Wow, I didn't realise that only locally connected networks were supported for 
NAT! This is certainly going to be a big issue for me moving forward. I REALLY 
don't want to do double NAT.

Can you add a parameter which the firewall uses to add/override the standard 
LAN masqueraded networks? 
Most firewalls require you to specify the NATed networks!

Regards
Michael Knill
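An added check, not from this thread or from the AstLinux project, that makes the diagnosis below mechanical: it parses the `iptables -t nat -L` listing Lonnie quotes (a constructed copy of the relevant chains is embedded), collects the source networks of the MASQUERADE rules in POSTROUTING, and reports whether a LAN sitting behind the routed Cisco (192.168.6.0/24 in the thread) is covered by any of them. A second helper works through Lonnie's "subnets that add up" idea: given the Cisco WAN subnet and Cisco LAN subnet, it finds the smallest single prefix containing both and how many addresses that prefix would sweep in that belong to neither. Function names are my own.

```python
# Added example (not from the AstLinux thread or the AstLinux project): parse an
# `iptables -t nat -L` listing, find which source networks actually get
# MASQUERADEd, and check whether a LAN behind a routed firewall is among them.
import ipaddress
import re

# Constructed copy of the listing quoted in the thread, trimmed to the chains
# that matter for the question (PREROUTING and POSTROUTING).
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NAT_PREROUTING_CHAIN  all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:smtp to:192.168.5.11:25

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere
MASQUERADE  all  --  192.168.5.0/24      !192.168.5.0/24
MASQUERADE  all  --  172.30.30.0/24      !172.30.30.0/24
MASQUERADE  all  --  172.30.10.0/24      !172.30.10.0/24
POST_NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere
"""


def masqueraded_sources(listing):
    """Source networks of MASQUERADE rules in the POSTROUTING chain.

    Rules whose source is 'anywhere' or negated ('!x.x.x.x/n') are skipped;
    the AstLinux-generated rules in the thread are all plain positive matches.
    """
    nets = []
    chain = None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        fields = line.split()
        if chain != "POSTROUTING" or len(fields) < 5 or fields[0] != "MASQUERADE":
            continue
        src = fields[3]
        if src == "anywhere" or src.startswith("!"):
            continue
        nets.append(ipaddress.ip_network(src, strict=False))
    return nets


def is_masqueraded(listing, lan):
    """True if every address of `lan` falls inside some MASQUERADE source match."""
    lan = ipaddress.ip_network(lan, strict=False)
    return any(lan.subnet_of(net) for net in masqueraded_sources(listing))


def covering_supernet(wan_subnet, lan_subnet):
    """Smallest single prefix that contains both (disjoint) subnets.

    Returns (supernet, extra) where `extra` is the number of addresses in the
    supernet that belong to neither input. extra == 0 means the two subnets
    really "add up" to one prefix that a single masquerade match could cover;
    a large value means a supernet would silently widen the NAT source match.
    """
    a = ipaddress.ip_network(wan_subnet, strict=False)
    b = ipaddress.ip_network(lan_subnet, strict=False)
    if a.overlaps(b):
        raise ValueError("subnets overlap; nothing to add up")
    net = a
    while not b.subnet_of(net):
        net = net.supernet()
    extra = net.num_addresses - a.num_addresses - b.num_addresses
    return net, extra


if __name__ == "__main__":
    for lan in ("192.168.5.0/24", "172.30.10.0/24", "192.168.6.0/24"):
        state = "masqueraded" if is_masqueraded(SAMPLE_NAT_LISTING, lan) else "NOT masqueraded"
        print(lan, state)
    # The thread's real numbers: Cisco WAN subnet and Cisco LAN subnet do not add up.
    print(covering_supernet("172.30.10.0/24", "192.168.6.0/24"))
    # Lonnie's earlier worked example: 10.1.1.0/24 and 10.1.2.0/24 need a /22 with 512 spare addresses.
    print(covering_supernet("10.1.1.0/24", "10.1.2.0/24"))
    # Constructed pair that does add up to a single /23.
    print(covering_supernet("10.1.2.0/24", "10.1.3.0/24"))
```

Run against the quoted listing, `is_masqueraded` says yes for the three directly connected LANs and no for 192.168.6.0/24, which is exactly the situation Lonnie describes: packets from the Cisco LAN reach eth2 and leave without a matching POSTROUTING MASQUERADE source. The `covering_supernet` figures show why the "add up" trick needs the subnets chosen up front: 172.30.10.0/24 and 192.168.6.0/24 only share 128.0.0.0/1, whereas adjacent /24s on an even boundary collapse to one /23 with no stray addresses.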






-----Original Message-----
From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
Date: Saturday, 28 May 2016 at 11:39 AM
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Firewall forwarding


On May 27, 2016, at 7:17 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> 
wrote:

> Thanks Lonnie
> 
> This is essentially what I did except I put the actual eth interface in the 
> route statement, e.g. ip route add 192.168.6.0/24 via 172.30.10.2 dev eth2 src 172.30.10.1
> The routing does work as I can access Astlinux from the firewall LAN but no 
> Internet access.

Try without the src option; it should default to the correct 'src' value.
--
ip route add 192.168.6.0/24 via 172.30.10.2 dev eth2
--

> 
> Does the fact I used eth2 rather than $INT2IF break the firewall masquerading?

No, I assume "eth2" and "$INT2IF" are equal in your case.


> 
> iptables -t nat -L
> 
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> NAT_PREROUTING_CHAIN  all  --  anywhere             anywhere
> DNAT       tcp  --  anywhere             anywhere             tcp dpt:smtp to:192.168.5.11:25
> DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:192.168.5.10:443
> DNAT       tcp  --  anywhere             anywhere             tcp dpt:www to:192.168.5.10:80
> POST_NAT_PREROUTING_CHAIN  all  --  anywhere             anywhere
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere
> MASQUERADE  all  --  192.168.5.0/24      !192.168.5.0/24
> MASQUERADE  all  --  172.30.30.0/24      !172.30.30.0/24
> MASQUERADE  all  --  172.30.10.0/24      !172.30.10.0/24
> POST_NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere
> 
> Does this mean that 192.168.6.0/24 is not being NATed?

Correct, 192.168.6.0/24 is not being NAT'ed within AstLinux.  Indeed, that is 
your problem: outbound 192.168.6.0/24 packets are hitting AstLinux's eth2 
interface and are not being handled.

While I dislike double-NAT, that may be the easiest solution: enable NAT in 
your Cisco, all else the same.

I'll have to ponder the best way to handle 192.168.6.0/24 packets on eth2 sent 
from behind the Cisco.  Possibly some clever subnet choices where the Cisco WAN 
subnet and Cisco LAN subnet "add up" to the AstLinux 2nd interface LAN subnet.

Lonnie




> 
> Regards
> Michael Knill
> 
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Friday, 27 May 2016 at 11:47 PM
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Firewall forwarding
> 
> Hi Michael,
> 
> It sounds like you are on the correct path, but the devil is in the details, 
> so let's talk details with an example.
> 
> Assume the Cisco firewall is connected to AstLinux's 1st LAN Interface:
> AstLinux-LAN IPv4: 10.1.1.1
> NetMask: 255.255.255.0
> 
> Assume the Cisco firewall has two interfaces (routed, no NAT):
> AstLinux connected interface: 10.1.1.5/24 Gateway: 10.1.1.1
> Cisco-LAN: 10.1.2.0/24
> 
> Then in AstLinux add a route using /mnt/kd/rc.elocal:
> -- /mnt/kd/rc.elocal --
> #!/bin/sh
> 
> . /etc/rc.conf
> 
> ip route add 10.1.2.0/24 via 10.1.1.5 dev $INTIF
> --
> (Note: use INT2IF if 2nd LAN Interface is used instead of 1st)
> 
> That is basically it, you will need to enable the DHCP server for the 
> Cisco-LAN in the Cisco firewall.
> 
> Lonnie
> 
> PS: Alternatively it may be possible to treat the Cisco firewall as a Layer 2 
> transparent bridge with some Layer 3 proxy services for inspection/filtering, 
> then the LAN would only be AstLinux's (10.1.1.0/24) and no added route would 
> be needed. While easier from AstLinux's point of view (DHCP/DNS in one place) 
> it would take more Cisco configuring.
> 
> 
> 
> On May 26, 2016, at 11:05 PM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
>> Hi group
>> 
>> Ok I think I am missing something here as it seems simple but it is not 
>> working and I am pulling out my hair.
>> 
>> I have an Astlinux appliance connected directly to the Public network where 
>> I am doing NAT(PAT).
>> The customer wants to protect their data LAN by a Cisco ASA firewall so I 
>> have placed this behind Astlinux on a separate interface and set up a route 
>> using ip route pointing to the firewall outside interface.
>> All NAT is turned off in the firewall and I am not getting any errors 
>> displayed for both boxes but I am still not getting any return packets on 
>> the firewall LAN. Short of port monitoring the interface to the firewall, I 
>> suspect the Astlinux NAT is not forwarding to the firewall's LAN subnet. Do 
>> I need to do anything to make this happen? Any other ideas?
>> 
>> Regards
>> Michael Knill
> 
> 
> 
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are 
> consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
> J-Flow, sFlow and other flows. Make informed decisions using capacity 
> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.
> 
> 
> 

