Snapgear Pub2Pub Configuration

Public to Public:

 


1) First of all, the customer needs to purchase an additional IP address block. Work with sales to get that done before proceeding.

2) Try to get someone else to create the new IP block for plausible deniability if something goes wrong. If you get stuck with it, do the following:

a) Check the customer's Server HW object to determine the VLAN.

b) Goto Customer Page, click the appropriate "View sm-car1.dllstx5 VLAN 144" link.

c) Click "Auto-assign another subnet to this VLAN"

d) Enter Customer Number Select the appropriate CAR/VLAN from the pulldown. (should be default) Choose correct location which should be default. Same for the "block routed to" For notes: Primary for Firewall. Then pick any ole block that they give you.

e) Go back to the VLAN page and refresh. IF the server subnet was a secondary everything is cool. IF it was a primary, this is a problem. Because we want Orbit to think the NEW block is the primary, and the original block is the secondary. Do the following: - Click on the new secondary that you made. - Edit This Subnet - Click the "Make this the primary subnet for the selected vlan" and apply.

f) Back to the VLAN page and refresh again. Edit the original server IP subnet and change the notes to say routed to Firewall.

 

3) I HIGHLY recommend that you cut&paste this procedure to notepad and do a global Find/ReplaceAll and replace my example numbers below with the real ones for your install. This guide is written with this intention in mind and will make life much easier.

70.85.175.186 = Original Server IP (The 1st usable IP normally for the server) 70.85.175.185 = Original gateway IP 70.85.175.184 = Original network IP. 255.255.255.240(varies) = Original Server Netmask. vlan123 = vlan for customer. Found at top of HW object of server.

70.86.121.2 = New block Firewall IP. (3rd IP in block) 70.86.121.1 = New block Gateway IP 70.86.121.0 = New Block network IP (1st usable) 255.255.255.248 = New Block Netmask.

actual build:

1) Plug in Power Get ethernet crossover cable and Plug in snapgear LAN port to computer's extra eth port.

2) set your secondary eth to 192.168.0.2 255.255.255.0 no gateway click OK. then Enable the connection.

3) Bring up a command prompt and ping -t 192.168.0.1 Keep messing with the reset button until you get it to work.

4) Bring up the snapgear window by using IE http://192.168.0.1 Click Incoming Access (or any ole thing) from the Main Menu. login as: root,default It should prompt you to change the password. Do so using our password. If not, goto Users, edit, change password.

5) Check firmware for upgrade. Should be 2.1.3. Check the Diagnostics for exact version.

If you need to upgrade it... poor you. Do one of the following:

A) Run the handy executable for your specific type of firewall on desktop. - Will need the boss to run as admin to unblock the Windows Security. When run as admin, make sure to select the ALWAYS UNBLOCK option! - Available at the following site: https://sss-lin.dllstx2.inside.theplanet.com/files/snapgear/firmware/

B) Run a tftp server on your local desktop. - Not enough permissions to do so. I couldn't install one.

C) Upgrade through telnet. - Plug in cable to Internet Port, unplug someone elses comp and plug it in. - Network Setup,modify Direct Internet to use DHCP. - Telnet into firewall. Ping www.google.com to ensure connection works. - netflash -k http://67.18.76.242/sg5XX-2.1.3.sgu (awood) OR netflash -k http://files.japman.com/sg/sg5XX-2.1.3.sgu (jpoletes) - Wait about 5 minutes and then try the web interface again.

6) In SG Main menu window, Network Setup. Then "Edit Network configuration" under LAN (1st pulldown table) Change LAN IP to Original Gateway IP (70.85.175.185) Use Original Server Netmask. Ensure DHCP is NOT checked. No Gateway needed. Apply, then reboot the SG.

7) On your machine, change the appropriate ethernet port address to Original Server IP (70.85.175.186), with original Server Netmask.

