6 Replies Latest reply on Oct 17, 2013 9:47 AM by david

    Public IP block behind NAT

    jwink New Member


         I have a customer with a /29 block behind a 908e that is doing NAT for phones.  The problem is the /29 is getting NATed to the IP on the 908 and that defeats the purpose of the customer's block.  Does anyone know of a configuration that would allow the /29 block IPs to show through and not be affected by the NAT?  My first thought is to try 802.1q encapsulation.  I'll attach some config examples and would greatly appreciate any feedback.

       

      interface eth 0/2
        encapsulation 802.1q
        no shutdown
      !
      interface eth 0/2.1
        vlan-id 1 native
        description customer LAN
        ip address 216.176.x.x 255.255.255.252
        no shutdown
      !
      interface eth 0/2.10
        vlan-id 10
        description phones
        access-policy Private
        qos-policy in SET_DSCP
        ip address 192.168.0.1 255.255.255.0
        no shutdown

      Would this NAT VLAN 10 but not 1 ?

        • Re: Public IP block behind NAT
          jayh Hall_of_Fame


          You don't have the access-policies shown so it's hard to tell.  Also you show a /30 for 216.176.x.x, not a /29.

           

          Assuming that the /30 is the point-to-point to the provider and they're routing a /29 of www.xxx.yyy.zzz to you, you would have something like the following:

           

          interface eth 0/2
            encapsulation 802.1q
            no shutdown
          !
          interface eth 0/2.1
            vlan-id 1 native
            description WAN link to ISP
            access-policy Public
            media-gateway ip primary
            ip address 216.176.x.x 255.255.255.252
            no shutdown
          !
          interface eth 0/2.10
            vlan-id 10
            description phones
            access-policy Private
            media-gateway ip primary
            qos-policy in SET_DSCP
            ip address 192.168.0.1 255.255.255.0
            no shutdown
          !
          interface eth 0/2.20
            vlan-id 20
            description Public LAN block
            access-policy Ethernet
            ip address www.xxx.yyy.zzz 255.255.255.248
            no shutdown
          !
          ip access-list standard ics
            remark Internet Connection Sharing
            permit any
          !
          ip access-list extended ether-in
            remark Ethernet in
            permit ip any www.xxx.yyy.zzz 0.0.0.7
            ! This is applied to the Public interface. Specifying the
            ! subnet of the LAN block itself prevents spoofing from outside.
          !
          ip access-list extended ether-out
            remark Ethernet out
            permit ip www.xxx.yyy.zzz 0.0.0.7 any
            ! This is applied to the Ethernet interface. Specifying the
            ! subnet of the interface itself prevents spoofing from inside.
          !
          ip policy-class Public
            allow list self self
            ! This allows the public zone to receive any traffic for the Adtran itself
            allow list ether-in policy Ethernet
            ! This allows traffic routed to the public addresses on the
            ! ethernet to be routed without NAT.
          !
          ip policy-class Ethernet
            allow list ether-out
          !
          ip policy-class Private
            allow list self self
            ! This allows traffic sourced from the Adtran to pass, such as ALG traffic.
            nat source list ics interface eth 0/2.1 overload
            ! Allows outbound NAT to the public Internet interface


          Now, on the switch connected to eth 0/2 you would create VLAN 20 which will have the routed /29 block.


          Alternatively, use eth 0/1 for the WAN to the provider and VLAN 10 and 20 on eth 0/2 for your public LAN and phones.

            • Re: Public IP block behind NAT
              jwink New Member

              Wondered if you could look at this config without using 802.1q.  I wrote this while trying to get the /29 and /30 around NAT.  It did not work; what am I missing?  I hope I didn't take out too much of the config.

               


              !
              ip firewall
              !
              no ip firewall nat-preserve-source-port
              no ip firewall alg msn
              no ip firewall alg mszone
              no ip firewall alg h323
              !
              no dot11ap access-point-control
              !
              qos map SET_DSCP 10
                match list VOICE_RTP
                set dscp ef
              qos map SET_DSCP 20
                match list VOICE_CTRL
                set dscp af31
              !
              qos map VOIP_STANDARD 10
                match dscp 46
                match dscp 26
                match list VOICE_RTP
                match list VOICE_CTRL
                priority unlimited
              !
              interface eth 0/1
                description Metro Ethernet
                ip address 209.x.x.x 255.255.255.0      ! this is the IP we use to manage the router for the customer
                access-policy Public
                media-gateway ip primary
                traffic-shape rate 7000000
                max-reserved-bandwidth 90
                qos-policy out VOIP_STANDARD
                no shutdown
              !
              interface ethernet 0/2
                description Voice and LAN
                ip address 216.176.x.x 255.255.255.252
                ip address 192.168.0.1 255.255.255.0 secondary
                ip address 216.176.x.x 255.255.255.248 secondary
                access-policy Private
                qos-policy in SET_DSCP
                no shutdown
              !
              ip access-list extended From_Cust_Public_IP
                remark From Customer Public IP Range
                permit ip 216.176.x.x 0.0.0.7 any       ! the /29 network
                permit ip 216.176.x.x 0.0.0.3 any       ! the /30 network
              !
              ip access-list extended To_Cust_Public_IP
                remark to Customer Public IP Range
                permit ip any host 216.176.x.x
                permit ip any host 216.176.x.x
                permit ip any host 216.176.x.x          ! the /29 addresses
                permit ip any host 216.176.x.x
                permit ip any host 216.176.x.x
                permit ip any host 216.176.x.x          ! the other /30
              !
              ip access-list standard VPN
                permit any
              !
              ip access-list standard wizard-ics
                remark Internet Connection Sharing
                permit any
              !
              ip access-list extended self
                remark Traffic to Total Access
                permit ip any any log
                remark VPN NO NAT
              !
              ip access-list extended SIP
                remark CCI SIP TRUNK
                permit udp any any eq 5060
              !
              ip policy-class Private
                allow list self self
                allow list From_Cust_Public_IP
                nat source list wizard-ics interface eth 0/1 overload
                allow list VPN
              !
              ip policy-class Public
                allow list To_Cust_Public_IP policy Private stateless
                allow list CCI
                allow list VPN
                allow list SIP
              !
              ip route 0.0.0.0 0.0.0.0 209.107.x.x
              !
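              The two designs above (the 802.1q layout with the ether-in anti-spoofing list in jayh's reply, and the secondary-IP layout in this post) can be checked mechanically for the two things the thread turns on: a public block sitting in the same policy-class as an overload NAT whose source list covers it, and a list routed into a zone that permits destinations outside that zone's own subnets. The script below is an added example written for this thread, not Adtran code and not anything posted by jwink or jayh. It is a minimal reader of the statement forms that appear in the posts (interface / ip address / access-policy, ip access-list, ip policy-class allow and nat lines), not a model of how AOS actually evaluates a policy-class, so a NAT-RISK finding is a flag for review, not a statement that the box will NAT that block. The embedded configs are constructed and use the documentation ranges 203.0.113.0/24 in place of the thread's 216.176.x.x addresses.

```python
# Added example, not Adtran code: lint an AOS-style config for the pitfalls in this thread.
# It knows only the statement forms the posts show and assumes top-level statements start in
# column 0 and that interface names are spelled the same in interface and nat lines.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_net(tokens):
    """Consume 'any' or 'A WILDCARD' from an ACL line; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    wild = int(ipaddress.ip_address(tokens[1]))  # 0.0.0.7 -> 7 -> /29 (contiguous wildcards only)
    return ipaddress.ip_network(f"{tokens[0]}/{32 - wild.bit_length()}", strict=False), tokens[2:]


def parse(text):
    """Interfaces {name: {addrs, policy}}, ACLs {name: [(src, dst)]}, policy-classes {name: [entries]}."""
    ifaces, acls, policies, kind, block = {}, {}, {}, None, None
    for raw in text.splitlines():
        t = raw.split("!", 1)[0].split()  # "!" opens an AOS comment
        if not t:
            continue
        if not raw[0].isspace():  # a top-level statement opens a new block
            kind, block = None, None
            if t[0] == "interface":
                kind, block = "if", ifaces.setdefault(" ".join(t[1:]), {"addrs": [], "policy": None})
            elif t[:2] == ["ip", "access-list"]:
                kind, block = "acl", acls.setdefault(t[3], [])
            elif t[:2] == ["ip", "policy-class"]:
                kind, block = "pc", policies.setdefault(t[2], [])
        elif kind == "if" and t[:2] == ["ip", "address"]:  # a trailing 'secondary' is ignored
            block["addrs"].append(ipaddress.ip_interface(f"{t[2]}/{t[3]}"))
        elif kind == "if" and t[0] == "access-policy":
            block["policy"] = t[1]
        elif kind == "acl" and t[0] == "permit":
            src, rest = to_net(t[2:] if t[1] in ("ip", "tcp", "udp") else t[1:])
            block.append((src, to_net(rest)[0] if rest else ANY))
        elif kind == "pc" and t[:2] == ["allow", "list"]:  # target: a zone name, "self", or None
            block.append(("allow", t[2], t[4] if t[3:4] == ["policy"] else (t[3:4] or [None])[0]))
        elif kind == "pc" and t[:3] == ["nat", "source", "list"]:
            block.append(("nat", t[3], " ".join(t[5:7])))  # NAT egress interface, e.g. "eth 0/1"
    return ifaces, acls, policies


def lint(cfg):
    ifaces, acls, policies = parse(cfg)
    zone = lambda p: [a.network for i in ifaces.values() if i["policy"] == p for a in i["addrs"]]
    outside = lambda nets, z: [str(n) for n in nets if not any(n.subnet_of(x) for x in z)]
    findings = []
    # 1. A public subnet in the same policy-class as an overload NAT whose source list covers it.
    for name, iface in ifaces.items():
        for net in (a.network for a in iface["addrs"]):
            for kind, lst, out in policies.get(iface["policy"], []):
                srcs = [s for s, _ in acls.get(lst, [])]
                if kind == "nat" and outside([net], RFC1918) and not outside([net], srcs):
                    findings.append(f"NAT-RISK {net} on {name}: class {iface['policy']} NATs sources "
                                    f"matching {lst} out {out}; confirm the block is exempted")
    # 2. ether-in style anti-spoofing: a list routed into another zone should permit only that zone's subnets.
    for pname, entries in policies.items():
        for kind, lst, target in entries:
            if kind == "allow" and target not in (None, "self") and lst in acls:
                bad = outside([d for _, d in acls[lst]], zone(target))
                if bad:
                    findings.append(f"SPOOF {pname}->{target}: list {lst} permits destinations {bad} outside {target}")
    return findings


# Constructed configs using documentation ranges in place of the thread's 216.176.x.x.
VLAN_CFG = """\
interface eth 0/2.1
  access-policy Public
  ip address 203.0.113.2 255.255.255.252
interface eth 0/2.10
  access-policy Private
  ip address 192.168.0.1 255.255.255.0
interface eth 0/2.20
  access-policy Ethernet
  ip address 203.0.113.9 255.255.255.248
ip access-list standard ics
  permit any
ip access-list extended ether-in
  permit ip any 203.0.113.8 0.0.0.7
ip policy-class Public
  allow list ether-in policy Ethernet
ip policy-class Private
  nat source list ics interface eth 0/2.1 overload
"""

SECONDARY_CFG = """\
interface eth 0/2
  access-policy Private
  ip address 203.0.113.2 255.255.255.252
  ip address 192.168.0.1 255.255.255.0 secondary
  ip address 203.0.113.9 255.255.255.248 secondary
ip access-list extended From_Cust_Public_IP
  permit ip 203.0.113.8 0.0.0.7 any   ! the /29
  permit ip 203.0.113.0 0.0.0.3 any   ! the /30
ip access-list standard wizard-ics
  permit any
ip policy-class Private
  allow list From_Cust_Public_IP
  nat source list wizard-ics interface eth 0/1 overload
"""
```

Running `lint(VLAN_CFG)` returns no findings: the /29 lives in its own Ethernet zone, the NAT entry is confined to the phones zone, and the ether-in list only reaches the /29. `lint(SECONDARY_CFG)` flags both public subnets on eth 0/2 because they share the Private class with a `permit any` overload NAT; whether the `allow list From_Cust_Public_IP` entry exempts them is exactly the question to take to the box, which is why the finding says "confirm" rather than asserting the behaviour. Loosening ether-in to `permit ip any any` produces a SPOOF finding, which is the mistake jayh's comment on that list warns against.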

               


                • Re: Public IP block behind NAT
                  jayh Hall_of_Fame

                  You have four layer-3 subnets with substantially different policies and QoS needs on a box with two physical interfaces.  In my opinion, 802.1q is the only practical way to make this work short of getting a box with more physical routed ports.

                   

                  Using secondary IPs on the same physical interface is very limiting in terms of ability to apply QoS, policy-classes, and the like.  It also makes it very interesting (and not in a good way) if one or more of the subnets has a DHCP server and you're trying to police who goes where.

                   

                  I would put the /30 from the provider on eth 0/1 and use 802.1q on eth 0/2 for the three subnets of data /29, voice-NAT /24, and out-of-band management.

                    • Re: Public IP block behind NAT
                      jwink New Member


                      Could you recommend a different router in the Adtran lineup?  Something more than an ethernet in and out.  Also, does every box in the Adtran family speak the same CLI?

                       

                      Thanks so much for your input, it's very much appreciated!

                        • Re: Public IP block behind NAT
                          jayh Hall_of_Fame

                          Netvanta 1335 has 24 ethernet ports as well as a modular slot for optional WAN interfaces such as T1.

                           

                          CLI for Adtran AOS is the same across just about everything. There will be some slight differences depending on the capabilities of the units and evolution of the code but it's essentially the same.

                           

                          It's also available in a PoE version for powering IP phones if needed.

                  • Re: Public IP block behind NAT
                    david Employee

                    Jwink,

                     

                    I went ahead and flagged this post as "Assumed Answered".  If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

                     

                    Thanks!

                    David