Access LAN resources using WAN IP address from LAN

meofcourse (Level 1)

Hi,

Our router (an Integrated Services Router 2811) does PAT to a single subnet. We have a web server located on the subnet.

When using public DNS from a computer on the LAN (other than the web server) we obviously get the public IP address for our website. This results in the request being sent to the WAN port of the router. Even though the router is configured to forward port 80 on the WAN port to the web server, it does not forward the request if the request originally came from the LAN.

Quite simply, the question is: How do you forward LAN requests made to the public IP address (WAN) on the router back into the LAN?

From what I have found online, this is nearly impossible to do. If it is, why? A cheap Linksys router does it quite easily.
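The "why" behind the question comes down to the order in which a router like this applies NAT and routing. As an added illustration (not from the thread, and not a description of the 2811's actual code), the toy model below applies the static port forward only to packets that arrive on the outside interface, which is the commonly described IOS behaviour for an `ip nat inside source static` port mapping; a LAN packet addressed to the router's own public address therefore terminates on the router itself. The `hairpin` flag models what a consumer router with NAT loopback does instead. The public address 1.1.1.1 and the 10.10.10.0/24 LAN come from the thread; the web server address 10.10.10.80 and the client addresses are constructed.

```python
"""Toy model of why LAN -> public-IP traffic is not hairpinned by a
basic static port forward. Added example; assumptions noted inline."""
from dataclasses import dataclass
import ipaddress

PUBLIC_IP = "1.1.1.1"                          # placeholder from the thread
WEB_SERVER = "10.10.10.80"                     # constructed private address
LAN = ipaddress.ip_network("10.10.10.0/24")    # main-office LAN from the thread


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Decision:
    action: str        # "forward" to an inside host, or "local" (router itself)
    ingress: str       # interface the packet arrived on: "inside" / "outside"
    dst_after_nat: str # destination address after any translation


class ToyNatRouter:
    """Holds static port forwards of the form (public_ip, port) -> inside_ip."""

    def __init__(self, forwards):
        self.forwards = forwards

    def ingress_interface(self, pkt):
        # A packet sourced from the LAN arrived on the "ip nat inside" side.
        return "inside" if ipaddress.ip_address(pkt.src) in LAN else "outside"

    def handle(self, pkt, hairpin=False):
        ingress = self.ingress_interface(pkt)
        dst = pkt.dst
        # Destination translation is applied to packets entering on the
        # outside interface (outside-to-inside: translate, then route).
        # With NAT loopback (hairpin=True) the forward is applied on any
        # interface, which is what the cheap Linksys in the thread does.
        if ingress == "outside" or hairpin:
            dst = self.forwards.get((pkt.dst, pkt.dport), pkt.dst)
        if dst == PUBLIC_IP:
            # Routing: the destination is one of the router's own addresses,
            # so the packet is delivered to the router, never to the LAN host.
            return Decision("local", ingress, dst)
        return Decision("forward", ingress, dst)


def make_router():
    return ToyNatRouter({(PUBLIC_IP, 80): WEB_SERVER})


def lan_client_to_public_ip():
    """The case from the question: a LAN client uses the public DNS answer."""
    return make_router().handle(Packet("10.10.10.25", PUBLIC_IP, 80))


def wan_client_to_public_ip():
    """A client on the Internet: the port forward applies as expected."""
    return make_router().handle(Packet("203.0.113.7", PUBLIC_IP, 80))


def lan_client_with_nat_loopback():
    """Same LAN client against a router that applies the forward on any interface."""
    return make_router().handle(Packet("10.10.10.25", PUBLIC_IP, 80), hairpin=True)


if __name__ == "__main__":
    for fn in (lan_client_to_public_ip, wan_client_to_public_ip, lan_client_with_nat_loopback):
        print(f"{fn.__name__:32s} -> {fn()}")
```

Note that a real hairpin also needs the reply path fixed: if the web server receives the forwarded packet with the LAN client's original source address, it replies directly on the LAN, the client sees a reply from 10.10.10.80 instead of 1.1.1.1, and the TCP connection fails. That is why NAT loopback on consumer routers also rewrites the source address, and why the clean fix on this kind of network is usually DNS rather than NAT.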

17 Replies

John Blakley (VIP Alumni)

It sounds like the easiest way to do it is use an internal DNS server, and put your A records to resolve to the local address and not use public DNS servers. Then you would set your DNS server as a forwarder to query any records that your DNS server doesn't know of.

HTH

John

HTH, John *** Please rate all useful posts ***

I agree with you. BUT.

History:

We have a province-wide domain, interconnected with VPNs. There is no routing enabled on the servers running the VPNs. Since DNS is Active Directory integrated, all locations receive the private IP address for the web server. Since there is no routing between locations, we need them to receive the public IP address via DNS.

So we have three options:

1. Change the host entry on all our computers (several hundred) to point to the public IP address. (This poses a problem for users with laptops, as sometimes they are in the same office as the web server.)

2. Somehow get the router to forward the requests as laid out in the question.

3. Somehow get our Active Directory integrated DNS to spit out a public IP address if the request is from one of the remote locations, but the private IP address if the request is from the location with the web server in it. (Not sure if this is even possible.)

PS. Thanks for the reply :-)

Do you have a quick topology of how you're laid out?

HTH, John *** Please rate all useful posts ***

I've attached a very quick diagram of our network. I hope it is detailed enough for what you are looking for. It is pretty basic. One note: the VPNs are tunneled through the Cisco. The Cisco is not supplying the VPN connection.

Thanks.

Okay,

Your topology doesn't really show me what I was looking for, and it's probably because I may not have been clear enough.

"interconnected with VPNs. There is no routing enabled on the servers running the VPNs." Where are these VPNs terminating? Provider's router, server, your router, etc.

You said that the VPNs are tunneled through the Cisco, but the Cisco isn't the termination point, so what is?

You said that the remote sites are DNS integrated, but do they run their own servers, or are their DNS settings on your server?

My understanding of your goal, and please correct me if I'm wrong, is the following:

You want to be able to provide the DNS clients on the other side of the tunnel your public address for your web server? Forgive me if I'm a little lost.

You also said that VPN wasn't routed. Does that mean that you're not using NAT, or you're split tunneling?

HTH, John *** Please rate all useful posts ***

Sorry to confuse you. Here are the answers to your questions:

"interconnected with VPNs. There is no routing enabled on the servers running the VPNs." Where are these VPNs terminating? Provider's router, server, your router, etc.

You said that the VPNs are tunneled through the Cisco, but the Cisco isn't the termination point, so what is?

The PDC Emulator (the domain controller in the main site; this is the same site as the web server).

You said that the remote sites are DNS integrated, but do they run their own servers, or are their DNS settings on your server?

They run their own servers (they are domain controllers), which pull the DNS settings from the main site domain controller through Active Directory.

My understanding of your goal, and please correct me if I'm wrong, is the following:

You want to be able to provide the DNS clients on the other side of the tunnel your public address for your web server? Forgive me if I'm a little lost.

Yes. Keep in mind that DNS settings made in one location propagate to the other locations via Active Directory, because it is Active Directory integrated DNS.

You also said that VPN wasn't routed. Does that mean that you're not using NAT, or you're split tunneling?

(This might confuse you more.) Each location is NATted to the Internet. The VPN is a single tunnel from one server to the PDC emulator server. No other computers, routers or servers can access this VPN. Pretty much a one-to-one tunnel. (I suppose you could call it split tunneling, but with access to only one network resource.) The whole point of the VPN is to allow Active Directory synchronization.

Hopefully that answers your questions :-)

So what side are you having the problem with? The hosts on the other side of the tunnel can't get to your internal website? Can the hosts on your side see your website? Does this website have a public or private address?

I'm thinking of you pushing HOSTS files to the clients on the ones that need to see the public address.

HTH, John *** Please rate all useful posts ***

Well, we've tried two things.

1. If we put the DNS entry for the website in the internal DNS as the private IP, then all the clients in the locations other than the main office can't access it.

2. If we put the DNS entry for the website in the internal DNS as the public IP, then all the clients in the main office can't access the website.
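The two attempts above fail for opposite halves of the user base because a single A record cannot satisfy both: the private address is only reachable from the main office, and the public address is only reachable from outside it (the router does not hairpin). The poster's option 3 earlier in the thread, answering differently depending on where the query comes from, is exactly split-horizon DNS. The following is an added example, not code from the thread or from any vendor: a minimal resolver that selects a record set by the client's source address, the way BIND's `view` / `match-clients` does, plus a reachability model of this network used to compare it with the two single-answer configurations. Addresses from the thread: public 1.1.1.1, main office 10.10.10.0/24, remote site 10.10.130.0/24. The name www.example.com and the server's private address 10.10.10.80 are constructed.

```python
"""Split-horizon DNS decision logic versus a single A record, modelled on
the network in this thread. Added example; assumptions noted inline."""
import ipaddress

NAME = "www.example.com"                       # constructed hostname
PRIVATE_IP = "10.10.10.80"                     # constructed server address
PUBLIC_IP = "1.1.1.1"                          # placeholder from the thread
MAIN_OFFICE = ipaddress.ip_network("10.10.10.0/24")   # from the thread
REMOTE_SITE = "10.10.130.0/24"                        # from the thread


class SplitHorizonResolver:
    """Ordered list of views; the first view whose networks match the
    client's source address answers the query (BIND semantics)."""

    def __init__(self):
        self.views = []

    def add_view(self, networks, records):
        nets = [ipaddress.ip_network(n) for n in networks]
        self.views.append((nets, records))
        return self

    def resolve(self, name, client_ip):
        client = ipaddress.ip_address(client_ip)
        key = name.lower().rstrip(".")
        for nets, records in self.views:
            if any(client in n for n in nets):
                return records.get(key)
        return None


def split_resolver():
    """Option 3: main-office clients get the private address, everyone else
    (including the remote site over its own NAT) gets the public one."""
    return (SplitHorizonResolver()
            .add_view([str(MAIN_OFFICE)], {NAME: PRIVATE_IP})
            .add_view(["0.0.0.0/0"], {NAME: PUBLIC_IP}))   # catch-all, like BIND's "any"


def single_answer_resolver(address):
    """Attempts 1 and 2 from the thread: one A record for all clients."""
    return SplitHorizonResolver().add_view(["0.0.0.0/0"], {NAME: address})


def reachable(client_ip, server_ip):
    """Reachability as described in the thread: private address only from the
    main-office LAN; public address only from outside it (no NAT hairpin)."""
    inside = ipaddress.ip_address(client_ip) in MAIN_OFFICE
    if server_ip == PRIVATE_IP:
        return inside
    if server_ip == PUBLIC_IP:
        return not inside
    return False


def check(resolver, clients):
    """Map each client to whether the answer it receives actually works."""
    return {c: reachable(c, resolver.resolve(NAME, c)) for c in clients}


# Constructed sample clients: one in the main office, one at the remote site.
CLIENTS = ["10.10.10.25", "10.10.130.40"]

if __name__ == "__main__":
    print("private only :", check(single_answer_resolver(PRIVATE_IP), CLIENTS))
    print("public only  :", check(single_answer_resolver(PUBLIC_IP), CLIENTS))
    print("split horizon:", check(split_resolver(), CLIENTS))
```

In BIND this is two `view` blocks, the first with `match-clients { 10.10.10.0/24; };` serving a zone file with the private address and the second with `match-clients { any; };` serving the public one. Active Directory integrated DNS on Windows Server of that era has no equivalent (source-based DNS Policy only arrived in Windows Server 2016), which is why the practical choices on this thread were a separate resolver for one site or HOSTS files, as John suggests.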

Can you post your config from your main router and a client router? Take out the live addresses.

HTH, John *** Please rate all useful posts ***

Here is the main router config. Since the client locations are not hosting any publicly accessible services, they have a small Linksys RVL200 router. I don't think that I can give a config for it. It isn't configured for anything except the admin password and some port forwarding for administrative access to the domain controller.

Note: public IPs have been replaced with 1.1.1.1 and 1.1.1.2.

Note 2: This router was configured mainly with the SDM webpage.

Are your client side networks on:

10.10.10.0

10.10.30.0

10.10.60.0

10.10.20.0

Do they get to you through the VPN?

HTH, John *** Please rate all useful posts ***

Only 10.10.10.0 is used on the client side in the main office. The other three are old configurations that should have been deleted, but are currently not being used. They were previously being used as VLANs.

So, what is the private address for the other side? Will I see them in this config, or do they use the dialer profile to come in on?

You said that they have all of their own servers, so are they always connected to the VPN? Do they access other resources on your network?

HTH, John *** Please rate all useful posts ***

So, what is the private address for the other side? 10.10.130.0

Will I see them in this config? No

Do they use the dialer profile to come in on? Yes

You said that they have all of their own servers, so are they always connected to the VPN? Yes

Do they access other resources on your network? Yes, Exchange Server which has the same problem.
