#1
Hi,
after two weeks spent googling and testing I ask for your help, you gurus of win2k3 networking.

I want to NAT a public Address/Port to a private Address/Port using win2k3 Routing And Remote Access (a quite simple task), so I set up this test environment:

Let's imagine I was given this public IP address range: 207.46.10.1/255.255.255.248 (example address: don't know whom this address belongs to).

1st box (win2k3 server std edition w SP2), the NAT/Router:
- NIC a: 192.168.0.1 (private)
- NIC b: 207.46.10.2 (public)

2nd box (win2k3 server std edition w SP2), running some custom apps:
- NIC a: 192.168.0.20 (Gateway 192.168.0.1)
  # custom application listening on TCP port 7020
  # custom application listening on TCP port 7021

3rd box (win2k3 server std edition w SP2), running some custom apps:
- NIC a: 192.168.0.30 (Gateway 192.168.0.1)
  # custom application listening on TCP port 7030
  # custom application listening on TCP port 7031

All I need to be happy is to allow any remote client to connect to box 2 on ports 7020, 7021 and box 3 on ports 7030, 7031.

So I dug into RRAS (IP Routing -> NAT/Basic Firewall -> [Public Interface] -> Properties -> Services and Ports -> Add) and configured this 5-tuple:

Public Addr: on this address pool entry 207.46.10.3
Protocol: TCP
Incoming Port: 7020
Private Address: 192.168.0.20
Private Port: 7020

Did the same for PublicIP:Port -> PrivateIP:Port:
207.46.10.4:7021 -> 192.168.0.20:7021
207.46.10.3:7030 -> 192.168.0.30:7030
207.46.10.4:7031 -> 192.168.0.30:7031

Of course I configured RRAS (IP Routing -> NAT/Basic Firewall -> [Public Interface] -> Properties -> Address Pool) with the given address range:
Start Address 207.46.10.1
Mask 255.255.255.248
End Address 207.46.10.7

In such a scenario clients fail to connect to any box because of a timeout.
This is inexplicable to me: from a box connected to the internet (ADSL modem, no router/firewall), if I try to telnet 207.46.10.3 7020 I get a connection error after 15 sec, else if I try to telnet a not-NATted port (example 207.46.10.3 666) I get a connection error within 2 sec.
As far as I understand, the NAT server accepts incoming calls but something goes wrong while forwarding packets.

If I add a reservation (example: Public IP 207.46.10.3 reserved to Private IP 192.168.0.20) remote clients are able to reach the 2nd box, but I have two problems:
1) cannot use public IP 207.46.10.3:7030 to reach the 3rd box
2) the 2nd box is totally accessible from the internet (ok: I can manage this with a firewall or Inbound/Outbound filters)

Additional Info:
- No packet filter configured
- Unchecked IP Routing -> NAT/Basic Firewall -> [Public Interface] -> Properties -> Enable a Basic Firewall

Beg your pardon for my bad English: please ask for further detail if my example isn't clear.

Thank you in advance for your attention and your time.

Giusy
Giuseppina Longobardi
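The two RRAS inbound translation modes contrasted in this post, per-port Services and Ports mappings and one-to-one reservations, as a small Python model added here for illustration; it is not RRAS code or the poster's configuration, it reuses the poster's test addresses, and the client address 198.51.100.9 is constructed. Treating an untranslated reply as the "timeout" case and a local closed port as the quick "connection error" is the model's assumption, not a diagnosis of the poster's setup.

```python
# Model of RRAS NAT inbound translation: port mappings vs. one-to-one reservations.
# Added illustration for this thread, not RRAS code. Addresses are the poster's
# test values; the client 198.51.100.9 is constructed for the example.
import ipaddress

POOL = ipaddress.ip_network("207.46.10.0/29")   # address pool 207.46.10.1-.7
# Services and Ports entries: (public ip, proto, public port) -> (private ip, private port)
PORTMAPS = {
    ("207.46.10.3", "tcp", 7020): ("192.168.0.20", 7020),
    ("207.46.10.4", "tcp", 7021): ("192.168.0.20", 7021),
    ("207.46.10.3", "tcp", 7030): ("192.168.0.30", 7030),
    ("207.46.10.4", "tcp", 7031): ("192.168.0.30", 7031),
}
RESERVATIONS = {}   # one-to-one address mapping: public ip -> private ip
SESSIONS = {}       # (private ip, private port, client ip, client port) -> (public ip, public port)

def pool_violations():
    """Public addresses used by a mapping or reservation that lie outside the pool."""
    used = [pub for (pub, _, _) in PORTMAPS] + list(RESERVATIONS)
    return [pub for pub in used if ipaddress.ip_address(pub) not in POOL]

def add_reservation(public_ip, private_ip):
    RESERVATIONS[public_ip] = private_ip

def inbound(public_ip, proto, port, client):
    """Translate an inbound SYN. Returns (private ip, port), or None when no rule matches
    and the NAT host handles the packet itself (a closed port answers with RST at once,
    which models the quick 'connection error' on port 666)."""
    if public_ip in RESERVATIONS:               # a reservation forwards every port
        target = (RESERVATIONS[public_ip], port)
    else:
        target = PORTMAPS.get((public_ip, proto, port))
    if target is not None:                      # remember the flow for the return path
        SESSIONS[(target[0], target[1], client[0], client[1])] = (public_ip, port)
    return target

def reply_source(private_ip, port, client):
    """Public (ip, port) to stamp on the private host's reply, found via the session
    table. None models a reply that leaves untranslated: the client never matches it
    to its SYN and its connect attempt simply times out."""
    return SESSIONS.get((private_ip, port, client[0], client[1]))

def shadowed_mappings(public_ip):
    """Port mappings on a reserved address that now go to the reserved host instead."""
    reserved = RESERVATIONS.get(public_ip)
    if reserved is None:
        return []
    return [k for k, v in PORTMAPS.items() if k[0] == public_ip and v[0] != reserved]
```

Adding a reservation for 207.46.10.3 makes every port on that address reach 192.168.0.20 and leaves the 207.46.10.3:7030 mapping to the 3rd box unreachable, which is the conflict the post describes.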
#2
If you have a pool of public addresses, I cannot think why you are trying to use port forwarding. I would simply map one public IP from the pool to each machine on the LAN. As you have said, using this method (called Reservations in RRAS) works if you map 207.46.10.3 to 192.168.0.20. Why can't you map 207.46.10.4 to the private IP of the other server on the LAN?

"Giuseppina Longobardi" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Hi,
> after two weeks spent googling and testing I ask for your help, you gurus of win2k3 networking.
>
> I want to NAT a public Address/Port to a private Address/Port using win2k3 Routing And Remote Access (a quite simple task), so I set up this test environment:
>
> Let's imagine I was given this public IP address range: 207.46.10.1/255.255.255.248 (example address: don't know whom this address belongs to).
>
> 1st box (win2k3 server std edition w SP2), the NAT/Router:
> - NIC a: 192.168.0.1 (private)
> - NIC b: 207.46.10.2 (public)
>
> 2nd box (win2k3 server std edition w SP2), running some custom apps:
> - NIC a: 192.168.0.20 (Gateway 192.168.0.1)
>   # custom application listening on TCP port 7020
>   # custom application listening on TCP port 7021
>
> 3rd box (win2k3 server std edition w SP2), running some custom apps:
> - NIC a: 192.168.0.30 (Gateway 192.168.0.1)
>   # custom application listening on TCP port 7030
>   # custom application listening on TCP port 7031
>
> All I need to be happy is to allow any remote client to connect to box 2 on ports 7020, 7021 and box 3 on ports 7030, 7031.
>
> So I dug into RRAS (IP Routing -> NAT/Basic Firewall -> [Public Interface] -> Properties -> Services and Ports -> Add) and configured this 5-tuple:
>
> Public Addr: on this address pool entry 207.46.10.3
> Protocol: TCP
> Incoming Port: 7020
> Private Address: 192.168.0.20
> Private Port: 7020
>
> Did the same for PublicIP:Port -> PrivateIP:Port:
> 207.46.10.4:7021 -> 192.168.0.20:7021
> 207.46.10.3:7030 -> 192.168.0.30:7030
> 207.46.10.4:7031 -> 192.168.0.30:7031
>
> Of course I configured RRAS (IP Routing -> NAT/Basic Firewall -> [Public Interface] -> Properties -> Address Pool) with the given address range:
> Start Address 207.46.10.1
> Mask 255.255.255.248
> End Address 207.46.10.7
>
> In such a scenario clients fail to connect to any box because of a timeout.
> This is inexplicable to me: from a box connected to the internet (ADSL modem, no router/firewall), if I try to telnet 207.46.10.3 7020 I get a connection error after 15 sec, else if I try to telnet a not-NATted port (example 207.46.10.3 666) I get a connection error within 2 sec.
> As far as I understand, the NAT server accepts incoming calls but something goes wrong while forwarding packets.
>
> If I add a reservation (example: Public IP 207.46.10.3 reserved to Private IP 192.168.0.20) remote clients are able to reach the 2nd box, but I have two problems:
> 1) cannot use public IP 207.46.10.3:7030 to reach the 3rd box
> 2) the 2nd box is totally accessible from the internet (ok: I can manage this with a firewall or Inbound/Outbound filters)
>
> Additional Info:
> - No packet filter configured
> - Unchecked IP Routing -> NAT/Basic Firewall -> [Public Interface] -> Properties -> Enable a Basic Firewall
>
> Beg your pardon for my bad English: please ask for further detail if my example isn't clear.
>
> Thank you in advance for your attention and your time.
>
> Giusy
#3
Hi Bill,
this is a test environment for a solution with 5 public IPs and 15 different services running on 7 servers. I cannot use reservations because 5 servers aren't enough to 'serve' all requests.

There is also another way to accomplish my goal: using Network Load Balancing, but, again, I prefer to avoid this kind of complexity. Can you figure out what's missing in my RRAS to get PAT up 'n running?

Tnx a lot for your attention.
Giusy

"Bill Grant" <not.available@online> ha scritto nel messaggio news:(E-Mail Removed)...
> If you have a pool of public addresses, I cannot think why you are trying to use port forwarding. I would simply map one public IP from the pool to each machine on the LAN.
#4
I can't think of any way you could get RRAS to do that. As far as I know you can use one-to-one mapping (reservations) or you can use port forwarding, but not a combination of the two.

"Giuseppina Longobardi" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Hi Bill,
> this is a test environment for a solution with 5 public IPs and 15 different services running on 7 servers.
> I cannot use reservations because 5 servers aren't enough to 'serve' all requests.
>
> There is also another way to accomplish my goal: using Network Load Balancing, but, again, I prefer to avoid this kind of complexity.
> Can you figure out what's missing in my RRAS to get PAT up 'n running?
>
> Tnx a lot for your attention.
> Giusy
>
> "Bill Grant" <not.available@online> ha scritto nel messaggio news:(E-Mail Removed)...
>> If you have a pool of public addresses, I cannot think why you are trying to use port forwarding. I would simply map one public IP from the pool to each machine on the LAN.
#5
Have you considered clustering the application servers? If you can put the servers in five or fewer clusters you could use static mapping to map a public IP to each cluster.

"Bill Grant" <not.available@online> wrote in message news:(E-Mail Removed)...
> I can't think of any way you could get RRAS to do that. As far as I know you can use one-to-one mapping (reservations) or you can use port forwarding, but not a combination of the two.
>
> "Giuseppina Longobardi" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>> Hi Bill,
>> this is a test environment for a solution with 5 public IPs and 15 different services running on 7 servers.
>> I cannot use reservations because 5 servers aren't enough to 'serve' all requests.
>>
>> There is also another way to accomplish my goal: using Network Load Balancing, but, again, I prefer to avoid this kind of complexity.
>> Can you figure out what's missing in my RRAS to get PAT up 'n running?
>>
>> Tnx a lot for your attention.
>> Giusy
>>
>> "Bill Grant" <not.available@online> ha scritto nel messaggio news:(E-Mail Removed)...
>>> If you have a pool of public addresses, I cannot think why you are trying to use port forwarding. I would simply map one public IP from the pool to each machine on the LAN.
#6
Hi Bill,
I'm not interested in one-to-one mapping, I strongly desire port forwarding to work on my win2k3 ... but I'm starting to consider giving up and turning to some Linux based solution.

As far as I can read on TechNet, MSDN and so on, it's possible (and quite simple) to enable port forwarding on RRAS. For example in this article http://technet.microsoft.com/en-us/l.../bb878046.aspx I'm told address mapping is very simple to configure but ... it does not work :-(

I'm almost out of ideas: actually I'm just thinking about a way to verify if the VPN configuration is somewhat 'responsible' for PAT not working. I just enabled one RAS policy (allow authenticated users on the VPN port): maybe there is something to be explicitly allowed in order to make PAT work ...

Anyway thank you for your time and your attention.

"Bill Grant" <not.available@online> ha scritto nel messaggio news:(E-Mail Removed)...
> I can't think of any way you could get RRAS to do that. As far as I know you can use one-to-one mapping (reservations) or you can use port forwarding, but not a combination of the two.
>
> "Giuseppina Longobardi" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>> Hi Bill,
>> this is a test environment for a solution with 5 public IPs and 15 different services running on 7 servers.
>> I cannot use reservations because 5 servers aren't enough to 'serve' all requests.
>>
>> There is also another way to accomplish my goal: using Network Load Balancing, but, again, I prefer to avoid this kind of complexity.
>> Can you figure out what's missing in my RRAS to get PAT up 'n running?
>>
>> Tnx a lot for your attention.
>> Giusy
>>
>> "Bill Grant" <not.available@online> ha scritto nel messaggio news:(E-Mail Removed)...
>>> If you have a pool of public addresses, I cannot think why you are trying to use port forwarding. I would simply map one public IP from the pool to each machine on the LAN.