AndrewEarl


NAT proxying through Win 2K

I have successfully set up a NAT proxy through a machine with two NICs via the RRAS NAT special ports:

x.x.x.4:80  --->  10.0.0.1:80

The 10.0.0.1 machine is a Sun box. This works fine.

However, doing exactly the same thing to an IIS webserver (on another Win2K machine 10.0.0.2) doesn't work.

x.x.x.5:80 ---> 10.0.0.2:80

Neither does

x.x.x.4:81 ---> 10.0.0.2:80

Yet

x.x.x.5:81 ---> 10.0.0.1:80

does work.

It seems it works with the Sun webserver but not with IIS!

The 10.0.0.2 machine can serve pages quite happily to the other machines in the 10.0.0 network.

I have also tried two other Win2K IIS webservers, also on the internal network, and I can't get them to respond through the NAT proxy either.

Notes:
* Under Default Web Site properties of the target IIS webservers: IP Addresses are "(All unassigned)", there are no Host Header Names and pages served on TCP port 80.
* The NAT server has multiple IPs on each of its NICs.
* There is an IIS webserver on the NAT server (answering to a different IP), but I did try switching that off as part of the tests.

I am totally stumped.

Can you help?

SysExpert

Have you applied the SP2 and any other relevant patches ??
AndrewEarl

ASKER

yup

Have you checked the LAT (Local access table ?) on the ISA ?

Have you done  a

route print

to see if it looks like the routing is OK ?

Have you redirected any ports ??

Is the DNS / AD set up correctly ??

Have you checked the event logs and the ISA etc Logs ?

I'm not using ISA.
I'm doing my proxying with NAT (thru RRAS).

route print looks okay.

Redirected ports? No. (Well only the "Special Ports"
under NAT - but then that is how I'm doing the proxying)

DNS looks okay.

Well, RRAS claims it is putting logfiles in c:\winnt\system32\logfiles but nothing there is any help.

I'm just puzzled why Sun webservers work through the NAT proxy but IIS webservers don't.

are you routing with translation or are you proxying?

there is a distinct and functional difference between the two.  if you're running rras with nat then you shouldn't be running proxy...if you're running proxy then you DEFINITELY don't need to be running rras with or without nat.  that's how networks get hosed by bad people.

back to your question...
i've found that itemized translation entries on 2k run fairly flaky...have you tried doing a complete host translation?  if that works out, i would back up sysexpert on the idea of ISA, you'll need something somewhere to perform filtering...

Well, maybe my terminology isn't right then.

I am translating an outside IP to an inside IP.
If you call that "routing with translation", then that is what I'm doing or trying to do.

I am not running any proxy program.
Just doing everything through RRAS.


okay...try translating ip to ip instead of ip:port to ip:port and see if it makes a difference, my experience is that the granularity of ip:port translations isn't handled well...although that doesn't explain how transactions occur with a sun box and not another windows machine.

Do you mean put in a static route?

Because the RRAS NAT "special port"s require a port to be specified - and can't be avoided.

AndrewEarl, from the machine that is doing the NAT, can you access the IIS web server properly? I've been able to do NAT translation using W2K Server and connecting to an IIS on the private net, so I can tell you that it is possible.

Yes, I could access the IIS server properly.

In all this time I actually solved the problem. But it raises several other ones.

The default gateway of the target machine, 10.0.0.2 in my example, wasn't pointing at the proxying machine. Switching it to the internal IP address of the proxying machine let everything spring to life.

However, we then encountered another problem. Other machines in the internal 10.x network that wish to connect to the 10.0.0.2 webserver cannot use the "outside" IP address (the x.x.x.5 one) if their default gateway points at the proxying machine. We could only get them to see the webserver by setting their gateways to a separate Gateway machine.

The new problem is because an interface cannot be used both as private and public interface in the NAT simultaneously. Right now, on the proxying machine, you have the private net as private NAT interface, but the mapping is bound to the public NAT interfaces of the proxying machine.
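
The default-gateway fix reported above, shown as a small packet-flow model; this is an added example, not part of the original thread and not RRAS code. The public address 203.0.113.5 (standing in for x.x.x.5), the NAT machine's inside address 10.0.0.254, the second gateway 10.0.0.253 and the client address are constructed stand-ins.

```python
from dataclasses import dataclass

# Constructed addresses: the thread elides the public IP (x.x.x.5) and never
# gives the NAT machine's inside IP, so these are stand-ins.
NAT_PUBLIC, NAT_INSIDE = "203.0.113.5", "10.0.0.254"
OTHER_GW = "10.0.0.253"            # hypothetical second gateway on the LAN
CLIENT = ("198.51.100.7", 40000)   # hypothetical outside client
SERVER = ("10.0.0.2", 80)          # the IIS box from the thread


@dataclass(frozen=True)
class Packet:
    src: tuple
    dst: tuple


class NatBox:
    """Models a 'special port' mapping: public ip:port -> private ip:port."""

    def __init__(self, mappings):
        self.mappings = mappings   # {(public_ip, port): (private_ip, port)}
        self.sessions = {}         # (private endpoint, client) -> public endpoint

    def inbound(self, pkt):
        target = self.mappings[pkt.dst]
        self.sessions[(target, pkt.src)] = pkt.dst
        return Packet(pkt.src, target)   # destination rewritten, source kept

    def outbound(self, pkt):
        # The source is translated back only for replies that pass through here.
        public = self.sessions.get((pkt.src, pkt.dst))
        return Packet(public, pkt.dst) if public else pkt


def trace(server_gateway):
    """Return (source of the reply as it leaves the LAN, client accepts it?)."""
    nat = NatBox({(NAT_PUBLIC, 80): SERVER})
    syn = Packet(CLIENT, (NAT_PUBLIC, 80))
    delivered = nat.inbound(syn)                  # reaches 10.0.0.2:80
    reply = Packet(delivered.dst, delivered.src)  # SYN-ACK addressed to the client
    if server_gateway == NAT_INSIDE:
        reply = nat.outbound(reply)               # returns through the NAT machine
    # Otherwise the reply leaves via another router with its private source
    # intact, so it is dropped or arrives from an address the client never contacted.
    accepted = reply.src == syn.dst               # client matches replies on the 4-tuple
    return reply.src, accepted


if __name__ == "__main__":
    for gw in (NAT_INSIDE, OTHER_GW):
        print(gw, trace(gw))
```

On the real server, the value to compare against the NAT machine's inside address is the gateway of the 0.0.0.0 entry in `route print`.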