Hello All, I have a setup that I am struggling with a little bit. Verizon did not provide T1 equipment for a 2x Frame-Relay T1, so I'm configuring an Adtran for my client, but a little confused how to avoid a double NAT since I do not want to use the 3430 as a firewall. I want the customer's equipment to handle all firewall and NAT.
Here's the scenario:
Verizon has provided me a /30 IP for the Frame-Relay Circuit, as well as a "LAN" set of public IP addresses of /30 as well.
Of course, the first /30 Frame-Relay set of IPs is easy and my 0.0.0.0 route will go to the fr interface.
However, the /30 for the "LAN" gives me only 1 "public" IP address for my eth 0/1 interface since the other usable IP is Verizon's default gateway ip for the LAN subnet. I then have no public IP to assign to my customer's firewall.
Do I need to fix this by simply getting a bigger block from the provider, or is there a way to "bridge" this connection? My SE mentioned SBC, but I'm not very familiar with SBC and all the config guides I found really only have to do with VoIP and this is a data only configuration.
Any guidance would be greatly appreciated!
It is odd for a service provider not to provide a router for T1 termination if you are also getting IP space from them. But if you are using an Adtran 3430, then you have a T1 interface and 2 Ethernet interfaces. You should configure your frame relay T1 interface and assign the first /30 to that (likely x.x.x.2 with x.x.x.1 being the default gateway) and then configure your LAN interface similarly with the additional /30 (y.y.y.1 on the LAN interface, with y.y.y.2 for your customer firewall). Customer firewall should use y.y.y.1 as its default gateway.
Basically, both /30's aren't configured in Verizon's core. They are very likely configured to use the first /30 as the routed PTP IPs with the second /30 routed in their core to the far end IP built on your router from the first /30. The entire /30 #2 will basically live on your router, so configure your LAN interface and firewall to use these IPs and you should be good to go.
That's exactly what I was thinking and turns out that the Verizon tech was telling me WRONG that I couldn't use the second /30 for my eth interface and the firewall. Thanks for confirming that for me! I spoke to an engineer today who cleared it up for me further. Thanks Verizon for sending me on a wild goose chase!
Y.Y.Y.1 is the frame-relay /30
X.X.X.1 is the eth /30
Customer firewall would have X.X.X.2 with gateway of X.X.X.1
Adtran 3430 MLFR 2xT1
!
!
!
hostname Verizon_Frame_Relay
enable password adtran
!
!
ip subnet-zero
ip classless
ip routing
ip load-sharing per-destination
!
no auto-config
!
event-history on
no logging forwarding
no logging email
logging email priority-level info
!
no service password-encryption
!
no ip firewall alg msn
no ip firewall alg h323
!
interface eth 0/1
description to Local LAN
ip address X.X.X.1 255.255.255.252
no shutdown
!
interface t1 1/1
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface t1 1/2
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface fr 1 point-to-point
frame-relay lmi-type ansi
frame-relay multilink
frame-relay multilink bid MFR1
max-reserved-bandwidth 100
no shutdown
cross-connect 1 t1 1/1 1 frame-relay 1
cross-connect 2 t1 1/2 1 frame-relay 1
!
interface fr 1.500 point-to-point
description WAN to Verizon
frame-relay interface-dlci 500
ip address Y.Y.Y.1 255.255.255.252
no lldp send-and-receive
!
ip route 0.0.0.0 0.0.0.0 fr 1.500
!
no ip tftp server
no ip tftp server overwrite
no ip http server
no ip http secure-server
ip snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
line con 0
login
password adtran
!
line telnet 0 4
login
password adtran
!
line-timeout 30
line ssh 0 4
login local-userlist
!
end
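The configuration above puts the router on public addresses, so its management settings are worth checking before the circuit goes live. As an added example (not part of the thread), this Python check scans an AOS-style config for the items visible in the post: guessable passwords, cleartext password storage, a Telnet line, and the SNMP agent. The rule names and the WEAK_PASSWORDS list are assumptions made for illustration.

```python
import re

# Constructed excerpt: management-plane lines copied from the config posted above.
SAMPLE = """\
enable password adtran
no service password-encryption
ip snmp agent
!
line con 0
login
password adtran
!
line telnet 0 4
login
password adtran
!
line-timeout 30
line ssh 0 4
login local-userlist
!
"""
# Assumption: illustrative list of guessable values (vendor name, common defaults).
WEAK_PASSWORDS = {"adtran", "admin", "password"}

def audit(config):
    """Return (rule, context) findings for management-plane weaknesses."""
    findings, section = [], "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            section = "global"  # "!" closes the current block
            continue
        m = re.match(r"line (con|telnet|ssh) ", line)
        if m:
            section = m.group(1)
            if section == "telnet":  # Telnet carries logins unencrypted
                findings.append(("telnet-enabled", line))
            continue
        m = re.match(r"(enable )?password (\S+)$", line)
        if m and m.group(2) in WEAK_PASSWORDS:
            findings.append(("weak-password", "enable" if m.group(1) else section))
        elif line == "no service password-encryption":
            findings.append(("cleartext-passwords", "global"))
        elif line == "ip snmp agent":  # review community strings and access
            findings.append(("snmp-enabled", "global"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Section tracking relies on the `!` separators, so it works on flattened output like the post's as well as on indented configs.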