Solved

Firebox 700 firewall DNS issue

Posted on 2004-10-21
Last Modified: 2010-08-05
I host a few websites locally. My firewall (WatchGuard Firebox III 700) is configured to forward the public IPs to private IPs. It works fine, but the computers inside the network can't access the site.

I searched WatchGuard's knowledge base and came up with this workaround:
There is a limitation in the Firebox NAT implementation where clients behind the Firebox cannot access the public IP address of a statically-NATted server which is on the same Firebox. Fortunately, this is not a serious handicap for most networks and there are workarounds.

*******************************************************************
Workarounds to dynamic NAT outbound and static NAT inbound situations

Configure an internal caching DNS server and point internal clients to it. Create a host entry on this DNS server that resolves the name of your company web site to the internal IP address of the Web server.
Configure the Firebox for drop-in mode and configure the Web server with the appropriate public IP address directly, instead of assigning the Firebox the address. Then, create a privately-addressed secondary network for the clients on the trusted interface to use.

*****************************************************************
I have a 2003 server box hosting DNS; all computers are pointed to it.
All I have to do is edit the hosts file?
Question by: Sglennlmb
3 Comments
 

Author Comment

by: Sglennlmb
ID: 12367685
Full WatchGuard KB article:

When would this be an issue? Consider the following example:

Imagine your Firebox is configured with an external IP address and assigned the name www.mycompany.com. There are many clients behind the Firebox. These clients use an external DNS server provided by your ISP. The Firebox has a static-NAT rule that forwards incoming port 80 (HTTP) requests from the Firebox's external interface to a privately addressed Web server on the optional network.

Now a user on the trusted network decides to browse your company Web site and points his browser to http://www.mycompany.com. The ISP's external DNS server correctly resolves this name to the external IP address of the Firebox. Unfortunately, the client is never able to make the Web connection.
LVL 70

Accepted Solution

by: Chris Dent (earned 125 total points)
ID: 12367880

That's the cause of your problem, yes.

Just edit the Internal DNS to be Start of Authority for mycompany.com (if it isn't already) and add a www record pointing at the Internal IP of your site.

The Hosts file will work if you don't want to use DNS, but if you have laptop users that access the page from both sides of the Firewall then it's not very helpful (it's also more difficult to update than DNS).
LVL 2

Expert Comment

by: stevemjp
ID: 12368550
Chris Dent has hit it.

Add the zone information on your local DNS server and create an A (host) record for www (assuming that is the external DNS hostname) and point it towards the internal IP of your web server.

I had this issue and did exactly this.

One thing to bear in mind: you will have to recreate all the DNS records for that zone in order to be able to access them from the internal network, e.g. mail.mycompany.com, pop3.mycompany.com.

The creation of this zone internally will stop your DNS forwarder from ever doing an external lookup, so beware.
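A worked model of the split-horizon setup from the accepted answer and of the caveat in the last comment, as an added Python example that is not from the thread, from WatchGuard, or from Microsoft DNS. It shows why an internal server that is authoritative for mycompany.com answers NXDOMAIN for any name in that zone it does not hold instead of forwarding it, gives a check (`missing_records`) that lists what still has to be recreated, and goes one step beyond the thread with `build_internal_zone`, which derives the complete internal zone from the public zone plus the static-NAT mapping so that every NATted host, not just www, gets its private address. The zone name comes from the KB text; the hostnames mail and pop3 come from the last comment; the IP addresses, function names and the `nat_map` parameter are constructed assumptions.

```python
"""Split-horizon DNS model for a statically-NATted web server.

Added example, not code from the thread. All addresses are constructed
placeholders (RFC 5737 documentation space for public, RFC 1918 for private).
"""
from __future__ import annotations

NXDOMAIN = "NXDOMAIN"

# Constructed: the view the ISP's public DNS serves for the zone. www points
# at the Firebox external address that the static-NAT rule forwards inbound.
EXTERNAL_ZONE = {
    "www.mycompany.com": "203.0.113.10",
    "mail.mycompany.com": "203.0.113.11",
    "pop3.mycompany.com": "203.0.113.11",
}

# Constructed: the internal Windows DNS server after following the accepted
# answer literally, i.e. a local mycompany.com zone holding only the www
# record, pointed at the private address of the web server behind static NAT.
INTERNAL_ZONE_PARTIAL = {
    "www.mycompany.com": "192.168.1.10",
}


def resolve(name: str, internal_zones: dict[str, dict[str, str]],
            forwarder: dict[str, str]) -> str:
    """Resolve a name the way an internal caching/authoritative server does.

    If the server hosts the zone the name belongs to, the answer comes only
    from that zone: a record that is not there is NXDOMAIN and is never sent
    to the forwarder. Names outside every local zone go to the forwarder
    (modelled here as a plain lookup in the public view).
    """
    for zone, records in internal_zones.items():
        if name == zone or name.endswith("." + zone):
            return records.get(name, NXDOMAIN)
    return forwarder.get(name, NXDOMAIN)


def missing_records(external: dict[str, str], internal: dict[str, str]) -> list[str]:
    """Names in the public zone that the internal copy lacks.

    These are exactly the names internal clients will stop resolving once
    the zone exists locally, which is the caveat raised in the last comment.
    """
    return sorted(n for n in external if n not in internal)


def build_internal_zone(external: dict[str, str], nat_map: dict[str, str]) -> dict[str, str]:
    """Copy the public zone, rewriting only the statically-NATted hosts.

    nat_map maps public IP -> private IP for each static NAT rule on the
    Firebox (constructed parameter). Records that point at a NATted public
    address get the private address; every other record is copied unchanged,
    so the internal zone answers every public name.
    """
    return {name: nat_map.get(ip, ip) for name, ip in external.items()}


if __name__ == "__main__":
    partial = {"mycompany.com": INTERNAL_ZONE_PARTIAL}
    # Hairpin problem solved for www, but mail now breaks from inside.
    print("www  (partial zone):", resolve("www.mycompany.com", partial, EXTERNAL_ZONE))
    print("mail (partial zone):", resolve("mail.mycompany.com", partial, EXTERNAL_ZONE))
    print("still to recreate  :", missing_records(EXTERNAL_ZONE, INTERNAL_ZONE_PARTIAL))

    full = build_internal_zone(EXTERNAL_ZONE, {"203.0.113.10": "192.168.1.10"})
    complete = {"mycompany.com": full}
    print("mail (full zone)   :", resolve("mail.mycompany.com", complete, EXTERNAL_ZONE))
    print("still to recreate  :", missing_records(EXTERNAL_ZONE, full))
```

Running it with the partial zone shows www resolving to 192.168.1.10 while mail.mycompany.com comes back NXDOMAIN; after `build_internal_zone` the missing-record list is empty and mail resolves to its public address again. The same `missing_records` comparison can be run against a real export of the two zones before the internal zone goes live.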