We have a server behind our 3430 firewall on a local IP: 192.168.2.202. We have a public IP address that has been configured into a NAT rule in the 3430 and successfully allows connections to the server from the internet. However, internal clients on the same private network (192.168.2.xxx) are unable to access the server in their web browsers using the public IP. The public IP does not have a domain name assigned. The clients on the internal network can access the server using its internal address.
The internal network is connected to the eth0 interface on the 3430 and that interface is assigned to the Private security zone. The WAN connection is on interface eth1 and is assigned to the Public security zone. Security zone Public has a policy performing the NAT from the internet to the server on the internal IP.
I attempted to configure the same policy on the Private security zone, believing it would see the public IP request and perform a translation to the local IP but it does not work. We need to provide the internal clients with the ability to access the internal server using the public IP.
Thanks!
-Marco
First you need an ACL that allows the selected traffic of your choice to the public IP address. An example would be TCP 80 for web traffic.
ip access-list extended web.inbound
remark web traffic to internal computer
permit tcp any host <public IP address> eq 80 log
..additional permit/deny statements as needed.
Then you need to put the NAT statement into the Public policy-class.
ip policy-class Public
nat destination list web.inbound address 192.168.2.202
Sorry, I didn't read that one through all the way. The ACL and policy-class are correct. What may work well is to add a host entry into the 3430 or your local DNS server that points to the local 192.168.2.202 address. That hostname should match that of the public hostname associated with your public IP.
At my installation I have an Active Directory server providing DNS, so I use the LAN address of the 3430 (most likely 192.168.2.1 for your installation) as the primary Forwarder address in DNS.
Then you just enable DNS services in the NetVanta:
ip domain-lookup
ip domain-proxy
then a simple host entry that matches the public hostname
host <hostname> 192.168.2.202
When the client attempts a connection to the computer by the public hostname, DNS will return 192.168.2.202 vs. the public IP as the address.
I hope this makes sense.
R\
Thanks for the info, vmaxdawg. We are using the 3430 as our DNS server also. I did try earlier with the host name entries. The problem I have is that the servers don't have registered hostnames. So even when accessing the servers from the internet the users must use the public IP. So I don't have a way to replace site.com with 192.168.2.202 as you suggest. I think it would work but I don't have a way to implement it on the 3430.
I am confused as to why the policy I set, which I believe should loop around the requests for the external IP to the internal is not working.
Ah. If you need to use the IP vs. hostname, then you may want to consider putting the server on a different interface so you can NAT from both the public and the private. That way you are always accessing the server by the public IP address. The interface doesn't need to be in a different policy-class, but it may make sense if you want to better protect the server.
levi, one of Adtran's TSEs, explains what you can do in another post (NAT reflection?). It might be tricky if you are already using both of your Ethernet interfaces on your 3430. You can always apply 802.1q encapsulation on one of the interfaces and create sub-interfaces on one of the Ethernet interfaces. Then connect it to a Layer-2 switch. I've had success with that.
I hope it makes sense.
R\
We are not using the 3430 in the intended way. We inherited the 3430 with the office. At the time the router was connected to a T1 line, but when we moved in the owner switched service providers. The current provider drops an Ethernet line for us, and so we configured the 3430 such that it bridges the internet and our network over the Ethernet ports. Our network is on eth0 and the internet on eth1. I am not a network admin so I struggle with these issues a bit. Maybe our best solution is to switch out the 3430 for an appropriate router in this configuration. We are happy with Adtran so I'll have to check what they might have available in an all-Ethernet router.
@red - It may be helpful to see your current configuration to see if there is a workaround for you. If you post it, please remember to remove any sensitive information.
Thanks,
Noor
OK, here is the configuration. I have masked the external IP addresses for security but left the subnet values so they can be tracked in the file.
!
!
! ADTRAN, Inc. OS version 18.02.03.00.E
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3430, part number 1200820E1
! Serial number LBADTN0829AF814
!
!
hostname "phcs-fw"
enable password encrypted
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip default-gateway XXX.XXX.XXX.161
ip routing
ipv6 unicast-routing
!
!
ip domain-name "PHCS.OFFICE"
ip domain-proxy
ip name-server 209.18.47.61 209.18.47.62
!
!
no auto-config
!
event-history on
event-history priority notice
logging forwarding on
no logging console
logging forwarding receiver-ip 192.168.2.204
no logging email
logging email priority-level fatal
logging email receiver-ip 192.168.2.204
logging email address-list admin@phcs.office
logging email ip urlfilter top-websites address-list admin@phcs.office
logging email ip urlfilter top-websites send-time 23:59:59
!
service password-encryption
!
username "XXXXX" password encrypted
!
!
ip firewall
ip firewall stealth
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
aaa on
ftp authentication LoginUseLocalUsers
!
!
aaa authentication login LoginUseRadius group radius
aaa authentication login LoginUseLocalUsers local
aaa authentication login LoginUseLinePass line
!
aaa authentication enable default enable
!
!
!
!
no dot11ap access-point-control
!
!
!
!
ip dhcp-server excluded-address 192.168.0.0
ip dhcp-server excluded-address 192.168.0.255
ip dhcp-server excluded-address 192.168.2.0
ip dhcp-server excluded-address 192.168.2.255
!
ip dhcp-server pool "LISA_I"
domain-name "PHCS"
dns-server 192.168.2.1
default-router 192.168.2.1
host 192.168.2.200 255.255.255.0
hardware-address 00:18:8b:73:73:4f ethernet
!
ip dhcp-server pool "STEWIE_I"
domain-name "PHCS"
dns-server 192.168.2.1
default-router 192.168.2.1
host 192.168.2.202 255.255.255.0
hardware-address b4:99:ba:aa:e2:5a ethernet
!
ip dhcp-server pool "Private"
network 192.168.2.0 255.255.255.0
domain-name "PHCS"
dns-server 192.168.2.1
default-router 192.168.2.1
!
ip dhcp-server pool "LISA_E"
domain-name "PHCS"
dns-server 192.168.2.1
default-router 192.168.2.1
host 192.168.2.201 255.255.255.0
hardware-address 00:18:8b:73:73:4d ethernet
!
ip dhcp-server pool "STEWIE_E"
domain-name "PHCS"
dns-server 192.168.2.1
default-router 192.168.2.1
host 192.168.2.203 255.255.255.0
hardware-address b4:99:ba:aa:e2:5b ethernet
!
ip dhcp-server pool "CopyPrinter"
domain-name "PHCS"
dns-server 192.168.2.1
default-router 192.168.2.1
host 192.168.2.2 255.255.255.0
hardware-address bc:b1:81:d4:96:c3 ethernet
!
ip dhcp-server pool "GuestRouter"
domain-name "GuestNet"
dns-server 192.168.2.1
default-router 192.168.2.1
host 192.168.2.254 255.255.255.0
hardware-address 00:25:9c:e0:d2:b3 ethernet
!
ip dhcp-server pool "FLEXICAPTURE"
domain-name "PHCS"
dns-server 192.168.2.1
default-router 192.168.2.1
host 192.168.2.87 255.255.255.0
hardware-address 70:54:d2:96:64:1b ethernet
ntp-server 192.168.2.1
!
ip dhcp-server pool "Gordo"
dns-server 192.168.2.1
netbios-name-server 192.168.2.1
default-router 192.168.2.1
host 192.168.2.204 255.255.255.0
hardware-address 00:11:32:25:12:33 ethernet
ntp-server 192.168.2.1
!
ip dhcp-server pool "Gordo2"
dns-server 192.168.2.1
netbios-name-server 192.168.2.1
default-router 192.168.2.1
host 192.168.2.205 255.255.255.0
hardware-address 00:11:32:25:12:34 ethernet
ntp-server 192.168.2.1
!
ip urlfilter Web_Http_Filter http
ip urlfilter exclusive-domain deny "cdn-games.bigfishsites.com"
ip urlfilter exclusive-domain deny "kingsisle.hs.llnwd.net"
ip urlfilter exclusive-domain deny "www.bigfishgames.com"
ip urlfilter exclusive-domain deny "www.gamefudge.com"
ip urlfilter exclusive-domain deny "www.kifreegames.com"
ip urlfilter exclusive-domain deny "*.facebook.*"
ip urlfilter allowmode
ip urlfilter top-website
!
!
ip crypto
!
crypto ike client configuration pool "Mobile Workers"
ip-range 192.168.4.1 192.168.4.254
dns-server 192.168.2.1
!
crypto ike policy 100
!
crypto ike remote-id
!
crypto ipsec transform-set
!
crypto map VPN
!
!
!
ip flow export destination 192.168.2.200 30000
ip flow cache sample one-out-of 50 random
ip flow cache timeout active 15
ip flow top-talkers
interval 15
top 20
!
!
no ethernet cfm
!
interface eth 0/1
description InternalLink
ip address 192.168.2.1 255.255.255.0
ip access-policy Private
ip flow egress
no awcp
no shutdown
!
!
interface eth 0/2
description ExternalLink
ip address XXX.XXX.XXX.162 255.255.255.248
ip mtu 1500
ip address range XXX.XXX.XXX.163 XXX.XXX.XXX.166 255.255.255.248 secondary
ip access-policy Public
ip urlfilter Web_Http_Filter out
crypto map VPN
ip flow ingress
no awcp
no shutdown
!
!
!
!
interface t1 1/1
description ckt id OC00721554/36HCGS214850GTEN
shutdown
!
!
!
!
!
!
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors7
permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
!
ip access-list extended web-acl-10
remark Block Log Me In
deny ip 69.25.20.0 0.0.0.255 any
deny ip 77.242.192.0 0.0.0.255 any log
!
ip access-list extended web-acl-11
remark Internet ---> Gordo
permit tcp any host XXX.XXX.XXX.165 range 5000 5001 log
permit tcp any host XXX.XXX.XXX.165 eq 5006 log
permit tcp any host XXX.XXX.XXX.165 eq 6690 log
!
ip access-list extended web-acl-13
remark Guest Int ---> Ext
permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended web-acl-14
remark Block Guest ---> LAN
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip access-list extended web-acl-15
remark Internet ---> TimeTre...
permit tcp any host XXX.XXX.XXX.164 eq 8085 log
!
ip access-list extended web-acl-5
remark EXT ---> LISA
deny tcp any host XXX.XXX.XXX.163 eq www log
permit tcp any host XXX.XXX.XXX.163 eq ssh log
remark Internet ---> LISA_E
permit tcp any host XXX.XXX.XXX.163 eq https log
permit tcp any host XXX.XXX.XXX.163 eq 8443 log
permit tcp any host XXX.XXX.XXX.163 eq 8080 log
permit tcp any host XXX.XXX.XXX.163 eq 8085 log
!
ip access-list extended web-acl-6
remark Internet ---> STEWIE_E
deny tcp any host XXX.XXX.XXX.164 eq www log
permit tcp any host XXX.XXX.XXX.164 eq ssh log
permit tcp any host XXX.XXX.XXX.164 eq https log
permit tcp any host XXX.XXX.XXX.164 eq 8080 log
permit tcp any host XXX.XXX.XXX.164 eq 8443 log
permit tcp any host XXX.XXX.XXX.164 range 5900 5903 log
!
ip access-list extended web-acl-7
remark Int to Ext
permit ip any any
!
ip access-list extended wizard-remote-access
remark Admin Access
permit tcp any any eq https log
permit tcp any any eq ssh log
permit tcp any any eq ftp log
permit icmp any any echo log
!
!
!
!
ip policy-class Private
allow list VPN-10-vpn-selectors7 stateless
nat source list web-acl-7 interface eth 0/2 overload
allow list self self
discard list web-acl-14
nat source list web-acl-13 interface eth 0/1 overload
!
ip policy-class Public
discard list web-acl-10
allow reverse list VPN-10-vpn-selectors7 stateless
nat destination list web-acl-6 address 192.168.2.202
nat destination list web-acl-15 address 192.168.2.202 port 80
nat destination list web-acl-5 address 192.168.2.200
nat destination list web-acl-11 address 192.168.2.204
allow list wizard-remote-access self
!
!
!
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.161
!
no tftp server
no tftp server overwrite
ip http authentication LoginUseLocalUsers
no ip http server
ip http secure-server
no snmp agent
ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
ip sip proxy grammar contact outbound-server-reference host domain
!
!
!
!
!
!
!
!
!
!
line con 0
password encrypted
!
line telnet 0
login authentication LoginUseLinePass
password encrypted
no shutdown
line telnet 1
login authentication LoginUseLinePass
password encrypted
no shutdown
line telnet 2
login authentication LoginUseLinePass
password encrypted
no shutdown
line telnet 3
login authentication LoginUseLinePass
password encrypted
no shutdown
line telnet 4
login authentication LoginUseLinePass
password encrypted
no shutdown
line ssh 0 4
no shutdown
!
sntp server ntp.glorb.com
!
!
!
!
end
@red - Are you able to put the webserver on a different subnet? For example, say your 3430 LAN port (eth 0/1) plugs into a switch. You can add a secondary subnet to the LAN port and put your webserver in that subnet. Keep in mind, this would require you to update your port forward to reflect the webserver's new internal IP address. Once that is done, you can set up a destination NAT on the Private policy-class to the new internal IP of the webserver. In the example below, the new subnet will be 192.168.3.x. Let's say the webserver now has an internal IP of 192.168.3.202. The configuration would look something like this:
interface eth 0/1
description InternalLink
ip address 192.168.2.1 255.255.255.0
ip address 192.168.3.1 255.255.255.0 secondary
ip access-policy Private
ip flow egress
no awcp
no shutdown
ip access-list extended InternalWeb
permit ip any host XXX.XXX.XXX.164 log
ip policy-class Private
allow list VPN-10-vpn-selectors7 stateless
nat destination list InternalWeb address 192.168.3.202
nat source list web-acl-7 interface eth 0/2 overload
allow list self self
discard list web-acl-14
nat source list web-acl-13 interface eth 0/1 overload
Let us know if you have any questions.
Thanks,
Noor
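For anyone working through the same problem against their own running-config, the following script is an added example (it is not code from this thread, from Noor, or from Adtran). It parses only the two AOS constructs visible in the posted config, `ip access-list extended` entries of the form `permit/deny tcp any host X eq/range ...` and `nat destination list <acl> address <ip> [port <p>]`, builds the public ip:port to internal ip:port forward table, flags the targets that sit on the clients' own subnet (the case that cannot be hairpinned in place), and prints the Private policy-class ACL and `nat destination` lines for the secondary-subnet workaround Noor describes. The ACL names `hairpin-N`, the remark text and the 192.168.3.202 address are assumptions taken from Noor's example; the sample config embedded below is a constructed excerpt of the posted one with the masked octets left as `XXX.XXX.XXX`.

```python
"""Inventory NetVanta (AOS) port forwards and emit the Private-zone hairpin lines
for the secondary-subnet workaround. Added example, not Adtran's code; it only
understands the ACL and nat-destination syntax shown in the thread."""
import ipaddress
import re
from collections import defaultdict, namedtuple

Forward = namedtuple("Forward", "public_ip proto public_port internal_ip internal_port")

# Service names AOS prints instead of port numbers (the subset seen in the config).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}

ACL_RE = re.compile(r"^ip access-list extended (\S+)$")
ENTRY_RE = re.compile(r"^(permit|deny) (tcp|udp) any host (\S+) (?:eq (\S+)|range (\S+) (\S+))(?: log)?$")
PC_RE = re.compile(r"^ip policy-class (\S+)$")
DNAT_RE = re.compile(r"^nat destination list (\S+) address (\S+)(?: port (\d+))?$")


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_forwards(config, policy_class="Public"):
    """Return the public ip:port -> internal ip:port forwards of one policy-class."""
    acls = defaultdict(list)  # acl name -> [(action, proto, host, [ports])]
    dnat = []                 # (acl, address, port override) in config order
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        m_acl, m_pc = ACL_RE.match(line), PC_RE.match(line)
        if m_acl:
            section = ("acl", m_acl.group(1))
        elif m_pc:
            section = ("pc", m_pc.group(1))
        elif section and section[0] == "acl" and (m := ENTRY_RE.match(line)):
            action, proto, host, eq, lo, hi = m.groups()
            ports = [_port(eq)] if eq else list(range(_port(lo), _port(hi) + 1))
            acls[section[1]].append((action, proto, host, ports))
        elif section == ("pc", policy_class) and (m := DNAT_RE.match(line)):
            dnat.append((m.group(1), m.group(2), int(m.group(3)) if m.group(3) else None))
    forwards = []
    for acl, addr, override in dnat:
        for action, proto, host, ports in acls.get(acl, []):
            if action != "permit":
                continue  # a deny entry never triggers the NAT (the "eq www" denies above)
            for p in ports:
                forwards.append(Forward(host, proto, p, addr, override or p))
    return forwards


def same_subnet_targets(forwards, client_subnet):
    """Targets on the clients' own subnet. Their replies go straight back to the
    client without crossing the router, so a Private-zone nat destination alone
    cannot hairpin them: the client sent its SYN to the public IP and receives a
    SYN/ACK from the private one, and resets (192.168.2.202 on 192.168.2.0/24 here)."""
    net = ipaddress.ip_network(client_subnet)
    return sorted({f.internal_ip for f in forwards if ipaddress.ip_address(f.internal_ip) in net})


def hairpin_lines(forwards, moved, acl_prefix="hairpin"):
    """Private policy-class lines for the secondary-subnet workaround. `moved` maps a
    server's old LAN address to its new secondary-subnet address. One ACL per
    (target, port override) because each nat destination statement carries one
    address. Keep these above the `nat source list web-acl-7` catch-all: policy-class
    entries are evaluated in order, first match wins (assumed, as in Noor's example)."""
    groups = defaultdict(list)
    for f in forwards:
        if f.internal_ip in moved:
            override = f.internal_port if f.internal_port != f.public_port else None
            groups[(moved[f.internal_ip], override)].append(f)
    acl_lines, nat_stmts = [], []
    for i, ((new_ip, override), fwds) in enumerate(groups.items(), 1):
        name = "%s-%d" % (acl_prefix, i)
        acl_lines += ["ip access-list extended " + name, "remark LAN ---> %s via public IP" % new_ip]
        acl_lines += ["permit %s any host %s eq %d log" % (f.proto, f.public_ip, f.public_port) for f in fwds]
        acl_lines.append("!")
        nat_stmts.append("nat destination list %s address %s%s" % (name, new_ip, " port %d" % override if override else ""))
    return acl_lines + ["ip policy-class Private"] + nat_stmts + ["!"]


# Constructed sample: the web-acl-6 / web-acl-15 blocks and the Public DNAT lines
# from the posted config, masked octets kept as XXX.XXX.XXX.
SAMPLE_CONFIG = """\
ip access-list extended web-acl-15
remark Internet ---> TimeTre...
permit tcp any host XXX.XXX.XXX.164 eq 8085 log
!
ip access-list extended web-acl-6
remark Internet ---> STEWIE_E
deny tcp any host XXX.XXX.XXX.164 eq www log
permit tcp any host XXX.XXX.XXX.164 eq ssh log
permit tcp any host XXX.XXX.XXX.164 range 5900 5903 log
!
ip policy-class Public
nat destination list web-acl-6 address 192.168.2.202
nat destination list web-acl-15 address 192.168.2.202 port 80
!
"""

if __name__ == "__main__":
    fwds = parse_forwards(SAMPLE_CONFIG)
    for f in fwds:
        print("%s:%d -> %s:%d" % (f.public_ip, f.public_port, f.internal_ip, f.internal_port))
    print("cannot hairpin in place:", same_subnet_targets(fwds, "192.168.2.0/24"))
    print("\n".join(hairpin_lines(fwds, {"192.168.2.202": "192.168.3.202"})))
```

Run it against a saved `show running-config` instead of SAMPLE_CONFIG to get the full forward table. The generated ACLs match on the public IP only, so they do nothing for clients that reach the server by its private address, and they only help once the server has actually moved to the secondary subnet; for servers left on 192.168.2.0/24 the script lists them as targets that still need the split-DNS host entry instead.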
OK, I think I see where you are going with this. I will try this next time I am on site and will report back to the thread.
Thanks!
Red:
I went ahead and flagged this post as "Assumed Answered." If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Levi
Thanks, I have been unable to get out to the site where I need to test this. Once I do I will update the posting with my results.
I have been down the road of NAT reflection in the Adtran routers many times. I worked through my sales channel to try and get it in as a feature request. Last I spoke to them, while it was presented to the development team, it seemed that it wasn't going to be a feature added anytime soon.
Either setting up separate networks and using NAT between them or using an FQDN and host entries is the only real 'fix'. But it's really a workaround.
I finally made it to where I could attend to this issue. I went with vmaxdawg05's original suggestion of the domain and the hostname entries. It works, but I do agree with petersjncv that it feels like a workaround.