Solved

NAT proxying through Win 2K

Posted on 2001-07-19
Last Modified: 2013-12-23
I have successfully set up a NAT proxy through a machine with two NICs via the RRAS NAT special ports:

x.x.x.4:80  --->  10.0.0.1:80

The 10.0.0.1 machine is a Sun box. This works fine.

However, doing exactly the same thing to an IIS webserver (on another Win2K machine 10.0.0.2) doesn't work.

x.x.x.5:80 ---> 10.0.0.2:80

Neither does

x.x.x.4:81 ---> 10.0.0.2:80

Yet

x.x.x.5:81 ---> 10.0.0.1:80

does work.

It seems it works with the Sun webserver but not with IIS!

The 10.0.0.2 machine can serve pages quite happily to the other machines in the 10.0.0 network.

I have also tried two other Win2K IIS webservers, also on the internal network, and I can't get them to respond through the NAT proxy either.

Notes:
* Under Default Web Site properties of the target IIS webservers: IP Addresses are "(All unassigned)", there are no Host Header Names and pages served on TCP port 80.
* The NAT server has multiple IPs on each of its NICs.
* There is an IIS webserver on the NAT server (answering to a different IP), but I did try switching that off as part of the tests.

I am totally stumped.

Can you help?

Question by:AndrewEarl
LVL 63

Expert Comment

by:SysExpert
ID: 6300419
Have you applied the SP2 and any other relevant patches ??
0
 

Author Comment

by:AndrewEarl
ID: 6300471
yup
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 6300525
Have you checked the LAT ( Local access table ? ) on the ISA ?

Have you done  a

route print

to see if it looks like the routing is OK ?

Have you redirected any ports ??

Is the DNS / AD set up correctly ??

Have you checked the event logs and the ISA etc Logs ?

0

 

Author Comment

by:AndrewEarl
ID: 6306707
I'm not using ISA.
I'm doing my proxying with NAT (thru RRAS).

route print looks okay.

Redirected ports? No. (Well only the "Special Ports"
under NAT - but then that is how I'm doing the proxying)

DNS looks okay.

Well, RRAS claims it is putting logfiles in c:\winnt\system32\logfiles but nothing there is any help.

I'm just puzzled why Sun webservers work through the NAT proxy but IIS webservers don't.

0
 
LVL 5

Expert Comment

by:Droby10
ID: 6324502
are you routing with translation or are you proxying?

there is a distinct and functional difference between the two.  if you're running rras with nat then you shouldn't be running proxy...if you're running proxy then you DEFINITELY don't need to be running rras with or without nat.  that's how networks get hosed by bad people.

back to your question...
i've found that itemized translation entries on 2k run fairly flakey...have you tried doing a complete host translation?  if that works out, i would back up sysexpert on the idea of ISA, you'll need something somewhere to perform filtering...
0
 

Author Comment

by:AndrewEarl
ID: 6324887
Well, maybe my terminology isn't right then.

I am translating an outside IP to an inside IP.
If you call that "routing with translation", then that is what I'm doing or trying to do.

I am not running any proxy program.
Just doing everything through RRAS.


0
 
LVL 5

Expert Comment

by:Droby10
ID: 6325340
okay...try translating ip to ip instead of ip:port to ip:port and see if it makes a difference, my experience is that the granularity of ip:port translations isn't handled well...although that doesn't explain how transactions occur with a sun box and not another windows machine.
0
 

Author Comment

by:AndrewEarl
ID: 6325389
Do you mean put in a static route?

Because the RRAS NAT "special port"s require a port to be specified - and can't be avoided.

0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6326996
AndrewEarl, from the machine that is doing the NAT, can you access the IIS web server properly? I've been able to do NAT translation using W2K Server and connecting to an IIS on the private net, so I can tell you that it is possible.
0
 

Author Comment

by:AndrewEarl
ID: 6435250
Yes, I could access the IIS server properly.

In all this time I actually solved the problem. But it raises several other ones.

The default gateway of the target machine, 10.0.0.2 in my example, wasn't pointing at the proxying machine. Switching it to the internal IP address of the proxying machine let everything spring to life.

However, we then encountered another problem. Other machines in the internal 10.x network that wish to connect to the 10.0.0.2 webserver cannot use the "outside" IP address (the x.x.x.5 one) if their default gateway points at the proxying machine. We could only get them to see the webserver by setting their gateways to a separate Gateway machine.
0
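The gateway fix described above, modelled as an added example (not part of the original thread): a port mapping rewrites only the destination, so the server's reply must leave through the NAT machine to get its public source address restored. The addresses are constructed: 203.0.113.5 stands in for x.x.x.5, and 10.0.0.254 (NAT inside address) and 10.0.0.253 (another router) are assumptions.

```python
"""Added illustration: reply path of a port-mapped (destination NAT only) server."""
import ipaddress

# Constructed addresses; 203.0.113.5 stands in for the thread's x.x.x.5.
PUBLIC, NAT_INSIDE, SERVER = "203.0.113.5", "10.0.0.254", "10.0.0.2"
CLIENT = ("198.51.100.20", 40000)
LAN = ipaddress.ip_network("10.0.0.0/24")


class NatBox:
    """Models only destination port mapping, like an RRAS 'special port'."""

    def __init__(self, mappings):
        self.mappings = mappings      # (public ip, port) -> (private ip, port)
        self.sessions = {}            # (client, private endpoint) -> public endpoint

    def inbound(self, src, dst):
        private = self.mappings[dst]
        self.sessions[(src, private)] = dst
        return src, private           # destination rewritten, source untouched

    def outbound(self, src, dst):
        # Reply from the server: restore the public source address.
        return self.sessions[(dst, src)], dst


def next_hop(dst_ip, default_gw):
    """Server's routing decision: on-link if inside the LAN, else default gateway."""
    return dst_ip if ipaddress.ip_address(dst_ip) in LAN else default_gw


def client_accepts_reply(server_default_gw):
    nat = NatBox({(PUBLIC, 80): (SERVER, 80)})
    sent_to = (PUBLIC, 80)
    src, dst = nat.inbound(CLIENT, sent_to)         # request reaches the server
    reply_src, reply_dst = dst, src                 # server answers the client
    if next_hop(reply_dst[0], server_default_gw) == NAT_INSIDE:
        reply_src, reply_dst = nat.outbound(reply_src, reply_dst)
    # The client's TCP stack only matches a reply from the address it dialled.
    return reply_src == sent_to


if __name__ == "__main__":
    for gw in ("10.0.0.253", NAT_INSIDE):           # other router vs. NAT machine
        print(f"server default gateway {gw}: reply accepted = {client_accepts_reply(gw)}")
```
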
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6436027
The new problem is because an interface can not be used both as private and public interface in the NAT simultaneously. Right now, on the proxying machine, you have the private net as private NAT interface, but the mapping is bound to the public NAT interfaces of the proxying machine.
0
 

Expert Comment

by:CleanupPing
ID: 9160365
AndrewEarl:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 11420919
I think this thread should be PAQed.
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 11461491
PAQed - no points refunded (of 200)

DarthMod
Community Support Moderator
0
