  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2031

Can't Access Web Server Behind DMZ with Sonicwall TZ170

I have a network setup in the following way:

WAN: Connection to internet (Sonicwall primary IP is x.x.x.251, gateway is x.x.x.254)
DMZ: Transparent range (using x.x.x.252-253)
LAN: 192.168.0.x

Problem is that computers on the LAN can't access the web server behind the DMZ.  What things should I be checking for?  I have two computers on the LAN NAT'ed to public IP addresses and they can reach the DMZ fine.  Do I need to define a route somehow?  I don't know much about routing.  Thanks for your help.
0
Asked: bmoffitt
1 Solution
 
srikrishnak Commented:
Do you have a DNS locally to resolve the names...
How about the routing from DMZ to LAN? Have you configured it... If the SonicWall is acting as the gateway, please check that.
0
 
ZabagaR Commented:
Do you have a rule configured on the SonicWall allowing traffic to run from the LAN to the DMZ? You can allow all traffic or just specific ports.  Sounds like you do, but it doesn't hurt to ask.

I have seen cases where the SonicWall doesn't like you DNS looping on it; what I mean is that if you're typing in the FQDN of a machine (say your web server) from the LAN....the query goes out to the internet, resolves, then comes back into your DMZ --> so it's like a loop. I've seen the SonicWall have problems with that.

So maybe -as srikrishnak said- have a local DNS server resolving the names. If you don't have a local resolver for the web server, then the request will go out to the internet and back into your DMZ (which creates a DNS loopback that the SonicWall sometimes chokes on).


0
 
bmoffitt (Author) Commented:
I've set up the following route:

Source: LAN Primary Subnet
Destination: WAN Transparent Range
Service: Any
Gateway: 0.0.0.0
Interface: OPT

This doesn't seem to be working.

The SonicWALL is allowing all traffic from the LAN to the DMZ.

Yes, a local DNS server is set up.  When the website is requested, the DNS server replies with the WAN address of the server, even though it is also accessible through the LAN.  How can I have the DNS server reply with the LAN address of the server for computers on the LAN and with the WAN address for computers on the Internet?  I used to have it reply with both addresses, but computers that are on a 192.168.0.x subnet could misinterpret and use that address instead of the x.x.x.252-253.  This could be fixed through DNS instead of the SonicWALL, I would guess.
0
 
ZabagaR Commented:
How I configured my sonicwall was:  (I guess it's more of a DNS config at this point!)

Let's say I have a web server named DELL1 in the DMZ with an IP of 151.10.2.1.
I also have assigned a LAN address to the machine named DELL1 with an address of 192.168.1.101

So on my DNS server on the LAN I have a zone file called "mycompany.com"
I have a "www" A record in the zone pointing to IP of 192.168.1.101

So, internally, when clients go to http://www.mycompany.com, it is resolved locally to 192.168.1.101.  The firewall does not handle the request as a result.

OUTSIDE the company, on the external DNS servers, it's a similar dns setup but the "www" record points to the external 151.10.2.1 address.

This prevents the DNS loopback, which I have seen cause problems with some SonicWalls (depends on firmware revision too).
0
 
srikrishnak Commented:
Good explanation there.. Rather, I just mentioned the DNS issue... I don't think it's the issue with SonicWall but with many of the setups.. A small tech issue :)



0
 
bmoffitt (Author) Commented:
The problem is that the DNS server (for external and internal queries) and the web server are the same computer and thus reside in the DMZ.  Any thoughts?
0
 
magicomminc Commented:
You need a split DNS. Quote from the article below: "A split DNS infrastructure is a solution to the problem of using the same domain name for internally and externally accessible resources."
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html

>" Yes, a local DNS server is setup.  When the website is requested, the DNS server replies with the WAN address of the server, even though it is also accessible through the LAN.  How can I have the DNS server reply with the LAN address of the server for computers on the LAN and with the WAN address for computers on the Internet?"
--A single DNS server can't do the job like that; you need to have ONE internal DNS server for your inside LAN queries and ANOTHER external DNS server for outside (Internet).

>"The problem is that the DNS server (for external and internal queries) and the web server are the same computer and thus reside in the DMZ.  Any thoughts?"
--The easy way to get around this is to have your ISP or another outsourced DNS service, such as www.ultradns.com, host your external DNS records (www.mycompany.com ==> x.x.x.252), and use your internal DNS server for your inside queries only (www.mycompany.com ==> 192.168.0.x). Of course, you would still need to properly configure your firewall to forward (NAT) traffic to your DMZ though.
I am assuming that you understand InterNIC or Network Solutions have to do something to allow this to happen. If not, please ask.
0
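The split DNS that ZabagaR and magicomminc describe above (one answer for LAN clients, another for Internet clients, for the same name) can be shown end to end with a small split-horizon resolver. This is an added example, not code from the thread or from any SonicWall or Windows DNS product: it parses a real DNS query packet, picks the "view" from the client's source address, and builds a wire-format answer with the matching A record. The addresses are constructed: 192.168.0.50 stands in for the web server's LAN address, and 203.0.113.252 (an RFC 5737 documentation address) stands in for the thread's placeholder x.x.x.252.

```python
"""Split-horizon ("split DNS") resolver using only the Python standard library.

Constructed example: the same name, www.mycompany.com, resolves to the LAN
address for clients inside 192.168.0.0/24 and to the public address for
everyone else, so LAN clients never hairpin through the firewall.
"""
import ipaddress
import socket
import struct

# Constructed data (not from the thread). 203.0.113.252 is an RFC 5737
# documentation address standing in for the thread's "x.x.x.252".
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/24")]
VIEWS = {
    "internal": {"www.mycompany.com.": "192.168.0.50"},
    "external": {"www.mycompany.com.": "203.0.113.252"},
}

A_RECORD, CLASS_IN = 1, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def select_view(client_ip: str) -> str:
    """Choose the view by the client's source address (the split-horizon decision)."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, qclass, raw_question) from a DNS query packet."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels) + ".", qtype, qclass, packet[12:pos]


def build_query(txid: int, name: str, qtype: int = A_RECORD) -> bytes:
    """Encode a standard recursive-desired query for `name` (used by clients and tests)."""
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    return pkt + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def build_response(txid: int, question: bytes, rcode: int, answer_ip=None, ttl=300) -> bytes:
    """Build an authoritative response; with answer_ip, append one A record."""
    flags = 0x8400 | rcode            # QR=1 (response), AA=1 (authoritative)
    ancount = 1 if answer_ip else 0
    resp = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question
    if answer_ip:
        # 0xC00C = compression pointer to the question name at offset 12
        resp += b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, CLASS_IN, ttl, 4)
        resp += socket.inet_aton(answer_ip)
    return resp


def answer(packet: bytes, client_ip: str) -> bytes:
    """Answer one query packet according to the view the client falls into."""
    txid, qname, qtype, qclass, question = parse_query(packet)
    records = VIEWS[select_view(client_ip)]
    key = qname.lower()
    if key not in records:
        return build_response(txid, question, RCODE_NXDOMAIN)
    if qtype != A_RECORD or qclass != CLASS_IN:
        return build_response(txid, question, RCODE_NOERROR)   # name exists, no such data
    return build_response(txid, question, RCODE_NOERROR, answer_ip=records[key])


def resolve(name: str, client_ip: str):
    """Run a query through answer() and return (rcode, ip or None)."""
    resp = answer(build_query(0x1234, name), client_ip)
    rcode = struct.unpack("!H", resp[2:4])[0] & 0x0F
    ancount = struct.unpack("!H", resp[6:8])[0]
    return rcode, (socket.inet_ntoa(resp[-4:]) if ancount else None)


def serve(bind_addr: str = "0.0.0.0", port: int = 5353) -> None:
    """Serve UDP queries; the sender's address selects the view."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (client_ip, client_port) = sock.recvfrom(512)
        try:
            sock.sendto(answer(data, client_ip), (client_ip, client_port))
        except (ValueError, IndexError):
            pass   # malformed query: drop it


if __name__ == "__main__":
    print(resolve("www.mycompany.com", "192.168.0.17"))   # LAN client -> LAN address
    print(resolve("www.mycompany.com", "198.51.100.9"))   # Internet client -> public address
```

In a real deployment the two views would live on two servers, as magicomminc suggests: the internal view on the LAN DNS server (which forwards everything it is not authoritative for to the ISP's resolver, which is what anupambairagi's setup is missing) and the external view at the ISP or a hosted DNS provider. Anything that picks a view by source address is also a reminder to keep the internal view's records off the public server, since they reveal private addressing.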
 
anupambairagi Commented:
I have the same problem.

My network configuration is
======================
External connection comes into the firewall "WatchGuard Firebox X500", then splits into LAN and DMZ.
On the DMZ my mail server and web server are there: 192.11.156.XX <=> public IP
On the LAN I have one DNS server: 192.168.0.XX

Firewall policies
===============
DMZ<=>External
Internal=>External
Internal=>DMZ

LAN (ethernet)
IP : 192.168.0.XX/24
Gateway: Firebox LAN interface IP
DNS:ISP DNS

so the problem is
=====================
If I specify the ISP DNS, then DNS resolves through the ISP and finally the loopback does not succeed, so mycompany.com will not function but all other websites will function.

If I specify the internal DNS, then only mycompany.com will function; other websites do not function.

So can I split the DNS internally and externally on the Win2k Server platform?




0
