Webserver in DMZ on 192.x
DNS for www.mydomain.com points to EXT ip
Squid on ASL
DNAT on EXT to DMZ on port HTTP
Problem:
Clients on INT using ASL Squid can't get to the DMZ web site (they can IF they don't use Squid).
Theory:
DNAT from EXT to DMZ isn't handling Squid, as Squid may be trying to talk to the local interface?
I was going to try a DNAT LO -> DMZ, but I don't see how to do that... Localhost is in the Net Defs, but it can't be chosen in the DNAT menus. Plus, I'm not sure that's safe.
The same (maybe) problem can be seen trying to SSH from ASL to DMZ server using external DNS name and DNAT'd SSH port.
AND, oddly, I cannot SSH directly from ASL to the DMZ server's private IP even though I can from ANYWHERE else (I have ANY SSH DMZ Allow).
ISTM that ANY isn't including the ASL localhost/loopback interface!
The packet filter livelog confirms this, at least for SSH: it shows "SYN" for the attempted SSH connections from the ASL DMZ interface to the DMZ server.
However, the HTTP attempts through Squid DO NOT show up in the packetfilter log.
I'm guessing this is two different problems... SSH is trying to go out, but Squid may be trying to access the URL as if it were on the localhost interface.
How can I get Squid to go through the DNAT on EXT?
Thanks,
Barry
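The post describes a DNAT rule on the external interface that works for outside clients but is never hit by Squid running on the firewall itself. The model below is an added example, not part of the original post and not Astaro/ASL code: it reproduces the Linux netfilter nat-table traversal that decides which chain a packet passes through. Packets arriving on an interface go through nat/PREROUTING before routing; packets generated by a local process (Squid, or an ssh client on the firewall) skip PREROUTING and go through nat/OUTPUT instead, so a DNAT rule bound to the EXT interface can never match them. Addresses, interface names and the DNS names are constructed for illustration; whether the ASL menus expose a nat/OUTPUT rule is not something this example settles.

```python
"""Model of the Linux netfilter nat-table hook traversal.

Added example for the DMZ/Squid DNAT question; not ASL code. Only the nat
table (PREROUTING, OUTPUT) and the subsequent routing decision are modelled;
filter-table chains are left out. All addresses below are made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumption, not taken from the post)
EXT_IP = "203.0.113.10"      # public address on the ASL external interface
DMZ_IP = "192.168.10.5"      # web server in the DMZ
FW_DMZ_IP = "192.168.10.1"   # ASL's own address on the DMZ interface
LOCAL_ADDRESSES = {EXT_IP, FW_DMZ_IP, "127.0.0.1"}

# Constructed DNS views: what the public resolver returns vs. a split-DNS override
PUBLIC_DNS = {"www.mydomain.com": EXT_IP}
SPLIT_DNS_OVERRIDES = {"www.mydomain.com": DMZ_IP}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: Optional[str]   # None means generated by a local process (e.g. Squid)


@dataclass
class DnatRule:
    chain: str                # "PREROUTING" or "OUTPUT"
    in_iface: Optional[str]   # interface match; None = any (OUTPUT has no in-iface)
    dst: str
    dport: int
    to: str                   # rewritten destination address

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        return pkt.dst == self.dst and pkt.dport == self.dport


def traverse_nat(pkt: Packet, rules: list[DnatRule]) -> tuple[str, list[str]]:
    """Return (destination after NAT, nat chains the packet traversed).

    Netfilter semantics: a packet that arrived on an interface is processed by
    nat/PREROUTING; a packet created by a local process is processed by
    nat/OUTPUT. Neither chain ever sees the other's traffic.
    """
    chain = "PREROUTING" if pkt.in_iface is not None else "OUTPUT"
    dst = pkt.dst
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            dst = rule.to
            break                 # first matching DNAT rule wins, as in iptables
    return dst, [chain]


def delivered_to(pkt: Packet, rules: list[DnatRule]) -> str:
    """Routing decision after NAT: a local address is consumed by the firewall."""
    dst, _ = traverse_nat(pkt, rules)
    return "firewall itself" if dst in LOCAL_ADDRESSES else f"forwarded to {dst}"


# The rule from the post: DNAT on EXT, port 80, to the DMZ web server.
EXT_DNAT = DnatRule("PREROUTING", "eth_ext", EXT_IP, 80, DMZ_IP)
# Same translation for locally generated traffic; only nat/OUTPUT can hold it.
LOCAL_DNAT = DnatRule("OUTPUT", None, EXT_IP, 80, DMZ_IP)


def external_client(rules: list[DnatRule]) -> str:
    """Internet client (constructed address) hitting the public IP on eth_ext."""
    return delivered_to(Packet("198.51.100.7", EXT_IP, 80, "eth_ext"), rules)


def squid_on_firewall(rules: list[DnatRule]) -> str:
    """Squid on ASL connecting to the public name resolved via public DNS."""
    return delivered_to(Packet(EXT_IP, PUBLIC_DNS["www.mydomain.com"], 80, None), rules)


def squid_with_split_dns(rules: list[DnatRule]) -> str:
    """Alternative without any extra NAT: resolve the name to the DMZ address locally."""
    dst = SPLIT_DNS_OVERRIDES.get("www.mydomain.com", PUBLIC_DNS["www.mydomain.com"])
    return delivered_to(Packet(FW_DMZ_IP, dst, 80, None), rules)


if __name__ == "__main__":
    print("external client, EXT DNAT only :", external_client([EXT_DNAT]))
    print("Squid on ASL,    EXT DNAT only :", squid_on_firewall([EXT_DNAT]))
    print("Squid on ASL,    + OUTPUT DNAT :", squid_on_firewall([EXT_DNAT, LOCAL_DNAT]))
    print("Squid on ASL,    split DNS     :", squid_with_split_dns([EXT_DNAT]))
```

The second line of output is the symptom from the post: with only the EXT-bound rule, Squid's connection to the public address lands on the firewall itself instead of the DMZ server. The two remaining lines are the two usual remedies, a matching DNAT in nat/OUTPUT or a split-DNS/hosts override so the proxy never dials the public address in the first place; the latter also avoids having the firewall translate its own traffic.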