Re: [FW-1] Local webserver is NOT accessible from local clients using external IP
After some reading and research, I found the fix and was able to better understand the problem.

Environment: 192.168.x.x network with a webserver. Checkpoint 4.1 SP2, Windows NT4 SP6. The firewall NATs a public IP to the internal IP of the webserver. The ISP's DNS has a record for the public address and all internal clients are using the ISP's external DNS.

The Problem: When an internal client goes to www.myserver.org, the ISP's DNS resolves this to the external IP address. Routing takes this packet back to the firewall where, after my NAT rule is applied (ANY, WEB-EXT, HTTP = ORIG, WEB-INT, ORIGINAL), ONLY the packet DESTINATION is translated to the internal IP of the webserver. The SOURCE (which is the internal IP of the client) never gets translated. When the webserver sends its reply, its destination address is the internal IP of the client and the source is the internal IP of the webserver. Since the client is expecting a reply from the external IP of the webserver, the packet is ignored by the client machine that sent the original request for the webpage.

Solution: The problem can be fixed by using split-horizon DNS as you suggested or Dual NAT (translating both the source and destination of the packet). The idea is to hide the source address behind the firewall's IP and modify the destination IP to the internal webserver address.

RULE: INTERNAL-NET, WEB-EXT, HTTP = FIREWALL(HIDDEN), WEB-INT, HTTP

Antonio Valles
Department of Information Technology
East Coast Migrant Head Start Project

-----Original Message-----
From: Brad Pinkston [mailto:[email protected]]
Sent: Thursday, October 09, 2003 10:34 AM
To: Valles, Antonio
Subject: Re: [FW-1] Local webserver is NOT accessible from local clients using external IP

I was wondering if someone else more knowledgeable would reply to you. Hated to leave you hanging. As far as I know the only solution to this is having two DNS servers: one that is used internally, and one publicized to the internet.

I tried this once, but we have a routable /24 network inside so we just put all our servers on that and the routing is done inside the firewall. What type of enforcement module are you running? OS version?

Brad Pinkston
Firewall/Network Administrator
Checkpoint CCSA
Centenary College of LA
[email protected]

----- Original Message -----
From: "Valles, Antonio" <[email protected]>
To: <[email protected]>
Sent: Tuesday, October 07, 2003 10:58 AM
Subject: [FW-1] Local webserver is NOT accessible from local clients using external IP

> I have a webserver on the local network (192.168.3.24). There is NO
> local DNS, only DNS from the ISP. I am running Checkpoint 4.1 with a
> static NAT rule for the webserver. ALL external users can get to the
> webserver, but any internal local users can not!? From an internal
> client, I can ping the external IP, traceroute, and NSLOOKUP resolves
> fine, but when I try to bring up the website using the external IP or
> the WWW.dnsname <http://www.dnsname/>, NOTHING? The website will come
> up fine if I put the internal IP in the internal client's browser.
>
> In the Checkpoint log it looks like the request is getting to the
> internal side of the FW1 and forwarding that HTTP request to the VALID
> webserver address, then I think it just times out and returns a search
> page.
>
> Any Ideas??
>
> Antonio Valles
> Department of Information Technology
> East Coast Migrant Head Start Project

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================