* Enabling internal connections to transparently connect via external IP address
From: Chris Willis @ 2007-05-31 20:17 UTC
To: 'netfilter@lists.netfilter.org'

Environment:
Windows XP laptop machine, part of domain acme.int, IP 192.168.1.150
Windows 2003 Server running Exchange 2003 (exchange.acme.int, 192.168.1.10)
External Domain: acme.com (T1 line, firewall external IP & MX record mail.acme.com 60.60.60.60)
Firewall: PC running Fedora Core 6, IPTables, using FWBuilder to create a ruleset, 2 NICs (eth0 192.168.1.1, eth1 60.60.60.60)

Problem: when a laptop user (works in office and remotely) goes to https://mail.acme.com, it works fine from the outside, but not from the inside.

Goal: when an internal (192.168.1.X) client goes to https://mail.acme.com, the firewall should accept the packets, route them to the exchange box, and then route return packets back to the client.

This works just fine on a netscreen firewall I tested with at the client site (same IP addresses as linux box above).

Chris Willis
* Re: Enabling internal connections to transparently connect via external IP address
From: Robby Workman @ 2007-06-01 0:09 UTC
To: Chris Willis; +Cc: 'netfilter@lists.netfilter.org'
Chris Willis wrote:
> Environment:
> Windows XP laptop machine, part of domain acme.int, IP 192.168.1.150
> Windows 2003 Server running Exchange 2003 (exchange.acme.int, 192.168.1.10)
> External Domain: acme.com (T1 line, firewall external IP & MX record mail.acme.com 60.60.60.60)
> Firewall: PC running Fedora Core 6, IPTables, using FWBuilder to create a ruleset, 2 NICs (eth0 192.168.1.1, eth1 60.60.60.60)
>
> Problem: when a laptop user (works in office and remotely) goes to https://mail.acme.com, it works fine from the outside, but not from the inside.
>
> Goal: when an internal (192.168.1.X) client goes to https://mail.acme.com, the firewall should accept the packets, route them to the exchange box, and then route return packets back to the client.
>
> This works just fine on a netscreen firewall I tested with at the client site (same IP addresses as linux box above).
There's the "dirty" way (IMHO):
http://iptables-tutorial.frozentux.net/chunkyhtml/x4033.html

There's the cleaner way (IMHO):
Have your DNS server set up to serve internal clients the internal
address of mail.acme.com.

RW
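
Added example (not part of any message in this thread and not copied from the linked tutorial): the NAT approach the reply above calls the "dirty" way, written out for the addresses in the original post. The /24 mask, the restriction to TCP 443 and the function name `hairpin_rules` are assumptions; the script only prints the rules and changes nothing.

```shell
#!/bin/sh
# Prints (does not apply) hairpin-NAT rules for the setup in the original post.
# Addresses are from that post; the /24 mask and TCP 443 are assumptions
# (192.168.1.X clients, https://mail.acme.com).
LAN_IF=eth0              # firewall inside interface
LAN_NET=192.168.1.0/24   # assumed mask for the 192.168.1.X clients
FW_LAN_IP=192.168.1.1    # firewall address on eth0
PUBLIC_IP=60.60.60.60    # address mail.acme.com resolves to
SERVER_IP=192.168.1.10   # exchange.acme.int
PORT=443

hairpin_rules() {
    # 1. Inside clients that target the public address are redirected
    #    to the Exchange server.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $PUBLIC_IP" \
         "-p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT"
    # 2. Rewrite the source as well. Without this the server answers the
    #    client directly on the LAN from 192.168.1.10, and the client drops
    #    a reply that does not come from 60.60.60.60.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP" \
         "-p tcp --dport $PORT -j SNAT --to-source $FW_LAN_IP"
    # 3. Allow the flow that enters and leaves on the same interface.
    #    Replies are assumed to be covered by an existing
    #    ESTABLISHED,RELATED accept rule in the FORWARD chain.
    echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -d $SERVER_IP" \
         "-p tcp --dport $PORT -j ACCEPT"
}

hairpin_rules
```

With the SNAT rule in place, the Exchange server sees every internal client as 192.168.1.1, so its access logs no longer identify the individual workstation. The split-DNS approach avoids that.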
* Re: Enabling internal connections to transparently connect via external IP address
From: Martijn Lievaart @ 2007-06-01 9:00 UTC
To: Robby Workman; +Cc: 'netfilter@lists.netfilter.org', Chris Willis
Robby Workman wrote:
> Chris Willis wrote:
>
>> Environment:
>> Windows XP laptop machine, part of domain acme.int, IP 192.168.1.150
>> Windows 2003 Server running Exchange 2003 (exchange.acme.int, 192.168.1.10)
>> External Domain: acme.com (T1 line, firewall external IP & MX record mail.acme.com 60.60.60.60)
>> Firewall: PC running Fedora Core 6, IPTables, using FWBuilder to create a ruleset, 2 NICs (eth0 192.168.1.1, eth1 60.60.60.60)
>>
>> Problem: when a laptop user (works in office and remotely) goes to https://mail.acme.com, it works fine from the outside, but not from the inside.
>>
>> Goal: when an internal (192.168.1.X) client goes to https://mail.acme.com, the firewall should accept the packets, route them to the exchange box, and then route return packets back to the client.
>>
>> This works just fine on a netscreen firewall I tested with at the client site (same IP addresses as linux box above).
>>
>
>
> There's the "dirty" way (IMHO):
> http://iptables-tutorial.frozentux.net/chunkyhtml/x4033.html
>
> There's the cleaner way (IMHO):
> Have your DNS server set up to serve internal clients the internal
> address of mail.acme.com.
>
Or even cleaner, set up the Exchange server in a DMZ (you still have to
do the split-dns unless you get multiple IPAs).
M4