DNS changes required to reach external WAN IP from inside network

Posted on 2011-10-12
Last Modified: 2012-05-12
Hi, I cannot reach the network's external WAN IP address from inside the network - this has never been an issue up to now but we have some iPads that cannot get company email while connected to the company network (works fine from outside).
I know it is a firewall issue but we use BT Secure Services and their firewall will not allow it.
Is there any way to create a DNS entry on the DC Server (2003) that will somehow fudge it so that we can reach the external WAN IP from inside?
Question by:activateahsd
    LVL 39

    Expert Comment

    by:Krzysztof Pytko
    As a workaround, have you tried creating the external domain name in DNS and putting a host (A) record there with the internal IP address?

    Just a trick but may work.

    LVL 25

    Expert Comment

    by:Fred Marshall
    I doubt that name service will get around this issue.
    Can you ping the outside address from the LAN?  That might shed some light on it.

    Also, why only iPads?  Why wouldn't you be having this issue in general if it's the firewall?

    BT Secure Services firewall "will not allow IT"? Not allow what? Or are you simply referring to the traffic mentioned? If so, how do you know that's what it is? That would be helpful information.
    LVL 6

    Accepted Solution

    It sounds like you have iPad users connected to your local network over wireless.  You want these iPad users to be able to connect to Email locally on the internal network but when you configure the iPads they are set to use an external DNS domain name.  The firewall will not allow the iPads to go out and come back in on the external IP to connect to Email.

    You need to set up DNS so when the iPads query the domain name and they are local on the network the local DNS server will send them to your internal Email server.

    Are you using Exchange for Email and if so are you using ISA too?  I got around this on my network by creating a new forward lookup zone in DNS for the external domain name and an A record to point queries to my ISA server.

    Example: If your external domain name is then create a forward lookup zone called and then inside that lookup zone create an A host record called owa and set the IP address to your Exchange server or ISA server.  When the iPads query DNS they will resolve the external name to the internal server.

    LVL 3

    Assisted Solution

    First you need to check which DNS server the iPads are pointing to. If they are on the internal wifi network, and assuming DNS is provided by a local DC, you could create a forward lookup zone as penguinjas suggested and create a new A record with the local/internal IP address. Essentially what you need is a loopback NAT policy, but since you mention you don't have much control over the BT firewall, this may not be possible. We normally achieve this by creating a loopback NAT policy that translates requests from internal networks for the external IP address back to the internal IP address, hence requests never go outside the firewall. They are routed back to the correct server.
    In cases when such a firewall config is not possible, we achieve this by creating a forward lookup zone in DNS for the external domain name, and creating an A record with the internal IP address. This needs to be created on the DNS server that the iPads are pointing to. In most cases, it is the DNS on the DC.
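
A check for the internal forward lookup zone described in the two solutions above, as an added example that is not part of the original thread: once the internal DNS server hosts a zone for the external domain name, it answers for every name in that zone, so each externally published host needs an internal record. The record format, `example.com`-style host names, addresses and the `audit_split_dns` helper are all constructed for illustration.

```python
import ipaddress

# Constructed sample records ("name A address"); the host names and all
# addresses are placeholders, not values from the thread.
EXTERNAL = """
owa           A 203.0.113.10
autodiscover  A 203.0.113.10
www           A 198.51.100.7
"""
INTERNAL = """
OWA           A 192.168.1.25
autodiscover  A 203.0.113.10
"""
WAN_IPS = {"203.0.113.10"}                    # assumed firewall outside address
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal subnet


def parse_a_records(text):
    """Parse 'name A address' lines into {lowercased name: ip_address}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            records[parts[0].lower()] = ipaddress.ip_address(parts[2])
    return records


def audit_split_dns(external_text, internal_text, wan_ips, lan):
    """Classify what an internal client gets for each externally published name."""
    external = parse_a_records(external_text)
    internal = parse_a_records(internal_text)
    wan = {ipaddress.ip_address(ip) for ip in wan_ips}
    verdicts = {}
    for name in sorted(external):
        addr = internal.get(name)
        if addr is None:
            # The internal server is authoritative for the zone, so it answers
            # "no such name" rather than forwarding the query to public DNS.
            verdicts[name] = "missing-internally"
        elif addr in wan:
            verdicts[name] = "still-wan-ip"      # traffic hairpins and is blocked
        elif addr in lan:
            verdicts[name] = "ok-internal"
        else:
            verdicts[name] = "ok-external-host"  # hosted elsewhere, no hairpin
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_split_dns(EXTERNAL, INTERNAL, WAN_IPS, LAN).items():
        print(f"{name:14} {verdict}")
```

With the sample data, `owa` resolves internally, `autodiscover` still points at the WAN address, and `www` has no internal record at all.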

    Author Comment

    It turned out to be the BT Secure Services firewall blocking the traffic. Haven't tried the DNS suggestions yet but it sounds like they would work.
