Accessing inside webserver with external ip-address

Jun 1st, 2007
I need help with the following problem:

I have a Windows Small Business Server running Exchange with OWA. Users need to access the OWA from the Internet by the following DNS name which points to an official ip-address defined in their 501 PIX and NAT'ed to the SBS server on the inside interface.

Everything works perfectly from the Internet/outside interface, but when my users try to connect to at from the inside interface they are trying to reach the official ip-address defined in the PIX.

I have done this with Cisco PIXes with more interfaces, where I NATed the webserver from the DMZ interface to the Inside interface with an official ip-address and it worked.

Here it is a little bit different since I only have two interfaces and the webserver resides on the same interface.

Please, anyone, any suggestions?


kekarlsen Tue, 06/05/2007 - 22:43

I have tried DNS doctoring before, but couldn't get it to work.

After you mentioned it again, I tried it at another customer with the same configuration except that is an A-record (not CNAME) and the entire official ip-address is NATed to the same server (not port forwarding where only 80 and 443 are NATed).

Do you guys know of any issue using DNS doctoring with CNAME records or using port forwarding in PIX?

acomiskey Wed, 06/06/2007 - 04:36

If you look through the document it does mention that port forwarding is not supported using this method :(

dominic.caron Fri, 06/01/2007 - 04:35

You have yourself a problem. If I understand you correctly, you need traffic leaving from the same interface it came from. This feature was introduced in version 7 if I remember correctly and the 501 does not support that version.

Another easy solution is to setup a 'fake' internal DNS zone file for Since the SBS server is the internal DNS server for the users you can configure a zone file on it and have that zone file have the internal IP addresses for the users. External Internet resolution points to a different DNS server and thus everyone else gets External IPs which work for them.

A Split DNS server config gets around the problems the PIXes have with 'same interface' traffic. It does require more configuration and maintenance though.

san_jivus Wed, 06/06/2007 - 09:51

We are facing the same problem. We are hosting the webserver on the internal LAN and using PAT. Everything works fine from outside, but users from inside are not able to go to the website using the public domain name. I tried using DNS doctoring; it did not work, and I later found out that DNS doctoring works only for NAT. I also tried using the alias

did not work either. We do not host internal DNS so I cannot use a fake DNS zone. The only solution I have implemented is to update the hosts file on individual desktop.

We have so many guest visitors who try to use their laptops and are not able to go to our website, shame...!!!

There should be a better solution for this. I am sure so many people must be facing the same problem.

acomiskey Wed, 06/06/2007 - 10:00

It is much easier with 3 interfaces or with ASA/PIX version 7 as you can hairpin. There is no great solution for PIX 6.

