Thanks to another list member for answering this question for me a while back -

The reason the ping (and any other IP protocol) fails is that the client originating the ping receives the reply from a different address than it expects.

For example, if your machine (e.g. 10.5.5.5) pings server 209.5.5.5 (external NAT address), the firewall then translates the packet destination and forwards the packet to the internal server (e.g. 10.5.5.1). When server 10.5.5.1 receives the ping and sees that its origin is 10.5.5.5 (on its same subnet), it sends the reply directly back to the client (with a source of its real IP, of course - 10.5.5.1). The client, upon receiving this packet, ignores it, since it is waiting for a reply from 209.5.5.5.

Hope that makes sense. You may be able to work around it by creating a NAT rule that translates both source and destination for packets from inside headed for NATs on the firewall. It would need to go above any other NAT rules involving either the internal network or the public servers. Haven't had a chance to test...

The solution you propose (DNS) is the most common resolution to this issue. I don't call it a "problem," since it's just the way that IP works.

Let me know if you have a chance to test, and what happens.
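The asymmetric return path described in the reply above, and the suggested source-plus-destination ("hairpin") NAT rule, as an added simulation that is not part of the thread. It models the firewall's translation table for the addresses used in the post (client 10.5.5.5, internal server 10.5.5.1, public NAT address 209.5.5.5); the firewall's inside address 10.5.5.254 and the use of the ICMP echo identifier as the connection-tracking key are assumptions for the illustration.

```python
"""Added example: why an inside client's ping to a public static-NAT address gets
no reply with destination-only NAT, and why translating the source as well fixes it.
Addresses follow the mailing-list post; FW_INSIDE is an assumed firewall inside address."""
from dataclasses import dataclass, replace
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.5.5.0/24")
FW_INSIDE = "10.5.5.254"                   # assumed firewall inside address
STATIC_NAT = {"209.5.5.5": "10.5.5.1"}     # public address -> real server address
REVERSE_NAT = {v: k for k, v in STATIC_NAT.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int  # ICMP echo identifier; the client matches replies on it


class DnatOnly:
    """Static NAT as the original poster has it: destination rewritten, source untouched."""

    def __init__(self):
        self.conntrack = {}  # ident -> original client address

    def outbound(self, pkt):
        if pkt.dst in STATIC_NAT:
            self.conntrack[pkt.ident] = pkt.src
            return replace(pkt, dst=STATIC_NAT[pkt.dst])
        return pkt

    def inbound(self, pkt):
        # Reply from the real server passing back through the firewall:
        # restore the public address as the source.
        if pkt.src in REVERSE_NAT and pkt.ident in self.conntrack:
            return replace(pkt, src=REVERSE_NAT[pkt.src])
        return pkt


class Hairpin(DnatOnly):
    """The workaround suggested in the reply: inside -> public-NAT traffic also gets its
    source translated (here to the firewall's inside address), so the server's reply is
    addressed to the firewall and must come back through it to be un-NATted."""

    def outbound(self, pkt):
        if ipaddress.ip_address(pkt.src) in INSIDE_NET and pkt.dst in STATIC_NAT:
            self.conntrack[pkt.ident] = pkt.src
            return Packet(src=FW_INSIDE, dst=STATIC_NAT[pkt.dst], ident=pkt.ident)
        return super().outbound(pkt)

    def inbound(self, pkt):
        if pkt.dst == FW_INSIDE and pkt.ident in self.conntrack:
            return Packet(src=REVERSE_NAT.get(pkt.src, pkt.src),
                          dst=self.conntrack[pkt.ident], ident=pkt.ident)
        return super().inbound(pkt)


def ping(policy, client="10.5.5.5", public="209.5.5.5", ident=1):
    """Simulate one echo request/reply. Returns the reply as the client accepts it,
    or None if the client discards what arrives (or nothing arrives)."""
    request = Packet(src=client, dst=public, ident=ident)
    # 209.5.5.5 is off-subnet, so the client's default route hands the request to the firewall.
    at_server = policy.outbound(request)
    # The server answers whatever source address the request appears to carry.
    reply = Packet(src=at_server.dst, dst=at_server.src, ident=ident)
    if ipaddress.ip_address(reply.dst) in INSIDE_NET and reply.dst != FW_INSIDE:
        delivered = reply                  # same subnet: ARP and deliver directly, firewall never sees it
    else:
        delivered = policy.inbound(reply)  # addressed to the firewall, which un-NATs it
    # An echo reply is only matched if it comes from the address that was pinged.
    if delivered.dst == client and delivered.src == public:
        return delivered
    return None


if __name__ == "__main__":
    print("DNAT only:", ping(DnatOnly()))  # None: reply arrived from 10.5.5.1, not 209.5.5.5
    print("hairpin  :", ping(Hairpin()))   # Packet(src='209.5.5.5', dst='10.5.5.5', ident=1)
```

The cost of the hairpin rule is visible in the model: with the source rewritten to the firewall's address, the server's logs show every inside client as 10.5.5.254, which is one reason split DNS (resolving the public names to private addresses internally) is usually preferred over hairpin NAT.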
We recently moved to using NAT on our firewall:

Private range: 192.168.0.0 -- 192.168.0.1 - 192.168.0.100 for servers, switches etc.
DHCP: 192.168.0.101 - 254 DHCP clients

We have internal web servers and a mail server with FQDNs that outside can access no problems by using static NAT.

Problem is internal clients cannot connect to these public (statically NATted) IP addresses within the local network. They can connect to it with the private address.

The only fix I have so far is by putting hosts files on their machines so that the web and mail servers get resolved to the private IP address. Also using internal DNS.

Question is why are these internal clients not able to access the public IP address of the web server? I cannot ping this web server by its public IP address. I can ping the firewall's both internal and public IP addresses.

Yes, the web server's statically NATted address is in the same subnet as the firewall's external IP.