Contributor

x-forward IP Address to be passed to destinations servers when using a NAT, but NAT is removing this information.

We have DMZ servers on external firewalls. Our internal network users, using 10.x.x.x IPs, connect to the DMZ servers, and on the external firewall 10.x.x.x is NATed to a public IP.
The DMZ servers see the source traffic coming from the public NATed IP, as they should.
Now our network users are using X-Forwarding and we want the DMZ servers to see the user's private IP as the source, but we are still seeing the NATed IP.
Is this possible to achieve in Check Point R80.20?

We can do this with a no-NAT rule from 10.x.x.x to the destination DMZ servers. But then we have to add a route for 10.x.x.x on the external firewall into our network. We do not want to expose the internal network on the external firewall. So we are trying to achieve this with X-Forwarding.

4 Replies
Contributor

What exactly do you mean by "we want to see the user's private IP as the source to the DMZ servers", and where are you seeing the NATed IP?
X-Forwarded-For is a header for HTTP traffic that exists to meet some application requirements, and to my understanding you can't use it to change the src field in the IP packet, e.g. for an SSH connection.

Leader

As @Francesco_P wrote, it is not really clear what you want to do.

You could install a proxy like Squid or another one (maybe Check Point) in your network. Your clients can connect to this proxy, and this proxy goes out to the internet. Only your proxy will be exposed as the source. The proxy can add an additional header to the HTTP request called "x-forwarded-for". This represents the original IP address of the requesting client.

Check Point can do URL-Filter/App-control based on x-forwarded-for addresses. And at the end the gateway can strip the x-forwarded-for header from the packet if it goes out to the internet.

Wolfgang

Contributor

Thanks for replying. We are doing a similar kind of setup. Please note this web server is our server sitting on the external side with a public IP (199.2.2.2). So when our internal users go out to any public IP, they are NATed to a public IP (199.5.5.5). So the web server (199.2.2.2) sees traffic coming from the NATed IP (199.5.5.5). But we want the web server to see our internal user's private IP (10.x.x.x), not the NATed IP (199.5.5.5). So we are using a proxy as you mentioned and doing X-Forwarding, so that when the packet reaches the web server it should see the user's original IP. Can we achieve this? Sorry, it is confusing and I am not explaining it well.

Employee+

I think that you're mixing up the functions of X-Forwarded-For and network address translation. X-Forwarded-For is an HTTP header that is added by proxy servers, load balancers, etc. It is inserted into the HTTP request from the client. Since the firewall is performing NAT, the web server will always see the SRC IP of 199.5.5.5. Each HTTP request should include an added HTTP header of X-Forwarded-For: 10.X.X.X.

Web servers can be configured to log the IP address from X-Forwarded-For if the server is configured to do so.

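As an added example (not code from the thread or from Check Point), this is how a web server or log pipeline can derive the user's address in the setup described above: the TCP source is always the NATed 199.5.5.5, so the logged client address comes from X-Forwarded-For, but the header is honoured only when the connection actually arrives from the proxy's NATed address, because any client can send an X-Forwarded-For header of its own. The addresses are the ones used in the thread; the trusted-proxy list, the function name and the sample requests are assumptions constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Assumed: the only address that may legitimately set X-Forwarded-For is the
# proxy as seen after NAT on the external firewall (199.5.5.5 in the thread).
TRUSTED_PROXIES = [ip_network("199.5.5.5/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, headers: dict) -> str:
    """Return the address a web server should log for one HTTP request.

    peer_ip: the TCP source address the server really sees (after NAT).
    headers: the request headers; the lookup is case-insensitive.
    """
    peer = ip_address(peer_ip)
    if not _is_trusted(peer):
        # Not our proxy: the header could be anything, log the TCP source.
        return str(peer)
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), None)
    if not xff:
        return str(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # The proxy appends the client it talked to at the right-hand end, so walk
    # from the right and skip any further trusted proxies; anything further
    # left was supplied by the client and is not relied upon.
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the TCP source
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


# Constructed sample requests: (TCP source, headers, what the log should show).
SAMPLE_REQUESTS = [
    ("199.5.5.5", {"X-Forwarded-For": "10.1.2.3"}, "10.1.2.3"),
    ("203.0.113.9", {"X-Forwarded-For": "10.1.2.3"}, "203.0.113.9"),
    ("199.5.5.5", {"x-forwarded-for": "198.51.100.7, 10.1.2.3"}, "10.1.2.3"),
    ("199.5.5.5", {"X-Forwarded-For": "bogus"}, "199.5.5.5"),
    ("199.5.5.5", {}, "199.5.5.5"),
]


def check_samples() -> bool:
    """True when every constructed request resolves to the expected address."""
    return all(client_ip(p, h) == want for p, h, want in SAMPLE_REQUESTS)
```

The second sample shows why the trust check matters: a request that does not come through the proxy is logged with its real TCP source even though it carries a 10.x.x.x header.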