6 Replies Latest reply on Mar 13, 2014 12:28 PM by bizman

    One to One NAT Not Working

    bizman New Member

      I have read through the examples of creating a one-to-one NAT and am struggling with the configuration.

      I want a private server 172.168.0.18 to be available to the public 64.x.x.161.

      Currently the configuration works for VOIP and Internet traffic (one-to-many NAT).

      ! ADTRAN, Inc. OS version R10.11.0
      ! Boot ROM version 13.03.00.SB
      ! Platform: NetVanta 3430, part number 1200820E1
      ! Serial number xxx
      !
      hostname "xxx"
      enable password xxx
      !
      ip subnet-zero
      ip classless
      ip default-gateway 64.x.x.98
      ip routing
      ipv6 unicast-routing
      !
      host "D-2950" 172.168.0.18
      domain-name "xxx"
      domain-proxy
      name-server x.x.x.x
      !
      auto-config
      !
      event-history on
      no logging forwarding
      no logging email
      !
      no service password-encryption
      !
      username "x" password "x"
      ip forward-protocol udp time
      ip forward-protocol udp nameserver
      ip forward-protocol udp tacacs
      ip forward-protocol udp tftp
      ip forward-protocol udp netbios-ns
      ip forward-protocol udp netbios-dgm
      ip forward-protocol udp 5061
      !
      ip firewall
      ip firewall stealth
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323
      no ip firewall alg sip
      !
      no dot11ap access-point-control
      !
      ip dhcp excluded-address 172.168.0.0 172.168.0.199
      ip dhcp excluded-address 172.168.0.255
      !
      ip dhcp pool "Private"
        network 172.168.0.0 255.255.255.0
        dns-server 172.168.0.1
        default-router 172.168.0.1
      !
      qos map ppp1QosWizard 20
        match ip rtp 8000 20000 all
        match dscp cs3 cs4 ef
        priority 926
      qos map ppp1QosWizard 21
        match ip list aclppp1QosWizSignal21
        set dscp 26
      !
      no ethernet cfm
      !
      interface eth 0/1
        ip address  172.168.0.1  255.255.255.0
        ip helper-address  64.x.x.98
        ip access-policy Private
        ip flow ingress S-2950
        no shutdown
      !
      interface eth 0/2
        no ip address
        no awcp
        shutdown
      !
      interface t1 1/1
        description T1
        tdm-group 1 timeslots 1-24 speed 64
        no shutdown
      !
      interface ppp 1
        ip address  64.x.x.98  255.255.255.252
        ip address range  64.x.x.161  64.x.x.166  255.255.255.0  secondary
        ip helper-address  64.x.x.98
        ip access-policy Public
        ip flow ingress S-2950
        qos-policy out ppp1QosWizard
        no shutdown
        cross-connect 1 t1 1/1 1 ppp 1
      !
      ip access-list standard wizard-ics
        remark Internet Connection Sharing
        permit any
      !
      ip access-list extended aclppp1QosWizSignal21
      !
      ip access-list extended web-acl-11
        remark S_private
        permit ip 172.168.0.0 0.0.0.255  any     log
      !
      ip access-list extended web-acl-12
        remark S_public
        permit ip 64.x.x.0 0.0.0.255  any     log
      !
      ip policy-class Private
        nat source list web-acl-11 address 64.x.x.161 overload
        allow list self self
        nat source list wizard-ics interface ppp 1 overload
      !
      ip policy-class Public
        nat destination list web-acl-12 address 172.168.0.18
      !
      ip route 0.0.0.0 0.0.0.0 64.x.x.97
      ip route 0.0.0.0 0.0.0.0 ppp 1
      ip route 172.168.0.0 255.255.255.0 64.x.x.95
      !
      no tftp server
      no tftp server overwrite
      http server
      no http secure-server
      no snmp agent
      no ip ftp server
      ip ftp server default-filesystem flash
      no ip scp server
      no ip sntp server
      !
      sip
      sip udp 5060
      no sip tcp
      !
      no ip rtp firewall-traversal
      !
      line con 0
        login
        password x
      !
      line telnet 0 4
        login
        password x
        no shutdown
      line ssh 0 4
        login local-userlist
        no shutdown
      !
      ntp server 216.x.x.x version 3 source ppp 1
      !
      end

        • Re: One to One NAT Not Working
          levi Employee

          bizman:

          Thank you for asking this question in the support community, and for including the relevant portions of your configuration.  The configuration for this application depends on whether you want a true 1:1 NAT, or simply an inbound 1:1 NAT (also known as a port forward).  Static 1:1 NAT allows connections initiated from a particular private Internet Protocol version 4 (IPv4) address to always map to a particular public IPv4 address. For every private host that requires a 1:1 NAT mapping, there must be a corresponding NAT address on the public side. In previous versions of AOS, this was accomplished by using an exhaustive list of all address mappings. AOS version 17.4 and later provide support for using NAT pools that list ranges of local and global IPv4 addresses to create the 1:1 mappings.  In this post, I will guide you on how to correct the minor mistakes in your current configuration, as well as provide recommendations for how to configure 1:1 NAT in the future.

          In the configuration you have submitted, it looks like you have attempted to set up a true 1:1 NAT (where one public IP address is linked to a private IP address for both inbound and outbound traffic) without utilizing the NAT pool feature.  Therefore, to correct the configuration for this application, you will need to modify the access-control lists (ACLs) for the match criteria.  In the "Public" policy-class you are referencing the ACL "web-acl-12" for the match criteria to be 1:1 NAT'ed.  The ACL and corresponding policy-class are listed below:


          ip access-list extended web-acl-12
            remark S_public
            permit ip 64.x.x.0 0.0.0.255  any     log

          ip policy-class Public
            nat destination list web-acl-12 address 172.168.0.18


          This ACL is used to determine which traffic will be selected for the 1:1 NAT.  In this case, you are saying "any traffic arriving at the ADTRAN's "Public" interface with a source address of 64.x.x.0 255.255.255.0 destined for any IP address should be forwarded to 172.168.0.18."  For a 1:1 NAT, most likely you should change the match criteria in the ACL to match only the single public address the traffic is destined for.  It will look similar to the following:


          ip access-list extended web-acl-12
            remark S_public
            permit ip  any host  64.x.x.161    log

          ip policy-class Public
            nat destination list web-acl-12 address 172.168.0.18


          This ACL essentially says "any traffic that arrives at the ADTRAN with a destination address of 64.x.x.161, forward that to the internal address of 172.168.0.18."  I think you had the concept nearly correct, but the order of the ACL needed to be changed.

          Furthermore, you will need to correct the exact same thing on the "Private" policy-class's ACL.  Currently, the ACL and policy-class are as follows:


          ip access-list extended web-acl-11
            remark S_private
            permit ip 172.168.0.0 0.0.0.255  any     log
          !
          ip policy-class Private
            nat source list web-acl-11 address 64.x.x.161 overload


          In this configuration, you will need to change "web-acl-11" to match traffic from the private host (172.168.0.18).  The ACL should be changed to something similar to the following:


          ip access-list extended web-acl-11
            remark S_private
            permit ip host 172.168.0.18  any     log


          I hope that makes sense, but please do not hesitate to reply to this post if you have any further questions or additional information.  I will be happy to help in any way I can.

          You mentioned you were referencing some documentation.  Which documentation were you reviewing?  This configuration can be found in the following guides:

          An example for this application can be found on page 40 of the Configuring the Firewall (IPv4) in AOS guide.  Furthermore, ADTRAN recommends 1:1 NAT applications use the NAT Pools feature, which is a slightly different method from the way you have it configured.  The example for this method starts on page 6:  Configuring NAT Pools in AOS

          Finally, for future reference, if you simply desire a one-way inbound mapping, then you can configure a port forward, by referencing the following links:

          [video] Configuring a Port Forward in AOS (NetVanta)

          Port Forwarding Quick Configuration Guide

          Again, do not hesitate to reply with any questions.

          Levi

            • Re: One to One NAT Not Working
              bizman New Member

              I made the changes as you indicated but I get the same result...  The router (port 80) is answering and wants me to log into the router web interface, which is what was happening before.  I want to get access to (port 80) on the local machine.  So the 1-to-1 NAT is still not working.  I am missing something.

                • Re: One to One NAT Not Working
                  levi Employee

                  bizman:

                  Typically, when you are prompted for the ADTRAN's login instead of being forwarded, that is because there is a more specific ACL entry in the policy-class that is matching the port 80 traffic and is used for "admin-access."

                  When you get a chance, will you please reply and attach the current configuration (please, remember to remove any information that might be sensitive to the organization)?  I will be happy to review the configuration for you.

                  Levi
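
The two rules levi's replies above rely on, modelled as an added example in Python (not ADTRAN code and not from the original thread): an extended ACL's source and destination fields are compared against the packet's own source and destination, so a `permit ip 64.x.x.0 0.0.0.255 any` entry only matches traffic *from* the public block and never an inbound packet *to* 64.x.x.161; and policy-class entries are taken first-match, so an earlier entry covering the router's own address shadows a later `nat destination` entry for the same traffic. The evaluator handles only `permit ip` entries in the `any`, `host` and base/wildcard forms, ignores ports and the trailing `log` keyword, and uses 198.51.100.x as a stand-in for the redacted 64.x.x.x block and 203.0.113.5 as a constructed outside client (both documentation ranges). The entry names and the `allow self` action string are assumptions made for the simulation.

```python
"""Constructed example: AOS/Cisco-style wildcard-mask ACL matching and a
first-match policy-class, applied to the inbound packet from the thread.
Not ADTRAN code; addresses are documentation ranges standing in for the
redacted ones in the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PUBLIC_HOST = "198.51.100.161"    # stand-in for the thread's 64.x.x.161
PRIVATE_HOST = "172.168.0.18"     # as in the thread (note: not inside RFC 1918 172.16.0.0/12)
INTERNET_CLIENT = "203.0.113.5"   # constructed outside client


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry normalised to base/wildcard pairs."""
    src_base: str
    src_wc: str
    dst_base: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src_base, self.src_wc)
                and wildcard_match(dst, self.dst_base, self.dst_wc))


def parse_ace(line: str) -> Ace:
    """Parse 'permit ip A B' where A/B are 'any', 'host X' or 'X WILDCARD'.
    Only 'permit ip' entries are handled; a trailing 'log' keyword is ignored."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported entry: {line!r}")
    rest, fields, i = tokens[2:], [], 0
    for _ in range(2):  # source field, then destination field
        if rest[i] == "any":
            fields += ["0.0.0.0", "255.255.255.255"]
            i += 1
        elif rest[i] == "host":
            fields += [rest[i + 1], "0.0.0.0"]
            i += 2
        else:
            fields += [rest[i], rest[i + 1]]
            i += 2
    return Ace(*fields)


def acl_permits(acl: list[str], src: str, dst: str) -> bool:
    """First matching entry wins; no match is the implicit deny at the end."""
    return any(parse_ace(entry).matches(src, dst) for entry in acl)


@dataclass(frozen=True)
class PolicyEntry:
    action: str            # assumed label, e.g. "allow self" or "nat destination ..."
    acl: tuple[str, ...]   # the ACL the entry references


def policy_action(policy: list[PolicyEntry], src: str, dst: str) -> Optional[str]:
    """Policy-class entries are first-match too: the first entry whose ACL
    permits the packet decides what happens to it."""
    for entry in policy:
        if acl_permits(list(entry.acl), src, dst):
            return entry.action
    return None  # nothing matched: the firewall discards the packet


# The thread's original "Public" ACL keys on the SOURCE being in the public block ...
ORIGINAL_WEB_ACL_12 = ["permit ip 198.51.100.0 0.0.0.255 any log"]
# ... while the corrected one keys on the DESTINATION being the single public host.
CORRECTED_WEB_ACL_12 = ["permit ip any host 198.51.100.161 log"]

# "Public" policy-class with the 1:1 NAT entry alone, and with an entry that keeps
# traffic for the router's own address on the router placed ahead of it.
NAT_ONLY = [PolicyEntry("nat destination " + PRIVATE_HOST, tuple(CORRECTED_WEB_ACL_12))]
ADMIN_FIRST = [PolicyEntry("allow self", ("permit ip any host " + PUBLIC_HOST,)),
               NAT_ONLY[0]]


def inbound_summary() -> dict[str, object]:
    """Evaluate the inbound packet client -> public host against each variant."""
    src, dst = INTERNET_CLIENT, PUBLIC_HOST
    return {
        "original_acl_matches_inbound": acl_permits(ORIGINAL_WEB_ACL_12, src, dst),
        "original_acl_matches_outbound_from_public_block":
            acl_permits(ORIGINAL_WEB_ACL_12, "198.51.100.163", src),
        "corrected_acl_matches_inbound": acl_permits(CORRECTED_WEB_ACL_12, src, dst),
        "nat_only_action": policy_action(NAT_ONLY, src, dst),
        "admin_first_action": policy_action(ADMIN_FIRST, src, dst),
    }


if __name__ == "__main__":
    for name, value in inbound_summary().items():
        print(f"{name}: {value}")
```

Running it shows the original web-acl-12 matching only packets sourced from the public block (the outbound direction), the corrected entry matching the inbound packet to the public host, and the `nat destination` action being returned only when no earlier entry for the router's own address is placed in front of it; with such an entry first, the packet is handed to the router itself, which is the symptom of seeing the router's login page on port 80. The `0.0.0.7` check in the test below is the same wildcard the thread's S-2950 ACL uses for 64.x.x.160 through 64.x.x.167.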

                    • Re: One to One NAT Not Working
                      bizman New Member

                      Attached is the current configuration. 

                      no ethernet cfm
                      !
                      interface eth 0/1
                        ip address  172.168.0.1  255.255.255.0
                        ip helper-address  64.x.x.98
                        ip access-policy Private
                        ip flow ingress S-2950
                        no shutdown
                      !
                      interface eth 0/2
                        no ip address
                        no awcp
                        shutdown
                      !
                      interface t1 1/1
                        description AA T1
                        tdm-group 1 timeslots 1-24 speed 64
                        no shutdown
                      !
                      interface ppp 1
                        ip address  64.x.x.98  255.255.255.252
                        ip address range  64.x.x.161  64.x.x.166  255.255.255.0  secondary
                        ip helper-address  64.x.x.98
                        ip access-policy Public
                        ip flow ingress S-2950
                        qos-policy out ppp1QosWizard
                        no shutdown
                        cross-connect 1 t1 1/1 1 ppp 1
                      !
                      ip access-list standard wizard-ics
                        remark Internet Connection Sharing
                        permit any
                      !
                      ip access-list extended aclppp1QosWizSignal21
                      !
                      ip access-list extended S-2950
                        permit ip 64.x.x.160 0.0.0.7  any     log
                      !
                      ip access-list extended web-acl-11
                        remark S_private
                        permit ip host 172.168.0.18  any     log
                      !
                      ip access-list extended web-acl-12
                        remark S_public
                        permit ip any  host 64.x.x.161     log
                      !
                      ip policy-class Private
                        nat source list web-acl-11 address 64.x.x.161 overload
                        allow list self self
                        nat source list wizard-ics interface ppp 1 overload
                      !
                      ip policy-class Public
                        nat destination list web-acl-12 address 172.168.0.18
                      !
                      ip route 0.0.0.0 0.0.0.0 64.x.x.97
                      ip route 0.0.0.0 0.0.0.0 ppp 1
                      ip route 172.168.0.0 255.255.255.0 64.x.x.95
                      !

                        • Re: One to One NAT Not Working
                          levi Employee

                          bizman:

                          Thank you for replying with this information.  The only thing I see in the configuration is the secondary range on PPP 1 (ip address range  64.x.x.161  64.x.x.166  255.255.255.0  secondary).  Is that supposed to be a 255.255.255.0 subnet mask?

                          When you get a chance, when you attempt to connect to the public interface, will you reply (and attach) the output from the show ip policy-sessions command?  I will be happy to review this output and see what is happening when you attempt to connect to the 64.x.x.161 IP address.

                          Levi
