Rule to allow modem to talk to internal network?

[Jon_Starr]

Hi everyone,

This is a re-statement of my previous unanswered post as I think I made it too unclear exactly what I was trying to do. I hope no-one minds me posting again.

Setup:

I have a cisco router acting as a NAT modem and an Untangle box behind it in router mode. This works exactly as expected with no problems.

Please see the network diagram attached for my current setup.


What I'm trying to do:

I now want the Cisco router to be able to talk to the internal network (so it can send logs).


Things I've tried:

1. Added a static route on the Cisco to direct all traffic destined for internal (192.168.158.0/24) to the external interface on Untangle. This allowed the router to talk to all the interfaces in the Untangle box but no further.

2. I've tried a bypass rule for all traffic coming from the Cisco's IP address going to anywhere on all protocols but this had no effect.



I'm not sure where the traffic is going. If the Cisco can talk to an interface in Untangle that's on the same subnet as the internal network why can't it talk to the internal network?

Hopefully the answer is blindingly obvious and someone can educate me

[raditude]

Are you sure you are working in bridged mode? Based on your diagram you have the UT EXT_IF as 192.168.1.x, and the INT_IF as 192.168.158.x, and DMZ_IF as 192.168.2.x, this would be a router configuration, not bridge.

[Jon_Starr]

Hi raditude, thanks for the reply.

I apologise, that was a mistake on my part. Untangle is in router mode.

[raditude]

So do you have port forward rules in place to pass whatever ports to whatever server/system internally? What about your firewall module installed? Set to pass by default or block?

[Jon_Starr]

That's right, I have forwarding rules for the internal services.

The default firewall option is Pass. The only rule enabled is to block any port 21 (FTP) traffic.

[raditude]

Can you post what your port forward rule looks like?

[Jon_Starr]

Sure, the one I tried was:

Code:

If all of the following conditions are met:

Source Address   192.168.1.1
Destination Address:   192.168.158.100

Forward traffic to the following location:

New Destination:   192.168.158.100

I just tried a more sensible variation of:

Code:

If all of the following conditions are met:

Source Address   192.168.1.1

Forward traffic to the following location:

New Destination:   192.168.158.100

But there was no change.

[raditude]

So you want ALL traffic to just go to that 1 internal address? Since ALL of your traffic would come from 192.168.1.1 based on your diagram, IF this rule worked ONLY 192.168.158.100 would get ANY traffic, as that is what your rule is saying.

In your first rule you say from source 192.168.1.1 to destination 192.168.158.100, you can not do that, you could say source 192.168.1.1, destination 192.168.1.2 to new destination 192.168.158.100, but you also need to add which ports you want to forward, and which protocols (tcp, udp, icmp..etc).

[Jon_Starr]

I might have got myself confused with how NAT works, but wouldn't all internet traffic NOT look like it was coming from the router's IP of 192.168.1.1?

I was assuming that only traffic coming from inside the router itself would seem to occur from 192.168.1.1 as there is no NAT involved for that.


Edit:

I want all traffic from the router itself (so internally generated traffic, not web traffic) to go to 192.168.158.100.

As I've set up the static route in the router to send all traffic for 192.168.158.0/24 to Untangle's external interface, is there a simple way to tell Untangle just to route that to Internal?
As those addresses are never going to be requested from the web it would be safe to do that right?

[raditude]

Nope, here you are double NAT'ing, so if you wanted to say forward port 80 from the internet to 192.168.158.100, you would have to set the cisco up to forward from EXT_IF to INT_IF, then you have to setup UT (since it is in router mode) to forward anything coming from the cisco INT_IF (IP Address) to 192.168.158.100, port 80, and I would nail down which protocols as well (tcp).

ALL traffic that is coming from your cisco (from or through), is going to be coming from 192.168.1.1. Unfortunately it is not as easy as you had hoped because of this. You will need to figure out what port the logs will be coming from, and forward just that port (seen some listings that some cisco routers use port udp 514, but you will want to check yours specifically).