This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

External IP shows as internal DMZ IP when using "Remote_Host" HTTP variable

As per the subject really

On my old FW (not Sophos) I used to allow access to pages internally (to our network) by checking the remote host http variable. This would give the users external (in the case of an external IP) or the internal (192.168.0.x) of an internal user. So I could lock out pages to external users

With Sophos UTM9 installed the remote_host is always shown as the DMZ IP address - 192.168.1.1. Therefore my apparantly secure pages are now visible externally

Is there a way to make this work as it used to? I can't see that NATing will help me in anyway

 

 

 

 

 



This thread was automatically locked due to age.
Parents
  • Hi, Mike, and welcome to the UTM Community!

    I'm not following your description.  Without a proxy, the only way an External access can traverse the UTM to an internal IP is with a DNAT.  Please show a simple diagram of your topology with IPs noted, perhaps noting what was able to access what that you hadn't intended.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I couldn't have made myself clear

    I have:

    Cable Modem -> UTM -> Green Network (NIC2) and also -> DMZ Network (NIC3)

    I have a webserver on the DMZ

     

    Everything work fine, but

    I have code on that server that checks the Remote IP of someone browsing. With the Sophos UTM it always show that remote IP as the UTM's NIC address (ie 192.168.1.1). I want the server to see the ACTUAL external IP address of the browsing user, because I have code on the server that allows access to the INTERNAL network users. Because the UTM is saying everyone is coming from 192.168.1.1 this exposes secret parts of my network (some web pages) to the whole internet

    Is there a way to do this?

  • Please show a picture of your NAT rule open in Edit mode, or should we move this thread to the Webserver Protection forum?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Maybe that is where I am going wrong as I do not have any NAT rules for what I want to achieve. I can't see how they could work for want I want to do

     

    I DO have these NAT rules

    Full DNAT on Any -> POP3 SSL -> External WAN [www.mycompany.com] (Address) -> SNAT to Green Address. DNAT -> mail.mycompany.com

     

    and

    Full DNAT on Any -> SMPT SSL -> External WAN [www.mycompany.com] (Address) -> SNAT to Green Address. DNAT -> mail.mycompany.com

    This allows my e-mail to work

     

    Under masquerading I have

    Green (Network) -> External WAN -> www.mycompany.com

    DMZ (Network) -> External WAN -> www.mycompany.com

     

    What my web server (on the DMZ) is seeing, is any external request from a web browser, as coming from the DMZ NIC address - 192.168.1.1. I want the web server to see the real IP address of the external browser

  • Hi Mike,

    I think your query states that you see the traffic coming from DMZ interface IP address instead of the actual remote IP address? Show us a picture of the DNAT rule configured to host the internal server.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • There is no DNAT rule. The only rules I have are shown above

     

    I have a firewall rule for the web server

    www.mycompany.com, HTTP and HTTPS -> Any

    I also have

    www.mycompany.com, DNS -> Any

     

    I also have a web application firewall rule

    www.mycompany.com

    Type: Encrypted (HTTPS), Redirection enabled

    Domains: www.mycompany.com

    Site Path / 192.168.1.x

    Profile: Basic Protection

    Advanced: Pass Host Header

     

    I need Pass Host Header otherwise the site doesn't work

  • Mike, please show pictures.  We all work better with raw data.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Not wanting to be "funny" or anything but I don't see how pictures will help. I have told you what rules I have. I don't see how these rules affect what I want to happen anyway

    I'm obviously missing the point

    Putting it another way then, what NAT rule do I need to make, to make the UTM show the external client's IP to the webserver?

  • No problem, Mike.  I've answered thousands of questions here over the last ten years and the requested pictures would quickly fill in the missing details that you didn't realize you needed to specify.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks, Mike, I see now that you aren't using a NAT rule for this.  I'll move this thread to the Webserver Security forum.

    If you did have a NAT rule like 'DNAT : Internet -> Web Surfing -> External [www.company.com] (Address) : to 192.168.1.x', you would see the originating IP, but this would cause the bypassing of your Virtual Server for HTTP/S (see #2 in Rulz).  So you were right that a NAT rule wouldn't help you if you want to use Webserver Protection.

    When traffic passes through the WAF, it adds the "X-FORWARDED-FOR" header, so that's what you'll need to look for.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Thanks, Mike, I see now that you aren't using a NAT rule for this.  I'll move this thread to the Webserver Security forum.

    If you did have a NAT rule like 'DNAT : Internet -> Web Surfing -> External [www.company.com] (Address) : to 192.168.1.x', you would see the originating IP, but this would cause the bypassing of your Virtual Server for HTTP/S (see #2 in Rulz).  So you were right that a NAT rule wouldn't help you if you want to use Webserver Protection.

    When traffic passes through the WAF, it adds the "X-FORWARDED-FOR" header, so that's what you'll need to look for.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • That is extremely helpful. Thank you. I have now added code to my site so that header is checked, and it works beautifully

  • Looking at my existing rules, how could I make (or I should change them so) the email server "see" the actual source IP of the sender/receiver? It is currently seeing ALL users as on the 192 network

  • Is this a new question, Mike?  I'm not sure what you're asking.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sort of. You can see my NAT rules. My email server is seeing all connections as coming from the 192. network. I have IP screening on the server, but that is now not working. I'd like the server to see the real connection's IP address, so the IP screen works again

  • Mike, as I commented above, see #2 in Rulz.  Your DNAT causes inbound traffic to bypass your Virtual Server (DNATs come before Proxies).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks. But could I not have NAT rules for only these services POP3/POP3 SSL/SMTP/SMTP SSL so that the mail server could see the real originating IP Address?

  • I'm lost, Mike.  We're in the Webserver forum, but your last comment is about email.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I see now, Mike.  Yes, you want to use DNATs instead of Full NATs.  If a DNAT doesn't work, then I'll guess that "mail.xxxxx.com" violates #3 in Rulz.  Also, I don't think you want the SNAT - if it's needed as noted, then there might also be a violation of #3 through #5.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I was violating Rule 3 and I have now edited the network definitions and removed the Bound To, and now they all are Bound To <Any>

    I have rewitten the NATs to

     

    DNAT. Any -> SMTP -> External WAN (www.mycompany.com). DNAT -> mail.mycompany.com

    DNAT. Any -> SMTP SSL -> External WAN (www.mycompany.com). DNAT -> mail.mycompany.com

     

    These work (I can't see whether the email server is seeing the real IP address or not though at the moment)

    I still have this

     

    Full NAT. Any -> POP3 SSL -> External WAN (www.mycompany.com). Full NAT ->

    Source: Green (Address)

    Destination: mail.mycompany.com

     

    If I remove this Full NAT then my email server won't allow me to RECEIVE email and I get an error within Outlook. Turning it back on, and then I can receive okay again

  • I can also confirm I am now seeing the external originating IP address of the sender. Goooooooood!

    So the question really just remains about that Full NAT. Is that okay or is something wrong with it?

     

    I also now realise my original question to you was a load of rubbish! All my NATs are dealing with email, and none of them for the web! How stupid can I be?!

    Bearing in mind I do *not* have Web Filtering turned on, what NATs would I need so that my web server would see the originating brower's IP address. I am using the X-FORWARDED-FOR header as a filter, but it would nicer if I could really see the originating address instead of using that header