Multiple NAT Routing problems.... - TCP-IP


Thread: Multiple NAT Routing problems....

  1. Multiple NAT Routing problems....

    G'day all....
    got a few questions on how to properly implement & correct a routing problem
    I have.
    Consider the following physical network:

    LAN --- (Switch) --- Linux --- (Switch) --- ADSL2+ Modem
                +------ PIX -------+

    Linux Int - 172.30.1.254, Ext - 172.30.250.254
    PIX Int - 172.30.1.251, Ext - 172.30.250.251
    ADSL - 172.30.250.250
    ADSL External has static IP - 1.2.3.4

    The LAN has the Linux box as its default gateway. This Linux box is
    NATing this into the External Network, and the ADSL2 modem is NATing
    the External network to the Internet.

    The External interface of the PIX is defined as the 'DMZ' host in the
    ADSL modem, so it receives all requests hitting the external interface.

    This PIX then forwards on the requests to the appropriate LAN server
    (mail + web etc). This PIX is also a PPTP/IPsec VPN server to allow
    Internet users to log into the LAN.

    Now... why do it like this? I want the IPsec/firewall features of the
    PIX, but the PIX is a 10-user 501, which only has 10 Mbit interfaces,
    and my ADSL2 connection is 24 Mbit, and I have around 30 machines on the
    LAN.

    Now, the problem. All the LAN users have no hassles accessing the
    Internet correctly. External services, though... this is the issue. When
    a user, for example, connects to port 25 for an SMTP session, hits the
    1.2.3.4 address, the PIX forwards it on to the correct server. When the
    TCP stack on that server replies with its SYN/ACK, though, it gets sent
    back via the Linux machine, being the default route. This confuses the
    ADSL modem, which treats it as a new packet, re-NATs it, and sends it
    back to the user. The user's machine then replies with a RST because it
    doesn't understand what the hell is going on. Hence the connection
    fails. What to do?
    I am puzzled. Any help would be fantastic - cheers!!


  2. Re: Multiple NAT Routing problems....

    In article <1157605619.456519.108210@e3g2000cwe.googlegroups.com>,
    "Skymaster" wrote:

    > [full quote of the original post snipped]


    You need to configure the PIX so that incoming packets have their source
    address translated to its internal IP, so that replies will go back to
    the PIX rather than going to the default route. Then the PIX will NAT
    the reply to its external IP, and this will match what the ADSL modem
    had already NATted the static IP to.

    If the PIX doesn't support this type of NAT then I think you're out of
    luck.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  3. Re: Multiple NAT Routing problems....

    Hello,

    Barry Margolin wrote:
    >
    > You need to configure the PIX so that incoming packets have their source
    > address translated to its internal IP, so that replies will go back to
    > the PIX rather than going to the default route.


    This trick has an important drawback: the real source address is hidden
    from the server and therefore becomes unavailable for any useful purpose
    (logging, accounting, access control, blacklists...).

    Skymaster: wouldn't it be possible for the servers running external
    services to use the PIX as their default gateway?

    Or you could change the way the PIX is connected; have you considered
    connecting its internal interface to a dedicated interface of the Linux
    box instead of the LAN switch, so the Linux box would be the only
    gateway for the LAN?
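The failure described in the original post and the two remedies proposed in the replies (source translation on the PIX from Barry's answer, and the servers using the PIX as their default gateway from the third post), modelled as an added example that is not part of the thread. It is Python written for this page, not PIX or Linux configuration; the modem, PIX and Linux addresses are the thread's, while the Internet client 203.0.113.10, the mail server 172.30.1.10 and every port number are constructed. Each NAT hop keeps a translation table, so you can see which lookup fails on the asymmetric path, and the run also returns the client address the mail server records, which is the logging drawback the third post raises.

```python
"""Model of the thread's double-NAT path: ADSL modem (DMZ host -> PIX ext),
PIX (port forward :25 -> mail server), Linux box (LAN default gateway, SNAT).
Modem, PIX and Linux addresses are the thread's; the client, the mail
server and all port numbers are constructed for this example."""
from dataclasses import dataclass, replace

CLIENT = ("203.0.113.10", 40000)          # constructed Internet client
MODEM_EXT = "1.2.3.4"
PIX_EXT, PIX_INT = "172.30.250.251", "172.30.1.251"
LINUX_EXT, LINUX_INT = "172.30.250.254", "172.30.1.254"
MAIL = ("172.30.1.10", 25)                # constructed LAN mail server


@dataclass(frozen=True)
class Pkt:
    src: tuple   # (ip, port)
    dst: tuple
    flags: str


def on_lan(ip):
    return ip.startswith("172.30.1.")


class Nat:
    """Stateful NAT keyed on (inside endpoint, remote endpoint), like a
    conntrack table.  dmz is the inside host that receives unsolicited
    inbound packets (the modem's 'DMZ host' setting); None means drop."""

    def __init__(self, outside_ip, first_port, dmz=None):
        self.outside_ip, self.next_port, self.dmz = outside_ip, first_port, dmz
        self.table = {}  # (inside, remote) -> outside endpoint

    def outbound(self, p):
        """Inside -> outside: rewrite the source, creating a mapping if new."""
        key = (p.src, p.dst)
        if key not in self.table:  # unknown flow: allocate a fresh outside port
            self.table[key] = (self.outside_ip, self.next_port)
            self.next_port += 1
        return replace(p, src=self.table[key])

    def inbound(self, p):
        """Outside -> inside: rewrite the destination from an existing mapping,
        or DMZ-forward an unsolicited packet, or drop it."""
        for (inside, remote), outside in self.table.items():
            if outside == p.dst and remote == p.src:
                return replace(p, dst=inside)
        if self.dmz and p.dst[0] == self.outside_ip:
            inside = (self.dmz, p.dst[1])
            self.table[(inside, p.src)] = p.dst  # replies from the DMZ host map back
            return replace(p, dst=inside)
        return None


class Pix:
    """Static forward 172.30.250.251:25 -> mail server.  With snat=True it
    also translates the source to its inside address (Barry's suggestion)."""

    def __init__(self, snat):
        self.snat = Nat(PIX_INT, 5000) if snat else None
        self.forwards = {(PIX_EXT, 25): MAIL}

    def inbound(self, p):
        if p.dst not in self.forwards:
            return None
        p = replace(p, dst=self.forwards[p.dst])
        return self.snat.outbound(p) if self.snat else p

    def reply(self, p):
        """Packet from the LAN side: undo the SNAT (if any) and the port forward."""
        if self.snat:
            p = self.snat.inbound(p)
            if p is None:
                return None
        back = {v: k for k, v in self.forwards.items()}
        return replace(p, src=back.get(p.src, p.src))


def run(pix_snat, server_gw):
    """Drive one SMTP SYN through the path.  Returns (client accepted the
    SYN/ACK, source the client saw on it, client address the server saw)."""
    modem = Nat(MODEM_EXT, 2048, dmz=PIX_EXT)
    pix, linux = Pix(pix_snat), Nat(LINUX_EXT, 1024)

    syn = Pkt(CLIENT, (MODEM_EXT, 25), "SYN")
    at_server = pix.inbound(modem.inbound(syn))
    seen_by_server = at_server.src[0]             # what the mail log records

    synack = Pkt(MAIL, at_server.src, "SYN/ACK")
    # Server routing: a same-subnet destination goes direct (here that can only
    # be the PIX inside address); anything else goes to the default gateway.
    next_hop = synack.dst[0] if on_lan(synack.dst[0]) else server_gw
    out = pix.reply(synack) if next_hop == PIX_INT else linux.outbound(synack)
    at_client = modem.outbound(out)

    # The client's socket is bound to 1.2.3.4:25; any other source gets a RST.
    accepted = at_client.src == (MODEM_EXT, 25) and at_client.dst == CLIENT
    return accepted, at_client.src, seen_by_server


if __name__ == "__main__":
    for label, snat, gw in [("as deployed", False, LINUX_INT),
                            ("PIX source NAT", True, LINUX_INT),
                            ("server gateway = PIX", False, PIX_INT)]:
        ok, src, seen = run(snat, gw)
        print(f"{label:22} -> {'SYN/ACK accepted' if ok else 'RST'}, "
              f"SYN/ACK from {src[0]}:{src[1]}, server saw client as {seen}")
```

In the "as deployed" run the SYN/ACK leaves through the Linux box, so the modem sees a source of 172.30.250.254 that matches nothing in its table, allocates a second mapping, and the client receives a SYN/ACK from 1.2.3.4 on a port other than 25, which is the RST in the original post. With the PIX translating the source, the server's reply is addressed to 172.30.1.251 on its own subnet, never touches the default route, and the modem's existing mapping for 172.30.250.251:25 is hit; the price is that the server logs 172.30.1.251 as the client. Pointing the server's default gateway at the PIX gives the same matching mapping while keeping the real client address, at the cost of the server's other outbound traffic also crossing the 10 Mbit PIX. The model keys on address pairs only; a real connection tracker also keys on protocol and checks TCP state, which only makes the asymmetric case fail sooner.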
