lighthousekeeper
asked on
Port forwarding... twice?
Here is the situation:
Internet---> Sonicwall ---> LAN ---> PIX ---> Webserver
Sonicwall port forwards port 443 to the PIX over the LAN. The PIX port forwards port 443 to the webserver. The webserver is unreachable from the Internet. I'm not sure exactly why this isn't working but I have a feeling this isn't going to work. Does this have to do with the fact that the client machine uses a randomly high numbered port when making connections and as a result this won't translate properly from the Sonicwall to the PIX?
What options do we have on making the Webserver reachable from the Internet going through two firewalls?
Thanks!
Internet---> Sonicwall ---> LAN ---> PIX ---> Webserver
Sonicwall port forwards port 443 to the PIX over the LAN. The PIX port forwards port 443 to the webserver. The webserver is unreachable from the Internet. I'm not sure exactly why this isn't working but I have a feeling this isn't going to work. Does this have to do with the fact that the client machine uses a randomly high numbered port when making connections and as a result this won't translate properly from the Sonicwall to the PIX?
What options do we have on making the Webserver reachable from the Internet going through two firewalls?
Thanks!
By which ranges I mean (outside address=?) <--> (internal network 1 range) <--> (deeper network 2 range)
Any chance of using a dumb switch instead of a firewall as the second, specifically meaning using IP addresses gotten from the FIRST firewall and just passed through? Actually a smarter switch should be able to do this, if you give machines in the inner circle, at least, static IPs.
(first firewall --> 192.168.0.2-20 <-- 2nd firewall --> 192.168.0.21.40 static
Dunno if I'm describing this well, but if you do static you should be able to do this.
Any chance of using a dumb switch instead of a firewall as the second, specifically meaning using IP addresses gotten from the FIRST firewall and just passed through? Actually a smarter switch should be able to do this, if you give machines in the inner circle, at least, static IPs.
(first firewall --> 192.168.0.2-20 <-- 2nd firewall --> 192.168.0.21.40 static
Dunno if I'm describing this well, but if you do static you should be able to do this.
sigh, I mean 21-40, not 21.40
I'm guessing the SonicWall is acting as a NAT (Network Address Translation) and not a passthru device. The PIX more than likely is doing NAT.
You cannot double NAT. You can only translate an IP address to once. i.e. Internet IP of 1.2.3.4 -> SonicWall passing 10.10.10.2 to the PIX which is handing out 192.168.1.2 to your webserver.
Eliminate either the SonicWall or the PIX from the equation and everything should work just fine.
You cannot double NAT. You can only translate an IP address to once. i.e. Internet IP of 1.2.3.4 -> SonicWall passing 10.10.10.2 to the PIX which is handing out 192.168.1.2 to your webserver.
Eliminate either the SonicWall or the PIX from the equation and everything should work just fine.
ASKER
Yep, I think you are right--cannot double NAT--they are both performing this function. I would assume if the PIX was routing instead of acting as a NAT/firewall role that I would be able to put the route on the Sonicwall and then port translate to the routed network?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
How are you doing the forwarding? i.e. what addresses are you using at each point?
I don't know about putting SSL specifically through two firewalls...might not be possible but we can certainly try.