RE: Q: Cannot access published web server from internal network

  • From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 5 Oct 2001 11:21:00 +1000

Hi Guys,

I'd like to confirm that this does work - I've now just got to get
multiple virtuals working ... *sighs*
--
Anthony Michaud
Network Administrator
Act! Certified Consultant
eLogix Corporation Pty Ltd
 
In theory, there is no difference between theory and practice. But in
practice, there is.


> -----Original Message-----
> From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
> Sent: Friday, 28 September 2001 10:39
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
> 
> 
> http://www.ISAserver.org
> 
> 
> This already works... With Server Publishing, anyway.  I have not tried it
> with just Web Publishing.
> 
> My www.domain.com site resolves to an external IP (DNS maintained by ISP).
> That IP is Server Published to an internal box.  If an internal client
> (using FW client or Web Proxy) goes to www.domain.com, it does indeed
> re-route them to the internal site just like an external client.  The only
> rub, like Jim said, is that it writes an event log saying that there is a
> conflict in the LAT blah blah blah.  However, it does work... I do it all
> the time.
> 
> 
> 
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, September 27, 2001 5:19 PM
> Subject: [isalist] RE: Q: Cannot access published web server from internal network
> 
> 
> > Yes, I understood that, and even once thought that it should happen
> > "transparently", but after fighting my way through it and learning a bit
> > about ISA, I came to understand that it just doesn't make sense to ask the
> > NAT process to "double-NAT" the packet when a direct connection is not only
> > possible, but more efficient.
> >
> > Essentially, the packet travels like this:
> > 1. the client at 192.168.0.2 gets the external IP for the requested name,
> > say 123.123.123.123.
> > 2. the client then proceeds to ask ISA to proxy the request to that IP
> > address
> > 3. ISA receives the request and attempts to route the request to the NAT
> > editor, who then realizes that the original source IP and the new
> > destination IP are both in the LAT.  At this point the ISA logic asks "why
> > are we even trying to do this?" and drops the communication while making an
> > event log entry.
> >
> > It's an effect I like to refer to as "isotropic IP bounce" (with a smirk)
> > and it just doesn't make sense in the grand scheme of things.
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> >
> > ----- Original Message -----
> > From: "Anthony Michaud" <anthonym@xxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Thursday, September 27, 2001 16:58
> > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> >
> >
> > Hi Jim,
> >
> > I think what Andrew is attempting is as follows (I can see his logic,
> > and wouldn't mind replicating :)
> >
> > + External user connects to http://my.web.site
> >   - Resolves to ISA external IP address
> >   - ISA proxies the request, and passes data back to external user
> >
> > He wants to do the same, except substituting external with internal,
> > giving one url for one address - it seems logical to do it this way, as
> > you don't have to manage two DNS servers, and attempt to keep the
> > mappings current and up to date.
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > Sent: Thursday, 27 September 2001 23:55
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Q: Cannot access published web server from internal network
> > >
> > >
> > > You want to translate www.externalname.com to an internal IP, but you don't
> > > want to provide name resolution with that capability?
> > > Ok, you have to take the freeway to work, but you have to ride your kid's
> > > tricycle and you have to maintain the speed limit.
> > >
> > > Reality check, here; no host connects to another by using names.  That's
> > > strictly for us dumb humans that can't remember a 32-bit number.
> > > Speaking of which, do you think IPv6 is going to make it any easier?
> > > Every TCP/IP connection that one host makes to another is through IP
> > > addresses and, if they're on the same routed subnet, MAC addresses.
> > > FQDN (DNS) resolution services allow hosts to talk to each other *_in
> > > spite of_* the "friendly names" we use.
> > >
> > > Two choices; stop trying to "beat the system" and
> > >     1. set up an internal DNS solution
> > > or
> > >     2. quit trying to connect internally using an external name
> >
> >
> 
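
The packet path Jim walks through, and the internal-DNS alternative he recommends, modelled as an added example (not part of the original thread and not ISA Server code). The 192.168.0.0/24 LAT range and the 192.168.0.10 server address are assumptions; the model only flags the condition behind the event log entry and does not decide whether ISA drops or forwards the connection.

```python
import ipaddress

# Constructed sample data; only 192.168.0.2, 123.123.123.123 and
# www.domain.com come from the thread, the rest is assumed.
LAT = [ipaddress.ip_network("192.168.0.0/24")]     # internal ranges (assumed)
PUBLISHED = {"123.123.123.123": "192.168.0.10"}    # external IP -> internal server
PUBLIC_DNS = {"www.domain.com": "123.123.123.123"}   # what the ISP's DNS returns
INTERNAL_DNS = {"www.domain.com": "192.168.0.10"}    # split-DNS view for the LAN


def in_lat(ip):
    """True when the address falls inside any LAT range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAT)


def trace(client_ip, name, resolver):
    """Follow one request and return (path, final_destination, notes)."""
    dst = resolver[name]                       # step 1: name resolution
    if in_lat(client_ip) and in_lat(dst):
        return ("direct", dst, [])             # both internal: no firewall hop
    translated = PUBLISHED.get(dst)            # steps 2-3: publishing lookup
    if translated is None:
        return ("proxied-out", dst, [])        # ordinary outbound request
    if in_lat(client_ip) and in_lat(translated):
        # Source and translated destination are both in the LAT: the
        # condition both Jim and Thor associate with the event log entry.
        note = "LAT conflict: %s -> %s" % (client_ip, translated)
        return ("loopback", translated, [note])
    return ("published", translated, [])       # external client, normal publish


def names_that_hairpin(resolver, client_ip="192.168.0.2"):
    """List names an internal client would reach via the loopback path."""
    return sorted(n for n in resolver
                  if trace(client_ip, n, resolver)[0] == "loopback")


if __name__ == "__main__":
    for label, view in (("public DNS", PUBLIC_DNS), ("internal DNS", INTERNAL_DNS)):
        print(label, trace("192.168.0.2", "www.domain.com", view))
    print("external client", trace("203.0.113.7", "www.domain.com", PUBLIC_DNS))
```
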

