6 Replies Latest reply on Oct 6, 2014 12:17 PM by david

    remote administration

    sum1 New Member

      Hello

       

      I have a 900e setup w/ a t1 connection to the internet w/ an ip address of x.x.x.242 (provider's edge is x.x.x.241)

      eth1 is configured as the first of my usable IPs from my provider. Its address is 40.x.x.145, and with that interface I can provide internet access to the other 4 usable IP addresses (40.x.x.146-150).

      eth0 is configured as 192.x.x.2 and is the private side of the 908e's firewall with the t1 port being the public side of the firewall. Thus 192.x.x.2 is the router/gateway to the internet for our LAN.

       

      From the LAN I can administer the 908e via the web browser GUI via 192.x.x.2 and via 40.x.x.145.  Even though 40.x.x.145 is public, I cannot ping it when the firewall is enabled, and I cannot remotely log in via the web GUI and administer the 908e from the public internet using either the 40.x.x.145 or the x.x.x.242 address.

       

      Is it possible to set up remote web administration with the firewall engaged as I have it?

       

      Also, is it possible to have a similar setup with a 3200 series T1 router?  I.e., where there is a provider edge and an IP address for the T1 port that faces the provider's edge, then a firewall that allows a private 192.x.x.x network to get internet access from the T1 port?  It seems that the usable IPs have to be configured somehow as well to conform to what the provider is giving us.

       

      Thank you

       

      Robert

        • Re: remote administration
          sum1 New Member

          I figured out the remote admin in the firewall section under security zone.

           

          However, I'm still wondering if it is possible to have a similar setup with a 3200 series T1 router?  I.e., where there is a provider edge and an IP address for the T1 port that faces the provider's edge, then a firewall that allows a private 192.x.x.x network to get internet access from the T1 port?  It seems that the usable IPs have to be configured somehow as well to conform to what the provider is giving us.

           

          Robert

            • Re: remote administration
              cj! Beta_User

              Hi Robert:

               

              I've used the 3200 mostly for point-to-point T1 links between offices, but we have used T1 Internet from a provider in our area on the 4430.  You need to set up an IP interface of some kind; we used PPP (not sure of all the options, but I think PPP is pretty common).  The PPP interface is assigned to a security zone and basically works like any other public interface.  Here's an example:

               

              !
              interface t1 0/1
                description Internet_T1
                tdm-group 1 timeslots 1-24 speed 64
                no shutdown
              !
              interface ppp 1
                description Internet_T1
                ip address 12.34.56.78 255.255.255.252
                ip mtu 1500
                ip access-policy Public
                no shutdown
                cross-connect 1 t1 0/1 1 ppp 1
              !

               

              Here's a great article with configuration examples: Configuring PPP in AOS

              Also useful:  Configuring PPP Authentication in AOS - Quick Configuration Guide

                • Re: remote administration
                  sum1 New Member

                  Thank you

                   

                  I'm not sure the provider will work with a PPP connection; I think it is all HDLC (maybe this is apples and oranges though).

                   

                  Sounds like the 3200 might not be able to go directly to the LAN because it only has one Ethernet port.

                  Is there a way to have a virtual router/firewall in the 3200 allow a connection to the LAN?

                  Assuming the 3200 can't, can you confirm this configuration should work for public internet access for our LAN:

                   

                  Public Internet<->

                  Provider's Edge<->

                  3200 T1 port<->

                  3200 Ethernet port using first usable IP address from the provider<->

                  Basic Firewall/Router WAN port with second usable IP address from provider<->

                  Basic Firewall/Router Ethernet Port<->

                  LAN

                   

                  Thanks

                   

                  Robert

                    • Re: remote administration
                      cj! Beta_User

                      Robert:

                       

                      That's outside my experience; good question.  I would guess that bridging is possible between the T1 and Ethernet interfaces of the 3200, but I'm not sure it will get you where you need.  I think you'll have to use the 3200 to support whatever Layer 3 protocol is being used across the T1 by the ISP.  The guide Configuring Bridging in AOS is really good, covering legacy bridging techniques and configuration examples.

                       

                      Perhaps someone else will have a more definitive answer!  Let us know if you learn something useful along the way.

                       

                      Chris

                      • Re: remote administration
                        jayh Hall_of_Fame

                        sum1 wrote:

                         

                        I'm not sure the provider will work with a PPP connection; I think it is all HDLC (maybe this is apples and oranges though).

                        You can configure either PPP or HDLC encapsulation; as long as it matches the provider, you're good.

                         

                        Sounds like the 3200 might not be able to go directly to the LAN because it only has one Ethernet port.

                        Is there a way to have a virtual router/firewall in the 3200 allow a connection to the LAN?

                        Assuming the 3200 can't, can you confirm this configuration should work for public internet access for our LAN:

                         

                        Public Internet<->

                        Provider's Edge<->

                        3200 T1 port<->

                        3200 Ethernet port using first usable IP address from the provider<->

                        Basic Firewall/Router WAN port with second usable IP address from provider<->

                        Basic Firewall/Router Ethernet Port<->

                        LAN

                         

                        If you are assigning private IPs to the LAN, you can NAT directly to the PPP or HDLC serial interface IP and not need a routed LAN block from the ISP.  The single IP on the serial link can be both the remote management for the 3200 and the outside NAT for the LAN.  The only potential conflict would be if a server on the LAN requires outside telnet, ssh, or web access; you would need to use a different port for the Adtran.

                         

                        Alternatively, if the provider gives you a routed LAN block such as a /29, you can assign an IP in that range as a loopback on the 3200 and anchor the NAT to that loopback or any IP in that block.

                         

                        You can also use VLANs on the Ethernet interface to create multiple logical Ethernet interfaces on the one physical, and then break them out to physical interfaces with a switch. 

                         

                        In other words, yes it's very possible and there are multiple ways to do it.  I wouldn't recommend bridging here.
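
The single-address arrangement described in the reply above (LAN NATed to the serial interface IP, with that same IP used for remote management), sketched as an added example that is not from the thread or from ADTRAN documentation. The access-list and policy-class contents, the 192.168.1.1 LAN address and the 203.0.113.10 management host are placeholders, and the firewall commands follow common AOS syntax as an assumption to check against the AOS command reference; only the `interface ppp 1` lines come from the example earlier in the thread.

```text
! Added example: AOS-style firewall sketch, placeholders throughout.
ip firewall
!
! Traffic from the private LAN that is translated on the way out.
ip access-list standard NAT-LAN
  permit any
!
! Remote management is accepted only from one known outside host
! (203.0.113.10 is a documentation-range placeholder), and only
! over the encrypted services. Telnet and plain HTTP are not listed.
ip access-list extended ADMIN-IN
  permit tcp host 203.0.113.10 any eq https log
  permit tcp host 203.0.113.10 any eq ssh log
!
! Private zone: LAN hosts may reach the router itself, and everything
! else is NATed to the address on the serial (PPP) interface.
ip policy-class Private
  allow list self self
  nat source list NAT-LAN interface ppp 1 overload
!
! Public zone: the only inbound traffic allowed to the router itself
! is what ADMIN-IN matches; all other unsolicited traffic is dropped.
ip policy-class Public
  allow list ADMIN-IN self
!
interface eth 0/1
  description LAN
  ip address 192.168.1.1 255.255.255.0
  ip access-policy Private
  no shutdown
!
interface ppp 1
  description Internet_T1
  ip address 12.34.56.78 255.255.255.252
  ip access-policy Public
  no shutdown
  cross-connect 1 t1 0/1 1 ppp 1
!
```

Limiting ADMIN-IN to a fixed source keeps the management interface off the open internet while still allowing the single public address to serve as the NAT outside address.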

                  • Re: remote administration
                    david Employee

                    Robert,

                     

                    I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                     

                    Thanks,

                    David