Re: can't access public website from within web server domain, need to force NAT
From: Phillip Windell (_at_.)
Date: 06/10/04
- Next message: Steven L Umbach: "Re: can't access public website from within web server domain, need to force NAT"
- Previous message: dmoti: "error accessing network shares"
- In reply to: Will: "can't access public website from within web server domain, need to force NAT"
- Next in thread: Steven L Umbach: "Re: can't access public website from within web server domain, need to force NAT"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 10 Jun 2004 10:46:49 -0500
"Will" <will@nootron.com> wrote in message
news:1ef40250.0406100709.a38edd8@posting.google.com...
> Is this a DNS issue?
Yes...
> Or is this perhaps a problem with my firewall setup?
No. It is normal behavior tied to how TCP/IP combined with Ethernet (MAC
addresses) works. The packet is trying to both leave and enter the same
external NIC of the Firewall at the same time... therefore the Source MAC
address *and* the Destination MAC address in the packet's Layer 2 header
have the same address. Since the Source and Destination MACs can't both be
the same (and still work) it sort of "shoots itself in the head".
The following article describes this in the context of MS's ISA running the
SecureNAT Service, but the principles are the same with any NAT-based
firewall. It is kind of hard to follow, but the data is there.
[Note: that's underscores between words, not spaces]
http://www.isaserver.org/articles/14120_Errors_Discussion_and_Solution.html
> Is there a way w/ DNS or other networking configurations to
> force these internal http requests to go outside the firewall so they
> can be NAT'ed and served up correctly?
> Or is the hosts file my only solution?
What you want is to have a record in your own DNS Server for these sites'
"Domain Names" that resolves to the internal *Private IP#* instead of the
Public IP# and then make sure that your own DNS is the first DNS Server
queried by these machines. This allows these web servers to
communicate directly to each other without involving the Firewall at all (it
also allows your internal users to work the same way). The only time that
the firewall should be involved is when an outside host makes a request to
those machines from the Internet. Any internal machine should *never* have
to go to the firewall to get to something that is already positioned
physically on the same side of the firewall that the requesting machine is
already on.
-- Phillip Windell [MCP, MVP, CCNA] www.wandtv.com
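An added illustration of the split-horizon check the reply recommends (example code, not from the original thread or any product): given the answers an internal host gets from public DNS and the firewall's public-to-private NAT table, it flags names that would hairpin through the firewall and emits the internal A records that should live in the internal DNS zone instead. The NAT table, hostnames and addresses are constructed sample values (RFC 1918 and documentation ranges), and the zone-line format is an assumed BIND-style layout.

```python
import ipaddress

# RFC 1918 space: a host here sits on the inside of the NAT firewall,
# so it is reachable directly without the firewall being involved.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if ip is an RFC 1918 address (reachable without NAT)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(answer: str, nat_map: dict):
    """Classify one DNS answer as seen from an internal host.

    Returns (verdict, private_ip):
      'direct'   - the answer is already a private address, no change needed
      'hairpin'  - the answer is the public address of a NAT-published
                   internal server (the situation described in the thread)
      'external' - the name genuinely lives outside; NAT is the right path
    """
    if is_private(answer):
        return ("direct", answer)
    if answer in nat_map:
        return ("hairpin", nat_map[answer])
    return ("external", None)


def internal_records(answers: dict, nat_map: dict) -> list:
    """Build the A records the internal zone needs so that hairpin names
    resolve to the private address, as the reply recommends."""
    records = []
    for name, ip in answers.items():
        verdict, private_ip = classify(ip, nat_map)
        if verdict == "hairpin":
            records.append(f"{name}.\tIN\tA\t{private_ip}")  # assumed BIND-style line
    return records


# Constructed sample data (documentation and RFC 1918 ranges, not real hosts).
NAT_MAP = {"203.0.113.10": "192.168.1.10",   # public -> private, from the firewall
           "203.0.113.11": "192.168.1.11"}
ANSWERS = {"www.example.test": "203.0.113.10",       # published internal server
           "shop.example.test": "203.0.113.11",      # published internal server
           "intranet.example.test": "192.168.1.20",  # already private
           "www.example.org": "198.51.100.5"}        # truly external

if __name__ == "__main__":
    for line in internal_records(ANSWERS, NAT_MAP):
        print(line)
```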