topic Re: proxy squid in a DMZ in General Topics

proxy squid in a DMZ

adhibioussa — Wed, 29 Feb 2012 19:34:48 GMT

hello,

I put a squid proxy in the DMZ zone with address 192.168.1.2
it is connected to the PAN - 192.168.1.1
and I trust zone to the untrust lan and another to the internet
and I can not ping the proxy from the lan

interface pan to lan 10.155.10.10

my ip address 10.155.10.11

i dont know the route that i would make it

Re: proxy squid in a DMZ

kalavi — Sat, 03 Mar 2012 01:25:13 GMT

Hi,

Please correct me if I am drawing the wrong topology

Proxy (192.167.1.2)------DMZ-----(192.168.1.1) PAN ( 10.155.10.10) -------LAN-------(10.155.10.11) Client

I am expecting there is no nat configured in between and the Client has a Gateway as 10.155.10.10 i.e. PAN's trust interface

You need to check the following:

1) There should be security policy allowing the connection to go through from LAN to DMZ

2) Check if you can ping the gateway (i.e. LAN interface) from the client

3) Check if you can ping the proxy server from the PAN, use the following command on CLI:

PAN> ping source 192.168.1.1 host 192.167.1.2

4) If you are note getting any response, you should check the gateway or route on the proxy server, you can also try to ping 192.168.1.1 from the proxy server

5) Check the arp entries on both the interface

PAN> show arp ethernet1/x

Let us know the results.

Thanks,

Khubaib

Re: proxy squid in a DMZ

mikand — Sat, 03 Mar 2012 09:16:50 GMT

Some additional comments on previous points:

1) As a test (if possible) you could setup a security rule that acts just on src/dstzone such as:

srczone: LAN
dstzone: DMZ
appid: any
serviceport: any
user: any
action: allow

and then (when you identified what was incorrect and fixed it) limit it down to correct appid/serviceport.

2) If the LAN interface is on the PAN you need to setup a management profile aswell that will allow the LAN interface to be pinged at.

3) I think the following will work better 😉

ping source 192.168.1.1 host 192.168.1.2

4) In my experience this is quite common (given the symptomes presented).

Verify that the client have the LAN-interface of the PAN as defgw (10.155.10.10) and also that the proxy have the DMZ-interface of the PAN as defgw (192.168.1.1). Also verify again that you have correct ip-addresses AND netmasks on both proxy and client (so it doesnt say 192.167.1.2 instead of 192.168.1.2 or such).

Easiest is to just run "netstat -rn" to see current routing table.

Since both proxy and client are "directly attached" you wont need additional routing rules in the PAN box. However if you have linknets then you would need to add additional routes in "virtual router" in the PAN.

5) Also check the arp entries on the proxy and client itself such as "arp -a" or "arp -an".