#1

We are hosting our own website. From our internal network our website is resolved to its internal IP. I can kind of understand for our Domain DNS, which the server is a part of.....ok no I can't (but it works). I don't have a record for it in my forward lookup zone and to my knowledge our ISP only holds the resolution for the public IP I gave them for it. If I was browsing to the server name then I would understand, but not the www that I hold no internal record for....anyways the real question is:

I've configured a second subnet for public internet access. This subnet is configured on our Cisco 2811 router and passed out through a router-based DHCP scope with our ISP's DNS settings. When a computer on the public access subnet tries to access our website, it resolves to our internal IP and they are denied access. I have temporarily allowed this traffic but would prefer they be forced out to our ISP's DNS and return as true external traffic and resolve to the external IP. We do host the DNS for our domain, but there is no traffic allowed between these two subnets and I would prefer to keep all of my internal IPs hidden from these workstations and this subnet. Am I worrying too much, or is there something different I need to do for this 'Public Access' subnet to resolve to the public IP of our webserver?

Thanks for your time,
Tom
#2

In news:143DDC2C-AA19-4D24-8289-A95C685BA54A@microsoft.com,
okon3 <okon3@discussions.microsoft.com> typed:
> We are hosting our own website. From our internal network our website is resolved to its internal IP. I can kind of understand for our Domain DNS, which the server is a part of.....ok no I can't (but it works).
> I don't have a record for it in my forward lookup zone and to my knowledge our ISP only holds the resolution for the public IP I gave them for it. If I was browsing to the server name then I would understand, but not the www that I hold no internal record for....anyways the real question is:
> I've configured a second subnet for public internet access. This subnet is configured on our Cisco 2811 router and passed out through a router-based DHCP scope with our ISP's DNS settings.
> When a computer on the public access subnet tries to access our website, it resolves to our internal IP and they are denied access. I have temporarily allowed this traffic but would prefer they be forced out to our ISP's DNS and return as true external traffic and resolve to the external IP.
> We do host the DNS for our domain, but there is no traffic allowed between these two subnets and I would prefer to keep all of my internal IPs hidden from these workstations and this subnet.
> Am I worrying too much, or is there something different I need to do for this 'Public Access' subnet to resolve to the public IP of our webserver?
> Thanks for your time,
> Tom

If the internal and external domain names are the same, and assuming you mean that when a client connects, they are using a VPN, then you need them to use the internal DNS server to resolve names, otherwise they will have problems authenticating to AD, accessing resources, etc. If this is the case, I can understand why it is resolving to the internal name, as so it should be. This is one of the issues of same internal/external names.

Also, if I understand you correctly (you somewhat 'hinted' at stuff and didn't specify specifics, figuring we would all assume correctly), assuming you had manually created a 'www' record and provided the internal IP, my suggestion is to keep the webserver on the internal network and just allow it to resolve the "www" record to the internal IP that you manually created (assuming you did, because you hinted at it but didn't specifically say it).

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
#3

Ace,
Thanks for your reply, you have been very helpful in all groups!!! I wasn't sure how much detail I needed to provide. The internal domain (.local) is different than the external domain (.com) and the public access subnet is different than both of these, however all are local (behind the same router). The internal domain uses our internal DNS server, the public access subnet uses our ISP's DNS and our website is NATed to an external IP while on our internal network. That is where my concern lies. Is our router mapping all this traffic because of the NAT? If so, is there a way around it, to force the public subnet traffic out to the internet and back in? Or is my concern about internal IPs being revealed a non-issue? These are all through local connections, no VPN, all wired (and wireless) behind the same router. You suggest what I have done, adding to the ACL to allow port 80 and 443 traffic from our public subnet to our internal subnet that houses the web server. I am concerned that allowing this will offer users our internal IPs, narrowing any attacks they may present to us?

Thanks again.

"Ace Fekay [MVP]" wrote:
> In news:143DDC2C-AA19-4D24-8289-A95C685BA54A@microsoft.com,
> okon3 <okon3@discussions.microsoft.com> typed:
> > We are hosting our own website. From our internal network our website is resolved to its internal IP. I can kind of understand for our Domain DNS, which the server is a part of.....ok no I can't (but it works).
> > I don't have a record for it in my forward lookup zone and to my knowledge our ISP only holds the resolution for the public IP I gave them for it. If I was browsing to the server name then I would understand, but not the www that I hold no internal record for....anyways the real question is:
> > I've configured a second subnet for public internet access. This subnet is configured on our Cisco 2811 router and passed out through a router-based DHCP scope with our ISP's DNS settings.
> > When a computer on the public access subnet tries to access our website, it resolves to our internal IP and they are denied access. I have temporarily allowed this traffic but would prefer they be forced out to our ISP's DNS and return as true external traffic and resolve to the external IP.
> > We do host the DNS for our domain, but there is no traffic allowed between these two subnets and I would prefer to keep all of my internal IPs hidden from these workstations and this subnet.
> > Am I worrying too much, or is there something different I need to do for this 'Public Access' subnet to resolve to the public IP of our webserver?
> > Thanks for your time,
> > Tom
>
> If the internal and external domain names are the same, and assuming you mean that when a client connects, they are using a VPN, then you need them to use the internal DNS server to resolve names, otherwise they will have problems authenticating to AD, accessing resources, etc. If this is the case, I can understand why it is resolving to the internal name, as so it should be. This is one of the issues of same internal/external names.
>
> Also, if I understand you correctly (you somewhat 'hinted' at stuff and didn't specify specifics, figuring we would all assume correctly), assuming you had manually created a 'www' record and provided the internal IP, my suggestion is to keep the webserver on the internal network and just allow it to resolve the "www" record to the internal IP that you manually created (assuming you did, because you hinted at it but didn't specifically say it).
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> Infinite Diversities in Infinite Combinations
#4

In news:174C80F-80D8-4B16-B123-CA9D8F06D502@microsoft.com,
okon3 <okon3@discussions.microsoft.com> typed:
> Ace,
> Thanks for your reply, you have been very helpful in all groups!!!
> I wasn't sure how much detail I needed to provide.

I try to do my best, but sometimes not always successful.

> The internal domain (.local) is different than the external domain (.com) and the public access subnet is different than both of these, however all are local (behind the same router).
> The internal domain uses our internal DNS server, the public access subnet uses our ISP's DNS and our website is NATed to an external IP while on our internal network.

Then as configured, if an external machine (not VPN'd in) queries your web site, it gets the external NAT address and is translated internally. Normal setup.

> That is where my concern lies. Is our router mapping all this traffic because of the NAT? If so, is there a way around it, to force the public subnet traffic out to the internet and back in?

NAT cannot do a "U-Turn." When internal, you MUST use the private IPs. There is no other solution for this.

> Or is my concern about internal IPs being revealed a non-issue?

Non-issue.

> These are all through local connections, no VPN, all wired (and wireless) behind the same router.
> You suggest what I have done, adding to the ACL to allow port 80 and 443 traffic from our public subnet to our internal subnet that houses the web server. I am concerned that allowing this will offer users our internal IPs, narrowing any attacks they may present to us?
> Thanks again.

No problem whatsoever. Relax, clean it up and go have a cold beer.

Ace
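Ace's point about NAT not doing a "U-turn" and the poster's temporary port 80/443 ACL exception are easier to reason about with a small model of the setup. What follows is an added example, not code from the thread or from either poster. The addresses, the ACL line and the resolver answers are constructed stand-ins (RFC 1918 inside, an RFC 5737 documentation address for the public side), and it assumes the 2811 applies the inter-subnet ACL to traffic between its two inside subnets and, when hairpin translation is enabled, evaluates that ACL on the translated private destination. It parses IOS-style extended ACL entries (including the wildcard-mask form), then reports, for a client on either subnet, whether it is handed the private address (and whether the ACL lets the flow through) or the public address (and whether the router will hairpin it).

```python
"""Split-DNS / hairpin-NAT path check for the setup discussed in the thread.

Added example, not the poster's or Ace's code. All addresses are constructed
stand-ins (RFC 1918 inside, RFC 5737 public). Assumptions: the router applies
the inter-subnet ACL to traffic between its two inside subnets; static NAT
maps the web server's private address to one public address; with hairpin
NAT enabled the ACL is evaluated on the translated (private) destination.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology.
INTERNAL_LAN = ipaddress.ip_network("192.168.10.0/24")    # .local domain, internal DNS
PUBLIC_ACCESS = ipaddress.ip_network("192.168.20.0/24")   # public-access subnet, ISP DNS
INSIDE_SUBNETS = (INTERNAL_LAN, PUBLIC_ACCESS)
WEB_PRIVATE = ipaddress.ip_address("192.168.10.50")
WEB_PUBLIC = ipaddress.ip_address("203.0.113.10")
STATIC_NAT = {WEB_PUBLIC: WEB_PRIVATE}                    # inside global -> inside local

# Constructed A-record answers for www.example.com from each resolver.
DNS_ANSWERS = {"internal-dns": WEB_PRIVATE, "isp-dns": WEB_PUBLIC}

RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def is_rfc1918(ip):
    return any(ip in n for n in RFC1918)


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset            # empty = any destination port


def _endpoint(tokens, i):
    """Parse one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wild = tokens[i + 1]
    # ipaddress reads a dotted mask as a netmask before trying it as a host
    # mask, so the two wildcards that are also valid netmasks need special-casing.
    if wild == "0.0.0.0":
        return ipaddress.ip_network(tok + "/32"), i + 2
    if wild == "255.255.255.255":
        return ipaddress.ip_network("0.0.0.0/0"), i + 2
    return ipaddress.ip_network(f"{tok}/{wild}", strict=False), i + 2


def parse_ace(line):
    """Parse an extended ACE such as
    'permit tcp 192.168.20.0 0.0.0.255 host 192.168.10.50 eq www 443'.
    Only the form with an optional trailing 'eq PORT...' is handled."""
    t = line.split()
    src, i = _endpoint(t, 2)          # t[1] is the protocol keyword
    dst, i = _endpoint(t, i)
    ports = frozenset()
    if i < len(t) and t[i] == "eq":
        ports = frozenset(PORT_NAMES.get(p) or int(p) for p in t[i + 1:])
    return AclEntry(t[0], src, dst, ports)


def acl_decision(acl, src_ip, dst_ip, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if src_ip in e.src and dst_ip in e.dst and (not e.ports or dport in e.ports):
            return e.action
    return "deny"


def simulate(client_ip, resolver, acl, dport=443, hairpin_nat=False):
    """Return (outcome, private_ip_revealed_to_client) for a client on an
    inside subnet connecting to www:dport as resolved through `resolver`."""
    client = ipaddress.ip_address(client_ip)
    answer = DNS_ANSWERS[resolver]
    if is_rfc1918(answer):
        # The client now knows the server's inside address.
        if any(client in n and answer in n for n in INSIDE_SUBNETS):
            return "same-subnet", True                # never crosses the router
        return "routed-" + acl_decision(acl, client, answer, dport), True
    if answer not in STATIC_NAT:
        return "external", False                      # some other Internet host
    if not hairpin_nat:
        # A plain 'ip nat inside source static' only translates inside->outside,
        # so a packet arriving on an inside interface for the inside-global
        # address is never translated back in: the connection fails.
        return "no-hairpin-unreachable", False
    translated = STATIC_NAT[answer]
    return "hairpin-" + acl_decision(acl, client, translated, dport), False


if __name__ == "__main__":
    # The poster's temporary exception: public-access subnet -> web server on 80/443.
    acl = [parse_ace("permit tcp 192.168.20.0 0.0.0.255 host 192.168.10.50 eq www 443")]
    for resolver, hairpin in (("internal-dns", False), ("isp-dns", False), ("isp-dns", True)):
        print(f"{resolver:13} hairpin={hairpin!s:5}", simulate("192.168.20.77", resolver, acl, hairpin_nat=hairpin))
```

Running it shows the three outcomes the thread circles around: a public-access client handed the private address is governed by the inter-subnet ACL and does learn the RFC 1918 address; handed the public address with no hairpin translation it simply cannot connect; with hairpin translation it connects without ever seeing a private address. Cisco IOS's NAT virtual interface form (`ip nat enable` on the interfaces, with a plain `ip nat source static` mapping) is the usual way to get that hairpin on ISR platforms, but check it against the IOS release on the 2811 before relying on it. Either way, the choice between the ACL exception and a hairpin is about tidiness and keeping addressing consistent, not a security requirement, which is consistent with Ace's "non-issue".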