Sophos User Bulletin Board

DNAT woes with Web server - internal access

#1 | Chris (Member, VA, joined Apr 2006, 68 posts) | 08-18-2008, 04:45 PM

I have created the DNAT rules and packet filter rules (and tried with auto packet rules) - <any> to webserver http and https allow

My services seem accessible from outside now as expected which is great!

Problem is users on my LAN cannot access either the website or Outlook Web Access.

Nothing displays in the filter as blocked, but something, I guess, is not right: anything from 192.168.1.0 going to the webserver's outside address (which then DNATs back to an internal address) does not work.

Is it disappearing up its own *** :-) with the DNAT from an internal address? I tried to create a stub zone on my internal DNS to point www.domainname.com to the local address, but I cannot create a stub zone for my domain, as it will not download from my host's DNS, which has the SOA for our domain.

Anyone got any suggestions before I go bald?

Thanks,

Chris
#2 | Jack Daniel (Wizard, Cape Cod, Mass, US, joined Jul 2008, 701 posts) | 08-18-2008, 05:15 PM

You probably need to create static DNS entries on the Astaro pointing to the internal IPs of the relevant hosts. KB article 242661 addresses this (text of the article below):


Symptom:
Unable to access any site on the internal web server from workstations located within the network using the http proxy.
Access from external locations through DNAT of external address works correctly.

Cause:
DNS resolutions will reference the external interface address (given by the external DNS). When the http proxy is enabled, this results in a loop, as the external address of the ASG is trying to access itself.

Resolution:
By setting a static DNS entry in the ASG all references for the internal webserver will point to the correct internal address rather than the public address.

ASG changes required:
Go to Network >> DNS >> Static Entry
This setting must be set for internal websites not working through the ASG proxy, so that the DNS name is forwarded to the internal IP address instead of going to the external interface.

Example:
Hostname: www.mywebserver.com
IP: 10.0.0.10
__________________
Co-founder, Security BSides
Technical Product Manager, Tenable Network Security
Random Rants from an InfoSec Curmudgeon, Uncommon Sense Security Blog http://blog.uncommonsensesecurity.com
#3 | Chris (Member, VA, joined Apr 2006, 68 posts) | 08-18-2008, 06:28 PM

Thanks Jack, you saved me from turning to the other JD :-)

Works a treat now.

All the best,

Chris
#4 | Chris (Member, VA, joined Apr 2006, 68 posts) | 08-18-2008, 06:34 PM

Agh, spoke too soon.

HTTP works fine but I cannot open any HTTPS pages on my webserver.

The rule for HTTPS is set, and nothing is appearing in the log. I guess it is because the proxy can't handle HTTPS?

I do not have our network listed in the DNS Global page as we run AD DNS on our site and have local DNS servers.
#5 | Chris (Member, VA, joined Apr 2006, 68 posts) | 08-18-2008, 06:39 PM

I should add that I have changed the port for the user portal so that 443 is okay for regular HTTPS traffic. My OWA server works fine on 443, as does the webserver externally.
#6 | Jack Daniel (Wizard, Cape Cod, Mass, US, joined Jul 2008, 701 posts) | 08-18-2008, 06:39 PM

Your web proxy is in transparent mode? Then the DNS the client uses needs to have an appropriate entry referring to the internal IP.

Can you access the HTTPS site by IP from the LAN?
#7 | Chris (Member, VA, joined Apr 2006, 68 posts) | 08-18-2008, 06:42 PM

The web proxy is in transparent mode. HTTPS works fine via IP address, so the question is how to get the local DNS reference for the webserver. I tried to do this via a stub zone, but my ISP seems not to support my DNS server loading the zone so that I can then modify the www record.
#8 | Jack Daniel (Wizard, Cape Cod, Mass, US, joined Jul 2008, 701 posts) | 08-18-2008, 06:51 PM

You could point your clients to the Astaro for DNS resolution, just make sure the request routing points to your internal DNS for the appropriate domain(s).
#9 | Chris (Member, VA, joined Apr 2006, 68 posts) | 08-18-2008, 06:56 PM

So DNS should be the Astaro, assigned via DHCP, and then the forwarders should be my internal servers, which will then forward to our ISP?
#10 | Jack Daniel (Wizard, Cape Cod, Mass, US, joined Jul 2008, 701 posts) | 08-18-2008, 09:46 PM

That is one option; try it with a couple of clients first.
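The following is an added example written by the editor, not code from the Astaro KB article or from anyone in the thread. It models the three states the thread passes through: the KB loop in post #2 (the transparent proxy resolving the public name on the ASG and connecting to its own external address), the state in post #4 where HTTP works after the static entry but HTTPS still fails, and the fix in post #8 where LAN clients are pointed at the ASG for DNS. The hostname www.example.com, the public address 203.0.113.10 and the server address 192.168.1.20 are constructed. Two things are the editor's own explanation rather than anything the thread states: the reason a DNAT-only flow from the LAN to the external address fails (the server answers the LAN client directly, so the reply bypasses the ASG and the client discards it, which is why nothing shows as blocked), and the hairpin_snat flag, which assumes a source-NAT on that flow would make the replies return through the ASG; the thread itself only uses the DNS fix.

```python
"""Model of the LAN-to-DNAT ("hairpin") problem in this thread.

Added example by the editor, not code from the Astaro KB article or the thread.
Hostnames and addresses are constructed; the hairpin_snat flag is an assumption
about a source-NAT on the hairpinned flow, which the thread never configures.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ASG:
    external_ip: str                       # public address on the WAN interface
    lan_net: str                           # internal network, e.g. "192.168.1.0/24"
    dnat: dict                             # (public_ip, port) -> (internal_ip, port)
    transparent_http_proxy: bool = True    # web proxy intercepts LAN traffic to TCP/80
    static_dns: dict = field(default_factory=dict)  # Network >> DNS >> Static Entry
    hairpin_snat: bool = False             # assumed: source-NAT hairpinned flows

    def resolve(self, name, public_dns):
        """How the ASG (and therefore its proxy) resolves: static entries win."""
        return self.static_dns.get(name, public_dns[name])

    def on_lan(self, ip):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.lan_net)


def lan_client_access(fw, client_resolve, name, port, public_dns):
    """Return (reachable, reason) for a LAN client opening name:port.

    client_resolve is whatever resolver the client really uses (the AD DNS
    servers in the thread, or the ASG once clients are pointed at it).
    """
    dst = client_resolve(name)
    if fw.on_lan(dst):
        return True, f"{name} -> {dst} is on the LAN; traffic never touches the ASG"

    # Transparent proxy: it takes over the client's TCP/80 connection and
    # resolves the name again on the ASG before fetching (KB 242661's loop).
    if port == 80 and fw.transparent_http_proxy:
        proxy_dst = fw.resolve(name, public_dns)
        if proxy_dst == fw.external_ip:
            return False, "proxy resolves the name to the ASG's own external address and loops"
        return True, f"proxy fetches {name} from {proxy_dst}"

    if dst != fw.external_ip:
        return True, f"ordinary outbound connection to {dst}"

    # LAN packet to the ASG's external address: only a DNAT rule can help now.
    target = fw.dnat.get((dst, port))
    if target is None:
        return False, f"no DNAT for {dst}:{port}; the ASG answers or drops it"
    if fw.hairpin_snat:
        return True, f"DNAT to {target[0]} plus SNAT; replies return through the ASG"
    # Without SNAT the server sees the client's real LAN address and answers it
    # directly; the client expected a reply from the external IP and ignores it.
    # Nothing is blocked, so the packet filter log stays empty.
    return False, f"DNAT to {target[0]} but the server replies directly to the client, bypassing the ASG"


def scenarios():
    """The thread in order: before the static entry, after it (HTTP works,
    HTTPS does not), and after clients use the ASG for DNS. Values constructed."""
    public_dns = {"www.example.com": "203.0.113.10"}  # what the hoster's DNS answers
    fw = ASG(
        external_ip="203.0.113.10",
        lan_net="192.168.1.0/24",
        dnat={("203.0.113.10", 80): ("192.168.1.20", 80),
              ("203.0.113.10", 443): ("192.168.1.20", 443)},
    )

    def ad_dns(name):                 # AD DNS has no zone for the public domain
        return public_dns[name]       # and forwards to the ISP

    def asg_dns(name):                # clients handed the ASG as resolver
        return fw.resolve(name, public_dns)

    def both(resolver):
        return tuple(lan_client_access(fw, resolver, "www.example.com", p, public_dns)[0]
                     for p in (80, 443))

    results = {"before": both(ad_dns)}
    fw.static_dns["www.example.com"] = "192.168.1.20"   # the KB fix, on the ASG only
    results["static_entry"] = both(ad_dns)
    results["clients_use_asg"] = both(asg_dns)
    return results


if __name__ == "__main__":
    for stage, (http, https) in scenarios().items():
        print(f"{stage:16} HTTP={'ok' if http else 'FAIL'}  HTTPS={'ok' if https else 'FAIL'}")
```

Running it reproduces the thread: with only the static entry on the ASG, HTTP recovers because the proxy does its own lookup on the ASG, while an HTTPS connection is never proxied and uses the client's own resolver, which still hands back the public address; once the clients resolve through the ASG (or any resolver that returns the internal address for the name), both ports connect directly on the LAN and the DNAT is never exercised from inside.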