can't access public website from within web server domain, need to force NAT

Discussion in 'Microsoft Windows 2000 Networking' started by Will, Jun 10, 2004.

  1. Will

    Will Guest

    Greetings. I have set up a cluster of 3 win2k3 machines to serve up
    public websites. They are all part of one domain, with one machine
    acting as the DC/DNS server.

    My problem is that FROM THE MACHINES THEMSELVES I cannot access the
    public websites that the servers are serving up. The reason is
    because I have a firewall that uses NAT to convert public IP requests
    to a non-routable subnet (e.g. 63.254.267.15 -> 192.168.10.10) and
    requests from behind my firewall are not routed back out and in
    through the firewall.

    So I am forced to edit the system32/drivers/etc/hosts file to map
    "mycompany.com" to 192.168.10.10 so that I can browse the websites
    from within the domain. (I need to do this because we have one machine
    consuming web services from the other machine and it is doing so by
    domain, e.g. xml.mycompany.com/someservice.asmx/getdata).

    Is this a DNS issue? Or is this perhaps a problem with my firewall
    setup? Is there a way w/ DNS or other networking configurations to
    force these internal http requests to go outside the firewall so they
    can be NAT'ed and served up correctly? Or is the hosts file my only
    solution?

    Thanks for your help with this!

    Will
     
    Will, Jun 10, 2004
    #1

  2. "Will" <> wrote in message
    news:...
    > Is this a DNS issue?


    Yes...

    > Or is this perhaps a problem with my firewall setup?


    No. It is normal behavior tied to how TCP/IP combined with Ethernet (MAC
    addresses) works. The packet is trying to both leave and enter the same
    external NIC of the firewall at the same time, therefore the Source MAC
    address *and* the Destination MAC address in the packet's Layer 2 header
    have the same address. Since the Source and Destination MACs can't both be
    the same (and still work) it sort of "shoots itself in the head".

    The following article describes this in the context of MS's ISA running the
    SecureNAT Service, but the principles are the same with any NAT-based
    firewall. It is kind of hard to follow, but the data is there.

    [Note: that's underscores between words, not spaces]
    http://www.isaserver.org/articles/14120_Errors_Discussion_and_Solution.html

    > Is there a way w/ DNS or other networking configurations to
    > force these internal http requests to go outside the firewall so they
    > can be NAT'ed and served up correctly?
    > Or is the hosts file my only solution?


    What you want is to have a record in your own DNS server for these sites'
    "Domain Names" that resolves to the internal *Private IP#* instead of the
    Public IP#, and then make sure that your own DNS is the first DNS server
    these machines query. This allows these web servers to
    communicate directly with each other without involving the firewall at all (it
    also allows your internal users to work the same way). The only time that
    the firewall should be involved is when an outside host makes a request to
    those machines from the Internet. Any internal machine should *never* have
    to go to the firewall to get to something that is already positioned
    physically on the same side of the firewall that the requesting machine is
    already on.

    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Jun 10, 2004
    #2

  3. You can use hosts or try to add a primary domain zone to your AD domain server that
    matches the domain name for your website and add a static host record to it for the
    web server name that you refer to it by in the IE address bar. Then your internal
    lookups will go to that zone as being authoritative while outside users will still use
    "external" DNS servers to find your website. -- Steve


     
    Steven L Umbach, Jun 10, 2004
    #3
