Linux – Web Server Unable to Access from Internal Network

Tags: domain-name-system, firewall, linux

I have a web server that I am unable to access via its public IP address while I am on my internal network. If I am on an external network I can access the server via its public address. Also, I am able to log in to the server using its private IP while on the internal network.

The proper ports are open (80 and 443).

I am leaning toward it being an issue with my internal DNS server. My DNS server resides on a different server and all of the client computers are pointed to it.

Any ideas why I can't access this server via its public address while on the internal network?

Best Answer

There are usually two solutions to this problem:

  • split horizon DNS: your internal DNS server on your LAN resolves yourwebsite.com to the server's internal IP address. The real authoritative public DNS server resolves the external public IP address of yourwebsite.com.

  • NAT reflection (called many things by other firewall vendors, like NAT loopback, hairpinning, etc.): when enabled, if the firewall/router sees its own IP as the destination IP in a packet from an inside machine, it rewrites the source as itself (its WAN address) before applying the DNAT (port forwarding) rules.

I'm guessing that you do not have either of these solutions in place.

If you have the option of choosing, I usually favour split DNS because it allows you greater flexibility internally for testing different sub-domain mappings to URLs (i.e. *.dev.mycompany.com) without having to expose that to the outside by way of real DNS entries and/or additional port forwarding rules on the outside. With NAT reflection, you still need to add any/all port forwarding rules for the loopback to work, and you might not want that.

I would highly recommend you set up a DMZ for your web server; most business-grade router/firewalls feature a DMZ port with rules already set up to permit LAN-to-DMZ and outside-to-DMZ, but deny DMZ-to-LAN.
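The split-horizon option from the answer above, as an added example configuration for a BIND 9 internal resolver (not taken from the original post). It assumes a LAN of 192.168.1.0/24, the internal DNS server at 192.168.1.2, the web server's LAN address 192.168.1.10, and the zone name yourwebsite.com; the public authoritative servers are left untouched, and only LAN clients (which already use this resolver) receive the private address.

```conf
// /etc/named.conf on the internal DNS server (added example, not the post's config).
// Assumed addresses: LAN 192.168.1.0/24, this resolver 192.168.1.2,
// web server LAN address 192.168.1.10, zone yourwebsite.com.
acl "lan" { 192.168.1.0/24; 127.0.0.1; };

options {
    listen-on { 192.168.1.2; 127.0.0.1; };
    allow-query { lan; };       // resolver serves LAN clients only
    recursion yes;
    allow-recursion { lan; };   // never act as an open resolver
};

view "internal" {
    match-clients { lan; };
    // Local override of the public zone: LAN clients resolve the private IP,
    // everything else is still recursed normally via the root hints.
    zone "yourwebsite.com" {
        type master;
        file "/etc/named/db.yourwebsite.com.internal";
    };
};

// /etc/named/db.yourwebsite.com.internal (zone file, ';' comments)
// Caveat: this replaces the WHOLE public zone for LAN clients, so every
// record they need (MX, other hosts, subdomains) must be duplicated here.
//
// $TTL 3600
// @    IN SOA ns1.yourwebsite.com. hostmaster.yourwebsite.com. (
//          2024010101 3600 900 1209600 300 )   ; serial, refresh, retry, expire, min
//      IN NS   ns1.yourwebsite.com.
// ns1  IN A    192.168.1.2         ; the internal resolver itself
// @    IN A    192.168.1.10        ; LAN clients get the private address
// www  IN A    192.168.1.10
//
// Verify from a LAN client (expected answer 192.168.1.10; from outside the
// public DNS should still return the public address):
//   dig @192.168.1.2 www.yourwebsite.com A +short
```

The public zone on the authoritative servers keeps the public address, so the two answers differ only by which network the query comes from, which is exactly the split-horizon behaviour described above.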