DNS setup for website redirect

By courtney ·
I have a Watchguard x700 firewall; it is not allowing internal clients to access websites on my DMZ. This is an article explaining the problem:

A caution about static-NAT

There is a limitation in the Firebox NAT implementation where clients behind the Firebox cannot access the public IP address of a statically-NATted server which is on the same Firebox.

Imagine your Firebox is configured with an external IP address and assigned the name www.mycompany.com. There are many clients behind the Firebox. These clients use an external DNS server provided by your ISP. The Firebox has a static-NAT rule that forwards incoming port 80 (HTTP) requests from the Firebox's external interface to a privately addressed Web server on the optional network.

Now a user on the trusted network decides to browse your company Web site and points his browser to http://www.mycompany.com. The ISP's external DNS server correctly resolves this name to the external IP address of the Firebox. Unfortunately, the client is never able to make the Web connection.

Workarounds to dynamic NAT outbound and static NAT inbound situations

Configure an internal caching DNS server and point internal clients to it. Create a host entry on this DNS server that resolves the name of your company web site to the internal IP address of the Web server.


It is the workaround that I am having problems with. I do not know how to set up my internal Win2K DNS server to do this. How do I set up DNS to do this?

by Greybeard770 In reply to DNS setup for website red ...

Don't NAT between your LAN and DMZ. You don't need it and it just adds overhead. Your internal DNS needs to have the real address of the server instead of the public address. I would guess you can PING the web server but just can't IExplore it.
Here is what happens. Your LAN client at 192.168.2.3 tries to go to your server at the public address of 123.1.2.3 but the firewall redirects that to 10.100.2.3 on your DMZ. Then 10.100.2.3 responds to the request but since that was not who you requested the website from, it rejects it as a security breach.
Firewalls NAT. Clients have no knowledge about having been NATed.

by courtney In reply to

Poster rated this answer.

by ChrisDent In reply to DNS setup for website red ...

Use these steps to set up a zone on your DNS server to deal with these requests:

1. Open the DNS console.
2. Right-click on Forward Lookup Zones and press New Zone...
3. Create a new primary zone called mydomain.com (which should match your public domain name).
4. Finish.
5. Right-click on mydomain.com (in the DNS console) and select New Host (A).
6. Name should be www. IP address should be the internal IP address of your web server.
7. Repeat for any other services necessary, such as ftp (for example).

And that's it. Now whenever an internal client requests an IP address for www.mydomain.com, your internal DNS server will respond with the internal IP address.

Since this DNS server is (hopefully) not the public one this will have no impact on any external user.

Hope this helps.
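ChrisDent's procedure above as a script, together with the resolution check and the missing-record caveat a practitioner would add. This is example code added here, not the poster's or WatchGuard's own; it assumes a current Windows Server with the DnsServer PowerShell module rather than the original Win2K server, and every name and address in it is constructed (reusing the ones Greybeard770 used).

```powershell
# Added example, not from the thread: ChrisDent's steps scripted for a current
# Windows DNS server (DnsServer module, Windows Server 2012 or later; the
# original Win2K box only has the DNS console and dnscmd). All names and
# addresses are constructed, reusing the ones Greybeard770 used above.
$Zone        = 'mydomain.com'   # must match the public domain name
$InternalIp  = '10.100.2.3'     # web server on the DMZ / optional network
$PublicIp    = '123.1.2.3'      # firewall external address (static-NAT target)
$IspResolver = '203.0.113.53'   # placeholder for the ISP's external DNS server

# Steps 2-4: create the internal primary zone if it does not already exist.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns"
}

# Steps 5-7: host records that point at the internal addresses.
$records = @{ 'www' = $InternalIp; 'ftp' = '10.100.2.4' }   # constructed
foreach ($name in $records.Keys) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name `
        -IPv4Address $records[$name] -TimeToLive (New-TimeSpan -Hours 1)
}

# Verification: this server must answer with the DMZ address (otherwise the
# hairpin-NAT failure described above persists), while the ISP resolver must
# still answer with the public address, so external users are unaffected.
$internal = (Resolve-DnsName -Name "www.$Zone" -Type A -Server '127.0.0.1' -DnsOnly).IPAddress
if ($internal -ne $InternalIp) {
    Write-Warning "Internal answer is $internal, expected $InternalIp"
}
$external = (Resolve-DnsName -Name "www.$Zone" -Type A -Server $IspResolver -DnsOnly).IPAddress
if ($external -ne $PublicIp) {
    Write-Warning "External answer is $external, expected $PublicIp"
}

# Caveat: the internal zone is now authoritative for the whole domain, so any
# public name not copied into it (mail, vpn, ...) stops resolving for internal
# clients. Compare the externally published names against the internal zone.
$publicNames   = @('www', 'ftp', 'mail')   # constructed list of public hosts
$internalNames = (Get-DnsServerResourceRecord -ZoneName $Zone -RRType A).HostName
$missing = $publicNames | Where-Object { $_ -notin $internalNames }
if ($missing) {
    Write-Warning ("Internal zone is missing records for: " + ($missing -join ', '))
}
```

Run it in an elevated session on the internal DNS server; the two Resolve-DnsName checks are the quickest way to confirm the split-horizon answer without touching the firewall.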

by courtney In reply to

Poster rated this answer.

by courtney In reply to DNS setup for website red ...

This question was closed by the author
