Solved

Accessing public web site from inside firewall

Posted on 2007-07-30
Last Modified: 2013-11-16
We've got a SonicWall firewall and a public web site on a server on the inside of the firewall.  When users on our LAN (inside) try to browse to our own public web site, they get the SonicWall administration login page.  They can bring up the web site if they point their browser directly at the web server by its internal name, but secure pages and functions don't work correctly.  I don't think it's a DNS issue because even if I point the browser at the external IP address, I get the same login page.

I've tried to figure out whether I need to enter a rule or static route or something, but no luck.  What do I need to do to bring up the public web site from inside?
Question by:CoderNotIT
10 Comments
Expert Comment

by:bluetab
ID: 19598012
Because you are using the same WAN IP for your SonicWALL and website, the SW ports 80 and 443 are being redirected to the SW so that you can manage it externally.  You are going to need to set up another one of your Public IPs to map to your webserver.  Then set up two rules to forward ports 80 & 443 to the webserver.
Expert Comment

by:rsivanandan
ID: 19600094
Easy solution would be to create an A record in your DNS (if you have an internal DNS).

Say your internal domain is company.com and your public web address is www.company.com, then go to your internal dns server, create an A record for www.company.com and point it to the internal ip address. This facilitates all the internal users and external users to be using the same url but the ip used would be different based on whether you're internal or external - transparent to the user.

Cheers,
Rajesh
Author Comment

by:CoderNotIT
ID: 19605539
I can't add an A record that way because the windows domain name and Internet domain name are not the same.  Unless I'm just not understanding.

bluetab, I do have a half-dozen public IPs I am not using, but unfortunately, they are on a different subnet.  For some reason, my ISP gave me one usable IP on one subnet and six others on a completely different subnet.  I guess I blew it when I decided to put my DSL modem in bridge mode and terminate the 1 IP on the SW WAN port.

Can the SW handle IPs from different subnets on the single WAN interface?  What can I do short of changing the publicly published IP address to use the other IPs?  I was thinking...take the DSL modem out of bridge mode, turn off NAT in the DSL modem, and get another SW and configure it for the other bank of IPs.  Am I thinking right?

Expert Comment

by:rsivanandan
ID: 19605911
Still you could do it. Create a new forward lookup zone for your internet domain in local dns server and add the record in that.

Cheers,
Rajesh
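A worked version of the split-horizon DNS setup Rajesh describes above (an added example, not code from the thread or from SonicWALL): an internal forward lookup zone for the public domain name, with www pointed at the web server's LAN address. It assumes Windows Server DNS with the DnsServer PowerShell module, the placeholder domain company.com from the thread, a LAN address of 192.168.1.10 for the web server, and the hostnames mail and ftp as the rest of the public zone; all of those are assumptions. Because the browser keeps using the public hostname, traffic goes straight to the server and never hits the firewall's management page, and the site's certificate name still matches. The check at step 3 is the one to keep: once the internal server is authoritative for company.com, any public name you do not copy into it stops resolving for LAN users.

```powershell
# Split-horizon DNS for a public site hosted behind the firewall.
# Assumptions (not from the thread): Windows Server DNS, DnsServer module,
# placeholder domain company.com, web server LAN address 192.168.1.10.
$Domain         = "company.com"     # public domain name (placeholder)
$InternalWebIp  = "192.168.1.10"    # assumed LAN address of the web server
$PublicResolver = "8.8.8.8"         # any external resolver, used only to read public records

# 1. Create an internal, AD-integrated zone that shadows the public zone.
#    Dynamic updates are disabled so workstations cannot register names into it.
if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Domain -ReplicationScope "Domain" -DynamicUpdate "None"
}

# 2. Point www at the web server's LAN address instead of the public IP.
Add-DnsServerResourceRecordA -ZoneName $Domain -Name "www" -IPv4Address $InternalWebIp

# 3. Mirror the other public hosts. The internal zone is now authoritative for
#    everything under $Domain, so any name missing here fails to resolve on the LAN.
foreach ($name in @("mail", "ftp")) {    # assumed list of remaining public hosts
    $answers = Resolve-DnsName -Name "$name.$Domain" -Server $PublicResolver -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq "A" }
    foreach ($rr in $answers) {
        Add-DnsServerResourceRecordA -ZoneName $Domain -Name $name -IPv4Address $rr.IPAddress
    }
}

# 4. Verify from the DNS server itself: www must now answer with the LAN address,
#    and a mirrored public host must still resolve.
Resolve-DnsName -Name "www.$Domain"  -Server "127.0.0.1" -Type A
Resolve-DnsName -Name "mail.$Domain" -Server "127.0.0.1" -Type A
```

Run this on the internal DNS server as an administrator, then clear the client resolver cache (ipconfig /flushdns) before testing from a workstation. Records the public zone carries that are not A records (MX, TXT for SPF, CNAME) need the same mirroring by hand; step 3 only copies A records.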
Author Comment

by:CoderNotIT
ID: 19606232
A primary zone, secondary zone, or stub zone?  I tried all three and couldn't make it work.
Expert Comment

by:bluetab
ID: 19606248
CoderNotIT, I'm assuming you have the DNS for your external domain hosted by the company you registered the domain through.  If this is the case adding an A record won't solve the problem.  

The SW can't do public IPs in different subnets on a single WAN port.  It's not uncommon for your ISP to give you two different blocks of IPs.  The idea is that the single IP will go on the WAN port of your DSL modem.  Your block of five or six will go on the LAN port of the modem.  It's a real pain when they do that.  SBC/ATT is notorious for this.

What I would recommend doing is calling your ISP and tell them that you want to take your modem out of bridged mode so that it turns back into a router.  This will allow you to use all of your IP addresses on the inside.  Your ISP should be able to remotely connect to the modem and do this for you or at least walk you through step by step.  I've had to do this with ATT several times and it takes about an hour from the initial phone call.  The hardest part is getting through to second level support to someone that can do this for you.  

Once you take the modem out of bridged mode you can reconfigure the SW with one of the Public IPs and then use another one of the IPs to point to the server.
Author Comment

by:CoderNotIT
ID: 19606309
bluetab, you are correct that the DNS for my public domain/IPs is external.  And I'm agreeing that an A record or any other kind of record I can create in my internal DNS won't solve this.

This ISP was SBC (is ATT) and that's exactly what they did.

If I do what you recommend, though, I think I'm going to have at least some disruption to my business as I will have to change the public DNS pointer to my web/mail server (not to mention the email filtering company).  I may still do this, because the disruption might be worth it, but what about my idea of taking the DSL modem out of bridge mode myself and putting another SW behind it to handle the second subnet?  (I called AT&T and they claim that there is nothing I (or they) need to do but take the modem out of bridge mode to be able to handle the second block of IPs.)  

Expert Comment

by:bluetab
ID: 19606369
If you take the modem out of bridged mode and configure it as a router it's going to need to use that single IP address that is currently on the SW.  So you will have to change the WAN IP of the SW to one of the IPs on the other subnet.  (ATT is wrong, you have to take the modem out of bridged mode to use the second subnet)

Make sure you get through to ATT second tier support. Tell first tier that you need to reconfigure the router and hopefully they'll transfer you, if not you just have to keep being insistent upon it. I've had to use almost every trick in the book but when you get to second tier life is easy.

I would schedule to do this on Friday afternoon.  That way you will have the least amount of disruption as the DNS can propagate over the weekend.
Author Comment

by:CoderNotIT
ID: 19613949
bluetab, what you say makes sense --  I just want to clear up what you meant by ATT is wrong.  They said the modem needed to be taken out of bridge mode.  I think their point though was that I had to do it because when the modem is in bridge mode it has no IP to manage it with.  So if I reset it to the factory defaults and can manage to get the WAN port configured with the old single IP, then the other subnet should be able to just flow through to the SW.  When I said they said there was nothing else to do, that did not include reconfiguring the DSL modem.  Is that what you say they are wrong about?
Accepted Solution

by:bluetab (earned 1000 total points)
ID: 19614527
You know what, I misread what you said about ATT.  I thought they said you didn't need to take the modem out of bridge mode.  

I don't know if resetting the modem will take it out of bridge mode, even if it does you'll have to enter the correct router info.  What ATT has done for me in the past is walk me through the steps necessary to configure the modem from bridge to router mode.  I have at other times asked them to configure the modem from router to bridge mode and they have connected to it in the past.  