Welcome, Guest. Please login or register.
Did you miss your activation email?
Thursday 05 December 2024, 06:10:25 pm

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Can't access AS400 in Orange from outside
0 Members and 9 Guests are viewing this topic. « previous next »
Pages: [1] 2  All Go Down Print
Author Topic: Can't access AS400 in Orange from outside  (Read 36638 times)
faber1965
Full Member
***
Offline Offline

Posts: 11


« on: Friday 07 May 2010, 04:25:52 am »

First of all hello everybody as I'm a new Forum member.

This is my actual configuration:

                                                                191.x.x.54(main uplink-RED)<------|                                             
                                                                                                                   |
      87.x.x.248(public IP address)----->191.x.x.1(ADSL modem/router)------>Endian FW--->10.x.1.111(green)-------->10.x.1.n(PCs)
                                                                                                                   |
                                                                                                                   |--------->10.x.0.111(orange)------->10.x.0.100(AS400)
                                                                                                                   |
                                                                                                                   |--------->10.x.2.111(blue)---------->Not used
 
I can access AS400 from PCs, PCs can surf the web with content filter enabled which works fine, but it's impossible to reach the AS400 from outside.
Outside users connect to my public IP 87.x.x.248 and they should reach AS400 on 10.x.0.100, which listen on port 23.

I tried everything, first of all NATted 87.x.x.248 TCP/23 to 10.x.0.100 in port forwarding, then tried in the incoming routed traffic rules, then in system access rules (I know is for Endian itself but I'm driven by desperation), disabled HTTP proxy, interzone FW, outgoing FW, Snort Intrusion filtering, added all rules I learn after reading other posts, but nothing works. The strangest thing is I have no hits in my firewall log, seems like the firewall itself is unreachable from outside.

Thank you in advance for any help which is sincerely appreciated.
Logged
yhenao
Full Member
***
Offline Offline

Posts: 34


« Reply #1 on: Friday 07 May 2010, 04:37:58 am »

Hi,

You have first create the nat-direction rule with all port open.....Please tell me the results.

Regards,

Yhenao
Logged
faber1965
Full Member
***
Offline Offline

Posts: 11


« Reply #2 on: Friday 07 May 2010, 04:59:27 am »


Hello, thank for your reply.

One of my tries was to create in Port forwarding a rule like this:
- From <main uplink-RED> to <Orange-All known IPs>, ALLOW ANY, NAT, no natted IP, no port specified.

Didn't work, then I tried adding a second rule as I read in a post, and put it at 1st place in list:
- From <ANY> to <RED>, ALLOW ANY, NAT, no natted IP, no port specified.

If this is what you meant, unfortunately nothing worked. Or if I'm doing something wrong, I ask you please to teach me how to do in details, I thank you in advance.

Regards, Faber
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #3 on: Friday 07 May 2010, 05:28:01 am »

Break your problem into pieces, and start removing well tested points:

a) Check you ADSL modem, maybe it is configured as a normal router/firewall that not let any extern traffic enter in your lan.
Try to connect from main
b) Create a rule on Port forwarding/NAT-> Destination NAT:

Quote
          Target     Service                          Policy                 Translate to     Remark 
1    Uplink ANY    <<Port You NEED>>    ALLOW with IPS    10.x.0.100      Your Rule Name
     Access from:    <ANY>
Check Logging
c) Verify firewall logs to see the traffic
d) Check Port forwarding to GREEN to any other machine
e) Check Port forwarding to Orange to any other machine rathen than the AS/400
Logged
faber1965
Full Member
***
Offline Offline

Posts: 11


« Reply #4 on: Friday 07 May 2010, 06:03:49 am »

Actually this lan has a Zyxel Zywall instead the Endian, and everything works. The Zywall has been configured by someone who is lost and the admin password with him, so it's impossible to know how is configured.

That's why I want to change the Zywall with the Endian, whichs add some better features I need and works fine except for the issue I posted.
This said, to confirm the modem permits external communications to flow through.

I'll make the test with the rule suggested by mrkroket, and then I'll let you know.

Thanks for you help.
Logged
faber1965
Full Member
***
Offline Offline

Posts: 11


« Reply #5 on: Friday 07 May 2010, 10:59:59 pm »

Hello!

I removed all previous custom rules.
Outgoing firewall=OFF. Interzone Firewall=ON. Intrusion detection=OFF.
 
I did the try with the rule from mrkroket, but didn't work. No entries in the firewall log.

I was considering an aspect: if outside clients should connect to AS400 using public ip 87.x.x.248, I suppose the modem/router is doing a static nat from that ip to 10.x.0.100, I'm I right?

If this is correct, how change the incoming rules scenario? Should I still use Port forwarding?

Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #6 on: Saturday 08 May 2010, 06:48:49 am »

I suppose the modem/router is doing a static nat from that ip to 10.x.0.100, I'm I right?
Probably not. The modem/router should be sending traffic to your old firewall, not your AS/400.
Then your Zyxel firewall resent the traffic to (finally) the AS/400.

