Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 22 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 22261 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

External IP shows as internal DMZ IP when using "Remote_Host" HTTP variable

Mike Huggins

As per the subject really

On my old FW (not Sophos) I used to allow access to pages internally (to our network) by checking the remote host http variable. This would give the users external (in the case of an external IP) or the internal (192.168.0.x) of an internal user. So I could lock out pages to external users

With Sophos UTM9 installed the remote_host is always shown as the DMZ IP address - 192.168.1.1. Therefore my apparantly secure pages are now visible externally

Is there a way to make this work as it used to? I can't see that NATing will help me in anyway

 

 

 

 

 



This thread was automatically locked due to age.
  • +1 in reply to Mike Huggins

    Thanks, Mike, I see now that you aren't using a NAT rule for this.  I'll move this thread to the Webserver Security forum.

    If you did have a NAT rule like 'DNAT : Internet -> Web Surfing -> External [www.company.com] (Address) : to 192.168.1.x', you would see the originating IP, but this would cause the bypassing of your Virtual Server for HTTP/S (see #2 in Rulz).  So you were right that a NAT rule wouldn't help you if you want to use Webserver Protection.

    When traffic passes through the WAF, it adds the "X-FORWARDED-FOR" header, so that's what you'll need to look for.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    That is extremely helpful. Thank you. I have now added code to my site so that header is checked, and it works beautifully

  • 0 in reply to Mike Huggins

    Looking at my existing rules, how could I make (or I should change them so) the email server "see" the actual source IP of the sender/receiver? It is currently seeing ALL users as on the 192 network

  • 0 in reply to Mike Huggins

    Is this a new question, Mike?  I'm not sure what you're asking.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Sort of. You can see my NAT rules. My email server is seeing all connections as coming from the 192. network. I have IP screening on the server, but that is now not working. I'd like the server to see the real connection's IP address, so the IP screen works again

  • 0 in reply to Mike Huggins

    Mike, as I commented above, see #2 in Rulz.  Your DNAT causes inbound traffic to bypass your Virtual Server (DNATs come before Proxies).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Thanks. But could I not have NAT rules for only these services POP3/POP3 SSL/SMTP/SMTP SSL so that the mail server could see the real originating IP Address?

  • 0 in reply to Mike Huggins

    I'm lost, Mike.  We're in the Webserver forum, but your last comment is about email.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I see now, Mike.  Yes, you want to use DNATs instead of Full NATs.  If a DNAT doesn't work, then I'll guess that "mail.xxxxx.com" violates #3 in Rulz.  Also, I don't think you want the SNAT - if it's needed as noted, then there might also be a violation of #3 through #5.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I was violating Rule 3 and I have now edited the network definitions and removed the Bound To, and now they all are Bound To <Any>

    I have rewitten the NATs to

     

    DNAT. Any -> SMTP -> External WAN (www.mycompany.com). DNAT -> mail.mycompany.com

    DNAT. Any -> SMTP SSL -> External WAN (www.mycompany.com). DNAT -> mail.mycompany.com

     

    These work (I can't see whether the email server is seeing the real IP address or not though at the moment)

    I still have this

     

    Full NAT. Any -> POP3 SSL -> External WAN (www.mycompany.com). Full NAT ->

    Source: Green (Address)

    Destination: mail.mycompany.com

     

    If I remove this Full NAT then my email server won't allow me to RECEIVE email and I get an error within Outlook. Turning it back on, and then I can receive okay again

Unfiltered HTML