Accessing public web site from inside firewall

We've got a SonicWall firewall and a public web site on a server on the inside of the firewall.  When users on our LAN (inside) try to browse to our own public web site, they get the SonicWall administration login page.  They can bring up the web site if they point their browser directly at the web server by its internal name, but secure pages and functions don't work correctly.  I don't think it's a DNS issue because even if I point the browser at the external IP address, I get the same login page.

I've tried to figure whether I need to enter a rule or static route or something, but no luck.  What do I need to do to bring up the public web site from inside?
CoderNotITAsked:
Who is Participating?
 
bluetabCommented:
You know what, I misread what you said about ATT.  I thought they said you didn't need to take the modem out of bridge mode.  

I don't know if resetting the modem will take it out of bridge mode, even if it does you'll have to enter the correct router info.  What ATT has done for me in the past is walk me through the steps necessary to configure the modem from bridge to router mode.  I have at other times asked them to configure the modem from router to bridge mode and they have connected to it in the past.  
0
 
bluetabCommented:
Because you are using the same WAN IP for your SonicWALL and website the SW ports 80 and 443 are being redirected to the SW so that you can manage it externally.  You are going to need to setup another one of your Public IPs to map to your webserver.  Then setup two rules to forward ports 80 & 443 to the webserver.  
0
 
rsivanandanCommented:
Easy solution would be to create a A record in your DNS (if you have an internal DNS).

Say your internal domain is company.com and your public web address is www.company.com, then go to your internal dns server, create an A record for www.company.com and point it to the internal ip address. This facilitates all the internal users and external users to be using the same url but the ip used would be different based on whether you're internal or external - transparent to the user.

Cheers,
Rajesh
0
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

 
CoderNotITAuthor Commented:
I can't add an A record that way because the windows domain name and Internet domain name are not the same.  Unless I'm just not understanding.

bluetab, I do have a half-dozen public IPs I am not using, but unfortunately, they are on a different subnet.  For some reason, my ISP gave me one usable IP on one subnet and six others on a completely different subnet.  I guess I blew it when I decided to put my DSL modem in bridge mode and terminate the 1 IP on the SW WAN port.

Can the SW handle IPs from different subnets on the single WAN interface?  What can I do short of changing the publicly published IP address to use the other IPs?  I was thinking...take the DSL modem out of bridge mode, turn off NAT in the DSL modem, and get another SW and configure it for the other bank of IPs.  An I thinking right?

0
 
rsivanandanCommented:
Still you could do it. Create a new forward lookup zone for your internet domain in local dns server and add the record in that.

Cheers,
Rajesh
0
 
CoderNotITAuthor Commented:
A primary zone, secondary zone, or stub zone?  I tried all three and couldn't make it work.
0
 
bluetabCommented:
CoderNotIT, I'm assuming you have the DNS for your external domain hosted by the company you registered the domain through.  If this is the case adding an A record won't solve the problem.  

The SW can't do public IPs in different subnets on a single WAN port.  It' not uncommon for your ISP to give you two different blocks of IPs.  The idea is that the single IP will go on the WAN port of your DSL modem.  Your block of five or six will go on the LAN port of the modem.  It's a real pain when they do that.  SBC/ATT is notorious for this.  

What I would recommend doing is calling your ISP and tell them that you want to take your modem out of bridged mode so that it turns back into a router.  This will allow you to use all of your IP addresses on the inside.  Your ISP should be able to remotely connect to the modem and do this for you or at least walk you through step by step.  I've had to do this with ATT several times and it takes about an hour from the initial phone call.  The hardest part is getting through to second level support to someone that can do this for you.  

Once you take the modem out of bridged mode you can reconfigure the SW with one of the Public IPs and then use another one of the IPs to point to the server.
0
 
CoderNotITAuthor Commented:
bluetab, you are correct that the DNS for my public domain/IPs is external.  And I'm agreeing that an A record or any other kind of record I can create in my internal DNS won't solve this.

This ISP was SBC (is ATT) and that's exactly what they did.

If I do what you recommend, though, I think I'm going to have at least some disruption to my business as I will have to change the public DNS pointer to my web/mail server (not to mention the email filtering company).  I may still do this, because the disruption might be worth it, but what about my idea of taking the DSL modem out of bridge mode myself and putting another SW behind it to handle the second subnet?  (I called AT&T and they claim that there is nothing I (or they) need to do but take the modem out of bridge mode to be able to handle the second block of IPs.)  

0
 
bluetabCommented:
If you take the modem out of bridged mode and configure it as a router it's going to need to use that single IP address that is currently on the SW.  So you will have to change the WAN IP of the SW to one of the IPs on the other subnet.  (ATT is wrong, you have to take the modem out of bridged mode to use the second subnet)

Make sure you get through to ATT second tier support. Tell first tier that you need to reconfigure the router and hopefully they'll transfer you, if not you just have to keep being insistent upon it. I've had to use almost every trick in the book but when you get to second tier life is easy.

I would schedule to do this on Friday afternoon.  That way you will have the least amount of disruption as the DNS can propogate over the weekend.  
0
 
CoderNotITAuthor Commented:
bluetab, what you say makes sense --  I just want to clear up what you meant by ATT is wrong.  They said the modem needed to be taken out of bridge mode.  I think their point though was that I had to do it because when the modem is in bridge mode it has no IP to manage it with.  So if I reset it to the factory defaults and can manage to get the WAN port configured with the old single IP, then the other subnet should be able to just flow through to the SW.  When I said they said there was nothing else to do, that did not include reconfiguring the DSL modem.  Is that what you say they are wrong about?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.