PC Review

can't access public website from within web server domain, need to force NAT

Will
10th Jun 2004
Greetings. I have set up a cluster of 3 win2k3 machines to serve up
public websites. They are all part of one domain, with one machine
acting as the DC/DNS server.

My problem is that FROM THE MACHINES THEMSELVES I cannot access the
public websites that the servers are serving up. The reason is
that I have a firewall that uses NAT to convert public IP requests
to a non-routable subnet (e.g. 63.254.267.15 -> 192.168.10.10) and
requests from behind my firewall are not routed back out and in
through the firewall.

So I am forced to edit the system32/drivers/etc/hosts file to map
"mycompany.com" to 192.168.10.10 so that I can browse the websites
from within the domain. (I need to do this because we have one machine
consuming web services from the other machine and it is doing so by
domain, e.g. xml.mycompany.com/someservice.asmx/getdata).

Is this a DNS issue? Or is this perhaps a problem with my firewall
setup? Is there a way w/ DNS or other networking configurations to
force these internal http requests to go outside the firewall so they
can be NAT'ed and served up correctly? Or is the hosts file my only
solution?

Thanks for your help with this!

Will

Phillip Windell
10th Jun 2004
"Will" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Is this a DNS issue?


Yes...

> Or is this perhaps a problem with my firewall setup?


No. It is normal behavior tied to how TCP/IP combined with Ethernet (MAC
addresses) works. The packet is trying to both leave and enter the same
external NIC of the firewall at the same time, therefore the source MAC
address *and* the destination MAC address in the packet's Layer 2 header
have the same address. Since the source and destination MACs can't both be
the same (and still work) it sort of "shoots itself in the head".

The following article describes this in the context of MS's ISA running the
SecureNAT Service, but the principles are the same with any NAT-based
firewall. It is kind of hard to follow, but the data is there.

[Note: that's underscores between words, not spaces]
http://www.isaserver.org/articles/14..._Solution.html

> Is there a way w/ DNS or other networking configurations to
> force these internal http requests to go outside the firewall so they
> can be NAT'ed and served up correctly?
> Or is the hosts file my only solution?


What you want is to have a record in your own DNS server for these sites'
"domain names" that resolves to the internal *private IP#* instead of the
public IP#, and then make sure that your own DNS is the first DNS server
queried by these machines. This allows these web servers to
communicate directly with each other without involving the firewall at all (it
also allows your internal users to work the same way). The only time that
the firewall should be involved is when an outside host makes a request to
those machines from the Internet. Any internal machine should *never* have
to go to the firewall to get to something that is already positioned
physically on the same side of the firewall that the requesting machine is
already on.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Steven L Umbach
10th Jun 2004
You can use hosts or try to add a primary domain zone to your AD domain server that
matches the domain name for your website and add a static host record to it for the
web server name that you refer to it by in the IE address bar. Then your internal
lookups will go to that zone as being authoritative while outside users will still use
"external" DNS servers to find your website. -- Steve


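The split-horizon DNS setup that both replies describe (Phillip's internal record pointing at the private IP, Steven's authoritative internal zone with a static host record), as an added example that is not part of the original thread: a small Python audit that reads the public zone and the internal override zone and reports the two mistakes that are easy to make once the internal server is authoritative for the same name. Names that exist in the public zone but were not copied into the internal one will get NXDOMAIN from inside (the authoritative internal zone never falls through to public DNS), and names whose internal record still carries the public address will still be sent to the firewall's outside interface and hit exactly the hairpin problem in the question. The zone data, mycompany.com, the 192.168.10.x addresses and the 203.0.113.x / 198.51.100.x addresses (RFC 5737 documentation ranges) are constructed placeholders.

```python
import ipaddress

# Constructed sample zones, not taken from the thread. The public side uses
# RFC 5737 documentation addresses; the private side is the 192.168.10.0/24
# subnet the original poster mentions. The internal zone deliberately lacks
# "mail" and carries a public address for "xml" so the audit has something
# to report.
PUBLIC_ZONE = """\
$ORIGIN mycompany.com.
@      IN A  203.0.113.10
www    IN A  203.0.113.10
xml    IN A  203.0.113.11
mail   IN A  203.0.113.12
"""

INTERNAL_ZONE = """\
$ORIGIN mycompany.com.
@      IN A  192.168.10.10
www    IN A  192.168.10.10
xml    IN A  203.0.113.11   ; copied from the public zone by mistake
"""

# Explicit RFC 1918 test rather than ipaddress.is_private, which also
# reports the RFC 5737 documentation ranges as private.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr lies in one of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)


def parse_zone(text):
    """Return {fqdn: [IPv4Address, ...]} for the A records of a minimal zone
    file. Understands $ORIGIN, '@', relative and absolute owner names, ';'
    comments and optional TTL/class fields; other record types are skipped."""
    origin = ""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        owner = fields[0]
        try:
            type_idx = next(i for i, tok in enumerate(fields[1:], 1)
                            if tok.upper() == "A")
        except StopIteration:
            continue  # not an A record (MX, CNAME, $TTL, ...)
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}" if origin else owner
        records.setdefault(fqdn.lower(), []).append(
            ipaddress.ip_address(fields[type_idx + 1]))
    return records


def audit_split_horizon(public_text, internal_text):
    """Compare the internal override zone with the public zone.

    missing: in the public zone but absent internally. Because the internal
             zone is authoritative, internal clients get NXDOMAIN for these.
    hairpin: internal answer is still a public address, so internal clients
             are sent to the firewall's outside interface (the thread's bug).
    ok:      internal answer is an RFC 1918 address, traffic stays inside.
    """
    public = parse_zone(public_text)
    internal = parse_zone(internal_text)
    missing = sorted(set(public) - set(internal))
    hairpin, ok = [], []
    for name in sorted(internal):
        (ok if all(is_rfc1918(a) for a in internal[name]) else hairpin).append(name)
    return {"missing": missing, "hairpin": hairpin, "ok": ok}


def resolve(name, client_ip, public_text=PUBLIC_ZONE, internal_text=INTERNAL_ZONE):
    """Answer the way split-horizon DNS does: RFC 1918 clients are served from
    the internal zone (authoritative, so an unknown name is None/NXDOMAIN),
    everyone else from the public zone."""
    client = ipaddress.ip_address(client_ip)
    zone = parse_zone(internal_text if is_rfc1918(client) else public_text)
    addrs = zone.get(name.rstrip(".").lower())
    return [str(a) for a in addrs] if addrs else None


if __name__ == "__main__":
    for key, names in audit_split_horizon(PUBLIC_ZONE, INTERNAL_ZONE).items():
        print(f"{key:8}: {', '.join(names) or '-'}")
    print("xml from inside :", resolve("xml.mycompany.com", "192.168.10.20"))
    print("xml from outside:", resolve("xml.mycompany.com", "198.51.100.7"))
    print("mail from inside:", resolve("mail.mycompany.com", "192.168.10.20"))
```

Run it against zone-file exports of the public DNS and of the AD DNS server before cutting over, and again whenever a public record changes. The "missing" list is the check worth automating: an authoritative internal copy of mycompany.com silently breaks every public name you forgot to carry over, not just the web hosts you were thinking about.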