We began hosting our company website today. All the necessary changes were made at the domain registrar. You can view our website from outside our corporate network, but I'm getting a 404 timeout error when trying to view our website from inside our network. Browsing the internet is fine to all sites but our own. I'm using an ASA5510.
There are a lot of variables here, so I need some more information.
1) Is the web server using a public address, or is it using a private address and you use NAT to present it to the Internet?
2) Is the web server hosted on a DMZ (hope so!)?
3) Do you use a proxy server to access Internet sites, or do you go direct from each client?
4) If the web server is on a private address, is this resolvable within your internal DNS (do you use internal DNS for that matter)?
Really need a bit more info to help out.
Okay. So from inside your network the web server will be available by its private IP address, yes?
How is the web site resolved internally to this address, i.e. if you type www.companyname.com into your browser then this will need to be translated to the private address for your internal clients.
In addition, let's say that it resolves to 192.168.1.10.
Do your clients know how to route to this address?
Do you restrict traffic from your internal network to the Internet? If so, have you allowed access from your clients to the DMZ on the access-list?
Sorry about all the questions, but it could be quite a few things :-)
jon.marshall, I am having the same problem with one of our internal web servers, same setup as Bendotti1 in regards to NAT. We have a Pix 506E. I'm probably going to create an entry in our DNS for the internal clients to fix the problem. I'm curious to know:
- Is this a NAT limitation, or a firewall security feature?
- When you mentioned DMZ, I immediately started questioning if I have mine configured correctly. I have it on a separate VLAN, and the f/w only allows port 80 traffic translated to the private IP, but there are a couple other devices on the same VLAN (these other devices have no OUTSIDE-->INSIDE rules created in the f/w). How would I set up a DMZ the RIGHT way?
Thanks for any help you can provide!
Not sure whether it is a limitation or not as I have never tried it. The NAT is presenting the public IP address to the outside, but the problem is you are not coming in from the outside. I believe you can try DNS doctoring or using the alias feature, but to me the easiest solution is just to resolve the web server to its private IP address internally. It just makes more sense to me anyway to do this.
With a PIX 506E you can't really have a DMZ as you need at least 3 interfaces: one outside facing the Internet, one inside facing your internal network and one for the DMZ. The idea is that if your web server is compromised, access is still denied from the web server to your internal network. If you have the web server on your internal network and it is compromised, then you are far more open.
If you have routing functionality within your LAN you could put the web server on its own VLAN and use access-lists to impose some level of security. This relies on you having spare router interfaces (or using dot1q on an existing interface) unless you have a layer 3 switch, in which case you can just create a virtual interface.
The other thing you could look into is Private Vlans which allow you to impose traffic restrictions between servers on the same vlan. If the other servers on your vlan do not need to communicate with the web server and vice-versa you could utilise private vlans.
Neither the routed vlan nor layer 2 private vlans are as secure as a DMZ.
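As an added illustration of the two points in the reply above (DNS doctoring for the hairpin problem, and a DMZ that cannot initiate traffic to the inside), here is a configuration fragment in ASA 7.x/8.2-era syntax. It is not from the thread or from Cisco; the interface names, the addresses (public 203.0.113.10, DMZ server 192.168.20.10, inside LAN 192.168.1.0/24) and the access-list names are constructed, and the exact command forms should be checked against the command reference for the release you run.

```cisco
! Added example, not the poster's configuration. Assumed ASA 7.x-8.2 (pre-8.3 NAT)
! syntax with constructed addresses; verify against your release's command reference.

! Three interfaces; the DMZ sits between inside and outside in trust (security-level).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0

! Static NAT for the web server. The trailing "dns" keyword is DNS doctoring:
! when an inside client's lookup of www.companyname.com comes back from the
! public DNS with the A record 203.0.113.10, the ASA rewrites the answer to
! 192.168.20.10 before it reaches the client, so the client connects to the DMZ
! address directly instead of trying to reach its own public IP via the outside.
static (dmz,outside) 203.0.113.10 192.168.20.10 netmask 255.255.255.255 dns

! DNS doctoring depends on DNS inspection (present in the default global policy).
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! Identity NAT so inside addresses are not translated toward the DMZ
! (needed when nat-control is enabled).
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Only HTTP from the Internet to the web server. Pre-8.3 ACLs match the
! public (translated) address on the outside interface.
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! The DMZ rule that makes it a DMZ: the web server may talk to the Internet
! (for updates, etc.) but may never initiate connections to the inside network,
! so a compromised web server does not become a foothold on the LAN.
access-list dmz_out extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_out extended permit ip any any
access-group dmz_out in interface dmz
```

The alternative the reply prefers, split DNS, needs no firewall change at all: the internal DNS zone for companyname.com simply carries an A record for www pointing at 192.168.20.10, while the public zone keeps 203.0.113.10. Either way, the `dmz_out` access-list is the part worth keeping regardless of how name resolution is handled, since it is what limits the blast radius of a compromised web server.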
Thanks for your post. I will have to look into Private VLANs and do some research, thanks for the suggestion. I am familiar with VLAN Access-Maps so maybe that will be an option as well. I'm curious now that you said that you can restrict device to device traffic with Private VLANs, that is entirely new (but really neat) to me. I assume that you need to assign each device on their own PVLAN? Well anyway, thanks again for the help!
Just remembered on the way home:
with a PIX 506E you can have virtual interfaces. It supports 2 VLANs on one physical interface, so you can create a DMZ this way. So you would have your outside interface using a dedicated Ethernet connection on your PIX, and then you can use the other Ethernet connection to create 2 virtual interfaces: an inside interface and a DMZ interface. You can then firewall as you would normally between all three interfaces.
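An added sketch of what that two-port DMZ looks like on a PIX 506E running 6.3 code; it is not from the thread or from Cisco. The 6.3 logical-interface syntax is given as I recall it and should be confirmed against the 6.3 command reference, and the addresses (public 203.0.113.10, DMZ server 192.168.20.10, inside LAN 192.168.1.0/24), VLAN number and access-list names are constructed.

```cisco
! Added example, not the poster's configuration. Assumed PIX 6.3 syntax with
! constructed addresses and VLAN IDs; verify against the 6.3 command reference.

! ethernet0 is the dedicated outside port. ethernet1 carries two VLANs:
! the untagged (physical) VLAN stays the inside network, and a tagged logical
! VLAN becomes the DMZ. The switch port facing ethernet1 must be an 802.1Q trunk
! carrying VLAN 20 tagged, with VLAN 1 as its native VLAN.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan1 physical
interface ethernet1 vlan20 logical

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 dmz security50

ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0

! Public address for the web server, mapped to its DMZ address.
static (dmz,outside) 203.0.113.10 192.168.20.10 netmask 255.255.255.255 0 0

! Only HTTP from the Internet to the web server.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! DMZ may reach the Internet but never the inside network, which is the
! property that distinguishes a DMZ from "a server on its own VLAN".
access-list dmz_out deny ip any 192.168.1.0 255.255.255.0
access-list dmz_out permit ip any any
access-group dmz_out in interface dmz
```

With this layout the other devices mentioned earlier as sharing the web server's VLAN would be moved off VLAN 20 unless they are also meant to be Internet-facing, since anything on the DMZ segment is reachable from the web server at layer 2 regardless of the firewall rules.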
For PIX 6.x code you still have to use alias, or set up DNS to point to an internal IP.