Duplicating NAT from Shorewall Firewall



DrkNite
2007-11-18, 19:50
I am having a problem duplicating a setup I have in a Shorewall firewall under NGX R65, and I'm not sure if I've forgotten to do something or I'm not doing it right.

Here is my situation

Note: IP addresses have been changed to protect the innocent :)

I have 150+ branches, each with 24-bit subnets starting at 10.0.1.x for the first branch, 10.0.2.x for the second, and so on.
These connect to our HQ via an MPLS network.
At the HQ they terminate on a router on the 172.16.1.1/22 network.
This router is also the final router before the firewall; it has an ip route 0.0.0.0 0.0.0.0 172.16.1.100 route in it.
172.16.1.100 being the internal NIC of the firewall.
Externally we will, for simplicity, use 100.100.100.5 as eth1, with eth0 being the internal IP address of 172.16.1.100 as above.
I have 2 external routers: 100.100.100.1, which is connected to our internet provider, and 100.100.100.20, connected to a partner's network.

Now the partner has a site we communicate with; this is on 100.0.0.50. To get to it, traffic must go to 100.100.100.20, and it must come from a 100.100.100.7 IP address and on TCP port 2222.

Each of the 150 branches has a piece of equipment that talks to 100.100.100.20 every 30 seconds or so.
This equipment is always on the .150 address.


What I have so far is this.

I created a route in the firewall saying:

dest : 100.0.0.50 mask 255.255.255.255 gateway : 100.100.100.20 static Ethernet 1


I created a security rule that says:

Source : All Internal Networks group ( this group contains all internal network objects )
Dest : Partner Object (an object created with the 100.0.0.50 IP address )
Service : partner service ( service for TCP port 2222 ) + ICMP service object
Action : Accept
Track : Log

I then created a NAT rule:

Original Packet
Source : All Internal Networks group ( same object as above )
Dest : Partner Object (an object created with the 100.0.0.50 IP address )
Service : Any
Translated Packet
Source : Partner_Ext_NAT_IP ( this object has the IP address 100.100.100.7 )
Dest : Original
Service : Original

The Partner_Ext_NAT_IP is selected as hide NAT.



I get an accepted log entry in SmartView Tracker, yet the data does not seem to get to 100.0.0.50, as though it's not coming from the correct IP address.

is there anything else I need to do to get this to work?

This Partner_Ext_NAT_IP object I created has just a name and IP address under General Properties; Topology, NAT and Advanced settings are default.
Did I create this correctly?

Do I need to do something to the ARP tables on the gateway?


Additionally, this is what is in the masq file on the current firewall:


old firewall route on eth1
100.0.0.50 via 100.100.100.20

shorewall masq file
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0:1:100.0.0.50 172.16.0.0/16 100.100.100.7 icmp
eth0:1:100.0.0.50 172.16.0.0/16 100.100.100.7 tcp 2227
eth0:1:100.0.0.50 10.0.0.0/8 100.100.100.7 tcp 2227
eth0 172.16.0.0/16
eth0 10.0.0.0/8

and this will allow me to ping 100.0.0.50, but when I put the R65 gateway in with the above rules I can't ping 100.0.0.50.

It's driving me mad and I'm running out of time to get this firewall in and running.
I'd be grateful for any help.

Note: I have "add automatic NAT rules" and "Hide behind gateway" turned on for all the networks in the All Internal Networks group.
Should I just have that on for the networks that touch the firewall directly?

thanks.

James Hopwood
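A worked illustration of the translation James is doing by hand, added here as an example and not part of the original post or of Shorewall or Check Point: it parses the masq lines above into structured hide-NAT rules, rewrites each in the Original/Translated packet terms a manual NAT rule uses, and flags hide addresses that sit on a directly connected subnet without being an interface's own address, which is exactly the case that needs a published (proxy) ARP entry. The interface addresses passed to the last function are assumed from the post (172.16.1.100 internal, 100.100.100.5 external); the /22 on the external side is an assumption.

```python
"""Parse a Shorewall 'masq' file into hide-NAT rules and spot addresses that
need proxy ARP. Added example; not code from the thread, Shorewall or Check Point.

Column layout follows the masq file header: INTERFACE SUBNET ADDRESS PROTO PORT(S)
IPSEC, where INTERFACE may be written as iface[:alias][:dest-address].
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample: copies the masq lines quoted in the post above.
SAMPLE_MASQ = """\
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0:1:100.0.0.50 172.16.0.0/16 100.100.100.7 icmp
eth0:1:100.0.0.50 172.16.0.0/16 100.100.100.7 tcp 2227
eth0:1:100.0.0.50 10.0.0.0/8 100.100.100.7 tcp 2227
eth0 172.16.0.0/16
eth0 10.0.0.0/8
"""


@dataclass
class MasqRule:
    interface: str
    alias: Optional[int]       # the ":1" alias number, if given
    dest: Optional[str]        # destination restriction from the INTERFACE column
    subnet: str                # original source (CIDR)
    address: Optional[str]     # hide address; None = hide behind the interface's own IP
    proto: str                 # 'any' when the column is absent or '-'
    ports: Optional[str]


def parse_interface(spec: str) -> Tuple[str, Optional[int], Optional[str]]:
    """Split 'eth0:1:100.0.0.50' into (interface, alias, destination)."""
    parts = spec.split(":")
    alias, dest = None, None
    for p in parts[1:]:
        if p.isdigit():
            alias = int(p)
        elif p:
            dest = p
    return parts[0], alias, dest


def parse_masq(text: str) -> List[MasqRule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (6 - len(cols))          # missing optional columns read as '-'
        iface, alias, dest = parse_interface(cols[0])
        subnet = str(ip_network(cols[1], strict=False))   # validates the CIDR
        address = None if cols[2] == "-" else cols[2]
        proto = "any" if cols[3] == "-" else cols[3].lower()
        ports = None if cols[4] == "-" else cols[4]
        rules.append(MasqRule(iface, alias, dest, subnet, address, proto, ports))
    return rules


def to_hide_nat(rule: MasqRule) -> Dict[str, str]:
    """Express one masq line in Original/Translated packet terms (hide NAT:
    only the source changes, destination and service stay Original)."""
    service = rule.proto if rule.ports is None else f"{rule.proto}/{rule.ports}"
    return {
        "orig_src": rule.subnet,
        "orig_dst": rule.dest or "Any",
        "service": service,
        "xlate_src": rule.address or f"<{rule.interface} address>",
        "xlate_dst": "Original",
        "xlate_src_method": "hide",
    }


def proxy_arp_candidates(rules: List[MasqRule], interface_addrs: List[str]) -> List[str]:
    """Hide addresses that are not an interface's own IP but lie inside a directly
    connected subnet. Neighbours will ARP for these, so the firewall must answer
    (published ARP entry or a route for the block) or replies never come back."""
    own = {str(ip_interface(a).ip) for a in interface_addrs}
    nets = [ip_interface(a).network for a in interface_addrs]
    found = set()
    for r in rules:
        if r.address is None or r.address in own:
            continue
        if any(ip_address(r.address) in n for n in nets):
            found.add(r.address)
    return sorted(found)


if __name__ == "__main__":
    rules = parse_masq(SAMPLE_MASQ)
    for r in rules:
        print(to_hide_nat(r))
    # Assumed interface addresses: internal 172.16.1.100/22, external 100.100.100.5/22.
    print("needs proxy ARP:", proxy_arp_candidates(rules, ["172.16.1.100/22", "100.100.100.5/22"]))
```

Running it lists 100.100.100.7 as the one address the new gateway has to answer ARP for, which is the question the rest of the thread turns on.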

melipla
2007-11-19, 10:52
I get an accepted log entry in SmartView Tracker, yet the data does not seem to get to 100.0.0.50, as though it's not coming from the correct IP address.

In SmartView Tracker, for the accepted log entry, double-click on it and select "More Information". You should see a row labeled "XlateSrc", which should be your NATed IP address. Please verify that the packet is indeed being NATed.

Also, this is where fw monitor or perhaps Wireshark would be helpful, as it would show you what packets are being sent or received.


is there anything else I need to do to get this to work?

If we could narrow down the problem that would help, say by identifying whether any return traffic is coming to the firewall with fw monitor. My guess is that it's an ARP issue, but we'll get to that in a minute.


This Partner_Ext_NAT_IP object I created has just a name and IP address under General Properties; Topology, NAT and Advanced settings are default. Did I create this correctly?

For a New Node -> Host, using the defaults for these other sections should be fine.


Do I need to do something to the ARP tables on the gateway?

It's possible that the switch is not routing the NATed traffic back to the firewall. There are multiple ways to fix this, one of which is to create a local ARP entry on your firewall like so:

[Expert@cpmodule]# route add -host 100.100.100.7 gw 172.16.1.1
[Expert@cpmodule]# ifconfig eth0 | grep HWaddr
[Expert@cpmodule]# arp -s 100.100.100.7 <eth0 HWaddr, i.e. 00:05:11:C1:1F:5C> pub

In that example, eth0 is my external interface, and where traffic destined for the NAT IP would originate from. I don't particularly recommend this method for resolving your problems, as now you have to maintain an ARP list. I would think that breaking up the 100.100.100.0/22 network and routing a chunk of it to the firewall and using that chunk for NAT would be simpler. Some SKs regarding ARP for reference: sk9270, sk8022, sk25851.


Note: I have "add automatic NAT rules" and "Hide behind gateway" turned on for all the networks in the All Internal Networks group.
Should I just have that on for the networks that touch the firewall directly?

Technically, Automatic NAT will create ARP entries on your firewall for the IPs it uses to NAT to. That doesn't always work. There's a pretty good thread that discusses Automatic NAT vs Manual NAT; I'd suggest you read through it regarding the pros and cons of which NAT type to use. It's probably relevant to your questions too; you can find it here (http://www.cpug.org/forums/nat-network-address-translation/2600-how-view-automatic-proxy-arps-ngx.html).

DrkNite
2007-11-19, 23:50
melipla, thanks for the info.

Here is a sanitized copy of one of the log files


Number: 12844
Date: 18Nov2007
Time: 10:23:18
Product: VPN-1 Power/UTM
Interface: eth0
Origin: xxxxxxxxxxxx
Type: Log
Action: Accept
Protocol: tcp
Service: partner_service (2222)
Source: 10.0.57.150
Destination: Partner_Object
Rule: 13
Current Rule Number: 13-Standard
Rule Name: Partner
Source Port: 1047
NAT additional rule number: 0
NAT rule number: 1
Rule UID: {5DE07C3B-4844-4EFE-9451-91F644338741}
SmartDefense Profile: Default_Protection
XlateSPort: 10255
XlateSrc: Partner_Ext_NAT_IP
Policy Info: Policy Name: Standard
Created at: Sat Nov 17 01:50:34 2007
Installed from: xxxxxxxxxxxxxx


I think you may be right about the ARP causing the problems.

Would it be possible to cheat the firewall into creating the ARP correctly by creating an object and setting up automatic Hide NAT on the object itself to make the ARP entry, and then place my manual NAT statement above it, thus getting past the need to keep an ARP list?
Just a thought.
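The check melipla suggested, applied to the record James posted: this is an added example, not code from either poster or from Check Point. It parses the "Key: Value" lines of the SmartView Tracker record into a dictionary and reports whether the gateway actually translated the source. An accepted entry that carries XlateSrc (and a non-zero NAT rule number) means the hide NAT happened inside the gateway, so a missing reply has to be explained on the return path (routing or ARP), which is where this thread ends up. The expected object name and the untranslated variant used for comparison are constructed for the example.

```python
"""Confirm hide NAT from a SmartView Tracker log record.
Added example; not code from the thread or from Check Point."""
from typing import Dict, List

# Constructed sample: the sanitized record quoted in the post above.
LOG_RECORD = """\
Number: 12844
Date: 18Nov2007
Time: 10:23:18
Product: VPN-1 Power/UTM
Interface: eth0
Origin: xxxxxxxxxxxx
Type: Log
Action: Accept
Protocol: tcp
Service: partner_service (2222)
Source: 10.0.57.150
Destination: Partner_Object
Rule: 13
Current Rule Number: 13-Standard
Rule Name: Partner
Source Port: 1047
NAT additional rule number: 0
NAT rule number: 1
Rule UID: {5DE07C3B-4844-4EFE-9451-91F644338741}
SmartDefense Profile: Default_Protection
XlateSPort: 10255
XlateSrc: Partner_Ext_NAT_IP
Policy Info: Policy Name: Standard
Created at: Sat Nov 17 01:50:34 2007
Installed from: xxxxxxxxxxxxxx
"""


def parse_record(text: str) -> Dict[str, str]:
    """Turn 'Key: Value' lines into a dict; split on the first colon only,
    so values such as '10:23:18' or 'Policy Name: Standard' survive intact."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record[key.strip()] = value.strip()
    return record


def check_hide_nat(record: Dict[str, str], expected_xlate_src: str) -> List[str]:
    """Return a list of problems; an empty list means the packet was accepted
    and its source was rewritten to the expected NAT object on the gateway."""
    problems = []
    if record.get("Action") != "Accept":
        problems.append(f"action is {record.get('Action')!r}, not Accept")
    if "XlateSrc" not in record:
        problems.append("no XlateSrc: the source was not translated (NAT rule did not match)")
    elif record["XlateSrc"] != expected_xlate_src:
        problems.append(f"XlateSrc is {record['XlateSrc']!r}, expected {expected_xlate_src!r}")
    if record.get("NAT rule number", "0") == "0":
        problems.append("NAT rule number is 0: no NAT rule was applied")
    return problems


def diagnose(record: Dict[str, str], expected_xlate_src: str) -> str:
    """One-line verdict a practitioner can act on."""
    problems = check_hide_nat(record, expected_xlate_src)
    if problems:
        return "NAT not applied on the gateway: " + "; ".join(problems)
    port_note = f" (source port {record.get('Source Port')} -> {record.get('XlateSPort')})"
    return ("translated on the gateway" + port_note +
            "; if no reply arrives, look at the return path: routing or ARP for the NAT address")


if __name__ == "__main__":
    rec = parse_record(LOG_RECORD)
    print(diagnose(rec, "Partner_Ext_NAT_IP"))   # expected object name, assumed from the post

    # Constructed counter-example: the same record with the translation fields removed.
    untranslated = {k: v for k, v in rec.items() if not k.startswith("Xlate")}
    untranslated["NAT rule number"] = "0"
    print(diagnose(untranslated, "Partner_Ext_NAT_IP"))
```

The XlateSPort field is worth reading alongside XlateSrc: with hide NAT the gateway also rewrites the source port (1047 became 10255 in the record), which is what lets many internal hosts share one external address.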

melipla
2007-11-20, 11:28
Would it be possible to cheat the firewall into creating the ARP correctly by creating an object and setting up automatic Hide NAT on the object itself to make the ARP entry, and then place my manual NAT statement above it, thus getting past the need to keep an ARP list?

Every time I've used Automatic NAT it ends up causing more problems than it's worth. I don't know if your approach would work or not; however, if it did, I don't think I'd recommend it over manual ARP entries on the firewall. I'd seriously look at routing it differently so that you don't have to do any ARP (automatic or static).

DrkNite
2007-11-20, 18:39
Thanks for all the info.
My hands are currently tied with the routing, but it's something I can look at in the future.
I'll try tricking it and then, if that doesn't work, I'll add the ARP to the firewall manually.
I don't have that many NAT entries, so it should be small and easy to maintain.

DrkNite
2007-11-23, 12:27
OK,
well, I tried tricking it by adding an object with an auto NAT of the external IP I wanted, and that didn't work.
I also tried

[Expert@cpmodule]# route add -host 100.100.100.7 gw 172.16.1.1
[Expert@cpmodule]# ifconfig eth0 | grep HWaddr
[Expert@cpmodule]# arp -s 100.100.100.7 <eth0 HWaddr, i.e. 00:05:11:C1:1F:5C> pub

with the correct IP and MAC address, and still nothing.

I'm hopefully going to get out to the site where this is installed today or Monday to take some Wireshark captures to see what's going on.

Will keep you up to date as I find out more.

DrkNite
2008-01-02, 15:29
OK, well, got my problem sorted out; just wanted to post a thank you to melipla and also post an update.

Word of advice: when trying to fault-find your NAT issues, don't forget the other hardware that might be in your external switching domain.

Turns out my problem was ARP, but not on my switch: it was on our partner's router that is connected to our switch. It seems that his router was holding the ARP table persistently and was not updating it, so while my NAT was working, packets were not coming back; they were trying to go to the old firewall's MAC address.
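The failure James describes is easy to miss because the firewall's own logs look healthy: the neighbour still maps the NAT address to the previous gateway's MAC. The following added example (not from the thread, and not a Check Point tool) is the check a practitioner can run on an adjacent Linux router or host after a firewall swap. It reads the neighbour cache in `ip -4 neigh show` format, and flags any address the new firewall owns or publishes whose cached MAC is not the firewall's. The MAC addresses and the dump itself are constructed; the address list assumes 100.100.100.5 is the external interface and 100.100.100.7 the published hide-NAT address.

```python
"""Spot stale neighbour-cache entries for addresses a replaced firewall now answers for.
Added example; not code from the thread or from Check Point."""
from typing import Dict, Optional, Set

# Constructed: MAC of the new firewall's external interface and the addresses it
# answers ARP for (its own interface IP plus the published hide-NAT address).
NEW_FW_MAC = "00:05:11:c1:1f:5c"
FIREWALL_OWNED: Set[str] = {"100.100.100.5", "100.100.100.7"}

# Constructed neighbour-cache dump, as `ip -4 neigh show` prints it on an
# adjacent Linux box. 100.100.100.7 still points at a different MAC.
NEIGH_DUMP = """\
100.100.100.1 dev eth0 lladdr 00:aa:bb:cc:dd:01 REACHABLE
100.100.100.5 dev eth0 lladdr 00:05:11:C1:1F:5C REACHABLE
100.100.100.7 dev eth0 lladdr 00:0c:29:11:22:33 STALE
100.100.100.20 dev eth0 lladdr 00:aa:bb:cc:dd:20 DELAY
100.100.100.9 dev eth0 FAILED
"""


def parse_neigh(text: str) -> Dict[str, Optional[str]]:
    """Map IP -> cached MAC (None when the entry has no lladdr, e.g. FAILED)."""
    entries: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        mac = None
        if "lladdr" in tokens:
            mac = tokens[tokens.index("lladdr") + 1].lower()   # normalise case
        entries[tokens[0]] = mac
    return entries


def stale_mappings(entries: Dict[str, Optional[str]], owned: Set[str],
                   expected_mac: str) -> Dict[str, str]:
    """Return {ip: cached_mac} for firewall-owned addresses whose cached MAC
    differs from the firewall's. Replies to those addresses go to the wrong box."""
    want = expected_mac.lower()
    return {ip: mac for ip, mac in entries.items()
            if ip in owned and mac is not None and mac != want}


def missing_mappings(entries: Dict[str, Optional[str]], owned: Set[str]) -> Set[str]:
    """Owned addresses the neighbour has never resolved (or failed to); these
    are the ones a published ARP entry on the firewall is supposed to answer."""
    return {ip for ip in owned if entries.get(ip) is None}


if __name__ == "__main__":
    cache = parse_neigh(NEIGH_DUMP)
    print("stale:", stale_mappings(cache, FIREWALL_OWNED, NEW_FW_MAC))
    print("unresolved:", missing_mappings(cache, FIREWALL_OWNED))
```

A stale entry here means the fix belongs on the neighbour (clear its cache, or wait for the entry to age out), not in another ARP or NAT rule on the firewall, which is what melipla's closing reply points out.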

melipla
2008-01-02, 16:09
Probably don't even need the ARP entries now that you've been able to clear the external device's ARP cache. I'm glad to hear you got it resolved!