8) In Browser, connect to snapgear on http://Original Gateway IP ( http://70.85.175.185 )

9) Network Setup, change Internet connection (2nd pulldown) to Direct Internet Enter the New IP block's Firewall IP (70.86.121.2). Netmask is always 255.255.255.248 for the New IP block. For Gateway Address, enter New Block Gateway IP. (70.86.121.1) Enter our DNS of: 67.19.0.10,67.19.1.10,216.185.111.10

10) Goto Advanced tab, enter CXXXXX-location-model (ex: C12345-AM21-SG570) Then apply.

11) Note that No Aliases are needed for the new IP block (unlike NAT)

12) Main Menu, Incoming Access: - Check the "Accept echo request" box. Apply that. - Hit Cyberguard Web Server tab, change to 8888 Web server port. Apply

13) Now, change address to :8888 on browser to continue with config.

14) Main Menu, Packet filtering, Addresses subtab: Add the Original Server IP (70.85.175.186) Then add ALL the Original Server SECONDARY IPs. All usable public IPs for the Original Server Block should be entered.

15) Goto Service Group tab for addition of service groups. - probably add one called Wincommon or Linuxcommon - add others as needed for special requests. ! Always make sure ICMP is checked.

Ports Opened Guide: IF Disksync, then open: TCP 808 for all. 807,2546 ONLY for 70.85.125.18, 70.85.125.19 IPs. IF Urchin tcp 9999 IF Cpanel tcp 2082,2083,2086,2087,2095,2096 IF NAS backup then nothing should be needed as it uses FTP. If Plesk, then tcp 8443 IF DNS, Port 53 UDP and TCP IF VPN(PPTP), TCP 1723 port IF ISS, 903, 2998 TCP IF Virtuozza, 4643 IF IP monitoring, port 1040 to planet servers. (shouldn't need) IF coldfusion, http://www.macromedia.com/go/tn_18336 IF Passall, just add 1-65535 for TCP and UDP, and allow ICMP.

16) Goto NAT Translation, Destination NAT subtab. Add rules for ALL server IP translations. Fields defined as follows:

Enable: checked Descriptive Name: Type in the Original Server IP (70.85.175.186) Incoming Interface: "Any Internet Interface" Source Address: Any Destination Address: Internet Port - Direct Internet (New Block Firewall IP(70.86.121.2)) (for ALL the rules!) Destination Services: choose the appropriate service group (i.e. wincommon,etc)

Under Alter the packet, To Destination Address: Choose the Original Server IP from the pulldown. (70.85.175.186) To Destination Service: Unchanged Create a Corresponding incoming ACCEPT rule: Checked

Repeat for all remaining Original Server Secondary IPs. You will use the same settings as above EXCEPT change the following: a) Descriptive Name increments by +1 IP (thru all the secondary IPs) b) Alter Packet, Destination Address increments by +1IP (thru all secondary IPs) DO NOT CHANGE the Internet Port - Direct Internet!

17) When done, goto Main Rules (lefthand side), cut&paste the following into rules box: Be sure to check the Input chain and apply several times till it works and shows up below.

iptables -I INPUT -s 67.19.0.0/24 -j ACCEPT iptables -I INPUT -s 12.96.160.0/24 -j ACCEPT iptables -I INPUT -s 70.84.160.0/24 -j ACCEPT iptables -t nat -I PREROUTING -i $INTERNET_IF -p tcp -s 67.19.0.0/24 -d $INTERNET_ADDR --dport 8888 -j ACCEPT iptables -t nat -I PREROUTING -i $INTERNET_IF -p tcp -s 12.96.160.0/24 -d $INTERNET_ADDR --dport 8888 -j ACCEPT iptables -t nat -I PREROUTING -i $INTERNET_IF -p tcp -s 70.84.160.0/24 -d $INTERNET_ADDR --dport 8888 -j ACCEPT sysctl -w net.ipv4.ip_conntrack_max=30000 iptables -t nat -F Flood

18) Finishing touches:

- Select Date&Time. Select Locality (bottom of page): US,Central. Apply. Under NTP, "Set Time"=checked, enter: time.nist.gov Apply

- Under Advanced tab, System Log, System Logger Options. ENABLE Remote Logging 12.96.160.125 then Apply.

