1 Reply Latest reply on Oct 14, 2016 5:38 PM by jayh

    One to one NAT for new VLAN not working

    dwolf New Member

      I am trying to implement a second VPN device on a new VLAN 3 on switchport 0/8, but I can't even get ICMP to work. I can ping the new SSLVPN device from the source switchport 0/8, but I can't from the interface eth 0/2. The ACLs and Policies are all the same, yet the original VPN works and the new SSLVPN doesn't (ICMP). I need the dedicated public IP to route directly to this new SSLVPN IP. The public IP comes in on eth 0/2 and the SSLVPN device is on switchport 0/8.


      I have provided the relevant parts of my configuration below and would appreciate a second set of eyes to see what I am missing.


      Thanks,

      dwolf

      !
      !
      ! ADTRAN, Inc. OS version R10.9.0.E
      ! Boot ROM version 13.03.00.SB
      ! Platform: NetVanta 3448,
      ip policy-timeout udp all-ports 300
      !
      ip firewall
      ip firewall fast-nat-failover
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323
      no ip firewall alg sip
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      vlan 1
        name "Default"
      !
      vlan 2
        name "Voice"
      !
      vlan 3
        name "SSLVPN"
      !
      !
      !
      no ethernet cfm
      !
      interface eth 0/1
        description WAN-1
        ip address xx.yy.28.61 255.255.255.248
        ip mtu 1500
        ip address xx.yy.28.57 255.255.255.248 secondary
        ip address xx.yy.28.59 255.255.255.248 secondary
        ip access-policy Public
        ip flow ingress
        ip flow egress
        qos-policy out eth0/2QosWizard
        no shutdown
      !
      !
      interface eth 0/2
        description MegaPath
        ip address xx.yy.186.170 255.255.255.252
        ip mtu 1500
        ip address range xx.yy.79.83 xx.yy.79.84 255.255.255.248 secondary
        ip access-policy Public2
        ip flow ingress
        ip flow egress
        qos-policy out eth0/2QosWizard
        no shutdown
      !
      !
      !
      interface switchport 0/1
        no shutdown
      !
      interface switchport 0/2
        no shutdown
      !
      interface switchport 0/3
        no shutdown
      !
      interface switchport 0/4
        no shutdown
      !
      interface switchport 0/5
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/6
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/7
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/8
        no shutdown
        switchport access vlan 3
      !
      !
      !
      interface vlan 1
        ip address 192.xx.yy.1 255.255.255.0
        ip access-policy Private
        no shutdown
      !
      interface vlan 2
        ip address 172.xx.yy.1 255.255.255.0
        ip policy route-map VoiceMap
        ip access-policy Private
        no shutdown
      !
      interface vlan 3
        description Fortinet SSL VPN device
        ip address 10.xxx.yy.2 255.255.255.252
        ip access-policy PrivateSSLVPN
        no shutdown
      !
      !
      !
      !
      route-map local permit 10
        match ip address wan1
        set ip next-hop xx.yy.28.62
      route-map local permit 20
        match ip address wan2
        set ip next-hop xxx.yyy.186.169
      route-map VoiceMap permit 10
        match ip address VoiceMap
        set ip next-hop xxx.yyy.186.169
        set interface null 0
      !
      !
      !
      !
      ip access-list standard natpool
        permit any
      !
      ip access-list standard natpool2
        permit any
      !
      ip access-list standard self
        permit any
      !
      !
      ip access-list extended acleth0/2QosWizRTP20
        permit ip 172.xx.yy.0 0.0.0.255 any
      !
      ip access-list extended acleth0/2QosWizSignal21
        permit udp any any range 5060 5061
        permit tcp any any range 5060 5061
      !
      !
      ip access-list extended SSLVPN
        remark xx.yy.79.84 -> 10.xxx.yy.1
        permit icmp any host xx.yy.79.84 log
        permit tcp any host xx.yy.79.84 eq https
        permit udp any host xx.yy.79.84 eq 443
      !
      ip access-list extended SSLVPN-Out2
        remark 10.xxx.yy.1 : xx.yy.79.84
        permit icmp host 10.xxx.yy.1 any log
        permit udp host 10.xxx.yy.1 eq 443 any
        permit tcp host 10.xxx.yy.1 eq https any
      !
      ip access-list extended VoiceMap
        permit ip 172.xx.yy.0 0.0.0.255 any track wan2
        deny ip any any
      !
      ip access-list extended VPN
        permit icmp any host xx.yy.28.57 echo log
        permit gre any host xx.yy.28.57
        permit tcp any host xx.yy.28.57 eq 1723
      !
      ip access-list extended VPN-Out
        remark 192.xx.yy.250 : xx.yy.28.57
        permit gre host 192.xx.yy.250 any
        permit tcp host 192.xx.yy.250 eq 1723 any
        permit icmp host 192.xx.yy.250 any
      !
      ip access-list extended VPN-Out2
        remark 192.xx.yy.250 : xx.yy.79.83
        permit gre host 192.xx.yy.250 any
        permit tcp host 192.xx.yy.250 eq 1723 any
        permit icmp host 192.xx.yy.250 any
      !
      ip access-list extended VPN2
        permit icmp any host xx.yy.79.83 echo
        permit gre any host xx.yy.79.83
        permit tcp any host xx.yy.79.83 eq 1723
      !
      ip access-list extended wan1
        permit icmp host xx.yy.28.61 host 4.2.2.4 log
      !
      ip access-list extended wan2
        permit icmp host xxx.yyy.186.170 host xxx.yyy.186.169 log
      !
      ip access-list extended web-acl-1
        remark Jive Allow
        permit ip 199.36.248.0 0.0.3.255 172.xx.yy.0 0.0.0.255
      !
      ip access-list extended web-acl-2
        remark Jive Allow 2
        permit ip 199.87.120.0 0.0.3.255 172.xx.yy.0 0.0.0.255
      !
      ip access-list extended web-acl-3
        remark Admin Access
        permit tcp any any eq https log
        permit tcp any any eq ssh log
        permit icmp any any echo log
      !
      ip access-list extended web-acl-4
        remark Jive Allow 3
        permit ip 162.250.60.0 0.0.3.255 172.xx.yy.0 0.0.0.255
      !
      !
      !
      !
      ip policy-class Private
        allow list self self
        nat source list VPN-Out address xx.yy.28.57 overload policy Public
        nat source list VPN-Out2 address xx.yy.79.83 overload policy Public2
        nat source list natpool interface eth 0/1 overload policy Public
        nat source list natpool2 interface eth 0/2 overload policy Public2
      !
      ip policy-class PrivateSSLVPN
        nat source list SSLVPN-Out2 address xx.yy.79.84 overload policy Public2
        allow list self self
      !
      no ip policy-class Public rpf-check
      ip policy-class Public
        nat destination list VPN address 192.xx.yy.250
        allow list web-acl-1
        allow list web-acl-2
        allow list web-acl-4
        allow list web-acl-3 self
      !
      no ip policy-class Public2 rpf-check
      ip policy-class Public2
        nat destination list VPN2 address 192.xx.yy.250
        nat destination list SSLVPN address 10.xxx.yy.1
        allow list web-acl-1
        allow list web-acl-2
        allow list web-acl-4
        allow list web-acl-3 self
      !
      !
      !
      ip route 0.0.0.0 0.0.0.0 xx.yy.28.62 track wan1
      ip route 0.0.0.0 0.0.0.0 xxx.yyy.186.169 track wan2
      !
      no tftp server
      no tftp server overwrite
      http server
      http secure-server
      no snmp agent
      no ip ftp server
      ip ftp server default-filesystem flash
      no ip scp server
      no ip sntp server
      !
      !
      !
      !
      !
      !
      !
      !
      !
      sip udp 5060
      sip tcp 5060
      !
      !

        • Re: One to one NAT for new VLAN not working
          jayh Hall_of_Fame

          It looks like you have a routing issue. You have only a default route out WAN 1 that fails over to MegaPath should that fail. Hence you will try to route out the other provider with a source of MegaPath's IP.

          You could add a static route to the SSLVPN endpoint with a gateway of MegaPath's next hop. You could also use a route-map for the remote endpoint.

          "show ip policy-session" may give a clue as to how it's routing.

          Also, the secondary IPs, which I assume are for the LAN block assigned by the ISPs, may be conflicting with the primary source of the point-to-point /30 to the provider. You might not be sourcing from where you think you are. Consider using a loopback for these, or a VLAN interface if you need access to these subnets by physical devices.

          BTW, it isn't necessary to mask RFC1918 addresses like 10/8, 172.16/12 and 192.168/16; it makes things a bit harder to follow.
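To make the asymmetric path described in this reply concrete, here is an added Python model (not code from the thread, from ADTRAN, or from either poster) of the two tracked default routes in the posted config, the reply path the SSLVPN device's traffic would take, and the two fixes suggested above (a host route via MegaPath's next hop, or a route-map keyed on the SSLVPN source). All addresses are constructed RFC 5737 stand-ins for the masked ones in the post.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed RFC 5737 stand-ins for the addresses the post masks.
WAN1_GW = ipaddress.ip_address("198.51.100.62")     # xx.yy.28.62, WAN-1 next hop
WAN2_GW = ipaddress.ip_address("203.0.113.169")     # xxx.yyy.186.169, MegaPath next hop
SSLVPN_INSIDE = ipaddress.ip_address("10.0.0.1")    # 10.xxx.yy.1, the Fortinet on VLAN 3
REMOTE_CLIENT = ipaddress.ip_address("192.0.2.10")  # a constructed Internet client

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    egress: str

@dataclass
class Router:
    routes: list
    policy_routes: list = field(default_factory=list)  # (source, next hop, egress)

    def lookup(self, src, dst):
        """Route-map entries win first; otherwise longest prefix, with the first
        configured route breaking ties (WAN-1 primary, MegaPath as failover)."""
        for psrc, nh, egress in self.policy_routes:
            if src == psrc:
                return nh, egress
        best = max((r for r in self.routes if dst in r.prefix),
                   key=lambda r: r.prefix.prefixlen, default=None)
        return (best.next_hop, best.egress) if best else (None, None)

def build_router(static_host=None, policy_source=None):
    """The two tracked default routes from the posted config, plus an optional fix."""
    r = Router([Route(ipaddress.ip_network("0.0.0.0/0"), WAN1_GW, "eth 0/1"),
                Route(ipaddress.ip_network("0.0.0.0/0"), WAN2_GW, "eth 0/2")])
    if static_host is not None:    # fix 1: host route to the remote endpoint via MegaPath
        r.routes.append(Route(ipaddress.ip_network(f"{static_host}/32"), WAN2_GW, "eth 0/2"))
    if policy_source is not None:  # fix 2: route-map keyed on the SSLVPN device's source
        r.policy_routes.append((policy_source, WAN2_GW, "eth 0/2"))
    return r

def is_symmetric(router, client, ingress="eth 0/2"):
    """True when the SSLVPN device's reply (already source-NATed back to the
    xx.yy.79.84 public address) leaves on the link the request arrived on."""
    _, egress = router.lookup(SSLVPN_INSIDE, client)
    return egress == ingress

if __name__ == "__main__":
    for label, r in [("as posted", build_router()), ("host route", build_router(static_host=REMOTE_CLIENT)),
                     ("route-map", build_router(policy_source=SSLVPN_INSIDE))]:
        print(f"{label:10s}: reply leaves via {r.lookup(SSLVPN_INSIDE, REMOTE_CLIENT)[1]}")
```

As posted, the reply to a client that came in on eth 0/2 is routed out eth 0/1 carrying MegaPath's address as its source; either fix makes the path symmetric.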