**ADDITION, please see the following illustration: click here**
Ok, maybe I'm missing the obvious here, but here is the story:
SITUATION
====================
Two DNS servers sit behind the Fortinet unit. All servers run in the private network and all have 192.168.1.x addresses assigned to them. No DMZ is being used at this time, just internal (my servers) / external (the internet).
The two DNS servers act as public nameservers for the websites I host.
One of the DNS servers is a primary (with internal IP 192.168.1.6) and the other a secondary (with internal IP 192.168.1.7). All of the DNS records they host have public IPs, as they serve up sites on the public internet. This includes the nameserver records NS1.myhost.com (69.90.x.1) and NS2.myhost.com (69.90.x.2).
The primary nameserver is set to push updates (MSDNS) to the secondary nameserver (MSDNS). It is by default set to only allow transfers to listed nameservers, which should be fine because the external ip of ns2.myhost.com is listed in each primary zone.
I have VIPs set on the Fortinet...
(ns1.myhost.com) VIP set 69.90.x.1 -> 192.168.1.6
(ns2.myhost.com) VIP set 69.90.x.2 -> 192.168.1.7
------------------------------------
The Problem
====================
After a new secondary zone is created on the secondary server, it seems that it doesn't actually go out on 69.90.x.2 and come in on 69.90.x.1 to get the update from the primary. It just goes internally using 192.168.1.1.
Thus the request to update gets denied.
I am using the EXACT same configuration as I had working with a Netscreen unit (don't get me wrong, I like Fortinet a LOT better). Why doesn't the traffic get routed out on the correct IP... why does it use the Fortinet box's internal IP?
------------------------------------
Sorry for the long-winded post, I didn't want to leave out any details and would really appreciate any thoughts people could give this.
Thanks so much,
Chris
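To make the mismatch in the post concrete, here is an added Python model of the primary's "only to listed nameservers" check against the source address that arrives through the firewall. It is not code from the post or from Fortinet: the VIP handling is a simplified assumption (an inside host reaching a VIP either keeps the firewall's inside address as its source, as Chris observes, or is source-NATed to its own public VIP), and RFC 5737 documentation addresses stand in for the elided 69.90.x.1/.2.

```python
import ipaddress

# Constructed stand-ins: the post elides the public addresses as 69.90.x.1/.2,
# so RFC 5737 documentation addresses are used here instead.
NS1_PUBLIC = ipaddress.ip_address("203.0.113.1")    # ns1.myhost.com
NS2_PUBLIC = ipaddress.ip_address("203.0.113.2")    # ns2.myhost.com
NS1_INTERNAL = ipaddress.ip_address("192.168.1.6")  # primary (inside)
NS2_INTERNAL = ipaddress.ip_address("192.168.1.7")  # secondary (inside)
FW_INTERNAL = ipaddress.ip_address("192.168.1.1")   # firewall inside address
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# VIP table as described in the post: public -> internal.
VIPS = {NS1_PUBLIC: NS1_INTERNAL, NS2_PUBLIC: NS2_INTERNAL}

# Zone transfer allow-list: the primary only accepts AXFR/IXFR from the
# addresses of the listed nameservers, i.e. the public NS record IPs.
ZONE_ALLOWED_SOURCES = {NS1_PUBLIC, NS2_PUBLIC}


def firewall_forward(src, dst, hairpin_snat):
    """Assumed (not vendor-verified) model of a VIP handling one packet.
    Returns the (src, dst) pair the destination server actually sees."""
    if dst not in VIPS:
        return src, dst                       # not a VIP: plain routing
    real_dst = VIPS[dst]
    if src not in INTERNAL_NET:
        return src, real_dst                  # outside client: DNAT only
    # Inside client reaching a VIP ("hairpin"). Without a matching source NAT
    # the server sees the firewall's inside address, as in the post.
    if hairpin_snat:
        public_src = next((p for p, i in VIPS.items() if i == src), FW_INTERNAL)
        return public_src, real_dst
    return FW_INTERNAL, real_dst


def transfer_allowed(observed_src):
    """The primary's check: is the requesting address a listed nameserver?"""
    return observed_src in ZONE_ALLOWED_SOURCES


def simulate_zone_transfer(hairpin_snat):
    """Secondary (inside) pulls the zone from ns1's public address."""
    seen_src, _ = firewall_forward(NS2_INTERNAL, NS1_PUBLIC, hairpin_snat)
    return str(seen_src), transfer_allowed(seen_src)


if __name__ == "__main__":
    for mode in (False, True):
        src, ok = simulate_zone_transfer(hairpin_snat=mode)
        print(f"hairpin_snat={mode}: primary sees {src}, transfer allowed={ok}")
```

Running it shows the primary seeing 192.168.1.1 and refusing the transfer in the first case, and seeing the secondary's public VIP address and accepting it in the second.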