19) stuff:

- Login to the target server(s) and mention Password Verified on the ticket internal. If you cannot login, be sure to ask the customer to update the password.

- Fill out canned response in ticket. Ask for deployment time.

- Associate the FW with the customer and fill out IP, location,etc.

The firewall is now ready to deploy.

 

 

DEPLOYMENT of Public to Public:

 


1) Acquire the Firewall, Power Converter, Power Cord, and two cables.

2) Make sure you updated ticket telling customer you are about to install.

3) Grab a sticky, write down: -Server IP and netmask -Location -SwitchPort -Server Serial Number -Firewall SERIAL number (if HW object not already modified)

4) Now, we must route the IPs. Using the definitions above, we will do the following: a) Bring up their server HW object. Click on the link at the top that says VLAN 123 (or whatever)

b) Connect to the router. (NOT the switch for that server).

c) Time to do some funky routing stuff:

70.85.175.186 = Original Server IP (The 1st usable IP normally for the server) 70.85.175.185 = Original gateway IP 70.85.175.184 = Original network IP. 255.255.255.240(varies) = Original Server Netmask.

70.86.121.2 = New block Firewall IP. (3rd IP in block) 70.86.121.1 = New block Gateway IP 70.86.121.0 = New Block network IP (1st usable) 255.255.255.248 = New Block Netmask. vlan123 = Your VLAN for this server.

sho run int vlan123, look for "ip address 70.85.175.185 255.255.255.240 secondary" or whatever.

conf t (enter configure mode) int Vlan123

no ip address 70.85.175.185 255.255.255.240 secondary (unroutes the original Gateway IP ) exit

no ip route 70.86.121.0 255.255.255.248 Vlan427 70.85.175.186 This MAY OR MAY NOT WORK. If someone else created the New IP Block, then they might have routed the Block to the Original Public IPs. We want to remove this. Go ahead and type the line. If it works, great. If it does not, then it means that the line was not necessary and continue on. You can: exit, show run int vlan123 to verify, then conf t again to resume.

int Vlan123 ip address 70.86.121.1 255.255.255.248 (This sets up the New Block Gateway IP as our gateway for this VLAN) exit ip route 70.85.175.184 255.255.255.240 Vlan123 70.86.121.2 (routes entire Original IP Block to the New Block Firewall IP, change .240 as needed) int Vlan123 shut (Shut/noshut flushes the ARP cache so it works immediately instead of hours later) no shut (note that you will do this again later, so not really needed here.)

If you have not already, goto IPDB and modify the New Block Network IP as follows: Add customer number: C12345 Add the router/VLAN that you used, tp-car6.dllstx5 VLAN 123 on pulldown menu. same for Block Routed To Make a Note: Primary for firewall. Manually Assigned: N

5) No changes are needed on the target server, so no need to login.

6) Go ahead and wire up the power. Since the customer is already down, you can do the cleanup later as far as zipties,etc.

7) Unplug the Server's ethernet connection (verify on switch that it is right port)

8) Plug the red switch wire into the INTERNET port on the snapgear if possible. NOTE: On rare occasions you may need to run a passthru cable from firewall to switch port instead, if the red switch wire will not reach.

9) Plug a crossover cable into the Firewall's LAN port and plug other end into the server. NOTE: They seem to be autosensing, so any cable will work.

10) Back to the desk. Goto server's HW object. Click the VLAN XXX link at top of page. Goto that router (NOT the switch for the server), enter the following: conf t int VLAN 123 (where XXX is the VLAN for that server) shut no shut ctrl z

11) See if you can hit the firewall. http://IPofServer:8888

12) See if you can login to the server.

13) Goto external server such as 64.5.44.18 (theplanet, nud13b4r) nmap -T Insane -P0 -p 1-65535 XX.XX.XX.XX (where XX is IP of server of course) Verify that the right ports are open and it looks good.

14) Update Firewall Hardware Object appropriately. MAKE SURE that you give the firewall HW object the NEW BLOCK FIREWALL IP(3rd one in block). It will NOT be the customer's public IP address.

15) Give customer the appropriate post-install verbage.