Solved

Need help with VPN NAT (kind of confusing)

Posted on 2011-03-23
Last Modified: 2012-05-11
I'll do my best to explain this. We (CompanyA) have a site to site VPN tunnel with CompanyB.  Because CompanyB is a large, public company, there are lots of policies and red tape to deal with.  For instance, even though we have a VPN configured, they require that each of CompanyA's resources be NAT'd on CompanyA's firewall and that all traffic that comes from CompanyA's resources appear to come from this public IP address, NOT the internal LAN address.  I got over that one...It was a pain, but easy enough.  The problem that has me banging my head against the wall is this:

- CompanyA provides an internal webpage that hosts all our content on a SQL back end.
- CompanyB can access this resource as requested, by using the public IP I used in the NAT policy for this resource.
- The webpage has thousands of links to other documents hosted in the database. These links all point to http://internal_server_name_/blah/blah/blah.pdf
- Because they require the public address, they cannot resolve "internal_server_name" to anything, therefore cannot open the links. The same applies when CompanyA employees want to send links to the webpage via email.

Anytime a link is sent to CompanyB, the employees at CompanyA must manually change the link to read: http://servers_public_ip_address/blah/blah/blah.pdf. Like I said, there are thousands of links, which all point to the server's internal name, so changing every one of those is out of the question.

If anyone can help me figure this one out, I'll owe you big time.

We are at a stalemate at this point. They refuse (or are just too large a company) to agree to just be done with the public IP and use the internal IP, which would solve all the problems. I've exhausted all my resources trying to come up with a resolution for this, but I'm just banging my head against the wall.
Question by:tenover

Expert Comment

by:Qlemo
ID: 35200535
How about seeing it the other way round - only use "external" links? You can resolve that on CompanyA's site to be the same as the internal IP - if you can use a name for the public IP at CompanyB, that is.
If they refuse to do any DNS resolution (which would even allow "internal name" to be resolved to the public IP on their network), you have to change all links to the public IP. A NAT for internal traffic would be required, or having both private and public IP on the Web Server. Your options depend on your device, your knowledge, and what other conditions need to be met in addition.
 

Author Comment

by:tenover
ID: 35200578
The problem with that is going in and manually changing thousands of links.....
If we DID decide to do that though, you're saying to make a DNS alias at CompanyA that would match a public DNS entry, so that the links would all be accessible?

For instance:
internal server name:  ServerA
Internal DNS entry:  CN > ServerA>ServerAlias

Public DNS entry:  A>ServerAlias

Expert Comment

by:Qlemo
ID: 35200773
As far as I understood your example, yes, that should work.
 

Author Comment

by:tenover
ID: 35200800
Well, let me throw this out there then. I already DID have our ISP create an entry that uses the same name as the internal server (ServerA) and have it resolve to the public IP address. The problem now is that my internal domain name is company, and my external domain name is company.com. So there is some issue in that external parties still don't resolve the name....?

Accepted Solution

by:Qlemo (earned 500 total points)
ID: 35201032
Bad luck then. You need to rewrite the web address to be complete. If all you need to care about are HTML links, there are many free editors out there able to go through all text files replacing simple texts.
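The bulk rewrite suggested in the accepted answer, as an added Python example that is not part of the original thread: it replaces the short internal host with a fully qualified name only where the short name is the entire host part of a link, so `ServerA2` or an already-qualified name is left alone. `ServerA` is the name used in the thread; `ServerA.company.com`, the file suffixes and the function names are assumptions made for this example.

```python
import re
import shutil
from pathlib import Path

SHORT_HOST = "ServerA"            # internal name used in the thread
FQDN = "ServerA.company.com"      # assumed public name (constructed)

def build_pattern(short_host):
    # Match the short name only when it is the entire host part of an
    # http(s) URL: the next character must end the host (port, path,
    # query, fragment, quote, bracket, whitespace) or be end of input.
    # "ServerA2" and "ServerA.company.com" therefore do not match.
    return re.compile(
        r"(https?://)" + re.escape(short_host) + r"(?=[:/?#\"'<>\s]|$)",
        re.IGNORECASE | re.ASCII,
    )

def rewrite_links(text, short_host=SHORT_HOST, fqdn=FQDN):
    """Return (new_text, number_of_links_rewritten)."""
    return build_pattern(short_host).subn(lambda m: m.group(1) + fqdn, text)

def rewrite_tree(root, suffixes=(".html", ".htm"), dry_run=True):
    """Rewrite every matching file under root; return {path: count}."""
    changed = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        # latin-1 maps every byte to one character and back, so files in
        # any encoding round-trip unchanged apart from the ASCII host.
        text = path.read_bytes().decode("latin-1")
        new_text, count = rewrite_links(text)
        if count:
            changed[str(path)] = count
            if not dry_run:
                # Keep the original beside the rewritten file.
                shutil.copy2(path, path.with_name(path.name + ".bak"))
                path.write_bytes(new_text.encode("latin-1"))
    return changed

if __name__ == "__main__":
    # Constructed sample link, not taken from the thread.
    sample = '<a href="http://ServerA/blah/blah/blah.pdf">doc</a>'
    print(rewrite_links(sample))
```

`rewrite_tree` defaults to a dry run so the per-file counts can be reviewed before anything is written.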
