Hi all. I'm trying to port forward on a 908e, but it is not working. Below is the config. I would appreciate any help.
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
interface eth 0/1
description WAN interface
speed 100
ip address 74.8.x.x 255.255.255.252
ip address 63.x.x.162 255.255.255.248 secondary
access-policy OUTSIDE
ip access-group NOSPOOF in
ip flow ingress
ip flow egress
no shutdown
interface eth 0/2
description LAN interface
ip address 192.168.0.1 255.255.255.0
no ip proxy-arp
access-policy INSIDE
no shutdown
ip access-list standard MGDR_TELNET
remark Telnet Access List
permit 64.x.x.0 0.0.0.31
permit 64.x.x.0 0.0.3.255
permit 64.x.x.0 0.0.3.255
permit 207.x.x.192 0.0.0.7
permit 205.x.x.0 0.0.0.255
permit host 63.x.x.86
permit host 216.x.x.86
permit 74.8.x.x 0.0.0.3
permit 64.206.x.x 0.0.0.3
!
ip access-list extended NAT
permit ip host 192.168.0.128 any
permit ip host 192.168.0.155 any
permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended NOSPOOF
deny 53 any any
deny 55 any any
deny 77 any any
deny 103 any any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 7.255.255.255 any
deny ip host 0.0.0.0 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 63.x.x.160 0.0.0.7 any
permit ip any any
ip access-list extended PAT01
permit tcp any host 63.x.x.162 eq 1723
permit tcp any host 63.x.x.162 eq 3389
permit gre any host 63.x.x.162
permit udp any host 63.x.x.162 eq 1723
!
ip access-list extended PAT02
permit tcp any host 63.x.x.162 eq 143
permit tcp any host 63.x.x.162 eq pop3
permit tcp any host 63.x.x.162 eq https
permit tcp any host 63.x.x.162 eq smtp
permit udp any host 63.x.x.162 eq 25
!
ip access-list extended PAT03
permit tcp any host 63.x.x.162 eq 4000
!
ip access-list extended PAT04
permit tcp any host 63.x.x.162 eq 8245
permit tcp any host 63.x.x.162 eq 9010
permit tcp any host 63.x.x.162 eq 9011
!
ip access-list extended PAT05
permit tcp any host 63.x.x.162 eq 9898
!
ip access-list extended SELF
permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
ip access-list extended SMTP_OUT
permit tcp host 192.168.0.3 any eq smtp
permit udp host 192.168.0.3 any eq 25
ip policy-class INSIDE
allow list SELF
nat source list SMTP_OUT address 63.x.x.162 overload
nat source list NAT interface eth 0/1 overload
!
ip policy-class OUTSIDE
allow list MGDR_TELNET
nat destination list PAT01 address 192.168.0.2
nat destination list PAT03 address 192.168.0.15
nat destination list PAT04 address 192.168.0.10
nat destination list PAT05 address 192.168.0.50
nat destination list PAT02 address 192.168.0.3
Tonycaf,
Thanks for posting! There are a couple of things I would check first as potential problems. First, given your configuration, you would not be able to test the port forward from any device matching the MGDR_TELNET ACL. Since this is a standard ACL, it will match all traffic from those sources and not allow any other rules to be checked. If you suspect this is the problem, you may want to consider making MGDR_TELNET an extended ACL that specifies just the specific protocols used for management. Alternatively, you could move that rule, "allow list MGDR_TELNET", to the bottom of the list of rules. Generally speaking, you want your more specific rules at the top of your list and the most general rules at the bottom.
Another thing to always check is to make sure that the devices on the LAN, 192.168.0.0/24, are using the Adtran unit's LAN IP address as their default gateway. We want to make sure that return traffic goes through the Adtran unit. Lastly, to check the behavior of any session/flow through the firewall, we can use the "show ip policy-sessions" command. This will show us if traffic has been allowed through the unit and if any IP address translation has taken place.
Feel free to respond to this thread if you have any further questions.
Thanks!
David
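The rule-ordering behaviour David describes (the OUTSIDE policy-class is walked top-down and the first rule whose ACL permits the packet wins, so a standard-ACL "allow" at the top swallows the forwarded ports for management sources) can be reproduced with a small model. The code below is an added example for this thread, not the poster's configuration or Adtran AOS code: the addresses are constructed documentation-range stand-ins for the masked values in the post, and the lookup semantics (first-match ACL, a deny or no match skips that policy-class rule, implicit discard at the end) are the assumptions of the model.

```python
"""Model of policy-class evaluation: rules are checked top-down, first match wins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "gre", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: Net
    dst: Net              # standard ACLs only look at the source, so dst is ANY
    dport: Optional[int] = None   # None = any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def standard(*srcs: str) -> list[Entry]:
    """Standard ACL: permits by source only, any protocol, any destination, any port."""
    return [Entry("permit", "ip", Net(s), ANY) for s in srcs]


def acl_permits(acl: list[Entry], p: Packet) -> bool:
    """ACL lookup is first-match; a deny hit or no hit means the policy-class
    rule that references this ACL is skipped and the next rule is tried (assumed)."""
    for e in acl:
        if e.matches(p):
            return e.action == "permit"
    return False


def evaluate(policy_class, p: Packet):
    """Return (action, nat_target) of the first rule whose ACL permits p;
    no rule matching means an implicit discard."""
    for action, acl, target in policy_class:
        if acl_permits(acl, p):
            return action, target
    return "discard", None


# Constructed stand-ins for the masked addresses in the post.
PUBLIC = "198.51.100.162"          # plays the role of 63.x.x.162
PUB = Net(PUBLIC + "/32")
MGMT_NET = "203.0.113.0/29"        # plays the role of one 64.x.x.0 management range

MGDR_TELNET = standard(MGMT_NET, "203.0.113.86/32")
PAT01 = [Entry("permit", "tcp", ANY, PUB, 1723), Entry("permit", "tcp", ANY, PUB, 3389),
         Entry("permit", "gre", ANY, PUB), Entry("permit", "udp", ANY, PUB, 1723)]
PAT02 = [Entry("permit", "tcp", ANY, PUB, port) for port in (143, 110, 443, 25)]
PAT03 = [Entry("permit", "tcp", ANY, PUB, 4000)]
PAT04 = [Entry("permit", "tcp", ANY, PUB, port) for port in (8245, 9010, 9011)]
PAT05 = [Entry("permit", "tcp", ANY, PUB, 9898)]
# Extended alternative: only the management protocols themselves, to the unit's address.
MGMT_EXTENDED = [Entry("permit", "tcp", Net(MGMT_NET), PUB, 23),
                 Entry("permit", "tcp", Net(MGMT_NET), PUB, 22)]

AS_POSTED = [("allow", MGDR_TELNET, None),
             ("nat destination", PAT01, "192.168.0.2"),
             ("nat destination", PAT03, "192.168.0.15"),
             ("nat destination", PAT04, "192.168.0.10"),
             ("nat destination", PAT05, "192.168.0.50"),
             ("nat destination", PAT02, "192.168.0.3")]
REORDERED = AS_POSTED[1:] + AS_POSTED[:1]                 # allow rule moved to the bottom
WITH_EXTENDED = [("allow", MGMT_EXTENDED, None)] + AS_POSTED[1:]

RDP_FROM_MGMT = Packet("tcp", "203.0.113.5", PUBLIC, 3389)
RDP_FROM_INTERNET = Packet("tcp", "192.0.2.10", PUBLIC, 3389)
TELNET_FROM_MGMT = Packet("tcp", "203.0.113.5", PUBLIC, 23)
SSH_FROM_INTERNET = Packet("tcp", "192.0.2.10", PUBLIC, 22)

if __name__ == "__main__":
    for name, pc in (("as posted", AS_POSTED), ("reordered", REORDERED), ("extended", WITH_EXTENDED)):
        for pkt in (RDP_FROM_MGMT, RDP_FROM_INTERNET, TELNET_FROM_MGMT, SSH_FROM_INTERNET):
            print(f"{name:10} {pkt.src:>12} -> :{pkt.dport:<5} {evaluate(pc, pkt)}")
```

With the rules as posted, the RDP test from a management address hits the standard-ACL allow first and is passed untranslated (so the port scan from that host sees nothing forwarded); with the allow rule at the bottom, or with an extended ACL limited to the management ports, the same packet reaches PAT01 and is translated to 192.168.0.2. A packet from a non-management source is forwarded in every ordering, and a port no list covers is discarded.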
Thank you David, that helped. I was able to put "allow list MGDR_TELNET" at the bottom of the list of rules and that resolved the issue. I also did a port scan against that IP address and it showed the ports as open.