Hello,
I have spend several hours looking over all posts, and the kb article for port forwarding, forwarding to a web server on the internal network.
Trying to set up just a simple working model to which I can modify later for other port forwards. I have many devices and systems with web management on sitting on my internal LAN.
I just installed the home use of Astaro Security Gateway v7 and now trying to set up all my port forwards.
The KB article instructions I tried is the first one:
Task:
Require servers or systems behind the ASG to be accessible to internet connections. This requires specific services to be forwarded through by opening service ports.
Common implentations used are Webservers (HTTP, HTTPS) FTP servers, Remote Desktop Proctocol (RDP), Outlook Web Access (OWA)
4 common scenarios to setup:
Scenario 1 - Common port on public interface
Scenario 2 - New service port creation needed to forward
Scenario 3 - Additional public address
Scenario 4 - Additional public address and new service port
Steps:
For all scenarios it is recommended to first spend some time creating host definitions for webservers, email servers, ftp servers etc.
Example: Webserver host definition
Goto Definitions>>Networks
New Network Definition
Name: Webserver
Type: Host
Address: 10.200.200.10
Comment: My internal webserver IP
For all Scenarios it is also possible to simply select the option for auto packet filter rules to be applied if you do not wish to create the rule seperately.
Scenario 1 - Common port on public interface
Example: Webserver on HTTP TCP port 80
1) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: Webserver
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: HTTP
Traffic Destination: External (address)
NAT Mode: DNAT (destination)
Destination: Webserver
Destination Service: left blank
Click Save
Once created click traffic light from Red to Green
2) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTP
Destination: Webserver
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow http traffic to webserver
Click Save
Once created click traffic light from Red to Green
I have one external I.P. assigned to the WAN port.
Internal address of the web server is 192.168.2.80
Do I need to set a definition? if so, is it to be set up in / under the service or network area? Service already has http and https already set up.
Per several article posts, I tried what they suggested and I did try to create a network for the webserver. Right now there is no definition set up for network for the web server. between the posts and this kb article I did try playing with things to get it working with no luck.
under network security the DNAT/SNAT setting has:
name: webserver80
group: no group
position 1
traffic source: any
trafisc service: http
trafic destination: external wan address
nat mode: DNAT (Destination)
Destination: webserver - (this object is correctly set up with the correct I.P. internally)
Destination service: -left blank
log initial packets checked
automatic packet filter rule checked
The filter:
group: no group
it is position 6
source: any
service http
destination: webserver (the object has the correct i.p. settings on it)
action: allow
traffic log checked
the live log shows:
16:21:55 Default DROP UDP
192.168.2.5 : 137
→
192.168.2.255 : 137
len=78 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:02:b3:65:7a:f8
16:22:07 DNS request UDP
192.168.2.254 : 44129
→
192.168.2.1 : 53
len=77 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:02:b3:65:7a:f8
16:22:08 DNS request UDP
192.168.2.254 : 39709
→
192.168.2.1 : 53
len=75 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:02:b3:65:7a:f8
16:22:32 Connection using NAT TCP
192.168.2.254 : 44327
→
64.22.199.118 : 80
[SYN] len=60 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:02:b3:65:7a:f8
16:22:33 Packet filter rule #5 TCP
192.168.2.254 : 44327
→
192.168.2.80 : 80
[SYN] len=60 ttl=63 tos=0x00 srcmac=00:02:b3:65:7a:f8 dstmac=00:02:b3:65:7a:f8
16:23:13 Default DROP UDP
192.168.2.80 : 123
→
173.8.198.243 : 123
len=76 ttl=63 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:02:b3:65:7a:f8
16:23:21 WebAdmin connection TCP
192.168.2.254 : 57209
→
192.168.2.1 : 4444
[SYN] len=60 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:02:b3:65:7a:f8
What am I doing wrong or missing?
What is the correct settings step by step to get this to work?
I want to be able to access the website from internal with the external address as well as access the website from outside(WAN).
I assume once I get one working port forward set up, I can model off it for any other port and service.
you would think port forwarding would be easy and simple. Last time I worked with Astaro was around 3 1/2 years ago at my old job.
Chad
This thread was automatically locked due to age.
