**ADDITION, please see the following illustration: click here **
Ok, maybe I' m missing the obvious here but here is the story:
SITUATION
====================
Two DNS servers sit behind the Fortinet unit. All servers run in the private network and all have 192.168.1.x addresses assigned to them. No DMZ is being used at this time, just internal (my servers) / external (the internet).
The two DNS servers act as public nameservers for the websites I host.
One of the DNS servers is a primary (with internal IP 192.168.1.6) and the other a secondary (with internal IP 192.168.1.7). All of the DNS entries have public IP' s the records they host as they serve up sites on the public internet. This includes the nameserver records NS1.myhost.com (69.90.x.1) and NS2.myhost.com (69.90.x.2).
The primary nameserver is set to push updates (MSDNS) to the secondary nameserver (MSDNS). It is by default set to only allow transfers to listed nameservers, which should be fine because the external ip of ns2.myhost.com is listed in each primary zone.
I have VIP' s set on the Fortinet...
(ns1.myhost.com) VIP set 69.90.x.1 -> 192.168.1.6
(ns2.myhost.com) VIP set 69.90.x.2 -> 192.168.1.7
------------------------------------
The Problem
====================
After a new secondary zone is created on the secondary server, it seems that it doesn' t actually go out on 69.90.x.2 and come in on 69.90.x.1 to get the update from the primary. It just goes internally using 192.168.1.1
Thus the request to update gets denied. 
I am using the EXACT same configuration as I had working with a Netscreen unit (don' t get me wrong, I like Fortinet a LOT better). Why doesn' t the traffic get routed out on the correct IP... why does it use the Fortinet box internal IP?
------------------------------------
Sorry for the long winded post, I didn' t want to leave out any details and would really appreciate any thoughts people could give this.
Thanks so much,
Chris
I am using the EXACT same configuration as I had working with a Netscreen unit (don' t get me wrong, I like Fortinet a LOT better). Why doesn' t the traffic get routed out on the correct IP... why does it use the Fortinet box internal IP?
------------------------------------
Sorry for the long winded post, I didn' t want to leave out any details and would really appreciate any thoughts people could give this.
Thanks so much,
Chris
ORIGINAL: Adrian Lewis Unfortunately, I have no fix for the fg' s behaviour but: If you were to multihome and add both internal 192 net and 69 net VIP addresses to your DNS servers' interfaces with no default route on the 69 net, when the secondary tries to contact the primary, it should (I think) do the following:You are nothing short of brilliant. It works like a charm, everything propagates between the two servers fine as soon as I put in the external DNS IP into the IP list in TCP/IP properties. Case closed this is now fixed!!!!
Just out of curiosity though... are there any security or other implications to having an external IP assigned to the machine along with internal addresses? Just wondering.
Thanks again for all your help everybody! I' m so happy right now!
ORIGINAL: MeritWell I found out a pretty good reason to not have an external IP assigned on a an internal server with NAT IP' s.... my server couldn' t communicate with another server (owned by another hosting company on the other side of Canada) that had an IP on the same subnet. Pretty nasty side effect. Anyways, I have re-opened my support ticket as this issue perists and I found another problem it causes.... When one of my mail servers sends out e-mail for a newsletter from a website it sends some e-mails to users on my primary mail server (communicating on the external IP). However, the primary mailserver sees the incoming connection as 192.168.1.1 NOT the proper external IP and marks the message as spam because it fails an SPF check. Yet another side effect of this persisting problem.ORIGINAL: Adrian Lewis Unfortunately, I have no fix for the fg' s behaviour but: If you were to multihome and add both internal 192 net and 69 net VIP addresses to your DNS servers' interfaces with no default route on the 69 net, when the secondary tries to contact the primary, it should (I think) do the following:You are nothing short of brilliant. It works like a charm, everything propagates between the two servers fine as soon as I put in the external DNS IP into the IP list in TCP/IP properties. Case closed this is now fixed!!!!
