Non-Transparent

Discuss and get help configuring CacheGuard to protect Web end-users
david
Posts: 157
Joined: 08 Aug 2015 20:38

Re: Non-Transparent

Post by david » 03 May 2019 16:59

Hello,

Can you please post the output of the following commands?

    ip
    ip route
    access

For security reasons, I suggest that you do not reveal your real public IP addresses here. To do so, you can replace public IPs with private ones (RFC 1918) at your convenience. When replacing public IPs, please make sure that the chosen private IPs properly reflect the right network membership.

If that modification is not an option for you, just post your output as is and we will do the replacement on your behalf.

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

FortifyIT
Posts: 21
Joined: 10 Apr 2018 19:07

Re: Non-Transparent

Post by FortifyIT » 03 May 2019 17:52

Hey David

I don't have access to the console; the server is at the colocation facility. I can get into the Web Admin from the external side.


Here's the fake IP layout

Internal: 192.168.0.58, 255.255.255.248. GW x.x.0.57

External: 192.168.3.18, 255.255.255.248. GW x.x.3.17


Static IP Route in Web GUI:

Net Address   Net Mask   Gateway        Weight   Pinged Server
0.0.0.0       0.0.0.0    192.168.3.17   50       192.168.3.17

david
Posts: 157
Joined: 08 Aug 2015 20:38

Re: Non-Transparent

Post by david » 08 May 2019 08:42

Hi,

Sorry for the delayed response.

Well, it seems you are in an asymmetric routing configuration. As CG acts as a stateful firewall, requests and their related responses should pass through the same network interface. In your configuration, Web client/browser requests pass through the internal interface while the responses to them pass through the external interface, hence asymmetric routing, which breaks the communication.

When you implement CG with 2 public IP addresses, your client (public) IP addresses should be known in advance (with static IPs) and can't be dynamic. This is for 2 reasons:

- Avoiding asymmetric routing
- Restricting your CG usage to allowed users only

For a client having the IP address 10.0.10.1, you will have to add the following to your configuration:

    ip route add 10.0.10.1 255.255.255.255 192.168.0.57
    access web add 10.0.10.1 255.255.255.255
    apply

(assuming that your internal gateway is 192.168.0.57)

I hope that I was as clear as possible.

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com
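The asymmetry David describes, and why a host route fixes it, can be reproduced on paper. The block below is an added example written for this thread, not CacheGuard code: it models the sanitised layout Mike posted (internal 192.168.0.58/29 with gateway .57, external 192.168.3.18/29 with gateway .17, a single default route via the external gateway) and does plain longest-prefix-match route selection, which is what a Linux-based appliance does. The class and function names (Appliance, egress_for, is_symmetric, fix_commands) are the example's own, and "internal"/"external" are assumed interface labels. With only the default route, a reply to the client 10.0.10.1 leaves via the external interface even though the request arrived on the internal one; after the /32 route from David's reply is added, the reply goes back the way it came. fix_commands also prints the CLI lines for several static clients at once, which is the natural generalisation of the single-client snippet above.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not CacheGuard code. Models the sanitised layout from the
# thread and plain longest-prefix-match route selection.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    iface: str


@dataclass
class Appliance:
    interfaces: dict                     # assumed labels -> IPv4Interface
    routes: list = field(default_factory=list)

    def add_route(self, net: str, mask: str, gateway: str) -> Route:
        """Equivalent of `ip route add <net> <mask> <gateway>`: the egress
        interface is the one whose subnet contains the gateway."""
        prefix = ipaddress.IPv4Network(f"{net}/{mask}")
        gw = ipaddress.IPv4Address(gateway)
        iface = next(name for name, addr in self.interfaces.items()
                     if gw in addr.network)
        route = Route(prefix, gw, iface)
        self.routes.append(route)
        return route

    def egress_for(self, dst: str) -> str:
        """Interface a reply to `dst` leaves through: most specific route wins."""
        addr = ipaddress.IPv4Address(dst)
        best = max((r for r in self.routes if addr in r.prefix),
                   key=lambda r: r.prefix.prefixlen)
        return best.iface

    def is_symmetric(self, client: str, arrived_on: str) -> bool:
        """A stateful firewall needs the reply to leave through the interface
        the request arrived on; anything else is asymmetric routing."""
        return self.egress_for(client) == arrived_on


def thread_appliance() -> Appliance:
    """The setup posted in the thread before any fix: only a default route."""
    app = Appliance(interfaces={
        "internal": ipaddress.IPv4Interface("192.168.0.58/29"),
        "external": ipaddress.IPv4Interface("192.168.3.18/29"),
    })
    app.add_route("0.0.0.0", "0.0.0.0", "192.168.3.17")
    return app


def fix_commands(clients, internal_gateway: str) -> list:
    """CacheGuard CLI lines from David's reply, generalised to several
    statically addressed clients: a host route back through the internal
    gateway plus a matching web access entry, then `apply`."""
    lines = []
    for c in clients:
        ipaddress.IPv4Address(c)   # reject anything that is not a single IPv4 address
        lines.append(f"ip route add {c} 255.255.255.255 {internal_gateway}")
        lines.append(f"access web add {c} 255.255.255.255")
    lines.append("apply")
    return lines


def apply_fix(app: Appliance, clients, internal_gateway: str) -> list:
    """Add the host routes to the model and return the CLI lines to type."""
    for c in clients:
        app.add_route(c, "255.255.255.255", internal_gateway)
    return fix_commands(clients, internal_gateway)


if __name__ == "__main__":
    app = thread_appliance()
    client = "10.0.10.1"           # client address used in the thread
    print("before:", app.egress_for(client),
          "symmetric:", app.is_symmetric(client, "internal"))
    for line in apply_fix(app, [client], "192.168.0.57"):
        print("   ", line)
    print("after: ", app.egress_for(client),
          "symmetric:", app.is_symmetric(client, "internal"))
```

The check to keep in mind when running it against a real layout: any client that reaches the appliance through the internal interface but has no more specific route than the default will fail the is_symmetric test, and that is exactly the set of clients that needs both a host route and an access entry.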

charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris

Re: Non-Transparent

Post by charles » 08 May 2019 09:25

Hi,

Thank you David,

I just wanted to add some complementary information regarding CLI (Command Line Interface) access. If you don't have access to the console port, you can activate the SSH service on your CacheGuard appliance in order to have remote access to the CLI using the SSH protocol.

To do so, please use the Web GUI and proceed as follows:

Go to the [GENERAL] > [Main Settings] > [Administration Services] menu option, tick SSH and then press the SUBMIT button.
Go to the [SECURITY] > [Appliance Access] > [Remote Administrators] menu option, press the ADD button, enter your admin client IP and then press the SUBMIT button.
Finally, press the blinking blue down-arrow button (in the top mini bar menu) and then press the SUBMIT button.

At this stage the SSH service is activated on your CacheGuard, and your allowed admin client can remotely access your CacheGuard's CLI using an SSH client (PuTTY, for instance, under Windows). Please note that for security reasons it is highly recommended not to allow 0.0.0.0/0.0.0.0 as an admin client (which is the default configuration, to facilitate admin access during the first configuration steps).

All the Best,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com

FortifyIT
Posts: 21
Joined: 10 Apr 2018 19:07

Re: Non-Transparent

Post by FortifyIT » 09 Jul 2019 16:02

Hey Charles and David


I apologize for the delay. I went on vacation, and it was a mad rush; then I got back and totally forgot about checking the forum.


I will read this over and see if I can figure it out. I'll let you know if I have any questions.

Thanks
Mike
