Solved

Accessing web server using external IP address from inside the LAN where the web server resides

Posted on 2008-09-30
764 Views
Last Modified: 2012-06-27
Have a Netgear ProSafe firewall. Have Linux web server behind firewall. No DNS setup. Only port 80 and port 5000 open on firewall. When someone inside the firewall types in the external IP address they reach the firewall logon and not the web site. If they type in the INTERNAL IP address of the web server it works fine. If someone OUTSIDE the firewall types in the EXTERNAL IP address it works fine. The firewall has NAT set up. The firewall redirects all incoming port 80 requests to the internal 192.168.0.xxx web server address. We currently do not have the domain URL pointing to the external IP address as this is a new site and the URL still points to the old site. We want to test before redirecting the URL to the new IP (external) address.
I have solved this issue before WITHOUT use of DNS with some kind of internet NAT filter redirection (or something like that) on a 3Com firewall, but don't remember what and don't know how to do it on a Netgear ProSafe.
Question by:donwinchell
8 Comments
 
LVL 32

Expert Comment

by:harbor235

If it were an enterprise class firewall you would not have this problem. I am not sure if the Netgear is capable, never looked though.

harbor235 ;}
 

Author Comment

by:donwinchell
Response, not solution (I am new to this Experts Exchange).
Netgear certainly advertises this as if it was of enterprise class. The 3Com I did this on cost $1000, but that was over 5 years ago. It would help to actually understand the logic of why this is happening and what a firewall solution would do. I think I get how the DNS would work: if it is an internal DNS and is listed as the first DNS, then when the actual domain name is entered, it sees it and directs it to the INTERNAL address. But even in this case I don't know if that is the best solution; this just has to be one of the most common issues that every small network hosting their own site comes up with.
 
LVL 32

Expert Comment

by:harbor235
Good luck,

harbor235 ;}
 
LVL 79

Accepted Solution

by:lrmoore (earned 50 total points)
This is a hazard of using external public DNS servers with internal hosts. The "best" solution is to use an internal DNS server that resolves to the private IP address. Done.
Some routers will, some won't. $50 Linksys works fine, $25,000 Cisco won't work. Cisco ASA works, Cisco PIX works, but not all firewalls work.
It has everything to do with how the device handles NAT and "inside" vs "outside" interfaces and the order of processing. Most firewalls/routers do source NATting as a packet goes from inside to outside, and static destination NATting only as a packet travels from outside to inside. Packets must actually pass "through" the requisite interfaces.
If a packet originates from inside, destined for the public IP, and the router/firewall has a static from public back to private, then the source never gets changed. Even if the packet makes it to the server, the source is "private", which is on the same LAN as the server. The server responds to this host, but the host is expecting a response from the public IP and drops the packet.
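As an added illustration of the processing order described in the accepted solution (my own toy model, not code from the thread, from Netgear or from Cisco; every address is constructed, with TEST-NET-3 standing in for the public IP), the three cases side by side: the firewall answering its own login page, destination NAT without source NAT (the server replies directly and the client drops it), and hairpin NAT where the source is rewritten too so the reply returns through the firewall:

```python
"""Toy model of inside-to-public-IP traffic through a NAT firewall.
Added example; addresses are constructed (TEST-NET-3 for the public IP)."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"   # firewall WAN address
FW_LAN_IP = "192.168.0.1"    # firewall LAN address
SERVER_IP = "192.168.0.20"   # Linux web server behind the firewall
CLIENT_IP = "192.168.0.50"   # workstation on the same LAN as the server

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def same_lan(a, b):
    """True when both addresses sit in the same /24 (good enough here)."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]

def firewall_inbound(pkt, mode):
    """Handle a packet addressed to PUBLIC_IP:80. mode is one of
    'none' (LAN-side hits reach the box itself), 'dnat_only', 'hairpin'."""
    if mode == "none" and same_lan(pkt.src, FW_LAN_IP):
        return "firewall login page"          # the symptom in the question
    fwd = replace(pkt, dst=SERVER_IP)         # static DNAT :80 -> server
    if mode == "hairpin" and same_lan(pkt.src, FW_LAN_IP):
        fwd = replace(fwd, src=FW_LAN_IP)     # SNAT too, so replies return
    return fwd

def web_request(client_ip, mode):
    """Client sends to PUBLIC_IP:80; report what the client ends up with."""
    fwd = firewall_inbound(Packet(client_ip, PUBLIC_IP, 80), mode)
    if isinstance(fwd, str):
        return fwd
    reply = Packet(SERVER_IP, fwd.src, 0)     # server answers the src it saw
    if same_lan(reply.dst, SERVER_IP) and reply.dst != FW_LAN_IP:
        # Same subnet: the reply skips the firewall, so nothing restores the
        # public source; the client is waiting on PUBLIC_IP and discards it.
        return f"reply from {reply.src} dropped (expected {PUBLIC_IP})"
    # Reply passed back through the firewall, which undoes the translations.
    reply = replace(reply, src=PUBLIC_IP, dst=client_ip)
    return f"reply from {reply.src} accepted"

if __name__ == "__main__":
    for mode in ("none", "dnat_only", "hairpin"):
        print(f"inside client, {mode:9}: {web_request(CLIENT_IP, mode)}")
    print(f"outside client       : {web_request('198.51.100.7', 'none')}")
```

An outside client succeeds in every mode because its reply has to cross the firewall anyway; only the inside client depends on the hairpin rule.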
 

Author Comment

by:donwinchell
Thanks for your help. How it works is beginning to make sense to me (as well as how it does not work). It looks like I will need to set up a DNS server on the Linux machine.
If I understand this correctly I set up this DNS as the FIRST DNS, then set up the 2nd and 3rd DNS as the DNS provided by my ISP. Do I set this up as simply a LOCAL DNS, i.e. not synchronizing with the internet DNS servers and just use it for local addressing?
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 50 total points
If you set up a local DNS, it will be the only DNS entry on the clients.
Your DNS server, in turn, should have the ISP's 2 DNS servers listed as forwarders, or just use root hints. I'm no Linux DNS guru, so can't help much there, but I do know how DNS works.
If you have 3 DNS servers listed in your TCP/IP properties, the first one gets queried and if you get an answer, even if the answer is "I don't know", then that is the accepted answer and the 2nd DNS server is never asked. The only time the 2nd or 3rd DNS servers ever come into play is if the 1st one does not respond at all; then the 2nd one gets a chance. If neither the 1st nor the 2nd responds (i.e. times out), then the 3rd one gets a chance.
If your DNS server gets asked for resolution of a site that it does not know about, IT forwards the request to either its listed forwarders or to the root hints. It then forwards the response to the client.
Because it caches all responses locally, it should actually speed up your internet experience.
 
LVL 3

Expert Comment

by:leonjs
I am not familiar with Netgear products but this is what I do on the Cisco ASA to overcome this issue.
On the ASA I create a static NAT/PAT where I am NATting from the inside to the outside or vice versa (doesn't really matter), using the same external IP address as the inside address and outside address, and in your case port number. So if done correctly anyone who visits the interesting IP on port 80 will be directed to the outside IP on port 80 if they were on the inside. I hope I wrote that right...