cannot view a website internally by real ip

I cannot access my websites internally by the real IP address, i.e. 65.x.x.x, but I am able to do so on an external network. If I provide a DNS name to the address then there's no issue. What should I look for?

perm router-->pix-->lan router-->internal network
cogit Asked:

fettigcj07 Commented:
More info please.

You say "real ip" yet reference a non-private address of 65.X.X.X and then reference the "external network" but don't give any info on what addresses those might be.

perm router = ISP router with what on the outside? What on the inside?
PIX = your device or the ISP's? What external/internal networks?
LAN router = ???? Why the 2nd router? What networks does it separate? Is your webserver behind all 3 devices or only two?

My initial -=GUESS=- is that you're trying to access an address that the LAN router NATs from external to internal, so the fact that you're trying to go INTERNAL to EXTERNAL ADDRESS of INTERNAL resource the router doesn't support the double-back involved. But that's just a GUESS based on far too little information to call an educated guess. We need to know what does the ultimate NAT. The PIX could handle it as a rule but then again it could be one of the two routers.
0
cooljai1 Commented:
Try to add a permanent route to the internal network using the route command.
ROUTE ADD DestIP MASK DestMask PrivateIp

e.g.
ROUTE ADD 65.X.X.X MASK 255.255.252.0 192.168.10.2


DO THIS ON ALL THE CLIENT SYSTEMS.
0
kain21 Commented:
Ping the DNS entry and verify it is giving the 65.x.x.x address and not the internal network address... if it's giving the 65.x.x.x address then you need to check your webserver and verify it is resolving websites by IP address rather than hostname... my guess is when you ping the address you are receiving an internal address... therefore, when you attempt to access the website by DNS you use the internal address instead of the 65.x.x.x address...
0
cogit (Author) Commented:
Here is an overview

ISP
|
Cisco 1700
so: 65.x.x.x
eo: 65.x.x.129
|
pix 506
outside: 65.x.x.130
inside: 10.9.1.131
|
Cisco 3600
eo: 10.9.1.130
fa/0: 10.12.0.x (internal lan)
fa/1: 10.10.1.x


Static statements are set up on pix  and conduit ...

These are test web servers without external dns assigned to the ip.

So let's say 10.12.0.1 is mapped to 65.x.x.1; you can hit it on the inside with 10.12.0.1 but not 65.x.x.1.

If I go on an external network I can of course hit 65.x.x.1.

I'm just helping out a friend's network that needs to be flattened out, and the PIX has way too many statements that need to be removed.

On the perm router there are no ACLs, nor on the core router ...


0
fettigcj07 Commented:
Then the initial guess was correct: you're trying to access the public IP of a private resource from the internal network. This won't work on many devices; my personal experience has been with WatchGuard firewalls but the limitation seems to apply to the Cisco PIX equipment as well.

My recommendation would be to have a separate DNS server which points the name to the internal IP for internal users and a public DNS which points the name to the public IP for public users. If you only want internal DNS that works too, but as a security measure it won't add too much value, as simple DNS entries won't really get you found and trying to run an "anonymous, numbers only site" doesn't protect from hackers b/c they run simple port scanners to find sites.

If you're truly paranoid use a non-standard port, as most ppl only scan for standard ports (like 80).
0
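
The split-DNS recommendation above can be derived from the PIX's own `static` statements. The following is an added example, not part of the original thread: it parses PIX 6.x-style host statics, flags inside clients aiming at a mapped address, and builds the internal A records. The 203.0.113.0/24 addresses stand in for the redacted 65.x.x.x block, and the /24 LAN masks, host 10.10.1.5 and the hostnames are assumptions.

```python
import ipaddress
import re

# Constructed sample: 203.0.113.0/24 stands in for the redacted 65.x.x.x block.
PIX_CONFIG = """\
static (inside,outside) 203.0.113.1 10.12.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.2 10.10.1.5 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.1 eq www any
"""
# Assumption: both LAN segments behind the 3600 are /24s.
INSIDE_NETS = [ipaddress.ip_network(n) for n in ("10.12.0.0/24", "10.10.1.0/24")]
# Hypothetical public DNS data (name -> public address).
PUBLIC_NAMES = {"test1.example.test": "203.0.113.1", "www.example.test": "203.0.113.9"}

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255\b", re.M)


def parse_statics(config):
    """Return {mapped public address: real private address} for host statics."""
    nat = {}
    for real_if, mapped_if, mapped, real in STATIC_RE.findall(config):
        if (real_if, mapped_if) == ("inside", "outside"):
            nat[ipaddress.ip_address(mapped)] = ipaddress.ip_address(real)
    return nat


def check(client, dest, nat):
    """Classify a client -> destination attempt and return the address to use."""
    client, dest = ipaddress.ip_address(client), ipaddress.ip_address(dest)
    if any(client in net for net in INSIDE_NETS) and dest in nat:
        return ("hairpin", str(nat[dest]))  # inside host aiming at a mapped address
    return ("ok", str(dest))


def internal_records(public_names, nat):
    """A records for the internal DNS server: same names, private addresses."""
    records = {}
    for name, public in public_names.items():
        real = nat.get(ipaddress.ip_address(public))
        if real is not None:  # names with no static keep their public record
            records[name] = str(real)
    return records


if __name__ == "__main__":
    nat = parse_statics(PIX_CONFIG)
    print(check("10.12.0.50", "203.0.113.1", nat))
    print(internal_records(PUBLIC_NAMES, nat))
```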

Question has a verified solution.
