Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

NAT proxying through Win 2K

Posted on 2001-07-19
15
Medium Priority
?
267 Views
Last Modified: 2013-12-23
I have successfully set up a NAT proxy through a machine with two NICs via the RRAS NAT special ports

x.x.x.4:80  --->  10.0.0.1:80

The 10.0.0.1 machine is a Sun box. This works fine.

However, doing exactly the same thing to an IIS webserver (on another Win2K machine 10.0.0.2) doesn't work.

x.x.x.5:80 ---> 10.0.0.2:80

Neither does

x.x.x.4:81 ---> 10.0.0.2:80

Yet

x.x.x.5:81 ---> 10.0.0.1:80

does work.

It seems it works with the Sun webserver but not with IIS!

The 10.0.0.2 machine can serve pages quite happily to the
other machines in the 10.0.0 network.

I have also tried two other Win2K IIS webservers, also on the internal network, and I can't get them to respond through the NAT proxy either.

Notes:
* Under Default Web Site properties of the target IIS webservers: IP Addresses are "(All unassigned)", there are no Host Header Names and pages served on TCP port 80.
* The NAT server has multiple IPs on each of its NICs.
* There is an IIS webserver on the NAT server (answering to a different IP), but I did try switching that off as part of the tests.

I am totally stumped.

Can you help?

0
Comment
Question by:AndrewEarl
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
  • +3
15 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 6300419
Have you applied the SP2 and any other relevant patches ??
0
 

Author Comment

by:AndrewEarl
ID: 6300471
yup
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 6300525
Have you checked the LAT ( Local access table ? ) on the ISA ?

Have you done  a

route print

to see if it likes like the routing is OK ?

Have you redirected any ports ??

Is the DNS / AD set up correctly ??

Have you checked the event logs and the ISA etc Logs ?

0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 

Author Comment

by:AndrewEarl
ID: 6306707
I'm not using ISA.
I'm doing my proxying with NAT (thru RRAS).

route print looks okay.

Redirected ports? No. (Well only the "Special Ports"
under NAT - but then that is how I'm doing the proxying)

DNS looks okay.

Well, RRAS claims it is putting logfiles in c:\winnt\system32\logfiles but nothing there is any help.

I'm just puzzled why Sun webservers work through the NAT proxy but IIS webservers don't.

0
 
LVL 5

Expert Comment

by:Droby10
ID: 6324502
are your routing with translation or are you proxying?

there is a distinct and functional difference between the two.  if you're running rras with nat then you shouldn't be running proxy...if you're running proxy then you DEFINATELY don't need to be running rras with or without nat.  that's how networks get hosed by bad people.

back to your question...
i've found that itemized translation entries on 2k run fairly flakey...have you tried doing a complete host translation?  if that works out, i would back up sysexpert on the idea of ISA, you'll need something somewhere to perform filtering...
0
 

Author Comment

by:AndrewEarl
ID: 6324887
Well, maybe my terminology isn't right then.

I am translating an outside IP to an inside IP.
If you call that "routing with translation", then that is what I'm doing or trying to do.

I am not running any proxy program.
Just doing everything through RRAS.


0
 
LVL 5

Expert Comment

by:Droby10
ID: 6325340
okay...try translating ip to ip instead of ip:port to ip:port and see if it makes a difference, my experience is that the granularity of ip:port translations isn't handled well...although that doesn't explain how transactions occur with a sun box and not another windows machine.
0
 

Author Comment

by:AndrewEarl
ID: 6325389
Do you mean put in a static route?

Because the RRAS NAT "special port"s require a port to be specified - and can't be avoided.

0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6326996
AndrewEarl, from the machine that is doing the NAT, can you access the IIS web server properly? I've been able to do NAT translation using W2K Server and connecting to an IIS on the private net, so I can tell you that it is possible.
0
 

Author Comment

by:AndrewEarl
ID: 6435250
Yes, I could access the IIS server properly.

In all this time I actually solved the problem. But raises several other ones.

The default gateway of the target machine 10.0.0.2 on my example, wasn't pointing at the proxying machine. Switching it to the internal IP address of the proxying machine let everything spring to life.

However, we then encountered another problem. Other machines in the internal 10.x network that wish to connect to the 10.0.0.2 webserver cannot use the "outside" IP address (the x.x.x.5 one) if their default gateway points at the proxying machine. We could only get them to see the webserver by setting their gateways to a separate Gateway machine.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6436027
The new problem is because an interface can not be used both as private and public interface in the NAT simultaneously. Right not, on the proxying machine, you have the private net as private NAT interface, but the mapping is bound to the public NAT interfaces of the proxying machine.
0
 

Expert Comment

by:CleanupPing
ID: 9160365
AndrewEarl:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 11420919
I think this thread should be PAQed.
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 11461491
PAQed - no points refunded (of 200)

DarthMod
Community Support Moderator
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in response to a question (http://www.experts-exchange.com/Networking/Network_Management/Network_Analysis/Q_28230497.html) here at Experts Exchange. The Original Poster (OP) requires a utility that will accept a list of IP addresses …
A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

662 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question