Solved

Hosting external facing website on my server and cannot view from inside the network

Posted on 2010-09-06
1,164 Views
Last Modified: 2012-05-10
Hi All
I've been staring at this stuff long enough. I've read loads of posts on loads of web sites about this or similar problems. Hopefully the experts can explain in newbie terms.

Here is my setup.

Cisco router at the perimeter, port forwarding requests to our external facing web site to a web server sitting inside the network with the "IP NAT INSIDE" command.
People out on the internet can view the pages fine.

PCs on the internal network are unable to view any web sites and get the following

The webpage "www.domain.com.au" cannot be found. DNS error occurred.
Server cannot be found. The link may be broken.

Internal domain name is domain.local
external domain is domain.com.au
It actually does not matter what the domain is. I host other domains that have no resemblance to domain.local etc. and they don't work internally.
If we ping www.domain.com.au from inside the network the correct external IP is returned.

1x web server running windows 2008 R2.
2x MS AD servers running windows 2008 R2 and DNS.

I have tried adding hosts file records, adding static DNS records, everything suggested on other sites, without any luck.

Can anyone help?

Regards
Question by:aintnoguru
17 Comments
 
LVL 6

Accepted Solution

by:
Nuttycomputer earned 500 total points
ID: 33615350
Hello,

What model Cisco Router do you have at your perimeter?
When the users type the following into the browser page from the internal network what are the results:
http:\\<public ip of web server>
http:\\<private ip of web server>

If it was a consumer based Cisco device, which I'm assuming it's not, I would state the problem is that "Filter Internet NAT Traffic" was enabled. On the higher end Cisco devices this is also known as local loopback, but it's usually a pain to try to set up and resolve. Essentially you are going to have to create a loopback interface. There is a forum discussion on this I found here, but I'll need to see if I can find some better documentation for you. (That's where your router model will come in handy.)

http://forums.whirlpool.net.au/archive/1264590

The best bet and easiest solution is to set up a zone on your internal servers, domain.com.au., with the A record of www.domain.com.au. pointing to the internal IP.
0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33615352
Edit:

The website addresses for the tests should be

http://<public ip of web server>
http://<private ip of web server>

Always manage to get my slashes backwards for some reason :)
0
 
LVL 3

Expert Comment

by:MARTiN
ID: 33615386
Hi, I've had the same problem myself on various setups/brands of routers.

I believe it's a common problem with how IP traffic is routed by the router/subnet,
like if you've been assigned a range of IP addresses by your ISP and then use one IP address to route your LAN traffic out on the internet, and the other IPs to host web servers.

You could e.g. add "www.domain.com.au" mapped to your internal IP address on your internal DNS to make it work. Then it wouldn't try to route to the external IP address and hence wouldn't hit the routing problem.

P.S. You might need to reboot or run "ipconfig /flushdns" on your client after adding the new value to your internal DNS, in case it remembers the external address in the cache.


0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33615390
Still looking for documentation but I also found this solution on experts-exchange I'm unsure if you're able to view it: http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_22138885.html
0
 
LVL 3

Expert Comment

by:MARTiN
ID: 33615394
Lol, took me too long to write the comment so "Nutty" posted first ;-)
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33615427
You need to access the internal web server directly, so you need to use the internal IP of that server or map to that IP using DNS or a HOSTS file entry. You cannot use the external IP if you are inside that network; no one can. It's not you, or your setup, or an issue with your router.

0
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33615450
I agree with MojoTech - if you create a DNS zone for the external domain on your domain controllers and add an entry for the www.domain.com.au server but point it to the internal address your problem will be resolved.
0
 

Author Comment

by:aintnoguru
ID: 33615478
G'Day Nuttycomputer

Router is a Cisco 2821 with an ADSL wic installed for DSL link.

results for http://<public ip of web server>
Firefox = Unable to contact, Firefox can't establish a connection to the server at "public IP"
IE 8 = The webpage "public IP" cannot be found, DNS error occurred. Server cannot be found. The link may be broken.

results for http://<private ip of web server>
Firefox = The webpage cannot be found, DNS error occurred. Server cannot be found. The link may be broken
IE 8 = Not Found, HTTP Error 404. The requested resource is not found.

I've created the zones as suggested in DNS and am just waiting for AD to replicate between the DNS servers. I'll update with more information when it completes.

thanks for the tip.
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33615483
Do you use host headers on your web server (if you host multiple sites)? If so, IPs will not work.
0
 
LVL 15

Expert Comment

by:Insoftservice
ID: 33615487
Hi,

Have you purchased a public IP from your ISP?
If yes, check whether your port is open, e.g. for Apache it's 80 or 8080.
0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33615544
Based upon the 404 error on the Private IP and the Unable to contact on the Public IP it's definitely the NAT problem.

Cisco 2821 can do loopback interfaces from what I'm seeing. The documentation on performing this is located here:

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/interfaces/configuration/guide/hc3loop_ps5845_Sitewide_Hidden_Full_Length_Book.html

Also known as NAT on a stick:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
http://blogs.techrepublic.com.com/networking/?p=486


As you can see it's complicated and ultimately not worth it if you have a local dedicated DNS, or if you are able to get a dedicated IP address for just that web server and your regular clients connect through an alternate one. In this case I say it's better to stick with the DNS solution you've implemented; I'm sure this will resolve your problem.

What is most frustrating is that the cheap $100 soho routers at BestBuy resolve this issue with a checkbox and the high end enterprise level routers you have to fight tooth and nail to fix it. (Assuming the particular router you drop a lot of money on can do null/loopback virtual interfaces)

0
 

Author Comment

by:aintnoguru
ID: 33615661
G'Day Guys

thanks for the feedback.

insoftservice: I do have a range of IPs. The ports are open as I can get to the websites externally.
Mojotech: yes, using host headers. I have two sites running on the one web server currently and intend to have more.
So does that mean that creating zones for each site and creating A records within those zones will not work?
Nuttycomputer: I had a look at the article for the Cisco router and understand, yet am hesitant to mess around with the router :( in case I break it and no traffic gets out.

Is a solution to this problem to install a firewall like a cisco pix or ASA and move the web sites off into their own network with a different IP than the internal corporate network?


0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33615686
"Mojotech: yes using hostheaders.  I have two sites running on the one web server currently and intend to have more.
So does that mean that creating zones for each site and creating A records within those zones will nto work?
Nuttycomputer: I had a look at the article for the cisco router and understand yet are hesitant to mess around with"

No, it just means anything you do with the IPs will not work.

All you need to do is create a zone for each site in DNS, for example:

domain1.com
domain2.com

In each zone you will need to create a Host (A) record called "www" and point it to the internal IP of your web server.

This way when you type www.domain1.com your client will poll your DNS server; it will find the zone "domain1.com" and the record for "www" and present back the correct IP. However, because the domain name is complete in your browser ("www.domain1.com"), your host headers will work and the website will load.


0
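An added example, not code from this thread or any of its posters, that checks the two things the answers above hinge on: whether the internal resolver now hands a LAN address back for the site name (the zone-per-site approach) instead of the public address that hairpins through the NAT router, and whether the web server needs the site name in the Host header, which is why the bare private IP returned a 404. Hostnames and addresses below are constructed placeholders, not the questioner's real values.

```python
import ipaddress
import http.client

# RFC 1918 ranges: an answer inside one of these means the client will talk
# to the web server directly on the LAN instead of hairpinning via the router.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample answers (placeholders, not the thread's real names/IPs):
# site1 has an internal zone on the DCs, site2 has none, site3 has no record.
CONSTRUCTED_ANSWERS = {
    "www.site1.example": ["192.168.10.20"],
    "www.site2.example": ["203.0.113.5"],
    "www.site3.example": [],
}

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def classify_answer(addresses):
    """Verdict for a LAN client given the A records its resolver returned:
    'unresolved' -> the 'DNS error occurred' page in the question
    'hairpin'    -> public address; only works with NAT-on-a-stick on the router
    'split-dns'  -> internal zone in place; the request stays on the LAN"""
    if not addresses:
        return "unresolved"
    if all(is_rfc1918(a) for a in addresses):
        return "split-dns"
    return "hairpin"

def probe_vhost(ip, host_header, port=80, timeout=3):
    """GET / from the server by IP but send the site name in the Host header,
    so a host-header (name-based) site answers rather than the 404 seen when
    the bare IP is typed. Returns the HTTP status, or None if TCP fails."""
    try:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host_header})
        status = conn.getresponse().status
        conn.close()
        return status
    except OSError:
        return None

def report(answers=CONSTRUCTED_ANSWERS):
    """Classify every name; returns {hostname: verdict}."""
    return {name: classify_answer(addrs) for name, addrs in answers.items()}
```

On a live LAN web server, comparing probe_vhost(ip, ip) with probe_vhost(ip, "www.site1.example") shows whether the server is selecting sites by host header.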
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33615701
"I had a look at the article for the cisco router and understand yet are hesitant to mess around with the router :( in case I break it and no traffic gets out."

I don't blame you. As I said, Cisco's choice to make this difficult and pretty much unsupported is frustrating, since they make it super easy on their Linksys consumer devices.

"Is a solution to this problem to install a firewall like a cisco pix or ASA and move the web sites off into their own network with a different IP than the internal corporate network?"

Yes! This will work perfectly, because then you will not have your client computers trying to resolve through the router and back through the router to reach the same network (hence the need for a loopback interface).

"I have two sites running on the one web server currently and intend to have more.
So does that mean that creating zones for each site and creating A records within those zones will nto work?"


Actually this will still work, but you will need to create a zone for each website and specify the internal IP of the web server hosting it, as I'm assuming your configuration (especially based on the error above) answers based upon the host name in the URL request (aka host headers).



If you plan on creating a lot of websites moving them to a separate network is going to be the way to go.
0
 

Author Comment

by:aintnoguru
ID: 33687077
Yeah, Nuttycomputer is right; my mistake, I missed it yesterday when going through the responses. Can you award him the points?

this is the post that had the answer 09/06/10 11:42 PM, ID: 33615350
0
