NAT on 2000 server

Unable to get NAT to allow clients access to the internet.
Have 2000 server with working DHCP: clients receive an IP.
Have DNS configured: I think it is working. Problem might be here?

Have checked everything several times.

Please give us your network configuration (layout): where are you doing the NAT, at a router, or does your server act as a router also?  We need somewhere to start....<G>


userlinux (Author) commented:
Two NICs, one internal, one outside; DHCP running, DNS running and Routing and Remote Access NAT all on one Win 2000 server. Running the internal NIC to a Cisco 2924XL to 5 clients.

Clients are receiving a DHCP address from 2000, but no internet. Firewall is BlackICE, which I do have access to all internal addresses through; even tried disabling it.

I had internet last night for a while; now this morning I can't get an IP. I tried using DHCP in NAT, no luck; that is why I configured 2000 DHCP.

If I understand you correctly:
[WAN - is it DSL?] <==> [Win2K Server] <==> [Cisco Router] <==> Internal network.

Please rethink your network design; it's going to be a major problem with a dual-homed server.  See my previous posts to those who did the same thing and ran into a major performance problem, below.

We don't know what your objective is, so please post your objectives so that we can assist with a design and solve your problem.  See the following post to see what happens when we know your objective:

For now I will be patient and wait for your post.


********** Here are my previous posts: ************
Your problem is in the dual-homed server.  It's a known problem: what's happening is the master browser election taking place and causing the network resources to disappear, so clients are not able to access the resources until the election is complete and the client can see the resource again.  (Added) Meanwhile, the clients have to wait.... so the network appears very slow........ It takes minutes to log on and minutes to access anything.....

Here are my previous answers to the problem:

Here is the MS knowledge base article (KB 135404) and how to deal with it:

Cisco routers are extremely complicated in the line of code.
Did you configure the code yourself?

Also, are the NICs set to full duplex?

Can you map out your network so we can find the error, please?

WAN (dhcp)   ----------------- NIC1
                                        /                                     /---CL1
                                      /                                     /---CL2
                         SERVER                                      /---CL3
                                      \                                 /---CL4  
                                        \                             /---CL5
                                          NIC2 ---- ROUTER -

In this case you would set the SERVER TCP/IP NIC1 properties to automatically detect IP.
Set NIC1 under the properties to share this connection.
That would send the IP to your router ROUTER through NIC2 @ which is assigned by the ICS portion of your server.
Now the 5 clients need to be set up STATIC as through
with whatever your DNS is...

Is this what your situation is ?

OK, do this if you have broadband (DSL or cable) as your Internet connection.

1)  Get yourself a broadband router, such as Linksys, D-Link, etc. Choose one:
     - One with just plain old routing ($40) - not recommended - think of the future.
     - Firewall, routing and DMZ ($60) - not bad - you can host your own web, mail, etc..
     - Firewall, routing, DMZ and VPN capabilities - ($80-120).....

2)  Set it up as follows:
[WAN] <==> [router] <==> [2924 Switch] <==> Server
                                                             ] <==> WS1
                                                             ] <==> WS2

Let the router do the NAT, DNS, firewall, etc..... You can also use a host-based firewall for the server and/or clients.....

3)  Give the server a static address in the subnet set by your router.
4)  Point the default gateway for all machines to your router.
5)  Point the server's DNS to your router.
6)  Point the clients' DNS to your server (primary) and router (secondary), in case the server is down.

I would agree with the setup portion you have, Gnart!
I was merely wondering if userlinux has it set up the way I described!


(diagram only partly preserved: it showed CLIENTS and SERVER both hanging off the same upstream device)

is the way to go !

I would like input from userlinux on his diagram !

Basically.... 2000 NAT is fast.  No need to have clients running the Computer Browser service.  Multi-homed is fine, but don't use ICS.  Use RRAS and use NAT.  A basic config on the Cisco is all that is needed, if its purpose is just that of a switch.  Do not let other services do what a specific service can do.  You could even install a caching/forwarding DNS server; no need for extra hardware.  If security is your concern, 99% of SOHO "firewalls" just use their implementation of NAT to provide security; while better than an app-layer "firewall", NAT is NAT is NAT.  Pretty annoying to hack NAT: the header is useless unless statically mapped, and it is largely dynamic.  Of course it can be done, but if one is that dedicated, NAT is NAT is NAT.  ISA 2000 is very nice, and that goes right on top of 2K.  It provides stateful packet inspection, intrusion detection, SOCKS4 (and SOCKS5 <tweaking req.>), content and app awareness, etc. etc. etc.  But as is...


Configure your interfaces.
First off, stop and disable "Computer Browser" on all systems except for one (probably this is the one you'll run it on).  OK.... assuming that the 2K host's external adapter is configured via DHCP by the ISP, then per the above steps, configure your external adapter to "automatically...".  In Advanced: do not register this connection with DNS, uncheck the "append..." box, and disable NetBIOS on that adapter.  Unbind everything except for TCP/IP.  Set link speed according to CPE specs (do not trust "Auto").  Say you have 5 hosts and a switch; let's just say a /27 (30 host IPs) for expansion...
Statically set the internal adapter to, no default gateway.  IF it is a caching/forwarding DNS server, point DNS to itself (.254) and make sure you disable recursion for the forwarding zone (no need to devolve internet DNS queries).  If not, then leave it blank (it'll default to itself, but try hardcoding it, if you want); again, do not register or do additional appending.  Set link to 100FDX (or whatever your network is).  Give the switch .250 and point DNS and default gateway/route to the internal adapter on the 2K box.

Configure RRAS and, under routing protocols, install NAT.  Set up an internal and an external interface; enable protocol translation and DNS query forwarding under NAT.  Configure any other name resolution services (DNS and/or WINS) and make sure you bind or "listen" only on the internal interface.  Then set up DHCP server services (NOT via the RRAS NAT config) and create a scope.    Make sure it is bound ONLY to the internal adapter and you are not proxying DHCP within RRAS.  Configure the options (DNS, WINS, Default Gateway <"router">, etc.) with the internal adapter's IP.
IP Scope:
Subnet Mask:
Default Gateway ("router"):

All should be good at this point.  What is your CPE?  I would stay away from app-layer "firewalls", definitely on the server.  Map vestigial and high-risk ports to a bogus IP (.  I mean NAT with minor tweaking; I consider it barebones security.  I am talking network-layer NAT, not app-layer and/or usermode-dependent NAT.  Because most SOHO "firewalls" are doing just that, but have limited resources, a lame "easy-to-use web browser interface", ugly defaults, and are not as flexible.  Again, these are better than an app-layer FW.  If you want REAL security: the low-end SoHo appliances (not the "firewall" devices mentioned above) offer decent features for the price; of course there are medium- to high-end appliances (I lean more to CheckPoint on those); the Linux one (I think it is called "Filters"?) is decent from my observations (never "used" it); FreeBSD IPF is very good; but the best I have seen are ISA 2000, CheckPoint appliances (mentioned above) and PIX.

Hope this helps.


good description!

Gotta keep that edge sharp somehow. :D

One last thing...and sorry for the double post <*cAfFiNe*>

If there are no static mappings, incoming traffic is refused or dropped (cannot remember, been using ISA for a while now).  I think TCP is refused and UDP is dropped, but I seriously cannot remember.  I do not think it stealths, BUT because of mapping dangerous ports, for example, msblast did not penetrate, even on an unpatched server.  Because the data reached the session layer.  Another good thing about NAT vs. app-layer NAT is it is two-way.  Security is often mistaken as southbound (incoming) only, or preoccupied with it.  Once the slightest compromise happens on a host you cannot trust your local security systems.  It would be quite easy to add a subroutine to alter these app-layer "firewall" ACLs.  If you can modify it, so can anything running in your interactive session.  Another level: you can unbind TCP/IP from File and Printer Sharing, Client for MS, disable NetBIOS over TCP/IP, etc., install IPX/SPX and bind File and Printer Sharing, Client for MS, etc. only to that protocol.  I'd like to see someone hack through NAT and TCP/IP and hack IPX/SPX.  It is possible, but if someone wants you THAT bad, you really crossed someone and they're gonna get you anyway.

They need an edit and delete post option....

BUT because of mapping dangerous ports to bogus IPs, for example, msblast did not penetrate, even on an unpatched server.  Because the data never reached the session layer.  It's just forwarding to an external network that cannot be routed via the external interface (being the only default gateway).

Again....sorry for the chatter....
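The behaviour argued about above (unsolicited inbound traffic has no translation and goes nowhere; a static "special port" mapping forwards; a mapping to a bogus, unroutable inside address swallows the packet instead of delivering it), as an added Python model. This is constructed example code, not anything from the thread or from Windows 2000 RRAS. Assumed: the addresses (203.0.113.10 public, 192.168.0.0/27 inside, 10.255.255.1 as the bogus target), and that a dynamic translation is only usable by the peer the inside host contacted; the page does not say how RRAS filters that case.

```python
"""Toy model of NAT-as-a-filter: one public address, dynamic translations
created by outbound traffic, static port mappings, and a 'sink' for mappings
that point at an address the box has no route to.  Constructed example."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip, inside_net, first_port=1024):
        self.public_ip = public_ip
        self.inside_net = ip_network(inside_net)
        self.next_port = first_port
        self.static = {}    # (proto, public_port) -> (inside_ip, inside_port)
        self.dynamic = {}   # (proto, public_port) -> (inside_ip, inside_port, peer_ip, peer_port)
        self.by_flow = {}   # (proto, inside_ip, inside_port, peer_ip, peer_port) -> public_port

    def add_static_mapping(self, proto, public_port, inside_ip, inside_port):
        """Like an RRAS 'special port' entry: always forward this public port."""
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def _allocate_port(self, proto):
        while (proto, self.next_port) in self.dynamic or (proto, self.next_port) in self.static:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Inside host -> Internet: create or reuse a translation, rewrite the source."""
        if ip_address(pkt.src_ip) not in self.inside_net:
            raise ValueError("outbound packet must come from the inside network")
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self._allocate_port(pkt.proto)
            self.by_flow[flow] = port
            self.dynamic[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Internet -> public address.  Returns (verdict, packet_or_reason)."""
        if pkt.dst_ip != self.public_ip:
            return ("DROP", "not addressed to the public interface")
        key = (pkt.proto, pkt.dst_port)
        if key in self.dynamic:
            in_ip, in_port, peer_ip, peer_port = self.dynamic[key]
            # Model assumption: only the peer the inside host talked to may use
            # this translation (endpoint-dependent filtering).
            if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
                return ("DROP", "translation belongs to a different peer")
            return ("FORWARD", replace(pkt, dst_ip=in_ip, dst_port=in_port))
        if key in self.static:
            in_ip, in_port = self.static[key]
            if ip_address(in_ip) not in self.inside_net:
                # The 'map dangerous ports to a bogus IP' trick: the only route
                # toward that address is the default route out the public side,
                # so nothing inside ever sees the packet.
                return ("SINK", f"forwarded to unroutable {in_ip}:{in_port}")
            return ("FORWARD", replace(pkt, dst_ip=in_ip, dst_port=in_port))
        # No translation at all: unsolicited inbound traffic goes nowhere.
        return ("DROP", "no translation for this port")


def demo():
    """Run the cases from the thread; returns the verdict for each."""
    nat = Napt("203.0.113.10", "192.168.0.0/27")          # constructed addresses
    nat.add_static_mapping("tcp", 80, "192.168.0.10", 80)   # inside web server
    nat.add_static_mapping("tcp", 135, "10.255.255.1", 135) # RPC endpoint mapper -> sink
    out = nat.outbound(Packet("tcp", "192.168.0.5", 40000, "198.51.100.7", 80))
    reply = Packet("tcp", "198.51.100.7", 80, out.src_ip, out.src_port)
    stranger = Packet("tcp", "198.51.100.9", 80, out.src_ip, out.src_port)
    probe = Packet("tcp", "198.51.100.9", 5555, "203.0.113.10", 4444)
    return {
        "reply": nat.inbound(reply)[0],        # FORWARD: matches the outbound flow
        "stranger": nat.inbound(stranger)[0],  # DROP: wrong peer for that port
        "probe": nat.inbound(probe)[0],        # DROP: no translation
        "web": nat.inbound(Packet("tcp", "198.51.100.9", 5555, "203.0.113.10", 80))[0],   # FORWARD
        "rpc": nat.inbound(Packet("tcp", "198.51.100.9", 5555, "203.0.113.10", 135))[0],  # SINK
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>8}: {verdict}")
```

The point the model makes is the one the thread circles around: NAT drops what it has no state for, but a static mapping is a hole you opened on purpose, so pointing a high-risk port at an address nothing will ever answer on is a deliberate black hole, not a firewall rule.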

NAT is NAT is NAT, OK.  

Not trying to start a religious war here, but as some would say, firewalls just make sysadmins sleep better at night....

But "2000 NAT is fast" - let the router do NAT and route.  The OS has too many other tasks to attend to and it's full of security issues that constantly pop up.....

>> If security is your concern 99% of soho "firewalls" just use their implementation of NAT to provide security,
Huh?  Host-based firewalls are not NAT.  It's just that SOHO routers state that they offer a firewall "feature"..... but most now offer stateful inspection as part of their offerings..... They all copied from CheckPoint (PIX does that; as a matter of fact the PIX GUI is almost identical to CheckPoint; Cisco's SE said that they basically copied CheckPoint)......

BTW, PIX is OK; I am working on PIX right now.  I am not putting money on it; I found a couple of serious holes... I am putting together a package to send to Cisco to outline the IPsec problems with PIX.

NAT is hard to hack if you have to route, because most ISPs won't route the private address space.  If you can get close and tap, you can hack NAT.  If you can poison a BGP router (some corporate idiots ran them) within close proximity, you can do it.

IPX/SPX: most people don't bother with it, but it was hacked before; that was when I was still a CNE (expired).. We used an IP/IPX gateway as a way to secure Internet access, because it was hard to go around both protocols.  But don't think that IPX/SPX is safe... A packet is a packet, an address is an address; it's fixed within the frame and it can be spoofed.

Put it together: you can get at those gateways, NAT <=> IP/IPX..... Hack for practice and hack for fame when the game is up.... Few games are up for the NAT <=> IP/IPX because those guys don't run web sites.....


There is one constant about the concept of security, and it doesn't apply just to info: if someone wants you bad enough they are going to get you, be it data, your deck, your wallet, etc.  It is about keeping the "kids" out and at least making them work for their gains; after all, a lot can happen in 30 seconds.  There are always ways; this is not static subject matter; holes open and close and open back up again.  You want total security.... unplug and put it in a safety deposit box, and even then...  All I was trying to do was illustrate options given the tools on hand.

>> But "2000 NAT is fast" - let the router do NAT and route.  The OS has too many other tasks to attend to and it's full of security issues that constantly pop up.....

Sort of... depends on the hardware, services, load, etc.  I saw this one 2000 SBS: AD, DNS, WINS, DHCP, TermSrvr, ISA, IIS... everything but Exchange and SQL.  I would NEVER EVER recommend this, or SBS, but you work with what you've got.  It was a PII 450 with 384 MB RAM; cached objects averaged 11 MB/sec, at the brim of 100Base.  Like I said, I dunno what he has or his needs, so I am providing options.  In the hands of a skilled user, anything can be effective.

>> Huh?  Host based firewalls are not NAT.  It's just that SOHO routers state that they offer firewall "feature"..... but most now offers State Full Inspection as part of their offerings..... They all copied from CheckPoint (Pix does that, as a matter of fact Pix GUI is almost identical to Checkpoint - Cisco's SE said that they basically copied CheckPoint)......

Let me clarify.  App-layer security systems are inherently flawed.  Most of the low-end devices are NAT; at least it's on the right layer.  I just prefer a more proactive approach.  Those $100 NAT devices are great for home use; professionally I would avoid them if possible.  I have never liked app-layer or usermode FWs.  All these essentially distill to NAT, but it's how it's implemented... I dunno... I know things can be hacked; well, I could get robbed too.  Try to avoid both as much as possible.  I am not into the religious war either, just giving input within the confines of the apparent situation.  There is no SINGLE one answer for all.

So get off my jock, man... private emails are better for this sort of candor.

Where is userlinux?

This is an open forum and it helps if you respond to your own question!

Please respond or close this post if you're not satisfied with the comments!

It has been 5 days since your last response!

One last thing: if you configure it as a caching/forwarding DNS server, the external interface's primary DNS server should point to its internal IP (I have seen it, but for some reason I don't like it).

Ohh, and my apologies to everyone, including Gnart; that last comment was uncalled for.  It is the curse of the internet with its lack of contextual expression and inflection.  At first it came off aggressive, and even if it was, that is no reason to be an arse.

Looks like we helped, so peace out all.

userlinux (Author) commented:
Thanks everyone, you are all on the mark.
Hello  NetwerkMerc, Gnart

Take a look at this post and see if you can help :)
