Hello, I have a TA924 providing PRI and analog services and I wanted to add the ability to also use the TA as a Router/Firewall. I have been trying to get it working but so far no luck. Currently I have eth 0/1 connected to my internet connection and eth 0/2 for my LAN on 10.1.88.1. I also have a secondary IP on eth 0/2 as 192.168.88.1. Not sure how to pass traffic to the internet.
Any help would be greatly appreciated.
Are you using the setup wizard or the CLI? I'd recommend creating VLANs on subinterfaces of eth 0/2 rather than secondary IPs. A copy of the configuration and a summary of what is and isn't working would help.
The basic idea is to create firewall security zones for Public and Private and NAT the private to the Public interface with overload.
Jayh,
Thank you for your response. My current config is working for my PRI and analog fax lines. I actually really only need 1 LAN subnet, but point taken about the VPN. At this point what I am trying to do is put an IP PBX behind the Adtran to replace the system with the PRI. I was watching some videos last night regarding an SBC setup, but I imagine that requires a working LAN setup. I am using the CLI but I will use whatever works! I tried duplicating your post from "Router is up/up but can't connect to Internet from LAN", substituting interface ppp 1 for eth 0/1, with no success. I also found some similar posts as well, with no success. I did see the ease of using the firewall wizard; I was just paranoid it would mess up more working config and I would lose voice altogether. Any help pointing me in the correct direction would be great!
!
!
! ADTRAN, Inc. OS version R10.9.5.E
! Boot ROM version R10.9.3.B1
! Platform: Total Access 900e (3rd Gen), part number 4243924F1
! Serial number CFG1363988
!
clock timezone -8
!
ip subnet-zero
ip classless
ip default-gateway 100.100.100.10
ip routing
ipv6 unicast-routing
!
!
name-server 8.8.8.8
!
!
auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
!
!
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
interface eth 0/1
description WAN
ip address 100.100.100.1 255.255.255.248
media-gateway ip primary
no shutdown
!
!
interface eth 0/2
description LAN
ip address 10.1.88.1 255.255.255.0
no awcp
no shutdown
!
!
!
interface gigabit-eth 0/1
shutdown
!
!
!
!
interface t1 0/1
shutdown
!
interface t1 0/2
shutdown
!
interface t1 0/3
lbo short 15
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface t1 0/4
shutdown
!
!
interface pri 1
isdn name-delivery proceeding
connect t1 0/3 tdm-group 1
digits-transferred 4
no shutdown
!
!
interface fxs 0/1
impedance 600r
no shutdown
!
interface fxs 0/2
no shutdown
!
interface fxs 0/3
no shutdown
!
interface fxs 0/4
no shutdown
!
interface fxs 0/5
no shutdown
!
interface fxs 0/6
no shutdown
!
interface fxs 0/7
no shutdown
!
interface fxs 0/8
no shutdown
!
interface fxs 0/9
no shutdown
!
interface fxs 0/10
no shutdown
!
interface fxs 0/11
no shutdown
!
interface fxs 0/12
no shutdown
!
interface fxs 0/13
no shutdown
!
interface fxs 0/14
no shutdown
!
interface fxs 0/15
no shutdown
!
interface fxs 0/16
no shutdown
!
interface fxs 0/17
no shutdown
!
interface fxs 0/18
no shutdown
!
interface fxs 0/19
no shutdown
!
interface fxs 0/20
no shutdown
!
interface fxs 0/21
no shutdown
!
interface fxs 0/22
no shutdown
!
interface fxs 0/23
no shutdown
!
interface fxs 0/24
no shutdown
!
!
isdn-group 1
connect pri 1
!
ip access-list standard mgmt-allow-list
permit host X.X.X.X
!
ip access-list standard sip-allow-list
permit hostname X.X.X
permit host X.X.X.X
!
!
ip route 0.0.0.0 0.0.0.0 100.100.100.1
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
sip
sip udp 5060
no sip tcp
!
voice feature-mode network
voice forward-mode network
!
voice dial-plan 2 long-distance 1-NXX-NXX-XXXX
!
voice codec-list VOICE
default
codec g711ulaw
!
voice codec-list FAX
codec g711ulaw
!
voice trunk T01 type sip
description "SIP"
match dnis "91-NXX-NXX-XXXX" substitute "1-NXX-NXX-XXXX"
match dnis "9NXX-XXXX" substitute "1-555-NXX-XXXX"
match dnis "NXX-NXX-XXXX" substitute "1-NXX-NXX-XXXX"
match dnis "NXX-XXXX" substitute "1-555-NXX-XXXX"
sip-server primary X.X.X.X
registrar primary X.X.X.X
domain "X.X.X.X"
register XXXXX auth-name "XXX" password "XXXXX"
codec-list VOICE both
authentication username "XXX" password "XXXXX"
!
voice trunk T02 type isdn
description "DSX-1"
resource-selection linear ascending
connect isdn-group 1
no early-cut-through
match dnis "1800XXX" substitute "XXX"
match dnis "1844XXXX" substitute "XXX"
rtp delay-mode adaptive
codec-list VOICE
!
!
voice grouped-trunk SIP
trunk T01
accept $ cost 0
!
!
voice grouped-trunk ISDN
trunk T02
accept XXXXXXX cost 0
!
!
!
!
voice user 1001
connect fxs 0/1
description "COM1"
modem-passthrough
codec-list VOICE
!
!
voice user 1002
connect fxs 0/2
description "COM2"
caller-id-override external-number XXXX
modem-passthrough
codec-list VOICE
!
!
voice user 1003
connect fxs 0/3
caller-id-override external-number XXXX
modem-passthrough
codec-list VOICE
!
!
voice user 1004
connect fxs 0/4
caller-id-override external-number XXXX
did "XXXX"
modem-passthrough
codec-list VOICE
!
!
voice user 1005
connect fxs 0/5
modem-passthrough
codec-list VOICE
!
!
voice user 1006
connect fxs 0/6
modem-passthrough
codec-list VOICE
!
!
voice user 1007
modem-passthrough
codec-list VOICE
!
!
voice user 1008
modem-passthrough
codec-list VOICE
!
!
voice user 1009
modem-passthrough
codec-list VOICE
!
voice user 1010
modem-passthrough
codec-list VOICE
!
!
sip access-class ip "sip-allow-list" in
!
line con 0
no login
!
line telnet 0 4
login local-userlist
password password
shutdown
ip access-class mgmt-allow-list in
line ssh 0 4
login local-userlist
no shutdown
ip access-class mgmt-allow-list in
!
end
See added config in bold:
!
interface eth 0/1
description WAN
ip address 100.100.100.1 255.255.255.248
media-gateway ip primary
ip access-policy Public
no shutdown
!
!
interface eth 0/2
description LAN
ip address 10.1.88.1 255.255.255.0
no awcp
ip access-policy Private
no shutdown
!
!
ip access-list standard allow-all
remark allow all traffic
permit any
!
!
ip policy-class Public
allow list allow-all self
!
!
ip policy-class Private
nat source list allow-all interface ethernet 0/1 overload policy Public
allow list allow-all self
!
!
! Note, you have both ip default-gateway 100.100.100.10 and ip route 0.0.0.0 0.0.0.0 100.100.100.1 in your configuration. Remove the ip default-gateway and change ip route 0.0.0.0 0.0.0.0 w.x.y.z to point to your ISP side of the WAN link, not your own interface. Then configure:
ip firewall
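As an added example (not from this thread and not ADTRAN's own tooling), a small Python linter that checks a pasted AOS-style config for the points raised above: a conflicting ip default-gateway alongside a 0.0.0.0/0 ip route, a default route whose next hop is the router's own interface address rather than the ISP side, and, once ip firewall is enabled, routed Ethernet interfaces with no ip access-policy (which would leave them outside the Public/Private zone and NAT model). The config text is constructed from the thread; the parser assumes AOS conventions of stanzas terminated by a bare "!".

```python
import re

# Constructed sample modelled on the thread, not a real device dump.
SAMPLE_CONFIG = """\
ip default-gateway 100.100.100.10
ip firewall
!
interface eth 0/1
 ip address 100.100.100.1 255.255.255.248
 ip access-policy Public
 no shutdown
!
interface eth 0/2
 ip address 10.1.88.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 100.100.100.1
"""

def parse(config):
    """Split an AOS-style config into global lines and per-interface stanzas."""
    globals_, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line[len("interface "):]
            ifaces[cur] = []
        elif line == "!":          # bare "!" closes the current stanza
            cur = None
        elif cur is not None:
            ifaces[cur].append(line)
        elif line:
            globals_.append(line)
    return globals_, ifaces

def lint(config):
    """Return findings for the routing and firewall-zone issues discussed in the thread."""
    globals_, ifaces = parse(config)
    findings, own_ips, next_hops = [], set(), []
    for body in ifaces.values():
        for m in (re.match(r"ip address (\S+) \S+", l) for l in body):
            if m:
                own_ips.add(m.group(1))
    for l in globals_:
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", l)
        if m:
            next_hops.append(m.group(1))
    if next_hops and any(l.startswith("ip default-gateway") for l in globals_):
        findings.append("both ip default-gateway and a 0.0.0.0/0 ip route are configured")
    for nh in next_hops:
        if nh in own_ips:
            findings.append(f"default route next hop {nh} is a local address, not the ISP side")
    if "ip firewall" in globals_:
        for name, body in ifaces.items():
            # Only live routed Ethernet ports matter; shut ports and voice ports are skipped.
            if not name.startswith(("eth", "gigabit-eth")) or "shutdown" in body:
                continue
            if not any(l.startswith("ip access-policy") for l in body):
                findings.append(f"interface {name}: ip firewall is on but no ip access-policy applied")
    return findings
```

Running lint(SAMPLE_CONFIG) reports three findings; once the default-gateway line is removed, the route points at the ISP address and eth 0/2 gets ip access-policy Private, it reports none.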
Jayh,
Thank you, I was able to borrow an Adtran that was not in production to do some testing. Using the firewall wizard and setting up the route tables, exactly what you were saying, I had success!!!
When using the Adtran for both Voice and Data services, how will the rules we just implemented affect the PRI and Analog Lines on my production system, if at all?
Thanks for your suggestions
From a routing standpoint, they won't be affected. It's possible that the LAN data users can negatively impact voice call quality if they saturate the link to your ISP. You can apply quality of service rules to prioritize voice traffic if needed. That's a separate discussion.
Jayh,
I went ahead and used the firewall wizard; after applying it I could make outbound calls but lost inbound calls?
Jayh,
I think the Firewall wizard may have overwritten my ACLs. Started over with the CLI and I now can access the internet from the LAN.