
RE: [FW1] NAT Question



True, but a lot of times folks don't have a spare DNS server sitting around 
or don't have the time/expertise to set one up.  The procedures I outlined 
are work-arounds, for sure, but they get the job done.

Split DNS is certainly the preferable and most elegant solution, however.

-MJL

-----Original Message-----
From:	Paul Murphy [SMTP:[email protected]]
Sent:	Thursday, May 17, 2001 4:47 AM
To:	[email protected]; [email protected]; 
[email protected]
Subject:	RE: [FW1] NAT Question


Split brain DNS.  Have your internal DNS have the internal address, and 
your public DNS have the translated address.

>>> MICHAEL J LAWRENCE <[email protected]> 5/16/2001 12:44:03 am >>>

There are a couple of ways to approach this.  I prefer, however, not to
run traffic in and out of a routing device or firewall unnecessarily.  That
is, I don't like to bounce traffic off the firewall and back into the
internal network when the destination host is simply a piece of wire away.

Since they're using Exchange, they're probably running NT internally.  If
possible, set up hosts files to indicate the actual private address.  (NT
experts: can you do this in a DHCP scope?)

Otherwise, use manual translation to tell the firewall to translate
traffic from the internal network to the exchange server to the exchange
server's private address.  Kind of clumsy, but it works.

source: internal_net
destination: Exchange_Public_Address

xlate source: internal net
xlate destination: Exchange_Private_Address.

Michael J Lawrence CISSP CCSI

-----Original Message-----
From:	Kondisetty, Sudhir [SMTP:[email protected]]
Sent:	Tuesday, May 15, 2001 9:18 AM
To:	'[email protected]'
Subject:	[FW1] NAT Question


Hello all,

I'm helping a company upgrade their CheckPoint firewall.  They have an
Exchange server on their internal network running Outlook Web Access (OWA).
Though they have plans to move it to their DMZ, for now they have to keep it
on their internal network.  The firewall is performing address translation
on the server.  The outside world and dmz access it fine.  However, the
internal hosts are having trouble accessing it.  The DNS server the client
is using is returning the valid (translated) address, not the actual
(internal) address.  If I traceroute the translated address, the path looks
correct - client>router>firewall>router>server.  However, they are not able
to access the server via http.  If I have them type in the actual address in
the URL, they have no problem.
Any ideas?
Thanks!
Sudhir


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================







---------------------------------------------------------------------------
CRESTCo Ltd.             The views expressed above are not necessarily those
33 Cannon Street.        held by CRESTCo Limited.
London  EC4M 5SB (UK)
+44 (020) 7849 0000     http://www.crestco.co.uk
---------------------------------------------------------------------------
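
Added example, not part of the original thread: one way to set up the split DNS suggested above, sketched as BIND 9 views. The use of BIND, the zone example.com, the host name owa, the file paths and both addresses (10.1.1.10 as the private address, 192.0.2.10 as the translated one) are assumed placeholders.

```bind
// named.conf fragment (added example; all names and addresses are placeholders)
acl "internal_net" { 10.0.0.0/8; };   // assumed internal address space

// Internal clients match this view and are given the server's private address,
// so their traffic never has to bounce off the firewall.
view "internal" {
    match-clients { "internal_net"; localhost; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/db.example.com";
        // that file holds:  owa  IN  A  10.1.1.10    ; Exchange_Private_Address
    };
};

// Everyone else is given the translated (public) address.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/db.example.com";
        // that file holds:  owa  IN  A  192.0.2.10   ; Exchange_Public_Address
    };
};
```

Views are matched in the order they appear, so the internal view has to come first, and once any view is defined every zone must be placed inside a view.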





 
   All contents © 2004 Network Presence, LLC. All rights reserved.