4 Replies Latest reply on Sep 22, 2015 9:37 AM by stephab

    We do not see the other Subnet, think it is the placement of the NAT statement.  Please advise

    stephab New Member

      Read a few conversations and the intervlan config PDF.

      Having trouble seeing a subnet

      I think it may be because the NAT statement is before the second intervlan statement.

      Here are the entries in question (in the order they appear in the current router config):

      !
      ip access-list extended web-acl-3
        remark InterVlan
        permit ip 172.16.0.0 0.0.0.255  10.0.0.0 0.255.255.255     log
      !
      ip access-list extended web-acl-4
        remark Traffic to unit
        permit ip any  any     log
      !
      ip access-list extended web-acl-5
        remark NAT
        permit ip any  any     log
      !
      ip access-list extended web-acl-6
        remark Intervlan
        permit ip 10.0.0.0 0.255.255.255  172.16.0.0 0.0.0.255     log

      Is the NAT statement the reason why the 10.0.0.0 subnet cannot see the 172.16.0.0 subnet?

      Should web-acl-6 be moved above web-acl-5?

      Please advise if additional info is required as well

      First time using the support forum

      Cheers

        • Re: We do not see the other Subnet, think it is the placement of the NAT statement.  Please advise
          cj! Beta_User

          Hi stephab:

          Thanks for posting your question in the Support Community!  The part of your configuration you have shared includes access-lists (ACLs) only.  In AOS, ACLs merely match/identify traffic.  A firewall policy is required to take action (allow/discard/nat) on traffic which has been matched by an ACL.

          ACLs in a running-config are always listed alphabetically.  Their order has no bearing on the unit's firewall logic.  However, allow/discard/nat policies within policy-classes (security zones) are processed top-down.  For this reason, the web GUI includes green up/down arrows next to each policy; this may be the fastest way to reorder them.  In the CLI, you need to "no" each policy as necessary and re-enter them in the desired order.  Beware that this could disrupt traffic, or even break your access to the unit over the network, so be careful making these changes via CLI.

          Will this be enough info to sort out your issue?  If you need further assistance, please include your policy-classes or consider attaching your entire config (edit first to remove any sensitive information like passwords, preshared keys and public IP addresses).

          Best,

          Chris

            • Re: We do not see the other Subnet, think it is the placement of the NAT statement.  Please advise
              stephab New Member

              Thank you for your reply, Chris.

              Will have a look next visit with my client.

              Here is the config:

              Another thing that is happening is that all workstations are receiving a 10.0.0.0 address, but all essentials (servers, routers, switches) are using a 10.10.10.0 address.

              Cannot ping anything unless I manually change my IP to a 10.10.10.0 address.

              BUT, the only address I can ping in the 172.16 range is 172.16.0.1... nothing else.

              Thanks

              Cheers

              Stephen

              ! ADTRAN, Inc. OS version R11.5.1.E
              ! Boot ROM version 13.03.00.SB
              ! Platform: NetVanta 3448, part number 1200821E1
              ! Serial number LBADTN1340AR695
              !
              !
              hostname *******
              enable password encrypted *************************
              !
              clock timezone -5-Eastern-Time
              !
              ip subnet-zero
              ip classless
              ip routing
              ipv6 unicast-routing
              !
              !
              domain-proxy
              name-server 4.2.2.1 8.8.8.8
              !
              !
              no auto-config
              auto-config authname adtran encrypted password **************************
              !
              event-history on
              no logging forwarding
              logging forwarding priority-level info
              no logging email
              !
              service password-encryption
              !
              username "admin" password encrypted "**************************************"
              username "Adm1n" password encrypted "***************************************"
              !
              banner motd #


                              ****** Important Banner Message ******


              Enable and Telnet passwords are configured to "password".
              HTTP and HTTPS default username is "admin" and password is "password".
              Please change them immediately.
              The switchport interfaces are enabled with an address of 10.10.10.1
              Telnet, HTTP, and HTTPS access are also enabled.
              To remove this message, while in configuration mode type "no banner motd".


                              ****** Important Banner Message ******
              #
              !
              !
              ip firewall
              no ip firewall alg msn
              no ip firewall alg mszone
              no ip firewall alg h323
              no ip firewall alg sip
              !
              !
              no dot11ap access-point-control
              !
              !
              vlan 1
                name "Default"
              !
              vlan 2
                name "Data LAN"
              !
              vlan 3
                name "Voice LAN"
              !
              !
              !
              no ethernet cfm
              !
              interface eth 0/1
                description Internet Connection
                no ip address
                no shutdown
              !
              !
              interface eth 0/2
                no ip address
                shutdown
              !
              !
              !
              interface switchport 0/1
                no shutdown
              !
              interface switchport 0/2
                no shutdown
                switchport access vlan 2
              !
              interface switchport 0/3
                no shutdown
                switchport access vlan 3
              !
              interface switchport 0/4
                no shutdown
                switchport access vlan 2
              !
              interface switchport 0/5
                no shutdown
                switchport access vlan 2
              !
              interface switchport 0/6
                no shutdown
                switchport access vlan 2
              !
              interface switchport 0/7
                no shutdown
                switchport access vlan 2
              !
              interface switchport 0/8
                no shutdown
                switchport access vlan 2
              !
              !
              !
              interface vlan 1
                ip address  192.168.0.1  255.255.255.0
                no shutdown
              !
              interface vlan 2
                description Data LAN
                ip address  10.10.10.3  255.0.0.0
                ip mtu 1500
                ip access-policy "Data LAN"
                media-gateway ip primary
                no shutdown
              !
              interface vlan 3
                description Voice LAN
                ip address  172.16.0.1  255.255.255.0
                ip mtu 1500
                ip access-policy "Voice LAN"
                no rtp quality-monitoring
                media-gateway ip primary
                no awcp
                no shutdown
              !
              interface ppp 1
                description Internet Connection
                ip address negotiated
                ip mtu 1500
                ip access-policy Public
                media-gateway ip primary
                no fair-queue
                ppp pap sent-username ********************** password encrypted *********************************
                no shutdown
                cross-connect 1 eth 0/1 ppp 1
              !
              !
              !
              !
              !
              !
              ip access-list extended web-acl-1
                remark traffic to unit
                permit ip any  any     log
              !
              ip access-list extended web-acl-10
                remark ftp
                permit tcp any  any range ftp-data ftp   log
              !
              ip access-list extended web-acl-11
                remark http
                permit tcp any  any eq www   log
              !
              ip access-list extended web-acl-12
                remark imap
                permit tcp any  any eq 143   log
              !
              ip access-list extended web-acl-14
                remark smtp relay out
                permit tcp any  any eq 2525   log
              !
              ip access-list extended web-acl-15
                remark terminal
                permit tcp any  any eq 3389   log
              !
              ip access-list extended web-acl-16
                remark monitor 1
                permit tcp any  any eq 1121   log
              !
              ip access-list extended web-acl-17
                remark monitor 2
                permit tcp any  any eq 1122   log
              !
              ip access-list extended web-acl-18
                remark tmonitor
                permit tcp any  any eq 8020   log
              !
              ip access-list extended web-acl-19
                remark smonitor
                permit tcp any  any eq 8021   log
              !
              ip access-list extended web-acl-2
                remark NAT
                permit ip any  any     log
              !
              ip access-list extended web-acl-20
                remark xmonitor
                permit tcp any  any eq 8022   log
              !
              ip access-list extended web-acl-21
                remark bmonitor
                permit tcp any  any eq 8023   log
              !
              ip access-list extended web-acl-22
                remark DVR 1
                permit tcp any  any eq 8000   log
              !
              ip access-list extended web-acl-23
                remark DVR 2
                permit tcp any  any eq 100   log
              !
              ip access-list extended web-acl-24
                remark DVR 3
                permit tcp any  any eq 10554   log
              !
              ip access-list extended web-acl-25
                remark Alarm1
                permit tcp any  any range 3060 3065   log
              !
              ip access-list extended web-acl-26
                remark Alarm 69
                permit tcp any  any eq 69   log
              !
              ip access-list extended web-acl-27
                remark Phone system NEC
                permit tcp any  any eq 8888   log
              !
              ip access-list extended web-acl-29
                remark jonar
                permit tcp any  any eq 4389   log
              !
              ip access-list extended web-acl-3
                remark InterVlan
                permit ip 172.16.0.0 0.0.0.255  10.0.0.0 0.255.255.255     log
              !
              ip access-list extended web-acl-4
                remark Traffic to unit
                permit ip any  any     log
              !
              ip access-list extended web-acl-5
                remark NAT
                permit ip any  any     log
              !
              ip access-list extended web-acl-6
                remark Intervlan
                permit ip 10.0.0.0 0.255.255.255  172.16.0.0 0.0.0.255     log
              !
              ip access-list extended web-acl-7
                remark Admin
                permit tcp any  any eq https   log
                permit tcp any  any eq ssh   log
              !
              ip access-list extended web-acl-8
                remark pop3
                permit tcp any  any eq pop3   log
              !
              ip access-list extended web-acl-9
                remark smtp
                permit tcp any  any eq smtp   log
              !
              !
              !
              !
              ip policy-class "Data LAN"
                allow list web-acl-1 self stateless
                allow list web-acl-3 stateless
                nat source list web-acl-2 interface ppp 1 overload policy Public
              !
              ip policy-class Public
                allow list web-acl-7 self
                nat destination list web-acl-8 address 10.10.10.7
                nat destination list web-acl-9 address 10.10.10.7
                nat destination list web-acl-10 address 10.10.10.21
                nat destination list web-acl-11 address 10.10.10.7
                nat destination list web-acl-12 address 10.10.10.7
                nat destination list web-acl-14 address 10.10.10.8
                nat destination list web-acl-15 address 10.10.10.9
                nat destination list web-acl-16 address 10.10.10.2
                nat destination list web-acl-17 address 10.10.10.5
                nat destination list web-acl-18 address 10.10.10.9
                nat destination list web-acl-19 address 10.10.10.2
                nat destination list web-acl-20 address 10.10.10.5
                nat destination list web-acl-21 address 10.10.10.15
                nat destination list web-acl-22 address 10.10.10.209
                nat destination list web-acl-23 address 10.10.10.209
                nat destination list web-acl-24 address 10.10.10.209
                nat destination list web-acl-25 address 10.10.10.239
                nat destination list web-acl-26 address 10.10.10.239
                nat destination list web-acl-27 address 172.16.0.10 port 8000
                nat destination list web-acl-29 address 10.10.10.5
              !
              ip policy-class "Voice LAN"
                allow list web-acl-4 self stateless
                allow list web-acl-6 stateless
                nat source list web-acl-5 interface ppp 1 overload
              !
              !
              !
              no tftp server
              no tftp server overwrite
              http server
              http secure-server
              no snmp agent
              no ip ftp server
              ip ftp server default-filesystem flash
              no ip scp server
              no ip sntp server
              !
              !

              sip udp 5060
              sip tcp 5060
              !
              !
              !
              !
              line con 0
                login
              !
              line telnet 0 4
                login
                password encrypted **************************
                no shutdown
              line ssh 0 4
                login local-userlist
                no shutdown
              !
              !
              end

            • Re: We do not see the other Subnet, think it is the placement of the NAT statement.  Please advise
              stephab New Member

              Update: when we connect the Voice LAN to the router, the VoIP phones do not work.  There is no 2-way traffic.

              I noticed the permit ip statements were assigned to different security zones.

              ip access-list extended web-acl-3 is assigned to the Voice LAN security zone

              ip access-list extended web-acl-6 is assigned to the Data LAN security zone

              Should I remove the association to the security zones?

              Or should I add the reverse permit ip statement for each security zone?

              Q: Does the security zone block traffic?

              Example:

              ip access-list extended web-acl-3  (assigned to security zone Data LAN)
                remark InterVlan
                permit ip 172.16.0.0 0.0.0.255  10.0.0.0 0.255.255.255     log

              add a permit ip 10.0.0.0 0.255.255.255  172.16.0.0 0.0.0.255 to this security zone?

              ip access-list extended web-acl-6
                remark Intervlan
                permit ip 10.0.0.0 0.255.255.255  172.16.0.0 0.0.0.255     log

              add a permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.255.255.255 to this security zone?

              • Re: We do not see the other Subnet, think it is the placement of the NAT statement.  Please advise
                stephab New Member

                Issue has been resolved.

                The problem in the end was the intervlan rules pointing in one direction only under their respective security policies.

                Added the return rule within each security policy.

                Was able to see voice and data traffic.

                Thank you for everyone's help in resolving the matter.
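The following is an added worked example, not code from this thread or from ADTRAN. It models the two points the thread turns on: Chris's explanation that ACLs only match traffic while the policy-class entries are evaluated top-down, and the final post's fix of adding the return-direction allow in each security zone. It is a deliberately simplified model of AOS policy-class evaluation with these assumptions: an `allow ... self` entry is treated as applying only to traffic destined to one of the unit's own interface addresses (taken from the posted `interface vlan` lines); the `stateless` keyword, the `policy Public` hand-off on the NAT line, protocols and ports are all ignored; and the added allow is inserted ahead of the `nat source` entry, which is my placement, chosen so that the allow is reached before the catch-all NAT rule. The host addresses 10.10.10.50 and 172.16.0.10 are constructed sample values.

```python
import ipaddress

# Addresses the unit itself owns, taken from the posted 'interface vlan' lines.
# ASSUMPTION: an 'allow ... self' policy only applies to traffic destined to one of these.
UNIT_ADDRESSES = {"192.168.0.1", "10.10.10.3", "172.16.0.1"}

# 'any' in an AOS ACL is equivalent to 0.0.0.0 with an all-ones wildcard.
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Classic ACL wildcard test: bits set in the wildcard are 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


# The six 'permit ip' ACLs from the thread, as ((src, src_wildcard), (dst, dst_wildcard)).
ACLS = {
    "web-acl-1": [(ANY, ANY)],  # traffic to unit (Data LAN)
    "web-acl-2": [(ANY, ANY)],  # NAT (Data LAN)
    "web-acl-3": [(("172.16.0.0", "0.0.0.255"), ("10.0.0.0", "0.255.255.255"))],
    "web-acl-4": [(ANY, ANY)],  # traffic to unit (Voice LAN)
    "web-acl-5": [(ANY, ANY)],  # NAT (Voice LAN)
    "web-acl-6": [(("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.0.0.255"))],
}


def acl_matches(name: str, src: str, dst: str) -> bool:
    return any(wildcard_match(src, *s) and wildcard_match(dst, *d) for s, d in ACLS[name])


# Policy-classes as ordered (action, acl, self_only) entries, transcribed from the posted config.
ORIGINAL = {
    "Data LAN": [("allow", "web-acl-1", True),
                 ("allow", "web-acl-3", False),
                 ("nat", "web-acl-2", False)],
    "Voice LAN": [("allow", "web-acl-4", True),
                  ("allow", "web-acl-6", False),
                  ("nat", "web-acl-5", False)],
}


def evaluate(policy_class, src: str, dst: str) -> str:
    """Walk the policy-class top-down; the first entry whose ACL matches decides.
    Anything that reaches the end of the list is discarded (implicit deny)."""
    for action, acl, self_only in policy_class:
        if self_only and dst not in UNIT_ADDRESSES:
            continue  # 'self' entries only cover traffic addressed to the unit
        if acl_matches(acl, src, dst):
            return action
    return "discard"


def with_return_allow(policy_class, acl: str, before_nat: bool = True):
    """Copy of the policy-class with an extra 'allow list <acl>' entry, placed either
    ahead of the first nat entry (so it is reached) or appended after it (never reached)."""
    new = list(policy_class)
    entry = ("allow", acl, False)
    if before_nat:
        idx = next(i for i, (action, _, _) in enumerate(new) if action == "nat")
        new.insert(idx, entry)
    else:
        new.append(entry)
    return new


# The fix described in the final post: each zone gets the allow for traffic that
# originates in that zone (the direction its existing inter-VLAN ACL did not cover).
FIXED = {
    "Data LAN": with_return_allow(ORIGINAL["Data LAN"], "web-acl-6"),
    "Voice LAN": with_return_allow(ORIGINAL["Voice LAN"], "web-acl-3"),
}

if __name__ == "__main__":
    data_host, phone = "10.10.10.50", "172.16.0.10"  # constructed sample hosts
    for label, classes in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "data->phone:", evaluate(classes["Data LAN"], data_host, phone))
        print(label, "phone->data:", evaluate(classes["Voice LAN"], phone, data_host))
        print(label, "data->unit :", evaluate(classes["Data LAN"], data_host, "172.16.0.1"))
```

With the original policy-classes, a workstation-to-phone packet entering the Data LAN zone never matches web-acl-3 (its source is not in 172.16.0.0/24), so the first matching entry is the catch-all `nat source` rule and the packet is treated as Internet-bound rather than allowed into the Voice LAN zone; the same happens in the other direction. Only packets addressed to the unit itself, such as 172.16.0.1, hit the `self` allow, which lines up with the observation that 172.16.0.1 was the one reachable address in that range. Once the return-direction allow is added above the NAT entry in each zone, both directions evaluate to `allow`; placing it below the NAT entry would leave it unreachable, which is the ordering point Chris made.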