
Re: [FW-1] Local webserver is NOT accessible from local clients using external IP



After some reading and research, I found the fix and was able to
better understand the problem.

Environment: 192.168.x.x network with a webserver. Checkpoint 4.1 SP2 on
Windows NT4 SP6. The firewall NATs a public IP to the internal IP of
the webserver. The ISP's DNS has a record for the public address and
all internal clients are using the ISP's external DNS.

The Problem: When an internal client goes to www.myserver.org, the
ISP's DNS resolves this to the external IP address. Routing takes this
packet back to the firewall where, after my NAT rule is
applied (ANY,WEB-EXT,HTTP = ORIG,WEB-INT,ORIGINAL), ONLY the packet
DESTINATION is translated to the internal IP of the webserver. The
SOURCE (which is the internal IP of the client) never gets translated.
When the webserver sends its reply, its destination address is the
internal IP of the client and its source is the internal IP of the
webserver. Since the client is expecting a reply from the external IP
of the webserver, the packet is ignored by the client machine that sent
the original request for the webpage.

Solution: The problem can be fixed by using split-horizon DNS as you
suggested or Dual NAT (translating both the source and destination of
the packet). The idea is to hide the source address behind the
firewall's IP and modify the destination IP to the internal webserver
address. RULE:
INTERNAL-NET,WEB-EXT,HTTP = FIREWALL(HIDDEN),WEB-INT,HTTP

Antonio Valles
Department of Information Technology
East Coast Migrant Head Start Project
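
The packet flow Antonio describes, modelled as an added example (not code from the mailing list or from Check Point): a static (destination-only) NAT rule beside the dual/hide NAT rule, run for an Internet client and for a LAN client. All addresses except the webserver's 192.168.3.24 are constructed, and the same-LAN shortcut (a reply to a LAN host never passes the firewall) is the assumption that makes the first case fail.

```python
"""Model of the hairpin-NAT problem from the post: a client behind the same
firewall as the webserver connects to the server's public (NATed) address."""
from typing import Callable, Dict, NamedTuple, Tuple

class Packet(NamedTuple):
    src: str
    dst: str

WEB_INT = "192.168.3.24"      # internal webserver address (from the post)
WEB_EXT = "198.51.100.24"     # constructed: public IP statically NATed to WEB_INT
FW_INT = "192.168.3.1"        # constructed: firewall's internal interface
LAN_CLIENT = "192.168.3.50"   # constructed: internal client
NET_CLIENT = "203.0.113.7"    # constructed: client out on the Internet

def static_nat(pkt: Packet) -> Packet:
    """ANY,WEB-EXT,HTTP = ORIG,WEB-INT,ORIGINAL: only the destination changes."""
    return pkt._replace(dst=WEB_INT) if pkt.dst == WEB_EXT else pkt

def dual_nat(pkt: Packet) -> Packet:
    """INTERNAL-NET,WEB-EXT,HTTP = FIREWALL(HIDDEN),WEB-INT,HTTP: hide the
    internal source behind the firewall and translate the destination."""
    if pkt.dst == WEB_EXT and pkt.src.startswith("192.168."):
        return Packet(src=FW_INT, dst=WEB_INT)
    return static_nat(pkt)   # assumed: the static rule stays for external clients

def same_lan(a: str, b: str) -> bool:
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]   # /24 assumed

def fetch(rule: Callable[[Packet], Packet], client: str) -> Tuple[Packet, bool]:
    """Send one request; return the reply as the client sees it and whether the
    client accepts it (reply source must be the address it connected to)."""
    sessions: Dict[Packet, Packet] = {}          # translated reply -> reply to restore
    request = Packet(client, WEB_EXT)            # ISP DNS answers with the public IP
    forwarded = rule(request)                    # the request always reaches the firewall
    sessions[Packet(forwarded.dst, forwarded.src)] = Packet(request.dst, request.src)
    reply = Packet(forwarded.dst, forwarded.src) # webserver swaps src/dst to answer
    # The reply only passes the firewall if it is addressed to the firewall itself
    # or to a host off the LAN; a reply to a LAN client goes directly, untouched.
    if reply.dst == FW_INT or not same_lan(reply.dst, WEB_INT):
        reply = sessions.get(reply, reply)
    return reply, (reply.src == WEB_EXT and reply.dst == client)

if __name__ == "__main__":
    for name, rule in (("static NAT", static_nat), ("dual NAT", dual_nat)):
        for who in (NET_CLIENT, LAN_CLIENT):
            print(f"{name:10s} client {who:14s} -> {fetch(rule, who)}")
```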



-----Original Message-----
From: Brad Pinkston [mailto:[email protected]]
Sent: Thursday, October 09, 2003 10:34 AM
To: Valles, Antonio
Subject: Re: [FW-1] Local webserver is NOT accessible from local clients using external IP

I was wondering if someone else more knowledgeable would reply to you.
Hated to leave you hanging. As far as I know the only solution to this is
having two DNS servers. One that is used internally, and one publicized to
the internet. I tried this once, but we have a routable /24 network inside
so we just put all our servers on that and the routing is done inside the
firewall. What type of enforcement module are you running? OS version?

Brad Pinkston
Firewall/Network Administrator
Checkpoint CCSA
Centenary College of [email protected]

----- Original Message -----
From: "Valles, Antonio" <[email protected]>
To: <[email protected]>
Sent: Tuesday, October 07, 2003 10:58 AM
Subject: [FW-1] Local webserver is NOT accessible from local clients using external IP


> I have a webserver on the local network (192.168.3.24). There is NO
> local DNS, only DNS from the ISP. I am running Checkpoint 4.1 with a
> static NAT rule for the webserver. ALL external users can get to the
> webserver, but any internal local users cannot!? From an internal
> client, I can ping the external IP, traceroute, and NSLOOKUP resolves
> fine, but when I try to bring up the website using the external IP or
> the WWW.dnsname <http://www.dnsname/>, NOTHING? The website will come
> up fine if I put the internal IP in the internal client's browser.
>
> In the Checkpoint log it looks like the request is getting to the
> internal side of the FW1 and forwarding that HTTP request to the VALID
> webserver address, then I think it just times out and returns a search
> page.
>
> Any Ideas??
>
> Antonio Valles
> Department of Information Technology
> East Coast Migrant Head Start Project
>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================