Solved

cannot access websrvr on 2xfirewalled local network from internet

Posted on 2004-08-18
445 Views
Last Modified: 2013-12-14
Hi,
the connection looks like:
localWebServer(WS)<-->FirewalledPC(FW)<-->ADSLRouter(R)<-->ISP-Internet(I).

IPs:
WS - 192.168.30.1
FW - 192.168.30.220 to_localnetwork and 10.0.0.1 to_R
R - 10.0.0.138 to_FW and 212.x.x.x to_I

FW runs on W2K, is WinRoutePro 4.2.5 and has 2 NICs.
R is a THOMSON SpeedTouch510i with software 4.2.3.

FW does not have NAT enabled; R has NAPT on the outer interface 212.xxx. and it looks like: protocol=tcp; outside IP 212.x.x.x:80; inside IP 192.168.30.1:80

What else and how do I need to configure to accept incoming connections from the internet to my local webserver?
If you need additional info, please ask.
Thanks a lot.

PS: I think the problem is in my R configuration. At http://www.speedtouch.com/pdf/ST500%20CLI%20Reference%20Guide%20R4.2.pdf information on the CLI for my R can be found. The chapter on NAT or Firewall Commands can be useful.

MY PARAMETERS FOLLOW:
[firewall]=>list
:firewall assign hook=input chain=None
:firewall assign hook=sink chain=sink
:firewall assign hook=forward chain=forward
:firewall assign hook=source chain=source
:firewall assign hook=output chain=None
[firewall]=>
:firewall chain list
:firewall chain create chain=sink
:firewall chain create chain=forward
:firewall chain create chain=source
=>
:firewall rule list
:firewall rule create chain=sink index=0 srcintfgrp=!wan action=accept
:firewall rule create chain=sink index=1 prot=udp dstport=dns action=accept
:firewall rule create chain=sink index=2 prot=udp dstport=bootpc action=accept
:firewall rule create chain=sink index=3 prot=icmp icmptype=echo-reply action=accept
:firewall rule create chain=sink index=4 prot=udp dstport=snmp log=yes action=count
:firewall rule create chain=sink index=5 action=drop
:firewall rule create chain=forward index=0 srcintfgrp=wan dstintfgrp=wan action=drop
:firewall rule create chain=source index=0 dstintfgrp=!wan action=accept
:firewall rule create chain=source index=1 prot=udp dstport=dns action=accept
:firewall rule create chain=source index=2 prot=udp dstport=bootps action=accept
:firewall rule create chain=source index=3 prot=icmp icmptype=echo-request action=accept
:firewall rule create chain=source index=4 prot=udp srcport=snmp log=yes action=count
:firewall rule create chain=source index=5 action=drop
0
Question by:tanka_zsolt
16 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11831844
Your NAT configuration is correct on the router.  Are you allowing TCP port 80 traffic through your firewall?
0
 

Author Comment

by:tanka_zsolt
ID: 11833826
JFrederick29: Your question is good, but I'm not sure of the answer. I found a site http://www.sdharris.com/speedtouch510/
and modified my settings - I hope I did it well, but I'm not able to test the visibility of my webserver on the inet today. The timesync doesn't work - I also added that, so I'm not optimistic about my websrvcs.

[firewall]=>list
:firewall assign hook=input chain=None
:firewall assign hook=sink chain=sink
:firewall assign hook=forward chain=forward
:firewall assign hook=source chain=source
:firewall assign hook=output chain=None
[firewall]=>rule
[firewall rule]=>list
:firewall rule create chain=sink index=0 srcintfgrp=!wan action=accept
:firewall rule create chain=sink index=1 prot=udp dstport=dns action=accept
:firewall rule create chain=sink index=2 prot=udp dstport=bootpc action=accept
:firewall rule create chain=sink index=3 prot=icmp icmptype=echo-reply action=accept
:firewall rule create chain=sink index=4 prot=udp dstport=snmp log=yes action=count
:firewall rule create chain=sink index=5 action=drop
:firewall rule create chain=forward index=0 srcintfgrp=wan dstintfgrp=wan action=drop
:firewall rule create chain=forward index=1 srcintfgrp=lan prot=tcp dstport=www-http action=accept
:firewall rule create chain=forward index=2 srcintfgrp=wan prot=tcp srcport=www-http action=accept
:firewall rule create chain=forward index=3 srcintfgrp=lan prot=udp dstport=sntp action=accept
:firewall rule create chain=forward index=4 srcintfgrp=wan src=132.163.4.101 prot=udp srcport=sntp action=accept
:firewall rule create chain=source index=0 dstintfgrp=!wan action=accept
:firewall rule create chain=source index=1 prot=udp dstport=dns action=accept
:firewall rule create chain=source index=2 prot=udp dstport=bootps action=accept
:firewall rule create chain=source index=3 prot=icmp icmptype=echo-request action=accept
:firewall rule create chain=source index=4 prot=udp srcport=snmp log=yes action=count
:firewall rule create chain=source index=5 action=drop
[firewall rule]=>
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11834007
If you are using the PC as your firewall, why not open the router up all the way?  Let all traffic pass through the router to the Firewall PC and let it handle access control.  Allow inbound TCP 80 on the firewall PC and you should be all set.
0
 
LVL 11

Expert Comment

by:Eric
ID: 11835298
You need port forwarding, not simply allowing port 80.

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11835320
He has port forwarding setup:

>FW hasnot NAT enabled, R has NAPT on outer interface 212.xxx. and it looks like:protocol-tcp;outsideIP212.x.x.x:80;insideIP:192.168.30.1:80
0
 
LVL 11

Expert Comment

by:Eric
ID: 11835393
On the firewall... FW (software)

You're talking about the DSL router. The webserver is on a different subnet and has to be routed through FW.
0
 

Author Comment

by:tanka_zsolt
ID: 11838410
Sorry for a stupid question - which one is forwarding and which is allowing? Is this right: NAT=forwarding, firewall settings on R=allowing?
A note: it seems my sw-FW (WinRoute) has no function by now (NAT disabled) and I use it just as a proxy/mail server.
The firewall setting on R concerning web follows:
:firewall rule create chain=forward index=1 srcintfgrp=lan prot=tcp dstport=www-http action=accept
:firewall rule create chain=forward index=2 srcintfgrp=wan prot=tcp srcport=www-http action=accept

On my sw-FW WinRoute I also have "port mapping" (TCP; outside IP 212.x.x.x:80; inside IP 192.168.30.1:80)

ecszone: I've been thinking about opening/disabling my firewall on the R and using only the software one on my FW (PC), because of its better user interface and easier use, but I'm not sure about one (another one :-) ) thing, that is: if I disable the firewall on R, couldn't anyone hack my ADSL router's settings from the internet? ...the communication to it will not be filtered, isn't that so?
0
 

Author Comment

by:tanka_zsolt
ID: 11839490
I cannot even ping from my WS-pc to internet addresses; to local addresses
I can. Do I also have problems with my gateways, or what? I can ping from my FW to both.

localWebServer(WS)<-->FirewalledPC(FW)<-->ADSLRouter(R)<-->ISP-Internet(I).

localWebServer(WS)
gw:192.168.30.220
<-->FirewalledPC(FW)
gw:onNICtolocal...none
gw:onNICtoR...10.0.0.138
<-->ADSLRouter(R)
<-->ISP-Internet(I).
0

 
LVL 43

Expert Comment

by:JFrederick29
ID: 11840156
First off, make sure you are able to route correctly before attempting to implement advanced features.

Your ADSL router needs a static route configured for the 192.168.30.0 subnet via 10.0.0.1 and a default gateway to your ISP.
The Firewalled PC needs a default gateway to the ADSL router.
The internal hosts including the web server need a default gateway to 192.168.30.220.

The NAT for the webserver needs to be configured on the ADSL router.  Disable all firewall rules and test basic connectivity first.  Once you are able to route properly and your webserver is reachable from the Internet, you can then start locking down your network with firewalls.  You should be able to restrict management of the router to your local network.
0
 

Author Comment

by:tanka_zsolt
ID: 11840740
Your ADSL router needs a static route configured for the 192.168.30.0 subnet via 10.0.0.1
-...on which I-face? I've got this one, isn't it right?: gw:onNIC(10.0.0.1)toR...gw:10.0.0.138 This isn't configured on the ADSL router but on the PC NIC leading to the ADSL.

and a default gateway to your ISP.
-...I've got this one...Destination 213.81.255.46/32 ;  Label -; Gateway  212.x.x.x; Intf PPPoE_1; Metric 0.

The Firewalled PC needs a default gateway to the ADSL router
-...on which I-face? I've got this one, isn't it right?: gw:onNIC(10.0.0.1)toR...gw:10.0.0.138 This isn't configured on the ADSL router but on the PC NIC leading to the ADSL.

The internal hosts including the web server need a default gateway to 192.168.30.220
-...that's set: localWebServer(WS)
gw:192.168.30.220

The NAT for the webserver needs to be configured on the ADSL router.
-...R has NAPT on the outer interface 212.xxx. and it looks like: protocol=tcp; outside IP 212.x.x.x:80; inside IP 192.168.30.1:80

Disable all firewall rules and test basic connectivity first
-...disabled

Once you are able to route properly and your webserver is reachable from the Internet.
-...it seems I'm not able to route properly, because I tested/tried to connect to my public IP from another ISDN line on another PC and: netmonitor.org tells that> ping-OK, traceroute-OK, TCPtraceroute port80-NotRespond, port 80 doesn't appear to be open.

WHAT TO DO NEXT?
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 11842380
You need to add a static route on the ADSL router so traffic has a route to the internal network beyond the firewall.  For example, if traffic is destined to your web server, it will come in to 212.x.x.x.  It will be NAT'ed on your router and sent to 192.168.30.1.  The router looks up the 192.168.30.0 network in its routing table and it does not exist so it sends it back to your ISP using the default route.  If the router has a route to 192.168.30.0 via the Firewalled PC, routing will work properly.  I'm not sure how to add a static route on your particular ADSL router, it should be in the product documentation.  When configuring the static route, the destination network will be 192.168.30.0, the subnet mask will be 255.255.255.0, and the gateway/next hop router will be 10.0.0.1.   The Firewalled PC is all set and doesn't need further routing information.
0
 
LVL 11

Expert Comment

by:Eric
ID: 11842592
Heh, my head is going to explode.. too busy to read all this...
Port mapping may be = port forwarding.. I'm guessing it is.  You still need to forward twice I believe, as you have 3 different subnets going on.

To simplify, consider a sw firewall like ZoneAlarm on the web server and putting it at the same level as FW.  Only send web traffic to it.

Sorry, I don't have more time to read this in depth.
0
 

Author Comment

by:tanka_zsolt
ID: 11869845
I configured a static route at R as JFrederick29 mentioned above - doesn't work.

Turned on the debug window in WinRoute and:
1) Ping from WS to 10.0.0.138, debug shows - sender 192.168.30.1 target 10.0.0.138.
On WS request timed out - no reply. 100% loss.

2) Ping from FW-pc to 10.0.0.138, debug shows - ...ttl128,type8,code0 10.0.0.1->10.0.0.138
...ttl64,type0,code0 10.0.0.138->10.0.0.1
On FW-pc ping was echoed - OK. 100% received.
0
 

Author Comment

by:tanka_zsolt
ID: 11892679
It seems this is not a firewall problem. I got closer, I know the problem but have no solution by now.
The problem is in the communication between my two subnets; the previous topic's reply (pinging) shows that. I set up a webserver on FW-pc on IP 192.168.30.220 and everything works now. I am - my webserver is - visible to the internet.
But I need the other webserver to be visible, the one on the 192.168.30.1 subnet, not THIS ONE. But it seems the packets can't get back from 10.0.0.138 to 192.168.30.x. They go: 192.168.30.1 request > 10.0.0.1 (has gateway 10.0.0.138) > 10.0.0.138 > and can't go back, because the 10.0.0.1's gateway routes packets outside.
This is an idea and I don't know if I'm right.

JFrederick29:
You are very close to the solution, but as I mentioned in a reply before, "I configured a static route at R and it has not worked". WHAT AND HOW TO DO NEXT?
Here is the listing:
:ip rtlist
Destination         Gateway          Intf     Mtrc  Status
213.81.255.47/32    212.5.193.172    PPPoE_1  0     [UP]
212.5.193.172/32    212.5.193.172    PPPoE_1  0     [UP]
255.255.255.255/32  10.0.0.138       eth0     0     [UP]
10.0.0.138/32       10.0.0.138       eth0     0     [UP]
127.0.0.1/32        127.0.0.1        loop     0     [UP]
212.5.193.172/32    10.0.0.138       eth0     1     [UP]
10.0.0.1/32         10.0.0.138       eth0     1     [UP]
10.0.0.1/32         10.0.0.138*      eth0     1     [UP]
192.168.30.0/24     10.0.0.1         eth0     1     [UP]
224.0.0.0/4         10.0.0.138*      eth0     0     [UP]
0.0.0.0/0           212.5.193.172    PPPoE_1  1     [UP]
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11892794
What is the Firewalled PC running? Windows 2000?  You need to make sure RRAS is routing between the two interfaces on the PC.  Is RRAS enabled as a network router?  If you are able to reach 192.168.30.220 and by looking at the routing table, routing is setup correctly on the router.  The problem may lie on the Firewall PC.  Make sure it is routing...
0
 

Author Comment

by:tanka_zsolt
ID: 11899726
Problem solved.
The solution was adding a static route 192.168.30.0/24 via 10.0.0.1 to the R-router, as JFrederick29 mentioned above. It didn't work for me at first because I was trying different combinations and forgot to change back the gateway on the WS webserver, on which I had 10.0.0.138 and not 192.168.30.220 as was mentioned in the beginning of this discussion - that is why my pings were the way they were.
Big sorry for the chaos! ...and thanks to JFrederick29. The points are yours.
Thanks!
0
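As an added illustration (not code from the thread), the following Python model replays the router's forwarding decision that the accepted answer describes, using the ":ip rtlist" listing the author posted, and also checks the off-link default gateway that turned out to be the final cause. The parser and the helper names are mine; the SpeedTouch itself is not involved.

```python
import ipaddress

# Route listing as posted by the author (":ip rtlist" on the SpeedTouch);
# the columns are re-typed here with single spaces between them.
RTLIST = """\
213.81.255.47/32 212.5.193.172 PPPoE_1 0 [UP]
212.5.193.172/32 212.5.193.172 PPPoE_1 0 [UP]
255.255.255.255/32 10.0.0.138 eth0 0 [UP]
10.0.0.138/32 10.0.0.138 eth0 0 [UP]
127.0.0.1/32 127.0.0.1 loop 0 [UP]
212.5.193.172/32 10.0.0.138 eth0 1 [UP]
10.0.0.1/32 10.0.0.138 eth0 1 [UP]
10.0.0.1/32 10.0.0.138* eth0 1 [UP]
192.168.30.0/24 10.0.0.1 eth0 1 [UP]
224.0.0.0/4 10.0.0.138* eth0 0 [UP]
0.0.0.0/0 212.5.193.172 PPPoE_1 1 [UP]
"""

def parse_rtlist(text):
    """Turn rtlist rows into (network, gateway, intf, metric, status) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or "/" not in parts[0]:
            continue  # skip header or blank lines
        dest, gw, intf, metric, status = parts[:5]
        # the trailing '*' is only a display marker on this router; strip it
        routes.append((ipaddress.ip_network(dest), ipaddress.ip_address(gw.rstrip("*")),
                       intf, int(metric), status))
    return routes

def lookup(routes, dst):
    """Longest-prefix match over UP routes; lower metric wins a tie. Returns (gateway, intf)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, intf, metric, status in routes:
        if status != "[UP]" or dst not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3]):
            best = (net, gw, intf, metric)
    return None if best is None else (str(best[1]), best[2])

def without_static_route(routes, net="192.168.30.0/24"):
    """The router's table as it was before the static route from the accepted answer."""
    return [r for r in routes if r[0] != ipaddress.ip_network(net)]

def gateway_on_link(host_cidr, gateway):
    """A default gateway is only usable if it lies in the host's own subnet (the WS mistake)."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network

if __name__ == "__main__":
    table = parse_rtlist(RTLIST)
    print("reply to WS, with static route   :", lookup(table, "192.168.30.1"))
    print("reply to WS, without static route:", lookup(without_static_route(table), "192.168.30.1"))
    print("WS gateway 192.168.30.220 on-link:", gateway_on_link("192.168.30.1/24", "192.168.30.220"))
    print("WS gateway 10.0.0.138 on-link    :", gateway_on_link("192.168.30.1/24", "10.0.0.138"))
```

Without the 192.168.30.0/24 entry the only match for the web server's address is the default route, so the NAT'ed packet leaves again via PPPoE_1, exactly the loop the accepted answer describes.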
