Solved

Astaro Firewall

Posted on 2011-09-20
9
800 Views
Last Modified: 2012-05-12
I have an Astaro ASG V7 firewall.  When we use the Masquerading NAT only, we can not access our own web servers, which sit behind the ASG.  When I setup a SNAT rule and map it to Network>Interfaces>Additional Addresses, I can access our web servers.  Of course we can access our web servers from inside using the private IP's, but not by DNS name which is public IP.

This description is our inside network only, it does not affect external traffic from the internet.

Any ideas?
0
Comment
Question by:mickfinley
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
9 Comments
 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 36586295
sorry, first i have to check if i understand you right...
- you are connected to inteface LAN (eth0)
- Webserver are connected to DMZ?? (eth?)
- Internet reside at WAN (eth?)
right?

you are able to ping (or access) the web-server with his private IP but not with the public ip?

you masqerade traffic from "inside network" with "external inteface"?
dmz use privare (or public) IP addresses?
at the packetfilter live log you dont see blocked your traffic to the webserver?
are the HTTP proxy activated?
you have a nat-rule for publishing the web-server to the internt?
- with auto-packet-filter enabled?

please post this NAT rule.
0
 
LVL 6

Author Comment

by:mickfinley
ID: 36586923
No DMZ...No HTTP Proxy

Network>Interfaces:
     Internal-eth0-private ip
     External-eth1-public ip, WAN interface....by default all internet traffic Masquerades from this ip....222.x.x.x, GW on external cisco router

Network>Additional Addresses
      Web Server1-Assigned to external-eth1, public ip----111.x.x.x, GW on external cisco router[External WebServer Address]

Network Security>Packet Filter:
      Any-->HTTP-->WebServer

Network Security>NAT:
      DNAT--WebServer-->HTTP-->External [WebServer WebServer Address]

auto-packet-filter not enabled

I don't see the traffic blocked





0
 
LVL 6

Author Comment

by:mickfinley
ID: 36586938
Internal Traffic is multiple VLANS, each of which have it's own SNAT public ip assigned to eth1, WAN interface.  If there is a SNAT rule for the vlan, then web server is accessible.  If internal vlan defaults with the Masquerade NAT, web server is not accessible.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 24

Expert Comment

by:Dirk Kotte
ID: 36595845
sorry - i think i dont understand your nat rules :-(

- intern (at eth0) you use some vlans with private ip`s (like 10.x.x.x)  
- extern you connext to your ISP with 222.0.0.1  defGW is 222.0.0.254 (the cisco router)
- all internal (or all?) traffic leaving this interface are masqueraded as 222.0.0.1 (you see this address within http://myip.dk ?)

- you bound an additional/different ip to your external interface (111.0.0.1 and not 222.0.0.2?)
- if you bound the 222.0.0.2 address to the external-eth1 -- where does the web-server reside?
- if the webserver reside at 10.0.1.222 (one of the private internal vlans) how do you resolve the webserver within dns?

your DNAT rule are not Webservers external additional ip+HTTP --> internal (real) webserver-ip+HTTP ???


0
 
LVL 6

Author Comment

by:mickfinley
ID: 36903810
We have 4 class C public address networks.

By default all internal traffic would masquerade out as 222.x.x.x, if I had only the masquerade rule.

I have additional public IPs for each VLAN on the internal network to NAT, using the 'Additional Addresses' example:
VLAN 2=192.168.2.0/24....SNAT-->222.1.x.x
VLAN 3=192.168.3.0/24...SNAT-->222.2.x.x
These public IP address are what you would see if you were on the selected vlans and checked with myip.dk.  Networks/VLANs which use SNAT can access website.

If there is not a specific SNAT rule for a network, then 222.x.x.x is what you would see from myip.dk and an internal user would not be able to access the internal webserver.

The webservers public ip address is 223.x.x.x which DNAT's to an internal address of 192.168.1.x
0
 
LVL 24

Accepted Solution

by:
Dirk Kotte earned 500 total points
ID: 37058297
hi,
i have asked the astaro support team - this behavior is by design.
there should be a document within the knowledgebase.
0
 
LVL 6

Author Comment

by:mickfinley
ID: 37457256
I have found an article from Astaro which states it is by design and requires separate DNS entries which point to the internal/private ip of the websites. The only way around it is using SNAT instead of MASQUERADING, which isn't a problem in itself.  I was looking for an answer to get around what I already knew.

I forgot about this question being out here and it was several months ago when I read the article.  I'm not sure where it was or I'd post the link.

0
 
LVL 33

Expert Comment

by:digitap
ID: 37693328
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question