Solved

Accessing Web server on LAN by internal users

Posted on 2004-10-20
1,256 Views
Last Modified: 2010-04-10
I am using a Watchguard Firebox II. It has one Static Public IP address. I am using NAT to forward HTTP to a Web server on the trusted interface. Everything is fine from the outside world, but users on the LAN resolve the same IP for the website as Internet users do but cannot connect. They have to use the private IP address of the Web server to connect.

I realize a hosts file entry will resolve this for internal users, and I realize a DNS zone on an internal DNS server could provide the private IP, but I would really like to do this on the firewall. Since a Linksys BEFSR41 with whatever NAT it uses will work, I would have to assume there would be a way to do this with the Watchguard. Any ideas?
Question by:brianrafter
12 Comments
 
Accepted Solution by gnegrota (LVL 7), earned 1500 total points, ID: 12356003
There are some 'tricks' for it, or you can use 2 DNS servers for address resolution.

1) no DNS
The [...]./hosts file contains all desired internal (real) IPs for name resolution, and the default DNS used by clients is one on the Internet or your external DNS.
This is because the order is: HOSTS file --- WINS service --- DNS query.
A firewall doesn't provide a name resolution service. One of the reasons is this: a name resolution service uses TCP & UDP port 53 and the protocol is 'telnet' compatible, so this can be a "big" security hole.
A 'trick' is always available: you can 'redirect' the HTTP requests that are coming from inside for a fixed destination to another IP. Sure, that is possible if the firewall has this kind of 'service'.
2) 1 DNS solution
DNS internal:
- authoritative for all domains owned
- zone transfer not allowed
- any external DNS as forwarder (i.e. ISP DNS, etc.)
- all records reflect the real IP addresses
3) 2 DNS solution
DNS internal:
- authoritative for all domains owned
- zone transfer not allowed
- external DNS as forwarder
- all records reflect the real IP addresses
DNS external:
- Internet authoritative for public zones
- zone transfer allowed from trusted
- forwarders: provider DNS and/or any valid DNS server on the Internet

Enjoy !
 
Expert Comment by The--Captain (LVL 16), ID: 12356656
The problem is that the firewall is translating the destination address (the public IP of your webserver) to the private IP of your webserver, and then your webserver tries to respond directly to the LAN machine using its internal address, but the LAN machine is expecting packets from the webserver's external IP address, and ignores the packets from the internal address.  You can fix this using DNS hacks (see above), or by just creating a different internal subnet for the webserver (if the firebox will let you do that), or by getting a decent firewall that lets you translate source addresses.

Cheers,
-Jon
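The failure Jon describes in the comment above, and the three ways out of it that the thread offers (split DNS or a hosts entry as in the accepted answer, moving the server to its own subnet, or translating the source address as well as the destination), modelled in Python. This is an added illustration, not code from the thread or from any Watchguard or Linksys product; the addresses, the single 80/tcp port forward and the simplified connection tracking are constructed assumptions chosen to reproduce the behaviour described.

```python
"""Why a DNAT-only port forward breaks for LAN clients, and what fixes it.

Added illustration (not from the thread or from any firewall vendor).
Addresses, the single 80/tcp forward and the connection tracking are
constructed assumptions chosen to reproduce the behaviour described above.
"""
from dataclasses import dataclass, replace
import ipaddress

PUBLIC_IP = "203.0.113.10"      # firewall's external address (constructed)
FW_LAN_IP = "192.168.1.1"       # firewall's trusted-interface address
CLIENT_IP = "192.168.1.50"      # LAN workstation
LAN_SERVER_IP = "192.168.1.80"  # web server on the trusted LAN (the problem case)
DMZ_SERVER_IP = "192.168.2.80"  # web server moved to a separate subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def same_subnet(a: str, b: str, prefix_len: int = 24) -> bool:
    """True if a and b share one /prefix_len network (all subnets here are /24)."""
    return ipaddress.ip_address(a) in ipaddress.ip_network(f"{b}/{prefix_len}", strict=False)


class Firewall:
    """Stateful NAT box with one inbound forward: PUBLIC_IP:80 -> server:80.

    hairpin_snat=True additionally rewrites the source of LAN-originated
    hairpin flows to FW_LAN_IP, so the server's reply is addressed to the
    firewall and can be un-translated there.
    """

    def __init__(self, server_ip: str, hairpin_snat: bool = False):
        self.server_ip = server_ip
        self.hairpin_snat = hairpin_snat
        self.conntrack: dict[tuple, Packet] = {}  # translated 4-tuple -> original packet

    def forward(self, pkt: Packet) -> Packet:
        """Outbound direction through the firewall: apply DNAT (and optional SNAT)."""
        if pkt.dst != PUBLIC_IP or pkt.dport != 80:
            return pkt  # not the forwarded service; routed unchanged
        out = replace(pkt, dst=self.server_ip)
        if self.hairpin_snat and same_subnet(pkt.src, FW_LAN_IP):
            out = replace(out, src=FW_LAN_IP)
        self.conntrack[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def reply(self, pkt: Packet) -> Packet:
        """Return direction: reverse the translation recorded in conntrack."""
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return pkt  # unknown flow, leave alone
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def lan_client_connects(server_ip: str, hairpin_snat: bool, resolved_ip: str = PUBLIC_IP) -> bool:
    """Simulate one SYN/SYN-ACK exchange; True if the client accepts the reply.

    resolved_ip is what the client's name lookup returned: PUBLIC_IP by default,
    or the server's private address when split DNS / a hosts entry is in use.
    """
    fw = Firewall(server_ip, hairpin_snat)
    syn = Packet(CLIENT_IP, 40000, resolved_ip, 80)

    # Traffic to the client's own subnet goes straight over the LAN; anything
    # else (including the public IP) goes to the default gateway, the firewall.
    at_server = syn if same_subnet(syn.src, syn.dst) else fw.forward(syn)

    # The server answers whatever source address it saw.
    synack = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)

    # The reply reaches the firewall only if it is addressed to it or to
    # another subnet; a reply to a host on the server's own subnet bypasses it.
    if synack.dst == FW_LAN_IP or not same_subnet(synack.src, synack.dst):
        at_client = fw.reply(synack)
    else:
        at_client = synack

    # The client's TCP stack only accepts a reply matching the 4-tuple it sent to.
    expected = (syn.dst, syn.dport, syn.src, syn.sport)
    return (at_client.src, at_client.sport, at_client.dst, at_client.dport) == expected


if __name__ == "__main__":
    cases = {
        "same subnet, DNAT only (the Firebox II case)": (LAN_SERVER_IP, False, PUBLIC_IP),
        "same subnet, DNAT + hairpin SNAT (Linksys-style)": (LAN_SERVER_IP, True, PUBLIC_IP),
        "server on its own subnet, DNAT only": (DMZ_SERVER_IP, False, PUBLIC_IP),
        "same subnet, client uses split DNS / hosts entry": (LAN_SERVER_IP, False, LAN_SERVER_IP),
    }
    for label, args in cases.items():
        print(f"{label}: {'works' if lan_client_connects(*args) else 'FAILS'}")
```

Run it and only the first case fails: the server's reply carries its private address and never passes through the firewall, so nothing can put the public address back. The second case is what the Linksys is doing on the client's behalf, the third is the separate-subnet layout, and the fourth is the split-DNS arrangement from the accepted answer, which keeps inside users away from NAT altogether. One caveat on the hairpin-SNAT fix that matters for later investigation: because every internal visitor arrives with the firewall's address as source, the web server's access logs can no longer tell internal clients apart.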
 
Expert Comment by gnegrota (LVL 7), ID: 12356763
Evaluate using your firewall as the default gateway for your whole (internal) LAN and add/remove some 'route' lines in the firewall configuration.
 
Author Comment by brianrafter (LVL 1), ID: 12357278
Captain, what's a decent firewall that will let me do this? Only a PIX? It sucks that a $49 Linksys will do this. I wish someone knew how the Linksys does this. I have tons of options and configs on the Watchguard but have not found one that works like a Linksys. Any ideas?
 
Expert Comment by syn_ack_fin (LVL 4), ID: 12359902
Flat out forget trying to do it on the WatchGuard. It just won't do it.

As mentioned, there are other solutions like using internal DNS or hosts. If it's so annoying to you that you need to change the firewall, here are some that will do it:
Symantec Enterprise, Symantec Gateway, Netscreen, ISA

Since the WG II is EOL soon you might want to look into it.

Good Luck
 
Author Comment by brianrafter (LVL 1), ID: 12362805
syn ack fin,

The WG II is temporary until a permanent firewall is purchased. Thanks for the recommendations. We are looking at SonicWALL Pro and Cisco PIX 506 as well, any opinions there?
 

Expert Comment by joshuascott94, ID: 12367061
The newer model SonicWALLs that run their SonicOS are definitely worth looking into.  They are very flexible with the NAT configuration.  You can choose whether you want to NAT the source and/or destination addresses and in which direction (inbound/outbound).  SonicWALL is very easy to configure and in my experience has been pretty rock solid in terms of stability.  

Cisco PIX, on the other hand, is not quite as easy to manage as a SonicWALL.  One of the difficulties with PIX is configuring routing and NAT to work between their security "zones".  Even Cisco agrees with the shortcomings in PIX and this is why they are actually pushing their IOS firewall more than they are pushing PIX.  The good thing about PIX is that it is extremely fast...arguably the fastest firewall on the market, but you pay for that speed in other ways.  

Netscreen is another solid firewall that should be considered.  We're in the process of evaluating the Netscreen firewalls and so far we've found their firewalls to be the most feature rich.  They seem to offer nearly everything we can throw at them, and it's generally all included in the main price.  Items that are not included are virus protection, intrusion prevention, and I believe failover/redundancy.  I'm not entirely sure of the items that are not included, but I definitely think Netscreen is worth taking a look at along with the SonicWALL firewall mentioned above.

Good luck!
 
Expert Comment by garak1357 (LVL 2), ID: 12372759
Open source all the way!  Don't buy an expensive hardware solution for a firewall.  Get a Linux geek to lock down a Slackware or Red Hat Linux system and install a good free firewall like homeLANsecurity 1.4.1 (http://www.unixpages.com/hls).  So many companies are afraid that if it's free, it's not worth anything.  Nothing is further from the truth.
 
Expert Comment by The--Captain (LVL 16), ID: 12378117
>I have tons of options and configs on the Watchguard but have not found one that works like a Linksys. Any ideas?

Can you create an additional internal subnet on the Watchguard?  If so, you can just put your webserver in the new internal subnet and your problem is solved - I do think SonicWALLs are kind of crappy (I prefer Astaro, and you can get the home version for less than $50 I think)

Cheers,
-Jon
 
Author Comment by brianrafter (LVL 1), ID: 12384935
garak1357,

I agree free doesn't mean worthless, but it also doesn't mean it won't cost you a lot. With hourly rates for IT services and support well over $100, a hardware product costing $2000 isn't cost prohibitive. Most companies don't care if source is open or if it's free, it's TCO they are concerned with. Linux is getting better in that area, but then again so is all technology.
 
Author Comment by brianrafter (LVL 1), ID: 12384973
Captain, you are right about the subnet, I think. Watchguard expects you to place these kinds of servers on the optional interface, on a different subnet, or at least it thinks it is. That's probably why I can't find any options otherwise. Thanks for all your help.