4 Replies Latest reply on Mar 29, 2012 8:11 AM by levi

    Adtran 3448 Main site 1 to 1 nat to remote site.  Can't get to work

    touristsis Visitor

      Hi Support,

       

      I have an Adtran 3448 at the main site.  This site is the only site with Internet, with 5 static IP addresses.  I have a 3430 at the remote site.  The two sites are connected via P2P Ethernet.  I have a video conference system at both locations.  I natted 1 public IP to the one at the main site.  I natted 1 public IP to the one at the remote site.  Should the two conference systems be able to connect to each other via internal static IP address?  Other users outside the network should be able to connect to the conference system via public IP address?

       

      NOTE:

       

      XX.XX.XX.37 nat 192.168.101.126 (Main Site Video Conference System)
      XX.XX.XX.38 nat 192.168.101.130 (Remote Site Video Conference System)  It goes thru Int Ether 0/2 which is the P2P 10 Meg Ethernet.
      Disregard the two T1 cards or the ppp1 interface; this was the old P2P 3.0 Meg connection.

        • Re: Adtran 3448 Main site 1 to 1 nat to remote site.  Can't get to work
          levi Employee

          touristsis:

           

          Thank you for providing the detailed information with this question; this is very helpful to assist in troubleshooting.  I would like to suggest that in the future you attach the configurations instead of posting them inline.  This greatly enhances future viewers' experience because the post would be much more succinct.  I have deleted the two follow-up posts you made with the remote configuration and ports, but if you would re-add them as attachments, as well as edit the original post to add that configuration as an attachment, that would be appreciated.

           

          The main configuration change I would suggest is on the main router, in the Private policy-class.  The entry "allow list private" is below the "nat source list wizard-ics interface eth 0/1 overload."  Since the most specific entry takes precedence, the "allow list private" will not be used, because the NAT statement above it will match all traffic and NAT the source address to the IP address of Ethernet 0/1.  Therefore, when the remote side tries to reply back to the main site, it will try to send traffic to the address of Ethernet 0/1 instead of the private IP address on VLAN 1.  If you move the "allow list private" above the NAT statement, hopefully that will resolve the issue.  Here is an example of what your configuration would look like (I also made this statement "stateless"):

           

          ip policy-class Private
            allow list self self
            allow list private stateless
            nat source list wizard-ics interface eth 0/1 overload

           

          There are several portions of the configuration that I would recommend modifying because many aspects are not used in this design and may cause problems in the future.  You have route-maps, duplicate and repeat ACLs, duplicate route statements, and on the remote router the firewall is enabled, but it is a private network and only one interface has a policy-class assigned to it.  In the future I would recommend "cleaning up" both configurations to make the routers more efficient.

           

          Please, let me know if you still have trouble after making this change.

           

          Levi
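The ordering problem described in the reply above can be checked offline with a small audit script. This is an added example, not code from the thread or from ADTRAN. It assumes policy-class entries are evaluated top to bottom with the first matching entry deciding, which is what the reply's "above"/"below" reasoning relies on. The ACL contents and the BEFORE ordering are constructed, because the thread names the lists but the posted configuration is no longer shown.

```python
import ipaddress

ANY = ("0.0.0.0/0", "0.0.0.0/0")
# Constructed ACL contents (assumption): the thread names these lists but does not show them.
ACLS = {
    "self": [],                                         # router-destined traffic only
    "private": [("192.168.0.0/16", "192.168.0.0/16")],  # site-to-site traffic
    "wizard-ics": [ANY],                                # matches all traffic, per the reply
}
# BEFORE is rebuilt from the reply's description; AFTER is the order the reply suggests.
BEFORE = """ip policy-class Private
 allow list self self
 nat source list wizard-ics interface eth 0/1 overload
 allow list private
"""
AFTER = """ip policy-class Private
 allow list self self
 allow list private stateless
 nat source list wizard-ics interface eth 0/1 overload
"""

def parse_policy(text):
    """Return [(action, acl_name)] for each entry of one policy-class block."""
    entries = []
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["allow", "list"] and len(w) > 2:
            entries.append(("allow", w[2]))
        elif w[:3] == ["nat", "source", "list"] and len(w) > 3:
            entries.append(("nat", w[3]))
    return entries

def first_match(entries, src, dst):
    """Walk entries top to bottom; the first entry whose ACL matches decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl in entries:
        for a, b in ACLS[acl]:
            if s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b):
                return action, acl
    return "discard", None

def shadowed_allows(entries):
    """Names of allow lists placed below a NAT entry whose ACL permits any traffic."""
    shadowed, catch_all_seen = [], False
    for action, acl in entries:
        if action == "allow" and catch_all_seen:
            shadowed.append(acl)
        if action == "nat" and ANY in ACLS[acl]:
            catch_all_seen = True
    return shadowed
```

Running `shadowed_allows(parse_policy(...))` over an exported policy-class block lists any allow entry that can never be reached because a catch-all NAT entry sits above it.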

          • Re: Adtran 3448 Main site 1 to 1 nat to remote site.  Can't get to work
            levi Employee

            touristsis:

             

            I went ahead and marked this post as "assumed answered".  Feel free to mark any correct or helpful answers from this post.  If you still need assistance with this issue I would be more than happy to help, just let me know in a reply.

             

            Levi