Firebox 700 firewall DNS issue

Posted on 2004-10-21
Medium Priority
Last Modified: 2010-08-05
I host a few websites locally.  My firewall (WatchGuard Firebox III 700) is configured to forward the public IPs to private IPs.  It works fine, but the computers inside the network can't access the site.

I searched WatchGuard's knowledge base and came up with this workaround:
There is a limitation in the Firebox NAT implementation where clients behind the Firebox cannot access the public IP address of a statically-NATted server which is on the same Firebox. Fortunately, this is not a serious handicap for most networks and there are workarounds.

Workarounds to dynamic NAT outbound and static NAT inbound situations

Configure an internal caching DNS server and point internal clients to it. Create a host entry on this DNS server that resolves the name of your company web site to the internal IP address of the Web server.
Configure the Firebox for drop-in mode and configure the Web server with the appropriate public IP address directly, instead of assigning the Firebox the address. Then, create a privately-addressed secondary network for the clients on the trusted interface to use.

I have a 2003 server box hosting dns, all computers are pointed to it.
All I have to do is edit the host file?
Question by: Sglennlmb

Author Comment

ID: 12367685
Full WatchGuard KB article:

When would this be an issue? Consider the following example:

Imagine your Firebox is configured with an external IP address and assigned the name www.mycompany.com. There are many clients behind the Firebox. These clients use an external DNS server provided by your ISP. The Firebox has a static-NAT rule that forwards incoming port 80 (HTTP) requests from the Firebox's external interface to a privately addressed Web server on the optional network.

Now a user on the trusted network decides to browse your company Web site and points his browser to http://www.mycompany.com. The ISP's external DNS server correctly resolves this name to the external IP address of the Firebox. Unfortunately, the client is never able to make the Web connection.

Accepted Solution

Chris Dent earned 500 total points
ID: 12367880

That's the cause of your problem, yes.

Just edit the Internal DNS to be Start of Authority for mycompany.com (if it isn't already) and add a www record pointing at the Internal IP of your site.

The Hosts file will work if you don't want to use DNS, but if you have laptop users that access the page from both sides of the Firewall then it's not very helpful (it's also more difficult to update than DNS).

Expert Comment

ID: 12368550
chris-dent has hit it.

Add the zone information on your local DNS server and create an A (host) record for www (assuming that is the external DNS hostname) and point it towards the internal IP of your web server.

I had this issue and did exactly this.

One thing to bear in mind: you will have to recreate all the DNS records for that zone in order for you to be able to access them from the internal network, e.g. mail.mycompany.com, pop3.mycompany.com.

The creation of this zone internally will stop your DNS forwarder from ever doing an external lookup - so beware.
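The accepted solution (make the internal DNS server authoritative for the zone and point www at the private IP) and the caveat above (the internal zone shadows every name in the domain, so all other records must be recreated) can both be checked before touching the server. The following is an added example, not code from the thread or from WatchGuard: it takes a constructed copy of the public zone and the firewall's static-NAT table, derives the internal zone, lists any public records the internal zone would silently lose, flags names that would still hit the unreachable public address from inside, and emits the dnscmd.exe lines to create the zone on a Windows DNS server. The zone name, addresses and NAT mappings are placeholders, and the dnscmd /ZoneAdd and /RecordAdd syntax is assumed from the tool's documented usage.

```python
"""Plan a split-horizon (internal) copy of a public DNS zone so clients behind a
static-NAT firewall reach hosted servers by private address.

All data below is constructed sample data; zone name and IPs are placeholders.
"""
import ipaddress

# Constructed: what the public (ISP-hosted) zone currently answers.
PUBLIC_ZONE = {
    "www":  "203.0.113.10",
    "mail": "203.0.113.11",
    "pop3": "203.0.113.11",
    "blog": "198.51.100.7",   # hosted elsewhere, not behind this firewall
}

# Constructed: the firewall's static-NAT table, public IP -> private IP.
STATIC_NAT = {
    "203.0.113.10": "192.168.1.10",
    "203.0.113.11": "192.168.1.11",
}


def build_internal_zone(public_zone, static_nat):
    """Return the records the internal zone must carry.

    Every public record is copied, because once the internal server is
    authoritative for the zone it will no longer forward any name in it.
    Records whose address is static-NATted are rewritten to the private IP;
    everything else keeps its public address.
    """
    return {name: static_nat.get(ip, ip) for name, ip in public_zone.items()}


def missing_records(public_zone, internal_zone):
    """Names the public zone answers but the internal zone would not (sorted)."""
    return sorted(set(public_zone) - set(internal_zone))


def hairpin_risk(internal_zone, static_nat):
    """Names that still resolve to a NATted public IP from inside, i.e. the
    connection the Firebox cannot hairpin back to the private server."""
    return sorted(name for name, ip in internal_zone.items() if ip in static_nat)


def dnscmd_script(zone_name, records):
    """dnscmd.exe lines that create a primary zone and its A records
    (assumed syntax: /ZoneAdd and /RecordAdd)."""
    lines = [f"dnscmd /ZoneAdd {zone_name} /Primary /file {zone_name}.dns"]
    for name, ip in sorted(records.items()):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        lines.append(f"dnscmd /RecordAdd {zone_name} {name} A {ip}")
    return lines


if __name__ == "__main__":
    internal = build_internal_zone(PUBLIC_ZONE, STATIC_NAT)
    # Simulate the mistake of creating the zone with only the www record.
    partial = {"www": internal["www"]}
    print("records lost by a www-only zone:", missing_records(PUBLIC_ZONE, partial))
    print("names still unreachable from inside:", hairpin_risk(internal, STATIC_NAT))
    for line in dnscmd_script("mycompany.com", internal):
        print(line)
```

Run the derived zone through missing_records against the live public zone each time the public zone changes; any name it reports is one that internal clients will no longer be able to resolve at all, which is the failure the caveat warns about.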
