asked on Trying to Publish a Sonicwall 4000 Can not view out side of my network
I have a new SonicWall SSLVPN. I am trying to publish the website to our external IP address. 63.174.109.164 I have this behind a PIX firewall 515E.
I have set the Security policy on the PIX to allow HTTP, HTTPS, FTP from destination 63.174.109.164
Also set up a NAT rule to point 63.174.109.164 to the sonicwall internal IP 162.17.7.10.
what am i missing. all my DNS records are right on the DC associating 162.17.7.10 to SSLVPN (sonicwall name)
when i ping the external IP i get no replies. i'm guessing the firewall is blocking the pings. but still https://63.174.109.164 times out.
PIX settings
access-list out extended permit tcp any host 63.174.109.164 eq https
access-list out remark Sonicwall
access-list out extended permit tcp any host 63.174.109.164 eq www
access-list out remark Sonicwall
I have set the Security policy on the PIX to allow HTTP, HTTPS, FTP from destination 63.174.109.164
Also set up a NAT rule to point 63.174.109.164 to the sonicwall internal IP 162.17.7.10.
what am i missing. all my DNS records are right on the DC associating 162.17.7.10 to SSLVPN (sonicwall name)
when i ping the external IP i get no replies. i'm guessing the firewall is blocking the pings. but still https://63.174.109.164 times out.
PIX settings
access-list out extended permit tcp any host 63.174.109.164 eq https
access-list out remark Sonicwall
access-list out extended permit tcp any host 63.174.109.164 eq www
access-list out remark Sonicwall
Cisco
Last Comment
drewha1969
ASKER
Yes, the site works when i put https://162.17.7.10 in the browser.
when i ping from the inside i get Request Timed out.
When i ping from the outside i getPinging 63.174.109.164 with 32 bytes of data: Reply from 160.81.20.77: TTL expired in transit.
I have not tried that but i don't think it will hurt. i'll give it a shot. Do changes like this take time?
when i ping from the inside i get Request Timed out.
When i ping from the outside i getPinging 63.174.109.164 with 32 bytes of data: Reply from 160.81.20.77: TTL expired in transit.
I have not tried that but i don't think it will hurt. i'll give it a shot. Do changes like this take time?
ASKER
When i do a Tracert for one of our websites that is working i get this.
Tracing route to secure.tfsi1.com [63.174.109.171]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.10.1.1
2 * * * Request timed out.
3 9 ms 13 ms 9 ms 172.31.12.166
4 32 ms 34 ms 35 ms 216.156.116.21.ptr.us.xo.n
5 29 ms 31 ms 28 ms sl-st31-ash-0-15-2-0.sprin
.41]
6 30 ms 31 ms 32 ms sl-crs2-dc-0-13-0-0.sprint
4]
7 33 ms 32 ms 34 ms sl-crs2-rly-0-1-2-0.sprint
5]
8 34 ms 35 ms 33 ms sl-crs1-chi-0-11-5-0.sprin
89]
9 32 ms 31 ms 31 ms sl-crs3-chi-0-1-0-0.sprint
4]
10 31 ms 30 ms 32 ms sl-gw43-chi-8-0-0.sprintli
]
11 63 ms 44 ms 44 ms sl-clarcor-8-0.sprintlink.
12 45 ms 44 ms 44 ms 63.174.109.171
Trace complete.
But when i do a tracert for the new site it just keeps going... what does this mean? Is there an issue with the DNS or A-record?
Tracing route to vpn.tfsi1.com [63.174.109.164]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.10.1.1
2 * * * Request timed out.
3 10 ms 15 ms 15 ms 172.31.12.166
4 11 ms 15 ms 16 ms ge-6-10-120.car2.Detroit1.
]
5 23 ms 35 ms 17 ms ae-8-8.ebr2.Chicago1.Level
6 16 ms 22 ms 24 ms ae-2-52.edge3.Chicago3.Lev
7 18 ms 25 ms 18 ms sl-st20-chi-5-0.sprintlink
8 19 ms 22 ms 21 ms sl-crs2-chi-0-12-2-0.sprin
145]
9 22 ms 18 ms 19 ms sl-crs2-chi-0-9-0-0.sprint
8]
10 18 ms 21 ms 25 ms sl-gw43-chi-8-0-0.sprintli
]
11 27 ms 30 ms 42 ms sl-clarcor-8-0.sprintlink.
12 33 ms 31 ms 36 ms sl-gw43-chi-1-0-2-24-ts0.s
.70.249]
13 39 ms 37 ms 42 ms sl-clarcor-8-0.sprintlink.
14 40 ms 37 ms 44 ms sl-gw43-chi-1-0-2-25-ts0.s
20.77]
15 63 ms 56 ms 54 ms sl-clarcor-8-0.sprintlink.
16 56 ms 49 ms 50 ms sl-gw43-chi-1-0-2-24-ts0.s
.70.249]
17 61 ms 74 ms 66 ms sl-clarcor-8-0.sprintlink.
18 80 ms 60 ms 59 ms sl-gw43-chi-1-0-2-25-ts0.s
20.77]
19 101 ms 77 ms 74 ms sl-clarcor-8-0.sprintlink.
20 85 ms 77 ms 70 ms sl-gw43-chi-1-0-2-24-ts0.s
.70.249]
21 89 ms 85 ms 92 ms sl-clarcor-8-0.sprintlink.
22 91 ms 80 ms 87 ms sl-gw43-chi-1-0-2-25-ts0.s
20.77]
23 107 ms 107 ms 94 ms sl-clarcor-8-0.sprintlink.
