Koozali.org: home of the SME Server
  1. Koozali.org: home of the SME Server
  2. Legacy Forums
  3. General Discussion (Legacy)
  4. Topic: Operation mode/single nic - behind router/firewall?
« previous next »
Pages: [1]   Go Down

Operation mode/single nic - behind router/firewall?

  • 6 Replies
  • 485 Views

Patrick

Operation mode/single nic - behind router/firewall?
« on: December 11, 2001, 11:15:07 PM »
Hey everyone,

I have setup SME V5; however, at this point I'd like to review my setup and make some changes if advised.

I have a T1 circuit connected to a Cisco 1720 router (which currently has firewalling and VPN built in and setup).  My SME server is setup in "server and gateway" mode with two NICS, the external NIC to the router and the internal NIC to a 24 port switch.

Router IP's:
External is 216.178.65.xxx
Internal is 192.168.0.25

SME IP's:
External is 192.168.0.50
Internal is 192.168.0.23

I am publishing services to the Internet, ie. WebMail via IMP and web sites.  ALSO I am using the SME server as a proxy/gateway for internal clients.  BUT, since I have the router/firewall I doubt there is a reason to have my SME server setup with 2 NICS and in "server and gateway" mode.  In order to proxy/gateway I assume I will need to setup in "Private server and gateway" mode?  I am also wondering if I can setup this server with a single NIC?

Ideas? Suggestions?  Thanks.

Patrick
Logged

Craig

Re: Operation mode/single nic - behind router/firewall?
« Reply #1 on: December 12, 2001, 04:32:59 AM »
Patrick

I personally would leave it in its current configuration. Cisco 1720 routers will do VPN if you have the module installed and as far as firewalling goes it's not like a true firewall eg: CISCO PIX Firewall offers true firewall, DMZ, statefull packet filtering functions.

If you have no real reason to change it I wouldn't. Besides there is no harm in running your E-Smith server in 'Server/Gateway' mode as this will also increase your security from hacks from the outside world.

Make sure your router has the 'Anti Nimda' config patch applied to it.

Regards
Craig
Logged

Patrick

Re: Operation mode/single nic - behind router/firewall?
« Reply #2 on: December 13, 2001, 11:53:26 PM »
Craig,

Thanks for your response.  I have a couple of follow up questions.

1.  Our Cisco 1720's do have the hardware encryption VPN module, and my remote offices are setup in similar fashion.  The router-to-router VPN is setup and works fine; HOWEVER, when I have the SME server setup in 'Server and gateway' mode and the router is connected to the external NIC - the VPN access doesn't work.  I assume there is some security setting which is blocking the remote office IP's from the 172.24.89.x network from coming across.  Any ideas?  When I take the router and plug it into my switch (removing the SME server) the VPN traffic flows fine.

2.  I wasn't aware that the Cisco routers were in danger from the Nimda worm?  I thought Nimda only could infect M$FT IIS servers?  Or are you saying make sure the router is "ignoring" the Nimda attacks?

Regards,
Patrick
Logged

Craig

Re: Operation mode/single nic - behind router/firewall?
« Reply #3 on: December 14, 2001, 01:55:39 PM »
Point 1

When in server/gateway mode E-Smith blocks all inbound traffic. You can install port forwarding from your VPN connections to your internal network by installing the port forwarding rpm. You can find it and the instructions here http://myezserver.com/docs/mitel/ipportfw-howto.html . All you will need to know is what port you are coming in on and open the port up to be forwarded to your internal network.

If this is not suitable then you could change your E-Smith server to standalone. But remember that your system is then wide open ie: if you don't run a really good firewall you could easily be hacked.

Once you have a VPN connection to your router you then have full access to whatever you have on your internal network. But E-Smith is blocking it. IF I wanted to get access to say a Metaframe server behind the e-smith box I could make my VPN connection to my router then load up my Citrix Client to talk to the outside NIC then the ipchains port forward rules kick in, I may have an entry that sends all requests from port 1409 through to an internal address of 192.168.1.1. Port 1409 is what Citrix Metaframe client uses to connect to a server and my Citrix server for example is 192.168.1.1

I hope this makes sense but you really must always stick to the side of security first. If you are satisfied that your 1720 is firewalled and protected with enough rules blocking every kind of sync, xmas, ports scans etc that are around then run the server in stand alone mode.

Point 2

Yes, basically you can get your 1720 to ignore the Nimda signature and blocks its attempts to penetrate your network and screw your IIS servers.

If you need anymore advice please let me know.

Regards
Craig Farrier
Logged

Patrick

Re: Operation mode/single nic - behind router/firewall?
« Reply #4 on: December 14, 2001, 10:08:06 PM »
Craig,

Thanks for giving a detailed explanation of how this will work and what I need to do.  Since I'm still a bit "green" in the Linux environment would you be able to provide me with instructions (in addition to the ones at myezserver) to allow the following:

I have two router-to-router VPN connections from remote locations:

Location A - 172.24.89.x
Location B - 172.24.90.x

These locations connect to the 1720 router here in my main office on port (yet to be determined, but for example 4000) 4000.  I'm not a router expert, so I don't know if both VPN connections "share" the same port?  If not let's say they connect on 4000 and 4001.

What will I need to setup in port forwarding to allow those two VPN networks to access my internal LAN, which is 192.168.0.x ?  Is there a way to setup the port forwarding rules so that ALL traffic to/from any of my 192.168.0x IP's gets through?

Sorry for the follow-up, but I'm still learning Linux and I want to make sure I do not mess up my security by doing this.

Regards,
Patrick
Logged

Patrick

wait, this is (Re: Operation mode/single nic - behind router
« Reply #5 on: December 14, 2001, 11:09:21 PM »
Craig,

Wait, this is probably not a port issue, this is simply an IP issue.  I simply need the firewall to allow ALL network traffic from the 172.24.89.x and 172.24.90.x networks to flow through into my internal 192.168.0.x LAN.  Isn't that the case here?

The Cisco routers establish the VPN across whatever ports they determine, but once that's done I just need to allow ALL traffic on those networks regardless of port.

Please correct me if I'm wrong, and if you would be so kind provide me with the most secure (but easy) way of setting up my SME firewall to allow this.  Thanks.

Regards,
Patrick
Logged

Craig

Re: wait, this is (Re: Operation mode/single nic - behind ro
« Reply #6 on: December 17, 2001, 06:02:41 AM »
Patrick

Yes you are correct. Port forwarding is not exactly what you require for your situation. I am not a full bottle on how E-Smith  allows different subnet addresses to pass through to your internal network.

But, have a look at this post and see if this helps point you in the right direction. http://forums.contribs.org/index.php?topic=12259.msg46044#msg46044
http://forums.contribs.org/index.php?topic=12259.msg46044#msg46044

Basically you want to setup your E-Smith IPCHAINS rules to allow everything from subnet 1.1.1.1 and everything from 2.2.2.2 to pass through your E-Smith server to your internal network. I think the URL's above will shed some light on the subject for you.

I will endevour to spend some time looking into this further for you as I am sure I will have to do this at some stage myself.

If you find anything in the meantime please let me know.

Regards
Craig
Logged
Pages: [1]   Go Up
« previous next »
  1. Koozali.org: home of the SME Server
  2. Legacy Forums
  3. General Discussion (Legacy)
  4. Topic: Operation mode/single nic - behind router/firewall?