accessing web server using external IP address from inside the lan where the web server resides

Have a Netgear ProSafe firewall. Have a Linux web server behind the firewall. No DNS set up. Only port 80 and port 5000 are open on the firewall. When someone inside the firewall types in the external IP address they reach the firewall logon and not the web site. If they type in the INTERNAL IP address of the web server it works fine. If someone OUTSIDE the firewall types in the EXTERNAL IP address it works fine. The firewall has NAT set up. The firewall redirects all incoming port 80 requests to the internal 192.168.0.xxx web server address. We currently do not have the domain URL pointing to the external IP address, as this is a new site and the URL still points to the old site. We want to test before redirecting the URL to the new IP (external) address.
I have solved this issue before WITHOUT the use of DNS, with some kind of internet NAT filter redirection (or something like that) on a 3Com firewall, but I don't remember what and don't know how to do it on a Netgear ProSafe.
donwinchell asked:
lrmoore commented:
This is a hazard of using external public DNS servers with internal hosts. The "best" solution is to use an internal DNS server that resolves to the private IP address. Done.
Some routers will, some won't. A $50 Linksys works fine, a $25,000 Cisco won't work. Cisco ASA works, Cisco PIX works, but not all firewalls work.
It has everything to do with how the device handles NAT and "inside" vs "outside" interfaces and the order of processing. Most firewalls/routers do source NATting as a packet goes from inside to outside, and static destination NATting only as a packet travels from outside to inside. Packets must actually pass "through" the requisite interfaces.
If a packet originates from inside, destined for the public IP, and the router/firewall has a static from public back to private, then the source never gets changed. Even if the packet makes it to the server, the source is "private", which is on the same LAN as the server. The server responds to this host, but the host is expecting a response from the public IP and drops the packet.
0
 
harbor235 commented:
If it were an enterprise-class firewall you would not have this problem. I am not sure if the Netgear is capable, never looked though.

harbor235 ;}
0
 
donwinchell (author) commented:
Response, not solution (I am new to this Experts Exchange).
Netgear certainly advertises this as if it were of enterprise class. The 3Com I did this on cost $1000, but that was over 5 years ago. It would help to actually understand the logic of why this is happening and what a firewall solution would do. I think I get how the DNS would work: if it is an internal DNS and is listed as the first DNS, then when the actual domain name is entered, it sees it and directs it to the INTERNAL address. But even in this case I don't know if that is the best solution. This just has to be one of the most common issues that every small network hosting its own site comes up with.
0
harbor235 commented:
Good luck,

harbor235 ;}
0
 
donwinchell (author) commented:
Thanks for your help. How it works is beginning to make sense to me (as well as how it does not work). It looks like I will need to set up a DNS server on the Linux machine.
If I understand this correctly, I set up this DNS as the FIRST DNS, then set up the 2nd and 3rd DNS as the DNS provided by my ISP. Do I set this up as simply a LOCAL DNS, i.e. not synchronizing with the internet DNS servers and just using it for local addressing?
0
 
lrmoore commented:
If you set up a local DNS, it will be the only DNS entry on the clients.
Your DNS server, in turn, should have the ISP's 2 DNS servers listed as forwarders, or just use root hints. I'm no Linux DNS guru, so I can't help much there, but I do know how DNS works.
If you have 3 DNS servers listed in your TCP/IP properties, the first one gets queried, and if you get an answer, even if the answer is "I don't know", then that is the accepted answer and the 2nd DNS server is never asked. The only time the second or 3rd DNS servers ever come into play is if the 1st one does not respond at all; then the 2nd one gets a chance. If neither the 1st nor the 2nd responds (i.e. times out), then the 3rd one gets a chance.
If your DNS server gets asked for resolution of a site that it does not know about, IT forwards the request to either its listed forwarders or to the root hints. It then forwards the response to the client.
Because it caches all responses locally, it should actually speed up your internet experience.
0
 
leonjs commented:
I am not familiar with Netgear products, but this is what I do on the Cisco ASA to overcome this issue.
On the ASA I create a static NAT/PAT where I am NATting from the inside to the outside, or vice versa, it doesn't really matter, using the same external IP address as the inside address and outside address and, in your case, port number. So if done correctly, anyone who visits the interesting IP on port 80 will be directed to the outside IP on port 80 if they were on the inside. I hope I wrote that right.
0
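The packet-flow reasoning lrmoore gives above (no DNAT on the inside interface; or DNAT without source NAT, so the server answers the client directly and the client drops the reply) and leonjs's fix (a static that also rewrites the source to the firewall's own address) can be traced with a small model. This is an added illustration, not code from any of the posts; all addresses and the three mode names are constructed.

```python
# Packet-flow model of the "hairpin NAT" behaviour discussed in this thread.
# Added illustration, not from the original posts; every address below is constructed.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"    # constructed: the firewall's external address
SERVER_IP = "192.168.0.20"    # constructed: the internal web server
LAN_CLIENT = "192.168.0.50"   # constructed: a browser on the LAN
NET_CLIENT = "198.51.100.7"   # constructed: a browser out on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def server_reply(req: Packet) -> Packet:
    """The web server answers whatever source address it saw in the request."""
    return Packet(src=SERVER_IP, dst=req.src)


def client_accepts(sent: Packet, reply: Packet) -> bool:
    """A TCP client only matches a reply whose source is the address it connected to."""
    return reply.src == sent.dst


def browse_from_internet() -> str:
    sent = Packet(NET_CLIENT, PUBLIC_IP)
    # outside -> inside: static destination NAT rewrites the public IP to the server
    req = Packet(sent.src, SERVER_IP)
    reply = server_reply(req)
    # the reply leaves through the firewall, which undoes the DNAT on the source
    reply = Packet(PUBLIC_IP, reply.dst)
    return "web site" if client_accepts(sent, reply) else "reply dropped (wrong source)"


def browse_from_lan(mode: str) -> str:
    """mode: 'no_hairpin' - DNAT only on the outside interface (the asker's symptom)
             'dnat_only'  - DNAT applied to inside traffic, source left private
             'dnat_snat'  - DNAT plus source NAT to the firewall's IP (leonjs's static)"""
    sent = Packet(LAN_CLIENT, PUBLIC_IP)
    if mode == "no_hairpin":
        return "firewall login page"   # the packet never crosses the outside interface
    req = Packet(PUBLIC_IP if mode == "dnat_snat" else LAN_CLIENT, SERVER_IP)
    reply = server_reply(req)
    if reply.dst == PUBLIC_IP:
        # the reply returns via the firewall, which reverses both translations
        reply = Packet(PUBLIC_IP, LAN_CLIENT)
    # otherwise the server answers the client directly on the LAN, bypassing the firewall
    return "web site" if client_accepts(sent, reply) else "reply dropped (wrong source)"
```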