bmoffitt
asked:
Can't Access Web Server Behind DMZ with Sonicwall TZ170

I have a network setup in the following way:

WAN: Connection to internet (Sonicwall primary IP is x.x.x.251, gateway is x.x.x.254)
DMZ: Transparent range (using x.x.x.252-253)
LAN: 192.168.0.x

The problem is that computers on the LAN can't access the web server behind the DMZ. What things should I be checking for? I have two computers on the LAN NATed to public IP addresses and they can reach the DMZ fine. Do I need to define a route somehow? I don't know much about routing. Thanks for your help.
srikrishnak:

Do you have a DNS server locally to resolve the names?
How about the routing from DMZ to LAN? Have you configured it? If the SonicWall is acting as the gateway, please check that.
Do you have a rule configured on the SonicWall allowing traffic to run from the LAN to the DMZ? You can allow all traffic or just specific ports. Sounds like you do, but it doesn't hurt to ask.

I have seen cases where the SonicWall doesn't like you DNS-looping on it; what I mean is that if you're typing in the FQDN of a machine (say your web server) from the LAN, the query goes out to the internet, resolves, then comes back into your DMZ, so it's like a loop. I've seen the SonicWall have problems with that.

So maybe, as srikrishnak said, have a local DNS server resolving the names. If you don't have a local resolver for the web server, then the request will go out to the internet and back into your DMZ (which creates a DNS loopback that the SonicWall sometimes chokes on).


bmoffitt (asker):
I've set up the following route:

Source: LAN Primary Subnet
Destination: WAN Transparent Range
Service: Any
Gateway: 0.0.0.0
Interface: OPT

This doesn't seem to be working.

The SonicWALL is allowing all traffic from the LAN to the DMZ.

Yes, a local DNS server is set up. When the website is requested, the DNS server replies with the WAN address of the server, even though it is also accessible through the LAN. How can I have the DNS server reply with the LAN address of the server for computers on the LAN and with the WAN address for computers on the Internet? I used to have it reply with both addresses, but computers that are on a 192.168.0.x subnet could misinterpret this and use that address instead of the x.x.x.252-253. This could be fixed through DNS instead of the SonicWALL, I would guess.
How I configured my SonicWall was: (I guess it's more of a DNS config at this point!)

Let's say I have a web server named DELL1 in the DMZ with an IP of 151.10.2.1.
I also have assigned a LAN address to the machine named DELL1 with an address of 192.168.1.101.

So on my DNS server on the LAN I have a zone file called "mycompany.com".
I have a "www" A record in the zone pointing to the IP 192.168.1.101.

So, internally, when clients go to http://www.mycompany.com, it is resolved locally to 192.168.1.101. The firewall does not handle the request as a result.

OUTSIDE the company, on the external DNS servers, it's a similar DNS setup, but the "www" record points to the external 151.10.2.1 address.

This prevents the DNS loopback, which I have seen cause problems with some SonicWalls (depends on firmware revision too).
Good explanation there. Rather, I just mentioned the DNS issue. I don't think it's an issue with the SonicWall but with many setups. A small tech issue :)



The problem is that the DNS server (for external and internal queries) and the web server are the same computer and thus reside in the DMZ.  Any thoughts?
ASKER CERTIFIED SOLUTION
magicomminc

I have the same problem.

My network configuration is:
======================
The external connection comes into the firewall (WatchGuard Firebox X500), then splits into LAN and DMZ.
On the DMZ my mail server and web server are there: 192.11.156.XX <=> public IP.
On the LAN I have one DNS server, 192.168.0.XX.

Firewall policies
===============
DMZ<=>External
Internal=>External
Internal=>DMZ

LAN (ethernet)
IP: 192.168.0.XX/24
Gateway: Firebox LAN interface IP
DNS: ISP DNS

So the problem is:
=====================
If I specify the ISP DNS, then DNS resolves through the ISP and finally the loopback does not succeed, so mycompany.com will not function, but all other websites will function.

If I specify the internal DNS, then only mycompany.com will function and other websites do not function.

So can I split the DNS internally and externally on the Win2k Server platform?
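The split-horizon setup described in the earlier "How I configured my SonicWall" post, applied to the Windows 2000 DNS platform the last poster asks about, as an added example that is not part of the thread or any poster's configuration. Windows 2000 DNS has no BIND-style views, so the split is made by hosting a separate internal copy of the zone on the LAN DNS server (answering with private addresses) and forwarding every other name to the ISP resolvers; the public copy of the zone, pointing www at 151.10.2.1, stays on the external DNS server untouched. The internal DNS server address, the ISP resolver addresses, the mail host and its address are assumptions; dnscmd.exe comes from the Windows 2000 Support Tools.

```batch
@echo off
rem Added example, not from the thread. Assumed values: internal DNS server
rem 192.168.0.10, ISP resolvers 203.0.113.1 and 203.0.113.2, mail host
rem 192.168.1.102. The zone name and the www LAN address 192.168.1.101 are
rem the ones used in the thread. Run on (or against) the LAN DNS server.

set INTERNAL_DNS=192.168.0.10
set ZONE=mycompany.com
set ISP_DNS=203.0.113.1 203.0.113.2

rem 1. Internal primary copy of the zone. Only LAN clients ever ask this
rem    server, so it can differ from the public zone without conflict.
dnscmd %INTERNAL_DNS% /ZoneAdd %ZONE% /Primary /file %ZONE%.dns

rem 2. Records answer with the private (LAN-side) addresses of the DMZ hosts,
rem    so LAN traffic never hairpins through the firewall's public IP.
dnscmd %INTERNAL_DNS% /RecordAdd %ZONE% www  A  192.168.1.101
dnscmd %INTERNAL_DNS% /RecordAdd %ZONE% mail A  192.168.1.102
dnscmd %INTERNAL_DNS% /RecordAdd %ZONE% @    MX 10 mail.%ZONE%.

rem 3. Names outside the internal zone are forwarded to the ISP, which is
rem    what makes "all other websites" work once clients use this server.
dnscmd %INTERNAL_DNS% /ResetForwarders %ISP_DNS%

rem 4. Check the split: the same name gives a private answer from the LAN
rem    server and the public answer from an outside resolver.
nslookup www.%ZONE% %INTERNAL_DNS%
nslookup www.%ZONE% 203.0.113.1
```

For this to take effect, LAN clients must list the internal server as their only DNS server (not the ISP's, as in the posted LAN settings), otherwise a client that happens to query the ISP first still gets the public address and loops back through the firewall. The internal zone also has to carry every record LAN clients need for mycompany.com, since the internal server is authoritative for it and will not fall through to the public copy for missing names.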