4 Replies Latest reply on Apr 7, 2014 9:49 AM by levi

    IP Policy Class configuration on NV 3430

    bbrown21 New Member

      <code>
      !
      ip policy-class Private
        allow list self self
        allow list ACL-Private policy Private stateless
        allow list ACL-Tunnel policy Tunnel stateless
        nat source list ACL-NAT interface eth 0/2 overload
      !
      </code>

      So I'm configuring a NV 3430 that has both a T1 connection and a Comcast connection on the same box. Everything appeared to be working well from the router, until I started trying to get places from local clients (default route is over PPP). After troubleshooting it looked like local clients on this router were being NAT'd when going over the PPP interface! So I knew the policy-class was missing something, but I'm not sure of the best way to remedy this situation. I know I could build a policy-class for the PPP interface, apply it and insert an allow-list * policy *PPP*, but what I'm wondering is whether there's something simpler where it will simply allow anything going over the PPP. I was looking at the 'self' and it says that it includes any 'local interface'. What I'm not sure of is whether or not PPP interfaces are considered local and are covered by 'self'. If so, I should be able to simply add a line like:

       

      <new code>
      !
      ip policy-class Private
        allow list self self
        allow list ACL-Private policy Private stateless
        allow list ACL-Private self stateless
        allow list ACL-Tunnel policy Tunnel stateless
        nat source list ACL-NAT interface eth 0/2 overload
      !
      </new code>

      Any other ideas on this would be appreciated. I know there's probably a simple solution I'm just overlooking.

        • Re: IP Policy Class configuration on NV 3430
          levi Employee

          bbrown21:

           

          Thank you for asking this question in the Support Community.  Is the T1 another Internet connection, or a point-to-point connection to another location?  If it is another Internet connection, are you using it for load sharing or Internet WAN failover (guides linked)?  If it is not an Internet connection, then typically the default route will be pointed out the Internet connection (Comcast in your example). 

           

          There are multiple ways to design/configure this application.  Please, provide some additional information about the T1 connection and I will give you recommendations.

           

          Levi

          1 of 1 people found this helpful
            • Re: IP Policy Class configuration on NV 3430
              bbrown21 New Member

              I wound up just adding a policy-class for the PPP interface and everything seems to be working well now. The T1 is a PPP connection to another location that serves as the primary source of internet (ideally). The Comcast in this setup would simply be for failover if the T1 went down. I am curious as to whether or not the 'self' would consider PPP to be a local interface, or if I did really need to build a policy-class for the PPP as well. Normally this is something we don't do, since the PPP interface goes back to our co-located facility for internet, so I don't need the router to firewall, since that is taken care of by a dedicated box.
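              The arrangement described in the posts above, written out as an added AOS configuration example (constructed here, not the original poster's or ADTRAN's config). Assumed names are ACL-Any, the policy-classes PPP and Public, and the interfaces ppp 1 and eth 0/2; ACL-Private, ACL-Tunnel, ACL-NAT, Private and Tunnel come from the thread.

```text
! Constructed example; ACL-Any, PPP, Public, ppp 1 and eth 0/2 are assumptions.
ip firewall
!
ip access-list extended ACL-Any
  permit ip any any
!
! Before: LAN traffic bound for the PPP link matches no allow entry, so it
! falls through to the nat entry, which carries no destination policy and
! therefore translates sessions leaving over ppp 1 to the eth 0/2 address.
ip policy-class Private
  allow list self self
  allow list ACL-Private policy Private stateless
  allow list ACL-Tunnel policy Tunnel stateless
  nat source list ACL-NAT interface eth 0/2 overload
!
! After: a dedicated class for the PPP link (allowed in both directions,
! stateless, since the far end firewalls this path), a Public class for the
! Comcast link, and NAT limited to traffic headed for the Public class.
ip policy-class PPP
  allow list ACL-Any policy Private stateless
!
ip policy-class Public
!
ip policy-class Private
  allow list self self
  allow list ACL-Private policy Private stateless
  allow list ACL-Private policy PPP stateless
  allow list ACL-Tunnel policy Tunnel stateless
  nat source list ACL-NAT interface eth 0/2 overload policy Public
!
interface ppp 1
  access-policy PPP
!
interface eth 0/2
  access-policy Public
```

              The empty Public class still denies everything inbound from the Comcast side except the return traffic the stateful NAT entry tracks.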

                • Re: IP Policy Class configuration on NV 3430
                  levi Employee

                  bbrown21:

                   

                  The firewall guide explains the self keyword: Configuring the Firewall (IPv4) AOS

                  The self parameter allows all packets passed by the ACL and destined for any local interface on the unit to enter the router system. These packets are terminated by the unit and are not routed or forwarded to other destinations. Using the self parameter is helpful when opening remote administrative access to the unit (Telnet, secure shell (SSH), ICMP, HTTP, Hypertext Transfer Protocol Secure (HTTPS), etc.).

                   

                  If you would like to reply with the current configuration (please, remember to remove any information that may be sensitive to the organization), I will be happy to review it for you.

                   

                  Levi

                  1 of 1 people found this helpful
              • Re: IP Policy Class configuration on NV 3430
                levi Employee

                bbrown21:

                 

                I went ahead and flagged this post as "Assumed Answered." If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                Thanks,

                 

                Levi