Solved

NAT proxying through Win 2K

Posted on 2001-07-19
Last Modified: 2013-12-23
I have successfully set up a NAT proxy through a machine with two NICs via the RRAS NAT special ports:

x.x.x.4:80  --->  10.0.0.1:80

The 10.0.0.1 machine is a Sun box. This works fine.

However, doing exactly the same thing to an IIS webserver (on another Win2K machine 10.0.0.2) doesn't work.

x.x.x.5:80 ---> 10.0.0.2:80

Neither does

x.x.x.4:81 ---> 10.0.0.2:80

Yet

x.x.x.5:81 ---> 10.0.0.1:80

does work.

It seems it works with the Sun webserver but not with IIS!

The 10.0.0.2 machine can serve pages quite happily to the other machines in the 10.0.0 network.

I have also tried two other Win2K IIS webservers, also on the internal network, and I can't get them to respond through the NAT proxy either.

Notes:
* Under Default Web Site properties of the target IIS webservers: IP Addresses are "(All unassigned)", there are no Host Header Names and pages served on TCP port 80.
* The NAT server has multiple IPs on each of its NICs.
* There is an IIS webserver on the NAT server (answering to a different IP), but I did try switching that off as part of the tests.

I am totally stumped.

Can you help?

Question by:AndrewEarl
15 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 6300419
Have you applied the SP2 and any other relevant patches?
0
 

Author Comment

by:AndrewEarl
ID: 6300471
yup
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 6300525
Have you checked the LAT (Local Access Table?) on the ISA?

Have you done a

route print

to see if it looks like the routing is OK?

Have you redirected any ports?

Is the DNS / AD set up correctly?

Have you checked the event logs and the ISA etc. logs?

0
 

Author Comment

by:AndrewEarl
ID: 6306707
I'm not using ISA.
I'm doing my proxying with NAT (thru RRAS).

route print looks okay.

Redirected ports? No. (Well, only the "Special Ports" under NAT - but then that is how I'm doing the proxying)

DNS looks okay.

Well, RRAS claims it is putting logfiles in c:\winnt\system32\logfiles but nothing there is any help.

I'm just puzzled why Sun webservers work through the NAT proxy but IIS webservers don't.

0
 
LVL 5

Expert Comment

by:Droby10
ID: 6324502
are you routing with translation or are you proxying?

there is a distinct and functional difference between the two.  if you're running rras with nat then you shouldn't be running proxy...if you're running proxy then you DEFINITELY don't need to be running rras with or without nat.  that's how networks get hosed by bad people.

back to your question...
i've found that itemized translation entries on 2k run fairly flakey...have you tried doing a complete host translation?  if that works out, i would back up sysexpert on the idea of ISA, you'll need something somewhere to perform filtering...
0
 

Author Comment

by:AndrewEarl
ID: 6324887
Well, maybe my terminology isn't right then.

I am translating an outside IP to an inside IP.
If you call that "routing with translation", then that is what I'm doing or trying to do.

I am not running any proxy program.
Just doing everything through RRAS.


0
 
LVL 5

Expert Comment

by:Droby10
ID: 6325340
okay...try translating ip to ip instead of ip:port to ip:port and see if it makes a difference, my experience is that the granularity of ip:port translations isn't handled well...although that doesn't explain how transactions occur with a sun box and not another windows machine.
0
 

Author Comment

by:AndrewEarl
ID: 6325389
Do you mean put in a static route?

Because the RRAS NAT "special port"s require a port to be specified - and can't be avoided.

0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6326996
AndrewEarl, from the machine that is doing the NAT, can you access the IIS web server properly? I've been able to do NAT translation using W2K Server and connecting to an IIS on the private net, so I can tell you that it is possible.
0
 

Author Comment

by:AndrewEarl
ID: 6435250
Yes, I could access the IIS server properly.

In all this time I actually solved the problem. But it raises several other ones.

The default gateway of the target machine, 10.0.0.2 in my example, wasn't pointing at the proxying machine. Switching it to the internal IP address of the proxying machine let everything spring to life.

However, we then encountered another problem. Other machines in the internal 10.x network that wish to connect to the 10.0.0.2 webserver cannot use the "outside" IP address (the x.x.x.5 one) if their default gateway points at the proxying machine. We could only get them to see the webserver by setting their gateways to a separate Gateway machine.
0
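
The fix reported in the comment above was the default gateway on the target web server. As an added example (not part of the original thread), this Python check parses `route print` output captured on the internal server and tells you whether a reply to an outside client is handed back to the NAT machine. The routing table and the addresses 10.0.0.253, 10.0.0.254 and 198.51.100.7 are constructed for illustration.

```python
import ipaddress
import re

# Constructed `route print` excerpt from the internal web server (10.0.0.2).
# 10.0.0.253 (another gateway) and 10.0.0.254 (NAT box, inside) are assumed.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.0.253        10.0.0.2       1
         10.0.0.0    255.255.255.0         10.0.0.2        10.0.0.2       1
         10.0.0.2  255.255.255.255        127.0.0.1       127.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
Default Gateway:        10.0.0.253
"""

# One Active Routes row: destination, netmask, gateway, interface, metric.
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                 r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each route row."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, ipaddress.ip_address(gw),
                           ipaddress.ip_address(iface), int(metric)))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match, lowest metric on ties."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return None
    _, gw, iface, _ = min(hits, key=lambda r: (-r[0].prefixlen, r[3]))
    # Gateway equal to the local interface address means directly connected.
    return dst if gw == iface else gw

def reply_returns_via_nat(route_print_text, client_ip, nat_inside_ip):
    """True if the server's reply to client_ip is sent to the NAT machine."""
    hop = next_hop(parse_routes(route_print_text), client_ip)
    return hop == ipaddress.ip_address(nat_inside_ip)
```

With the table above, `reply_returns_via_nat(ROUTE_PRINT, "198.51.100.7", "10.0.0.254")` is false because the reply leaves through 10.0.0.253 and never passes back through the translation; with the default route pointing at 10.0.0.254 it is true.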
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6436027
The new problem is because an interface cannot be used both as private and public interface in the NAT simultaneously. Right now, on the proxying machine, you have the private net as private NAT interface, but the mapping is bound to the public NAT interfaces of the proxying machine.
0
 

Expert Comment

by:CleanupPing
ID: 9160365
AndrewEarl:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 11420919
I think this thread should be PAQed.
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 11461491
PAQed - no points refunded (of 200)

DarthMod
Community Support Moderator
0
