Re: Web server behind Symantec Enterprise Firewall

From: MMDRMV (news_at_arkion.es)
Date: 01/22/04


Date: Thu, 22 Jan 2004 18:37:31 +0100

I've checked everything twice (or more) and cannot find the error...

It seems it does not matter which interfaces I set at the rule, because if I
set the rule for the correct ones... then it blocks the traffic because it
tries to route it through the same interface.

Let me ask you one thing:

Is it correct practice to publish a virtual IP outside the firewall for
routing the traffic from the router... and then redirecting it at the
firewall to the internal server?... or is it possible to route the traffic
from the router to the internal server (with a static route through the
firewall or something similar)... but with no virtual IP?...

Thanks.

"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news:lvtv00tff943mu5dlmg8cqhe7rh5e9cvon@4ax.com...
> On Thu, 22 Jan 2004 13:35:58 +0100, MMDRMV spoketh
>
> >Hi all!
> >
> >I wrote the previous message with little data, let me be more specific.
> >
> >I have the typical conf:
> >
> > webserver
> > |
> >Inet->Router->Firewall(SEF)->LAN
> >
> >And I'm trying to access from the Inet an internal Web server (in the
> >LAN). I've published a virtual IP at the Firewall to which I route the http
> >traffic from the router. I think the Router is working OK since I can see the
> >access attempts at the SymantecEnterpriseFirewall log... I have set a rule
> >to permit the traffic, and a redirect from the Virtual IP to the Internal
> >webserver... I was seeing the attempts at the log as timeouts to the
> >server... since I set an address transform to permit transparency of the
> >Firewall (maintaining original IPs)... now what I see at the firewall is:
> >
> >NAT Warning: NAT rule AccesoServer was chosen, but client transparency is
> >not possible as both the source (207.31.89.123->if=10.0.0.128) and
> >destination interfaces (if=10.0.0.128->10.0.0.16) are the same. Please
> >update your address mapping entry.
> >
> >In which 10.0.0.128 is the IP of the external NIC of the firewall... and
> >10.0.0.16 is the Internal Webserver (IPs here are falsified for security)
> >
> >So, now I'm sure... the firewall is redirecting the http service to the same
> >side it comes from...
> >
> >I've tried to set a fixed IP route to the webserver... setting the gateway
> >value as the IP of the internal NIC of the firewall... but it gives this
> >error when reconfiguring:
> >
> >---------------------------
> >Symantec Raptor Management Console Error
> >---------------------------
> >ntsetroutes: fail to run route on new record
> >---------------------------
> >
> >Please... help...
> >
> >Thank you very much in advance.
> >
>
> Check your rule, and make sure that the correct interfaces are selected
> along with the IP addresses.
>
> Since the web server is on the LAN, you shouldn't have to add any route
> on the firewall to point to the web server.
>
> Consider dropping the transparency temporarily while troubleshooting the
> connectivity. Once you can successfully connect from the outside to the
> web server, then you can re-add the transparency rule.
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
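The NAT warning quoted above boils down to one routing check: a redirect can keep the client's real source address only if the client and the redirected server are reached through different firewall interfaces, otherwise the server's reply never comes back through the firewall. The following is an added illustration of that check, written for this thread and not taken from the posts or from Symantec; the interface table, static route and addresses are constructed sample values (the poster's 10.0.0.x values are sanitised anyway).

```python
"""Model of the 'client transparency is not possible' decision: an address
transform that preserves the client IP is refused when the ingress and egress
interfaces of the redirected flow are the same."""
import ipaddress

# Constructed firewall interface table (hypothetical, not the poster's real one).
INTERFACES = {
    "outside": ipaddress.ip_interface("10.0.0.128/24"),
    "inside":  ipaddress.ip_interface("192.168.1.1/24"),
}
# Constructed static routes as (network, next hop): only a default via the router.
STATIC_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("10.0.0.1"))]


def egress_interface(dst, interfaces=INTERFACES, routes=STATIC_ROUTES):
    """Interface a packet for `dst` leaves on: longest-prefix match over the
    connected networks first, then static routes resolved via their next hop."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, iface in interfaces.items():
        net = iface.network
        if dst in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    if best:
        return best[0]
    for net, gateway in sorted(routes, key=lambda r: r[0].prefixlen, reverse=True):
        if dst in net:
            # A next hop must itself be on a connected network, so no recursion
            # into the static routes again.
            return egress_interface(gateway, interfaces, [])
    return None


def check_redirect(client_ip, server_ip, transparent):
    """Return (ok, message) mirroring the firewall's decision for a redirect
    from a virtual IP to an internal server, with or without client transparency."""
    ingress = egress_interface(client_ip)   # side the client is reached on
    egress = egress_interface(server_ip)    # side the server is reached on
    if egress is None:
        return False, f"no route to server {server_ip}"
    if transparent and ingress == egress:
        return False, (f"client transparency not possible: source and destination "
                       f"interfaces are both '{ingress}'; the server's reply would not "
                       f"return through the firewall, so translate the source address")
    return True, f"redirect {client_ip}->{server_ip} in via {ingress}, out via {egress}"
```

Running `check_redirect("207.31.89.123", "10.0.0.16", True)` against this table reproduces the warning from the thread, while the same call with a server on the inside network, or with `transparent=False`, is accepted.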


