
Firebox X500 - can't access internal servers

Status
Not open for further replies.

ericpeters

Technical User
May 13, 2006
3
DE
Hi!

I'm new to this forum (and also to the Firebox ;-)) and I've got a small question.
I have a problem accessing our internal servers (FTP, HTTP) via internet from an internal client. If I am trying to connect to the servers from an external client, everything works just fine.
Somehow the Firebox is blocking the internal client connecting to the servers, although I have created a policy which allows any external AND any trusted to access the servers.
May it be that it has something to do with 1to1-NAT?

Any help would be appreciated :))

Thanks,

Eric
 
If you want to access the servers using the public IP address, this is only possible if you put the Firebox in drop-in mode, because of the split-horizon rule....

If you are trying to access using the internal IP address, then what kind of logs do you get in the traffic monitor? And on which port are these servers located? From where (port) are you trying to access them?

Regards
Pankaj



 
I'm not real clear on how your network is configured, but I assume that the FTP server is on the external port of the firewall. In that case it is probably easier to NAT the internal hosts; otherwise you will need routes on the FTP box for the packets to find their way back to the trusted port. By default the Firebox is not going to let a private IP range into the external port.
 
Hi everybody!

The Firebox is in drop-in mode. Anyway, I am not sure what to do anymore. The FTP server is within the internal network and has a static IP routed to it. As I wrote before, it is no problem to access the server from outside, but from inside - no chance. I am not sure about this split-horizon rule.
You can find a screenshot of the current configuration here:


Eric
 
According to WatchGuard, when you do static NAT and map the external IP to the internal server in the service itself, the machines sitting inside the network will not be able to access the public IP address of that server, which you can use from outside successfully.

Because when the request goes out from an internal machine, it gets NATed on the external interface of the Firebox and takes the external IP address of the Firebox to go out. When you are accessing one of your own public IP addresses from your external public subnet, the source and the destination of the packet become part of the same subnet.

This is the reason the firebox will deny the packet.
 
Thanks pankajchawla. So I guess it means that I can forget solving this problem...

Thanks anyway,

Eric
 