brianrafter
asked on
Accessing Web server on LAN by internal users
I am using a Watchguard Firebox II. It has one Static Public IP address. I am using NAT to forward HTTP to a Web server on the trusted interface. Everything is fine from the outside world, but users on the LAN resolve the same IP for the website as Internet users do but cannot connect. They have to use the private IP address of the Web server to connect.
I realize a hosts file entry will resolve this for internal users, and I realize a DNS zone on an Internal DNS server could provide the private IP, but I would really like to do this on the firewall. Since a Linksys BEFSR41 with whatever NAT it uses will work, I would have to assume there would be a way to do this with the Watchguard. Any Ideas?
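The mechanism behind the symptom above, as an added example that is not part of the original thread: with port forwarding (destination NAT) alone, the web server's reply goes straight back to the LAN client on the same subnet from the server's private address, so the client's socket, which connected to the public address, never sees a matching reply. A device that does NAT loopback (hairpin NAT) also source-NATs LAN-originated hairpin traffic to its own LAN address so the reply is forced back through it and untranslated. All addresses are constructed (RFC 5737 / RFC 1918), not from the thread.

```python
# Added example: minimal model of a hairpin (NAT loopback) connection.
# Shows why LAN clients cannot reach the web server via the public IP with
# DNAT alone and why adding SNAT on the hairpin path fixes it.
# All addresses are constructed; none come from the thread.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # firewall's static public address
FW_LAN_IP = "192.168.1.1"    # firewall's trusted-interface address (LAN gateway)
WEB_IP = "192.168.1.20"      # web server on the trusted interface
CLIENT_IP = "192.168.1.50"   # LAN user, same subnet as the web server
LAN_PREFIX = "192.168.1."    # constructed: the trusted subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def firewall_inbound(pkt: Packet, hairpin_snat: bool) -> Packet:
    """Port forward: DNAT public:80 -> web server. With hairpin_snat, LAN-originated
    traffic to the public IP is also SNATed to the firewall's LAN address."""
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        pkt = Packet(pkt.src, pkt.sport, WEB_IP, 80)
        if hairpin_snat and pkt.src.startswith(LAN_PREFIX):
            pkt = Packet(FW_LAN_IP, pkt.sport, WEB_IP, 80)
    return pkt


def web_server_reply(pkt: Packet) -> Packet:
    """The server answers whatever source it saw, swapping the tuple."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def firewall_untranslate(original: Packet) -> Packet:
    """Reverse both translations using the connection's original tuple."""
    return Packet(original.dst, original.dport, original.src, original.sport)


def hairpin_attempt(hairpin_snat: bool) -> bool:
    """True if the LAN client's socket would accept the server's reply."""
    syn = Packet(CLIENT_IP, 40000, PUBLIC_IP, 80)
    reply = web_server_reply(firewall_inbound(syn, hairpin_snat))
    # Same subnet: the server delivers replies to 192.168.1.x directly, bypassing
    # the firewall; only a reply addressed to the firewall passes back through it.
    if reply.dst == FW_LAN_IP:
        reply = firewall_untranslate(syn)
    # The client only accepts a reply from the tuple it connected to (public IP:80).
    return reply.src == PUBLIC_IP and reply.sport == 80 and reply.dst == CLIENT_IP
```

Running `hairpin_attempt(False)` reproduces the thread's failure; `hairpin_attempt(True)` is what a NAT-loopback-capable router does, and split-horizon DNS or a hosts entry sidesteps the issue by never sending LAN clients to the public address at all.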
ASKER CERTIFIED SOLUTION
Evaluate using your firewall as the default gateway for all of your (internal) LAN and add/remove some 'route' lines in the firewall configuration.
ASKER
Captain, what's a decent firewall that will let me do this? Only a PIX? It sucks that a $49 Linksys will do this. I wish someone knew how the Linksys does this. I have tons of options and configs on the Watchguard but have not found one that works like a Linksys. Any ideas?
Flat out forget trying to do it on the WatchGuard. It just won't do it.
As mentioned there are other solutions like using internal DNS or hosts. If it's so annoying to you that you need to change the firewall here are some that will do it:
Symantec Enterprise, Symantec Gateway, Netscreen, ISA
Since the WG II is EOL soon you might want to look into it.
Good Luck
ASKER
syn ack fin,
The WG II is temporary until a permanent firewall is purchased. Thanks for the recommendations. We are looking at SonicWALL Pro and Cisco PIX 506 as well, any opinions there?
The newer model SonicWALL's that run their SonicOS are definitely worth looking into. They are very flexible with the NAT configuration. You can choose whether you want to NAT the source and/or destination addresses and in which direction (inbound/outbound). SonicWALL is very easy to configure and in my experience have been pretty rock solid in terms of stability.
Cisco PIX, on the other hand is not quite as easy to manage as a SonicWALL. One of the difficulties with PIX is configuring routing and NAT to work between their security "zones". Even Cisco agrees with the shortcomings in PIX and this is why they are actually pushing their IOS firewall more than they are pushing PIX. The good thing about PIX is that it is extremely fast...arguably the fastest firewall on the market, but you pay for that speed in other ways.
Netscreen is another solid firewall that should be considered. We're in the process of evaluating the Netscreen firewalls and so far we've found their firewalls to be the most feature rich. They seem to offer nearly everything we can throw at them, and it's generally all included in the main price. Items that are not included are virus protection, intrusion prevention, and I believe failover/redundancy. I'm not entirely sure of the items that are not included, but I definitely think Netscreen is worth taking a look at along with the SonicWALL firewall mentioned above.
Good luck!
Open source all the way! Don't buy an expensive hardware solution for a firewall. Get a Linux geek to lock down a Slackware or Redhat Linux system and install a good free firewall like homeLANsecurity 1.4.1 (http://www.unixpages.com/hls). So many companies are afraid that if it's free, it's not worth anything. Nothing is further from the truth.
>I have tons of options and configs on the Watchguard but have not found one that works like a Linksys. Any ideas?
Can you create an additional internal subnet on the Watchguard? If so, you can just put your webserver in the new internal subnet and your problem is solved. I do think SonicWALLs are kind of crappy (I prefer Astaro, and you can get the home version for less than $50 I think).
Cheers,
-Jon
ASKER
garak1357,
I agree free doesn't mean worthless, but it also doesn't mean it won't cost you a lot. With hourly rates for IT services and support well over $100, a hardware product costing $2000 isn't cost prohibitive. Most companies don't care if source is open or if it's free; it's TCO they are concerned with. Linux is getting better in that area, but then again so is all technology.
ASKER
Captain, you are right about the subnet I think. Watchguard expects you to place these kinds of servers on the optional interface, on a different subnet, or at least it thinks it is. That's probably why I can't find any options otherwise. Thanks for all your help.
Cheers,
-Jon