I have a 3120 and I cannot get the NAT to work the way I want. Here's my situation: I have connected the router within my internal network and am trying to set up NAT to segregate one Unix server. I set up the WAN port on x.x.2.140 and the LAN side on x.x.1.140. The Unix server is on x.x.1.1 and connected to the LAN side. I would like to telnet to this Unix server through the Adtran device, NATing it's IP to the IP of the Unix server. I have set up a rule to forward all telnet traffic to x.x.1.1 but I get no response when I try to telnet to x.x.2.140. It is not forwarding properly. I am almost positive I am simply doing something wrong, and do not think that the issue is with the router. What am I doing wrong? I included my config file if it helps.
Thanks,
Kurt
@svlkrs - Your configuration and port forward appears to be setup correctly. One thing that I needed clarified was that I noticed there is no default route in your configuration. Which network are you trying to telnet from? If you are attempting to telnet from a network outside of 128.1.1.0 /24 or 128.1.2.0 /24 then you will need a default route in the configuration so the response can be routed correctly.
If the default route is not the issue, there are a couple of things we should take a look at that may help us in figuring out what is happening here.
- First, you can issue the "show ip policy-session Public" as you attempt to telnet to the Unix server from the outside and see if you are seeing that traffic come in. This information can also be viewed in the web GUI by going into the "Security Zones" page and clicking on the 'Active Sessions' number next to the Public security zone. Feel free to respond to this post with the output and I'll be happy to take a look at it.
- If you are seeing that traffic coming in, then verify what the Unix server's default gateway is. I assume you can access the server locally, but we need to verify that the Unix server knows how to respond back through the same connection the telnet connection came in. My assumption would be that the Unix's default gateway needs to be set to 128.1.1.140, but if that is incorrect, please let me know.
- Finally, obtaining a packet capture from a port mirror would help in seeing the telnet transaction. You can follow the link to see how to set up a port mirror. I would suggest leaving this troubleshooting step as last, as answering questions above may help in getting your port forward working.
Let us know if you have any other questions.
Thanks,
Noor
@svlkrs - Your configuration and port forward appears to be setup correctly. One thing that I needed clarified was that I noticed there is no default route in your configuration. Which network are you trying to telnet from? If you are attempting to telnet from a network outside of 128.1.1.0 /24 or 128.1.2.0 /24 then you will need a default route in the configuration so the response can be routed correctly.
If the default route is not the issue, there are a couple of things we should take a look at that may help us in figuring out what is happening here.
- First, you can issue the "show ip policy-session Public" as you attempt to telnet to the Unix server from the outside and see if you are seeing that traffic come in. This information can also be viewed in the web GUI by going into the "Security Zones" page and clicking on the 'Active Sessions' number next to the Public security zone. Feel free to respond to this post with the output and I'll be happy to take a look at it.
- If you are seeing that traffic coming in, then verify what the Unix server's default gateway is. I assume you can access the server locally, but we need to verify that the Unix server knows how to respond back through the same connection the telnet connection came in. My assumption would be that the Unix's default gateway needs to be set to 128.1.1.140, but if that is incorrect, please let me know.
- Finally, obtaining a packet capture from a port mirror would help in seeing the telnet transaction. You can follow the link to see how to set up a port mirror. I would suggest leaving this troubleshooting step as last, as answering questions above may help in getting your port forward working.
Let us know if you have any other questions.
Thanks,
Noor
I checked the Active Sessions in the Private security zone and I do see that the inbound NAT appears to be working properly. the outbound security zone, though, does not show any active connections. Is this normal? I will continue to troubleshoot but I want to see if this leads me in the right direction.
@svlkrs - You should be seeing the session that correlates with your telnet attempt under the Active Sessions under the Public Security Zone. You will not see the reply under the Active Sessions for the Private Security Zone. This is because it is a stateful firewall session and once traffic for that session is allowed one way, the reply traffic will automatically be allowed through.The NetVanta will only show the session under the Security Zone that initiated the connection.
In your case, you should be seeing the telnet session open on the Public Security Zone, but will not see the reply on the Private Security Zone.
Let us know if you have any other questions.
Thanks,
Noor
@svlkrs - I marked this question as "assumed answered," but please do not hesitate to reply to this post with additional questions. I will be happy to help in any way I can.
Thanks,
Noor
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Levi