RRAS Win2003: Cannot reach public IP reserved hosts behind our NAT

Nick
      07-30-2004, 11:09 PM

Our Internet NAT router is a box with dual NICs (one for internet, another for intranet respectively) running Windows 2003 Std Ed., connected to our ISP with 5 static IPs.
Three of the static IPs are assigned (via RRAS address pool reservations) to our Windows 2003 servers. They are able to access the Internet and accept incoming connections on their reserved public IP just fine.

The problem is, we are unable to access them by their public IP address from our intranet. From within our intranet we can access the machines by their private addresses (10.x.x.x) just fine, as these packets are not routed to our RRAS box.

Is this a limitation of RRAS or a simple configuration error we can remedy?


Thanks
Bill Grant
      07-31-2004, 12:53 AM
I would say it is a limitation of your DNS setup. Your LAN clients should
not be trying to access these servers by their public addresses. LAN clients
should only see the local IP address of LAN machines. External clients
should only see their public IP addresses.

"Nick" <(E-Mail Removed)> wrote in message
news:1A20D5E0-1056-4D97-9687-(E-Mail Removed)...
>
> Our Internet NAT router is a box with dual NICs (one for internet, another
> for intranet respectively) running Windows 2003 Std Ed., connected to our
> ISP with 5 static IPs.
> Three of the static IPs are assigned (via RRAS address pool reservations)
> to our Windows 2003 servers. They are able to access the Internet and accept
> incoming connections on their reserved public IP just fine.
>
> The problem is, we are unable to access them by their public IP address
> from our intranet. From within our intranet we can access the machines by
> their private addresses (10.x.x.x) just fine, as these packets are not
> routed to our RRAS box.
>
> Is this a limitation of RRAS or a simple configuration error we can
> remedy?
>
>
> Thanks

Ace Fekay [MVP]
      07-31-2004, 04:39 PM
In news:1A20D5E0-1056-4D97-9687-(E-Mail Removed),
Nick <(E-Mail Removed)> asked for help and I offered my
suggestions below:
> Our Internet NAT router is a box with dual NICs (one for internet,
> another for intranet respectively) running Windows 2003 Std Ed.,
> connected to our ISP with 5 static IPs.
> Three of the static IPs are assigned (via RRAS address pool
> reservations) to our Windows 2003 servers. They are able to access
> the Internet and accept incoming connections on their reserved public
> IP just fine.
>
> The problem is, we are unable to access them by their public IP
> address from our intranet. From within our intranet we can access the
> machines by their private addresses (10.x.x.x) just fine, as these
> packets are not routed to our RRAS box.
>
> Is this a limitation of RRAS or a simple configuration error we can
> remedy?
>
>
> Thanks


In addition to Bill's comments, you didn't describe your DNS setup. You need
to enter the internal resources manually in your DNS, such as a www record
or whatever you need to get to, and give it the internal IP. Now if you
are hosting DNS for the public, then you can't mix private and public data
on one DNS server. You will need two separate DNS servers if that is your
scenario, one for the public IPs, one for your internal users with just
private IPs.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
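The split-DNS arrangement Bill and Ace describe, as an added worked example that is not part of the thread: two zone views of the same names, a resolver that hands LAN clients the private answer and everyone else the public one, and two checks a practitioner would run before publishing a zone. All names, addresses and zone contents are constructed (example.com, 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); the function names are my own, not anything from Windows DNS or RRAS.

```python
"""Split-horizon DNS model: one name, two answers, chosen by who is asking.
Constructed example; zone data below is illustrative, not a real deployment."""
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also flags the
# documentation ranges used for the "public" addresses in this example.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# What LAN clients should see: the servers' private addresses.
INTERNAL_ZONE = {
    "www.example.com": "10.0.0.10",
    "mail.example.com": "10.0.0.11",
    "intranet.example.com": "10.0.0.20",
}

# What the Internet should see: only the RRAS-reserved public addresses.
PUBLIC_ZONE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.11",
}

# A single zone carrying both kinds of data: the mix Ace warns against.
MIXED_ZONE = {**PUBLIC_ZONE, "intranet.example.com": "10.0.0.20"}


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    return any(ip_address(addr) in net for net in RFC1918)


def resolve(name, client_ip, internal=INTERNAL_ZONE, public=PUBLIC_ZONE):
    """Pick the view by where the query comes from, as two separate DNS
    servers (internal-only and public-facing) would. Returns None when the
    chosen view has no record for the name."""
    view = internal if is_rfc1918(client_ip) else public
    return view.get(name)


def private_leaks(public_zone):
    """Names in a public-facing zone whose A record is an RFC 1918 address.
    Such records disclose the LAN layout to outsiders and never resolve to
    anything reachable for them."""
    return sorted(n for n, a in public_zone.items() if is_rfc1918(a))


def hairpin_risks(internal, public):
    """Names published externally but missing from the internal view.
    A LAN client resolving one of these ends up with the public address,
    which is exactly the access pattern that fails through the NAT box."""
    return sorted(set(public) - set(internal))
```

`private_leaks` is the check to run against whatever zone the public-facing server loads; `hairpin_risks` is the check for the internal zone, since every name outsiders can reach needs an internal record pointing at the 10.x.x.x address.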


Phillip Windell
      08-02-2004, 02:18 PM
"Nick" <(E-Mail Removed)> wrote in message
news:1A20D5E0-1056-4D97-9687-(E-Mail Removed)...
> The problem is, we are unable to access them by their public IP address
> from our intranet. From within our intranet we can access the machines by
> their private addresses (10.x.x.x) just fine, as these packets are not
> routed to our RRAS box.

Since you are accessing by IP# there isn't any DNS involved here (sorry,
guys). What you describe is exactly the way it is supposed to behave if you
are "reverse-NATting" (Static NATing) from public IP#s bound to the
external Interface of the Router back to these machines on your internal
LAN.

Contrary to popular misconception, Ethernet runs on MAC addresses not on
IP#s. The role of the IP# in Ethernet is only to provide a Layer3 routing
mechanism and to provide a means to resolve the MAC address (ARP). The
reason intranet hosts must use the private addresses to access the servers is
because NAT can't make "u-turns". When you send a packet to the external
IP# the "NAT" process takes it and creates a situation where the source and
destination MAC addresses in the packet headers are the same address. It
can't go from itself to itself and shoots itself in the head.

These types of situations will work with other types of "processing" like
the "Web Publishing" or "Server Publishing" features of ISA & Proxy2 because
the internal methodology is different, but it will not work with a NAT
Device.

So when outside your system, use the public IP#, and when inside the system,
use the private IP#. If you want to access by "FQDN" then make sure your
DNS functions properly to resolve to the proper IP# as the other guys are
describing.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
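The "u-turn" case Phillip describes, traced packet by packet at the IP layer, as an added example that is not part of the thread. The model follows a LAN client's connection to a reserved public address through a 1:1 static NAT, lets the server answer whoever it sees as the source, and then applies the one routing fact that decides the outcome: a reply addressed to a host on the same LAN goes to it directly and never passes back through the NAT box. The `hairpin=True` branch models what a NAT device that also rewrites the source of such LAN-originated packets (often called NAT loopback or hairpin NAT) does; the example makes no claim about whether RRAS on Windows 2003 offers that. Addresses are constructed: 203.0.113.10 stands in for a reserved public IP, 10.0.0.10 for the server behind it, 10.0.0.50 for a LAN client and 10.0.0.1 for the router's inside NIC.

```python
"""Why a LAN client cannot reach an internal server via its public NAT address.
Constructed model; the addresses are documentation/private ranges, not real hosts."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/8")
PUBLIC_SERVER = "203.0.113.10"   # RRAS-style reserved public address
PRIVATE_SERVER = "10.0.0.10"     # server it is mapped to
CLIENT = "10.0.0.50"             # LAN client trying the public address
ROUTER_INSIDE = "10.0.0.1"       # router's intranet NIC (the LAN default gateway)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class StaticNatRouter:
    """1:1 static NAT from public addresses to internal servers.

    hairpin=False: rewrite only the destination (plain static NAT).
    hairpin=True: for packets that came from the LAN, also rewrite the
    source to the router's inside address so the server's reply must
    come back through the router to be un-translated."""

    def __init__(self, mappings, hairpin=False):
        self.mappings = mappings      # public -> private
        self.hairpin = hairpin
        self.conntrack = {}           # translated 4-tuple -> original (src, sport, public dst)

    def inbound(self, pkt):
        """Packet arriving for a reserved public address; returns what the server sees."""
        priv = self.mappings[pkt.dst]
        src = pkt.src
        if self.hairpin and ip_address(pkt.src) in LAN:
            src = ROUTER_INSIDE
        self.conntrack[(priv, pkt.dport, src, pkt.sport)] = (pkt.src, pkt.sport, pkt.dst)
        return Packet(src, priv, pkt.sport, pkt.dport)

    def reply(self, pkt):
        """Server reply that actually reached the router; undo the translation."""
        state = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if state is None:
            return None
        orig_src, orig_sport, public = state
        return Packet(public, orig_src, pkt.sport, orig_sport)


def simulate(hairpin):
    """Return 'accepted' or a 'dropped: ...' reason for one client connection."""
    router = StaticNatRouter({PUBLIC_SERVER: PRIVATE_SERVER}, hairpin=hairpin)

    # 1. Client opens a connection to the public address and remembers it.
    req = Packet(CLIENT, PUBLIC_SERVER, 40000, 80)
    expected_reply_src = req.dst

    # 2. The packet leaves the LAN via the default gateway, which DNATs it.
    at_server = router.inbound(req)

    # 3. The server answers whatever source address it saw.
    reply = Packet(at_server.dst, at_server.src, at_server.dport, at_server.sport)

    # 4. Routing decides the path: a LAN destination is reached directly,
    #    bypassing the router; only a packet addressed to the router is un-NATed.
    if reply.dst != ROUTER_INSIDE and ip_address(reply.dst) in LAN:
        delivered = reply
    else:
        delivered = router.reply(reply)

    # 5. The client only accepts a reply from the address it connected to.
    if delivered is None:
        return "dropped: no NAT state for the reply"
    if delivered.src == expected_reply_src and delivered.dst == CLIENT:
        return "accepted"
    return f"dropped: reply came from {delivered.src}, client expected {expected_reply_src}"
```

With plain static NAT the server's reply reaches the client directly from 10.0.0.10, the client has no connection to that address and discards it, so the connection hangs; with the source rewrite in place the reply is forced back through the router and arrives from 203.0.113.10 as the client expects. Either way, using the private address from inside the LAN, as the thread advises, never involves the NAT box at all.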


Phillip Windell
      08-02-2004, 02:22 PM
If you want some reference material on this issue look in this article about
two-thirds the way down under the heading called "14120 Errors"

[Those are underscores, not spaces between the words]
14120 Errors; Discussion and Solution
http://www.isaserver.org/articles/14..._Solution.html


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

