
Re: Non-Transparent

Posted: 03 May 2019 16:59
by david

Can you please post the output of the following commands?

Code:

ip route

For security reasons, I suggest that you do not reveal your real public IP addresses here. To do so, you can replace public IPs with private ones (RFC 1918) at your convenience. When replacing public IPs, please make sure that the chosen private IPs properly reflect the right network membership.

If that modification is not an option for you, just post your output as is and we will do the replacement on your behalf.

Best Regards,

Re: Non-Transparent

Posted: 03 May 2019 17:52
by FortifyIT
Hey David

I don't have access to the console; the server is at the colocation. I can get into the Web Admin from the External side.

Here's the fake IP layout

Internal:, GW x.x.0.57

External:, GW x.x.3.17

Static IP Route in Web GUI

Net Address Net Mask Gateway Weight Pinged Server 50

Re: Non-Transparent

Posted: 08 May 2019 08:42
by david

Sorry for the delayed response.

Well, it seems you are in an asymmetric routing configuration. As CG acts as a stateful firewall, requests and related responses should pass through the same network interface. In your configuration, Web client/browser requests pass through the internal interface while responses to them pass through the external interface, hence an asymmetric routing that breaks the communication.

When you implement CG with 2 public IP addresses, your client (public) IP addresses should be known in advance (with static IPs) and can't be dynamic. This is for 2 reasons:

- Avoiding asymmetric routing
- Restricting your CG usage to allowed users only

For a client having the IP address, you will have to add the following to your configuration:

Code:

ip route add
access web add 
(assuming that your internal gateway is

I hope that I was as clear as possible.

Best Regards,
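
Added example, not part of david's post and not CacheGuard code: a small Python model of the asymmetric-routing condition described above, using longest-prefix route lookup to compare the interface a request arrives on with the interface the reply would leave by. All addresses are constructed stand-ins (RFC 1918 / RFC 5737) and the function names are hypothetical.

```python
import ipaddress

# Constructed addressing; the thread's real values are elided.
INTERNAL_GW = "192.168.0.57"
EXTERNAL_GW = "192.168.3.17"
CLIENT = "198.51.100.20"  # constructed static client IP (RFC 5737 range)

# (destination, gateway or None if directly connected, interface)
ROUTES = [
    ("0.0.0.0/0", EXTERNAL_GW, "external"),   # default route
    ("192.168.0.0/24", None, "internal"),     # connected internal network
    ("192.168.3.0/24", None, "external"),     # connected external network
]

def egress(routes, dst):
    """Longest-prefix match: return (interface, gateway) used to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]

def is_asymmetric(routes, client_ip, ingress_iface):
    """True when replies to client_ip leave by a different interface than
    the one its requests arrived on (a stateful firewall drops such flows)."""
    iface, _gw = egress(routes, client_ip)
    return iface != ingress_iface

def with_client_route(routes, client_ip, gateway, iface):
    """Return a new table with a host route for one known client."""
    return routes + [(f"{client_ip}/32", gateway, iface)]

if __name__ == "__main__":
    # Requests reach the proxy on the internal interface.
    print("before:", egress(ROUTES, CLIENT), is_asymmetric(ROUTES, CLIENT, "internal"))
    fixed = with_client_route(ROUTES, CLIENT, INTERNAL_GW, "internal")
    print("after: ", egress(fixed, CLIENT), is_asymmetric(fixed, CLIENT, "internal"))
```

The host route only works for clients whose addresses are known in advance, which is why the post asks for static client IPs.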

Re: Non-Transparent

Posted: 08 May 2019 09:25
by charles

Thank you David,

I just wanted to add some complementary information regarding the CLI (Command Line Interface) access. If you don't have access to the console port, you can activate the SSH service on your CacheGuard appliance in order to have remote access to the CLI using the SSH protocol.

To do so, please use the Web GUI and proceed as follows:

Go to the [GENERAL] > [Main Settings] > [Administration Services] menu option, tick SSH and then press the SUBMIT button.
Go to the [SECURITY] > [Appliance Access] > [Remote Administrators] menu option, press the ADD button, enter your admin client IP and then press the SUBMIT button.
Finally press the blinking down arrow button in blue (in the top mini bar menu) and then press the SUBMIT button.

At this stage the SSH service is activated on your CacheGuard and your allowed admin client can remotely access your CacheGuard's CLI using an SSH client (PuTTY for instance under Windows). Please note that for security reasons it is highly recommended not to allow the as an admin client (which is the default configuration to facilitate the admin access during the first configuration steps).

All the Best,

Re: Non-Transparent

Posted: 09 Jul 2019 16:02
by FortifyIT
Hey Charles and David

I apologize for the delay. I went on vacation and it was a mad rush and then got back and totally forgot about checking the forum.

I will read this over and see if I can figure it out. I'll let you know if I have any questions.