This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

eDirectory, NAT and RED

Hello,
Just got our first RED. To test if it is useful in our organization.
We are using a ASG 220 in a Novell Netware 6.5 network. eDirectory SSO is used to authenticate the users.
I've configured the RED. When I connect a pc from behind the RED, I am able to log in into the network. I can access the network, use Groupwise, etc.
When I try to access the internet, a loginscreen appears.

I've set up NAT between the remote network (10.140.0.0/16) and the office network (10.120.0.0/16). The remote traffic is NAT-ed to the address 10.120.240.81.
In the authentication log this address is shown when the remote user logs in.

But the remote pc has address 10.140.252.254. And that address is used when the internet browser is started (as is shown in the http log when the users logs in with the authentication login screen).

Seems to me not really a RED issue, but anyway: can anyone tell me what I'm doing wrong?

This thread was automatically locked due to age.

0 Scott_Klassen over 14 years ago

Since I don't user eDir, I'm spitballing here, but here are the first couple of things that come to mind:

Have you added a packetfilter rule on your ASG allowing traffic from the virtual RED interface network to the internet?
Did you add this same network to the Allowed Networks list for the HTTP proxy?

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 14 years ago in reply to Scott_Klassen

I'm pretty sure this has to do with how e-directory SSO works ... my understanding is that e-directory stores the IP of the logged in user; when you NAT the remote IPs to one single IP, it's going to get confused, as e-directory will be returning an IP that the proxy doesn't see.

This is something I'd start an official astaro support case on; I suggest you take this path for a swifter resolution.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 maygyver over 14 years ago in reply to BrucekConvergent

question, why using NAT?

Astaro user since 2001 - Astaro/Sophos Partner since 2008
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 14 years ago in reply to maygyver

Maygyver's question is a good one... why use NAT? You should only need to setup packet filters... not using NAT may fix the problem.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 lvandijk over 14 years ago in reply to BrucekConvergent

Thank you for your response and hints.
The solutions was SLP. The Directory Agent had no route to the new network 10.140.0.0. That's why there was no tree visible with only packet filters active. Using NAT, the remote pc got a local ip-address. So the DA could be reached, and logging in to the Netware tree was possible. But then the described problem occured.
@may_gyver: you were right. NAT is not needed. A packet filter (and good routing [;)] ) will do!
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 14 years ago

I haven't touched one yet, but I understood that a RED is a virtual interface, and that there shouldn't be any need for routing. For example, if you have two local LANs, one on an Astaro interface and the other on a RED, 10.1.0.0/24 and 10.1.1.0/24, I understand that you need a PF rule like '{10.1.0.0/23} -> Any {10.1.0.0/23} : Allow', but I think the necessary routes to the subnets are created automatically as a consequence of configuring the interfaces.

WHat have I misunderstood?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel