Gauntlet source IP address re-write question
Sat, 07 Nov 1998 17:34:54 -0800
At 09:08 AM 11/4/98 -0800, esteban wrote:
>Being an APG, the proxy rewrites the source IP address of connections
>from the internal protected networks to that of the outside interface of the
Well, sort of. Actually there are two separate connections open for each
user session: One from the user on the inside to the firewall and one from
the firewall to the destination. The application proxy moves the *data*
back and forth between the two connections--not packets. So the addresses
aren't really rewritten--you're just seeing the outside connection.
>There is an option for "transparency" in Gauntlet, but from what I can tell
>from the documentation, it only works in such a way that the internal
>initiate connections directly to the outside world. Transparency in that case
>provides for not having to reconfigure internal users' machines.
Correct. The default is to have transparency enabled for the internal
interface, but it can be enabled for other interfaces, too.
>The problem is the IP address rewrite. When I connect to some external host
>with whatever application, I want to see the source IP address as the real IP
>address, not the IP address of the firewall.
Usually people want to do just the opposite. They want to hide their
>Is there such a way to make
>Gauntlet do that? As far as I can tell, the only way is to use the "Plug"
>proxy, which does have an option for passing the source IP address. But there
>is no such option on the telnet proxy setup.
That's what the manual says. I suppose you might be able to do something
with NAT. I don't know that you could preserve the actual internal
addresses, but you could, I think, do a one-to-one mapping of internal
addresses to external.
>Raptor, on the other hand, in the last release of their software
>whole scale transparency that does accomplish maintaining the source IP
>of connections coming across the proxies. Is there really no such comparable
>option in Gauntlet? Can you turn off source IP address re-write?
Since it's not really a re-write of addresses, but a function of how
proxies work, you can't just turn it off.
You might want to post this question to the gauntlet-user list for a second
opinion. See http:\\rmsbus.com\gauntlet-user.htm for information.
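
The two-connection behaviour described in the reply above, as an added example that is not part of the original message and is not Gauntlet code: a minimal loopback relay in which the destination records the peer address it sees. All function names, the loopback addresses and the "hello" payload are constructed for illustration.

```python
import socket
import threading

def listen():
    """Listening TCP socket on an ephemeral loopback port (constructed setup)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def relay_once(inside, dest_addr, seen):
    """Application proxy: accept the inside connection, open a second one outward."""
    client, seen["client_peer"] = inside.accept()      # connection 1: user -> firewall
    with client, socket.create_connection(dest_addr, timeout=5) as out:
        seen["proxy_out"] = out.getsockname()          # connection 2: firewall -> destination
        out.sendall(client.recv(1024))                 # only payload bytes cross over,
        client.sendall(out.recv(1024))                 # never the user's packets or headers

def destination_once(srv, seen):
    """Destination host: record the peer address it sees and send it back."""
    conn, seen["dest_peer"] = srv.accept()
    with conn:
        conn.recv(1024)
        conn.sendall(repr(seen["dest_peer"]).encode())

def demo():
    """Run user -> proxy -> destination once and return every address observed."""
    seen = {}
    dest, inside = listen(), listen()
    threads = [
        threading.Thread(target=destination_once, args=(dest, seen)),
        threading.Thread(target=relay_once, args=(inside, dest.getsockname(), seen)),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(inside.getsockname(), timeout=5) as user:
        seen["user_local"] = user.getsockname()
        user.sendall(b"hello\n")
        seen["reply"] = user.recv(1024).decode()
    for t in threads:
        t.join()
    dest.close()
    inside.close()
    return seen

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The destination's `dest_peer` equals the proxy's outbound socket address (`proxy_out`), while the user's own address (`user_local`) appears only on the inside connection as `client_peer`.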