Re: website resolves to internal DNS IP




In news:D174C80F-80D8-4B16-B123-CA9D8F06D502@xxxxxxxxxxxxx,
okon3 <okon3@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Ace,
Thanks for your reply, you have been very helpful in all groups!!!
I wasn't sure how much detail I needed to provide.

I try to do my best, but sometimes not always successful.

The internal domain (.local) is different than the external
domain (.com) and the public access subnet is different than both of
these however all are local (behind the same router).
The internal domain uses our internal DNS server, the public access
subnet uses our ISP's DNS and our website is NAT to an external IP
while on our internal network.

Then as configured, if an external machine (not VPN'd in) queries your web
site, it gets the external NAT address and is translated internally. Normal
setup.

That is where my concern lies. Is our router mapping all this traffic
because of the NAT? If so, is there a way around it, to force the
public subnet traffic out to the internet and back in?

NAT cannot do a "U-Turn." When internal, you MUST use the private IPs. There
is no other solution for this.

Or is my
concern about internal ips being revealed a non-issue?

Non-issue.

These are all thru local connections, no VPN, all wired (and wireless)
behind the same router.
You suggest what I have done, adding to the ACL to allow port 80 and
443 traffic from our public subnet to our internal subnet that houses
the web server. I am concerned that allowing this will offer users our
internal IPs, narrowing any attacks they may present to us?
Thanks again.

No problem whatsoever. Relax, clean it up and go have a cold beer.

Ace
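
The ACL arrangement discussed in this thread (ports 80 and 443 from the public subnet toward the web server), as an added example that is not part of the original posts: a first-match ACL model that enumerates exactly which internal host/port pairs a public-subnet client can reach. The subnets, the server address, the rule layout and the choice to scope the permits to the single web server host are constructed assumptions, not values from the thread.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread):
PUBLIC_NET = "192.168.50.0/24"   # public-access subnet
INTERNAL_NET = "10.0.0.0/24"     # internal (.local) subnet
WEB_SERVER = "10.0.0.80"         # internal address of the web server

# First-match ACL applied to traffic leaving the public subnet.
# Each rule: (action, source, destination, destination port or None for any)
ACL = [
    ("permit", PUBLIC_NET, WEB_SERVER + "/32", 80),
    ("permit", PUBLIC_NET, WEB_SERVER + "/32", 443),
    ("deny",   PUBLIC_NET, INTERNAL_NET, None),    # nothing else internal
    ("permit", PUBLIC_NET, "0.0.0.0/0", None),     # the rest goes to the internet
]

def evaluate(acl, src, dst, port):
    """Return the action of the first rule matching the flow (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst, rule_port in acl:
        if (s in ipaddress.ip_network(rule_src)
                and d in ipaddress.ip_network(rule_dst)
                and rule_port in (None, port)):
            return action
    return "deny"

def exposed_flows(acl, src, ports=(22, 80, 135, 443, 445, 3389)):
    """List every (host, port) in the internal subnet that `src` can reach."""
    reachable = []
    for host in ipaddress.ip_network(INTERNAL_NET).hosts():
        for port in ports:
            if evaluate(acl, src, str(host), port) == "permit":
                reachable.append((str(host), port))
    return reachable

if __name__ == "__main__":
    guest = "192.168.50.25"  # constructed client on the public subnet
    for host, port in exposed_flows(ACL, guest):
        print(f"{guest} -> {host}:{port} permitted")
```

With the permits scoped this way, a client that learns the web server's internal address still reaches only its two web ports; a subnet-wide permit on port 80 would instead expose that port on every internal host.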

