Wireless Access

  • 1.  Public and Private Address

    Posted Dec 17, 2003 11:34 PM
    The network has 1 router, 1 firewall, 1 DNS and 1 web server.
    The domain is domain.com.
    The network is 192.168.1.0
    The web server is web.domain.com, 192.168.1.7(private) and 66.218.71.90 (public).

    When I am in the local network, I can go to the web server by using the private IP, but cannot by the public IP and web.domain.com.
    After adding DNS 192.168.1.7 -> web.domain.com, I can go to the web server by domain name, but still cannot by public IP.

    What is the problem? Which device needs to be set? Router / Firewall / DNS / ISP?


  • 2.  RE: Public and Private Address

    Posted Dec 18, 2003 05:43 AM
    It's either the firewall or the router, but I am having a little trouble drawing out your network. Which talks directly to the Internet, the router or the firewall? When a packet leaves your PC, does it go first to the firewall or to the router? Does the router have two Ethernet connections? One on the private LAN and one on the Web Server's public?

    From your PC, which I assume is a Windows box, open a DOS window (start/run/cmd or start/run/command) and type

    tracert -d 66.218.71.90

    This should show the path that a packet takes. You would expect it to go to your default gateway, which I assume is your router, and then be sent to your server. Instead it will probably be sent out to your ISP's router. The ISP router might send it back to you, but since it would look to the firewall like someone was spoofing the address, it would be dropped.

    If it doesn't go to the ISP then it might actually be delivered to the webserver but when the webserver tries to reply the traffic may automatically be sent to the ISP where the same thing could happen.

    You can run the same command from the webserver if it is a Windows box, or if not, try
    traceroute ipaddressofboxdoingtheNAT

    sometimes you have to say

    /usr/sbin/traceroute ipaddressofboxdoingtheNAT


    Another possibility is that the routing works correctly but the interface to the webserver is not declared as "NAT outside" so that packets coming from it are not examined to see if the destination address is in the external NAT pool and thus subject to having the destination changed back to an internal private address.

    Finally the firewall or router filters may not allow such traffic. (They may also not allow traceroute replies either.)

    Ron
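
Ron's tracert check from post 2, as an added example that is not part of the original thread: a Python script that reads `tracert -d` or `traceroute -n` output and reports whether the path reaches the public address inside the LAN or first leaves through a non-RFC 1918 hop. The sample outputs, the 192.168.1.1 gateway, the 203.0.113.1 ISP hop and the function names are constructed for this example.

```python
import ipaddress
import re

# RFC 1918 private ranges; the thread's LAN is 192.168.1.0.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed outputs of `tracert -d 66.218.71.90`; the gateway 192.168.1.1 and
# the ISP hop 203.0.113.1 are assumptions, not values from the thread.
LEAVES_LAN = """\
Tracing route to 66.218.71.90 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     9 ms     8 ms     9 ms  203.0.113.1
  3     *        *        *     Request timed out.
"""
STAYS_INSIDE = """\
Tracing route to 66.218.71.90 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  66.218.71.90
"""

def parse_hops(text):
    """Return [(hop_number, ip or None)]; None marks a timed-out hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if m:
            ip = IPV4.search(m.group(2))
            hops.append((int(m.group(1)), ip.group(0) if ip else None))
    return hops

def classify(text, target):
    """Return (verdict, hop): where the path reaches target or first leaves the LAN."""
    for hop, ip in parse_hops(text):
        if ip is None:
            continue  # filtered or dropped probe, keep looking
        if ip == target:
            return ("reached-inside", hop)
        if not any(ipaddress.ip_address(ip) in net for net in RFC1918):
            return ("left-lan", hop)  # handed to a public hop, e.g. the ISP router
    return ("inconclusive", None)

if __name__ == "__main__":
    for name, out in (("LEAVES_LAN", LEAVES_LAN), ("STAYS_INSIDE", STAYS_INSIDE)):
        print(name, classify(out, "66.218.71.90"))
```

A "reached-inside" verdict covers only the forward path; the reply path still has to be traced from the web server, as the post describes.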


  • 3.  RE: Public and Private Address

    Posted Dec 19, 2003 01:50 AM
    I'm always amused by people who want to ask for help, yet are so close with the information they are willing to make available that they make the process difficult.

    Obviously web.domain.com is either not a registered domain name or it's the internal domain and the public address provided points to a Yahoo site.

    So - based on the information you have given - let me add a few more possibilities

    the default gateway on your client PC, the public IP belongs to someone else and your domain hasn't been registered.

    If you're serious about getting help - you need to give us more information. If you're going to host a publicly available web server then both the URL and the IP are going to be known, so there's no point in not providing them.




  • 4.  RE: Public and Private Address

    Posted Dec 19, 2003 02:03 AM
    One more comment - if that is in fact the domain name AND IP address you're using - then you need to learn a lot more about what you're trying to achieve than is reasonable to expect from a forum of this nature.


  • 5.  RE: Public and Private Address

    Posted Dec 21, 2003 01:19 PM
    You can place a policy in the router to make it redirect all IP packets that arrive at port 80 (http) to 192.168.1.7.
    With that policy and from public addresses you should be able to access the web server.