Networking Forums

NAT and firewall question

 
 
OneSolution
      04-27-2004, 08:47 PM
I have setup my network so that there is a firewall with NAT enabled. Web
and IMAP are forwarded by the firewall to a server. The firewall has a
public IP address and a DNS entry from the outside world, so when people
connect to that outside IP or public name, from the outside world, their
requests get routed properly to the web server, or the IMAP server.

The people within the office have laptops. If I configure their laptop IMAP
or pop3 clients to use the internal private IP address, then when they go
home, they can't use those configured accounts as the IP is private, but it
works great within the office. If I configure the laptops with the public
IP and/or DNS entry, then they can check mail and stuff from home, but not
from within the office.

How do I set it up so that I can have their laptops configured to work
within the network, and from outside the network without having to create
multiple mail accounts on their laptops?

Thanks a lot,
- Z -


 
Paco Jones
      04-27-2004, 09:11 PM
OneSolution wrote:

> I have setup my network so that there is a firewall with NAT enabled. Web
> and IMAP are forwarded by the firewall to a server. The firewall has a
> public IP address and a DNS entry from the outside world, so when people
> connect to that outside IP or public name, from the outside world, their
> requests get routed properly to the web server, or the IMAP server.
>
> The people within the office have laptops. If I configure their laptop IMAP
> or pop3 clients to use the internal private IP address, then when they go
> home, they can't use those configured accounts as the IP is private, but it
> works great within the office. If I configure the laptops with the public
> IP and/or DNS entry, then they can check mail and stuff from home, but not
> from within the office.
>
> How do I set it up so that I can have their laptops configured to work
> within the network, and from outside the network without having to create
> multiple mail accounts on their laptops?
>
> Thanks a lot,
> - Z -
>
>

The problem sounds more like a DHCP issue (rather than firewall or NAT).
If you configure the laptop with a DHCP address, then configure the mail
client with the outside address of the firewall, it would work fine from
home or work. The question is, do they have a DHCP server at home?
Probably, as the ISP will do that, and if they are sharing the connection
at home, they either know how to change it or have a router-type box doing
this for them.

The setup on the firewall wouldn't have to change, it's how the laptop
gets online both on the road and at the office that needs to be solved.

BTW - configuring a laptop with a public IP (world routable and world
hackable) may not be the best solution, as that will introduce a gigantic
security risk/hole in the environment - but that's just my 2$.
 
Jeff Breitner
      04-28-2004, 01:41 AM
OneSolution wrote:
> I have setup my network so that there is a firewall with NAT enabled. Web
> and IMAP are forwarded by the firewall to a server. The firewall has a
> public IP address and a DNS entry from the outside world, so when people
> connect to that outside IP or public name, from the outside world, their
> requests get routed properly to the web server, or the IMAP server.
>
> The people within the office have laptops. If I configure their laptop IMAP
> or pop3 clients to use the internal private IP address, then when they go
> home, they can't use those configured accounts as the IP is private, but it
> works great within the office. If I configure the laptops with the public
> IP and/or DNS entry, then they can check mail and stuff from home, but not
> from within the office.
>
> How do I set it up so that I can have their laptops configured to work
> within the network, and from outside the network without having to create
> multiple mail accounts on their laptops?
>
> Thanks a lot,
> - Z -
>
>




Ewwww, multiple mail accounts. That sounds like a messy kludge.

The problem appears to be that your firewall won't allow something coming
from the inside network to hit the outside-world interface and come back
in. And when you think about it, it's probably a good idea that sort of
thing isn't enabled by default. If your firewall does support that,
it'll probably require a specific ruleset to get that working.

If your firewall doesn't support it, or you simply don't feel like
opening that can of worms, there's still another way to approach the
problem. By running an internal DNS, you can have your local network
clients get the internal network address for "mail.yourdomain.com" and
the outside world will get the outside address (assuming you have a DNS
doing that now). You'll have to make sure that your mail clients have
the hostname set to your mail server instead of IP address, and if you
statically number your network, this becomes less attractive unless
you're able to run DHCP.





--

WWJD? JWRTFM
Rot13 for email address: yvfgf @ ehqa.pbz
 
ya
      04-28-2004, 02:39 AM
I think that his problem sounds more like a DNAT and SNAT issue (rather than
DHCP).
This type of trouble usually occurs on a firewall that uses both DNAT and
SNAT on only one box.

The clue for solving the problem is why you can't connect to the mail
server through the public IP from within your office.
It's because connecting to the mail server at the office doesn't go through
the firewall, and so the packets going to the mail server from a laptop
aren't changed to the public IP by the DNAT firewall.

For example, suppose that the IP of the firewall is 211.1.1.1, the subnet
is 192.168.1.0/24, the DNAT table forwards 211.1.1.1:110 to 192.168.1.2:110,
the IPs of the laptop and mail server are 192.168.1.20 and 192.168.1.2, and
the device eth0 (211.1.1.1) is connected to the ADSL line and the device
eth1 (192.168.1.1) is connected to the subnet LAN.

If a laptop within the office tries to connect to the mail server as
192.168.1.2, since the packets go to the server directly and not through
the firewall, the connection between 192.168.1.20 and .2 happens.
But if a laptop within the office tries to connect to the mail server as
211.1.1.1, the packet from the laptop goes to the firewall (gateway), the
firewall changes the destination address to 192.168.1.2 in the PREROUTING
table, and then the routing table in the Linux box indicates that it shall
go via dev eth1. Now, it makes trouble. The laptop sent a packet to
211.1.1.1 but received the reply from 192.168.1.2, so the connection
between the two is not able to exist.

Now, you can solve this problem easily. The idea for solving the problem is
that you will make the firewall change the IP even when it goes via eth1.

Maybe you have had an iptables ruleset as below.
iptables -t nat -A PREROUTING -d 211.1.1.1 -i eth0 -p tcp --dport 110 -j DNAT --to 192.168.1.2:110
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to 211.1.1.1

Now, you should add some rules to the nat table of iptables.
iptables -t nat -A PREROUTING -d 211.1.1.1 -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.1.2:110
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to 211.1.1.1

Then, connecting to the server from a laptop within your office can exist,
as all the connecting IPs look like the public IP and then all the packets
will go via the firewall.
My office firewall has had such a ruleset and is working out perfectly.

ps. My English is poor. If you can't understand a sentence or word,
please inform me of it. Maybe it makes my English better. (My ICQ: 200030453)
 
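To see concretely why the eth1 DNAT rule alone is not enough and why the matching eth1 SNAT fixes it, here is an added Python model of the PREROUTING/POSTROUTING processing described in the post above (my own illustration, not code from the thread). It uses the post's addresses and models the mail server as replying to whatever source address it saw.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Addresses from the post: eth0 faces the ADSL line, eth1 the office LAN.
PUBLIC_IP, MAIL_SERVER, LAPTOP = "211.1.1.1", "192.168.1.2", "192.168.1.20"
LAN = ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str              # interface the packet arrived on

@dataclass(frozen=True)
class Rule:
    chain: str              # "PREROUTING" (-j DNAT) or "POSTROUTING" (-j SNAT)
    iface: str              # -i for PREROUTING, -o for POSTROUTING
    match: str              # -d address for DNAT, -s network for SNAT
    to: str                 # --to address
    dport: Optional[int] = None

# The ruleset the post assumes is already in place (eth0 only).
ORIGINAL_RULES = [Rule("PREROUTING", "eth0", PUBLIC_IP, MAIL_SERVER, 110),
                  Rule("POSTROUTING", "eth0", "192.168.1.0/24", PUBLIC_IP)]
# Only the eth1 DNAT rule added: the server then answers the laptop directly.
DNAT_ONLY_RULES = ORIGINAL_RULES + [Rule("PREROUTING", "eth1", PUBLIC_IP, MAIL_SERVER, 110)]
# Both eth1 rules added, as the post recommends.
HAIRPIN_RULES = DNAT_ONLY_RULES + [Rule("POSTROUTING", "eth1", "192.168.1.0/24", PUBLIC_IP)]

def firewall(pkt: Packet, rules: List[Rule]):
    """PREROUTING (DNAT) -> routing decision -> POSTROUTING (SNAT); first match wins."""
    for r in rules:
        if (r.chain == "PREROUTING" and r.iface == pkt.in_if and pkt.dst == r.match
                and (r.dport is None or r.dport == pkt.dport)):
            pkt = replace(pkt, dst=r.to)
            break
    # Routing table: LAN destinations leave via eth1, everything else via eth0.
    out_if = "eth1" if ip_address(pkt.dst) in LAN else "eth0"
    for r in rules:
        if (r.chain == "POSTROUTING" and r.iface == out_if
                and ip_address(pkt.src) in ip_network(r.match)):
            pkt = replace(pkt, src=r.to)
            break
    return out_if, pkt

def hairpin_connection(rules: List[Rule]):
    """Laptop opens TCP/110 to the public IP from inside the LAN. Returns
    (accepted by the laptop, source address the laptop saw on the reply)."""
    syn = Packet(LAPTOP, PUBLIC_IP, 110, in_if="eth1")
    _, fwd = firewall(syn, rules)
    if fwd.dst != MAIL_SERVER:
        return False, None      # no eth1 DNAT: the firewall itself receives the SYN
    conntrack = {(fwd.src, fwd.dst): (syn.src, syn.dst)}   # translated -> original
    reply_src, reply_dst = fwd.dst, fwd.src                # server answers what it saw
    if ip_address(reply_dst) not in LAN:                   # reply to 211.1.1.1 hits the
        orig_src, orig_dst = conntrack[(reply_dst, reply_src)]   # firewall, which undoes both NATs
        reply_src, reply_dst = orig_dst, orig_src
    # Otherwise the reply is for a LAN address and goes straight to the laptop,
    # bypassing the firewall: it arrives from 192.168.1.2 instead of 211.1.1.1.
    accepted = reply_src == syn.dst and reply_dst == syn.src
    return accepted, reply_src
```

Note the side effect of the eth1 SNAT rule: the mail server's logs will show every office laptop as 211.1.1.1, which matters if you rely on those logs to tell internal clients apart.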
OneSolution
      04-28-2004, 08:07 AM
Ok guys, let me clarify.

First of all, from within my private network, the laptop will request a
domain name, let's call it Foo.Bar.com. Foo.Bar.com has been associated in
the DNS of my provider to point to my firewall, which has the public IP
address. The firewall has been instructed to forward IMAP and HTTP ports to
servers within the private network. So the laptop and the servers are on
the same side of the network.

Now ... the laptop, as I stated, requests Foo.Bar.com, and Foo.Bar.com
points to the firewall, and you would think that regardless of where you ask
for Foo.Bar.com, when the firewall gets the request, it would just forward
the packets onto the appropriate host.

However, when the request for Foo.Bar.com comes from within the private
network, it seems that the NAT doesn't happen and the stupid firewall sits
there not knowing where to send the packets.

When the request comes from outside the private network, then the firewall
NAT rules kick in and the servers get their packets.

So that's the problem - not DHCP at all. How do I get my firewall to
forward packets to the designated servers regardless of where the packets
are coming from?

Fundamentally, I think the reason for the problem is that the NAT rules only
apply to incoming packets, with outgoing packets never having the rules
applied to them. So if there is a way for me to make the outgoing packets
have to go through the NAT rules, then it would be possible for my problem
to disappear.

Clues????

Thanks,

-Z-
 
Jeff Breitner
      04-28-2004, 10:09 PM
OneSolution wrote:

> However, when the request for Foo.Bar.com comes from within the private
> network, it seems that the NAT doesn't happen and the stupid firewall sits
> there not knowing where to send the packets.


As I stated in my previous post, you need to either instruct your
firewall what to do with it, enable this if it's a commercial product, or
use the latter of my work-arounds.


> Fundamentally, I think the reason for the problem is that the NAT rules only
> apply to incoming packets, with outgoing packets never having the rules
> applied to them. So if there is a way for me to make the outgoing packets
> have to go through the NAT rules, then it would be possible for my problem
> to disappear.
>
> Clues????
>
> Thanks,
>


The outgoing packets already go through rules, if only by the nature
that there are no rules that apply to them except to forward them to the
outside world.

Seems to me that you could write an outbound rule to redirect packets to
foo back to the inside interface. Even better would be to implement
that rule on the inside interface and just send them right to the local
mail server address.

--

WWJD? JWRTFM
Rot13 for email address: yvfgf @ ehqa.pbz
 
ya
      04-29-2004, 12:17 AM
I think that you have not understood the NAT rules.

Does your firewall have two NICs? Maybe the firewall has them.

Then, you should know through which NIC the packets are going. This is the
kernel of the problem.

If you read the article below carefully, you can find a solution to
your trouble.


[ya quotes in full his own reply of 04-28-2004, 02:39 AM, above, followed by
OneSolution's post of 04-28-2004, 08:07 AM]
 
DaveG
      05-03-2004, 03:02 AM
OneSolution wrote:
> I have setup my network so that there is a firewall with NAT enabled. Web
> and IMAP are forwarded by the firewall to a server. The firewall has a
> public IP address and a DNS entry from the outside world, so when people
> connect to that outside IP or public name, from the outside world, their
> requests get routed properly to the web server, or the IMAP server.
>
> The people within the office have laptops. If I configure their laptop IMAP
> or pop3 clients to use the internal private IP address, then when they go
> home, they can't use those configured accounts as the IP is private, but it
> works great within the office. If I configure the laptops with the public
> IP and/or DNS entry, then they can check mail and stuff from home, but not
> from within the office.
>
> How do I set it up so that I can have their laptops configured to work
> within the network, and from outside the network without having to create
> multiple mail accounts on their laptops?
>
> Thanks a lot,
> - Z -
>
>


Quick & dirty solution:

Create two server entries for the email client, one with the internal IPs,
the other with the external IPs, both set to retrieve emails. When the user
is onsite the external one times out; when offsite the internal one
times out. They just have to ignore the timeouts.

Other solution: use a VPN, then only internal IPs are required. OpenVPN
works well.

Dave

 