Snapgear NAT Configuration

1) Plug in power. Get an ethernet crossover cable and connect the SnapGear LAN port to the computer's spare ethernet port.

2) Set your secondary ethernet interface to 192.168.0.2, netmask 255.255.255.0, no gateway, and click OK. Then enable the connection.

3) Bring up a command prompt and run ping -t 192.168.0.1. Keep working the reset button until the pings get replies.

4) Bring up the SnapGear web interface in IE at http://192.168.0.1 and click Incoming Access (or any other item) on the Main Menu.
Log in as root with the password "default". It should prompt you to change the password; do so using our password.
If it does not prompt you, go to Users, click edit, and change the password there.

5) Check the firmware version under Diagnostics. It should be 2.1.3.

If you need to upgrade it... poor you. Do one of the following:

  1. Run the handy executable (available here: https://sss-lin.dllstx2.inside.theplanet.com/files/snapgear/firmware/)
     for your specific type of firewall on your desktop. (You will need the boss to run it as admin to unblock Windows Security.)
     When it is run as admin the first time, make sure to select the ALWAYS UNBLOCK option!
  2. Run a tftp server on your local desktop. (Not enough permissions to do so. I couldn't install one. Good luck.)
  3. Upgrade through telnet.

6) In the SnapGear Main Menu window, click Network Setup and then select "Edit Network configuration" under LAN (1st pulldown table).

  • Change the LAN IP to 10.0.0.1 (or whatever the customer requested, if SPECIAL internal IPs were asked for, e.g. 10.10.10.1).
  • Keep same Netmask.
  • No Gateway.
  • Ensure DHCP is NOT checked!

Apply, then reboot the SnapGear by clicking the button that appears.
You can also reboot the firewall from Advanced Options.

7) On your machine, change the address of the appropriate ethernet port to 10.0.0.2 and keep the same netmask.

8) In the browser, connect to the SnapGear at http://10.0.0.1.

9) Network Setup: change Internet connection (2nd pulldown) to Direct Internet.
Enter the server's !!1st usable IP!!, netmask and gateway in dotted format (not /29). Do not use the network IP here; use the first usable IP.

  • IF ServerMatrix/non-HSRP, the first usable IP is +2 from the network IP.
  • IF HSRP, it is +4 from the network IP.

Use IPDB to verify whether the first usable IP is +2 or +4 from the network IP.
Enter our DNS servers: 67.19.0.10, 67.19.1.10, 216.185.111.10

10) Go to the Advanced tab, enter C#####-LOCATION-MODEL, then apply.

11) Check ALL IPs going to that server, in case extra blocks are routed to it.
If so, those will need to be run to the firewall as well. Use the customer page "IPDB Subnets" to verify.

12) Main Menu, Network Setup, Internet (2nd pulldown), Edit Alias Configuration: add the server's SECOND usable IP with the appropriate netmask (NOT 255.255.255.0). Continue adding the rest of the usable IPs with the same netmask. NOTE: you can use the browser's Back arrow to add many IPs more quickly.

12.1) If there are additional IPs routed to the server (found in step 11), add these as aliases just as you would secondary server IPs, EXCEPT use 255.255.255.0 for the netmask!

13) Reboot the firewall. The Reboot Now box should appear.

14) When done, go to Rules (left-hand side) and paste the following into the rules box. Be sure to check the Input chain, and apply several times until it takes and shows up on screen. The first three lines accept all traffic from our management networks; the three nat PREROUTING lines accept port 8888 from those networks before any DNAT rule can redirect it, so the admin web interface stays reachable; the sysctl line raises the connection-tracking table limit; the last line flushes the Flood chain.

iptables -I INPUT -s 67.19.0.0/24 -j ACCEPT
iptables -I INPUT -s 12.96.160.0/24 -j ACCEPT
iptables -I INPUT -s 70.84.160.0/24 -j ACCEPT
iptables -t nat -I PREROUTING -i $INTERNET_IF -p tcp -s 67.19.0.0/24 -d $INTERNET_ADDR --dport 8888 -j ACCEPT
iptables -t nat -I PREROUTING -i $INTERNET_IF -p tcp -s 12.96.160.0/24 -d $INTERNET_ADDR --dport 8888 -j ACCEPT
iptables -t nat -I PREROUTING -i $INTERNET_IF -p tcp -s 70.84.160.0/24 -d $INTERNET_ADDR --dport 8888 -j ACCEPT
sysctl -w net.ipv4.ip_conntrack_max=50000
iptables -t nat -F Flood

IF this is an existing firewall with firmware older than 1.90, do NOT use the sysctl line. Refer to http://kb.theplanet.com/viewtopic.php?t=454

15) Main Menu, Incoming Access:

  • Check the "Accept echo request" box and apply.
  • Go to the Cyberguard Web Server tab, change the web server port to 8888, and apply.

16) Now append :8888 to the address in the browser to continue with the configuration.

17) Main Menu, Packet Filtering, Addresses subtab: add new IPs for the customer, 10.0.0.2 through 10.0.0.XX (covering the customer's whole usable IP range).

  • You can use the browser's Back button to add extended IP ranges more quickly.
  • Only fill in the NAME field; the IP is filled in automatically.

Handy Chart (private IPs to add for each netmask):

  Netmask   Private IPs
  .248      10.0.0.2 - 10.0.0.6
  .240      10.0.0.2 - 10.0.0.14
  .224      10.0.0.2 - 10.0.0.30

18) Go to the Service Group tab to add service groups.

  • Probably add one called Wincommon or Linuxcommon.
  • Add others as needed for special requests.

Always make sure ICMP is checked.

Ports Opened Guide:

  • IF Disksync, open TCP 808 for all.
  • IF Urchin, TCP 9999.
  • IF Cpanel, TCP 2082, 2083, 2086, 2087, 2095, 2096.
  • IF NAS backup, then ???? beats me ????
  • IF Plesk, TCP 8443.
  • IF DNS, port 53 UDP and TCP.
  • IF VPN (PPTP), TCP port 1723.
  • IF ISS, TCP 903 and 2998.
  • IF Virtuozzo, 4643.
  • IF IP monitoring, port 1040 to Planet servers (shouldn't be needed).
  • IF ColdFusion, see http://www.macromedia.com/go/tn_18336
  • IF Passall, add 1-65535 for TCP and UDP and allow ICMP, or set up DNAT rules with the "Any" service group.

19) Goto NAT Translation, Destination NAT subtab. Add rules for ALL server IP translations.

  • Enable: checked
  • Descriptive Name: Internal - External (e.g. 10.0.0.2 - 67.19.22.32)
  • Incoming Interface: "Any Internet Interface"
  • Source Address: Any
  • Destination Address: Internet Port - Direct Internet (for the FIRST ONE)
  • Internet Port Alias ... (for the remainder)
  • Destination Services: choose the appropriate service group.
  • Alter the packet:
  • To Destination Address: Choose the Local IP (10.0.0.X)
  • To Destination Service: Unchanged
  • Create a Corresponding incoming ACCEPT rule: Checked

Repeat for all remaining server IPs, changing three things:

  • The Descriptive Name increments by 1.
  • The Destination Address port alias increments (67.19.22.33).
  • The Alter the Packet Destination Address increments (10.0.0.3).
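As an added example (not part of this procedure or of the SnapGear product), the following Python script works through the address arithmetic from steps 9, 12, 17 and 19 for one server: the +2/+4 first-usable rule, the dotted netmask, the alias list, the private addresses from the handy chart, and the DNAT name/address pairs. The 192.0.2.0/24 block is a constructed sample allocation, and the DNAT field labels are assumptions modelled on the bullets above.

```python
# Added example, not part of the original procedure: IP planning for one
# server using the rules from steps 9, 12, 17 and 19. The 192.0.2.0/24
# block below is a constructed (documentation-range) sample allocation.
import ipaddress

FIREWALL_LAN_IP = ipaddress.IPv4Address("10.0.0.1")  # LAN IP set in step 6


def first_usable_offset(hsrp: bool) -> int:
    # Step 9 rule of thumb: +2 from the network IP for ServerMatrix/non-HSRP,
    # +4 for HSRP. IPDB remains the authority; verify before trusting this.
    return 4 if hsrp else 2


def plan(public_cidr: str, hsrp: bool) -> dict:
    """Derive the Direct Internet entry, alias list, packet-filter addresses
    and DNAT pairs for a server whose public block is public_cidr."""
    net = ipaddress.IPv4Network(public_cidr, strict=False)
    start = first_usable_offset(hsrp)
    # Usable publics run from network+offset up to broadcast-1 inclusive.
    public = [net.network_address + i for i in range(start, net.num_addresses - 1)]
    # Handy chart (step 17): privates start at 10.0.0.2, one per public IP,
    # because 10.0.0.1 is the firewall itself.
    private = [FIREWALL_LAN_IP + 1 + i for i in range(len(public))]
    return {
        # Step 9: entered in dotted form, never as /29.
        "direct_internet": {"ip": str(public[0]), "netmask": str(net.netmask)},
        # Step 12: the remaining publics become aliases with the block's own
        # netmask, NOT 255.255.255.0.
        "aliases": [{"ip": str(p), "netmask": str(net.netmask)} for p in public[1:]],
        "filter_addresses": [str(p) for p in private],
        # Step 19: one DNAT rule per public IP; the first targets the Direct
        # Internet address, the rest target the matching alias (labels assumed).
        "dnat_rules": [
            {"name": f"{prv} - {pub}",
             "destination": "Internet Port - Direct Internet" if i == 0
             else f"Internet Port Alias {pub}",
             "to_destination": str(prv)}
            for i, (pub, prv) in enumerate(zip(public, private))
        ],
    }


def handy_chart_row(netmask_last_octet: int) -> str:
    """Reproduce one row of the step 17 handy chart for a non-HSRP block."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/255.255.255.{netmask_last_octet}").prefixlen
    privs = plan(f"192.0.2.0/{prefix}", hsrp=False)["filter_addresses"]
    return f".{netmask_last_octet} {privs[0]} - {privs[-1]}"
```

Call plan("192.0.2.8/29", hsrp=True) to see the three usable IPs an HSRP /29 leaves, and handy_chart_row(248) to regenerate the chart's first row.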

20) After all of the incoming traffic rules have been defined, we have been adding an egress rule "just in case":

  • Select the NAT tab, Source NAT sub-tab.
  • Name: egress
  • Source Address: LAN (only thing that needs changing)
  • Outgoing: Any
  • Destination Address: Any
  • Destination Services: Any
  • To Source Address: Outgoing Interface Address
  • To Source Service: Any

21) Finishing touches:

  • Select Date&Time. Select Locality (bottom of page): US,Central. Apply.
  • Under NTP, "Set Time"=checked, enter: time.nist.gov Apply
  • Under the Advanced tab, System Log, System Logger Options: ENABLE Remote Logging to 12.96.160.125, then Apply.

22) stuff:

  • Log in to the target server(s) and note "Password Verified" in the ticket's internal comments. If you cannot log in, be sure to ask the customer to update the password.
  • Fill out canned response in ticket. See below. Ask for deployment time.
  • Associate the FW with the customer and fill out IP, location,etc.

The firewall is now ready to deploy. Refer to: http://kb.theplanet.com/viewtopic.php?t=761

DEPLOYMENT:

1) Acquire the Firewall, Power Converter, Power Cord, and two cables.

2) Make sure you have updated the ticket telling the customer you are about to install.

3) Grab a sticky note and write down:

  • Server IP and netmask
  • Location
  • Switch port
  • Server serial number
  • Server login and password
  • Firewall SERIAL number (if the HW object has not already been modified)

4) Go hook up a console to the server.

5) Go ahead and wire up the power neatly, zip-tie it, etc.

6) Unplug the server's ethernet connection (verify on the switch that it is the right port).

7) Plug the red switch wire into the INTERNET port on the SnapGear if possible. NOTE: on rare occasions, if the red switch wire will not reach, you may need to run a pass-through cable from the firewall to the switch port instead.

8) Plug a crossover cable into the firewall's LAN port and plug the other end into the server. NOTE: the ports seem to be auto-sensing, so any cable will work.

9) Change the customer's server IPs from public to private. Windows: Settings, Network Connections, modify the connection (watch for multiple connections). Use 10.0.0.2 for the IP, 255.255.255.0 for the netmask, and 10.0.0.1 for the gateway.

Linux: edit /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth0-range (watch for multiple eth interfaces and modify the correct one). Use vi's "4yy" and "p" to copy the old config lines so a backup stays in the file. Modify IP, gateway and netmask as above, then run service network restart and ifconfig to verify it looks OK.

10) Back at the desk, go to the server's HW object and click the VLAN XXX link at the top of the page. Go to that router (NOT the switch for the server) and enter the following, where XXX is the VLAN for that server:

  conf t
  int VLAN XXX
  shut
  no shut
  ctrl z

11) See if you can reach the firewall at http://IPofServer:8888

12) See if you can log in to the server. If it is a Windows server, add the rest of the customer's IPs now.

13) Go to an external server such as 64.5.44.18 (ask JPoletes for access) and run nmap -T Insane -P0 -p 1-65535 XX.XX.XX.XX (where XX.XX.XX.XX is the server's IP, of course). Verify that the right ports are open and it looks good.

14) Update Firewall Hardware Object appropriately.

15) VPN stuff here....

16) Give the customer the appropriate post-install verbiage: