
Networking conundrum- security appliance

RichP

NAXJA Forum User
Location
Effort, Pa
Got an Allied Telesyn AR450S security appliance, basically a firewall/router. It has eth0 [WAN] and eth1 [DMZ] in back and 5 Ethernet ports; each one can be a VLAN, so it's layer 3. By default they are all part of the same VLAN; I have not divided them up yet.
My cable modem here will issue two public IPs: one goes to my SMC Barricade, the other to the AT, and both get public IPs. I can ping the public IP on the AT from behind my SMC Barricade, so I know that works. When serial-connected to my laptop and logged into the CLI, I can ping out to the world and I can ping the inside port, which I set up as 192.168.1.1. I can also see my public IP on the AT's web interface.
What's driving me crazy is I can't get out from the 192.168.1.1 side: I cannot ping that public IP or any DNS or other servers out on the net, and I don't know what I'm missing here. I also have a 410 [smaller version sans the DMZ port] and its really big brother, an AT Rapier, that does the same thing. Driving me nucken futz. I have also had no success in finding any groups out there that I can normally look through for common problems, like I can with my Cisco or other stuff. :rattle: I know I must be missing something simple but cannot find it in the documentation.
Any Allied Telesyn gurus out there?
 
Oh, I see your problem.

You need to run a jumper from the ABC123 to the LMNOP4. That should take care of it. If you happen to have the ability to run DOS, just a simple format c: will take care of it.

HTH


Hale
 
Yehaaa, got it working.
 
Haleyes said:
Oh, I see your problem.

You need to run a jumper from the ABC123 to the LMNOP4. That should take care of it. If you happen to have the ability to run DOS, just a simple format c: will take care of it.

HTH


Hale
hehe, hale brought the funny.

What was wrong with it Rich?
 
Get rid of it and get Cisco; it is $$$ but worth it.

I am in the Cisco Academy at Ivy Tech. My professor has been letting us play around with the PIX 500 firewalls, pretty powerful stuff; we are not into firewalls until next semester, so I am not that educated on the subject yet. I hope to take the first part of my CCNA before Christmas. And I will take the CompTIA+ before 12-?-07 so I can get my free T-shirt. :D

I know one thing: some devices have all ports and interfaces turned off. Did you not turn one on? Oh yeah, I know at least in Cisco the (config-if)#no shutdown command helps out; I forget to do that once in a while.
 
I've been doing Ciscos for years. I have about 60 configs for PIXes that allow me to have one up and running in under 5 minutes once I change the IPs; that includes failover bundles. I keep them on TWO USB sticks, as well as probably 200 router configs on the same sticks.
As for the AT stuff, it's another thing to learn and have in my bag of tricks. AT actually makes some nice stuff and pricing is similar; you just don't run into it too often in the US, as their major market is outside the US (they are a Japanese company). I have one of their 1TB NAS boxes here at the house, a 1U box with 4 drives in it. It works well; it took 10 minutes to set up once I got the right cables for the serial port.
For this one I found I needed to bind one of the VLANs and add a firewall policy with public on eth0 [WAN] and private on the VLAN. Like the PIX, once the FW is turned on nothing goes in or out.
Now I have to work on the new Cisco 2811 I have on the bench for a customer; it goes in next weekend, now that I'm not going to Calif. this week. Need to run up to the raceway and grab the config from the 1800 they have now. I'd put it in today, but I want to play with it for a few days.

I did find AT support groups; too bad I don't speak Polish, Russian, French or some of the Asian languages, I would have been all set otherwise. Finally found the part I was missing in the docs that came with it AFTER spending 4 hours last night reading the PDFs.
 
Well, that makes sense.

Kinda figured it was some sort of binding issue, but I've never worked with one of those, so I wasn't going to start making suggestions.

I was merely curious.
 
87manche said:
Well, that makes sense.

Kinda figured it was some sort of binding issue, but I've never worked with one of those, so I wasn't going to start making suggestions.

I was merely curious.

They are actually not bad; the web GUI sucks, but then so does Cisco's. Much prefer the CLI and directly editing the files. The issue is finding the canned configs like Cisco has on their site; for AT they don't exist. Now I will start building a canned config on the USB sticks and go from there.

Here is what a basic get-it-running-and-connected one looks like for a DHCP-enabled WAN like a cable modem. As you can see there are still a lot of unconfigured toys to play with :D

#
# SYSTEM configuration
#
set system name="AT-450S"
set system location="PoconoInternationalRaceway"
set system contact="Rich Pierson"

#
# LOAD configuration
#

#
# USER configuration
#
# pass= is the encrypted form the device writes out, not the plaintext.
# telnet=yes lets this account log in over telnet, which carries the
# password in the clear; the Secure Shell section further down is still
# empty, so there is no encrypted management path on this box yet.
set user=manager pass=3af00c6cad11f7ab5db4467b66ce503eff priv=manager lo=yes
set user=manager telnet=yes desc="Manager Account"

#
# TTY configuration
#

#
# ASYN configuration
#

#
# ETH configuration
#

#
# SWITCH (pre-VLAN) configuration
#

#
# PPP templates configuration
#

#
# ACC configuration
#

#
# L2TP configuration
#

#
# SA configuration
#

#
# GRE configuration
#

#
# VLAN general configuration
#
# One VLAN per switch port; ports 4 and 5 stay in the default VLAN,
# which gets no IP address and no firewall binding below.
create vlan="vlan3" vid=3
create vlan="vlan4" vid=4
create vlan="vlan5" vid=5

#
# VLAN port configuration
#
add vlan="3" port=1
add vlan="4" port=2
add vlan="5" port=3

#
# SWITCH (post-VLAN) configuration
#

#
# PPP configuration
#

#
# DHCP configuration - Pre IP
#

#
# IP configuration
#
# eth0 (WAN) takes its address from the cable modem by DHCP;
# each VLAN gets its own /24 with the box as .1.
enable ip
enable ip remote
add ip int=eth0 ip=dhcp
add ip int=vlan3 ip=192.168.3.1
add ip int=vlan4 ip=192.168.4.1
add ip int=vlan5 ip=192.168.5.1

#
# IPv6 configuration
#


#
#PIM4 configuration
#

#
#PIM6 configuration
#

#
#DVMRP configuration
#

#
# OSPF configuration
#
#
# CLNS Configuration
#

#
# SNMP configuration
#

#
# INTERFACE configuration
#

#
# UPNP configuration
#

#
# FIREWALL configuration
#
# Once the firewall is enabled nothing crosses between interfaces unless
# a policy covers both sides. Every IP interface has to be bound to the
# policy as public or private; an interface with an address but no
# binding (the 192.168.1.1 state in the first post) answers pings to
# itself and forwards nothing.
enable firewall
create firewall policy="lans"
# icmp_f=ping lets ping through the policy in addition to the default
# ICMP handling.
enable firewall policy="lans" icmp_f=ping
add firewall policy="lans" int=vlan5 type=private
add firewall policy="lans" int=vlan4 type=private
add firewall policy="lans" int=vlan3 type=private
add firewall policy="lans" int=eth0 type=public
# Enhanced NAT hides each private VLAN behind the public address on eth0;
# gblin must name an interface that is bound as public above.
add firewall policy="lans" nat=enhanced int=vlan5 gblin=eth0
add firewall policy="lans" nat=enhanced int=vlan4 gblin=eth0
add firewall policy="lans" nat=enhanced int=vlan3 gblin=eth0

#
# RADIUS configuration
#

#
# TELNET configuration
#

#
# BOOTP configuration
#

#
# NTP configuration
#
# utc= is the local offset from UTC. Effort, PA is UTC-5 (EST) / UTC-4
# (EDT), so check that the sign of +04:00:00 is what the device expects;
# log timestamps are only useful if the clock is right.
enable ntp
set ntp utc=+04:00:00
add ntp peer=128.118.25.53

# PING configuration

#
# DHCP configuration - Post IP
#

#
# DHCPv6 configuration
#

#
# IPX configuration
#

#
# APPLETALK configuration
#

#
# BRIDGE configuration
#

#
# ENCO configuration
#

#
# Secure Shell configuration
#

#
# SSL Configurations
#

#
# LOG module configuration
#


#
# RSVP module configuration
#

#
# MAIL configuration
#

#
# IPSEC configuration
#


#
# ISAKMP Configurations
#

#
# PKI configuration
#

#
# HTTP configuration
#

#
# VRRP configuration
#

#
# GUI configuration
#

# BGP configuration

#
# LB configuration
#

#
# TACP configuration
#

#
# SKEY configuration
#
#
# TRIGGER Configuration
#
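The fix Rich describes (bind every IP interface to a firewall policy as public or private, then NAT the private side out the public one) is easy to miss in a dump this long. The following script is an added example, not from the thread or from Allied Telesyn: it parses the AlliedWare-style add/set/enable lines, reconstructs which interfaces have addresses, which are bound to a policy, and which have NAT, and reports the gaps, plus the cleartext-telnet management caveat. The two embedded configs are constructed, cut down from the one posted above; the keyword list used to expand abbreviations such as poli= and gblin= is an assumption about the device's command syntax.

```python
import re

# Constructed sample, cut down from the AR450S config posted in the thread
# (the state after the fix: every IP interface is bound to the policy).
WORKING_CONFIG = """
enable ip
add ip int=eth0 ip=dhcp
add ip int=vlan3 ip=192.168.3.1
add ip int=vlan4 ip=192.168.4.1
set user=manager telnet=yes desc="Manager Account"
enable firewall
create firewall policy="lans"
enable firewall policy="lans" icmp_f=ping
add firewall policy="lans" int=vlan4 type=private
add firewall policy="lans" int=vlan3 type=private
add firewall policy="lans" int=eth0 type=public
add firewall poli="lans" nat=enhanced int=vlan4 gblin=eth0
add firewall poli="lans" nat=enhanced int=vlan3 gblin=eth0
"""

# Constructed: the "can ping the box, can't get past it" state from the
# first post. Firewall on, inside interface addressed, nothing bound.
BROKEN_CONFIG = """
enable ip
add ip int=eth0 ip=dhcp
add ip int=vlan1 ip=192.168.1.1
set user=manager telnet=yes
enable firewall
create firewall policy="lans"
"""

# Assumed full keyword spellings, used to expand the abbreviations the CLI
# accepts (poli= -> policy, int= -> interface, gblin= -> gblinterface).
KEYWORDS = ("policy", "interface", "type", "nat", "gblinterface", "ip",
            "user", "telnet", "icmp_forwarding")


def canon(key):
    key = key.lower()
    for word in KEYWORDS:
        if word.startswith(key):
            return word
    return key


TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)|(\S+)')


def parse(text):
    """Yield (verb, module, params) per line; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words, params = [], {}
        for key, value, bare in TOKEN.findall(line):
            if bare:
                words.append(bare.lower())
            else:
                params[canon(key)] = value.strip('"').lower()
        verb = words[0] if words else ""
        module = words[1] if len(words) > 1 else ""
        yield verb, module, params


def audit(text):
    """Return human-readable findings; an empty list means nothing to report."""
    firewall_on = False
    ip_ifaces, bound, nat_pairs, telnet_users = set(), {}, [], []
    for verb, module, p in parse(text):
        if (verb, module) == ("enable", "firewall") and "policy" not in p:
            firewall_on = True
        elif (verb, module) == ("add", "ip") and "interface" in p:
            ip_ifaces.add(p["interface"])
        elif (verb, module) == ("add", "firewall") and "type" in p:
            bound[p.get("interface", "?")] = p["type"]
        elif (verb, module) == ("add", "firewall") and "nat" in p:
            nat_pairs.append((p.get("interface", "?"), p.get("gblinterface", "?")))
        elif verb == "set" and "user" in p and p.get("telnet") == "yes":
            telnet_users.append(p["user"])

    findings = []
    if not firewall_on:
        findings.append("firewall is not enabled")
    # Addressed but unbound: the box answers, nothing crosses it.
    for iface in sorted(ip_ifaces - set(bound)):
        findings.append(f"{iface}: has an IP but is bound to no firewall policy")
    publics = {i for i, t in bound.items() if t == "public"}
    privates = {i for i, t in bound.items() if t == "private"}
    if firewall_on and not publics:
        findings.append("no interface is bound as public")
    for iface, gbl in nat_pairs:
        if gbl not in publics:
            findings.append(f"NAT for {iface} uses {gbl}, which is not a public interface")
    natted = {i for i, g in nat_pairs if g in publics}
    for iface in sorted(privates - natted):
        findings.append(f"{iface}: private interface with no NAT out a public interface")
    # Telnet carries the manager password in the clear; the policy keeps it
    # off the WAN side, but anyone on a private VLAN can sniff it.
    for user in telnet_users:
        findings.append(f"user {user}: telnet management enabled (cleartext)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

Run it against a full dump before loading the config: the unbound-interface check is the four hours of PDF reading compressed into one line of output, and the telnet finding is the reminder to fill in the empty Secure Shell section before the box goes in at the customer.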
 
moparmatt said:
That is cool stuff, Rich. I hate GUI mode when configuring stuff; plus it is faster to type.

For websites that are in foreign languages I use http://babelfish.altavista.com/

You are the network admin for Pocono Raceway. :worship:

Not yet; they just built a new corporate headquarters building. I'm doing the systems and whole setup from start to finish, then we will see how it goes from there. Interesting thing about that track: it is busy 7 days a week, 52 weeks a year, between races, driving schools and clubs that race both cars and bikes up there. The two NASCAR races are a pretty small part, but they do bring the most people in at one time and piss off the locals with road closures and one-way roads for the whole 3 days :D. The Porsche club was up there last weekend when we were punching down the patch panels; for two whole days they had the track. I don't know how many cars were there, but they went by the building the entire two days from 9am till we left at around 5pm. Once this is in I need to start setting up the new ticketing system and start getting their workstations up to date; they are still running 98 and 2000 up there. Then the aeronets come next. I've been doing work for them for about 5 years now. It's fun stuff for me, plus I like the people up there.
 
Anybody know of any good granny boxes out there? They want to cut down on the eBay surfing and stuff during working hours, but they still need internet access. Perhaps the AT box will do it; I just have not figured out how yet, but I'm looking... :D :D :D
 
RichP said:
Anybody know of any good granny boxes out there? They want to cut down on the eBay surfing and stuff during working hours, but they still need internet access. Perhaps the AT box will do it; I just have not figured out how yet, but I'm looking... :D :D :D

Static or dynamic filtering?
Network appliance, or a PC running Linux/Windoze acting as a proxy?

I've got some experience with those little bastards because we do some work at some schools.

The front runner for proxy/filtering at schools is Bess, but that's probably a little overkill.

I'm sure that you can do a simple disallow list in that AT box, but static filtering is such a PITA because you have to update the list constantly.
Of course, dynamic filtering is not 100% perfect either.

Most businesses find that if you get rid of the webmail sites and ebay/youtube and the like that it's all they need. Just killing off the biggest timewasters anyway.
 
RichP said:
Anybody know of any good granny boxes out there? They want to cut down on the eBay surfing and stuff during working hours, but they still need internet access. Perhaps the AT box will do it; I just have not figured out how yet, but I'm looking... :D :D :D
I have been getting around granny boxes since they came out. :D I cannot recommend any because I have not managed any yet. The one at my old high school used DansGuardian, then they upgraded to Lightspeed TTC (got a detention for shutting that one down :D). Lightspeed was good for the "average user", but I was too 1337. Too bad it is used for education systems.
 
Yea, I can probably filter the URLs, but I'm looking for something I can hang on the network, not another pass-through. I'm hunting through SourceForge to see what they have. If I find what I hope to, I'll hang a Linux 1U server on there to sniff packets as they go by, something similar to the way you can use the black hole list on domains for mail servers. I've got a feeling they exist; I just never needed one before, though it may be a proxy setup. I just don't want to do any more translations, and I sure don't want to do an MS solution either :D.
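The sniff-and-match idea in the post above, as an added example that is not part of the thread: a passive DNS classifier in Python that pulls the question name out of a raw DNS query and walks up its labels against a blocklist, the same parent-zone matching a DNSBL lookup does for mail. The blocklist entries and the query packets are constructed here (build_query is a helper for making test traffic, not something the page describes); the code reports matches rather than blocking anything, which is what a box hung off a span port can do on its own.

```python
import struct

# Constructed blocklist in the spirit of the thread: the big timewasters.
# Matching is by zone, so shop.ebay.com hits ebay.com but notebay.com does not.
BLOCKLIST = {"ebay.com", "youtube.com", "mail.yahoo.com"}


def parse_dns_qname(payload):
    """Return the lower-cased QNAME of the first question in a raw DNS message.

    Question names are never compressed, so a pointer byte here is a
    malformed or hostile packet and is rejected rather than followed.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        if length & 0xC0:
            raise ValueError("compressed label in question")
        pos += 1
        if length == 0:
            break
        if pos + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels)


def build_query(name, txid=0x1234):
    """Build a minimal A query for name; constructed test traffic only."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def blocked_by(name, blocklist=BLOCKLIST):
    """Walk the name up one label at a time; return the blocklist zone that matched, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def classify(packets, blocklist=BLOCKLIST):
    """Map each captured DNS query payload to (qname, matched zone or None)."""
    out = []
    for payload in packets:
        name = parse_dns_qname(payload)
        out.append((name, blocked_by(name, blocklist)))
    return out


if __name__ == "__main__":
    captured = [build_query("www.youtube.com"), build_query("shop.ebay.com"),
                build_query("naxja.org")]
    for name, zone in classify(captured):
        print(f"{name:20s} {'BLOCKED by ' + zone if zone else 'ok'}")
```

Feed it the UDP payloads of port 53 traffic off a mirror port and log the hits; static lists go stale exactly as the earlier reply warns, so the blocklist is the part to keep updating.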
 
You can do that with Linux; I'm pretty sure I even saw a LiveCD with that on it, already set up for Intel/3Com NICs.

I'll see if I can't find that again.
 