Hi. I have a problem with NATing a private network. My NAT box has
two (well, three) interfaces up: bge0, bge1002 and bge2002.

bge0 has the routable IP NATip, bge1002 has 192.168.1.1 and bge2002 has
192.168.2.1 (netmasks are 255.255.255.0).

I have been trying to set up NAT between 192.x.x.x and the rest of the world. I
started with a rule like this (to check that everything works):

map bge2002 192.168.1.0/24 -> 192.168.3.0/24

Everything worked fine. A packet came from 192.168.1.0/24, got translated, went
to a machine in 192.168.2.0/24 and came back through the translation to the
originating IP.

Then I tried something like this:

map bge0 192.168.1.0/24 -> NATip/32 portmap tcp/udp auto

or map bge0 192.168.1.0/24 -> NATip/32 portmap auto

In this case everything worked fine too; I was able to establish connections
beyond the unroutable IPs (from machines in 192.168.1.0/24), make DNS lookups
(the DNS server is in 194) and so on.
But with rule like this:

map bge0 192.168.1.0/24 -> 194.29.145.252/32 portmap auto

(or 194.29.145.254, which works between the two private networks, 192...)

packets are translated by ipnat and sent to the machine I was trying to ping or
ssh, but nothing comes back. The only reaction from the peer is an ARP lookup for
194.29.145.252 or .254.

Here is the rest of the stuff:
grinch#  uname -a
SunOS grinch 5.9 Generic_117171-15 sun4u sparc SUNW,Sun-Fire-V210

grinch#  isainfo -vk
64-bit sparcv9 kernel modules



grinch#  ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 4
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet NATip netmask ffffff00 broadcast 194.29.145.255
        ether 0:3:ba:9f:84:71
bge1002: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 6
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 0:3:ba:9f:84:73
bge2002: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 7
        inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255
        ether 0:3:ba:9f:84:73

grinch# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.1          U         1     14  bge1002
192.168.2.0          192.168.2.1          U         1      6  bge2002
194.29.145.0         NATip         U         1    713  bge0
default              194.29.145.1         UG        1   1118
127.0.0.1            127.0.0.1            UH        2      2  lo0



grinch# netstat -i
Name  Mtu  Net/Dest      Address        Ipkts  Ierrs Opkts  Oerrs Collis Queue
lo0   8232 loopback      localhost      6      0     6      0     0      0
bge0  1500 grinch        grinch         100375 0     14688  0     0      0
bge1002 1500 grinch1002    grinch1002     7703   0     752    0     0      0
bge2002 1500 grinch2002    grinch2002     2200   0     421    0     0      0

grinch#  netstat -s -P ip

IPv4    ipForwarding        =     2     ipDefaultTTL        =   255
        ipInReceives        = 11870     ipInHdrErrors       =     0
        ipInAddrErrors      =     0     ipInCksumErrs       =     0
        ipForwDatagrams     =  8372     ipForwProhibits     =    41
        ipInUnknownProtos   =     0     ipInDiscards        =     0
        ipInDelivers        =  2073     ipOutRequests       =  3234
        ipOutDiscards       =     0     ipOutNoRoutes       =     0
        ipReasmTimeout      =    60     ipReasmReqds        =     0
        ipReasmOKs          =     0     ipReasmFails        =     0
        ipReasmDuplicates   =     0     ipReasmPartDups     =     0
        ipFragOKs           =     0     ipFragFails         =     0
        ipFragCreates       =     0     ipRoutingDiscards   =     0
        tcpInErrs           =     0     udpNoPorts          =  1272
        udpInCksumErrs      =     0     udpInOverflows      =     0
        rawipInOverflows    =     0     ipsecInSucceeded    =     0
        ipsecInFailed       =     0     ipInIPv6            =     0
        ipOutIPv6           =     0     ipOutSwitchIPv6     =     5

grinch#  ipf -V
ipf: IP Filter: v4.1.3 (592)
Kernel: IP Filter: v4.1.3
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x187
grinch#  ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 10144 passed 11870 nomatch 4164 counted 0 short 0
output packets:         blocked 0 passed 11608 nomatch 2513 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 1177       lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  5158    (out):  3271
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  52      failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      158982
Packet log flags set: (0)
        none

// to be sure everything from me is passed out

grinch#  ipfstat -io
pass out quick on bge0 all keep state
block in on bge0 all
grinch#  ipnat -slv
mapped  in      82      out     7478
added   942     expired 0
no memory       0       bad nat 1384
inuse   7
rules   3
wilds   0
table ffffffff7ffffbd8 list 3000250a1a8
List of active MAP/Redirect filters:
map bge0 192.168.1.0/24 -> 194.29.145.252/32
map bge0 192.168.2.0/24 -> 194.29.145.252/32
map bge2002 192.168.1.0/24 -> 194.29.145.254/32
List of active sessions:
MAP 192.168.1.2     33043 <- -> 194.29.145.252  1559  [DNSServer 53]
        age 159907 use 0 sumd 0x1773/0x1773 pr 17 bkt 1141/120 flags 2
        ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
MAP 192.168.1.2     33042 <- -> 194.29.145.252  1558  [DNSServer 53]
        age 159896 use 0 sumd 0x1773/0x1773 pr 17 bkt 1399/378 flags 2
        ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
MAP 192.168.1.2     33041 <- -> 194.29.145.252  1557  [DNSServer 53]
        age 159706 use 0 sumd 0x1773/0x1773 pr 17 bkt 1139/118 flags 2
        ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
MAP 192.168.1.2     33040 <- -> 194.29.145.252  1556  [DNSServer 53]
        age 159696 use 0 sumd 0x1773/0x1773 pr 17 bkt 1397/376 flags 2
        ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
MAP 192.168.1.3     32829 <- -> 194.29.145.252  1849  [RPCServer 111]
        age 159580 use 0 sumd 0x196a/0x196a pr 17 bkt 1005/487 flags 2
        ifp bge0,bge0 bytes 0/232 pkts 0/2 ipsumd 926e
MAP 192.168.1.2     33039 <- -> 194.29.145.252  1555  [RPCServer 111]
        age 159414 use 0 sumd 0x1773/0x1773 pr 17 bkt 1214/193 flags 2
        ifp bge0,bge0 bytes 0/232 pkts 0/2 ipsumd 926f
MAP 192.168.2.3     32819 <- -> 194.29.145.252  1839  [RPCServer 111]
        age 159199 use 0 sumd 0x186a/0x186a pr 17 bkt 1251/477 flags 2
        ifp bge0,bge0 bytes 0/232 pkts 0/2 ipsumd 916e
List of active host mappings:
192.168.1.2,DNSServer -> 194.29.145.252 (use = 2 hv = 890)
192.168.1.2,DNSServer -> 194.29.145.252 (use = 2 hv = 894)
192.168.1.2,RPCServer-> 194.29.145.252 (use = 1 hv = 926)
192.168.1.3,RPCServer-> 194.29.145.252 (use = 1 hv = 928)
192.168.2.3,RPCServer-> 194.29.145.252 (use = 1 hv = 1440)

========
Regards
Bartosz Baranowski         mailto: [EMAIL PROTECTED]
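As an added diagnostic (not part of the post above), this Python reads the `ipnat -l` session listing and the `inet` lines of the `ifconfig -a` output quoted in the post and flags the two things a practitioner would check first: sessions whose counters show packets going out but none coming back, and translated addresses that none of the box's interfaces actually hold, which is where the peer's unanswered ARP lookup points. It assumes ipnat prints the `pkts` counters as in/out; the sample text is excerpted from the post, with `NATip` kept as the poster's redaction.

```python
import re

# Excerpts of the ipnat -l and ifconfig -a output quoted in the post above
# (NATip is the poster's redaction of the bge0 address and is kept as-is).
IPNAT_SESSIONS = """\
MAP 192.168.1.2     33043 <- -> 194.29.145.252  1559  [DNSServer 53]
        age 159907 use 0 sumd 0x1773/0x1773 pr 17 bkt 1141/120 flags 2
        ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
MAP 192.168.1.3     32829 <- -> 194.29.145.252  1849  [RPCServer 111]
        age 159580 use 0 sumd 0x196a/0x196a pr 17 bkt 1005/487 flags 2
        ifp bge0,bge0 bytes 0/232 pkts 0/2 ipsumd 926e
"""
IFCONFIG = """\
        inet 127.0.0.1 netmask ff000000
        inet NATip netmask ffffff00 broadcast 194.29.145.255
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255
"""

MAP_RE = re.compile(r"^MAP\s+(\S+)\s+\d+\s+<- ->\s+(\S+)\s+\d+\s+\[(\S+)\s+\d+\]")
PKTS_RE = re.compile(r"pkts (\d+)/(\d+)")

def parse_sessions(text):
    """One dict per MAP entry: private source, translated address, peer, packet counts."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            cur = {"src": m.group(1), "nat": m.group(2), "peer": m.group(3)}
            sessions.append(cur)
            continue
        p = PKTS_RE.search(line)
        if p and cur is not None:
            # ipnat prints pkts as in/out (assumption: first counter = inbound replies)
            cur["pkts_in"], cur["pkts_out"] = int(p.group(1)), int(p.group(2))
    return sessions

def local_addresses(ifconfig_text):
    """Addresses this box actually holds, taken from the 'inet' lines."""
    return set(re.findall(r"^\s+inet (\S+)", ifconfig_text, re.M))

def one_way_sessions(sessions):
    """Sessions that sent packets but never saw a reply: the symptom in the post."""
    return [s for s in sessions if s["pkts_out"] > 0 and s["pkts_in"] == 0]

def unowned_nat_addresses(sessions, ifconfig_text):
    """Translated addresses no local interface holds. Replies sent to such an
    address reach this box only if something here answers ARP for it."""
    return sorted({s["nat"] for s in sessions} - local_addresses(ifconfig_text))
```

Run against the full `ipnat -slv` output, every session in the post is one-way and the only translated address, 194.29.145.252, is not configured on any interface; that is the gap between the working `NATip/32` rule and the failing one to investigate.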