06-06-2009, 02:41 PM | Super Moderator | Join Date: Feb 2009 | Location: In a galaxy far far away | Posts: 857
opendns
Hi All
I've just edited the DNS settings of my ASG to use OpenDNS (set as forwarders and unticked "forwarders assigned by ISP"). However, I am now unable to access a specific client by RDP on the DMZ zone. I am able to share files and view the shared drives on that client.
It's not an IPS/pf issue, as I've checked both of them. I can't see anything in the logs indicating that the traffic is blocked.
Could you please advise?
__________________
Running Astaro ASG virtual appliance | Home power user 100 IP license
Intel Dual Core 2.4GHz (800MHz) | 4GB (2 x 2GB) PC2-6400 800Mhz 5-5-5-18 | WD 160GB |3 x Intel Pro/1000

06-06-2009, 10:59 PM | Moderator | Join Date: Jul 2001 | Location: southern California | Posts: 5,139
Are you trying to use RDP to the IP or the hostname?
Do you have an internal DNS server? If so, you can tell Astaro to use it, on the DNS request routing page.
Barry
__________________
http://DealBert.net
Home & business end-user since v1.x - ASL 6.3x, HP DL145 Dual Opteron, 1GB RAM, 6 gigE NICs, 50-IP Platinum License
- ASL 7.3x, Dell PE1550 Dual PIII 1GHz, 1GB RAM, 2 NICs, 50-IP Platinum License
- ASL 7.5x, 17-watt fanless mini-ITX system: MSI IM-945GSE-A Atom n270, 2GB RAM, Morex T3310 case. 2 Intel GigE, 3 VLANs. 80G 5200rpm 2.5" HD
Netgear GS108T gigE VLAN switch & Linksys WRT54G WAP
Total network infrastructure: 27 watts. 100-IP Home User. FiOS 10mb/2mb

06-07-2009, 12:37 PM | Super Moderator | Join Date: Feb 2009 | Location: In a galaxy far far away | Posts: 857
I am using RDP to connect to the IP.
I don't have an internal DNS server. It's strange, because when I was using my ISP's DNS by ticking "ISP forwarders" everything was working fine. Could it be something related to OpenDNS?

06-07-2009, 04:01 PM | Moderator | Join Date: Mar 2007 | Location: Oklahoma City | Posts: 5,388
Just to confirm, when you run Desktop Connection, into the box for the 'Computer', you are putting a numeric IP address, not a name or FQDN?
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

06-07-2009, 04:11 PM | Super Moderator | Join Date: Feb 2009 | Location: In a galaxy far far away | Posts: 857
Yes. The connection is to 172.16.1.2. I press connect and instantaneously it drops (no error).

06-07-2009, 05:48 PM | Moderator | Join Date: Mar 2007 | Location: Oklahoma City | Posts: 5,388
Barry, this sounds impossible to me. What could this be?

06-07-2009, 08:03 PM | Super Moderator | Join Date: Feb 2009 | Location: In a galaxy far far away | Posts: 857
I just tried it today and indeed it is not DNS related. I've logged the relevant rule (allowing traffic from zone to DMZ) and the following traffic is allowed:
Code:
20:00:10 Packetfilter rule #13 TCP 192.168.2.31 : 10861 → 172.16.1.2 : 3389 [SYN] len=48 ttl=127 tos=0x00 srcmac=00:1f:d0:0a:9a:89
However, RDP still doesn't connect. I can't see any drops in the log. Interestingly enough, IPS detects it as follows:
Code:
2009:06:07-20:00:09 Astaro barnyard[6591]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="MISC MS Terminal server request" group="450" srcip="192.168.2.31" dstip="172.16.1.2" proto="6" srcport="10861" dstport="3389" sid="1448" class="Generic Protocol Command Decode" priority="3" generator="1" msgid="0"
2009:06:07-20:08:18 Astaro barnyard[6591]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="MISC MS Terminal server request" group="450" srcip="192.168.2.31" dstip="172.16.1.2" proto="6" srcport="11227" dstport="3389" sid="1448" class="Generic Protocol Command Decode" priority="3" generator="1" msgid="0"
2009:06:07-20:08:20 Astaro barnyard[6591]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="MISC MS Terminal server request" group="450" srcip="192.168.2.31" dstip="172.16.1.2" proto="6" srcport="11228" dstport="3389" sid="1448" class="Generic Protocol Command Decode" priority="3" generator="1" msgid="0"
2009:06:07-20:09:20 Astaro barnyard[6591]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="MISC MS Terminal server request" group="450" srcip="192.168.2.31" dstip="172.16.1.2" proto="6" srcport="11248" dstport="3389" sid="1448" class="Generic Protocol Command Decode" priority="3" generator="1" msgid="0"
I've tried disabling the rule / disabling IPS, but the same issue exists.
Last edited by wingman; 06-07-2009 at 08:13 PM.
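As an added example (my code, not from the thread or from Astaro), a small Python parser that joins the packet filter entry and the IPS entry above by their 4-tuple, which makes the point of this post mechanical: the flow matched an allow rule and the IPS only alerted on it (action="alert", not "drop"), so neither log shows the ASG blocking the RDP session. The sample lines are copied from the post; the two regexes are assumptions about the format as rendered here, not Astaro's documented log grammar.

```python
import re
from collections import defaultdict

# Sample lines copied from the post above (the packet filter entry re-joined onto one line).
PF_LINES = [
    "20:00:10 Packetfilter rule #13 TCP 192.168.2.31 : 10861 → 172.16.1.2 : 3389 "
    "[SYN] len=48 ttl=127 tos=0x00 srcmac=00:1f:d0:0a:9a:89",
]
IPS_LINES = [
    '2009:06:07-20:00:09 Astaro barnyard[6591]: id="2101" severity="warn" sys="SecureNet" '
    'sub="ips" name="Intrusion protection alert" action="alert" reason="MISC MS Terminal '
    'server request" group="450" srcip="192.168.2.31" dstip="172.16.1.2" proto="6" '
    'srcport="10861" dstport="3389" sid="1448" class="Generic Protocol Command Decode" '
    'priority="3" generator="1" msgid="0"',
]

# Assumed patterns for the two formats as rendered in the post, not Astaro's documented grammar.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PF_RE = re.compile(r"^(\S+) Packetfilter rule #(\d+) (\w+) (\S+)\s*:\s*(\d+) (?:→|->) (\S+)\s*:\s*(\d+) \[(\w+)\]")

def parse_pf(line):
    """Packet filter entry -> dict of the fields we key on, or None if it is not a rule hit."""
    m = PF_RE.match(line)
    if not m:
        return None
    t, rule, proto, src, sport, dst, dport, flags = m.groups()
    return {"time": t, "rule": int(rule), "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport), "flags": flags}

def parse_ips(line):
    """barnyard/IPS entry -> dict of its key="value" fields."""
    return dict(KV_RE.findall(line))

def correlate(pf_lines, ips_lines):
    """Group both log views by (src, sport, dst, dport) so one flow's verdicts sit together."""
    flows = defaultdict(lambda: {"pf_rule": None, "ips_action": None, "ips_sid": None})
    for line in pf_lines:
        pf = parse_pf(line)
        if pf:  # record which rule matched; in the post, #13 is the Zone 1 -> DMZ allow rule
            flows[(pf["src"], pf["sport"], pf["dst"], pf["dport"])]["pf_rule"] = pf["rule"]
    for line in ips_lines:
        f = parse_ips(line)
        if f.get("sub") != "ips":
            continue
        key = (f["srcip"], int(f["srcport"]), f["dstip"], int(f["dstport"]))
        flows[key]["ips_action"] = f["action"]  # "alert" is log-only; only "drop" blocks
        flows[key]["ips_sid"] = f["sid"]
    return dict(flows)
```

A flow with a rule number and ips_action of "alert" was accepted end to end by the ASG, which is why the next step in the thread is tcpdump on both interfaces rather than more rule or IPS changes.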

06-07-2009, 10:09 PM | Moderator | Join Date: Jul 2001 | Location: southern California | Posts: 5,139
I assume you're connecting from an internal LAN to an internal DMZ.
Try running tcpdump on both interfaces and see if the traffic is going through the firewall correctly.
Are you doing any NAT/MASQ between these two networks?
Barry

06-08-2009, 12:02 AM | Super Moderator | Join Date: Feb 2009 | Location: In a galaxy far far away | Posts: 857
NAT/MASQ
--------------------
Both Zone 1 and DMZ point to the WAN interface.
I've attached the tcpdump for both interfaces. Eth1 is the Zone 1 interface, so I've attached only the relevant log (TCP port 3389).
Last edited by wingman; 06-08-2009 at 12:04 AM.

06-08-2009, 04:28 AM | Wizard | Join Date: May 2003 | Location: Brunswick, Maryland, USA | Posts: 2,667
You have to set the VPN exception side of OpenDNS up for your IP address of the VPN server.
__________________
50 user home license:ASL 7.5x p-4 celey 2.53 2 gigs ram 80 gig hdd intel/3com nics
50 user home license:ASL 7.5x p-4 xeon 2.8 ghz HT, 2 gigs ram, 250 gig HDD, 2 x Intel gig-e, 3com 3c905B
Registered Microsoft Partner
Emmanuel Computer Consulting, L.L.C.
http://www.emmanuelcomputerconsulting.com