Network Address Translation Problem? Windows 2003 Server

assassin
Hey, and thanks for your consideration in advance. I'm redoing a network for a company I've started working with recently, using a server running Windows Server 2003 as the gateway and NAT translator for the network.

Basic layout is Internet --- Server ---- Router ---- Workstations.

Having a weird problem, however: the workstations are only able to access the internet sporadically. It's the weirdest thing, sometimes they can, sometimes they can't. I have absolutely no idea what causes them to NOT be able to access the internet. The server is running its own DNS (internal) and, for external addresses, forwards inquiries to external servers. Here's the other part: even when the workstations can't access the internet, they're able to nslookup any site through the server, and the server IS able to get to the internet. I'm pretty sure it's a configuration-specific problem, but I'm lost; can anyone please help me out?
    viperiii

    Just a quick question... Why use the 2003 server as the public NAT device?

    Yes, it can do it, but are you running ISA or just a VPN server with NAT?

    Reason I ask is because typically, even if you are using ISA, you put a hardware firewall in front of that. Then manage both or just the hardware firewall.

    Beyond all that... it sounds like the DNS isn't able to effectively communicate with the machines... or they aren't set up to use this as their DNS...

    Basically, a quick test is to run nslookup on some of the machines... they should resolve the NAT server as their DNS.

    I see in your diagram you have a router between workstations and server... is that meant to be SWITCH? A router is typically on the other side of the server, separating it from the internet...

    More like Internet --- Router --- Server Port 1 --- Workstations on other ports

    or in your case Internet --- Server --- Switch --- Workstations

    assassin

    I'm not running ISA, but I AM trying to run it as a VPN server. Actually, it WORKS as a VPN server; I have a connection from an external computer, etc., etc., it assigns it an address and everything.

    OK, here's a re-explanation of the network.

    Provider's Cisco IAD (internet) --- Server ---- Switch ---- Workstations.

    The machines ALL pull the correct DNS addresses via nslookup. They're able to resolve addresses both internal and external to the network. As in, they can resolve computer names as well as .coms. There are no DNS errors in the logs either.

    Ideas?

    It seems really weird though. I tried something, and it COMPLETELY stumped me. I just set one of the internal computers to ping yahoo.com 50000 times. It went merrily on its way pinging (successfully). The computer RIGHT NEXT TO IT on the SAME switch can't ping. They were both set up in EXACTLY the same way within MINUTES of each other, and all the network info is pulled from the DHCP on the server, so no discrepancies there.

    Here's the REALLY messed up part. A few minutes later, I stopped the 50000 pings and tried to surf. THAT computer couldn't get outside to the internet. Still able to resolve addresses and everything, just totally cut off from the outside. The OTHER computer (previously not able to see the internet) suddenly began connecting. This cycle repeated all night, and between more than just these two computers. It's the WEIRDEST THING.

    fwang

    When I pinged our DNS server, sometimes it went through, sometimes not. It turned out the wire between our switch and the server had a problem; it was fixed once the cable was replaced. May not be your case, but just a thought.

    assassin

    I thought of this and replaced the cable, but I don't think that's the problem. Here's why: there are always SOME computers that can access external resources (internet), so more than likely it isn't a hardware defect. And ALL the computers can ALWAYS access internal resources, so it's not a switch / switching problem. Not to mention that all DNS lookups still work.

    viperiii

    Seems like it might be something with the Filtering tab in RRAS...

    Also, which interface is selected for Internet and which interface is selected for LAN...

    I'm just going for the obvious, but if you didn't use two interfaces the filtering can cause this...

    Outbound filters would be my first check.

    assassin

    Using two interfaces, one facing inward (network) and one facing outward (internet).

    Used RRAS to do the NAT. As far as filters go, I don't have jack set up, because currently I'm just trying to get the dang thing working.

    CG IT

    Both interfaces have to be on different subnets or Windows will get confused about which one to use. Also, for routing you need to specify a default gateway on the external interface [but not on the internal interface]. Clients use the external interface as the gateway out.

    For external clients to gain access to internal resources via RRAS, you have to create a pool of addresses external clients will use. You can manually create this pool or have DHCP do it if you are using DHCP.

    Then you have to configure the RRAS miniports on PPTP and L2TP that external clients will use to connect.

    After that you must create rules to allow remote access and decide whether authentication is Windows AD or a RADIUS server.
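As an added example that is not part of the thread and not the poster's actual configuration: the script below applies the two addressing rules from the reply above (the LAN and Internet NICs must be on different subnets, and only the Internet-facing NIC carries a default gateway) to text shaped like `ipconfig /all` output. The two adapter dumps are constructed, one matching the poster's later description of both NICs on 10.0.1.x and one with the LAN moved to its own subnet; the adapter names, the 10.0.1.254 gateway and the exact address values are assumptions. It also shows why the overlap matters: for a destination in the shared subnet, two connected routes tie, so which NIC the server picks is a tie-break rather than a routing decision.

```python
"""Check a two-NIC RRAS/NAT gateway's addressing against the rules in the thread.

Example code, not from the original post. Input is constructed text in the
shape of `ipconfig /all`; on a real box you would paste that output (and
compare with `route print`).
"""
import ipaddress
import re

# Constructed sample: both NICs on 10.0.1.x, as the poster describes.
BROKEN_IPCONFIG = """
Ethernet adapter Internal:
   IP Address. . . . . . . . . . . . : 10.0.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter External:
   IP Address. . . . . . . . . . . . : 10.0.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.254
"""

# Constructed sample: same box with the LAN moved to its own subnet.
FIXED_IPCONFIG = """
Ethernet adapter Internal:
   IP Address. . . . . . . . . . . . : 10.0.2.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter External:
   IP Address. . . . . . . . . . . . : 10.0.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.254
"""

ADAPTER_RE = re.compile(r"^Ethernet adapter (.+):\s*$", re.M)
FIELD_RE = re.compile(
    r"^\s+(IP Address|Subnet Mask|Default Gateway)[ .]*:\s*(\S*)\s*$", re.M)


def parse_ipconfig(text):
    """Return {adapter_name: {"ip", "mask", "gateway"}} from ipconfig-style text."""
    parts = ADAPTER_RE.split(text)  # ['', name1, body1, name2, body2, ...]
    adapters = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        fields = dict(FIELD_RE.findall(body))
        adapters[name] = {
            "ip": fields.get("IP Address", ""),
            "mask": fields.get("Subnet Mask", ""),
            "gateway": fields.get("Default Gateway", ""),  # "" when blank
        }
    return adapters


def _network(adapter):
    return ipaddress.ip_interface(f"{adapter['ip']}/{adapter['mask']}").network


def check_gateway_addressing(text, internal, external):
    """Apply the thread's two rules; an empty list means both checks pass."""
    adapters = parse_ipconfig(text)
    findings = []
    lan_net, wan_net = _network(adapters[internal]), _network(adapters[external])
    if lan_net.overlaps(wan_net):
        findings.append(
            f"{internal} ({lan_net}) and {external} ({wan_net}) overlap: "
            "connected routes tie, so forwarding between them is ambiguous")
    if adapters[internal]["gateway"]:
        findings.append(f"{internal} has a default gateway; only {external} should")
    if not adapters[external]["gateway"]:
        findings.append(f"{external} has no default gateway; non-local traffic is dropped")
    return findings


def connected_routes_for(text, dest):
    """Adapters whose connected subnet contains dest, sorted by name.

    More than one name means the host's choice of NIC is an implementation
    tie-break rather than a longest-prefix-match decision.
    """
    adapters = parse_ipconfig(text)
    addr = ipaddress.ip_address(dest)
    return sorted(name for name, a in adapters.items() if addr in _network(a))


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_IPCONFIG), ("fixed", FIXED_IPCONFIG)):
        print(label, check_gateway_addressing(cfg, "Internal", "External"))
        print(label, "routes for 10.0.1.50:", connected_routes_for(cfg, "10.0.1.50"))
```

Running it prints one finding for the constructed broken layout (the overlap) and none for the fixed one; in the broken layout a 10.0.1.x destination matches both NICs, in the fixed layout only the external one.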

    assassin

    OK, currently the two interfaces are actually on the same subnet (10.0.1.x). I'm not sure why this would cause problems, but I guess I can change the entire network's subnet via DHCP if needed. The internal interface currently doesn't have a gateway set, and the external interface's default gateway is the ISP's router (which is normal). The external IPs have been configured as well and haven't been causing an issue. Oh, let me add one thing to the original post: even when the computers inside the network CANNOT get to the internet, I AM able to remote into them (weird...).

    The authentication via AD is set up correctly, and the RRAS miniports are as well.

    I'll try the different subnet thing, see if that helps.

    CG IT

    The reason is that RRAS is routing, and unless it knows where to send packets not destined for the internal network, it will drop them [same as a router].

    There's nothing different between a "perimeter" router doing NAT and a server with two NICs that must also route traffic, even if it doesn't perform NAT for one-to-many sharing.

    alex

    Hey, I realise this is an old thread, but I wanted to thank you guys for the input... and to add to it: for me, I had to start the Windows Firewall/Internet Connection Sharing service as well, after disabling RRAS, in order for it to work.
