2 Replies Latest reply on Oct 9, 2012 12:32 PM by tonycaf

    PAT statements not working

    tonycaf New Member

      Hi all. Trying to port forward on a 908e, but it is not working. Below is the config. Would appreciate any help.

      ip firewall
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323

      interface eth 0/1
        description WAN interface
        speed 100
        ip address  74.8.x.x  255.255.255.252
        ip address  63.x.x.162  255.255.255.248  secondary
        access-policy OUTSIDE
        ip access-group NOSPOOF in
        ip flow ingress
        ip flow egress
        no shutdown

      interface eth 0/2
        description LAN interface
        ip address  192.168.0.1  255.255.255.0
        no ip proxy-arp
        access-policy INSIDE
        no shutdown

      ip access-list standard MGDR_TELNET
        remark Telnet Access List
        permit 64.x.x.0 0.0.0.31
        permit 64.x.x.0 0.0.3.255
        permit 64.x.x.0 0.0.3.255
        permit 207.x.x.192 0.0.0.7
        permit 205.x.x.0 0.0.0.255
        permit host 63.x.x.86
        permit host 216.x.x.86
        permit 74.8.x.x 0.0.0.3
        permit 64.206.x.x 0.0.0.3
      !
      ip access-list extended NAT
        permit ip host 192.168.0.128  any
        permit ip host 192.168.0.155  any
        permit ip 192.168.0.0 0.0.0.255  any
      !
      ip access-list extended NOSPOOF
        deny   53 any  any
        deny   55 any  any
        deny   77 any  any
        deny   103 any  any
        deny   ip 127.0.0.0 0.255.255.255  any
        deny   ip 255.0.0.0 0.255.255.255  any
        deny   ip 224.0.0.0 7.255.255.255  any
        deny   ip host 0.0.0.0  any
        deny   ip 10.0.0.0 0.255.255.255  any
        deny   ip 172.16.0.0 0.15.255.255  any
        deny   ip 192.168.0.0 0.0.255.255  any
        deny   ip 63.x.x.160 0.0.0.7  any
        permit ip any  any

      ip access-list extended PAT01
        permit tcp any  host 63.x.x.162 eq 1723
        permit tcp any  host 63.x.x.162 eq 3389
        permit gre any  host 63.x.x.162
        permit udp any  host 63.x.x.162 eq 1723
      !
      ip access-list extended PAT02
        permit tcp any  host 63.x.x.162 eq 143
        permit tcp any  host 63.x.x.162 eq pop3
        permit tcp any  host 63.x.x.162 eq https
        permit tcp any  host 63.x.x.162 eq smtp
        permit udp any  host 63.x.x.162 eq 25
      !
      ip access-list extended PAT03
        permit tcp any  host 63.x.x.162 eq 4000
      !
      ip access-list extended PAT04
        permit tcp any  host 63.x.x.162 eq 8245
        permit tcp any  host 63.x.x.162 eq 9010
        permit tcp any  host 63.x.x.162 eq 9011
      !
      ip access-list extended PAT05
        permit tcp any  host 63.x.x.162 eq 9898
      !
      ip access-list extended SELF
        permit ip 192.168.0.0 0.0.0.255  192.168.0.0 0.0.0.255
      !
      ip access-list extended SMTP_OUT
        permit tcp host 192.168.0.3  any eq smtp
        permit udp host 192.168.0.3  any eq 25

      ip policy-class INSIDE
        allow list SELF
        nat source list SMTP_OUT address 63.x.x.162 overload
        nat source list NAT interface eth 0/1 overload
      !
      ip policy-class OUTSIDE
        allow list MGDR_TELNET
        nat destination list PAT01 address 192.168.0.2
        nat destination list PAT03 address 192.168.0.15
        nat destination list PAT04 address 192.168.0.10
        nat destination list PAT05 address 192.168.0.50
        nat destination list PAT02 address 192.168.0.3

        • Re: PAT statements not working
          david Employee

          Tonycaf,

          Thanks for posting!  There are a couple of things I would check first as potential problems.  First, given your configuration, you would not be able to test the port forward from any device matching the MGDR_TELNET ACL.  Since this is a standard ACL, it will match all traffic from those sources and not allow any other rules to be checked.  If you suspect this is the problem, you may want to consider making MGDR_TELNET an extended ACL that specifies just the specific protocols used for management.  Alternatively, you could move that rule, "allow list MGDR_TELNET", to the bottom of the list of rules.  Generally speaking you want your more specific rules at the top of your list and the most general rules at the bottom.

          Another thing to always check is to make sure that the devices on the LAN, 192.168.0.0/24, are using the Adtran unit's LAN IP address as their default gateway.  We want to make sure that return traffic goes through the Adtran unit.  Lastly, to check the behavior of any session/flow through the firewall, we can use the "show ip policy-sessions" command.  This will show us if traffic has been allowed through the unit and if any IP address translation has taken place.

          Feel free to respond to this thread if you have any further questions.

          Thanks!

          David
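The rule-ordering point in the reply above (a source-only standard ACL at the top of the OUTSIDE policy class is matched first, so the "nat destination" rules below it are never consulted for traffic from those sources) can be checked with a small first-match simulation. The script below is an added example, not code from this thread or from Adtran: it models an ordered policy class as "walk the rules top to bottom, the first rule whose ACL permits the packet decides", treats a standard ACL entry as matching on source only, and assumes an implicit discard when no rule matches. The addresses are constructed placeholders (203.0.113.0/27 for the management range, 198.51.100.162 for the forwarded public address, 192.168.0.2 for the internal host), not the addresses in the thread.

```python
"""Toy first-match evaluator for an ordered list of firewall policy rules.

Added example (not from the thread and not Adtran's code). It models the
behaviour described in the reply: rules are walked top to bottom, and the
first rule whose ACL permits the packet decides, so an "allow" keyed on a
source-only (standard) ACL shadows later "nat destination" rules for any
traffic from those sources. All addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard form of "any"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco-style wildcard compare: a set wildcard bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Entry:
    """One ACL entry. A standard ACL entry is proto 'ip', any dst, no port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: tuple = ANY                 # (network, wildcard)
    dst: tuple = ANY
    dport: Optional[int] = None      # None means any destination port


def entry_matches(e: Entry, pkt: dict) -> bool:
    if e.proto != "ip" and e.proto != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *e.src):
        return False
    if not wildcard_match(pkt["dst"], *e.dst):
        return False
    return e.dport is None or pkt.get("dport") == e.dport


def acl_permits(acl: list, pkt: dict) -> bool:
    """First matching entry decides; no match is an implicit deny."""
    for e in acl:
        if entry_matches(e, pkt):
            return e.action == "permit"
    return False


def evaluate(policy: list, acls: dict, pkt: dict) -> tuple:
    """Walk the policy class top to bottom; the first permitting ACL wins.

    A packet matching no rule is reported as discarded (assumed default).
    """
    for action, acl_name, *args in policy:
        if acl_permits(acls[acl_name], pkt):
            return (action, *args)
    return ("discard",)


# Constructed stand-ins: 203.0.113.0/27 is the management range,
# 198.51.100.162 the public address being forwarded, 192.168.0.2 the RDP host.
ACLS = {
    "MGDR_TELNET": [Entry("permit", "ip", ("203.0.113.0", "0.0.0.31"))],
    "PAT01": [Entry("permit", "tcp", ANY, ("198.51.100.162", "0.0.0.0"), 3389)],
}
AS_POSTED = [("allow", "MGDR_TELNET"), ("nat destination", "PAT01", "192.168.0.2")]
REORDERED = [("nat destination", "PAT01", "192.168.0.2"), ("allow", "MGDR_TELNET")]

FROM_MGMT = {"proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.162", "dport": 3389}
FROM_ELSEWHERE = {"proto": "tcp", "src": "198.18.0.9", "dst": "198.51.100.162", "dport": 3389}


def compare() -> dict:
    """Return the verdict each rule ordering gives for the two test packets."""
    return {
        "mgmt_as_posted": evaluate(AS_POSTED, ACLS, FROM_MGMT),
        "mgmt_reordered": evaluate(REORDERED, ACLS, FROM_MGMT),
        "other_as_posted": evaluate(AS_POSTED, ACLS, FROM_ELSEWHERE),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:16s} -> {verdict}")
```

With the rules in the posted order, a connection from the management range to port 3389 is consumed by the "allow" rule and never reaches the PAT01 forward, while the same connection from any other source is translated; with "allow list MGDR_TELNET" moved below the nat destination rules, both sources get the forward. This is the same first-match shadowing the reply describes, and the same reason the more specific rules belong above the general ones.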