I have a 3140 with a Cox Modem as the Internet Connection. Cox has given us a /27 range for public IPs but then stated we had to use a static /32 for the actual link to our 3140 and that the /27 would "pass through" that connection and out to the Internet.
-G01=LAN-Private
-G02=IP on /27 network (Public)
-G03=COX connection (Public - single IP)
Internet works fine but I need the connection on G02 to be public as if it was on the Internet and NOT NATed "pass through". I cannot seem to get this to work. I can plug a laptop into the G02 interface with a public IP in the /27 range and surf the web but cannot ping the laptop, and the debug ip firewall shows it being blocked...
fw=NV3140-DC pri=6 proto=8/icmp src=4.35.15.138 dst=70.164.46.99 msg="No Access Policy matched, dropping packet from Public policy-class on interface giga-eth 0/3" agent=AdFirewall
FIREWALL Deleting Association
This tells me the traffic is being NATed and not "passing through".
Any suggestions would be helpful - Thanks!!
At the end of the day we need the /27 on the G0/2 interface to act as if it were directly connected to the Internet - no firewall or NAT.
Here is the config:
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
no dot11ap access-point-control
!
!
!
!
!
interface gigabit-eth 0/1
description LAN
ip address 192.168.2.1 255.255.255.0
ip access-policy Private
no shutdown
!
!
interface gigabit-eth 0/2
description -SIPtoPRI-908e
ip address G/02.97 255.255.255.224
ip access-policy nexVortex
no shutdown
!
!
interface gigabit-eth 0/3
description Cox Modem
ip address G/03.73 255.255.255.224
ip access-policy Public
ip crypto map VPN
no shutdown
!
!
!
!
!
!
!
ip access-list standard ADMIN-LIST
remark permit management-net inverse-mask
permit 192.168.0.0 0.0.15.255
!
ip access-list standard ATL
permit host 38.122.19.10
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended InterNetworks
remark Allow LAN w/o Firewall
permit ip 192.168.0.0 0.0.15.255 192.168.0.0 0.0.15.255
permit ip G/02.96 0.0.0.31 G/02.96 0.0.0.31
!
ip access-list extended nexVortex
permit ip any any
permit icmp any any echo
permit icmp any any echo-reply
!
ip access-list extended self
remark Traffic to UNIT
permit ip any any log
!
ip access-list extended MGMT
permit tcp host MGMT.130 any eq https
permit tcp host MGMT.130 any eq echo
permit tcp host MGMT.130 any eq ssh
permit tcp host MGMT.137 any eq https
permit tcp host MGMT.137 any eq echo
permit tcp host MGMT.137 any eq ssh
permit icmp host Vortex.138 any echo
permit icmp host Vortex.138 any echo-reply
!
!
!
!
!
ip policy-class nexVortex
allow list nexVortex stateless
!
ip policy-class Private
allow list InterNetworks stateless
allow list self self
nat source list wizard-ics interface gigabit-ethernet 0/3 overload
!
ip policy-class Public
allow list VerticalAccess self
allow list ATL self
!
!
!
ip route 0.0.0.0 0.0.0.0 G/03.65
I've noticed that you do not specify the policy-class that the traffic is destined for (NexVortex, Self, etc.) in the Public policy-class.
Since your actual link to the Internet is in the Public policy-class, you may need to account for that.
I may be wrong, but I'm assuming you have SIP equipment connecting to Gig 0/2 that is registering to NexVortex, right?
Try this:
ip policy-class nexVortex
allow list nexVortex policy Public stateless
!
ip policy-class Private
allow list InterNetworks stateless
allow list self self
nat source list wizard-ics interface gigabit-ethernet 0/3 overload
!
ip policy-class Public
allow list VerticalAccess self
allow list ATL self
allow list <acl for inbound traffic to SIP equipment> policy nexVortex stateless
!
Thanks, you are right - that is almost exactly what we did to get it to work. Added the following with help from Support.
ip policy-class nexVortex
allow list nexVortex stateless
!
ip policy-class Public
allow list MATCHALL policy nexVortex stateless
Thanks for the reply!
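The reason the original Public policy-class dropped the inbound ping is easier to see with a small model of how an AOS policy-class is walked: a packet is matched against the entries of its ingress interface's policy-class, and an entry only applies when its ACL permits the packet and its destination scope ("self", "policy <name>", or none for any other policy-class) covers where the packet is going. The script below is an added illustration written for this thread, not ADTRAN code and not the poster's configuration. It is a simplified model of the firewall logic, it uses RFC 5737 documentation addresses in place of the redacted /27 blocks, and it assumes MATCHALL (not shown in the thread) is a "permit ip any any" ACL. It evaluates the same inbound ICMP echo against the "before" and "after" versions of the Public policy-class, and includes a parser for the debug ip firewall log line quoted above.

```python
"""Toy model of AOS-style policy-class evaluation (constructed illustration).

Each packet enters on an interface that belongs to a policy-class. The
firewall walks that policy-class top-down; an entry matches when its ACL
permits the packet AND its destination scope covers where the packet goes:
'self' (the unit itself), 'policy <name>' (interfaces in that policy-class)
or no scope (any destination policy-class). No match -> drop, which is the
'No Access Policy matched, dropping packet from Public policy-class' line.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str       # "icmp", "tcp", "udp"
    src: str
    dst: str
    ingress: str     # ingress interface name

@dataclass(frozen=True)
class Entry:
    acl: str
    scope: Optional[str] = None   # None = any policy-class, "self", or a policy-class name
    stateless: bool = False

# Constructed tables: RFC 5737 space stands in for the thread's redacted /27s.
INTERFACES = {
    "gigabit-eth 0/1": ("192.168.2.0/24",  "Private"),
    "gigabit-eth 0/2": ("203.0.113.96/27", "nexVortex"),   # the public /27
    "gigabit-eth 0/3": ("203.0.113.64/27", "Public"),      # Cox link
}
UNIT_ADDRESSES = {"192.168.2.1", "203.0.113.97", "203.0.113.73"}
DEFAULT_EGRESS = "gigabit-eth 0/3"                         # ip route 0.0.0.0 0.0.0.0

# ACL table: name -> list of (proto, src_net, dst_net); "ip" matches every proto.
# MATCHALL is assumed to be "permit ip any any"; VerticalAccess is not on the page
# and is modelled as an ACL that permits nothing.
ACLS = {
    "nexVortex":     [("ip", "0.0.0.0/0", "0.0.0.0/0")],
    "MATCHALL":      [("ip", "0.0.0.0/0", "0.0.0.0/0")],
    "self":          [("ip", "0.0.0.0/0", "0.0.0.0/0")],
    "ATL":           [("ip", "198.51.100.10/32", "0.0.0.0/0")],
    "InterNetworks": [("ip", "192.168.0.0/20", "192.168.0.0/20")],
}

def acl_permits(acl: str, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for proto, s_net, d_net in ACLS.get(acl, []):
        if (proto in ("ip", pkt.proto)
                and src in ipaddress.ip_network(s_net)
                and dst in ipaddress.ip_network(d_net)):
            return True
    return False

def destination_scope(pkt: Packet) -> str:
    """'self' for the unit's own addresses, else the egress interface's policy-class."""
    if pkt.dst in UNIT_ADDRESSES:
        return "self"
    dst = ipaddress.ip_address(pkt.dst)
    for _name, (net, policy) in INTERFACES.items():
        if dst in ipaddress.ip_network(net):
            return policy
    return INTERFACES[DEFAULT_EGRESS][1]       # falls through to the default route

def evaluate(policies: dict, pkt: Packet) -> tuple:
    """Walk the ingress policy-class top-down; the first matching entry wins."""
    ingress_policy = INTERFACES[pkt.ingress][1]
    target = destination_scope(pkt)
    for entry in policies.get(ingress_policy, []):
        if entry.scope is None:
            scope_ok = target != "self"     # bare entries cover other policy-classes, not the unit
        else:
            scope_ok = entry.scope == target
        if scope_ok and acl_permits(entry.acl, pkt):
            return ("allow", entry)
    return ("drop", f"No Access Policy matched, dropping packet from "
                    f"{ingress_policy} policy-class on interface {pkt.ingress}")

# "Before": Public only has entries scoped to self, so nothing covers the /27.
BEFORE = {
    "nexVortex": [Entry("nexVortex", None, stateless=True)],
    "Private":   [Entry("InterNetworks", None, stateless=True), Entry("self", "self")],
    "Public":    [Entry("VerticalAccess", "self"), Entry("ATL", "self")],
}
# "After": the fix from the thread, an entry in Public aimed at the nexVortex policy-class.
AFTER = dict(BEFORE)
AFTER["Public"] = BEFORE["Public"] + [Entry("MATCHALL", "nexVortex", stateless=True)]

# Constructed traffic: an Internet host pinging a laptop on the /27, and the
# laptop browsing out (which already worked, via the bare nexVortex entry).
INBOUND_PING  = Packet("icmp", "198.51.100.1", "203.0.113.100", "gigabit-eth 0/3")
OUTBOUND_WEB  = Packet("tcp",  "203.0.113.100", "198.51.100.50", "gigabit-eth 0/2")

def verdict(policies: dict, pkt: Packet) -> str:
    return evaluate(policies, pkt)[0]

# Parser for the debug ip firewall line quoted in the thread.
LOG_RE = re.compile(r'proto=\d+/(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) '
                    r'msg="[^"]*from (?P<policy>\S+) policy-class on interface (?P<iface>[^"]+)"')

def parse_fw_log(line: str) -> dict:
    m = LOG_RE.search(line)
    return m.groupdict() if m else {}

if __name__ == "__main__":
    print("before:", evaluate(BEFORE, INBOUND_PING))
    print("after: ", evaluate(AFTER, INBOUND_PING))
```

Running it prints a drop with the same wording as the quoted log for the "before" policy set and an allow for the "after" set, while the outbound web session is allowed in both, which matches what the original poster observed: browsing from the /27 worked, but unsolicited inbound traffic to it had no entry in the Public policy-class to match.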