proxy squid in a DMZ


Hello,

I put a Squid proxy in the DMZ zone with address 192.168.1.2.
It is connected to the PAN at 192.168.1.1,
and I have a trust zone to the untrust LAN and another to the internet,
and I cannot ping the proxy from the LAN.

Interface PAN to LAN: 10.155.10.10

My IP address: 10.155.10.11

I don't know the route that I would need to make.


L4 Transporter

Hi,

Please correct me if I am drawing the wrong topology

Proxy (192.167.1.2)------DMZ-----(192.168.1.1) PAN ( 10.155.10.10) -------LAN-------(10.155.10.11) Client

I am expecting there is no nat configured in between and the Client has a Gateway as 10.155.10.10 i.e. PAN's trust interface

You need to check the following:

1) There should be security policy allowing the connection to go through from LAN to DMZ

2) Check if you can ping the gateway (i.e. LAN interface) from the client

3) Check if you can ping the proxy server from the PAN, use the following command on CLI:

PAN> ping source 192.168.1.1 host 192.167.1.2

4) If you are not getting any response, you should check the gateway or route on the proxy server; you can also try to ping 192.168.1.1 from the proxy server.

5) Check the ARP entries on both interfaces:

PAN> show arp ethernet1/x

Let us know the results.

Thanks,

Khubaib

Some additional comments on previous points:

1) As a test (if possible) you could setup a security rule that acts just on src/dstzone such as:

srczone: LAN
dstzone: DMZ
appid: any
serviceport: any
user: any
action: allow

and then (when you identified what was incorrect and fixed it) limit it down to correct appid/serviceport.

2) If the LAN interface is on the PAN you need to set up a management profile as well that will allow the LAN interface to be pinged.

3) I think the following will work better 😉

ping source 192.168.1.1 host 192.168.1.2

4) In my experience this is quite common (given the symptoms presented).

Verify that the client has the LAN interface of the PAN as default gateway (10.155.10.10) and also that the proxy has the DMZ interface of the PAN as default gateway (192.168.1.1). Also verify again that you have correct IP addresses AND netmasks on both proxy and client (so it doesn't say 192.167.1.2 instead of 192.168.1.2 or such).

Easiest is to just run "netstat -rn" to see the current routing table.

Since both proxy and client are "directly attached" you won't need additional routing rules in the PAN box. However, if you have linknets then you would need to add additional routes in the "virtual router" in the PAN.

5) Also check the ARP entries on the proxy and client itself, such as "arp -a" or "arp -an".
