4 Replies Latest reply on May 9, 2012 5:58 AM by jkerr

    Netvanta 3430 One to One NAT and One to Many NAT.  Need help

    jkerr New Member

      Good Morning,

      I've spent a horrendous amount of time on this, and would love some assistance.

      I found several discussions on this topic, but no one actually seemed to post an answer.

      All help appreciated.

       

      I have a public set of IPs.

       

      I want one IP to be used for One to Many NAT

      And then I have several machines on the inside, that I want addressable via One to One NAT.

       

      I can't seem to get this to work.

       

      No matter what I do, the Many to One seems to work on all of the machines, including the ones I want to use One to One.

       

      help!

        • Re: Netvanta 3430 One to One NAT and One to Many NAT.  Need help
          Employee

          @jkerr - Thanks for posting your question on the forum. After taking a look at your configuration, I think I see the issue you are running into and would like to make a couple of suggestions.

           

          The 'Public' policy-class is configured correctly. However, the 'Private' policy-class needs a couple of modifications.

           

          - First, the rule "allow list 172.outbound stateless" is currently placed above your NAT statements. This is problematic as this rule is matching all traffic sourced from your LAN (172.16.3.x) and allowing it through. The AOS firewall matches traffic in a top-down fashion so once a packet matches a rule, it will not check any rules further below it. This rule needs to be below your NAT statements.

           

          - The ACLs LAN14, LAN11, LAN12, and LAN31 need the same modifications made. The ACLs reference destination traffic instead of source traffic. For example, the ACL LAN14 is currently configured as such:

           

          ip access-list extended LAN14
            permit ip any host 172.16.3.14

           

          This matches traffic destined for 172.16.3.14. This rule actually needs to match traffic sourced from 172.16.3.14. So the ACL should look like this:

           

          ip access-list extended LAN14
            permit ip host 172.16.3.14 any

           

          Once these changes have been made, your 1:1 NAT as well as your Many:1 NAT should all work. Let us know if you have any further questions or issues regarding this.

           

          Thanks,

          Noor
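The two mistakes Noor describes above (an `allow` entry placed above the `nat source` entries, and a 1:1 ACL written as `permit ip any host X` so that it matches traffic to X rather than from X) can be reproduced with a small first-match model of a policy-class. This is an added example, not Adtran's code and not part of the thread; it reuses the ACL and policy-class names from the thread, but the matching semantics are a simplifying assumption (entries are evaluated top-down, the first ACL that permits the packet decides the action, a `nat source` entry both translates and permits, and a non-empty ACL ends in implicit deny). The packets are constructed sample input.

```python
"""Added example (not Adtran's code): a first-match model of an AOS ip policy-class.

Assumed semantics: entries are walked top-down, the first ACL that permits the
packet decides the action, a nat_source entry translates and permits, and a
non-empty ACL ends in implicit deny. Names are taken from the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"


@dataclass(frozen=True)
class AclEntry:
    proto: str   # "ip", "tcp" or "udp"
    src: str     # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str


@dataclass(frozen=True)
class PolicyEntry:
    action: str                   # "nat_source" or "allow"
    acl: str                      # ACL name the entry matches against
    nat_to: Optional[str] = None  # translated source for nat_source entries


def _addr_matches(spec: str, addr: str) -> bool:
    """Match one ACL address field; wildcard bits set to 1 are don't-care."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wildcard = spec.split()
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(net)) & care


def acl_permits(entries: list, pkt: Packet) -> bool:
    """True if any entry permits the packet; otherwise the implicit deny applies."""
    for e in entries:
        if e.proto in ("ip", pkt.proto) and _addr_matches(e.src, pkt.src) and _addr_matches(e.dst, pkt.dst):
            return True
    return False


def evaluate(policy: list, acls: dict, pkt: Packet):
    """Walk the policy-class top-down; return (action, source address after NAT)."""
    for e in policy:
        if acl_permits(acls[e.acl], pkt):
            if e.action == "nat_source":
                return ("nat", e.nat_to)
            return (e.action, pkt.src)
    return ("discard", pkt.src)  # nothing matched: implicit discard


# ACLs as Noor found them: LAN14 matches traffic *to* .14, not *from* it.
ACLS_BROKEN = {
    "LAN14": [AclEntry("ip", "any", "host 172.16.3.14")],
    "NATALL": [AclEntry("ip", "172.16.3.0 0.0.0.255", "any")],
    "172.outbound": [AclEntry("ip", "172.16.3.0 0.0.0.255", "any")],
}
# Corrected: LAN14 now matches traffic sourced from the 1:1 host.
ACLS_FIXED = dict(ACLS_BROKEN, LAN14=[AclEntry("ip", "host 172.16.3.14", "any")])

NAT_ENTRIES = [
    PolicyEntry("nat_source", "LAN14", "xx.yy.186.3"),  # 1:1 for .14
    PolicyEntry("nat_source", "NATALL", "eth 0/2"),     # many:1 for the rest
]
PRIVATE_ALLOW_FIRST = [PolicyEntry("allow", "172.outbound")] + NAT_ENTRIES
PRIVATE_NAT_FIRST = NAT_ENTRIES + [PolicyEntry("allow", "172.outbound")]


def demo() -> dict:
    from_14 = Packet("172.16.3.14", "8.8.8.8", "tcp")  # constructed sample packets
    from_20 = Packet("172.16.3.20", "8.8.8.8", "tcp")
    return {
        # allow above the nat statements: every LAN packet stops at the allow entry
        "allow_first": evaluate(PRIVATE_ALLOW_FIRST, ACLS_BROKEN, from_14),
        # order fixed but LAN14 still destination-based: .14 falls through to many:1
        "order_only": evaluate(PRIVATE_NAT_FIRST, ACLS_BROKEN, from_14),
        # both fixes applied: .14 gets its own public address, others share eth 0/2
        "fixed_14": evaluate(PRIVATE_NAT_FIRST, ACLS_FIXED, from_14),
        "fixed_20": evaluate(PRIVATE_NAT_FIRST, ACLS_FIXED, from_20),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} -> {result}")
```

The "order_only" case is the one worth noticing: once the `allow` is moved below the NAT entries, a destination-based LAN14 still never matches outbound traffic from 172.16.3.14, so that host silently falls through to the NATALL many:1 entry and shares the interface address with everyone else.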

            • Re: Netvanta 3430 One to One NAT and One to Many NAT.  Need help
              jkerr New Member

              Thank you Noor,

              I will give these a shot tonight!

              I did wonder as well about the order of things.

                • Re: Netvanta 3430 One to One NAT and One to Many NAT.  Need help
                  Employee

                  jkerr

                  I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

                   

                  Thanks,

                  Noor

                    • Re: Netvanta 3430 One to One NAT and One to Many NAT.  Need help
                      jkerr New Member

                      Good Morning.

                      It took a wee bit more tweaking, but yes, your answer definitely led to success!

                      Below are the relevant portions that I used.  Hoping it saves someone some time in the future.

                       

                       !
                       ip subnet-zero
                       ip classless
                       ip routing
                       !
                       no auto-config
                       !
                       interface eth 0/1
                         description Internal Connection
                         ip address  172.16.3.5  255.255.255.0
                         ip access-policy Private
                         no shutdown
                       !
                       interface eth 0/2
                         description External Connection
                         ip address  xx.yy.186.2  255.255.255.192
                         ip address range  xx.yy.186.3  xx.yy.186.5  255.255.255.192  secondary
                         ip access-policy Public
                         no rtp quality-monitoring
                         no shutdown
                       !
                       interface t1 1/1
                         description Not used
                         shutdown
                       !
                       interface ppp 1
                         shutdown
                       !
                       router rip
                         passive-interface eth 0/1
                         passive-interface eth 0/2
                       !
                       ip access-list extended ALL
                         ! Implicit permit (only for empty ACLs)
                       !
                       ip access-list extended AdminAccess
                         remark AdminAccess Access List
                         permit ip host aa.bb.198.84  any     log
                         permit tcp host aa.bb.198.84  any eq telnet   log
                         permit tcp host aa.bb.198.84  any eq https   log
                         permit tcp host aa.bb.198.84  any eq ssh   log
                         permit ip cc.dd.7.0 0.0.0.255  any     log
                       !
                       ip access-list extended LAN011
                         permit ip host 172.16.3.11  any
                       !
                       ip access-list extended LAN012
                         permit ip host 172.16.3.12  any
                       !
                       ip access-list extended LAN014
                         permit ip host 172.16.3.14  any
                       !
                       ip access-list extended LAN172.outbound
                         remark 172.outbound Net Allow Outbound
                         permit ip 172.16.3.0 0.0.0.255  any
                       !
                       ip access-list extended linuxip-acl
                         ! Implicit permit (only for empty ACLs)
                       !
                       ip access-list extended NATALL
                         permit ip 172.16.3.0 0.0.0.255  any
                       !
                       ip access-list extended self
                         remark Traffic to NetVanta
                         permit ip any  any     log
                       !
                       ip access-list extended WAN003
                         permit tcp any  host xx.yy.186.3 eq domain   log
                         permit udp any  host xx.yy.186.3 eq domain    log
                         permit tcp any  host xx.yy.186.3 eq www   log
                         permit tcp any  host xx.yy.186.3 eq https   log
                         permit tcp any  host xx.yy.186.3 eq 220   log
                         permit tcp any  host xx.yy.186.3 eq 143   log
                         permit tcp any  host xx.yy.186.3 eq pop3   log
                         permit tcp any  host xx.yy.186.3 eq smtp   log
                         permit tcp any  host xx.yy.186.3 eq ftp-data   log
                         permit tcp any  host xx.yy.186.3 eq ftp   log
                         permit tcp host aa.bb.198.84  host xx.yy.186.3 eq 3389   log
                         permit tcp cc.dd.7.0 0.0.0.255  host xx.yy.186.3 eq 3389   log
                       !
                       ip access-list extended WAN004
                         permit tcp any  host xx.yy.186.4 eq domain   log
                         permit udp any  host xx.yy.186.4 eq domain    log
                         permit tcp any  host xx.yy.186.4 eq ssh   log
                         permit udp any  host xx.yy.186.4 eq tftp    log
                         permit tcp any  host xx.yy.186.4 eq 989   log
                         permit tcp any  host xx.yy.186.4 eq 990   log
                         permit tcp any  host xx.yy.186.4 eq www   log
                         permit tcp any  host xx.yy.186.4 eq https   log
                         permit tcp host aa.bb.198.84  host xx.yy.186.4 eq 3389   log
                         permit tcp cc.dd.7.0 0.0.0.255  host xx.yy.186.4 eq 3389   log
                       !
                       ip access-list extended WAN005
                         permit tcp any  host xx.yy.186.5 eq domain   log
                         permit udp any  host xx.yy.186.5 eq domain    log
                         permit tcp any  host xx.yy.186.5 eq ssh   log
                         permit udp any  host xx.yy.186.5 eq tftp    log
                         permit tcp any  host xx.yy.186.5 eq 989   log
                         permit tcp any  host xx.yy.186.5 eq 990   log
                         permit tcp any  host xx.yy.186.5 eq www   log
                         permit tcp any  host xx.yy.186.5 eq https   log
                         permit tcp host aa.bb.198.84  host xx.yy.186.5 eq 3389   log
                         permit tcp cc.dd.7.0 0.0.0.255  host xx.yy.186.5 eq 3389   log
                       !
                       ip policy-class Private
                         nat source list LAN011 address xx.yy.186.4 overload
                         nat source list LAN012 address xx.yy.186.5 overload
                         nat source list LAN014 address xx.yy.186.3 overload
                         nat source list NATALL interface eth 0/2 overload
                         allow list LAN172.outbound stateless
                         allow list ALL self
                       !
                       ip policy-class Public
                         nat destination list WAN003 address 172.16.3.14
                         nat destination list WAN004 address 172.16.3.11
                         nat destination list WAN005 address 172.16.3.12
                         allow list AdminAccess
                       !
                       ip route 0.0.0.0 0.0.0.0 xx.yy.186.1
                       !