Screen OS

 View Only
last person joined: one year ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  SSG550 in front of apache in reverse proxy mode NATing??? automatically

    Posted 09-05-2012 01:33

    Hi,

     

    we have an SSG550 in front of an apache box in reverse proxy mode.  Everything is working fine, however when we look at logs to try and troubleshoot connections to the back end servers we see that the SSG is rewriting the client traffic with its own internal IP....

     

    has anybody seen or come across this before, we have two other firewalls set up in a similar manner without this problem.

     

    There are not NAT's configured on the firewall, we have done a TCPDUMP on the reverse proxy box and can see the traffic from the firewall:

     

    From the TransferLog on apache directive we get:

     

    o   10.10.10.1 - - [04/Sep/2012:17:03:39 +1000] "GET /functions.asmx HTTP/1.0" 200 4813
    o   10.10.10.1 - - [04/Sep/2012:17:07:07 +1000] "POST /Functions.asmx HTTP/1.1" 200 521
    ·       

    One of our team has checked the actual packets with tcpdump and as you can see it’s been received by proxy server with the modified source IP:
    o   17:26:16.138922 IP 10.10.10.1.31973 > 10.10.10.108.https: S 1878350834:1878350834(0) win 5840 <mss 1452,sackOK,timestamp 1451141388 0,nop,wscale 7>
    o   17:26:16.140449 IP 10.10.10.1.63889 > 10.10.10.108.https: S 1696417077:1696417077(0) win 5840 <mss 1452,sackOK,timestamp 1451141388 0,nop,wscale 7>

     

    10.10.10.1 is the internal ip of the firewall, why is the firewall doing the translation, we would expect to see the client IP.  I am happy to provide snippets of the firewall config, there are multiple virtual routers configured and the interfaces in question are in redundant mode.

     

    Any clues, suggestions welcome.

     


    #apache
    #SSG


  • 2.  RE: SSG550 in front of apache in reverse proxy mode NATing??? automatically

     
    Posted 09-05-2012 02:11

    Hi,

     

    Could you please provide the config and also mention to which interface the source and destination are connected.



  • 3.  RE: SSG550 in front of apache in reverse proxy mode NATing??? automatically
    Best Answer

    Posted 09-05-2012 07:00

    Hi,

     

    You should change the ingress interface mode from NAT to route.



  • 4.  RE: SSG550 in front of apache in reverse proxy mode NATing??? automatically

    Posted 09-05-2012 13:54

    Hi Thank you very very much for this solution.

     

    I will confrim that it is working once we have the change control in place and can make the firewall change however the discrepancy between the firewall that works and the one that does not is as you said:

     

    Config on working firewall (logging correctly):
    set interface ethernet0/0 ip x.x.x.x/30
    set interface ethernet0/0 route

    Config on not working firewall (not logging correctly):
    set interface ethernet0/1 ip x.x.x.x/30
    set interface ethernet0/1 nat

     

    Thanks again.