Solved

Astaro Firewall

Posted on 2011-09-20
784 Views
Last Modified: 2012-05-12
I have an Astaro ASG V7 firewall. When we use the Masquerading NAT only, we cannot access our own web servers, which sit behind the ASG. When I set up a SNAT rule and map it to Network>Interfaces>Additional Addresses, I can access our web servers. Of course we can access our web servers from inside using the private IPs, but not by DNS name, which is the public IP.

This description covers our inside network only; it does not affect external traffic from the internet.

Any ideas?
Question by: mickfinley
9 Comments
LVL 23

Expert Comment

by: Dirk Kotte
Sorry, first I have to check if I understand you right...
- you are connected to interface LAN (eth0)
- web servers are connected to DMZ?? (eth?)
- Internet resides at WAN (eth?)
right?

You are able to ping (or access) the web server with its private IP but not with the public IP?

You masquerade traffic from "inside network" with "external interface"?
Does the DMZ use private (or public) IP addresses?
In the packet filter live log you don't see your traffic to the web server being blocked?
Is the HTTP proxy activated?
Do you have a NAT rule for publishing the web server to the internet?
- with auto packet filter enabled?

Please post this NAT rule.
LVL 6

Author Comment

by: mickfinley
No DMZ... No HTTP proxy.

Network>Interfaces:
     Internal - eth0 - private IP
     External - eth1 - public IP, WAN interface.... by default all internet traffic masquerades from this IP.... 222.x.x.x, GW on external Cisco router

Network>Additional Addresses:
      Web Server1 - assigned to External-eth1, public IP ---- 111.x.x.x, GW on external Cisco router [External WebServer Address]

Network Security>Packet Filter:
      Any --> HTTP --> WebServer

Network Security>NAT:
      DNAT -- WebServer --> HTTP --> External [WebServer WebServer Address]

Auto packet filter not enabled.

I don't see the traffic blocked.
LVL 6

Author Comment

by: mickfinley
Internal traffic is multiple VLANs, each of which has its own SNAT public IP assigned to eth1, the WAN interface. If there is a SNAT rule for the VLAN, then the web server is accessible. If the internal VLAN defaults to the Masquerade NAT, the web server is not accessible.
LVL 23

Expert Comment

by: Dirk Kotte
Sorry - I think I don't understand your NAT rules :-(

- internally (at eth0) you use some VLANs with private IPs (like 10.x.x.x)
- externally you connect to your ISP with 222.0.0.1; default GW is 222.0.0.254 (the Cisco router)
- all internal (or all?) traffic leaving this interface is masqueraded as 222.0.0.1 (you see this address at http://myip.dk ?)

- you bound an additional/different IP to your external interface (111.0.0.1 and not 222.0.0.2?)
- if you bound the 222.0.0.2 address to External-eth1 -- where does the web server reside?
- if the web server resides at 10.0.1.222 (one of the private internal VLANs), how do you resolve the web server within DNS?

Is your DNAT rule not "web server's external additional IP + HTTP --> internal (real) web server IP + HTTP"???
LVL 6

Author Comment

by: mickfinley
We have 4 class C public address networks.

By default all internal traffic would masquerade out as 222.x.x.x, if I had only the masquerade rule.

I have additional public IPs for each VLAN on the internal network to NAT, using the 'Additional Addresses', for example:
VLAN 2 = 192.168.2.0/24 .... SNAT --> 222.1.x.x
VLAN 3 = 192.168.3.0/24 .... SNAT --> 222.2.x.x
These public IP addresses are what you would see if you were on the selected VLANs and checked with myip.dk. Networks/VLANs which use SNAT can access the website.

If there is not a specific SNAT rule for a network, then 222.x.x.x is what you would see from myip.dk, and an internal user would not be able to access the internal web server.

The web server's public IP address is 223.x.x.x, which DNATs to an internal address of 192.168.1.x.
LVL 23

Accepted Solution

by: Dirk Kotte (earned 500 total points)
Hi,
I have asked the Astaro support team - this behavior is by design.
There should be a document within the knowledgebase.
LVL 6

Author Comment

by: mickfinley
I have found an article from Astaro which states it is by design and requires separate DNS entries which point to the internal/private IP of the websites. The only way around it is using SNAT instead of MASQUERADING, which isn't a problem in itself. I was looking for an answer to get around what I already knew.

I forgot about this question being out here, and it was several months ago when I read the article. I'm not sure where it was or I'd post the link.
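The situation described in this thread, an internal client reaching a DNAT-published server through its public address, is the hairpin (NAT loopback) case. The model below is an added example written for this page; it is not Astaro code, it is not from any participant in the thread, and it does not claim to reproduce the ASG's rule handling. It assumes the textbook hairpin failure: with destination NAT alone the server's reply is addressed to the client's private IP and never passes the NAT state again, so the client receives a reply from the private server address rather than the public one it connected to and drops it. Once the internal source is also translated (the per-VLAN SNAT rule from the thread), the reply is addressed to the firewall, which reverses both translations. The split-DNS workaround from the Astaro article the author mentions is modelled too. All addresses, the ports and the host name are constructed (RFC 5737 documentation ranges stand in for the public addresses quoted above).

```python
"""Hairpin (NAT loopback) model: DNAT alone vs. DNAT plus SNAT of the internal
source, and the split-DNS alternative.

Added example for illustration only: not Astaro code, does not reproduce the
ASG's rule handling.  Addresses are constructed; RFC 5737 documentation ranges
stand in for the public addresses quoted in the thread."""
from __future__ import annotations

from dataclasses import dataclass, replace

CLIENT = "192.168.2.50"        # internal client on VLAN 2 (constructed)
WEB_PUBLIC = "203.0.113.10"    # published address of the web server (stand-in for 223.x.x.x)
WEB_INTERNAL = "192.168.1.10"  # real address of the web server (stand-in for 192.168.1.x)
SNAT_ADDR = "203.0.113.2"      # per-VLAN SNAT address bound to eth1 (constructed)
HOSTNAME = "www.example.test"  # constructed DNS name of the web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def reply(self) -> Packet:
        """The answer a host sends: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.dport, self.sport)


class Firewall:
    """DNAT for the published service; optionally SNAT internal sources too."""

    def __init__(self, snat_internal: bool) -> None:
        self.snat_internal = snat_internal
        # Connection tracking: expected reply 4-tuple -> original request.
        self.conntrack: dict[tuple, Packet] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Client -> server direction: apply DNAT (and SNAT if enabled)."""
        if (pkt.dst, pkt.dport) != (WEB_PUBLIC, 80):
            return pkt                       # not the published service: untouched
        out = replace(pkt, dst=WEB_INTERNAL)
        if self.snat_internal:
            out = replace(out, src=SNAT_ADDR)
        self.conntrack[(out.dst, out.src, out.dport, out.sport)] = pkt
        return out

    def inbound(self, reply: Packet) -> Packet:
        """Server -> client direction: reverse both translations if the flow is known."""
        orig = self.conntrack.get((reply.src, reply.dst, reply.sport, reply.dport))
        return orig.reply() if orig else reply


def resolve(name: str, from_internal: bool) -> str:
    """Split-horizon DNS: internal clients get the private address, external
    clients the public one (the approach the Astaro article describes)."""
    zone = {HOSTNAME: {"internal": WEB_INTERNAL, "external": WEB_PUBLIC}}
    return zone[name]["internal" if from_internal else "external"]


def client_request(snat_internal: bool, split_dns: bool) -> tuple[str, str]:
    """Internal client opens a connection to the web server by name.

    Returns (status, source address the client sees on the reply)."""
    fw = Firewall(snat_internal)
    target = resolve(HOSTNAME, from_internal=split_dns)
    request = Packet(CLIENT, target, 40000, 80)
    reply = fw.outbound(request).reply()     # what the server sends back
    if reply.dst == SNAT_ADDR:
        # The SNAT address lives on the firewall, so the reply must cross it.
        reply = fw.inbound(reply)
    # Otherwise the reply is addressed to the client's private IP and, in this
    # model, reaches it without passing the NAT state again (assumption).
    expected = request.reply()               # client expects target:80 -> CLIENT:40000
    status = "accepted" if reply == expected else "rejected"
    return status, reply.src


if __name__ == "__main__":
    scenarios = (
        ("masquerade only (DNAT, no SNAT)", False, False),
        ("DNAT + SNAT of the VLAN", True, False),
        ("split DNS, direct to private IP", False, True),
    )
    for label, snat, split in scenarios:
        status, seen = client_request(snat, split)
        print(f"{label:34} -> {status}; client sees reply from {seen}")
```

Running it prints one line per scenario: the masquerade-only case is rejected because the client connected to 203.0.113.10 but the reply arrives from 192.168.1.10, while the SNAT and split-DNS cases are accepted. The model deliberately reduces NAT to a 4-tuple lookup; it is enough to show why a hairpin needs the source translated as well, or no hairpin at all.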
LVL 33

Expert Comment

by: digitap
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.