Hi, I'm trying to come up with a firewall ruleset...
A box on a local LAN serves HTTP. A firewall has a static internal IP and a dynamic external IP. The dynamic IP is updated in DNS when it changes. Various domains are listed as CNAMEs to the dynamic A record in DNS. Vdomains all work fine when requests come from outside, but when local machines use the same names, they get to the firewall interface, but either don't make it to the HTTP server, don't make it back to the client, or the client's IP is lost due to 'reverse masquerading', depending on the ruleset used (never actually tried the last one).

So the question: how do I configure the firewall to enable LAN clients to use 'internet DNS names' to connect to a local server via the external IP and have the response properly routed to the client?

In the course of writing this it occurred to me that if I made a virtual DMZ, i.e. put another subnet (alias IP) on the server and firewall LAN interfaces, the firewall could be configured to NAT connections there, whether they came from the regular LAN subnet or the outside... err, but then LAN client responses would go via the local LAN switch and not the firewall, so the client still wouldn't see them.....

So the question again: is there some way to access local services via internet DNS names? In the past I just had a local DNS server with the domains mapped to the local static LAN IP addresses. I'm trying to avoid that and use one set of DNS records. (Don't want a new physical DMZ either.) The only way I see it as possible is through SNAT (i.e. 'reverse masquerading') the local IP as it leaves the firewall for the server, but then the source IP is lost in web logs. :-\

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
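The setup George describes (DNAT on the firewall for the public address, plus SNAT on LAN-originated connections so the server's reply returns through the firewall instead of straight across the LAN switch) is usually called hairpin NAT or NAT loopback. The following is an added example, not George's ruleset or anything from the list; it generates the iptables rules for that arrangement. Every address and interface name in it is a placeholder: the LAN is assumed to be 192.168.1.0/24 on eth1, the web server 192.168.1.10, the firewall's LAN address 192.168.1.1, and the external address is read from EXT_IP (in practice the script would be called from whatever hook updates the dynamic DNS record, since the DNAT rule has to be regenerated whenever the external address changes).

```shell
#!/bin/sh
# Hairpin NAT rules: LAN clients reach a LAN web server through the firewall's
# external address. Constructed example; all addresses/interfaces are placeholders.

# Print (not apply) the iptables commands for one hairpinned service.
#   $1 external (dynamic) IP   $2 LAN interface   $3 LAN subnet
#   $4 server LAN IP           $5 firewall LAN IP
hairpin_rules() {
    ext_ip=$1; lan_if=$2; lan_net=$3; server_ip=$4; fw_lan_ip=$5

    # 1. Anyone (outside or LAN) connecting to the external address on port 80
    #    is redirected to the server. Matching on the destination address rather
    #    than the outside interface is what lets LAN clients use the public name.
    echo "iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $server_ip:80"

    # 2. Only for LAN-originated, hairpinned connections: rewrite the source to
    #    the firewall's LAN address, so the server answers the firewall (which
    #    undoes both translations) instead of answering the client directly over
    #    the switch with a source address the client never connected to.
    #    Direct client->server traffic on the same subnet never crosses the
    #    firewall, so this rule only ever sees the hairpinned flows; the price,
    #    as noted in the post, is that the server's logs show $fw_lan_ip.
    echo "iptables -t nat -A POSTROUTING -s $lan_net -d $server_ip -p tcp --dport 80 -j SNAT --to-source $fw_lan_ip"

    # 3. Let the hairpinned flow through FORWARD (in and out on the same interface).
    echo "iptables -A FORWARD -i $lan_if -o $lan_if -d $server_ip -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $lan_if -o $lan_if -s $server_ip -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Count how many rules a given parameter set produces (used for a quick sanity check).
hairpin_rule_count() {
    hairpin_rules "$@" | wc -l | tr -d ' '
}

# Dry run by default; run with APPLY=1 to execute the commands (requires root,
# a nat-capable kernel and net.ipv4.ip_forward=1, which a routing firewall already has).
EXT_IP=${EXT_IP:-203.0.113.5}     # placeholder: the current dynamic external address
if [ "${APPLY:-0}" = "1" ]; then
    hairpin_rules "$EXT_IP" eth1 192.168.1.0/24 192.168.1.10 192.168.1.1 | sh
else
    hairpin_rules "$EXT_IP" eth1 192.168.1.0/24 192.168.1.10 192.168.1.1
fi
```

Rule 2 is the "reverse masquerading" the post describes, scoped to the one server and port so that only the hairpinned connections lose their client address; if the external address changes, flush the old DNAT rule and rerun with the new EXT_IP from the dynamic DNS update hook.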