06-01-2007 04:17 AM - edited 03-11-2019 03:23 AM
Hello,
I need help to the following problem:
I have a Windows Small Business Server running Exchange with OWA. Users need to access the OWA from the Internet by the following DNS name, webmail.company.com, which points to an official IP address defined in their 501 PIX and NATed to the SBS server on the inside interface.
Everything works perfectly from the Internet/outside interface, but when my users try to connect to webmail.company.com from the inside interface they are trying to reach the official IP address defined in the PIX.
I have done this with Cisco PIXes with more interfaces, where I NATed the webserver from the DMZ interface to the inside interface with an official IP address and it worked.
Here it is a little bit different since I only have two interfaces and the webserver resides on the same interface.
Please, anyone, any suggestions?
Thanks!
06-01-2007 04:34 AM
I assume internal users are using an external dns server? If so, you can use dns doctoring in the pix with 2 interfaces.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
06-05-2007 10:43 PM
Hello,
I have tried dns doctoring before, but couldn't get it to work.
After you mentioned it again, I tried it at another customer with the same configuration, except that webmail.company.com is an A record (not a CNAME) and the entire official IP address is NATed to the same server (not port forwarding, where only 80 and 443 are NATed).
Do you guys know of any issue using DNS doctoring with CNAME records or using port forwarding in the PIX?
06-06-2007 04:36 AM
If you look through the document it does mention that port forwarding is not supported using this method :(
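To make the mechanism in the replies above concrete: DNS doctoring is the firewall rewriting the A record inside a DNS reply as it passes from the outside DNS server to an inside client, using its static NAT table, so the inside client ends up with the private address. The following is an added example, not code from the thread or from Cisco: a small Python model of that rewrite over a constructed DNS reply, with a constructed NAT table. It only rewrites entries that map a whole address, and leaves a reply untouched when the public address exists only as port-forwarding (PAT) entries, which matches what the linked document says about port forwarding not being supported. All names, addresses and the NAT table are assumptions for the demonstration.

```python
"""Model of firewall-side DNS doctoring (added example, not from the thread).

A DNS reply from the outside server is inspected; A-record answers whose
address has a whole-address static NAT entry are rewritten to the inside
address.  Port-forwarding (PAT) entries are deliberately not used, which is
the limitation the Cisco document linked above describes.
"""
import struct
import ipaddress

# Constructed NAT table: (public IP, private IP, forwarded port or None).
# None means a 1:1 static NAT of the whole address; a port number means a
# static PAT entry that only forwards that one port.
NAT_TABLE = [
    ("203.0.113.10", "192.168.1.10", None),   # whole-address static NAT
    ("203.0.113.20", "192.168.1.20", 80),     # port forwarding only
    ("203.0.113.20", "192.168.1.20", 443),    # port forwarding only
]


def doctorable_mappings(nat_table):
    """Return {public_ip: private_ip} for whole-address NAT entries only."""
    return {pub: priv for pub, priv, port in nat_table if port is None}


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_reply(name, ip, txn_id=0x1234, ttl=300):
    """Build a minimal DNS response (one question, one A answer).  The answer
    repeats the full name rather than using compression, to keep it simple."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)
    qname = _encode_name(name)
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    rdata = ipaddress.IPv4Address(ip).packed
    answer = qname + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        off += 1 + length


def _records(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every resource record."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def answer_addresses(msg):
    """List the IPv4 addresses carried in A records of a reply."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + n])))
            for t, c, o, n in _records(msg) if t == 1 and c == 1 and n == 4]


def doctor_dns_reply(msg, mappings):
    """Rewrite A-record RDATA in place for doctorable public addresses.
    Returns (rewritten_message, [(public, private), ...])."""
    out = bytearray(msg)
    rewrites = []
    for rtype, rclass, off, rdlen in _records(out):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public = str(ipaddress.IPv4Address(bytes(out[off:off + 4])))
            private = mappings.get(public)
            if private:
                out[off:off + 4] = ipaddress.IPv4Address(private).packed
                rewrites.append((public, private))
    return bytes(out), rewrites


if __name__ == "__main__":
    maps = doctorable_mappings(NAT_TABLE)
    for name, pub in [("webmail.company.com", "203.0.113.10"),
                      ("www.company.com", "203.0.113.20")]:
        doctored, changes = doctor_dns_reply(build_dns_reply(name, pub), maps)
        print(name, "->", answer_addresses(doctored), changes)
```

Running it shows the first reply rewritten to 192.168.1.10, while the second, whose public address only appears as port-forward entries, comes back unchanged, so an inside client would still try the public address and hit the same-interface problem the thread is about.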
06-01-2007 04:35 AM
Hi,
You have yourself a problem. If I understand you correctly, you need traffic leaving from the same interface it came from. This feature was introduced in version 7 if I remember correctly, and the 501 does not support that version.
06-05-2007 06:55 AM
Another easy solution is to setup a 'fake' internal DNS zone file for company.com. Since the SBS server is the internal DNS server for the users you can configure a company.com zone file on it and have that zone file have the internal IP addresses for the users. External Internet resolution points to a different DNS server and thus everyone else gets External IPs which work for them.
A Split DNS server config gets around the problems the PIXes have with 'same interface' traffic. It does require more configuration and maintenance though.
06-06-2007 09:51 AM
We are facing the same problem. We are hosting the webserver on the internal LAN and using PAT. Everything works fine from outside, but users from inside are not able to go to the website using the public domain name. I tried using DNS doctoring, which did not work, and later found out that DNS doctoring works only for NAT. I also tried using the alias http://www.cisco.com/warp/public/110/alias.html
which did not work either. We do not host internal DNS so I cannot use a fake DNS zone. The only solution I have implemented is to update the hosts file on individual desktops.
We have so many guest visitors who try to use their laptops and are not able to go to our website, shame...!!!
There should be a better solution for this. I am sure so many people must be facing the same problem.
06-06-2007 10:00 AM
It is much easier with 3 interfaces or with ASA/PIX version 7, as you can hairpin. There is no great solution for PIX 6.