Status: Solved

Problem with port forwarding behind DMZ

Hi,

I have a Firewall 1, 3 NICs on it, 1 for my LAN, 1 for my DMZ and 1 to the switch which is connected to my router.

In my LAN, only users, no servers that must be public, working perfectly.

In my DMZ:
  server 1 ==> webserver working perfectly, NAT from 192.168.10.* to public IP
  server 2 ==> 2 ftp servers and 1 HTTPS server, NAT from 192.168.10.* to public IP

    ftp server through IIS 4.0 on port 21: accessible without problem from the internet

    ftp server through WSftp server on port 10021: arriving on public IP but once arrived in 192.168.10.* ... lost somewhere.
    From outside, the client connects, but when the login and password are prompted, it does not recognize the login/password even if it is correct, because it works fine from the server itself (inside)??
    When I check the logs, I see that the port is changed during the NAT: it becomes 1121, 1122 in place of 10021??

    HTTPS server not working either, neither from inside nor outside. If I try from outside to connect to the public IP with the SSL, so if I do HTTP://<public IP> an error message says Forbidden with SSL, so a connection to the server is made...
    and if I do HTTPS://<public IP> error 404 etc... ??

Where is the problem knowing that the configuration works well for server1 and is the same for server2 ?

Thanks for help.
           

Asked: Taishaku
2 Solutions
 
TaishakuAuthor Commented:
HTTPS server not working either, nor from inside or outside, if I try from outside to connect to the public IP WITHOUT the SSL...
 
TaishakuAuthor Commented:
so if I do HTTP://<public IP> an error message sais Forbidden WIHOUT SSL, so a connection to the server is made...
 
lrmooreCommented:
What kind of firewall? What firewall software are you running?
 
TaishakuAuthor Commented:
Firewall1 v.4.1 from CheckPoint, running on NT4 server

 
_musashi_Commented:
The ftp problem is because of the nature of the ftp protocol:

1. Ftp client contacts ftp-host on port 21
2. Ftp host sends a data transfer port, which can be any free port, to the client.
3. The client contacts the server on the port given in #2
4. The server answers and the ftp-session can start.

The reason for not sending both the data and the control stream on port 21 is to make sure that control traffic doesn't drown in the data traffic.

Your firewall is very intelligent and when it sees that an ftp session is started (= a session on port 21) it automatically opens up the correct port so that the ftp data transfer can take place.

When you place the ftp daemon on 10021 the firewall is not able to understand that you are using ftp. I would check the manual and see if there is any possibility to configure other ports as ftp-ports.

HTTPS uses port 636 instead of port 80. If you try to connect using HTTP the web server will probably say something like "You must use HTTPS to contact me". When you use HTTPS the firewall should block because you have not opened the correct port. In this case it seems like the port is open, but you try to contact a page that is not available. Check your web site configuration.
 
 
TaishakuAuthor Commented:
Concerning the FTP port :

When I try to connect to ftp port 10021, I can connect but the authentication does not succeed... ??

Concerning the HTTPS port :

It's 443 :-) and I suppose that my web configuration works fine because if I set a public IP on that server, it works fine ??

Weird isn't it ?
 
_musashi_Commented:
Regarding ftp:

This behaviour is actually what you should expect from your configuration. I found a page that does a much better job at explaining things than I do (http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html).

If you look at the third figure (you are using pasv mode) the first thing your client does is connect. This goes well. The next thing is sending the pasv request. As the client never receives a positive answer, because the answer is blocked by your firewall, you will never get the chance to do the authentication.

Regarding http:

Sorry for the mindslip. You are of course correct on the port number. I don't think I have really understood all aspects of this problem. Please correct me if I am misunderstanding something.

If you place the https server outside of the firewall it works (can be accessed through https://www.mysite.com)?

If you place the https server on the dmz and try to access it (through https://www.mysite.com) you get a 404?
 
TaishakuAuthor Commented:
Regarding FTP :

I'm reading the article :-)

Regarding HTTPS :

That's correct... still wondering why...
 
jlindqCommented:
For ftp you need to change the CheckPoint INSPECT code so it realizes that ftp is running on a different port.

Modify the macros "ftp_accept_port", "ftp_accept_port_enc", and "ftp_accept_port_clear" in $FWDIR/lib/base.def on the management console so that they will watch for FTP PORT commands on the different port from that specific server.

For more, see http://www.phoneboy.com/fom/fom.pl?_highlightWords=ftp%20port&file=126
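As an added example (not code from the thread, from Check Point or from any FTP server), the following Python models what a stateful firewall has to do with the FTP control channel that _musashi_ describes above and that jlindq's base.def change is about: read PORT commands and 227 PASV replies to learn the data port, open that port only when the session runs on a port the firewall has been told is FTP, and rewrite the private address in a PASV reply when the server sits behind NAT. The control-channel lines, the addresses 203.0.113.5, 192.168.10.20 and 198.51.100.7, and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel lines (not from the thread): a client at
# 203.0.113.5 talking to a DMZ server that believes its address is 192.168.10.20.
SAMPLE_CONTROL_LINES = [
    "220 FTP service ready.",
    "USER ftpuser",
    "331 Password required for ftpuser.",
    "PASS secret",
    "230 User ftpuser logged in.",
    "PASV",
    "227 Entering Passive Mode (192,168,10,20,4,97).",
    "PORT 203,0,113,5,16,34",
    "200 PORT command successful.",
]

# Active mode: the client says where the server should connect (RFC 959 PORT command).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Passive mode: the server says where the client should connect (227 reply).
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataEndpoint:
    mode: str   # "active" (announced by the client) or "passive" (announced by the server)
    host: str
    port: int


def parse_endpoint(line):
    """Return the data-connection endpoint announced on one control-channel line, or None.
    FTP encodes the port as two decimal bytes: port = p1 * 256 + p2."""
    mode, m = "active", PORT_RE.match(line)
    if m is None:
        mode, m = "passive", PASV_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed announcement: open nothing for it
    return DataEndpoint(mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def firewall_pinholes(lines, control_port, inspected_ports=frozenset({21})):
    """Model of a stateful firewall: it only reads FTP announcements on sessions whose
    control port it has been configured to treat as FTP. Returns the data endpoints
    it would open; an empty list means every data connection of that session is dropped."""
    if control_port not in inspected_ports:
        return []  # e.g. 10021 looks like opaque TCP until it is declared as FTP
    return [ep for ep in map(parse_endpoint, lines) if ep is not None]


def rewrite_pasv_reply(line, private_ip, public_ip):
    """NAT fix-up for passive mode: the server announces its private address, which an
    Internet client cannot reach, so the firewall rewrites it to the public address."""
    ep = parse_endpoint(line)
    if ep is None or ep.mode != "passive" or ep.host != private_ip:
        return line
    a, b, c, d = public_ip.split(".")
    return f"227 Entering Passive Mode ({a},{b},{c},{d},{ep.port // 256},{ep.port % 256})."


if __name__ == "__main__":
    print("control on 21:                 ", firewall_pinholes(SAMPLE_CONTROL_LINES, 21))
    print("control on 10021, not declared:", firewall_pinholes(SAMPLE_CONTROL_LINES, 10021))
    print("control on 10021, declared:    ",
          firewall_pinholes(SAMPLE_CONTROL_LINES, 10021, frozenset({21, 10021})))
    print(rewrite_pasv_reply(SAMPLE_CONTROL_LINES[6], "192.168.10.20", "198.51.100.7"))
```

Two things the model makes visible: the (4,97) pair in the PASV reply decodes to port 1121, so high ports like that in a firewall log are the data connection, not the control port; and a session on 10021 yields no pinholes at all until 10021 is added to the set of inspected ports, which is exactly the gap the base.def macros close on a Check Point gateway.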
 
jlindqCommented:
Oh, and for the HTTPS issue: is the web server set only to accept requests to a certain IP (e.g. the private address, that the client is not aware of)?
 
TaishakuAuthor Commented:
Regarding FTP, I will test it on Monday,

For the HTTPS there is no IP limitation, as I said, when my webserver has a public IP, let's say 81.80.81.1 there's no connection problem, nor from outside/inside my LAN, it occurs only behind my DMZ...
 
jlindqCommented:
For https: I suggest you set up a sniffer on the DMZ/web server to see what traffic actually gets there.

Also, my comment about restricted IP is still valid, I think. When you are running on a public IP, the client requests "https://81.80.81.1". It then uses 81.80.81.1 as the server to connect to, but also sends a Host header to the server containing "81.80.81.1". This is fine, since the server has this address.

However, if you NAT the server so it is now really on 10.0.0.1 but NATed to the same public IP, the client connects to what it thinks is 81.80.81.1, which the FW translates to 10.0.0.1. So far the connection works. But then the Host header still tries to get a page from 81.80.81.1, and the server knows it's not its IP address.

This all depends on the setup of the server, of course.

I suggest you activate HTTP on the server and see if it works. If not, sniff the traffic to determine what's sent and received. If http works and https doesn't, then it's a server setting (unless you have some content filtering in the FW).

Oh, do you use the security servers for web traffic in the CP FW?
 
_musashi_Commented:
jlindq is probably correct. If the host part of the HTTP header doesn't match the hostname that the server thinks it has, the http server will ignore the request.

I suggest using ethereal to sniff at the traffic and confirm jlindq's theory. Ethereal is open source and can be found on http://www.ethereal.com.
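As an added example, not code from the thread, from IIS or from Check Point, here is a small Python model of the Host-header behaviour jlindq and _musashi_ describe: an HTTP/1.1 request parser and a name-based virtual-host lookup that returns 404 when no site claims the name in the Host header. 81.80.81.1 is the public address used in the thread, 10.0.0.1 the private address jlindq used and www.mysite.com the name _musashi_ used; the requests, the site tables and the function names are constructed.

```python
# Constructed sample requests (not captured from the thread's servers).
REQUEST_FROM_INTERNET = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: 81.80.81.1\r\n"
    "Connection: close\r\n"
    "\r\n"
)
REQUEST_FROM_DMZ = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: 10.0.0.1\r\n"
    "\r\n"
)
REQUEST_WITHOUT_HOST = "GET /index.html HTTP/1.1\r\n\r\n"


def parse_request(raw):
    """Split an HTTP/1.1 request into (method, target, version, headers).
    Header names are lower-cased because they are case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def choose_site(headers, sites):
    """Name-based virtual hosting: `sites` maps a site name to the set of Host values
    it answers for. Returns the site name, or None when no site claims the Host."""
    host = headers.get("host", "").split(":")[0]  # drop an explicit :port
    for name, accepted in sites.items():
        if host in accepted:
            return name
    return None


def handle(raw, sites):
    """Return the status code a server with the given site table would send."""
    _method, _target, version, headers = parse_request(raw)
    if version == "HTTP/1.1" and "host" not in headers:
        return 400  # HTTP/1.1 makes the Host header mandatory
    return 200 if choose_site(headers, sites) else 404


# A site that only knows the private address: fine from the DMZ, 404 from the Internet,
# even though the TCP connection (and, for HTTPS, the TLS handshake) succeeds first.
SITES_PRIVATE_ONLY = {"secure-site": {"10.0.0.1"}}
# Fix: let the site answer for every name or address a client may put in Host.
SITES_FIXED = {"secure-site": {"10.0.0.1", "81.80.81.1", "www.mysite.com"}}


if __name__ == "__main__":
    for label, table in (("private only", SITES_PRIVATE_ONLY), ("fixed", SITES_FIXED)):
        print(label, "Internet:", handle(REQUEST_FROM_INTERNET, table),
              "DMZ:", handle(REQUEST_FROM_DMZ, table))
```

This is also what a sniffer on the DMZ segment shows when the theory is right: the handshake completes and the server answers with a 404 rather than the firewall dropping anything. Over HTTPS the Host header is inside the encrypted session, so the request line and header are only readable at the server itself, which is why testing plain HTTP first, as jlindq suggests, is the quickest way to separate a server setting from a firewall problem.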
 
msiceCommented:
Without knowing your Domain config I will take a stab at the possibility that you are running win 2000 AD combo and there is an authentication problem not a NAT problem.

If the FTP server is outside the domain or is just a member server and you are logging in with a domain account the login from the outside must be in the format username = yourdomain.com\username with the yourdomain.com\ before the username. This account, domain or local must have log on locally rights as well or no access will be granted.
 
TaishakuAuthor Commented:
Hello, sorry for the late answer but I had a lot of work...

I've configured the base.def file and added the statements... I can connect through the new ftp port but I can connect only if I allow the high tcp ports from my ftp server, otherwise it's dropped by my Firewall...

So incoming from internet on new ftp port OK
NAT to my ftp server OK
Outgoing from ftp server dropped: the source port is indeed the new ftp port I want, but the logs say that for the outgoing packet it's using service 1533 and then 1600 etc...

Do I have another choice ?

For the HTTPS I guess you're all right, how can I do then to avoid this problem? I'm using IIS 4.0

Thanks
 
jlindqCommented:
Most of the issues are solved. Split?