07-14-2003, 09:17 AM   #1
DVNT1
Registered User
Join Date: Oct 2001
Location: Ohio
Posts: 5,577
W2K Server NAT problem

This is my first attempt at using W2K Server's NAT ability.

I have outgoing connections to the Internet working fine but not incoming. For testing purposes at least, all IP addressing is statically assigned.

I've been trying to map DNS and http to internal addresses by opening Routing and Remote Access, drilling down to NAT, properties of the WAN interface, Special Ports, then adding the mapping.

When I test it from another computer on the Internet, it shows the request in the Show Mappings but a response is not received by the Internet computer.

What might I be missing?

07-14-2003, 10:27 AM   #2
meese
Registered User
Join Date: Jun 2003
Location: NJ
Posts: 1,096
I'm guessing under Add Special Port you have "On this interface" selected and the incoming and outgoing port set to 80 for http? You shouldn't have to forward the DNS port for http.
07-14-2003, 11:13 AM   #3
blubomber
Registered User
Join Date: Oct 2001
Location: Reno, NV
Posts: 776
What is your NAT server configuration? Are you using it as your gateway for your internal clients? Also, are you trying to access an internal web server?

First, make sure the NIC card that is for the internal network has no default gateway set and lists your internal DNS servers for its lookup. Then, make sure the NIC card for the external network has the appropriate Gateway IP and use external DNS server IPs. For clients on the outside, DNS should happen automatically if you have your internal NIC looking at the internal DNS. Are you using a firewall with this NAT server?

What happens if you use ShieldsUp on the external IP for the NAT server to do a port scan? Does it show your http port as open?
07-14-2003, 11:49 AM   #4
DVNT1
Registered User
Join Date: Oct 2001
Location: Ohio
Posts: 5,577
meese: yes, "On this interface" is selected. Port 80 is selected for both Public and private. The DNS mapping has nothing to do with the HTTP mapping; I'm hosting the Public DNS servers for this domain.

blubomber: It isn't my primary gateway for the LAN but it does work correctly for that.

As for the internal web server, it has this RRAS computer's LAN IP as the default gateway (and no other default gateway). The web server effectively goes out the RRAS server via NAT to access the Internet.
When I port scan this RRAS server from the Internet neither the expected port 80 nor 53 respond. As a side note, this RRAS server is showing port 25 as open which is correct since I also enabled the SMTP service.
Firewall question: I do not have any 3rd party software on this RRAS server. The other external firewall is not part of this problem since I am testing between the RRAS and our outer firewall. Also, the RRAS server does not have any IP filters enabled for either NIC. IPSEC is enabled on the LAN NIC but I doubt that has anything to do with this problem since IPSEC is working correctly and the initial problem seems to be with the RRAS server not showing the appropriate open ports on the WAN NIC.

Thanks for the help so far, keep it coming.

Last edited by DVNT1; 07-14-2003 at 11:56 AM.
07-14-2003, 12:24 PM   #5
blubomber
Registered User
Join Date: Oct 2001
Location: Reno, NV
Posts: 776
How about a sniffer? Did you try running a sniffer (I like Ethereal) on the external NIC to see if you can see the external client knocking on the door?
07-14-2003, 12:29 PM   #6
DVNT1
Registered User
Join Date: Oct 2001
Location: Ohio
Posts: 5,577
I didn't use a sniffer but W2K's "Show Mappings" does indicate the attempt to connect to the internal NATed web server from the WAN NIC.

For testing purposes, I also changed the port 80 mapping to another internal web server but had the same results. In either case, the RRAS server can always access the internal web server and the internal web server can also access the Internet via the RRAS server (including this test computer on the Internet).
07-14-2003, 02:12 PM   #7
DVNT1
Registered User
Join Date: Oct 2001
Location: Ohio
Posts: 5,577
After having this machine completely lock up once, I decided to reformat and start over. I think in all my experimenting I have corrupted the install to some degree.
07-14-2003, 02:58 PM   #8
DVNT1
Registered User
Join Date: Oct 2001
Location: Ohio
Posts: 5,577
A clean reinstall didn't fix it.

What I've done since the clean OS install:

1) set static IP addresses for both NICs
2) Used RRAS wizard to set up Internet Connection Sharing while choosing NAT.
3) under IP Routing, NAT, properties of the WAN NIC, Special port, I added a TCP entry for public port 888 to internal IP of web server with private port 80 (this is to ensure IIS web server wasn't interfering).
4) added a UDP mapping for Public port 53 to private port 53 to LAN IP of a DNS server.

Result:

1) web server can ping Internet host name successfully using NAT via this RRAS server
2) port scan to port 888 and 53 from Internet host do not show any response
3) DNS queries from Internet host via RRAS server port 53 time out
4) http from Internet host via RRAS server port 888 time out

I must be missing something simple but it still eludes me. Suggestions?

Last edited by DVNT1; 07-14-2003 at 03:00 PM.
07-14-2003, 03:23 PM   #9
cadetstimp
Registered User
Join Date: Oct 2001
Location: Oceanside CA
Posts: 1,591
It sounds like your external interface to the internet needs a DNS service running or DNS/host entries updated to route requests from the internet properly.

Is your Internet test system using the correct DNS server? Where is it pointing to for DNS resolution? (i.e. what does ipconfig /all report on the Internet test system? )

<edit>It may be as simple as adding your ISP's DNS server as a secondary DNS for the external NIC of the NAT. </edit>

Last edited by cadetstimp; 07-14-2003 at 03:26 PM.
07-14-2003, 03:38 PM   #10
DVNT1
Registered User
Join Date: Oct 2001
Location: Ohio
Posts: 5,577
RRAS server DNS resolution is fine for accessing the Internet and the LAN.

I'm simply trying to do two things:

1) host an Internet-accessible DNS server behind this RRAS server so I need to use a NAT/PAT mapping.
2) host an Internet-accessible WEB server behind this RRAS device so I need another NAT mapping

As for the bit about DNS timing out, that is when I run NSLOOKUP on another Internet host computer and point it to the RRAS server for DNS. In turn, the RRAS should do the NAT mapping to the specific DNS server on the LAN.