Network question regarding web server?

Sorry if it is the wrong newsgroup.

I am trying to access a web site : http://cipo.gc.ca
I am getting a page not found.

After contacting the IT departement, here is what they told me:

In your instance, the Connecting IP and the Reported IP do not match. This
often occurs when people are behind firewalls or have networks using NAT
Translation. Unfortunately, it is also a tactic (reporting a different IP
address) used by people who are attacking a website.
Due to Government of Canada guidelines regarding the protection of data
(Protected 'B' data), all inbound web traffic that reports an incorrect IP
address is refused.
In order to use Strategis and the CIPO website, the user will have to
rectify the Reverse DNS Lookup problem that they are experiencing.You need
to resolve this issue by calling you IPS and give them this information or
by contacting your source behind your firewalls.

We do use 2 different IP address (we use NAT with our PIX firewall)

Is this a normal setup for that company?
Do we really need to change our IP address so they are both the same?
Is in it a security risk?

Thanks for any help or feedback

John

> We do use 2 different IP address (we use NAT with our PIX firewall)
>
> Is this a normal setup for that company?

Yes, this is more than normal, if that's possible.

> Do we really need to change our IP address so they are both the same?

They should be the same. When traffic leaves the PIX from AddrA, the remote
server establishes the connection with this address.

> Is in it a security risk?

No more than usual, when you're connected to the Internet.

Unless you're doing something very screwy with your firewall, it sounds like
someone's taking the reverse lookup to the extreme.

On Tue, 25 Nov 2003 08:13:37 -0500, "JP Breton"
<(E-Mail Removed)> wrote:

>Sorry if it is the wrong newsgroup.
>
>I am trying to access a web site : http://cipo.gc.ca
>I am getting a page not found.
>
>After contacting the IT departement, here is what they told me:
>
>In your instance, the Connecting IP and the Reported IP do not match. This
>often occurs when people are behind firewalls or have networks using NAT
>Translation. Unfortunately, it is also a tactic (reporting a different IP
>address) used by people who are attacking a website.
>Due to Government of Canada guidelines regarding the protection of data
>(Protected 'B' data), all inbound web traffic that reports an incorrect IP
>address is refused.
>In order to use Strategis and the CIPO website, the user will have to
>rectify the Reverse DNS Lookup problem that they are experiencing.You need
>to resolve this issue by calling you IPS and give them this information or
>by contacting your source behind your firewalls.
>
>We do use 2 different IP address (we use NAT with our PIX firewall)
>
>Is this a normal setup for that company?

Sure.

>Do we really need to change our IP address so they are both the same?

No. You need to correct the reverse DNS so it returns the correct
information.

>Is in it a security risk?

It decreases a security risk. It lets the web server know you really
are who you said you were.

Check a DNS group for better specifics, but it's your ISP and/or your
network administrator that need to configure this.

If it's any consolation, from behind a firewall and with a NAT'd
address, I connect just fine to the above site. But my reverse DNS
points to the correct host. In your case, my guess is your ISP has
pointed the reverse DNS to a generic port name on a different domain,
or more possibly has no reverse DNS defined for your IP.

Jeff