• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 261

DNS update problem

Our network is 192.168.11.x; now we want to separate it into two subnets with a Checkpoint firewall.


192.168.11.100-200 (Client PCs)  --->  Checkpoint (NAT)  <---  192.168.22.1 DC1 (w/ DNS)
                                                          <---  192.168.22.2 MAIL
                                                          <---  192.168.22.3 FILE1

(NAT)
192.168.11.1  <-> 192.168.22.1
192.168.11.2  <-> 192.168.22.2
192.168.11.3  <-> 192.168.22.3

(Checking)
1. Ping 192.168.11.1 from client PC (OK)
2. Ping 192.168.11.100 from server side (OK)
3. Get mail from MAIL server through OUTLOOK (OK)

In this case the scenario is working, but the AD DNS service is missing:
- Ping a server name, e.g. DC1, from a client PC ==> Result: 192.168.22.1, timed out
- We tried to manually add 192.168.11.1 into the DNS server, but it disappears after the DNS is updated. Only the 192.168.22.1 record remains there.

So how can we solve this so that both IP address DNS records are kept on the DNS server side? One more thing: we would not like to stop "DNS security update", as that would affect normal domain DNS updates.

Any idea? Thanks!


Asked: rhinoceros
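The failure the question describes can be reproduced with a small model. The following is an added example written for this page, not code from the thread or from Checkpoint or Microsoft: it models the AD-integrated zone after the servers register themselves, the hand-added 192.168.11.1 record, and the next dynamic registration that replaces it, then audits every name from the 192.168.11.x clients' point of view against the NAT table. The replace-on-register behaviour of `register_dynamic` is an assumption modelled on what the poster observed; the addresses are the ones from the question.

```python
import ipaddress

# Constructed data modelled on the question's topology; not the poster's real configuration.
NAT_MAP = {
    "192.168.22.1": "192.168.11.1",   # DC1 (w/ DNS)
    "192.168.22.2": "192.168.11.2",   # MAIL
    "192.168.22.3": "192.168.11.3",   # FILE1
}
CLIENT_SUBNET = "192.168.11.0/24"
SERVERS = {"DC1": "192.168.22.1", "MAIL": "192.168.22.2", "FILE1": "192.168.22.3"}


def build_zone(servers):
    """Zone as it looks after each server dynamically registers its own (real) address."""
    return {name: {ip} for name, ip in servers.items()}


def add_static_record(zone, name, ip):
    """A hand-added A record, as the poster tried (192.168.11.1 for DC1)."""
    zone.setdefault(name, set()).add(ip)


def register_dynamic(zone, name, ip):
    """Model (assumption) of the host's next dynamic registration: the host owns its
    record set and replaces it with its real address, so the hand-added address is
    gone again, which is the behaviour the poster observed."""
    zone[name] = {ip}


def audit_client_view(zone, nat_map, client_subnet):
    """Flag names whose answers are not routable from the client subnet.
    Returns {name: (status, addresses)}; for unreachable names the addresses are the
    NAT-side addresses the clients would need instead of what DNS handed out."""
    net = ipaddress.ip_network(client_subnet)
    report = {}
    for name, addrs in zone.items():
        reachable = sorted(a for a in addrs if ipaddress.ip_address(a) in net)
        if reachable:
            report[name] = ("ok", reachable)
        else:
            report[name] = ("unreachable", sorted(nat_map.get(a, a) for a in addrs))
    return report


if __name__ == "__main__":
    zone = build_zone(SERVERS)
    print("after dynamic registration:", audit_client_view(zone, NAT_MAP, CLIENT_SUBNET))
    add_static_record(zone, "DC1", "192.168.11.1")
    print("after manual record added:", audit_client_view(zone, NAT_MAP, CLIENT_SUBNET))
    register_dynamic(zone, "DC1", "192.168.22.1")
    print("after next dynamic update:", audit_client_view(zone, NAT_MAP, CLIENT_SUBNET))
```

Run against a real zone export, the audit part is a quick way to confirm that every name the clients depend on has at least one answer inside their own routable subnet; the model part shows why a static record added beside a dynamically registered one does not survive on its own.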
1 Solution
 
Redwulf__53 commented:
The only solution I see would be to NOT use NAT between the subnets, but a direct route. I cannot understand why you would use NAT in that situation. Only use NAT if you have to share a limited number of public IP addresses with a large number of hosts.
0
 
rhinoceros (Author) commented:
We put the Checkpoint firewall in to provide one more layer of protection on the server side, between the two subnets under one LAN.

If we don't use NAT, what do you suggest we do in Checkpoint?

Thanks!
0
 
Netman66 commented:
I don't think you need one-to-one mapping on those NAT addresses. Just let the firewall do the job.

Of course, you need to make sure all domain-functional ports are open (138, 139, 445, 389, 53, etc.)

http://support.microsoft.com/kb/179442/en-us

As mentioned, you'll need DNS and DHCP ports opened too.

0
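As an added example for this page (not code from the thread, Checkpoint or Microsoft), here is a small first-match rulebase check in the spirit of the advice above: given a constructed policy between the two subnets, it reports which of the domain services the comment lists (plus DNS on 53 and DHCP on 67/68) would be dropped by the cleanup rule. The rule format and the first-match-then-drop evaluation are assumptions chosen to resemble a firewall rulebase, not a Checkpoint export format.

```python
import ipaddress

# Constructed rulebase for the question's two subnets; first match wins, anything
# unmatched hits the final cleanup rule. Illustrative only.
POLICY = [
    {"src": "192.168.11.0/24", "dst": "192.168.22.0/24", "proto": "tcp", "ports": {389, 445, 53}, "action": "accept"},
    {"src": "192.168.11.0/24", "dst": "192.168.22.0/24", "proto": "udp", "ports": {53}, "action": "accept"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "ports": set(), "action": "drop"},  # cleanup rule
]

# Services the comment names as needed for domain traffic, plus DNS and DHCP.
REQUIRED = [
    ("tcp", 389, "LDAP"),
    ("tcp", 445, "SMB"),
    ("tcp", 139, "NetBIOS session"),
    ("udp", 138, "NetBIOS datagram"),
    ("tcp", 53, "DNS"),
    ("udp", 53, "DNS"),
    ("udp", 67, "DHCP server"),
    ("udp", 68, "DHCP client"),
]


def rule_matches(rule, src, dst, proto, port):
    """True when a single rule covers this src/dst/proto/port tuple."""
    src_ok = ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
    dst_ok = ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
    proto_ok = rule["proto"] in ("any", proto)
    port_ok = not rule["ports"] or port in rule["ports"]   # empty set = any port
    return src_ok and dst_ok and proto_ok and port_ok


def decide(policy, src, dst, proto, port):
    """First-match evaluation; an unmatched flow is dropped, like an implicit cleanup rule."""
    for rule in policy:
        if rule_matches(rule, src, dst, proto, port):
            return rule["action"]
    return "drop"


def missing_services(policy, src, dst, required):
    """Required services that the policy does not accept from src to dst."""
    return [(proto, port, name) for proto, port, name in required
            if decide(policy, src, dst, proto, port) != "accept"]


if __name__ == "__main__":
    client, dc = "192.168.11.100", "192.168.22.1"
    for proto, port, name in missing_services(POLICY, client, dc, REQUIRED):
        print(f"blocked client->DC: {name} ({proto}/{port})")
    for proto, port, name in missing_services(POLICY, dc, client, REQUIRED):
        print(f"blocked DC->client: {name} ({proto}/{port})")
```

Checking both directions matters here because the comments later note that the 11.x hosts and the 22.x servers have to reach each other; in this constructed policy nothing from the server side back to the clients is accepted at all, which the second loop makes visible.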

 
rhinoceros (Author) commented:
192.168.11.100-200 (Client PCs)  --->  Checkpoint (NAT)  <---  192.168.22.1 DC1 (w/ DNS)
                                                          <---  192.168.22.2 MAIL
                                                          <---  192.168.22.3 FILE1


If there are no NAT addresses, how do clients on the 192.168.11.x subnet route to 192.168.22.x through Checkpoint?

0
 
Netman66 commented:
You don't need to manually route anything. Checkpoint will route it for you.

The NIC on the .11 network should be in the LAT and not contain a gateway.  Once this is configured, Checkpoint will know how to route based on that information.
0
 
rhinoceros (Author) commented:
Friend...

What's LAT? Overall, can you tell me more about how to do what you said?


Thanks !
0
 
Netman66 commented:
LAT is Local Address Table. It's how the firewall knows what addresses are considered local (LAN) and what are considered external. Without this the firewall wouldn't know what NICs to apply filters to and how to route.

As long as the LAT is correct and the internal NIC has no gateway and the external NIC is properly configured then Checkpoint should have no problems routing packets to the outside NIC (.22.x network).

0
 
rhinoceros (Author) commented:
Thanks!

>As long as the LAT is correct and the internal NIC has no gateway and the external NIC is properly
>configured then Checkpoint should have no problems routing packets to the outside NIC (.22.x
>network).

Until now we have only had WAN<->LAN Checkpoint experience. Therefore, can you tell me more about how to use the LAT to do what I expect?


Many thanks!

0
 
Netman66 commented:
The same methods apply to LAN<->LAN connections as to LAN<->WAN connections with Checkpoint in the middle. The principle still holds true: you need each side of Checkpoint on separate networks. The internal side (which would be your 11.x network) would be included in the LAT (don't forget the internal NIC address too), and everything else would be considered outside the protected area because it is not in the LAT.

If you know how to set up Checkpoint to protect the edge of the network from the Internet, then there is little difference setting it up as you describe above. The only other thing you may need to do is create some filters/rules for domain communication so that computers on the 11.x network can communicate properly with the servers on the 22.x network and vice versa.

0
 
rhinoceros (Author) commented:
Thanks for your information...

(* but I still have not solved it)
0
