2 Replies Latest reply on Sep 13, 2018 11:08 AM by aiken8758

    WAN connection with No-NAT to pass through another WAN connection

    aiken8758 New Member

      I have a 3140 with a Cox Modem as the Internet Connection. Cox has given us a /27 range for public IPs but then stated we had to use a static /32 for the actual link to our 3140 and that the /27 would "pass through" that connection and out to the Internet.

      -G01=LAN-Private

      -G02=IP on /27 network (Public)

      -G03=COX connection (Public - single IP)

      Internet works fine, but I need the connection on G02 to be public as if it was on the Internet and NOT NATed ("pass through"). I cannot seem to get this to work. I can plug a laptop into the G02 interface with a public IP in the /27 range and surf the web, but I cannot ping the laptop, and the debug ip firewall shows it being blocked...

      fw=NV3140-DC pri=6 proto=8/icmp src=4.35.15.138 dst=70.164.46.99 msg="No Access Policy matched, dropping packet from Public policy-class on interface giga-eth 0/3" agent=AdFirewall

      FIREWALL Deleting Association

      This tells me the traffic is being NATed and not "passing through".

      Any suggestions would be helpful - Thanks!!

      At the end of the day we need the /27 on the G0/2 interface to act as if it were directly connected to the Internet - no firewall or NAT.

       

      Here is the config:

      ip firewall
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323
      !
      !
      no dot11ap access-point-control
      !
      !
      !
      !
      !
      interface gigabit-eth 0/1
        description LAN
        ip address  192.168.2.1  255.255.255.0
        ip access-policy Private
        no shutdown
      !
      !
      interface gigabit-eth 0/2
        description -SIPtoPRI-908e
        ip address  G/02.97  255.255.255.224
        ip access-policy nexVortex
        no shutdown
      !
      !
      interface gigabit-eth 0/3
        description Cox Modem
        ip address  G/03.73  255.255.255.224
        ip access-policy Public
        ip crypto map VPN
        no shutdown
      !
      !
      !
      !
      !
      !
      !
      ip access-list standard ADMIN-LIST
        remark permit management-net inverse-mask
        permit 192.168.0.0 0.0.15.255
      !
      ip access-list standard ATL
        permit host 38.122.19.10
      !
      ip access-list standard wizard-ics
        remark Internet Connection Sharing
        permit any
      !
      !
      ip access-list extended InterNetworks
        remark Allow LAN w/o Firewall
        permit ip 192.168.0.0 0.0.15.255  192.168.0.0 0.0.15.255
        permit ip G/02.96 0.0.0.31  G/02.96 0.0.0.31
      !
      ip access-list extended nexVortex
        permit ip any  any
        permit icmp any  any  echo
        permit icmp any  any  echo-reply
      !
      ip access-list extended self
        remark Traffic to UNIT
        permit ip any  any     log
      !
      ip access-list extended MGMT
        permit tcp host MGMT.130  any eq https
        permit tcp host MGMT.130  any eq echo
        permit tcp host MGMT.130  any eq ssh
        permit tcp host MGMT.137  any eq https
        permit tcp host MGMT.137  any eq echo
        permit tcp host MGMT.137  any eq ssh
        permit icmp host Vortex.138  any  echo
        permit icmp host Vortex.138  any  echo-reply
      !
      !
      !
      !
      !
      ip policy-class nexVortex
        allow list nexVortex stateless
      !
      ip policy-class Private
        allow list InterNetworks stateless
        allow list self self
        nat source list wizard-ics interface gigabit-ethernet 0/3 overload
      !
      ip policy-class Public
        allow list VerticalAccess self
        allow list ATL self
      !
      !
      !
      ip route 0.0.0.0 0.0.0.0 G/03.65
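As an added example (not part of the original post and not an ADTRAN tool), here is a small Python parser for the `debug ip firewall` line format quoted above. It splits the key=value fields, pulls the ingress policy-class and interface out of the "No Access Policy matched" message, and groups drops by that pair, which is the quickest way to see which policy-class is the one that has no entry for the traffic. Only the first sample line is the one from the post; the other two are constructed variants using documentation addresses, and the `70.164.46.96/27` range is an assumption chosen only because the dropped packet in the post was addressed to 70.164.46.99 (the real range is redacted in the config).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the NetVanta "debug ip firewall" format quoted in the post.
# The first line is the one from the post; the other two are made-up variants (RFC 5737
# documentation addresses) so the example exercises more than one policy-class.
SAMPLE_LOG = """\
fw=NV3140-DC pri=6 proto=8/icmp src=4.35.15.138 dst=70.164.46.99 msg="No Access Policy matched, dropping packet from Public policy-class on interface giga-eth 0/3" agent=AdFirewall
fw=NV3140-DC pri=6 proto=6/tcp src=198.51.100.7 dst=70.164.46.99 msg="No Access Policy matched, dropping packet from Public policy-class on interface giga-eth 0/3" agent=AdFirewall
fw=NV3140-DC pri=6 proto=17/udp src=192.168.2.50 dst=203.0.113.9 msg="No Access Policy matched, dropping packet from Private policy-class on interface giga-eth 0/1" agent=AdFirewall
"""

# key=value tokens; the value is either a double-quoted string or a run of non-blank characters
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# the drop reason embeds the ingress policy-class and the interface the packet arrived on
_DROP_RE = re.compile(r"dropping packet from (\S+) policy-class on interface (.+)$")


def parse_firewall_line(line: str) -> dict:
    """Return the key=value fields of one firewall log line as a dict.

    For 'No Access Policy matched' drops the dict also gets 'policy_class' and
    'interface', taken from the free-text msg, so callers can group on them.
    """
    rec = {key: (quoted or bare) for key, quoted, bare in _KV_RE.findall(line)}
    match = _DROP_RE.search(rec.get("msg", ""))
    if match:
        rec["policy_class"], rec["interface"] = match.group(1), match.group(2)
    return rec


def _drop_records(log_text: str):
    """Yield parsed records for every non-blank line that is a policy-class drop."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_firewall_line(line)
        if "policy_class" in rec:
            yield rec


def summarize_drops(log_text: str) -> Counter:
    """Count 'No Access Policy matched' drops by (policy_class, interface)."""
    return Counter((rec["policy_class"], rec["interface"]) for rec in _drop_records(log_text))


def drops_toward_subnet(log_text: str, subnet: str) -> list:
    """Return the parsed drops whose destination lies inside `subnet` (CIDR string).

    This separates drops that hit the public range meant to pass through
    un-NATed from unrelated noise on the same box.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    return [rec for rec in _drop_records(log_text)
            if ipaddress.ip_address(rec["dst"]) in net]


if __name__ == "__main__":
    # ASSUMPTION: 70.164.46.96/27 is a placeholder for the redacted /27; it is used here
    # only because the dropped packet in the post was addressed to 70.164.46.99.
    for (policy_class, ifc), count in summarize_drops(SAMPLE_LOG).items():
        print(f"{count} drop(s) entering via policy-class {policy_class} on {ifc}")
    for rec in drops_toward_subnet(SAMPLE_LOG, "70.164.46.96/27"):
        print(f"  {rec['proto']} {rec['src']} -> {rec['dst']} dropped by policy-class {rec['policy_class']}")
```

The message names the policy-class of the interface the packet entered on (here Public on giga-eth 0/3) as the one with no matching entry, so grouping by that pair points straight at the policy-class whose allow list needs an entry for traffic headed to the policy-class that G0/2 sits in.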

        • Re: WAN connection with No-NAT to pass through another WAN connection
          vmaxdawg05 Past_Featured_Member

          I've noticed that you do not specify the policy-class that the traffic is destined for (NexVortex, Self, etc.) in the Public policy-class.


          Since your actual link to the Internet is in the Public policy-class, you may need to account for that.

          I may be wrong, but I'm assuming you have SIP equipment connecting to Gig 0/2 that is registering to NexVortex, right?

          Try this:

          ip policy-class nexVortex
            allow list nexVortex policy Public stateless
          !
          ip policy-class Private
            allow list InterNetworks stateless
            allow list self self
            nat source list wizard-ics interface gigabit-ethernet 0/3 overload
          !
          ip policy-class Public
            allow list VerticalAccess self
            allow list ATL self
            allow list <acl for inbound traffic to SIP equipment> policy nexVortex stateless
          !