Solved

NAT proxying through Win 2K

Posted on 2001-07-19
15
202 Views
Last Modified: 2013-12-23
I have successfully set up a NAT proxy through a machine with two NICs via the RRAS NAT special ports

x.x.x.4:80  --->  10.0.0.1:80

The 10.0.0.1 machine is a Sun box. This works fine.

However, doing exactly the same thing to an IIS webserver (on another Win2K machine 10.0.0.2) doesn't work.

x.x.x.5:80 ---> 10.0.0.2:80

Neither does

x.x.x.4:81 ---> 10.0.0.2:80

Yet

x.x.x.5:81 ---> 10.0.0.1:80

does work.

It seems it works with the Sun webserver but not with IIS!

The 10.0.0.2 machine can serve pages quite happily to the
other machines in the 10.0.0 network.

I have also tried two other Win2K IIS webservers, also on the internal network, and I can't get them to respond through the NAT proxy either.

Notes:
* Under Default Web Site properties of the target IIS webservers: IP Addresses are "(All unassigned)", there are no Host Header Names and pages served on TCP port 80.
* The NAT server has multiple IPs on each of its NICs.
* There is an IIS webserver on the NAT server (answering to a different IP), but I did try switching that off as part of the tests.

I am totally stumped.

Can you help?

0
Comment
Question by:AndrewEarl
  • 5
  • 3
  • 2
  • +3
15 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 6300419
Have you applied the SP2 and any other relevant patches ??
0
 

Author Comment

by:AndrewEarl
ID: 6300471
yup
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 6300525
Have you checked the LAT ( Local access table ? ) on the ISA ?

Have you done  a

route print

to see if it likes like the routing is OK ?

Have you redirected any ports ??

Is the DNS / AD set up correctly ??

Have you checked the event logs and the ISA etc Logs ?

0
 

Author Comment

by:AndrewEarl
ID: 6306707
I'm not using ISA.
I'm doing my proxying with NAT (thru RRAS).

route print looks okay.

Redirected ports? No. (Well only the "Special Ports"
under NAT - but then that is how I'm doing the proxying)

DNS looks okay.

Well, RRAS claims it is putting logfiles in c:\winnt\system32\logfiles but nothing there is any help.

I'm just puzzled why Sun webservers work through the NAT proxy but IIS webservers don't.

0
 
LVL 5

Expert Comment

by:Droby10
ID: 6324502
are your routing with translation or are you proxying?

there is a distinct and functional difference between the two.  if you're running rras with nat then you shouldn't be running proxy...if you're running proxy then you DEFINATELY don't need to be running rras with or without nat.  that's how networks get hosed by bad people.

back to your question...
i've found that itemized translation entries on 2k run fairly flakey...have you tried doing a complete host translation?  if that works out, i would back up sysexpert on the idea of ISA, you'll need something somewhere to perform filtering...
0
 

Author Comment

by:AndrewEarl
ID: 6324887
Well, maybe my terminology isn't right then.

I am translating an outside IP to an inside IP.
If you call that "routing with translation", then that is what I'm doing or trying to do.

I am not running any proxy program.
Just doing everything through RRAS.


0
 
LVL 5

Expert Comment

by:Droby10
ID: 6325340
okay...try translating ip to ip instead of ip:port to ip:port and see if it makes a difference, my experience is that the granularity of ip:port translations isn't handled well...although that doesn't explain how transactions occur with a sun box and not another windows machine.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:AndrewEarl
ID: 6325389
Do you mean put in a static route?

Because the RRAS NAT "special port"s require a port to be specified - and can't be avoided.

0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6326996
AndrewEarl, from the machine that is doing the NAT, can you access the IIS web server properly? I've been able to do NAT translation using W2K Server and connecting to an IIS on the private net, so I can tell you that it is possible.
0
 

Author Comment

by:AndrewEarl
ID: 6435250
Yes, I could access the IIS server properly.

In all this time I actually solved the problem. But raises several other ones.

The default gateway of the target machine 10.0.0.2 on my example, wasn't pointing at the proxying machine. Switching it to the internal IP address of the proxying machine let everything spring to life.

However, we then encountered another problem. Other machines in the internal 10.x network that wish to connect to the 10.0.0.2 webserver cannot use the "outside" IP address (the x.x.x.5 one) if their default gateway points at the proxying machine. We could only get them to see the webserver by setting their gateways to a separate Gateway machine.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6436027
The new problem is because an interface can not be used both as private and public interface in the NAT simultaneously. Right not, on the proxying machine, you have the private net as private NAT interface, but the mapping is bound to the public NAT interfaces of the proxying machine.
0
 

Expert Comment

by:CleanupPing
ID: 9160365
AndrewEarl:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 11420919
I think this thread should be PAQed.
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 11461491
PAQed - no points refunded (of 200)

DarthMod
Community Support Moderator
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now