Taishaku

asked on

Problem with port forwarding behind DMZ

Hi,

I have a Firewall-1, 3 NICs on it, 1 for my LAN, 1 for my DMZ and 1 to the switch which is connected to my router.

In my LAN, only users, no servers that must be public, working perfectly.

In my DMZ:

server 1 ==> webserver working perfectly, NAT from 192.168.10.* to public IP

server 2 ==> 2 ftp servers and 1 HTTPS server, NAT from 192.168.10.* to public IP

  ftp server through IIS 4.0 on port 21: accessible without problem from the internet

  ftp server through WSftp server on port 10021: arriving on public IP but once arrived in 192.168.10.* ... lost somewhere.
  From outside, he connects, but when a login and password are prompted, he does not recognize the login/password even if it's correct, because it works fine from the server himself (inside)??
  When I check the logs, I see that the port is changed during the NAT: it becomes 1121, 1122 in place of 10021 ??

  HTTPS server not working either, neither from inside nor from outside. If I try from outside to connect to the public IP with the SSL, so if I do HTTP://<public IP>, an error message says "Forbidden with SSL", so a connection to the server is made...
  and if I do HTTPS://<public IP>, error 404 etc... ??

Where is the problem knowing that the configuration works well for server1 and is the same for server2 ?

Thanks for help.

Taishaku (ASKER):
HTTPS server not working either, neither from inside nor from outside. If I try from outside to connect to the public IP WITHOUT the SSL...
so if I do HTTP://<public IP>, an error message says "Forbidden WITHOUT SSL", so a connection to the server is made...
Les Moore:
What kind of firewall? What firewall software are you running?
Firewall1 v.4.1 from CheckPoint, running on NT4 server

ASKER CERTIFIED SOLUTION
_musashi_

Concerning the FTP port :

When I try to connect to ftp port 10021, I can connect but the authentication does not succeed... ??

Concerning the HTTPS port :

It's 443 :-) and I suppose that my web configuration works fine because if I set a public IP on that server, it works fine ??

Weird isn't it ?
Regarding ftp:

This behaviour is actually what you should expect from your configuration. I found a page that does a much better job at explaining things than I do (http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html).

If you look at the third figure (you are using PASV mode), the first thing your client does is connecting. This goes well. The next thing is sending the PASV request. As the client never receives a positive answer, because the answer is blocked by your firewall, you will never get the chance to do the authentication.

Regarding http:

Sorry for the slip of the mind. You are of course correct on the port number. I don't think I have really understood all aspects of this problem. Please correct me if I am misunderstanding something.

If you place the https server outside of the firewall it works (can be accessed through https://www.mysite.com)?

If you place the https server on the dmz and try to access it (through https://www.mysite.com) you get a 404?
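As an added illustration (not part of this thread and not Check Point's code), here is a small Python model of what an FTP-aware firewall has to do on the control channel for passive mode to survive NAT: read the server's 227 reply, rewrite the private address to the public one, and open a pinhole for the dynamic data port. The 227 reply, the private address 192.168.10.5 and the listening port 10021 are constructed; 81.80.81.1 is the example public IP used later in the thread.

```python
import re

# Matches the server's reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) announced in a 227 PASV reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def translate_pasv(reply, private_ip, public_ip):
    """What an FTP-aware NAT/firewall does on the control channel: rewrite the
    private address in the 227 reply to the public one and return the dynamic
    data port a pinhole must be opened for. A reply naming some other host is
    passed through untouched (port None)."""
    ip, port = parse_pasv(reply)
    if ip != private_ip:
        return reply, None
    a, b, c, d = public_ip.split(".")
    new_tuple = "(%s,%s,%s,%s,%d,%d)" % (a, b, c, d, port // 256, port % 256)
    return re.sub(r"\(.*\)", new_tuple, reply, count=1), port

def data_connection_allowed(dst_ip, dst_port, pinholes):
    """Stateful check for the inbound data connection: it is allowed only if
    the firewall learned (ip, port) from a control channel it inspected."""
    return (dst_ip, dst_port) in pinholes

if __name__ == "__main__":
    # Constructed sample: 192.168.10.5 is NATed to 81.80.81.1 and listens on 10021.
    reply = "227 Entering Passive Mode (192,168,10,5,4,97)\r\n"
    print(parse_pasv(reply))  # ('192.168.10.5', 1121): a high port like those in the asker's logs
    new_reply, port = translate_pasv(reply, "192.168.10.5", "81.80.81.1")
    print(new_reply.strip())  # 227 Entering Passive Mode (81,80,81,1,4,97)
    # Firewall inspecting FTP on port 21 only: the 10021 control channel yields no pinhole,
    # so the client's data connection to 81.80.81.1:1121 is dropped.
    print(data_connection_allowed("81.80.81.1", port, set()))  # False
    # Once the FTP handler is told about 10021, the pinhole exists and the transfer works.
    print(data_connection_allowed("81.80.81.1", port, {("81.80.81.1", port)}))  # True
```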
Regarding FTP :

I'm reading the article :-)

Regarding HTTPS :

That's correct... still wondering why...
For ftp you need to change the CheckPoint INSPECT code so it realizes that ftp is running on a different port.

Modify the macros "ftp_accept_port", "ftp_accept_port_enc", and "ftp_accept_port_clear" in $FWDIR/lib/base.def on the management console so that they will watch for FTP PORT commands on the different port from that specific server.

For more, see http://www.phoneboy.com/fom/fom.pl?_highlightWords=ftp%20port&file=126
Oh, and for the HTTPS issue: is the web server set to only accept requests to a certain IP (e.g. the private address, which the client is not aware of)?
Regarding FTP, I will test it on Monday.

For the HTTPS there is no IP limitation, as I said, when my webserver has a public IP, let's say 81.80.81.1 there's no connection problem, nor from outside/inside my LAN, it occurs only behind my DMZ...
SOLUTION
jlindq is probably correct. If the host part of the HTTP header doesn't match the hostname that the server thinks it has, the http server will ignore the request.

I suggest using ethereal to sniff at the traffic and confirm jlindq's theory. Ethereal is open source and can be found on http://www.ethereal.com.
Without knowing your Domain config I will take a stab at the possibility that you are running win 2000 AD combo and there is an authentication problem not a NAT problem.

If the FTP server is outside the domain or is just a member server and you are logging in with a domain account the login from the outside must be in the format username = yourdomain.com\username with the yourdomain.com\ before the username. This account, domain or local must have log on locally rights as well or no access will be granted.
Hello, sorry for the late answer but I had a lot of work...

I've configured the base.def file and added the statements... I can connect through the new ftp port, but I can connect only if I allow the high TCP ports from my ftp server, otherwise it's dropped by my Firewall...

So incoming from internet on new ftp port OK
NAT to my ftp server OK
Outgoing from ftp server dropped: the source port is indeed the new ftp port I want, but the logs say that for the outgoing packet it's using service 1533 and then 1600 etc...

Do I have another choice ?

For the HTTPS I guess you're all right. How can I avoid this problem then? I'm using IIS 4.0.

Thanks
Most of the issues are solved. Split?