Static NAT problem


(Irwan) #1

Hi all, my name is Irwan, from Indonesia.
I have a problem setting up 1:1 NAT on our server.
We have VLANs configured on a Cisco router, and route Internet traffic to the DMZ.
We have a FortiGate as our firewall (using 2 WAN ports, 1 LAN port and a DMZ port).
On our Fortinet, we had no problem configuring 1:1 NAT to our server in another VLAN, but today our Fortinet died (hardware failed to boot).
Right now, we have configured NethServer with 4 Ethernet cards (2 WAN, 1 LAN and 1 DMZ).

Internet access from users (VLAN 1 and other VLANs) is routed through the DMZ with no problem, but when configuring 1:1 NAT for web servers, only the server in VLAN 1 works fine; for servers in other VLANs (let's say VLAN 10), NAT is not working (only the server in VLAN 1 can be accessed by public IP).

Is there any suggestion for this?
PS: sorry for my English, hopefully it's not too bad.

Thanks and Regards
Irwan


(Giacomo Sanchietti) #2

I don't get one thing: are the web servers on the DMZ (orange) zone?
Is this card tagged?

Just post some config:
db networks show


(Irwan) #3

Hi Giacomo,
yes, this web server is on the DMZ zone and this DMZ is not tagged.
Here is my db networks show result:

192.168.10.0=network
    Description=DMZ
    Mask=255.255.255.0
WAN1=provider
    Description=isp1
    checkip=115.xx.xxx.xxx
    interface=eth0
    status=enabled
    weight=100
WAN2=provider
    Description=isp2
    checkip=202.xxx.xxx.xxx
    interface=eth2
    status=enabled
    weight=20
eth0=ethernet
    bootproto=none
    gateway=115.xxx.xxx.xxx
    hwaddr=f8:d1:11:b5:47:34
    ipaddr=115.xxx.xxx.xxx
    netmask=255.255.255.248
    role=red
eth0:0=alias
    FwObjectNat=host;websvr1
    ipaddr=115.xxx.xxx.4
    netmask=255.255.255.248
    role=alias
eth1=ethernet
    bootproto=none
    device=eth1
    gateway=
    hwaddr=20:CF:30:AA:0F:CB
    ipaddr=172.25.117.254
    netmask=255.255.255.0
    onboot=yes
    role=green
eth2=ethernet
    bootproto=none
    gateway=202.xxx.xxx.xxx
    hwaddr=1c:7e:e5:5b:c0:38
    ipaddr=202.xxx.xxx.xxx
    netmask=255.255.255.248
    role=red
eth2:0=alias
    FwObjectNat=host;websvr2
    ipaddr=202.xxx.xxx.5
    netmask=255.255.255.248
    role=alias
eth3=ethernet
    bootproto=none
    hwaddr=00:1e:58:36:44:f8
    ipaddr=192.168.10.1
    netmask=255.255.255.0
    role=orange
ppp0=xdsl-disabled
    AuthType=auto
    Password=
    name=PPPoE
    provider=xDSL provider
    role=red
    user=

Here is my topology:


(Artem Fedai) #4

Is your IP reachable through the Internet? I mean with the aliases?


(Irwan) #5

Yes, we can reach our server via the public IP aliases (based on pings), but when accessing it over the web, it won't open its contents.


(Irwan) #6

Update: still cannot access this server.
Checked the firewall log, found this:
Sep 17 14:04:12 FW-RS1 kernel: Shorewall:net2orang:DROP:IN=eth2 OUT=eth3 SRC=139.228.224.239 DST=172.25.34.1 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=48343 DF PROTO=TCP SPT=51418 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0

SRC=139.228.224.239: my other ISP, beyond my NethServer
DST=172.25.34.1: my target local IP (NAT'd with public IP 202.xxx.xxx.xxx) on VLAN 10 (in my picture it is 172.25.34.4)
ETH2: WAN2 on my NethServer
ETH3: DMZ zone

Any suggestion where I must check?

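A small checker for this kind of Shorewall log line, added here as an example; it is not part of the thread nor of NethServer's or Shorewall's own tooling. It parses the logged fields and flags DROPs that carry IN=<red interface>, OUT=<orange interface> and a private DST, i.e. packets that were already DNAT'd to the DMZ host but matched no net-to-orange ACCEPT rule. The two extra log lines, the DMZ host list and the interface names are constructed assumptions.

```python
import re

# Constructed sample: the real line from the post plus two constructed lines
# (documentation-range IPs) for comparison.
SAMPLE_LOG = """\
Sep 17 14:04:12 FW-RS1 kernel: Shorewall:net2orang:DROP:IN=eth2 OUT=eth3 SRC=139.228.224.239 DST=172.25.34.1 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=48343 DF PROTO=TCP SPT=51418 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Sep 17 14:04:15 FW-RS1 kernel: Shorewall:net2orang:ACCEPT:IN=eth2 OUT=eth3 SRC=203.0.113.7 DST=172.25.34.1 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=48344 DF PROTO=TCP SPT=51419 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Sep 17 14:04:20 FW-RS1 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=115.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Shorewall log prefix: "Shorewall:<chain>:<verdict>:" followed by netfilter key=value pairs.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[A-Z]+):(?P<rest>.*)$")


def parse_shorewall_line(line):
    """Return a dict of the logged fields, or None if the line is not a Shorewall log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "verdict": m.group("verdict")}
    # Chain names such as net2orang encode <src zone>2<dst zone>
    # (assumes zone names themselves contain no digit 2).
    rec["src_zone"], _, rec["dst_zone"] = rec["chain"].partition("2")
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val          # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
        else:
            rec.setdefault("flags", []).append(tok)  # bare tokens: DF, SYN, ...
    return rec


def dropped_dnat_hits(lines, dmz_hosts, red_ifaces, orange_iface="eth3"):
    """Records where already-DNAT'd inbound traffic to a published DMZ host was dropped.

    A DROP with IN=<red iface>, OUT=<orange iface> and DST=<private host> means DNAT
    rewrote the destination but no net->orange ACCEPT rule matched: the symptom in the thread.
    """
    hits = []
    for line in lines:
        rec = parse_shorewall_line(line)
        if rec is None or rec["verdict"] != "DROP":
            continue
        if (rec.get("IN") in red_ifaces and rec.get("OUT") == orange_iface
                and rec.get("DST") in dmz_hosts):
            hits.append(rec)
    return hits
```

Run it over your own /var/log/firewall.log lines with the DMZ host addresses and red interface names from your db networks output; every hit is a DNAT'd connection that still needs a red-to-orange allow rule for that host.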

(Giacomo Sanchietti) #7

You need to create a rule to allow the traffic from red to orange on the web server host.