Unable to resolve the Domain Name of Internal Webserver from Internal LAN

Publication Date: 2018-03-20
Issue Description

Software Version: Any
Issue Description: When internal LAN users try to connect to the internal web server, the domain name cannot be resolved, although it resolves normally for Internet users (the “External Network”).
Network Topology: 

Handling Process

1. Check the network topology information. The internal users and the internal web server are in the same network segment and the same security zone, “Trust”.
2. Check the USG configuration (security policy, NAT, routes, ...) to make sure the configuration is correct.
3. Check the domain name of the web server. It maps to the server’s public IP address.
4. Capture the outbound traffic from the internal user's PC to the internal web server and analyze it to find where the traffic flow fails between leaving the PC and reaching the web server.
5. Check the reachability of the DNS server.
6. Check the internal PC configuration.

Root Cause

1. Outbound traffic from the inside network ("Internal users") cannot reach the internal web server through its public IP address. For it to do so, the following conditions must be met:
   i. The destination IP address of the internal user's request packet must be translated into the intranet IP address of the internal web server.
   ii. The source address must be translated into a public IP address.
   iii. The source address of the response packet sent by the internal server ("Web Server") must be translated into a public IP address.
   iv. The destination IP address must be translated into the user's intranet IP address.
2. External users can reach the internal web server normally because external traffic matches the server mapping policy.

Solution

Configure a source NAT policy from the Trust zone to the Trust zone to translate the user’s source address into a public IP address and to translate the destination address of the server’s response packet into the user's intranet IP address.



The firewall session table will look as follows:
http VPN:public --> public 10.1.1.100:4182[1.1.1.100:1972] -->  1.1.1.10:8080[10.1.1.10:80]
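
The following added example (not part of the original case and not Huawei code) simulates the four translations listed under Root Cause, using the addresses from the session entry above. It assumes a 10.1.1.0/24 segment and that the server's default gateway is the firewall; all function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("10.1.1.0/24")      # assumed mask for the Trust segment
CLIENT = ("10.1.1.100", 4182)                  # internal user, from the session entry
SERVER_PUB = ("1.1.1.10", 8080)                # public side of the server mapping
SERVER_PRIV = ("10.1.1.10", 80)                # intranet address of the web server
SNAT = ("1.1.1.100", 1972)                     # translated source, from the session entry

@dataclass(frozen=True)
class Packet:
    src: tuple
    dst: tuple

def firewall_forward(pkt, source_nat):
    """Request path: server mapping (destination NAT), optional Trust-to-Trust source NAT."""
    if pkt.dst == SERVER_PUB:
        pkt = replace(pkt, dst=SERVER_PRIV)    # condition i
    if source_nat:
        pkt = replace(pkt, src=SNAT)           # condition ii
    return pkt

def firewall_reverse(pkt):
    """Reply path: undo both translations if the packet matches the session."""
    if pkt.src == SERVER_PRIV and pkt.dst == SNAT:
        return Packet(src=SERVER_PUB, dst=CLIENT)   # conditions iii and iv
    return pkt

def simulate(source_nat):
    request = Packet(src=CLIENT, dst=SERVER_PUB)
    at_server = firewall_forward(request, source_nat)
    reply = Packet(src=at_server.dst, dst=at_server.src)
    # On-link destinations are delivered directly; others go to the gateway (firewall).
    via_firewall = ipaddress.ip_address(reply.dst[0]) not in LAN
    if via_firewall:
        reply = firewall_reverse(reply)
    # The client accepts a reply only if it mirrors the connection it opened.
    accepted = reply.src == request.dst and reply.dst == request.src
    return {"at_server": at_server, "via_firewall": via_firewall,
            "reply": reply, "accepted": accepted}

if __name__ == "__main__":
    for snat in (False, True):
        print("source NAT:", snat, simulate(snat))
```

Without source NAT the server answers the client directly from 10.1.1.10:80, which does not match the connection the client opened to 1.1.1.10:8080, so the reply is discarded.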
