We have several web servers behind a BM3.6/Netware5.1 box that get
NAT'd to public addresses with port 80 filter exceptions, and it works
perfectly when coming in from the 'Net. From inside the firewall we
have no probs getting to these web servers' private IP addresses but we
cannot, from the inside, get to their public IP addresses. Normally
this is not a problem for users inside the firewall - internal DNS
resolves to their private addresses. Where this is a problem is with
dial-up VPN users: the users are getting public address resolutions
and, apparently, the VPN client has them trying to go outside the
firewall and then back in again, which doesn't work.


Question: should it work? By that I mean, should an internal user be
able to get to an internal server via its NAT'd public address?

If the answer is yes then I need to ask how should the static routing
in the BM box be set up. It's a flat internal network, the BM box is
the default route for internal users, the BM box has a default route
pointing to the Cisco's ethernet port and a static route for the
outside segment also pointing to the Cisco [this is a tickler for me,
I'm not sure it ought to be there but that's the way it was when I
inherited the system]. The VPN setting in nwadmin has protect the VPN
IP tunnel network, the BM box external address and the internal 10dot
network.

Any comments/suggestions/hints/clues [for the clueless] gratefully
accepted and appreciated.
Fred