Connecting two WAN links provided by same ISP on PEPLINK 380

Hi Friends,
We got a Peplink 380 load balancer and we have two leased lines provided as Active-Active from the same ISP as one block of subnet, x.x.x.x/27, split into two blocks of IPs, x.x.x.x/28 and x.x.x.x/28. Before placing the Peplink in drop-in mode all seemed to work as one block behind a Cisco ASA firewall, but after placing the Peplink 380 in drop-in mode only one block of IPs is working for inbound traffic. Inbound traffic couldn't reach the servers on the other block. I have configured the Peplink in drop-in mode and I have used a public IP from the first block as the Peplink's LAN/WAN1 IP address, and the firewall configuration hasn't been changed at all. How can I make sure the inbound traffic reaches the servers placed on the second block of the IP subnet as before? Do I have to connect WAN3 to the second block of the IP subnet range? I don't know what to do. The firmware on the Peplink 380 is up to date to the latest version.

I really appreciate your help. I desperately need help here.

regards
Rosy

How many routers does ISP use to provide the service (2x lines connected to 2x routers or 2x lines connected to 1x router)?
What is the subnet mask of your ASA External/WAN interface (x.x.x.x/27 or x.x.x.x/28)? What is the Default Gateway of the ASA (from first range or second range)? Are both subnet ranges configured on your ASA?
I believe sharing your network diagram before and after deploying peplink will help illustrate your case.

Hi Mohammed,
Thanks for the reply. I have attached the network diagram.
Q:How many routers does ISP use to provide the service (2x lines connected to 2x routers or 2x lines connected to 1x router)?
Ans:2x lines connected to 2x routers
Q:What is the subnet mask of your ASA External/WAN interface (x.x.x.x/27 or x.x.x.x/28)?
Ans: 255.255.255.240 (x.x.x.x/28)
Q: What is the Default Gateway of the ASA (from first range or second range)?
Ans: From the first Range.
Q:Are both subnet ranges configured on your ASA?
Before the Peplink, any inbound traffic was freely flowing in based on the ACL configured in the ASA firewall inbound rule. Actually no interface on the ASA has been configured with a second-range IP address, but a line like
"access-list outside_in permit tcp any host x.x.242.241 255.255.255.240 eq 80" works fine.
After placing the Peplink in drop-in mode (with an IP from the first block, x.x.242.229), inbound traffic to any of the second IP range is not working.
What is the best way to configure this so that the inbound traffic works as before?

regards
rosy

One more question: Before installing the Peplink, when a connection request arrives from the Internet destined to an IP address from the second block and hits the firewall, how does the firewall handle it? Are there any NAT rules configured on the firewall to translate IP addresses from the second block to internal server addresses? The Peplink, when configured in drop-in mode, can be made to do one-to-one NAT mapping between IP addresses from the first block and the second block. So assume you have an internal server with IP address 172.16.1.100 (private IP address). This server will have two appearances: an appearance on the first block (say 20.20.20.21), as well as an appearance on the second block (say 20.20.20.41). Your firewall should only be configured to handle the appearance from the first block, whereas the Peplink will take care of mapping the second appearance (from the second block) to the first one. In this example: Firewall inbound destination address NAT rule: 20.20.20.21 to 172.16.1.100. Peplink inbound NAT: 20.20.20.41 to host 20.20.20.21 (which is on the drop-in segment). So the Peplink will translate the IP address from the second block to one from the first block, and then the firewall translates from the first block to the internal server's private address. The firewall should expect all inbound connections coming to first-block addresses only, whereas the Peplink will map 2nd-block to 1st-block addresses.

Thanks a ton Mohamed,
Q: Before installing the Peplink, when a connection request arrives from the Internet destined to an IP address from the second block and hits the firewall, how does the firewall handle it? Are there any NAT rules configured on the firewall to translate IP addresses from the second block to internal server addresses?

Yes, it's NATed on the firewall.

Actually, I can understand what you are saying. But before putting the Peplink in place I had a NAT translation for both IPs from the first block to private IP addresses on the LAN (20.20.20.21 -> 172.16.1.100 and 20.20.20.41 -> 172.16.1.120 [a different internal server]).

So now what should I do to make it work?
I really, really appreciate your help.
Many thanks
Rosy

Hi Rosy,

First, make sure you have defined all the IPs from your second block on the WAN2 setup page under the "Additional Public IP Settings" section.
Note that this should NOT be done for the drop-in WAN connection, as the Block 1 IPs are already passed through.
Next, under Inbound Access click on Servers and define a new one. In your case, this will be the ASA (say 20.20.20.22).
Now you need to click on Services and define whatever you want to forward to the ASA, and you can select any of the WAN2 IPs.
Remember, you do not need to define any services for WAN1 because all this traffic already goes directly to your ASA.
Total setup time should only be a couple of minutes :slight_smile:

Hope this helps and let us know how you made out.

Here is what you can do:
1- Choose a new "private" IP address pool (say 10.177.177.x/24). This IP address pool should be configured in the firewall NAT rules to replace the NAT server addresses from the second block.
2- On the firewall: for each NAT rule mapping an internal server address to an address from the second block, replace this second-block address with an address from the new "private" range (i.e. 10.177.177.x). Example: currently on the firewall you have 172.16.1.120 -> 20.20.20.41. You should make it 172.16.1.120 -> 10.177.177.120.
3- On the Peplink configuration: LAN > Static Routes: add a static route for 10.177.177.x with the gateway as the firewall address (i.e. the one from the first block).
4- On the Peplink, create a NAT mapping between the second-block IP addresses and the new "private" range. NAT Mappings > Host address = 10.177.177.120, WAN2 inbound = 20.20.20.41, WAN2 outbound = 20.20.20.41.
5- Repeat above for each server currently having an address from second range.
I hope this will work!

Hi Mohamed,
Thank you very much for your extremely good explanation. So, that means I need to change the ACLs on the firewall to replace the second-block IPs with the private IP address range (10.177.177.x/24)?
Also, is it still OK to have the Peplink in drop-in mode with WAN1 and LAN on a public IP address? And does this still allow me to create a static route pointing to the public IP address (in this case the gateway is the firewall's public IP address)?

Thank you very much for your help. I really appreciate your time and effort.
Many thanks
Rosy…

Hi Rosy,
If the ACLs are the place where you configure NAT between the server's internal IP address and the 2nd-block public IP address, then yes, you need to make the described change in these ACLs. The Peplink in drop-in mode will place the Peplink LAN and WAN1 interfaces into the network segment with the 1st block of public IP addresses, so yes, it is OK that the Peplink LAN IP address (which will automatically reflect to the WAN1 interface) will be a public IP from the 1st block. Sure, you can create any static route under the LAN interface and point it towards your firewall's public IP address (just remember that any change on the LAN interface when in drop-in mode will reset some of the configuration of the WAN1 interface, so you have to reconfigure WAN1 manually after configuring the LAN static route).
You are welcome.

Hi Mohamed,
One last thing. ACLs only specify the traffic inbound/outbound policies, such as
access-list outside_in permit tcp any host 20.20.20.41 eq 80 (this allows inbound traffic to IP address 20.20.20.41 from the second block on the firewall)
and a static one-to-one NAT is already in place, e.g. static (inside,outside) 20.20.20.41 10.10.10.10
Now it means I need to first create the new private block of IPs as described, then change the one-to-one NAT as described above and an ACL to reflect this??? This is what I don't get:
because the Peplink is NATting between the public and the new private address, and as a result I change the NAT on my firewall to reflect the same, do I also need to update the ACLs on the firewall?
My proposed config, as per my understanding of what you have described above, will look like:

On peplink:

1) Take a new private block: 10.177.177.x/24
2) On the Peplink configuration: LAN > Static Routes: add a static route for 10.177.177.x with the gateway as the firewall address (i.e. the one from the first block).
3) On the Peplink, create a NAT mapping between the second-block IP addresses and the new "private" range. NAT Mappings > Host address = 10.177.177.120, WAN2 inbound = 20.20.20.41, WAN2 outbound = 20.20.20.41.
**Question: Do I have to add the new private range under the LAN configuration as "Additional Hosts" to use them in step 3???**

On firewall:
1) Change the NAT from, for example, 20.20.20.41 (IP from the second block) -> 192.168.0.1 (internal server) to the new NAT: 10.177.177.20 -> 192.168.0.1
2) Change the ACL from, for example, **access-list outside_in permit tcp any host 20.20.20.41 eq 80** to **access-list outside_in permit tcp any host 10.177.177.20 eq 80**

Am I correct? Please clarify for me. Once again, thank you very much for all your time.
Many thanks
Rosy

Hi all,
I think it'll be much easier if Rosy puts the network diagram here with imaginary values for the problem; then everyone can discuss with ease, like below:



(I've got excited by your interesting discussion, Sabbah and Simdorn. Somebody like me couldn't figure it out very clearly via those plain texts :slight_smile: ).
Regards.

Correct.

The Peplink will NAT from the public 2nd-block address to the transit address, whereas the firewall will NAT from the transit address to the internal address. Yes, you need to update the ACLs on the firewall.

No Need to add this. Just follow the described procedure.

Your described configuration is correct. My advice: before changing all your configuration, you may want to start with one server and see how it works. Once that is successful, you may proceed with the rest of the servers. Good luck!

Mohamed,
Thank you very much for your explanation, time, effort and for your prompt reply. I'll try this configuration this weekend and update you all. I'm very pleased that at least I could get some help in the forums, so I wouldn't hesitate to buy Peplink any more. The device looks solid. Thanks a million.

Rosy :slight_smile:

Hi Rosy,
Glad to help. Knowing Peplink since they started, I am very loyal to this vendor and the solution. Whether you look for price, reliability, professional support, or extra customer-oriented attention, Peplink excels in all that, and more. Most of the time every employee of Peplink was ready to understand our special requirements and go and make firmware changes to bring our setup to successful operation. I fully recommend Peplink for all that. Waiting to hear the good news about your setup :slight_smile:

Hi Mohamed,
Brilliant, that worked like a charm. I tried the configuration as discussed with you last week and it worked. Thank you very, very much. But I have noticed that now DNS doctoring is not working. That means if I try to connect to any of the internal services from the same public IP, it is not allowed now. It used to work. Suppose we want to test a VPN connection coming from a user connected to an external wireless connection (say here ISP (one of our leased lines) -> SWITCH -> SONICWALL -> WIRELESS ACCESS POINT (subnet 192.168.11.0/24); here we are bypassing the external guest network from the LAN). Then the user connected to the 'external' wireless couldn't connect to the VPN server behind the ASA firewall. Any idea???

I appreciate your time…
Many thanks
Rosy… :slight_smile:

Glad to hear it worked.
Regarding this "DNS doctoring", I did not get what it means. Do you conclude that the failure to establish the VPN connection (as described) is a DNS problem? I am not an expert in VPN, but I do not know what the relation between the DNS and VPN setup would be: please explain.
What type of VPN are you trying to establish (IPsec, PPTP, etc.)? Maybe you want to enable some of the "Service Passthrough" features on the Peplink (i.e. IPsec NAT-Traversal). If you face DNS issues, maybe you want to enable DNS Proxy (under LAN configuration) and configure DNS Forwarding to the local DNS Proxy (under "Service Forwarding" configuration).

I got some information about the "DNS doctoring" feature: it is a feature of the firewall analyzing DNS requests and replies (request coming from the inside LAN and reply coming from outside). If the firewall detects a DNS reply with an IP address that has a static NAT rule, it will manipulate the DNS reply and change the IP address to the internal address. If so, then the issues you are describing are related to an "internal" user trying to establish a connection to an "internal" server using a DNS URL, right? You will be facing this issue only with servers NATted to the previously set transit IP address pool, because the DNS reply will have the public IP address instead of the transit IP address. If that is the case, then you can configure the Peplink DNS Proxy (under LAN) and add entries with all your servers' DNS URLs pointing to the internal private addresses (example: Server FQDN: www.mycompany.com Address: 172.16.1.100 -> this is the private address, not the public one); just remember to configure Peplink Service Forwarding to forward outgoing DNS requests to the local DNS proxy. This will delegate the "DNS doctoring" function to the Peplink itself instead of the firewall performing it. However, regarding your VPN issue, I am not yet sure how the DNS affects your VPN setup. Are you trying to establish the connection using the FQDN instead of the public IP?
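To make the two-stage translation from the step-by-step procedure above, and the resulting DNS doctoring gap described in this reply, concrete, here is a small model added as an example (not code from the thread or from Peplink). It uses the thread's sample addresses; the table and function names, and the FQDN vpn.example.com, are this example's own assumptions.

```python
"""Added example, not from the thread: a small model of the two-stage inbound
translation (Peplink maps a 2nd-block public address to a transit address, the
ASA maps the transit address to the internal server) and of why ASA DNS
doctoring stops matching afterwards. Addresses are the thread's sample values;
the tables, function names and FQDN are this example's own assumptions."""
from __future__ import annotations

# Peplink NAT Mappings on WAN2: public 2nd-block address -> transit host address
PEPLINK_INBOUND_NAT = {"20.20.20.41": "10.177.177.20"}

# ASA static NAT after the change: outside (transit) address -> inside server
ASA_STATIC_NAT = {"10.177.177.20": "192.168.0.1"}

# ASA outside_in ACL as a set of (dst_host, dst_port): old entry vs updated entry
ACL_OLD = {("20.20.20.41", 80)}
ACL_NEW = {("10.177.177.20", 80)}

# Peplink DNS Proxy entries that take over the doctoring job (constructed FQDN)
PEPLINK_DNS_PROXY = {"vpn.example.com": "192.168.0.1"}


def peplink_inbound(dst: str) -> str:
    """WAN1 (drop-in) traffic passes untouched; mapped WAN2 addresses are rewritten."""
    return PEPLINK_INBOUND_NAT.get(dst, dst)


def asa_inbound(dst: str, port: int, acl: set[tuple[str, int]]) -> str | None:
    """Inside address the ASA delivers to, or None when the ACL drops the packet.
    The ACL is evaluated on the address the ASA actually sees, i.e. after the Peplink."""
    if (dst, port) not in acl:
        return None
    return ASA_STATIC_NAT.get(dst)


def trace_inbound(public_dst: str, port: int, acl: set[tuple[str, int]]) -> str | None:
    """Packet from the Internet to a 2nd-block address: Peplink first, then the ASA."""
    return asa_inbound(peplink_inbound(public_dst), port, acl)


def asa_dns_doctoring(answer_ip: str) -> str:
    """ASA rewrites a DNS answer only if it equals the outside address of a static NAT.
    A public answer for a transit-mapped server no longer matches, so it passes unchanged."""
    return ASA_STATIC_NAT.get(answer_ip, answer_ip)


def peplink_dns_proxy(fqdn: str, upstream_answer: str) -> str:
    """Local DNS Proxy answer: a configured FQDN returns the private address,
    anything else returns what the upstream resolver said."""
    return PEPLINK_DNS_PROXY.get(fqdn, upstream_answer)
```

Running trace_inbound with ACL_OLD returns None because the ASA never sees 20.20.20.41 as the destination any more, which is why the ACL must be updated along with the static NAT.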

Hi Mohamed,
Once again, thank you very much for your reply.
Q: However, regarding your VPN issue, I am not yet sure how the DNS affects your VPN setup. Are you trying to establish the connection using the FQDN instead of the public IP?
Ans: Yes, the VPN is a Citrix Access Gateway SSL/WebVPN solution; users always connect using the FQDN instead of the public IP.

The guest network is a wireless connection behind a SonicWALL firewall, and the SonicWALL is connected to a leased line (in this case the second router [BT]). This is one of the two routers we have, from our previous discussion. Now I don't really know why it doesn't resolve the FQDN to an IP for users coming from the SonicWALL/wireless AP, which is on a public IP address from the second block of public IPs, to the Citrix Access Gateway (behind the ASA firewall/Peplink) public IP address from the first block of IPs?
Thanks for your time.
Rosy :slight_smile:

I imagine your connection is like this:
First leg: Citrix SSLVPN Server <-> inside (ASA) - NAT - outside (ASA) -> (1st-block public IP) - LAN (Peplink) - drop-in - WAN1 (Peplink) - first ISP router.
Second leg: VPN user - wireless AP - LAN (SonicWALL) - NAT - WAN (SonicWALL) -> (2nd-block public IP) - second ISP router.
The Peplink WAN2 along with the SonicWALL WAN should be connected to the same network segment (that connects both to the second router [BT]).
First: the IP address assigned to the SonicWALL should be removed from the Additional Public IP Addresses list configured on Peplink WAN2.
If that is done: try to ping the Peplink WAN2 address from the guest machine which sits behind the SonicWALL, just to make sure things are OK on this segment.
Next: we need to know the default gateway setting of the SonicWALL: is it the IP address (from the 2nd block) of the second router?
Also: we need to know where the DNS records pointing to the Citrix SSLVPN Server get resolved.
Finally, check any static routes on the SonicWALL possibly pointing to the ASA IP address or the 1st ISP router address.
In case the SonicWALL WAN is behind the ASA, then you may want to configure the Peplink DNS proxy as described in my earlier reply. That should solve all the DNS issues that arose because of the broken DNS doctoring.

Hi Mohamed,
Sorry for the delayed reply. You are right, that's the way I set up the network, but actually the SonicWALL's IP address is from the first block, not from the second block. Sorry, my mistake.

The SonicWALL gateway is pointing at the first router (the first block's default gateway).

Q: We need to know where the DNS records pointing to the Citrix SSLVPN Server get resolved.
Ans: It's set up on an external DNS server (Dyndns.org) to point to the IP address from the first block.
- No static routes on the SonicWALL.
- The SonicWALL is not behind the ASA.

Many thanks
Rosy…:slight_smile: