Solved

NAT on 2000 server

Posted on 2003-12-01
Last Modified: 2010-04-14
Unable to get NAT to allow clients access to the internet.
Have 2000 server with working DHCP: clients receive IP.
Have DNS configured: I think it is working. Problem might be here?

Have checked everything several times.
Question by:userlinux

21 Comments
 
 
Expert Comment by:Gnart (LVL 13)
Please give us your network configuration (layout): where are you doing the NAT, at a router, or is your server acting as a router also?  We need somewhere to start....<G>

cheers

Author Comment by:userlinux
Two NICs, one internal one outside, DHCP running, DNS running and Routing and Remote Access (NAT) all on one Win 2000 server. Running internal NIC to Cisco 2924xl to 5 clients.

Clients are receiving DHCP address from 2000, but no internet. Firewall is BlackICE, which I do have access to all internal addresses 192.168.0.1 thru 192.168.0.254; even tried disabling.

I had internet last night for a while, now this morning can't get IP. I tried using DHCP in NAT - no luck, that is why I configured 2000 DHCP.

Expert Comment by:Gnart (LVL 13)
If I understand you correctly:
[WAN - is it DSL?] <==> [Win2K Server] <==> [Cisco Router] <==> Internal network.

Please rethink your network design, it's going to be a major problem with a dual-homed server.  See my previous posts, below, to those who did the same thing and ran into a major performance problem.

We don't know what your objective is, so please post your objectives - so that we can assist with a design and solve your problem.  See the following post to see what happens when we know your objective:  http://www.experts-exchange.com/Networking/Q_20811311.html#9854908

For now I will be patient and wait for your post.

cheers


********** Here are my previous posts: ************
Your problem is in the dual-homed server.  It's a known problem - what's happening is the master browser election taking place and causing the network resources to disappear, so clients are not able to access the resources until the election is complete and the client can see the resource again.  (Added) Meanwhile, the clients have to wait.... so the network appears very slow........ It takes minutes to logon and minutes to access anything.....

Here are my previous answers to the problem:

http://www.experts-exchange.com/Operating_Systems/Q_20811566.html
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20747880.html

Here is the MS knowledge base article and how to deal with it:

http://support.microsoft.com/default.aspx?scid=kb;en-us;135404&Product=win2000


Expert Comment by:wtrmk74 (LVL 7)
Cisco routers are extremely complicated in the line of code.
Did you configure the code yourself?

Also, are the NICs set to Full Duplex?

Can you map out your network so we can find the error please?

WAN (dhcp) ----- NIC1
                   |
                SERVER
                   |
                 NIC2 ---- ROUTER ---- CL1
                                  |--- CL2
                                  |--- CL3
                                  |--- CL4
                                  \--- CL5

in this case you would set SERVER TCP/IP NIC1 Properties to automatically detect IP
Set NIC1 under the properties to share this connection
that would send the IP to your router ROUTER thru NIC2 @ 192.168.0.1 which is assigned by the ICS portion of your server
now the 5 clients need to be set up STATIC as 192.168.0.101 thru 192.168.0.105
with whatever your DNS is...

Is this what your situation is ?


wtrmk74                

Expert Comment by:Gnart (LVL 13)
Ok, do this if you have broadband (DSL or cable) as your Internet connection.

1)  Get yourself a broadband router... such as Linksys, Dlink, etc... choose one:
     - One with just plain old routing ($40) - not recommended - think of the future.
     - Firewall, routing and DMZ ($60) - not bad - you can host your own web, mail, etc..
     - Firewall, routing, DMZ and VPN capabilities - ($80-120).....

2)  Set it up as follows:
[WAN] <==> [router] <==> [2924 Switch] <==> Server
                                       ] <==> WS1
                                       ] <==> WS2

Let the router do the NAT, DNS, firewall, etc..... You can also use a host-based firewall for the server and/or client.....

3)  Give the server a static address in the subnet set by your router.
4)  Point the default gateway for all machines to your router.
5)  Point the server DNS to your router.
6)  Point the clients DNS to your server (primary), router (secondary) in case server is down.

cheers

Expert Comment by:wtrmk74 (LVL 7)
I would agree with the setup portion you have Gnart !
I was merely wondering if userlinux has it set up the way I described !

definitely:

WAN > ROUTER / SWITCH > VIRTUAL SERVER ACCESS PORT
              \                        \
            CLIENTS                  SERVER

is the way to go !

I would like input from userlinux on his diagram !



wtrmk74
 
Accepted Solution by:NetwerkMerc (LVL 1), earned 500 total points
Basically....2000 NAT is fast.  No need to have clients running the Computer Browser service.  Multi-homed is fine, but don't use ICS.  Use RRAS and use NAT.  A basic config on the Cisco is all that is needed, if its purpose is just that of a switch.  Do not let other services do what a specific service can do.  You could even install a caching/forwarding DNS server, no need for extra hardware.  If security is your concern, 99% of SOHO "firewalls" just use their implementation of NAT to provide security; while better than an app-layer "firewall", NAT is NAT is NAT.  Pretty annoying to hack NAT, the header is useless, unless statically mapped, largely dynamic; of course it can be done, but if one is that dedicated, NAT is NAT is NAT.  ISA 2000 is very nice and that goes right on top of 2K.  Provides stateful packet inspection, intrusion detection, SOCKS4 (and SOCKS5 <tweaking req.>), content and app aware, etc.  But as is...

www------/\/-----CPE-----2K-------2924xl-------LAN

Configure your interfaces.  
First off, stop and disable "Computer Browser" on all systems except for one (prolly this is the one you'll run it on).  OK....assuming that the 2K host's external adapter is configured via DHCP by the ISP, then per the above steps, configure your external adapter to "automatically...".  In advanced: do not register this connection with DNS, uncheck the "append..." box, and disable NetBIOS on that adapter.  Unbind everything except for TCP/IP.  Set link speed according to CPE specs (do not trust "Auto").

OK...you say you have 5 hosts and a switch, let's just say a /27 (30 host IPs) for expansion...172.16.100.224/27
Statically set the internal adapter to 172.16.100.254, no default gateway. IF it is a caching/forwarding DNS server, point DNS to itself (.254) and make sure you disable recursion for the forwarding zone (no need to devolve internet DNS queries).  If not, then leave blank (it'll default to itself, but try hardcoding it, if you want); again do not register or do additional appending.  Set link to 100FDX (or whatever your network is), give the switch .250 and point DNS and default gateway/route to the internal adapter on the 2K box.

Config RRAS and under routing protocols install NAT.  Set up an internal and external interface, enable protocol translation and DNS query forwarding under NAT.  Config any other name resolution services (DNS and/or WINS) and make sure you bind or "listen" only on the internal interface.  Then set up DHCP server services (NOT via RRAS NAT config) and create a scope.    Make sure it is bound ONLY to the internal adapter and you are not proxying DHCP within RRAS.  Config the options (DNS, WINS, Default Gateway <"router">, etc.) with the internal adapter's IP.
ex.
IP Scope: 172.16.100.225-172.16.100.240
Subnet Mask: 255.255.255.224
Default Gateway ("router"): 172.16.100.254
DNS: 172.16.100.254
WINS: 172.16.100.254

All should be good at this point.  What is your CPE?  I would stay away from app-layer "firewalls", definitely on the server.  Map vestigial and high-risk ports to a bogus IP (192.168.200.200).  I mean NAT with minor tweaking, I consider barebones security.  I am talking network layer NAT, not app layer and/or usermode dependent NAT.  Because most SOHO "firewalls" are doing just that, but have limited resources, lame "easy-to-use web browser interface", ugly defaults, not as flexible.  Again, these are better than app-layer FW.  If you want REAL security; the low-end SOHO appliances (not the "firewall" devices mentioned above) offer decent features for the price, of course medium to high-end appliances (I lean more to CheckPoint on those), the Linux one (I think it is called "Filters"?) is decent from my observations (never "used" it), FreeBSD IPF is very good, but the best I have seen are ISA 2000, CheckPoint appliances (mentioned above) and PIX.

Hope this helps.

-Eric
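
As an added illustration of the NAT behaviour Eric's answer relies on (my own toy code, not anything from the thread or from RRAS): a minimal stateful NAT table showing that replies to outbound flows are translated back, unsolicited inbound packets with no entry are dropped, and a static mapping of a high-risk port to the bogus 192.168.200.200 sends the packet to an address no LAN host holds. The addressing follows the post (172.16.100.224/27, server at .254); the public address 203.0.113.10, the ephemeral port range and TCP 135 as the stand-in "dangerous port" are assumptions.

```python
import ipaddress

# Addressing from the post; PUBLIC_IP is a constructed WAN address for the demo
INTERNAL_NET = ipaddress.ip_network("172.16.100.224/27")
PUBLIC_IP = "203.0.113.10"
BOGUS_IP = "192.168.200.200"      # the sink address the post suggests


class Nat:
    """Toy NAPT: outbound flows create translation entries; inbound packets
    are accepted only if they match an entry or a static port mapping."""

    def __init__(self, static_maps=None):
        # external port -> (inside_ip, inside_port) for static mappings
        self.static = dict(static_maps or {})
        # (inside_ip, inside_port, remote_ip, remote_port) -> external port
        self.table = {}
        self.next_port = 40000    # constructed ephemeral port range

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        # The packet as it appears on the WAN side
        return (PUBLIC_IP, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        # Reply to an existing outbound flow: translate back to the inside host
        for (i_ip, i_port, r_ip, r_port), ext in self.table.items():
            if ext == dst_port and (r_ip, r_port) == (src_ip, src_port):
                return ("forward", i_ip, i_port)
        if dst_port in self.static:
            target_ip, target_port = self.static[dst_port]
            # Static map to an address outside the LAN: no host ever sees it
            if ipaddress.ip_address(target_ip) not in INTERNAL_NET:
                return ("sinkholed", target_ip, target_port)
            return ("forward", target_ip, target_port)
        # No translation entry and no static map: unsolicited, so dropped
        return ("drop", None, None)


def demo():
    # Assumption: TCP 135 stands in for the high-risk ports the post maps away
    nat = Nat(static_maps={135: (BOGUS_IP, 135)})
    out = nat.outbound("172.16.100.226", 1025, "198.51.100.7", 80)
    reply = nat.inbound("198.51.100.7", 80, out[1])
    probe = nat.inbound("198.51.100.9", 4444, 135)   # hits the static map
    stray = nat.inbound("198.51.100.9", 4444, 445)   # no entry at all
    return out, reply, probe, stray
```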


Expert Comment by:wtrmk74 (LVL 7)
good description!

wtrmk74

Expert Comment by:NetwerkMerc (LVL 1)
Danke!!!
Gotta keep that edge sharp somehow. :D

-Eric
 
Expert Comment by:NetwerkMerc (LVL 1)
One last thing...and sorry for the double post <*cAfFiNe*>

If there are no static mappings, incoming traffic is refused or dropped (cannot remember, been using ISA for a while now).  I think TCP is refused and UDP is dropped, but I seriously cannot remember.  I do not think it stealths, BUT because of mapping dangerous ports, for example, msblast did not penetrate, even on an unpatched server.  Because the data reached the session layer.  Another good thing about NAT vs. app-layer NAT is it is two-way.  Security is often mistaken as southbound (incoming) only or preoccupied.  Once the slightest compromise happens on a host you cannot trust your local security systems.  It would be quite easy to add a subroutine to alter these app-layer "firewall" ACLs.  If you can modify it, so can anything running in your interactive session.  Another level: you can unbind TCP/IP from file and printer sharing, client for MS, disable NetBIOS over TCP/IP, etc., install IPX/SPX and bind file and printer sharing, client for MS, etc. only to that protocol.  I'd like to see someone hack through NAT and TCP/IP and hack IPX/SPX.  It is possible, but if someone wants you THAT bad, you really crossed someone and they're gonna get you anyway.

-Eric

Expert Comment by:NetwerkMerc (LVL 1)
They need an edit and delete post....

BUT because of mapping dangerous ports to bogus IPs, for example, msblast did not penetrate, even on an unpatched server.  Because the data never reached the session layer.  It's just forwarding to an external network that cannot be routed via the external interface (being the only default gateway).

Again....sorry for the chatter....

-Eric

Expert Comment by:Gnart (LVL 13)
NAT is NAT is NAT, OK.

Not trying to start a religious war here - but as some would say, firewalls just make sysadmins sleep better at night....

But "2000 NAT is fast" - let the router do NAT and route.  The OS has too many other tasks to attend to and it's full of security issues that constantly pop up.....

>> If security is your concern 99% of soho "firewalls" just use their implementation of NAT to provide security,
Huh?  Host based firewalls are not NAT.  It's just that SOHO routers state that they offer a firewall "feature"..... but most now offer Stateful Inspection as part of their offerings..... They all copied from CheckPoint (PIX does that, as a matter of fact the PIX GUI is almost identical to CheckPoint - Cisco's SE said that they basically copied CheckPoint)......

BTW, PIX is OK,  I am working on PIX right now.  I am not putting money on it, I found a couple of serious holes... I am putting together a package to send to Cisco to outline the IPSec problems with PIX.

NAT is hard to hack if you have to route because most ISPs won't route the private address space.  If you can get close and tap you can hack NAT.  If you can poison a BGP router (some corporation idiots ran them) within close proximity you can do it.

IPX/SPX - most people don't bother with it, but it was hacked before - that was when I was still a CNE (expired).. We used an IP/IPX gateway as a way to secure Internet access - because it was hard to go around both protocols.  But don't think that IPX/SPX is safe... A packet is a packet, an address is an address, it's fixed within the frame and it can be spoofed.

Put it together - you can get at those gateways  NAT <=> IP/IPX..... Hack for practice and hack for fame when the game is up.... Few games are up for the NAT <=> IP/IPX because those guys don't run web sites.....

cheers


Expert Comment by:NetwerkMerc (LVL 1)
There is one constant about the concept of security and it doesn't apply just to info.; If someone wants you bad enough they are going to get you, be it data, your deck, your wallet, etc.  It is about keeping the "kids" out and at least make them work for their gains, after all a lot can happen in 30 seconds.  There are always ways, this is not static subject matter, holes open and close and open back up again.  You want total security....unplug and put it in safety deposit box, even then...All I was trying to do was illustrate options given tools on hand.

<snip>
But "2000 NAT is fast" - let the router do NAT and route.  The OS has too many other tasks to attend to and it's full of security issues that constantly pop up.....
</endsnip>

Sorta...depends on the hardware, services, load, etc.  I saw this one 2000 SBS, AD, DNS, WINS, DHCP, TermSrvr, ISA, IIS...everything but Exchange and SQL.  I would NEVER EVER recommend this or SBS, but you work with what you got.  It was a PII450 384mb ram, cached objects avg. 11MB/sec at the brim of 100base.  Like I said, I dunno what he has, his needs, so I am providing options.  In the hands of a skilled user, anything can be effective.

<snip>
Huh?  Host based firewalls are not NAT.  It's just that SOHO routers state that they offer firewall "feature"..... but most now offers State Full Inspection as part of their offerings..... They all copied from CheckPoint (Pix does that, as a matter of fact Pix GUI is almost identical to Checkpoint - Cisco's SE said that they basically copied CheckPoint)......
</endsnip>

Let me clarify.  App-layer security systems are inherently flawed.  Most of the low-end devices are NAT, at least it's on the right layer.  I just prefer a more proactive approach.  Those $100 NAT devices are great for home use; professionally I would avoid it if possible.  I have never liked app-layer or usermode FWs.  All these essentially distill to NAT, but it's how it's implemented...I dunno...I know things can be hacked, well I could get robbed too.  Try to avoid both as much as possible.  I am not into the religious war either, just giving input within the confines of the apparent situation.  There is no SINGLE one answer for all.

So get off my jock man...private emails are better for this sort of candor

Expert Comment by:wtrmk74 (LVL 7)
where is userlinux ?

this is an open forum and it helps if you respond to your own question !

please respond or close this post if you're not satisfied with the comments !

it has been 5 days since your last response !


Thanks,
wtrmk74

Expert Comment by:NetwerkMerc (LVL 1)
One last thing, if you config as a caching/forwarding DNS server, the external int. Pri. DNS server should point to its internal IP (I have seen 127.0.0.1, but for some reason I don't like it).

Ohh and my apologies everyone, including Gnart, last comment was uncalled for.  It is the curse of the internet with its lack of contextual expression and inflection.  At first it came off aggressive and even if, it is no reason to be an arse.

Looks like we helped, so peace out all.

-Eric

Author Comment by:userlinux
Thanks everyone, you all are on the mark.

Expert Comment by:wtrmk74 (LVL 7)
Hello  NetwerkMerc, Gnart

Take a look at this post and see if you can help :)
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20814265.html

thanks,
wtrmk74