Mapping problem

Hi everybody.

I've got annoying issue with Routing and Remote access on one of my win2k3
servers. I have added "Remote assess / VPN server" role, selected custom
config and chosen only NAT/basic firewall component. Firewall set as "Basic
firewall only" and inbound filters configured.
Two servers out of three work fine. On the third one, firewall works for
sure, but in "rrasmgmt.msc /s" IP routing -> Nat / Basic firewall -> right
pane there is no mapping and packet translation statistics. Popup -> Show
mappings shows nothing.
Does anybody know how to help this? The information is really helpful
sometimes.

Other firewall related questions I have:
Is there any way to see statistics on dropped packets (source addresses /
destination ports)?
What's the difference between TCP and TCP connected? Does Connected in terms
of inbound filtering mean only connections that established from the server
already?
Is there any other software firewall solution suitable for public HTTP
server with quite high traffic and users served? I tried few recommended
like Outpost firewall, they usually die on my servers.

Any help or hint is gratefully appreciated.

Best regards,
Dmitry

"Dmitry Demchuk" wrote:

> Hi everybody.
>
> I've got annoying issue with Routing and Remote access on one of my win2k3
> servers. I have added "Remote assess / VPN server" role, selected custom
> config and chosen only NAT/basic firewall component. Firewall set as "Basic
> firewall only" and inbound filters configured.
> Two servers out of three work fine. On the third one, firewall works for
> sure, but in "rrasmgmt.msc /s" IP routing -> Nat / Basic firewall -> right
> pane there is no mapping and packet translation statistics. Popup -> Show
> mappings shows nothing.
> Does anybody know how to help this? The information is really helpful
> sometimes.
>

This might not be related, but i've also seen times when the RRAS gui does
not update correctly. In my case static routes that appeared in "route print"
did not appear. I only found one way to correct problems with this gui, and
that was to use netsh to reset the routing/ip configuration.
before trying this i recommend you do "netsh routing ip dump >
some-safe-file.txt" - incase you want to put your config back
please make sure you understand the implications of doing this - to reset
this component the command is "netsh routing ip reset"



> Other firewall related questions I have:
> Is there any way to see statistics on dropped packets (source addresses /
> destination ports)?
seems i need to look at this in more depth - if you are using the "Basic
Firewall" (Part of ICS service) then you can capture this level of info. When
you enable RRAS you have to disable ICS, which turns off this logging. So far
I didn't manage to get the same functionality from any RRAS logs :-(

> What's the difference between TCP and TCP connected? Does Connected in terms
> of inbound filtering mean only connections that established from the server
> already?
you seem to have understood the distinction correctly; remember "the server
already" could include clients that the server is performing NAT for

> Is there any other software firewall solution suitable for public HTTP
> server with quite high traffic and users served? I tried few recommended
> like Outpost firewall, they usually die on my servers.
if we put the logging issue aside for the moment (see above) what
functionality don't you have from the RRAS firewall?

>
> Any help or hint is gratefully appreciated.
>
> Best regards,
> Dmitry
>
>
>
>

Thanks for your response, Ewan!

>> Is there any other software firewall solution suitable for public HTTP
>> server with quite high traffic and users served? I tried few recommended
>> like Outpost firewall, they usually die on my servers.
> if we put the logging issue aside for the moment (see above) what
> functionality don't you have from the RRAS firewall?

1. I have 1 NIC with 8 IP addresses assigned for different services. 2 of
them supposed to be used for 2 websites. Now, even if I allow all traffic
to TCP port 80 in inbound filters, I'm not receiving packets to port 80
until I enable Web Server NAT on "Services and Ports" tab of the connection
properties in "IP Routing -> NAT/Basic firewall". But this mapping works for
only one IP address on the interface. In other words, there is no way to
allow service on the sme port on 2 out of 8 IP addresses if those addresses
sit on one NIC.
I guess, I'm missing something.

2. I have 3 servers that communicate trough public interfaces. To simplify
things, before locking down interserver communication, I allowed all traffic
between my 3 servers and ran into strange situation. All traffic from server
A to server B is being blocked (any TCP connection attempt stucks at
SYN_SENT, pings don't go). B -> A and all other traffic goes through fine. I
tried all magic passes, including allowing all traffic (sure, I got my
Iass.exe DOSed in 90 seconds), and reinstalling RRAS on the servers A and
B - still, I can't help it. And having no statistics on dropped packets
drives me nuts - I don't have enough information on what's going on.

3. Sometimes investigation of dropped packets statistics is very helpful.
I'm not a guru of all the services I'm using, I may not allow something only
because I don't know or forget about that particular port. It also helps to
identify port scanning, probes, DOS and other hack attempts.

Best regards,
Dmitry