User manual

ADTRAN Routers with CradlePoint CBA750B Configuring the ADTRAN Router
6AOSSG0011-42A Copyright © 2014 ADTRAN, Inc.
The configuration example below configures the LAN using the default VLAN 1. The ip address
command specifies a static IP address and subnet mask for the interface, and the ip policy
route-map CPACCESS command enables policy-based routing so that PCs on the VLAN can access the
CBA750B for configuration and management. Additionally, the ip access-policy command assigns
the Private ACP to the interface so that PCs on the VLAN can access the ADTRAN router for
configuration.
To configure the LAN interface, enter the following commands at the specified command prompts:
(config)#interface vlan 1
(config-vlan 1)#ip address 10.10.10.1 255.255.255.0
(config-vlan 1)#ip policy route-map CPACCESS
(config-vlan 1)#ip access-policy Private
(config-vlan 1)#no shutdown
Step 4: Configure Policy Classes and Access Lists for Each WAN Connection
Configure separate policy-classes and access-lists for each WAN connection. The firewall uses the
separate ACPs to differentiate between the primary and WAN failover interfaces. Having separate ACLs
helps maintain stability when making configuration changes.
The configuration example below performs several functions:
(1) it specifies all traffic on the LAN as trusted,
(2) it allows traffic from the LAN destined for an IP address on the ADTRAN router,
(3) it enables many-to-one NAT for translating LAN IP addresses to the WAN interfaces, and
(4) it allows only HTTPS and SSH traffic from the WAN into the LAN.
In total, four extended ACLs are created using the ip access-list extended command and are
configured to permit traffic to be processed using the permit command:
(1) a self ACL is created to permit management traffic from the LAN to any IP address on the
ADTRAN router,
(2) an AdminAccess ACL is created to permit SSH and HTTPS traffic from the WAN for remote
management of the ADTRAN router,
(3) a NAT1 ACL is created for translating private IP addresses on the LAN to the IP address of
the primary WAN Ethernet interface (many-to-one NAT), and
(4) a NAT2 ACL is created for translating private IP addresses on the LAN to the IP address of
the WAN failover Ethernet interface (many-to-one NAT).
Additionally, three ACPs are created using the ip policy-class command and are configured to
define the actions taken on the packets permitted by the ACLs:
(1) a Public ACP is created to allow traffic from the primary WAN into the LAN that matches the
AdminAccess ACL and discard all other traffic,
(2) a Public2 ACP is created to allow traffic from the wireless failover WAN into the LAN that
matches the AdminAccess ACL and discard all other traffic, and
(3) a Private ACP is created to allow traffic from the LAN destined for an IP address on the
ADTRAN router, enable NAT for the primary and failover WAN interfaces, and allow only HTTPS
and SSH traffic over the primary and failover WAN interfaces.
This is an example configuration only. This security policy should be configured to fit your
network. For more information about configuring the firewall, refer to Configuring the
Firewall (IPv4) in AOS available from the ADTRAN support community at
https://supportforums.adtran.com.
The Public2 policy and all associated configurations are added as a best practice. Since the
IP address the AOS device receives from the 3G/4G network is not publicly accessible, the
Public2 policy is not required in most cases.
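The following check is an added example, not part of the ADTRAN manual: it audits a saved configuration against the intent stated above, that the WAN-facing ACPs (Public, Public2) admit only HTTPS and SSH. The sample configuration is constructed for illustration, its line syntax is an assumption modeled on the commands named in this section, and the function names are hypothetical.

```python
import re

WAN_POLICIES = {"Public", "Public2"}            # ACP names used in this section
ALLOWED_WAN_PORTS = {"https", "ssh", "443", "22"}

# Constructed sample (assumed syntax); Public2 carries a deliberate mistake.
SAMPLE = """\
ip access-list extended AdminAccess
  permit tcp any any eq https
  permit tcp any any eq ssh
ip access-list extended NAT1
  permit ip any any
ip policy-class Public
  allow list AdminAccess self
ip policy-class Public2
  allow list AdminAccess self
  allow list NAT1
"""

def parse(config):
    """Return ({acl: [rules]}, {acp: [entries]}) from indented config blocks."""
    acls, acps, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list extended (\S+)", line):
            current = acls.setdefault(m.group(1), [])
        elif m := re.match(r"ip policy-class (\S+)", line):
            current = acps.setdefault(m.group(1), [])
        elif not raw[:1].isspace():
            current = None                      # any other top-level line ends the block
        elif current is not None and line:
            current.append(line)
    return acls, acps

def audit(config):
    """List every way a WAN-facing ACP admits more than HTTPS/SSH."""
    acls, acps = parse(config)
    findings = []
    for acp in sorted(WAN_POLICIES & acps.keys()):
        for entry in acps[acp]:
            m = re.match(r"allow list (\S+)", entry)
            if not m:
                findings.append(f"{acp}: unexpected action '{entry}'")
            elif m.group(1) not in acls:
                findings.append(f"{acp}: ACL {m.group(1)} is not defined")
            else:
                for rule in acls[m.group(1)]:
                    port = re.fullmatch(r"permit tcp .+ eq (\S+)", rule)
                    if not port or port.group(1) not in ALLOWED_WAN_PORTS:
                        findings.append(f"{acp}: ACL {m.group(1)} has rule '{rule}'")
    return findings
```

An empty result from audit() means each WAN-facing ACP references only ACLs whose rules are limited to HTTPS and SSH.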