CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

1. CCSA/CCSE One-Week Dual-Certification Training Course with CPUG in San Francisco!
    Courses Starting 10/6, 11/3, 12/8, (2009) 1/19, 2/9, 3/9, 4/6, 5/4, 6/8, 7/6, 8/3, 9/7.
2. Corrent S3500 SecureXL Turbocards For Sale - Last Six Remaining - Get Your Spares!
3. Join Us On LinkedIn - We now have a CPUG group.


Go Back   CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 And Related Products > Miscellaneous
Reload this Page Transparent Proxy
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 2006-11-01
suppo suppo is offline
Junior Member
  
Join Date: 2006-07-27
Posts: 3
Rep Power: 0
suppo has an average reputation (10+)
Default Transparent Proxy
NG (R55)

Hi

This question has been asked previously but i don't think it was conclusively resolved.

Im trying to set up a transparent proxy. I've set up a rule as previously discussed using http_mapped. In the advanced settings within http_mapped i've specified the following:

SRV_REDIRECT(80,<Proxy_IP>,8080).

The rule reads:

Test_Subnet | any | http_mapped | Accept.

I'm seeing http traffic in the logs for test_subnet being allowed by the redirect rule, but the pages aren’t being displayed. I've sniffed the traffic going to the proxy and nothing appears to be being redirected.

Any help appreciated!
Reply With Quote
  #2 (permalink)  
Old 2006-11-04
dsb.nepo dsb.nepo is offline
Senior Member
  
Join Date: 2006-04-30
Location: Europe, Germany
Posts: 143
Rep Power: 3
dsb.nepo has an average reputation (10+)
Default Re: Transparent Proxy
It is not possible to have the clients an the proxy behind the same Firewall interface.
To make things cleer a little drawing
Code:
|----|
|    |[eth0]---- LAN (proxy clients)
| FW |[eth2]---- DMZ (proxy)
|    |[eth3]---- WAN
|----|
Now you can make the ruleset: (!=negated)
Code:
---------------------------------------------
source    destination   proto         action
---------------------------------------------
proxy     !Firewall     http          accept
          !internal
-----------------------------------------------
LAN       !Firewall     http_mapped   accept
          !internal
---------------------------------------------
Reply With Quote
  #3 (permalink)  
Old 2006-11-04
Robby Cauwerts Robby Cauwerts is offline
Senior Member
  
Join Date: 2006-10-05
Location: Belgium
Posts: 108
Rep Power: 3
Robby Cauwerts has an average reputation (10+)
Default Re: Transparent Proxy
This should work.

The following is an output of the traffic where .15 is a host on the LAN and .2 is the proxy:
18:30:48.693246 I 192.168.254.15.4441 > 213.239.154.35.80: S 3468993172:3468993172(0) win 16384 <mss 1360,nop,nop,sackOK> (DF)
18:30:48.693820 O 192.168.254.15.4441 > 192.168.254.2.8080: S 3468993172:3468993172(0) win 16384 <mss 1360,nop,nop,sackOK> (DF)

So both src and dst on the same interface.
The capture filter was: tcpdump -ni internal_interface 'host 192.168.254.2 or host 192.168.254.15 and port 80 or port 8080'

The rulebase is the same as yours:
src: LAN
dst: ANY
service: http_mapped
accept

Run your test again and capture the traffic on all your interfaces.
Take into account your NAT rules.
Last edited by Robby Cauwerts; 2006-11-04 at 10:37.
Reply With Quote
  #4 (permalink)  
Old 2006-11-04
dsb.nepo dsb.nepo is offline
Senior Member
  
Join Date: 2006-04-30
Location: Europe, Germany
Posts: 143
Rep Power: 3
dsb.nepo has an average reputation (10+)
Default Re: Transparent Proxy
Yes,
as I can see it works at the same interface.
I forgot that I have ACLs at the switch, between the Clients and the Firewall.
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -7. The time now is 14:49.

Contact Us - CPUG Home Page - Archive - Top

Powered by vBulletin® Version 3.7.2
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
LinkBacks Enabled by vBSEO 3.0.0