As Mike stated, you need to use IP Pass Through if you want the real
IP addresses.  The other choice would be to set up aliases on the PSN
NIC and use static mapping.  In this scheme you could create a
one-to-one mapping, then set up DNS entries so the mapped IP addresses.  You
wouldn't have to do this for all IP addresses, just the ones you cared
about; the others you could group and map into various IP
aliases, and the remainder could take the default.

So for example:

Protected Net              PSN Net
192.168.1.15       ---->   192.168.2.15    Bob
192.168.1.22       ---->   192.168.2.22    Biff

192.168.1.50-100   ---->   192.168.2.100   Marketing
192.168.1.120-175  ---->   192.168.2.120   Sales

This example shows ranges, but you could use IP Address Objects and
group noncontiguous IP addresses.

Paul

>I don't think that this solves anything.  Because the internal
>clients are on the PRO and the Apache server is on the PSN,
>requests from the internal clients are still going to be NAT'd
>to the GNAT Box PSN address, regardless of where they did the
>DNS lookup or whether the Apache server can do a reverse lookup
>on the client's address.
>
>The only way for the Apache server to see the "real" IP address
>that the request is coming from would be to enable IP Passthrough
>between the PRO and the PSN.
>
>Mike Burden
>Lynk Systems
>http://www.lynk.com
>(616)532-4985
>[EMAIL PROTECTED]
>
>
>
>>  -----Original Message-----
>>  From: Simon Delicata [mailto:[EMAIL PROTECTED]]
>>  Sent: Wednesday, June 12, 2002 12:12 PM
>>  To: GNATBox Mailing List
>>  Subject: RE: [gb-users] Tunnel to PSN seems to always hide source address
>>
>>  Matthew,
>>
>>  You are right with what you say on your internal clients appearing
>>  to be coming from the GB internal IP. I have a way around this. My
>>  suggestion is to create a different "view" of the DNS domain to
>>  which the apache server belongs, for internal clients.
>>
>>  The way I've done this is to have two copies of ISC bind running on
>>  one machine, with two different configs, and two different sets of
>>  DNS tables. The bind for external viewing is set up to listen on a
>>  non-standard port (5353 for example), and the DNS queries from
>>  external IPs are tunnelled (UDP only) from port 53 of the external
>>  IP of the GB through to port 5353 on the internal machine. The
>>  internal clients are configured to query the internal DNS IP, and as
>>  such, get the "internal" view of the domain.
>>  It also means I can run Dynamic DNS updates quite securely.
>>
>>  I hope this makes sense.
>>
>>  Simon Delicata
>>
>>
>>
>>  "Matthew Underwood" <matthew.underwood@jemmac.com>
>>  12/06/2002 14:49
>>  To: "GNATBox Mailing List" <[EMAIL PROTECTED]>
>>  cc:
>>  Subject: RE: [gb-users] Tunnel to PSN seems to always hide source address
>>
>>  In reply to my own query about source addresses being logged by an
>>  apache server in our PSN always showing the IP address of the PSN
>>  interface regardless of the state of the 'hide source address'
>>  checkbox on the tunnel.
>>
>>  Some progress on this front...
>>
>>  Apache is now logging the real source IP address of requests that
>>  come in via the External interface, but is still logging the gateway
>>  address for requests that come via the Protected interface.
>>
>>  Since I was only really concerned with logging IPs of cracking
>>  attempts from the outside world this is fine.
>>
>>  I'm assuming the gateway interface being logged for protected
>>  interface accesses is something to do with protected interface
>>  accesses being NAT'ed.
>>
>>  Thanks to Bob Reasoner for his suggestion that the 'Hide Source
>>  Address' changes didn't take effect until the filters had been
>>  updated. This seems to bear out as until I made some changes earlier
>>  today ALL IP addresses were being logged as the gateway address.
>>
>>  So, I guess there's no query anymore.. Unless someone wants to
>>  confirm my suggestion about connections from the protected interface
>>  being NAT'ed.
>>
>>  Cheers,
>>
>>  Matt.
>>
>>
>>
>>  ---------------------------------------------------------------------
>>  To unsubscribe, e-mail: [EMAIL PROTECTED]
>>  To subscribe to the digest version first unsubscribe, then
>>   e-mail: [EMAIL PROTECTED]
>>  For additional commands, e-mail: [EMAIL PROTECTED]
>>  Archive of the last 1000 messages:
>>   http://www.mail-archive.com/[email protected]


-- 
--------------------------------------------------------------------
Paul Emerson                             Tel: +1.407.380.0220 x1106
Global Technology Associates, Inc.       Fax: +1.407.380.6080
3505 Lake Lynda Drive                 Mobile: +1.407.310.8563
Suite 109                              Email: [EMAIL PROTECTED]
Orlando, Florida 32817 USA               Web: http://www.gta.com
                                 Mobile Email: [EMAIL PROTECTED]
---------------------------------------------------------------------
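
The static mapping Paul describes at the top of this message, modelled in Python as an added example; it is not from the original messages and is not GNAT Box configuration. It shows how an address that Apache logs under that scheme can be attributed back to a host or group. The default alias 192.168.2.1 and the sample log lines are assumptions.

```python
from collections import Counter
from ipaddress import IPv4Address as IP

# Mapping from the example in the message: (first, last, PSN alias, label).
RULES = [
    ("192.168.1.15", "192.168.1.15", "192.168.2.15", "Bob"),
    ("192.168.1.22", "192.168.1.22", "192.168.2.22", "Biff"),
    ("192.168.1.50", "192.168.1.100", "192.168.2.100", "Marketing"),
    ("192.168.1.120", "192.168.1.175", "192.168.2.120", "Sales"),
]
DEFAULT_ALIAS = "192.168.2.1"  # assumed PSN interface address; not in the thread

def check_rules(rules):
    """Reject overlapping source ranges and aliases shared by two rules."""
    spans = sorted((IP(lo), IP(hi), label) for lo, hi, _, label in rules)
    for (_, hi1, a), (lo2, _, b) in zip(spans, spans[1:]):
        if lo2 <= hi1:
            raise ValueError(f"source ranges overlap: {a} and {b}")
    aliases = [alias for _, _, alias, _ in rules] + [DEFAULT_ALIAS]
    if len(set(aliases)) != len(aliases):
        raise ValueError("alias reused: log entries would be ambiguous")

def translate(src):
    """Forward direction: protected-net source -> (PSN alias, label)."""
    for lo, hi, alias, label in RULES:
        if IP(lo) <= IP(src) <= IP(hi):
            return alias, label
    return DEFAULT_ALIAS, "default"

def attribute(log_ip):
    """Reverse direction: address Apache logged -> (label, source range)."""
    for lo, hi, alias, label in RULES:
        if log_ip == alias:
            return label, (lo, hi)
    return ("default" if log_ip == DEFAULT_ALIAS else "not-mapped"), None

def summarize(lines):
    """Requests per label; the client address is the first log field."""
    check_rules(RULES)
    return Counter(attribute(l.split()[0])[0] for l in lines if l.strip())

SAMPLE_LOG = [  # constructed lines, not from the thread
    '192.168.2.15 - - [12/Jun/2002:14:01:07 +0100] "GET / HTTP/1.0" 200 1043',
    '192.168.2.100 - - [12/Jun/2002:14:02:11 +0100] "GET /a HTTP/1.0" 200 512',
    '192.168.2.100 - - [12/Jun/2002:14:02:40 +0100] "GET /b HTTP/1.0" 404 209',
    '192.168.2.1 - - [12/Jun/2002:14:03:02 +0100] "GET / HTTP/1.0" 200 1043',
]
print(summarize(SAMPLE_LOG))
```

A one-to-one rule identifies a single host in the log, while a range rule only narrows a request to the group sharing that alias.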
