So I set up an IIS Server to host a website for a company. Getting the site to display on the Server was easy. Getting to the site externally, that was another story.
Went through the typical motions in setting up the SonicWall firewall. Identified an available WAN IP to use, created firewall access rules, created NAT Policies, ensured the zone assignments are correct, ensured network connectivity of the IIS Server. So…first attempt at accessing the site externally…the site displays properly. “Piece of cake.” Well not for long. Moments later, the site was unavailable.
I started checking IIS and the Server itself first…seemed like the most logical. I was able to access the website once, so the firewall must be right? Anyway, the IIS Server is running fine. No port conflicts, no Services hosed, site works internally. Next I checked the SonicWall. I set up a packet monitor and configured the logs to show results of traffic to and from the internal IP of the IIS Server. Next, I tried to access the site externally. No traffic was coming in. Hmmmmm. Next I tested a PING command from the IIS Server to deedlbug.com. The PING replies and I see the ICMP traffic in the SonicWall. Ok…now I opened Internet Explorer on the IIS Server and went to deedlbug.com. The page will not load. No websites will load.
Wow…so now I am starting to concentrate intently. What the heck is wrong? I look at the logs in the SonicWall when accessing the websites using Internet Explorer. “TCP Handshake Violation…Connection Dropped.” Naturally I think the SonicWall is again the issue. I rebooted the device and again, verified the access rules and settings. Everything looks perfect. (All other Servers behind the firewall are accessible…just this one is not.) Finally, it dawned on me. What if the WAN IP address I used for the website was not really available? I checked prior and confirmed the WAN IP was in the static IP block from Verizon. I checked all access rules and address objects, and determined the WAN IP I selected was nowhere to be found. Just for kicks, I changed the address object to use a different WAN IP and I updated the A Record at the DNS provider. While waiting for DNS propagation, I tested Internet Explorer on the IIS Server. Instantly, I am right at my home page. Tested the website…the site is accessible and the firewall is logging everything.
So the WAN IP I selected was not available…but where was it? I started looking over old notes and consulting with my peers regarding the configuration of the Server Room this IIS Server was installed into. It turns out that there was another firewall, a Cisco, installed a year prior, for a different Server. Guess what WAN IP this firewall was using. 😉
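
A check that would have caught this before the NAT policy went in, shown here as an added example (not part of the original post): capture ARP replies on the WAN segment and see which hardware addresses answer for the candidate IP. The capture lines, the 203.0.113.x addresses and the MACs are constructed sample data in `tcpdump -n arp` style, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample capture from the WAN segment (documentation-range IPs,
# made-up MACs). 203.0.113.10 is answered by two different devices.
SAMPLE_CAPTURE = """\
10:15:01.120331 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46
10:15:01.120877 ARP, Reply 203.0.113.10 is-at 00:17:c5:aa:bb:01, length 46
10:15:01.121040 ARP, Reply 203.0.113.10 is-at 00:1B:54:CC:DD:02, length 46
10:15:04.500112 ARP, Reply 203.0.113.11 is-at 00:17:c5:aa:bb:01, length 46
10:15:09.730455 ARP, Reply 203.0.113.10 is-at 00:1b:54:cc:dd:02, length 46
10:15:12.004410 ARP, Request who-has 203.0.113.12 tell 203.0.113.1, length 46
"""

ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9A-Fa-f:]{17})"
)

def claimants(capture):
    """Map each IP to the set of MACs that sent an ARP reply for it."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            # Normalise case so the same NIC is not counted twice.
            seen[m["ip"]].add(m["mac"].lower())
    return dict(seen)

def conflicts(capture):
    """IPs claimed by more than one MAC, i.e. two devices using one address.

    One MAC answering for several IPs is normal (a firewall holding multiple
    WAN addresses), so only the IP -> many-MACs direction is flagged.
    """
    return {ip: sorted(macs)
            for ip, macs in claimants(capture).items() if len(macs) > 1}

def is_free(ip, capture):
    """Treat an IP as unused only if nothing replied for it in the capture."""
    return ip not in claimants(capture)

if __name__ == "__main__":
    for ip, macs in conflicts(SAMPLE_CAPTURE).items():
        print(f"CONFLICT {ip}: answered by {', '.join(macs)}")
    for candidate in ("203.0.113.10", "203.0.113.12"):
        state = "free" if is_free(candidate, SAMPLE_CAPTURE) else "in use"
        print(f"{candidate}: {state}")
```

Run `is_free` against a capture taken before the address is configured on your own firewall; once the NAT policy exists, your firewall answers too and `conflicts` is the relevant check.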