Jul 03 2010

I’ve had my main web server directly on the net for some time now. The box runs CentOS and I always keep it fully up to date, with a minimal install that does nothing but act as a web server.

It has always concerned me a little. I keep the box as up to date as I can, but a host sitting directly on the Internet is still always in the back of my mind.

This weekend I had some time to mess around with some stuff. I wanted to get it set up behind my Sophos UTM; however, I did NOT want it to use the public IP address the UTM itself is set up on, as I have numerous static IPs, each dedicated to a different service.

I spent a good 3-4 hours searching Google and Astaro.org. I saw a few people who wanted to do the same thing as me, but didn’t really find an explanation anywhere.

Ultimately I wanted to set up another external IP address on the Sophos UTM software appliance and have that external IP dedicated to JUST the web server. Everything else would continue to run as it was configured before I started modifying anything.

I finally got it going, and I thought I would do a little write-up, since a lot of people seemed curious but no one was having luck with it. So far I’ve only done it for my main web server, but in the future I’ll be doing this with a few more external IPs and servers of mine. So let’s log into the Astaro web interface and get started!

PLEASE NOTE: I performed this configuration on Astaro Security Gateway Version 8; the same steps also work on a Sophos UTM.

  1. Configure the additional IP: Go to “Interfaces & Routing”, then choose “Interfaces”. Select the “Additional Addresses” tab at the top of the screen. Hit the “New additional address…” button and configure the additional IP. Please note this worked for me because all my static IPs use the same gateway; if you have multiple statics that use different gateways this may not work for you. In my case I called this address “DA-Web”. Make sure you enable it afterwards by hitting the green light!
  2. Configure the NAT rules: On the left select “Network Security”, then choose the sub-item “NAT”. We do not want to touch anything under “Masquerading”, so go ahead and select the “DNAT/SNAT” tab. In this section we need to create two rules, one for DNAT and one for SNAT. Keep in mind that “Full NAT” is available, but because inbound connections are initiated by Internet clients and outbound ones by the server, I don’t think we want to touch it at all.
    a. Create the DNAT rule: Hit the “New NAT rule” button. Set “Position” to “Top”. Set “Traffic Source” and “Traffic Service” to “Any”. Set “Traffic Destination” to the additional address you created (keep in mind this shows up with the same name as the main external interface, only with the name of the additional address inside of it). Set “NAT mode” to “DNAT”. Finally, set “Destination” to the server you want this going to, or create a new definition for the server. Make sure “Automatic packet filter rule” is NOT checked. See image below for my setup.
    b. Create the SNAT rule: Hit the “New NAT rule” button. Set “Position” to “Top”. “Traffic Source” should be the definition you created for the server. “Traffic Service” should be “Any”. “Traffic Destination” should be “Internet”. This last setting is very important: if you use multiple subnets inside your network, it makes sure SNAT is performed ONLY when the server’s traffic is shipped out to the Internet, and NOT when it talks to your internal boxes, which would otherwise see the connection coming from the external address. Set “NAT mode” to “SNAT”. Finally, set “Source” to the additional IP you created (again, this looks like your normal external IP, so hold the mouse over the definition when selecting it to make sure it’s the additional address). Make sure “Automatic packet filter rule” is NOT checked. See image below for my setup.
    c. Create packet filter rules: Now it’s time to open some ports so that your server can offer services to the Internet. Because the UTM applies DNAT before the packet filter, the destination in these rules is the server definition, not the additional address. This is fairly standard, so I’m sure you can do it on your own. In my example I created a few rules that allow HTTP, DNS and FTP from “Any” to the destination “DA-Webserver”, which is exactly the traffic I needed and nothing more.

This should be it; it should be working now. If you don’t want to create the packet filter rules and want ALL traffic allowed, you can skip section c above and instead check the “Automatic packet filter rule” box on both the DNAT and SNAT rules when you create them. Keep in mind that this opens every port on the server to the Internet, not just the services you run, so explicit rules for only the services you offer are the safer choice!
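To make the rule logic concrete, here is a small Python model of the three pieces above. It is an added example for this write-up, not something from the original post or from Sophos: it mimics the order in which the UTM evaluates things (DNAT first, then the packet filter against the translated destination, then SNAT on the way out) so you can reason about what the first packet of a connection will do before you put a real server behind it. The addresses, the service list and the names are constructed stand-ins for the post’s “DA-Web” address and “DA-Webserver” definition.

```python
"""Model of the DNAT / packet filter / SNAT rules from the write-up above.

Added example, not code from the post or from Sophos.  It applies the rules in
the order the UTM does (DNAT, filter, SNAT) to show why the filter targets the
server definition and why the SNAT rule is limited to Internet destinations.
All addresses below are constructed stand-ins (documentation prefixes outside,
RFC 1918 inside).  Only the first packet of a connection is modelled.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

ADDITIONAL_IP = ip_address("203.0.113.10")        # "DA-Web", the additional address
WEBSERVER = ip_address("192.168.10.20")           # "DA-Webserver" definition
INTERNAL_NETS = [ip_network("192.168.0.0/16")]    # anything else counts as "Internet"
# Step c: the services exposed by explicit packet filter rules (HTTP, DNS, FTP control)
ALLOWED_SERVICES = {("tcp", 80), ("udp", 53), ("tcp", 53), ("tcp", 21)}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def is_internet(addr: IPv4Address) -> bool:
    """The UTM's 'Internet' definition: not one of our internal networks."""
    return not any(addr in net for net in INTERNAL_NETS)


def dnat(pkt: Packet) -> Packet:
    """Step a: Source Any, Service Any, Destination DA-Web -> DA-Webserver."""
    if pkt.dst == ADDITIONAL_IP:
        return replace(pkt, dst=WEBSERVER)
    return pkt


def packet_filter(pkt: Packet, automatic_rule: bool = False) -> bool:
    """Step c, evaluated after DNAT, so it sees the server as the destination.

    automatic_rule=True models the 'Automatic packet filter rule' checkbox,
    which admits any service to the server.
    """
    if pkt.dst != WEBSERVER:
        return True                  # other traffic is outside this example
    if automatic_rule:
        return True
    return (pkt.proto, pkt.dport) in ALLOWED_SERVICES


def snat(pkt: Packet) -> Packet:
    """Step b: Source DA-Webserver, Destination Internet -> source becomes DA-Web.

    Traffic to internal subnets is deliberately left alone.
    """
    if pkt.src == WEBSERVER and is_internet(pkt.dst):
        return replace(pkt, src=ADDITIONAL_IP)
    return pkt


def process(pkt: Packet, automatic_rule: bool = False) -> Optional[Packet]:
    """Return the packet as it leaves the UTM, or None if the filter drops it."""
    translated = dnat(pkt)
    if not packet_filter(translated, automatic_rule):
        return None
    return snat(translated)


if __name__ == "__main__":
    client = ip_address("198.51.100.7")
    cases = [
        Packet(client, ADDITIONAL_IP, "tcp", 80),                   # web client
        Packet(client, ADDITIONAL_IP, "tcp", 22),                   # SSH probe, dropped
        Packet(WEBSERVER, ip_address("198.51.100.53"), "udp", 53),  # server -> Internet
        Packet(WEBSERVER, ip_address("192.168.1.50"), "tcp", 445),  # server -> internal
    ]
    for case in cases:
        print(case, "->", process(case))
```

Run it as-is to see the four cases: the HTTP request is translated to the server, the SSH probe is dropped unless the automatic rule is on, the server’s outbound DNS lookup leaves with the DA-Web source address, and its connection to an internal host keeps its real address.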

If you find this useful, have any questions, or want to comment or tell me how to do it better, please leave me a comment!

Thanks!

Jul 01 2010

Here are a few oldies I found while going through the millions of pictures I’ve taken over the years…

Apr 11 2010

Some time ago, I needed to configure a SIP trunk between a Trixbox/FreePBX (Asterisk on Linux) PBX and a Cisco Call Manager PBX. It was pretty hard to find any relevant information on the Internet, but eventually I figured out how to do it. Originally this article was written for Trixbox; the same configuration applies to FreePBX, with minor differences in the steps due to UI differences.

Please note that the following configuration reflects a Trixbox/FreePBX PBX configured with phones with extensions of 1XX and the Cisco Unified Call Manager configured with extensions of 3XX.

If you are using CUCM only for Cisco IP Phone handset connectivity, you don’t even need CUCM anymore: the commercial “EndPoint Manager” module for FreePBX can handle Cisco IP Phone connectivity to FreePBX (including the Cisco 7961 phones I use).

Trixbox/FreePBX Configuration

Create a SIP trunk (leave settings at their defaults unless otherwise specified below)

Outgoing Settings

Trunk Name: CallManager

Peer Details:

type=friend
qualify=yes
nat=no
insecure=very
host=ip.address.of.CUCM
fromdomain=ip.address.of.CUCM
dtmf=rfc2833
disallow=all
context=from-internal
canreinvite=no
allow=ulaw

Incoming Settings

USER Context: ip.address.of.CUCM

USER Details:

type=friend
qualify=yes
nat=no
insecure=very
host=ip.address.of.CUCM
fromdomain=ip.address.of.CUCM
dtmf=rfc2833
disallow=all
context=from-internal
canreinvite=no
allow=ulaw

A word on what these settings mean for security: insecure=very (written insecure=port,invite on Asterisk 1.6 and later, where the “very” keyword was dropped) tells Asterisk not to challenge INVITEs from this peer, and the CUCM security profile further down has digest authentication disabled, so the trunk is authenticated by nothing more than the source address matching host=. That is a reasonable trade-off for two PBXs on the same trusted LAN, but don’t expose port 5060 on either box to the Internet with this configuration. Note also that context=from-internal gives calls arriving from CUCM the same dialing rights as your own extensions, PSTN trunks on the Trixbox included; that is what lets the 3XX phones reach the outside world through it, but it also means anything able to spoof the CUCM address can do the same.
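If you want to check trunk definitions like the ones above mechanically, the following Python script is an added example for this article; it is not part of Trixbox, FreePBX, Asterisk or the original post. It parses the Peer Details format into sections the way sip.conf is laid out and reports the three things a reviewer would raise on an unauthenticated trunk: the pre-1.6 insecure=very keyword, a peer that skips INVITE authentication without a deny/permit ACL pinning it to its address, and a trunk placed in from-internal. The sample configuration inside it is constructed: the first section mirrors the post’s peer with 192.0.2.10 standing in for ip.address.of.CUCM, and the second is a tightened variant that uses a hypothetical from-cucm context, one you would define yourself in extensions_custom.conf to allow only the dialing you intend.

```python
"""Audit chan_sip peer definitions for the settings that matter on a trunk.

Added example for this article, not code from Trixbox, FreePBX, Asterisk or the
original post.  It parses the [section] / key=value layout of sip.conf (which is
what FreePBX writes from the Peer Details box) and flags the settings discussed
above.  SAMPLE is constructed: 192.0.2.10 stands in for ip.address.of.CUCM and
from-cucm is a hypothetical restricted context you would write yourself.
"""

SAMPLE = """
; constructed sample 1: the trunk as written in the article
[CallManager]
type=friend
qualify=yes
nat=no
insecure=very
host=192.0.2.10
fromdomain=192.0.2.10
dtmf=rfc2833
disallow=all
context=from-internal
canreinvite=no
allow=ulaw

; constructed sample 2: same trunk, tightened
[CallManager-tight]
type=peer
qualify=yes
nat=no
insecure=port,invite
host=192.0.2.10
fromdomain=192.0.2.10
dtmf=rfc2833
disallow=all
allow=ulaw
context=from-cucm          ; hypothetical context allowing only 1XX and 9+PSTN
canreinvite=no
deny=0.0.0.0/0.0.0.0
permit=192.0.2.10/255.255.255.255
"""


def parse_sip_conf(text):
    """Minimal sip.conf reader: [section] headers, key=value lines, ';' comments.

    Keys can repeat (allow=, permit=, deny=), so every value is kept in a list.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections


def audit_peer(peer):
    """Return the findings for one peer section (an empty list means nothing to flag)."""
    findings = []
    insecure = set()
    for value in peer.get("insecure", []):
        insecure.update(opt.strip() for opt in value.split(","))
    skips_invite_auth = bool(insecure & {"very", "invite"})

    if "very" in insecure:
        findings.append("insecure=very is pre-1.6 syntax; Asterisk 1.6+ wants insecure=port,invite")

    # A deny-all followed by permit=<peer ip> is what pins an unauthenticated peer to its address.
    denies_all = any(v.startswith("0.0.0.0/") for v in peer.get("deny", []))
    has_acl = denies_all and bool(peer.get("permit"))
    if skips_invite_auth and not has_acl:
        findings.append("INVITEs are accepted without a challenge and no deny/permit ACL restricts the source address")

    if "from-internal" in peer.get("context", []):
        findings.append("context=from-internal gives the remote PBX full extension dialing rights, PSTN trunks included")
    return findings


def audit(text):
    """Map every section in a sip.conf-style text to its list of findings."""
    return {name: audit_peer(peer) for name, peer in parse_sip_conf(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"[{name}]")
        for finding in findings or ["ok"]:
            print("  -", finding)
```

Point audit() at the text of your own sip_additional.conf to run it against real trunks; the first sample produces three findings and the tightened one produces none.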

Create an Outbound Route to route calls made to 3XX to the Cisco Call Manager

Create outbound route “Cisco”. Check the “Intra Company Route”, and inside of the Dial Patterns type in 3XX. Under Trunk Sequence select “CallManager”.

This pretty much sums up the amount of configuration required on the Trixbox/FreePBX side of things. Now onto the Cisco stuff.

Cisco Unified Call Manager Configuration

Create a SIP Trunk

Device -> Trunk -> Add New

Trunk Type: SIP Trunk

Device Protocol: SIP

Device Name: TrixboxPBX

Call Classification: OnNet

Check the “Media Termination Point Required” checkbox (this is to handle transfers, hold music, etc…)

Check “Remote-Party-Id”

Check “Asserted-Identity”

SIP Information

Destination Address: IP.address.of.trixboxfreepbx

Uncheck “Destination Address is an SRV”

Destination Port: 5060

MTP Preferred Originating Codec: 711ulaw

SIP Trunk Security Profile: Non-Secure SIP Trunk Profile

Change the “Non-Secure SIP Trunk Profile” security profile from TCP to UDP

System -> Security Profile -> SIP Trunk Security Profile

Hit the “Find” button

Select “Non Secure SIP Trunk Profile”

Incoming Transport Type: TCP+UDP

Outgoing Transport Type: UDP

Uncheck “Enable Digest Authentication”

Incoming Port: 5060

Out of the last 6 checkboxes, all should be checked except the First and Last.

Create a Route Pattern to route calls from the Cisco Call Manager to Trixbox

Call Routing -> Route/Hunt -> Route Pattern

Create New

Route Pattern: 1XX

Gateway/Route List: TrixboxPBX

Route Option: Route this pattern

Call Classification: OnNet

Enable Required Services on CUCM

I’m not too sure which ones are actually required, however the below configuration works great. To get to the CUCM services go to the “Cisco Unified Serviceability” section (Top right of web interface).

Enable Services

Tools -> Service Activation

Enable the following:

CM Services

Cisco CallManager

Cisco Tftp

Cisco Messaging Interface

Cisco Unified Mobile Voice Access Service

Cisco IP Voice Media Streaming App

CTI Services

Cisco CallManager Attendant Console Server

Cisco IP Manager Assistant

Cisco WebDialer Web Service

Select “Save”, afterwards select “Set to Default”. Please note that it may take some time to bring the services up.

It’s always a good idea to restart both the Trixbox/FreePBX PBX and the CUCM PBX.

After you have configured the above, configure phones in the 1XX range on the Trixbox and phones in the 3XX range on the CUCM, and they should be able to call each other. Remember that if you have a PSTN line on your Trixbox or FreePBX, you will need to create another route pattern on the CUCM so that 9XXXXXXXXXX is sent over the trunk to the Trixbox, and then the matching outbound route on the Trixbox to send it out to the PSTN.

Feedback is welcome, leave a comment!

Apr 11 2010

As with most geeks, I’m a HUGE fan of custom firmware on embedded routers.

Recently I heard about Linksys releasing their new WRT610n. This sucker has two radios (the first operating at 2.4 GHz, the second at 5 GHz). In the past I have done a lot of work with WDS mesh nets and the like, so I HAD to get my hands on a few of these. I went to the local tech retailer and picked up two of the V2.0s.

Since these are new devices, most of the third-party firmware development is fairly fresh. I don’t know too much about the specifics, but from what I understand these units use the 2.6 kernel, whereas most of the past custom development has been done on 2.4 kernels.

Anyway, I had quite a bit of fun messing around with these and testing firmware, until at one point I accidentally flashed the incorrect firmware and bricked the device.

These newer routers actually have a built-in “recovery mode”, if you want to call it that. If you have a good firmware installed and just accidentally messed something up, you can:

1) Unplug power to device, disconnect all network cables.

2) Plug in Power to device

3) Wait a few seconds (2 seconds), and then press the reset button with a paperclip, I’d hold it for about 3 seconds and release.

4) Plug in computer to device, computer will receive an IP from a DHCP Server. Point browser to http://192.168.1.1

5) Use the “Management Firmware update” site that pops up to install the normal linksys firmware.

The above method helped me out a few times; however, as stated earlier, I eventually overwrote everything and flashed an incorrect image onto the device. (I was freaking out, since the method above would NOT work.)

In the past you could TFTP a firmware image to the router on boot and it would accept it; however, this is no longer the case with the WRT610n. It will accept the firmware file, but it will NOT write it to the flash on the device.

Here is how I recovered it:

Please note: if you do not know what you are doing, or do something wrong, you could fry your device. The router’s serial header is 3.3 V TTL, which DOES NOT match the RS-232 voltages on a computer’s serial port (several volts positive and negative), so never connect the two directly.

You’ll notice there are serial port pins inside the Internet port on the router. This port provides a serial console to the device and its CFE boot loader. Unfortunately I didn’t have the electronics to build a level shifter to hook it up to my PC, so instead I came up with a different solution: I used a WRT54GS to establish a serial console on the WRT610n.

As some of you know, most Linksys device serial ports run at 3.3 V. I have a bunch of WRT54GSs lying around, so I pulled one out and installed DD-WRT. After installing DD-WRT, I used ipkg to install picocom, a serial terminal application. I could then SSH in to the router and use picocom to initiate serial communications (at 3.3 V, of course, so both boards are at the same logic level).

Unfortunately there is no special connector for the serial port inside of the internet port on the WRT610n. This is where I had to get creative…

Linksys WRT610n Serial Port

You’ll notice above that I simply just used a stripped telephone cable, and simply “touched” the RX and TX pins to the contacts on the board. Maybe you can figure out a better solution, I couldn’t!

Here is the other end:

Linksys WRT54GS serial connection

The serial connection requires RX, TX and ground. To establish the ground, I simply plugged a USB cable into the USB port on the WRT610n and had the WRT54GS’s Ethernet housing touch it on the other end (ghetto, I know!).

After troubleshooting the contact points (I kept having trouble with the wires staying on the board contacts), I finally got it to work. I SSH’ed into the WRT54GS, opened a picocom session on the serial port, and plugged in the power to the WRT610n; instantly I saw the CFE boot loader initializing and trying to run the firmware. I FINALLY had access to the boot loader on the WRT610n.

Now for the annoying part. It has been a while since I did this, so the following may be flawed:

After confirming your serial connection is working, restart the device and tap Ctrl+C repeatedly to get to the CFE prompt. Issue the “flash -ctheader : flash1.trx” command (without the quotation marks), and then initiate a TFTP upload to the router from your desktop computer. The device should accept the image and boot it. In my experience, after doing this and restarting, the router would go back to being bricked after the first reboot. So after performing the above flash, go to the web interface and use “Firmware Upgrade” to re-flash the image. After completing this, all should be good!

Again, please note that I’m not sure if I used that command in the CFE. Other users have reported that it works. If not, google is your friend and you should be able to figure it out. The hard portion is getting serial access! Please feel free to post the commands you used in the comments so I can update this article.
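Since this whole episode started with flashing the wrong image, it is worth sanity-checking a .trx before handing it to CFE or the web upgrader. The Python below is an added example, not from the original post or from Linksys: it parses the TRX header that CFE-based Broadcom routers expect in a firmware image, as documented by the OpenWrt project (the magic HDR0, a little-endian length and CRC32, a flags/version word and up to three partition offsets), and verifies the magic, the length against the file size, and the CRC. It searches for the magic rather than assuming offset 0 because Linksys .bin downloads typically wrap the TRX in a vendor header. It catches a truncated or corrupted download; it cannot tell you the image is meant for your model, which is the mistake described above, so still check the file name and model code yourself. The build_trx helper only exists to construct a sample image for the checker and is not a tool for producing real firmware.

```python
"""Sanity-check a Broadcom TRX firmware image before flashing it.

Added example, not code from the original post, Linksys or CFE.  TRX layout
as documented by OpenWrt for CFE-based Broadcom routers:

    offset 0   "HDR0"                          magic
    offset 4   uint32 LE  length               whole image incl. header
    offset 8   uint32 LE  crc32                over bytes 12 .. length-1
    offset 12  uint16 LE  flags, uint16 LE version
    offset 16  uint32 LE  offsets[3]           partition starts (0 = unused)

The CRC is the standard CRC-32 polynomial with initial value 0xFFFFFFFF and
no final inversion, i.e. zlib's value XORed with 0xFFFFFFFF.
"""
import struct
import zlib

TRX_MAGIC = b"HDR0"
TRX_CRC_START = 12      # CRC covers from the flags/version word onwards
TRX_HEADER_LEN = 28     # version-1 header (version 2 adds a fourth offset)


def trx_crc32(data: bytes) -> int:
    """CRC-32 the way the TRX tools and CFE compute it (no final XOR)."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def check_trx(blob: bytes) -> dict:
    """Locate and verify the TRX image inside `blob`.

    Returns {'ok': True, offset, length, version, partitions} on success or
    {'ok': False, 'reason': ...} on failure; never raises on malformed input.
    """
    off = blob.find(TRX_MAGIC)          # Linksys .bin files prepend a vendor header
    if off < 0:
        return {"ok": False, "reason": "no TRX magic found"}
    if len(blob) - off < TRX_HEADER_LEN:
        return {"ok": False, "reason": "truncated TRX header"}
    _, length, crc, flag_version, *offsets = struct.unpack_from("<4sIIIIII", blob, off)
    if length < TRX_HEADER_LEN or off + length > len(blob):
        return {"ok": False, "reason": f"length field {length} does not fit in the file"}
    actual = trx_crc32(blob[off + TRX_CRC_START: off + length])
    if actual != crc:
        return {"ok": False,
                "reason": f"CRC mismatch: header {crc:#010x}, computed {actual:#010x}"}
    return {"ok": True, "offset": off, "length": length,
            "version": flag_version >> 16, "partitions": [o for o in offsets if o]}


def build_trx(payload: bytes, vendor_header: bytes = b"") -> bytes:
    """Wrap `payload` in a minimal, valid version-1 TRX header.

    Only here to construct sample input for check_trx; it is not a tool for
    producing real firmware.
    """
    length = TRX_HEADER_LEN + len(payload)
    flag_version = 1 << 16                           # flags = 0, version = 1
    tail = struct.pack("<IIII", flag_version, TRX_HEADER_LEN, 0, 0) + payload
    return vendor_header + TRX_MAGIC + struct.pack("<II", length, trx_crc32(tail)) + tail


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_trx(fh.read()))
```

Run it with the image file as an argument; a result with "ok": False and a CRC or length reason means the download is damaged and should not go anywhere near the flash command.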