Problem reaching external webserver from the inside.


Post by Peter » 27 Dec 2013, 12:16

This How-to applies to:
  • Clavister Security Gateway 8.x, 9.x and 10.x.
Problem:

I have a web server behind the SGW that handles our company website. I want users behind the SGW to be able to surf to our website by going to the DNS name, but it does not work from the network the web server is located on.

Description:

In most scenarios this works fine. The problem appears when users on the same network segment as the web server try to reach the external IP: the SGW translates the destination and forwards the request to the web server, but the web server sees the client's real address on its own segment and sends the reply directly to the client, bypassing the SGW. The client then receives a reply from the web server's internal IP instead of from IP_Wan, which does not match the connection it opened, so the connection never completes. The following pictures illustrate the packet flow. This first picture describes a scenario that works fine using the standard SAT/Allow rule combination (client on the Wan side):
SAT_Scenario_1.png
This second picture describes the scenario where it does not work (the web server is on the same network as the client):
SAT_Scenario_2.png
Solution:

The solution is to address translate the connection from the client to the web server. So if we use scenario-2 as example we have the following rule setup:
  • SAT Any All-Nets Core IP_Wan HTTP SetDest=Webserver
    Allow Any All-Nets Core IP_Wan HTTP
We then create a NAT rule between the SAT and the Allow rule that triggers for traffic from the Lan interface like this:
  • SAT Any All-Nets Core IP_Wan HTTP SetDest=Webserver
    NAT Lan Lannet Core IP_Wan HTTP
    Allow Any All-Nets Core IP_Wan HTTP
This way, when traffic arrives at the web server, it sees the sender as its own gateway address (192.168.100.1) and replies to that IP, so the packet flow stays intact and the SGW handles the entire conversation. The SGW then forwards the reply to the client based on the connection that was opened earlier. Note that the web server's access logs will show 192.168.100.1 as the client for every visit from Lannet, since the original source address is hidden by the NAT rule.

An alternative solution is to change only the Allow rule so that it triggers for external traffic, like this:
  • SAT Any All-Nets Core IP_Wan HTTP SetDest=Webserver
    Allow Wan All-Nets Core IP_Wan HTTP
This way the Allow rule will not trigger for connections from the Lan interface. Ruleset evaluation then continues past it, looking for a matching Allow or NAT rule for the SAT rule. In most cases the administrator already has an outgoing NAT rule somewhere in the ruleset; the only requirement is that the SAT rule is placed above that NAT rule so the SAT rule triggers first in this particular scenario. If the SAT rule is below the NAT rule, the NAT rule matches first and the connection goes to IP_Wan itself rather than to the web server, and if no Allow or NAT rule matches at all after the SAT rule, the connection is dropped.
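The packet-flow reasoning above can be checked with a small model of the ruleset walk. The following is an added example, not Clavister code or part of the original post: a Python simulation of first-match evaluation in which a matching SAT rule only records the translation and the connection is opened by the next matching Allow or NAT rule, with a route lookup to decide which interface the translated packet leaves on. All addresses except the Lan gateway 192.168.100.1 are assumptions (documentation ranges), and the interface and rule names mirror the post's notation. It runs the three rulesets from the post plus the wrong ordering (outgoing NAT above the SAT) against a client on Wan and a client on Lannet and reports whether the reply path stays symmetric through the SGW.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the model. Only 192.168.100.1 (the Lan gateway) is
# from the original post; the rest are assumptions in documentation ranges.
IP_WAN = ipaddress.ip_address("203.0.113.10")      # SGW external address
IP_LAN = ipaddress.ip_address("192.168.100.1")     # SGW address on Lan
WEBSERVER = ipaddress.ip_address("192.168.100.10")
LANNET = ipaddress.ip_network("192.168.100.0/24")
ALL_NETS = ipaddress.ip_network("0.0.0.0/0")
IP_WAN_NET = ipaddress.ip_network(f"{IP_WAN}/32")


@dataclass
class Rule:
    action: str                     # "SAT", "NAT" or "Allow"
    src_if: str                     # "any", "wan" or "lan"
    src_net: ipaddress.IPv4Network
    dst_if: str                     # "any", "core", "wan" or "lan"
    dst_net: ipaddress.IPv4Network
    service: str                    # "http" or "all"
    set_dest: Optional[ipaddress.IPv4Address] = None   # SAT SetDest target


@dataclass
class Packet:
    src_if: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    service: str


def route(ip):
    """Interface the SGW forwards to; 'core' means one of the SGW's own addresses."""
    if ip in (IP_WAN, IP_LAN):
        return "core"
    if ip in LANNET:
        return "lan"
    return "wan"


def matches(rule, pkt):
    return (rule.src_if in ("any", pkt.src_if) and pkt.src in rule.src_net
            and rule.dst_if in ("any", route(pkt.dst)) and pkt.dst in rule.dst_net
            and rule.service in ("all", pkt.service))


def evaluate(rules, pkt):
    """First-match walk. A matching SAT rule records the new destination and
    the walk continues; the next matching Allow or NAT rule opens the
    connection. If nothing matches after the SAT rule the packet is dropped."""
    new_dst = None
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.action == "SAT":
            new_dst = r.set_dest
            continue
        dst = new_dst if new_dst is not None else pkt.dst
        egress = route(dst)
        src = pkt.src
        if r.action == "NAT":
            # NAT rewrites the source to the address of the egress interface
            src = {"lan": IP_LAN, "wan": IP_WAN}.get(egress, pkt.src)
        # The server answers whatever source it sees. If client and server
        # share a segment and the source was not rewritten, the reply goes
        # straight to the client from the server's real IP and never passes
        # the SGW, so it cannot be matched to the connection and is discarded.
        symmetric = egress != pkt.src_if or src != pkt.src
        return {"rule": r.action, "src": str(src), "dst": str(dst),
                "egress": egress, "symmetric": symmetric}
    return {"rule": "Drop", "src": str(pkt.src), "dst": str(pkt.dst),
            "egress": None, "symmetric": False}


# The rulesets from the post, in the post's notation
SAT_HTTP = Rule("SAT", "any", ALL_NETS, "core", IP_WAN_NET, "http", WEBSERVER)
ALLOW_ANY = Rule("Allow", "any", ALL_NETS, "core", IP_WAN_NET, "http")
ALLOW_WAN = Rule("Allow", "wan", ALL_NETS, "core", IP_WAN_NET, "http")
NAT_LAN_TO_CORE = Rule("NAT", "lan", LANNET, "core", IP_WAN_NET, "http")
NAT_OUT = Rule("NAT", "lan", LANNET, "any", ALL_NETS, "all")  # typical outgoing NAT

RULESET_PLAIN = [SAT_HTTP, ALLOW_ANY]                   # works only from Wan
RULESET_NAT_BETWEEN = [SAT_HTTP, NAT_LAN_TO_CORE, ALLOW_ANY]
RULESET_WAN_ALLOW = [SAT_HTTP, ALLOW_WAN, NAT_OUT]      # SAT must stay above NAT_OUT
RULESET_WRONG_ORDER = [NAT_OUT, SAT_HTTP, ALLOW_WAN]    # outgoing NAT placed above SAT

FROM_WAN = Packet("wan", ipaddress.ip_address("198.51.100.7"), IP_WAN, "http")
FROM_LAN = Packet("lan", ipaddress.ip_address("192.168.100.50"), IP_WAN, "http")

if __name__ == "__main__":
    for name, rs in [("plain", RULESET_PLAIN), ("nat-between", RULESET_NAT_BETWEEN),
                     ("wan-allow", RULESET_WAN_ALLOW), ("wrong-order", RULESET_WRONG_ORDER)]:
        for pkt in (FROM_WAN, FROM_LAN):
            print(f"{name:12} from {pkt.src_if}: {evaluate(rs, pkt)}")
```

Running it shows the plain SAT/Allow pair is symmetric from Wan but not from Lannet, both fixes become symmetric from Lannet with the source rewritten to 192.168.100.1, and with the outgoing NAT above the SAT rule the Lannet connection ends up at IP_Wan itself instead of the web server.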
