Network routing question

Old 13 May 2003, 11:26 AM
#1
ozzy (Thread Starter)

Hi guys,

I'm looking for some routing advice involving NAT. One of our offices has a setup as shown below. The public IP addresses are made up in case we have any hackers amongst us.

With NAT enabled on the internal W2K router, servers and workstations can ping all of the IP addresses shown in the diagram. So Server #1 can ping Server #2, Server #3, the firewall and the router.

When I disable NAT on this internal W2K router I can still ping the internal networks 52.0, 54.0 & 56.0 and the local IP address of the firewall but no further. It all works from the internal router itself - I can ping public internet addresses, but anything inside the router fails.

Is what I'm trying to do possible? or is this because I have a NAT interface on the firewall, which then cannot route traffic to another internal network?

Stefan

Old 13 May 2003, 11:50 AM
#2
Andrewza

I'd usually break out tcpdump and see what's on the wire, but guesses:

1. NAT/Firewall isn't actually nat'ing and router carries on regardless, but packets won't get routed back your way.

2. NAT/Firewall is nat'ing, but it's not configured to NAT for the .54 and .56 /24's

3. NAT/Firewall is just dropping packets from .54 and .56 /24's somewhere along the lines.

2. or 3. seems most likely since turning the win2k NAT off would make those subnets visible to the Firewall and since you can ping it from them I assume it has routes for those subnets.

Old 13 May 2003, 12:04 PM
#3
ozzy (Thread Starter)

Hi,

The firewall has routes back to the 54.0 & 56.0 networks. I can ping as far as the firewall's local interface, just no further.

From what you've described it sounds as if the firewall just isn't NAT'ing those two subnets.

I'll check this out.

Stefan

Old 13 May 2003, 12:11 PM
#4
dsmith

Wot Andrew said.

If the firewall is FW-1 you may have to create objects for the servers (or their subnets) and add them to both the NAT rules and access rules.

Deano

Old 13 May 2003, 12:41 PM
#5
Jeff Wiltshire

Probably a stupid question but....

The Internal servers (Server 1 & 2) have a one to one or Static NAT to the middle address range ?

Old 13 May 2003, 11:02 PM
#6
ozzy (Thread Starter)

Jeff,

it's using Static NAT. It's enabled on the interface connected to the middle network. It just uses normal routing between each of the internal networks (those with Server 1 & 2), but will translate everything from those two LANs to the 192.168.52.1 IP address.

Stefan

Old 14 May 2003, 06:01 AM
#7
Jeff Wiltshire

So server 1 is NAT'ed to 192.168.52.5 and server 2 is 192.168.52.6....ie they have unique addresses in the middle address range ?

Old 14 May 2003, 10:40 AM
#8
ozzy (Thread Starter)

No, they all share 192.168.52.1. It's the port addresses that are mapped for the translation.

e.g. client 192.168.56.112 on port 2224 makes some TCP request and it's mapped to 192.168.52.1 on port 1027

Stefan

Old 14 May 2003, 10:52 AM
#9
Jeff Wiltshire

Which is fine for outbound work, but will not work if the middle network needs to get to the back end networks.

If they were NATed through (ie had their own address in the middle range) then it would work as if they existed in the middle of the diagram. Is that what you wanted?


Jeff
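
The mapping Stefan describes in #8 and the limitation Jeff points out in #9 can be made concrete with a small simulation. The following is an added example, not code from the thread or from the W2K router: a toy port-overloaded NAT table (what Linux calls IP masquerading) that reproduces the 192.168.56.112:2224 to 192.168.52.1:1027 translation and then shows why a host on the middle network has nothing it can address to reach the back-end subnets. It assumes the back-end subnets are 192.168.54.0/24 and 192.168.56.0/24 (the thread only says ".54 and .56"), and the external host 203.0.113.10 is a constructed RFC 5737 documentation address standing in for the made-up public range.

```python
"""Added example, not code from the original thread: a toy port-overloaded
NAT table ("IP masquerading" / NAPT) that reproduces the mapping in post #8
(192.168.56.112:2224 -> 192.168.52.1:1027) and shows post #9's point: the
table is only ever populated by traffic leaving the back-end subnets, so a
host on the middle network has no entry it can use to reach them.

Assumptions (not in the thread): the back-end subnets are 192.168.54.0/24
and 192.168.56.0/24, the W2K router hides them behind 192.168.52.1, and the
external host 203.0.113.10 is a constructed RFC 5737 documentation address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """One-sided NAT: rewrites sources from the hidden subnets to a single
    address and a fresh port; reverses only replies that match a mapping."""

    def __init__(self, hidden_nets, hide_behind, first_port=1027):
        self.hidden = [ipaddress.ip_network(n) for n in hidden_nets]
        self.hide_behind = hide_behind
        self.next_port = first_port
        # (hide_behind, mapped port) -> (real src, real sport)
        self.by_mapped: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # (real src, real sport) -> mapped port
        self.by_real: Dict[Tuple[str, int], int] = {}

    def _hidden(self, ip):
        return any(ipaddress.ip_address(ip) in n for n in self.hidden)

    def outbound(self, flow):
        """Packet from the router's inside interfaces heading to the middle net or beyond.
        Hosts that are not in a hidden subnet are plainly routed (returned unchanged)."""
        if not self._hidden(flow.src):
            return flow
        key = (flow.src, flow.sport)
        if key not in self.by_real:
            port = self.next_port
            self.next_port += 1
            self.by_real[key] = port
            self.by_mapped[(self.hide_behind, port)] = key
        return Flow(self.hide_behind, self.by_real[key], flow.dst, flow.dport)

    def inbound(self, flow):
        """Packet arriving on the middle-network interface.  Returns the
        de-translated flow, or None when no mapping exists: there is no way to
        address a hidden host that has not already opened a mapping."""
        real = self.by_mapped.get((flow.dst, flow.dport))
        if real is None:
            return None
        return Flow(flow.src, flow.sport, real[0], real[1])


def demo():
    """Walk through the cases from posts #8 and #9; returns the outcomes."""
    nat = Masquerader(["192.168.54.0/24", "192.168.56.0/24"], "192.168.52.1")
    # 1. Post #8's example: client on .56 opens a TCP connection outward.
    out = nat.outbound(Flow("192.168.56.112", 2224, "203.0.113.10", 80))
    # 2. The reply comes back to the shared address and mapped port.
    back = nat.inbound(Flow("203.0.113.10", 80, "192.168.52.1", 1027))
    # 3. Post #9's case: Server #3 on the middle net tries to open a
    #    connection to a back-end host.  It can only target 192.168.52.1,
    #    and nothing maps port 445 there, so the packet has nowhere to go.
    unsolicited = nat.inbound(Flow("192.168.52.10", 3000, "192.168.52.1", 445))
    # 4. A host on the middle net itself is routed, not translated.
    routed = nat.outbound(Flow("192.168.52.10", 3000, "203.0.113.10", 80))
    return out, back, unsolicited, routed


if __name__ == "__main__":
    for label, result in zip(("outbound", "reply", "unsolicited", "routed"), demo()):
        print(f"{label:12s} {result}")
```

The asymmetry is the whole point: every entry in the table is created by an outbound packet, so the VPN side (or any middle-network host) can never originate a connection into .54 or .56 while they are hidden this way. Turning the W2K box into a plain router, as Stefan wants, removes the table, but then the firewall has to know about those subnets itself.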

Old 14 May 2003, 10:57 AM
#10
ozzy (Thread Starter)

Sort of.

At the moment outbound is fine since it's just HTTP, FTP and DNS traffic. We have a VPN now, so I need to disable NAT to get it to route properly into those two internal subnets.

When I remove NAT from the Windows 2000 server, then clients on those subnets can no longer browse the net and our DNS servers can make requests.

What I need is for NAT to be removed and the server to just act as a router, but it seems like there's some config to do on the firewall. I was just really asking if the theory was sound and achievable. At least then I can ask the right questions when talking to the support guys for the firewall we have.

Stefan

Old 14 May 2003, 03:40 PM
#11
ozzy (Thread Starter)

OK, just discovered our firewall actually implements IP Masquerading (a Linuxey thing I'm told), so it ain't using NAT so to speak.

I'm told it should masq the internal subnets, but I can't get it working

Any Linux folk around that have experience of IP Masq?

Stefan

Old 14 May 2003, 04:04 PM
#12
Andrewza

IP Masq is the linux name for NAT

And unless someone has some very weird netmask (/22? /21?) listed I suspect it's currently only NAT'ing for the .52/24 range.

of course if it's linux, just connect up and run tcpdump and see where the packets are going...

[Edited by Andrewza - 5/14/2003 4:07:41 PM]

Old 14 May 2003, 04:20 PM
#13
ozzy (Thread Starter)

It's a secure version of Linux, so no nice utils on the server

I've been running the Windows port of tcpdump, but it ain't showing much.

Gives me a list of ARP requests, but nothing else. On the other internal hosts that work, I'll show ping requests and replies.

It's starting to get right on my nipple end.

Old 14 May 2003, 04:22 PM
#14
ozzy (Thread Starter)

Just to add, the support guys told me to add a subnet then create a masq rule between that subnet and the Internet connection.

I've done this (and it shows on the rules list), but it still doesn't work.

Is there any debug info under Linux that I could look at to see what it's doing? or is that a tcpdump thing?

Stefan

Old 14 May 2003, 04:49 PM
#15
Jeff Wiltshire

This comes down to what the Firewall understands is its internal networks. It needs to know what is internal and what is external, once this has been achieved then you can deal with the routing issue (192.168.53 & 54 via the router), NAT issue (Hide all these subnets behind the external address) and the VPN issue.

None of this is difficult in itself once the Firewall understands what is internal.

Old 14 May 2003, 05:13 PM
#16
Andrewza

This is where my knowledge ends I'm afraid, I don't use linux for firewalling/nat because it's frankly crap.

IPF/IPNAT on *BSD, Solaris and a few others, or PF on OpenBSD, are miles better: more flexible rules allow a more readable config in fewer lines, and stateful is the only kind of firewall worth having.