Andre91
Explorer

Natting Proxy-Traffic to internal IP

Hello,

we have the following problem regarding the HTTP/HTTPS proxy on our CheckPoint ClusterXL R81.10:

The cluster is configured as a non-transparent HTTP/HTTPS proxy on one cluster VIP IP, port 8080. We even host some websites on internal webservers that are available via an external NAT on the ClusterXL, redirecting to internal webservers / reverse proxies:

External Client -----> www -----> public Cluster-IP -----> NAT to Webserver -----> Webserver

Now when our internal clients want to view a webpage that is hosted on our internal servers, the page is not available.

So the process is:

1. Client resolves the DNS name of the webpage to the public IP.

2. Client opens a proxy session with the CheckPoint cluster.

At this point we want to have a NAT rule that redirects traffic originally sent to our public Cluster-IP (original Dst) to our internal Webserver (translated Dst).

The standard NAT rule doesn't work:

Internal Clients -----> public Cluster-IP:https -----> Original Src. -----> Internal Webserver

Is there a trick so we can redirect HTTP/HTTPS proxy traffic to an internal server?

Thanks and best regards

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee

Do you use a WPAD / PAC file for your proxy configuration, and are local domains excluded?

CCSM R77/R80/ELITE


0 Kudos
3 Replies
Andre91
Explorer

Thanks for the tips, we excluded our domain names in our PAC file. That works so far.

0 Kudos
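A PAC file with local-domain exclusions of the kind discussed above, as an added example that is not part of the original thread or any poster's configuration. The proxy address and the domain names are constructed placeholders (only port 8080 comes from the thread), and `inDomain` is a hypothetical helper.

```javascript
// Added example, not from the thread. Constructed values: the proxy address
// (only port 8080 is taken from the thread) and the local domain names.
var PROXY = "PROXY 192.0.2.10:8080";
var LOCAL_DOMAINS = ["example.com", "intranet.example"];

// Hypothetical helper: true when host equals domain or is a subdomain of it.
// Matching on a label boundary keeps a look-alike such as "notexample.com"
// from being classified as local and skipping the proxy.
function inDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case, drop trailing dot
  domain = domain.toLowerCase();
  if (host === domain) return true;
  var suffix = "." + domain;
  var idx = host.length - suffix.length;
  return idx > 0 && host.indexOf(suffix, idx) === idx;
}

// Entry point that a PAC engine calls for every request.
// Written in ES5 so older PAC engines can parse it.
function FindProxyForURL(url, host) {
  // Single-label names (no dot) are treated as internal.
  if (host.indexOf(".") === -1) return "DIRECT";
  for (var i = 0; i < LOCAL_DOMAINS.length; i++) {
    if (inDomain(host, LOCAL_DOMAINS[i])) return "DIRECT";
  }
  // Everything else goes through the gateway's non-transparent proxy.
  return PROXY;
}
```

Hosts that return `DIRECT` are no longer inspected by the proxy, and the client must be able to reach whatever address the name resolves to, so the exclusion list should contain only domains you host yourself.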
PhoneBoy
Admin

I am assuming both the internal clients and your webserver are accessible through the same physical interface.
That means you basically need a hairpin NAT rule, something similar to what I described here: https://community.checkpoint.com/t5/Security-Gateways/Traffic-flow-in-between-C-to-S-via-Firewall-Ho... 

0 Kudos
