01-26-2012 08:12 AM
I have an SSG 5 firewall for my company internet connection. I have another office (from now on called "secondary") with a static public IP.
My firewall is configured without any policy restriction and with some VIP services on the ethernet 0/0 untrust zone. In my main connection LAN I have an internal web server.
I need to have access to my web server from computers connected behind the "secondary" office. Could someone please tell me step by step what I have to configure in the firewall?
Any help would be appreciated. Thanks in advance!
01-29-2012 11:09 AM
I can't follow the connection streams from the text description. If you can post a diagram or indicate the zones and connection paths we would be better able to help.
For example, what is the secondary office with a static public IP?
- A VPN connection to the SSG
- A router private connection, and in what zone
- A public address you want to connect to over the internet
Also you say "My firewall is configured without any policy restriction". But bear in mind that if there are no policies then the traffic is dropped not permitted. By default only traffic within the same zone is allowed. Any connection across zones is blocked unless you specifically allow it.
01-30-2012 12:16 AM
Hi! Thanks for answering
That public IP is like 80.34.x.y and actually has no configuration in my firewall. It's just a remote address of another internet connection from where I want to have access to my internal web server behind the firewall.
Sorry for that unclear explanation with the policies. What I mean is that I have two policies (I don't know if they were configured by default or not): one from untrust to trust and the other the inverse, both with all services permitted for any source and destination.
If you need more details, just tell me!
01-30-2012 06:37 PM
You can create a vip that forwards one of your public addresses to the web server. The basic procedure is in kb4740.
In your case, you will modify step 13: instead of allowing "any" address on the internet to hit the web server, you create an address object in the untrust zone for your public IP on the remote site. Then use this object instead of "any" for the policy in step 13.
This will secure the access to the server to only your remote site.
01-31-2012 01:30 AM
I can't follow these steps since in the VIP menu of this interface I already have some VIP services configured, set with my public IP address. I can't have it cloned there.
01-31-2012 03:25 AM
To allow access by the public address you would need an address with the right port available.
If your remote site has a VPN-capable firewall then you can set up a VPN tunnel between the two sites and access the server by the private IP address just like the local computers do. The instructions for this are in kb8533; just pick the scenario that matches your operating system and IP assignments.
01-31-2012 04:31 AM
Yes, I know it's a similar idea as a VPN and that's the point: I've already configured port 80 forwarding for another IP of my LAN, but I need not only one but more servers to have the same port opened for some remote IP addresses. Some services I need to be working don't allow changing it.
I initially thought that I could get remote access to a LAN server by some other way than configuring VIP services inside my ethernet 0/0 interface.
01-31-2012 03:53 PM
If you have only one IP address then the HTTP port can only forward to one server. There is no way around this basic limitation.
Your options for getting to this internal web server from the remote site are as follows:
Change the access port from 80 to some other number like 880 and forward this port using a VIP. Your users would then need to add that port to the URL to access the server: http://domain.com:880.
Create a site-to-site vpn as noted above and access this on the internal ip address.
Create a dynamic vpn and install software on the client. Connect using the software from the remote site and access the server by the internal address. See this example using the open source Shrew Soft package.
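As an added illustration of the VIP-plus-restricted-policy procedure described in the kb4740 answer above and of the port-880 option in this list, the following ScreenOS CLI fragment is not from the thread or from Juniper's knowledge base. It assumes ethernet0/0 is the untrust interface carrying the public IP, that the web servers sit in the trust zone at 10.1.1.10 and 10.1.1.11, and uses 80.34.1.2 as a placeholder for the secondary office's static public IP; the exact VIP and policy syntax should be checked against kb4740 for the firmware in use.

```screenos
# Added example, not the poster's or Juniper's own configuration.
# Assumed values: ethernet0/0 = untrust interface with the public IP,
# 10.1.1.10 / 10.1.1.11 = internal web servers, 80.34.1.2 = placeholder
# for the remote office's static public address.

# 1. One host-only (/32) address object for the remote office, in the untrust zone.
set address untrust "Remote-Office" 80.34.1.2 255.255.255.255

# 2. VIP entries on the untrust interface:
#    set interface <if> vip interface-ip <public-port> <service> <internal-ip>
#    The first line publishes 10.1.1.10 on public port 80. The second line is the
#    "use another port like 880" option: public port 880 is mapped to the HTTP
#    service on 10.1.1.11, so nothing has to change on that server.
set interface ethernet0/0 vip interface-ip 80  "HTTP" 10.1.1.10
set interface ethernet0/0 vip interface-ip 880 "HTTP" 10.1.1.11

# 3. The untrust-to-trust policy names "Remote-Office" as the source instead of
#    "Any", so only the secondary office can reach the VIP. "VIP(ethernet0/0)" is
#    the destination object ScreenOS exposes for an interface VIP; "log" records
#    each session so unexpected sources show up in the traffic log.
set policy from untrust to trust "Remote-Office" "VIP(ethernet0/0)" "HTTP" permit log

# 4. Check the result: the VIP table should list both mappings and the policy
#    should show "Remote-Office", not "Any", as its source.
get interface ethernet0/0 vip
get policy from untrust to trust
```

The security-relevant point is step 3: the existing untrust-to-trust policy with "Any" source and all services permitted exposes every VIP on the interface to the whole internet, whereas a policy keyed to the remote office's address object limits exposure of the published servers to that one public IP. The VPN options in this list avoid publishing the servers at all and are preferable when the remote site's firewall supports them.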