[NAT] TCP connections going out and then in again... nothing works

[Massimo]

I have this private subnet (192.168.42.0/255.255.255.0), connected to the
Internet through a Windows 2003 RRAS computer with two NICs, one of them
attached to the LAN, the other to the Internet with some public IP
addresses.
The RRAS server is also configured to do some port forwardings, mainly to
allow our public web server and Exchange front-end to be reached on ports
80, 25 and 110.
On this server, we are hosting our company web site (on www.mydomain.com),
our SMTP and POP3 front-end (on mail.mydomain.com) and some customer's web
sites (let's call them www.hostedsite1.com, www.hostedsite2.com, and so on).
In our internal DNS, www.mydomain.com and mail.mydomain.com are mapped to
the local private IP address of the server, so to allow intranet users to
connect to the server without going through the RRAS router.

All of this is working, except for a problem: when, from inside the
Intranet, an user tries to reach one of our hosted websites, its browser
queries the DNS, which in turn queries external ones, and the result of this
query is our public IP address. Then the browser tries to connect to that
address, and something weird heppens in the RRAS router, which, instead of
properly forwarding the request to the intranet IP of the web server,
refuses it. The server is perfectly working when accessing it from the
Internet through our public IP address, but when doing the same from inside
the intranet nothing works, and I think the problem is in the RRAS server,
which has troubles handling these connections that go outside and then
inside again through the NAT.
I've done some testings, and the same happens for other protocols: when
trying, from inside the intranet, to reach our front-end server thorugh the
public IP and the NAT, the connection is refused.

Any one ever had this problem, and how did he fix it, if this can actually
be done ?

I could find a workaround setting up fake DNS zones in our server to make
intranet clients think www.hostedsite1.com points directly to our web
server's internal IP, but I'd prefer to avoid this, since this would make
the real DNS records for those zones unavailable...

Thanks for any help

Massimo

 

[Marina Roos]

So the server has 2 nics and you're using RRAS. Checkout 292822, you might
need to do those regedits.
Also check the bindingorder of the nics and make sure the internal is on
top.
DNS on both nics point to your server-IP, right?

Marina

 

[Bill Grant]

From any machine on your local network, you cannot access machines which
are inside your NAT router by using their public IPs. Your local DNS should
resolve them to their LAN IP address.

A NAT device will not transfer traffic it receives on its internal
interface to its external interface to be redirected (by static mapping or
port forwarding) to a LAN server.

 

[Massimo]

So the server has 2 nics and you're using RRAS. Checkout 292822,
you might need to do those regedits.

I don't think so... that server is not a domain controller.

Also check the bindingorder of the nics and make sure the internal
is on top.

I'll check this.

DNS on both nics point to your server-IP, right?

Of course.
But DNS is not the problem... it's routing.

Massimo

 

[Massimo]

From any machine on your local network, you cannot access machines which
are inside your NAT router by using their public IPs. Your local DNS should
resolve them to their LAN IP address.

A NAT device will not transfer traffic it receives on its internal
interface to its external interface to be redirected (by static mapping or
port forwarding) to a LAN server.

So, there is no way to solve this problem ?
How can I reach my hosted websites from inside the LAN ? This is something I
really need to do... and I don't want to create (a lot of) fake DNS zones!

Massimo

 

[Massimo]

All of this is working, except for a problem: when, from inside the
Intranet, an user tries to reach one of our hosted websites, its browser
queries the DNS, which in turn queries external ones, and the result of this
query is our public IP address. Then the browser tries to connect to that
address, and something weird heppens in the RRAS router, which, instead of
properly forwarding the request to the intranet IP of the web server,
refuses it. The server is perfectly working when accessing it from the
Internet through our public IP address, but when doing the same from inside
the intranet nothing works, and I think the problem is in the RRAS server,
which has troubles handling these connections that go outside and then
inside again through the NAT.
I've done some testings, and the same happens for other protocols: when
trying, from inside the intranet, to reach our front-end server thorugh the
public IP and the NAT, the connection is refused.

Solved.
But in a very dirty way, I think... maybe the relationships between system
network interfaces and RRAS should be made *a little* clearer.
I found that, by assigning only one of my public IPs to the public NIC,
*while assigning all of them to the RRAS*, this out-and-in-again NAT works
for all of the IPs that where not assigned to the NIC. Fortunately, the IP
used for hosted web sites is one of them. It doesn't work on the IP that is
assigned to the NIC, but in this case that IP is used only for our main
domain's servers (www.mydomain.com and mail.mydomain.com), so that can be
easily managed at the DNS level.
That was definitely *ugly*, anyway...

Massimo