24 119 ms 99 ms 102 ms sl-gw43-chi-1-0-2-25-ts0.s
20.77]
25 119 ms 120 ms 102 ms sl-clarcor-8-0.sprintlink.
26 168 ms 112 ms 110 ms sl-gw43-chi-1-0-2-25-ts0.s
20.77]
27 168 ms 114 ms 133 ms sl-clarcor-8-0.sprintlink.
28 115 ms 112 ms 121 ms sl-gw43-chi-1-0-2-24-ts0.s
.70.249]
29 125 ms 156 ms 123 ms sl-clarcor-8-0.sprintlink.
30 137 ms 129 ms 129 ms sl-gw43-chi-1-0-2-24-ts0.s
.70.249]
Trace complete.
Tracing route to secure.tfsi1.com [63.174.109.171]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.10.1.1
2 * * * Request timed out.
3 9 ms 13 ms 9 ms 172.31.12.166
4 32 ms 34 ms 35 ms 216.156.116.21.ptr.us.xo.n
5 29 ms 31 ms 28 ms sl-st31-ash-0-15-2-0.sprin
.41]
6 30 ms 31 ms 32 ms sl-crs2-dc-0-13-0-0.sprint
4]
7 33 ms 32 ms 34 ms sl-crs2-rly-0-1-2-0.sprint
5]
8 34 ms 35 ms 33 ms sl-crs1-chi-0-11-5-0.sprin
89]
9 32 ms 31 ms 31 ms sl-crs3-chi-0-1-0-0.sprint
4]
10 31 ms 30 ms 32 ms sl-gw43-chi-8-0-0.sprintli
]
11 63 ms 44 ms 44 ms sl-clarcor-8-0.sprintlink.
12 45 ms 44 ms 44 ms 63.174.109.171
Trace complete.
But when i do a tracert for the new site it just keeps going... what does this mean? Is there an issue with the DNS or A-record?
Tracing route to vpn.tfsi1.com [63.174.109.164]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.10.1.1
2 * * * Request timed out.
3 10 ms 15 ms 15 ms 172.31.12.166
4 11 ms 15 ms 16 ms ge-6-10-120.car2.Detroit1.
]
5 23 ms 35 ms 17 ms ae-8-8.ebr2.Chicago1.Level
6 16 ms 22 ms 24 ms ae-2-52.edge3.Chicago3.Lev
7 18 ms 25 ms 18 ms sl-st20-chi-5-0.sprintlink
8 19 ms 22 ms 21 ms sl-crs2-chi-0-12-2-0.sprin
145]
9 22 ms 18 ms 19 ms sl-crs2-chi-0-9-0-0.sprint
8]
10 18 ms 21 ms 25 ms sl-gw43-chi-8-0-0.sprintli
]
11 27 ms 30 ms 42 ms sl-clarcor-8-0.sprintlink.
12 33 ms 31 ms 36 ms sl-gw43-chi-1-0-2-24-ts0.s
.70.249]
13 39 ms 37 ms 42 ms sl-clarcor-8-0.sprintlink.
14 40 ms 37 ms 44 ms sl-gw43-chi-1-0-2-25-ts0.s
20.77]
15 63 ms 56 ms 54 ms sl-clarcor-8-0.sprintlink.
16 56 ms 49 ms 50 ms sl-gw43-chi-1-0-2-24-ts0.s
.70.249]
17 61 ms 74 ms 66 ms sl-clarcor-8-0.sprintlink.
18 80 ms 60 ms 59 ms sl-gw43-chi-1-0-2-25-ts0.s
20.77]
19 101 ms 77 ms 74 ms sl-clarcor-8-0.sprintlink.
20 85 ms 77 ms 70 ms sl-gw43-chi-1-0-2-24-ts0.s
.70.249]
21 89 ms 85 ms 92 ms sl-clarcor-8-0.sprintlink.
22 91 ms 80 ms 87 ms sl-gw43-chi-1-0-2-25-ts0.s
20.77]
23 107 ms 107 ms 94 ms sl-clarcor-8-0.sprintlink.
24 119 ms 99 ms 102 ms sl-gw43-chi-1-0-2-25-ts0.s
20.77]
25 119 ms 120 ms 102 ms sl-clarcor-8-0.sprintlink.
26 168 ms 112 ms 110 ms sl-gw43-chi-1-0-2-25-ts0.s
20.77]
27 168 ms 114 ms 133 ms sl-clarcor-8-0.sprintlink.
28 115 ms 112 ms 121 ms sl-gw43-chi-1-0-2-24-ts0.s
.70.249]
29 125 ms 156 ms 123 ms sl-clarcor-8-0.sprintlink.
30 137 ms 129 ms 129 ms sl-gw43-chi-1-0-2-24-ts0.s
.70.249]
Trace complete.
I misread. I thought your network was Sonicwall -> PIX -> webserver ... way off. So, ignore the suggestion about the security policy change.
It does look like something might be wrong with DNS since your tracert doesnt even come back to the right IP. Try tracert again with the IP address instead to confirm.
Try a nslookup using your ISP nameserver.
It does look like something might be wrong with DNS since your tracert doesnt even come back to the right IP. Try tracert again with the IP address instead to confirm.
Try a nslookup using your ISP nameserver.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Glad you got it figured out!
Are you pinging 63.174.109.164 from the LAN or outside?
The 63.174.109.164 is the public IP?
Have you tried changing the policy on the PIX to allow http, https and ftp from the internal IP 162.17.7.10 instead of the 63.174.109.164?