2 Replies Latest reply on Apr 5, 2016 12:57 PM by abovepoint

    Frame-Relay Setup to pass WAN to customer Firewall

    abovepoint New Member

      Hello All, I have a setup that I am struggling with a little bit. Verizon did not provide T1 equipment for a 2x Frame-Relay T1, so I'm configuring an Adtran for my client, but a little confused how to avoid a double NAT since I do not want to use the 3430 as a firewall. I want the customer's equipment to handle all firewall and NAT.

       

      Here's the scenario:

       

      Verizon has provided me a /30 IP for the Frame-Relay Circuit, as well as a "LAN" set of public IP addresses of /30 as well.

       

      Of course, the first /30 Frame-Relay set of IPs is easy and my 0.0.0.0 route will go to the fr interface.

       

      However, the /30 for the "LAN" gives me only 1 "public" IP address for my eth 0/1 interface since the other usable IP is Verizon's default gateway ip for the LAN subnet. I then have no public IP to assign to my customer's firewall.

       

      Do I need to fix this by simply getting a bigger block from the provider, or is there a way to "bridge" this connection? My SE mentioned SBC, but I'm not very familiar with SBC and all the config guides I found really only have to do with VoIP and this is a data only configuration.

       

      Any guidance would be greatly appreciated!

        • Re: Frame-Relay Setup to pass WAN to customer Firewall
          petersjncv Visitor

          It is odd for a service provider not to provide a router for T1 termination if you are also getting IP space from them.  But if you are using an Adtran 3430, then you have a T1 interface and 2 Ethernet interfaces.  You should configure your frame relay T1 interface and assign the first /30 to that (likely x.x.x.2 with x.x.x.1 being the default gateway) and then configure your LAN interface similarly with the additional /30 (y.y.y.1 on the LAN interface, with y.y.y.2 for your customer firewall).  Customer firewall should use y.y.y.1 as its default gateway.

           

          Basically, both /30's aren't configured in Verizon's core. They are very likely configured to use the first /30 as the routed PTP IPs with the second /30 routed in their core to the far end IP built on your router from the first /30.  The entire /30 #2 will basically live on your router, so configure your LAN interface and firewall to use these IPs and you should be good to go.

            • Re: Frame-Relay Setup to pass WAN to customer Firewall
              abovepoint New Member

              That's exactly what I was thinking and turns out that the Verizon tech was telling me WRONG that I couldn't use the second /30 for my eth interface and the firewall. Thanks for confirming that for me! I spoke to an engineer today who cleared it up for me further. Thanks Verizon for sending me on a wild goose chase!

               

              Y.Y.Y.1 is the frame-relay /30

              X.X.X.1 is the eth /30

               

              Customer firewall would have X.X.X.2 with gateway of X.X.X.1

               

              Adtran 3430 MLFR 2xT1

              !
              !
              !
              hostname Verizon_Frame_Relay
              enable password adtran
              !
              !
              ip subnet-zero
              ip classless
              ip routing
              ip load-sharing per-destination
              !
              no auto-config
              !
              event-history on
              no logging forwarding
              no logging email
              logging email priority-level info
              !
              no service password-encryption
              !
              no ip firewall alg msn
              no ip firewall alg h323
              !
              interface eth 0/1
                description to Local LAN
                ip address X.X.X.1 255.255.255.252
                no shutdown
              !
              interface t1 1/1
                tdm-group 1 timeslots 1-24 speed 64
                no shutdown
              !
              interface t1 1/2
                tdm-group 1 timeslots 1-24 speed 64
                no shutdown
              !
              interface fr 1 point-to-point
                frame-relay lmi-type ansi
                frame-relay multilink
                frame-relay multilink bid MFR1
                max-reserved-bandwidth 100
                no shutdown
                cross-connect 1 t1 1/1 1 frame-relay 1
                cross-connect 2 t1 1/2 1 frame-relay 1
              !
              interface fr 1.500 point-to-point
                description WAN to Verizon
                frame-relay interface-dlci 500
                ip address Y.Y.Y.1 255.255.255.252
                no lldp send-and-receive
              !
              ip route 0.0.0.0 0.0.0.0 fr 1.500
              !
              no ip tftp server
              no ip tftp server overwrite
              no ip http server
              no ip http secure-server
              ip snmp agent
              no ip ftp server
              no ip scp server
              no ip sntp server
              !
              line con 0
                login
                password adtran
              !
              line telnet 0 4
                login
                password adtran
              !
              line-timeout 30
              line ssh 0 4
                login local-userlist
              !
              end
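
Added example, not part of the original posts: in this design the 3430 holds public addresses on both interfaces and is not acting as a firewall, so the login settings in the posted config are worth auditing before the circuit carries traffic. The sample lines are excerpted from the post above; `WEAK_PASSWORDS`, `stanzas` and `audit` are names made up for this illustration.

```python
# Added example (not from the thread). SAMPLE is excerpted from the config posted
# above; WEAK_PASSWORDS is a constructed list of guessable values.
SAMPLE = """\
enable password adtran
no service password-encryption
!
line telnet 0 4
login
password adtran
!
line ssh 0 4
login local-userlist
!
"""
WEAK_PASSWORDS = {"adtran", "password", "admin"}

def stanzas(text):  # yield (header, sub_commands); "!" or a new header closes a stanza
    header, subs = None, []
    # Blank lines are skipped so the double-spaced forum paste parses the same way.
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        opens = line.startswith(("line ", "interface "))
        if header is not None and (opens or line in ("!", "end")):
            yield header, subs
            header, subs = None, []
        if opens:
            header = line
        elif header is not None:
            subs.append(line)
        elif line != "!":
            yield line, []  # global command with no sub-commands
    if header is not None:
        yield header, subs

def audit(text):  # return findings for login settings visible in the config text
    findings = []
    for header, subs in stanzas(text):
        words = header.split()
        if header == "no service password-encryption":
            findings.append("config stores passwords in cleartext")
        if words[:2] == ["enable", "password"] and words[-1] in WEAK_PASSWORDS:
            findings.append("enable password is a guessable value")
        if words[:2] == ["line", "telnet"]:
            findings.append(f"{header}: telnet sends credentials unencrypted")
        for sub in subs:
            if sub.startswith("password ") and sub.split()[-1] in WEAK_PASSWORDS:
                findings.append(f"{header}: shared line password is a guessable value")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The `line ssh 0 4` stanza produces no finding because it authenticates against the local user list rather than a shared line password.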