Hi anyone and everyone,
Please pardon this long-winded posting. I'm just trying to supply as much info as possible to get the help I need.
I've just purchased ASL, which I'm very excited about. I've yet to receive my key, so the unit is still in Evaluation.
I have limited Linux/Unix expertise, but am a fast learner. I'm good with firewall concepts, but I'm sure I need to learn much more.
I am willing to provide further information if necessary.
I have TWO problems:
1. DNS Proxy seems shaky - sometimes the LAN users will lose Internet connection, so I added line 5 to my packet filter rule set below, hoping this would help.
2. I've been struggling to get PPTP/VPN to work and so far have had limited success.
Perhaps my problems have related sources, I don't know. Some of the log files are undecipherable to me.
Here's my basic setup:
ASL 3.216 on a brand new Dell PowerEdge350
My LAN is Win NT4.0 w/ Exchange 5.5. All latest service packs
VPN Client is Win2k PPTP which worked before my temp key expired and I had to re-install ASL (long story)
PPTP Roadwarrior enabled
DNS Proxy enabled
SMTP Relay Proxy enabled
Also, my home network uses static IP's, a Flowpoint 2200 w/NAT turned OFF (all Static), has a Linksys router (very basic firewall) configured to allow PPTP and IPSec passthrough connections.
Here are some details of my ASL config;
Kernel IP routing table
Destination     Gateway         Genmask          Flags  Metric  Ref  Use  Iface
6x.x.xx.x4      0.0.0.0         255.255.255.248  U      0       0    0    eth1
10.xx.x.0       0.0.0.0         255.255.255.0    U      0       0    0    eth0
10.xx.1.x       0.0.0.0         255.255.255.0    U      0       0    0    eth2
10.xxx.xxx.0    10.xx.x.1       255.255.255.0    UG     0       0    0    eth0
127.0.0.0       0.0.0.0         255.0.0.0        U      0       0    0    lo
0.0.0.0         6x.x.xx.x3      0.0.0.0          UG     0       0    0    eth1
0.0.0.0         10.xx.x.2       0.0.0.0          UG     0       0    0    eth0
0.0.0.0         10.xx.x.1       0.0.0.0          UG     0       0    0    eth2
Arp Table
Address         HWtype  HWaddress           Flags  Mask  Iface
10.xx.x.2       ether   xx:10:xx:55:xx:1C   C            eth0
6x.x.xx.x3      ether   xx:20:xx:06:xx:FE   C            eth1
10.xx.x.228     ether   xx:C0:xx:41:xx:45   C            eth0
10.xx.x.28      ether   xx:C0:xx:6D:xx:CA   C            eth0
Kernel Routing Table
6x.x.xx.x2/29 dev eth1 scope link
10.xx.x.0/24 dev eth0 scope link
10.xx.1.0/24 dev eth2 scope link
10.xxx.xxx.0/24 via 10.xx.x.1 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 6x.x.xx.x3 dev eth1
default via 10.xx.x.2 dev eth0
default via 10.xx.x.1 dev eth2 scope link
Here are some NAT rules I created
GRE Any -> eth1_Interface__ / GRE Any PPTP-Pool (not working)
HTTPS Any -> eth1_Interface__ / HTTPS Any eth1_Interface__ (works)
IMAP Any -> eth1_Interface__ / IMAP None NT4.0 Exchange Server (works)
Masquerade Internal -> All / All MASQ__eth1 None (works)
NetBios Any -> Internal / netbios-ns Any Any (to try to map drives to the NT Server)
POP Any -> eth1_Interface__ / POP3 None NT4.0 Exchange Server (works)
PPTP Any -> eth1_Interface__ / PPTP Any PPTP-Pool (not working)
SSH Any -> eth1_Interface__ / SSH Any eth1_Interface__ (to try to get to the ASL box command line from the outside (not working))
Here is my Packet filter Rule set;
1 Internal HTTP Any Allow
2 Internal HTTPS Any Allow
3 Any POP3 NT Exchange Server Allow
4 Any IMAP NT Exchange Server Allow
5 Internal DNS Any Allow
6 Internal { traceroute } Any Allow
7 Internal { ping } Any Allow
8 Internal Telnet Any Allow
9 Mayor SSH Any Allow
10 Any SSH eth1_Interface__ Allow
11 Mayor SNMP dsl-router-internal Allow
12 Mayor Telnet dsl-router-internal Allow
13 Any PPTP PPTP-Pool Allow
14 Any GRE PPTP-Pool Allow
15 Any Telnet NT Exchange Server Allow
16 PPTP-Pool Any Internal Allow
17 PPTP-Pool Microsoft-SMB Internal Allow
18 PPTP-Pool netbios-dgm Internal Allow
19 PPTP-Pool netbios-ns Internal Allow
20 PPTP-Pool netbios-ssn Internal Allow
21 Any HTTPS eth1_Interface__ Allow
Entries 12 & 13, 16-20 were an attempt to get drive mapping to work from PPTP Pool to the Internal LAN.
My kernel log file shows an attempt at PPTP but no PPTP log entries, at least from my home test location.
I HAVE had connection from a second location, same OS, same PPTP client settings. But MY location does not connect.
Here is the part of the kernel log file that seems to show PPTP attempt;
Feb 26 10:18:57 (none) kernel: ip_nat_pptp.c:tcp_help: entering
Feb 26 10:18:57 (none) kernel: ip_nat_pptp.c:tcp_help: Not touching dir ORIG at hook PREROUTING
Feb 26 10:19:00 (none) kernel: ip_nat_pptp.c:tcp_help: entering
Feb 26 10:19:00 (none) kernel: ip_nat_pptp.c:tcp_help: Not touching dir ORIG at hook PREROUTING
Feb 26 10:19:06 (none) kernel: ip_nat_pptp.c:tcp_help: entering
Feb 26 10:19:06 (none) kernel: ip_nat_pptp.c:tcp_help: Not touching dir ORIG at hook PREROUTING
Also, my packet filter log shows a lot of foreign IP's in it. Is this bad?
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.228 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10443 DF PROTO=TCP SPT=80 DPT=1696 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.228 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10444 DF PROTO=TCP SPT=80 DPT=1697 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.228 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10445 DF PROTO=TCP SPT=80 DPT=1703 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.223 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=47602 DF PROTO=TCP SPT=80 DPT=1698 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.228 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10446 DF PROTO=TCP SPT=80 DPT=1700 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.228 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10447 DF PROTO=TCP SPT=80 DPT=1701 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.228 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10448 DF PROTO=TCP SPT=80 DPT=1704 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.228 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10449 DF PROTO=TCP SPT=80 DPT=1705 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.222 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=23941 DF PROTO=TCP SPT=80 DPT=1706 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.222 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=23942 DF PROTO=TCP SPT=80 DPT=1708 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.223 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=47603 DF PROTO=TCP SPT=80 DPT=1712 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.228 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10450 DF PROTO=TCP SPT=80 DPT=1707 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.228 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10451 DF PROTO=TCP SPT=80 DPT=1713 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.228 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10452 DF PROTO=TCP SPT=80 DPT=1711 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:20 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.226 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=18903 DF PROTO=TCP SPT=80 DPT=1714 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:32 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.222 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=23943 DF PROTO=TCP SPT=80 DPT=1724 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:32 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.226 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=18904 DF PROTO=TCP SPT=80 DPT=1725 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:32 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.226 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=18905 DF PROTO=TCP SPT=80 DPT=1727 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:32 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.226 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=18906 DF PROTO=TCP SPT=80 DPT=1730 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:32 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.223 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=47604 DF PROTO=TCP SPT=80 DPT=1731 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:32 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:02:b3:be:8b:e1:00:20:6f:06:d3:fe:08:00 SRC=192.193.195.222 DST=6x.x.xx.x4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=23944 DF PROTO=TCP SPT=80 DPT=1734 WINDOW=64240 RES=0x00 ACK FIN URGP=0
I hope this information is helpful and not TOO much. I'm just trying to supply any info that may be useful.
I also made changes in /var/chroot-pptp/etc/ppp/options-default and /var/chroot-pptp/etc/ppp/options:
lcp-echo-failure 5
lcp-echo-interval 8
silent
as a previous post to this site suggested.
Thanks in advance for any help.
Brian Macaluso
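Added example, not part of the original post and not ASL's own tooling: a small triage script for packet filter drop lines in the netfilter LOG format quoted above. It groups dropped TCP packets by flags, source and source port, so that new inbound connection attempts (SYN without ACK) stand apart from segments that can only belong to an already-open flow, such as ACK FIN from port 80. The sample lines, host name and addresses are constructed (documentation ranges), and the class names are this example's own labels.

```python
import re
from collections import Counter

# Constructed sample lines in the same netfilter LOG format as the post
# (addresses are documentation ranges, not values from the post).
SAMPLE_LOG = """\
Feb 26 10:37:19 fw kernel: TCP Drop: IN=eth1 OUT= SRC=198.51.100.228 DST=203.0.113.4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10443 DF PROTO=TCP SPT=80 DPT=1696 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:37:19 fw kernel: TCP Drop: IN=eth1 OUT= SRC=198.51.100.228 DST=203.0.113.4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=10444 DF PROTO=TCP SPT=80 DPT=1697 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Feb 26 10:40:02 fw kernel: TCP Drop: IN=eth1 OUT= SRC=192.0.2.77 DST=203.0.113.4 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=5121 DF PROTO=TCP SPT=3321 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 26 10:41:10 fw kernel: TCP Drop: IN=eth1 OUT= SRC=192.0.2.90 DST=203.0.113.4 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=900 PROTO=TCP SPT=4000 DPT=1723 WINDOW=0 RES=0x00 RST URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value pairs; value may be empty (OUT=)
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse(line):
    """Return key=value fields plus the set of TCP flag tokens, or None."""
    if "PROTO=TCP" not in line:
        return None
    fields = dict(FIELD.findall(line))
    fields["FLAGS"] = FLAGS & set(line.split())   # flags are bare tokens
    return fields

def classify(pkt):
    """Label a dropped packet by what its flags allow it to be."""
    flags = pkt["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"   # the only kind that opens a flow
    if "RST" in flags:
        return "reset"
    if "FIN" in flags and "ACK" in flags:
        return "late-teardown"            # closing segment, cannot start a flow
    return "other-non-syn"

def summarize(log_text):
    """Count dropped packets per (class, source address, source port)."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse(line)
        if pkt:
            counts[(classify(pkt), pkt["SRC"], int(pkt["SPT"]))] += 1
    return counts

if __name__ == "__main__":
    for (kind, src, spt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {kind:24s} {src}:{spt}")
```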