PIX DNS, NAT, DMZ

Gurus,

We have 6 offices across the globe, with various PIX's (506, 501, 515), VPNs between offices and Active Directory Integrated DNS.  I'll be installing a new web server into the head office network on the ASA 5510's DMZ port and adding the server name to DNS, which will be replicated to all offices.

Network info:
Head office 192.168.10.0/24
Web server DMZ 172.16.1.10
US office 192.168.11.0/24

My question relates to DNS; if an international user connects to his local office with his Cisco client and attempts to connect to the web server he won't be able to reach it as 'his' PIX gives out DNS servers on his network.  As such he wouldn't be able to route to it.

Previously I have evaded this issue with hosts file entries and gotten away with it, as the server was externally hosted to all offices (inc. head office), but now that the server is moving I can't use hosts files, since a US visitor to the head office could not reach the web server on its external address from inside head office.

I trust this makes sense...?

Thanks muchly
jasonhamlett asked:

Chris Dent (PowerShell Developer) commented:

Hi,

Before continuing I'd like to make sure I understand properly.

  - Head Office: Access Web Server on Internal IP. Cannot reach server on External
  - Branch Offices: Access Web Server on External IP. Cannot reach server on Internal

If that's correct then we need to look at your DNS infrastructure slightly.

Is the Domain Name for the Web Site different from the Active Directory Domain Name?

Each Branch Office uses a DNS Server local to it? And the Head Office uses its own local DNS server as well?

If we're doing well so far then there's fortunately a fairly simple answer to the problem.

1. On DNS Server for Head Office:
 - Create a Forward Lookup Zone with the name of the website (e.g. www.yourdomain.com).
 - Set as Primary, but not AD Integrated
 - Do Not Enable Dynamic Updates
 - Delete any Host(A) Records
 - Add a Host(A) Record with a Blank Name pointing to the Internal IP Address of the Web Server

2. On DNS Servers for Branch Offices:
 - Create a Forward Lookup Zone with the name of the website (e.g. www.yourdomain.com).
 - Set as Primary, but not AD Integrated
 - Do Not Enable Dynamic Updates
 - Delete any Host(A) Records
 - Add a Host(A) Record with a Blank Name pointing to the External IP Address of the Web Server

The reason for using the full name of the web site is that it allows you to create an internal record for a single name, avoiding any issues for resolution of any other hosts within the Domain.

HTH

Chris
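The two zone procedures above, expressed as an added PowerShell script that is not from the original thread. It assumes a Windows DNS server with the DnsServer module (Windows Server 2012 or later); the internal address 172.16.1.10 is from the question, while `203.0.113.10` is a constructed placeholder for the web server's external address, which the thread does not give. Run it once on each DNS server with the `-Site` value that matches that server's location.

```powershell
<#
  Added example (not from the original thread): split-horizon zone for a
  single web host name on a Windows DNS server, using the DnsServer module.
  The same script is run on every server; only -Site differs per office.
#>
param(
    [Parameter(Mandatory)][ValidateSet('HeadOffice', 'Branch')]
    [string]$Site,
    # Host name from the thread's example; replace with the real site name.
    [string]$WebHost = 'www.yourdomain.com',
    # Internal DMZ address from the question.
    [string]$InternalIP = '172.16.1.10',
    # Placeholder external address (TEST-NET-3); the thread does not give the real one.
    [string]$ExternalIP = '203.0.113.10'
)

Import-Module DnsServer -ErrorAction Stop

$target = if ($Site -eq 'HeadOffice') { $InternalIP } else { $ExternalIP }

# 1. Zone named after the full host name, file-backed (so not AD integrated),
#    with dynamic updates disabled so no client can overwrite the record.
if (-not (Get-DnsServerZone -Name $WebHost -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $WebHost -ZoneFile "$WebHost.dns" -DynamicUpdate None
}
$zone = Get-DnsServerZone -Name $WebHost
if ($zone.IsDsIntegrated -or $zone.DynamicUpdate -ne 'None') {
    throw "Zone $WebHost must be file-backed with dynamic updates off; fix before continuing."
}

# 2. Remove any existing A records, then add the blank-name (apex) record.
Get-DnsServerResourceRecord -ZoneName $WebHost -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $WebHost -Force
Add-DnsServerResourceRecordA -ZoneName $WebHost -Name '@' -IPv4Address $target `
    -TimeToLive (New-TimeSpan -Minutes 5)

# 3. Verify what this server now answers for the name.
$answer = (Resolve-DnsName -Name $WebHost -Type A -Server 127.0.0.1 -DnsOnly).IPAddress
if ($answer -ne $target) {
    throw "Expected $WebHost -> $target from this server, got '$answer'."
}
"$Site DNS server answers $WebHost -> $answer"
```

Clients that already cached the name will keep the old answer until its TTL expires or they run `ipconfig /flushdns`.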
jasonhamlett (Author) commented:
Chris - You da man... points on their way...
Chris Dent (PowerShell Developer) commented:

You're welcome :)

Chris