6 Replies Latest reply on Apr 7, 2019 9:50 PM by jayh

    1:1 NAT Help.

    g-man New Member

      I am trying to configure a 1:1 NAT allowing only a group of IPs to access the server via https. I used the Example 9 - Static 1:1 NAT from IPv4 Firewall Protection in AOS and it's just not making it to the server. When the secondary IP had a subnet of 255.255.255.255, requests were going to the Adtran Web Interface. I updated the subnet to 255.255.255.248 and now I do not get anything. What am I missing?

      Config

      !
      clock timezone -8
      !
      ip subnet-zero
      ip classless
      ip routing
      ipv6 unicast-routing
      !
      !
      name-server 8.8.8.8
      !
      !
      auto-config
      !
      event-history on
      no logging forwarding
      no logging email
      !
      service password-encryption
      !
      username "" password ""
      username "" password ""
      !
      !
      ip firewall
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323
      !
      no dot11ap access-point-control
      !
      !
      interface eth 0/1
        description WAN
        ip address  76.10.76.10  255.255.255.248
        ip address  76.10.76.11  255.255.255.255  secondary
        ip access-policy Public
        media-gateway ip primary
        no shutdown
      !
      !
      interface eth 0/2
        description  (LAN)
        ip address  192.168.33.1  255.255.255.0
        ip access-policy Private
        media-gateway ip primary
        no awcp
        no shutdown
      !
      !
      !
      interface gigabit-eth 0/1
        no ip address
        shutdown
      !
      !
      !
      !
      interface t1 0/1
        shutdown
      !
      interface t1 0/2
        shutdown
      !
      interface t1 0/3
        lbo short 15
        tdm-group 1 timeslots 1-24 speed 64
        no shutdown
      !
      interface t1 0/4
        shutdown
      !
      !
      interface pri 1
        isdn name-delivery proceeding
        connect t1 0/3 tdm-group 1
        digits-transferred 4
        no shutdown
      !
      !
      interface fxs 0/1
        impedance 600r
        no shutdown
      !
      interface fxs 0/2
        no shutdown
      !
      interface fxs 0/3
        no shutdown
      !
      interface fxs 0/4
        no shutdown
      !
      interface fxs 0/5
        no shutdown
      !
      interface fxs 0/6
        no shutdown
      !
      interface fxs 0/7
        no shutdown
      !
      interface fxs 0/8
        no shutdown
      !
      interface fxs 0/9
        no shutdown
      !
      interface fxs 0/10
        no shutdown
      !
      interface fxs 0/11
        no shutdown
      !
      interface fxs 0/12
        no shutdown
      !
      interface fxs 0/13
        no shutdown
      !
      interface fxs 0/14
        no shutdown
      !
      interface fxs 0/15
        no shutdown
      !
      interface fxs 0/16
        no shutdown
      !
      interface fxs 0/17
        no shutdown
      !
      interface fxs 0/18
        no shutdown
      !
      interface fxs 0/19
        no shutdown
      !
      interface fxs 0/20
        no shutdown
      !
      interface fxs 0/21
        no shutdown
      !
      interface fxs 0/22
        no shutdown
      !
      interface fxs 0/23
        no shutdown
      !
      interface fxs 0/24
        no shutdown
      !
      !
      isdn-group 1
        connect pri 1
      !
      !
      ip access-list standard allow-all
        remark allow all traffic
        permit any
      !
      ip access-list standard mgmt-allow-list
        permit host 70.11.11.99
      !
      ip access-list standard sip-allow-list
        permit hostname X.X.COM
      !
      !
      ip access-list extended WEB-ACL-3
        permit tcp any  any eq https
        permit tcp any  any eq ssh
      !
      ip access-list extended WEB-ACL-4
        remark 1:1 NAT 76.10.76.11 > 192.168.33.11
        permit ip any  host 76.10.76.11
      !
      ip access-list extended WEB-ACL-5
        remark 1:1 NAT 192.168.33.11 > 76.10.76.11
        permit ip host 192.168.33.11 any
      !
      !
      !
      !
      ip policy-class Private
        nat source list allow-all interface eth 0/1 overload policy Public
        allow list allow-all self
        nat source list WEB-ACL-5 address 76.10.76.11 overload
      !
      ip policy-class Public
        allow list allow-all self
        nat destination list WEB-ACL-4 address 192.168.33.11
        allow list WEB-ACL-3 self
      !
      !
      !
      ip route 0.0.0.0 0.0.0.0 76.10.76.9
      !
      no tftp server
      no tftp server overwrite
      http server
      http secure-server
      no snmp agent
      no ip ftp server
      no ip scp server
      no ip sntp server
      !
      !
      !
      sip
      sip udp 5060
      no sip tcp
      !
      !
      !
      voice feature-mode network
      voice forward-mode network
      !
      !
      voice dial-plan 2 long-distance 1-NXX-NXX-XXXX
      !
      voice codec-list VOICE
        default
        codec g711ulaw
      !
      voice codec-list FAX
        codec g711ulaw
      !
      voice trunk T01 type sip
        description "SIP"
        match dnis "91-NXX-NXX-XXXX" substitute "1-NXX-NXX-XXXX"
        match dnis "9NXX-XXXX" substitute "1-310-NXX-XXXX"
        match dnis "NXX-NXX-XXXX" substitute "1-NXX-NXX-XXXX"
        match dnis "NXX-XXXX" substitute "1-310-NXX-XXXX"
        sip-server primary 188.255.88.10
        registrar primary 188.255.88.10
        register 15555555555 auth-name "" password ""
        codec-list VOICE both
        authentication username "" password ""
      !
      voice trunk T02 type isdn
        description "DSX-1"
        resource-selection linear ascending
        connect isdn-group 1
        no early-cut-through
        match dnis "1NXXNXXXXXX" substitute "1NXXNXXXXXX"
        match dnis "1NXXNXXXXXX" substitute "1NXXNXXXXXX"
        rtp delay-mode adaptive
        codec-list VOICE
      !
      !
      voice grouped-trunk SIP
        trunk T01
        accept $ cost 0
      !
      !
      voice grouped-trunk ISDN
        trunk T02
        accept 1NXXNXXXXXX cost 0
      !
      !
      voice user 1000
        password ""
        description "fax 001"
        modem-passthrough
        codec-list VOICE
      !
      !
      voice user 1001
        connect fxs 0/1
        password ""
        description "LD fax COM2"
        modem-passthrough
        codec-list VOICE
      !
      !
      voice user 1002
        connect fxs 0/2
        password ""
        description "LD Fax COM5"
        caller-id-override external-number 1NXXNXXXXXX
        modem-passthrough
        codec-list VOICE
      !
      !
      voice user 1003
        connect fxs 0/3
        password ""
        caller-id-override external-number 1NXXNXXXXXX
        modem-passthrough
        codec-list VOICE
      !
      !
      voice user 1004
        connect fxs 0/4
        password ""
        caller-id-override external-number 1NXXNXXXXXX
        did "1NXXNXXXXXX"
        did "1NXXNXXXXXX"
        modem-passthrough
        codec-list VOICE
      !
      !
      voice user 1005
        connect fxs 0/5
        password ""
        modem-passthrough
        codec-list VOICE
      !
      !
      voice user 1006
        connect fxs 0/6
        password ""
        modem-passthrough
        codec-list VOICE
      !
      !
      voice user 1007
        password ""
        modem-passthrough
        codec-list VOICE
      !
      !
      voice user 1008
        password ""
        modem-passthrough
        codec-list VOICE
      !
      !
      voice user 1009
        password ""
        modem-passthrough
        codec-list VOICE
      !
      !
      voice user 101
        password ""
        codec-list VOICE
      !
      !
      voice user 1010
        password ""
        modem-passthrough
        codec-list VOICE
      !
      sip access-class ip "sip-allow-list" in
      !
      !
      line con 0
        no login
      !
      line telnet 0 4
        login local-userlist
        password password
        shutdown
        ip access-class mgmt-allow-list in
      line ssh 0 4
        login local-userlist
        no shutdown
        ip access-class mgmt-allow-list in
      !
      end

        • Re: 1:1 NAT Help.
          mick Visitor

          Hi g-man,

          I can see two things which need changing, but there may be more.

          You have not set a default gateway:

          !
          ip subnet-zero
          ip classless
          ip default-gateway 76.10.76.10
          ip routing
          ipv6 unicast-routing
          !

          Also, the secondary IP's subnet is incorrect:

          !
          interface eth 0/1
            description WAN
            ip address  76.10.76.10  255.255.255.248
            ip address  76.10.76.11  255.255.255.248  secondary
            ip access-policy Public
            media-gateway ip primary
            no shutdown
          !

          Hope this helps,

          --
          Regards,
          Mick

            • Re: 1:1 NAT Help.
              g-man New Member

              Hey Mick,

              Thank you for the feedback. I updated the default gateway, ip default-gateway 76.10.76.10, and changed the subnet to ip address  76.10.76.11  255.255.255.255. When I attempt to connect via my web browser to https://76.10.76.11 I get redirected to the AOS web interface, not the server on the Private interface. From the logs it looks like it is not passing the session to the Private IP.

              debug ip firewall

              2019.04.06 04:58:19 FIREWALL   Assoc Index = 83232, Count (total, policy-class) = 13, 8
              2019.04.06 04:58:19 FIREWALL   allow, flags = 0x0000003D, 0x00000014, timeout = 4
              2019.04.06 04:58:19 FIREWALL   Selector1: Dir=Public, int=eth 0/1, Protocol=6  cookie-> Loopback
              2019.04.06 04:58:19 FIREWALL     SrcIp: 105.15.175.111, DstIp: 76.10.76.11
              2019.04.06 04:58:19 FIREWALL     SrcPort: 57240, DstPort: 443
              2019.04.06 04:58:19 FIREWALL   Selector2: Dir=SELF, int=Loopback, Protocol=6  cookie-> eth 0/1
              2019.04.06 04:58:19 FIREWALL     SrcIp: 76.10.76.11, DstIp: 105.15.175.111
              2019.04.06 04:58:19 FIREWALL     SrcPort: 443, DstPort: 57240
              2019.04.06 04:58:19 FIREWALL Deleting Association
              2019.04.06 04:58:19 FIREWALL   Assoc Index = 83231, Count (total, policy-class) = 13, 8
              2019.04.06 04:58:19 FIREWALL   allow, flags = 0x0000003D, 0x00000014, timeout = 4
              2019.04.06 04:58:19 FIREWALL   Selector1: Dir=Public, int=eth 0/1, Protocol=6  cookie-> Loopback
              2019.04.06 04:58:19 FIREWALL     SrcIp: 105.15.175.111, DstIp: 76.10.76.11
              2019.04.06 04:58:19 FIREWALL     SrcPort: 57239, DstPort: 443
              2019.04.06 04:58:19 FIREWALL   Selector2: Dir=SELF, int=Loopback, Protocol=6  cookie-> eth 0/1
              2019.04.06 04:58:19 FIREWALL     SrcIp: 76.10.76.11, DstIp: 105.15.175.111
              2019.04.06 04:58:19 FIREWALL     SrcPort: 443, DstPort: 57239
              2019.04.06 04:58:19 FIREWALL id=firewall time="2019-04-06 04:58:19" fw=VVV pri=6 rule=3  proto=https src=105.15.175.111 dst=76.10.76.11 msg="Connection closed.Bytes transferred : 1353 Src 57239 Dst 443 from Public policy-class on interface eth 0/1" agent=AdFirewall
              2019.04.06 04:58:19 FIREWALL Deleting Association
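The debug output quoted in that post can be read mechanically, which is useful when there are hundreds of associations rather than two. The Python below is an added example and is not part of the original post or of AOS: it parses the association records from `debug ip firewall` lines (the sample is copied from the post above) and flags HTTPS sessions whose reverse selector is Dir=SELF, i.e. sessions the router answered from its own stack instead of handing to a NAT target. The record layout it assumes is only what those lines show; any other AOS output format is outside what it handles.

```python
import re
from typing import Dict, List

# Sample input: the two associations from the post's "debug ip firewall" output.
SAMPLE_LOG = """\
2019.04.06 04:58:19 FIREWALL   Assoc Index = 83232, Count (total, policy-class) = 13, 8
2019.04.06 04:58:19 FIREWALL   allow, flags = 0x0000003D, 0x00000014, timeout = 4
2019.04.06 04:58:19 FIREWALL   Selector1: Dir=Public, int=eth 0/1, Protocol=6  cookie-> Loopback
2019.04.06 04:58:19 FIREWALL     SrcIp: 105.15.175.111, DstIp: 76.10.76.11
2019.04.06 04:58:19 FIREWALL     SrcPort: 57240, DstPort: 443
2019.04.06 04:58:19 FIREWALL   Selector2: Dir=SELF, int=Loopback, Protocol=6  cookie-> eth 0/1
2019.04.06 04:58:19 FIREWALL     SrcIp: 76.10.76.11, DstIp: 105.15.175.111
2019.04.06 04:58:19 FIREWALL     SrcPort: 443, DstPort: 57240
2019.04.06 04:58:19 FIREWALL Deleting Association
2019.04.06 04:58:19 FIREWALL   Assoc Index = 83231, Count (total, policy-class) = 13, 8
2019.04.06 04:58:19 FIREWALL   allow, flags = 0x0000003D, 0x00000014, timeout = 4
2019.04.06 04:58:19 FIREWALL   Selector1: Dir=Public, int=eth 0/1, Protocol=6  cookie-> Loopback
2019.04.06 04:58:19 FIREWALL     SrcIp: 105.15.175.111, DstIp: 76.10.76.11
2019.04.06 04:58:19 FIREWALL     SrcPort: 57239, DstPort: 443
2019.04.06 04:58:19 FIREWALL   Selector2: Dir=SELF, int=Loopback, Protocol=6  cookie-> eth 0/1
2019.04.06 04:58:19 FIREWALL     SrcIp: 76.10.76.11, DstIp: 105.15.175.111
2019.04.06 04:58:19 FIREWALL     SrcPort: 443, DstPort: 57239
2019.04.06 04:58:19 FIREWALL id=firewall time="2019-04-06 04:58:19" fw=VVV pri=6 rule=3  proto=https src=105.15.175.111 dst=76.10.76.11 msg="Connection closed.Bytes transferred : 1353 Src 57239 Dst 443 from Public policy-class on interface eth 0/1" agent=AdFirewall
2019.04.06 04:58:19 FIREWALL Deleting Association
"""

# Patterns for the record layout seen in the post (assumed; nothing more general).
PREFIX = re.compile(r"^\S+ \S+ FIREWALL\s+(.*)$")
ASSOC = re.compile(r"^Assoc Index = (\d+)")
ACTION = re.compile(r"^(\w+), flags = ")
SELECTOR = re.compile(r"^Selector(\d): Dir=([^,]+), int=(.+?), Protocol=(\d+)(?:\s+cookie-> (.*))?")
IPS = re.compile(r"^SrcIp: (\S+), DstIp: (\S+)")
PORTS = re.compile(r"^SrcPort: (\d+), DstPort: (\d+)")


def parse_associations(text: str) -> List[Dict]:
    """Group the debug lines into association records, each with its selectors."""
    assocs: List[Dict] = []
    cur = None   # record being filled
    sel = None   # selector being filled inside that record
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        a = ASSOC.match(body)
        if a:
            cur = {"index": int(a.group(1)), "action": None, "selectors": {}}
            assocs.append(cur)
            sel = None
            continue
        if cur is None:
            continue
        s = SELECTOR.match(body)
        if s:
            sel = {"dir": s.group(2), "int": s.group(3), "proto": int(s.group(4)),
                   "cookie": s.group(5)}
            cur["selectors"][int(s.group(1))] = sel
            continue
        act = ACTION.match(body)
        if act and cur["action"] is None:
            cur["action"] = act.group(1)
            continue
        if sel is not None:
            i = IPS.match(body)
            if i:
                sel["src"], sel["dst"] = i.group(1), i.group(2)
                continue
            p = PORTS.match(body)
            if p:
                sel["sport"], sel["dport"] = int(p.group(1)), int(p.group(2))
    return assocs


def terminated_at_device(assocs: List[Dict], dport: int = 443) -> List[Dict]:
    """Associations whose inbound selector targets dport and whose reply selector is
    Dir=SELF: the device answered the session itself rather than forwarding it."""
    hits = []
    for a in assocs:
        s1, s2 = a["selectors"].get(1), a["selectors"].get(2)
        if s1 and s2 and s1.get("dport") == dport and s2["dir"].upper() == "SELF":
            hits.append(a)
    return hits


if __name__ == "__main__":
    records = parse_associations(SAMPLE_LOG)
    for a in terminated_at_device(records):
        s1 = a["selectors"][1]
        print(f"assoc {a['index']}: {s1['src']}:{s1['sport']} -> {s1['dst']}:{s1['dport']} "
              f"answered by SELF on {a['selectors'][2]['int']} (not NATed)")
```

Both sample associations are reported as answered by SELF, which is the same conclusion the poster drew by eye: the HTTPS request to 76.10.76.11 never reached the NAT target.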

            • Re: 1:1 NAT Help.
              jayh Hall_of_Fame

              Your Public zone is configured as follows:

              !
              ip policy-class Public
                allow list allow-all self
                nat destination list WEB-ACL-4 address 192.168.33.11
                allow list WEB-ACL-3 self
              !

              and you have:

              http secure-server

              Policy-class rules are processed in order. Because allow list allow-all self is before nat destination list WEB-ACL-4 address 192.168.33.11 in the Public policy class, https requests will first go to the AOS web interface.

              You can change the Public policy-class as follows:

              !
              ip policy-class Public
                nat destination list WEB-ACL-4 address 192.168.33.11
                allow list allow-all self
                allow list WEB-ACL-3 self
              !

              This will cause the NAT to your internal server first. Change the NAT destination list to only match https traffic.

              !
              ip access-list extended WEB-ACL-4
                remark 1:1 NAT 76.10.76.11 > 192.168.33.11 for HTTPS webserver
                no permit ip any host 76.10.76.11
                permit tcp any host 76.10.76.11 eq 443
              !

              Alternatively, you can change the port on which the internal Adtran web server is listening.

              http secure-server 8443

              for example.

              For security, you may also want to limit the IPs that can access the AOS web interface. The following will use the same ACL you use for SSH. Don't lock yourself out. You might want to add your LAN subnet of 192.168.33.0 0.0.0.255 to mgmt-allow-list.

              !
              http ip access-class mgmt-allow-list in
              http ip secure-access-class mgmt-allow-list in
              !

              Contrary to the previous reply, DO NOT configure a default gateway. This would only be used if you didn't have ip routing enabled with a static default route. It won't break anything now, but it isn't good practice should something go wonky with your static default route. This command is primarily for use on layer 2 switches and not routers. If you ever do use ip default-gateway, don't point it to your own interface but to that of the next-hop upstream router.

                • Re: 1:1 NAT Help.
                  mick Visitor

                  It seems I had misunderstood the default gateway setting - thank you jayh for correcting my post above.

                  --

                  Regards,

                  Mick

                  • Re: 1:1 NAT Help.
                    g-man New Member

                    Jayh,

                    Thanks, that did it. One final question, if I wanted to only allow certain IP addresses to be able to access the server via https and ssh would I just need to update ACL3?

                    ip access-list extended WEB-ACL-3
                      permit tcp host 55.20.76.76  any eq https
                      permit tcp host 79.15.22.13 any eq https
                      permit tcp host 55.20.76.76  any eq ssh
                      permit tcp host 79.15.22.13 any eq ssh

                      • Re: 1:1 NAT Help.
                        jayh Hall_of_Fame

                        Your WEB-ACL-4 is what controls access to the server on 192.168.33.11. If you wanted to control access to that server, you would modify WEB-ACL-4 for that. Obviously remove the permit tcp any, and you would specify the IP that NATs to the webserver as the destination. So:

                        ip access-list extended WEB-ACL-4
                          permit tcp host 55.20.76.76  host 76.10.76.11 eq https
                          permit tcp host 79.15.22.13 host 76.10.76.11 eq https
                          permit tcp host 55.20.76.76  host 76.10.76.11 eq ssh
                          permit tcp host 79.15.22.13 host 76.10.76.11 eq ssh

                        WEB-ACL-3 actually does nothing. You reference it in the Public policy-class but it's after "allow list allow-all self" so it will never be seen.

                        If you want to limit access to management of the device itself, use your existing standard ACL "ip access-list standard mgmt-allow-list" and put the allowed hosts and subnets there. Usually you'll also want to include your 192.168.33.0 0.0.0.255 in that ACL for local access, but that depends on your preference and security policy. Reference this ACL in your "line ssh", "http server" and "http secure-server" configuration, also SNMP if enabled. This is far easier to manage than including it in the Public policy-class as there is other traffic to the device such as SIP and RTP to the phones so you generally want to allow any to self and then lock down the services as needed. You can also create a SIP access list to control sip-vicious, etc. by limiting SIP to your SIP provider.
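The two points jayh makes in this thread, that policy-class entries are matched top to bottom so an early "allow list allow-all self" shadows everything below it, and that a source-restricted WEB-ACL-4 controls who reaches the NATed server but not who reaches the device's own web UI, can be checked with a small first-match model. The Python below is an added example, not AOS code and not part of any post here: it is a simplified simulation of a single policy-class (first matching entry wins, implicit discard at the end, every packet assumed to be addressed to one of the router's own addresses so that "self" entries are eligible). The ACL and policy names and the entries are taken from the thread; the fall-through action name "implicit-discard" and the sample packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One permit entry of an extended ACL (every entry in this example is a permit)."""
    proto: str                   # "ip" matches any transport protocol
    src: str                     # "any", a host address, or a CIDR block
    dst: str
    dport: Optional[int] = None  # None means any destination port


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching permit wins; no match means the ACL's implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_matches(e.src, pkt.src) and _addr_matches(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return True
    return False


# A policy-class entry: (action, acl name, target). Entries are tried top to bottom.
Entry = Tuple[str, str, str]


def evaluate(policy: List[Entry], acls: Dict[str, List[Ace]], pkt: Packet) -> Tuple[str, str]:
    """Return (action, target) of the first entry whose ACL permits the packet."""
    for action, acl_name, target in policy:
        if acl_permits(acls[acl_name], pkt):
            return action, target
    return "implicit-discard", ""   # assumed name for the end-of-policy fall-through


def shadowed_entries(policy: List[Entry], acls: Dict[str, List[Ace]]) -> List[str]:
    """ACL names referenced after an entry whose ACL permits 'ip any any'; those entries
    can never be reached, which is why WEB-ACL-3 'does nothing' in the thread."""
    out, seen_catch_all = [], False
    for _, acl_name, _ in policy:
        if seen_catch_all:
            out.append(acl_name)
        elif any(e.proto == "ip" and e.src == "any" and e.dst == "any" and e.dport is None
                 for e in acls[acl_name]):
            seen_catch_all = True
    return out


# ACLs as they appear in the thread (original, jayh's https-only fix, and the source-restricted version).
ACLS: Dict[str, List[Ace]] = {
    "allow-all": [Ace("ip", "any", "any")],
    "WEB-ACL-3": [Ace("tcp", "any", "any", 443), Ace("tcp", "any", "any", 22)],
    "WEB-ACL-4-orig": [Ace("ip", "any", "76.10.76.11")],
    "WEB-ACL-4-https": [Ace("tcp", "any", "76.10.76.11", 443)],
    "WEB-ACL-4-restricted": [
        Ace("tcp", "55.20.76.76", "76.10.76.11", 443),
        Ace("tcp", "79.15.22.13", "76.10.76.11", 443),
        Ace("tcp", "55.20.76.76", "76.10.76.11", 22),
        Ace("tcp", "79.15.22.13", "76.10.76.11", 22),
    ],
}

ORIGINAL_PUBLIC: List[Entry] = [
    ("allow", "allow-all", "self"),
    ("nat-destination", "WEB-ACL-4-orig", "192.168.33.11"),
    ("allow", "WEB-ACL-3", "self"),
]
FIXED_PUBLIC: List[Entry] = [
    ("nat-destination", "WEB-ACL-4-https", "192.168.33.11"),
    ("allow", "allow-all", "self"),
    ("allow", "WEB-ACL-3", "self"),
]
RESTRICTED_PUBLIC: List[Entry] = [
    ("nat-destination", "WEB-ACL-4-restricted", "192.168.33.11"),
    ("allow", "allow-all", "self"),
    ("allow", "WEB-ACL-3", "self"),
]

# Constructed sample packets (source from the debug log, allowed host from the last reply).
HTTPS_FROM_ANYONE = Packet("tcp", "105.15.175.111", "76.10.76.11", 443)
HTTPS_FROM_ALLOWED = Packet("tcp", "55.20.76.76", "76.10.76.11", 443)
SIP_TO_ROUTER = Packet("udp", "188.255.88.10", "76.10.76.10", 5060)

if __name__ == "__main__":
    for name, pol in [("original", ORIGINAL_PUBLIC), ("fixed", FIXED_PUBLIC), ("restricted", RESTRICTED_PUBLIC)]:
        print(name, evaluate(pol, ACLS, HTTPS_FROM_ANYONE), "shadowed:", shadowed_entries(pol, ACLS))
```

With the restricted ACL, a request from an unlisted source is not dropped; it falls through to "allow list allow-all self" and lands on the AOS web UI, exactly the situation jayh's http ip access-class / http ip secure-access-class lines exist to close. SIP to the router's primary address still reaches self in every variant, which is the reason jayh prefers a broad allow-to-self plus per-service access classes over per-host rules in the policy-class.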