External IP shows as internal DMZ IP when using "Remote_Host" HTTP variable

Hi, Mike, and welcome to the UTM Community!

I'm not following your description.  Without a proxy, the only way an External access can traverse the UTM to an internal IP is with a DNAT.  Please show a simple diagram of your topology with IPs noted, perhaps noting what was able to access what that you hadn't intended.

Cheers - Bob

I couldn't have made myself clear

I have:

Cable Modem -> UTM -> Green Network (NIC2) and also -> DMZ Network (NIC3)

I have a webserver on the DMZ

Everything work fine, but

I have code on that server that checks the Remote IP of someone browsing. With the Sophos UTM it always show that remote IP as the UTM's NIC address (ie 192.168.1.1). I want the server to see the ACTUAL external IP address of the browsing user, because I have code on the server that allows access to the INTERNAL network users. Because the UTM is saying everyone is coming from 192.168.1.1 this exposes secret parts of my network (some web pages) to the whole internet

Is there a way to do this?

Please show a picture of your NAT rule open in Edit mode, or should we move this thread to the Webserver Protection forum?

Cheers - Bob

Maybe that is where I am going wrong as I do not have any NAT rules for what I want to achieve. I can't see how they could work for want I want to do

I DO have these NAT rules

Full DNAT on Any -> POP3 SSL -> External WAN [www.mycompany.com] (Address) -> SNAT to Green Address. DNAT -> mail.mycompany.com

and

Full DNAT on Any -> SMPT SSL -> External WAN [www.mycompany.com] (Address) -> SNAT to Green Address. DNAT -> mail.mycompany.com

This allows my e-mail to work

Under masquerading I have

Green (Network) -> External WAN -> www.mycompany.com

DMZ (Network) -> External WAN -> www.mycompany.com

What my web server (on the DMZ) is seeing, is any external request from a web browser, as coming from the DMZ NIC address - 192.168.1.1. I want the web server to see the real IP address of the external browser

Hi Mike,

I think your query states that you see the traffic coming from DMZ interface IP address instead of the actual remote IP address? Show us a picture of the DNAT rule configured to host the internal server.

Thanks

There is no DNAT rule. The only rules I have are shown above

I have a firewall rule for the web server

www.mycompany.com, HTTP and HTTPS -> Any

I also have

www.mycompany.com, DNS -> Any

I also have a web application firewall rule

www.mycompany.com

Type: Encrypted (HTTPS), Redirection enabled

Domains: www.mycompany.com

Site Path / 192.168.1.x

Profile: Basic Protection

Advanced: Pass Host Header

I need Pass Host Header otherwise the site doesn't work

Mike, please show pictures.  We all work better with raw data.

Cheers - Bob

Mike, please show pictures.  We all work better with raw data.

Cheers - Bob

Not wanting to be "funny" or anything but I don't see how pictures will help. I have told you what rules I have. I don't see how these rules affect what I want to happen anyway

I'm obviously missing the point

Putting it another way then, what NAT rule do I need to make, to make the UTM show the external client's IP to the webserver?

No problem, Mike.  I've answered thousands of questions here over the last ten years and the requested pictures would quickly fill in the missing details that you didn't realize you needed to specify.

Cheers - Bob

Okay does this help?

Thanks, Mike, I see now that you aren't using a NAT rule for this.  I'll move this thread to the Webserver Security forum.

If you did have a NAT rule like 'DNAT : Internet -> Web Surfing -> External [www.company.com] (Address) : to 192.168.1.x', you would see the originating IP, but this would cause the bypassing of your Virtual Server for HTTP/S (see #2 in Rulz).  So you were right that a NAT rule wouldn't help you if you want to use Webserver Protection.

When traffic passes through the WAF, it adds the "X-FORWARDED-FOR" header, so that's what you'll need to look for.

Cheers - Bob

That is extremely helpful. Thank you. I have now added code to my site so that header is checked, and it works beautifully

Looking at my existing rules, how could I make (or I should change them so) the email server "see" the actual source IP of the sender/receiver? It is currently seeing ALL users as on the 192 network

Is this a new question, Mike?  I'm not sure what you're asking.

Cheers - Bob

Sort of. You can see my NAT rules. My email server is seeing all connections as coming from the 192. network. I have IP screening on the server, but that is now not working. I'd like the server to see the real connection's IP address, so the IP screen works again

Mike, as I commented above, see #2 in Rulz.  Your DNAT causes inbound traffic to bypass your Virtual Server (DNATs come before Proxies).

Cheers - Bob

Thanks. But could I not have NAT rules for only these services POP3/POP3 SSL/SMTP/SMTP SSL so that the mail server could see the real originating IP Address?