
Accessing inside webserver with external ip-address

kekarlsen
Level 1

Hello,

I need help with the following problem:

I have a Windows Small Business Server running Exchange with OWA. Users need to access the OWA from the Internet by the following DNS name, webmail.company.com, which points to an official IP address defined in their 501 PIX and NATed to the SBS server on the inside interface.

Everything works perfectly from the Internet/outside interface, but when my users try to connect to webmail.company.com from the inside interface they are trying to reach the official IP address defined in the PIX.

I have done this with Cisco PIXes with more interfaces, where I NATed the webserver from the DMZ interface to the inside interface with an official IP address and it worked.

Here it is a little bit different since I only have two interfaces and the webserver resides on the same interface.

Please, anyone, any suggestions?

Thanks!


acomiskey
Level 10

I assume internal users are using an external DNS server? If so, you can use DNS doctoring in the PIX with 2 interfaces.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Hello,

I have tried DNS doctoring before, but couldn't get it to work.

After you mentioned it again, I tried it at another customer with the same configuration, except that webmail.company.com is an A record (not a CNAME) and the entire official IP address is NATed to the same server (not port forwarding where only 80 and 443 are NATed).

Do you guys know of any issue using DNS doctoring with CNAME records or using port forwarding in the PIX?

If you look through the document it does mention that port forwarding is not supported using this method :(

dominic.caron
Level 5

Hi,

You have yourself a problem. If I understand you correctly, you need traffic leaving from the same interface it came from. This feature was introduced in version 7 if I remember correctly and the 501 does not support that version.

cmcbride
Level 1

Another easy solution is to set up a 'fake' internal DNS zone file for company.com. Since the SBS server is the internal DNS server for the users, you can configure a company.com zone file on it and have that zone file hold the internal IP addresses for the users. External Internet resolution points to a different DNS server and thus everyone else gets external IPs which work for them.

A Split DNS server config gets around the problems the PIXes have with 'same interface' traffic. It does require more configuration and maintenance though.
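The split-DNS approach from the reply above, narrowed to a zone for the single host name so that the rest of company.com still resolves through the public DNS. This is an added example, not part of the original thread; 192.168.1.10 is a placeholder for the SBS server's inside address, and dnscmd is assumed to be available on the server (on Windows Server 2003 it ships in the Support Tools).

```bat
rem Run on the internal DNS server (the SBS box). "." means the local server.
rem Create a primary zone named after the one host, not the whole domain,
rem so other company.com names are still resolved externally.
dnscmd . /ZoneAdd webmail.company.com /Primary /file webmail.company.com.dns

rem Add an A record at the zone root (@) pointing to the server's inside address.
rem 192.168.1.10 is a placeholder, not a value from the thread.
dnscmd . /RecordAdd webmail.company.com @ A 192.168.1.10

rem Verify from an inside client: the answer should be the inside address.
nslookup webmail.company.com
```

Clients that do not use the internal DNS server (for example, guests with hard-coded resolvers) will still receive the public address.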

We are facing the same problem. We are hosting the webserver on the internal LAN and using PAT. Everything works fine from outside, but users from inside are not able to go to the website using the public domain name. I tried using DNS doctoring; it did not work, and I later found out that DNS doctoring works only for NAT. I also tried using the alias (http://www.cisco.com/warp/public/110/alias.html); it did not work either. We do not host internal DNS, so I cannot use a fake DNS zone. The only solution I have implemented is to update the hosts file on individual desktops.

We have so many guest visitors who try to use their laptops and are not able to go to our website, shame...!!!

There should be a better solution for this. I am sure so many people must be facing the same problem.

It is much easier with 3 interfaces or with ASA/PIX version 7, as you can hairpin. There is no great solution for PIX 6.
