Gateway and Routing help



Hello all.

 

I work for a company that installs Voice/PBX servers for businesses.

We recently installed a site that required a point-to-point T1 connection with one Voice Server at each location linked over the T1.

This is basically a dedicated connection for VoIP between the two.

We used Adtran 3040s at each site with the T1 wired directly on each end.

From that, the Ethernet port connects to a switch we provided and the phones/server are connected to that.

 

The customer has an existing data infrastructure with another company that supports it for them.

They have set up an interface on their Cisco ASAs that we connect to and configured rules for traffic between our Voice LAN and their Data LAN as well as to the Internet.

 

Our equipment is on 172.16.x.x networks with the Adtran 172.16.x.1 as the gateway.

The DNS servers are on the 192.168.x.x networks.

In the Adtran, the default route (0.0.0.0/0.0.0.0) points to the Cisco at 172.16.x.254.

There is a route for 172.16.4.0/255.255.255.0 at site A and 172.16.3.0/255.255.255.0 at site B, set to use the T1 PPP connection.

Everything seems to be working, with the exception of their NAT/Port Forwarding from their Internet to our devices.

The traffic between the 172.16.x.x networks goes over the T1 properly and we can connect to anything on the 192.168.x.x networks including DNS and we can also get out to the Internet on each side.

 

They claim the NAT rules are set up correctly.

Am I missing something on our end in the Adtrans?

 

Here is an image of the set up:

[image of the setup, not reproduced]

 

Thank you for any help and ideas.

Do you have a route on the 192.168 network to go back to the 172.16 network?

Yes, we can get from the 192.168 network to the 172.16 network.

 

The only thing not working is Internet port forwarding to the 172.16 networks.

I left out the part where it's bonded T1s, but regardless, we don't control the Cisco firewalls, unfortunately.

They say they can see the traffic on the NAT'ed ports being forwarded, but aren't getting a response.

 

It wouldn't have anything to do with the devices actually using 172.16.x.1 as their gateway; 172.16.x.1 should then be forwarding the traffic to 172.16.x.254, right?

I feel that is the case since I can successfully get to the Internet when on my laptop using the same settings.


192.168.4.254 should have a route that looks like this:

 

ip route 172.16.3.0 255.255.255.0 172.16.4.1

 

 

192.168.1.254 should have a route that looks like this:

 

ip route 172.16.4.0 255.255.255.0 172.16.3.1

 

That would get the ASAs talking to the different LANs and understanding how to reach them. The next bit is a little harder. They say they see the traffic going through the ASA, but it doesn't reach the phone network. Are there any other devices (like a web filter) in between? I recently had an issue with a port not going through because of a web filter causing a block, even though it was supposed to be pass-through or only block that specific port (it is only supposed to filter on 80 and 443, but it was still hosing me). Once I added the rule to the web filter, traffic was flowing through it.

I believe they have those routes, we can talk to any of the subnets locally just fine, even across the links.

The only issue is the port forwarding.

I can't hit our phone server's web page or ssh from outside the office through the Internet even though they say the rules are in place.


Then something is blocking it. I would have to look at it to figure it out. Could be a config issue on the firewall, could be another device on the way, could be a software firewall on the server.

I am sorry; there is only so much you can do without access.

So they have a problem getting to your VoIP box from the Internet. Well, you have an asymmetric routing problem in this sort of setup. The default route of your VoIP box is your Adtran:

 

"Our equipment is on 172.16.x.x networks with the Adtran 172.16.x.1 as the gateway". Sure, the Adtran default points back to your ASA, but this is a bad sort of hairpin asymmetric setup.

 

So you get this; say they are coming from 1.2.3.4 on the public Internet:

 

[image of the packet path, not reproduced]

 

This is a horrific sort of setup. Are you doing any sort of NAT at the Adtran, or just at the ASA?

 

To validate that the traffic is getting to you, why don't you just sniff on your VoIP box? You could set up host routing on the VoIP box so that it routes all networks on the other side of the T1 to your Adtran, the 192.168 network connected to the Cisco to the Cisco, and the default to the Cisco as well.

 

Or you could set up a transit network so you don't run into the asymmetric routing problem. I would not design it the way you have it, for sure. But instead of pointing fingers (they say they forward the traffic to you), why not just sniff and validate that? From seeing the traffic, and whether the box answers it or not, you can track down the actual problem.

 

But this setup is not optimal, with hairpin and asymmetric routing.
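The asymmetric path the reply above describes, and the per-host routes it suggests as the fix, as an added example that is not part of the thread or any poster's material. It is a small longest-prefix-match simulator written for this page. The addresses are assumptions, because the thread only gives 172.16.x.x and 192.168.x.x: site A is taken as 172.16.3.0/24 with the Adtran at 172.16.3.1, the ASA inside leg at 172.16.3.254, the VoIP server at 172.16.3.10, the ASA outside at 203.0.113.1 with its upstream at 203.0.113.2, the T1 PPP link as 10.0.0.1/10.0.0.2, and the Internet client at 1.2.3.4 (the address used in the reply). NAT itself is not modelled: the inbound trace starts with the already-translated destination.

```python
"""Trace forward and return paths through the thread's topology (added example,
constructed addresses; see the lead-in)."""
import ipaddress

CONNECTED = "connected"


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop).
    next_hop is an IP string, or CONNECTED for a directly attached prefix.
    Returns None when no prefix matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def owner_of(devices, ip):
    """Name of the device that holds ip on one of its interfaces, or None."""
    for name, dev in devices.items():
        if ip in dev["addrs"]:
            return name
    return None


def trace(devices, start, dst, max_hops=8):
    """List of device names a packet to dst traverses, starting at start."""
    path, cur = [start], start
    for _ in range(max_hops):
        if dst in devices[cur]["addrs"]:
            return path                                   # delivered
        next_hop = lookup(devices[cur]["routes"], dst)
        if next_hop is None:
            return path + ["DROP:no-route"]
        target = dst if next_hop == CONNECTED else next_hop
        nxt = owner_of(devices, target)
        if nxt is None:
            return path + ["DROP:unreachable " + target]
        path.append(nxt)
        cur = nxt
    return path + ["DROP:loop"]


def topology(voip_routes):
    """Site A as described in the thread; the VoIP box's routes are a parameter.
    All addresses are assumed for the example."""
    return {
        "internet": {"addrs": {"1.2.3.4", "203.0.113.2"},
                     "routes": [("203.0.113.0/24", CONNECTED),
                                ("0.0.0.0/0", "203.0.113.1")]},
        "asa":      {"addrs": {"203.0.113.1", "172.16.3.254", "192.168.1.254"},
                     "routes": [("203.0.113.0/24", CONNECTED),
                                ("172.16.3.0/24", CONNECTED),
                                ("192.168.1.0/24", CONNECTED),
                                ("172.16.4.0/24", "172.16.3.1"),   # far site via the Adtran
                                ("0.0.0.0/0", "203.0.113.2")]},
        "adtran":   {"addrs": {"172.16.3.1", "10.0.0.1"},
                     "routes": [("172.16.3.0/24", CONNECTED),
                                ("172.16.4.0/24", "10.0.0.2"),     # PPP over the T1
                                ("0.0.0.0/0", "172.16.3.254")]},   # default to the ASA
        "adtran_b": {"addrs": {"10.0.0.2", "172.16.4.1"},
                     "routes": [("172.16.4.0/24", CONNECTED),
                                ("172.16.3.0/24", "10.0.0.1"),
                                ("0.0.0.0/0", "172.16.4.254")]},
        "voip":     {"addrs": {"172.16.3.10"},
                     "routes": [("172.16.3.0/24", CONNECTED)] + list(voip_routes)},
    }


# VoIP box routing as posted: everything goes to the Adtran.
ORIGINAL = [("0.0.0.0/0", "172.16.3.1")]
# Per-host routes as the reply suggests: far site to the Adtran, everything else to the ASA.
HOST_ROUTED = [("172.16.4.0/24", "172.16.3.1"),
               ("192.168.0.0/16", "172.16.3.254"),
               ("0.0.0.0/0", "172.16.3.254")]


def inbound_paths(voip_routes, client="1.2.3.4", server="172.16.3.10"):
    """(forward, return) device paths for a connection from client to the NAT'd server."""
    devices = topology(voip_routes)
    return trace(devices, "internet", server), trace(devices, "voip", client)


def is_symmetric(forward, back):
    """True when the reply retraces the request's path in reverse."""
    return back == list(reversed(forward))


if __name__ == "__main__":
    for label, routes in (("original", ORIGINAL), ("host-routed", HOST_ROUTED)):
        fwd, back = inbound_paths(routes)
        print(f"{label:12} forward={fwd} return={back} symmetric={is_symmetric(fwd, back)}")
```

With the posted routing the request arrives internet, asa, voip but the reply leaves voip, adtran, asa, internet: it re-enters the ASA's inside interface from the Adtran after the ASA already forwarded the request on that same segment, which is the hairpin the reply objects to. With the per-host routes the reply goes voip, asa, internet and the two directions match; traffic for the far site still goes through the Adtran and over the T1.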

I get what you're saying, but the Adtran forwards to the correct route.

We actually got this solved, although not in the way they originally wanted.

 

I did some packet sniffing with a hub between our network and theirs, and I never saw the packets being forwarded.

 

We ended up putting our equipment on their LAN subnet since they couldn't get the NAT working (although it still didn't work at first after that).

The NAT problem was apparently due to them having built the rules as "dynamic" instead of "static".

I'm not familiar with Cisco enough to know exactly what the difference is, but once they changed it, we can now get to it from outside.

 

Although it is working now, it probably would have worked even when it was separated if they had done that.

They also couldn't get to the opposite site VoIP server from one side to the other for some reason when they were separate, but now can.

I really just think they don't know the Cisco well enough.

 

We are still using our Adtran as the gateway, and it works just fine.

I at least knew I had my routes built properly...

 

Thanks again for the help!

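Why a rule built as "dynamic" could not serve the port forward while a "static" one could, as an added example that is not part of the thread or any poster's material. A dynamic NAT/PAT rule allocates a translation (an xlate) only when the inside host opens a connection outward, so an unsolicited inbound SYN finds nothing to match and is dropped; a static rule is a fixed, bidirectional mapping that exists before any traffic flows. The toy table below models just that distinction, not the full ASA NAT engine. Addresses are constructed for the example: inside server 172.16.3.10, ASA outside 203.0.113.1, Internet client 1.2.3.4, and 198.51.100.5 as a DNS server the VoIP box talks to.

```python
"""Static versus dynamic NAT for an inbound port forward (added example,
constructed addresses; see the lead-in)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP connection as seen at the firewall."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Toy model: static rules are fixed two-way mappings; dynamic PAT hands out
    an (outside_ip, port) only when the inside host sends first, and that xlate
    is the only thing inbound packets to a dynamic host can match."""

    def __init__(self, outside_ip: str, pat_base: int = 40000):
        self.outside_ip = outside_ip
        self.static_out = {}      # (inside_ip, inside_port) -> (outside_ip, outside_port)
        self.static_in = {}       # reverse of static_out
        self.dynamic_hosts = set()
        self.xlates = {}          # (outside_ip, outside_port) -> (inside_ip, inside_port)
        self.next_port = pat_base

    def add_static(self, inside_ip: str, inside_port: int, outside_port: int) -> None:
        inside, outside = (inside_ip, inside_port), (self.outside_ip, outside_port)
        self.static_out[inside] = outside
        self.static_in[outside] = inside

    def add_dynamic(self, inside_ip: str) -> None:
        self.dynamic_hosts.add(inside_ip)

    def outbound(self, f: Flow) -> Optional[Flow]:
        """Inside -> outside. Returns the translated flow, or None if no rule applies."""
        inside = (f.src_ip, f.src_port)
        if inside in self.static_out:
            outside = self.static_out[inside]
        elif f.src_ip in self.dynamic_hosts:
            outside = (self.outside_ip, self.next_port)
            self.next_port += 1
            self.xlates[outside] = inside       # created on demand by this outbound packet
        else:
            return None
        return Flow(outside[0], outside[1], f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside. Returns the untranslated flow, or None (dropped: no xlate)."""
        outside = (f.dst_ip, f.dst_port)
        inside = self.static_in.get(outside) or self.xlates.get(outside)
        if inside is None:
            return None
        return Flow(f.src_ip, f.src_port, inside[0], inside[1])


SERVER, ASA_OUT, CLIENT, DNS = "172.16.3.10", "203.0.113.1", "1.2.3.4", "198.51.100.5"


def dynamic_only():
    """Rule built as dynamic: unsolicited inbound SSH is dropped, but a reply to a
    connection the server itself opened is translated back. Returns (unsolicited, reply)."""
    nat = NatTable(ASA_OUT)
    nat.add_dynamic(SERVER)
    unsolicited = nat.inbound(Flow(CLIENT, 51000, ASA_OUT, 22))
    out = nat.outbound(Flow(SERVER, 35000, DNS, 53))
    reply = nat.inbound(Flow(DNS, 53, out.src_ip, out.src_port))
    return unsolicited, reply


def static_rule():
    """Rule built as static: the inbound SSH connection is translated to the server."""
    nat = NatTable(ASA_OUT)
    nat.add_static(SERVER, 22, 22)
    return nat.inbound(Flow(CLIENT, 51000, ASA_OUT, 22))


if __name__ == "__main__":
    print("dynamic:", dynamic_only())
    print("static: ", static_rule())
```

On a real ASA the static mapping still needs an access rule on the outside interface permitting the port before the connection is admitted; this model only covers the translation lookup, which is the part the "dynamic" versus "static" choice changes.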

Bad design all around. Why don't you route the networks that you need the Adtran for to the Adtran, and point the default gateway at an actual default gateway where Internet and other traffic will come from, no matter what segment you sit on?