cannot view a website internally by real ip

Posted on 2004-11-16
Last Modified: 2013-11-30
I cannot access my websites internally by the real IP address, i.e. 65.x.x.x, but I am able to do so on an external network. If I provide a DNS name to the address then there's no issue. What should I look for?

perm router-->pix-->lan router-->internal network
Question by: cogit
    LVL 4

    Expert Comment

    More info please.

    You say "real ip" yet reference a non-private address of 65.X.X.X and then reference the "external network" but don't give any info on what addresses those might be.

    perm router = ISP router with what on the outside? what on inside?
    PIX = your device or ISPs? what external/internal networks?
    LAN router = ???? why the 2nd router? what networks does it separate? is your webserver behind all 3 devices or only two?

    my initial -=GUESS=- is that you're trying to access an address that the LAN router NATs from external to internal, so the fact that you're trying to go INTERNAL to the EXTERNAL ADDRESS of an INTERNAL resource means the router doesn't support the double-back involved. but that's just a GUESS based on far too little information to call an educated guess. we need to know what does the ultimate NAT. the PIX could handle it as a rule but then again it could be one of the two routers.
    LVL 8

    Expert Comment

    Try to add a permanent route to the internal network using the route command.

    ROUTE ADD DestIP MASK DestMask PrivateIp

    ROUTE ADD 65.X.X.X

    LVL 8

    Expert Comment

    ping the dns entry and verify it is giving the 65.x.x.x address and not the internal network address... if it's giving the 65.x.x.x address then you need to check your webserver and verify it is resolving websites by IP address rather than hostname... my guess is when you ping the address you are receiving an internal address... therefore, when you attempt to access the website by dns you use the internal address instead of the 65.x.x.x address...

    Author Comment

    Here is an overview

    Cisco 1700
    so: 65.x.x.x
    pix 506
    outside: 65.x.x.130
    Cisco 3600
    fa/0: 10.12.0.x (internal LAN)
    fa/1: 10.10.1.x

    Static statements are set up on pix  and conduit ...

    These are test web servers without external dns assigned to the ip.

    So let's say it is mapped to 65.x.x.1: you can hit it on the inside, but not at 65.x.x.1.

    If I go on an external network I can of course hit 65.x.x.1.

    I'm just helping out a friend's network that needs to be flattened out, and the PIX has way too many statements that need to be removed.

    On the perm router there are no ACLs, nor on the core router ...

    LVL 4

    Accepted Solution

    Then the initial guess was correct: you're trying to access the public IP of a private resource from the internal network. This won't work on many devices; my personal experience has been with WatchGuard firewalls, but the limitation seems to apply to the Cisco PIX equipment as well.

    My recommendation would be to have a separate DNS server which points the name to the internal IP for internal users and a public DNS which points the name to the public IP for public users. If you only want internal DNS that works too, but as a security measure it won't add too much value, as simple DNS entries won't really get you found, and trying to run an "anonymous, numbers only site" doesn't protect from hackers b/c they run simple port scanners to find sites.

    If you're truly paranoid use a non-standard port as most ppl only scan for standard ports (like 80)
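The split-horizon DNS approach recommended in the accepted solution, plus the "what did the name resolve to from inside?" check suggested earlier in the thread, as an added illustration that is not part of the original thread. The internal ranges follow the author's overview (10.12.0.x and 10.10.1.x); the hostname, the private server address 10.12.0.50, and the public address 203.0.113.1 (standing in for the thread's redacted 65.x.x.1) are constructed placeholders.

```python
import ipaddress

# Constructed sample data: internal networks from the thread's overview, and one
# hypothetical test web server that the PIX statically maps from a private
# address to a public one (203.0.113.1 stands in for the redacted 65.x.x.1).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.12.0.0/16"),
    ipaddress.ip_network("10.10.1.0/24"),
]
SPLIT_ZONE = {
    "www.example.test": {"internal": "10.12.0.50", "public": "203.0.113.1"},
}


def is_internal_client(client_ip: str) -> bool:
    """True when the querying client sits on one of the inside networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETWORKS)


def resolve(name: str, client_ip: str):
    """Split-horizon answer: inside clients get the private address so they
    never try to hairpin through the PIX; everyone else gets the public one."""
    record = SPLIT_ZONE.get(name)
    if record is None:
        return None
    view = "internal" if is_internal_client(client_ip) else "public"
    return record[view]


def diagnose(name: str, client_ip: str, answer: str) -> str:
    """Classify an observed answer (e.g. what 'ping <name>' printed).
    'hairpin' reproduces the thread's symptom: an inside client was handed
    the public IP of a statically NATed host, which the PIX will not loop back.
    'leaked-private' is the opposite mistake: an outside client received an
    RFC1918 address it cannot reach."""
    record = SPLIT_ZONE.get(name)
    if record is None:
        return "unknown-name"
    inside = is_internal_client(client_ip)
    if inside and answer == record["public"]:
        return "hairpin"
    if not inside and answer == record["internal"]:
        return "leaked-private"
    return "ok"
```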
