
Nokia Cluster and NAT issue??


fatboy69

Technical User
May 15, 2002
Racking my brain, hope someone can help.

I have recently installed 2x IP350's with IPSO 3.7 and NG AI. I have configured Nokia clustering with a separate control network (dual port 10/100 card). I am also using all four built-in interfaces: 1x internal, 1x external, 1x DMZ (private), 1x DMZ (public). In addition I have a 2000 box running as a policy server on the public DMZ.

I have licensed all components successfully through SmartUpdate (no issues there) and I am in the process of configuring the rule base. My problem, which I believe to be NAT related, goes like this:

I have set up a rule to allow myself to telnet to the internet router on the external side of the firewall. Pretty basic rule. Myself (internal) --> Internet router --> telnet, install to cluster. The log says the telnet data is being accepted but I do not get a telnet session. I also have a proxy server on the public DMZ and I have set up a rule to allow HTTP proxy access from internal to the DMZ and then from the proxy to the internet.

Basically I think it is NAT related but I don't know! I have my DFGs on all clients set to the cluster (virtual) IP addresses on their corresponding interfaces.

I have also unloaded the policy and enabled ipsofwd, and I still can't get traffic through my firewalls.

Funny thing is though that I can quite successfully install the policy to the Policy server which is on the Public DMZ. Go figure.

Any help would be great. The problem more than likely lies between the user and the keyboard, but hey! I'm stumped!

FB
 

Hi FB,

What about your NAT configuration? How is it configured?

It seems that your packet is accepted and forwarded from the FW to the 'external' devices, but this device has no route back.

/Martin


 
Cheers for the Reply,

I have routes for all my networks on the internet router and the devices on the DMZ have their DFG pointing to the cluster virtual interface on their DMZ. I would have thought that the networks, being directly attached to the firewalls, would be fine and not require routes to be added to all devices on all my subnets, if that is what you are referring to. I will add them to the proxy server and see if that changes anything.

When I initially set it up without FW running, it worked fine when I had IPSOFWD set to on. As soon as I loaded Check Point I can't even go back to that original state as above.

I know I don't need a return rule... do I?

Regards,

FB.
 

You're right, you don't need a return rule.
Routes for your internal networks on your Internet router should also be OK.

If you run a tcpdump on the ext. FW interface of your primary VRRP box, do you see outgoing packets to your internet router?

/Martin

 
I haven't done that yet, but I have run a packet capture on that external segment and it shows the telnet and ICMP requests coming from the private address I am making the connection from, but nothing is coming back.

I'm not actually running VRRP, I'm running Nokia Clustering. I just notice you mentioned VRRP.

I haven't created any hide rules in the NAT section. I have a Check Point 4.1 NT4 StoneBeat cluster running in parallel which I will be cutting over from, and it doesn't have any NAT rules to hide internal traffic, except for when I'm making a direct connection to, say, a Citrix box out on the web; I hide it then behind one of the interfaces. This is why I am a little confused as to why the Nokias aren't just working with ipfwd running!

FB
 

Hm... if you capture the traffic on the ext. segment and see outgoing but no returning packets, are you sure that this is a problem with your FW?

Maybe the packets are routed back to your old cluster?

/M.
 
Sorry, I should have been more specific. When I said parallel I meant the firewalls are connected to the same internal LAN but both go out different internet connections and the subnets are completely separate, different IP space.

I managed to get the DMZs communicating with my LAN by removing the 3rd party synchronisation from the cluster object in SmartDashboard and then re-adding it, but I still cannot get out through the firewall from internal, or even browse from the proxy server which is on the DMZ, and I have configured a blanket any -> any rule.

Could it be something to do with the ARP table?

Man, it's doing my head in!

FB
 
Thanks for all the Help. I have solved my issue.

In the clustering section I had Multicast mode set instead of Forwarding mode. This was causing the router to receive an incomplete MAC address for the cluster IP. Once I changed to Forwarding mode all came good.

Lesson learned. God Bless.

FB.
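The fix above comes down to what the upstream router holds in its ARP cache for the cluster IP. In multicast mode a Nokia IP cluster answers ARP for the cluster IP with a multicast MAC address, which many routers refuse to install as a unicast next hop (the entry stays incomplete, and return traffic never leaves the router); forwarding mode answers with a normal unicast MAC. The check below is an added example, not code from the thread or from Nokia/Check Point: it parses `ip neigh` and BSD-style `arp -an` output and flags whether the entry for a cluster VIP is incomplete, a multicast MAC, or a healthy unicast MAC. The VIP 203.0.113.1 and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample neighbour-table output (not captured from any real device).
# Linux `ip neigh` style: VIP answered with a multicast MAC, as in multicast mode.
SAMPLE_IP_NEIGH = """\
203.0.113.1 dev eth0 lladdr 01:00:5e:11:22:33 STALE
203.0.113.2 dev eth0 lladdr 00:a0:8e:12:34:56 REACHABLE
203.0.113.3 dev eth0  FAILED
"""
# BSD/IPSO `arp -an` style: VIP entry the router could not complete.
SAMPLE_ARP_AN = """\
? (203.0.113.1) at (incomplete) on eth0
? (203.0.113.2) at 00:a0:8e:12:34:56 on eth0
"""


@dataclass
class Neighbour:
    ip: str
    mac: Optional[str]  # None when the entry is incomplete/failed
    dev: str
    state: str


IP_NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)(?:\s+lladdr\s+(?P<mac>\S+))?\s+(?P<state>\S+)$"
)
ARP_AN_RE = re.compile(
    r"^\S+\s+\((?P<ip>[^)]+)\)\s+at\s+(?P<mac>\S+)\s+on\s+(?P<dev>\S+)"
)


def parse_neighbours(text: str) -> List[Neighbour]:
    """Parse `ip neigh` or `arp -an` lines into Neighbour records."""
    out: List[Neighbour] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IP_NEIGH_RE.match(line)
        if m:
            out.append(Neighbour(m["ip"], m["mac"], m["dev"], m["state"]))
            continue
        m = ARP_AN_RE.match(line)
        if m:
            mac: Optional[str] = m["mac"]
            if mac.strip("()").lower() == "incomplete":
                mac = None
            out.append(Neighbour(m["ip"], mac, m["dev"],
                                 "INCOMPLETE" if mac is None else "RESOLVED"))
    return out


def is_multicast_mac(mac: str) -> bool:
    """A MAC is multicast when the least-significant bit of its first octet is set."""
    first_octet = re.split(r"[:-]", mac)[0]
    return bool(int(first_octet, 16) & 1)


def classify(n: Neighbour) -> str:
    """'incomplete': router never got a usable answer for this IP.
    'multicast-mac': answer carried a multicast MAC (cluster in multicast mode).
    'unicast': a normal entry, as forwarding mode produces."""
    if n.mac is None or n.state.upper() in ("FAILED", "INCOMPLETE"):
        return "incomplete"
    if is_multicast_mac(n.mac):
        return "multicast-mac"
    return "unicast"


def check_vip(text: str, vip: str) -> str:
    """Return the classification of the neighbour entry for the cluster VIP,
    or 'missing' if the router has no entry for it at all."""
    for n in parse_neighbours(text):
        if n.ip == vip:
            return classify(n)
    return "missing"


if __name__ == "__main__":
    vip = "203.0.113.1"  # assumed cluster VIP for the example
    print("ip neigh :", check_vip(SAMPLE_IP_NEIGH, vip))
    print("arp -an  :", check_vip(SAMPLE_ARP_AN, vip))
```

Run it against the real output of `ip neigh` (Linux) or `arp -an` (BSD, IPSO) taken on the internet router or on a host on the external segment while traffic is failing. A "multicast-mac" or "incomplete" verdict for the VIP, together with a capture that shows outbound packets but no replies (the symptom described earlier in the thread), points at the cluster's ARP answer rather than at the rule base or NAT; "unicast" means the router can at least address the cluster, so look elsewhere.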
 
This may sound like a silly suggestion, but have you enabled Telnet on the Nokia Firewalls through Voyager? If you go into the Config option and look under Network services there are options to enable or disable Telnet, Web, etc...
 