1 Reply Latest reply on Apr 5, 2017 11:57 PM by jayh

    static nat issue.

    rsheph78 New Member

      I have a NAT overload statement to route all IP phones out to a public registration server. At times I need to create a static mapping for an analog device from public to private to update, modify, or adjust the configuration on a specific device. I have checked the "how to's" and they are not helping with getting this mapping working. I was able to map the device and reach it through a browser on port 80, but I lose all access (SSH) to the 3140 device and it needs to be rebooted to bring it back. Here is my current configuration with some IPs "x"'d out. What I need to do is map private IP 10.30.30.52 to public IP xx.xx.xx.58 port 80 so I can access this device, all without affecting router access or any other voice traffic.

      interface gigabit-eth 0/1
        description WAN
        ip address  xx.xx.xx.58  255.255.255.252
        traffic-shape rate 1500000
        qos-policy out outboundsip
        no shutdown
      !
      interface gigabit-eth 0/3
        encapsulation 802.1q
        no shutdown
      !
      interface gigabit-eth 0/3.300
        description VOICE
        vlan-id 300
        ip address  10.30.30.254  255.255.255.0
        ip access-policy PHONES
        no shutdown
      !
      ip access-list standard CUST_PHONE
        permit 10.30.30.0 0.0.0.255
      !
      ip policy-class PHONES
        nat source list CUST_PHONE interface gigabit-ethernet 0/1 overload

        • Re: static nat issue.
          jayh Hall_of_Fame

          The problem is that when you're using the public interface IP and port for the static mapping, you can no longer use it for access to the 3140 itself.

          Your options are:

          • Route a second public IP to a loopback address and statically destination NAT to the loopback for configuring your devices.
          • Use port-translations so that a different public port maps to the inside device than is used for accessing the 3140.

          For example:

          ip access-list extended device-access
            remark inside device access
            permit tcp any host xx.xx.xx.58 eq 8080

          interface gigabit-eth 0/1
            description WAN
            ip address  xx.xx.xx.58  255.255.255.252
            ip access-policy Public
          ...

          ip policy-class Public
            nat destination list device-access address 10.30.30.10 port 80
          ...


          Now pointing a browser to the public IP xx.xx.xx.58 on port 80 gets to the Adtran 3140 but pointing a browser to xx.xx.xx.58:8080 takes you to port 80 of the inside device. Obviously you can build multiple access-list and nat destination pairs for different services and inside IPs.

          The Adtran firewall web GUI actually does a fairly decent job of this, but you wind up with wacky names for the access-lists, which makes for fun reading when trying to decipher the config later.
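To make the mechanism in the answer above concrete, here is a small model of first-match destination NAT, added as an example and not taken from the thread or from Adtran. It assumes (constructed) that an ACL entry matches on protocol, destination host and destination port, that the first matching `nat destination` rule rewrites the destination, and that a non-matching packet to the public IP terminates on the router; `xx.xx.xx.58` is kept as the placeholder used in the thread and 10.30.30.10 is the inside device from jayh's example.

```python
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "xx.xx.xx.58"   # placeholder taken from the thread, not a real address
ROUTER = "router"           # the 3140 itself (web GUI on 80, SSH on 22)

@dataclass(frozen=True)
class AclEntry:
    """One 'permit' line of an extended ACL (constructed model)."""
    proto: str
    dst_host: str
    dst_port: Optional[int]   # None models a line with no 'eq <port>' qualifier

@dataclass(frozen=True)
class DnatRule:
    """'nat destination list <acl> address <ip> [port <p>]' (constructed model)."""
    acl: AclEntry
    address: str
    port: Optional[int]       # None keeps the original destination port

def translate(rules, proto, dst_ip, dst_port):
    """Return (ip, port) a packet is delivered to after destination NAT."""
    for rule in rules:
        e = rule.acl
        if e.proto == proto and e.dst_host == dst_ip and e.dst_port in (None, dst_port):
            return rule.address, (rule.port if rule.port is not None else dst_port)
    return ROUTER, dst_port   # no match: the packet is for the router itself

# Mapping the public IP *and the same port* (public:80 -> inside:80).
SAME_PORT = [DnatRule(AclEntry("tcp", PUBLIC_IP, 80), "10.30.30.10", 80)]

# Mapping without any port qualifier: every TCP port is forwarded inside.
ANY_PORT = [DnatRule(AclEntry("tcp", PUBLIC_IP, None), "10.30.30.10", None)]

# jayh's port translation: only public:8080 is forwarded, to inside port 80.
PORT_TRANSLATED = [DnatRule(AclEntry("tcp", PUBLIC_IP, 8080), "10.30.30.10", 80)]

def reachability(rules):
    """Where SSH (22), HTTP (80) and the alternate port (8080) end up."""
    return {p: translate(rules, "tcp", PUBLIC_IP, p) for p in (22, 80, 8080)}

if __name__ == "__main__":
    for name, rules in (("same port", SAME_PORT), ("any port", ANY_PORT),
                        ("port translation", PORT_TRANSLATED)):
        print(f"{name:17}", reachability(rules))
```

Only the port-translated rule set leaves both 22 and 80 on the router while still exposing exactly one inside service, which is also the least-exposure option.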