NAT to ISA on DMZ

Post by brenddi » Thu, 01 Feb 2007 10:32:20



Hi all, these last couple of weeks we have been designing the migration to
Exchange server from a highly customized qmail installation (not my
decision...). I'm in charge of making sure that whatever setup we install complies
with our current firewall setup. This is an IPCop firewall with RED-
ORANGE-BLUE-GREEN zones. Exchange 2003 failed miserably when trying to
set a front end on the DMZ without making the firewall swiss cheese.
Exchange 2007 seems a little better but it needs an ISA server for the
front end. We have part of the setup done with ISA inside the DMZ and
another subnet inside the DMZ for the "untrusted" interface of the
ISA. As for port forwarding, email traffic coming from the internet
will get directed to the router in the DMZ, then to the ISA, then
back to the firewall and finally to the Exchange backend (what a hack,
thanks MS). The problem is that the Exchange backend REQUIRES that its
gateway is the ISA. This is where iptables comes into play. I can't
specify the ISA server as gateway but I can forward email traffic from
the firewall to the ISA on the DMZ and it will send it back to the
client on the internet.

REQUEST NEEDED:

  [ASCII diagram garbled in extraction. Nodes shown: internet, [DSL router] on 192.168.99, [FW], [ISA] on 10.0.0, DMZ segment 192.168.99, LAN, [Exchange]. Arrows: internet -> DSL router -> ISA -> FW -> LAN -> Exchange]

RESPONSE NEEDED:

  [Same nodes; arrows reversed: Exchange -> LAN -> FW -> ISA -> DSL router -> internet]

INSTEAD OF:

  [Same nodes; arrows: Exchange -> LAN -> FW -> DSL router -> internet, bypassing the ISA]

I'm following some examples for forwarding traffic between proxies but
haven't made progress.
Can anyone help me create the needed rules for this?

I may have an issue on the DMZ as both the DSL router and ISA have the
same gateway but haven't got the chance to test it.

Is this even possible?

Thanks


NAT to ISA on DMZ

Post by brenddi » Thu, 01 Feb 2007 10:59:07


In case the diagram broke

http://img254.imageshack.us/img254/7797/iptablesproblemxa1.jpg


1. IP HELP PLEASE: Source Routing, Multiple Internet Connections, NAT, Firewalls, and NO DMZ

Dear Linux Network Gurus,

Consider the following network:
http://mywebpages.comcast.net/mgeorge3/network_layout.jpg

Summary
=======

The linux box has (3) interfaces,

eth0 can get to the Internet via a pure IP connection and to Internal
Network A via a router.
eth1 is a private network and not routed.
eth2 can get to the Internet via a NAT/Firewall and is directly connected to
Internal Network B.

The linux box does NOT have to route for the network, but has to do source
routing because the Firewall runs NAT and translates addresses, thus
anything that comes in from the Internet, needs to go out via the same
interface/path it came in on.  The main purpose of this server is to accept
incoming SSH connections from all interfaces and host a SQUID proxy server.

Source routing works fine using the following "ip" commands:

# Setup Source Routing for ISP#1
ip rule add from 159.138.101.44 lookup 1
ip route add 0/0 via 159.138.101.3 table 1
# Setup Source IP Routing for ISP#2
ip rule add from 148.9.200.210 lookup 2
ip route add 0/0 via 148.9.200.4 table 2

However, I cannot seem to construct rules/routes that get traffic initiated
from the server to the respective networks.

For example, if I add this: "ip route add 158.138.52.0 via 159.138.101.3
table 1"

I would expect any traffic destined for 159.138.52.0 to be forwarded to the
router interface 159.138.101.3, however both traceroute and ping fail. Even
if I put in a static route using "route add -net 159.138.52.0 netmask
255.255.255.0 gw 159.138.101.3", I still can't get packets to leave the
server.

To make it even more complex, the 148.9.200.210 is tricky since the
Inbound/Outbound interface are the same.  This interface doesn't have a DMZ
and there are hosts sitting on the subnet.

I have been racking my brain on this for 2 days and reading everything I can
find on IP, but there isn't an example for my situation. I am sick of
driving out to the console of this server every time I hose up the routing
tables. I have found many fine examples, but they do not address my
particular situation. This may just be something that the "ip route/rule"
command can't handle, but I doubt it.

Fine Examples:
http://www.linuxgrill.com
http://www.samag.com

As always, I appreciate the insight and help from this newsgroup.
I don't think I'll figure this solution out on my own anytime soon.

-Michael George

2. windows manager in 15 or 16bpp mode

3. OpenBSD PF/NAT with also a DMZ

4. Gnome 2.0 Beta 1 won't start/hang on login

5. What happens when Linux server is behind firewall but in "DMZ" area, w/NAT?

6. Compiling Kernel

7. ISA sound YAMAHA and ISA 3COm Etherlink III ISA are CONFLICTING

8. Kensington Thinking mouse and Mandrake???

9. To ISA or not to ISA?

10. Nat to Nat?

11. NAT-T (NAT Traversal) support for Linux