
Webserver Protection for Host behind IP tunnel

Hello everybody,

I'm currently trying to establish the WAF setup for the current configuration:

Two sites are connected via IP tunnel and everything is properly working with the static routes set up. Now we have the need to set up Webserver Protection for a host that is located behind the IP tunnel.

I've had several attempts with using NAT rules (Masquerading / SNAT), but I still see error 503 in the browser when checking the connection.

Any idea if this can work at all? Meanwhile I'm afraid that the packets cannot find the way back, since there is no routing definition for the "WAN" request coming from the other side of the IP tunnel.

Many thanks for any hint!



  • Using WAF, the WAF-Firewall initiates the connection to the webserver.

    Are you able to reach the webserver from this firewall via traceroute?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks Dirk,

    Unfortunately I'm unable to either ping or traceroute the IP of the webserver from the firewall via "Diagnostics". It does not matter whether I choose "select interface" or use the one via which I'm 100% able to access the webserver from the on-site client in the same VLAN.

    However, from the mentioned VLAN, I'm able to ping & traceroute the server without any issues. In addition, there are no special FW rules where I could see the issue.

    Strange topic, I expected to be able to execute the ping at least by choosing the corresponding interface in diagnostics.

    Have you ever been able to make such a setup work, using an IP tunnel connection in one of your setups?

  • Hello Linus,

    I suspect a routing problem here. Could be the route back from the host where the webserver is running.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Linus,

    the "IP Tunnel" ...

    - is a VPN? (SSL / IPSec / RED / other)

    - created by your Firewall or another device?

    If so, you may have to configure routing for firewall-generated traffic through the VPN.

    Greetings


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello Dirk,

    It's a "Route-Based VPN" connection, as described below:

    Route-based VPN - Sophos Firewall

    And routing is configured, the tunnel works as expected, except for the routing when configuring the WAF for a host on the other side of the tunnel. BTW, both FW are XGS.
    As I mentioned in my first post, I'm wondering if this can be established at all, because how should the "route back" to the system where the WAF is configured look?
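The point raised by Dirk and Philipp above (the WAF connects from the firewall itself, so the remote site needs a route back to the firewall's own source address, not just to the local LAN) can be modelled with a small longest-prefix-match routing check. The following is an added example, not code from this thread or from Sophos; every prefix, address and interface name in it (Port1, Port2, xfrm1, 10.1.0.0/24, 10.2.0.0/24, 169.254.0.1) is constructed for illustration, and the assumption that the firewall sources its own traffic from the egress interface's address is part of the model, not a statement about how any particular product behaves.

```python
"""Added example, not code from the thread or from Sophos: a small model of the
routing question raised above (the WAF connects from the firewall itself, so
the remote site needs a return route for the firewall's own source address).

All prefixes, interface names (Port1, Port2, xfrm1) and addresses are
constructed for illustration and are assumptions, not values from the thread.
"""
import ipaddress
from typing import Optional

RouteTable = list[tuple[str, str]]  # (prefix, egress interface)

# Site A firewall (the one hosting the WAF); constructed.
FW_ROUTES: RouteTable = [
    ("0.0.0.0/0", "Port2"),      # WAN default route
    ("10.1.0.0/24", "Port1"),    # local LAN
    ("10.2.0.0/24", "xfrm1"),    # remote LAN via the route-based VPN interface
]
# Address the firewall owns on each interface; constructed.
FW_IFACE_ADDR = {"Port1": "10.1.0.1", "Port2": "203.0.113.10", "xfrm1": "169.254.0.1"}

BACKEND_IP = "10.2.0.50"  # webserver behind the tunnel; constructed

# Site B routing toward site A, as seen by the webserver's gateway; constructed.
# Broken: only site A's LAN prefix is routed back through the tunnel.
REMOTE_ROUTES_BROKEN: RouteTable = [
    ("0.0.0.0/0", "internet"),
    ("10.2.0.0/24", "lan"),
    ("10.1.0.0/24", "xfrm1"),
]
# Fixed: the firewall's own tunnel-side source address is also routed back via the tunnel.
REMOTE_ROUTES_FIXED: RouteTable = REMOTE_ROUTES_BROKEN + [("169.254.0.0/30", "xfrm1")]


def lookup(routes: RouteTable, dst: str) -> Optional[str]:
    """Longest-prefix match: egress interface for dst, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = via, net.prefixlen
    return best


def firewall_source(routes: RouteTable, dst: str, iface_addr: dict[str, str]) -> Optional[str]:
    """Source address for firewall-originated traffic toward dst.

    Assumption of this model: the firewall sources from the address of the
    egress interface the route lookup selects (a LAN client would instead use
    its own LAN address, which is why client traffic through the tunnel works).
    """
    via = lookup(routes, dst)
    return iface_addr.get(via) if via else None


def diagnose(remote_routes: RouteTable, tunnel_iface: str = "xfrm1") -> dict:
    """Check both directions of the WAF -> backend connection.

    Returns the chosen source, the forward egress, the remote side's return
    egress for that source, and whether the path is symmetric through the tunnel.
    """
    forward_via = lookup(FW_ROUTES, BACKEND_IP)
    src = firewall_source(FW_ROUTES, BACKEND_IP, FW_IFACE_ADDR)
    return_via = lookup(remote_routes, src) if src else None
    ok = forward_via == tunnel_iface and return_via == tunnel_iface
    return {"source": src, "forward_via": forward_via, "return_via": return_via, "ok": ok}


if __name__ == "__main__":
    for label, table in (("broken", REMOTE_ROUTES_BROKEN), ("fixed", REMOTE_ROUTES_FIXED)):
        r = diagnose(table)
        print(f"{label}: WAF source {r['source']} -> {BACKEND_IP} via {r['forward_via']}, "
              f"reply routed via {r['return_via']}, symmetric={r['ok']}")
```

In the "broken" table the forward leg is fine (the backend is reached through the tunnel), but the reply to the firewall's source address matches only the default route and leaves toward the internet, which is exactly the asymmetric path that shows up as a 503 from the WAF. The "fixed" table adds a return route for the prefix the firewall sources from; the equivalent real-world fix is either a route on the remote side for the address the WAF-hosting firewall uses, or, as Dirk suggests, routing the firewall's own generated traffic through the VPN so that it sources from a prefix the remote side already routes back. A traceroute from the firewall (as opposed to from a LAN client) tests the combination of both legs, which is why it is the right first check.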
