I have a NAT overload statement to route all IP phones out to a public registration server. At times I need to create a static mapping for an analog device from public to private to update, modify, or adjust configuration on a specific device. I have checked the "how to's" and they are not helping with getting this mapping successful. I was able to map the device and reach it through a browser with port 80, but I lose all access (SSH) to the 3140 device and it needs to be rebooted to bring it back. Here is my current configuration with some IPs "x"'d out. What I need to do is to map private IP 10.30.30.52 to public IP xx.xx.xx.58 port 80 so I can access this device. All of this without affecting router access or any other voice traffic.
interface gigabit-eth 0/1
description WAN
ip address xx.xx.xx.58 255.255.255.252
traffic-shape rate 1500000
qos-policy out outboundsip
no shutdown
!
interface gigabit-eth 0/3
encapsulation 802.1q
no shutdown
!
interface gigabit-eth 0/3.300
description VOICE
vlan-id 300
ip address 10.30.30.254 255.255.255.0
ip access-policy PHONES
no shutdown
!
ip access-list standard CUST_PHONE
permit 10.30.30.0 0.0.0.255
!
ip policy-class PHONES
nat source list CUST_PHONE interface gigabit-ethernet 0/1 overload
The problem is that when you are using the public interface IP and port for the static mapping, you can then no longer use it for access to the 3140 itself.
Your options are:
For example:
ip access-list extended device-access
remark inside device access
permit tcp any host xx.xx.xx.58 eq 8080
interface gigabit-eth 0/1
description WAN
ip address xx.xx.xx.58 255.255.255.252
ip access-policy Public
...
ip policy-class Public
nat destination list device-access address 10.30.30.10 port 80
...
Now pointing a browser to the public IP xx.xx.xx.58 on port 80 gets to the Adtran 3140 but pointing a browser to xx.xx.xx.58:8080 takes you to port 80 of the inside device. Obviously you can build multiple access-list and nat destination pairs for different services and inside IPs.
The Adtran firewall web GUI actually does a fairly decent job of this but you wind up with wacky names for the access-lists which makes for fun reading trying to decipher the config later.
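The mechanism behind the answer above, as an added illustration that is not part of the original thread and not Adtran code: a small Python model of how a policy-class pairs an extended access-list with a "nat destination" translation. It parses the same "permit tcp any host ... eq ..." lines the answer uses, applies the first matching translation to an inbound packet, and flags the mistake from the question: a mapping that claims the WAN address on a port the router's own management services already listen on. The public address 203.0.113.58 is a constructed stand-in for the post's xx.xx.xx.58, and the set of router service ports (22 for SSH, 80 for the web GUI) is an assumption drawn only from the services the thread mentions.

```python
# Added example (not from the forum post or Adtran): a model of the AOS
# policy-class behaviour described in the answer, plus a conflict check for
# the lock-out described in the question.

from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-in (TEST-NET-3) for the post's xx.xx.xx.58.
PUBLIC_IP = "203.0.113.58"

# Assumption: ports the NetVanta itself serves on its WAN address. Only SSH
# (22) and the web GUI (80) are mentioned in the thread.
ROUTER_SERVICE_PORTS = {22, 80}


@dataclass(frozen=True)
class AclEntry:
    proto: str
    dst_host: str
    dst_port: int


@dataclass(frozen=True)
class NatDestRule:
    acl: Tuple[AclEntry, ...]   # "nat destination list <acl>"
    inside_ip: str              # "address <ip>"
    inside_port: int            # "port <n>"


def parse_acl(lines: List[str]) -> Tuple[AclEntry, ...]:
    """Parse 'permit tcp any host <ip> eq <port>' lines, the only form the answer uses."""
    entries = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0] != "permit":
            continue  # remarks and blank lines carry no match criteria
        # permit <proto> any host <ip> eq <port>
        if len(parts) != 7 or parts[2] != "any" or parts[3] != "host" or parts[5] != "eq":
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.append(AclEntry(parts[1], parts[4], int(parts[6])))
    return tuple(entries)


def conflicts_with_router(rule: NatDestRule, public_ip: str = PUBLIC_IP,
                          service_ports=ROUTER_SERVICE_PORTS) -> List[int]:
    """Public ports this rule would take away from the router's own services."""
    return sorted(e.dst_port for e in rule.acl
                  if e.dst_host == public_ip and e.dst_port in service_ports)


def translate(rules: List[NatDestRule], proto: str, dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """First matching rule wins; an unmatched packet is delivered to the router itself."""
    for rule in rules:
        for entry in rule.acl:
            if entry.proto == proto and entry.dst_host == dst_ip and entry.dst_port == dst_port:
                return rule.inside_ip, rule.inside_port
    return dst_ip, dst_port


# The answer's working pair: public :8080 -> inside 10.30.30.10:80
GOOD_ACL = parse_acl([
    "remark inside device access",
    f"permit tcp any host {PUBLIC_IP} eq 8080",
])
GOOD_RULE = NatDestRule(GOOD_ACL, "10.30.30.10", 80)

# The question's failing attempt: public :80 -> inside 10.30.30.52:80
BAD_ACL = parse_acl([f"permit tcp any host {PUBLIC_IP} eq 80"])
BAD_RULE = NatDestRule(BAD_ACL, "10.30.30.52", 80)


if __name__ == "__main__":
    print("bad rule takes router ports:", conflicts_with_router(BAD_RULE))
    print("good rule takes router ports:", conflicts_with_router(GOOD_RULE))
    print("tcp/8080 ->", translate([GOOD_RULE], "tcp", PUBLIC_IP, 8080))
    print("tcp/80   ->", translate([GOOD_RULE], "tcp", PUBLIC_IP, 80))
    print("tcp/22   ->", translate([GOOD_RULE], "tcp", PUBLIC_IP, 22))
```

Running it shows the question's rule reporting port 80 as taken from the router, while the answer's rule reports nothing and leaves tcp/80 and tcp/22 on the WAN address untouched; only tcp/8080 is rewritten to the inside device. The same check can be run over every access-list and nat destination pair before it is pasted into a policy-class, which is cheaper than the reboot described in the question.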