Eliot makes a good point about DNS. This sounds like a perfect case for split DNS, to maintain isolation of both the (private) inside of the NAT point and the site local addresses from the public Internet. What people see on DNS inside should be reachable from the inside, but what they see on DNS outside should be nothing(?). It sounds like the site in question has a single DNS and it's telling outsiders about private stuff that should not be allowed to escape.
Walt Lazear -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------