Title: Port Forward - IS changing SYN packets to ACKs?? Post by: yeganeh on Sunday 01 August 2010, 10:46:37 pm

I'm using Endian 2.3 and trying to forward 192.168.70.0/24 port 4100 traffic to the internal server, which is located on the green network with IP 192.168.40.40, port 7100. To configure this scenario I followed these steps:

1- Port Forwarding / NAT > Destination NAT
1-1 Access From: Network IP/Range: 192.168.70.0/24
1-2 Target: Zone/VPN/Uplink: ANY Uplink
1-3 Filter Policy: ALLOW
1-4 Service: ANY, Protocol: TCP, Target: 4100
1-5 Translate to: IP, DNAT Policy: NAT
1-6 Insert IP: 192.168.40.40, port: 7100

2- Outgoing Traffic
2-1 Source: Network/IP, IP: 192.168.40.40
2-2 Destination: Network/IP, IP: 192.168.70.0/24
2-3 Service: ANY, Protocol: TCP, Destination Port: 4100
2-4 Policy: ALLOW

3- System Access
3-1 Source address: 192.168.70.0/24
3-2 Source Interface: RED
3-3 Service: ANY, Protocol: TCP, Destination Port: 7100
3-4 Policy: ALLOW

Unfortunately, the DNAT rule is not working as planned. I monitored the connections in the status section of the Endian system and I can see that the DNAT properly directs the packets. I also monitored my server (IP 192.168.40.40) with TCPDUMP and found that the server receives packets, but unfortunately the connection is not being built, because the initial SYN packets from my client to my server are being translated by Endian Firewall into ACK packets, which is preventing the initial 3-way handshake from establishing.

TCPDUMP of 192.168.40.40:

IP 192.168.70.92.50924 > 192.168.40.40.7100: S 1705309870:1705309870(0) win 5840 <mss 1460,sackOK,timestamp 1791227116[|tcp]>
0x0000: 4500 003c 1f9b 4000 3f06 f7d5 c0a8 7723 E..<..@.?.....w#
0x0010: c0a8 2bd7 c6ec 0016 65a4 f6ae 0000 0000 ..+.....e.......
0x0020: a002 16d0 89de 0000 0204 05b4 0402 080a ................
0x0030: 6ac3 f4ec 0000 j.....

Am I missing something simple here? What should I do to solve this problem??

Thanks in advance for your help...
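The following is an added example and is not part of yeganeh's post or of Endian: a small Python decoder for the raw IPv4/TCP header bytes that tcpdump prints with -x, so the TCP flags can be read straight from the wire bytes instead of from tcpdump's summary line. Its only input is the hex block from the post above, embedded as a constant with the offset column stripped; everything else (function names, the returned dictionary keys) is this example's own. It also verifies the IP header checksum and copes with a capture cut short by the snaplen, which is what the [|tcp] in the summary line marks.

```python
import struct
from typing import Dict, List

# Input taken from the post above (tcpdump -x output, offset column dropped).
# Only 54 of the datagram's 60 bytes were captured, so the TCP options are
# cut off; the decoder below has to tolerate that.
DUMP = """
4500 003c 1f9b 4000 3f06 f7d5 c0a8 7723
c0a8 2bd7 c6ec 0016 65a4 f6ae 0000 0000
a002 16d0 89de 0000 0204 05b4 0402 080a
6ac3 f4ec 0000
"""

# TCP flag bits in the low byte of the data-offset/flags word.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def hexdump_to_bytes(dump: str) -> bytes:
    """Whitespace-separated hex words (tcpdump -x style) -> raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def flag_names(flags: int) -> List[str]:
    return [name for bit, name in TCP_FLAGS if flags & bit]


def inet_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum; 0 means the header checksum verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(raw: bytes) -> Dict[str, object]:
    """Decode MSS, SACK-permitted and timestamp; stop cleanly at a cut-off."""
    opts: Dict[str, object] = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2 or i + length > len(raw):
            # The option runs past the captured bytes (snaplen truncation).
            opts["truncated_option"] = kind
            if kind == 8 and len(raw) - i >= 6:   # TSval is still intact
                opts["tsval"] = struct.unpack("!I", raw[i + 2:i + 6])[0]
            break
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            opts["sackOK"] = True
        elif kind == 8 and len(body) == 8:
            opts["tsval"], opts["tsecr"] = struct.unpack("!II", body)
        else:
            opts.setdefault("other", []).append(kind)
        i += length
    return opts


def parse_ipv4_tcp(pkt: bytes) -> Dict[str, object]:
    """Decode an IPv4+TCP header and report the flags actually on the wire."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    (vihl, _tos, total_len, _id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP (protocol %d)" % proto)
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    (sport, dport, seq, ack, off_flags, window,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0xFF
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "flag_names": flag_names(flags), "window": window,
        "options": parse_tcp_options(tcp[20:data_off]),
        "truncated": len(pkt) < total_len,   # tcpdump's [|tcp] case
    }


if __name__ == "__main__":
    for key, value in parse_ipv4_tcp(hexdump_to_bytes(DUMP)).items():
        print("%-15s %s" % (key, value))
```

Run over the dump from the post, the decoder reports flags 0x02 (SYN only, no ACK bit), sequence number 1705309870, window 5840, MSS 1460, SACK permitted, a valid IP header checksum, and a timestamp option whose TSval (1791227116) is intact but whose TSecr was cut off by the snaplen. The addresses and destination port it decodes (192.168.119.35 to 192.168.43.215, port 22) differ from the summary line printed above the hex, so the hex block does not belong to that summary line; reading the flags byte directly sidesteps that kind of mix-up. For a live check on the firewall itself, tcpdump's own filter syntax can select packets by flag bits, for example `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-ack` to see only bare ACKs on a given interface.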