
Allow internal IP to pass through the DMZ?

Is there any way to allow individual 'internal' IP addresses (10.0.0.x) to pass from the LAN to the server on the DMZ of my firewall?

I have a firewall (SonicWall Pro100) and a server I built which does website filtering. The server is connected to the DMZ port of the firewall. Whenever it logs websites that have been blocked from the LAN computers, it always shows the offending IP address as the firewall's IP address, rather than the individual computer's IP addresses behind the firewall on the LAN side.

I'd like to be able to pinpoint specifically which LAN computer was attempting to bring up a bad site, but can't because it always shows the firewall's IP in the server's log file.

Any thoughts? Thanks...

2 Answers

  • 1 decade ago
    Favorite Answer

    I am assuming your web filtering server on the DMZ does a proxy HTTP service for your internal PCs? If that's the case, the problem is that your SonicWall is translating the headers of your internal traffic before it hits your DMZ, so you see its IP instead of the internal IPs.

    If your SonicWall can change the DMZ filter rules to allow your internal range to pass traffic on port 80 to your DMZ zone without NATing the address, then you would be able to see the offending address.

    So on your SonicWall you would create a rule like this if your internal range was 192.168.1.1 - 254 and your DMZ was 10.1.1.1:

    Allow source IP range of 192.168.1.1 - 192.168.1.254 destination port 80 non NAT thru to your webproxy filter.

    Use Ethereal to get a peek at your network traffic to see what your SonicWall is doing by putting two sniffers on both sides of the DMZ and internal range.
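
The two-sniffer check suggested in the answer above, as an added example that is not part of the original post: it pairs connection attempts seen on the LAN side with the same attempts seen on the DMZ side and reports whether the firewall kept or rewrote each source address. All addresses and sequence numbers are constructed sample data following the ranges in the answer, and the matching assumes the firewall rewrites only the source address and leaves the TCP initial sequence number unchanged.

```python
from collections import namedtuple

# One TCP SYN as read off a capture: source, destination, port, initial sequence number.
Syn = namedtuple("Syn", "src dst dport seq")

# Constructed sample data (not real traffic). 10.1.1.254 stands in for the
# firewall's DMZ-side address, 10.1.1.1 for the filtering server.
LAN_CAPTURE = [
    Syn("192.168.1.10", "10.1.1.1", 80, 1000),
    Syn("192.168.1.11", "10.1.1.1", 80, 2000),
    Syn("192.168.1.12", "10.1.1.1", 80, 3000),
]
DMZ_CAPTURE = [
    Syn("10.1.1.254", "10.1.1.1", 80, 1000),    # source rewritten by NAT
    Syn("192.168.1.11", "10.1.1.1", 80, 2000),  # source passed through unchanged
]

def nat_mappings(lan_side, dmz_side):
    """Pair each LAN-side SYN with the DMZ-side SYN that has the same
    destination, port and sequence number, and describe what happened
    to its source address between the two capture points."""
    seen_on_dmz = {(p.dst, p.dport, p.seq): p.src for p in dmz_side}
    result = {}
    for p in lan_side:
        dmz_src = seen_on_dmz.get((p.dst, p.dport, p.seq))
        if dmz_src is None:
            status = "not forwarded"          # dropped or never reached the DMZ
        elif dmz_src == p.src:
            status = "preserved"              # server log will show the real client
        else:
            status = "translated to " + dmz_src
        result.setdefault(p.src, set()).add(status)
    return result

def hidden_clients(mappings):
    """LAN addresses the DMZ server cannot tell apart in its own log."""
    return sorted(src for src, statuses in mappings.items()
                  if any(s.startswith("translated") for s in statuses))

if __name__ == "__main__":
    for src, statuses in sorted(nat_mappings(LAN_CAPTURE, DMZ_CAPTURE).items()):
        print(src, "->", ", ".join(sorted(statuses)))
```
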

  • ?
    Lv 4
    1 decade ago

    You want to keep your DMZ closed, because if you open it then your router is not a firewall anymore. That means all your ports are open.
