3 Replies Latest reply on May 2, 2017 11:59 AM by jayh

    Simple NAT One to One

    centertech2017 New Member

      Hello,

      I am trying to set up a simple one to one NAT and am stuck, hopefully on something simple.  Router is a NetVanta 3140.  We have a block of static IPs (xxx.xxx.62.137-xxx.xxx.62.142) from the ISP.  I am trying to get inbound traffic to an Exchange server on a secondary IP (xxx.xxx.62.138).  I have tried both a 1:1 NAT & a NAT Pool.  When connected to the ISP, nothing will flow in or out of the secondary IP.  Traffic to and from the primary IP is fine, including the ability to port forward.

      I tested offline by widening the public subnet and placing a PC configured as xxx.xxx.62.180 connected directly to the WAN interface.  I can reach the NAT'd host behind the router fine.  Is this a valid test method?

      The configuration is below.

      Thanks!


      CTR-RTR-002#show config
      Using 2811 bytes

      !
      !
      ! ADTRAN, Inc. OS version R12.3.1.E
      ! Boot ROM version R11.5.0
      ! Platform: NetVanta 3140, part number 4700341F2
      ! Serial number CFG1528591
      !
      !
      hostname "CTR-RTR-002"
      enable password password
      !
      !
      clock timezone -5-Eastern-Time
      !
      ip subnet-zero
      ip classless
      ip default-gateway xxx.xxx.62.142
      ip routing
      ipv6 unicast-routing
      !
      !
      name-server 75.75.75.75 8.8.8.8
      !
      !
      no auto-config
      !
      event-history on
      event-history priority warning
      no logging forwarding
      no logging email
      !
      no service password-encryption
      !
      username "admin" password "password"
      !
      !
      ip firewall
      ip firewall stealth
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323
      !
      !
      !
      !
      no dot11ap access-point-control
      !
      !
      !
      !
      ip crypto ffe
      !
      !
      !
      !
      interface gigabit-eth 0/1
        description Center Data
        ip address  192.168.81.1  255.255.255.0
        ip access-policy Private
        no rtp quality-monitoring
        no awcp
        no shutdown
      !
      !
      interface gigabit-eth 0/2
        no ip address
        shutdown
      !
      !
      interface gigabit-eth 0/3
        description Center WAN
        ip address  xxx.xxx.62.137  255.255.255.248
        ip mtu 1500
        ip address range  xxx.xxx.62.138  xxx.xxx.62.139  255.255.255.248  secondary
        ip access-policy Public
        no rtp quality-monitoring
        no awcp
        no shutdown
      !
      !
      !
      !
      !
      ip access-list standard wizard-ics
        remark Internet Connection Sharing
        permit any
      !
      !
      ip access-list extended self
        remark Traffic to NetVanta
        permit ip any  any     log
      !
      ip access-list extended web-acl-7
        permit icmp any  host xxx.xxx.62.138     log
        permit tcp any  host xxx.xxx.62.138 eq smtp   log
        permit tcp any  host xxx.xxx.62.138 eq www   log
        permit tcp any  host xxx.xxx.62.138 eq https   log
      !
      ip access-list extended web-acl-8
        remark Outbound Exchange
        permit ip host 192.168.81.30  any     log
      !
      !
      !
      !
      ip policy-class Private
        allow list self self
        nat source list web-acl-8 address xxx.xxx.62.138 overload
        nat source list wizard-ics interface gigabit-ethernet 0/3 overload
      !
      ip policy-class Public
        nat destination list web-acl-7 address 192.168.81.30
      !
      !
      !
      no tftp server
      no tftp server overwrite
      http server
      http session-timeout 7800
      http secure-server
      no snmp agent
      no ip ftp server
      no ip scp server
      no ip sntp server
      !
      !
      !
      !
      !
      sip udp 5060
      sip tcp 5060
      !
      !
      !
      voice feature-mode network
      voice forward-mode network
      !
      !
      !
      !
      !
      !
      line con 0
        login
      !
      line telnet 0 4
        login local-userlist
        password password
        no shutdown
      line ssh 0 4
        login local-userlist
        no shutdown
      !
      sntp server time.nist.gov
      !
      !
      !
      !
      end
      CTR-RTR-002#

        • Re: Simple NAT One to One
          jayh Hall_of_Fame

          We use a similar setup without issue. I see a couple of things that I would change.

          You have ip routing enabled, so instead of

          ip default-gateway xxx.xxx.62.142

          you should use

          ip route 0.0.0.0 0.0.0.0 xxx.xxx.62.142

          Also, you probably don't need:

          ip address range  xxx.xxx.62.138  xxx.xxx.62.139  255.255.255.248  secondary

          on interface gi 0/3 because those addresses exist as part of the subnet

          ip address  xxx.xxx.62.137  255.255.255.248

          If those changes don't fix it, attempt to connect to your mail server from outside and type "show ip policy-session" from the console to see what is going on.

          • Re: Simple NAT One to One
            centertech2017 New Member

            Hello jayh, Thank you for the quick response on Friday.  Unfortunately, I can only do some of this work off hours, so I came on site last evening and tried your fixes, no luck.

            Testing with show ip policy-session results:

            First test: I telnetted from my office to xxx.138 port 25.  There were no entries displayed from the public side.

            Second test: I added a port forward on the xxx.137 IP just so that I could see some inbound traffic, started an outbound ping on the 81.30 Exchange server to my office and telnetted to port 25 and port 80 at the same time from my office.  I could see the traffic from my office to the xxx.137, but no other public side traffic.  I could see the 81.30 icmp on the private side trying to go out xxx.138 correctly.  I can post those results if it would help.

            We are on Comcast business for our ISP.  I did some additional digging this morning on the Comcast modem. Their modem/router is an SMCD3G-CCR, which is really a router.  I suspect we are having issues with that unit and its interaction with the Adtran device.  Our current router is a simple CISCO RV042 and it "interacts" fine.  Mr. Yahoo & Mr. Google indicate to get that device in bridge mode.  Other than disabling LAN DHCP in that device, everything else appears in order, no firewall, etc.  I spoke with Comcast tech this morning and he was reluctant to put that device in true bridge mode because in his experience, it doesn't work.  We removed LAN DHCP and I will try at noon EST.

            I will update later today.  Thanks, Joel

              • Re: Simple NAT One to One
                jayh Hall_of_Fame

                Multiple IP addresses on a cable modem connection can be funky, especially if they all terminate on the same device with a single MAC address. You'll probably need to call Comcast and escalate a couple of levels above the "Have you rebooted your router?" group to reach someone with both the clue and the permission to do whatever magic is needed on their end to make it work. Bring a chair and some refreshments. "Your call is important to us...."


                You definitely do NOT want them doing any kind of NAT within the cable modem. Their handoff to you should be a public IP subnet.