split dns trouble cant use external addresses to get to internal resources

our internal domain has a different dns name, internalsite.org, than our external, externalsite.org.  our website (hosted elsewhere) uses www.externalsite.org, our email addresses use @externalsite.org

we have external dns entries set up for our web, mail and terminal servers, the external entries used to work from both on and off campus until we put in a new firewall today.  now webserver.externalsite.org works off campus, but not on!  same for mail and ts.

the firewall folks (watchguard) say we need to reconfigure our setup and put our mail and webservers into a dmz.  I'd rather not do that considering the time and work it would require.  any thoughts?  how much would it require to change the fqdn of our internal dns scheme?

any thoughts or help is much appreciated.
jhaffAsked:
Who is Participating?
 
jhaffConnect With a Mentor Author Commented:
i just fixed my own problem... i added another primary dns zone to my internal dns... so now i have internal.org and external.org as zones on my domain.  the external.org zone points our clients to the internal address before they can hit the interwebs dns.

this works for me because of my limited external presence.  dpk... i'm interested in your solution, because i attempted to route the internal machines to mail, web, and ts via the watchguard and didn't see how it could be done.  

thanks for your help.
0
 
dpk_walCommented:
As I understand you have web, mail and TS configured on the trusted network; and you already have a DNS server which redirects the requests from the internal machines to the these servers on the externalsite.org URL.

If this is the case, then with watchguard you would not be able to reach the servers from the internal network; the reason is the WG along with many vendors cannot have the ingress interface same as the egress interface for a packet and thus the problem; many vendors like cisco allows something they implement as hairpin which allows you to do this!

With watchguard you can configure your DNS Server to rather direct the internal machines to the internal IP than the external IP which would solve the issue.

Thank you.
0
 
dpk_walCommented:
Good to know that the problem is solved! :)

>> i attempted to route the internal machines to mail, web, and ts via the watchguard and didn't see how it could be done

Sorry but I did not understand what you could not configure; frankly on WG there is no configuration which is required; the only configuration what is needed is on the DNS Server; which you have already done [by adding one more zone].
Please correct me if I misunderstood.

Thank you.
0
 
PugglewuggleCommented:
My recommendation is to setup another DNS zone on your internal DNS server that matches your external zone.
Then setup zone transfers from the external zone (public) to the external zone (local) to keep DNS records in sync.
This is a straight forward solution that will solve your problem without having to reconfigure all you servers.
Cheers! Let me know if you have any more questions!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.