D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: kmdxb on June 02, 2010, 10:45:28 AM

Title: Getting totally confused with NAT/SAT on DFL800
Post by: kmdxb on June 02, 2010, 10:45:28 AM
I've been trying to figure out a particular configuration that will involve the use of both NAT and SAT - I've read so many docs/faqs/examples etc that I'm now more confused than when I started!!


The IP layout is as follows:


What I am trying to achieve is the following:



OK, as you can see I'm finding it hard to even explain what I'm trying to do, let alone figure out how to do it. I've been looking into ARP settings, SAT options etc etc and just can't seem to see a way of doing this. Got to the stage where I'm losing the ability to read....

Can anyone give any advice on how to do this, assuming I have given you enough details for you to see what I am trying to do.

Thanks.
Title: Re: Getting totally confused with NAT/SAT on DFL800
Post by: danilovav on June 02, 2010, 10:31:08 PM
1) Objects > Address book > InterfaceAddresses
Set wan1_ip = 192.168.200.1 (the first IP will be assigned on the interface directly). Also, please set wan1_gw, wan1_net according to your ISP settings
Add wan1_ip2 = 192.168.200.2, wan1_ip3 = 192.168.200.3

Objects > Address book > LocalNetwork
Add
lan_clients = 10.4.3.3-10.4.3.100
lan_server = 10.4.3.2
dmz_server = 172.16.100.2

2) Interfaces > ARP
Add ARP publish records on interface WAN with addresses wan1_ip2 and wan1_ip3

3) Routing > Routing tables > main
Add routes (interface network metric)
core wan1_ip2 1
core wan1_ip3 1

4) Rules > IP rules
Disable lan_to_wan1 folder (better to use rules like it contains, in future change (add) NAT rules alike)
Add rules
# WAN to DMZ server
SAT wan1/all-nets core/wan1_ip3 https (SAT: new destination = dmz_server)
Allow wan1/all-nets core/wan1_ip3 https
# LAN server to WAN
NAT lan/lan_server wan1/all-nets all_services (NAT: new source IP = wan1_ip2)
# LAN clients to WAN
NAT lan/lan_clients wan1/all-nets all_services
# DMZ server to WAN
NAT dmz/dmz_server wan1/all-nets all_services (NAT: new source IP = wan1_ip3)
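A small Python model of how the rule set above is evaluated, added here as an illustration and not code from the post or from D-Link: a matching SAT rule only records the rewrite, and the lookup continues until an Allow or NAT rule also matches the original packet, otherwise the packet is dropped. The rule tuples, the packet dicts and the 203.0.113.x client addresses are constructed, and the default NAT source for lan_clients is assumed to be wan1_ip (192.168.200.1).

```python
import ipaddress

# Constructed model of the rule set in the answer above (not NetDefendOS code).
# Address book objects; lan_clients is an IP range, so it is stored as a pair.
BOOK = {
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
    "wan1_ip3": ipaddress.ip_network("192.168.200.3/32"),
    "lan_server": ipaddress.ip_network("10.4.3.2/32"),
    "dmz_server": ipaddress.ip_network("172.16.100.2/32"),
    "lan_clients": (ipaddress.ip_address("10.4.3.3"), ipaddress.ip_address("10.4.3.100")),
}

def in_net(name, ip):
    ip, obj = ipaddress.ip_address(ip), BOOK[name]
    return obj[0] <= ip <= obj[1] if isinstance(obj, tuple) else ip in obj

# (action, src_if, src_net, dst_if, dst_net, service, translation)
# Assumption: NAT without an explicit address uses wan1_ip = 192.168.200.1.
RULES = [
    ("SAT", "wan1", "all-nets", "core", "wan1_ip3", "https", ("dst", "172.16.100.2")),
    ("Allow", "wan1", "all-nets", "core", "wan1_ip3", "https", None),
    ("NAT", "lan", "lan_server", "wan1", "all-nets", "all_services", ("src", "192.168.200.2")),
    ("NAT", "lan", "lan_clients", "wan1", "all-nets", "all_services", ("src", "192.168.200.1")),
    ("NAT", "dmz", "dmz_server", "wan1", "all-nets", "all_services", ("src", "192.168.200.3")),
]

def matches(rule, pkt):
    _, sif, snet, dif, dnet, svc, _ = rule
    return (sif == pkt["src_if"] and dif == pkt["dst_if"] and in_net(snet, pkt["src"])
            and in_net(dnet, pkt["dst"]) and svc in ("all_services", pkt["service"]))

def evaluate(pkt):
    """Return (verdict, packet after translation). A matching SAT rule only
    records the rewrite; the lookup continues and a later Allow/NAT rule must
    also match the ORIGINAL packet, otherwise the packet is dropped."""
    out, sat = dict(pkt), None
    for rule in RULES:
        if not matches(rule, pkt):
            continue
        if rule[0] == "SAT":
            sat = sat or rule[6]      # first SAT match wins
            continue
        if sat:                       # apply the recorded SAT rewrite
            out[sat[0]] = sat[1]
        if rule[0] == "NAT":          # NAT rewrites the source address
            out["src"] = rule[6][1]
        return rule[0], out
    return "Drop", out
```

Feeding it a WAN client hitting wan1_ip3 on http instead of https shows why the SAT rule alone is not enough: neither the SAT nor the Allow rule matches, so the packet is dropped.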
Title: Re: Getting totally confused with NAT/SAT on DFL800
Post by: kmdxb on June 03, 2010, 01:17:35 AM
Wow, that's a lot easier than what I've been trying...

Worked perfectly, thank you so much.
Title: Re: Getting totally confused with NAT/SAT on DFL800
Post by: imac on June 17, 2010, 02:00:40 PM
I am trying to do something similar. Rather than doing a SAT on a WAN interface, I am trying to do one on an IPsec tunnel interface. Here's my scenario (with different IPs)

The LAN is 172.16.100.0/24; at a remote site there is a public network 200.20.20.0/24 (remote_lan)

A VPN tunnel connects the two sites using a third public subnet assigned to our end of the VPN. This network for the VPN tunnel is 100.10.10.0/24. So we have a VPN with local subnet 100.10.10.0/24 and remote subnet 200.20.20.0/24, and we connect and NAT our local LAN devices to various hosts on the 200.20.20.0/24 network.

NAT src/lan/lannet dst/any/remote_lan on all_tcp_udp with NAT sender address set to 100.10.10.1.

This works great.

Now, we want to allow inbound HTTP/HTTPS connections from specific 200.20.20.0/24 hosts to 100.10.10.2 (vpn_snat_inbound) and SNAT that to 172.16.100.4 (local_server)

We have setup two new rules,

SNAT src/ipsec_interface/remote_lan dst/core/vpn_snat_inbound on http-in-all with SAT destination ip set to 172.16.100.4 (local_server)

and

ALLOW src/ipsec_interface/remote_lan dst/core/vpn_snat_inbound on http-in-all

This could probably be narrowed by source to

Reading above... I think we have it right, but it's not working as of yet.

There is no way to assign ARP to an IPsec interface for vpn_snat_inbound like the example above. Effectively we have assigned vpn_snat_inbound to our DFL-800 here in theory.. but is it picking up the traffic at core and SNAT'ing it like we want without some additional config? I will add a route too

route core vpn_sat_inbound 1
Title: Re: Getting totally confused with NAT/SAT on DFL800
Post by: danilovav on June 17, 2010, 10:06:51 PM
As I understand it, you didn't specify your additional networks in the IPsec parameters? In this case, change Allow to NAT - you should perform network masking.