
Static NAT Problem

Status
Not open for further replies.

tabularasa

Technical User
Sep 20, 2002
65
US
Hey Guys,

It's been a while since I got on here. Thought I would ask a quick one.

I've got a fresh install of NG FP3 on a Nokia IP330.

4 interfaces

LAN - 10.10.0.x
WAN1 - 63.x.x.x/24
WAN2 - 65.x.x.x/26
DMZ - 10.10.1.x

I have one webserver on the DMZ, static NATted to 65.x.x.x. Works fine.. resolves all over the place..

I have my DNS server on the DMZ. Now I put a static NAT rule to this one for 63.x.x.x, and nothing. It will not NAT this object for anything. I don't know what else to try. Any ideas? We have two DNS servers. The other one I tried to NAT to the 65.x.x.x, and it will not resolve either..

Help!

Ryan
 
I presume you have set rules to allow connections to the DNS servers from the WANs. (You can slap me, but I always start with the basics.)

Check logs for connections to the DNS servers and see if there are rejections (or drops).
 
Yeah, (slap!) j/k!

I have ANY to DNS1 service DNS - Allow
then DNS to ANY service DNS - Allow

The problem is the NAT... All of our webservers and DNS servers are presently NATted behind a stupid SonicWall. I nslookup fine. So, I delete the static NAT on the SonicWall, then do an nslookup and it fails. (Obviously.) Then create a static NAT entry in CP, and push the policy. The policy pushes and verifies fine. Then I do another nslookup, and it fails.

What gives?
 
OK, I got those automatic NATs to work. I'm stupid and figured out the problem was the gateway on the DNS servers. (Slap me, please.)

Now I'm trying to static NAT our webserver. I have these NAT rules:

Webserverinternal - any - any - webEXT - original - original

any - webEXT - any - orig - Webserverinternal - orig

Plus I have the rules set up to allow connections to that machine's internal IP and external IP.

The NAT is not working. I can use an automatic rule to make it work. But when I map it myself the NAT does not take. I need to do the manual NAT because I have to do some port translations when I get it to work.

Is there some bug in FP3 that is not allowing manual NAT to work?



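The manual NAT rule pair above (hide the DMZ address behind webEXT outbound, translate webEXT to the internal host inbound), modelled in Python as an added example that is not from the thread. Addresses and the 80 to 8080 port translation are constructed stand-ins for the masked values, and the last function lists the public addresses the firewall must answer ARP for on its WAN interface, which is the proxy ARP point raised later in the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed stand-ins for the thread's masked addresses (assumed values, not the poster's).
WEB_INTERNAL = ip_address("10.10.1.225")   # Webserverinternal, on the DMZ
WEB_EXT = ip_address("63.0.0.225")         # webEXT, stands in for 63.x.x.225
WAN1_NET = ip_network("63.0.0.0/24")       # the 63.x.x.x/24 WAN1 segment

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
@dataclass(frozen=True)
class NatRule:
    """One manual NAT rule: match fields (None = any) and translations (None = original)."""
    src: Optional[IPv4Address]
    dst: Optional[IPv4Address]
    dport: Optional[int]
    xlate_src: Optional[IPv4Address]
    xlate_dst: Optional[IPv4Address]
    xlate_dport: Optional[int]
RULES = [
    # Outbound: Webserverinternal - any - any -> webEXT - original - original
    NatRule(WEB_INTERNAL, None, None, WEB_EXT, None, None),
    # Inbound: any - webEXT - http -> original - Webserverinternal - 8080 (port translation assumed)
    NatRule(None, WEB_EXT, 80, None, WEB_INTERNAL, 8080),
]

def translate(pkt: Packet, rules=RULES) -> tuple:
    """First-match translation, as a manual NAT rulebase does: (packet, rule index or None)."""
    for i, r in enumerate(rules):
        if r.src is not None and pkt.src != r.src:
            continue
        if r.dst is not None and pkt.dst != r.dst:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        keep = lambda new, old: old if new is None else new   # None in a translation column = original
        return replace(pkt, src=keep(r.xlate_src, pkt.src),
                       dst=keep(r.xlate_dst, pkt.dst),
                       dport=keep(r.xlate_dport, pkt.dport)), i
    return pkt, None

def proxy_arp_needed(rules, wan_net: IPv4Network, owned) -> set:
    """Public addresses the rules use that the firewall does not own: each needs a proxy ARP entry on the WAN interface, or the router never delivers to it."""
    used = {a for r in rules for a in (r.xlate_src, r.dst) if a is not None and a in wan_net}
    return used - set(owned)
```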
 
Just a point that may or may not be unrelated to this problem. Having recently built a couple of Nokia firewalls, one with NG FP2 and the other with FP3 I have also found problems with statically NATed servers in the DMZ. The problem on both occasions has turned out to be proxy arp on the firewall. When checking the router on the WAN interface the NATed addresses cannot be seen. Despite the fact that NG is supposed to do automatic proxy arp I have found that it can't be trusted on the Nokia platform and so now we have a policy of always putting manual ARP entries in via Voyager for all NATed servers. Works a treat!

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
I will definitely try putting the static ARP and static route statements in for the manual static NAT entry. Yes, I realize that you shouldn't have to, so I didn't do it. I will give that a try and let you know.

It's really aggravating when all your settings seem correct and the stupid thing doesn't work. lol

Thanks Chris

Ryan
 
Just to be clear, I need to set up ARP like this.

ARP -s 63.x.x.225 (MAC ADDRESS of 63 interface)

right?

Then add static routes:

route add 63.x.x.225/32 10.10.1.225

This should do it?

 
No,

Firstly, NG does NAT on the client side so you shouldn't need a route like you did on 4.1.

Secondly, to put the static route in, log onto Voyager, go to config > Interface Configuration > ARP. Scroll down to 'Proxy arp entries' and then enter the outside IP address of the server under 'Add a new Proxy ARP entry'. In the drop-down list select the external interface that you want to ARP for that IP address. Apply and Save.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Looking in the NG book that I have, it says, "use the translated IP address assigned to the webserver (63.x.x.225) and the MAC address of the LOCAL network card (10.10.1.225)."

Am I reading this wrong?

OK, I took the route out. As you said, I should not need it. All I'm going to need is the ARP. I'll try this when I get the chance.

Thanks again Chris

Ryan
 
Ryan,

You need the firewall to ARP for the local server on its external internet-facing address. So, if you have a server on the inside or the DMZ such as a web server or e-mail server then the firewall should ARP for the external IP address of those servers on its internet-facing port, the one that connects to the router. When running FireWall-1 on NT we put these proxy ARP entries in the local.arp file. On a Nokia platform it's even easier with Proxy ARP configuration available under the Interfaces > ARP page via Voyager.

You shouldn't need to do this with NG but experience has shown me that it's best to put them in anyway.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
OK, I will ARP 63.x.x.225 to the MAC address of the 63.x.x.x interface. Then stop and start the fw process, and give that a try.

Voyager is pretty nice for doing these changes. :)

Ryan
 
Chris,

I tried this ARP configuration and did a cpstop and cpstart, and it still is not NATting. I even put in a rule to allow ping, and it's not pinging.... :-(

Any other suggestions?

Ryan
 
I can use the automatic NAT and it will work. I'm trying to get the manual NAT to work so I can do port translation...

My settings are identical to the auto NAT. There is NO reason it should not work....

 
Oddly enough, Chris, I added the static route statements, like for 4.1, and it started working!

Weird... now let's just hope it doesn't just spontaneously stop working again.....
 
Ah, in that case check your settings in Global Properties > NAT. If 'Translate destination on client side' is checked then you shouldn't need the static routes. I haven't had to put static routes on any NG firewalls so far!

Still, if it's working ......

;-)

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
No joke, very frustrating sometimes... I checked that, and yes, under manual NAT that box was not checked. I checked it, and am going to try to get rid of those routing statements... I'll let you know.

Thanks for all the help! You rock!

Ryan
 
I do my best.

;-)

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
OK, I took out those routing statements and things seem to be still working.. :)

Let's hope things just don't spontaneously stop working again!

Hope things are well with you.

Ryan
 