Re: DNS and Server 2003

From: Phillip Windell (_at_.)
Date: 06/30/04


Date: Wed, 30 Jun 2004 11:05:39 -0500


"CoveTom" <anonymous@discussions.microsoft.com> wrote in message
news:237a301c45ead$cb1d1350$a301280a@phx.gbl...
> Should we need a second server, like one to do secondary
> DNS or to host our web site and e-mail separately, I could

You can get things working on the one box for now and see how it behaves.
Add others only when you know you need them. So don't try to solve problems
that you don't even have yet.

> I should also mention at this point how our Internet setup
> works. We have a T1 connection from here to a pseudo-
> government organization that supplies Internet access to
> local area schools. They give us a bunch of IP addresses
> in a non-routable range (10.x.x.x) and the address of
> their DNS server. We have a Cisco 1600 series router which
> tosses all our Internet traffic over to them, and their
> systems get everything where it needs to go. They also
> filter our Internet traffic, BTW, so that students can't
> get to anything, well, inappropriate.

I've heard of these situations in schools. I don't think they are "pretty".
If they give you enough 10.* addresses to cover all your needs, then you
simply use them on all your machines and the Cisco 1600's 10.* address
becomes the Default Gateway of the machines. This "pseudo-gov organization"
will be the ones "firewalling" and protecting your network.

If you don't have enough 10.* addresses then *ask for more* from the *same*
subnet, ..it is still the simplest model to follow. But if they won't give
more you will require a NAT Device. The Server could do it, but I don't
recommend dual-homing a DC/DNS machine, nor do I recommend adding that much
more responsibility to a Server that may already be overworked. The best bet
is to use a Hardware based Firewall for this. You could also build one with
Linux & IP Tables.

When doing this you need to wisely pick a private address range that won't
cause future problems with other private systems you may have to deal with.
These would be your "internal" addresses, while the 10.* addresses would
become your "external" address which are in the same role that a Public
Address Range would be in a "normal" network. Now the clients would use the
internal IP# of the "NAT Device" as their Default Gateway. This "pseudo-gov
organization" will *still* be the ones "firewalling" and protecting your
network, but you will be able to do additional filtering yourself, but you
will *not* be able to allow what they don't allow because it will never get
to (or from) you.

> In special cases where we need incoming traffic, such as
> our server, they "unfilter" one of our non-routable
> internal IP addresses and tie it to a real, routable
> external IP address. So, essentially, our server has two
> IP addresses: one internal that's non-routable on the
> Internet, and one external that's a real live IP address.

This is called Static NAT or One-to-One NAT depending on the filtering model.

If you have enough 10.* addresses and follow that simpler method, they will
continue to do this in this manner. But if you have to add another NAT
Device and another Address Range, this will become nearly impossible or at
least difficult. They can only Static or One-to-One NAT to the 10.* address
which are now *external* to your private system and cannot communicate
directly with your machines. You can probably Static or One-to-One NAT
between the 10.* address they used and one of your own internal addresses,
but things can get really complicated when things don't work and be very
hair-pulling to sort out where the problem *really* is.

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
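An added Python model of the addressing the reply lays out (this is not code from the thread; all addresses are constructed placeholders from documentation ranges). It picks an internal private range that does not collide with ranges already in use, and traces an inbound static-NAT packet through the flat 10.* model versus the double-NAT model, where the upstream's 10.* target sits on the external side of your own NAT device.

```python
import ipaddress

# RFC 1918 private ranges; the internal range must come from one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def pick_internal_range(candidates, in_use):
    """Return the first candidate that is private and overlaps none of the
    networks already in use (the upstream 10.* block, partner VPNs, etc.)."""
    taken = [ipaddress.ip_network(n) for n in in_use]
    for cand in candidates:
        net = ipaddress.ip_network(cand)
        if any(net.subnet_of(r) for r in RFC1918) and not any(net.overlaps(t) for t in taken):
            return net
    return None


def trace_inbound(public_ip, upstream_static, internal_net, local_static=None):
    """Follow an inbound packet addressed to a routable (public) address.

    upstream_static: the upstream's static / one-to-one NAT, public -> 10.* address.
    internal_net:    the range your own machines actually live in.
    local_static:    your own NAT device's static NAT, 10.* -> internal address
                     (only exists in the double-NAT model; constructed for this example).
    Returns the address the packet finally reaches, or None if it goes nowhere."""
    local_static = local_static or {}
    hop = upstream_static.get(public_ip)
    if hop is None:
        return None  # upstream never "unfiltered" this public address
    if ipaddress.ip_address(hop) in ipaddress.ip_network(internal_net):
        return hop  # flat model: the 10.* host is one of your own machines
    # Double-NAT model: the 10.* address is external to your private system,
    # so without a second static mapping on your NAT device the packet dies.
    return local_static.get(hop)
```

The second `trace_inbound` case is the failure the reply warns about: the upstream maps the public address to a 10.* host, but that host is now your NAT device's outside, not a machine on your LAN.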

