How to access ext IP from my internal LAN on remote IPsec network



  • I have an issue which I thought was resolved.

    Here was my initial issue…

    I recently installed a mail server for my company at IP = ***.***.1.11,
    and my external IP NATs to this; all mail works well.

    Internally I set up Outlook to point to my internal IP, ***.***.1.11.

    Externally (outside the firewall) I point to mail.mydomain.com; this works.

    But this doesn't work when I am internal; therefore, when I have a laptop, each time I come into the building I need to change the POP and SMTP to the internal IP address.

    We also use Citrix, which users have web access to; when users try to access Citrix through the ext IP (on our website) in the building they can't, yet if I modify the link and change the external IP to our internal IP it works.

    Anyone know what I need to fix? I can't see any blocking in the logs. We are running Squid and SquidGuard; is this what is preventing it?

    This was resolved on my local network by "using NAT reflection", but on my remote network via IPsec I don't get a response either pinging mail.mydomain.com or my external IP address. I have checked through the logs and I don't see anything.

    To sum it up:

    My mail server is in Location 1 with NAT reflection on (all works and pinging is working); outside the network all works; on Location 2, which is connected to Location 1 via IPsec, I can't ping. What should I be looking for?

    Thanks for any help



  • Turn on NAT reflection.

    Alternatively, if your users use only DNS names instead of IP addresses, define host overrides in pfSense's DNS forwarder.



  • Thanks, but neither will work.

    I have set NAT reflection, which didn't work, and using a DNS forwarder won't work.

    I can't ping my external IP address.



  • @nambi:

    on Location 2 which is connected to location 1 via IPsec I can't ping.  What should I be looking for.

    I suggest:
    1. Use traceroute at location 2 to verify your traffic takes the correct path.
    2. If the path is incomplete, use packet capture at the last system listed in the trace to verify a ping goes out the correct interface. Then use packet capture at the end of the "next hop" to verify the ping is being received. If not, fix the problem, then repeat.

    @nambi:

    using a DNS forwarder won't work.

    Why not?

    @nambi:

    on my remote network via ipsec I don't get a response either pinging mail.mydomain.com or my external Ip address.  I have checked through the logs and I don't see anything.

    Do such pings go over the public internet or over the VPN? On which path should they go? Why?



  • Thank you for the response, I do appreciate the assistance.

    Here is what I have discovered: Location A and B are connected via IPsec. Location A holds the mail server. Location B is unable to ping Location A's external IP. Location A is unable to ping Location B's external IP.

    Location B can ping Location A's INTERNAL IP.

    After looking through the logs I was able to allow Location A to ping Location B; I had to enable ICMP (echo request).

    Unfortunately reversing this on Location B was unsuccessful.

    I have used traceroute for (mail.mydomain.com), which points to Location A's external IP, on the remote network.

    The route is incomplete at IP 64.230.152.250.

    I then ran a traceroute at 64.230.152.250.

    The route gave one hop from my pfbox to 50.43.250.1, then the hop became incomplete.

    I installed Microsoft Network Monitor on a server in Location B and filtered 50.43.250.1.

    This was the result:

    943021 2:01:37 PM 3/19/2013 12161.0588449 System PRISMUSASERVER  50.43.250.1 NbtNs NbtNs:Query Request for *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> <0x00> Workstation Service {UDP:7589, IPv4:7513}
    943023 2:01:37 PM 3/19/2013 12161.0744699 50.43.250.1 PRISMUSASERVER  ICMP ICMP:Destination Unreachable Message, Port Unreachable, 50.43.250.1:137 {IPv4:7513}
    943095 2:01:39 PM 3/19/2013 12162.5588449 System PRISMUSASERVER  50.43.250.1 NbtNs NbtNs:Query Request for *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> <0x00> Workstation Service {UDP:7589, IPv4:7513}
    943099 2:01:39 PM 3/19/2013 12162.5744699 50.43.250.1 PRISMUSASERVER  ICMP ICMP:Destination Unreachable Message, Port Unreachable, 50.43.250.1:137 {IPv4:7513}
    945442 2:02:49 PM 3/19/2013 12232.6994699 50.43.250.1 PRISMUSASERVER  ICMP ICMP:Time Exceeded Message {IPv4:7513}
    945444 2:02:49 PM 3/19/2013 12232.7307199 50.43.250.1 PRISMUSASERVER  ICMP ICMP:Time Exceeded Message {IPv4:7513}
    945446 2:02:49 PM 3/19/2013 12232.7463449 50.43.250.1 PRISMUSASERVER  ICMP ICMP:Time Exceeded Message {IPv4:7513}
    945527 2:02:53 PM 3/19/2013 12237.1994699 System PRISMUSASERVER  50.43.250.1 NbtNs NbtNs:Query Request for *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> <0x00> Workstation Service {UDP:7589, IPv4:7513}
    945528 2:02:53 PM 3/19/2013 12237.2150949 50.43.250.1 PRISMUSASERVER  ICMP ICMP:Destination Unreachable Message, Port Unreachable, 50.43.250.1:137 {IPv4:7513}
    945566 2:02:55 PM 3/19/2013 12238.6994699 System PRISMUSASERVER  50.43.250.1 NbtNs NbtNs:Query Request for *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> <0x00> Workstation Service {UDP:7589, IPv4:7513}
    945568 2:02:55 PM 3/19/2013 12238.7150949 50.43.250.1 PRISMUSASERVER  ICMP ICMP:Destination Unreachable Message, Port Unreachable, 50.43.250.1:137 {IPv4:7513}
    945626 2:02:56 PM 3/19/2013 12240.1994699 System PRISMUSASERVER  50.43.250.1 NbtNs NbtNs:Query Request for *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> <0x00> Workstation Service {UDP:7589, IPv4:7513}
    945629 2:02:56 PM 3/19/2013 12240.2150949 50.43.250.1 PRISMUSASERVER  ICMP ICMP:Destination Unreachable Message, Port Unreachable, 50.43.250.1:137 {IPv4:7513}

    Looking through Location A logs I see no records of Location B's ext IP, or 50.43.250.1.

    As for DNS forwarding, my domain has a DNS server (Windows); I assume I would need to put this into the DNS server instead of the pfbox. I can't seem to get this to work either.

    Any more ideas would be appreciated. I have tried to use the DNS forwarding via pfSense (Location B) but was also unsuccessful. I'm going to reboot the firewall tonight when no one is online, with hopes that there may be a glitch, although I doubt there is.

    "Do such pings go over the public internet or over the VPN? On which path should they go? Why?"

    I expect the pings to go outside the VPN, which is OK; this will allow my laptop users, who fluctuate inside and outside the building, to use the same setting.
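The Network Monitor capture posted above is easy to misread: filtered on 50.43.250.1, it contains NetBIOS name queries to UDP 137 answered with Port Unreachable, and Time Exceeded replies, but no ICMP echo at all. The following is an added example, not code from the thread, that parses lines in that summary format and tallies what is actually present, so a capture can be checked for echo traffic before drawing conclusions about a ping; the sample lines are copied from the post, and the "Echo" label for echo frames is an assumption about Network Monitor's wording.

```python
from collections import Counter

# Constructed sample, copied from the Network Monitor output in the post above.
SAMPLE = """\
943021 2:01:37 PM 3/19/2013 12161.0588449 System PRISMUSASERVER  50.43.250.1 NbtNs NbtNs:Query Request for *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00> <0x00> Workstation Service {UDP:7589, IPv4:7513}
943023 2:01:37 PM 3/19/2013 12161.0744699 50.43.250.1 PRISMUSASERVER  ICMP ICMP:Destination Unreachable Message, Port Unreachable, 50.43.250.1:137 {IPv4:7513}
945442 2:02:49 PM 3/19/2013 12232.6994699 50.43.250.1 PRISMUSASERVER  ICMP ICMP:Time Exceeded Message {IPv4:7513}
"""


def parse_frame(line):
    """Split one summary line into frame number, source, destination, protocol, description.

    Columns: frame, time, AM/PM, date, offset, [process name], source, destination,
    protocol, description. The process column is only present for frames sent by the
    capturing host, so the description (first token containing ':') anchors the parse.
    """
    parts = line.split()
    rest = parts[5:]
    desc_idx = next(i for i, tok in enumerate(rest) if ":" in tok)
    return {
        "frame": int(parts[0]),
        "src": rest[desc_idx - 3],
        "dst": rest[desc_idx - 2],
        "proto": rest[desc_idx - 1],
        "desc": " ".join(rest[desc_idx:]),
    }


def classify(frame):
    """Bucket a frame by what it tells us about reachability."""
    desc = frame["desc"]
    if frame["proto"] != "ICMP":
        return frame["proto"].lower()          # e.g. nbtns: a name query, not a ping
    if "Echo" in desc:                         # assumed label for echo request/reply
        return "icmp-echo"
    if "Port Unreachable" in desc:             # answer to a UDP datagram (here port 137)
        return "icmp-port-unreachable"
    if "Time Exceeded" in desc:                # TTL expiry, what traceroute probes elicit
        return "icmp-time-exceeded"
    return "icmp-other"


def summarize(text):
    """Count frames per category for a whole capture summary."""
    frames = [parse_frame(l) for l in text.splitlines() if l.strip()]
    return Counter(classify(f) for f in frames)


def echo_seen(counts):
    """True only if the capture holds any ICMP echo traffic at all."""
    return counts["icmp-echo"] > 0
```

Running `summarize(SAMPLE)` on the posted lines yields no echo frames, which means the filter on 50.43.250.1 says nothing about where the ping was lost; capture on the pfSense WAN and IPsec interfaces for ICMP echo specifically instead.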

