Solved

NAT with Windows 2003

Posted on 2009-03-29
Last Modified: 2012-05-06
Hi, I'm using Windows 2003 as a router on my LAN. Two networks: 10.10.60.x/24 and 192.168.1.x/24
When I configure NAT on the RRAS I don't have access to the 192.168.1.x LAN from the 10.10.60.x LAN. From the 192.168.1.x LAN I have access.
When I delete the NAT I have access from the 192 LAN to the 10.10 LAN and the opposite, but no Internet connection.
Please assist.
Question by:questil
LVL 27

Expert Comment

by:bluntTony
ID: 24012972
Configuring NAT on a router will mean that by default you can only really initiate communications one way - from the 'internal' subnet to the 'external' subnet. All outgoing packets from the internal subnet will have the same 'from' IP address - that of the NAT router's external interface. All of the IP addresses on the internal subnet are shielded from the outside world.
You can enable traffic to be initiated the other way by configuring port forwarding on the router based on port number and external IP address so that certain traffic is routed to certain private IP addresses.
What subnet is your internet gateway on? Is this also on the RRAS box? If the gateway is on a different router, you will need to add a static route to the RRAS box, or configure a routing protocol such as RIP so that it knows where to send traffic out to the internet.
0
 

Author Comment

by:questil
ID: 24013015
I understand what you have explained, but what do you mean by saying "You can enable traffic to be initiated the other way by configuring port forwarding on the router based on port number and external IP address so that certain traffic is routed to certain private IP addresses"?

Thanks!
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24013078
In order to be able to initiate communication from the 'outside' to the private subnet, you need to configure port forwarding. For example:
Say the external IP address of the router is 10.10.60.254. This is the only IP address that outside sources can send packets to. If you wanted to, say, access remote desktop on a server inside the private subnet (say its private IP is 192.168.1.1), you configure a port forwarding rule to say:
Any packets sent to 10.10.60.254 using port 3389 (remote desktop port number), allow them through and forward them on to 192.168.1.1. Essentially the outside machine 'thinks' it's talking to 10.10.60.254 - it's not aware of the internal private IP it's actually in communication with, thus shielding the private IP from the outside world. So when you wanted to access remote desktop on 192.168.1.1, you actually connect to 10.10.60.254 and the communications will be forwarded by the router.
On RRAS, you configure a port forwarding rule on the interface you have nominated as the 'public' interface - on the 'Service and ports' tab.
See here for some info on configuring NAT: http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html
0
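The behaviour described in the comment above, as an added example that is not part of the original thread: a simplified Python model of a NAT router with one port-forwarding rule, using the addresses from the post (10.10.60.254, 192.168.1.1, port 3389). The outside host 10.10.60.20, the inside client 192.168.1.50 and the translated-port range are constructed for illustration, and the model is not RRAS's actual implementation.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    public_ip: str
    forwards: dict = field(default_factory=dict)  # public TCP port -> (private_ip, port)
    sessions: dict = field(default_factory=dict)  # public port -> (private host, remote peer)
    next_port: int = 50000                        # constructed start of translated ports

    def outbound(self, src, sport, dst, dport):
        """Private host initiates: the source is rewritten to the public address."""
        pub_port = self.next_port
        self.next_port += 1
        self.sessions[pub_port] = ((src, sport), (dst, dport))
        return (self.public_ip, pub_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Packet arriving on the public side: returns the private target, or None if dropped."""
        if dst != self.public_ip:
            return None                    # private addresses are hidden behind the NAT
        session = self.sessions.get(dport)
        if session and session[1] == (src, sport):
            return session[0]              # reply to a session opened from inside
        return self.forwards.get(dport)    # otherwise only a forwarding rule lets it in

def demo():
    r = NatRouter("10.10.60.254")          # external address from the post
    outside = "10.10.60.20"                # constructed host on the 'outside' subnet
    results = {}
    # Outside host tries the private address directly, then the public one without a rule.
    results["direct_to_private"] = r.inbound(outside, 40000, "192.168.1.1", 3389)
    results["rdp_before_rule"] = r.inbound(outside, 40000, r.public_ip, 3389)
    # Port-forwarding rule from the post: public 3389 -> 192.168.1.1:3389.
    r.forwards[3389] = ("192.168.1.1", 3389)
    results["rdp_after_rule"] = r.inbound(outside, 40000, r.public_ip, 3389)
    # Traffic initiated from inside works without any rule, and so does its reply.
    results["outbound"] = r.outbound("192.168.1.50", 1234, outside, 80)
    results["reply"] = r.inbound(outside, 80, r.public_ip, 50000)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only the forwarded port becomes reachable from the outside subnet; every other inbound connection attempt is still dropped.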
 
LVL 68

Expert Comment

by:Qlemo
ID: 24018381
What device manages the internet traffic? Hardware Router? RRAS? And on which LAN?

Using the configuration without NAT is correct (for the internal networks). However, your Internet router seems not to know how to answer to traffic originating from "the other" LAN (the LAN it is not positioned itself into).
0
 

Author Comment

by:questil
ID: 24018401
It's a router (Cisco)
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
ID: 24018613
Yes, agree - there's no real need to run NAT between two of your own subnets in your case, unless maybe you were setting up a perimeter, or 'DMZ', network for security reasons.
The issue you have is that your two routers don't 'know' where to route some of their traffic.
1. Your RRAS box needs to have a static route configured so that it forwards all traffic it doesn't know about (the destination 0.0.0.0) to the Cisco router's internal interface.
2. Your Cisco router then needs to know where to send traffic to the subnet it's not directly connected to. So for example, if it's the subnet 192.168.... that it's not connected to, you need to configure a route to it. Something similar to:
ip route 192.168.1.0 255.255.255.0 (then the IP address of the RRAS box interface on the 10.10.60.x subnet)
 
0
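The two routing gaps named in the accepted solution, as an added example that is not part of the original thread: a Python longest-prefix-match lookup over each router's table before and after the static routes. It assumes the Cisco sits on the 10.10.60.x subnet (the case the answer uses as its example); the interface addresses 10.10.60.1 and 10.10.60.2, the host 192.168.1.10 and the Internet address 203.0.113.10 are constructed.

```python
import ipaddress

def next_hop(table, dst):
    """Return the next hop of the most specific route matching dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), hop)
               for prefix, hop in table.items()
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None                       # no route: the packet is dropped
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed interface addresses (not given in the thread).
CISCO_INSIDE = "10.10.60.1"   # Cisco router's internal interface
RRAS_ON_10 = "10.10.60.2"     # RRAS box's interface on the 10.10.60.x subnet

# Before the fix: each router only knows its directly connected subnets,
# plus the Cisco's own default route towards the ISP.
rras_before = {"10.10.60.0/24": "connected", "192.168.1.0/24": "connected"}
cisco_before = {"10.10.60.0/24": "connected", "0.0.0.0/0": "ISP"}

# Step 1: RRAS forwards everything it doesn't know about to the Cisco.
rras_after = dict(rras_before, **{"0.0.0.0/0": CISCO_INSIDE})
# Step 2: the Cisco learns that 192.168.1.0/24 lives behind the RRAS box.
cisco_after = dict(cisco_before, **{"192.168.1.0/24": RRAS_ON_10})

def summary():
    internet, lan_host = "203.0.113.10", "192.168.1.10"  # constructed samples
    return {
        "rras_to_internet_before": next_hop(rras_before, internet),
        "rras_to_internet_after": next_hop(rras_after, internet),
        "cisco_reply_before": next_hop(cisco_before, lan_host),
        "cisco_reply_after": next_hop(cisco_after, lan_host),
    }

if __name__ == "__main__":
    for name, hop in summary().items():
        print(f"{name}: {hop}")
```

Before step 2 the Cisco's only match for 192.168.1.10 is its default route, so replies leave towards the ISP instead of returning to the RRAS box.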
 

Author Closing Comment

by:questil
ID: 31564029
OK, now I understand what I missed.
Thanks!!!
0
