Web site down

Discussion in 'Server Networking' started by SP, Mar 29, 2005.

  1. SP

    SP Guest

    I'm trying to host our own public website. The server is sitting behind a
    couple of routers like below.

                      Internet
                         | (public IP)
                       RouterA
         (10.80.x.x) /         \ (10.80.x.x+1)
               RouterB          RouterC
                  |                |
            Private LAN        Web server
           (192.168.x.x)      (192.168.x.x)

    RouterA is set to have RouterC in DMZ.
    RouterC is configured with necessary ports to allow access to the Web
    server.

    From the internet, the Web server seems to be up and running (all pages are
    accessible). But, from the Private LAN, the Web server would show "The Page
    Cannot Be Displayed".

    Is this a DNS issue or a routing issue? Please help solve this problem.

    Thank you
    Steve
     
    SP, Mar 29, 2005
    #1

  2. DNS but to be sure open a dos prompt on a LAN machine
    and run nslookup <yourweburl>. Do you get a response?
     
    Michael Giorgio - MS MVP, Mar 29, 2005
    #2

  3. I don't think the design will work to begin with.

    RouterA is not a router, but is a Firewall (NAT-based).

    I can't tell by your description if Routers B&C are NAT devices or not. B is
    probably not, but C might be,..if so, NAT on Router C would only further
    compound the problem.

    If you are attempting a Tri-Homed DMZ model, Firewall Devices typically just
    do not allow access between the LAN segment and the DMZ segment, but do
    allow access between the Public Segment and the DMZ segment. Check with the
    Manufacturer on that. Also examine the document concerning Tri-Homed DMZ
    with ISA Server on www.isaserver.org to understand some of the "quirks" of
    Tri-Homed DMZs,..even though you may not be using ISA, many of the principles
    would still apply.

    This link will take you to some, but there is probably more if you just
    search using DMZ as the keyword on the site's built-in Search.
    http://www.isaserver.org/pages/search.asp?query=trihomed
     
    Phillip Windell, Mar 29, 2005
    #3
  4. SP

    SP Guest

    From a LAN machine, nslookup shows DNS request timed out...can't find server
    name...

    Steve
     
    SP, Mar 29, 2005
    #4
  5. Well then there is your problem. Do you have AD and DNS setup
    internally? If so then make sure you setup forwarders to your ISPs
    DNS servers for all outside requests e.g., add your ISPs DNS servers
    to the forwarders tab in DNS. If you don't have AD running then make
    sure your LAN clients are configured to point towards your ISPs DNS
    servers.
     
    Michael Giorgio - MS MVP, Mar 29, 2005
    #5
  6. SP

    SP Guest

    Thanks for the reply.

    A is a router (Xincom Twin Wan Router XC-DPG502).
    B & C are NAT-based firewalls.

    Steve
     
    SP, Mar 29, 2005
    #6
  7. There are still things I don't know about your setup,...but here is my next
    "guess"..

    If the Private LAN Users and the Web Server are on the same segment and are
    directly connected, then the users must connect to it by going directly to
    it (not going through RouterB). If they use a FQDN to do it, then you must
    make sure it resolves to the *Internal* IP# and not the Public IP#. There
    are ways to make it go though the NAT Devices but it really isn't worth the
    trouble.

    If the network of the Private LAN and the Webserver are *not* directly
    connected to each other,..you used 192.168.x.x for both of them so I can not
    tell for sure.......then......

    The RouterC must "publish" the Web Server to the 10.80.x.x+1 network. The
    users in the Private LAN would then contact the Webserver by treating the
    RouterC as if it was the Web Server (even though it isn't).
     
    Phillip Windell, Mar 29, 2005
    #7
  8. SP

    SP Guest

    Yes, AD and DNS are set up on the LAN side. DNS is set up with forwarders
    (DNS IPs include the LAN IP of Router A and 2 other public DNS IPs).

    Again, LAN computers can access the internet; they can go to just about any
    website...no problem. They just cannot go to our own website. But, from
    outside of our private LAN, people can go to our website ... no problem.

    Steve
     
    SP, Mar 29, 2005
    #8
  9. SP

    SP Guest

    Sorry... B is 192.168.2.x, and C is 192.168.0.x. The 10.80.x.x+1 is the
    DMZ on RouterA.

    As for "publish", how is that done?

