Network Address Translation Problem? Windows 2003 Server

By assassin
Hey, and thanks for your consideration in advance. I'm redoing a network for a company I've started working with recently, using a server running Windows Server 2003 as the gateway and NAT translator for the network.

Basic layout is Internet --- Server ---- Router ---- Workstations.

Having a weird problem, however: the workstations are only able to access the internet sporadically. It's the weirdest thing, sometimes they can, sometimes they can't. I have absolutely no idea what causes them to NOT be able to access the internet. The server is running its own DNS (internal) and, for external addresses, forwards queries to external servers. Here's the other part: even when the workstations can't access the internet, they're able to nslookup any site through the server, and the server IS able to get to the internet. I'm pretty sure it's a configuration-specific problem, but I'm lost. Can anyone please help me out?


11 total posts (Page 1 of 2)

All Answers


2003 on the outside public

by viperiii In reply to Network Address Translati ...

Just a quick question... Why use the 2003 server as the public NAT device?

Yes, it can do it, but are you running ISA, or just using it as a VPN server with NAT?

The reason I ask is that typically, even if you are using ISA, you put a hardware firewall in front of it. Then manage both, or just the hardware firewall.

Beyond all that... it sounds like the DNS isn't able to communicate effectively with the machines... or they aren't set up to use this as their DNS...

Basically, a quick test is to run nslookup on some of the machines... they should show the NAT server as their DNS.

I see in your diagram you have a router between the workstations and the server... is that meant to be a SWITCH? The router is typically on the other side of the server, separating it from the internet...

More like Internet --- Router----Server-Port1--- Workstations Other Ports

or in your case internet---Server---Switch--Workstations


pardon, reexplanation

by assassin In reply to 2003 on the outside publi ...

I'm not running ISA, but I AM trying to run it as a VPN server. Actually, it WORKS as a VPN server: I have a connection from an external computer, etc., etc., it assigns it an address and everything.

Ok, here's a reexplanation of the network.

Provider's Cisco IAD (internet) --- Server ---- Switch ---- Workstations.

The machines ALL pull the correct DNS addresses via nslookup. They're able to resolve addresses both internal and external to the network. As in, they can resolve computer names as well as .coms. There are no DNS errors in the logs either.


It seems really weird, though. I tried something, and it COMPLETELY stumped me. I just set one of the internal computers to ping 50000 times. It went merrily on its way pinging (successfully). The computer RIGHT NEXT TO IT on the SAME switch can't ping. They were both set up in EXACTLY the same way within MINUTES of each other, and all the network info is pulled from DHCP on the server, so no discrepancies there.

Here's the REALLY messed up part. A few minutes later, I stopped the 50000 pings and tried to surf. THAT computer couldn't get outside to the internet. Still able to resolve addresses and everything, just totally cut off from the outside. The OTHER computer (previously not able to see the internet) suddenly began connecting. This cycle repeated all night, and between more than just these two computers. It's the WEIRDEST THING.


I had similar issue before

by fwang In reply to pardon, reexplanation

When I pinged the DNS server, sometimes it went through, sometimes not. It turned out the cable between our switch and the server had a problem; it was fixed once the cable was replaced. May not be your case, but just a thought.


Possible cabling problem?

by assassin In reply to I had similar issue befor ...

I thought of this and replaced the cable, but I don't think that's the problem. Here's why: there are always SOME computers that can access external resources (internet), so more than likely it isn't a hardware defect. And ALL the computers can ALWAYS access internal resources, so it's not a switch / switching problem. Not to mention that all DNS lookups still work.


Humm...
by viperiii In reply to pardon, reexplanation

Seems like it might be something with the Filtering tab in RRAS...

Also, which interface is selected for Internet and which interface is selected for LAN...

I'm just going for the obvious, but if you didn't use two interfaces, the filtering can cause this...

Outbound filters would be my first check...


interfaces
by assassin In reply to Humm...

Using two interfaces, one facing inward (network) and one facing outward (internet).

Used RRAS to do the NAT. As far as filters go, I don't have jack set up, because currently I'm just trying to get the dang thing working.


RRAS
by CG IT In reply to interfaces

Both interfaces have to be on different subnets, or Windows will get confused about which one to use. Also, for routing you need to specify a default gateway on the external interface [but not on the internal interface]. Clients use the external interface as the gateway out.

For external clients to gain access to internal resources via RRAS, you have to create a pool of addresses that external clients will use. You can create this pool manually or have DHCP do it if you are using DHCP.

Then you have to configure the RRAS miniports on PPTP and L2TP that external clients will use to connect.

After that, you must create rules to allow remote access and choose whether authentication is Windows AD or a RADIUS server.


RRAS configuration

by assassin In reply to RRAS

OK, currently the two interfaces are actually on the same subnet (10.0.1.x). I'm not sure why this would cause problems, but I guess I can change the entire network's subnet via DHCP if needed. The internal interface currently doesn't have a gateway set, and the external interface's default gateway is the ISP's router (which is normal). The external IPs have been configured as well and haven't been causing an issue. Oh, let me add one thing to the original post: even when the computers inside the network CANNOT get to the internet, I AM able to remote into them (weird...).

The authentication via AD is setup correctly, and the RRAS miniports are as well.

I'll try the different subnet thing, see if that helps.


can't have both NICs on same subnet

by CG IT In reply to RRAS configuration

The reason is that RRAS is routing, and unless it knows where to send packets not destined for the internal network, it will drop them [same as a router].

There's nothing different between a "perimeter" router doing NAT and a server with 2 NICs that must also route traffic, even if it doesn't perform NAT for one-to-many sharing.
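CG IT's two posts above (both NICs on different subnets; a default gateway on the external interface only) can be checked against a small model of the routing decision a two-NIC host makes. The following is an added example, not code from the thread and not part of RRAS. The interface names Internal and External, the equal interface metrics, and the addresses (10.0.1.0/24 for both NICs as the thread describes, 192.168.10.0/24 as a constructed replacement internal subnet, 198.51.100.10 as a constructed outside address) are assumptions. It installs the routes a host derives from its NIC configuration alone, then does what a route-table lookup does: longest-prefix match, then lowest metric. With both NICs in 10.0.1.0/24, every packet for a workstation matches two identical on-link routes, so which NIC it leaves on is decided by interface binding order rather than by anything the administrator configured, which fits the per-host, changing behaviour described earlier in the thread. With the internal NIC moved to its own subnet, each destination has exactly one winning route.

```python
"""Model of the per-packet routing decision a two-NIC Windows box makes.

Added example; not code from the forum thread.  Interface names, addresses
and metrics below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str]   # None = directly connected (on-link)
    metric: int


# name -> (address/prefix, default gateway or None, interface metric)
InterfaceTable = Dict[str, Tuple[str, Optional[str], int]]

# Constructed: the configuration the thread describes, both NICs in 10.0.1.0/24.
BROKEN: InterfaceTable = {
    "Internal": ("10.0.1.1/24", None, 1),
    "External": ("10.0.1.2/24", "10.0.1.254", 1),
}
# Constructed: the fix, each NIC on its own subnet, gateway only on External.
FIXED: InterfaceTable = {
    "Internal": ("192.168.10.1/24", None, 1),
    "External": ("10.0.1.2/24", "10.0.1.254", 1),
}


def derived_routes(interfaces: InterfaceTable) -> List[Route]:
    """Routes a host installs from its NIC configuration alone: one on-link
    route per NIC plus a 0.0.0.0/0 route per NIC that has a gateway."""
    routes: List[Route] = []
    for name, (addr, gateway, metric) in interfaces.items():
        iface = ipaddress.ip_interface(addr)
        routes.append(Route(iface.network, name, None, metric))
        if gateway is not None:
            routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), name, gateway, metric))
    return routes


def select_route(routes: List[Route], dst: str) -> List[Route]:
    """Longest-prefix match, then lowest metric.  Returns every route that
    survives both tie-breakers; more than one means the OS picks by an order
    (interface binding order) that the administrator did not choose."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in routes if d in r.prefix]
    if not matches:
        return []
    longest = max(r.prefix.prefixlen for r in matches)
    matches = [r for r in matches if r.prefix.prefixlen == longest]
    cheapest = min(r.metric for r in matches)
    return [r for r in matches if r.metric == cheapest]


def overlapping_nics(interfaces: InterfaceTable) -> List[Tuple[str, str]]:
    """Pairs of NICs whose on-link networks overlap: the thread's root cause."""
    nets = {n: ipaddress.ip_interface(a).network for n, (a, _, _) in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def egress(interfaces: InterfaceTable, dst: str) -> Tuple[Optional[str], bool]:
    """(interface the packet leaves on, whether that choice was a tie)."""
    chosen = select_route(derived_routes(interfaces), dst)
    if not chosen:
        return None, False
    return chosen[0].interface, len(chosen) > 1


if __name__ == "__main__":
    for label, table in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, "overlapping NICs:", overlapping_nics(table))
        for dst in ("10.0.1.50", "192.168.10.50", "198.51.100.10"):
            print(f"  {dst:>15} -> {egress(table, dst)}")
```

On the real server the equivalent check is `route print`: two 10.0.1.0/24 entries with the same metric and different interface columns are the symptom, and the fix is the one CG IT gives, a distinct subnet per NIC with the default gateway only on the external one.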


thanks :)

by alex In reply to RRAS configuration

Hey, I realise this is an old thread, but I wanted to thank you guys for the input... and to add to it: for me, I also had to start the Windows Firewall/Internet Connection Sharing service after disabling RRAS in order for it to work.
