Ivan, 2016-03-28 19:47:43

Why is SSL not working?

I ask the question out of curiosity; it does not interfere with the work. There is an OWA server inside the network, and a Cisco gateway to the Internet; from the outside, the same Cisco forwards 443 to the OWA server. So, if you connect from the inside to the internal IP of the OWA, everything works. From the Internet to the external IP of the Cisco also works. But if you connect to the external IP from the inside, there is an SSL error. And this is not a name error; the SSL connection is not established at all. It turns out that the packet goes to the gateway, then to the provider's gateway, and returns to the network. So I think it gets corrupted along the way?


2 answer(s)
Vladimir Dubrovin, 2016-03-28
@z3apa3a

In this case the packet does not go to the provider's gateway if you have a single connection and NAT is configured on your gateway.
Most likely the following happens: you send a packet to an external address (the gateway), the gateway NATs it to the server's internal address, the server sees that the packet is local and responds directly, bypassing the gateway, so the packet is not NATed back and arrives from the local interface address. Since the address of the response differs from the one the packet was sent to, the response is rejected by the initiator of the connection.
To prevent this, servers are usually placed in a separate zone (DMZ) that is routed through the gateway.
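The flow described in this answer, as an added example that is not part of the thread: a small Python model of a DNAT-only port forward, showing why a LAN client's SYN/ACK comes back from the wrong address when the server shares its subnet, and why it works once the server sits in a DMZ subnet whose replies pass back through the gateway. All addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

EXTERNAL_IP = "203.0.113.5"   # constructed: the gateway's Internet-facing address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class Gateway:
    """Constructed model: forwards EXTERNAL_IP:443 to the server (DNAT only, no hairpin SNAT)."""
    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.sessions = set()          # (client, sport) pairs that came in via the forward
    def forward(self, pkt):
        # Inbound DNAT: rewrite the destination, leave the source untouched.
        if pkt.dst == EXTERNAL_IP and pkt.dport == 443:
            self.sessions.add((pkt.src, pkt.sport))
            return Packet(pkt.src, self.server_ip, pkt.sport, pkt.dport)
        return pkt
    def un_nat(self, pkt):
        # A reply that passes back through the gateway gets its source restored.
        if (pkt.dst, pkt.dport) in self.sessions and pkt.src == self.server_ip:
            return Packet(EXTERNAL_IP, pkt.dst, pkt.sport, pkt.dport)
        return pkt

def server_reply(pkt, server_net, gw):
    """The server answers; a client on its own subnet is reached directly, bypassing the gateway."""
    reply = Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport)
    if ipaddress.ip_address(reply.dst) in ipaddress.ip_network(server_net):
        return reply                   # direct delivery, never un-NATed
    return gw.un_nat(reply)            # routed via the gateway

def handshake_ok(client_ip, server_ip, server_net):
    """True if the SYN/ACK arrives from the address:port the client actually sent to."""
    gw = Gateway(server_ip)
    syn = Packet(client_ip, EXTERNAL_IP, 50000, 443)
    syn_ack = server_reply(gw.forward(syn), server_net, gw)
    return (syn_ack.src, syn_ack.sport) == (syn.dst, syn.dport)

if __name__ == "__main__":
    # Server on the same LAN as the client: reply arrives from 192.168.1.3, so it is rejected.
    print(handshake_ok("192.168.1.10", "192.168.1.3", "192.168.1.0/24"))   # False
    # Server in a DMZ subnet routed through the gateway: reply is un-NATed, accepted.
    print(handshake_ok("192.168.1.10", "192.168.2.3", "192.168.2.0/24"))   # True
    # Client on the Internet: the reply always returns through the gateway.
    print(handshake_ok("198.51.100.7", "192.168.1.3", "192.168.1.0/24"))   # True
```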

alegzz, 2016-03-28
@alegzz

It is necessary to look at the OWA server.
1. The packet goes to the external address, but the forwarding does not work, because the rule is set on the external interface.
2. The packet is successfully forwarded, but since it arrived on the internal interface, the destination IP does not change. I.e. something like this: 192.168.1.10 -> xxxx:443 -> 192.168.1.3:443 (source ip=192.168.1.10; "damn it, I set up a TCP connection with xxxx, but it came from 192.168.1.3, hackers, hang up").
