
RE: [FW1] POP3 from inside problems



Just for info on why you cannot use the external addresses from the inside, if
you are interested.

      ___
      | |Firewall-1 Running NAT
      ---
 ---   |   ---
 | |-------| |
 ---       ---
Client    Server
10.1.1.1  10.1.1.2 (Internet IP 191.1.1.2)

When the request leaves the client it goes from 10.1.1.1 to 191.1.1.2
The firewall NAT's the Dest address to 10.1.1.2, the request now goes from
10.1.1.1 to 10.1.1.2.
The Server replies from 10.1.1.2 to 10.1.1.1.
The client receives the response and does not recognise it (it expects it to
be from 191.1.1.2) and the packet is dropped.
The solution is really to use split DNS as others have suggested. Refer to
the Server by name and have an inside DNS resolve that to 10.1.1.2. The
outside continues to resolve it to 192.1.1.2.
Hope this helps clear up your question.

Russell

-----Original Message-----
From: Dan Hitchcock [mailto:[email protected]]
Sent: 25 April 2001 10:19
To: 'Martin Flagg'; '[email protected]'
Subject: RE: [FW1] POP3 from inside problems



True true true :)

I have never heard a completely satisfying answer for this, but in my empirical
experience, you cannot access a server by "bouncing off" the external IP
address and back in.  I've tried with PIX, CP4.x, and Watchguard, all with
the same results.  The answer is usually to set up internal DNS for the
machines you need to access, and educate users accordingly.  If anyone has
an explanation (or, better yet, a solution) to this conundrum, please post.

A thought:  if you disable anti-spoofing, does it work?

Dan Hitchcock
Network [email protected]
Xylo, Inc.
The work/life solution for corporate thought leaders


-----Original Message-----
From: Martin Flagg [mailto:[email protected]]
Sent: Monday, January 15, 2001 2:29 PM
To: '[email protected]'
Subject: [FW1] POP3 from inside problems



I have an Exchange 5.5 server on a private NATed network.  It sends and
receives SMTP mail fine.  POP3 clients from the outside work fine.  When
users from the inside use the "valid" IP address for the server they cannot
connect with their POP clients to the Exchange server.  


Martin D. Flagg				
Sr. Systems Engineer			


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
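
The packet flow described in the thread, modelled as an added example (not code from any poster or from Check Point). Addresses come from the diagram; the /24 mask, the outside host 198.51.100.7 and the name mail.example.com are assumptions made for illustration.

```python
# Added illustration; addresses are from the diagram, the /24 mask is assumed.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")
CLIENT, SERVER_INSIDE, SERVER_PUBLIC = "10.1.1.1", "10.1.1.2", "191.1.1.2"
OUTSIDE_CLIENT = "198.51.100.7"              # constructed Internet host
DNAT = {SERVER_PUBLIC: SERVER_INSIDE}        # firewall's static NAT rule
# Split DNS: hypothetical name, one answer per view.
ZONES = {"inside": {"mail.example.com": SERVER_INSIDE},
         "outside": {"mail.example.com": SERVER_PUBLIC}}

def same_lan(a, b):
    """True when both hosts share the assumed /24, so traffic skips the firewall."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]

def nat_inbound(pkt):
    """Request through the firewall: only the destination is rewritten."""
    return Packet(pkt.src, DNAT.get(pkt.dst, pkt.dst))

def nat_outbound(pkt):
    """Reply through the firewall: the source is mapped back to the public address."""
    reverse = {inside: public for public, inside in DNAT.items()}
    return Packet(reverse.get(pkt.src, pkt.src), pkt.dst)

def connect(client, dst):
    """Return (accepted, reply) for one request/reply exchange."""
    request = Packet(client, dst)
    if not same_lan(client, dst):            # off-subnet: routed via the firewall
        request = nat_inbound(request)
    reply = Packet(request.dst, request.src) # server answers the source it saw
    if not same_lan(reply.src, reply.dst):   # only off-LAN replies cross the firewall
        reply = nat_outbound(reply)
    # The client matches replies against the address it originally connected to.
    return reply.src == dst, reply

def connect_by_name(client, name, view):
    """Resolve the name in the given DNS view, then connect to the answer."""
    return connect(client, ZONES[view][name])

if __name__ == "__main__":
    for label, result in [
        ("inside -> public IP", connect(CLIENT, SERVER_PUBLIC)),
        ("outside -> public IP", connect(OUTSIDE_CLIENT, SERVER_PUBLIC)),
        ("inside -> name (split DNS)", connect_by_name(CLIENT, "mail.example.com", "inside")),
    ]:
        print(f"{label:28} accepted={result[0]} reply={result[1]}")
```

Only the first case fails: the reply never passes back through the firewall, so its source is never mapped back to the public address the client is waiting on.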




   All contents © 2004 Network Presence, LLC. All rights reserved.