soothin asked:

IP address keeps bouncing

I’m hoping someone can point me in the right direction. The problem we are having is for some reason, the company’s IP is bouncing between our internal and external web addresses, and when that happens, the user at the workstation has to perform repair on the network connection to re-establish connectivity on the network.
For example, the internal address 10.6.2.9 to the webserver will shift to 67.X.X.X (which grants access into the company) at the workstation. After repair, it goes back to normal. This doesn’t happen to everyone at the same time, but will happen 5 or 6 times a day. On our internal network, you can’t come in from an external address, so the shift to 67 networks will stop Internet access.
A little background info: Outside world comes in via Cisco 3600 to PIX firewall; Windows 2003 server environment; three DNS servers; two WINS; seven sub-nets.
Extra info: recently moved FSMO roles Schema, Domain naming, PDC Emulator from one domain controller to another and ran DCPROMO to downgrade former boss server.
Ron Malmstead

Sounds like you have multiple DHCP servers running on the same subnet... or a router using the DHCP helper command pointing to a DHCP server on another one of your subnets, or a managed switch not fully configured that has DHCP turned on.

NOTE: You could statically assign multiple subnets to a single NIC on your webserver... so that it would serve requests to both subnets.

not really a best practices scenario though...lol


Please be clear what you mean by IP addresses "shifting".

67.x.x.x... I think you mean 169.x.x.x. This means that a DHCP server could not be reached. Check your DHCP server and see how many addresses are available. You may need to adjust your lease times.
I'm thinking you have the same hostname resolving to the inside and the outside address on your DNS servers. Where are your hosts supposed to get that 10.6.2.9 address? Is it possible that one DNS server has that one and another has the outside one?
But yes, please clarify: is the user's address changing, or is the web server's name resolving to a changing address?
prashsax

I agree with xuserx2000. It does seem like multiple DHCP servers.

Do one test: pause your DHCP server for some time.

Then from one of the machines,


ipconfig /release
ipconfig /renew

See if it gets any IP address. If it does, then you have multiple DHCP servers running in your LAN.

And because of it, your client receives that IP address from it. Check your router or firewall, if they are running DHCP services.


ASKER CERTIFIED SOLUTION
rickyclourenco

>On our internal network, you can’t come in from an external address

You know that you can fix that with source NATting, right?

Cheers,
-Jon

soothin (ASKER)

You guys are going to have to forgive me, I’m new to this company, and I’m still trying to understand the setup around here.

Both addresses are valid, the internal and the external. Internally, users access the webserver via 10.6.2.9 (recorded in DNS as www and ftp).
On the 67 network, external users access the website (not an entry in DNS).

You are saying that, if I navigate to www.MYCOMPANY.com it will point to 10.6.x.x, then for some reason it will eventually start navigating users to the 67.x.x.x address, which they cannot access, because it is the EXTERNAL address for the server, but when you repair their connection, it resolves to the INTERNAL address again 10.6.x.x... let me know if this is correct
----Yes, this is absolutely correct, and “www” under Forward Lookup Zones points to 10.6.2.9

As rindi has described, after performing an ipconfig /all on my workstation, it looks as though a third DNS server is pointing to an external address.
On the server itself, the DNS server has a third, but completely different, external DNS server address bound. Also, the alternate DNS server has two completely different external IP addresses bound as DNS servers. Not sure why they’ve done this. Researching right now.
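An added check, not from the thread, for the misconfiguration soothin found: parse `ipconfig /all` output from a workstation and flag any configured DNS server that sits outside the internal address range. The sample output and the 10.6.0.0/16 internal range are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not real output from the
# asker's network; the 203.0.113.53 entry is the kind of stray external
# resolver that hands back the public address for www).
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 10.6.4.37
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.6.4.1
   DHCP Server . . . . . . . . . . . : 10.6.2.5
   DNS Servers . . . . . . . . . . . : 10.6.2.5
                                       10.6.2.6
                                       203.0.113.53
   Primary WINS Server . . . . . . . : 10.6.2.7
"""

# Assumption: the site uses 10.6.0.0/16 internally (the asker's 10.6.x.x).
INTERNAL_NETS = [ipaddress.ip_network("10.6.0.0/16")]


def parse_dns_servers(text):
    """Return the DNS server IPs listed in ipconfig /all text. The first
    server is on the 'DNS Servers' line; extra servers follow on
    continuation lines that hold only an IP address."""
    servers = []
    collecting = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers.*?:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        if collecting:
            cont = re.match(r"\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)
            if cont:
                servers.append(cont.group(1))
            else:
                collecting = False
    return servers


def external_dns_servers(text, internal_nets=INTERNAL_NETS):
    """DNS servers outside every internal range: the ones that can answer
    with the public address for a name that should resolve internally."""
    return [s for s in parse_dns_servers(text)
            if not any(ipaddress.ip_address(s) in n for n in internal_nets)]


if __name__ == "__main__":
    for s in external_dns_servers(SAMPLE_IPCONFIG):
        print("external DNS server configured on this client:", s)
```

Run it against real `ipconfig /all` output saved to a file on each workstation, and against the server's own NIC settings, to find every place an outside resolver is bound.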
You should set up DNS internally; do not use outside DNS servers anywhere. Set up DNS on a MS Server (if not already done), then set up DNS forwarders, which forward any external requests to the external ISP DNS servers... this way you control all of the DNS, and then you will not have the issue of resolving to outside IP addresses etc.

http://www.petri.co.il/install_and_configure_w2k_dns_server.htm  <-- setup Windows DNS Server
>which they cannot access, because it is the EXTERNAL address for the server

Once you turn on source NATting they can almost certainly access it - maybe you might want to do that so folks stop complaining, and *then* track down the actual source of the problem.

Cheers,
-Jon
soothin (ASKER)

Well, The--Captain, they have it set this way by design and they do not want to be able to come back in externally. Who am I to argue, I'm just a small HUB in a world of ROUTERS (just connecting a few gaps here).

12 hours ago, removed all external IPs, and made sure the DNS servers pointed at themselves. So far, it seems to be working perfectly. Just giving things time to settle down a bit before I shout JOY! JOY!
Sounds good there Soothin, that should work.

BTW The-Captain... NAT'ing has NOTHING to do with this situation, and not being able to access the server via its EXTERNAL address... if you are internal to your firewall it will not let you navigate to its own outside address and then come back in... that's like saying you can VPN into your company from your desk at work... it just doesn't work, by design
>it just doesn't work, by design

>NAT'ing has NOTHING to do with this situation

It may not be causing the problem, but it can certainly be used to work around it until the real problem can be addressed (although maybe it already has been)

ricky - just curious - do you know exactly why it doesn't work when you try to access an internal server from an internal client via a NATted external IP?

I do, and it makes you look very silly to say it just doesn't work by design.  

It doesn't work because the firewall translates the destination IP back to an internal IP, and then, when the server responds back (sourced from its internal IP), the initial client says "go to hell <internal IP>, I'm trying to talk to <external IP>".

The way to fix this is by turning on source NATting on the firewall (do you even know what source NATting is?)  Source NATting will re-write the *source* of the packets, so that when an internal client tries to access the internal server via its external IP, the firewall also translates the source of the packet to make it look like the firewall originated the packet - then the server tries to talk exclusively to what it thinks is the firewall, while the firewall merely reverses the translation again and sends the packets back to the client.

So, yes, it will work if you know how to configure your equipment properly - please stop asserting things are impossible just because you do not understand, or have only seen things done a certain way.

>that's like saying you can VPN into your company from your desk at work

I can.

Cheers,
-Jon
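An added toy model, not from the thread, of the exchange Jon describes: a stateful firewall with a static destination NAT for the public address, run once without and once with source NAT, reporting whether the client accepts the server's reply. All addresses are constructed; 67.0.0.10 stands in for the 67.x.x.x public address and 10.6.4.1 for the firewall's inside interface.

```python
# Constructed addresses for the model (not the asker's real ones).
CLIENT = "10.6.4.37"       # internal workstation
SERVER_INT = "10.6.2.9"    # webserver's internal address
SERVER_EXT = "67.0.0.10"   # webserver's public address (stands in for 67.x.x.x)
FIREWALL_INT = "10.6.4.1"  # firewall inside interface, used as the SNAT source


class Firewall:
    """Toy stateful firewall: static DNAT of the public IP, optional SNAT.
    Packets are (src, dst) tuples."""

    def __init__(self, snat):
        self.snat = snat
        self.state = {}  # translated (src, dst) -> original (src, dst)

    def outbound(self, pkt):
        src, dst = pkt
        if dst != SERVER_EXT:
            return pkt
        # DNAT public -> internal; with SNAT also hide the client behind us.
        new = (FIREWALL_INT if self.snat else src, SERVER_INT)
        self.state[new] = pkt
        return new

    def inbound(self, pkt):
        # A reply's (src, dst) is the reverse of the translated flow.
        orig = self.state.get((pkt[1], pkt[0]))
        if orig is None:
            return pkt
        return (orig[1], orig[0])


def hairpin_exchange(snat):
    """Return True if the client accepts the reply to a request it sent to
    the server's public address."""
    fw = Firewall(snat)
    request = (CLIENT, SERVER_EXT)
    at_server = fw.outbound(request)
    reply = (at_server[1], at_server[0])    # server answers whoever asked
    # Assumption of the model: only a reply addressed to the firewall itself
    # passes back through it; one addressed to an inside host goes direct.
    if reply[1] == FIREWALL_INT:
        reply = fw.inbound(reply)
    # The client only accepts a reply from the address it talked to.
    return reply == (SERVER_EXT, CLIENT)


if __name__ == "__main__":
    print("without source NAT, client accepts reply:", hairpin_exchange(False))
    print("with source NAT, client accepts reply:   ", hairpin_exchange(True))
```

Without SNAT the reply arrives from 10.6.2.9 while the client is waiting on 67.0.0.10, which is the mismatch Jon describes; with SNAT both translations are reversed on the way back.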

I didn't notice the SOURCE in front of NATing; that's the reason I responded to what you had said. I didn't want him to get thrown off the true path of the solution by throwing NATing into the mix; it would just complicate the situation rather than just fixing DNS and DHCP, which was the most direct way to resolve the issue...

You are definitely a firewall expert compared to me, that's not my gig, so glad you knew all about source NATing and VPN'ing from your desktop; if anyone needs to VPN from their desktop, into their own company... call The Captain ;-)

>if anyone needs to VPN from their desktop, into their own company...call The Captain ;-)

LOL!

Cheers,
-Jon