can't access public website from within web server domain, need to force NAT

[Will]

Greetings. I have set up a cluster of 3 win2k3 machines to serve up
public websites. They are all part of one domain, with one machine
acting as the DC/DNS server.

My problem is that FROM THE MACHINES THEMSELVES I cannot access the
public websites that the servers are serving up. The reason is
because i have a firewall that uses NAT to convert public IP requests
to a non-routable subnet (e.g. 63.254.267.15 -> 192.168.10.10) and
requests from behind my firewall are not routed back out and in
through the firewall.

So I am forced to edit the system32/drivers/etc/host files to map
"mycompany.com" to 192.168.10.10 so that I can browse the websites
from within the domain. (I need to do this because we have one machine
consuming webservices from the other machine and it is doing so by
domain e.g. xml.mycompany.com/someservice.asmx/getdata).

Is this a DNS issue? Or is this perhaps a problem with my firewall
setup? Is there a way w/ DNS or other networking configurations to
force these internal http requests to go outside the firewall so they
can be NAT'ed and served up correctly? Or is the hosts file my only
solution?

Thanks for your help with this!

Will

 

[Phillip Windell]

Is this a DNS issue?
Yes...

Or is this perhaps a problem with my firewall setup?

No. It is normal behavor tied to how TCP/IP combined with Ethernet (mac
addresses) works. The packet is trying to both leave and enter the same
external NIC of the Firewall at the same time,...therefore the Source MAC
address *and* the Destination MAC address in the packet's Layer2 header
have the same address. Since the Source and Destination MACs can't both be
the same (and still work) it sort of "shoots itself in the head".

The following article describes this in the context of MS's ISA running the
SecureNAT Service, but the principles are the same with any NAT-based
firewall. It is kind of hard to follow, but the data is there.

[Note: that's underscores between words, not spaces]
http://www.isaserver.org/articles/14120_Errors_Discussion_and_Solution.html

Is there a way w/ DNS or other networking configurations to
force these internal http requests to go outside the firewall so they
can be NAT'ed and served up correctly?
Or is the hosts file my only solution?

What you want is the have a record in your own DNS Server for these sites'
"Domain Names" that resolve to the internal *Private IP#* instead of the
Public IP# and then make sure that your own DNS is the first DNS Server
requested from by these machines. This allows these web servers to
communicate directly to each other without involving the Firewall at all (it
also allows your internal users to work the same way). The only time that
the firewall should be involved is when an outside host makes a request to
those machine from the Internet. Any internal machine should *never* have
to go to the firewall to get to something that is already positioned
physically on the same side of the firewall that the requesting machine is
already on.

 

[Steven L Umbach]

You can use hosts or try to add a primary domain zone to your AD domain server that
matches the domain name for your website and add a static host record to it for the
webserver name that you refer to it by in the IE address bar. Then your internal
lookups will go that zone as being authoritative while outside users will still use
"external" dns servers to find your website. -- Steve