Solved

Astaro Firewall

Posted on 2011-09-20
808 Views
Last Modified: 2012-05-12
I have an Astaro ASG V7 firewall.  When we use the Masquerading NAT only, we cannot access our own web servers, which sit behind the ASG.  When I set up a SNAT rule and map it to Network>Interfaces>Additional Addresses, I can access our web servers.  Of course we can access our web servers from inside using the private IPs, but not by DNS name, which resolves to the public IP.

This description is our inside network only, it does not affect external traffic from the internet.

Any ideas?
Question by:Mick Finley
9 Comments
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 36586295
Sorry, first I have to check if I understand you right...
- you are connected to interface LAN (eth0)
- web servers are connected to DMZ?? (eth?)
- Internet resides at WAN (eth?)
right?

You are able to ping (or access) the web server with its private IP but not with the public IP?

You masquerade traffic from "inside network" with "external interface"?
Does the DMZ use private (or public) IP addresses?
In the packet filter live log you don't see your traffic to the web server being blocked?
Is the HTTP proxy activated?
You have a NAT rule for publishing the web server to the internet?
- with auto packet filter enabled?

Please post this NAT rule.
 
LVL 6

Author Comment

by:Mick Finley
ID: 36586923
No DMZ...No HTTP Proxy

Network>Interfaces:
     Internal-eth0-private ip
     External-eth1-public ip, WAN interface....by default all internet traffic Masquerades from this ip....222.x.x.x, GW on external cisco router

Network>Additional Addresses
      Web Server1-Assigned to external-eth1, public ip----111.x.x.x, GW on external cisco router[External WebServer Address]

Network Security>Packet Filter:
      Any-->HTTP-->WebServer

Network Security>NAT:
      DNAT--WebServer-->HTTP-->External [WebServer WebServer Address]

Auto packet filter not enabled

I don't see the traffic blocked
 
LVL 6

Author Comment

by:Mick Finley
ID: 36586938
Internal traffic is multiple VLANs, each of which has its own SNAT public IP assigned to eth1, the WAN interface.  If there is a SNAT rule for the VLAN, then the web server is accessible.  If the internal VLAN defaults to the Masquerade NAT, the web server is not accessible.
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 36595845
Sorry - I think I don't understand your NAT rules :-(

- internally (at eth0) you use some VLANs with private IPs (like 10.x.x.x)
- externally you connect to your ISP with 222.0.0.1; the default GW is 222.0.0.254 (the Cisco router)
- all internal (or all?) traffic leaving this interface is masqueraded as 222.0.0.1 (you see this address within http://myip.dk ?)

- you bound an additional/different IP to your external interface (111.0.0.1 and not 222.0.0.2?)
- if you bound the 222.0.0.2 address to external-eth1 -- where does the web server reside?
- if the web server resides at 10.0.1.222 (one of the private internal VLANs), how do you resolve the web server within DNS?

Isn't your DNAT rule web server's external additional IP+HTTP --> internal (real) web server IP+HTTP ???
 
LVL 6

Author Comment

by:Mick Finley
ID: 36903810
We have 4 class C public address networks.

By default all internal traffic would masquerade out as 222.x.x.x if I had only the masquerade rule.

I have additional public IPs for each VLAN on the internal network to NAT, using the 'Additional Addresses'. Example:
VLAN 2=192.168.2.0/24....SNAT-->222.1.x.x
VLAN 3=192.168.3.0/24...SNAT-->222.2.x.x
These public IP addresses are what you would see if you were on the selected VLANs and checked with myip.dk.  Networks/VLANs which use SNAT can access the website.

If there is not a specific SNAT rule for a network, then 222.x.x.x is what you would see from myip.dk, and an internal user would not be able to access the internal web server.

The web server's public IP address is 223.x.x.x, which DNATs to an internal address of 192.168.1.x.
 
LVL 24

Accepted Solution

by:
Dirk Kotte earned 2000 total points
ID: 37058297
Hi,
I have asked the Astaro support team - this behavior is by design.
There should be a document within the knowledge base.
 
LVL 6

Author Comment

by:Mick Finley
ID: 37457256
I have found an article from Astaro which states it is by design and requires separate DNS entries which point to the internal/private IPs of the websites. The only way around it is using SNAT instead of MASQUERADING, which isn't a problem in itself.  I was looking for an answer to get around what I already knew.

I forgot about this question being out here, and it was several months ago when I read the article.  I'm not sure where it was or I'd post the link.

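The behaviour the thread ends on (DNAT works from the internet, internal clients reach the published address only when their VLAN is SNATed rather than masqueraded) is the classic hairpin, or "reflected", NAT case. The script below is an added illustration and is not Astaro's configuration or rule syntax: ASG V7 runs on Linux netfilter, but how its GUI maps Masquerading/SNAT/DNAT rules onto netfilter is not shown on this page, so the rules are written as a generic iptables router would carry them. Interface names and addresses follow the thread where it gives them and are otherwise assumed placeholders (222.1.0.2 for VLAN 2's SNAT address, 223.0.0.10 and 192.168.1.10 for the web server's public and private addresses). With IPT left at its default of echo the script only prints the rules.

```shell
#!/bin/sh
# Hairpin (reflected) NAT spelled out as plain netfilter rules.
# Added illustration, not Astaro's own configuration or rule syntax.
# All addresses are assumed placeholders modelled on the thread.
# IPT defaults to "echo" so running this only prints the rules; set
# IPT=iptables to apply them on a Linux router you administer.

IPT="${IPT:-echo}"
WAN=eth1                     # external interface (the thread's "External-eth1")
LAN=eth0                     # internal interface carrying the client VLANs
VLAN2_NET=192.168.2.0/24     # an internal client VLAN from the thread
VLAN2_SNAT=222.1.0.2         # public address VLAN 2 is SNATed to (assumed value)
PUBLIC_WEB=223.0.0.10        # published web server address (assumed value)
PRIVATE_WEB=192.168.1.10     # real web server address (assumed value)

# The question's starting point: the published server is DNATed only for
# traffic arriving on the external interface, and everything leaving via the
# external interface is masqueraded. A client on VLAN 2 connecting to
# 223.0.0.10 never matches the DNAT (wrong ingress interface) and is not
# masqueraded either (it is not leaving via eth1); since 223.0.0.10 is an
# address bound to the firewall, the packet ends up at the firewall itself
# rather than at the web server.
masquerade_only() {
    $IPT -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC_WEB" -p tcp --dport 80 \
        -j DNAT --to-destination "$PRIVATE_WEB"
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Hairpin variant. Two additions are needed:
#  1. DNAT connections to the public address that arrive on the LAN side too;
#  2. SNAT those hairpinned connections to an address the web server will
#     route back through the firewall (here VLAN 2's public SNAT address,
#     which is the role the per-VLAN SNAT rule plays in the thread's working
#     setup). Without step 2 the server may answer the client directly from
#     192.168.1.10; the client opened a connection to 223.0.0.10, so its TCP
#     stack has no socket for that reply and resets the connection.
hairpin_nat() {
    masquerade_only
    $IPT -t nat -A PREROUTING -i "$LAN" -s "$VLAN2_NET" -d "$PUBLIC_WEB" \
        -p tcp --dport 80 -j DNAT --to-destination "$PRIVATE_WEB"
    $IPT -t nat -A POSTROUTING -s "$VLAN2_NET" -d "$PRIVATE_WEB" \
        -p tcp --dport 80 -j SNAT --to-source "$VLAN2_SNAT"
}

# Print the complete hairpin rule set.
hairpin_nat
```

The alternative the author found in Astaro's article, split DNS, sidesteps the problem entirely: an internal resolver answers the site's name with 192.168.1.10, so internal clients never send traffic to the public address and the firewall does no NAT at all for them. Both approaches are legitimate; the SNAT route keeps one DNS zone but hides the real client address from the web server's logs, which is worth remembering when you later read those logs during an investigation.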
 
LVL 33

Expert Comment

by:digitap
ID: 37693328
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.