Recheck your modem/router config, as stated in a). It must let incoming traffic, and it must send the traffic to your Endian Firewall!!!

In case you don't have access to modem/router config anymore, try this:
What was the external IP of your old Zyxel Zywall, the one that connects to the modem/router?
Add that IP as an alias on your Endian Firewall, on the correct RED interface.
Logged
faber1965
Full Member
***
Offline Offline

Posts: 11


« Reply #7 on: Saturday 08 May 2010, 07:28:22 am »


Thanks mrkroket, I'll try to expose better my scenario, just to be sure my basis are right before going on with tests.

Since I cannot access the Zywall anymore because the password is lost, and cannot access the ADSL modem/router because is property of the ISP, I should work with all parameters ISP gave me and some others I learn from actual LAN configuration.

The chain actually working is: modem/router ----> Zywall -----> PCs and AS400 on same switch.
Parallel, I have my test chain with endian ------> 1 PC on green switch
                                                   |---------> orange switch

When I do tests I move the cable going to Zywall to Endian RED-IF and connect the AS400 to orange switch. Since the modem/router is the same and RED is well configured with parameters got from ISP, I can surf the web and can connect to AS400, but this remains unreachable from 87.x.x.248. I tried to take command of my green PC from outside using TeamViewer, and it works.

Then, what should I suppose about currently working chain? Maybe public IP 87.x.x.248 is NATted 1:1 (or bridged) in the ZyWall so all requests flow directly to the AS400? If this is true, how can this be applied using Endian, where I must use the 10.x.0.100 of Orange?

Finally, to answer to your question: what do you mean as external IP of the Zywall?
Regading aliases, under Endian 2.3 something has changed. I saw aliases in 2.2 manual but I didn't see any similar in 2.3. How this could apply in the new release?

Regards, Faber





 
Logged
faber1965
Full Member
***
Offline Offline

Posts: 11


« Reply #8 on: Saturday 08 May 2010, 09:28:36 pm »

Well, I searched around in the forum for issues like mine, found some pertinent advises, now I'll try to collect all informations to see if I'm having the right approach.

Just want to add further details to my chain:

                                                     191.x.x.54(RED)<---|
                                                                                   |
  Public IPs   87.x.x.250 (the router) -------->ADSL Router/modem------->Endian----->10.x.0.111(green)
                  87.x.x.248 (AS400)                                                              |-------->10.x.1.111(orange)----->10.x.0.100(AS400)
                  87.x.x.247 (2nd AS400-                                                                                |-------------->10.x.0.99(2nd AS400)
                                   will be added in the future)
                  87.x.x.246-4 (Not used)

Since RED is configured as Ethernet Static using 191.x.x.54, I'm thinking to add 87.x.x.248 and 87.x.x.247 in the additional IPs field provided in the network interface config mask, even if I'm in doubt regarding similarity between 191.x.x.54 and 87.x.x.248-7.

I think this is the way to add aliases in EFW 2.3, and suppose is what mrkroket suggested to do.

Is this approach correct? Could it fit for my needs?
If so, what are next steps to have 87.x.x.248 routed to 10.x.0.100 and 87.x.x.247 routed to 10.x.0.99 (using port 23 and 449)?

Thanks in advance

Faber
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #9 on: Tuesday 11 May 2010, 12:09:18 am »

Each router, firewall, etc should have at least 2 network interfaces, each one with one different IP/subnet.
One only IP doesn't define well your setup. With external I refer to RED interface, the one not controlled by the firewall.
We should need these details:

"External Ifaces" (RED)                       "Secured Interfaces" (GREEN, ORANGE,BLUE)

(87.x.x.250)   | ADSL Router Modem  | (191.x.x.1)
(87.x.x.248)   |                                         
(87.x.x.247)   |
(87.x.x.246-4)|

(191.x.x.YYY)|        Zywall              |  (10.x.0.ZZZ)

(191.x.x.54)   |    Endian Firewall       |  (10.x.0.111) ORANGE
                                                      |  (10.x.1.111) GREEN                                                           
                                                      |  (10.x.2.111) BLUE

As I stated before, it seems to me that your modem router is routing all traffic coming from 87.x.x.248 to (191.x.x.YYY) (your Zywall external IP).
Then your Zywall NAT/route that traffic to 10.x.0.100 (you AS400).
You should determine that external IP and use that IP (191.x.x.YYY) (NOT 87.x.x.248 or 87.x.x.247) as an alias for RED.
So your Endian will have those IP's:

(191.x.x.54)   |    Endian Firewall       |  (10.x.0.111) ORANGE
(191.x.x.YYY)|                               |  (10.x.1.111) GREEN                                                           
                                                      |  (10.x.2.111) BLUE
Then you should remove the Zywall from your switch, to avoid double IP assignment.

