- Clavister Security Gateway 8.x, 9.x and 10.x.
I have a web server behind the SGW that handles our company website. I want users behind the SGW to be able to surf to our website by going to the DNS name, but it does not work from the network the web server is located on.
Description:
In most scenarios this works fine; the problem occurs when users on the same network segment as the web server try to reach it via the external IP. The following two pictures illustrate the packet flow direction problem. The first picture describes a scenario that works fine using the standard SAT/Allow rule combination. The second picture describes the scenario where it does not work, because the web server is on the same network as the client.
Solution:
The solution is to address translate (NAT) the connection from the client to the web server, so that the web server's reply is sent back through the Security Gateway instead of directly to the client on the same segment. Using scenario 2 as the example, the original rule set is:
- SAT   Any  All-Nets  Core  IP_Wan  HTTP  SetDest=Webserver
- Allow Any  All-Nets  Core  IP_Wan  HTTP
With a NAT rule added for clients on Lannet, placed between the SAT and Allow rules:
- SAT   Any  All-Nets  Core  IP_Wan  HTTP  SetDest=Webserver
- NAT   Lan  Lannet    Core  IP_Wan  HTTP
- Allow Any  All-Nets  Core  IP_Wan  HTTP
An alternative solution is to change only the Allow rule so that it triggers for traffic arriving on the Wan interface:
- SAT   Any  All-Nets  Core  IP_Wan  HTTP  SetDest=Webserver
- Allow Wan  All-Nets  Core  IP_Wan  HTTP
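To make the packet flow direction problem concrete, the following added example (not Clavister's code and not part of the original article) models the three rule sets above and traces a single HTTP request from an Internet client and from a client on Lannet. All addresses (IP_Wan, the gateway's Lan address, Lannet, the web server and the two clients) are constructed assumptions, and the model assumes a two-interface gateway where the NAT rule hides the client behind the gateway's Lan address.

```python
"""Model of the SAT / NAT / Allow rule sets from the article, showing why the
hairpinned HTTP connection fails from Lannet and how the NAT rule fixes it.
Example code, not Clavister's; all addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (assumptions, not from the article).
IP_WAN = ipaddress.ip_address("203.0.113.10")      # IP_Wan, the public address
IP_LAN = ipaddress.ip_address("192.168.1.1")       # gateway's Lan interface address
LANNET = ipaddress.ip_network("192.168.1.0/24")    # Lannet
WEBSERVER = ipaddress.ip_address("192.168.1.80")   # SAT SetDest target
CLIENT_LAN = ipaddress.ip_address("192.168.1.50")  # same segment as the web server
CLIENT_WAN = ipaddress.ip_address("198.51.100.7")  # an Internet client

NETS = {
    "All-Nets": ipaddress.ip_network("0.0.0.0/0"),
    "Lannet": LANNET,
    "IP_Wan": ipaddress.ip_network(f"{IP_WAN}/32"),
}


@dataclass(frozen=True)
class Rule:
    action: str    # "SAT", "NAT" or "Allow"
    src_if: str    # "Any", "Lan" or "Wan"
    src_net: str
    dst_if: str    # "Core" = traffic addressed to the gateway itself
    dst_net: str
    setdest: Optional[ipaddress.IPv4Address] = None  # SAT SetDest target


# The three rule sets quoted in the article (service HTTP implied throughout).
RULES_ORIGINAL = [
    Rule("SAT", "Any", "All-Nets", "Core", "IP_Wan", WEBSERVER),
    Rule("Allow", "Any", "All-Nets", "Core", "IP_Wan"),
]
RULES_WITH_NAT = [
    Rule("SAT", "Any", "All-Nets", "Core", "IP_Wan", WEBSERVER),
    Rule("NAT", "Lan", "Lannet", "Core", "IP_Wan"),
    Rule("Allow", "Any", "All-Nets", "Core", "IP_Wan"),
]
RULES_WAN_ONLY = [
    Rule("SAT", "Any", "All-Nets", "Core", "IP_Wan", WEBSERVER),
    Rule("Allow", "Wan", "All-Nets", "Core", "IP_Wan"),
]


def iface_of(ip):
    """Interface a packet from this address arrives on (two-interface model)."""
    return "Lan" if ip in LANNET else "Wan"


def matches(rule, src, dst):
    if rule.src_if != "Any" and rule.src_if != iface_of(src):
        return False
    if src not in NETS[rule.src_net]:
        return False
    # "Core" matches only packets addressed to one of the gateway's own addresses.
    if rule.dst_if == "Core" and dst not in (IP_WAN, IP_LAN):
        return False
    return dst in NETS[rule.dst_net]


def forward(rules, src, dst):
    """Run one packet through the rule set; returns (src, dst) as forwarded, or
    None if dropped. A SAT rule only records the translation: a later NAT or
    Allow rule must also match, otherwise the packet is dropped."""
    new_dst = dst
    for rule in rules:
        if not matches(rule, src, dst):
            continue
        if rule.action == "SAT":
            new_dst = rule.setdest
        elif rule.action == "NAT":
            # Assumption: NAT hides the client behind the gateway's Lan address.
            return IP_LAN, new_dst
        elif rule.action == "Allow":
            return src, new_dst
    return None


def hairpin_outcome(rules, client):
    """Verdict for an HTTP request from `client` to IP_Wan under `rules`:
    "ok", "asymmetric" (reply bypasses the gateway) or "dropped"."""
    fwd = forward(rules, client, IP_WAN)
    if fwd is None:
        return "dropped"
    fwd_src, _ = fwd
    # The web server replies directly to hosts on its own segment and via the
    # gateway (its default route) to everyone else.
    if fwd_src in LANNET and fwd_src != IP_LAN:
        # The client receives a reply from the web server's private address
        # instead of from IP_Wan, so the TCP handshake never completes.
        return "asymmetric"
    # The reply passes the gateway, which reverses both translations.
    return "ok"


if __name__ == "__main__":
    cases = (("original", RULES_ORIGINAL), ("with NAT", RULES_WITH_NAT),
             ("Wan-only Allow", RULES_WAN_ONLY))
    for name, rules in cases:
        for who, client in (("Internet client", CLIENT_WAN), ("Lannet client", CLIENT_LAN)):
            print(f"{name:15} {who:16} -> {hairpin_outcome(rules, client)}")
```

Running the script prints one verdict per rule set and client: the original SAT/Allow pair works from the Internet but is asymmetric from Lannet, the rule set with the NAT rule works from both, and the Wan-only Allow rule drops hairpinned requests from Lannet (those clients must then use the web server's internal address) while still serving Internet clients.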