I'm also curious why one should provide access to internal DNS records
thru NAT, but if you'd like to provide access to some of your internal
WEB or FTP servers to external clients you'll have to set up a
Split-DNS configuration.
I don't know if M$ or some other commercial servers can support such
configurations, but ISC BIND has such capabilities. Some info and
configuration examples can be found at
http://www.isc.org/sw/bind/arm95/Bv9ARM.ch04.html#id2570613

Also, you should always think about the security issues that can arise
in such configurations.

wbr,
Artyom Davidov
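
A minimal sketch of the split-DNS layout mentioned above, using BIND 9 views. This is an added example, not part of the original message and not copied from the ISC manual; the domain, address ranges, ACL names and file paths are all assumptions.

```conf
// Constructed split-DNS sketch for BIND 9 views.
// Assumptions: example.com is the zone, 10.0.0.0/8 is the inside network,
// 192.0.2.0/24 is the public range used for the static NAT addresses.

acl "inside"      { 127.0.0.1; 10.0.0.0/8; };
acl "secondaries" { 192.0.2.53; };        // hypothetical external secondary

options {
    directory "/var/named";
    version "none";                       // do not advertise the BIND version
    allow-transfer { none; };             // default deny; opened per zone below
};

// Views are matched in order, so the restrictive one comes first.
view "internal" {
    match-clients { "inside"; };
    recursion yes;                        // inside hosts may resolve anything
    zone "example.com" {
        type master;
        file "internal/example.com.db";   // e.g. www IN A 10.1.1.10 (real address)
    };
};

view "external" {
    match-clients { any; };
    recursion no;                         // authoritative answers only
    zone "example.com" {
        type master;
        file "external/example.com.db";   // e.g. www IN A 192.0.2.10 (NAT address)
        allow-transfer { "secondaries"; };
    };
};
```

The external zone file lists only the hosts meant to be published, each with its translated public address, so neither A queries nor AXFR from outside return internal numbering. This assumes the firewall translates only the destination address of inbound queries; if it also rewrote their source to an inside address, external clients would match the internal view.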

Mailing list for discussion of Firewall-1 <[email protected]> 15.02.2008 17:25:12:

> Question is... why would an external host need to access/query your
> internal DNS?
> 
> Usually, any DNS records (that you want to publish) are already
> published on your ISP DNS servers and upward from there.
> 
> If you are using the internal DNS server to forward any DNS changes to
> the ISP then I suggest your internal domain differ from your external
> domain... while one has the external IP address on the records while the
> other has the internal one.
> 
> Myexternaldomain.com   vs myinternaldomain.com
> 
> If it is VPN clients then, yes, it should reply with the internal IP
> address since you have a tunnel to your inside networks.
> 
> I am not aware of any other way to do this thru NAT...
> but I am sure someone will reply with a better method
> 
> Regards
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter
> Olsson
> Sent: Friday, February 15, 2008 5:41 AM
> To: [email protected]
> Subject: [FW-1] Can Checkpoint firewall handle DNS through NAT?
> 
> Our tests indicate that Checkpoint firewall has no support whatsoever
> for DNS through NAT. Not for zone transfers and not even for A records.
> Is this true, or am I missing something?
> 
> An internal DNS server, with a static address translation in the
> firewall, gives its internal IP number in responses to AXFR and A
> queries from external hosts.
> 
> I searched documentation and support but found nothing on the subject.
> 
> Thanks!
> 
> -- 
> Peter Olsson                    [EMAIL PROTECTED]
> 
> Scanned by Check Point Total Security Gateway.
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================