cannot view a website internally by real ip

Posted on 2004-11-16
Medium Priority
Last Modified: 2013-11-30
I cannot access my webites internally by the real ip address ie 65.x.x.x  but I am able to do so on an external network .  If I provide a dns name to the address then there's no issue.  what should i look for

perm router-->pix-->lan router-->lnternal network
Question by:cogit

Expert Comment

ID: 12601783
More info please.

You say "real ip" yet reference a non-private address of 65.X.X.X and then reference the "external network" but don't give any info on what addresses those might be.

perm router = ISP router with what on the outside? what on inside?
PIX = your device or ISPs? what external/internal networks?
LAN router = ???? why the 2nd router? what networks does it seperate? is your webserver behind all 3 devices or only two?

my initial -=GUESS=- is that your trying to access an address that the LAN router NATs from exteranal to internal so the fact that your trying to go INTERNAL to EXTERNAL ADDRESS of INTERNAL resource the router doesn't support the double-back involved. but that's just a GUESS based on far too little information to call an educated guess. we need to know what does the ultimate NAT. the PIX could handle it as a rule but then again it could be one of the two routers.

Expert Comment

ID: 12602965
Try to add a permanent route to the internal network using the route command.
 ROUTE ADD DestIP MASK DestMask PrivateIp



Expert Comment

ID: 12603660
ping the dns entry and verify it is giving the 65.x.x.x address and not the internal network address... if it's giving the 65.x.x.x address then you need to check your webserver and verify it is resolving websites by IP address rather than hostname... my guess is when you ping the address you are receiving an internal address... therefore, when you attempt to access the website by dns you use the internal address instead of the 65.x.x.x address...

Author Comment

ID: 12607077
Here is an overview

Cisco 1700
so: 65.x.x.x
pix 506
outside: 65.x.x.130
Cisco 3600
fa/0: 10.12.0.x (internal lan
fa/1: 10.10.1.x

Static statements are set up on pix  and conduit ...

These are test web servers without external dns assigned to the ip.

so lets say is map to 65.x.x.1 , you can hit on the inside with but not 65.xx.1.

If I go on an external network I can of course hit 65.x.x.1.

I'm just helping out a friends network that needs to be flatten out and the PIX has way to many statements that need to be removed.

On perm router there is no ACLs or on the core router ...


Accepted Solution

fettigcj07 earned 2000 total points
ID: 12619408
Then the initial guess was correct, your trying to access the public IP of a private resource from the internal network. This won't work on many devices, my personal experience has been with watchguard firewalls but the limitation seems to apply to the cisco PIX equipment as well.

My recommendation would be to have a seperate DNS server which points the name to the internal IP for internal users and a public DNS which points the name to the public IP for public users. If you only want internal DNS that works to but as a security measure it won't add to much value as simple DNS entries won't really get you found and trying to run an "anonymous, numbers only site" doesn't protect from hackers b/c they run simple port scanners to find sites.

If your truly paranoid use a non-standard port as most ppl only scan for standard ports (like 80)

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
LinkedIn blogging is great for networking, building up an audience, and expanding your influence as well. However, if you want to achieve these results, you need to work really hard to make your post worth liking and sharing. Here are 4 tips that ca…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question