Hello Daniel,

i have the following configuration:

LAN--------[ProxyOpenBSD]-------[FirewallOpenBSD]-----(internet)

Your configuration is similar to mine, on the Proxy machine i do not use nat (i dont need it), the proxy machine is my default gateway.On the Firewall i have a rule that allows pass all the traffic that comes from the proxy.

Just for giving you a clue, i will post my pf.conf from my firewall.

I guess you have to set up your cisco to allow pass just the traffic you want, and tells the bsd to let pass what comes from cisco to any distanation.

My proxy is just a router, with few rules that blocks source and destinations.


I hope this can help ...

# Macros

ext_if="xl0"
dmz_if="fxp0"
int_if="fxp0"
ext_ip="x.x.x.x"
#External NAME SERVERS
NsV="{ 200.75.51.132 , 200.75.51.133 ,200.21.200.2 }"
Lan="192.168.0.0/24"
#SSH from LAN
SshC="192.168.0.3"
#dmz
SdOd="192.168.10.252"
Proxy="10.4.1.3"


#OPtioins

#Don't Filter on the loopback interface
set block-policy drop
set skip on lo



scrub in all
scrub out on $ext_if all random-id

nat on $ext_if from !($ext_if) -> $ext_ip

block in on { rl0, fxp0, xl0 } all
block out on { rl0, fxp0, xl0 } all
pass out keep state

#pass quick on $int_if
antispoof quick for { lo $int_if $dmz_if}


# HTTP, HTTPS
pass in on $int_if proto tcp from $Proxy to any port {80,8880,443 ,1863} keep state
pass out on $ext_if proto tcp from $Proxy to any port {80,8880,443 ,1863}  keep state

#dns 
pass in on $int_if proto udp from $Unxs to $NsV port 53 keep state
pass out on $ext_if proto udp from $Unxs to $NsV port 53  keep state







Laptop------->Cisco1721--(gre0)---->Openbsd[doing nat]--->internet ---->
quoted text
> msn.com




-------- Original-Nachricht --------
Datum: Tue, 26 Jun 2007 21:30:52 -0600
Von: "Daniel Melameth" <daniel@melameth.com>
An: misc@openbsd.org
Betreff: Re: nat trouble accessing web

quoted text
> Sounds like a possible MTU issue...  Liberal use of tcpdump should
> help in diagnosing the problem.
> 
> On 6/25/07, Lawrence Horvath <lordsporkton@gmail.com> wrote:
> > Im having some trouble accessing certain sites from my laptop going
> > through a obsd router doing nat
> >
> > I have 2 tested configurations
> >
> > Laptop------->Cisco1721[doing nat]--->internet ----> msn.com
> > and
> > Laptop------->Cisco1721--(gre0)---->Openbsd[doing nat]--->internet ---->
> msn.com
> >
> > in the first setup, i have a local network behind a cisco1721, the
> > cisco does nat, and all works well
> >
> > in the second setup, i have an internal network that spans via gre
> > from the cisco to an Openbsd router in colo which does the nat, this
> > is not working for me at all, when i try to go to msn.com, my browser
> > just sits there, i have tried this from 1 other computer as well
> >
> >
> > OpenBSD 4.0 GENERIC.MP#936 i386
> >
> > # cat /etc/pf.conf.test
> > # Macros
> > # Tables
> > # Options
> > # Traffic Normalization(scrub)
> > # Queueing
> > # Translation(nat->binat->rdr)
> > # Packet Filtering
> >
> > ext_if="tl0"
> > tun_if="gre0"
> >
> > int_ip="{ 10/8 192.168/16 }"
> > natpool_ip="208.179.68.11"
> > local_ip="{ 10/8 192.168/16 208.179.68.8/29 208.179.25/24 }"
> >
> > set optimization high-latency
> > no nat on $ext_if from $local_ip to $local_ip
> >   nat on $ext_if from $int_ip to any -> $natpool_ip
> >
> >
> > pass in all
> > pass out all
> >
> >
> >
> > im using ospfd to route over the gre
> >
> > with either situation, i can get good name resolution, and i can
> > telnet to the msn server on 0 and issue a get request successfully  i
> > can get to almost any other website in either config, google, yahoo,
> > etc, there are only a few i cant get to
> >
> > if there is any other info requested, im happy to provide
> > thank you

-- 
GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS.
Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail