Using outside DNS name to access internal server from inside the network

Discussion in 'Cisco' started by scooty@people.net.au, Mar 19, 2006.

  1. Guest

    Hi all
    A strange request from a client which I am unsure can be achieved using
    NAT
    The client has a mail server, say 172.16.50.20 and its DNS name for
    example is mail.test.com.au to the outside world
    mail.test.com.au also maps to a real IP address as one would expect,
    which is the IP address of the WAN interface on the Cisco router. The
    client wants to be able to access mail.test.com.au using the external
    DNS reference on say port 8081 (internally)
    So any user who opens a browser inside the private network, points it
    to mail.test.com.au:8081 should be able to access the mail server.
    mail.test.com.au is located inside the network but is using the outside
    IP address as DNS resolution is giving the inside user a real IP for
    mail.test.com.au.
    My question is can this be achieved? I hope I have explained myself
    well enough for this to make sense!
     
    , Mar 19, 2006
    #1

  2. BernieM Guest

    <> wrote in message
    news:...
    > Hi all
    > A strange request from a client which I am unsure can be achieved using
    > NAT
    > The client has a mail server, say 172.16.50.20 and its DNS name for
    > example is mail.test.com.au to the outside world
    > mail.test.com.au also maps to a real IP address as one would expect,
    > which is the IP address of the WAN interface on the Cisco router. The
    > client wants to be able to access mail.test.com.au using the external
    > DNS reference on say port 8081 (internally)
    > So any user who opens a browser inside the private network, points it
    > to mail.test.com.au:8081 should be able to access the mail server.
    > mail.test.com.au is located inside the network but is using the outside
    > IP address as DNS resolution is giving the inside user a real IP for
    > mail.test.com.au.
    > My question is can this be achieved? I hope I have explained myself
    > well enough for this to make sense!
    >


    If the internal DNS resolves to the 'external' IP then one would assume a
    client's connection attempt would be directed to the 'internet' by internal
    routing. In that case the client's firewall should be able to redirect and
    NAT back to the real internal server.

    That would be the easiest way to do it, but what are they trying to achieve
    by referencing an internal host by its 'external' address?

    BernieM
     
    BernieM, Mar 19, 2006
    #2

  3. Guest

    Thx BernieM
    I am not too sure what the client is trying to achieve with this, the
    only thing I can think of would be say a sales rep who travels on the
    road. When they dial in they use an external DNS to resolve the mail
    server and when in the office they would use the private IP, but they
    would always use the FQDN rather than separate addresses. The only
    thing I can see that will do it is either local hosts files or an
    internal DNS server pointing to the local private address. The problem
    is that some of the lower end brand routers (probably in bridge mode)
    will do this, but I don't think it's a NAT thing but more a DNS thing.
    And of course because these lower end devices do it the client thinks
    Ciscos must be able to do the same. Hence my dilemma!
    Thx for your prompt reply BernieM, especially on a weekend!
     
    , Mar 19, 2006
    #3
  4. Re: Using outside DNS name to access internal server from inside the network

    I'm thinking of two ways of getting this to work:

    If you're in control of the DNS and it is BIND 9 or newer there are "Views".

    Another way could be catching internal-to-external DNS client requests and
    redirecting them to a local DNS server.
     
    Matthias Gruber, Mar 19, 2006
    #4
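The BIND 9 "views" approach mentioned above, written out as an added example (not configuration from anyone in this thread). It assumes the LAN is 172.16.50.0/24, that the router's WAN address is the documentation placeholder 203.0.113.10, and that the zone files live under /etc/bind/; change those to match the real site.

```conf
// named.conf fragment: split-horizon DNS for test.com.au (added example).
// Assumed: LAN 172.16.50.0/24, placeholder WAN address 203.0.113.10.

acl "lan" { 172.16.50.0/24; 127.0.0.1; };

// Views are matched top to bottom, so the LAN view must come first.
// Inside clients asking for mail.test.com.au get the private address,
// so the browser hits 172.16.50.20:8081 directly without touching NAT.
view "internal" {
    match-clients { "lan"; };
    recursion yes;            // LAN hosts may use this server as a resolver
    zone "test.com.au" {
        type master;
        file "/etc/bind/db.test.com.au.internal";
        // db.test.com.au.internal (needs the usual SOA/NS records too):
        //   mail   IN A   172.16.50.20
    };
};

// Everyone else (the Internet) gets the address on the router's WAN side.
view "external" {
    match-clients { any; };
    recursion no;             // never act as an open resolver for outsiders
    zone "test.com.au" {
        type master;
        file "/etc/bind/db.test.com.au.external";
        // db.test.com.au.external:
        //   mail   IN A   203.0.113.10
    };
};
```

Check it with `named-checkconf` and then `dig @<server> mail.test.com.au` from a LAN host (expect 172.16.50.20) and from outside (expect the WAN address); note that every zone must appear in both views, or hosts in the view that lacks it get no answer at all.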
  5. BernieM Guest

    <> wrote in message
    news:...
    > Thx BernieM
    > I am not too sure what the client is trying to achieve with this, the
    > only thing I can think of would be say a sales rep who travels on the
    > road. When they dial in they use an external DNS to resolve the mail
    > server and when in the office they would use the private IP, but they
    > would always use the FQDN rather than separate addresses. The only
    > thing I can see that will do it is either local hosts files or an
    > internal DNS server pointing to the local private address. The problem
    > is that some of the lower end brand routers (probably in bridge mode)
    > will do this, but I don't think it's a NAT thing but more a DNS thing.
    > And of course because these lower end devices do it the client thinks
    > Ciscos must be able to do the same. Hence my dilemma!
    > Thx for your prompt reply BernieM, especially on a weekend!
    >


    Sorry but I'm confused. In your original post you said:

    "The client wants to be able to access mail.test.com.au using the external
    DNS reference. So any user who opens a browser <snipped> is using the
    outside IP address"

    which I said would be achieved by having the internal dns resolve to that
    external address but now you're suggesting to have ...

    "the internal DNS server pointing to the local private address."

    What is actually wanted?

    When their sales people 'dial in' why would they be using an external dns?

    BernieM
     
    BernieM, Mar 19, 2006
    #5
  6. Guest

    OK I am unsure exactly what the client wants as they haven't been
    forthcoming about it. This was just a guess as I can't see any reason
    why you would want to do this also.
    But in a nutshell, they want to be able to open a browser locally
    (inside private IP) that points to their mail server on port 8081. The
    mail server is resolved using the external DNS so I would have to
    assume there is no internal DNS server. So with that they would have to
    run a DNS server internally or use local host files! Correct?
    I'm sorry for the vagueness but this is 3rd party information passed to
    me by the IT consulting firm on behalf of the client! (I am from the
    ISP)
    If their clients were dialling in it would be to the ISP's POP, hence
    the need to use both the internal address and the external address, but
    like I say this is just a guess.
    Thx again BernieM and also to Matthias, sorry for any confoozion :)
     
    , Mar 19, 2006
    #6
  7. BernieM Guest

    <> wrote in message
    news:...
    > OK I am unsure exactly what the client wants as they haven't been
    > forthcoming about it. This was just a guess as I can't see any reason
    > why you would want to do this also.
    > But in a nutshell, they want to be able to open a browser locally
    > (inside private IP) that points to their mail server on port 8081. The
    > mail server is resolved using the external DNS so I would have to
    > assume there is no internal DNS server. So with that they would have to
    > run a DNS server internally or use local host files! Correct?
    > I'm sorry for the vagueness but this is 3rd party information passed to
    > me by the IT consulting firm on behalf of the client! (I am from the
    > ISP)
    > If their clients were dialling in it would be to the ISP's POP, hence
    > the need to use both the internal address and the external address, but
    > like I say this is just a guess.
    > Thx again BernieM and also to Matthias, sorry for any confoozion :)
    >


    I see why dial-in clients are using an external DNS ... it isn't actually
    'dial in' as such, in that the clients only dial into an ISP and would then
    hit your customer's Internet front end ... like any other Internet-based
    client. The fact they've dialled in to an ISP is transparent to your
    customer.

    It makes sense that an 'external' client resolves the mail server's external
    address, but is this a server they host?

    Odd to assume there's no internal dns. Remove the assumptions about how
    everything hangs together and it will make it a lot easier for people to
    make recommendations.

    BernieM
     
    BernieM, Mar 20, 2006
    #7
  8. chris Guest

    <> wrote in message
    news:...
    > Hi all
    > A strange request from a client which I am unsure can be achieved using
    > NAT
    > The client has a mail server, say 172.16.50.20 and its DNS name for
    > example is mail.test.com.au to the outside world
    > mail.test.com.au also maps to a real IP address as one would expect,
    > which is the IP address of the WAN interface on the Cisco router. The
    > client wants to be able to access mail.test.com.au using the external
    > DNS reference on say port 8081 (internally)
    > So any user who opens a browser inside the private network, points it
    > to mail.test.com.au:8081 should be able to access the mail server.
    > mail.test.com.au is located inside the network but is using the outside
    > IP address as DNS resolution is giving the inside user a real IP for
    > mail.test.com.au.
    > My question is can this be achieved? I hope I have explained myself
    > well enough for this to make sense!
    >


    This can be done if the gateway is just a router. Using either external or
    internal DNS, if this resolves to the global IP address then some devices
    allow traffic to be sent to the gateway with a destination of the live IP
    address, NATed and then sent back into the network. Some devices such as the
    Cisco PIX do not allow this, as with the PIX any traffic entering one network
    interface has to exit from a different interface. You can't NAT "on a stick",
    so to speak.

    I *think* that with a router this might be okay. However, the best option is
    always internal DNS and "views".

    Chris.
     
    chris, Mar 21, 2006
    #8
