Networking Forums


NAT Problem Port Forwarding

 
 
Kotowski
Guest
Posts: n/a

 
      09-16-2005, 02:07 PM
Hi people!

Need some help here.

My network schema:

Client PC1 -> 192.168.0.XX
Client PC2 -> 192.168.0.XY

Windows 2003 DC -> 2 NICs (Internal -> 192.168.0.XX; External -> 146.XX.XX.XX)
-External NIC connected to the internet
-RRAS with NAT/Basic Firewall enabled
-External NIC as public interface...
-Internal NIC as private interface...

My needs:

1. I need to forward traffic from the internet to my Windows 2003 DC TCP
port 80 to Client PC1 TCP port 80.

2. I need to provide RDC access from the internet to 146.XX.XX.XX TCP port
3389 to Client PC2 TCP port 3389.

What I did:

In my Windows 2003 DC, RRAS, NAT/Basic Firewall, External, Properties,
Services and Ports, I did this:

- Marked checkbox Web Server (HTTP), on this interface, protocol TCP,
incoming port 80, private IP address Client PC1, outgoing port 80;
- Marked checkbox Remote Desktop, on this interface, protocol TCP, incoming
3389, private IP address Client PC2, outgoing port 3389;

But it didn't work.

As a test, I could successfully redirect HTTP traffic to my Windows 2003 DC
itself via the same step above, only changing the private IP address to my
Windows 2003 DC IP address instead of Client PC1.

Any clue?

I do not have ISA Server (it is out of question by now).

Thanks in advance,
Kotowski.
 
 
 
 
 
Doug Sherman [MVP]
Guest
Posts: n/a

 
      09-16-2005, 03:18 PM
If the clients are XP with firewalls enabled (or any OS with a firewall
installed), you will have to open these ports on the clients as well.

Doug Sherman
MCSE, MCSA, MCP+I, MVP




 
 
Phillip Windell
Guest
Posts: n/a

 
      09-16-2005, 03:18 PM
"Kotowski" <(E-Mail Removed)> wrote in message
news:0944A389-B6DB-44D9-835E-(E-Mail Removed)...
> In my Windows 2003 DC, RRAS, NAT/Basic Firewall, External, Properties,
> Services and Ports, I did this:
>
> - Marked checkbox Web Server (HTTP), on this interface, protocol TCP,
> incoming port 80, private IP address Client PC1, outgoing port 80;
> - Marked checkbox Remote Desktop, on this interface, protocol TCP, incoming
> 3389, private IP address Client PC2, outgoing port 3389;
>
> But it didn't work.


My guess is that the Server is already running RDP-Terminal Services on
itself for itself. Two applications cannot use the same port on the same
interface at the same time. RRAS cannot listen for port 3389 to "NAT" back
to the other machine if RDP-Terminal Services is already using that same
port on that same interface. The reason the process worked with the local
Web Site is probably because you have the Site bound only to the Internal
IP# which leaves port 80 "freed up" on the external interface, therefore
RRAS's "Static NAT" was able to use port 80 on the external interface and
NAT it to the internal interface.

In the end, you would be 100 times better off to use VPN to connect into the
LAN from outside first, then use whatever you want to use on whatever
machine you want to use it on by targeting the actual private IP# of the
target machine.

By the way, just as a general FYI, what you are wanting to do is called
Static NAT; there is no such thing as "port forwarding" (there aren't any
ports being forwarded anyway) although that term gets thrown around a lot
thanks to the SOHO market making a mess of the industry's terminology.
There is such a thing as Port Address Translation (PAT) but that is not what
is being done here. There is such a thing as IP Forwarding but that is not
what is being done here either; IP Forwarding is just normal every-day
Layer 3 routing, as can be seen called by that name in NT4, Linux, and the
various Unixes.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------
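As an added illustration of the explanation in this post (example code, not from the thread): a check, run over the server's own `netstat -ano` output, of whether a local listener already owns the public-interface port that a static NAT mapping needs. A wildcard bind (0.0.0.0) owns the port on the external NIC too, while a service bound only to the internal address leaves the external port free; the addresses and netstat lines below are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample address for the external NIC (the thread masks its real one).
EXTERNAL_IP = "146.0.0.10"

# Constructed listening sockets in the layout of Windows `netstat -ano`: Terminal
# Services on the wildcard address, a web site bound only to the internal NIC, RPC.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1520
  TCP    192.168.0.1:80         0.0.0.0:0              LISTENING       1892
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       720
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


@dataclass(frozen=True)
class Listener:
    addr: str   # "0.0.0.0" means bound on every interface
    port: int
    pid: int


@dataclass(frozen=True)
class Mapping:
    public_port: int    # port on the external (public) interface
    private_addr: str   # internal host the traffic is translated to
    private_port: int


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Extract TCP LISTENING sockets from `netstat -ano` text."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append(Listener(m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def owns_port_on(ls: Listener, iface_ip: str, port: int) -> bool:
    """A wildcard bind owns the port on every interface; a specific bind only on its own."""
    return ls.port == port and ls.addr in ("0.0.0.0", iface_ip)


def find_conflicts(mappings, listeners, external_ip=EXTERNAL_IP) -> dict[int, int]:
    """Return {public_port: pid} for each mapping that a local listener already blocks."""
    return {mp.public_port: ls.pid
            for mp in mappings for ls in listeners
            if owns_port_on(ls, external_ip, mp.public_port)}


if __name__ == "__main__":
    wanted = [Mapping(80, "192.168.0.20", 80), Mapping(3389, "192.168.0.21", 3389)]
    blocked = find_conflicts(wanted, parse_listeners(SAMPLE_NETSTAT))
    for mp in wanted:
        state = f"blocked by local PID {blocked[mp.public_port]}" if mp.public_port in blocked else "free"
        print(f"external :{mp.public_port} -> {mp.private_addr}:{mp.private_port}: {state}")
```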



 
 
Kotowski
Guest
Posts: n/a

 
      09-19-2005, 12:43 PM
Hi Phillip,

Thanks for the explanation.

Sorry 'bout my ignorance, but just for confirmation...

I used to have three ways out to the internet - one in my DC, another in
Client PC1, the other in Client PC2.

Now, we are going through a network restructuring phase (sorry about my
English) and I have only one way out to the internet - my DC.

I have only one public IP address - my DC.

The Client PCs now have only internal IP addresses.

I must provide three services - one website in my DC (TCP 80), another website
in Client PC1 (TCP 80), one "Terminal Services" in Client PC2 (TCP 3389).

These services must be accessible not only to the people I work with, but
also to other folks who are simply navigating the web, which made me think
VPN wouldn't be a solution to this case, as I do not have control over who's
gonna visit my web sites, for example.

Correct? If so, what could I do?

Thanks again,
Kotowski.


 
 
Phillip Windell
Guest
Posts: n/a

 
      09-19-2005, 07:17 PM
"Kotowski" <(E-Mail Removed)> wrote in message
news:961989EA-1296-430F-AB41-(E-Mail Removed)...
> I must provide three services - one website in my DC (TCP 80), another website
> in Client PC1 (TCP 80), one "Terminal Services" in Client PC2 (TCP 3389).
>
> These services must be accessible not only to the people I work with, but
> also to other folks who are simply navigating the web, which made me think
> VPN wouldn't be a solution to this case, as I do not have control over who's
> gonna visit my web sites, for example.


Ok, I think I follow what you are saying. The DC has two NICs and has
everything else running on it as well? It is also acting as the LAN's
"firewall"? If that is the case, I think I better "bow out" and let
somebody else deal with that.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 
 
Kotowski
Guest
Posts: n/a

 
      09-19-2005, 11:15 PM
Phillip,

Please don't give up. Serious. You're providing help, maybe you could figure
out a way out for my problem.

About your question, yeah, my DC has two NICs and it's acting like a
"firewall", but with no specific service/application for this purpose.

Thanks again,
Nelson Kotowski.


 
 
Bill Grant
Guest
Posts: n/a

 
      09-20-2005, 01:07 AM
Having your DC directly connected to the Internet is a very dangerous
way to live! I would recommend you get some firewall software running on it
ASAP!

The forwarding options can be found in the RRAS console under NAT. On
your public interface select Special Ports.



 
 
Kotowski
Guest
Posts: n/a

 
      09-20-2005, 11:48 AM
Bill,

Yeah, I realize it's dangerous stuff, but so far it's the only way...

Anyway,

That Special Port thing is just what I was trying to do. For instance, I
tried to check the Web Server (HTTP) checkbox, forwarding requests from the
internet to the external interface to 192.168.0.10 (a private IP which is not
in the DC, but in another client PC), but so far it didn't work...

Thanks,
Nelson Kotowski.


 
 
Phillip Windell
Guest
Posts: n/a

 
      09-20-2005, 05:52 PM
"Kotowski" <(E-Mail Removed)> wrote in message
news:F0D8587F-9DBE-4414-BABE-(E-Mail Removed)...
> Bill,
>
> Yeah, I realize it's dangerous stuff, but so far it's the only way...


It is not the only way when $50 bucks (less than a tank of gas now-a-days)
will buy a NAT Device.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 