Michael, I've never tried this before, so bear with me...

How about if your AstLinux 2nd internal interface is:
192.168.6.1 / 255.255.255.0

Configure your Cisco WAN as 192.168.6.2/25
and Cisco LAN as 192.168.6.129/25 (IP range: 192.168.6.129 - 192.168.6.254)

finally add AstLinux routes:
--
ip route add 192.168.6.1/25 dev eth2
ip route add 192.168.6.128/25 via 192.168.6.2 dev eth2
--

Would the AstLinux /24 broadcast address not matching be an issue?

Lonnie

On May 27, 2016, at 8:57 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:

> Wow I didn't realise that only locally connected networks were supported for
> NAT! This is certainly going to be a big issue for me moving forward. I
> REALLY don't want to do double NAT.
>
> Can you add a parameter which the firewall uses to add/override the standard
> LAN masqueraded networks?
> Most firewalls require you to specify the NATed networks!
>
> Regards
> Michael Knill
>
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Saturday, 28 May 2016 at 11:39 AM
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Firewall forwarding
>
>
> On May 27, 2016, at 7:17 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
>> Thanks Lonnie
>>
>> This is essentially what I did except I put the actual eth interface in the
>> route statement e.g.
>> ip route add 192.168.6.0/24 via 172.30.10.2 dev eth2 src 172.30.10.1
>> The routing does work as I can access Astlinux from the firewall LAN but no
>> Internet access.
>
> Try without the src option, it should default to the correct 'src' value.
> --
> ip route add 192.168.6.0/24 via 172.30.10.2 dev eth2
> --
>
>> Does the fact I used eth2 rather than $INT2IF break the firewall
>> masquerading?
>
> No, I assume "eth2" and "$INT2IF" are equal in your case.
>
>> iptables -t nat -L
>>
>> Chain PREROUTING (policy ACCEPT)
>> target                     prot opt source               destination
>> NAT_PREROUTING_CHAIN       all  --  anywhere             anywhere
>> DNAT                       tcp  --  anywhere             anywhere             tcp dpt:smtp to:192.168.5.11:25
>> DNAT                       tcp  --  anywhere             anywhere             tcp dpt:https to:192.168.5.10:443
>> DNAT                       tcp  --  anywhere             anywhere             tcp dpt:www to:192.168.5.10:80
>> POST_NAT_PREROUTING_CHAIN  all  --  anywhere             anywhere
>>
>> Chain INPUT (policy ACCEPT)
>> target                     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target                     prot opt source               destination
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target                     prot opt source               destination
>> TCPMSS                     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
>> NAT_POSTROUTING_CHAIN      all  --  anywhere             anywhere
>> MASQUERADE                 all  --  192.168.5.0/24       !192.168.5.0/24
>> MASQUERADE                 all  --  172.30.30.0/24       !172.30.30.0/24
>> MASQUERADE                 all  --  172.30.10.0/24       !172.30.10.0/24
>> POST_NAT_POSTROUTING_CHAIN all  --  anywhere             anywhere
>>
>> Does this mean that 192.168.6.0/24 is not being NATed?
>
> Correct, 192.168.6.0/24 is not being NAT'ed within AstLinux. Indeed that is
> your problem, outbound 192.168.6.0/24 packets are hitting AstLinux's eth2
> interface and are not being handled.
>
> While I dislike double-NAT, that may be the easiest solution, enable NAT in
> your Cisco, all else the same.
>
> I'll have to ponder the best way to handle 192.168.6.0/24 packets on eth2
> sent from behind the Cisco. Possibly some clever subnet choices where the
> Cisco WAN subnet and Cisco LAN subnet "add up" to the AstLinux 2nd interface
> LAN subnet.
>
> Lonnie
>
>
>> Regards
>> Michael Knill
>>
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Date: Friday, 27 May 2016 at 11:47 PM
>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] Firewall forwarding
>>
>> Hi Michael,
>>
>> It sounds like you are on the correct path, but the devil is in the details,
>> so let's talk details with an example.
>>
>> Assume the Cisco firewall is connected to AstLinux's 1st LAN Interface:
>> AstLinux-LAN IPv4: 10.1.1.1
>> NetMask: 255.255.255.0
>>
>> Assume the Cisco firewall has two interfaces (routed, no NAT):
>> AstLinux connected interface: 10.1.1.5/24 Gateway: 10.1.1.1
>> Cisco-LAN: 10.1.2.0/24
>>
>> Then in AstLinux add a route using /mnt/kd/rc.elocal:
>> -- /mnt/kd/rc.elocal --
>> #!/bin/sh
>>
>> . /etc/rc.conf
>>
>> ip route add 10.1.2.0/24 via 10.1.1.5 dev $INTIF
>> --
>> (Note: use INT2IF if 2nd LAN Interface is used instead of 1st)
>>
>> That is basically it, you will need to enable the DHCP server for the
>> Cisco-LAN in the Cisco firewall.
>>
>> Lonnie
>>
>> PS: Alternatively it may be possible to treat the Cisco firewall as a Layer
>> 2 transparent bridge with some Layer 3 proxy services for
>> inspection/filtering, then the LAN would only be AstLinux's (10.1.1.0/24)
>> and no added route would be needed. While easier from AstLinux's point of
>> view (DHCP/DNS in one place) it would take more Cisco configuring.
>>
>>
>> On May 26, 2016, at 11:05 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>>> Hi group
>>>
>>> Ok I think I am missing something here as it seems simple but it is not
>>> working and I am pulling out my hair.
>>>
>>> I have an Astlinux appliance connected directly to the Public network where
>>> I am doing NAT(PAT).
>>> The customer wants to protect their data LAN by a Cisco ASA firewall so I
>>> have placed this behind Astlinux on a separate interface and set up a route
>>> using ip route pointing to the firewall outside interface.
>>> All NAT is turned off in the firewall and I am not getting any errors
>>> displayed for both boxes but I am still not getting any return packets on
>>> the firewall LAN. Short of port monitoring the interface to the firewall, I
>>> suspect the Astlinux NAT is not forwarding to the firewall's LAN subnet. Do
>>> I need to do anything to make this happen? Any other ideas?
>>>
>>> Regards
>>> Michael Knill

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
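Two things the thread turns on can be checked offline: which of the POSTROUTING MASQUERADE rules in Michael's `iptables -t nat -L` listing a given packet would hit (and so why 192.168.6.0/24 traffic leaves eth2 un-NATed), and whether Lonnie's two /25 subnets really "add up" to the AstLinux /24 and what their broadcast addresses are. The Python below is an added example written for this page; it is not code from the thread or from AstLinux. The three MASQUERADE rules are copied from the listing as (source, !destination) pairs, the addresses come from Lonnie's proposal, and `with_second_lan_rule` is a hypothetical fourth rule in the same pattern, assumed only to show what coverage would look like if the 2nd interface sat on 192.168.6.0/24.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the POSTROUTING listing in the thread: each MASQUERADE
# rule matches "source in S and destination NOT in S" (the !S column).
MASQ_RULES: List[Tuple[str, str]] = [
    ("192.168.5.0/24", "192.168.5.0/24"),
    ("172.30.30.0/24", "172.30.30.0/24"),
    ("172.30.10.0/24", "172.30.10.0/24"),
]


def matching_masq_rule(src: str, dst: str,
                       rules: List[Tuple[str, str]] = MASQ_RULES) -> Optional[str]:
    """Return the source subnet of the first MASQUERADE rule a packet from
    src to dst would match, or None when no rule matches (the packet is
    forwarded with its private source address unchanged)."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for src_net, not_dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d not in ipaddress.ip_network(not_dst_net):
            return src_net
    return None


def with_second_lan_rule(lan_cidr: str) -> List[Tuple[str, str]]:
    """Hypothetical: the rule set as it would look if AstLinux's 2nd LAN
    interface were on lan_cidr and the firewall added its usual per-LAN
    masquerade rule for it. Assumption for illustration, not AstLinux code."""
    lan = str(ipaddress.ip_network(lan_cidr, strict=False))
    return MASQ_RULES + [(lan, lan)]


def split_plan(astlinux_if: str, cisco_wan_if: str, cisco_lan_if: str) -> dict:
    """Check the 'subnets add up' idea: both Cisco /25 halves must lie inside
    the AstLinux /24, not overlap, and together fill it. Also report each
    side's broadcast address so the /24 vs /25 mismatch can be compared."""
    lan = ipaddress.ip_network(astlinux_if, strict=False)      # host bits cleared
    wan_half = ipaddress.ip_network(cisco_wan_if, strict=False)
    lan_half = ipaddress.ip_network(cisco_lan_if, strict=False)
    covers = (wan_half.subnet_of(lan) and lan_half.subnet_of(lan)
              and not wan_half.overlaps(lan_half)
              and wan_half.num_addresses + lan_half.num_addresses == lan.num_addresses)
    return {
        "astlinux_net": str(lan),
        "astlinux_broadcast": str(lan.broadcast_address),
        "cisco_wan_net": str(wan_half),
        "cisco_wan_broadcast": str(wan_half.broadcast_address),
        "cisco_lan_net": str(lan_half),
        "cisco_lan_broadcast": str(lan_half.broadcast_address),
        "halves_cover_lan": covers,
    }


if __name__ == "__main__":
    # Michael's situation: a Cisco-LAN host going to the Internet via eth2.
    print("192.168.6.50 -> Internet matches:", matching_masq_rule("192.168.6.50", "8.8.8.8"))
    # Same packet under the hypothetical 2nd-LAN rule.
    print("with 2nd LAN rule:",
          matching_masq_rule("192.168.6.50", "8.8.8.8", with_second_lan_rule("192.168.6.1/24")))
    # Lonnie's /25 proposal, addresses taken from his message.
    for k, v in split_plan("192.168.6.1/24", "192.168.6.2/25", "192.168.6.129/25").items():
        print(f"{k}: {v}")
```

Running it shows that a 192.168.6.x source matches none of the three listed rules, while a 172.30.10.x source (the Cisco WAN address in Michael's setup) does; and that 192.168.6.0/25 and 192.168.6.128/25 partition 192.168.6.0/24 exactly, with the upper half sharing the /24's broadcast address (192.168.6.255) and the lower half using 192.168.6.127.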