
DNAT to RDP with Availability Group

I have set up a DNAT. This is used to connect to a Windows Terminal Server.

I have set up an Availability Group with 5 different hosts configured. These are all external addresses with 2 being the public address of business partners.

For some reason I am getting dropped packets from some of these hosts. 

On the DNAT I have the following:

Position 1
Traffic Source = GP ALLOWED (This contains the hosts)
Traffic Service = Microsoft Remote Desktop (RDP)  
Traffic Destination = EXTERNAL WAN (The public address of the TS Box)

NAT MODE = DNAT (Destination)

Destination = INTERNAL TS SERVER
Destination Service = Microsoft Remote Desktop (RDP)

Log = enabled
Automatic Firewall = enabled

I have checked the addresses of the hosts in the access group. These match the address on the firewall logs.


The interesting thing is when I change the source to be ALL the DNAT works.

Am I missing something?

EDIT:

I am running an ASG120 and the latest version as of today (8.305)

On the Firewall Log I can see that the clients that are allowed through indicate "fwrule=60021" action=log, and the clients that are blocked have "fwrule=60001" action=drop.

Is there some kind of default rule blocking this somewhere?


  • Here are some examples from the logs

    Working client:

    /var/log/packetfilter.log:2012:06:11-18:20:22 ASTARO ulogd[4961]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60021" initf="eth1" srcmac="0:23:f8:cc:ea:d5" dstmac="0:1a:8c:10:fa:cd" srcip="188.220.a.b" dstip="84.19.x.y" proto="6" length="52" tos="0x00" prec="0x00" ttl="120" srcport="56023" dstport="3389" tcpflags="SYN"

    and one from the blocked

    /var/log/packetfilter.log:2012:06:11-18:02:55 ASTARO ulogd[4961]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="0:23:f8:cc:ea:d5" dstmac="0:1a:8c:10:fa:cd" srcip="2.103.a.b" dstip="84.19.x.y" proto="6" length="52" tos="0x00" prec="0x00" ttl="117" srcport="1606" dstport="3389" tcpflags="SYN"
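To see at a glance which firewall rule handled each source's RDP connection attempts, here is an added example (not from the original post or from the Astaro/Sophos product) that parses the ulogd key="value" packetfilter format shown above and reports any source in the allowed group whose SYNs were nevertheless dropped. The two sample lines are trimmed copies of the ones in the thread, and the set of allowed sources is an assumption standing in for the "GP ALLOWED" group.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ASTARO ulogd packetfilter format from the thread
# (MAC/length/tos fields dropped for brevity; srcip/dstip placeholders kept as posted).
SAMPLE_LOG = """\
/var/log/packetfilter.log:2012:06:11-18:20:22 ASTARO ulogd[4961]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60021" initf="eth1" srcip="188.220.a.b" dstip="84.19.x.y" proto="6" srcport="56023" dstport="3389" tcpflags="SYN"
/var/log/packetfilter.log:2012:06:11-18:02:55 ASTARO ulogd[4961]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="2.103.a.b" dstip="84.19.x.y" proto="6" srcport="1606" dstport="3389" tcpflags="SYN"
"""

# Assumed contents of the "GP ALLOWED" source group (placeholder addresses as in the thread).
ALLOWED_SOURCES = {"188.220.a.b", "2.103.a.b"}

# Matches every key="value" pair; the leading path/timestamp/ulogd[pid] prefix has no '=' and is skipped.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one packetfilter line as a dict."""
    return dict(KV_RE.findall(line))


def rdp_verdicts(log_text, allowed_sources, dstport="3389"):
    """Group TCP packets to dstport by source IP, recording each (action, fwrule)
    pair seen, and list allowed sources that hit a drop rule anyway."""
    by_src = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("proto") != "6" or fields.get("dstport") != dstport:
            continue
        by_src[fields["srcip"]].add((fields["action"], fields["fwrule"]))
    unexpected_drops = sorted(
        src for src, verdicts in by_src.items()
        if src in allowed_sources and any(action == "drop" for action, _ in verdicts)
    )
    return dict(by_src), unexpected_drops


if __name__ == "__main__":
    verdicts, bad = rdp_verdicts(SAMPLE_LOG, ALLOWED_SOURCES)
    for src, seen in sorted(verdicts.items()):
        print(src, sorted(seen))
    print("allowed sources dropped:", bad)
```

Run against the full /var/log/packetfilter.log, the "allowed sources dropped" list is the set of group members whose traffic never reached the DNAT's automatic firewall rule and fell through to the drop rule instead.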