I have a NetVanta 3448. The customer has Time Warner fiber running to 3 locations, and all locations funnel out through the main location for internet. I have two VLANs: VLAN 1 using 10.72.35.x, and VLAN 100 using 10.3.0.x for private communication between sites. The internet is working fine; all locations can get out to the internet. The problem is I cannot ping any nodes past the Adtran using VLAN 100. Nodes will respond to pings using VLAN 1 but not VLAN 100. The firewall is running; see below for the config. Thanks in advance for any help.
no ethernet cfm
!
interface eth 0/1
description TWBC internet
ip address 71.40.59.x 255.255.255.248
ip mtu 1500
ip access-policy Public
no shutdown
!
!
interface eth 0/2
no ip address
shutdown
!
!
!
interface switchport 0/1
no shutdown
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
speed 100
no shutdown
switchport access vlan 100
!
interface switchport 0/4
no shutdown
!
interface switchport 0/5
no shutdown
!
interface switchport 0/6
no shutdown
!
interface switchport 0/7
no shutdown
!
interface switchport 0/8
no shutdown
!
!
!
interface vlan 1
ip address 10.72.32.5 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 100
ip address 10.3.0.1 255.255.255.224
ip mtu 1500
ip access-policy Private
no awcp
no shutdown
!
!
!
router rip
version 2
!
!
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended web-acl-5
remark Barracuda
permit tcp any host 71.40.59.x eq 8000 log
!
ip access-list extended web-acl-6
remark NetVanta Telnet
permit tcp any any eq telnet log
permit tcp any any eq ssh log
!
ip access-list extended web-acl-7
remark Allow
permit ip 10.3.0.0 0.0.0.31 10.3.0.0 0.0.0.31
permit ip 10.72.32.0 0.0.0.255 10.72.33.0 0.0.0.255
permit ip 10.72.33.0 0.0.0.255 10.72.32.0 0.0.0.255
permit ip 10.72.32.0 0.0.0.255 10.72.34.0 0.0.0.255
permit ip 10.72.34.0 0.0.0.255 10.72.32.0 0.0.0.255
permit ip 10.72.32.0 0.0.0.255 10.72.35.0 0.0.0.255
permit ip 10.72.35.0 0.0.0.255 10.72.32.0 0.0.0.255
permit ip 10.72.32.0 0.0.0.255 10.72.32.0 0.0.0.255 log
!
ip access-list extended web-acl-9
permit ip 10.3.0.0 0.0.255.255 any
!
ip access-list extended wizard-pfwd-1
remark Port Forward 1
permit tcp any host 71.40.59.x eq www log
!
ip access-list extended wizard-remote-access
remark do not hand edit this ACL
permit tcp any any eq telnet log
permit tcp any any eq ssh log
permit tcp any any eq https log
!
!
!
!
ip policy-class INTERVLAN
allow list web-acl-9 policy INTERVLAN
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface eth 0/1 overload
allow list web-acl-7
!
ip policy-class Public
nat destination list wizard-pfwd-1 address 10.72.32.5
nat destination list web-acl-5 address 10.72.32.254
allow list web-acl-6 self
!
!
!
ip route 0.0.0.0 0.0.0.0 71.40.59.x
ip route 10.72.33.0 255.255.255.0 10.3.0.3
ip route 10.72.34.0 255.255.255.0 10.3.0.4
ip route 10.72.35.0 255.255.255.0 10.3.0.5
Thank you for asking this question in the support community. I'm not certain I follow your question, specifically which portion is not working, but am I correct that the problem you are experiencing is routing between subnets?
If this is the problem, there are several things to check. First, verify the devices have the appropriate default gateway configured. Next, it appears that both subnets are configured in the "Private" policy-class. In the "Private" policy-class, you may need to move the "nat source list wizard-ics interface eth 0/1 overload" entry below the "allow list web-acl-7" entry, because that appears to be the ACL that you would like to use to allow the private subnets to communicate with each other (furthermore, I recommend adding the keyword "stateless" after the "allow list web-acl-7" entry). If that allow entry is below the NAT entry, then the source IP address will be modified, and returning traffic will be routed to the incorrect place.
I hope that makes sense, but based on your configuration and brief description, I think the problem is the order of your firewall entries. Please do not hesitate to reply to this post with any additional questions or information. I will be happy to help in any way I can.
Levi
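The reordering Levi describes, shown as an added example rather than anything from the original thread. AOS evaluates the entries of a policy-class top to bottom and applies the first one that matches, and "wizard-ics" is "permit any", so in the posted "Private" class every inside-to-inside packet (for example 10.72.32.10 to 10.72.33.10, routed out VLAN 100 toward 10.3.0.3) hits the NAT entry before it ever reaches "web-acl-7" and leaves with the eth 0/1 address as its source. The first fragment is the posted order; the second moves the inter-site allow above the NAT and adds "stateless" so the firewall does not track that traffic as sessions.

```text
! Posted order: the permit-any NAT entry shadows web-acl-7
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
  allow list web-acl-7

! Corrected order: inter-site traffic is matched and allowed
! (stateless) before the overload NAT entry is reached
ip policy-class Private
  allow list self self
  allow list web-acl-7 stateless
  nat source list wizard-ics interface eth 0/1 overload
```

Two checks worth doing after the change, both based only on the posted config. First, "web-acl-7" permits 10.72.32.0/24 to and from each remote /24 and 10.3.0.0/27 to itself, but it has no entry for traffic between two remote sites (10.72.33.0/24 to 10.72.34.0/24, for instance); such traffic still falls through to the NAT entry, so add the corresponding permit lines if sites must reach each other directly. Second, on the "Public" side, "allow list web-acl-6 self" admits telnet and SSH to the NetVanta from any source on the internet-facing interface; restricting those lines to known management addresses (or dropping telnet) is a separate hardening step from the routing fix, but one that should not be left as is.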