3 Replies Latest reply on Oct 27, 2015 5:52 AM by nfletcher2

    Adtran Netvanta 3200 - Pass all traffic

    nfletcher2 New Member

      I could really use some help from the Adtran masters here! I am pretty well versed on the system side and used to be pretty good with Cisco CLI, but we have an Adtran we are trying to get working and we are having issues. So on to our problem!

      Equipment: Adtran Netvanta running OS version 13.02.00 and a Mikrotik router

      Line in: Bonded T1 into a dual T1 card on the Adtran

      Ultimate goal: Pass all traffic and make the Adtran transparent.

      Setup: We have a client that recently ordered a bonded T1. The company they leased it from ran it into the building and did not quote any equipment to aggregate the line in. We were left with 2 open ports and no equipment to plug 2 T1 lines into. At all our sites we have a Mikrotik as our border router that performs OSPF routing over VPNs between sites. The Mikrotik must be the border device, or at least appear to be.

      What we have done: We set the Adtran up between the Mikrotik and the 2 open T1 ports. I have a console connection to the device. What we tried to do is a 1-to-1 NAT translation from the new external IP to an internal /30 between the Adtran and Mikrotik. Then we did another 1-to-1 NAT translation between the /30 IP and the external IP. This should have passed everything and made the Adtran transparent. But then the problem!

      The problem: When you enable NAT on this version of Adtran you also have to enable the firewall. We really did not want to filter packets. Just pass everything! We cannot seem to get the config worked out where it will pass everything. We have tried setting it to unfiltered and tried filtering but allowing all. Every time we switch the client onto the bonded T1 it starts dropping packets. We get notifications about spoofing attacks and post-connection SYN attacks. There are also several websites that the site utilizes that just flat out won't load when on the bonded T1. We have verified that the websites will load over the single T1 they still have and can load elsewhere, so the common denominator is the Adtran.

      How can we set this Adtran up to pass all traffic? If we are going about this the wrong way using NAT, I am open to suggestions. Either way the other router (the Mikrotik) needs to be accessible from the outside via the public IP address.

      Config: Below is a current config of what we have. I took out some identifying info to protect our client. Items changed are bolded and in italics.


      ! ADTRAN, Inc. OS version 13.02.00
      ! Boot ROM version 06.03.00
      ! Platform: NetVanta 3200, part number 1202860L1
      ! Serial number LBADTN0505AA057
      ! Flash: 16777216 bytes  DRAM: 33554431 bytes
      ! Date/Time: Tue Oct 20 2015, 09:12:08 GMT-05:00
      !
      !
      hostname "Companyname_Adtran"
      enable password encrypted 141asfdbv34987th954jnnos52bgin8b95
      !
      clock timezone -5
      clock no-auto-correct-DST
      !
      ip subnet-zero
      ip classless
      ip routing
      !
      auto-config
      !
      event-history on
      no logging forwarding
      no logging email
      logging email priority-level info
      !
      service password-encryption
      !
      username "admin" password encrypted "1c1ds897fb8438bfsdbv8b20f512883c"
      !
      !
      ip firewall
      no ip firewall alg msn
      no ip firewall alg h323
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      interface eth 0/1
        description Local LAN
        speed 100
        ip address  10.255.255.2  255.255.255.252
        access-policy PRIVATE
        max-reserved-bandwidth 100
        no shutdown
      !
      !
      !
      !
      interface t1 1/1
        clock source through
        tdm-group 1 timeslots 1-24 speed 64
        no shutdown
      !
      interface t1 1/2
        tdm-group 1 timeslots 1-24 speed 64
        no shutdown
      !
      !
      interface fr 1 point-to-point
        frame-relay lmi-type ansi
        frame-relay multilink
        frame-relay multilink bid MFR65000
        max-reserved-bandwidth 100
        no shutdown
        cross-connect 1 t1 1/1 1 frame-relay 1
        cross-connect 2 t1 1/2 1 frame-relay 1
      !
      interface fr 1.500 point-to-point
        frame-relay interface-dlci 500
        description WAN To ISP
        ip address WAN_IP  255.255.255.252
        access-policy PUBLIC
        no lldp send-and-receive
      !
      !
      !
      !
      !
      !
      ip access-list standard MATCHALL
        permit any
      !
      !
      ip access-list extended ALL
        ! Implicit permit (only for empty ACLs)
      !
      ip policy-class PRIVATE
        nat source list ALL address WAN_IP overload
        allow list ALL
        allow list ALL self
      !
      ip policy-class PUBLIC
        nat destination list ALL address 10.255.255.1
        allow list ALL
        allow list ALL self
      !
      !
      !
      ip route 0.0.0.0 0.0.0.0 WAN_NEXT_HOP
      !
      no ip tftp server
      no ip tftp server overwrite
      no ip http server
      no ip http secure-server
      no ip snmp agent
      no ip ftp server
      no ip scp server
      no ip sntp server
      !
      !
      !
      !
      !
      !
      !
      line con 0
        login
        password encrypted 1816f0u073d988cdflgjnosinv89408484ed
      !
      line telnet 0 4
        login local-userlist
        password encrypted 4ujnbef2f00gb3cdc07f1338dae4c656bd9f
        line-timeout 30
        no shutdown
      line ssh 0 4
        login local-userlist
        no shutdown
      !
      !
      end

        • Re: Adtran Netvanta 3200 - Pass all traffic
          nfletcher2 New Member

          Okay, so a little more information. Commands we have run since posting yesterday:

          no ip firewall check reflexive-traffic (Comment: Does not show in running config that this was applied after we ran command)

          no ip firewall check syn-flood (Comment: Shows in config)

          no ip firewall check rst-seq (Comment: Required us to select ports, selected range 0-65535. Config only shows no ip firewall check rst-seq 0)

          no ip firewall check winnuke (Comment: Shows in config)

          It appears that some websites will not load at all. We had to switch the client back to their legacy T1 line and cannot utilize the bonded T1 until we figure this out. For example, acesetsthepace.com will not load with this config.

          We are getting to the point where we are running out of ideas. If anyone has a better way for us to complete this, it would be greatly appreciated. Or even a different device that only aggregates the 2 T1s into a single Ethernet line and will allow us to manage the IP and everything from the site router, that would be even better. Suggestions?
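An added example, not part of the thread and not ADTRAN's own tooling: a small Python parser for the AOS-style running config posted in the question, extended with the `no ip firewall check` lines from the follow-up. It splits the config into top-level headers and their indented children, then cross-references interface `access-policy` bindings, `ip policy-class` entries, ACL names and the disabled firewall checks, so a reviewer can see at a glance what a NAT/firewall config actually wires together before debugging dropped traffic. The embedded `SAMPLE_CONFIG` is constructed, modelled on the posted config with its `WAN_IP` placeholder kept; the `ORPHAN` policy-class and `MISSING` ACL are added deliberately to exercise the checks. The script only inspects text; it makes no claim about how AOS itself evaluates these rules.

```python
"""Parse an ADTRAN AOS-style running config and report its NAT/firewall wiring.
Added example; SAMPLE_CONFIG is constructed (modelled on the thread's config)."""
import re

SAMPLE_CONFIG = """\
ip firewall
no ip firewall check syn-flood
no ip firewall check rst-seq 0
no ip firewall check winnuke
!
interface eth 0/1
  ip address  10.255.255.2  255.255.255.252
  access-policy PRIVATE
!
interface fr 1.500 point-to-point
  ip address WAN_IP  255.255.255.252
  access-policy PUBLIC
!
ip access-list standard MATCHALL
  permit any
!
ip access-list extended ALL
  ! Implicit permit (only for empty ACLs)
!
ip policy-class PRIVATE
  nat source list ALL address WAN_IP overload
  allow list ALL
  allow list ALL self
!
ip policy-class PUBLIC
  nat destination list ALL address 10.255.255.1
  allow list ALL
  allow list ALL self
!
ip policy-class ORPHAN
  allow list MISSING
"""


def parse_sections(text):
    """Split the config into (header, child_lines) blocks; indented lines belong to the last header."""
    sections, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' comments/separators carry no config
        if raw[0] in " \t":
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def summarize(text):
    """Collect firewall state, disabled checks, ACLs, policy-classes and interface bindings."""
    s = {"firewall_enabled": False, "disabled_checks": [], "acls": {},
         "policy_classes": {}, "bindings": {}}
    for header, body in parse_sections(text):
        if header in ("ip firewall", "no ip firewall"):
            s["firewall_enabled"] = header == "ip firewall"
        elif m := re.match(r"no ip firewall check (\S+)\s*(.*)$", header):
            s["disabled_checks"].append((m.group(1), m.group(2)))  # (check, argument)
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)$", header):
            s["acls"][m.group(1)] = body
        elif m := re.match(r"ip policy-class (\S+)$", header):
            s["policy_classes"][m.group(1)] = body
        elif header.startswith("interface "):
            for line in body:
                if line.startswith("access-policy "):
                    s["bindings"][header.split(" ", 1)[1]] = line.split()[1]
    return s


def find_issues(s):
    """Cross-reference the parsed pieces and return plain-text findings."""
    issues = []
    nat_present = any(e.startswith("nat ") for b in s["policy_classes"].values() for e in b)
    if nat_present and not s["firewall_enabled"]:
        issues.append("NAT entries exist but 'ip firewall' is not enabled")
    for iface, policy in s["bindings"].items():
        if policy not in s["policy_classes"]:
            issues.append(f"interface {iface} binds undefined policy-class {policy}")
    for name, body in s["policy_classes"].items():
        if name not in s["bindings"].values():
            issues.append(f"policy-class {name} is defined but bound to no interface")
        for entry in body:
            if (m := re.search(r"\blist (\S+)", entry)) and m.group(1) not in s["acls"]:
                issues.append(f"policy-class {name}: '{entry}' references undefined ACL {m.group(1)}")
    for name, body in s["acls"].items():
        if not body:
            issues.append(f"ACL {name} has no entries (the posted config annotates this as an implicit permit)")
    for check, arg in s["disabled_checks"]:
        issues.append(f"firewall check {check} disabled" + (f" with argument {arg}" if arg else ""))
    return issues


if __name__ == "__main__":
    for finding in find_issues(summarize(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against a real `show running-config` capture by reading the file into `summarize()`; the findings list is what to compare against the traffic symptoms (which policy-class a given interface is actually under, which ACL each `allow`/`nat` line resolves to, and which inspection checks have been switched off).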