12 Replies, latest reply on May 3, 2012 11:59 AM by sliedl

    Redirect a Public IP to a Private IP

      I have a McAfee Enterprise Firewall (8.2.1).

      I am having a problem with getting "Access Denied" when trying to go to a specific public IP which is a web server. That specific public IP is hosted behind the same firewall in a DMZ that I am trying to go out on. Accessing this public IP is not a problem outside our network (on the internet). The firewall it seems doesn't like the traffic going out and coming right back in to the DMZ. There is a rule in place that allows HTTP traffic from the internet into the web server and it redirects the public IP to the LAN IP of the web server (this works without issue). I am trying to create a rule (so far unsuccessfully) to try and redirect users on the LAN going to this public IP to the LAN IP in the DMZ of the web server, in order to get around the Access Denied error. However, I still get Access Denied. I have the IP in the global allow list on the firewall.

      Can anyone help me tweak this rule?

      I can access web server internally from the LAN IP in the DMZ without issue.

      Internet (external users) can access the web server without issue.

      Internal users cannot access the web server by going to the public IP (get Access Denied).

      I am looking to redirect the request to the specific public IP to the LAN IP, but I am unable to get past the Access Denied error when I believe the firewall rule is correct.

      Rule states this …

      It’s an Allow Rule (above the Deny All)

      Applications: HTTP/HTTPS TCP/80;SSL/443

      Source Endpoints: Any V4 IP [Zone: Internal]

      Destination Endpoints: Public IP Address [Zone: Any]

      NAT: local host (Host)

      Redirect: LAN IP in the DMZ

      GTI Host Reputation: None

      Application Defense Group: Default group

      Audit: Standard

      Authenticator: none

      IPS Signatures / Responses : None

      On the firewall, in the real time log (or Audit Viewing), filtered down, the errors listed state …

      Warning …

      Event: redirect address required

      Reason: a redirect address was required but not found. This may be a configuration error, or it may be a probe attempt. Connection closed.

      Critical …

      Event: ACL Deny

      Reason: Traffic denied by policy

      Message was edited by: xmich on 5/3/12 9:47:20 AM CDT
        • 1. Re: Redirect a Public IP to a Private IP
          PhilM
          The firewall it seems doesn’t like the traffic going out and coming right back in to the DMZ.

          It never has in the 12-odd years I've been working with it, and I doubt that it ever will.

          The notion with this product is there should be no reason why an internal host should need to access a DMZ host via the external side of the Firewall. I do work with other vendors' Firewall solutions and I know that they do support the notion of a 'loopback' NAT policy. But because my exposure has been to Firewall Enterprise (and all preceding versions of "Secure Firewall" and "Sidewinder" back to version 5), I have never quite understood why you would need or want to do so.

          Simple split DNS entries mean that when users on the internet browse to 'www.webserver.com' it resolves to the Firewall's public IP address, but users on the internal network trying to access the same host would have it resolve to the DMZ IP address instead. A rule from internal-DMZ would then allow them to physically access it (something which you would already appear to have in place).

          -Phil.

          • 2. Re: Redirect a Public IP to a Private IP

            Thanks for the response.

            I was just hoping I could grab the request to the public IP internally with a custom rule that simply redirects the request to the DMZ LAN IP.

            So the only solution you see is having the Domain DNS (on the web) be the actual public IP and the Internal DNS be the DMZ LAN IP.

            • 3. Re: Redirect a Public IP to a Private IP
              sliedl

              Just make this rule:

              Source burb: internal

              Dest burb: external (because your DESTINATION IP is originally on the external side of the firewall)

              Source endpoint: <Any>

              Dest. endpoint: [Public IP]

              NAT: <None>

              Redirect: [DMZ IP of this webserver]

              The FW will see this packet destined for an IP off the external burb.  It will change the destination IP (Redirect) and send it off the DMZ burb via routing.

              The BIGGEST thing you need to think of now is NAT: do you change the source IP of the packet so it looks like it's coming from the FIREWALL (NAT: localhost) or so that there is NO NAT (i.e. the packet will come from your PRIVATE/internal IP).  You need to know whether this webserver will route traffic from [Your IP] back to the firewall (where it came from).

              on 5/3/12 10:50:41 AM CDT
              • 4. Re: Redirect a Public IP to a Private IP
                PhilM
                I was just hoping I could grab the request to the public IP internally with a custom rule that simply redirects the request to the DMZ LAN IP.

                Not that I'm aware of, I'm afraid.

                So the only solution you see is having the Domain DNS (on the web) be the actual public IP and the Internal DNS be the DMZ LAN IP

                In a word, yes.

                But given that my first exposure to firewalls in the late 1990s was to one whose DNA was related to the Sidewinder product I first started working with in 2000, and which behaved in the same way, I really didn't know any different until a couple of years ago. I'm not saying that one way is wrong and the other is right, but the concept of sending traffic from the internal side to the external, only to have it re-directed to a DMZ address when the DMZ address can be accessed directly, is a little strange to me.

                Edit - there you go, sliedl arrives and blows my theories out of the water! I'd take his word over mine any day of the week.

                Message was edited by: PhilM on 03/05/12 16:53:26 IST
                • 5. Re: Redirect a Public IP to a Private IP
                  sliedl

                  Are you sure you have the correct Redirect IP there?

                  Edit: It might be that you have both NAT and Redirect on.  Can you please try setting NAT to <None> and see if that works?  I'm trying this out right now.

                  on 5/3/12 10:57:07 AM CDT
                  • 6. Re: Redirect a Public IP to a Private IP

                    Thanks for the help sliedl, but I tried that before, tried it again just now, confirmed the change was how you suggested above, no dice. Still getting access denied when I type the public IP into my browser; it comes right up if I type the DMZ IP. I am not using any proxy or anything in my browser either.

                    • 7. Re: Redirect a Public IP to a Private IP
                      sliedl

                      Hmm, strange, I just tried it myself and it works both ways for me.

                      I suggest opening a ticket with Support.

                      Edit:

                      You're probably hitting a rule which you don't think you're hitting.  That's why this is not working and you're getting that redirect error.

                      Message was edited by: sliedl on 5/3/12 11:33:13 AM CDT
                      • 8. Re: Redirect a Public IP to a Private IP

                        sliedl, what version are you on?

                        • 9. Re: Redirect a Public IP to a Private IP
                          sliedl

                          8.2.1. I tried it on 70103 also; it worked there.

                          You are hitting the wrong rule, I am sure of it.  You posted these messages:

                          Event: redirect address required

                          Reason: a redirect address was required but not found. This may be a configuration error, or it may be a probe attempt. Connection closed.

                          That means you're hitting a rule that requires a redirect address.  You have a redirect address in your rule.  That says to me you're not hitting the rule you think you're hitting.  I believe that audit message you pasted has a rule_name in it and you didn't paste it (not positive though).  Look for the rule_name, or put this rule at the top of your policy.
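As an added example (not from the thread, and not McAfee's own tooling), a small Python script that does the check sliedl recommends: parse exported audit records, keep only those for the public IP being tested, and group them by rule_name so the rule that actually fired is visible. The record layout and field names (srcip, dstip, src_burb, dst_burb, rule_name, event) are assumed approximations of the 'key: value' style the audit viewer shows, and the sample lines are constructed, not real output.

```python
import re
from collections import Counter

# Constructed sample audit records (layout approximated; not real firewall output).
SAMPLE_AUDIT = """\
2012-05-03 10:50:41 -0500 f_http_proxy a_server t_attack p_major event: redirect address required srcip: 10.1.1.25 dstip: 203.0.113.10 dstport: 80 src_burb: internal dst_burb: external rule_name: Inbound_Web
2012-05-03 10:50:41 -0500 f_kernel_ipfilter a_general_area t_acldeny p_major event: ACL deny srcip: 10.1.1.25 dstip: 203.0.113.10 dstport: 80 src_burb: internal dst_burb: external rule_name: Deny_All
2012-05-03 10:51:02 -0500 f_http_proxy a_server t_attack p_major event: redirect address required srcip: 10.1.1.40 dstip: 203.0.113.10 dstport: 443 src_burb: internal dst_burb: external rule_name: Inbound_Web
2012-05-03 10:52:15 -0500 f_kernel_ipfilter a_general_area t_aclallow p_minor event: ACL allow srcip: 10.1.1.25 dstip: 172.16.5.10 dstport: 80 src_burb: internal dst_burb: dmz rule_name: Internal_to_DMZ_Web
"""

FIELD_RE = re.compile(r"(\w+): (.*)")


def parse_audit_line(line):
    """Split one record into a dict of its 'key: value' fields.

    Values may contain spaces (e.g. 'event: redirect address required'), so the
    line is split only where the next token looks like a field name followed by
    ': '. Everything before the first field (timestamp, facility tokens) is
    kept under 'prefix'.
    """
    parts = re.split(r" (?=\w+: )", line.strip())
    fields = {"prefix": parts[0]}
    for part in parts[1:]:
        m = FIELD_RE.match(part)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def rules_hit_for(audit_text, dstip, srcip=None):
    """Count (rule_name, event) pairs for records to dstip (optionally from srcip)."""
    hits = Counter()
    for line in audit_text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("dstip") != dstip:
            continue
        if srcip and rec.get("srcip") != srcip:
            continue
        hits[(rec.get("rule_name", "<no rule_name>"), rec.get("event", "?"))] += 1
    return hits


def unexpected_rules(audit_text, dstip, expected_rule):
    """Return the sorted names of rules that fired for dstip other than the one expected."""
    hits = rules_hit_for(audit_text, dstip)
    return sorted({rule for (rule, _event) in hits if rule != expected_rule})


if __name__ == "__main__":
    for (rule, event), n in rules_hit_for(SAMPLE_AUDIT, "203.0.113.10").items():
        print(f"{n:3d}  {rule:24s}  {event}")
    print("unexpected:", unexpected_rules(SAMPLE_AUDIT, "203.0.113.10", "Internal_Hairpin_Web"))
```

If the audit export lacks rule_name entirely, every record lands under "<no rule_name>", which tells you to widen the export rather than keep reordering rules.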
