
Access from LAN to LAN webservers with direct proxy not working

Hello,

our environment is as follows:

LAN with multiple webservers with multiple domains.

Public DNS is set to the XG external IP. Internal DNS servers for these domains are not set up, but DNS forwarders are working correctly, resolving to the XG external IP.

WAN access to LAN webservers with WAF works correctly.

LAN access to LAN webservers with direct proxy (3128) gives error 502. Network rule allowing LAN to LAN webservers seems to work, as traffic is logged as allowed.

We have tried a DNAT rule with the same 502 error, with and without MASQ.

If we create DNS records in the internal DNS server pointing to the LAN webservers' IPs, everything works correctly. But as we have multiple domains, we would prefer not to create multiple zones and records in our internal DNS servers.

Is there a way from LAN to access LAN webservers with direct proxy and no internal DNS records?

Thank you,

Lluís
  • Hi Lluís,

    am I understanding this right:

    You are trying to access your internal webserver from an internal address by making the firewall assume that the access is coming from outside and using the external DNS server for name resolution?

    What is happening with the packets? Switch on logging on the involved rules; create an explicit deny. Or do a tcpdump on the WAN interface/external IP address.

    Are you using the same DNS zone internally and externally (Split DNS)?

    Putting the Webserver into a DMZ zone would make the configuration much clearer.

  • Hi BeEf,

    you are understanding it right. I would like to access my internal web servers from LAN (with multiple domains), using external name resolution, and with direct proxy.

    These domains don't have DNS zones created internally. DNS resolution from internal client to these domains works correctly pointing to our external IP.

    I know creating a DMZ zone would improve some things, including security, but we are not able to set it up soon.

    XG Web filter log shows outgoing traffic as allowed by a network rule. 

    XG Web server protection log shows no incoming traffic (for this test), as if the DNAT rule is not working as expected (traffic coming from outside the LAN works well).

    Thank you,

    Lluís

  • I guess this is a matter of order.

    Who says that the DNAT rule is processed by the webfilter afterwards?

    This could be the reason that you only see outgoing traffic.

    In order to see what's happening you need to go at least to the level of SSH and tcpdump on the interfaces.

  • Hi BeEf,

    I have captured some traffic with ssh and tcpdump.

    The test client is PC-XXXX (10.0.3.120), the internal web server is SV-XXXX, and the Sophos internal IP is 10.0.0.40.

    tcpdump '(src host 10.0.3.120 and dst port 3128) or (src host 10.0.0.40 and dst port 80)'

    20:40:28.555018 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [.], ack 2438186360, win 1024, length 0
    20:40:28.555171 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [P.], ack 1, win 1024, length 318
    20:40:28.599245 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [.], ack 5841, win 1024, length 0
    20:40:28.599281 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [.], ack 13141, win 1024, length 0
    20:40:28.599330 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [.], ack 14601, win 1024, length 0
    20:40:28.599490 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [.], ack 18981, win 1024, length 0
    20:40:28.599588 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [.], ack 32121, win 1024, length 0
    20:40:28.599722 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [.], ack 43801, win 1024, length 0
    20:40:28.599828 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [.], ack 52561, win 1024, length 0
    20:40:28.599931 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [.], ack 62781, win 1024, length 0
    20:40:28.600077 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [.], ack 73118, win 1024, length 0
    20:40:28.601519 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [F.], seq 318, ack 73118, win 1024, length 0
    20:40:28.616225 Port1, OUT: IP 10.0.0.40.57519 > SV-XXXX.www: Flags [F.], seq 1788497436, ack 1210157644, win 238, length 0
    20:40:28.616740 Port1, OUT: IP 10.0.0.40.57519 > SV-XXXX.www: Flags [.], ack 2, win 238, length 0
    20:40:29.752236 Port1, OUT: IP 10.0.0.40.57530 > SV-XXXX.www: Flags [F.], seq 413163398, ack 2757117309, win 238, length 0
    20:40:29.752673 Port1, OUT: IP 10.0.0.40.57530 > SV-XXXX.www: Flags [.], ack 2, win 238, length 0
    20:40:30.486183 Port1, OUT: IP 10.0.0.40.57316 > SV-XXXX.www: Flags [P.], ack 594, win 275, length 823
    20:40:30.496058 Port1, OUT: IP 10.0.0.40.57316 > SV-XXXX.www: Flags [.], ack 1187, win 284, length 0
    20:40:31.444545 Port1, OUT: IP 10.0.0.40.55144 > SV-XXXX.www: Flags [P.], ack 594, win 479, length 823
    20:40:31.452587 Port1, OUT: IP 10.0.0.40.55144 > SV-XXXX.www: Flags [.], ack 1187, win 488, length 0
    20:40:31.716386 Port1, OUT: IP 10.0.0.40.53895 > SV-XXXX.www: Flags [P.], ack 594, win 648, length 822
    20:40:31.723059 Port1, OUT: IP 10.0.0.40.53895 > SV-XXXX.www: Flags [.], ack 1187, win 657, length 0
    20:40:33.052219 Port1, OUT: IP 10.0.0.40.57553 > SV-XXXX.www: Flags [F.], seq 822, ack 594, win 238, length 0
    20:40:33.052772 Port1, OUT: IP 10.0.0.40.57553 > SV-XXXX.www: Flags [.], ack 595, win 238, length 0
    20:40:33.172235 Port1, OUT: IP 10.0.0.40.57554 > SV-XXXX.www: Flags [F.], seq 821, ack 594, win 238, length 0
    20:40:33.172759 Port1, OUT: IP 10.0.0.40.57554 > SV-XXXX.www: Flags [.], ack 595, win 238, length 0
    20:40:34.957393 Port1, OUT: IP 10.0.0.40.54968 > SV-XXXX.www: Flags [P.], ack 594, win 507, length 823
    20:40:34.973400 Port1, OUT: IP 10.0.0.40.54968 > SV-XXXX.www: Flags [.], ack 1187, win 516, length 0
    20:40:35.083131 Port1, OUT: IP 10.0.0.40.57708 > SV-XXXX.www: Flags [S], seq 3825882708, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

    tcpdump '(src host externalIP and dst host InternalWebServerIP)'

    No result

    Thank you,

    Lluís
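As an added example, not from the thread or from Sophos: a small Python parser for tcpdump lines in the format shown above. It groups packets into flows and separates the client-to-proxy sessions (port 3128) from the proxy's own connections to the web server, so the two captures can be read side by side and any flow that took the external-IP/DNAT path would stand out in the "other" group. The sample lines are constructed, and the firewall IP, proxy port and web ports are assumptions taken from this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the SFOS tcpdump output in the thread.
SAMPLE = """\
20:40:28.555171 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [P.], ack 1, win 1024, length 318
20:40:28.601519 Port1, IN: IP PC-XXXX.62621 > 10.0.0.40.3128: Flags [F.], seq 318, ack 73118, win 1024, length 0
20:40:28.616225 Port1, OUT: IP 10.0.0.40.57519 > SV-XXXX.www: Flags [F.], seq 1788497436, ack 1210157644, win 238, length 0
20:40:30.486183 Port1, OUT: IP 10.0.0.40.57316 > SV-XXXX.www: Flags [P.], ack 594, win 275, length 823
20:40:35.083131 Port1, OUT: IP 10.0.0.40.57708 > SV-XXXX.www: Flags [S], seq 3825882708, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
"""

# One tcpdump summary line: timestamp, interface, direction, endpoints, TCP flags, payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)

def parse_capture(text):
    """Group packets into flows keyed by (direction, src, sport, dst, dport)."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP summary line (blank, prompt, non-TCP)
        f = flows[(m["dir"], m["src"], m["sport"], m["dst"], m["dport"])]
        f["packets"] += 1
        f["bytes"] += int(m["len"])  # payload bytes, so 0 for pure ACK/FIN/SYN
        f["flags"].add(m["flags"])
    return dict(flows)

def classify(flows, firewall_ip="10.0.0.40", proxy_port="3128", web_ports=("80", "www")):
    """Split flows into client->proxy, proxy->backend, and anything else (assumed values from the thread)."""
    groups = {"to_proxy": [], "proxy_to_backend": [], "other": []}
    for key in flows:
        direction, src, _sport, dst, dport = key
        if direction == "IN" and dst == firewall_ip and dport == proxy_port:
            groups["to_proxy"].append(key)
        elif direction == "OUT" and src == firewall_ip and dport in web_ports:
            groups["proxy_to_backend"].append(key)
        else:
            groups["other"].append(key)  # would hold traffic that took the external-IP/DNAT path
    return groups

if __name__ == "__main__":
    flows = parse_capture(SAMPLE)
    for name, keys in classify(flows).items():
        print(name, [f"{k[1]}:{k[2]} -> {k[3]}:{k[4]} ({flows[k]['bytes']} B)" for k in keys])
```

Feed it the real capture on stdin or from a file instead of SAMPLE; an empty "other" group alongside an empty result for the external-IP filter is the same finding the second tcpdump above shows.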