External IP shows as internal DMZ IP when using "Remote_Host" HTTP variable

As per the subject really

On my old FW (not Sophos) I used to allow access to pages internally (to our network) by checking the remote host HTTP variable. This would give the user's external IP (in the case of an external user) or the internal IP (192.168.0.x) of an internal user. So I could lock out pages to external users.

With Sophos UTM9 installed the remote_host is always shown as the DMZ IP address - 192.168.1.1. Therefore my apparently secure pages are now visible externally.

Is there a way to make this work as it used to? I can't see that NATing will help me in anyway

  • Hi, Mike, and welcome to the UTM Community!

    I'm not following your description.  Without a proxy, the only way an External access can traverse the UTM to an internal IP is with a DNAT.  Please show a simple diagram of your topology with IPs noted, perhaps noting what was able to access what that you hadn't intended.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I couldn't have made myself clear

    I have:

    Cable Modem -> UTM -> Green Network (NIC2) and also -> DMZ Network (NIC3)

    I have a webserver on the DMZ

     

    Everything works fine, but

    I have code on that server that checks the Remote IP of someone browsing. With the Sophos UTM it always shows that remote IP as the UTM's NIC address (i.e. 192.168.1.1). I want the server to see the ACTUAL external IP address of the browsing user, because I have code on the server that allows access to the INTERNAL network users. Because the UTM is saying everyone is coming from 192.168.1.1 this exposes secret parts of my network (some web pages) to the whole internet.

    Is there a way to do this?

  • Please show a picture of your NAT rule open in Edit mode, or should we move this thread to the Webserver Protection forum?

    Cheers - Bob

  • Maybe that is where I am going wrong as I do not have any NAT rules for what I want to achieve. I can't see how they could work for what I want to do

     

    I DO have these NAT rules

    Full DNAT on Any -> POP3 SSL -> External WAN [www.mycompany.com] (Address) -> SNAT to Green Address. DNAT -> mail.mycompany.com

     

    and

    Full DNAT on Any -> SMTP SSL -> External WAN [www.mycompany.com] (Address) -> SNAT to Green Address. DNAT -> mail.mycompany.com

    This allows my e-mail to work

     

    Under masquerading I have

    Green (Network) -> External WAN -> www.mycompany.com

    DMZ (Network) -> External WAN -> www.mycompany.com

     

    What my web server (on the DMZ) is seeing, is any external request from a web browser, as coming from the DMZ NIC address - 192.168.1.1. I want the web server to see the real IP address of the external browser

  • Hi Mike,

    I think your query states that you see the traffic coming from DMZ interface IP address instead of the actual remote IP address? Show us a picture of the DNAT rule configured to host the internal server.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • There is no DNAT rule. The only rules I have are shown above

     

    I have a firewall rule for the web server

    www.mycompany.com, HTTP and HTTPS -> Any

    I also have

    www.mycompany.com, DNS -> Any

     

    I also have a web application firewall rule

    www.mycompany.com

    Type: Encrypted (HTTPS), Redirection enabled

    Domains: www.mycompany.com

    Site Path / 192.168.1.x

    Profile: Basic Protection

    Advanced: Pass Host Header

     

    I need Pass Host Header otherwise the site doesn't work

  • Mike, please show pictures.  We all work better with raw data.

    Cheers - Bob

  • Not wanting to be "funny" or anything but I don't see how pictures will help. I have told you what rules I have. I don't see how these rules affect what I want to happen anyway

    I'm obviously missing the point

    Putting it another way then, what NAT rule do I need to make, to make the UTM show the external client's IP to the webserver?

  • No problem, Mike.  I've answered thousands of questions here over the last ten years and the requested pictures would quickly fill in the missing details that you didn't realize you needed to specify.

    Cheers - Bob

  • Thanks, Mike, I see now that you aren't using a NAT rule for this.  I'll move this thread to the Webserver Security forum.

    If you did have a NAT rule like 'DNAT : Internet -> Web Surfing -> External [www.company.com] (Address) : to 192.168.1.x', you would see the originating IP, but this would cause the bypassing of your Virtual Server for HTTP/S (see #2 in Rulz).  So you were right that a NAT rule wouldn't help you if you want to use Webserver Protection.

    When traffic passes through the WAF, it adds the "X-FORWARDED-FOR" header, so that's what you'll need to look for.

    Cheers - Bob

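Bob's point above, that behind Webserver Protection the client address arrives in the X-Forwarded-For header rather than in REMOTE_ADDR, as an added example that is not code from this thread or from Sophos: a small Python helper that resolves the real client and then makes the internal/external decision the original poster wanted. It assumes the DMZ interface 192.168.1.1 from the thread is the only trusted proxy, that the green LAN is 192.168.0.0/24, and that the UTM appends the address it actually saw to any X-Forwarded-For the client already sent (the usual Apache mod_proxy behaviour; check your own access logs to confirm). The caveat a practitioner needs: a browser can send its own X-Forwarded-For, so the header is honoured only when the TCP peer is the WAF, and only its right-most entry is used. All addresses in the demo are constructed.

```python
"""Resolve the real client address behind a reverse proxy such as the UTM WAF.

REMOTE_ADDR is the proxy's DMZ interface (assumed 192.168.1.1 here); the
original client is carried in X-Forwarded-For. The header is only meaningful
when the request really came from the proxy, and only the entry the proxy
appended can be trusted: anything before it was supplied by the client.
"""
import ipaddress

# Assumed topology values taken from the thread, adjust for your own network.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.1")}
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/24")]


def client_ip(remote_addr, forwarded_for=None):
    """Return the ipaddress object for the real client.

    remote_addr:   the TCP peer as the web server sees it (REMOTE_ADDR).
    forwarded_for: the raw X-Forwarded-For header value, or None if absent.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not forwarded_for:
        # Direct connection, or a peer that is not our proxy: any
        # X-Forwarded-For present was set by the client and is ignored.
        return peer
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    # The proxy appends the address it saw, so the right-most entry is the
    # only one that was not under the client's control.
    try:
        return ipaddress.ip_address(hops[-1])
    except (ValueError, IndexError):
        # Malformed header: fall back to the peer rather than trusting junk.
        return peer


def is_internal(remote_addr, forwarded_for=None):
    """True if the real client sits on one of the internal networks."""
    ip = client_ip(remote_addr, forwarded_for)
    return any(ip in net for net in INTERNAL_NETWORKS)


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic):
    samples = [
        # (REMOTE_ADDR, X-Forwarded-For, description)
        ("192.168.1.1", "203.0.113.7", "external browser via the WAF"),
        ("192.168.1.1", "192.168.0.20", "green-network user via the WAF"),
        ("192.168.1.1", "192.168.0.5, 203.0.113.7", "external browser spoofing XFF"),
        ("192.168.0.30", None, "green-network user hitting the DMZ host directly"),
        ("203.0.113.7", "192.168.0.5", "untrusted peer sending XFF itself"),
    ]
    for addr, xff, what in samples:
        print(f"{what:50s} -> client {client_ip(addr, xff)} internal={is_internal(addr, xff)}")
```

The spoofing case is the one to keep in mind: with a naive "first address in the header" check, the request carrying "192.168.0.5, 203.0.113.7" would be treated as internal and the protected pages would again be exposed to the internet.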
  • That is extremely helpful. Thank you. I have now added code to my site so that header is checked, and it works beautifully

  • Looking at my existing rules, how could I make (or I should change them so) the email server "see" the actual source IP of the sender/receiver? It is currently seeing ALL users as on the 192 network

  • Is this a new question, Mike?  I'm not sure what you're asking.

    Cheers - Bob
