Routing to ARP published IPs

vbk
Posts: 3
Joined: 15 Jan 2018, 15:40

Routing to ARP published IPs

Post by vbk » 15 Jan 2018, 15:54

Hi,

I have got 5 IPs from my ISP. They are connected to G2 on my SG. One IP is the Interface-IP and the rest are ARP published IPs.
All works fine. Port forwarding to the different servers works fine too.

But when I try to connect from an internal PC to a server in the DMZ with an ARP published IP, I can't connect and I don't know why.

Does anybody have an idea what I am doing wrong?

Peter
Posts: 665
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Routing to ARP published IPs

Post by Peter » 16 Jan 2018, 14:08

Hi.

Maybe it is this problem?

viewtopic.php?f=8&t=5163 - Problem reaching external webserver from the inside.

Best regards
/Peter

vbk
Posts: 3
Joined: 15 Jan 2018, 15:40

Re: Routing to ARP published IPs

Post by vbk » 16 Jan 2018, 14:34

Hi Peter,

I think it's not exactly the same.
From your link we use scenario 1 with different SAT and Allow rules.

Here are my rules:
SAT|any|all-nets|G2|IP_13x|allowed-services|DST:SAT(Webserver)
Allow|any|all-nets|G2|IP_13x|allowed-services|SRC:Auto

anders s
Posts: 33
Joined: 27 Sep 2011, 14:41

Re: Routing to ARP published IPs

Post by anders s » 17 Jan 2018, 16:23

If Webserver is on internal network you need SAT+NAT rules to trigger on the traffic from internal.

SAT|any|all-nets|G2|IP_13x|allowed-services|DST:SAT(Webserver)
Allow|G2|all-nets|G2|IP_13x|allowed-services|SRC:Auto
NAT|Internal|internal_net|G2|all-nets|allowed-services|SRC:Auto

Or
SAT|any|all-nets|G2|IP_13x|allowed-services|DST:SAT(Webserver)
NAT|G2|all-nets|G2|IP_13x|allowed-services|SRC:Auto
Allow|any|all-nets|G2|IP_13x|allowed-services|SRC:Auto

I prefer option 1, specifying external as the source interface in the allow rule.
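
Why the extra NAT rule matters when client and server share a network, as an added illustration that is not part of the post above and does not model Clavister's rule engine: a small Python trace of the address rewriting, with constructed addresses and a hypothetical `connect` helper. It goes beyond the post by also tracing a server on a separate network, assuming that server's default route is the gateway.

```python
import ipaddress

# Constructed addresses (documentation/private ranges), not taken from the thread.
PUBLIC_IP = "203.0.113.13"   # stands in for the ARP published address (IP_13x)
GW_IP = "192.168.1.1"        # gateway's own address, used as NAT source (assumed)
CLIENT_IP = "192.168.1.50"   # internal PC

def same_net(a, b, prefix=24):
    """True if a and b are on-link with each other (a /24 is assumed)."""
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return ipaddress.ip_address(b) in net

def connect(server_ip, src_nat):
    """Trace client -> PUBLIC_IP through a gateway that rewrites the destination
    (SAT) and optionally the source (NAT).
    Returns (reply_source_seen_by_client, reply_path, accepted)."""
    src, dst = CLIENT_IP, PUBLIC_IP
    dst = server_ip                  # SAT: destination becomes the real server
    if src_nat:
        src = GW_IP                  # NAT: source becomes the gateway itself
    # The server answers whatever source address it saw.
    reply_src, reply_dst = dst, src
    if reply_dst == GW_IP or not same_net(server_ip, reply_dst):
        # Reply reaches the gateway, whose state entry undoes SAT (and NAT).
        path = "via gateway"
        reply_src, reply_dst = PUBLIC_IP, CLIENT_IP
    else:
        # Client is on-link for the server: the reply never touches the gateway,
        # so it arrives with the server's real address as source.
        path = "direct"
    # The client only accepts replies from the address it connected to.
    accepted = reply_src == PUBLIC_IP and reply_dst == CLIENT_IP
    return reply_src, path, accepted

if __name__ == "__main__":
    cases = [
        ("same network, SAT only", "192.168.1.10", False),
        ("same network, SAT + NAT", "192.168.1.10", True),
        ("separate network, SAT only", "10.0.0.10", False),
    ]
    for label, server, nat in cases:
        print(f"{label:28} -> {connect(server, nat)}")
```
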

vbk
Posts: 3
Joined: 15 Jan 2018, 15:40

Re: Routing to ARP published IPs

Post by vbk » 17 Jan 2018, 16:50

Hi anders s,

I tried both of your ways, but it doesn't work... :cry:

The webserver is in a DMZ and not in my internal network.

Peter
Posts: 665
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Routing to ARP published IPs

Post by Peter » 18 Jan 2018, 17:09

Hmmm, difficult to say what the problem is without a look at your configuration.

Can you perhaps create a support ticket and add your configuration to it? It "should" reasonably be something simple but you never know :mrgreen:

https://my.clavister.com/help-desk/regi ... rt-ticket/

Best regards
/Peter
