Re: Web server behind Symantec Enterprise Firewall

From: Lars M. Hansen (badnews_at_hansenonline.net)
Date: 01/22/04


Date: Thu, 22 Jan 2004 16:24:18 GMT

On Thu, 22 Jan 2004 13:35:58 +0100, MMDRMV spoketh

>Hi all!
>
>I wrote previous message with little data, let me be more specific.
>
>I have the typical conf:
>
> webserver
> |
>Inet->Router->Firewall(SEF)->LAN
>
>And I'm trying to access from the Inet to an internal Web server (in the
>LAN). I've published a virtual IP at the Firewall to which I route the http
>traffic from the router. I think Router is working OK since I can see the
>access attempts at the SymantecEnterpriseFirewall log... I have set a rule
>to permit the traffic, and a redirecting from the Virtual IP to the Internal
>webserver... I was seeing the attempts at the log as timeouts to the
>server... since I set an address transform to permit transparency of the
>Firewall (maintaining original IPs)... now what I see at the firewall is:
>
>NAT Warning: NAT rule AccesoServer was chosen, but client transparency is
>not possible as both the source (207.31.89.123->if=10.0.0.128) and
>destination interfaces (if=10.0.0.128->10.0.0.16) are the same. Please
>update your address mapping entry.
>
>In which 10.0.0.128 is the IP of the external NIC of the firewall... and
>10.0.0.16 is the Internal Webserver (IPs here are falsified for security)
>
>So, now I'm sure... the firewall is redirecting the http service to the same
>side it comes from...
>
>I've tried to set a fixed IP route to the webserver... setting the gateway
>value as the IP of the internal NIC of the firewall... but it gives this
>error when reconfiguring:
>
>---------------------------
>Symantec Raptor Management Console Error
>---------------------------
>ntsetroutes: fail to run route on new record
>---------------------------
>
>Please... help...
>
>Thank you very much in advance.
>

Check your rule, and make sure that the correct interfaces are selected
along with the IP addresses.

Since the web server is on the LAN, you shouldn't have to add any route
on the firewall to point to the web server.

Consider dropping the transparency temporarily while troubleshooting the
connectivity. Once you can successfully connect from the outside to the
web server, then you can re-add the transparency rule.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.


