This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Connection Problems

Hello, I am running a fresh install of ASL to protect just one test server, yet, I am having some problems.  I can access the webadmin from both the internal computer, and the external network, but I cannot connect the two.  I would like full access from the inside out, and do port 80 from then network in.

My current settings are:

under interfaces I have:
External:
Address: X.Y.214.87
Netmask: 255.255.255.0
Gateway: X.Y.214.1  (provided by ISP)
Internal:
Address: 192.168.2.100
Netmask: 255.255.255.0
Gateway: X.Y.214.1

Routing:
Internal -> External
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
XXX.YYY.214.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         XXX.YYY.214.1   0.0.0.0         UG    0      0        0 eth1

Packet Filter:
Internal Any External Allow
External HTTP { Private Networks - RFC1918 } Allow
{ Private Networks - RFC1918 } Any Any Allow

Internal Computer:
Address: 192.168.2.Z
Netmask: 255.255.255.0
Gateway: X.Y.214.1

Thank you.

This thread was automatically locked due to age.

Parents

0 Dennis Koslowski over 23 years ago

Hello,

> Internal Computer:
> Address: 192.168.2.Z
> Netmask: 255.255.255.0
> Gateway: X.Y.214.1

You have to set the internal firewall NIC as gateway on all computers in the LAN:

> Internal:
> Address: 192.168.2.100

Greetings,
--
Dennis
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Dennis Koslowski over 23 years ago

Hello,

> Internal Computer:
> Address: 192.168.2.Z
> Netmask: 255.255.255.0
> Gateway: X.Y.214.1

You have to set the internal firewall NIC as gateway on all computers in the LAN:

> Internal:
> Address: 192.168.2.100

Greetings,
--
Dennis
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 notoriousiroc over 23 years ago in reply to Dennis Koslowski

Ok, Thank you for the reply. I changed the gateway for the internal computer to the internal nic's (etho) IP and that still is not working. What else can I do to try and solge this problem?
Thank you.
Cancel
Vote Up 0 Vote Down

Cancel
0 ClausP over 23 years ago in reply to notoriousiroc

quote:
Originally posted by notoriousiroc:
Hello, I am running a fresh install of ASL to protect just one test server, yet, I am having some problems.  I can access the webadmin from both the internal computer, and the external network, but I cannot connect the two.  I would like full access from the inside out, and do port 80 from then network in.
---------------------------------------------------

Did you enable ip masquerade ? For the direction Internal -> External ? (menu:network)

----------------------------------------------------
My current settings are:

under interfaces I have:
External:
Address: X.Y.214.87
Netmask: 255.255.255.0
Gateway: X.Y.214.1  (provided by ISP)
Internal:
Address: 192.168.2.100
Netmask: 255.255.255.0
Gateway: X.Y.214.1

Routing:
Internal -> External
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
XXX.YYY.214.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         XXX.YYY.214.1   0.0.0.0         UG    0      0        0 eth1

----------------------------------------------------
Packet Filter:
Internal Any External Allow
External HTTP { Private Networks - RFC1918 } Allow
-> could be deleted { Private Networks - RFC1918 } Any Any Allow

This does not work ! You need DNAT !

http://docs.astaro.org/asl-faq.pl#4003

You can map:
      IP/Port => IP/Port
      IP/Port-Range => IP/Port
      IP/Port-Range => IP/Port-Range (same Range only)
      IP-Range/Port => IP/Port
      IP-Range/Port-Range => IP/Port

     You can't map:
      IP => IP
      IP-Range => IP
      IP => IP-Range (load balancing)

Define first a DNATed Service:
PreNAT             PostNAT
X.Y.214.87 HTTP -> 192.168.2.Z HTTP

And than you need a filter rule that allows any traffic on port 80 to the internal IP (PostDNAT)
Packetfiltering starts after DNATing !!!

ex. ANY HTTP 192.168.2.Z  ALLOW
---------------------------------------------------

Internal Computer:
Address: 192.168.2.Z
Netmask: 255.255.255.0
Gateway: X.Y.214.1

Thank you.

Cheers
Claus
Cancel
Vote Up 0 Vote Down

Cancel
0 notoriousiroc over 23 years ago in reply to ClausP

Thank you Claus. I will try that and see what I can find out. [:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 notoriousiroc over 23 years ago in reply to notoriousiroc

Ok, I have tried everything I can to get this poor thing set up and it is still not working. [:(]de? Thanks.

NotoriousIROC
Cancel
Vote Up 0 Vote Down

Cancel
0 Mike_C over 23 years ago in reply to notoriousiroc

I had the same problem with 3.030. I even added a ANY ANY ANY ACCEPT rule, disabled all other rules, checked routing, everything, no avail from an internal machine. The ASL box could see everything, but would not pass traffic. I emailed support, no response.
Cancel
Vote Up 0 Vote Down

Cancel