
Nortel Secure Router 1001 DMZ

Status
Not open for further replies.

Ensomis

Technical User
Dec 6, 2006
US
I am looking for some help. I am trying to set up a Nortel SR1001 as our router/firewall with a T-1 connection. I have a /29 block assigned from the ISP: XXX.XXX.213.113 - XXX.XXX.213.118. With the other two T-1 connections at our company, the ISP, which is different for each T-1, provided us with a /30 for the actual T-1 connection. This particular ISP did not, so we must use one of the /29 addresses we were assigned as the address of the T-1. It does work if we set it up this way.

The issue comes in that we have a host we need in a DMZ. We need to have several ports open to this host. Ideally the router would be at XXX.XXX.213.113, and the host would be XXX.XXX.213.115, with .114 being used for PAT from the LAN. I cannot get it to work. The SR1001 will not let two interfaces be on the same subnet. Annoying, but okay. I tried subnetting my /29 into two /30 blocks.

If I set up the router with the firewall zone Corp on the LAN side and Internet on the WAN side, PAT works, and the LAN can browse the web, but the Internet zone will not allow transit policies, meaning it will not forward any packets to another interface. The target must be the interface assigned to the Internet zone (WAN). If I set up a different policy (public) and assign it to the WAN interface, it breaks PAT from the LAN. It also still won't forward packets to the DMZ host.

I do not know what to do; I have tried several different ideas on configuration. If I use access lists instead of the firewall, then I cannot get PAT to work (I didn't test to see if the DMZ host was accessible). I have tried setting up NAT using another zone on the DMZ side with no luck (no traffic is forwarded).

I have attached my current config. Any suggestions on what I am doing wrong would be greatly appreciated.

Router information:
SealTecSR > show version
HW Assembly REV: A
PCB Assembly REV: A
BOOT VERSION: r9.2
SW VERSION: r9.2
FPGA REVISION: 17.4


Firmware revision: r9.2 - Jan 19 2007, 19:30:57
Model Number: SR 1001

Nortel
600 Technology Park Drive, Billerica, MA. 01821
Secure Router 1001
All Rights Reserved.

Nortel Secure Router CLI
Copyright (c) 1998-2007, Nortel


router > show system configuration
System Configuration:
------------------------------------------------
Hardware Status:

DRAM quantity: 128MB
DRAM type: SDRAM
Flash: 16MB
Model Number: 1001
Serial Number: **************
Processor ID: NEC VR4133
FPGA Revision Id: 17.4
HW Assembly Revision: A
PCB Revision: A

Level 2 Cache: 0KB
Level 3 Cache: 0KB

----------------------------------------
VPN Accelerator card is not present
------------------------------------------------
WAN Interface ports -
T1 - 1 port available

------------------------------------------------

Software Status:

Application Image Version: r9.2
BOOT VERSION: r9.2
Mode: Routing
------------------------------------------------
Memory Status:

TOTAL DRAM: 0x8000000 bytes
status        bytes       blocks    avg block    max block
------        ---------   -------   ----------   ----------
current
  free        32080528    54        594083       31246768
  alloc       66710016    60339     1105         -
cumulative
  alloc       153681200   91886     1672         -
------------------------------------------------
Flash Status: /flash1
Total Memory   Free Memory in flash
15597568       4980736
------------------------------------------------
System Diagnostics Results:
DRAM Test: PASSED
Flash Memory Test: PASSED
Temperature Test: PASSED
------------------------------------------------
Hardware Watchdog Timer Status: enabled
------------------------------------------------

Config:
router> show start
# Nortel system configuration file (.CFG).
#
# Nortel assumes no responsibility for product reliability,
# performance, or both if the user modifies the .CFG file. Full
# responsibility for any modification made to the .CFG file, by
# the user, is assumed by the user.
#
# Version: r9.2
# File Created: 04/29/2008-13:50:00



secure_passwords
module t1 1
yellow_alarm gen_det
clock_source line
contactInfo REDACTED
description T1
name Century
exit t1
# LAN side: private /24, served by the DHCP pool below, placed in the corp zone
interface ethernet 0
ip address 192.168.12.1 255.255.255.0
mtu 1500
qos
exit qos
exit ethernet
# Second half of the /29, carved out as XXX.XXX.213.116/30: .117 is the router,
# so .118 is the only usable address left on this side for a DMZ host
interface ethernet 1
ip address XXX.XXX.213.117 255.255.255.252
mtu 1500
qos
exit qos
exit ethernet
# First half of the /29, XXX.XXX.213.112/30, on the T1 itself: .113 is the router;
# .114, the PAT address used in the corp zone policy, is the other usable address
interface bundle wan
link t1 1
encapsulation hdlc
hdlc keepalive 10 packet_type unicast mtu 1500
ip address XXX.XXX.213.113 255.255.255.252
ip multicast ospfrip2
qos
exit qos
red
exit red
exit bundle
hostname router
log utc
telnet_server
ssh_server
timeout 120
logevents
exit ssh_server
telnet_banner
banner "Unauthorized Access Is Logged\nAuthorized Personnel Only"
exit telnet_banner
system display-boot-config no
ip
pname_server XXX.XXX.202.29
name_server XXX.XXX.192.254
load_balance per_flow
route 0.0.0.0 0.0.0.0 wan 1
route 192.168.2.0 255.255.255.0 192.168.12.9 1
# Two empty access-lists (the second name is misspelled); nothing references them
access-list firewall
exit access-list
access-list firewll
exit access-list
dhcps
pool Sealtec
dnsserver XXX.XXX.202.29
dnsserver XXX.XXX.192.254
lease 86400
network 192.168.12.0 255.255.255.0
default_router 192.168.12.1
exclude-range 192.168.12.1 192.168.12.20
exclude-range 192.168.12.100 192.168.12.200
commit
exit pool
interface ethernet0
enable
exit dhcps
exit ip
firewall global
dos-protect
win-nuke
ftp-bounce
dns-replay-attack
ip-unaligned-timestamp
tcp-seq-number-predict
exit dos-protect
algs
exit algs
max-connection-limit self 2048
exit firewall
# internet zone on the WAN: only ICMP to the router itself is permitted inbound;
# no policy here forwards anything to ethernet1, so a DMZ host is unreachable
firewall internet
interface wan
policy 105 in permit protocol icmp self
exit policy
exit firewall
# corp zone on the LAN: outbound traffic is translated to .114 (PAT);
# policy 1024 then permits everything else outbound
firewall corp
interface ethernet0
policy 100 out permit nat-ip XXX.XXX.213.114
exit policy
policy 1024 out permit
exit policy
exit firewall
gui
enable
exit gui
snmp-server
chassis-id router
trap-version 1
exit snmp-server
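The addressing constraint behind the post, as an added example (not code from the original post or from Nortel): a Python check of what splitting the /29 into two /30s actually leaves for the DMZ. It assumes 192.0.2.112/29 (RFC 5737 documentation space) as a stand-in for the redacted XXX.XXX.213.112/29, uses the interface names from the posted config, and treats the "no two interfaces on the same subnet" rule as the constraint the poster reports.

```python
"""Address-plan check for a /29 split into two /30s.

Added example; not from the original post or from Nortel. 192.0.2.112/29
(RFC 5737 documentation space) stands in for the redacted XXX.XXX.213.112/29,
and the interface names follow the posted config.
"""
import ipaddress
from typing import Dict, List, Tuple

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network

# Placeholder for the ISP-assigned /29 (constructed, not a real assignment).
ISP_BLOCK: IPv4Network = ipaddress.ip_network("192.0.2.112/29")


def split_block(block: IPv4Network, new_prefix: int = 30) -> List[IPv4Network]:
    """Carve `block` into equal subnets, e.g. a /29 into two /30s."""
    return list(block.subnets(new_prefix=new_prefix))


def lost_to_split(block: IPv4Network, new_prefix: int = 30) -> List[IPv4Address]:
    """Addresses that were usable hosts in `block` but become network or
    broadcast addresses once it is split: the hidden cost of subnetting a
    small assignment instead of getting a separate link /30 from the ISP."""
    before = set(block.hosts())
    after = set()
    for sub in split_block(block, new_prefix):
        after.update(sub.hosts())
    return sorted(before - after)


def same_subnet_conflicts(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose addresses lie in the same subnet.  The
    SR1001 rejects such a configuration, which is what forced the split."""
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in interfaces.items()}
    names = sorted(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].network == ifaces[b].network]


def address_in_interface_subnet(interface: str, address: str) -> bool:
    """True if `address` (e.g. the PAT address) falls inside the subnet of
    the given interface address, i.e. it is on-link for that interface."""
    return ipaddress.ip_address(address) in ipaddress.ip_interface(interface).network


def free_addresses(block: IPv4Network, interfaces: Dict[str, str],
                   reserved: Tuple[str, ...] = (), new_prefix: int = 30) -> List[IPv4Address]:
    """Usable addresses left in `block` after the split, once interface
    addresses and any reserved addresses (the NAT address) are removed.
    Whatever remains is all that is available for hosts in a DMZ."""
    taken = {ipaddress.ip_interface(a).ip for a in interfaces.values()}
    taken.update(ipaddress.ip_address(r) for r in reserved)
    return [h for sub in split_block(block, new_prefix) for h in sub.hosts() if h not in taken]


# The poster's preferred layout: router, PAT address and DMZ host all in one /29.
ORIGINAL_PLAN = {"wan": "192.0.2.113/29", "ethernet1": "192.0.2.115/29"}
# The layout in the posted config: two /30s, PAT address .114 on the WAN /30.
POSTED_PLAN = {"wan": "192.0.2.113/30", "ethernet1": "192.0.2.117/30"}
POSTED_NAT = "192.0.2.114"


def report(block: IPv4Network = ISP_BLOCK) -> Dict[str, object]:
    """Summarise both layouts; returned as data so it can be checked."""
    return {
        "subnets": [str(s) for s in split_block(block)],
        "lost": [str(a) for a in lost_to_split(block)],
        "original_conflicts": same_subnet_conflicts(ORIGINAL_PLAN),
        "posted_conflicts": same_subnet_conflicts(POSTED_PLAN),
        "nat_on_wan_subnet": address_in_interface_subnet(POSTED_PLAN["wan"], POSTED_NAT),
        "dmz_candidates": [str(a) for a in free_addresses(block, POSTED_PLAN, (POSTED_NAT,))],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run as-is it shows the trade-off in numbers: the original layout puts wan and ethernet1 in the same /29 (the conflict the SR1001 rejects), while the posted split burns .115 and .116 as broadcast and network addresses and leaves exactly one address, .118, for a DMZ host once .113, .117 and the PAT address .114 are taken. Swap in a real assignment and interface list to check any other plan before touching the router.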

 
If I understood you correctly, the ISP didn't provide you with a /30 network for the actual T1 point-to-point link?

I would strongly urge you to go back and request that the ISP provide a /30 network block to be used across the point-to-point T1. I would also suggest you petition one of your ISPs for additional IP address space. You should be able to get a /27 without too much hassle. You should not have to re-allocate part of your /29 network, which is already very small.

Cheers!
 