readymade asked:
Server on DMZ can't communicate with website hosted on the Internet from the LAN

From our LAN, we publish a website on the Internet. This works fine. Everybody on the Internet can access it.

We have a server on our DMZ that is completely isolated. It can only access the Internet. However, it can't reach that website. It can't reach any of the websites we've published. The firewall must be blocking it for some reason. Is it because this server on the DMZ is coming from the same source IP? Do I need to set up some kind of trust between the DMZ and the WAN interface? Does the DMZ server need a public IP?

We are using a SonicWall NSA 2400.
SOLUTION
arober11 (United Kingdom)
readymade (ASKER)

To make sure we are on the same page, I don't want the DMZ server to access the website on the LAN. I want it to access the public IP of that website.

We will be having non-employees connect to this DMZ server from the outside and then running this website. I don't want it to be able to communicate with the LAN. Just the public website.

In which case you'll need a hairpin NAT at your gateway, to route packets addressed to the LAN site's / the gateway's public IP back into the LAN if the origin is the DMZ.

See link in first post.
Seems complicated. Is there a way I can do it with an access rule, rather than entering in the routing?

If it helps, there's a video tutorial, but you will require the hairpin NAT, see: http://www.firewalls.com/videos/video/step-5-building-nat-policies.html

Looks like that would have been very helpful, but the site requires you to pay to watch.

I already have the inbound and outbound NAT policies in place. What does the loopback policy look like? Thanks.
Does this look right?

NAT policy under Network--- > NATpolicies

Original Source: Firewalled Subnets
Translated Source: public IP of server
Original Destination: public IP of server
Translated Destination: private IP of server
Original Service: services offered by server
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
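The loopback policy listed above, worked through on a toy stateful NAT gateway. This is an added example written for this page, not SonicWall code and not anything posted in the thread: the addresses, interface names and policy objects are constructed, the outbound-interface field is not modelled, and the first-match plus session-tracking behaviour is the generic stateful-NAT model, not a claim about how the NSA 2400 implements it. It goes one step beyond the thread by also running a LAN client against a destination-only variant of the policy, to show what the source translation is for.

```python
"""Toy stateful NAT gateway applying SonicWall-style NAT policies in order.
Added example, not SonicWall code or anything from the thread; every
address, interface name and policy object below is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed topology (assumed RFC 5737 / RFC 1918 addresses): the public IP
# published for the website, the LAN web server, one DMZ client, one LAN client
PUBLIC_IP = ip_address("203.0.113.10")
WEB_SERVER = ip_address("192.168.1.20")
LAN = ip_network("192.168.1.0/24")
DMZ = ip_network("10.0.0.0/24")
ANY = ip_network("0.0.0.0/0")
DMZ_CLIENT = ip_address("10.0.0.5")
LAN_CLIENT = ip_address("192.168.1.50")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int
    in_iface: str                       # interface the gateway received it on


@dataclass(frozen=True)
class NatPolicy:
    name: str
    orig_src: tuple[IPv4Network, ...]   # "Original Source" address objects
    orig_dst: IPv4Address | None        # "Original Destination", None = any
    orig_dport: int | None              # "Original Service", None = any
    xlat_src: IPv4Address | None        # "Translated Source", None = original
    xlat_dst: IPv4Address | None        # "Translated Destination", None = original
    in_iface: str | None                # "Inbound Interface", None = any

    def matches(self, p: Packet) -> bool:
        return (any(p.src in n for n in self.orig_src)
                and (self.orig_dst is None or p.dst == self.orig_dst)
                and (self.orig_dport is None or p.dport == self.orig_dport)
                and (self.in_iface is None or p.in_iface == self.in_iface))

    def apply(self, p: Packet) -> Packet:
        src = p.src if self.xlat_src is None else self.xlat_src
        dst = p.dst if self.xlat_dst is None else self.xlat_dst
        return Packet(src, dst, p.sport, p.dport, p.in_iface)


class Gateway:
    """First matching policy wins; the translation is remembered keyed by the
    reverse 5-tuple so a reply passing back through can be un-translated."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.sessions: dict[tuple, Packet] = {}

    def forward(self, p: Packet) -> tuple[Packet, str | None]:
        for pol in self.policies:
            if pol.matches(p):
                out = pol.apply(p)
                self.sessions[(out.dst, out.dport, out.src, out.sport)] = p
                return out, pol.name
        return p, None

    def reply(self, r: Packet) -> Packet | None:
        orig = self.sessions.get((r.src, r.sport, r.dst, r.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.src, orig.dport, orig.sport, r.in_iface)


# Ordinary inbound policy: only packets arriving on the WAN interface match
INBOUND = NatPolicy("inbound", (ANY,), PUBLIC_IP, 443, None, WEB_SERVER, "WAN")
# Loopback policy as listed in the thread: Firewalled Subnets -> public IP,
# destination -> private server, source -> public IP, any inbound interface
LOOPBACK = NatPolicy("loopback", (LAN, DMZ), PUBLIC_IP, 443, PUBLIC_IP, WEB_SERVER, None)
# Same policy without the source translation, for comparison
DNAT_ONLY = NatPolicy("dnat-only", (LAN, DMZ), PUBLIC_IP, 443, None, WEB_SERVER, None)


def simulate(policies, client: IPv4Address, client_iface: str) -> dict:
    """Send one SYN from client to PUBLIC_IP:443 and report what happens."""
    gw = Gateway(policies)
    syn = Packet(client, PUBLIC_IP, 40000, 443, client_iface)
    delivered, used = gw.forward(syn)
    result = {"policy": used, "server_sees_src": str(delivered.src)}
    if delivered.dst != WEB_SERVER:
        # No destination translation: the packet is routed toward the WAN,
        # addressed to the gateway's own public IP; the server never sees it.
        return {**result, "reply_ok": False, "reason": "not translated, left via WAN"}
    synack = Packet(delivered.dst, delivered.src, 443, delivered.sport, "LAN")
    if synack.dst in LAN:
        # Client is on the server's own subnet: the reply goes straight to it
        # with source WEB_SERVER instead of PUBLIC_IP, and the client drops it.
        return {**result, "reply_ok": False, "reason": "reply bypassed the gateway"}
    back = gw.reply(synack)
    ok = back is not None and back.src == PUBLIC_IP and back.dst == client
    return {**result, "reply_ok": ok,
            "reason": "reply un-translated by gateway" if ok else "no session state"}


if __name__ == "__main__":
    print("DMZ, inbound policy only:", simulate([INBOUND], DMZ_CLIENT, "DMZ"))
    print("DMZ, with loopback:      ", simulate([INBOUND, LOOPBACK], DMZ_CLIENT, "DMZ"))
    print("LAN, DNAT-only loopback: ", simulate([INBOUND, DNAT_ONLY], LAN_CLIENT, "LAN"))
    print("LAN, full loopback:      ", simulate([INBOUND, LOOPBACK], LAN_CLIENT, "LAN"))
```

Running it reproduces the symptom in the question (the DMZ packet to the public IP matches no policy, because the inbound policy is bound to the WAN interface, so it leaves toward the WAN untranslated and nothing answers), then the fix (the loopback policy rewrites the destination to the private server and the source to the public IP, and the gateway un-translates the SYN-ACK on the way back), and finally the case the source translation exists for: a client on the server's own subnet would otherwise get its SYN-ACK directly from the private address, not from the public IP it connected to, and reject it. A DMZ client behind a stateful gateway happens to work even without the source translation, which is why a policy that seems right can still be hard to verify without the debug log.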
SOLUTION
None of these worked. I tried many, many variations.

If your SonicWall has debug logging, enable it and have a look at where the requests are going.

OK, I'll try that. Do I need a switch between the server and the firewall? Currently I just have the ESXi host connected to the firewall and the DMZ VM has an IP address manually configured. It can get to the Internet and everything; I'm just wondering about the routing on the way back, after requesting the website.
ASKER CERTIFIED SOLUTION
I awarded some points for effort, but none of the answers solved my problem. I posted my solution above.