On 11/2/05, JC hiep@ee.ucr.edu wrote:
Hi everyone,
I have this problem that I'm not sure what's the best solution for it. I need your input & help...
I have an internal network behind a hardware firewall. All traffic goes through the firewall. One of the firewall's rules is that it doesn't allow the internal network to access internal resources by traveling outside and then coming back. In other words, it drops all packets originating from inside the network that travel outside and then come back to access internal resources.
For example: I have a web server (using internal IP 10.1.1.10) behind the firewall. The internal network can access this web server with http://10.1.1.10, but they can't access http://www.mydomain.com. Assume that I have a static IP (xxx.xxx.xxx.xxx) that maps to 10.1.1.10 and a DNS record for www.mydomain.com that points to xxx.xxx.xxx.xxx.
What I want is to allow users inside the network to access http://www.mydomain.com instead of http://10.1.1.10.
Here is my question: should I change the rule of the firewall? If so, is there a security risk?
Is there any other solution for this?
By the way, I don't have an internal DNS, I use my ISP DNS service.
Thank you so much for your help,

Switch your view to a different angle. In order of extensibility:
1. Create an internal DNS, with two DNS servers, and an external DNS with different zone files. The external DNS resolves the external IP address, and the internal DNS resolves the internal IP address.
2. "Hijack" www.mydomain.com by creating a zone of that name on the internal DNS and giving it, the zone, the internal IP address.
3. "Hijack" www.mydomain.com by creating an entry in the local hosts file with the internal IP address.
Pros/Cons
1. Most extensible but may be a fair amount of initial setup. Normal for large to very large companies. Add/change/delete requests require up to two changes each.
2. Requires internal DNS servers but only requires maintenance for "hijacked" internal sites.
3. Requires every system to be touched and retouched for maintenance.
-- Leonard Isham, CISSP Ostendo non ostento.
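As an added illustration of options 1 and 2 above (this is not configuration from the original thread), here is a BIND 9 split-horizon setup: the internal view answers www.mydomain.com with 10.1.1.10 for clients on the LAN, while the external view answers with the public address. The 10.1.1.0/24 LAN range, the placeholder public address 203.0.113.10, the name-server address and the file paths are assumptions.

```conf
// named.conf (BIND 9) -- added example, not from the original thread.
// Assumptions: internal LAN is 10.1.1.0/24, the public address of the
// web server is the placeholder 203.0.113.10, zone files live in /etc/bind.

acl "internal-nets" { 10.1.1.0/24; 127.0.0.0/8; };

// Option 1: internal clients are served a zone file with private addresses.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                 // LAN hosts may use this server for all lookups
    zone "mydomain.com" {
        type master;
        file "/etc/bind/db.mydomain.com.internal";
    };
};

// Everyone else is served the public zone file, with recursion disabled.
view "external" {
    match-clients { any; };
    recursion no;
    zone "mydomain.com" {
        type master;
        file "/etc/bind/db.mydomain.com.external";
    };
};

// /etc/bind/db.mydomain.com.internal (only the www record differs)
// $TTL 3600
// @    IN SOA ns1.mydomain.com. hostmaster.mydomain.com. ( 2005110201 7200 900 1209600 3600 )
// @    IN NS  ns1.mydomain.com.
// ns1  IN A   10.1.1.2          ; assumed address of the internal name server
// www  IN A   10.1.1.10         ; private address: no round trip through the firewall

// /etc/bind/db.mydomain.com.external
// identical, except:  www  IN A  203.0.113.10   ; placeholder public address

// Option 2, if you would rather not keep a full internal copy of the zone:
// run one recursive server for the LAN and override just the single name.
// view "internal" { ...
//     zone "www.mydomain.com" { type master; file "/etc/bind/db.www-override"; };
// };
// db.www-override holds  @ IN A 10.1.1.10  (plus its own SOA and NS records);
// every other name under mydomain.com still resolves through normal recursion.
```

Verify the split from both sides with `dig @<server> www.mydomain.com A` from a LAN host and from outside; the internal answer should be 10.1.1.10 and the external one the public address.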