Solved

Port forwarding... twice?

Posted on 2009-05-10
Last Modified: 2012-05-06
Here is the situation:

Internet---> Sonicwall ---> LAN ---> PIX ---> Webserver

Sonicwall port forwards port 443 to the PIX over the LAN.  The PIX port forwards port 443 to the webserver.  The webserver is unreachable from the Internet.  I'm not sure exactly why this isn't working but I have a feeling this isn't going to work.  Does this have to do with the fact that the client machine uses a randomly high numbered port when making connections and as a result this won't translate properly from the Sonicwall to the PIX?

What options do we have on making the Webserver reachable from the Internet going through two firewalls?

Thanks!

0
Question by:lighthousekeeper
6 Comments
 
LVL 7

Expert Comment

by:briandunkle
ID: 24349603
Do both firewalls give out DHCP addresses? If so, what ranges are they using?
How are you doing the forwarding? i.e. what addresses are you using at each point?

I don't know about putting SSL specifically through two firewalls...might not be possible but we can certainly try.
0
 
LVL 7

Expert Comment

by:briandunkle
ID: 24349620
By which ranges I mean (outside address=?) <--> (internal network 1 range) <--> (deeper network 2 range)

Any chance of using a dumb switch instead of a firewall as the second, specifically meaning using IP addresses gotten from the FIRST firewall and just passed through? Actually a smarter switch should be able to do this, if you give machines in the inner circle, at least, static IPs.

(first firewall --> 192.168.0.2-20 <-- 2nd firewall --> 192.168.0.21.40 static

Dunno if I'm describing this well, but if you do static you should be able to do this.
0
 
LVL 7

Expert Comment

by:briandunkle
ID: 24349622
sigh, I mean 21-40, not 21.40
0
 
LVL 5

Expert Comment

by:sykojester
ID: 24349672
I'm guessing the SonicWall is acting as a NAT (Network Address Translation) and not a passthru device.  The PIX more than likely is doing NAT.

You cannot double NAT. You can only translate an IP address once. i.e. Internet IP of 1.2.3.4 -> SonicWall passing 10.10.10.2 to the PIX which is handing out 192.168.1.2 to your webserver.

Eliminate either the SonicWall or the PIX from the equation and everything should work just fine.
0
 

Author Comment

by:lighthousekeeper
ID: 24350357
Yep, I think you are right--cannot double NAT--they are both performing this function.  I would assume if the PIX was routing instead of acting as a NAT/firewall role that I would be able to put the route on the Sonicwall and then port translate to the routed network?

0
 
LVL 56

Accepted Solution

by: andyalder earned 500 total points
ID: 24363520
Double NAT should work; here's a thread with several people who have got it working. If you're using NAT for inbound traffic then anyone accessing your site from behind a NAT firewall will be using double NAT, because the address is translated at their firewall and at yours.

http://episteme.arstechnica.com/groupee/forums/a/tpc/f/469092836/m/4680930245

I would try testing with HTTP rather than HTTPS and it may also help to separate the two NAT devices with a router.

0
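An added example (not from the thread or any of its posters) that models the two-hop inbound NAT the question describes: a client on the Internet hits the SonicWall's public 443, which is forwarded to the PIX's outside address, which forwards again to the webserver. All IP addresses and the client's ephemeral port are constructed; the point it shows is that destination NAT at each hop rewrites only the destination, so the random client port survives untouched, and each hop's own connection table maps the reply back.

```python
# Added example (not from the thread): model the two-hop inbound NAT the
# asker describes. Addresses are constructed; only ports/roles match the post.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class DnatHop:
    """A firewall forwarding one public port, with a connection-tracking table."""
    def __init__(self, public_ip, public_port, target_ip, target_port):
        self.public = (public_ip, public_port)
        self.target = (target_ip, target_port)
        self.conntrack = {}  # translated 4-tuple -> original (dst, dport)

    def inbound(self, pkt):
        # Only packets that hit the forwarded public socket are rewritten.
        if (pkt.dst, pkt.dport) != self.public:
            raise ValueError(f"no forward rule for {pkt.dst}:{pkt.dport}")
        out = replace(pkt, dst=self.target[0], dport=self.target[1])
        self.conntrack[(out.src, out.sport, out.dst, out.dport)] = self.public
        return out

    def outbound(self, pkt):
        # Reply from the target: swap the 4-tuple to find the inbound entry,
        # then put the public address back as the source.
        entry = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            raise ValueError("reply without connection state")
        return replace(pkt, src=entry[0], sport=entry[1])

def round_trip(client_pkt, hops):
    """Carry a client SYN through all hops and the server's reply back out."""
    pkt = client_pkt
    for hop in hops:
        pkt = hop.inbound(pkt)
    at_server = pkt
    reply = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    for hop in reversed(hops):
        reply = hop.outbound(reply)
    return at_server, reply

# Constructed addresses; the client's ephemeral port is random, as the asker notes.
SONICWALL = DnatHop("198.51.100.1", 443, "10.10.10.2", 443)
PIX = DnatHop("10.10.10.2", 443, "192.168.1.2", 443)
CLIENT_SYN = Packet("203.0.113.5", 51874, "198.51.100.1", 443)
```

Running `round_trip(CLIENT_SYN, [SONICWALL, PIX])` shows the SYN arriving at the webserver still sourced from the client's 51874, and the reply leaving the SonicWall from its public 443. What the model cannot show is the real-world failure mode the thread hints at: if the PIX's reply is routed anywhere other than back through the SonicWall, the outer connection entry is never matched.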
