Unable to ping internal interface from beyond the router
Posted: 28 Oct 2015 01:30
Hi, I'm not sure if we can make this work in our environment, or if it is only meant for small home networks and must be in the same broadcast domain.
I want to see if we can use the forward proxying function so that systems in our network can browse through the proxy so we can add private non-routable subnets to our internal routers.
We have a class C address space and it is split between multiple sites. Where I am setting up the CG is at our largest block of space (I'm going to use non-real IPs in the example below, but the last two octets are the same as on my network). I currently use an F5 with SNAT pools assigned for use by my non-routable segments, but many of them don't need source NATing but rather a simple forward web proxy cache server.
External Network: 10.100.171.0/24
Internal Networks: 10.100.160.0/24 & 10.100.161.0/24
ip internal/Eth0: 10.100.160.102 255.255.255.0
ip external/Eth1: 10.100.171.6 255.255.255.0
ip auxiliary (I wasn't sure what this was so I set it to 10.0.0.254 255.255.255.255)
ip internal.0 (I wasn't sure what this was so I set it to 10.0.0.253 255.255.255.255)
DefGW: 10.100.171.1 (our firewall)
ip route default 10.100.171.1
From the console I can ping the firewall and router for both networks 10.100.160.1 and 10.100.171.1.
The firewall & router can ping the CG on its own subnet; from outside those two subnets I can ping the external IP 10.100.171.6, but not the internal 10.100.160.102 (typical, I am assuming, because the system does not have a gateway for the internal network).
I've attached an example diagram of our network; the computer at 10.100.161.134 is unable to contact the internal IP at 10.100.160.102. This goes to my previous point at the beginning, where I wonder if this system only works for users in the same broadcast domain?
Is there a way to make the system function with a single address? Does the system only forward proxy if the requests come to the internal IP, or can we use the external IP and just disable the internal NIC?
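The symptom described in the post (the external address answers from other subnets, the internal one does not) is what you get when the appliance has a connected route for 10.100.160.0/24 but only a default route for everything else, so a reply to 10.100.161.134 leaves by the external interface instead of going back through the internal router. The following is an added example, not code from the original post or from the appliance's vendor: it models the routing table from the post with a generic longest-prefix-match lookup and shows that an explicit route for 10.100.161.0/24 via the internal router 10.100.160.1 (an assumed fix; the appliance's own route syntax is not reproduced here) makes the return path symmetric. Interface names eth0/eth1 are the ones the post uses.

```python
"""Added example: simulate the appliance's forwarding decision for replies
to hosts on the second internal subnet, with and without a static route.
Addresses are the example addresses from the post; the fix (a route for
10.100.161.0/24 via 10.100.160.1) is an assumption, not vendor guidance."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None means directly connected
    iface: str               # interface the packet leaves through


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst_ip in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def reply_is_symmetric(table: List[Route], src_host: str, ingress_iface: str) -> bool:
    """A request from src_host arrived on ingress_iface; the reply is symmetric
    only if the route back to src_host uses that same interface."""
    route = lookup(table, src_host)
    return route is not None and route.iface == ingress_iface


# Routing table as described in the post: two connected subnets plus the
# default route via the firewall on the external side.
BASE_TABLE = [
    Route(ipaddress.ip_network("10.100.160.0/24"), None, "eth0"),          # internal
    Route(ipaddress.ip_network("10.100.171.0/24"), None, "eth1"),          # external
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.100.171.1", "eth1"),      # ip route default
]

# Assumed fix: tell the appliance that the other internal subnet is reached
# through the internal router 10.100.160.1 on eth0.
FIXED_TABLE = BASE_TABLE + [
    Route(ipaddress.ip_network("10.100.161.0/24"), "10.100.160.1", "eth0"),
]


def describe(table: List[Route], src_host: str, ingress_iface: str) -> str:
    route = lookup(table, src_host)
    via = route.gateway or "directly connected"
    state = "symmetric" if reply_is_symmetric(table, src_host, ingress_iface) else "ASYMMETRIC"
    return f"reply to {src_host}: out {route.iface} via {via} -> {state}"


if __name__ == "__main__":
    # The ping from 10.100.161.134 enters on eth0 (it came through 10.100.160.1).
    print("before:", describe(BASE_TABLE, "10.100.161.134", "eth0"))
    print("after: ", describe(FIXED_TABLE, "10.100.161.134", "eth0"))
```

With the base table the reply to 10.100.161.134 is sent to the firewall on eth1, and a stateful firewall or the internal router's anti-spoofing checks can then drop it, which matches "can ping the external IP but not the internal one". The same model predicts that hosts on 10.100.160.0/24 never see the problem, because their return route is the connected eth0 route.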