
DNS Help Needed

Status
Not open for further replies.

Juandaman81

IS-IT--Management
Jun 7, 2004
182
GB
hello technical bods,

we have a problem whereby since we changed our router from a Draytek 2800 to a Zywall 500 we can access our websites hosted internally without using the internal IP address. I need to be able to access our websites by using the WAN IP... any ideas?



Nick
MCSA 2003

"If you try to fail, and succeed, which have you done?"
 
Let me see if I got this clear. Since changing your firewall to the Zywall, you can still access your company web pages via DNS name internally. However, you cannot access the web pages from outside the network using the public IP address of the server(s)? This is not really a DNS issue, as you are just trying to access the web server(s) using their public IP address. This sounds like the NAT rules have not been configured at all, or not configured properly on the Zywall.

Joey
CCNA, MCSA 2003, MCP, A+, Network+, Wireless#
 
Juan-

Why would you want to use the public name internally? This will cause excess WAN bandwidth usage that is unnecessary. The reason being, you will try to access your company site, which in turn will send the request out to the internet, which then of course will point you to your public site, leading you right back to a server inside your own network.

If you really must make them respond on the WAN addresses internally though, you can do one of the following things (OF COURSE THESE PLANS CAN BE ALTERED SLIGHTLY TO FIT YOUR NEEDS):

IF INTERNAL DOMAIN NAME IS THE SAME AS EXTERNAL DOMAIN NAME:

1. invent a nice new simple name to refer to the website internally (let's say something like HR-Web)
2. create a host record (HR-Web in my example) mapped to the external IP of the website

IF INTERNAL DOMAIN NAME IS DIFFERENT THAN PUBLIC DOMAIN NAME:

1. create a new AD integrated zone in DNS with the name of your public domain name
2. create static DNS records in the zone mapping to the external IPs of ALL resources available via your public domain name (this includes not only your web, but also potentially your MX records for mail servers, etc.)
3. remove any conditional forwarders that may be in place containing your public domain name, if any exist


These methods could also be applied to local HOST file adjustments on client machines as well, as another alternative...

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea
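An added example, not part of Brandon Wilson's post: once an internal zone carries the public domain name, the internal DNS server is authoritative for it, so any public record left out of that zone stops resolving for internal clients. This Python sketch compares the two record sets to catch such gaps. The zone contents (example.com, RFC 5737 addresses), the simple "name type rdata" line format and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: example.com with RFC 5737 addresses, not from the thread.
PUBLIC_ZONE = """
@      A     203.0.113.10
www    A     203.0.113.10
mail   A     203.0.113.25
@      MX    10 mail.example.com.
vpn    A     203.0.113.40
"""

# Internal copy of the zone: MX and vpn were forgotten, mail has drifted.
INTERNAL_ZONE = """
@      A     203.0.113.10
www    A     203.0.113.10
mail   A     203.0.113.52   ; stale address
"""

def parse_zone(text):
    """Parse 'name type rdata' lines into {(name, type): {rdata, ...}}."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file style comments
        if not line:
            continue
        name, rtype, rdata = line.split(None, 2)
        records[(name.lower(), rtype.upper())].add(" ".join(rdata.split()).lower())
    return dict(records)

def shadow_zone_gaps(public_text, internal_text):
    """Return (missing, mismatched) record keys of the internal zone vs. the public one."""
    public, internal = parse_zone(public_text), parse_zone(internal_text)
    missing = sorted(k for k in public if k not in internal)
    mismatched = sorted(k for k in public if k in internal and public[k] != internal[k])
    return missing, mismatched

if __name__ == "__main__":
    missing, mismatched = shadow_zone_gaps(PUBLIC_ZONE, INTERNAL_ZONE)
    for name, rtype in missing:
        print(f"MISSING  {name} {rtype}: internal clients get no answer")
    for name, rtype in mismatched:
        print(f"MISMATCH {name} {rtype}: internal and public answers differ")
```
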
 
generally we use the local IP anyway, it's just for testing a web-based application, we want to see how it would behave being accessed from the web, even if that means extra traffic, if we make it quick enough that way, then we shouldn't have any problems with speed.


thank you both

Nick
MCSA 2003

"If you try to fail, and succeed, which have you done?"
 
Juan, most good firewalls and/or routers will allow you to do DNS doctoring/DNS rewrite in some fashion. I've never used a Zywall before but check the documentation.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Sorry, forgot to add that your draytek probably permitted hairpinning/tromboning if it didn't specifically state that it used DNS rewriting/doctoring.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
thanks unclerico, I found a tick box which enabled NAT loopback!

Nick
MCSA 2003

"If you try to fail, and succeed, which have you done?"
 