IP Alias can be added in Network->Interfaces->Uplink->Uplink Edit->Check option: Add additional addresses (one IP/Netmask or IP/CIDR per line)
then add on the new textbox the new IP: 191.x.x.YYY/24
Logged
faber1965
Full Member
***
Offline Offline

Posts: 11


« Reply #10 on: Tuesday 11 May 2010, 01:27:55 am »

Hello,
I did some check with my ISP and the IBM technician.
These are some updates I collected:

1) The IP address 87.x.x.248 is written inside the AS400 config; this means anybody from anywere pointing to 87.x.x.248 will reach the machine
2) The ISP provider who own the modem/router said that modem act as a bridge; this means all attempt pointing to 87.x.x.248 will flow through the modem and will reach the ZyWall. The latter just survey the traffic through the ports requested to be opened (23 and 449) and finally let it flow to the AS400.

This said, seems there is no need of NATting, I just need to reach 87.x.x.248 from interne, bearing in mind that the machise is in the Orange zone (GW 10.x.0.111). How this could be done in Endian?

Thanks in advance for your kind reply.

Faber
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #11 on: Tuesday 11 May 2010, 01:40:41 pm »

this means all attempt pointing to 87.x.x.248 will flow through the modem and will reach the ZyWall.

I was saying the very same on the last posts!.
It seems your modem is sending the traffic to the Zywall. You need to force that this traffic goes to Endian instead.

As you cannot change any config, your only option is "replacing" the Zywall for the Endian.

Just reread my last post: You need to get your external IP of your Zywall (191.x.x.YYY) and place it as an alias on Endian RED. Try to ask your ISP about the IP that 87.x.x.248 is sending to. Still without their help, there are many ways to get an unknown IP.
Logged
faber1965
Full Member
***
Offline Offline

Posts: 11


« Reply #12 on: Wednesday 12 May 2010, 01:13:33 am »


Maybe there is some misunderstanding between us.

Quote
It seems your modem is sending the traffic to the Zywall. You need to force that this traffic goes to Endian instead.
As you cannot change any config, your only option is "replacing" the Zywall for the Endian.

I'm using two distinct chains to make the test: one has the Zywall, other has Endian. The only gear they have in common is the modem/router, but when a chain is active, the other is disconnected and vice-versa.
I'm trying to replicate in Endian the same working configuration I have in the ZyWall (obvioulsy I don't know it since the ZyWall menus are unaccessible).

I'll be wrong, but I understood you are suggesting me to put the External IP into Endian RED Aliases, and this make me think you are figuring the Endian AFTER the ZyWall and want to config the ZyWall as the gateway for Endian. Please correct me if this is not what you meant.

At the end, my final purpose is to reach a machine in the DMZ via its public IP. I'm frankly surprised this topic is so hard to solve and the Endian seem to be so unfriendly to configurate. Huh

If I did some mistake somewhere, I'm ready to rebuild my chain from scratch.
Just want to get out from something which is turning into a nightmare.

Faber



Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #13 on: Wednesday 12 May 2010, 08:48:23 am »

****************Just find the external IP of the Zywall************************************
**********************Focus on that first! And forget anything else*************************

Google about discover IP's on a subnet (in your case the subnet 191.x.x.0/24) . Options are:
-"tracert 87.x.x.248" to see where it fails to continue
-nmap utility, with command: nmap -sP 191.x.x.1-255
-Ping to broadcast
-Network analyzer
-"arp -a" command
-Maybe from Zywall web interface, without entering any user/pass (as it is
etc.. etc...

Your problem is not related at all with Endian, it's not a problem in the Firewall, or any difficulty on their config. It just the traffic that doesn't reach your Endian Firewall.
Logged
faber1965
Full Member
***
Offline Offline

Posts: 11


« Reply #14 on: Wednesday 12 May 2010, 09:14:42 pm »


OK, I did the tests you suggested, but didn't retrieve some relevant information.

Then I found a freeware called TheDude and installed it on a PC of my actual working chain (with ZyWall): the program returned a graphic report of my lan and I could examine it in detail.

Well, the ZyWall is configured with two IPs: the first is 10.x.0.111 (the same I used for the DMZ in Endian) and there is no doubt this is the internal one; the second is 87.x.x.248 which is identical to the public IP of the AS400.
Then, I examined with surprise the wan connections, as follows:
- 87.x.x.244 = the network itself, not to be used
- 87.x.x.247 = the new AS400, not involved in these tests yet
- 87.x.x.250 = the router

Note that 87.x.x.248 isn't listed here, so I can only think the current AS400 (the one involved in the post) hasn't is public IP - I gave this for granted instead - and connection made from outside to 87.x.x.248 point to the ZyWall, which send it to the AS400 by NATting all into 10.x.x.100.

Do you think all this have a logic?

Regards, Faber

 

Logged
Pages: [1] 2  All Go Up Print 
« previous next »
Jump to:  

Page created in 0.203 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com