clueless and need help.

Westy westy at swbell.net
Tue Feb 24 04:33:57 UTC 2004


"Simon Hobson" <shobson0309 at colony.com> wrote in message
news:c0skb4$2u9n$1 at sf1.isc.org...
> Westy wrote:
> >Here's the setup.  We have a consortium of three different\separate
> >domains\organizations A.org, B.org, and C.org that are sharing a domain
> >D.org. The server they share\use is housed at domain A.org.  Domain A.org
> >also maintains the primary nameserver for both internal and external DNS.
> >The server they share has two nic cards in it, each having a different
> >subnet address for the internal network. Nic A 192.104.39.226 (label D.org)
> >and Nic B 192.104.40.225 (label D-2.org). They all use one external address
> >and the domain name D.org for the external network.  Domain A.org uses the
> >subnet 192.104.39.0 and the other two domains B.org and C.org both use the
> >subnet 192.104.40.0.  Domain A.org has a zone set up in its internal DNS
> >with an A record that maps D.org to 192.104.39.226.  The other two domains
> >B.org and C.org do not have zones set up on their internal DNS.  Domain
> >A.org has a zone set up for external DNS for domain D.org.  There is an A
> >record in the file that maps www.d.org to the external address 205.46.83.71.
> >We have a firewall set up that NATs the address 205.46.83.71 to
> >192.104.39.226.  We're switching ISPs and I changed the external address to
> >4.36.130.71 in the zone file and on the firewall.  From the outside all
> >seems to be working well, other than reverse lookup is not enabled; you can
> >get the page displayed with no problem if you use www.d.org, and nslookup
> >and dig return the correct nameserver information.  The problems are on the
> >internal subnet 192.104.40.0, primarily with domain C.org.  Since the
> >change of the external ip address domain C.org cannot attach to the server
> >via http.  Domain C.org can ping and telnet to the server nic
> >192.104.40.225, and login via telnet.
> >
> >Here are the problems.  The domains B.org and C.org cannot resolve the name
> >D.org.  I'm told they do not need zones set up in their internal DNS.  That
> >when the query to their internal DNS for www.d.org fails, the query will be
> >sent out to the Internet and the primary nameserver housed at domain A.org
> >will resolve the name www.d.org to 205.46.83.71, the firewall then NATs it
> >to 192.104.39.226, and the page is displayed.  This is not working; domains
> >B.org and C.org get (page not found) via a browser when using the DNS name.
> >Domain B.org can connect and display the page if it uses the ip address
> >http://192.104.40.225. The domain B.org admin tells me the DNS name
> >resolution has never worked from day one; they have always had to use the ip
> >address.  Domain C.org cannot get the page displayed, period; the domain
> >C.org admin tells me they have always used the DNS name and not the address.
> >Now, neither domain can ping by name. Both can ping and telnet successfully
> >by using the ip address 192.104.40.225.
> >
> >Do we need to set up something in domain A.org's internal DNS to map the ip
> >address 192.104.40.225 to d-2.org, or should it be www.d-2.org?  And tell
> >domains B.org and C.org to use that DNS name? Or, is there a way to set up
> >the configuration in domain A.org so all three domains can use D.org or
> >www.d.org internally?  What would prevent domain C.org from being able to
> >connect via http, when you can ping and telnet to the ip address?  This
> >really puzzles me. The outside world and domains A.org and B.org can connect
> >via http, even though domain B.org has to use the ip address rather than the
> >DNS name.  Domain A.org has no problems connecting via DNS name or ip
> >address; it can ping and telnet also.  Do we need to set up something (a zone
> >or an A record and PTR record) in domains B.org and C.org's internal DNS
> >that would map an ip address (192.104.40.225) back to d.org or d-2.org?  Or
> >should the external nameserver be resolving the name for us?  I fail to see
> >why changing the external ip address in the zone file and on the firewall
> >would prevent domain C.org from connecting via http.  I assumed that with
> >them being on the internal network, the change would not have an impact
> >on them. Is this assumption correct?
>
> Well, from all that I THINK you have this:
>
> in B & C, you use external name resolution to get the public IP of
> the server www.D.org from the nameserver in A - but you cannot
> connect to it from B or C.
>
> My guess is that the firewall is not set up to take an internal
> connection, map it to the outside interface, and then map it back
> into the internal network. The quick and simple way to deal with this
> is to set up a slave (or stub) zone for D.org on the internal
> nameservers for B & C with the master(s) specified as the internal
> address of the A nameserver. This will result in queries for D.org
> being sent to the internal server and being resolved to the internal
> address of the server.
>
> Alternatively, configure a split horizon name service so that
> requests from B & C are resolved to the internal address, but all
> other requests are resolved to the external address. For this setup I
> suggest it would be overkill though.
>
> Simon
>
> --
>
> NOTE: This is a throw-away email address which will reach me for as
> long as it stays spam-free, remove date for real address.
>
> Simon Hobson, Technology Specialist
> Colony Gift Corporation Limited
> Lindal in Furness, Ulverston, Cumbria, LA12 0LD
> Tel 01229 461100, Fax 01229 461101
>
> Registered in England No. 1499611
> Regd. Office : 100 New Bridge Street, London, EC4V 6JA.
>

As I said, clueless, but thanks for the reply. In the end a dumb ass mistake:
I forgot to change the default gateway on the server whose external ip
address I changed.
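The two options Simon describes, written out as BIND named.conf fragments. This is an added example, not configuration from the thread or from either site; the internal address of A.org's nameserver (192.104.39.1) is a placeholder, since the post never gives it, and the file paths are assumed.

```conf
// --- Option 1: on the internal nameservers of B.org and C.org ---
// Pull an internal copy of d.org from A.org's internal nameserver so that
// www.d.org resolves to the server's inside address instead of the NATed
// public one (which the firewall will not hairpin from inside).
// 192.104.39.1 is a PLACEHOLDER for A.org's internal nameserver.
zone "d.org" {
    type slave;                       // "secondary" in newer BIND 9
    file "slave/d.org";               // assumed path, relative to "directory"
    masters { 192.104.39.1; };        // "primaries" in newer BIND 9
};

// A stub zone is the lighter alternative: it copies only the NS records and
// sends d.org queries to those servers, so no full zone transfer is needed.
zone "d-2.org" {
    type stub;
    file "stub/d-2.org";              // assumed path
    masters { 192.104.39.1; };
};

// --- Option 2 (split horizon): on A.org's nameserver instead ---
// Internal clients get the inside addresses, everyone else gets 4.36.130.71.
// Zone transfers of the internal data are restricted to the two inside
// subnets so the private addresses never leak to the outside view.
acl "internal-nets" { 192.104.39.0/24; 192.104.40.0/24; };

view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    zone "d.org" {
        type master;
        file "internal/d.org";        // www A 192.104.39.226 / 192.104.40.225
        allow-transfer { "internal-nets"; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                     // public view answers only for its zones
    zone "d.org" {
        type master;
        file "external/d.org";        // www A 4.36.130.71
        allow-transfer { none; };
    };
};
```

With either option, `dig @<B-or-C-internal-ns> www.d.org A` from the 192.104.40.0 subnet should return an inside address rather than the public one; if it still returns 4.36.130.71, the query is leaving via the external path and the firewall hairpin question remains.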



More information about the bind-users mailing list