stephab
New Contributor II

We do not see the other Subnet, think it is the placement of the NAT statement. Please advise

Read a few conversations and the intervlan config PDF.

Having trouble seeing a subnet

I think it may be because the NAT statement is before the second intervlan statement

Here are the entries in question (in the order they appear in the current router config):

!

ip access-list extended web-acl-3

  remark InterVlan

  permit ip 172.16.0.0 0.0.0.255  10.0.0.0 0.255.255.255     log

!

ip access-list extended web-acl-4

  remark Traffic to unit

  permit ip any  any     log

!

ip access-list extended web-acl-5

  remark NAT

  permit ip any  any     log

!

ip access-list extended web-acl-6

  remark Intervlan

  permit ip 10.0.0.0 0.255.255.255  172.16.0.0 0.0.0.255     log

Is the NAT statement the reason why the 10.0.0.0 subnet cannot see the 172.16.0.0 subnet?

Should the web-acl-6 be moved above web-acl-5?

Please advise if additional info is required as well

First time using the support forum

Cheers

4 Replies
Anonymous
Not applicable

Re: We do not see the other Subnet, think it is the placement of the NAT statement. Please advise

Hi stephab:

Thanks for posting your question in the Support Community!  The part of your configuration you have shared includes access-lists (ACLs) only.  In AOS, ACLs merely match/identify traffic.  A firewall policy is required to take action (allow/discard/nat) traffic which has been matched by an ACL.

ACLs in a running-config are always listed alphabetically.  Their order has no bearing on the unit's firewall logic.  However, allow/discard/nat policies within policy-classes (security zones) are processed top-down.  For this reason, the web GUI includes green up/down arrows next to each policy; this may be the fastest way to reorder them.  In the CLI, you need to "no" each policy as necessary and re-enter them in the desired order.  Beware that this could disrupt traffic, or even break your access to the unit over the network, so be careful making these changes via CLI.

Will this be enough info to sort out your issue?  If you need further assistance, please include your policy-classes or consider attaching your entire config (edit first to remove any sensitive information like passwords, preshared keys and public IP addresses).

Best,

Chris

stephab
New Contributor II

Re: We do not see the other Subnet, think it is the placement of the NAT statement.  Please advise

Thank you for your reply Chris

Will have a look next visit with my client

Here is the config:

Another thing that is happening is all workstations are receiving a 10.0.0.0 address, but all essentials (servers, routers, switches) are using a 10.10.10.0 address.

Cannot ping anything unless I manually change my IP to a 10.10.10.0 address.

BUT, the only address I can ping in the 172.16 range is 172.16.0.1...nothing else.

Thanks

Cheers

Stephen

! ADTRAN, Inc. OS version R11.5.1.E

! Boot ROM version 13.03.00.SB

! Platform: NetVanta 3448, part number 1200821E1

! Serial number LBADTN1340AR695

!

!

hostname *******

enable password encrypted *************************

!

clock timezone -5-Eastern-Time

!

ip subnet-zero

ip classless

ip routing

ipv6 unicast-routing

!

!

domain-proxy

name-server 4.2.2.1 8.8.8.8

!

!

no auto-config

auto-config authname adtran encrypted password **************************

!

event-history on

no logging forwarding

logging forwarding priority-level info

no logging email

!

service password-encryption

!

username "admin" password encrypted "**************************************"

username "Adm1n" password encrypted "***************************************"

!

banner motd #

                ****** Important Banner Message ******

Enable and Telnet passwords are configured to "password".

HTTP and HTTPS default username is "admin" and password is "password".

Please change them immediately.

The switchport interfaces are enabled with an address of 10.10.10.1

Telnet, HTTP, and HTTPS access are also enabled.

To remove this message, while in configuration mode type "no banner motd".

                ****** Important Banner Message ******

#

!

!

ip firewall

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

no ip firewall alg sip

!

!

no dot11ap access-point-control

!

!

vlan 1

  name "Default"

!

vlan 2

  name "Data LAN"

!

vlan 3

  name "Voice LAN"

!

!

!

no ethernet cfm

!

interface eth 0/1

  description Internet Connection

  no ip address

  no shutdown

!

!

interface eth 0/2

  no ip address

  shutdown

!

!

!

interface switchport 0/1

  no shutdown

!

interface switchport 0/2

  no shutdown

  switchport access vlan 2

!

interface switchport 0/3

  no shutdown

  switchport access vlan 3

!

interface switchport 0/4

  no shutdown

  switchport access vlan 2

!

interface switchport 0/5

  no shutdown

  switchport access vlan 2

!

interface switchport 0/6

  no shutdown

  switchport access vlan 2

!

interface switchport 0/7

  no shutdown

  switchport access vlan 2

!

interface switchport 0/8

  no shutdown

  switchport access vlan 2

!

!

!

interface vlan 1

  ip address  192.168.0.1  255.255.255.0

  no shutdown

!

interface vlan 2

  description Data LAN

  ip address  10.10.10.3  255.0.0.0

  ip mtu 1500

  ip access-policy "Data LAN"

  media-gateway ip primary

  no shutdown

!

interface vlan 3

  description Voice LAN

  ip address  172.16.0.1  255.255.255.0

  ip mtu 1500

  ip access-policy "Voice LAN"

  no rtp quality-monitoring

  media-gateway ip primary

  no awcp

  no shutdown

!

interface ppp 1

  description Internet Connection

  ip address negotiated

  ip mtu 1500

  ip access-policy Public

  media-gateway ip primary

  no fair-queue

  ppp pap sent-username ********************** password encrypted *********************************

  no shutdown

  cross-connect 1 eth 0/1 ppp 1

!

!

!

!

!

!

ip access-list extended web-acl-1

  remark traffic to unit

  permit ip any  any     log

!

ip access-list extended web-acl-10

  remark ftp

  permit tcp any  any range ftp-data ftp   log

!

ip access-list extended web-acl-11

  remark http

  permit tcp any  any eq www   log

!

ip access-list extended web-acl-12

  remark imap

  permit tcp any  any eq 143   log

!

ip access-list extended web-acl-14

  remark smtp relay out

  permit tcp any  any eq 2525   log

!

ip access-list extended web-acl-15

  remark terminal

  permit tcp any  any eq 3389   log

!

ip access-list extended web-acl-16

  remark monitor 1

  permit tcp any  any eq 1121   log

!

ip access-list extended web-acl-17

  remark monitor 2

  permit tcp any  any eq 1122   log

!

ip access-list extended web-acl-18

  remark tmonitor

  permit tcp any  any eq 8020   log

!

ip access-list extended web-acl-19

  remark smonitor

  permit tcp any  any eq 8021   log

!

ip access-list extended web-acl-2

  remark NAT

  permit ip any  any     log

!

ip access-list extended web-acl-20

  remark xmonitor

  permit tcp any  any eq 8022   log

!

ip access-list extended web-acl-21

  remark bmonitor

  permit tcp any  any eq 8023   log

!

ip access-list extended web-acl-22

  remark DVR 1

  permit tcp any  any eq 8000   log

!

ip access-list extended web-acl-23

  remark DVR 2

  permit tcp any  any eq 100   log

!

ip access-list extended web-acl-24

  remark DVR 3

  permit tcp any  any eq 10554   log

!

ip access-list extended web-acl-25

  remark Alarm1

  permit tcp any  any range 3060 3065   log

!

ip access-list extended web-acl-26

  remark Alarm 69

  permit tcp any  any eq 69   log

!

ip access-list extended web-acl-27

  remark Phone system NEC

  permit tcp any  any eq 8888   log

!

ip access-list extended web-acl-29

  remark jonar

  permit tcp any  any eq 4389   log

!

ip access-list extended web-acl-3

  remark InterVlan

  permit ip 172.16.0.0 0.0.0.255  10.0.0.0 0.255.255.255     log

!

ip access-list extended web-acl-4

  remark Traffic to unit

  permit ip any  any     log

!

ip access-list extended web-acl-5

  remark NAT

  permit ip any  any     log

!

ip access-list extended web-acl-6

  remark Intervlan

  permit ip 10.0.0.0 0.255.255.255  172.16.0.0 0.0.0.255     log

!

ip access-list extended web-acl-7

  remark Admin

  permit tcp any  any eq https   log

  permit tcp any  any eq ssh   log

!

ip access-list extended web-acl-8

  remark pop3

  permit tcp any  any eq pop3   log

!

ip access-list extended web-acl-9

  remark smtp

  permit tcp any  any eq smtp   log

!

!

!

!

ip policy-class "Data LAN"

  allow list web-acl-1 self stateless

  allow list web-acl-3 stateless

  nat source list web-acl-2 interface ppp 1 overload policy Public

!

ip policy-class Public

  allow list web-acl-7 self

  nat destination list web-acl-8 address 10.10.10.7

  nat destination list web-acl-9 address 10.10.10.7

  nat destination list web-acl-10 address 10.10.10.21

  nat destination list web-acl-11 address 10.10.10.7

  nat destination list web-acl-12 address 10.10.10.7

  nat destination list web-acl-14 address 10.10.10.8

  nat destination list web-acl-15 address 10.10.10.9

  nat destination list web-acl-16 address 10.10.10.2

  nat destination list web-acl-17 address 10.10.10.5

  nat destination list web-acl-18 address 10.10.10.9

  nat destination list web-acl-19 address 10.10.10.2

  nat destination list web-acl-20 address 10.10.10.5

  nat destination list web-acl-21 address 10.10.10.15

  nat destination list web-acl-22 address 10.10.10.209

  nat destination list web-acl-23 address 10.10.10.209

  nat destination list web-acl-24 address 10.10.10.209

  nat destination list web-acl-25 address 10.10.10.239

  nat destination list web-acl-26 address 10.10.10.239

  nat destination list web-acl-27 address 172.16.0.10 port 8000

  nat destination list web-acl-29 address 10.10.10.5

!

ip policy-class "Voice LAN"

  allow list web-acl-4 self stateless

  allow list web-acl-6 stateless

  nat source list web-acl-5 interface ppp 1 overload

!

!

!

no tftp server

no tftp server overwrite

http server

http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

!

sip udp 5060

sip tcp 5060

!

!

!

!

line con 0

  login

!

line telnet 0 4

  login

  password encrypted **************************

  no shutdown

line ssh 0 4

  login local-userlist

  no shutdown

!

!

end

stephab
New Contributor II

Re: We do not see the other Subnet, think it is the placement of the NAT statement. Please advise

Update: when we connect the Voice LAN to the router, the VoIP phones do not work.  There is no 2-way traffic.

I noticed the permit ip statements were assigned to different security zones.

ip access-list extended web-acl-3 is assigned to Voice LAN security zone

ip access-list extended web-acl-6 is assigned to Data LAN security zone

Should I remove the association to the security zones?

Or should I add the reverse permit ip statement for each security zone?

Q: Does the security zone block traffic?

Example:

ip access-list extended web-acl-3  (assigned to security zone Data LAN)

  remark InterVlan

  permit ip 172.16.0.0 0.0.0.255  10.0.0.0 0.255.255.255     log

add a permit ip 10.0.0.0 0.255.255.255  172.16.0.0 0.0.0.255 to this security zone?

ip access-list extended web-acl-6

  remark Intervlan

  permit ip 10.0.0.0 0.255.255.255  172.16.0.0 0.0.0.255     log

add a permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.255.255.255 to this security zone?

stephab
New Contributor II

Re: We do not see the other Subnet, think it is the placement of the NAT statement.  Please advise

Issue has been resolved

Problem in the end was the intervlan routes pointing in one direction only under their respective security policies

Added the return route within each security policy

Was able to see voice and data traffic

Thank you for everyone's help in resolving the matter.
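As an added illustration of Chris's point about top-down policy-class processing and of the fix described in this final post, here is a small Python model of how the two policy-classes in the posted config treat inter-VLAN traffic. This is example code written for this thread, not ADTRAN code, and it simplifies AOS considerably: it ignores stateless/stateful handling, protocols and ports, treats "allow ... self" as matching only traffic addressed to one of the unit's own interface addresses (taken from the posted config), and assumes a packet that matches no policy entry hits an implicit discard. The fix is modelled as adding the reverse-direction allow (web-acl-6 to "Data LAN", web-acl-3 to "Voice LAN"), which is the change the posts above describe.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

AddrSpec = Tuple[str, str]                 # (base address, Cisco-style wildcard mask)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")

# Interface addresses of the unit, from the posted config. Used to model the
# "self" keyword: an "allow ... self" entry only covers traffic sent to the unit.
SELF_ADDRESSES = {"192.168.0.1", "10.10.10.3", "172.16.0.1"}


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """Wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    base, wildcard = spec
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


class Acl:
    """An extended ACL reduced to its 'permit ip <src> <dst>' entries."""

    def __init__(self, name: str, entries: List[Tuple[AddrSpec, AddrSpec]]):
        self.name, self.entries = name, entries

    def permits(self, src: str, dst: str) -> bool:
        return any(wildcard_match(src, s) and wildcard_match(dst, d)
                   for s, d in self.entries)


class PolicyEntry:
    """One line of an 'ip policy-class': the action, its ACL, and the 'self' flag."""

    def __init__(self, action: str, acl: Acl, self_only: bool = False):
        self.action, self.acl, self.self_only = action, acl, self_only

    def matches(self, src: str, dst: str) -> bool:
        if self.self_only and dst not in SELF_ADDRESSES:
            return False
        return self.acl.permits(src, dst)


def evaluate(policy: List[PolicyEntry], src: str, dst: str) -> Tuple[str, str]:
    """Top-down, first match wins (model assumption: no match = implicit discard)."""
    for entry in policy:
        if entry.matches(src, dst):
            return entry.action, entry.acl.name
    return "discard", "implicit"


# The ACLs from the posted config that the two zones reference (ip-level entries only).
ACL1 = Acl("web-acl-1", [(ANY, ANY)])
ACL2 = Acl("web-acl-2", [(ANY, ANY)])
ACL3 = Acl("web-acl-3", [(("172.16.0.0", "0.0.0.255"), ("10.0.0.0", "0.255.255.255"))])
ACL4 = Acl("web-acl-4", [(ANY, ANY)])
ACL5 = Acl("web-acl-5", [(ANY, ANY)])
ACL6 = Acl("web-acl-6", [(("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.0.0.255"))])


def original_policies() -> Dict[str, List[PolicyEntry]]:
    """Policy-classes exactly as ordered in the posted running-config."""
    return {
        "Data LAN": [PolicyEntry("allow", ACL1, self_only=True),
                     PolicyEntry("allow", ACL3),
                     PolicyEntry("nat", ACL2)],          # nat source ... interface ppp 1
        "Voice LAN": [PolicyEntry("allow", ACL4, self_only=True),
                      PolicyEntry("allow", ACL6),
                      PolicyEntry("nat", ACL5)],         # nat source ... interface ppp 1
    }


def fixed_policies() -> Dict[str, List[PolicyEntry]]:
    """Each zone also allows the reverse direction (the fix described in the thread)."""
    p = original_policies()
    p["Data LAN"].insert(2, PolicyEntry("allow", ACL6))   # 10/8 -> 172.16.0/24
    p["Voice LAN"].insert(2, PolicyEntry("allow", ACL3))  # 172.16.0/24 -> 10/8
    return p


def nat_before_allow() -> List[PolicyEntry]:
    """Same entries as the fixed Data LAN zone, but with the nat line moved up."""
    return [PolicyEntry("allow", ACL1, self_only=True),
            PolicyEntry("nat", ACL2),
            PolicyEntry("allow", ACL6)]


if __name__ == "__main__":
    for label, zones in (("original", original_policies()), ("fixed", fixed_policies())):
        print(label, "Data LAN  10.10.10.50 -> 172.16.0.10:",
              evaluate(zones["Data LAN"], "10.10.10.50", "172.16.0.10"))
        print(label, "Voice LAN 172.16.0.10 -> 10.10.10.50:",
              evaluate(zones["Voice LAN"], "172.16.0.10", "10.10.10.50"))
    print("nat listed before allow:", evaluate(nat_before_allow(), "10.10.10.50", "172.16.0.10"))
```

Run against the original ordering, the model reproduces what the thread reports: a data-VLAN host reaching 172.16.0.1 is covered by the "self" entry, while a packet to any other voice-VLAN host skips web-acl-3 (wrong direction), falls through to the any/any `nat source` line and is sent out ppp 1 instead of across the VLANs, and the reply from the voice side meets the same fate in its own zone. With the reverse allow added above the nat line in each zone, both directions are allowed; placing that allow below the nat line would change nothing, which is Chris's point that only the order within the policy-class matters, not the alphabetical order of the ACLs.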