This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Routing INT -> EXT -> DNAT -> INT

Here is the issue I am experiencing.  We have one webmail server on our INT network that is being DNAT from an EXT address.  From the outside world, users can easily access this server by typing www.webmail.com.

Users on the INT network would like to be able to do the same thing.  www.webmail.com of course resolves to the EXT IP and the connection fails.  If users use the internal computer name mailserv then everything works fine.

Setting up an internal DNS server that resolves www.webmail.com to an internal IP would work, but it would create a lot of extra work with respect to the DNS database maintenance.

Any thoughts?  Am I missing something obvious or otherwise?

This thread was automatically locked due to age.

Parents

0 Resistance over 23 years ago

That has been a network issue forever now with NAT in general. The only way is to have an internal DNS be specified for client workstation and sepereate the external DNS server. Then setup the internal DNS server with the appropiate names and forwared anything non internal to the firewall.

I too would be interested in another way of doing this if possible

Resistance
Cancel
Vote Up 0 Vote Down

Cancel
0 Chris2 over 23 years ago in reply to Resistance

what you can do out of setting up a DNS Server is (yes, work..) resolving the adress via hosts.conf(*nix)/lmhosts(win*).
This should be quite easy via logon script...

Chris
Cancel
Vote Up 0 Vote Down

Cancel
0 Chris2 over 23 years ago in reply to Chris2

sorry, nor host.conf but hosts
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Ziegler over 23 years ago in reply to Chris2

hi tim,

the problem is a routing problem in general - and it is not so easy to solve. do you masquerade your internal network - this should help.
there are some other possibilities to solve this - but not without some effort.

some hacks:
- use a 'patched' dns-server
- change each client's host-file to resolve www.webmail.com to internal address
- add a dmz or service area (call it what you want) on a third fw-interface. place your proxy-server there. be sure that this network is being masqueraded to the outside wourld!

dirty (!!!) hack:
- on the webmail-server: route the internal network not via eth0, but via asl's internal interface (no guarantee!)

bye,
michael
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Michael Ziegler over 23 years ago in reply to Chris2

hi tim,

the problem is a routing problem in general - and it is not so easy to solve. do you masquerade your internal network - this should help.
there are some other possibilities to solve this - but not without some effort.

some hacks:
- use a 'patched' dns-server
- change each client's host-file to resolve www.webmail.com to internal address
- add a dmz or service area (call it what you want) on a third fw-interface. place your proxy-server there. be sure that this network is being masqueraded to the outside wourld!

dirty (!!!) hack:
- on the webmail-server: route the internal network not via eth0, but via asl's internal interface (no guarantee!)

bye,
michael
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Tim Rosenquist over 23 years ago in reply to Michael Ziegler

Thanks for the feedback.
We finally decided that a simple alias for our internal DNS server was the way to go. Users have been educated to use webmail internally rather than www.webmail.com. Externally they still use www.webmail.com. It was decided that this was the best compromise.
Cancel
Vote Up 0 Vote Down

Cancel
0 MMA over 23 years ago in reply to Tim Rosenquist

show hosts file and ..

1.2.3.4 www.webmail.com
and dns cache..?
Cancel
Vote Up 0 Vote Down

Cancel