Here's an interesting situation I've run across, and I'm curious to see if
anyone has seen anything similar.

I've got a PIX firewall that is doing static translation of several servers
in our DMZ. These servers each have one NIC, with an inside 172.16.x.x
address. On the outside, they have a 64.x.x.x address that works fine.
Normally, when people who dial into our network or are at corporate
headquarters query DNS for these servers, they'll get the inside address,
172.16.x.x. When people outside the company query DNS for the same server,
they get the outside address, 64.x.x.x. This seems to work fine.

The problem comes when a user VPNs into our network. They already have a
connection with their ISP and are using the ISP's name servers. Therefore,
when they try to resolve our server name, they get the 64.x.x.x address.
However, since they are VPNed into our network, the 64.x.x.x address is not
valid.

This problem exists even if we provide them with a DNS server
internally; it seems that they resolve from their ISP's servers first.
The only thing I've thought of so far is to have two different names for
each box, but our developers are screaming about that idea.

Is there any way for the PIX to do address translation on some boxes, but not
all? If we could leave these servers in the DMZ with only an outside
address, that would be fantastic. Is this possible with PIX? I've been
told that address translation is an all-or-nothing proposition.

Thanks for any suggestions y'all can provide.
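The two defensive patterns usually applied to the situation the post describes are split-horizon DNS (the name server answers with the inside or outside address depending on where the query comes from) and NAT-side rewriting of A records in DNS replies that cross the translating firewall. The following Python simulation of both is an added example, not code from the poster or from Cisco; the host names, the 172.16/64 address pairs, and the VPN pool network are constructed placeholders. Whether either pattern helps a given VPN client depends on whether its DNS queries are sent through the tunnel, which the post indicates is not the case with the ISP's resolvers.

```python
"""Simulation of split-horizon DNS and NAT rewriting of DNS answers.

Added example (not from the original post or any vendor code). All
addresses and names below are constructed placeholders.
"""
import ipaddress
from typing import List, Optional

# Constructed sample data: each DMZ host has an inside (172.16.x.x) address
# and a statically translated outside (64.x.x.x) address.
STATIC_NAT = {
    "www.example.test": ("172.16.10.5", "64.10.20.5"),
    "mail.example.test": ("172.16.10.6", "64.10.20.6"),
}

# Networks whose clients must be given the inside address: the corporate
# LAN and the VPN address pool (assumed values).
INSIDE_NETWORKS = [
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.200.0.0/24"),  # assumed VPN client pool
]

# Reverse map used when rewriting replies that already carry outside addresses.
OUTSIDE_TO_INSIDE = {outside: inside for inside, outside in STATIC_NAT.values()}


def client_is_inside(client_ip: str) -> bool:
    """True when the querying client sits on the LAN or in the VPN pool."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INSIDE_NETWORKS)


def split_horizon_lookup(name: str, client_ip: str) -> Optional[str]:
    """Answer like a split-horizon DNS server: choose the view by source IP."""
    record = STATIC_NAT.get(name.lower().rstrip("."))
    if record is None:
        return None
    inside, outside = record
    return inside if client_is_inside(client_ip) else outside


def rewrite_answers(answers: List[str], client_ip: str) -> List[str]:
    """Rewrite outside addresses in a reply that is headed to an inside client.

    This mirrors what a NAT device with DNS inspection does: an A record
    carrying the translated (outside) address is swapped for the real
    (inside) address before the reply reaches a client behind the NAT.
    Replies to outside clients are passed through unchanged.
    """
    if not client_is_inside(client_ip):
        return list(answers)
    return [OUTSIDE_TO_INSIDE.get(a, a) for a in answers]


if __name__ == "__main__":
    for client in ("10.200.0.7", "203.0.113.9"):
        print(client, "->", split_horizon_lookup("www.example.test", client))
    print(rewrite_answers(["64.10.20.5", "64.10.20.6"], "10.200.0.7"))
```

The split-horizon function only solves the problem when the client's query actually reaches the internal server; the rewriting function only helps when the reply traverses the firewall doing the translation. A check worth running before picking either approach is to confirm, from a VPN-connected client, which resolver answers the query and which path the reply takes.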
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]