neomatrix1217

Cannot Ping Nodes past Adtran 3448

I have a NetVanta 3448. The customer has Time Warner Fiber running to 3 locations; all locations funnel out through the main location for internet. I have two VLANs: VLAN 1 using 10.72.35.x and VLAN 100 using 10.3.0.x for private communication between sites. The internet is working fine; all locations can get out to the internet. The problem is I cannot ping any nodes past the Adtran using VLAN 100; nodes will respond to pings using VLAN 1 but not VLAN 100. Firewall is running; see below for config. Thanks in advance for any help.

no ethernet cfm
!
interface eth 0/1
  description TWBC internet
  ip address 71.40.59.x 255.255.255.248
  ip mtu 1500
  ip access-policy Public
  no shutdown
!
!
interface eth 0/2
  no ip address
  shutdown
!
!
!
interface switchport 0/1
  no shutdown
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  speed 100
  no shutdown
  switchport access vlan 100
!
interface switchport 0/4
  no shutdown
!
interface switchport 0/5
  no shutdown
!
interface switchport 0/6
  no shutdown
!
interface switchport 0/7
  no shutdown
!
interface switchport 0/8
  no shutdown
!
!
!
interface vlan 1
  ip address 10.72.32.5 255.255.255.0
  ip access-policy Private
  no shutdown
!
interface vlan 100
  ip address 10.3.0.1 255.255.255.224
  ip mtu 1500
  ip access-policy Private
  no awcp
  no shutdown
!
!
!
router rip
  version 2
!
!
!
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any any log
!
ip access-list extended web-acl-5
  remark Barracuda
  permit tcp any host 71.40.59.x eq 8000 log
!
ip access-list extended web-acl-6
  remark NetVanta Telnet
  permit tcp any any eq telnet log
  permit tcp any any eq ssh log
!
ip access-list extended web-acl-7
  remark Allow
  permit ip 10.3.0.0 0.0.0.31 10.3.0.0 0.0.0.31
  permit ip 10.72.32.0 0.0.0.255 10.72.33.0 0.0.0.255
  permit ip 10.72.33.0 0.0.0.255 10.72.32.0 0.0.0.255
  permit ip 10.72.32.0 0.0.0.255 10.72.34.0 0.0.0.255
  permit ip 10.72.34.0 0.0.0.255 10.72.32.0 0.0.0.255
  permit ip 10.72.32.0 0.0.0.255 10.72.35.0 0.0.0.255
  permit ip 10.72.35.0 0.0.0.255 10.72.32.0 0.0.0.255
  permit ip 10.72.32.0 0.0.0.255 10.72.32.0 0.0.0.255 log
!
ip access-list extended web-acl-9
  permit ip 10.3.0.0 0.0.255.255 any
!
ip access-list extended wizard-pfwd-1
  remark Port Forward 1
  permit tcp any host 71.40.59.x eq www log
!
ip access-list extended wizard-remote-access
  remark do not hand edit this ACL
  permit tcp any any eq telnet log
  permit tcp any any eq ssh log
  permit tcp any any eq https log
!
!
!
!
ip policy-class INTERVLAN
  allow list web-acl-9 policy INTERVLAN
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
  allow list web-acl-7
!
ip policy-class Public
  nat destination list wizard-pfwd-1 address 10.72.32.5
  nat destination list web-acl-5 address 10.72.32.254
  allow list web-acl-6 self
!
!
!
ip route 0.0.0.0 0.0.0.0 71.40.59.x
ip route 10.72.33.0 255.255.255.0 10.3.0.3
ip route 10.72.34.0 255.255.255.0 10.3.0.4
ip route 10.72.35.0 255.255.255.0 10.3.0.5

Anonymous

Re: Cannot Ping Nodes past Adtran 3448


Thank you for asking this question in the support community.  I'm not certain I follow your question, specifically, which portion is not working, but am I correct that the problem you are experiencing is routing between subnets? 

If this is the problem, there are several things to check.  First, verify the devices have the appropriate default-gateway configured.  Next, it appears that both subnets are configured in the "Private" policy-class.  In the "Private" policy-class, you may need to move the "nat source list wizard-ics interface eth 0/1 overload" entry below the "allow list web-acl-7," because that appears to be the ACL that you would like to use to allow private subnets to communicate with each other (furthermore, I recommend adding the keyword stateless after the "allow list web-acl-7" entry).  If that entry is below the "NAT," then the source of the IP address will be modified, and routed to the incorrect place on returning traffic.

I hope that makes sense, but based on your configuration and brief description, I think the problem is the order of your firewall entries.  Please, do not hesitate to reply to this post with any additional questions or information.  I will be happy to help in any way I can.

Levi
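As an added illustration (not code from the original post or from ADTRAN), here is a small Python model of the top-down, first-match evaluation the reply describes, run over the posted ACLs with the Private policy-class in its original order and in the recommended order. It assumes that an entry carrying a destination policy-class (the "self" entry) only matches traffic addressed to the router itself, and it models nothing else of AOS.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    # ACL-style match: bits set in the wildcard mask are "don't care".
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

ANY = ("0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")
# Permit entries (src, src_wildcard, dst, dst_wildcard) copied from the posted ACLs.
ACLS = {
    "wizard-ics": [ANY],
    "self": [ANY],
    "web-acl-7": [
        ("10.3.0.0", "0.0.0.31", "10.3.0.0", "0.0.0.31"),
        ("10.72.32.0", "0.0.0.255", "10.72.33.0", "0.0.0.255"),
        ("10.72.33.0", "0.0.0.255", "10.72.32.0", "0.0.0.255"),
        ("10.72.32.0", "0.0.0.255", "10.72.34.0", "0.0.0.255"),
        ("10.72.34.0", "0.0.0.255", "10.72.32.0", "0.0.0.255"),
        ("10.72.32.0", "0.0.0.255", "10.72.35.0", "0.0.0.255"),
        ("10.72.35.0", "0.0.0.255", "10.72.32.0", "0.0.0.255"),
        ("10.72.32.0", "0.0.0.255", "10.72.32.0", "0.0.0.255"),
    ],
}
# The router's own VLAN addresses (assumption: traffic to them is the "self" class).
ROUTER_ADDRS = {"10.72.32.5", "10.3.0.1"}

def acl_permits(name, src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in ACLS[name])

# Policy-class entries as (action, acl, required destination policy-class or None).
ORIGINAL_PRIVATE = [
    ("allow", "self", "self"),
    ("nat source overload eth 0/1", "wizard-ics", None),
    ("allow", "web-acl-7", None),
]
REORDERED_PRIVATE = [  # the order the reply recommends
    ("allow", "self", "self"),
    ("allow stateless", "web-acl-7", None),
    ("nat source overload eth 0/1", "wizard-ics", None),
]

def evaluate(policy_class, src, dst):
    # Top-down, first match wins; anything unmatched hits the implicit discard.
    dst_class = "self" if dst in ROUTER_ADDRS else None
    for action, acl, dest_policy in policy_class:
        if dest_policy is not None and dest_policy != dst_class:
            continue
        if acl_permits(acl, src, dst):
            return action
    return "discard"
```

With the original order, a 10.72.32.x to 10.72.33.x packet is consumed by the wizard-ics NAT entry and never reaches web-acl-7; with the recommended order it is allowed untouched while internet-bound traffic still falls through to NAT.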