The complete GNATBox config text file is attached.
Our PSN is to have IP Pass Through (No NAT). Therefore, our class C needs to be split between the EXT and PSN. We decided a 50/50 split was best. The interfaces are configured accordingly:
Name Type IP Address Netmask NIC
EXT.SREL.edu EXTERNAL 63.xxx.yyy.126 255.255.255.128 xl0
SREL.edu PROTECTED 172.aaa.ccc.254 255.255.254.0 xl1
PSN.SREL.edu PSN 63.xxx.yyy.254 255.255.255.128 xl2
I tried to read up on setting up an IP Pass Through. Nothing gave a good HOWTO, so I winged it.
The big problem is I cannot access the GNATBox from the PSN. The GNATBox simply will not transmit packets in or out. I did all the obvious stuff like check for a link on the hub, reboot the GNATBox, recheck the PSN servers' IP settings (address, gateway, routing, ARP). I know I'm missing something obvious and I'm hoping someone will be nice enough to point it out.
At present, the IP Pass Through configuration is...
Hosts/Networks:
Index Object or Address Range Interface Options
1 PSN_SubNet ANY inbound
Filters:
1 DEFAULT: Allow outbound pass through.
Accept ANY ALL from "PSN_SubNet" to "ANY_IP"
2 CUSTOM: Allow inbound pass through.
Accept ANY ALL log from "ANY_IP" to "PSN_SubNet"
However, I also tried...
Hosts/Networks:
Index Object or Address Range Interface Options
1 ANY_IP PSN.SREL.edu inbound
Filters:
1 DEFAULT: Allow outbound pass through.
Accept ANY ALL from "ANY_IP" to "ANY_IP"
2 CUSTOM: Allow inbound pass through.
Accept ANY ALL from "ANY_IP" to "ANY_IP"
As I said earlier, I checked for obvious problems and noticed the following in the active ARP table...
63.xxx.yyy.148 00:40:33:ac:22:ea 00:19:36 ethernet
63.xxx.yyy.149 00:40:33:ac:22:f1 00:19:06 ethernet
These addresses are on the PSN. I suspect that I have configured the IP Pass Through wrong. Or maybe there is another filter type required to access the PSN other than the default outbound filters.
OUTBOUND FILTER:
DEFAULT PSN: Allow PSN network to access anywhere.
Accept "PSN.SREL.edu" ALL from "ANY_IP" to "ANY_IP"
Other relevant information...
OBJECTS:
EXT_SubNet - SREL CLASS C subnet defined as EXT
Index Beginning Ending
1 63.xxx.yyy.0 63.xxx.yyy.127
PRO_SubNet - PRIVATE subnet defined as PRO
Index Beginning Ending
1 172.aaa.bbb.0 172.aaa.ccc.255
PSN_SubNet - SREL CLASS C subnet defined as PSN
Index Beginning Ending
1 63.xxx.yyy.128 63.xxx.yyy.255
Jason S. Antonacci
Computer Support Specialist IV
Univ. of Georgia - Savannah River Ecology Lab
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Office: 803.725.5894
Mobile: 706.373.8863
Fax: 503.218.7129
Email: anton_at_srel_dot_edu
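A sanity check for the split-class-C layout described in the post, added here as an illustration and not part of the original message or the GNAT Box software: it derives each interface's subnet from its address and netmask, confirms the EXT_SubNet/PRO_SubNet/PSN_SubNet object ranges match those subnets, reports which interface the default gateway and the ARP-table hosts fall on, and flags overlapping interface subnets. The masked prefixes from the post are replaced by constructed placeholders (192.0.2.0/24 for 63.xxx.yyy.0/24, 172.16.0.0/23 for 172.aaa.bbb.0-172.aaa.ccc.255).

```python
import ipaddress

# Constructed placeholders standing in for the post's masked prefixes:
# 192.0.2.0/24 replaces 63.xxx.yyy.0/24 and 172.16.0.0/23 replaces
# 172.aaa.bbb.0 - 172.aaa.ccc.255. Masks are the ones in the post.
INTERFACES = {
    "EXT": ("192.0.2.126", "255.255.255.128"),
    "PRO": ("172.16.0.254", "255.255.254.0"),
    "PSN": ("192.0.2.254", "255.255.255.128"),
}
# Address objects as begin/end ranges, like EXT_SubNet / PRO_SubNet / PSN_SubNet.
OBJECTS = {
    "EXT": ("192.0.2.0", "192.0.2.127"),
    "PRO": ("172.16.0.0", "172.16.1.255"),
    "PSN": ("192.0.2.128", "192.0.2.255"),
}
DEFAULT_GATEWAY = "192.0.2.1"          # placeholder for 63.xxx.yyy.1
ARP_HOSTS = ["192.0.2.148", "192.0.2.149"]  # placeholders for the ARP entries


def subnet_of(ip, mask):
    """Network implied by an interface's address and dotted netmask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def object_matches_interface(name):
    """True when the object's begin/end range is exactly the interface subnet."""
    net = subnet_of(*INTERFACES[name])
    first, last = (ipaddress.ip_address(a) for a in OBJECTS[name])
    return first == net.network_address and last == net.broadcast_address


def interface_for(ip):
    """Name of the logical interface whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (iip, mask) in INTERFACES.items():
        if addr in subnet_of(iip, mask):
            return name
    return None


def overlapping_interfaces():
    """Pairs of interfaces whose subnets overlap; an empty list is healthy."""
    nets = {n: subnet_of(*INTERFACES[n]) for n in INTERFACES}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    for name in INTERFACES:
        print(name, subnet_of(*INTERFACES[name]), object_matches_interface(name))
    print("gateway is on", interface_for(DEFAULT_GATEWAY))
    for host in ARP_HOSTS:
        print(host, "is on", interface_for(host))
    print("overlaps:", overlapping_interfaces())
```

With the post's masks the two halves of the class C do not overlap and both ARP hosts land on PSN, so the address objects themselves are consistent; what remains to check is the pass-through host/network entry and filter pair on the box.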
Attachment:
GTA_CFG.rtf
Description: MS-Word document
GNAT Box Software Configuration Summary
--------------------------------------------------------------------------------
GNAT Box Pro Version: 3.0.1 Wed Mar 15 08:27:35 2000
--------------------------------------------------------------------------------
BASIC CONFIGURATION
DNS
External name server: 198.6.1.65
Internal name server: 172.aaa.bbb.16
Domain: some.net
FEATURES
NETWORK INFORMATION
LOGICAL INTERFACES
Name Type IP Address Netmask NIC
------------------- --------- --------------- --------------- -----
EXT.Some.net EXTERNAL 63.xxx.yyy.126 255.255.255.128 xl0
Some.net PROTECTED 172.aaa.ccc.254 255.255.254.0 xl1
PSN.Some.net PSN 63.xxx.yyy.254 255.255.255.128 xl2
NETWORK INTERFACE CARDS
NIC MAC Address MTU State Options
----- ----------------- ----- ----- -------
xl0 00:50:04:9c:6a:ef 1500 up AUTO
xl1 00:50:04:9c:56:52 1500 up AUTO
xl2 00:50:04:9c:47:0f 1500 up AUTO
PPP 1500 down MANUAL
Default route (gateway): 63.xxx.yyy.1
Hostname: GNAT-Box
PREFERENCES
CONTACT INFORMATION
Name: Jason S. Antonacci
Company: University of Georgia - Savannah River Ecology Lab
Email Address: root_at_some_dot_net
Phone number: 803.725.5894
Serial number: 11002453
Support email: gb-config_at_gta_dot_com
KEYBOARD LAYOUT
United States ISO-8859-1
SCREEN SAVER
Timeout: 600 seconds
REMOTE LOGGING
Logging System Messages to Server: 172.aaa.bbb.98.
Filter facility: local1
NAT facility: local0
WWW facility: local2
Open priority: notice
Close priority: notice
WWW priority: notice
AUTHORIZATION
ADMINISTRATION ACCOUNTS
Index User Permissions
----- --------------- -------------------------
1 gnatbox admin console www remote
2 root admin www remote
EMAIL PROXY
Enabled: yes
Primary server: sparky.some.net
Alternate server: ecolab.some.net
Time out: 180 seconds
Maximum connections: 180
Domain: some.net
Use MX: yes
Verify RDNS: no
Maximum size: 16384 kilobytes
MAPS 1: disabled rbl.maps.vix.com
MAPS 2: disabled dul.maps.vix.com
MAPS 3: disabled relays.orbs.org
MAPS 4: disabled relays.radparker.com
REMOTE ADMINISTRATION
WWW Server: enabled
Updates: enabled
Port: 8083
RMC Server: enabled
Updates: enabled
Port: 7780
URL BLOCKING
disabled
MOBILE CODE BLOCKING
JAVA blocking: disabled
JAVA script blocking: disabled
ActiveX blocking: disabled
ROUTING
RIP
disabled
STATIC ROUTES
Index IP Address Netmask Gateway
----- --------------- --------------- ---------------
OBJECTS
ADDRESSES
1 ANY_IP - DEFAULT: Matches all IP addresses.
Index Beginning Ending
----- --------------- ---------------
1 0.0.0.0 255.255.255.255
2 EXT_SubNet - SREL CLASS C subnet defined as EXT
Index Beginning Ending
----- --------------- ---------------
1 63.xxx.yyy.0 63.xxx.yyy.127
3 PRO_SubNet - PRIVATE subnet defined as PRO
Index Beginning Ending
----- --------------- ---------------
1 172.aaa.bbb.0 172.aaa.ccc.255
4 PSN_SubNet - SREL CLASS C subnet defined as PSN
Index Beginning Ending
----- --------------- ---------------
1 63.xxx.yyy.128 63.xxx.yyy.255
5 Restricted_HTTP - These PRO_Subnet hosts can NOT bypass the proxy and access the internet.
Index Beginning Ending
----- --------------- ---------------
1 172.aaa.bbb.232
2 172.aaa.bbb.181
6 UnRestricted_H323 - These PSN_Subnet hosts can be reached by Telnet, FTP and H.323 (NetMeeting).
Index Beginning Ending
----- --------------- ---------------
1 63.xxx.yyy.129
7 UnRestricted_HTTP - These PRO_Subnet hosts can bypass the proxy and access the internet.
Index Beginning Ending
----- --------------- ---------------
1 172.aaa.bbb.98
2 172.aaa.bbb.71
FILTERS
OUTBOUND
1 #CUSTOM: Deny Restricted HTTP (Add IP to Squid src_passwd file).
Deny "Some.net" TCP log
from "Restricted_HTTP"
to "ANY_IP" 80 8080
2 #CRITICAL - CUSTOM: Allow this UnRestricted_HTTP to access anywhere.
Accept "Some.net" ALL log
from "UnRestricted_HTTP"
to "ANY_IP"
3 #CRITICAL - CUSTOM: Allow PRO network to access HTTP during peaktime.
Accept "Some.net" TCP log timeBased
from "ANY_IP"
to "ANY_IP" 8080 80 timeGroup peaktime
4 #CRITICAL - CUSTOM: Deny PRO network to access HTTP.
Deny "Some.net" TCP log
from "ANY_IP"
to "ANY_IP" 8080 80
5 #DEFAULT TRADITIONAL URL PROXY: allow access to DNS.
DISABLED - Accept "Some.net" UDP
from "ANY_IP"
to "ANY_IP" 53
6 #DEFAULT NO TRADITIONAL URL PROXY: Allow protected network access to anywhere.
Accept "Some.net" ALL
from "ANY_IP"
to "ANY_IP"
7 #DEFAULT PSN: Allow PSN network to access anywhere.
Accept "PSN.Some.net" ALL
from "ANY_IP"
to "ANY_IP"
REMOTE ACCESS
1 #CUSTOM: Allow any PSN destined packets through.
Accept "PSN.Some.net" ALL log
from "ANY_IP"
to "ANY_IP"
2 #DEFAULT: Allow all networks to connect to GNAT Box inbound tunnel.
Accept ANY TCP
from "ANY_IP"
to 63.xxx.yyy.2/255.255.255.255 21
3 #DEFAULT: Allow all networks to connect to GNAT Box inbound tunnel.
Accept ANY TCP
from "ANY_IP"
to 63.xxx.yyy.2/255.255.255.255 1677
4 #DEFAULT: Allow all networks to connect to GNAT Box inbound tunnel.
Accept ANY TCP
from "ANY_IP"
to 63.xxx.yyy.2/255.255.255.255 515
5 #DEFAULT: Allow all networks to connect to GNAT Box inbound tunnel.
Accept ANY TCP
from "ANY_IP"
to 63.xxx.yyy.2/255.255.255.255 6000
6 #DEFAULT: Allow all networks to connect to GNAT Box inbound tunnel.
Accept ANY TCP
from "ANY_IP"
to 63.xxx.yyy.11/255.255.255.255 21
7 #DEFAULT: Allow all networks to connect to GNAT Box inbound tunnel.
Accept ANY TCP
from "ANY_IP"
to 63.xxx.yyy.11/255.255.255.255 23
8 #DEFAULT: Allow all networks to connect to GNAT Box inbound tunnel.
Accept ANY TCP
from "ANY_IP"
to 63.xxx.yyy.2/255.255.255.255 80
9 #DEFAULT: Allow all networks to connect to GNAT Box inbound tunnel.
Accept ANY TCP
from "ANY_IP"
to 63.xxx.yyy.2/255.255.255.255 1755
10 #DEFAULT: Allow all networks to connect to GNAT Box inbound tunnel.
Accept ANY TCP
from "ANY_IP"
to 63.xxx.yyy.97/255.255.255.255 21
11 #DEFAULT: Allow all networks to connect to GNAT Box inbound tunnel.
Accept ANY TCP
from "ANY_IP"
to 63.xxx.yyy.3/255.255.255.255 515
12 #DEFAULT: Allow protected network access to WWW remote admin server.
Accept "Some.net" TCP
from 172.aaa.bbb.0/255.255.254.0
to 172.aaa.ccc.254/255.255.255.255 8083
13 #DEFAULT: Allow protected network access to RMC remote admin server.
Accept "Some.net" TCP
from 172.aaa.bbb.0/255.255.254.0
to 172.aaa.ccc.254/255.255.255.255 7780
14 #DEFAULT TRADITIONAL URL PROXY: Allow connections to URL proxy.
DISABLED - Accept "Some.net" TCP
from "ANY_IP"
to 0.0.0.0/0.0.0.0 2784
15 #DEFAULT EMAIL PROXY: Allow connections to email proxy.
Accept "EXT.Some.net" TCP
from "ANY_IP"
to "ANY_IP" 25
16 #DEFAULT: Block/nolog discard bootp, netbios, snmp, and rwho.
Deny ANY UDP nolog
from "ANY_IP"
to "ANY_IP" 9 67 68 137 138 161 513
17 #DEFAULT NO RIP: Block/nolog rip.
Deny ANY UDP nolog
from "ANY_IP"
to "ANY_IP" 520
18 #DEFAULT RIP: Accept UDP rip.
DISABLED - Accept ANY UDP
from "ANY_IP"
to "ANY_IP" 520
19 #DEFAULT RIP: Accept IGMP multicast for router addresses.
DISABLED - Accept ANY 2
from "ANY_IP"
to 224.0.0.0/255.255.255.0
20 #DEFAULT RIP: Accept router solicititations and advertisements
DISABLED - Accept ANY ICMP
from "ANY_IP"
to 224.0.0.0/255.255.255.0 9 10
21 #DEFAULT STEALTH: Block with alarm any other access to external interface.
DISABLED - Deny "EXT.Some.net" ALL alarm
from "ANY_IP"
to "ANY_IP"
22 #DEFAULT: Accept/nolog authentication (ident).
Accept ANY TCP nolog
from "ANY_IP"
to "ANY_IP" 113
23 #DEFAULT: Allow pings and ICMP traceroutes to GNAT Box.
Accept ANY ICMP
from "ANY_IP" 8
to "ANY_IP" 8
24 #DEFAULT: Allow UDP traceroutes to GNAT Box.
Deny ANY UDP nolog genICMP
from "ANY_IP"
to "ANY_IP" 32767:65535
25 #DEFAULT: Block/nolog stale WWW accesses.
Deny ANY TCP nolog
from "ANY_IP" 80
to "ANY_IP" 1024:65535
26 #DEFAULT: Block with alarm any other access to all interfaces.
Deny ANY ALL alarm
from "ANY_IP"
to "ANY_IP"
TIME GROUPS
1 peaktime
Peak hours of use during normal work week.
0:00-0:00 7:00-18:00 7:00-18:00 7:00-18:00 7:00-18:00 7:00-18:00 0:00-0:00
PROTOCOLS
Index Name Number
----- ---------- ------
1 IGMP 2
PREFERENCES
DEFAULT LOGGING
Log ALL packets rejected.
ALARMS
Send email for alarms when 10 seen within 120 seconds.
Send a maximum of 500 alarms per email.
Do not attempt to log host names using reverse DNS.
GENERAL
Stealth mode: disabled
Doorknob twists generate: logMessage
Address spoofs generate: logMessage
EMAIL SERVER
Server name: linux20.some.net
From: GNATBox
To: root
SNMP TRAPS
disabled
PAGER
disabled
IP PASS THROUGH
HOSTS/NETWORKS
Index Object or Address Range Interface Options
----- -------------------------------- ------------------ ---------
1 ANY_IP PSN.Some.net inbound
FILTERS
1 #DEFAULT: Allow outbound pass through.
Accept ANY ALL
from "ANY_IP"
to "ANY_IP"
2 #CUSTOM: Allow inbound pass through.
Accept ANY ALL
from "ANY_IP"
to "ANY_IP"
NAT
ALIASES
Index Interface IP Address Netmask
----- ------------------- --------------- ---------------
1 EXT.Some.net 63.xxx.yyy.97 255.255.255.255
2 EXT.Some.net 63.xxx.yyy.98 255.255.255.255
3 EXT.Some.net 63.xxx.yyy.2 255.255.255.255
4 EXT.Some.net 63.xxx.yyy.3 255.255.255.255
5 EXT.Some.net 63.xxx.yyy.11 255.255.255.255
INBOUND TUNNELS
Index Protocol From IP Address Port To IP Address Port Options
----- -------- --------------- ----- --------------- ----- -----------
1 TCP 63.xxx.yyy.2 21 172.aaa.bbb.10 21
2 TCP 63.xxx.yyy.2 1677 172.aaa.bbb.10 1677
3 TCP 63.xxx.yyy.2 515 172.aaa.bbb.44 515
4 TCP 63.xxx.yyy.2 6000 172.aaa.bbb.47 6000
5 TCP 63.xxx.yyy.11 21 172.aaa.bbb.11 21
6 TCP 63.xxx.yyy.11 23 172.aaa.bbb.11 23
7 TCP 63.xxx.yyy.2 80 172.aaa.bbb.12 80
8 TCP 63.xxx.yyy.2 1755 172.aaa.bbb.17 1755
9 TCP 63.xxx.yyy.97 21 172.aaa.bbb.97 21
10 TCP 63.xxx.yyy.3 515 172.aaa.bbb.69 515
STATIC ADDRESS MAPPINGS
Index From - Object or Address Range To IP Address
----- -------------------------------- ---------------
1 PRO_SubNet 63.xxx.yyy.2
TIMEOUTS
ICMP: 15 seconds
TCP wait for ACK: 30 seconds
TCP: 600 seconds
TCP keep alive enabled: yes
UDP: 600 seconds
Wait after close: 20 seconds
--------------------------------------------------------------------------------
Copyright (c) 1996-1999 Global Technology Associates, Inc.