So as luck would have it my techie is on vacation and they just activated my new T1. I've managed to get the router configured, or so I thought, but I can't connect to the Internet from my LAN so I figure I must have a setting wrong somewhere. If someone could take a look at my config posted below and see what you think I'd REALLY appreciate it. I can ping, traceroute, etc. from the router just fine, and DHCP seems to be working as it's assigning an IP to my laptop, but I just can't connect from the laptop. Eventually I'd like to add my netgear wireless router behind the 3200, but for now I just have my laptop plugged directly into the single ethernet port on the back of the 3200 ...
Router#show run
Building configuration...
!
!
! ADTRAN, Inc. OS version 15.12.00
! Boot ROM version 12.02.00
! Platform: NetVanta 3200, part number 1202860L1
! Serial number LBADTN0651AF993
!
!
hostname "Router"
enable password ********
!
clock timezone -8
!
ip subnet-zero
ip classless
ip name-server 198.6.100.98 198.6.100.25
ip default-gateway 152.179.250.29
no ip routing
!
auto-config
!
event-history on
no logging forwarding
no logging email
logging email priority-level info
!
no service password-encryption
!
username "admin" password "********"
!
!
no ip firewall alg msn
no ip firewall alg h323
!
!
!
!
!
!
!
!
ip dhcp-server database local
ip dhcp-server excluded-address 192.168.1.1
ip dhcp-server excluded-address 192.168.1.197
!
ip dhcp-server pool "Office"
network 192.168.1.0 255.255.255.0
dns-server 198.6.100.98
netbios-node-type h-node
default-router 192.168.1.1
!
!
!
interface eth 0/1
ip address 192.168.1.1 255.255.255.0
no shutdown
!
!
!
!
interface t1 1/1
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface ppp 1
ip address 152.179.250.30 255.255.255.252
no shutdown
cross-connect 1 t1 1/1 1 ppp 1
!
!
!
router rip
version 2
!
!
!
!
!
!
!
no ip tftp server
no ip tftp server overwrite
ip http server
ip http secure-server
no ip snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
line con 0
login
password adtran
!
line telnet 0 4
login
password ********
line-timeout 30
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
end
Router#
Your LAN addresses are private and can't directly route across the Internet. You need to define access policies to NAT them to the public Internet address of the T1. Add the following:
ip access-list standard self
  remark Traffic to Adtran
  permit any
ip access-list standard ics
  remark Internet Connection Sharing
  permit any
ip policy-class Public
  allow list self self
ip policy-class Private
  allow list self self
  nat source list ics interface ppp 1 overload
Then add the policies to the interfaces and enable the firewall.
interface ppp 1
  access-policy Public
interface eth 0/1
  access-policy Private
ip firewall
Doh! Thanks so much for the detailed help I REALLY appreciate it.
Now that I have it working I'd like to add a wireless router to give me more ports and wireless access. Would I simply turn off DHCP on the adtran and turn on DHCP on my wireless router, or is there more that I would need to do?
dsiomtw wrote:
Now that I have it working I'd like to add a wireless router to give me more ports and wireless access. Would I simply turn off DHCP on the adtran and turn on DHCP on my wireless router, or is there more that I would need to do?
What I do is add a wireless access point instead of a router. This allows wired and wireless devices on the LAN to share the same DHCP pool, avoids double NAT, and is cleaner IMHO.
What is weird is that consumer wireless routers are typically priced much lower than access points, most likely due to volume purchasing. What often works is to get a wireless router, turn off DHCP on it, don't use its "Internet" or WAN port, and connect one of its LAN ports to the ethernet of the Adtran, effectively turning it into an access point and small ethernet switch.
Thanks for the advice. I'll pick up a wireless access point as I definitely don't need to make this any more technical than it needs to be. I'm struggling to keep up as it is.
Last question for now if you have 2 more seconds...
I just noticed my adtran router is accessible via the web if you just type in the IP for my side of the circuit. I definitely don't want this. Any chance you know what I need to do to make my router inaccessible via the WAN?
dsiomtw wrote:
Last question for now if you have 2 more seconds...
I just noticed my adtran router is accessible via the web if you just type in the IP for my side of the circuit. I definitely don't want this. Any chance you know what I need to do to make my router inaccessible via the WAN?
Most secure and flexible:
ip access-list standard admin-access
  permit 192.168.1.0 0.0.0.255
http ip access-class admin-access in
http ip secure-access-class admin-access in
line telnet 0 4
  ip access-class admin-access in
line ssh 0 4
  ip access-class admin-access in
This allows you to allow specific outside hosts or networks to administer the device by modifying the admin-access list.
Alternatively, remove the line
allow list self self
from the Public policy-class. This can bite you later if you add a VPN or voice/dns/other proxy where sources on the Internet need to communicate with the Adtran itself but you don't want to allow remote administration.
Or do both.
Thanks again for the reply. I was able to setup the ACL using the first 2 lines you gave, but couldn't get the rest to take. While in global config mode I get "unrecognized command" when I enter "http ip access-class admin-access in" for example. What am I doing wrong?
The command syntax has changed slightly as AOS has matured. With the addition of IPv6, the "ip" keyword has been added or moved slightly in several places. Try the following variants:
http access-class admin-access in
ip http access-class admin-access in
as well as for the secure-access-class command.
Typing a "?" at any point in configuration mode will give you all of the possible options.
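The checks the replies above walk through by hand (NAT policy-class applied and ip firewall on, management restricted to the LAN, the WAN policy not admitting "any" to the router itself, passwords shown in the clear) can be run over a pasted "show run" automatically. The script below is an added example, not code from ADTRAN or from anyone in this thread; it accepts any of the three access-class spellings the last reply lists, parses both indented output and flattened pastes like the one at the top of the thread, and the two sample configs it carries are constructed from that paste (passwords are placeholders). The only AOS syntax it assumes is what the posts themselves show.

```python
"""Audit an ADTRAN AOS 'show run' for the issues raised in this thread.
Added example, not ADTRAN's or the posters' code; the sample configs are
constructed from the one pasted above and use only the spellings the posts use."""
import re

BLOCK_PREFIXES = ("interface ", "line ", "ip policy-class ", "ip access-list ",
                  "ip dhcp-server pool ", "router ")   # commands that open a block
HTTP_ACL_RE = re.compile(          # the three HTTP spellings the thread mentions
    r"^(?:http ip|http|ip http) (secure-access-class|access-class) (\S+) in$")
NAT_RE = re.compile(r"^nat source list (\S+) interface (.+?) overload$")

def parse_config(text):
    """Return (global_commands, {block_header: [sub_commands]}).  With indented
    input only indented lines join a block; in a flattened paste (like the
    poster's dump) lines join the last header until a '!' separator."""
    lines = text.splitlines()
    indented = any(l[:1].isspace() for l in lines)
    glob, blocks, cur = [], {}, None
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            cur = None
        elif line.startswith(BLOCK_PREFIXES):
            cur = line
            blocks.setdefault(cur, [])
        elif cur is not None and (raw[:1].isspace() or not indented):
            blocks[cur].append(line)
        else:
            glob.append(line)
            cur = None
    return glob, blocks

def audit(text):
    """Return sorted finding strings; an empty list means every check passed."""
    glob, blocks = parse_config(text)
    blk, f = blocks.get, []
    if "no service password-encryption" in glob:        # 'password adtran' in clear
        f += [f"plaintext-password: {h}" for h, c in blocks.items()
              if h.startswith("line ") and any(x.startswith("password ") for x in c)]
    have = {m.group(1) for m in map(HTTP_ACL_RE.match, glob) if m}
    if "ip http server" in glob and "access-class" not in have:
        f.append("http-unrestricted")
    if "ip http secure-server" in glob and "secure-access-class" not in have:
        f.append("https-unrestricted")
    f += [f"line-unrestricted: {h}" for h, c in blocks.items()
          if h.startswith(("line telnet", "line ssh"))
          and not any(re.match(r"^ip access-class \S+ in$", x) for x in c)]
    nat = [m for c in blocks.values() for m in map(NAT_RE.match, c) if m]
    if not nat:                      # the poster's original symptom: no NAT at all
        f.append("no-nat-overload")
    elif "ip firewall" not in glob:  # the reply says to enable the firewall with NAT
        f.append("nat-without-ip-firewall")
    else:
        # The interface NAT hides behind is the WAN side; if its policy-class
        # allows an 'any' ACL to self, management is reachable from the Internet.
        pol = next((x.split()[1] for x in blk(f"interface {nat[0].group(2)}", [])
                    if x.startswith("access-policy ")), None)
        for x in blk(f"ip policy-class {pol}", []):
            m = re.match(r"^allow list (\S+) self$", x)
            if m and "permit any" in blk(f"ip access-list standard {m.group(1)}", []):
                f.append(f"wan-policy-open-to-self: {pol} via {m.group(1)}")
    return sorted(f)

# Constructed: the poster's box after the first answer (NAT + firewall) but
# before any management restriction.  Passwords are placeholders.
WEAK = """\
no service password-encryption
ip access-list standard self
  permit any
ip policy-class Public
  allow list self self
ip policy-class Private
  allow list self self
  nat source list ics interface ppp 1 overload
interface eth 0/1
  ip address 192.168.1.1 255.255.255.0
  access-policy Private
interface ppp 1
  ip address 152.179.250.30 255.255.255.252
  access-policy Public
ip firewall
ip http server
ip http secure-server
line telnet 0 4
  password telnetpw
line ssh 0 4
  login local-userlist
"""
# Constructed: the same box with the thread's fixes applied: admin-access on
# HTTP/HTTPS/telnet/SSH, no 'allow ... self' on the WAN policy, encryption on.
HARDENED = WEAK
for old, new in (
    ("no service password-encryption", "service password-encryption"),
    ("ip policy-class Public\n  allow list self self\n", "ip policy-class Public\n"),
    ("ip policy-class Private\n", "ip access-list standard admin-access\n"
     "  permit 192.168.1.0 0.0.0.255\nip policy-class Private\n"),
    ("ip http secure-server\n", "ip http secure-server\nhttp access-class admin-access in\n"
     "http secure-access-class admin-access in\n"),
    ("line telnet 0 4\n", "line telnet 0 4\n  ip access-class admin-access in\n"),
    ("line ssh 0 4\n", "line ssh 0 4\n  ip access-class admin-access in\n"),
):
    HARDENED = HARDENED.replace(old, new)
```

Run audit() on the text of "show run" copied from the router; it reports the WEAK sample as open to web, telnet and SSH from any interface and as reaching the router itself from the WAN via the "self" ACL, and reports nothing for HARDENED. The WAN-side check derives the outside interface from the nat source command itself rather than from interface names, so it also works when the public link is not ppp 1.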
Thanks a million, you rock.