    Steve
     
    SP, Mar 30, 2005
    #9
  10. That is actually a "proxy server" term. When using NAT Devices it would be
    correctly called "Static NAT" or "Reverse NAT" (One-to-One NAT in some cases).
    The exact way depends on your specific Devices,..check the documentation.
    Some documentation may call it "IP Forwarding",...which is not accurate
    terminology,..but there are some battles you just can't win. Terminology is
    misused all the time today,..even in product documentation.

    IP Forwarding actually is just plain old every-day Layer3 routing. You can
    see that in the old NT4.0 where you simply turned routing on or off by
    turning "IP Forwarding" on or off. It had nothing to do with Firewalls,
    Proxys, or the Internet.
     
    Phillip Windell, Mar 30, 2005
    #10
  11. SP

    SP Guest

    Could you walk me through this routing process? Where would I start? A,
    B, or C? The routing settings look simple. There are destination IP,
    gateway IP, and net mask, but I couldn't make out which IP is supposed to be
    which.

    I just found out that, not only the LAN PCs cannot get to the web server,
    the web server itself is doing the same thing. But from a public PC, any
    PC can.

    Steve
     
    SP, Mar 31, 2005
    #11
  12. Todd J Heron

    Todd J Heron Guest

    If the internal Active Directory domain name is the same as the real
    Internet domain name then add a www record on your internal DNS server for
    the real internet IP of the hosted website. As both servers believe that
    they are the SOA for both, then you will have to manually replicate them
    (create them yourself and update them when necessary). What happens here is
    that your DNS believes it is the authority for domain.com (it believes it
    knows everything about domain.com) and so when it gets a request for a host
    for which a record does not exist (i.e. www) it basically reports "sorry no
    such host here" and ends the query (it doesn't have to ask anyone forward
    since it is the authority for domain.com).

    URL: http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon-common-server-names.html
     
    Todd J Heron, Mar 31, 2005
    #12
  13. SP

    SP Guest

    Thanks very much for the reply.

    The internal domain name is not the same as the real internet domain name.

    As far as internet DNS setup goes, it's done at the hosting company. I
    believe there is an A record mapping the internet domain name to the public
    IP where RouterA is. And, this works fine in terms of accessing the website
    from outside of my office.

    Right now, even on the server, if I enter the public domain name into the
    browser, it would show that the page cannot be displayed. I guess there
    must be a record in the local DNS to map the public domain name to the local
    domain name, right?? And how is it done?

    Thanks
    Steve
     
    SP, Mar 31, 2005
    #13
  14. You cannot make a "u-turn" through a NAT device that is "publishing" the
    webserver. It is the way NAT works,...it just can not do it. You have to
    arrange your DNS so that users from in your LAN have the FQDN resolved to
    the Internal Private IP# of the website, thereby allowing them to go
    directly to it instead of trying to go out to the Internet then "u-turn"
    back in.

    You could avoid the issue all together if the users use the Netbios Name of
    the Server in the URL.
     
    Phillip Windell, Mar 31, 2005
    #14
  15. SP

    SP Guest

    Thanks, Phillip

    You mentioned from the beginning that you don't think the design will work.
    What changes (I suppose in terms of router arrangement) do I need to make
    the design better?

    Steve

     
    SP, Mar 31, 2005
    #15
  16. You won't like it.

    Assuming less than 250 machines on the network:

    1. One single subnet on the private side.

    2. One single NAT Firewall or Proxy Server on the network "edge". Use it to
    make the webserver available to the Public.

    3. None of the "computers/servers" will have any role in making the Internet
    available to anything else.

    The simpler the design, the simpler to maintain and "secure", and the harder
    it is to break into. Most security flaws come from over-complicating the
    system, not from simplifying it.
     
    Phillip Windell, Mar 31, 2005
    #16
  17. SP

    SP Guest

    Thanks for the tips. I sure like any suggestion that works.

    What do you think of requesting the ISP for another public IP alongside the
    existing IP?
     
    SP, Mar 31, 2005
    #17
  18. Well it doesn't hurt to have a few extras, but you only really need the one.
    Making it all work won't depend on having any more than just one Public IP#.

    We have 32 Public IP#s but I only use them for devices that sit
    independently out on the Internet, but I never have more than one on our
    Proxy Server that sits on the "edge". I have a Hub between our Proxy and
    the T1 Router, so it is on the Public network, and that is where my Public
    machines connect that use those other Public IP#s.
     
    Phillip Windell, Mar 31, 2005
    #18
  19. SP

    SP Guest

    right on...thanks again for all your help.

    Steve

     
    SP, Mar 31, 2005
    #19
