
Problem reaching external webserver from the inside.

Posted: 27 Dec 2013, 12:16
by Peter
This How-to applies to:
  • Clavister Security Gateway 8.x, 9.x and 10.x.

I have a web server behind the SGW that hosts our company website. I want users behind the SGW to be able to reach our website by its DNS name, but it does not work from the network the web server is located on.


In most scenarios this works fine; the problem occurs when users on the same network segment as the web server try to reach its external IP. To illustrate the packet flow problem, see the following pictures. The first picture shows a scenario that works fine with the standard SAT/Allow rule combination:
[Figure: SAT_Scenario_1.png]
The second picture shows the scenario where it does not work (because the web server is on the same network as the client):
[Figure: SAT_Scenario_2.png]

The solution is to address translate the connection from the client to the web server. So if we use scenario-2 as example we have the following rule setup:
  Action  SrcIf  SrcNet    DstIf  DstNet  Service
  SAT     Any    All-Nets  Core   IP_Wan  HTTP     SetDest=Webserver
  Allow   Any    All-Nets  Core   IP_Wan  HTTP
We then create a NAT rule between the SAT and the Allow rule that triggers for traffic from the Lan interface like this:
  Action  SrcIf  SrcNet    DstIf  DstNet  Service
  SAT     Any    All-Nets  Core   IP_Wan  HTTP     SetDest=Webserver
  NAT     Lan    Lannet    Core   IP_Wan  HTTP
  Allow   Any    All-Nets  Core   IP_Wan  HTTP
This way, when the traffic arrives at the web server, the server sees its own gateway address as the sender and replies to that IP. The packet flow then stays intact because the SGW handles the entire conversation: it forwards the reply back to the client based on the connection that was set up earlier.

An alternative solution would be to only change the allow rule to trigger for external traffic, like this:
  Action  SrcIf  SrcNet    DstIf  DstNet  Service
  SAT     Any    All-Nets  Core   IP_Wan  HTTP     SetDest=Webserver
  Allow   Wan    All-Nets  Core   IP_Wan  HTTP
This way the Allow rule will not trigger when you connect from the Lan interface. The rule lookup then continues through the ruleset to find a matching Allow or NAT rule for the SAT rule. In most cases the administrator already has an outgoing NAT rule somewhere in the ruleset; the only requirement is that the SAT rule is placed above that NAT rule so that it triggers first in this particular scenario.

Note: When using an IP policy, you simply set the source translation to be NAT instead of default <auto>.
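As an added illustration, not part of the original post and not Clavister's own code, the following Python model replays the rule lookup and the reply path for the rulesets above: the standard SAT/Allow pair, the pair with a NAT rule inserted, and the alternative with the Allow rule restricted to Wan plus an existing outgoing NAT rule. All addresses, the generic outgoing NAT rule, and the Lan/Wan/Core interface lookup are assumptions made for the model; the SGW's real routing is more involved than the two-network table used here.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addresses (assumptions; the post only names the objects IP_Wan, Lannet, Webserver).
LANNET = ip_network("192.168.1.0/24")
IP_LAN = ip_address("192.168.1.1")          # the SGW's own address on the Lan interface
IP_WAN = ip_address("203.0.113.10")         # IP_Wan, the SGW's external address
IP_WAN_NET = ip_network("203.0.113.10/32")
WEBSERVER = ip_address("192.168.1.80")
LAN_CLIENT = ip_address("192.168.1.50")     # client on the same segment as the web server
WAN_CLIENT = ip_address("198.51.100.7")     # client on the Internet
ALL_NETS = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    svc: str
    in_if: str          # interface the packet arrived on: "Lan" or "Wan"


@dataclass(frozen=True)
class Rule:
    action: str         # "SAT", "NAT" or "Allow"
    src_if: str         # "Any", "Lan" or "Wan"
    src_net: IPv4Network
    dst_if: str         # "Any", "Core", "Lan" or "Wan"
    dst_net: IPv4Network
    svc: str            # "HTTP" or "All"
    set_dest: Optional[IPv4Address] = None   # only used by SAT rules


def iface_for(addr: IPv4Address) -> str:
    """Simplified routing table: Lannet is behind Lan, everything else behind Wan."""
    return "Lan" if addr in LANNET else "Wan"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # A destination that is one of the SGW's own addresses routes to "Core".
    dst_if = "Core" if pkt.dst in (IP_WAN, IP_LAN) else iface_for(pkt.dst)
    return (rule.src_if in ("Any", pkt.in_if) and pkt.src in rule.src_net
            and rule.dst_if in ("Any", dst_if) and pkt.dst in rule.dst_net
            and rule.svc in ("All", pkt.svc))


def evaluate(ruleset, pkt: Packet):
    """First-match lookup as described in the post: a matching SAT rule records the new
    destination and the lookup continues, still on the untranslated packet, until an
    Allow or NAT rule matches. Returns (final action, SAT destination or None)."""
    sat_dest = None
    for rule in ruleset:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "SAT":
            sat_dest = rule.set_dest
            continue
        return rule.action, sat_dest
    return "Drop", sat_dest


def reply_source_seen_by_client(ruleset, client: IPv4Address) -> Optional[IPv4Address]:
    """Source address of the HTTP reply as the client sees it, or None if nothing comes back."""
    req = Packet(src=client, dst=IP_WAN, svc="HTTP", in_if=iface_for(client))
    action, sat_dest = evaluate(ruleset, req)
    if action not in ("Allow", "NAT") or sat_dest is None:
        return None     # dropped, or no SAT rule rewrote the destination
    # NAT replaces the source with the SGW's own address on the interface facing the server.
    fwd_src = IP_LAN if action == "NAT" else client
    # The web server answers hosts on its own subnet directly; anything else goes via its
    # default gateway, the SGW, which then reverses the translations on the way back.
    via_sgw = fwd_src == IP_LAN or fwd_src not in LANNET
    return IP_WAN if via_sgw else sat_dest


def conversation_ok(ruleset, client: IPv4Address) -> bool:
    """The client expects its reply from IP_Wan; a reply from any other address is discarded."""
    return reply_source_seen_by_client(ruleset, client) == IP_WAN


SAT = Rule("SAT", "Any", ALL_NETS, "Core", IP_WAN_NET, "HTTP", set_dest=WEBSERVER)
ALLOW_ANY = Rule("Allow", "Any", ALL_NETS, "Core", IP_WAN_NET, "HTTP")
NAT_LAN = Rule("NAT", "Lan", LANNET, "Core", IP_WAN_NET, "HTTP")
ALLOW_WAN = Rule("Allow", "Wan", ALL_NETS, "Core", IP_WAN_NET, "HTTP")
NAT_OUT = Rule("NAT", "Lan", LANNET, "Any", ALL_NETS, "All")   # assumed existing outgoing NAT rule

RULES_STANDARD = [SAT, ALLOW_ANY]              # scenario 2: breaks for the Lan client
RULES_WITH_NAT = [SAT, NAT_LAN, ALLOW_ANY]     # first solution
RULES_ALTERNATIVE = [SAT, ALLOW_WAN, NAT_OUT]  # alternative solution, SAT above the NAT rule
RULES_WRONG_ORDER = [ALLOW_WAN, NAT_OUT, SAT]  # SAT below NAT: NAT matches before SAT runs

if __name__ == "__main__":
    for name, rules in [("standard", RULES_STANDARD), ("with NAT", RULES_WITH_NAT),
                        ("alternative", RULES_ALTERNATIVE), ("wrong order", RULES_WRONG_ORDER)]:
        print(f"{name:12} lan client ok={conversation_ok(rules, LAN_CLIENT)} "
              f"wan client ok={conversation_ok(rules, WAN_CLIENT)}")
```

With the standard ruleset the Lan client receives its reply directly from the web server's own address rather than from IP_Wan, which is exactly the broken flow of scenario 2; both fixes route the reply back through the SGW. The wrong-order ruleset shows the ordering caveat from the alternative solution: when the outgoing NAT rule sits above the SAT rule, lookup stops at the NAT rule and the destination is never rewritten.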