Re: Correct routing/DNS config for dual-homed 2000 svr

From: Chris Cowling (ccowling_at_questfm.co.uk)
Date: 03/19/04


Date: Fri, 19 Mar 2004 10:11:56 -0000

Niall,

The whole idea of having a DMZ is that the machines exist on a
separate subnet to your LAN. The fact you have multi-homed these machines
entirely defeats the object of having a DMZ.

Your DMZ servers should have one NIC that is connected to your firewall
(in a three-homed configuration) or a router/hub that is connected to your
two firewalls (back-to-back configuration). Your firewall(s) should then be
configured with appropriate IP routing and IP packet filtering to allow only
specified traffic in/out of your DMZ and LAN.

If you would like me to run you through this, reply to me and I will be happy
to help.

Kind Regards

Chris Cowling, MCP

"Niall Porter" <niallporter@yahoo.co.uk> wrote in message
news:2db8d05e.0403190117.69497591@posting.google.com...
> Hi,
>
> I'm at the end of my proverbial on this one. Can someone help?
>
> SCENARIO:
> We have a number of Win2k servers in a dual homed configuration
> whereby one NIC connects to our LAN and the other to our DMZ for
> serving FTP, web etc. We have two internal DNS machines and are
> provided with addresses for two external DNS servers from our
> connectivity provider.
>
> I have set up the internal NICs to use the internal DNS servers and
> the external NICs to use the external DNS. This seems to work fine
> for a while (a day, few days, anything up to a couple of weeks) then
> suddenly the machines cannot be reached from outwith our LAN.
>
> However, and this is the bit that strikes me as weird, if I give the
> external (DMZ connected) NICs the INTERNAL DNS addresses, they work
> fine. Very odd, because our firewall won't let DNS through from the DMZ
> to the LAN so these NICs should not be able to contact our internal
> servers for name resolution at all.
>
> Aside from that we've done nothing special with the network config (no
> static routes, no RRAS service etc). Common sense tells me that
> internal NICs should use internal DNS and external NICs use external
> DNS, or does common sense not apply to Windows 2000 Server (silly
> question..)?
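The three-homed design Chris describes, as an added example that is not part of the original thread: the firewall's packet-filtering policy modelled as an ordered allow-list with default deny, plus a check that a DMZ host's configured resolvers are actually reachable under that policy (which is the test Niall's DMZ NICs fail once they point at internal DNS). The zone ranges and the provider's DNS addresses are assumptions.

```python
# Added example (not from the thread): three-homed firewall policy for the
# topology Chris describes, as an ordered allow-list with default deny, plus a
# check that a DMZ host's configured resolvers are reachable. Constructed
# addresses: LAN 10.0.0.0/24, DMZ 192.168.100.0/24, provider DNS 203.0.113.53/54.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {"LAN": ip_network("10.0.0.0/24"), "DMZ": ip_network("192.168.100.0/24")}
EXTERNAL_DNS = frozenset({ip_address("203.0.113.53"), ip_address("203.0.113.54")})

def zone_of(ip: str) -> str:
    """Map an address to LAN, DMZ or INTERNET (anything not in a local zone)."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "INTERNET")

@dataclass(frozen=True)
class Allow:
    src_zone: str
    dst_zone: str
    proto: str                          # "tcp" or "udp"
    dports: frozenset                   # permitted destination ports
    dst_hosts: frozenset = frozenset()  # empty means any host in dst_zone

# First match wins; a flow matching no rule is dropped. There is deliberately
# no DMZ -> LAN rule at all, so a DMZ NIC configured with an internal DNS
# server cannot get answers through the firewall.
POLICY = [
    Allow("INTERNET", "DMZ", "tcp", frozenset({21, 80, 443})),      # published FTP/web
    Allow("DMZ", "INTERNET", "udp", frozenset({53}), EXTERNAL_DNS),  # provider DNS only
    Allow("LAN", "DMZ", "tcp", frozenset({21, 80, 443, 3389})),     # admin/content push
    Allow("LAN", "INTERNET", "tcp", frozenset({80, 443})),          # user browsing
]

def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a new flow src -> dst:dport."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone, rule.proto) != (src_zone, dst_zone, proto):
            continue
        if dport in rule.dports and (not rule.dst_hosts or ip_address(dst) in rule.dst_hosts):
            return "allow"
    return "deny"

def unreachable_resolvers(host: str, resolvers: list) -> list:
    """Resolvers the host cannot query under POLICY; non-empty means misconfigured."""
    return [r for r in resolvers if decide(host, r, "udp", 53) == "deny"]
```

Running `unreachable_resolvers("192.168.100.10", ["10.0.0.10", "203.0.113.53"])` flags the internal server, which is the configuration Niall describes on the DMZ-side NICs.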
