Can you please post the output of the following commands?
Code: Select all
ip
ip route
access
If that modification is not an option for you, just post your output as is and we will do the replacement on your behalf.
Best Regards,
Non-Transparent
Re: Non-Transparent
Hello,
Can you please post the output of the following commands?
For security reasons, I suggest that you do not reveal your real public IP addresses here. To do so you can replace public IPs by private ones (RFC1918) at your convenience. When replacing public IPs, please make sure that chosen private IPs properly reflect right network membership.
If that modification is not an option for you, just post your output as is and we will do the replacement on your behalf.
Best Regards,
Can you please post the output of the following commands?
If that modification is not an option for you, just post your output as is and we will do the replacement on your behalf.
Best Regards,
Re: Non-Transparent
Hey David
I don't have access to the console, the server is at the Colocation. I can get into the Web Admin from the External side.
Here's the fake IP layout
Internal: 192.168.0.58, 255.255.255.248. GW x.x.0.57
External: 192.168.3.18, 255.255.255.248. GW x.x.3.17
Static IP Route in Web GUI
Net Address Net Mask Gateway Weight Pinged Server
0.0.0.0 0.0.0.0 192.168.3.17 50 192.168.3.17
I don't have access to the console, the server is at the Colocation. I can get into the Web Admin from the External side.
Here's the fake IP layout
Internal: 192.168.0.58, 255.255.255.248. GW x.x.0.57
External: 192.168.3.18, 255.255.255.248. GW x.x.3.17
Static IP Route in Web GUI
Net Address Net Mask Gateway Weight Pinged Server
0.0.0.0 0.0.0.0 192.168.3.17 50 192.168.3.17
Re: Non-Transparent
Hi,
Sorry for the delayed response.
Well, it seems you are in asymmetric routing configuration. As CG acts as a stateful firewall, requests and related responses should pass by the same network interface. In your configuration Web client/browser requests pass by the internal interface while responses to them pass by the external interface, hence an asymmetric routing that breaks the communication.
When you implement CG with 2 public IP addresses, your client (public) IP addresses should be known in advance (with static IPs) and can't be dynamic. This for 2 reasons:
- Avoiding asymmetric routing
- Restricting your CG usage to allowed users only
For a client having the IP address 10.0.10.1, you will have to add the following to your configuration:
(assuming that your internal gateway is 192.168.0.57)
I hope that I was as clear as possible.
Best Regards,
Sorry for the delayed response.
Well, it seems you are in asymmetric routing configuration. As CG acts as a stateful firewall, requests and related responses should pass by the same network interface. In your configuration Web client/browser requests pass by the internal interface while responses to them pass by the external interface, hence an asymmetric routing that breaks the communication.
When you implement CG with 2 public IP addresses, your client (public) IP addresses should be known in advance (with static IPs) and can't be dynamic. This for 2 reasons:
- Avoiding asymmetric routing
- Restricting your CG usage to allowed users only
For a client having the IP address 10.0.10.1, you will have to add the following to your configuration:
Code: Select all
ip route add 10.0.10.1 255.255.255.255 192.168.0.57
access web add 10.0.10.1 255.255.255.255
applyI hope that I was as clear as possible.
Best Regards,
Re: Non-Transparent
Hi,
Thank you David,
I just wanted to add some complementary information regarding the CLI (Command Line Interface) access. If you don't have an access to the console port you can activate the SSH service on your CacheGuard appliance in order to have a remote access to the CLI using the SSH protocol.
Do to so please use the Web GUI and proceed as follows:
Go to the [GENERAL] > [Main Settings] > [Administration Services] menu option, tick SSH and then press the SUBMIT button.
Go the [SECURITY] > [Appliance Access] > [Remote Administrators] menu option, press the ADD button, enter your admin client IP and then press the SUBMIT button.
Finally press the blinking down arrow button in blue (in the top mini bar menu) and then press the SUBMIT button.
At this stage the SSH service is activated on your CacheGuard and your allowed admin client can remotely access to your CacheGuard's CLI using an SSH client (putty for instance under Windows). Please note that for security reasons it is highly recommended to do not allow the 0.0.0.0/0.0.0.0 as an admin client (which is the default configuration to facilitate the admin access during the first configuration steps).
All the Best,
Thank you David,
I just wanted to add some complementary information regarding the CLI (Command Line Interface) access. If you don't have an access to the console port you can activate the SSH service on your CacheGuard appliance in order to have a remote access to the CLI using the SSH protocol.
Do to so please use the Web GUI and proceed as follows:
Go to the [GENERAL] > [Main Settings] > [Administration Services] menu option, tick SSH and then press the SUBMIT button.
Go the [SECURITY] > [Appliance Access] > [Remote Administrators] menu option, press the ADD button, enter your admin client IP and then press the SUBMIT button.
Finally press the blinking down arrow button in blue (in the top mini bar menu) and then press the SUBMIT button.
At this stage the SSH service is activated on your CacheGuard and your allowed admin client can remotely access to your CacheGuard's CLI using an SSH client (putty for instance under Windows). Please note that for security reasons it is highly recommended to do not allow the 0.0.0.0/0.0.0.0 as an admin client (which is the default configuration to facilitate the admin access during the first configuration steps).
All the Best,
Re: Non-Transparent
Hey Charles and David
I apologize for the delay. I went on Vacation and it was a mad rush and then got back and totally forgot about checking the forum.
I will read this over and see if I can figure it out. I'll let you know if i have any questions
Thanks
Mike
I apologize for the delay. I went on Vacation and it was a mad rush and then got back and totally forgot about checking the forum.
I will read this over and see if I can figure it out. I'll let you know if i have any questions
Thanks
Mike