
Installation problems

I am having a very difficult time configuring ASG 7. I think I missed something obvious and simple. I have a Linksys as a perimeter firewall and am configuring ASG as an interior firewall. I set up an any-to-any rule and turned on the ping checkboxes, yet clients cannot ping through the ASG, much less get HTTP. I didn't set up a MASQ/NAT rule because address translation is being handled at the perimeter. Ideas? Is there a simple parameter I forgot?


This thread was automatically locked due to age.
  • You do need NAT (MASQ) to get traffic through except when using the proxies.

    As a safeguard you might like to change your packet filter rule to
    internal network -> any -> any -> allow
    With this rule it only allows internal traffic to use the ASG; otherwise, with your rule, everyone can come and go through the ASG.

    Ian M
  • It's not a good idea to have two NAT devices running back to back in most configurations... try bridging the two interfaces on the Astaro, or eliminate the Linksys and use NAT on the Astaro.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Which kind/product from Linksys? The smaller ones (like WRT54G) will make trouble when using NAT extensively. I would also suggest eliminating the Linksys.
  • Yes, WRT54G (firmware 1.41.2). It is doing the NATing.

    I have been using ISA 2006 as the interior firewall and it has been working fine with NAT turned off.

    I'd prefer to keep a perimeter firewall and have ASG replace ISA as the interior, so do I have any other option than removing the Linksys?
  • Set up the ASG in bridging mode. Packet filter, IPS, etc. all still work fine (I have several clients set up that way behind another Mfg. firewall... they would remove the other firewall, except that they just purchased them and the powers that be would be asking why a somewhat new piece of equipment is "obsolete"). Bridging eliminates the "double-NAT" issue.


  • I made the ASG the perimeter firewall and all works fine, although I am discouraged that it could not function as an interior firewall. According to the menu, NAT is an option that can be turned off or on.

    Thanks for the help.
  • I have several customers configured with the Astaro as the secondary (interior) firewall... not sure what you're looking for here. It can work in both capacities.


  • I could not get it to work. And the advice in this thread was to not put it behind another NAT firewall.
  • You can put it behind another NAT firewall, but you should put the Astaro in Bridging mode (it acts as a layer 2 device then, no NAT issues, Layer 2 devices can't do NAT) as I posted in an earlier thread.  Working this way, just fine at two large customer sites right now.

