2 Replies Latest reply on Jul 9, 2013 7:17 AM by noor

    Adtran 3448 will not ping between subnets with firewall applied

    killon New Member

      Hey Folks,


      I am configuring an Adtran 3448 and I am stumped.  I need the subnet on vlan 1 (192.168.3.0) to be able to talk to a subnet on another network (192.168.2.0).  The connection to the other network is physically connected to port 8 (vlan 15) with a route statement to the 192.168.2.0 network.  I can always ping any IP address in the 192.168.2.0 network from the router.  Here's the problem...  With the configuration below, from a PC on the 192.168.3.0 network I can ping the 192.168.2.0 network, but my internet does not work; HOWEVER, on the ip policy-class Private if I move my NAT statement to be first and then allow list INTERVLAN stateless as the second statement, I have Internet access, but I cannot ping the 192.168.2.0 network.  I can't figure out what's wrong in the ACLs.  Any suggestions?  I've tried all kinds of things with no luck.


      Below is the config (WAN IP's changed to 1.1.1.1 for security)

      -----------------------------------------------------------------------------------------

      interface eth 0/1
        description Connection To Internet
        speed 100
        ip address  1.1.1.1  255.255.255.252
        no shutdown
      !
      interface eth 0/2
        no ip address
        shutdown
      !
      interface switchport 0/1
        no shutdown
      !
      interface switchport 0/2
        no shutdown
      !
      interface switchport 0/3
        no shutdown
      !
      interface switchport 0/4
        no shutdown
      !
      interface switchport 0/5
        no shutdown
      !
      interface switchport 0/6
        no shutdown
      !
      interface switchport 0/7
        no shutdown
      !
      interface switchport 0/8
        description Uplink to Other Network
        no shutdown
        switchport access vlan 15
      !
      interface vlan 1
        description Customer LAN
        ip address  192.168.3.1  255.255.255.0
        ip access-policy Private
        no shutdown
      !
      interface vlan 15
        ip address  10.10.10.1  255.255.255.252
        ip access-policy Private
        no shutdown
      !
      ip access-list standard matchall
        permit any
      !
      ip access-list extended INTERVLAN
        permit ip any  any     log
      !
      ip access-list extended self
        permit ip any  any     log
      !
      ip access-list extended wan
        permit tcp any  any eq www   log
        permit tcp any  any eq telnet   log
        permit tcp any  any eq https   log
        permit tcp any  any eq ssh   log
        permit icmp any  any  echo   log
      !
      ip policy-class Private
        allow list INTERVLAN stateless
        nat source list matchall address 1.1.1.1 overload
      !
      ip policy-class Public
        allow list wan self
      !
      ip route 0.0.0.0 0.0.0.0 1.1.1.1
      ip route 192.168.2.0 255.255.255.0 10.10.10.2

        • Re: Adtran 3448 will not ping between subnets with firewall applied
          Employee

          killon - Thank you for posting your question on the forum!


          To understand what is happening here, you will need to know that traffic will look for a match on the policy-class and ACL in a top to bottom order. Once a matching entry is found, all remaining entries will not be checked. Since your ACLs, INTERVLAN and matchall, have a 'permit ip any any' entry, the ACL on top will match all traffic while the ACL below will never be checked.


          There are a couple of ways to configure this, but I would suggest restricting the INTERVLAN ACL so that instead of a 'permit ip any any' entry, you will have a 'permit 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255' entry and a 'permit 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255' entry. Also, the INTERVLAN allow statement will need to be placed above your internet NAT statement.


          I hope this answers your questions, but please do not hesitate if you have any issues.


          Thanks,

          Noor
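          A small Python model of the first-match policy-class behaviour Noor describes, added here as an example and not code from this thread or from Adtran. It evaluates killon's two orderings of the Private policy-class and Noor's narrowed INTERVLAN ACL against a LAN-to-other-subnet packet and a LAN-to-Internet packet; the Internet address 203.0.113.5 is a constructed sample, and ACL entries are modelled as CIDR pairs (wildcard 0.0.0.255 is /24).

```python
import ipaddress

# Constructed model of AOS first-match evaluation (not Adtran's code).
# Each ACL entry is a (source network, destination network) pair in CIDR;
# "any" is 0.0.0.0/0 and wildcard 0.0.0.255 corresponds to /24.
ACLS = {
    "matchall": [("0.0.0.0/0", "0.0.0.0/0")],           # permit any
    "INTERVLAN_any": [("0.0.0.0/0", "0.0.0.0/0")],      # permit ip any any (killon)
    "INTERVLAN_fixed": [("192.168.3.0/24", "192.168.2.0/24"),   # Noor's two
                        ("192.168.2.0/24", "192.168.3.0/24")],  # narrowed entries
}

def acl_matches(acl, src, dst):
    """True if any entry of the named ACL matches the src/dst addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in ACLS[acl])

def evaluate(policy, src, dst):
    """Return the action of the first policy-class entry that matches.
    policy is an ordered list of ('allow', acl) / ('nat', acl) tuples;
    later entries are never consulted once one matches."""
    for action, acl in policy:
        if acl_matches(acl, src, dst):
            return action
    return "drop"   # implicit deny at the end of the policy-class

def works(policy):
    """Inter-VLAN traffic must hit the plain 'allow' (the thread reports the
    ping fails once it is NATed instead); Internet traffic must hit 'nat'."""
    lan_to_other = evaluate(policy, "192.168.3.10", "192.168.2.20")
    lan_to_inet = evaluate(policy, "192.168.3.10", "203.0.113.5")  # constructed
    return {"other_subnet": lan_to_other == "allow",
            "internet": lan_to_inet == "nat"}

# killon's posted ordering: allow INTERVLAN (any any) above the NAT entry
ORIG_A = [("allow", "INTERVLAN_any"), ("nat", "matchall")]
# killon's second attempt: NAT matchall first, allow INTERVLAN second
ORIG_B = [("nat", "matchall"), ("allow", "INTERVLAN_any")]
# Noor's suggestion: narrowed INTERVLAN on top, NAT for everything else below
FIXED = [("allow", "INTERVLAN_fixed"), ("nat", "matchall")]

if __name__ == "__main__":
    for name, pol in (("original", ORIG_A), ("NAT first", ORIG_B), ("fixed", FIXED)):
        print(name, works(pol))
```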

            • Re: Adtran 3448 will not ping between subnets with firewall applied
              Employee

              killon -

              I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

              Thanks,

              Noor