External and internal Access to Webserver

Hello,

I have the following problem:

I have a webserver running behind my Firebox (10.0.1.45:8008), I want to be able to access from inside and outside.

To get external access, I created this SNAT entry:
Any-External --> 10.0.1.45: 8008

Additionally I created a firewall rule
From: Any
To: SNAT (Any-External --> 10.0.1.45: 8008)
Port: 8008
Protocol: TCP

Additionally I have created a subdomain and a DNS entry for our domain:
subdomain.domain.tld -> our static IP.

If I now call the address subdomain.domain.tld:8008 from the road, I am forwarded to the web server without problems, but this no longer works as soon as I am back in the internal network.

Have I forgotten something?

Thanks in advance.

Kind regards
Lars

Comments

  • Does internal access work OK if you access the external IP addr instead of the DNS entry?
    Does internal access work OK if you access the internal IP addr of the server?

    On what interface is the server? The same as a device which is trying to access the server?

    For the record, what firewall model and XTM version do you have?

  • @Bruce_Briggs said:
    Does internal access work OK if you access the external IP addr instead of the DNS entry?

    No. Also not working.

    Does internal access work OK if you access the internal IP addr of the server?

    Yes, that is working.

    On what interface is the server? The same as a device which is trying to access the server?

    Correct.

    For the record, what firewall model and XTM version do you have?

    It is a T30 with 12.5.2 (Build 609628)

    Thanks in advance.

    Regards
    Lars

  • I think that this is being caused by asymmetrical routing.
    Path:
    Sent packet: Client -> Firewall -> server
    Reply: server -> Client

    Solution #1:
    Add a new policy: From: Trusted (or whatever the interface name is)
    To: SNAT (Any-External --> 10.0.1.45: 8008)
    Port: 8008
    Protocol: TCP
    Advanced options: Select "All traffic in this policy"
    select "Set source IP" check box; enter the firewall interface IP addr to which the server and workstations are connected.
    The result is that the packet from the client will have the source IP addr changed to the firewall interface IP addr when being sent to the server, and thus the server will send the reply packet back to the firewall, and then the firewall will forward that packet back to the client.

    Make sure that this policy ends up above your existing policy.

    Solution #2:
    Add a new unused subnet to the firewall interface as a Secondary.
    Change the IP addr of the server to one from this new subnet.
    Change your policies to reflect the new IP addr of the server.
    Now your clients are on a different subnet from the server so all client <-> server packets will go via the firewall.

  • Hello Bruce,

    first of all, thanks for your answer!

    @Bruce_Briggs said:
    I think that this is being caused by asymmetrical routing.

    Does this mean, that another rule is causing this error?

    Path:
    Sent packet: Client -> Firewall -> server
    Reply: server -> Client

    Solution #1:
    Add a new policy: From: Trusted (or whatever the interface name is)
    To: SNAT (Any-External --> 10.0.1.45: 8008)
    Port: 8008
    Protocol: TCP
    Advanced options: Select "All traffic in this policy"
    select "Set source IP" check box; enter the firewall interface IP addr to which the server and workstations are connected.
    The result is that the packet from the client will have the source IP addr changed to the firewall interface IP addr when being sent to the server, and thus the server will send the reply packet back to the firewall, and then the firewall will forward that packet back to the client.

    Unfortunately I am not able to create this policy, as the option "All traffic in this policy" is not available for SNAT actions ("You cannot enable dynamic NAT for all traffic in this policy because this policy uses a static NAT action.").

    Make sure that this policy ends up above your existing policy.

    Solution #2:
    Add a new unused subnet to the firewall interface as a Secondary.
    Change the IP addr of the server to one from this new subnet.
    Change your policies to reflect the new IP addr of the server.
    Now your clients are on a different subnet from the server so all client <-> server packets will go via the firewall.

    Solution #2 is not an option right now, as this is the main application & database server and all clients connect to it via the original IP...

    Do you perhaps have another idea?

    Thanks in advance.

    Regards
    Lars

  • A. no. Look at the traffic flow. The firewall does not see the reply packets, so it gets confused.

    Try this as a replacement to option #1:
    Add a NAT -> Dynamic NAT entry
    From: Trusted To: public IP addr of server
    Set Source IP: the firewall interface IP addr to which the server and workstations are connected

  • option #3 - if you have an internal DNS server, add an entry for the web server using the private IP addr of the web server
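The asymmetric-routing explanation in Bruce's reply above, and why each of the three fixes in this thread works (source NAT on the hairpin path, moving the server to a secondary subnet, or split DNS), modelled as a small Python simulation. This is an added example written for this page, not WatchGuard code and not from anyone in the thread. The firewall trusted-interface address 10.0.1.1, the public IP 203.0.113.10, the client 10.0.1.77:51000 and the secondary subnet 10.0.2.0/24 are constructed assumptions; 10.0.1.45:8008 is from the original post.

```python
"""Toy model of the hairpin (NAT reflection) problem in this thread.

Constructed example, not WatchGuard code.  It models only what matters here:
a stateful firewall that DNATs public_ip:8008 to the server, hosts that
deliver on-link traffic directly without touching the gateway, and a TCP
client that accepts a reply only from the address and port it connected to.
"""
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.ip_network("10.0.1.0/24")    # trusted network from the thread
FW_LAN_IP = "10.0.1.1"                       # assumed Firebox trusted-interface IP
PUBLIC_IP = "203.0.113.10"                   # placeholder for the static public IP
SERVER_IP, SERVER_PORT = "10.0.1.45", 8008   # web server from the original post
CLIENT_IP, CLIENT_PORT = "10.0.1.77", 51000  # constructed internal client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def on_link(a: str, b: str) -> bool:
    """True when both hosts sit on the LAN and can talk without a router."""
    return ipaddress.ip_address(a) in LAN and ipaddress.ip_address(b) in LAN


class Firewall:
    """Static NAT (PUBLIC_IP:8008 -> server:8008) with a connection table."""

    def __init__(self, server_ip: str, hairpin_snat: bool):
        self.server_ip = server_ip
        self.hairpin_snat = hairpin_snat   # Bruce's "Set source IP" option
        self.table = {}  # (server, dport, translated src, sport) -> real client

    def inbound(self, pkt: Packet) -> Packet:
        """Client packet hitting the public IP: rewrite the destination (and
        the source too, when hairpin SNAT is on) and remember the flow."""
        assert (pkt.dst, pkt.dport) == (PUBLIC_IP, SERVER_PORT)
        new_src = FW_LAN_IP if self.hairpin_snat else pkt.src
        out = Packet(new_src, pkt.sport, self.server_ip, pkt.dport)
        self.table[(out.dst, out.dport, out.src, out.sport)] = pkt.src
        return out

    def reply(self, pkt: Packet):
        """Server reply arriving at the firewall: undo both translations.
        Unknown flows return None (the stateful drop that causes the symptom)."""
        client = self.table.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if client is None:
            return None
        return Packet(PUBLIC_IP, pkt.sport, client, pkt.dport)


def server_reply(pkt: Packet) -> Packet:
    """The server answers whatever source address it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def route_reply(fw: Firewall, reply: Packet):
    """Where the server's reply really goes: an on-link destination gets the
    frame directly and the firewall never sees it; anything else is routed
    through the firewall as the default gateway."""
    if on_link(reply.src, reply.dst) and reply.dst != FW_LAN_IP:
        return reply, "direct"
    return fw.reply(reply), "via firewall"


def client_connect(hairpin_snat=False, split_dns=False, server_ip=SERVER_IP):
    """Simulate one SYN / SYN-ACK exchange from the internal client.
    Returns (handshake_ok, path_the_reply_took)."""
    fw = Firewall(server_ip, hairpin_snat)
    target = server_ip if split_dns else PUBLIC_IP  # option #3 resolves to the private IP
    syn = Packet(CLIENT_IP, CLIENT_PORT, target, SERVER_PORT)
    to_server = syn if split_dns else fw.inbound(syn)  # split DNS: stays on the LAN, no NAT
    final, path = route_reply(fw, server_reply(to_server))
    # A TCP client only accepts a SYN-ACK from the exact peer it addressed.
    ok = final is not None and (final.src, final.sport, final.dst, final.dport) == (
        syn.dst, syn.dport, syn.src, syn.sport)
    return ok, path


if __name__ == "__main__":
    scenarios = {
        "as configured (public IP from inside)": {},
        "solution #1: hairpin SNAT to firewall IP": {"hairpin_snat": True},
        "solution #2: server on secondary subnet": {"server_ip": "10.0.2.45"},
        "option #3: split DNS to private IP": {"split_dns": True},
    }
    for name, kw in scenarios.items():
        ok, path = client_connect(**kw)
        print(f"{name:45s} reply {path:13s} handshake {'OK' if ok else 'FAILS'}")
```

In the "as configured" case the server's SYN-ACK is delivered straight to the client with source 10.0.1.45, while the client is waiting for an answer from the public IP, so the handshake never completes and the firewall's connection table never sees the reply. Hairpin SNAT forces the reply back through the firewall, the secondary subnet makes the firewall the only path, and split DNS removes the NAT from the picture entirely.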
