RE: Q: Cannot access published web server from internal network

Yes, I understood that, and even once thought that it should happen
"transparently", but after fighting my way through it and learning a bit
about ISA, I came to understand that it just doesn't make sense to ask the
NAT process to "double-NAT" the packet when a direct connection is not only
possible, but more efficient.

Essentially, the packet travels like this:
1. the client at 192.168.0.2 gets the external IP for the requested name,
say 123.123.123.123.
2. the client then proceeds to ask ISA to proxy the request to that IP
address.
3. ISA receives the request and attempts to route the request to the NAT
editor, who then realizes that the original source IP and the new
destination IP are both in the LAT.  At this point the ISA logic asks "why
are we even trying to do this?" and drops the communication while making an
event log entry.

It's an effect I like to refer to as "isotropic IP bounce" (with a smirk)
and it just doesn't make sense in the grand scheme of things.

Jim Harrison
MCP(2K), A+, Network+, PCG
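
A simplified model of the packet path described in the message above, as an added example that is not part of the original thread and not ISA Server's own logic. The LAT range, the publishing rule, the internal server address 192.168.0.10 and the external client 203.0.113.7 are assumed values; 192.168.0.2 and 123.123.123.123 are the addresses used in the message.

```python
import ipaddress

# Addresses 192.168.0.2 and 123.123.123.123 come from the message above;
# the LAT range, the publishing rule and 192.168.0.10 are assumed for illustration.
LAT = [ipaddress.ip_network("192.168.0.0/24")]
PUBLISHED = {ipaddress.ip_address("123.123.123.123"):
             ipaddress.ip_address("192.168.0.10")}


def in_lat(addr):
    """True when the address falls inside a LAT (internal) range."""
    return any(addr in net for net in LAT)


def trace(client, resolved):
    """Return (outcome, final destination) for one request.

    client   -- source IP of the host making the request
    resolved -- IP address its DNS lookup returned for the site name
    """
    src = ipaddress.ip_address(client)
    dst = ipaddress.ip_address(resolved)
    if in_lat(src) and in_lat(dst):
        # Internal DNS answered with the internal address: no firewall hop.
        return "direct", str(dst)
    target = PUBLISHED.get(dst)
    if target is None:
        return "not-published", str(dst)
    if in_lat(src) and in_lat(target):
        # Step 3 of the message: source and new destination both in the LAT.
        return "drop", str(target)
    return "publish", str(target)


def names_needing_internal_dns(client, lookups):
    """List the names whose current DNS answer makes this client hit the drop."""
    return [name for name, ip in lookups.items()
            if trace(client, ip)[0] == "drop"]


if __name__ == "__main__":
    print(trace("192.168.0.2", "123.123.123.123"))   # internal client, external name
    print(trace("192.168.0.2", "192.168.0.10"))      # internal client, internal DNS
    print(trace("203.0.113.7", "123.123.123.123"))   # external client
```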


----- Original Message -----
From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 27, 2001 16:58
Subject: [isalist] RE: Q: Cannot access published web server from internal network


http://www.ISAserver.org


Hi Jim,

I think what Andrew is attempting is as follows (I can see his logic,
and wouldn't mind replicating :)

+ External user connects to http://my.web.site
  - Resolves to ISA external IP address
  - ISA proxies the request, and passes data back to external user

He wants to do the same, except substituting external with internal,
giving one url for one address - it seems logical to do it this way, as
you don't have to manage two DNS servers, and attempt to keep the
mappings current and up to date.

> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Thursday, 27 September 2001 23:55
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
>
> You want to translate www.externalname.com to an internal IP, but you don't
> want to provide name resolution with that capability?
> Ok, you have to take the freeway to work, but you have to ride your kid's
> tricycle and you have to maintain the speed limit.
>
> Reality check, here; no host connects to another by using names.  That's
> strictly for us dumb humans that can't remember a 32-bit number.
> Speaking of which, do you think IPv6 is going to make it any easier?
> Every TCP/IP connection that one host makes to another is through IP
> addresses and, if they're on the same routed subnet, MAC addresses.
> FQDN (DNS) resolution services allow hosts to talk to each other *_ in
> spite of _* the "friendly names" we use.
>
> Two choices; stop trying to "beat the system" and
>     1. set up an internal DNS solution
> or
>     2. quit trying to connect internally using an external name

