Thanks Lonnie

This is essentially what I did except I put the actual eth interface in the route statement, e.g.

ip route add 192.168.6.0/24 via 172.30.10.2 dev eth2 src 172.30.10.1

The routing does work as I can access Astlinux from the firewall LAN but no Internet access.
Does the fact I used eth2 rather than $INT2IF break the firewall masquerading?

iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NAT_PREROUTING_CHAIN  all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:smtp to:192.168.5.11:25
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:192.168.5.10:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:www to:192.168.5.10:80
POST_NAT_PREROUTING_CHAIN  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere
MASQUERADE  all  --  192.168.5.0/24       !192.168.5.0/24
MASQUERADE  all  --  172.30.30.0/24       !172.30.30.0/24
MASQUERADE  all  --  172.30.10.0/24       !172.30.10.0/24
POST_NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere

Does this mean that 192.168.6.0/24 is not being NATed?

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
Date: Friday, 27 May 2016 at 11:47 PM
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Firewall forwarding

Hi Michael,

It sounds like you are on the correct path, but the devil is in the details, so let's talk details with an example.

Assume the Cisco firewall is connected to AstLinux's 1st LAN Interface:

AstLinux-LAN IPv4: 10.1.1.1  NetMask: 255.255.255.0

Assume the Cisco firewall has two interfaces (routed, no NAT):

AstLinux connected interface: 10.1.1.5/24  Gateway: 10.1.1.1
Cisco-LAN: 10.1.2.0/24

Then in AstLinux add a route using /mnt/kd/rc.elocal:

-- /mnt/kd/rc.elocal --
#!/bin/sh

. /etc/rc.conf

ip route add 10.1.2.0/24 via 10.1.1.5 dev $INTIF
--
(Note: use INT2IF if 2nd LAN Interface is used instead of 1st)

That is basically it, you will need to enable the DHCP server for the Cisco-LAN in the Cisco firewall.

Lonnie

PS: Alternatively it may be possible to treat the Cisco firewall as a Layer 2 transparent bridge with some Layer 3 proxy services for inspection/filtering, then the LAN would only be AstLinux's (10.1.1.0/24) and no added route would be needed. While easier from AstLinux's point of view (DHCP/DNS in one place) it would take more Cisco configuring.

On May 26, 2016, at 11:05 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:

> Hi group
>
> Ok I think I am missing something here as it seems simple but it is not
> working and I am pulling out my hair.
>
> I have an Astlinux appliance connected directly to the Public network where I
> am doing NAT(PAT).
> The customer wants to protect their data LAN by a Cisco ASA firewall so I
> have placed this behind Astlinux on a separate interface and set up a route
> using ip route pointing to the firewall outside interface.
> All NAT is turned off in the firewall and I am not getting any errors
> displayed for both boxes but I am still not getting any return packets on the
> firewall LAN. Short of port monitoring the interface to the firewall, I
> suspect the Astlinux NAT is not forwarding to the firewall's LAN subnet. Do I
> need to do anything to make this happen? Any other ideas?
>
> Regards
> Michael Knill
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
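The question Michael raises is whether 192.168.6.0/24 is masqueraded at all. A static route (whether written with dev eth2 or dev $INT2IF) only tells the kernel where to send packets; the nat table is a separate matter, and the MASQUERADE rules in his listing each match on a source subnet. A subnet that is only reachable through the Cisco firewall is therefore forwarded, but unless some MASQUERADE source covers it the packets leave the WAN side with their private source address and no reply ever comes back, which matches the symptom. The shell script below is an added example, not code from the thread or from the AstLinux project: it embeds the POSTROUTING chain exactly as Michael listed it (a constructed sample) and checks whether a given subnet is wholly covered by any MASQUERADE source. The rule it prints for an uncovered subnet mirrors the shape of the rules in the listing and is an assumption about the command-line form only; how AstLinux is meant to generate such a rule from its own firewall configuration is not covered by the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the AstLinux project): check whether a
# subnet routed through AstLinux is covered by any MASQUERADE source match.

# Constructed sample: the POSTROUTING chain exactly as listed in Michael's mail.
NAT_TABLE='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere
MASQUERADE  all  --  192.168.5.0/24       !192.168.5.0/24
MASQUERADE  all  --  172.30.30.0/24       !172.30.30.0/24
MASQUERADE  all  --  172.30.10.0/24       !172.30.10.0/24
POST_NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere'

# ip_to_int A.B.C.D -> the address as a 32-bit integer (192.168.6.0 -> 3232237056)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/PREFIX : succeeds if ADDR lies inside NET/PREFIX
in_subnet() {
    _addr=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# masq_covers NET/PREFIX : succeeds if some MASQUERADE rule's source column
# covers the whole subnet (rule prefix no longer than ours, and our network
# address inside the rule's network). Reads the listing from $NAT_TABLE.
masq_covers() {
    _want="$1"
    _hit=$(printf '%s\n' "$NAT_TABLE" | while read -r target proto opt src rest; do
        [ "$target" = MASQUERADE ] || continue
        case "$src" in
            anywhere|0.0.0.0/0) echo hit; break ;;   # catch-all rule
            */*) ;;                                  # already in CIDR form
            *) src="$src/32" ;;                      # a bare host address
        esac
        if [ "${src#*/}" -le "${_want#*/}" ] && in_subnet "${_want%/*}" "$src"; then
            echo hit
            break
        fi
    done)
    [ "$_hit" = hit ]
}

# missing_masq_rule NET/PREFIX : print a rule of the same shape as the listed
# ones. This is an assumed command-line form; AstLinux builds its rules from
# its own firewall configuration, which the thread does not cover.
missing_masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -j MASQUERADE\n' "$1" "$1"
}

# Report for subnets that appear in the thread, including the Cisco LAN
# (192.168.6.0/24) that is routed but, as the listing shows, not masqueraded.
for net in 192.168.5.0/24 172.30.10.0/24 192.168.6.0/24; do
    if masq_covers "$net"; then
        echo "$net: masqueraded"
    else
        echo "$net: NOT masqueraded; a rule like this is missing:"
        echo "    $(missing_masq_rule "$net")"
    fi
done
```

On a live box, replace the constructed NAT_TABLE with the real output of iptables -t nat -L POSTROUTING (add -v to also see the output interface, which the plain listing hides). The containment check is deliberately strict: a /16 is not reported as covered by a /24 rule, since only part of it would be masqueraded.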