Read a few conversations and the intervlan config PDF.
Having trouble seeing a subnet.
I think it may be because the NAT statement is before the second intervlan statement.
Here are the entries in question (in the order they appear in the current router config):
!
ip access-list extended web-acl-3
remark InterVlan
permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
!
ip access-list extended web-acl-4
remark Traffic to unit
permit ip any any log
!
ip access-list extended web-acl-5
remark NAT
permit ip any any log
!
ip access-list extended web-acl-6
remark Intervlan
permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.0.255 log
Is the NAT statement the reason why the 10.0.0.0 subnet cannot see the 172.16.0.0 subnet?
Should web-acl-6 be moved above web-acl-5?
Please advise if additional info is required as well.
First time using the support forum.
Cheers
Hi stephab:
Thanks for posting your question in the Support Community! The part of your configuration you have shared includes access-lists (ACLs) only. In AOS, ACLs merely match/identify traffic. A firewall policy is required to take action on (allow/discard/nat) traffic which has been matched by an ACL.
ACLs in a running-config are always listed alphabetically. Their order has no bearing on the unit's firewall logic. However, allow/discard/nat policies within policy-classes (security zones) are processed top-down. For this reason, the web GUI includes green up/down arrows next to each policy; this may be the fastest way to reorder them. In the CLI, you need to "no" each policy as necessary and re-enter them in the desired order. Beware that this could disrupt traffic, or even break your access to the unit over the network, so be careful making these changes via CLI.
Will this be enough info to sort out your issue? If you need further assistance, please include your policy-classes or consider attaching your entire config (edit first to remove any sensitive information like passwords, preshared keys and public IP addresses).
Best,
Chris
Thank you for your reply, Chris.
Will have a look next visit with my client.
Here is the config:
Another thing that is happening is all workstations are receiving a 10.0.0.0 address, but all essentials (servers, routers, switches) are using a 10.10.10.0 address.
Cannot ping anything unless I manually change my IP to a 10.10.10.0 address.
BUT the only address I can ping in the 172.16 range is 172.16.0.1... nothing else.
Thanks
Cheers
Stephen
! ADTRAN, Inc. OS version R11.5.1.E
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448, part number 1200821E1
! Serial number LBADTN1340AR695
!
!
hostname *******
enable password encrypted *************************
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
domain-proxy
name-server 4.2.2.1 8.8.8.8
!
!
no auto-config
auto-config authname adtran encrypted password **************************
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
service password-encryption
!
username "admin" password encrypted "**************************************"
username "Adm1n" password encrypted "***************************************"
!
banner motd #
****** Important Banner Message ******
Enable and Telnet passwords are configured to "password".
HTTP and HTTPS default username is "admin" and password is "password".
Please change them immediately.
The switchport interfaces are enabled with an address of 10.10.10.1
Telnet, HTTP, and HTTPS access are also enabled.
To remove this message, while in configuration mode type "no banner motd".
****** Important Banner Message ******
#
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
!
no dot11ap access-point-control
!
!
vlan 1
name "Default"
!
vlan 2
name "Data LAN"
!
vlan 3
name "Voice LAN"
!
!
!
no ethernet cfm
!
interface eth 0/1
description Internet Connection
no ip address
no shutdown
!
!
interface eth 0/2
no ip address
shutdown
!
!
!
interface switchport 0/1
no shutdown
!
interface switchport 0/2
no shutdown
switchport access vlan 2
!
interface switchport 0/3
no shutdown
switchport access vlan 3
!
interface switchport 0/4
no shutdown
switchport access vlan 2
!
interface switchport 0/5
no shutdown
switchport access vlan 2
!
interface switchport 0/6
no shutdown
switchport access vlan 2
!
interface switchport 0/7
no shutdown
switchport access vlan 2
!
interface switchport 0/8
no shutdown
switchport access vlan 2
!
!
!
interface vlan 1
ip address 192.168.0.1 255.255.255.0
no shutdown
!
interface vlan 2
description Data LAN
ip address 10.10.10.3 255.0.0.0
ip mtu 1500
ip access-policy "Data LAN"
media-gateway ip primary
no shutdown
!
interface vlan 3
description Voice LAN
ip address 172.16.0.1 255.255.255.0
ip mtu 1500
ip access-policy "Voice LAN"
no rtp quality-monitoring
media-gateway ip primary
no awcp
no shutdown
!
interface ppp 1
description Internet Connection
ip address negotiated
ip mtu 1500
ip access-policy Public
media-gateway ip primary
no fair-queue
ppp pap sent-username ********************** password encrypted *********************************
no shutdown
cross-connect 1 eth 0/1 ppp 1
!
!
!
!
!
!
ip access-list extended web-acl-1
remark traffic to unit
permit ip any any log
!
ip access-list extended web-acl-10
remark ftp
permit tcp any any range ftp-data ftp log
!
ip access-list extended web-acl-11
remark http
permit tcp any any eq www log
!
ip access-list extended web-acl-12
remark imap
permit tcp any any eq 143 log
!
ip access-list extended web-acl-14
remark smtp relay out
permit tcp any any eq 2525 log
!
ip access-list extended web-acl-15
remark terminal
permit tcp any any eq 3389 log
!
ip access-list extended web-acl-16
remark monitor 1
permit tcp any any eq 1121 log
!
ip access-list extended web-acl-17
remark monitor 2
permit tcp any any eq 1122 log
!
ip access-list extended web-acl-18
remark tmonitor
permit tcp any any eq 8020 log
!
ip access-list extended web-acl-19
remark smonitor
permit tcp any any eq 8021 log
!
ip access-list extended web-acl-2
remark NAT
permit ip any any log
!
ip access-list extended web-acl-20
remark xmonitor
permit tcp any any eq 8022 log
!
ip access-list extended web-acl-21
remark bmonitor
permit tcp any any eq 8023 log
!
ip access-list extended web-acl-22
remark DVR 1
permit tcp any any eq 8000 log
!
ip access-list extended web-acl-23
remark DVR 2
permit tcp any any eq 100 log
!
ip access-list extended web-acl-24
remark DVR 3
permit tcp any any eq 10554 log
!
ip access-list extended web-acl-25
remark Alarm1
permit tcp any any range 3060 3065 log
!
ip access-list extended web-acl-26
remark Alarm 69
permit tcp any any eq 69 log
!
ip access-list extended web-acl-27
remark Phone system NEC
permit tcp any any eq 8888 log
!
ip access-list extended web-acl-29
remark jonar
permit tcp any any eq 4389 log
!
ip access-list extended web-acl-3
remark InterVlan
permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
!
ip access-list extended web-acl-4
remark Traffic to unit
permit ip any any log
!
ip access-list extended web-acl-5
remark NAT
permit ip any any log
!
ip access-list extended web-acl-6
remark Intervlan
permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.0.255 log
!
ip access-list extended web-acl-7
remark Admin
permit tcp any any eq https log
permit tcp any any eq ssh log
!
ip access-list extended web-acl-8
remark pop3
permit tcp any any eq pop3 log
!
ip access-list extended web-acl-9
remark smtp
permit tcp any any eq smtp log
!
!
!
!
ip policy-class "Data LAN"
allow list web-acl-1 self stateless
allow list web-acl-3 stateless
nat source list web-acl-2 interface ppp 1 overload policy Public
!
ip policy-class Public
allow list web-acl-7 self
nat destination list web-acl-8 address 10.10.10.7
nat destination list web-acl-9 address 10.10.10.7
nat destination list web-acl-10 address 10.10.10.21
nat destination list web-acl-11 address 10.10.10.7
nat destination list web-acl-12 address 10.10.10.7
nat destination list web-acl-14 address 10.10.10.8
nat destination list web-acl-15 address 10.10.10.9
nat destination list web-acl-16 address 10.10.10.2
nat destination list web-acl-17 address 10.10.10.5
nat destination list web-acl-18 address 10.10.10.9
nat destination list web-acl-19 address 10.10.10.2
nat destination list web-acl-20 address 10.10.10.5
nat destination list web-acl-21 address 10.10.10.15
nat destination list web-acl-22 address 10.10.10.209
nat destination list web-acl-23 address 10.10.10.209
nat destination list web-acl-24 address 10.10.10.209
nat destination list web-acl-25 address 10.10.10.239
nat destination list web-acl-26 address 10.10.10.239
nat destination list web-acl-27 address 172.16.0.10 port 8000
nat destination list web-acl-29 address 10.10.10.5
!
ip policy-class "Voice LAN"
allow list web-acl-4 self stateless
allow list web-acl-6 stateless
nat source list web-acl-5 interface ppp 1 overload
!
!
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
sip udp 5060
sip tcp 5060
!
!
!
!
line con 0
login
!
line telnet 0 4
login
password encrypted **************************
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
end
Update: when we connect the Voice LAN to the router, the VoIP phones do not work. There is no two-way traffic.
I noticed the permit ip statements were assigned to different security zones.
ip access-list extended web-acl-3 is assigned to Voice LAN security zone
ip access-list extended web-acl-6 is assigned to Data LAN security zone
Should I remove the association to the security zones?
Or should I add the reverse permit ip statement for each security zone?
Q: Does the security zone block traffic?
Example:
ip access-list extended web-acl-3 (assigned to security zone Data LAN)
remark InterVlan
permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
Add a permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.0.255 to this security zone?
ip access-list extended web-acl-6
remark Intervlan
permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.0.255 log
Add a permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.255.255.255 to this security zone?
Issue has been resolved.
Problem in the end was the intervlan routes pointing in one direction only under their respective security policies.
Added the return route within each security policy.
Was able to see voice and data traffic.
Thank you for everyone's help in resolving the matter.
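As an added example (not ADTRAN code and not anything posted in the thread), the following Python model shows the two points this thread turns on: Chris's explanation that ACLs only match traffic while the allow/discard/nat entries inside a policy-class are walked top-down, and the resolution that each zone needed its own return entry. It builds the six inter-VLAN-related ACLs and the two LAN policy-classes exactly as posted, evaluates a workstation-to-phone flow in both directions before and after the fix, and also shows what happens when the new allow entry is appended below the catch-all nat entry instead of above it. Assumptions made for the model: the `self` keyword only matches traffic addressed to the unit's own interface addresses; a nat entry carrying a `policy <zone>` qualifier applies only to traffic bound for that zone, while one without it applies to any destination; traffic matching no entry is discarded; the ACL names `intervlan-from-data`/`intervlan-from-voice` and the host addresses 10.10.10.50 and 172.16.0.10 are constructed.

```python
"""Constructed model of top-down policy-class evaluation (added example, not AOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class AclEntry:
    """One 'permit ip <src> <wildcard> <dst> <wildcard>' line."""
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str

    def matches(self, src: str, dst: str) -> bool:
        # In a wildcard mask a 1 bit means "don't care"; invert it to get the bits that must match.
        src_care = ~_ip(self.src_wild) & 0xFFFFFFFF
        dst_care = ~_ip(self.dst_wild) & 0xFFFFFFFF
        return ((_ip(src) & src_care) == (_ip(self.src_net) & src_care)
                and (_ip(dst) & dst_care) == (_ip(self.dst_net) & dst_care))


ANY = AclEntry("0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")
VOICE_TO_DATA = AclEntry("172.16.0.0", "0.0.0.255", "10.0.0.0", "0.255.255.255")  # web-acl-3
DATA_TO_VOICE = AclEntry("10.0.0.0", "0.255.255.255", "172.16.0.0", "0.0.0.255")  # web-acl-6

# ACLs as posted. Their order here (or in the running-config) plays no part in
# evaluation; only the order of entries inside a policy-class does.
ACLS = {
    "web-acl-1": [ANY], "web-acl-2": [ANY], "web-acl-3": [VOICE_TO_DATA],
    "web-acl-4": [ANY], "web-acl-5": [ANY], "web-acl-6": [DATA_TO_VOICE],
}

UNIT_ADDRS = {"10.10.10.3", "172.16.0.1", "192.168.0.1"}  # the unit's own VLAN addresses


@dataclass
class Policy:
    action: str                      # "allow", "discard" or "nat"
    acl: str
    self_only: bool = False          # 'self' keyword: only traffic addressed to the unit (assumption)
    dest_zone: Optional[str] = None  # 'policy <zone>' on a nat entry: only traffic bound for that zone (assumption)


def evaluate(policies, src, dst, dst_zone):
    """Walk one policy-class top-down; the first matching entry decides.
    Assumption: traffic matching no entry is discarded."""
    for pol in policies:
        if pol.self_only and dst not in UNIT_ADDRS:
            continue
        if pol.dest_zone is not None and pol.dest_zone != dst_zone:
            continue
        if any(entry.matches(src, dst) for entry in ACLS[pol.acl]):
            return pol.action, pol.acl
    return "discard", None


# The two LAN zones exactly as posted (before the fix).
DATA_LAN_BEFORE = [
    Policy("allow", "web-acl-1", self_only=True),
    Policy("allow", "web-acl-3"),
    Policy("nat", "web-acl-2", dest_zone="Public"),
]
VOICE_LAN_BEFORE = [
    Policy("allow", "web-acl-4", self_only=True),
    Policy("allow", "web-acl-6"),
    Policy("nat", "web-acl-5"),
]

# The fix as described in the resolution: a return entry in each zone, placed
# above the catch-all nat entry so the top-down walk reaches it. ACL names are constructed.
ACLS["intervlan-from-data"] = [DATA_TO_VOICE]
ACLS["intervlan-from-voice"] = [VOICE_TO_DATA]
DATA_LAN_AFTER = DATA_LAN_BEFORE[:2] + [Policy("allow", "intervlan-from-data")] + DATA_LAN_BEFORE[2:]
VOICE_LAN_AFTER = VOICE_LAN_BEFORE[:2] + [Policy("allow", "intervlan-from-voice")] + VOICE_LAN_BEFORE[2:]

# The same return entry, but appended *below* the catch-all nat entry: the ordering mistake Chris warns about.
VOICE_LAN_MISORDERED = VOICE_LAN_BEFORE + [Policy("allow", "intervlan-from-voice")]

WORKSTATION, PHONE = "10.10.10.50", "172.16.0.10"  # constructed hosts on Data LAN / Voice LAN


def intervlan(data_lan, voice_lan):
    """Action taken on each direction of a workstation <-> phone flow."""
    return {
        "data->voice": evaluate(data_lan, WORKSTATION, PHONE, "Voice LAN")[0],
        "voice->data": evaluate(voice_lan, PHONE, WORKSTATION, "Data LAN")[0],
    }


if __name__ == "__main__":
    print("before:    ", intervlan(DATA_LAN_BEFORE, VOICE_LAN_BEFORE))
    print("after:     ", intervlan(DATA_LAN_AFTER, VOICE_LAN_AFTER))
    print("misordered:", intervlan(DATA_LAN_AFTER, VOICE_LAN_MISORDERED))
    # The one 172.16 address reachable from the Data LAN before the fix is the unit's own
    # interface, because web-acl-1 with 'self' matches it before anything else is consulted.
    print("ping 172.16.0.1 from data:", evaluate(DATA_LAN_BEFORE, WORKSTATION, "172.16.0.1", "Voice LAN"))
```

Under these assumptions the model reproduces the symptoms reported in the thread: before the fix, Data LAN traffic to a phone matches nothing in the "Data LAN" zone (web-acl-3 describes the opposite direction) and is discarded, while the only 172.16 address a workstation can reach is 172.16.0.1 via the `self` entry; with the return entry placed above the nat entry in each zone, both directions are allowed. The misordered variant shows why the placement matters: the catch-all `nat source list web-acl-5` entry matches first and the allow below it is never reached.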