Unable to ping internal interface from beyond the router

dda23
Posts: 2
Joined: 28 Oct 2015 00:51

Unable to ping internal interface from beyond the router

Post by dda23 »

Hi, I'm not sure if we can make this work in our environment or if it is only meant for small home networks and must be in the same broadcast domain.

I want to see if we can use the forward proxying function so that systems in our network can browse through the proxy so we can add private non-routable subnets to our internal routers.

We have a class C address space and it is split between multiple sites. Where I am setting up the CG is at our largest block of space (I'm going to use non-real IPs for the example below, but the last two octets are the same as my network). I currently use an F5 with SNAT pools assigned for use by my non-routable segments, but many of them don't need source NATing but rather a simple forward web proxy cache server.

External Network: 10.100.171.0/24
Internal Networks: 10.100.160.0/24 & 10.100.161.0/24

ip internal/Eth0: 10.100.160.102 255.255.255.0
ip external/Eth1: 10.100.171.6 255.255.255.0
ip auxiliary (I wasn't sure what this was so I set it to 10.0.0.254 255.255.255.255)
ip internal.0 (I wasn't sure what this was so I set it to 10.0.0.253 255.255.255.255)
DefGW: 10.100.171.1 (our firewall)
ip route default 10.100.171.1

From the console I can ping the firewall and router for both networks 10.100.160.1 and 10.100.171.1.

The firewall & router can ping the CG on its own subnet; from outside those two subnets I can ping the external IP 10.100.171.6, but not the internal 10.100.160.102 (typical, I am assuming, because the system does not have a gateway for the internal network).

I've attached an example diagram of our network; the computer at 10.100.161.134 is unable to contact the internal IP at 10.100.160.102.
[Attachment: Drawing1.jpg]
This goes to my previous point at the beginning where I wonder if this system only works for users in the same broadcast domain?

Is there a way to make the system function with a single address? Does the system only forward proxy if the requests come to the internal IP or can we use the external IP and just disable the internal NIC?
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Unable to ping internal interface from beyond the router

Post by david »

Hello dda23

Thank you for your clear post; the diagram is simply the cherry on the cake :-) You facilitate my work...

In response to your questions:

- Even if our solution is free (for up to 100 end-users) and open source, it remains an enterprise grade solution. Of course it can be implemented for users located in other networks than its internal broadcast domain. In your case I suspect that you forgot to add an IP route on CG for the network 10.100.161.0/24. To do so and if you use the CLI you can use the following commands to add the required route:

Code:

    ip route add 10.100.161.0 255.255.255.0 10.100.160.1
    apply

To go even further you can configure ACLs using the command "access web...". But keep in mind that for security reasons only end-users placed behind its internal interface can use CG as a forwarding proxy.

- CG is not only a forwarding Web proxy but also a reverse proxy, an antivirus, a URL filter, a traffic shaper, a network firewall... So it's cabled to hide internal networks from the external world (we define CG as a Web gateway - refer to the http://www.cacheguard.com/index.php/cac ... -features/ page for further information). That's why its internal interface can't be reached by traffic incoming from its external interface. However, you can configure it in order to allow traffic incoming from its external interface and outgoing to protected networks (see the command "firewall").

- As CG acts as a firewall it's cabled to be used with at least two NICs (a configuration with a single IP address is not supported). CG has three logical interfaces: the internal, the external and the auxiliary (to be used for a DMZ or a BOZ (Back Office Zone) at your convenience). On its internal interface it supports 802.1Q tagged VLANs (that's the purpose of the internal.0 interface you mentioned).

Let me know if you have any further questions.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
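Added example, not CacheGuard's own code: a small Python model of the CG routing table from this thread, reproducing david's diagnosis. Before the extra route, a reply to 10.100.161.134 is matched only by the default route and would leave via the external interface, so the path is asymmetric and a firewall-style gateway never answers; after adding the route david gives, the reply returns through the internal interface. The interface names and the (destination, next-hop, interface) table shape are assumptions.

```python
"""Constructed route table for the CG in this thread (not CacheGuard code).

Connected routes for the internal (Eth0) and external (Eth1) subnets plus the
default route, exactly as dda23 configured them. next_hop None means the
network is directly connected.
"""
from ipaddress import ip_address, ip_network

ROUTES = [
    (ip_network("10.100.160.0/24"), None, "internal"),
    (ip_network("10.100.171.0/24"), None, "external"),
    (ip_network("0.0.0.0/0"), ip_address("10.100.171.1"), "external"),
]

# The route david's reply adds: 10.100.161.0/24 via the internal router.
FIX_ROUTE = (ip_network("10.100.161.0/24"), ip_address("10.100.160.1"), "internal")


def lookup(routes, dst):
    """Longest-prefix match: the (network, next_hop, interface) used for dst."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def reply_path_is_symmetric(routes, src, ingress_iface):
    """True when CG's reply to src leaves through the interface it arrived on.

    An asymmetric path (in via internal, out via external) is what a gateway
    that hides internal networks from the external side will not forward.
    """
    route = lookup(routes, src)
    return route is not None and route[2] == ingress_iface


if __name__ == "__main__":
    host = "10.100.161.134"  # the PC from dda23's diagram
    for label, table in (("before", ROUTES), ("after", ROUTES + [FIX_ROUTE])):
        net, hop, iface = lookup(table, host)
        print(f"{label}: {host} -> {net} via {hop or 'connected'} on {iface}, "
              f"symmetric={reply_path_is_symmetric(table, host, 'internal')}")
```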
dda23
Posts: 2
Joined: 28 Oct 2015 00:51

Re: Unable to ping internal interface from beyond the router

Post by dda23 »

Ok, that makes sense. I'll try adding the routes and see if I can get it to work.

Thanks for getting back to me.