ftp-data log
  permit tcp any host xx.yy.186.3 eq ftp log
  permit tcp host aa.bb.198.84 host xx.yy.186.3 eq 3389 log
  permit tcp cc.dd.7.0 0.0.0.255 host xx.yy.186.3 eq 3389 log
!
ip access-list extended WAN004
  permit tcp any host xx.yy.186.4 eq domain log
  permit udp any host xx.yy.186.4 eq domain log
  permit tcp any host xx.yy.186.4 eq ssh log
  permit udp any host xx.yy.186.4 eq tftp log
  permit tcp any host xx.yy.186.4 eq 989 log
  permit tcp any host xx.yy.186.4 eq 990 log
  permit tcp any host xx.yy.186.4 eq www log
  permit tcp any host xx.yy.186.4 eq https log
  permit tcp host aa.bb.198.84 host xx.yy.186.4 eq 3389 log
  permit tcp cc.dd.7.0 0.0.0.255 host xx.yy.186.4 eq 3389 log
!
ip access-list extended WAN005
  permit tcp any host xx.yy.186.5 eq domain log
  permit udp any host xx.yy.186.5 eq domain log
  permit tcp any host xx.yy.186.5 eq ssh log
  permit udp any host xx.yy.186.5 eq tftp log
  permit tcp any host xx.yy.186.5 eq 989 log
  permit tcp any host xx.yy.186.5 eq 990 log
  permit tcp any host xx.yy.186.5 eq www log
  permit tcp any host xx.yy.186.5 eq https log
  permit tcp host aa.bb.198.84 host xx.yy.186.5 eq 3389 log
  permit tcp cc.dd.7.0 0.0.0.255 host xx.yy.186.5 eq 3389 log
!
ip policy-class Private
  nat source list LAN011 address xx.yy.186.4 overload
  nat source list LAN012 address xx.yy.186.5 overload
  nat source list LAN014 address xx.yy.186.3 overload
  nat source list NATALL interface eth 0/2 overload
  allow list LAN172.outbound stateless
  allow list ALL self
!
ip policy-class Public
  nat destination list WAN003 address 172.16.3.14
  nat destination list WAN004 address 172.16.3.11
  nat destination list WAN005 address 172.16.3.12
  allow list AdminAccess
!
ip route 0.0.0.0 0.0.0.0 xx.yy.186.1
!

4 Replies
Anonymous

Re: Netvanta 3430 One to One NAT and One to Many NAT. Need help

@jkerr - Thanks for posting your question on the forum. After taking a look at your configuration, I think I see the issue you are running into and would like to make a couple of suggestions.

The 'Public' policy-class is configured correctly. However, the 'Private' policy-class needs a couple of modifications.

- First, the rule "allow list 172.outbound stateless" is currently placed above your NAT statements. This is problematic as this rule is matching all traffic sourced from your LAN (172.16.3.x) and allowing it through. The AOS firewall matches traffic in a top-down fashion so once a packet matches a rule, it will not check any rules further below it. This rule needs to be below your NAT statements.

- The ACLs LAN14, LAN11, LAN12, and LAN31 need the same modifications made. The ACLs reference destination traffic instead of source traffic. For example, the ACL LAN14 is currently configured as such:

ip access-list extended LAN14
  permit ip any host 172.16.3.14

This matches traffic destined for 172.16.3.14. This rule actually needs to match traffic sourced from 172.16.3.14. So the ACL should look like this:

ip access-list extended LAN14
  permit ip host 172.16.3.14 any

Once these changes have been made, your 1:1 NAT as well as your Many:1 NAT should all work. Let us know if you have any further questions or issues regarding this.

Thanks,

Noor
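Added example (not from the thread or from ADTRAN): a small Python model of the top-down policy-class evaluation Noor describes, applied to the 'Private' policy-class from the accepted configuration above. It assumes first-match-wins semantics exactly as the reply states, treats the redacted xx.yy.186.3 address as an opaque label, and uses the constructed destination 203.0.113.10; it shows why the stateless allow above the NAT entries, and a LAN ACL written against the destination, both leave 1:1 hosts falling through to the Many:1 NAT.

```python
import ipaddress

PRIVATE_LAN = ipaddress.ip_network("172.16.3.0/24")


def host(ip):
    """ACL 'host a.b.c.d' as a /32 network."""
    return ipaddress.ip_network(ip + "/32")


def acl_matches(acl, src, dst):
    """acl: list of (src_spec, dst_spec); a spec is 'any' or an ip_network."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s, d in acl:
        if (s == "any" or src in s) and (d == "any" or dst in d):
            return True
    return False


def evaluate(policy, src, dst):
    """Top-down, first match wins (as described in the reply); implicit deny."""
    for action, acl, arg in policy:
        if acl_matches(acl, src, dst):
            return (action, arg)
    return ("deny", None)


# ACLs from the thread: the original LAN14 matched traffic *to* the host,
# the corrected one matches traffic *from* the host.
LAN014_WRONG = [("any", host("172.16.3.14"))]
LAN014_FIXED = [(host("172.16.3.14"), "any")]
NATALL = [(PRIVATE_LAN, "any")]
LAN172_OUTBOUND = [(PRIVATE_LAN, "any")]


def private_policy(lan014, allow_first):
    """Build the 'Private' policy-class with the allow either above or below NAT."""
    nat_rules = [("nat", lan014, "xx.yy.186.3"),      # 1:1 for the .14 host
                 ("nat", NATALL, "eth 0/2")]          # Many:1 for the rest
    allow = [("allow", LAN172_OUTBOUND, "stateless")]
    return allow + nat_rules if allow_first else nat_rules + allow


def verdict(lan014, allow_first, src="172.16.3.14", dst="203.0.113.10"):
    """Verdict for one outbound packet (constructed destination 203.0.113.10)."""
    return evaluate(private_policy(lan014, allow_first), src, dst)
```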

Anonymous

Re: Netvanta 3430 One to One NAT and One to Many NAT. Need help

Thank you Noor,

I will give these a shot tonight!

I did wonder as well about the order of things.

Anonymous

Re: Netvanta 3430 One to One NAT and One to Many NAT. Need help

I went ahead and flagged this post as "Assumed Answered." If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

Thanks,

Noor
