RE: [FW1] POP3 from inside problems
Just for info on why you cannot use the external addresses from the inside, if you are interested.

       ___
      |   |Firewall-1 Running NAT
       ---
 ---    |    ---
|   |-------|   |
 ---         ---
Client      Server
10.1.1.1    10.1.1.2 (Internet IP 191.1.1.2)

When the request leaves the client it goes from 10.1.1.1 to 191.1.1.2.
The firewall NATs the Dest address to 10.1.1.2; the request now goes from 10.1.1.1 to 10.1.1.2.
The Server replies from 10.1.1.2 to 10.1.1.1.
The client receives the response and does not recognise it (it expects it to be from 191.1.1.2) and the packet is dropped.

The solution is really to use split DNS as others have suggested. Refer to the Server by name and have an inside DNS resolve that to 10.1.1.2. The outside continues to resolve it to 192.1.1.2.

Hope this helps clear up your question.

Russell

-----Original Message-----
From: Dan Hitchcock [mailto:[email protected]]
Sent: 25 April 2001 10:19
To: 'Martin Flagg'; '[email protected]'
Subject: RE: [FW1] POP3 from inside problems

True true true :)

I have never heard a completely satisfying answer for this, but in my empirical experience, you cannot access a server by "bouncing off" the external IP address and back in. I've tried with PIX, CP4.x, and Watchguard, all with the same results. The answer is usually to set up internal DNS for the machines you need to access, and educate users accordingly.

If anyone has an explanation (or, better yet, a solution) to this conundrum, please post.

A thought: if you disable anti-spoofing, does it work?

Dan Hitchcock
Network [email protected]
Xylo, Inc.
The work/life solution for corporate thought leaders

-----Original Message-----
From: Martin Flagg [mailto:[email protected]]
Sent: Monday, January 15, 2001 2:29 PM
To: '[email protected]'
Subject: [FW1] POP3 from inside problems

I have an Exchange 5.5 server on a private NATed network. It sends and receives SMTP mail fine. POP3 clients from the outside work fine.
When users from the inside use the "valid" IP address for the server they cannot connect with their POP clients to the Exchange server.

Martin D. Flagg
Sr. Systems Engineer

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
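
Added example, not part of the original thread: a small Python model of the packet flow described in the reply above, showing why the inside client discards the server's answer and why split DNS avoids the problem. It assumes that hosts on the same 10.1.1.x segment reach each other directly without passing back through the firewall; the name mail.example.com and the outside client 198.51.100.7 are constructed placeholders.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")

# Addresses taken from the diagram in the thread.
CLIENT, SERVER_INSIDE, SERVER_PUBLIC = "10.1.1.1", "10.1.1.2", "191.1.1.2"
INSIDE_NET = "10.1.1."

# Split DNS: the same (constructed) name resolves differently per view.
DNS_VIEWS = {"inside": {"mail.example.com": SERVER_INSIDE},
             "outside": {"mail.example.com": SERVER_PUBLIC}}

def resolve(name, view):
    return DNS_VIEWS[view][name]

def firewall_dnat(pkt):
    """Static NAT on the request: only the destination is rewritten."""
    return pkt._replace(dst=SERVER_INSIDE) if pkt.dst == SERVER_PUBLIC else pkt

def firewall_reverse_nat(pkt):
    """Undo the translation on replies that pass back through the firewall."""
    return pkt._replace(src=SERVER_PUBLIC) if pkt.src == SERVER_INSIDE else pkt

def same_segment(a, b):
    # Assumption: both hosts on 10.1.1.x talk directly, bypassing the firewall.
    return a.startswith(INSIDE_NET) and b.startswith(INSIDE_NET)

def connect(client, target):
    """Return (accepted, reply) for a connection from client to target."""
    request = Packet(client, target)
    if not same_segment(client, target):
        request = firewall_dnat(request)          # routed via the firewall
    reply = Packet(src=request.dst, dst=request.src)  # server answers the source it saw
    if not same_segment(reply.src, reply.dst):
        reply = firewall_reverse_nat(reply)       # only crossing replies are fixed up
    # The client matches replies against the address it connected to.
    return reply.src == target, reply

if __name__ == "__main__":
    cases = [("inside client, public IP", CLIENT, SERVER_PUBLIC),
             ("outside client, public IP", "198.51.100.7", SERVER_PUBLIC),
             ("inside client, split DNS", CLIENT,
              resolve("mail.example.com", "inside"))]
    for label, client, target in cases:
        ok, reply = connect(client, target)
        print(f"{label}: reply {reply.src} -> {reply.dst}, accepted={ok}")
```
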