PIX DNS doctoring with 2003 server

Discussion in 'Cisco' started by Rudyard Shackleton, Jun 6, 2005.

  1. A quick question guys.

    I recently put a few firewalls in a customer premises with a static NAT
    policy. Internally the clients were 192.168.1.x but externally they were
    135.1.1.x statically mapped one for one. DNS always worked ok since there
    were no servers on these sites - I accepted the limitation that the machines
    cannot ping by machine name. This worked loads of times. I then had
    another site exactly like this but had a server as well as just client PC's.
    The clients could not get their drive mappings on this server until I
    clicked the DNS option against the static translation in the PDM. I
    understand and acknowledge this. BTW the DNS servers are on the central
    site.

    My problem. On the Windows 2003 server - I noticed that rather than seeing
    the client PC's by their global address (135.x.x.x) - they were seeing the
    inside local address (192.168.1.x) on the browser!! How can this possibly
    be? The inside local addresses are not known at all outside the PIX's
    inside interface. Clicking on the doctor DNS tab for each individual host
    makes no difference. It's almost like there is some protocol between the
    server and PC where the real IP address on the client is revealed.

    Any clues or ideas guys?
    Steve
     
    Rudyard Shackleton, Jun 6, 2005
    #1

  2. "Rudyard Shackleton" <> wrote:

    > I recently put a few firewalls in a customer premises with a static NAT
    > policy. Internally the clients were 192.168.1.x but externally they were
    > 135.1.1.x statically mapped one for one. DNS always worked ok since there
    > were no servers on these sites - I accepted the limitation that the machines
    > cannot ping by machine name. This worked loads of times. I then had
    > another site exactly like this but had a server as well as just client PC's.
    > The clients could not get their drive mappings on this server until I
    > clicked the DNS option against the static translation in the PDM. I
    > understand and acknowledge this. BTW the DNS servers are on the central
    > site.
    >
    > My problem. On the Windows 2003 server - I noticed that rather than seeing
    > the client PC's by their global address (135.x.x.x) - they were seeing the
    > inside local address (192.168.1.x) on the browser!! How can this possibly
    > be? The inside local addresses are not known at all outside the PIX's
    > inside interface. Clicking on the doctor DNS tab for each individual host
    > makes no difference. It's almost like there is some protocol between the
    > server and PC where the real IP address on the client is revealed.
    >
    > Any clues or ideas guys?


    I'm afraid that your description of the situation isn't clear.
    If the server is in the same LAN as the clients then the
    above behaviour is expected. If they are in different LANs, so
    that the server LAN and the clients' LAN are connected via a
    VPN tunnel, then the above is also expected because usually
    you don't NAT traffic destined for a VPN tunnel.
     
    Jyri Korhonen, Jun 6, 2005
    #2

  3. Thanks for the reply.
    NAT is being performed. The inside local address is being seen on the
    domain controller at the other side of the NAT. Surely the DC should only
    see the outside global address?
    RS
     
    Rudyard Shackleton, Jun 7, 2005
    #3
  4. "Rudyard Shackleton" <> wrote:

    > NAT is being performed. The inside local address is being seen on the
    > domain controller at the other side of the NAT. Surely the DC should
    > only see the outside global address?


    Not necessarily. There are some protocol implementations which
    carry the IP address in the payload of an IP packet. We don't
    do Windows networking (we have Novell) so I don't know if
    Microsoft's solution is doing that. You might want to ask
    in some of the windows discussion groups.
     
    Jyri Korhonen, Jun 7, 2005
    #4
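A simplified model of the two mechanisms the replies describe, added here as an example and not taken from the thread: static NAT rewrites only the IP header, DNS doctoring additionally rewrites A-record answers that match a static, and an application payload carrying the sender's own address passes through untranslated, so the far side sees the inside local address. The central-site DNS server (10.0.0.53), the domain controller (10.0.0.5), the branch server (.20) and the "browser" payload layout are constructed for the example.

```python
# Constructed one-for-one statics, as in the thread: 192.168.1.x <-> 135.1.1.x
STATIC_MAP = {f"192.168.1.{h}": f"135.1.1.{h}" for h in range(1, 255)}
REVERSE_MAP = {v: k for k, v in STATIC_MAP.items()}

def nat_outbound(packet):
    """Inside -> outside: only the IP header source is rewritten.
    The payload is opaque to NAT, so an address embedded in it is left alone."""
    pkt = dict(packet)
    pkt["src"] = STATIC_MAP.get(pkt["src"], pkt["src"])
    return pkt

def nat_inbound(packet, dns_doctoring=False):
    """Outside -> inside: the IP header destination is rewritten. With DNS
    doctoring enabled, A-record answers that match a static's global address
    are rewritten to the inside local address (simplified model of the PIX)."""
    pkt = dict(packet)
    pkt["dst"] = REVERSE_MAP.get(pkt["dst"], pkt["dst"])
    if dns_doctoring and pkt.get("app") == "dns":
        pkt["answers"] = [REVERSE_MAP.get(a, a) for a in pkt["answers"]]
    return pkt

def dns_reply_seen_by_client(dns_doctoring):
    """Central-site DNS answers a branch client with the branch server's
    global address. Without doctoring the client tries 135.1.1.20 for a host
    on its own LAN; with doctoring it gets 192.168.1.20 and drive mappings work."""
    reply = {"src": "10.0.0.53", "dst": "135.1.1.10", "app": "dns",
             "answers": ["135.1.1.20"]}  # constructed DNS reply
    return nat_inbound(reply, dns_doctoring)["answers"][0]

def announcement_seen_by_dc():
    """A branch client announces itself to the central-site DC and carries its
    own address in the application payload (constructed stand-in for the
    browser protocol). Returns (header source, payload address) as the DC sees them."""
    ann = {"src": "192.168.1.10", "dst": "10.0.0.5", "app": "browser",
           "payload": {"host": "PC10", "addr": "192.168.1.10"}}  # constructed
    out = nat_outbound(ann)
    return out["src"], out["payload"]["addr"]

if __name__ == "__main__":
    print("DNS answer, no doctoring:", dns_reply_seen_by_client(False))
    print("DNS answer, doctoring:   ", dns_reply_seen_by_client(True))
    print("DC sees header/payload:  ", announcement_seen_by_dc())
```

The header source reaches the DC translated while the payload still reads 192.168.1.10, which is exactly the mismatch the browser list showed; the DNS doctoring option only inspects DNS replies and does nothing for other payloads.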