Watchguard x700 and Win2K DNS

By courtney ·
I have a Watchguard x700 firewall and it has a trusted port and a DMZ port. The websites are on the optional (DMZ) port. The websites can be viewed from the outside (www.crestpt.com) but not inside. Watchguard says I have to set up my DNS server for that. So how do I do this? Make an FQDN name go to 10.0.0.5?

by Curacao_Dejavu In reply to Watchguard x700 and Win2K ...

Hi

What I have successfully done is to put the webserver (and other services, remote, terminal server) behind the firewall.

Give the webserver an internal IP only (I guess 10.0.0.5 from your post) and forward port 80 on your Watchguard to 10.0.0.5.

Now at name-services.com (where you registered the domain) you have to point the www entry to the IP of the Watchguard, and the Watchguard will forward the requests to 10.0.0.5.

The external clients will resolve the website by the www entry and your internal clients by the 10.0.0.5 entry.

In addition you can create in your DNS server another entry for your internal users to use instead of the IP 10.0.0.5.

success

Leopold

by courtney In reply to

I have done all that so far. Just confused on the DNS setup as I cannot add www.crestpt.com to 10.0.0.5 or I do not know how to do it. I have 2 websites on that side.

by Curacao_Dejavu In reply to Watchguard x700 and Win2K ...

Re: The websites are on the optional (DMZ) port.

They have to be on the "LAN" site.

Obviously you cannot have two www entries with the same name. You will confuse the system if it has one with the external IP and one with the internal IP.

To reach the website from within the LAN, first try to connect with the internal IP address. When that works you can create a DNS entry (not www) for the internal users to use.

Leopold

by courtney In reply to

Ok, sorry I should have explained. All clients on the trusted port can ping the 2 websites on the DMZ, and get to the site by putting the IP address in the URL, but they need to use the FQDN b/c of SSL. So I guess my question is how do I set up my DNS server to do this for me?

by voldar In reply to Watchguard x700 and Win2K ...

By FQDN you mean: website.computername.domainname or www.website.com? You should try to add another A record named www and point it to 10.0.0.5, or if you already have a www A record in your DNS forward lookup zone, you can use www1, why not? And the users will access the site by using www1.website.com.
Or, you can create another forward lookup zone. Do the following:
- Create one more zone in your DNS. Call it site1.com
- Create a Canonical record in the new site zone (site1.com). Say... www, and use webserver AS THE REAL HOST for this canonical record; I mean... www must point to webserver.domainname.com (that is in the domainname.com zone)

Hope it helps!

by courtney In reply to

I tried both of these things and it didn't work. I do not know why. If I ping the website name or the IP address of the website, I get a response, but when I put it in the URL block of IE it doesn't work. I just got this new firewall and don't understand why this is happening.

by voldar In reply to Watchguard x700 and Win2K ...

You have your Internet site, you say, that has a problem being accessed from the LAN. Try to put the name and the port in the IE block, like: www.site.com:80 and see what you get. Try port 8080 also. Maybe port 80 is blocked on your LAN side of the firewall. Or the DNS is not able to solve a query from your LAN. Check what you get when doing

nslookup www.site.com

Let me know, if you like.

by voldar In reply to

And also, check the box in the IE options, where it says: Bypass proxy for internal addresses (in the Connection settings >> LAN settings).

by courtney In reply to

Thank you for helping, it still didn't work though. :80 or :8080 did not work, there is a statement saying allow anything between the 2 LANs, I tried the IE setting too, nothing.

I did the nslookup of my site and this is what I get:

H>nslookup www.crestpt.com
Server: zues.cps.com
Address: 192.168.0.5 (the AD and DNS internal server)

Non-authoritative answer:
Name: www.crestpt.com
Address: 66.7.246.232
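
One way to read the nslookup output above, as an added example that is not part of the original posts: it separates the resolver block from the answer block and reports whether the internal DNS server answered from a zone it hosts or passed along the public address. The function names are hypothetical, and the sample input is constructed from the output in the thread.

```python
import ipaddress
import re

# Constructed from the nslookup output posted in the thread (annotation removed).
THREAD_OUTPUT = """Server: zues.cps.com
Address: 192.168.0.5

Non-authoritative answer:
Name: www.crestpt.com
Address: 66.7.246.232
"""
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_nslookup(text):
    """Split nslookup output into the resolver block and the answer block."""
    info = {"resolver": None, "name": None, "answers": [], "authoritative": True}
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("non-authoritative answer"):
            info["authoritative"] = False  # AA bit not set: cache or forwarder
        elif line.startswith("Name:"):
            info["name"] = line.split(":", 1)[1].strip()
            in_answer = True
        elif in_answer:
            # "Address:", "Addresses:" and bare continuation lines land here.
            info["answers"] += [ipaddress.ip_address(a) for a in IP_RE.findall(line)]
        elif line.startswith("Address:") and IP_RE.search(line):
            info["resolver"] = ipaddress.ip_address(IP_RE.search(line).group())
    return info

def classify(info, internal_ip):
    """Name the view of the site that an internal client is being given."""
    if ipaddress.ip_address(internal_ip) in info["answers"]:
        return "internal"                 # sent straight to the DMZ host
    if not info["answers"]:
        return "no-answer"
    if not info["authoritative"]:
        return "external-via-recursion"   # no local zone answered for the name
    return "local-record-other-address"   # a local zone holds a different IP

if __name__ == "__main__":
    parsed = parse_nslookup(THREAD_OUTPUT)
    print(parsed["name"], [str(a) for a in parsed["answers"]],
          classify(parsed, "10.0.0.5"))
```

Run against the posted output, the result is "external-via-recursion": the server at 192.168.0.5 did not answer from a zone of its own, and the client was given the public address rather than 10.0.0.5.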

by voldar In reply to Watchguard x700 and Win2K ...

As I see now, your 10.0.0.5 IP address is not in the range that your main DNS server can solve (192.168.0.1/24). If so, that means to me (I may be wrong) that your DMZ has the 10.0.0.1/24 IPs. I am now positively sure that it is not a DNS problem, but a firewall setting. Can't you look at your firewall and check if there is nothing like "any 10.0.0.5 address request be transmitted to 192.168.0.5", or something like that?

P.S. You can contact me at vladolar@yahoo.com, it is better than communicating in here.
