Hey Folks,
I am configuring an Adtran 3448 and I am stumped. I need the subnet on vlan 1 (192.168.3.0) to be able to talk to a subnet on another network (192.168.2.0). The connection to the other network is physically connected to port 8 (vlan 15) with a route statement to the 192.168.2.0 network. I can always ping any IP address in the 192.168.2.0 network from the router. Here's the problem... With the configuration below, from a PC on the 192.168.3.0 network I can ping the 192.168.2.0 network, but my internet does not work; HOWEVER, on the ip policy-class Private if I move my NAT statement to be first and then allow list INTERVLAN stateless as the second statement, I have Internet access, but I cannot ping the 192.168.2.0 network. I can't figure out what's wrong in the ACLs. Any suggestions? I've tried all kinds of things with no luck.
Below is the config (WAN IPs changed to 1.1.1.1 for security)
-----------------------------------------------------------------------------------------
interface eth 0/1
description Connection To Internet
speed 100
ip address 1.1.1.1 255.255.255.252
no shutdown
!
!
interface eth 0/2
no ip address
shutdown
!
!
!
interface switchport 0/1
no shutdown
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
interface switchport 0/5
no shutdown
!
interface switchport 0/6
no shutdown
!
interface switchport 0/7
no shutdown
!
interface switchport 0/8
description Uplink to Other Network
no shutdown
switchport access vlan 15
!
!
!
interface vlan 1
description Customer LAN
ip address 192.168.3.1 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 15
ip address 10.10.10.1 255.255.255.252
ip access-policy Private
no shutdown
!
!
!
!
!
!
!
ip access-list standard matchall
permit any
!
!
ip access-list extended INTERVLAN
permit ip any any log
!
ip access-list extended self
permit ip any any log
!
ip access-list extended wan
permit tcp any any eq www log
permit tcp any any eq telnet log
permit tcp any any eq https log
permit tcp any any eq ssh log
permit icmp any any echo log
!
!
!
!
ip policy-class Private
allow list INTERVLAN stateless
nat source list matchall address 1.1.1.1 overload
!
ip policy-class Public
allow list wan self
!
!
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 192.168.2.0 255.255.255.0 10.10.10.2
- Thank you for posting your question on the forum!
To understand what is happening here, you will need to know that traffic will look for a match on the policy-class and ACL in a top to bottom order. Once a matching entry is found, all remaining entries will not be checked. Since your ACLs, INTERVLAN and matchall, have a 'permit ip any any' entry, the ACL on top will match all traffic while the ACL below will never be checked.
There are a couple of ways to configure this, but I would suggest restricting the INTERVLAN ACL so that instead of a 'permit ip any any' entry, you will have a 'permit 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255' entry and a 'permit 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255' entry. Also, the INTERVLAN allow statement will need to be placed above your internet NAT statement.
I hope this answers your questions, but please do not hesitate if you have any issues.
Thanks,
Noor
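The first-match behaviour Noor describes, as an added example that is not from the post or from Adtran's software: a small Python model of the three policy-class orderings discussed in the thread (the posted order, the NAT-first order, and the suggested order with a restricted INTERVLAN ACL). The host addresses 192.168.3.10, 192.168.2.20 and 203.0.113.5 are constructed, and the rule for what "works" follows the poster's observation that traffic to the other network must leave un-NATed while Internet traffic must be NATed.

```python
"""First-match evaluation of an Adtran-style 'ip policy-class'.

Added worked example; it is not code from the forum post or from Adtran AOS.
It models only what the reply describes: policy-class entries are checked top
to bottom, the first entry whose ACL permits the packet decides the action,
and extended-ACL entries use wildcard masks ('192.168.3.0 0.0.0.255').
Host addresses below (192.168.3.10, 192.168.2.20, 203.0.113.5) are constructed.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' in ACL syntax


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask semantics: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """An extended ACL here is a list of (src, dst) wildcard pairs, each a
    permit entry; the ACL permits when any entry matches, otherwise the
    implicit deny applies."""
    return any(wildcard_match(src, *s) and wildcard_match(dst, *d) for s, d in acl)


def policy_action(policy, src, dst):
    """Walk the policy-class top to bottom; the first ACL hit fixes the action.
    Entries further down are never consulted, which is the point of the reply."""
    for action, acl in policy:
        if acl_permits(acl, src, dst):
            return action
    return "deny"  # implicit deny at the end of a policy-class


def reachable(policy, src, dst):
    """Judge the outcome the way the poster observed it:
    - 192.168.2.0/24 is reached via a plain route, so the flow must leave
      un-NATed ('allow'); a source rewritten to the WAN address gets no reply;
    - anything else is the Internet, which only works when the private source
      is NATed to the WAN address ('nat')."""
    action = policy_action(policy, src, dst)
    if wildcard_match(dst, "192.168.2.0", "0.0.0.255"):
        return action == "allow"
    return action == "nat"


# ACLs as posted: both are effectively 'permit ip any any'
MATCHALL = [(ANY, ANY)]
INTERVLAN_ANY = [(ANY, ANY)]

# INTERVLAN restricted as the reply suggests: only the two LAN-to-LAN directions
INTERVLAN_RESTRICTED = [
    (("192.168.3.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")),
    (("192.168.2.0", "0.0.0.255"), ("192.168.3.0", "0.0.0.255")),
]

# The three policy-class orderings discussed in the thread
POLICIES = {
    "posted": [("allow", INTERVLAN_ANY), ("nat", MATCHALL)],
    "swapped": [("nat", MATCHALL), ("allow", INTERVLAN_ANY)],
    "fixed": [("allow", INTERVLAN_RESTRICTED), ("nat", MATCHALL)],
}

PC = "192.168.3.10"             # constructed host on vlan 1
OTHER_NET_HOST = "192.168.2.20"  # constructed host on the other network
INTERNET_HOST = "203.0.113.5"    # constructed public address (TEST-NET-3)


def outcomes():
    """Return {name: (other_network_reachable, internet_reachable)} per ordering."""
    return {
        name: (reachable(pol, PC, OTHER_NET_HOST), reachable(pol, PC, INTERNET_HOST))
        for name, pol in POLICIES.items()
    }


if __name__ == "__main__":
    for name, (lan, inet) in outcomes().items():
        print(f"{name:8s} other network: {lan!s:5s} internet: {inet}")
```

Running it reproduces the two symptoms from the question (the posted order reaches the other network but not the Internet, the swapped order the reverse) and shows that the restricted INTERVLAN ACL placed above the NAT entry lets each flow fall through to the entry meant for it.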
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor