Static Mappings and VPN Tunnel

  • Static Mappings and VPN Tunnel

    I have configured on my GB-2000 (GB-OS v6.0.1) a site-to-site VPN tunnel to a (large) customer site. This site-to-site tunnel configuration consists of multiple subnets (non-contiguous IP ranges). The basic firewall configuration is a 192.168.x.x/24 protected subnet with normal outgoing connections NAT'd to the firewall's external IP address. Connections from my company desktops work well and use the site-to-site tunnel as expected.

    Select internal servers that provide services available from the public Internet have a static mapping (and alias) for additional IP addresses assigned to us in a separate IP space from the external IP (a /30 subnet), i.e., web, email, and PPTP servers. If I try to make a connection to our customer's site from one of these servers, the connection attempts to route through the public Internet instead of the site-to-site tunnel.

    I think I understand why this is happening. This is because the server's external IP address does not match the IP of the site-to-site tunnel source. So it appears that this is the designed/expected operation. I do not want to request from our customer that we set up separate site-to-site tunnels for each of these additional IP addresses.

    Is there a way to make these servers NAT to the firewall's external IP address and use the site-to-site tunnel for these customer subnets?

  • #2
    Hi,

    It sounds like you are using NAT for the VPN. And the static mappings in place break the NAT'ed VPN because they are not NAT'ed to the correct address. Is that correct?

    I think you need v6.1.0.

    Pass Through (No NAT)
    - Remove NAT based on destination address

    http://forum.gta.com/showthread.php?t=1367

    This change allows you to NAT based on destination address as well as source address, interface exit and services. You could then apply a static address mapping that uses the remote VPN subnet.


    • #3
      Originally posted by Dwight:
      Hi,

      It sounds like you are using NAT for the VPN. And the static mappings in place break the NAT'ed VPN because they are not NAT'ed to the correct address. Is that correct?

      Yes, in the site-to-site tunnel configuration I have the Gateway set to the EXTERNAL interface. Then in the local section I have NAT checked.

      Originally posted by Dwight:
      I think you need v6.1.0.

      Pass Through (No NAT)
      - Remove NAT based on destination address

      http://forum.gta.com/showthread.php?t=1367

      This change allows you to NAT based on destination address as well as source address, interface exit and services. You could then apply a static address mapping that uses the remote VPN subnet.

      That sounds like it would work. The description on that link was a little too terse for me to derive the actual function. However, with 6.1 still being beta it is not currently an option for me.

      This weekend I was looking at the Static Mapping configurations. In all my defined static mappings I have set (left at default) the Service to ANY_SERVICE. I was going to experiment with that. In one case, the server's main function is to provide Microsoft PPTP VPN connections to workers at home. I was thinking about defining a Service Group as PPTP (TCP port 1723) and the GRE protocol and then setting the Static Mapping for that server to use this new Service Group. This was in the hope that only the PPTP traffic would use the alias IP address and that any other network traffic would use the default configuration and NAT to the firewall's external IP, thus allowing any other outbound connection from this server to use the site-to-site tunnel. Does this sound like it would work, or have I misinterpreted these configuration settings?



      • #4
        Originally posted by Jost:
        This weekend I was looking at the Static Mapping configurations. In all my defined static mappings I have set (left at default) the Service to ANY_SERVICE. I was going to experiment with that. In one case, the server's main function is to provide Microsoft PPTP VPN connections to workers at home. I was thinking about defining a Service Group as PPTP (TCP port 1723) and the GRE protocol and then setting the Static Mapping for that server to use this new Service Group. This was in the hope that only the PPTP traffic would use the alias IP address and that any other network traffic would use the default configuration and NAT to the firewall's external IP, thus allowing any other outbound connection from this server to use the site-to-site tunnel. Does this sound like it would work, or have I misinterpreted these configuration settings?

        Never tried with PPTP/GRE, but it seems like it should work. You may want to map GRE and PPTP (TCP 1723). Also, remember that with static maps the order is important.


        • #5
          After hours last night I changed the Static Mapping from ANY_SERVICE to PPTP, GRE, and a defined service group named PPTP_GRE, in that order. The latter Service Group consisted of the predefined PPTP and GRE services. As I changed to each setting I ran a Wireshark capture filtering on the PPTP server's external IP address. In all cases the PPTP connection worked and I did not notice a significant difference in the captures. I did not have the time to do a packet-by-packet inspection of the different connection scenarios (if that was even possible). I also did not try removing or disabling the Static Mapping for this PPTP server (may do this tonight).

          I left it at this last PPTP_GRE combination service setting. I then went to internal testing from the PPTP server itself. In my case I used nslookup and set the server to the internal DNS server at my customer's site. This connection did use the site-to-site tunnel as I had wanted. I also did some ping and traceroute tests that also used the site-to-site tunnels. So this configuration appears to work as I had desired.

          I couldn't stop wondering why my PPTP connection tests worked in all instances no matter what my Static Mapping service was set to. This brings up some questions. First, does the GB-2000 create a stateful outbound mapping to the external IP address that the PPTP client is connecting to? Example: the external IP address for the firewall is 24.x.y.110 and the PPTP server is 24.x.z.155 (the 3rd octet differs and they are not part of a contiguous IP space). The client (from somewhere on the Internet external to the firewall) connects to the 24.x.z.155 IP and all traffic I see is to/from that IP. I had kind of expected to see the requests from the client to 24.x.z.155 and replies from the server on 24.x.y.110 (or that I would have missed the replies because of the capture filter), which I thought would have caused problems with the connection. If the replies are automatically mapped to the inbound request, then my second question is: are the Static Mapping definitions needed?
          Last edited by Jost; 2012-08-28, 15:05.


          • #6
            Originally posted by Jost:
            I couldn't stop wondering why my PPTP connection tests worked in all instances no matter what my Static Mapping service was set to. This brings up some questions. First, does the GB-2000 create a stateful outbound mapping to the external IP address that the PPTP client is connecting to? Example: the external IP address for the firewall is 24.x.y.110 and the PPTP server is 24.x.z.155 (the 3rd octet differs and they are not part of a contiguous IP space). The client (from somewhere on the Internet external to the firewall) connects to the 24.x.z.155 IP and all traffic I see is to/from that IP. I had kind of expected to see the requests from the client to 24.x.z.155 and replies from the server on 24.x.y.110 (or that I would have missed the replies because of the capture filter), which I thought would have caused problems with the connection. If the replies are automatically mapped to the inbound request, then my second question is: are the Static Mapping definitions needed?

            On a normal tunnel from External to an Internal host the response packets are automatically mapped back to the External IP connected to. So for TCP 1723 it makes sense that the client hits the alias and responses are NAT'ed to the alias. I assume in your case the GRE protocol (tunnel) is dynamically opened and the same logic is applied to NAT these connections. I assumed maybe the PPTP server initiated the GRE connection. However, it seems the client initiates all connections.

            The only time you really need a mapping is for, say, a mail server that sends (initiates) connections outbound.


            • #7
              Thanks for your explanations, Dwight. My configuration is mostly migrated from our original Gnatbox configuration I set up in the late 90's. This static mapping was first configured back when initially setting up that firewall. I am not sure if this Static Mapping was actually required in that old version or not. It may have just been my lack of understanding of the firewall functions that led to this configuration in the first place. I know a lot of things changed when we upgraded from the software firewall to the GB-2000.

              Originally posted by Dwight:
              <snip> I assumed maybe the PPTP server initiated the GRE connection. However, it seems the client initiates all connections.

              I was under this same assumption. I was also under the impression that the GRE protocol was just used for authentication, so that it would have only been used while initiating the VPN connection. Looking back through my Wireshark captures, in all cases the first GRE packet was a PPP LCP (Link Control Protocol) from the client to the server. It further appears that all the PPTP VPN traffic is in GRE PPP Compressed Datagrams, with very few packets that are non-GRE until the PPTP termination.

              Originally posted by Dwight:
              <snip> Also, remember that with static maps the order is important.

              Going back to this statement you made earlier, I reset my Static Mapping back to ANY_SERVICE for this PPTP server (the original configuration). I tend to like the assigned Static Mapping for any outbound-initiated connections from the servers. It helps to segregate server traffic from desktop client traffic when looking at logs. Since the only traffic I need from this server to use the site-to-site tunnels is DNS queries, I put a new Static Mapping in for this server to the firewall's external IP for DNS service requests (inserted above the ANY_SERVICE Static Mapping for this PPTP server). This accomplished what I was trying to do.

              As it turns out, the solution was much simpler and more straightforward than I was making it out to be. Thanks again for your help.
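The two NAT behaviours the thread settles on, in #6 (replies to a client-initiated connection to the alias are mapped back statefully, so no static mapping is needed for inbound PPTP/GRE) and #7 (static mappings are matched top to bottom, so a DNS-only mapping to the firewall's external IP placed above the ANY_SERVICE mapping sends just DNS over the tunnel), modelled as an added Python example. This is not GB-OS code or anything posted in the thread; the packet/rule model, the internal and customer addresses, the "tunnel only carries traffic whose NAT'd source is the tunnel gateway" routing rule, and the conntrack table layout are all assumptions made for illustration. The redacted 24.x.y.110 / 24.x.z.155 addresses are kept as strings from the thread.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Redacted addresses as given in the thread; everything else below is constructed.
FIREWALL_EXT = "24.x.y.110"      # firewall external IP, also the site-to-site tunnel gateway
PPTP_ALIAS = "24.x.z.155"        # alias address from the separate /30, mapped to the PPTP server
PPTP_SERVER = "192.168.1.20"     # constructed: internal address of the PPTP server
CUSTOMER_DNS = "10.50.0.53"      # constructed: customer's internal DNS server behind the tunnel
INTERNET_HOST = "203.0.113.25"   # constructed: an arbitrary Internet host
CUSTOMER_SUBNETS = [ipaddress.ip_network(n) for n in ("10.50.0.0/16", "172.20.8.0/24")]

Service = Tuple[str, int]        # (protocol, destination port); port 0 for GRE


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "gre"
    sport: int = 0
    dport: int = 0


@dataclass
class StaticMapping:
    """Outbound mapping: traffic initiated by `internal` leaves with source `external`.
    service=None plays the role of ANY_SERVICE."""
    internal: str
    external: str
    service: Optional[Set[Service]] = None

    def matches(self, pkt: Packet) -> bool:
        return pkt.src == self.internal and (
            self.service is None or (pkt.proto, pkt.dport) in self.service)


@dataclass
class Firewall:
    inbound_aliases: Dict[str, str] = field(default_factory=dict)       # alias -> internal host
    static_mappings: List[StaticMapping] = field(default_factory=list)  # evaluated top to bottom
    conntrack: Dict[tuple, str] = field(default_factory=dict)           # reply 5-tuple -> alias

    def inbound(self, pkt: Packet) -> Packet:
        """Translate an Internet-originated packet to the internal host and remember the
        reverse mapping so the host's replies leave with the address the client used."""
        internal = self.inbound_aliases.get(pkt.dst)
        if internal is None:
            return pkt
        self.conntrack[(pkt.proto, internal, pkt.src, pkt.dport, pkt.sport)] = pkt.dst
        return Packet(pkt.src, internal, pkt.proto, pkt.sport, pkt.dport)

    def outbound(self, pkt: Packet) -> Tuple[Packet, str]:
        """Return the translated packet and the path it takes ('tunnel' or 'internet')."""
        reply_to = self.conntrack.get((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if reply_to is not None:
            new_src = reply_to              # stateful reply: static mappings are not consulted
        else:
            new_src = FIREWALL_EXT          # default outbound NAT to the firewall's external IP
            for m in self.static_mappings:  # first matching static mapping wins
                if m.matches(pkt):
                    new_src = m.external
                    break
        nat = Packet(new_src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        return nat, self.route(nat)

    @staticmethod
    def route(pkt: Packet) -> str:
        # Assumption modelling the thread's observation: the NAT'd site-to-site tunnel only
        # carries traffic whose translated source is the tunnel gateway address.
        dst = ipaddress.ip_address(pkt.dst)
        in_customer = any(dst in net for net in CUSTOMER_SUBNETS)
        return "tunnel" if in_customer and pkt.src == FIREWALL_EXT else "internet"


def build_firewall(dns_mapping_first: bool) -> Firewall:
    """Mapping order from #7: DNS-only map to the external IP above the ANY_SERVICE map."""
    fw = Firewall(inbound_aliases={PPTP_ALIAS: PPTP_SERVER})
    dns_map = StaticMapping(PPTP_SERVER, FIREWALL_EXT, {("udp", 53), ("tcp", 53)})
    any_map = StaticMapping(PPTP_SERVER, PPTP_ALIAS)    # ANY_SERVICE -> alias
    fw.static_mappings = [dns_map, any_map] if dns_mapping_first else [any_map, dns_map]
    return fw


def pptp_session(fw: Firewall, client: str = "198.51.100.7") -> Tuple[str, str]:
    """Client-initiated TCP 1723 then GRE (constructed client address); returns the
    source addresses the server's replies carry after NAT."""
    ctl = fw.inbound(Packet(client, PPTP_ALIAS, "tcp", sport=49152, dport=1723))
    ctl_reply, _ = fw.outbound(Packet(ctl.dst, client, "tcp", sport=1723, dport=49152))
    gre = fw.inbound(Packet(client, PPTP_ALIAS, "gre"))
    gre_reply, _ = fw.outbound(Packet(gre.dst, client, "gre"))
    return ctl_reply.src, gre_reply.src


def server_dns_query(fw: Firewall) -> Tuple[str, str]:
    nat, path = fw.outbound(Packet(PPTP_SERVER, CUSTOMER_DNS, "udp", sport=53001, dport=53))
    return nat.src, path


def server_https_out(fw: Firewall) -> Tuple[str, str]:
    nat, path = fw.outbound(Packet(PPTP_SERVER, INTERNET_HOST, "tcp", sport=53002, dport=443))
    return nat.src, path


if __name__ == "__main__":
    for order in (True, False):
        fw = build_firewall(dns_mapping_first=order)
        print("DNS map first:", order, "| PPTP replies:", pptp_session(fw),
              "| DNS query:", server_dns_query(fw), "| HTTPS out:", server_https_out(fw))
```

Running it shows the PPTP replies leaving from the alias regardless of mapping order (the conntrack entry, not a static mapping, decides), while the server's own DNS query only reaches the tunnel when the DNS-specific mapping sits above the ANY_SERVICE one; swap the order and the catch-all mapping claims the packet first and it goes out the alias to the Internet, which is the symptom described in the opening post.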
