Web site down

I'm trying to host our own public website. The server is sitting behind
couple of routers like below.
Internet
| (public IP)
RouterA
(10.80.x.x) / \ (10.80.x.x+1)
RouterB RouterC
| | | | | | | | | |
Private LAN Web server
(192.168.x.x) (192.168.x.x)

RouterA is set to have RouterC in DMZ.
RouterC is configured with necessary ports to allow access to the Web
server.

From the internet, the Web server seems to be up and running (all pages are
accessible). But, from the Private LAN, the Web server would show "The Page
Cannot Be Displayed".

Is this a DNS issue or a routing issue ? Please help solve this problem.

Thank you
Steve

"SP" <(E-Mail Removed)> wrote in message news:
> I'm trying to host our own public website. The server is sitting behind
> couple of routers like below.
> Internet
> | (public IP)
> RouterA
> (10.80.x.x) / \ (10.80.x.x+1)
> RouterB RouterC
> | | | | | | | | | |
> Private LAN Web server
> (192.168.x.x) (192.168.x.x)
>
> RouterA is set to have RouterC in DMZ.
> RouterC is configured with necessary ports to allow access to the Web
> server.
>
> From the internet, the Web server seems to be up and running (all pages
are
> accessible). But, from the Private LAN, the Web server would show "The
Page
> Cannot Be Displayed".
>
> Is this a DNS issue or a routing issue ? Please help solve this problem.
>
DNS but to be sure open a dos prompt on a LAN machine
and run nslookup <yourweburl>. Do you get a response?

"SP" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm trying to host our own public website. The server is sitting behind
> couple of routers like below.
> Internet
> | (public IP)
> RouterA
> (10.80.x.x) / \ (10.80.x.x+1)
> RouterB RouterC
> | | | | | | | | | |
> Private LAN Web server
> (192.168.x.x) (192.168.x.x)
>
> RouterA is set to have RouterC in DMZ.
> RouterC is configured with necessary ports to allow access to the Web
> server.
>
> From the internet, the Web server seems to be up and running (all pages
are
> accessible). But, from the Private LAN, the Web server would show "The
Page
> Cannot Be Displayed".
>
> Is this a DNS issue or a routing issue ? Please help solve this problem.

I don't think the design will work to begin with.

RouterA is not a router, but is a Firewall (NAT-based).

I can't tell by your description if Routers B&C are NAT devices or not. B is
probably not, but C might be,..if so, NAT on Router C would only futher
compound the problem.

If you are attempting a Tri-Homed DMZ model, Firewall Devices typically just
do not allow access between the LAN segment and the DMZ segment, but do
allow access between the Public Segment and the DMZ segment. Check with the
Manufacture on that. Also examine the document concerining Tri-Homed DMZ
with ISA Server on www.isaserver.org to understand some of the "quirks" of
Tri-Homed DMZs,..even though you may not be using ISA, many of the priciples
would still apply.

This linkwill take you to some, but there is probably more if you just
search using DMZ as the keyword on the site's built in Search.
http://www.isaserver.org/pages/searc...query=trihomed

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

From a LAN machine, nslookup shows DNS request timed out...can't find server
name...

Steve

"Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote in
message news:e37P$%(E-Mail Removed)...
>
> "SP" <(E-Mail Removed)> wrote in message news:
>> I'm trying to host our own public website. The server is sitting behind
>> couple of routers like below.
>> Internet
>> | (public IP)
>> RouterA
>> (10.80.x.x) / \ (10.80.x.x+1)
>> RouterB RouterC
>> | | | | | | | | | |
>> Private LAN Web server
>> (192.168.x.x) (192.168.x.x)
>>
>> RouterA is set to have RouterC in DMZ.
>> RouterC is configured with necessary ports to allow access to the Web
>> server.
>>
>> From the internet, the Web server seems to be up and running (all pages
> are
>> accessible). But, from the Private LAN, the Web server would show "The
> Page
>> Cannot Be Displayed".
>>
>> Is this a DNS issue or a routing issue ? Please help solve this problem.
>>
> DNS but to be sure open a dos prompt on a LAN machine
> and run nslookup <yourweburl>. Do you get a response?
>
>

Well then there is your problem. Do you have AD and DNS setup
internally? If so then make sure you setup forwarders to your ISPs
DNS servers for all outside requests e.g., add your ISPs DNS servers
to the forwarders tab in DNS. If you don't have AD running then make
sure your LAN clients are configured to point towards your ISPs DNS
servers.

"SP" <(E-Mail Removed)> wrote in message news:
> From a LAN machine, nslookup shows DNS request timed out...can't find
server
> name...
>

Thanks for the reply.

A is a router (Xincom Twin Wan Router XC-DPG502).
B & C are NAT-based firewalls.

