Hi All,
I have some trouble accessing an IBM LUM Server from a computer behind NAT. LUM Server = licence server used for Catia, for example.

I have a private network: 10.33.1.0/16 with a test computer (10.33.2.105).

I am using pfsense 1.2.3-RELEASE with 4 interfaces: WAN, LAN, DMZ, and PRIV.
LAN is my internal LAN using public IP addresses.
PRIV is another internal LAN using private IP addresses.
The internal address on PRIV is 10.33.1.1 (/16)
The external address on WAN is 194.57.169.18
The external address on LAN is 193.48.196.1 (/23)

I try to connect to the IBM LUM Server IP 193.52.82.50.

The particularity of the IBM LUM Server and Client is that the LUM Server tries to call back to the client using a different source port, but always on the dest port used by the client at starting.

I made a NAT Outbound rule:
Interface WAN
Source 10.33.0.0/16
Source Port *
Destination *
Dest Port *
NAT Addr 193.48.197.252
NAT Port *
Static Port NO

For testing purposes, I made rules on WAN and PRIV to permit all UDP from any to any.

Using tcpdump, it looks like:

Internal Interface (PRIV):
# tcpdump -i re3 -n host 193.52.82.50
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re3, link-type EN10MB (Ethernet), capture size 96 bytes
15:01:36.124046 IP 10.33.2.105.1106 > 193.52.82.50.1515: UDP, length 80
15:01:38.189623 IP 10.33.2.105.1106 > 193.52.82.50.1515: UDP, length 80
15:01:38.191473 IP 193.52.82.50.1515 > 10.33.2.105.1106: UDP, length 80
15:01:41.314689 IP 10.33.2.105.1106 > 193.52.82.50.1515: UDP, length 80
15:01:41.316368 IP 193.52.82.50.1515 > 10.33.2.105.1106: UDP, length 80
15:02:11.076816 IP 193.52.82.50.1515 > 10.33.2.105.1106: UDP, length 84

External Interface (WAN):
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 96 bytes
15:01:36.124086 IP 193.48.197.252.39627 > 193.52.82.50.1515: UDP, length 80
15:01:36.126577 IP 193.52.82.50.1044 > 193.48.197.252.39627: UDP, length 100
15:01:38.067828 IP 193.52.82.50.1044 > 193.48.197.252.39627: UDP, length 80
15:01:38.189644 IP 193.48.197.252.39627 > 193.52.82.50.1515: UDP, length 80
15:01:38.191457 IP 193.52.82.50.1515 > 193.48.197.252.39627: UDP, length 80
15:01:40.071247 IP 193.52.82.50.1044 > 193.48.197.252.39627: UDP, length 80
15:01:41.314710 IP 193.48.197.252.39627 > 193.52.82.50.1515: UDP, length 80
15:01:41.316352 IP 193.52.82.50.1515 > 193.48.197.252.39627: UDP, length 80

As you can see, the second packet on the external interface is from port 1044 (new port used by the server, it seems to be always the same) to port 39627 (used by the client at first).

Some lines from rules.debug:
# Outbound NAT rules
no nat on $wan from 193.48.196.0/23 to any
nat on $wan from 10.33.0.0/16 to any -> 193.48.197.252/32 port 1024:65535
nat on $wan from 192.168.50.0/24 to any -> 193.48.197.5/32 port 1024:65535
no nat on $lan from 10.33.0.0/21 to any
nat on $lan from 10.33.0.0/16 to any -> 193.48.197.252/32 port 1024:65535

I understand that what I need to do violates the IP NAT task. The problem is that I know some people who are able to communicate through NAT to an IBM LUM Server using a Cisco firewall (asap), just configuring a simple dynamic NAT.

Am I missing a rule? Why is it working for Cisco? Are they doing some mysterious NAT?

Cordially,
Matthieu MARC

---
Matthieu MARC
Head of the IT Department, Angers Centre
Arts et Métiers ParisTech
Tel: 02 41 20 73 61
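An added example, not part of Matthieu's post or of pfSense: a small Python model that replays the three WAN-side packets from the capture above through two NAT filtering behaviours, to show why the callback from port 1044 never reaches 10.33.2.105 through pf's per-4-tuple UDP state table, while it would pass a NAT with endpoint-independent filtering (RFC 4787 terminology). The Nat class, its port numbering and the model itself are simplifications I constructed, not pf or Cisco code.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]
# Constructed from the tcpdump output in the post above.
CLIENT: Endpoint = ("10.33.2.105", 1106)     # PRIV-side test computer
WAN_ADDR = "193.48.197.252"                  # outbound NAT address
SERVER: Endpoint = ("193.52.82.50", 1515)    # IBM LUM server, port the client dialed
CALLBACK: Endpoint = ("193.52.82.50", 1044)  # server's second source port

@dataclass
class NatState:
    int_src: Endpoint  # original internal address/port
    ext_src: Endpoint  # translated address/port on WAN
    peer: Endpoint     # remote endpoint the state was created for

class Nat:
    """Simplified model (not pf or Cisco code). port_dependent=True: a state
    matches only the exact remote address:port it was created for, which is how
    pf keeps UDP states. False: any remote endpoint may reach the mapping
    (endpoint-independent filtering in RFC 4787 terms)."""
    def __init__(self, port_dependent: bool, first_port: int = 39627):
        self.port_dependent = port_dependent
        self.states: List[NatState] = []
        self.next_port = first_port  # 39627 is the port pf picked in the capture

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        for s in self.states:
            if s.int_src == src and (s.peer == dst or not self.port_dependent):
                return s.ext_src
        s = NatState(src, (WAN_ADDR, self.next_port), dst)
        self.next_port += 1
        self.states.append(s)
        return s.ext_src

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Internal destination for an inbound packet, or None when dropped."""
        for s in self.states:
            if s.ext_src == dst and (s.peer == src or not self.port_dependent):
                return s.int_src
        return None

def replay(port_dependent: bool) -> List[Optional[Endpoint]]:
    """Replays the packets seen on WAN: request, reply from :1515, callback from :1044."""
    nat = Nat(port_dependent)
    wan = nat.outbound(CLIENT, SERVER)      # 10.33.2.105:1106 -> 193.48.197.252:39627
    reply = nat.inbound(SERVER, wan)        # matches under both models
    callback = nat.inbound(CALLBACK, wan)   # dropped when port_dependent
    return [wan, reply, callback]
```

A mapping that accepts traffic from any remote endpoint is reachable by any Internet host for as long as the state lives, so a firewall that is opened up for this callback should at least restrict the inbound side to the LUM server's address.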