Solved

Astaro Firewall

Posted on 2011-09-20
Last Modified: 2012-05-12
I have an Astaro ASG V7 firewall.  When we use the Masquerading NAT only, we can not access our own web servers, which sit behind the ASG.  When I setup a SNAT rule and map it to Network>Interfaces>Additional Addresses, I can access our web servers.  Of course we can access our web servers from inside using the private IP's, but not by DNS name which is public IP.

This description is our inside network only, it does not affect external traffic from the internet.

Any ideas?
Question by:mickfinley
LVL 23

Expert Comment

by:Dirk Kotte
ID: 36586295
Sorry, first I have to check if I understand you right...
- you are connected to interface LAN (eth0)
- web servers are connected to DMZ?? (eth?)
- Internet resides at WAN (eth?)
Right?

You are able to ping (or access) the web server with its private IP but not with the public IP?

You masquerade traffic from "inside network" with "external interface"?
Does the DMZ use private (or public) IP addresses?
In the packet filter live log you don't see your traffic to the web server blocked?
Is the HTTP proxy activated?
You have a NAT rule for publishing the web server to the internet?
- with auto-packet-filter enabled?

Please post this NAT rule.
LVL 6

Author Comment

by:mickfinley
ID: 36586923
No DMZ...No HTTP Proxy

Network>Interfaces:
     Internal-eth0-private ip
     External-eth1-public ip, WAN interface....by default all internet traffic Masquerades from this ip....222.x.x.x, GW on external cisco router

Network>Additional Addresses
      Web Server1-Assigned to external-eth1, public ip----111.x.x.x, GW on external cisco router[External WebServer Address]

Network Security>Packet Filter:
      Any-->HTTP-->WebServer

Network Security>NAT:
      DNAT--WebServer-->HTTP-->External [WebServer WebServer Address]

auto-packet-filter not enabled

I don't see the traffic blocked

LVL 6

Author Comment

by:mickfinley
ID: 36586938
Internal traffic is multiple VLANs, each of which has its own SNAT public IP assigned to eth1, the WAN interface.  If there is a SNAT rule for the VLAN, then the web server is accessible.  If the internal VLAN defaults to the Masquerade NAT, the web server is not accessible.
LVL 23

Expert Comment

by:Dirk Kotte
ID: 36595845
Sorry - I think I don't understand your NAT rules :-(

- internally (at eth0) you use some VLANs with private IPs (like 10.x.x.x)
- externally you connect to your ISP with 222.0.0.1; the default GW is 222.0.0.254 (the cisco router)
- all internal (or all?) traffic leaving this interface is masqueraded as 222.0.0.1 (you see this address within http://myip.dk ?)

- you bound an additional/different IP to your external interface (111.0.0.1 and not 222.0.0.2?)
- if you bound the 222.0.0.2 address to the external-eth1 -- where does the web server reside?
- if the web server resides at 10.0.1.222 (one of the private internal VLANs), how do you resolve the web server within DNS?

Isn't your DNAT rule: web server's external additional IP+HTTP --> internal (real) web server IP+HTTP ???

LVL 6

Author Comment

by:mickfinley
ID: 36903810
We have 4 class C public address networks.

By default all internal traffic would masquerade out as 222.x.x.x, if I had only the masquerade rule.

I have additional public IPs for each VLAN on the internal network to NAT, using the 'Additional Addresses' example:
VLAN 2=192.168.2.0/24....SNAT-->222.1.x.x
VLAN 3=192.168.3.0/24...SNAT-->222.2.x.x
These public IP addresses are what you would see if you were on the selected VLANs and checked with myip.dk.  Networks/VLANs which use SNAT can access the website.

If there is not a specific SNAT rule for a network, then 222.x.x.x is what you would see from myip.dk and an internal user would not be able to access the internal webserver.

The web server's public IP address is 223.x.x.x, which DNATs to an internal address of 192.168.1.x.
LVL 23

Accepted Solution

by:
Dirk Kotte earned 500 total points
ID: 37058297
Hi,
I have asked the Astaro support team - this behavior is by design.
There should be a document within the knowledgebase.
LVL 6

Author Comment

by:mickfinley
ID: 37457256
I have found an article from Astaro which states it is by design and requires separate DNS entries which point to the internal/private IP of the websites. The only way around it is using SNAT instead of MASQUERADING, which isn't a problem in itself.  I was looking for an answer to get around what I already knew.

I forgot about this question being out here and it was several months ago when I read the article.  I'm not sure where it was or I'd post the link.

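The thread ends with two observations: an internal network reaches the published web server by its public name only when it has its own SNAT rule (the masquerade default does not), and the documented alternative is a split DNS that hands internal clients the private address. The script below is an added example, not code from the thread or from Astaro: it encodes those two reported rules as a small audit of which internal networks can reach the server, so the NAT table can be checked before a client complains. The addresses, the hostname and the rule sets are constructed for the example and stand in for the 222.x/223.x/192.168.x values in the thread.

```python
# Added example: audit hairpin reachability of a published web server under the
# NAT behaviour reported in the thread. Rule 1 (reported): a client reaches the
# server's public IP only if its network has an SNAT rule; networks that fall
# back to masquerading do not. Rule 2 (reported workaround): an internal DNS
# entry pointing at the private IP makes the client connect directly, no NAT.
# All addresses and the hostname are constructed placeholders (RFC 5737 ranges).
import ipaddress

MASQUERADE_ADDR = "198.51.100.1"                 # external interface address (assumed)
SNAT_RULES = {                                   # VLAN network -> additional public address
    "192.168.2.0/24": "198.51.100.2",
    "192.168.3.0/24": "198.51.100.3",
}
DNAT_RULES = {"203.0.113.10": "192.168.1.10"}    # web server public IP -> private IP
PUBLIC_DNS = {"www.example.test": "203.0.113.10"}
INTERNAL_DNS = {"www.example.test": "192.168.1.10"}  # split-DNS override (assumed name)


def source_translation(client_ip):
    """Public address an internet host sees for this client (what myip.dk would show)."""
    ip = ipaddress.ip_address(client_ip)
    for net, snat_addr in SNAT_RULES.items():
        if ip in ipaddress.ip_network(net):
            return snat_addr                     # explicit SNAT rule wins
    return MASQUERADE_ADDR                       # otherwise the masquerade default


def reaches_by_public_ip(client_ip, public_ip):
    """Rule 1: published server is reachable by public IP only from SNAT'd networks."""
    if public_ip not in DNAT_RULES:
        return False                             # nothing published on that address
    return source_translation(client_ip) != MASQUERADE_ADDR


def resolve(name, use_internal_dns):
    return (INTERNAL_DNS if use_internal_dns else PUBLIC_DNS).get(name)


def reaches_by_name(client_ip, name, split_dns=False):
    """Rule 2: a private DNS answer bypasses NAT entirely; a public one goes through rule 1."""
    target = resolve(name, split_dns)
    if target in DNAT_RULES.values():
        return True                              # direct connection to the private address
    return reaches_by_public_ip(client_ip, target)


def audit(networks, name, split_dns=False):
    """Map each internal network (its first host) to (apparent public source, reaches server)."""
    result = {}
    for net in networks:
        host = str(ipaddress.ip_network(net)[1])
        result[net] = (source_translation(host), reaches_by_name(host, name, split_dns))
    return result
```

Running `audit(["192.168.2.0/24", "192.168.4.0/24"], "www.example.test")` flags 192.168.4.0/24 as masqueraded and unreachable; passing `split_dns=True` shows every network reaching the server, which is the outcome the Astaro article the author cites describes.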
LVL 33

Expert Comment

by:digitap
ID: 37693328
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.