Re: RRAS Question for you routing gurus
- From: Dave Durand <DaveDurand@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 2 Jul 2007 11:00:00 -0700
Bill,
I know most of what you said but I think the key I want to clarify is
regarding the IP binding on the public interface. I have 4 IP's from my ISP
but only one needs to be redirected. The other 3 are handling service
requests for the publicly exposed machine in the first place. For example, I
have two FTP configurations in IIS for different purposes...standard port for
each instance but different IP. So if I only want to direct one of the four
you are saying I do not need to bind them to the adapter if they are in the
address pool? I am aware of using the Services and Ports to properly handle
where the traffic is destined to go even if it reflects localhost for a given
service but I just want to know if I'm understanding you correctly. So, if I
apply your thinking to my scenario would I bind the 3 IP's that are only used
on the publicly accessible server to the public interface and put the one IP
that requires a redirect to a trusted IP in the address pool?...or would I
still carry out your initial direction with only the first IP being bound to
the public interface of the publicly accessible server and put the 3
additional IP's in the address pool even though two of those three would
never require a redirect to a system on my trusted network?
Thanks for taking a look and providing your input. I'm going to try the
first of the two scenarios while I await your reply.
Dave
"Bill Grant" wrote:
I think the basic problem is that you are confusing two separate
functions of NAT. Services and Ports is used to split off traffic according
to the port being used. If you only have one public IP address, this is how
you separate traffic according to its function (such as tcp port 80 traffic
to your web server).
The Address Pool is used to split traffic according to the IP address
(i.e. one-to-one NAT). If you have enough IP addresses to allocate one to each
server you do not need to use services and ports at all.
I would only allocate one IP address to the public NIC of the RRAS
server. Select this interface as the public interface in NAT and check the
"Translate TCP/UDP Headers" box. This IP address will be used for your
outgoing traffic and will give the LAN clients Internet access.
Now put the public IP addresses in the address pool and create
reservations to link a public IP to the private IP of each server on the LAN
and check the "Allow incoming sessions to this address" box. All traffic
from the Internet using this address will be forwarded to the server on the
LAN. Each server will operate as if it had a direct Internet connection.
"Dave Durand" <DaveDurand@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6BB4FFCC-C652-4806-8FF5-D6AAA81F1C2F@xxxxxxxxxxxxxxxx
I'm probably making this more difficult than it should be but I'm having an
issue with RRAS routing & NAT.
I have two servers. One server has two network interfaces, one public and
one private. The other server is solely private. Both servers are running
Windows Server 2003 R2 Enterprise 64-bit. The server with a single
trusted network interface runs Virtual Server 2005 with two Windows Server
2003 R2 Standard 32-bit servers using a trusted network address through the
VS network bridge. The server that has two interfaces obviously has a public
and a trusted interface and thus is the server with RRAS installed. My
network has 10 workstations all running Windows XP or Vista.
When I started, I had two IP addresses from my ISP. The server is plugged
in directly to the ethernet interface on the cable modem and both IP
addresses are bound to the public adapter. Initially I planned on running
everything that needed to be accessed from the Internet from one server thus
I had RRAS configured to NAT the public interface on behalf of my
workstations and to implement the basic firewall. I have many of the default
enabled services and ports enabled such as port 80 and 25 to go to the
localhost IP, etc. Well due to Exchange server requiring 64-bit IIS and my
FrontPage webs not happy about it I decided to put the FrontPage
webs/extensions on one of my 32-bit virtual servers and requested 2 more IP
addresses from my ISP. They are not continuous with the other addresses but
they are in the same subnet and mask. I knew that I wanted to "redirect"
port 80 & 443 TCP traffic for one of these addresses to one of the private
servers so I configured the address pool tab with each of the ranges of two
addresses for a total of 4 addresses in the pool. As soon as I did this, all
of the port mappings on the Services and Ports tab no longer worked nor would
my workstations connect to the Internet. I did have Internet access from the
console of the server with the direct Internet access though. I went to the
extent of reconfiguring one of the services to reflect the correct address in
the pool, etc. with no luck. I then figured I would try using a reservation
in the Address Pool window and dedicate one of the public IP addresses to one
of the virtual servers on the private network. This did not help. Keep in
mind all 4 IP addresses are bound to the public network interface in the IP
properties as well.
My question is simple...can I do this with RRAS or am I overstepping its
capabilities? Summary of the problem is below...
* Server 1 (1 public interface/1 trusted interface running RRAS)
* Server 2 (1 trusted interface)
* Server 3 (Virtual server with 1 trusted IP bridged from Server 2's
physical interface)
* 10 workstations which must access the Internet via NAT through Server 1
* Services on Server 1 need to be available to the Internet
* Services on Server 3 need to be available to the Internet
I have 4 public IP addresses (2 committed to Server 1 and at least one other
should be pointed to Server 3, either for all connections to that public IP
or via NAT port mapping).
If I didn't confuse anyone else, can this be done without jeopardizing the
Internet access to services on Server 1? Some services such as TCP port 80
need to be able to go to both servers on different public IP's however all
traffic is going through the interfaces on Server 1.
Thanks for taking the time to have a look...just when I think I have it
configured right, the entire process is broken so for now I simply have all 4
public IP's bound to the public adapter on Server 1 with Service/Port access
through the basic firewall with All Interfaces set with a TCP or UDP port
redirect to 127.0.0.1.
Any ideas?
Dave
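
The two NAT functions discussed in this thread, written out as netsh commands for the RRAS NAT context. This is an added example, not part of the original posts. The interface names "Public" and "Private", the 203.0.113.x addresses, the mask and the Server 3 address are constructed placeholders, and using a pool address as the public IP of a port mapping is shown as an assumption about how the two tabs combine.

```batch
@echo off
rem Added example, not from the thread. All names and addresses are constructed.
set PUB=Public
set PRIV=Private
set SRV3=192.168.0.20
set WEBIP=203.0.113.40
rem MODE=reservation : one-to-one NAT, every port on WEBIP reaches Server 3
rem MODE=ports       : only TCP 80 and 443 on WEBIP reach Server 3
set MODE=ports

rem Public interface does full translation, LAN interface is private.
netsh routing ip nat add interface name="%PUB%" mode=full
netsh routing ip nat add interface name="%PRIV%" mode=private

rem Address pool: two ranges, because the ISP addresses are not adjacent.
netsh routing ip nat add addressrange name="%PUB%" start=203.0.113.10 end=203.0.113.11 mask=255.255.255.0
netsh routing ip nat add addressrange name="%PUB%" start=203.0.113.40 end=203.0.113.41 mask=255.255.255.0

if /i "%MODE%"=="reservation" goto reservation

rem Services and Ports style: publish only the web ports for this pool address.
netsh routing ip nat add portmapping name="%PUB%" proto=tcp publicip=%WEBIP% publicport=80 privateip=%SRV3% privateport=80
netsh routing ip nat add portmapping name="%PUB%" proto=tcp publicip=%WEBIP% publicport=443 privateip=%SRV3% privateport=443
goto review

:reservation
rem Address Pool reservation with "Allow incoming sessions to this address".
rem Server 3 is then reachable on all ports, so it needs its own host firewall.
netsh routing ip nat add addressmapping name="%PUB%" public=%WEBIP% private=%SRV3% inboundsessions=enable

:review
rem Print the resulting NAT configuration for the public interface.
netsh routing ip nat show interface name="%PUB%"
```

The reservation path forwards every inbound port on that public address to the internal server, while the port-mapping path exposes only the listed ports, which matches the stated need to redirect ports 80 and 443.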