Solved

Accessing Web server on LAN by internal users

Posted on 2004-10-20
1,249 Views
Last Modified: 2010-04-10
I am using a Watchguard Firebox II. It has one Static Public IP address. I am using NAT to forward HTTP to a Web server on the trusted interface. Everything is fine from the outside world, but users on the LAN resolve the same IP for the website as Internet users do but cannot connect. They have to use the private IP address of the Web server to connect.

I realize a hosts file entry will resolve this for internal users, and I realize a DNS zone on an internal DNS server could provide the private IP, but I would really like to do this on the firewall. Since a Linksys BEFSR41 with whatever NAT it uses will work, I would have to assume there would be a way to do this with the Watchguard. Any ideas?
Question by: brianrafter

Accepted Solution by: gnegrota (earned 500 total points)
There are some 'tricks' for it, or you can use 2 DNS servers for address resolution.

1) no DNS
[...]./hosts file contains all desired internal (real) IPs for name resolution, and the default DNS used by clients is one on the INTERNET or your external DNS.
This is because the order is: HOSTS file --- WINS service --- DNS query
A firewall doesn't provide a name resolution service. One of the reasons is that a name resolution service uses TCP & UDP port 53 and the protocol is 'telnet' compatible, so this can be a "big" security hole.
A 'trick' is always available: you can 'redirect' the HTTP requests that are coming from inside for a fixed destination to another IP. Sure, that is possible if the firewall does have this kind of 'service'.
2) 1 DNS solution
DNS internal:
- authoritative for all domains owned
- zone transfer not allowed
- any external DNS as forwarder (i.e. ISP DNS, etc.)
- all records reflect the real IP addresses
3) 2 DNS solution
DNS internal:
- authoritative for all domains owned
- zone transfer not allowed
- external DNS as forwarder
- all records reflect the real IP addresses
DNS external:
- Internet authoritative for public zones
- zone transfer allowed from trusted
- forwarders: provider DNS and/or any valid DNS server on the Internet

Enjoy!

Expert Comment by: The--Captain

The problem is that the firewall is translating the destination address (the public IP of your webserver) to the private IP of your webserver, and then your webserver tries to respond directly to the LAN machine using its internal address, but the LAN machine is expecting packets from the webserver's external IP address and ignores the packets from the internal address. You can fix this using DNS hacks (see above), or by just creating a different internal subnet for the webserver (if the firebox will let you do that), or by getting a decent firewall that lets you translate source addresses.

Cheers,
-Jon
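The hairpin problem Jon describes above, as an added example that is not part of the original thread: a small Python model of the firewall's destination NAT, showing why a LAN client's request to the public address gets a reply it ignores, and how additionally translating the source address (the "decent firewall" option) forces the reply back through the firewall so it arrives from the public IP. All addresses are constructed (RFC 5737 / RFC 1918 ranges); `Firewall` and `client_gets_reply` are names chosen for this illustration.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"     # constructed: firewall's single public address
WEB_PRIVATE = "192.168.1.20"   # constructed: web server on the trusted LAN
FIREWALL_LAN = "192.168.1.1"   # constructed: firewall's LAN-side address
LAN_PREFIX = "192.168.1."      # constructed: the trusted subnet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Firewall:
    """DNAT forwards the public IP to the web server; optional hairpin SNAT."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        self.sessions = {}  # translated source -> original client (conntrack)

    def inbound(self, pkt: Packet) -> Packet:
        """Translate a packet addressed to the public IP."""
        if pkt.dst != PUBLIC_IP:
            return pkt
        src = pkt.src
        if self.hairpin_snat and pkt.src.startswith(LAN_PREFIX):
            # Source NAT: the server now sees the firewall as the client, so
            # its reply must return via the firewall to be un-translated.
            src = FIREWALL_LAN
        self.sessions[src] = pkt.src
        return Packet(src, WEB_PRIVATE)

    def reply(self, pkt: Packet) -> Packet:
        """Reverse the translation for a server reply reaching the firewall."""
        return Packet(PUBLIC_IP, self.sessions[pkt.dst])


def client_gets_reply(client: str, hairpin_snat: bool) -> bool:
    """True if the client sees the reply come from the address it connected to."""
    fw = Firewall(hairpin_snat)
    forwarded = fw.inbound(Packet(client, PUBLIC_IP))
    server_reply = Packet(WEB_PRIVATE, forwarded.src)  # server answers what it saw
    # A reply to a host on the same subnet is delivered directly, never
    # passing the firewall, so nothing rewrites its source address.
    direct = server_reply.dst != FIREWALL_LAN and server_reply.dst.startswith(LAN_PREFIX)
    delivered = server_reply if direct else fw.reply(server_reply)
    return delivered.src == PUBLIC_IP
```

An Internet client is unaffected either way, since its reply always traverses the firewall; only the LAN client needs the source translation or one of the DNS/subnet workarounds.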
 
LVL 7

Expert Comment

by:gnegrota
Comment Utility
Evaluate using your firewall as the default gateway for all your (internal) LAN and add/remove some 'route' lines in the firewall configuration.

Author Comment by: brianrafter

Captain, what's a decent firewall that will let me do this? Only a PIX? It sucks that a $49 Linksys will do this. I wish someone knew how the Linksys does this. I have tons of options and configs on the Watchguard but have not found one that works like a Linksys. Any ideas?

Expert Comment by: syn_ack_fin

Flat out forget trying to do it on the WatchGuard. It just won't do it.

As mentioned there are other solutions like using internal DNS or hosts. If it's so annoying to you that you need to change the firewall here are some that will do it:
Symantec Enterprise, Symantec Gateway, Netscreen, ISA

Since the WG II is EOL soon, you might want to look into it.

Good Luck

Author Comment by: brianrafter

syn ack fin,

The WG II is temporary until a permanent firewall is purchased. Thanks for the recommendations. We are looking at SonicWALL Pro and Cisco PIX 506 as well; any opinions there?

Expert Comment by: joshuascott94

The newer model SonicWALLs that run their SonicOS are definitely worth looking into. They are very flexible with the NAT configuration. You can choose whether you want to NAT the source and/or destination addresses and in which direction (inbound/outbound). SonicWALL is very easy to configure and in my experience has been pretty rock solid in terms of stability.

Cisco PIX, on the other hand, is not quite as easy to manage as a SonicWALL. One of the difficulties with PIX is configuring routing and NAT to work between their security "zones". Even Cisco agrees with the shortcomings in PIX, and this is why they are actually pushing their IOS firewall more than they are pushing PIX. The good thing about PIX is that it is extremely fast... arguably the fastest firewall on the market, but you pay for that speed in other ways.

Netscreen is another solid firewall that should be considered. We're in the process of evaluating the Netscreen firewalls and so far we've found their firewalls to be the most feature rich. They seem to offer nearly everything we can throw at them, and it's generally all included in the main price. Items that are not included are virus protection, intrusion prevention, and I believe failover/redundancy. I'm not entirely sure of the items that are not included, but I definitely think Netscreen is worth taking a look at along with the SonicWALL firewall mentioned above.

Good luck!

Expert Comment by: garak1357

Open source all the way! Don't buy an expensive hardware solution for a firewall. Get a Linux geek to lock down a Slackware or Redhat Linux system and install a good free firewall like homeLANsecurity 1.4.1 (http://www.unixpages.com/hls). So many companies are afraid that if it's free, it's not worth anything. Nothing is further from the truth.

Expert Comment by: The--Captain

> I have tons of options and configs on the Watchguard but have not found one that works like a Linksys. Any ideas?

Can you create an additional internal subnet on the watchguard? If so, you can just put your webserver in the new internal subnet and your problem is solved. I do think SonicWALLs are kind of crappy (I prefer Astaro, and you can get the home version for less than $50 I think).

Cheers,
-Jon

Author Comment by: brianrafter

garak1357,

I agree free doesn't mean worthless, but it also doesn't mean it won't cost you a lot. With hourly rates for IT services and support well over $100, a hardware product costing $2000 isn't cost prohibitive. Most companies don't care if source is open or if it's free; it's TCO they are concerned with. Linux is getting better in that area, but then again so is all technology.

Author Comment by: brianrafter

Captain, you are right about the subnet, I think. Watchguard expects you to place these kinds of servers on the optional interface, on a different subnet, or at least it thinks it is. That's probably why I can't find any options otherwise. Thanks for all your help.