Solved

Firebox 700 firewall DNS issue

Posted on 2004-10-21
Last Modified: 2010-08-05
I host a few websites locally.  My firewall (WatchGuard Firebox III 700) is configured to forward the public IPs to private IPs.  It works fine, but the computers inside the network can't access the site.

I searched WatchGuard's knowledge base and came up with this workaround:
There is a limitation in the Firebox NAT implementation where clients behind the Firebox cannot access the public IP address of a statically-NATted server which is on the same Firebox. Fortunately, this is not a serious handicap for most networks and there are workarounds.

*******************************************************************
Workarounds to dynamic NAT outbound and static NAT inbound situations

Configure an internal caching DNS server and point internal clients to it. Create a host entry on this DNS server that resolves the name of your company web site to the internal IP address of the Web server.
Configure the Firebox for drop-in mode and configure the Web server with the appropriate public IP address directly, instead of assigning the Firebox the address. Then, create a privately-addressed secondary network for the clients on the trusted interface to use.

*****************************************************************
I have a 2003 server box hosting dns, all computers are pointed to it.
All I have to do is edit the host file?
Question by:Sglennlmb
3 Comments
Author Comment

by:Sglennlmb
ID: 12367685
Full WatchGuard KB article:

When would this be an issue? Consider the following example:

Imagine your Firebox is configured with an external IP address and assigned the name www.mycompany.com. There are many clients behind the Firebox. These clients use an external DNS server provided by your ISP. The Firebox has a static-NAT rule that forwards incoming port 80 (HTTP) requests from the Firebox's external interface to a privately addressed Web server on the optional network.

Now a user on the trusted network decides to browse your company Web site and points his browser to http://www.mycompany.com. The ISP's external DNS server correctly resolves this name to the external IP address of the Firebox. Unfortunately, the client is never able to make the Web connection.
LVL 70

Accepted Solution

by:
Chris Dent earned 125 total points
ID: 12367880

That's the cause of your problem, yes.

Just edit the Internal DNS to be Start of Authority for mycompany.com (if it isn't already) and add a www record pointing at the Internal IP of your site.

The Hosts file will work if you don't want to use DNS, but if you have laptop users that access the page from both sides of the Firewall then it's not very helpful (it's also more difficult to update than DNS).
LVL 2

Expert Comment

by:stevemjp
ID: 12368550
chris-dent has hit it.

Add the zone information on your local DNS server and create an A (host) record for www (assuming that is the external DNS hostname) and point it towards the internal IP of your web server.

I had this issue and did exactly this.

One thing to bear in mind: you will have to recreate all the DNS records for that zone in order for you to be able to access them from the internal network, e.g. mail.mycompany.com, pop3.mycompany.com.

The creation of this zone internally will stop your DNS forwarder from ever doing an external lookup - so beware.
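The caveat in the last comment (once the internal server is authoritative for mycompany.com, any public record you forgot to copy silently stops resolving inside) and the fix itself (the www record must carry the RFC 1918 address, not the Firebox's external one) can both be checked mechanically. The script below is an added example, not code from this thread; the two zone excerpts and the addresses in them (203.0.113.x as the public side, 192.168.1.10 as the internal web server) are constructed samples.

```python
import ipaddress
from collections import defaultdict

# Address space the trusted network actually uses (assumed: RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: what the ISP's public DNS publishes for mycompany.com.
EXTERNAL_ZONE = """\
@      3600 IN MX    10 mail
www    3600 IN A     203.0.113.10
mail   3600 IN A     203.0.113.11
pop3   3600 IN CNAME mail
"""

# Constructed sample: the zone created on the internal Windows 2003 DNS server.
INTERNAL_ZONE = """\
www    IN A  192.168.1.10
mail   IN A  203.0.113.11   ; still the public address, will hairpin through the Firebox
"""

def parse_zone(text):
    """Parse lines of the form 'name [TTL] IN TYPE rdata' into {(name, type): {rdata}}."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[1].isdigit():                 # optional TTL column
            del fields[1]
        name, rtype, rdata = fields[0].lower(), fields[2].upper(), " ".join(fields[3:])
        records[(name, rtype)].add(rdata)
    return records

def audit_split_horizon(external_zone, internal_zone, natted_hosts):
    """Return (records missing from the internal copy, NATted hosts whose internal
    A record still points at a non-internal address)."""
    external, internal = parse_zone(external_zone), parse_zone(internal_zone)
    missing = sorted(key for key in external if key not in internal)
    still_public = set()
    for host in natted_hosts:
        for addr in internal.get((host, "A"), ()):
            if not any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS):
                still_public.add(host)
    return missing, sorted(still_public)

if __name__ == "__main__":
    missing, still_public = audit_split_horizon(EXTERNAL_ZONE, INTERNAL_ZONE, ("www", "mail"))
    print("records not copied to the internal zone:", missing)
    print("statically NATted hosts still resolving to a public IP inside:", still_public)
```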
