True, but a lot of times folks don't have a spare DNS server sitting around
or don't have the time/expertise to set one up. The procedures I outlined
are work-arounds, for sure, but they get the job done.
Split DNS is certainly the preferable and most elegant solution, however.
-MJL
-----Original Message-----
From: Paul Murphy [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, May 17, 2001 4:47 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [FW1] NAT Question
Split brain DNS. Have your internal DNS have the internal address, and
your public DNS have the translated address.
>>> MICHAEL J LAWRENCE <[EMAIL PROTECTED]> 5/16/2001 12:44:03 am >>>
There are a couple of ways to approach this. I prefer, however, not to
run traffic in and out of a routing device or firewall unnecessarily. That
is, I don't like to bounce traffic off the firewall and back into the
internal network when the destination host is simply a piece of wire away.
Since they're using Exchange, they're probably running NT internally. If
possible, set up hosts files to indicate the actual private address. (NT
experts: can you do this in a DHCP scope?)
Otherwise, use manual translation to tell the firewall to translate
traffic from the internal network to the exchange server to the exchange
server's private address. Kind of clumsy, but it works.
source: internal_net
destination: Exchange_Public_Address
xlate source: internal net
xlate destination: Exchange_Private_Address.
Michael J Lawrence CISSP CCSI
-----Original Message-----
From: Kondisetty, Sudhir [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, May 15, 2001 9:18 AM
To: '[EMAIL PROTECTED]'
Subject: [FW1] NAT Question
Hello all,
I'm helping a company upgrade their CheckPoint firewall. They have an
Exchange server on their internal network running Outlook Web Access (OWA).
Though they have plans to move it to their DMZ, for now they have to keep it
on their internal network. The firewall is performing address translation
on the server. The outside world and dmz access it fine. However, the
internal hosts are having trouble accessing it. The DNS server the client
is using is returning the valid (translated) address, not the actual
(internal) address. If I traceroute the translated address, the path looks
correct - client>router>firewall>router>server. However, they are not able
to access the server via http. If I have them type in the actual address in
the URL, they have no problem.
Any ideas?
Thanks!
Sudhir
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
------------------------------------------------------------------------
CRESTCo Ltd.
33 Cannon Street.
London EC4M 5SB (UK)
+44 (020) 7849 0000 http://www.crestco.co.uk
The views expressed above are not necessarily those held by CRESTCo Limited.
------------------------------------------------------------------------
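Added example, not part of the original thread or of any Check Point tooling: a small Python model of the two fixes discussed above, split-brain DNS and the manual translation rule, plus a check that flags internal DNS records still pointing at a translated address. All addresses, the name owa.example.com, the catch-all rule for outside clients and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data (private/documentation ranges, not from the thread).
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")
EXCHANGE_PRIVATE = ipaddress.ip_address("10.1.20.5")
EXCHANGE_PUBLIC = ipaddress.ip_address("192.0.2.25")

# Split-brain DNS: same name, one answer per view.
ZONES = {
    "internal": {"owa.example.com": EXCHANGE_PRIVATE},
    "public": {"owa.example.com": EXCHANGE_PUBLIC},
}

# Manual translation rules, evaluated top down:
# (source net, original destination, translated destination).
# The source address is left unchanged, as in the rule quoted in the thread.
NAT_RULES = [
    (INTERNAL_NET, EXCHANGE_PUBLIC, EXCHANGE_PRIVATE),
    # Assumed rule for outside clients reaching the published address.
    (ipaddress.ip_network("0.0.0.0/0"), EXCHANGE_PUBLIC, EXCHANGE_PRIVATE),
]


def resolve(name, client_ip):
    """Answer from the internal view for internal clients, else the public view."""
    inside = ipaddress.ip_address(client_ip) in INTERNAL_NET
    return ZONES["internal" if inside else "public"][name]


def translate(src, dst):
    """Apply the first matching rule; return (src, dst, rule index or None)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (net, orig_dst, new_dst) in enumerate(NAT_RULES):
        if src in net and dst == orig_dst:
            return src, new_dst, i
    return src, dst, None


def hairpin_names(internal_zone):
    """Names whose internal answer is a translated address, so internal
    clients would be sent through the firewall to reach an internal host."""
    translated = {orig for _, orig, _ in NAT_RULES}
    return sorted(n for n, addr in internal_zone.items() if addr in translated)
```

Running hairpin_names over an export of the internal zone lists the records that need an internal-view answer before the manual rule can be retired.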