Steve

"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
> "SP" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I'm trying to host our own public website. The server is sitting behind
>> couple of routers like below.
>> Internet
>> | (public IP)
>> RouterA
>> (10.80.x.x) / \ (10.80.x.x+1)
>> RouterB RouterC
>> | | | | | | | | | |
>> Private LAN Web server
>> (192.168.x.x) (192.168.x.x)
>>
>> RouterA is set to have RouterC in DMZ.
>> RouterC is configured with necessary ports to allow access to the Web
>> server.
>>
>> From the internet, the Web server seems to be up and running (all pages
> are
>> accessible). But, from the Private LAN, the Web server would show "The
> Page
>> Cannot Be Displayed".
>>
>> Is this a DNS issue or a routing issue ? Please help solve this problem.
>
> I don't think the design will work to begin with.
>
> RouterA is not a router, but is a Firewall (NAT-based).
>
> I can't tell by your description if Routers B&C are NAT devices or not. B
> is
> probably not, but C might be,..if so, NAT on Router C would only futher
> compound the problem.
>
> If you are attempting a Tri-Homed DMZ model, Firewall Devices typically
> just
> do not allow access between the LAN segment and the DMZ segment, but do
> allow access between the Public Segment and the DMZ segment. Check with
> the
> Manufacture on that. Also examine the document concerining Tri-Homed DMZ
> with ISA Server on www.isaserver.org to understand some of the "quirks"
> of
> Tri-Homed DMZs,..even though you may not be using ISA, many of the
> priciples
> would still apply.
>
> This linkwill take you to some, but there is probably more if you just
> search using DMZ as the keyword on the site's built in Search.
> http://www.isaserver.org/pages/searc...query=trihomed
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>

"SP" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks for the reply.
>
> A is a router (Xincom Twin Wan Router XC-DPG502).
> B & C are NAT-based firewalls.

There are still things I don't know about your setup,...but here is my next
"guess"..

If the Private LAN Users and the Web Server are on the same segment and are
directly connected, then the users must connect to it by going directly to
it (not going through RouterB). If they use a FQDN to do it, then you must
make sure it resolves to the *Internal* IP# and not the Public IP#. There
are ways to make it go though the NAT Devices but it really isn't worth the
trouble.

If the network of the Private LAN and the Webserver are *not* directly
connected to each other,..you used 192.168.x.x for both of them so I can not
tell for sure.......then......

The RouterC must "publish" the Web Server to the 10.80.x.x+1 network. The
users in the Private LAN would then contact the Webserver by treating the
RouterC as if it was the Web Server (even though it isn't).


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Yes, AD and DNS are set up on the LAN side. DNS is set up with forwarders
(DNS IPs include the LAN IP of Router A and 2 other public DNS IPs).

Again, LAN computers can access the internet; they can go to just about any
websites...no problem. They just cannot go our own website. But, from
outside of our private LAN, people can go to our website ... no problem.

Steve


"Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> Well then there is your problem. Do you have AD and DNS setup
> internally? If so then make sure you setup forwarders to your ISPs
> DNS servers for all outside requests e.g., add your ISPs DNS servers
> to the forwarders tab in DNS. If you don't have AD running then make
> sure your LAN clients are configured to point towards your ISPs DNS
> servers.
>
> "SP" <(E-Mail Removed)> wrote in message news:
>> From a LAN machine, nslookup shows DNS request timed out...can't find
> server
>> name...
>>
>
>
>

Sorry... B is 192.168.2.x , and C is 192.168.0.x . The 10.80.x.x+1 is the
DMZ on RouterA.

As for "publish", how is that done ?

Steve


"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> "SP" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Thanks for the reply.
>>
>> A is a router (Xincom Twin Wan Router XC-DPG502).
>> B & C are NAT-based firewalls.
>
> There are still things I don't know about your setup,...but here is my
> next
> "guess"..
>
> If the Private LAN Users and the Web Server are on the same segment and
> are
> directly connected, then the users must connect to it by going directly to
> it (not going through RouterB). If they use a FQDN to do it, then you
> must
> make sure it resolves to the *Internal* IP# and not the Public IP#.
> There
> are ways to make it go though the NAT Devices but it really isn't worth
> the
> trouble.
>
> If the network of the Private LAN and the Webserver are *not* directly
> connected to each other,..you used 192.168.x.x for both of them so I can
> not
> tell for sure.......then......
>
> The RouterC must "publish" the Web Server to the 10.80.x.x+1 network. The
> users in the Private LAN would then contact the Webserver by treating the
> RouterC as if it was the Web Server (even though it isn't).
>
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>

"SP" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Sorry... B is 192.168.2.x , and C is 192.168.0.x . The 10.80.x.x+1 is the
> DMZ on RouterA.
>
> As for "publish", how is that done ?

That is actually a "proxy server" term. When using NAT Devices it would be
correctly called "Staic NAT" or "Reverse NAT" (One-toOne NAT in some cases).
The exact way depends on your specific Devices,..check the documentation.
Some documentation may call it "IP Forwarding",...which is not accurate
terminology,..but there are some battles you just can't win. Terminology is
misued all the time today,..even in product documentation.

IP Forwarding actually is just plain old every-day Layer3 routing. You can
see that in the old NT4.0 where you simply turned routing on or off by
turning "IP Forwarding" on or off. It had nothing to do with Firewalls,
Proxys, or the Internet.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com