Networking Forums


RRAS Question for you routing gurus

 
 
Dave Durand
Guest
Posts: n/a

 
      06-28-2007, 09:30 PM
I'm probably making this more difficult than it should be but I'm having an
issue with RRAS routing & NAT.

I have two servers. One server has two network interfaces, one public and
one private. The other server is solely private. Both servers are running
Windows Server 2003 R2 Enterprise 64-bit. The server with a single
trusted network interface runs Virtual Server 2005 with two Windows Server
2003 R2 Standard 32-bit servers using a trusted network address through the
VS network bridge. The server that has two interfaces obviously has a public
and a trusted interface and thus is the server with RRAS installed. My
network has 10 workstations all running Windows XP or Vista.

When I started, I had two IP addresses from my ISP. The server is plugged
in directly to the ethernet interface on the cable modem and both IP
addresses are bound to the public adapter. Initially I planned on running
everything that needed to be accessed from the Internet from one server thus
I had RRAS configured to NAT the public interface on behalf of my
workstations and to implement the basic firewall. I have many of the default
enabled services and ports enabled such as port 80 and 25 to go to the
localhost IP, etc. Well due to Exchange server requiring 64-bit IIS and my
FrontPage webs not happy about it I decided to put the FrontPage
webs/extensions on one of my 32-bit virtual servers and requested 2 more IP
addresses from my ISP. They are not continuous with the other addresses but
they are in the same subnet and mask. I knew that I wanted to "redirect"
port 80 & 443 TCP traffic for one of these addresses to one of the private
servers so I configured the address pool tab with each of the ranges of two
addresses for a total of 4 addresses in the pool. As soon as I did this, all
of the port mappings on the Services and Ports tab no longer worked nor would
my workstations connect to the Internet. I did have Internet access from the
console of the server with the direct Internet access though. I went to the
extent of reconfiguring one of the services to reflect the correct address in
the pool, etc. with no luck. I then figured I would try using a reservation
in the Address Pool window and dedicate one of the public IP addresses to one
of the virtual servers on the private network. This did not help. Keep in
mind all 4 IP addresses are bound to the public network interface in the IP
properties as well.

My question is simple...can I do this with RRAS or am I overstepping its
capabilities? Summary of the problem is below...

* Server 1 (1 public interface/1 trusted interface running RRAS)
* Server 2 (1 trusted interface)
* Server 3 (Virtual server with 1 trusted IP bridged from Server 2's
physical interface)
* 10 workstations which must access the Internet via NAT through Server 1
* Services on Server 1 need to be available to the Internet
* Services on Server 3 need to be available to the Internet

I have 4 public IP addresses (2 committed to Server 1 and at least one other
should be pointed to Server 3, either for all connections to that public IP
or via NAT port mapping).

If I didn't confuse anyone else, can this be done without jeopardizing the
Internet access to services on Server 1? Some services such as TCP port 80
need to be able to go to both servers on different public IP's however all
traffic is going through the interfaces on Server 1.

Thanks for taking the time to have a look...just when I think I have it
configured right, the entire process is broken so for now I simply have all 4
public IP's bound to the public adapter on Server 1 with Service/Port access
through the basic firewall with All Interfaces set with a TCP or UDP port
redirect to 127.0.0.1.

Any ideas?

Dave
 
 
 
 
 
Bill Grant
Guest
Posts: n/a

 
      06-29-2007, 01:35 AM
I think the basic problem is that you are confusing two separate
functions of NAT. Services and Ports is used to split off traffic according
to the port being used. If you only have one public IP address, this is how
you separate traffic according to its function (such as tcp port 80 traffic
to your web server).

The Address Pool is used to split traffic according to the IP address
(i.e. one-to-one NAT). If you have enough IP addresses to allocate one to each
server you do not need to use services and ports at all.

I would only allocate one IP address to the public NIC of the RRAS
server. Select this interface as the public interface in NAT and check the
"Translate TCP/UDP Headers" box. This IP address will be used for your
outgoing traffic and will give the LAN clients Internet access.

Now put the public IP addresses in the address pool and create
reservations to link a public IP to the private IP of each server on the LAN
and check the "Allow incoming sessions to this address" box. All traffic
from the Internet using this address will be forwarded to the server on the
LAN. Each server will operate as if it had a direct Internet connection.

"Dave Durand" <(E-Mail Removed)> wrote in message
news:6BB4FFCC-C652-4806-8FF5-(E-Mail Removed)...



 
 
Dave Durand
Guest
Posts: n/a

 
      07-02-2007, 06:00 PM
Bill,

I know most of what you said but I think the key I want to clarify is
regarding the IP binding on the public interface. I have 4 IP's from my ISP
but only one needs to be redirected. The other 3 are handling service
requests for the publicly exposed machine in the first place. For example, I
have two FTP configurations in IIS for different purposes...standard port for
each instance but different IP. So if I only want to direct one of the four
you are saying I do not need to bind them to the adapter if they are in the
address pool? I am aware of using the Services and Ports to properly handle
where the traffic is destined to go even if it reflects localhost for a given
service but I just want to know if I'm understanding you correctly. So, if I
apply your thinking to my scenario would I bind the 3 IP's that are only used
on the publicly accessible server to the public interface and put the one IP
that requires a redirect to a trusted IP in the address pool?...or would I
still carry out your initial direction with only the first IP being bound to
the public interface of the publicly accessible server and put the 3
additional IP's in the address pool even though two of those three would
never require a redirect to a system on my trusted network?

Thanks for taking a look and providing your input. I'm going to try the
first of the two scenarios while I await your reply.

Dave



"Bill Grant" wrote:


 
 
Dave Durand
Guest
Posts: n/a

 
      07-02-2007, 08:08 PM
Also, is it necessary to restart RRAS after each of these changes?

Dave

"Bill Grant" wrote:


 
 
Bill Grant
Guest
Posts: n/a

 
      07-02-2007, 11:29 PM
That doesn't tally with your original post. You said that you had two
physical servers and two virtual servers. If that is the case, three servers
will need to have their traffic redirected. The virtual servers cannot
access traffic which is directed to a host machine. The RRAS server will
handle NAT for your LAN machines using one IP. A virtual machine will not
see traffic coming to the RRAS server, even if it is running on that
machine.

Each virtual server has its own MAC address and its own IP, and needs to
be treated as a separate machine on the LAN. You do not redirect traffic to
them by port number - you statically map one of your public IPs to the
private IP of the vm. You configure NAT as if you had three additional
servers running on the LAN behind the RRAS router.

So my advice remains the same. Give the RRAS server one IP and configure
it as a NAT router for your LAN. Add your extra IP addresses to the
address pool and use static mapping to redirect one public IP to each server
whether it is a physical or virtual machine. From a networking point of view
there is no difference between real and virtual machines. Virtual Machine
Network Services separates traffic according to the MAC address of the
interface. The IP stack in the host does not see traffic addressed to a vm.

"Dave Durand" <(E-Mail Removed)> wrote in message
news:05DF71EF-C36A-49A4-B8F8-(E-Mail Removed)...



 
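As an added illustration (not code from the thread, and not RRAS itself), the Python model below shows how the two mechanisms Bill distinguishes, Services and Ports (per-port redirects on the one address bound to the public NIC) and Address Pool reservations (one-to-one NAT), divide inbound traffic on the RRAS public interface, and why the VM from his second reply gets its own reservation rather than sharing its host's. All addresses, hosts and mappings are constructed for the example.

```python
# Added example: a small model of RRAS NAT inbound classification as described
# in this thread. Not RRAS code. 203.0.113.0/24 is a documentation range and
# every address below is constructed.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class PortMapping:
    """One row on the 'Services and Ports' tab: traffic is split by port on
    the NAT interface's own address (the only option with a single IP)."""
    proto: str
    public_port: int
    private_addr: IPv4Address
    private_port: int


@dataclass(frozen=True)
class Reservation:
    """One Address Pool reservation: a whole public IP mapped one-to-one to
    a private IP; allow_incoming mirrors the 'Allow incoming sessions to
    this address' box. Unticked, the address is used for outbound only."""
    public_addr: IPv4Address
    private_addr: IPv4Address
    allow_incoming: bool = True


@dataclass
class NatInterface:
    """The RRAS public interface: one address bound to the NIC (used for
    the LAN clients' outbound NAT), plus the address pool and port maps."""
    public_addr: IPv4Address
    reservations: tuple[Reservation, ...] = ()
    port_mappings: tuple[PortMapping, ...] = ()

    def classify_inbound(self, dst, proto: str, port: int):
        """Return (mechanism, private_addr, private_port) for an inbound
        packet. The two mechanisms never apply to the same destination IP."""
        dst = IPv4Address(dst)
        # One-to-one NAT: a pool address with a reservation goes to exactly
        # one LAN host on every port, as if that host sat on the Internet.
        for r in self.reservations:
            if r.public_addr == dst:
                if r.allow_incoming:
                    return ("reservation", r.private_addr, port)
                return ("blocked", None, None)      # outbound-only address
        # Port-based NAT only ever applies to the address bound to the NIC.
        if dst == self.public_addr:
            for m in self.port_mappings:
                if m.proto == proto.lower() and m.public_port == port:
                    return ("port-mapping", m.private_addr, m.private_port)
            return ("rras-host", dst, port)         # unmapped port: RRAS box
        return ("unclaimed", None, None)            # nothing answers this IP

    def translate_outbound(self, src) -> IPv4Address:
        """Source address seen on the Internet: a reserved host leaves with
        its own public IP (Bill: 'as if it had a direct Internet
        connection'); every other LAN client shares the bound address."""
        src = IPv4Address(src)
        for r in self.reservations:
            if r.private_addr == src:
                return r.public_addr
        return self.public_addr


def thread_scenario() -> NatInterface:
    """Constructed layout following Bill's advice: Server 1 keeps a single
    public IP; the VM (Server 3) has its own MAC and IP, so it gets its own
    reservation rather than anything pointed at Server 2, its host."""
    return NatInterface(
        public_addr=IPv4Address("203.0.113.10"),
        reservations=(
            # Server 3 (VM) - incoming sessions allowed
            Reservation(IPv4Address("203.0.113.11"), IPv4Address("192.168.1.30")),
            # Server 2 (VM host) - outbound only, box left unticked
            Reservation(IPv4Address("203.0.113.12"), IPv4Address("192.168.1.20"),
                        allow_incoming=False),
        ),
        port_mappings=(
            PortMapping("tcp", 25, IPv4Address("127.0.0.1"), 25),   # SMTP on Server 1
            PortMapping("tcp", 80, IPv4Address("127.0.0.1"), 80),   # Server 1 web site
        ),
    )


if __name__ == "__main__":
    nat = thread_scenario()
    for dst, port in (("203.0.113.11", 80), ("203.0.113.10", 25),
                      ("203.0.113.10", 3389), ("203.0.113.12", 80)):
        print(dst, port, "->", nat.classify_inbound(dst, "tcp", port))
```

Note that the model only answers the "where does this packet go" question; whatever host receives a reserved address sees every port, so its own host firewall is what limits exposure.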
 
Dave Durand
Guest
Posts: n/a

 
      07-03-2007, 12:16 AM
OK...I follow you but how does RRAS "listen" and respond for addresses that
are not bound to the linked adapter? It looks like I may have it working
though I don't get a ping response, I tried a remote desktop from the Internet
to that forwarded public address and it works fine. I'll set up a web site
and see what kind of behavior I get.

So basically I really only need to add addresses to the address pool that
would need to be redirected to a trusted address? If I leave the other 3
bound to the public interface everything seems to work fine or is that not
"technically" correct? I guess I would wonder why the other two addresses
would need to be directed to a trusted address when in reality I want them
responding on the machine that has direct connectivity to the Internet anyway
though aside from that, I follow you.

Sorry about my initial example being confusing. I suppose it would have
helped if I could paste a network diagram.

Now this redirected public connection is wide open pending firewall
configuration on the server exposed via this configuration?

Thanks for your help thus far.

Dave



"Bill Grant" wrote:

> > that requires a redirect to a trusted IP in the address pool?...or would I
> > still carry out your initial direction with only the first IP being bound
> > to
> > the public interface of the publicly accessible server and put the 3
> > additional IP's in the address pool even though two of those three would
> > never require a redirect to a system on my trusted network?
> >
> > Thanks for taking a look and providing your input. I'm going to try the
> > first of the two scenarios while I await your reply.
> >
> > Dave
> >
> >
> >
> > "Bill Grant" wrote:
> >
> >> I think the basic problem is that you are confusing two separate
> >> functions of NAT. Services and Ports is used to split off traffic
> >> according
> >> to the port being used. If you only have one public IP address, this is
> >> how
> >> you separate traffic according to its function (such as tcp port 80
> >> traffic
> >> to your web server).
> >>
> >> The Address Pool is used to split traffic according to the IP address
> >> (ie one to one NAT). If you have enough IP addresses to allocate one to
> >> each
> >> server you do not need to use services and ports at all.
> >>
> >> I would only allocate one IP address to the public NIC of the RRAS
> >> server. Select this interface as the public interface in NAT and check
> >> the
> >> "Translate TCP/UDP Headers" box. This IP address will be used for your
> >> outgoing traffic and will give the LAN clients Internet access.
> >>
> >> Now put the public IP addresses in the address pool and create
> >> reservations to link a public IP to the private IP of each server on the
> >> LAN
> >> and check the "Allow incoming sessions to this address" box. All traffic
> >> from the Internet using this address will be forwarded to the server on
> >> the
> >> LAN. Each server will operate as if it had a direct Internet connection.
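The layout Bill describes (one IP on the RRAS public NIC for outbound NAT, the extra public IPs in the address pool with a one-to-one reservation per internal server, and Services and Ports only for the NIC's own address), written out as the equivalent netsh routing ip nat commands on Windows Server 2003. This is an added example and not part of any post in the thread; the interface name "Public" and every address are constructed placeholders, and it assumes RRAS is already enabled as a NAT router with that connection set as the public interface.

```bat
@echo off
rem Added example (not from the thread): Bill's RRAS NAT layout as netsh commands.
rem Interface name and all addresses are constructed placeholders (documentation
rem ranges), not the poster's real ones. Assumes RRAS is already a NAT router whose
rem public connection is named "Public" and whose only bound IP is 203.0.113.10;
rem that address carries the outbound NAT traffic for the LAN workstations.

set PUBIF=Public

rem 1. Address pool: the extra public IPs that will be handed to internal hosts.
rem    Entered as a range even though the ISP allocation is not contiguous with
rem    the NIC's own address; only addresses that get a reservation need to be here.
netsh routing ip nat add addressrange name="%PUBIF%" start=203.0.113.20 end=203.0.113.21 mask=255.255.255.0

rem 2. One-to-one reservations (the Address Pool "Reserve" entry with
rem    "Allow incoming sessions to this address" checked). Every inbound packet
rem    for the public IP, on any port, is forwarded to that private host, so the
rem    host's own firewall is the only filter in front of it.
rem    Server 3 (the VM behind Server 2's bridged NIC) gets 203.0.113.20:
netsh routing ip nat add addressmapping name="%PUBIF%" public=203.0.113.20 private=192.168.10.30 inboundsessions=enable
rem    Server 2 (physical, trusted NIC only) gets 203.0.113.21:
netsh routing ip nat add addressmapping name="%PUBIF%" public=203.0.113.21 private=192.168.10.20 inboundsessions=enable

rem 3. Services and Ports (split by port, not by address) only for the NAT
rem    interface's own address, for services running on Server 1 itself.
rem    Do not add port mappings for an address that already has a reservation.
netsh routing ip nat add portmapping name="%PUBIF%" proto=tcp publicaddr=203.0.113.10 publicport=25 privateaddr=127.0.0.1 privateport=25
netsh routing ip nat add portmapping name="%PUBIF%" proto=tcp publicaddr=203.0.113.10 publicport=80 privateaddr=127.0.0.1 privateport=80

rem 4. Confirm what RRAS actually holds before testing from the outside.
netsh routing ip nat show addressmapping name="%PUBIF%"
netsh routing ip nat show portmapping name="%PUBIF%"
```

Because a reserved address forwards all ports, the Windows Firewall on the internal host (or the RRAS basic firewall on the public interface) is what limits exposure, which is the point Dave raises about the redirected address being wide open.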

 
Ace Fekay [MVP]
Guest
Posts: n/a

 
      07-03-2007, 03:25 AM
Honestly the best way to address this is to use a dedicated router, such as
a PIX, to perform the multiple IP address translations.

However, sticking with Windows, and I hope this multihomed machine is not a
DC, Bill's examples and suggestions concerning mapping a port on an inbound
IP to a specific server or a website with its own IP will work. You are
mapping an external IP to an internal IP port for port.


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain


 
Dave Durand
Guest
Posts: n/a

 
      07-03-2007, 06:42 PM
.....and not to mention up went the firewall on that 'exposed' virtual server
Ace :-)

Dave

 
Dave Durand
Guest
Posts: n/a

 
      07-03-2007, 06:42 PM
Ace...I understand using a more secure means would be the way to go; however,
this is at home and is really for test purposes. Unfortunately the NAT'd
machine is a DC w/Exchange 2007, but like I said, for testing only.

Thanks for getting me pointed in the right direction Bill.

Gentlemen, could I set up a small server running ISA Server 2006 considering
the configuration I mentioned in this post? The Exchange stuff with ISA
seems very well documented and when I tried using ISA Server 2006 when it was
in beta I think I had some problems getting a simple web site to work through
it but then again the product was beta and I probably read the documentation
too quickly. If anything I was definitely protected :-) I guess what I'm
wondering is if my public IP situation is common when you consider I have 4
addresses in the same subnet but I don't own the entire subnet, etc. etc.



 
Bill Grant
Guest
Posts: n/a

 
      07-04-2007, 01:49 AM
You could always run ISA as a dedicated firewall and run Exchange on your
other x64 server. Running a DC as a router is asking for trouble. Or you
could run RRAS or ISA on a virtual server. That takes a bit of care to
ensure that the public connection of the ISA server is isolated from the
machine hosting it (which isn't really hard, you just have to be careful).

 