1 Reply Latest reply on Sep 6, 2013 2:22 PM by levi

    Cannot Ping Nodes past Adtran 3448

    neomatrix1217 New Member

      I have a NetVanta 3448. The customer has Time Warner Fiber running to 3 locations; all locations funnel out through the main location for internet. I have two VLANs: VLAN 1 using 10.72.35.x and VLAN 100 using 10.3.0.x for private communication between sites. The internet is working fine and all locations can get out to the internet. The problem is I cannot ping any nodes past the Adtran using VLAN 100; nodes will respond to pings using VLAN 1 but not VLAN 100. Firewall is running; see below for the config. Thanks in advance for any help.

      no ethernet cfm
      !
      interface eth 0/1
        description TWBC internet
        ip address 71.40.59.x 255.255.255.248
        ip mtu 1500
        ip access-policy Public
        no shutdown
      !
      !
      interface eth 0/2
        no ip address
        shutdown
      !
      !
      !
      interface switchport 0/1
        no shutdown
      !
      interface switchport 0/2
        no shutdown
      !
      interface switchport 0/3
        speed 100
        no shutdown
        switchport access vlan 100
      !
      interface switchport 0/4
        no shutdown
      !
      interface switchport 0/5
        no shutdown
      !
      interface switchport 0/6
        no shutdown
      !
      interface switchport 0/7
        no shutdown
      !
      interface switchport 0/8
        no shutdown
      !
      !
      !
      interface vlan 1
        ip address 10.72.32.5 255.255.255.0
        ip access-policy Private
        no shutdown
      !
      interface vlan 100
        ip address 10.3.0.1 255.255.255.224
        ip mtu 1500
        ip access-policy Private
        no awcp
        no shutdown
      !
      !
      !
      router rip
        version 2
      !
      !
      !
      !
      !
      !
      ip access-list standard wizard-ics
        remark Internet Connection Sharing
        permit any
      !
      !
      ip access-list extended self
        remark Traffic to NetVanta
        permit ip any any log
      !
      ip access-list extended web-acl-5
        remark Barracuda
        permit tcp any host 71.40.59.x eq 8000 log
      !
      ip access-list extended web-acl-6
        remark NetVanta Telnet
        permit tcp any any eq telnet log
        permit tcp any any eq ssh log
      !
      ip access-list extended web-acl-7
        remark Allow
        permit ip 10.3.0.0 0.0.0.31 10.3.0.0 0.0.0.31
        permit ip 10.72.32.0 0.0.0.255 10.72.33.0 0.0.0.255
        permit ip 10.72.33.0 0.0.0.255 10.72.32.0 0.0.0.255
        permit ip 10.72.32.0 0.0.0.255 10.72.34.0 0.0.0.255
        permit ip 10.72.34.0 0.0.0.255 10.72.32.0 0.0.0.255
        permit ip 10.72.32.0 0.0.0.255 10.72.35.0 0.0.0.255
        permit ip 10.72.35.0 0.0.0.255 10.72.32.0 0.0.0.255
        permit ip 10.72.32.0 0.0.0.255 10.72.32.0 0.0.0.255 log
      !
      ip access-list extended web-acl-9
        permit ip 10.3.0.0 0.0.255.255 any
      !
      ip access-list extended wizard-pfwd-1
        remark Port Forward 1
        permit tcp any host 71.40.59.x eq www log
      !
      ip access-list extended wizard-remote-access
        remark do not hand edit this ACL
        permit tcp any any eq telnet log
        permit tcp any any eq ssh log
        permit tcp any any eq https log
      !
      !
      !
      !
      ip policy-class INTERVLAN
        allow list web-acl-9 policy INTERVLAN
      !
      ip policy-class Private
        allow list self self
        nat source list wizard-ics interface eth 0/1 overload
        allow list web-acl-7
      !
      ip policy-class Public
        nat destination list wizard-pfwd-1 address 10.72.32.5
        nat destination list web-acl-5 address 10.72.32.254
        allow list web-acl-6 self
      !
      !
      !
      ip route 0.0.0.0 0.0.0.0 71.40.59.x
      ip route 10.72.33.0 255.255.255.0 10.3.0.3
      ip route 10.72.34.0 255.255.255.0 10.3.0.4
      ip route 10.72.35.0 255.255.255.0 10.3.0.5

        • Re: Cannot Ping Nodes past Adtran 3448
          levi Employee

          neomatrix1217:


          Thank you for asking this question in the support community.  I'm not certain I follow your question, specifically, which portion is not working, but am I correct that the problem you are experiencing is routing between subnets? 


          If this is the problem, there are several things to check.  First, verify the devices have the appropriate default-gateway configured.  Next, it appears that both subnets are configured in the "Private" policy-class.  In the "Private" policy-class, you may need to move the "nat source list wizard-ics interface eth 0/1 overload" entry below the "allow list web-acl-7," because that appears to be the ACL that you would like to use to allow private subnets to communicate with each other (furthermore, I recommend adding the keyword stateless after the "allow list web-acl-7" entry).  If that entry is below the "NAT," then the source of the IP address will be modified, and routed to the incorrect place on returning traffic.


          I hope that makes sense, but based on your configuration and brief description, I think the problem is the order of your firewall entries.  Please, do not hesitate to reply to this post with any additional questions or information.  I will be happy to help in any way I can.


          Levi
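The ordering point Levi makes about the "Private" policy-class, modelled as an added Python example (not from the thread and not ADTRAN code): it parses the posted ACL lines with their wildcard masks and walks the policy-class entries top-down, first match wins, so the same site-to-site packet is source-NATed with the posted order and passed untouched with the suggested order. WAN_IP is a placeholder for the post's masked 71.40.59.x, and the implicit discard at the end of the policy-class is an assumption of the model.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_match(tokens):
    """Consume one address spec from an AOS ACL line: 'any' or 'addr wildcard'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    # ipaddress accepts an (address, hostmask) tuple, so a wildcard mask maps directly
    return ipaddress.ip_network((tokens[0], tokens[1])), tokens[2:]

def parse_acl(text):
    """Turn 'permit ...' lines into (src_net, dst_net) pairs; remarks and 'log' are ignored."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "permit":
            continue
        tokens = tokens[1:]
        if tokens[0] == "ip":            # extended ACL; a standard ACL has no protocol
            tokens = tokens[1:]
        src, tokens = parse_match(tokens)
        dst, _ = parse_match(tokens) if tokens else (ANY, [])
        entries.append((src, dst))
    return entries

# The two ACLs the "Private" policy-class references (web-acl-7 trimmed to the entries used here).
ACLS = {
    "wizard-ics": parse_acl("permit any"),
    "web-acl-7": parse_acl("""
        permit ip 10.3.0.0 0.0.0.31 10.3.0.0 0.0.0.31
        permit ip 10.72.32.0 0.0.0.255 10.72.35.0 0.0.0.255
        permit ip 10.72.35.0 0.0.0.255 10.72.32.0 0.0.0.255
        permit ip 10.72.32.0 0.0.0.255 10.72.32.0 0.0.0.255 log
    """),
}

# Policy-class entries as (action, acl). WAN_IP is a placeholder for the post's masked 71.40.59.x.
WAN_IP = ipaddress.ip_address("192.0.2.1")
AS_POSTED = [("nat source", "wizard-ics"), ("allow", "web-acl-7")]
AS_SUGGESTED = [("allow", "web-acl-7"), ("nat source", "wizard-ics")]

def evaluate(policy, src, dst):
    """Walk the policy-class top-down; return (action, source address the packet leaves with)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl in policy:
        if any(src in s and dst in d for s, d in ACLS[acl]):
            return (action, str(WAN_IP if action == "nat source" else src))
    return ("discard", None)   # assumed: traffic matching no entry is discarded
```

With the posted order, a VLAN 1 host reaching a remote site leaves with the WAN address and the remote router returns traffic toward eth 0/1 instead of the originating subnet; with the suggested order the same packet is allowed unchanged and only internet-bound traffic is NATed.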