Solved

change WAN IP address on firewall to another IP in the block

Posted on 2013-05-17
429 Views
Last Modified: 2013-05-21
Greetings,

I had an external company add a DNS record for RDS. The IP I gave them is the first in my block (.34 - .38). The default gateway is .33. Well, the .34, which I gave for remote desktop services, is configured for my WAN entry on the firewall. When we enter the rds.domain.com or the public IP into Internet Explorer, we get the firewall. When entering either of those into an RDP client, we get the remote desktop server as expected.

Rather than change DNS, can I just change the WAN entry on the firewall to .38 without issue?

thanks
0
Question by:rpliner
49 Comments
 
LVL 7

Author Comment

by:rpliner
I went ahead and changed it to .38. Still connected.

I enter both RDS.domain.com and the .34 public IP into an RDP client and get to the remote server.

I enter either of those into IE and it fails to connect showing IE cannot display the webpage.

Any help appreciated.
0
 
LVL 7

Author Comment

by:rpliner
I changed back to .34 on the WAN and now rds.domain.com is not working from an RDP client and goes to the firewall when using the public IP in IE.
0
 
LVL 24

Expert Comment

by:smckeown777
Everything you've done so far is how it's supposed to work...not sure what you are trying to achieve?

When you enter an IP or DNS name in IE, it connects to port 80 on the far side.
RDP runs on port 3389.

Hence when you have .38 as your firewall IP and .34 is entered into an RDP client, then yes, it will go to the .34 server.
Browsing with IE to the same IP will result in you connecting to the RDP server on port 80 - so if you aren't running IIS on the RDP server then you will get a blank page...

Or did I miss something?
0
 
LVL 7

Author Comment

by:rpliner
First, thanks for responding and sorry for any confusion.

I am trying to enter rds.domain.com into an RDP client and get to my terminal server. It fails stating it can't find the computer.

When I enter the public IP address into an RDP client, I get to the terminal server. I am told that the public DNS record has been configured for some time and should work. At one point earlier, it did. I entered rds.domain.com into my RDP client and successfully connected to the terminal server. I rebooted the server and after that I couldn't connect using the aforementioned URL. No idea what I did.

I was concerned when entering the public IP .34 into IE brought me to my firewall. I then noticed it was configured in the WAN setting. However, I thought entering .34 into IE would bring me to my RemoteApps page of the remote server. I set up the SonicWall NSA220 to redirect the public .34 IP to the remote server's LAN IP, which it does, in an RDP client. I thought it would do the same for the RemoteApps connection in IE. Guess not. As you explained, different ports for IE and RDP, so different settings I have not configured on the firewall for that I guess.

I then had the brilliant idea to change the WAN IP to public .38 so going to .34 would go to the remoteApp page of my remote server when entering .34 into IE. That obviously didn't work. So I changed it back to .34 and as before when I enter the public IP,
IE brings me to my firewall,
RDP client brings me to the remote server,
but rds.domain.com does not bring me to the remote server when entered into RDP.
 

I simply wanted to enter rds.domain.com into RDP and get to the remote server, while also entering it into IE and getting to the remoteApps page of the remote server, like when I go to FQDN/RDweb of my remote server. I don't even care at this point about IE. I just need users to be able to enter rds.domain.com and get to the remote server.

thanks again.
0
 
LVL 24

Expert Comment

by:smckeown777
Ok, let's see...

When you ping rds.domain.com from external - does it return the correct public IP?
If you can currently RDP from an external client to the correct server, that means ports are set up correctly on the firewall, so it should work as long as the DNS name is resolving correctly...
0
 
LVL 7

Author Comment

by:rpliner
Ping fails to rds.domain.com.

I am doing this from my desktop in the office. The remote server is at a datacenter but we have an e-line connecting the sites. I can get to the remote server by public IP, LAN IP, and domain FQDN. Cannot get to it using rds.domain.com.

I ran a DNS test on two different websites and only a couple of servers found the IP address.

I will try from home later when I spend the night working on this to see if I can get to it externally. This may be a setting in Remote Desktop Services on 2008 R2, as opposed to a firewall issue. Not sure though.

Thanks for your help
0
 
LVL 7

Author Comment

by:rpliner
I posted this question and haven't received a response.

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_28131616.html#a39175844

Feel free to post something to give yourself extra points for helping me out with this mess.
0
 
LVL 7

Author Comment

by:rpliner
To note, I followed this to set up the firewall:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7501
0
 
LVL 24

Expert Comment

by:smckeown777
When you ping rds.domain.com and it fails - you mean you get 'Ping request could not find host...' or you get 'Request timed out'?

If you get the first, that means it's a DNS issue where you probably need to wait for DNS propagation to take place (since this is public DNS you are updating).

If you get the 2nd then I'd expect it to be working - since it's probably just blocking ping...again depends on the settings on the other end etc...
0
 
LVL 7

Author Comment

by:rpliner
Could not find host. A tech company that managed the network before I started here still deals with DNS. They confirmed a little while ago that they set it up about a month ago when I first asked them to. We already paid the invoice too. I've emailed to check things out. Waiting to hear back.

Still, I am pretty confused from being slammed today but I am 99% sure that one time, and only once, I connected through RDP using rds.domain.com. Maybe I am delirious though...

thanks
0
 
LVL 24

Expert Comment

by:smckeown777
Ok, 'could not find host' means the DNS server (your private DNS server) can't resolve the DNS name...

This could be due to a number of things.
On your client machine are you using internal DNS IPs in your primary/secondary DNS entries of the NIC? Possibly the DNS server (usually your DC) can't resolve 'domain.com'.

Run this command on the client:

nslookup rds.domain.com

Does it return IPs? If not, then your DNS server can't resolve the entry; need to see how it's configured to see why...
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 500 total points
Go to this site - http://remote.12dt.com/lookup.php

Enter your public IP - i.e. the x.x.x.34
What does it return?

If it returns rds.domain.com then on the public side everything is set up correctly.

If it doesn't - then you've an issue on the public DNS side (DNS tech company) where they haven't created a host called rds correctly...
0
 
LVL 7

Author Comment

by:rpliner
It did not return anything. Said 'can't find'.

So this got me thinking. I tried from the datacenter on my vCenter server, different DNS servers. Still replicated from the office through AD though.

Either way, I was able to get a credentials prompt to the remote server by going to rds.domain.com. Definitely looking like an internal DNS issue. I have two in the office, with both in the DHCP scope settings. I see them both on my NIC but nslookup only showed one when it ran.

Not sure what's up with that. I have been able to get to every website I have tried to get to and no one in the office has reported any issues.
0
 
LVL 7

Author Comment

by:rpliner
That website shows this:

xxx-xx-33-34.static.twtelecom.net

It does not show rds.domain.com.
0
 
LVL 24

Expert Comment

by:smckeown777
Cool, yes, looks that way, since from another machine you are working fine...

nslookup will always use the primary DNS server IP - which narrows the search down - the issue must be on that server.
0
 
LVL 24

Expert Comment

by:smckeown777
To test using your other internal DNS server from nslookup, run:

nslookup
server <other dns server ip>
rds.domain.com

Does that resolve? If yes, then the issue is on your primary DNS server.

As for the reverse lookup - that's fine, I forgot that unless you tell your ISP to create a proper reverse DNS entry then it will always resolve to your ISP's domain...in this case that's not relevant...think we've got to the stage where we know this is an internal DNS issue...
0
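The per-resolver nslookup check above, done programmatically, as an added example that is not from this thread or from either poster: a minimal DNS A-record client that asks each resolver directly over UDP/53 (what `nslookup` followed by `server <ip>` does), then reports which resolvers disagree with the majority answer, which is how a stale secondary like the one found at the end of this thread shows up. The hostname, the resolver addresses and the 203.0.113.34 answer in the sample reply are placeholders and constructed values, not data from the thread.

```python
import socket
import struct
from collections import Counter

# Placeholders (assumptions, not values from the thread): the name being
# checked and the resolvers to compare, e.g. both office DCs plus a public one.
HOSTNAME = "rds.domain.com"
RESOLVERS = ["192.0.2.10", "192.0.2.11", "8.8.8.8"]
TXID = 0x1234


def build_query(name, txid=TXID):
    """Build a recursive DNS A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg, txid=TXID):
    """Return (rcode, [IPv4 strings]) from a DNS response; rcode 3 = NXDOMAIN."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (reply to a different query)")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen  # CNAME or other record types are skipped
    return flags & 0x000F, ips


def query_server(server, name=HOSTNAME, timeout=3.0):
    """Ask one resolver directly over UDP/53 (what `nslookup` + `server <ip>` does)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        reply, _ = s.recvfrom(512)
    return parse_a_records(reply)


def find_inconsistent(results):
    """results: {server: IPs} (empty = no answer). Returns (majority, odd servers)."""
    answers = {s: frozenset(v) for s, v in results.items()}
    majority = Counter(answers.values()).most_common(1)[0][0]
    return majority, sorted(s for s, a in answers.items() if a != majority)


# Constructed reply to the query above: rcode 0, one A record (TTL 300) that
# points rds.domain.com at the documentation address 203.0.113.34.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
                   + b"\x03rds\x06domain\x03com\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xcb\x00\x71\x22")

if __name__ == "__main__":
    results = {}
    for server in RESOLVERS:
        try:
            results[server] = query_server(server)[1]
        except (OSError, ValueError):  # timeout, refused, or malformed reply
            results[server] = []
    print(find_inconsistent(results))
```

Any resolver listed in the second element of the result is the one to inspect (or to report to whoever manages the zone), since it returns something different from its peers.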
 
LVL 7

Author Comment

by:rpliner
Seems internal. The nslookup using the other DNS server resolved rds.domain.com to the correct IP.

ARGH!! All this time fiddling with the remote server and it was my DNS on my machine!

Thanks for helping - I am going to have a tequila (or three) and call it a day since I'll be back tomorrow.

Now to add some DNS issue to my list of things to do! Please look out for that question (I'll post the link here) as I'm sure I could benefit from your expertise.
0
 
LVL 24

Expert Comment

by:smckeown777
Good news...always good when you get to a resolution(forgive the pun!!)

Cool, will keep an eye out for it...
0
 
LVL 7

Author Comment

by:rpliner
ha
0
 
LVL 7

Author Comment

by:rpliner
Spoke too soon. Can't resolve from home. Tried nslookup from the remote server itself and no dice. Still works by IP though. So far nslookup has only worked once on one DNS server in the office.

thanks
0
 
LVL 24

Expert Comment

by:smckeown777
Right, you said from EXTERNAL DNS testing websites on the internet you can't see this 'rds.domain.com'.

But from 1 internal DC you can see it...

By any chance have you (or someone else) set up a static host record in the DNS console pointing to this server?

From home, if DNS propagation is working on the internet in general, you should be able to ping this host...I've never heard of DNS being 'blocked' from different countries (you mentioned a DNS testing server in France/Turkey that can locate it) but none in the US?

Go to this site - http://www.dnsqueries.com/en/dns_lookup.php

Enter in your domain name (not rds) and select 'Type' as ALL.
What is returned? Is rds listed in any of the A records from that?
0
 
LVL 7

Author Comment

by:rpliner
Correct. One DNS server in the office finds it. However, earlier today the other one found it, but couldn't yesterday. Additionally, I can no longer connect via RDP from the datacenter, but could yesterday.

I'll check DNS but I'm the only one and I'm 99% sure I didn't do anything in DNS for this server.

Can't ping the IP or RDS.domain.com from home. However, nslookup found it from home using the local cable ISP. Can't RDP though.

I used Whatsmydns.net and it displayed only a handful of servers around the world that resolved it. If you refresh the page, it changes servers and still some resolve it and some don't. Only one or two per page in the US actually resolve it.

The website you sent did not list RDS. My MX did show, and the hosted website. I had to try an A record for RDS and it did find the correct IP address.

I don't understand what's going on. One thing is that my RDS server name is remoteBR.domain.local but the external is RDS.domain.com. Shouldn't matter though. My current 2003 term server is named ts and the external is remote.domain.com. Just wanted to mention.

Thx again.
0
 
LVL 7

Author Comment

by:rpliner
Tried your website again and now it is not finding RDS.domain.com when set to all or A record.
0
 
LVL 7

Author Comment

by:rpliner
So now from home RDP connects. Pinging RDS resolves the IP but ping fails. nslookup now fails. Weird that I can't ping and nslookup fails, but ping resolves the IP and RDP connects.
0
 
LVL 24

Expert Comment

by:smckeown777
Weird...

If this was just an external issue I'd say you have a routing issue (or your ISP has) - where one minute you can connect - and the next you can't.

From home can you run

tracert <rds public ip address> - does this complete?
Run it a few times - notice if there are similar breaking points - might highlight a routing issue...

You mentioned from your LAN network you are connecting to a Datacenter? So this is at some point going over internet to this datacenter? Or are you on a VPN connection?
0
 
LVL 7

Author Comment

by:rpliner
Totally weird, and frustrating.

Tracert timed out on the same hop (#11) on nw01-ar3-xe-2-0-0-0.us.twtelecom.net [66.192.254.30]

Ran 3 times from home.

From the datacenter it times out immediately. No hops are successful. This is where the server is located so it shouldn't need to go out so not sure if anything should've shown anyway.

From the office it made one hop then failed. The one hop was again tw and was my office's default gateway.

No VPN. It's a TW e-line (point-to-point Ethernet at 50 Mb) that connects the office with the datacenter about 120 miles north.

Crazy thing is I just connected over rdp again from home. Couldn't about 30 minutes ago. It fails more than succeeds. Tried a minute later from work and couldn't.
0
 
LVL 24

Expert Comment

by:smckeown777
Ok, from those tests we can make some assumptions/conclusions...

'Tracert timed out on the same hop (#11)' - this shows consistency at least...almost like the issue is at that router where it can't find a path to the other side to complete the link.

'From datacenter times out immediately' - yes, you shouldn't see any hops (since the machine is already within the same network), but timed out? Again, if ICMP is disabled within the network this would be normal...so hard to make a conclusion from that.

'From the office it made one hop then failed. The one hop was again tw' - since this is a 'point-to-point' link that eliminates the internet from the loop, almost like it's a routing issue (on the datacenter side, since you've issues from home as well).

What else is in the datacenter? Can you test to another machine up there? That would at least tell us if the issue was on the server itself (rds), or if you are having issues connecting to other machines on the datacenter we can safely say it's network related still...

When you say datacenter - you mean a rented service you are purchasing from someone like RackSpace?
0
 
LVL 7

Author Comment

by:rpliner
To be clear, the e-line provides no Internet. Only access to the datacenter. Our Internet at the office is a 15 Mb TW circuit. So when I go to RDS.domain.com, it's over the Internet circuit, not the p2p. However, I guess when I go to RDS (local) in RDP, it connects and goes over the p2p. Also, if I enter the LAN IP it connects without issue. Lastly, regarding connecting, I always connect using the public IP (I had a couple of users test and same thing, connect with IP, not RDS.domain.com). Actually, lastly, in the office if I type RDS/RDweb in IE I get the published apps and an RDP icon on the web page. I was hoping to go to RDS.domain.com/RDweb and get the same thing over the Internet. That does not work either. IP does not work in IE for published web apps.

The datacenter is a physical location where I have my own equipment. EMC SAN, another SAN, two VMware hosts, SonicWall and switches, etc. I can connect without issue. I open a console from my vSphere client to the term server -RDS- and work on it that way. I've never lost connection between office and datacenter. I have a few consoles open to VM servers there on my desktop in the office.

Thx again for sticking with this thus far. So aggravating that it doesn't just work.
0
 
LVL 7

Author Comment

by:rpliner
Knock on wood about not losing connection. Sorry, superstitious.
0
 
LVL 24

Expert Comment

by:smckeown777
Still a bit confused by your layout...

You have an office - what is in the office (machines I mean)?
Datacenter - you have rds in this location, yes?

So from your office you access the datacenter over this 'eline' connection - which is a p2p.
So 'when I go to RDS.domain.com, it's over the Internet circuit' - this doesn't make sense in my head...or am I missing something/mistaken in understanding your site?

Break this down into simple blocks (heck, if you can attach a diagram that would be a big help; sometimes I get lost in site layouts...)
0
 
LVL 7

Author Comment

by:rpliner
I'll attach something later. Out right now but this is it.

Office - 2 VMware hosts, 2 SANs, SonicWall, current remote server and email server in office. Doc mgt system servers in office. All servers are VMs. 70 users with a mix of laptops and desktops. One TW 15 Mb Internet circuit. One cable backup Internet circuit. One TW 50 Mb p2p between office and data center. P2P is direct between sites with no Internet.

Data center - 2 VMware hosts, 2 SANs, SonicWall, etc. on a different subnet. AD integrated. 2 DCs, file server, DNS. One TW 15 Mb Internet circuit, one TW 50 Mb p2p to office. Backup Internet provided by datacenter as needed. Setting it up to run the new remote server and new Exchange server from the data center. RDS is the new remote server and is here, in the data center.

Since the p2p offers no Internet access, the office accesses the Internet over the 15 Mb TW Internet line. So when I go to RDS.domain.com, it's out through the 15 Mb Internet circuit, not direct to the RDS server over the e-line, since I am entering the external web address (RDS.domain.com). When I simply enter RDS into an RDP client in the office, it does use the e-line to connect to RDS as RDS is in the LAN, rather than going out to the Internet.

So accessing RDS.domain.com is successful over RDP within the LAN by IP or host name, and over the Internet consistently by IP and infrequently by RDS.domain.com.
0
 
LVL 7

Author Comment

by:rpliner
To be clear, within the LAN I can enter RDS or its static LAN address into RDP and connect without issue because it's over the P2P.

Entering RDS.domain.com from anywhere at all into RDP works infrequently. Entering the public IP of the RDS server always works from anywhere.

Thx again.
0
 
LVL 24

Assisted Solution

by:smckeown777
smckeown777 earned 500 total points
Great...much clearer now, thanks for that...

So at this point I think this is still a DNS issue...specifically in relation to the DNS name rds.domain.com...

Since you can always access using the IP address we know it's not a connectivity issue at least...also don't think it's a routing issue.

Quick question - I assume you need to get this working from EXTERNAL sites; reason I ask is, if you are able to access rds internally using the INTERNAL address, is this not something you can work with?

So assuming this is purely an external config you want to get working for clients on the outside, I still think it's a DNS config issue (since connecting to RDS from internal and by IP works); we still need to check with your DNS management hosting company to see what is configured/not configured correctly.

My logic here is - you can connect fine with
Internal DNS name
Internal IP
External IP

Can't connect - external DNS name (from within your site OR from external)...

For the record - you can connect fine to OTHER servers (using the external DNS name) from OUTSIDE your network? I see you have an Exchange server - is it accessible (has a public IP in your block)?
0
 
LVL 7

Author Comment

by:rpliner
Just want to say thanks again for your help with this.

Yes, the point is to use this as a means of external access, as well as internal access to published apps. Once authenticated, I see published apps internally through IE. I am unable to access these published apps through IE by going to RDS.domain.com/RDweb, externally over the Internet.

Your logic is spot on.

My exchange server is not yet up there. I have no other externally accessible servers there. At least none with a DNS record.

I'm going to contact the company that manages this for us and see what they can find.
0
 
LVL 7

Author Comment

by:rpliner
Was just able to access from home, can't from office. Crazy.
0
 
LVL 24

Expert Comment

by:smckeown777
Yep, sounds like a hard one to put an answer to...

I'd def get the DNS experts in on this to see what they can see, since DNS lookups failing on PUBLIC test sites isn't normal for sure...mind if I ask who the hosting company is?

But at the end of the day, since it's DNS related (i.e. IP always works), I think we've managed to narrow it down and now just need input from the hosts themselves to see what is up with their end...

Last way to confirm this (although I think this step is redundant really):
Create a record in your hosts file on pc (C:\Windows\System32\Drivers\etc folder)
Enter
<public ip address> rds.domain.com

Test now using that dns name - it will connect every time I would guess...and confirm that the issue is with the dns hosting side
0
 
LVL 7

Author Comment

by:rpliner
So I was going to try this from my work machine since it's working from home. As you may have guessed, it worked without needing to edit the hosts file. I mean, unbelievable. Worst thing is that I know it's not magically resolved (forgive my pun as well) so I'll wait until it doesn't work, then edit the hosts file.

Thx
0
 
LVL 24

Expert Comment

by:smckeown777
Check the tracert command again just to see that it completes all the way(now that its working)

tracert rds.domain.com...

Just to see it complete...
0
 
LVL 7

Author Comment

by:rpliner
Now it does not work from home or work. When it does again I'll run the tracert and post the results.
0
 
LVL 24

Expert Comment

by:smckeown777
Even with the host addition?
0
 
LVL 7

Author Comment

by:rpliner
No. I wanted to wait on that to capture a tracert when it works without editing hosts. I'll add it though and see what it reports back.
0
 
LVL 7

Author Comment

by:rpliner
With the hosts file edited, from home it gives an error that it can't connect to the remote computer, stating remote access is not enabled, the computer is turned off, or the computer is not available on the network when using rds.domain.com. IP still works though.

Tracert still fails at the aforementioned TW hop (.30).
0
 
LVL 24

Expert Comment

by:smckeown777
Ok this makes absolutely no sense...

You've added the entry to hosts - when you now ping rds.domain.com it resolves to the correct ip - yes?

Yet RDP will not connect using 'rds.domain.com' but it DOES connect with the public ip?

I've seen a lot in the IT world over a lot of years...this doesn't compute...

Does tracert complete if you run
tracert <public ip>
0
 
LVL 7

Author Comment

by:rpliner
Tell me about it.

Ping times out but does display the correct IP.

RDP does not connect, with the error message in the previous post, using the .com. It does connect with the public IP.

Tracert times out at Level3 Atlanta 4.69.150.77 using the public IP.

There is still the issue of public DNS resolving websites unable to find the entries for this. Also, occasionally it works.

Thx
0
 
LVL 24

Expert Comment

by:smckeown777
Ok, so the trace times out at 2 different points depending on if it's a DNS trace or a direct IP trace...again, might be something to that but not sure...

Yes the public testing sites having issues usually means this is a problem with the hosting dns records, see what they have to say first and then we might get something

The timeouts on the trace I normally say is a routing issue(on the router where things time out) but if there IS an issue with DNS hosting then that could explain that as well...

I'm off for the night now, pick this up tomorrow, hopefully you'll get an answer from someone!
0
 
LVL 7

Author Comment

by:rpliner
Have a good one. Really appreciate the help in troubleshooting this.
0
 
LVL 7

Author Comment

by:rpliner
The outside company stated there was an issue with the record propagating / caching in the secondary DNS server there. It was updated and since then we haven't had an issue connecting using rds.domain.com. Will continue to monitor over the next day or so before telling users about the new server being in production.

thanks again for sticking with this.
0
 
LVL 24

Expert Comment

by:smckeown777
Sweet...glad you got it sorted...least we were on the right path ;)
0
 
LVL 7

Author Comment

by:rpliner
Totally. Just kinda sucks that it was on their end and we spent a lot of time on it for nothing (well, I learned some stuff, so I guess it wasn't exactly for nothing).

Anyway, I will look over your posts and award points in a manner that may help someone else get to the troubleshooting steps you mentioned.

thanks again
0
