I have a DSL line from ameritech as my external DHCP-assigned IP address. I am using RAS PPPoE and it works great. On the internal network I am using the private address range 192.168.0-255. All clients are SecureNAT clients.
Here is my problem: my internal network has a Windows 2000 DNS server configured with its own authoritative internal-only zone, and for all external queries it is configured to use forwarders.
I configured ISA with Tom's recommended "all open" config. When I use nslookup to ask my internal DNS server to resolve an external name I get a timeout error, and I see dropped DNS packets in the packet filter log file. I thought the "all open" packet filter allowed everything; what is going on here?
Next I tried to configure outbound DNS query filters and protocol rules without the "all open" policy. I set up my filters and rules correctly, because there were no dropped packets in the packet filter logs. Just to make sure, I put a packet sniffer on the internal network and sure enough I see DNS queries headed out to the configured forwarder.
Next I put a sniffer on the external network; I can see DNS packets from my internal DNS server (private source address) going to my forwarder, but no replies ever come back. I checked the logs and there are no dropped packets. What could be going on? Perhaps my ISP's DNS server is dropping my packets due to the source IP being private? I thought ISA NAT was supposed to overwrite the IP and maintain a state table? I would see the external IP of my ISA server in the packet traces as the source address of the outbound packet to the ISP DNS server if NAT was working right, or am I wrong?
Also, when I make requests from my ISA server via nslookup with my ISP's DNS server as the default server I get responses back, and I also see inbound and outbound queries and replies in my packet sniffer network traces.
So the ISP's DNS server likes my ISA server's external public IP, but when I make a query from my internal (private IP) DNS server the ISP server does not reply, and ISA NAT does not mask the private IP with my external public IP. Man, I cannot figure out what I am doing wrong here, please help.
I know others have gotten this config to work, there simply must be a way...
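The symptom described in the post (queries leaving the external interface with an RFC 1918 source address and never getting a reply) can be checked mechanically against a capture. The following is an added example, not code from the original post or from ISA Server: it takes a constructed, simplified packet list of the kind a sniffer on the external interface would produce, flags outbound DNS queries that still carry a private source address (NAT did not translate them), and lists queries that never received a matching reply. The addresses `198.51.100.7` (assumed ISA external IP) and `203.0.113.53` (assumed ISP forwarder) are placeholders from the documentation ranges, and `192.168.0.10` is an assumed internal DNS server.

```python
import ipaddress
from typing import List, NamedTuple

# RFC 1918 ranges only. Python's ip_address(...).is_private also treats the
# documentation (TEST-NET) ranges used for the placeholders below as private,
# so we check the three RFC 1918 blocks explicitly.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


class Pkt(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int


# Constructed sample of what a sniffer on the EXTERNAL interface might show.
# All addresses are assumed placeholders, not real hosts.
ISA_PUBLIC_IP = "198.51.100.7"     # assumed public address of the ISA external interface
FORWARDER = "203.0.113.53"         # assumed ISP DNS forwarder
INTERNAL_DNS = "192.168.0.10"      # assumed internal Windows 2000 DNS server

EXTERNAL_CAPTURE = [
    Pkt(INTERNAL_DNS, FORWARDER, 1025, 53),    # forwarded query, source NOT translated
    Pkt(ISA_PUBLIC_IP, FORWARDER, 1026, 53),   # query sent by the ISA box itself
    Pkt(FORWARDER, ISA_PUBLIC_IP, 53, 1026),   # reply to the ISA box's own query
]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_dns_query(p: Pkt) -> bool:
    return p.dport == 53


def is_dns_reply(p: Pkt) -> bool:
    return p.sport == 53


def untranslated_queries(capture: List[Pkt]) -> List[Pkt]:
    """Outbound DNS queries seen on the external side whose source address is
    still RFC 1918. On a correctly NATed link the source should be the public
    address of the ISA external interface; anything private here means the
    translation did not happen and the upstream server has no route back."""
    return [p for p in capture if is_dns_query(p) and is_rfc1918(p.src)]


def unanswered_queries(capture: List[Pkt]) -> List[Pkt]:
    """Queries with no matching reply. A reply swaps src/dst and sport/dport,
    which is the same 4-tuple a NAT state table would key on."""
    replies = {(p.dst, p.src, p.dport, p.sport) for p in capture if is_dns_reply(p)}
    return [p for p in capture
            if is_dns_query(p) and (p.src, p.dst, p.sport, p.dport) not in replies]


def diagnose(capture: List[Pkt]) -> List[str]:
    """Human-readable findings for the capture."""
    findings = []
    for p in untranslated_queries(capture):
        findings.append(f"NOT TRANSLATED: {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                        f"left the external interface with a private source")
    for p in unanswered_queries(capture):
        findings.append(f"NO REPLY: query {p.src}:{p.sport} -> {p.dst}:{p.dport}")
    return findings


if __name__ == "__main__":
    for line in diagnose(EXTERNAL_CAPTURE):
        print(line)
```

Run against the sample, the only untranslated and the only unanswered query is the one from `192.168.0.10`, while the query sourced from the ISA box's own public address is answered, which matches the pattern in the post: the upstream server replies to the public address and silently drops datagrams it cannot route back to a private one. When feeding real sniffer output, anything that shows up in `untranslated_queries` points at the NAT side (the host is not actually being treated as a SecureNAT client) rather than at a packet filter, since a filtered packet would be logged as dropped rather than forwarded untranslated.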