Astaro Firewall

I have an Astaro ASG V7 firewall.  When we use the Masquerading NAT only, we can not access our own web servers, which sit behind the ASG.  When I setup a SNAT rule and map it to Network>Interfaces>Additional Addresses, I can access our web servers.  Of course we can access our web servers from inside using the private IP's, but not by DNS name which is public IP.

This description is our inside network only, it does not affect external traffic from the internet.

Any ideas?
LVL 6
Mick FinleyNetwork EngineerAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Dirk KotteConnect With a Mentor SECommented:
hi,
i have asked the astaro support team - this behavior is by design.
there should be a document within the knowledgebase.
0
 
Dirk KotteSECommented:
sorry, first i have to check if i understand you right...
- you are connected to inteface LAN (eth0)
- Webserver are connected to DMZ?? (eth?)
- Internet reside at WAN (eth?)
right?

you are able to ping (or access) the web-server with his private IP but not with the public ip?

you masqerade traffic from "inside network" with "external inteface"?
dmz use privare (or public) IP addresses?
at the packetfilter live log you dont see blocked your traffic to the webserver?
are the HTTP proxy activated?
you have a nat-rule for publishing the web-server to the internt?
- with auto-packet-filter enabled?

please post this NAT rule.
0
 
Mick FinleyNetwork EngineerAuthor Commented:
No DMZ...No HTTP Proxy

Network>Interfaces:
     Internal-eth0-private ip
     External-eth1-public ip, WAN interface....by default all internet traffic Masquerades from this ip....222.x.x.x, GW on external cisco router

Network>Additional Addresses
      Web Server1-Assigned to external-eth1, public ip----111.x.x.x, GW on external cisco router[External WebServer Address]

Network Security>Packet Filter:
      Any-->HTTP-->WebServer

Network Security>NAT:
      DNAT--WebServer-->HTTP-->External [WebServer WebServer Address]

auto-packet-filter not enabled

I don't see the traffic blocked





0
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

 
Mick FinleyNetwork EngineerAuthor Commented:
Internal Traffic is multiple VLANS, each of which have it's own SNAT public ip assigned to eth1, WAN interface.  If there is a SNAT rule for the vlan, then web server is accessible.  If internal vlan defaults with the Masquerade NAT, web server is not accessible.
0
 
Dirk KotteSECommented:
sorry - i think i dont understand your nat rules :-(

- intern (at eth0) you use some vlans with private ip`s (like 10.x.x.x)  
- extern you connext to your ISP with 222.0.0.1  defGW is 222.0.0.254 (the cisco router)
- all internal (or all?) traffic leaving this interface are masqueraded as 222.0.0.1 (you see this address within http://myip.dk ?)

- you bound an additional/different ip to your external interface (111.0.0.1 and not 222.0.0.2?)
- if you bound the 222.0.0.2 address to the external-eth1 -- where does the web-server reside?
- if the webserver reside at 10.0.1.222 (one of the private internal vlans) how do you resolve the webserver within dns?

your DNAT rule are not Webservers external additional ip+HTTP --> internal (real) webserver-ip+HTTP ???


0
 
Mick FinleyNetwork EngineerAuthor Commented:
We have 4 class C public address networks.

By default all internal traffic would masquerade out as 222.x.x.x, if I had only the masquerade rule.

I have additional public IPs for each VLAN on the internal network to NAT, using the 'Additional Addresses' example:
VLAN 2=192.168.2.0/24....SNAT-->222.1.x.x
VLAN 3=192.168.3.0/24...SNAT-->222.2.x.x
These public IP address are what you would see if you were on the selected vlans and checked with myip.dk.  Networks/VLANs which use SNAT can access website.

If there is not a specific SNAT rule for a network, then 222.x.x.x is what you would see from myip.dk and an internal user would not be able to access the internal webserver.

The webservers public ip address is 223.x.x.x which DNAT's to an internal address of 192.168.1.x
0
 
Mick FinleyNetwork EngineerAuthor Commented:
I have found an article from Astaro which states it is by design and requires separate DNS entries which point to the internal/private ip of the websites. The only way around it is using SNAT instead of MASQUERADING, which isn't a problem in itself.  I was looking for an answer to get around what I already knew.

I forgot about this question being out here and it was several months ago when I read the article.  I'm not sure where it was or I'd post the link.

0
 
digitapCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.