This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cant figure out SNAT

I am running AIS v 2.023, and am having problems getting SNAT configured properly.  I'm sure is something I'm doing wrong (PEBKAC).  Here is my configuration.

3 Nics
Eth0 = 24.x.x.230 (External)
Eth1 = 10.4.2.1 (Internal)
Eth2 = 10.4.10.1 (DMZ)

Eth0 has alias's 24.x.x.226 - 24.x.x.229

I would like to use those Alias's for 3 of my Internal machines, and one for a web server in the DMZ.  Then use Masquerade for the rest of my machines.

Defined Networks are as follows.

SNAT1 = 10.4.2.3/255.255.255.255
SNAT2 = 10.4.2.4/255.255.255.255
SNAT3 = 10.4.2.5/255.255.255.255
SNAT4 = 10.4.10.2/255.255.255.255

ESNAT1 = 24.x.x.226/255.255.255.255
ESNAT2 = 24.x.x.227/255.255.255.255
ESNAT3 = 24.x.x.228/255.255.255.255
ESNAT4 = 24.x.x.229/255.255.255.255

MASQ = 10.4.2.32/255.255.255.242

I have tried setting SNAT rules to what makes sense to me (probably wrong) as follows.

SNAT1 - Any - Any - ESNAT1
ESNAT - Any - Any - SNAT1
ext....

I have (RTFM) and (STFW) [;)]th SNAT.

Probably wont need the following, but just in case....

I have Masuqerade working for the rest of the coputers working using the following.

MASQ -> External

Any help would be greatly appriciated, as I have completly frustrated myself.  Sorry for the long post.

Thanx in advance,

This thread was automatically locked due to age.

Parents

0 MadHatter over 23 years ago

Sorry forgot to mention that I have Packet Filter rule set to.
ANY - ANY - ANY - ALLOW

Just for troubleshooting purposes, I didn't want a rule stopping my routing, till I get it figured out.
Cancel
Vote Up 0 Vote Down

Cancel
0 MadHatter over 23 years ago in reply to MadHatter

K I got outgoing working, by using SNAT as follows.

SNAT1 - ANY - ANY - ESNAT1
SNAT1 - ANY - ANY - ESNAT2

But I still can't connect to any of the machines from the outside. I tried DNAT as follows.

ESNAT1 - FTP - SNAT - FTP

Any ideas?
Cancel
Vote Up 0 Vote Down

Cancel
0 notoriousiroc over 23 years ago in reply to MadHatter

I am not sure what esnat1 or snat are supposed to be in your rule, but the proper way to set that up would be:

External -> FTP -> FTPServer -> FTP

Try that. It should send all of the external requests for FTP onto the ftp server. OK?

notoriousiroc
Cancel
Vote Up 0 Vote Down

Cancel
0 notoriousiroc over 23 years ago in reply to notoriousiroc

I am not sure what esnat1 or snat are supposed to be in your rule, but the proper way to set that up would be:

External -> FTP -> FTPServer -> FTP

Try that. It should send all of the external requests for FTP onto the ftp server. OK?

notoriousiroc
Cancel
Vote Up 0 Vote Down

Cancel
0 MadHatter over 23 years ago in reply to notoriousiroc

notoriousiroc,

Thank you for you reply, espically since this subject has been discussed so many times.  I have it setup as you have specified, but my FTP client gives me the following error when I attempt to connect.

STATUS:>   Socket connected. Waiting for welcome message...
ERROR:>    Control connection closed.

I am connecting to port 21, and get the same message if my client is set to active or passive.  From a command line FTP (WinXP) I get a message stating Connection closed by remote host.

Thanx again for the help.   [;)]

quote:
I am not sure what esnat1 or snat are supposed to be in your rule, but the proper way to set that up would be:
External -> FTP -> FTPServer -> FTP

Try that. It should send all of the external requests for FTP onto the ftp server. OK?
Cancel
Vote Up 0 Vote Down

Cancel
0 notoriousiroc over 23 years ago in reply to MadHatter

Check the log files of your ftp server. If it is any good it should have good logging capabilities and you should be able to at least see if you are able to make a connection. The ideal situation is that you may follow the complete process and see what is wrong with it.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 notoriousiroc over 23 years ago in reply to MadHatter

Check the log files of your ftp server. If it is any good it should have good logging capabilities and you should be able to at least see if you are able to make a connection. The ideal situation is that you may follow the complete process and see what is wrong with it.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 kenary over 23 years ago in reply to notoriousiroc

Hello

Do not forget to set up yor firewall as the default gateway for the ftp server and anything else using DNAT inside the internal network

Hope this helps
Cancel
Vote Up 0 Vote Down

Cancel
0 MadHatter over 23 years ago in reply to kenary

Thanx for the help everyone. It's all working now I appriciate the input.

....now if I could only figure out how to connect to my VPN from behind a work firewall..... probably not going to happen.... oh well..... would be kewl though.

;-)
Cancel
Vote Up 0 Vote Down

Cancel