> By doing all of the above, when users from the Internet go to
> http://www.companyname.com the rule is working fine and the users are going to the
> appropriate web server (my DNS for the web is pointing to the in-band IP address
> 1.2.3.4).
> But when users from inside the FW (who are on the segment 10.2.3.x) try
> to connect to the website, the DNS is resolving to IP 1.2.3.4 and they are
> trying to connect to the webserver and it is FAILING. On the other hand, if they
> put the IP 10.2.3.3 in their URL it's working fine. Any idea? Thoughts? Maybe
> there should be some special trick for the DNS side or something?
The correct way to solve your problem is to have a DNS server for the
outside, and a DNS server for the inside. The server for the outside
(commercial Internet) will only have entries that are necessary for
services on the outside (basically mail MX records, IP addresses and
CNAMEs for your web server(s), and any other machines you will want to be
able to address directly from the commercial Internet). Other things
that are good ideas to do to your outside DNS server are (assuming you're
using BIND 8.x):
- squash the version:
    version "Surely you jest.";
- make sure you don't let everyone do zone transfers:
    allow-transfer { none; };
- don't let everyone use your DNS server; make 'em use their own:
    allow-recursion { none; };
On the internal DNS server, you will want to have all the internal
numbering and such: all the addresses for your machines in the 10.x.x.x
network and anything else (I like putting in an empty zone for
doubleclick.net). You will want to keep your DNS entries for the same
machine very close to the same on both sides of the firewall. This
includes MX records and CNAMEs; mail can do some funny things if you're
too creative or careless with MX records.
This has been my solution for the question posed. I haven't yet seen FW-1 NAT
packets off the internal network and then NAT them back to it. It may
not be the most elegant solution, but it seems to work well.
// chris
[EMAIL PROTECTED]
*************************************************************************
Chris Tobkin [EMAIL PROTECTED]
Java and Web Services - Academic and Distributed Computing Services - UMN
Shep. Labs 190 Minneapolis, MN 55455
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
"Nothing great was ever achieved without enthusiasm."
- Ralph Waldo Emerson, poet, writer, and philosopher
*************************************************************************
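The two-server split Chris describes, written out as an added example (not from the original post or any vendor documentation): an Internet-facing BIND named.conf carrying the three hardening options he lists, and an internal one serving the 10.x addresses, with both zone files holding the same names. Assumes BIND 9 configuration syntax; the ns1 and mail addresses, serial and TTL values are constructed.

```conf
// ---- EXTERNAL server (Internet-facing): named.conf ----
options {
    directory "/var/named";
    version "Surely you jest.";      // squash the version string
    allow-transfer { none; };         // no zone transfers to anyone
    allow-recursion { none; };        // outsiders must use their own resolver
    recursion no;                     // authoritative answers only
};
zone "companyname.com" {
    type master;
    file "companyname.com.external";
};

// ---- companyname.com.external: only what the Internet needs ----
$TTL 86400
@       IN SOA  ns1.companyname.com. hostmaster.companyname.com. (
                2024010101 3600 900 1209600 86400 )   ; constructed serial/timers
        IN NS   ns1.companyname.com.
        IN MX   10 mail.companyname.com.
ns1     IN A    1.2.3.2          ; constructed example address
mail    IN A    1.2.3.5          ; constructed example address
www     IN A    1.2.3.4          ; the NAT'd address from the post

// ---- INTERNAL server (10.2.3.x side): named.conf ----
options {
    directory "/var/named";
    allow-transfer { 10.0.0.0/8; };  // transfers only to inside secondaries
    allow-recursion { 10.0.0.0/8; }; // resolve for inside clients only
    recursion yes;
};
zone "companyname.com" {
    type master;
    file "companyname.com.internal";
};
zone "doubleclick.net" {             // the empty zone mentioned in the post
    type master;
    file "empty.zone";
};

// ---- companyname.com.internal: same names, inside addresses ----
$TTL 86400
@       IN SOA  ns1.companyname.com. hostmaster.companyname.com. (
                2024010101 3600 900 1209600 86400 )   ; constructed serial/timers
        IN NS   ns1.companyname.com.
        IN MX   10 mail.companyname.com.                ; keep MX identical inside
ns1     IN A    10.2.3.2         ; constructed example address
mail    IN A    10.2.3.5         ; constructed example address
www     IN A    10.2.3.3         ; inside clients reach the real server directly
```

Inside clients pointed at the internal server then resolve www to 10.2.3.3 and never traverse the FW-1 NAT rule, which is the failure in the quoted question.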