Support
Community

Anonymous · ‎10-04-2012

Hi all. Trying to port forward in a 908e. But is not working.. Below is the config. Would appreciate any help

ip firewall

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

interface eth 0/1

description WAN interface

speed 100

ip address 74.8.x.x 255.255.255.252

ip address 63.x.x.162 255.255.255.248 secondary

access-policy OUTSIDE

ip access-group NOSPOOF in

ip flow ingress

ip flow egress

no shutdown

interface eth 0/2

description LAN interface

ip address 192.168.0.1 255.255.255.0

no ip proxy-arp

access-policy INSIDE

no shutdown

ip access-list standard MGDR_TELNET

remark Telnet Access List

permit 64.x.x.0 0.0.0.31

permit 64.x.x.0 0.0.3.255

permit 207.x.x.192 0.0.0.7

permit 205.x.x.0 0.0.0.255

permit host 63.x.x.86

permit host 216.x.x.86

permit 74.8.x.x 0.0.0.3

permit 64.206.x.x 0.0.0.3

!

ip access-list extended NAT

permit ip host 192.168.0.128 any

permit ip host 192.168.0.155 any

permit ip 192.168.0.0 0.0.0.255 any

!

ip access-list extended NOSPOOF

deny 53 any any

deny 55 any any

deny 77 any any

deny 103 any any

deny ip 127.0.0.0 0.255.255.255 any

deny ip 255.0.0.0 0.255.255.255 any

deny ip 224.0.0.0 7.255.255.255 any

deny ip host 0.0.0.0 any

deny ip 10.0.0.0 0.255.255.255 any

deny ip 172.16.0.0 0.15.255.255 any

deny ip 192.168.0.0 0.0.255.255 any

deny ip 63.x.x.160 0.0.0.7 any

permit ip any any

ip access-list extended PAT01

permit tcp any host 63.x.x.162 eq 1723

permit tcp any host 63.x.x.162 eq 3389

permit gre any host 63.x.x.162

permit udp any host 63.x.x.162 eq 1723

!

ip access-list extended PAT02

permit tcp any host 63.x.x.162 eq 143

permit tcp any host 63.x.x.162 eq pop3

permit tcp any host 63.x.x.162 eq https

permit tcp any host 63.x.x.162 eq smtp

permit udp any host 63.x.x.162 eq 25

!

ip access-list extended PAT03

permit tcp any host 63.x.x.162 eq 4000

!

ip access-list extended PAT04

permit tcp any host 63.x.x.162 eq 8245

permit tcp any host 63.x.x.162 eq 9010

permit tcp any host 63.x.x.162 eq 9011

!

ip access-list extended PAT05

permit tcp any host 63.x.x.162 eq 9898

!

ip access-list extended SELF

permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255

!

ip access-list extended SMTP_OUT

permit tcp host 192.168.0.3 any eq smtp

permit udp host 192.168.0.3 any eq 25

ip policy-class INSIDE

allow list SELF

nat source list SMTP_OUT address 63.x.x.162 overload

nat source list NAT interface eth 0/1 overload

!

ip policy-class OUTSIDE

allow list MGDR_TELNET

nat destination list PAT01 address 192.168.0.2

nat destination list PAT03 address 192.168.0.15

nat destination list PAT04 address 192.168.0.10

nat destination list PAT05 address 192.168.0.50

nat destination list PAT02 address 192.168.0.3

Anonymous · ‎10-08-2012

Tonycaf,

Thanks for posting! There are a couple of things I would check first as potential problems. First, given your configuration, you would not be able to test the port forward from any device matching the MGDR_TELNET ACL. Since this is a standard ACL, it will match all traffic from those sources and not allow any other rules to be checked. If you suspect this is the problem, you may want to consider making MGDR_TELNET and extended ACL that specifies just the specific protocols used for management. Alternatively, you could move that rule, "allow list MGDR_TELNET", to the bottom of the list of rules. Generally speaking you want your more specific rules at the top of your list and the most general rules at the bottom.

Another thing to always check is to make sure that the devices on the LAN, 192.168.0.0/24, are using the Adtran unit's LAN IP address as their default gateway. We want to make sure that return traffic goes through the Adtran unit. Lastly, to check the behavior of any session/flow through the firewall, we can use the "show ip policy-sessions" command. This will show us if traffic has been allowed thought the unit and if any IP address translation has taken place.

Feel free to respond to this thread if you have any further questions.

Thanks!

David

View solution in original post

Anonymous · ‎10-08-2012

Tonycaf,

Thanks for posting! There are a couple of things I would check first as potential problems. First, given your configuration, you would not be able to test the port forward from any device matching the MGDR_TELNET ACL. Since this is a standard ACL, it will match all traffic from those sources and not allow any other rules to be checked. If you suspect this is the problem, you may want to consider making MGDR_TELNET and extended ACL that specifies just the specific protocols used for management. Alternatively, you could move that rule, "allow list MGDR_TELNET", to the bottom of the list of rules. Generally speaking you want your more specific rules at the top of your list and the most general rules at the bottom.

Another thing to always check is to make sure that the devices on the LAN, 192.168.0.0/24, are using the Adtran unit's LAN IP address as their default gateway. We want to make sure that return traffic goes through the Adtran unit. Lastly, to check the behavior of any session/flow through the firewall, we can use the "show ip policy-sessions" command. This will show us if traffic has been allowed thought the unit and if any IP address translation has taken place.

Feel free to respond to this thread if you have any further questions.

Thanks!

David

Anonymous · ‎10-09-2012

Thank you David, That helped. I was able to put "allow list MGDR_TELNET" at the bottom of the list of rules and that resolved the issue. I also did a port scan against that IP adddress and it showed the ports as open.

Support
Community

PAT statements not working

Re: PAT statements not working

Re: PAT statements not working

Re: PAT statements not working

SupportCommunity

PAT statements not working

Re: PAT statements not working

Re: PAT statements not working

Re: PAT statements not working

Support
Community