DNS changes required to reach external WAN IP from inside network

Posted on 2011-10-12
Medium Priority
Last Modified: 2012-05-12
Hi, I cannot reach the network's external WAN IP address from inside the network. This has never been an issue up to now, but we have some iPads that cannot get company email while connected to the company network (works fine from outside).
I know it is a firewall issue, but we use BT Secure Services and their firewall will not allow it.
Is there any way to create a DNS entry on the DC server (2003) that will somehow fudge it so that we can reach the external WAN IP from inside?
Question by: activateahsd
LVL 39

Expert Comment

by: Krzysztof Pytko
ID: 36956186
As a workaround, have you tried to create the external domain name in DNS and put a host (A) record there with the internal IP address?

Just a trick but may work.

LVL 26

Expert Comment

by: Fred Marshall
ID: 36956992
I doubt that name service will get around this issue.
Can you ping the outside address from the LAN? That might shed some light on it.

Also, why only iPads?  Why wouldn't you be having this issue in general if it's the firewall?

BT Secure Services firewall "will not allow it"? Not allow what? Or are you simply referring to the traffic mentioned? If so, how do you know that's what it is? That would be helpful information.

Accepted Solution

penguinjas earned 1000 total points
ID: 36957554
It sounds like you have iPad users connected to your local network over wireless. You want these iPad users to be able to connect to email locally on the internal network, but when you configure the iPads they are set to use an external DNS domain name. The firewall will not allow the iPads to go out and come back in on the external IP to connect to email.

You need to set up DNS so that when the iPads query the domain name while they are local on the network, the local DNS server will send them to your internal email server.

Are you using Exchange for email, and if so, are you using ISA too? I got around this on my network by creating a new forward lookup zone in DNS for the external domain name and an A record to point queries to my ISA server.

Example: If your external domain name is owa.contoso.com, then create a forward lookup zone called contoso.com, and inside that lookup zone create an A host record called owa and set the IP address to your Exchange server or ISA server. When the iPads query DNS they will resolve the external name to the internal server.


Assisted Solution

shahravish earned 1000 total points
ID: 36962373
First you need to ensure what DNS server the iPads are pointing to. If they are on the internal wifi network, and assuming DNS is provided by a local DC, you could create a forward lookup zone as penguinjas suggested and create a new A record with the local/internal IP address. Essentially what you need is a loopback NAT policy, but since you mention you don't have much control over the BT firewall, this may not be possible. We normally achieve this by creating a loopback NAT policy that translates requests from internal networks for the external IP address back to the internal IP address, hence requests never go outside the firewall. They are routed back to the correct server.
In cases when such a firewall config is not possible, we achieve this by creating a forward lookup zone in DNS for the external domain name and creating an A record with the internal IP address. This needs to be created on the DNS server that the iPads are pointing to. In most cases, it is the DNS on the DC.
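An added check to verify the split-horizon fix described in the two answers above (this is not code from the thread): a stdlib-only Python resolver that sends an A query to a chosen DNS server, parses the reply, and reports whether that server hands clients the LAN address (split-horizon, the intended result) or the WAN address (hairpin through the firewall, the failure in the question). The domain name, the server addresses and the WAN IP below are constructed placeholders, not values from the page.

```python
import socket
import struct

def build_a_query(name, txid=0x1234):
    # Header: id, flags (RD set), qdcount=1; then QNAME, QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)
def _skip_name(msg, off):
    # Advance past a domain name; a byte with the top two bits set is a 2-byte compression pointer
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1
def parse_a_answers(msg):
    # Collect IPv4 addresses from the answer section of a DNS response
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, ips = 12, []
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE/QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips
def resolve_a(name, server, timeout=2.0):
    # Ask one specific resolver (e.g. the DC's DNS, 10.0.0.1 as a placeholder) rather than the OS stub resolver
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_answers(data)
def classify(internal_ips, wan_ip):
    # 'hairpin': the internal resolver sends clients to the WAN IP, so they loop out through the
    # firewall that drops this; 'split-horizon': the internal zone answers with a LAN address
    if wan_ip in internal_ips:
        return "hairpin"
    return "split-horizon" if internal_ips else "no-answer"
def constructed_response(name, ip):
    # Constructed sample reply (not captured traffic): query echoed back with response flags 0x8180,
    # ancount=1 and a single A record whose name is the pointer 0xC00C to the question name
    q = build_a_query(name)
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return hdr + q[12:] + rr
```

Run `classify(resolve_a("owa.contoso.com", "10.0.0.1"), "203.0.113.10")` from a client on the LAN, substituting the real internal DNS server and WAN IP; "hairpin" means the forward lookup zone is missing or not authoritative on that server.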

Author Comment

ID: 37182141
It turned out to be the BT Secure Services firewall blocking the traffic. Haven't tried the DNS suggestions yet but it sounds like they would work.
