[Please help] Repost - some NAT questions


Massimo

This is the third time I've been asking this, I'd really like to receive at
least a reply...

I have a Windows 2003 server doing RRAS from the private LAN to the
Internet, using a range of public IP addresses assigned to our company by
our ISP. When I use these multiple IPs with a single NIC, do I need to
assign them to the NIC too, or is it enough to specify them in the RRAS
public interface properties?

Second question: I need to forward port 80, 25, 110 and 443 of one of these
IPs to one server (running Exchange), and port 80 and 443 of another IP to
another server (running the company web site). This doesn't seem to work
unless I create a reservation for the second IP address, forwarding it fully
to the web server. Without the reservation, the forwarding simply doesn't
work.
Why is this happening? Do I really need that reservation? Do I need more
than one NIC to handle those IPs? Is this some kind of by-design behaviour,
or just a nasty bug?

Thanks for any help...

Massimo
 
Massimo said:
> This is the third time I've been asking this, I'd really like to receive at
> least a reply...

When you receive no replies (multiple times) it is usually a sign
of an unclear question, or hiding the question in a bunch of
camouflaging detail.

> I have a Windows 2003 server doing RRAS from the private LAN to the
> Internet, using a range of public IP addresses assigned to our company by
> our ISP. When I use these multiple IPs with a single NIC, do I need to
> assign them to the NIC too, or is it enough to specify them in the RRAS
> public interface properties?

You need the addresses on the NIC -- you may or may not need to
specify them in RRAS depending on your precise goal.

> Second question: I need to forward port 80, 25, 110 and 443 of one of these
> IPs to one server (running Exchange), and port 80 and 443 of another IP to
> another server (running the company web site).

Depends on if that is what you want. Port 80 is usually for a web site
(including OWA) but you can pretty much use any port internally since you
get to map or forward from the outside address to the actual port in use.

> This doesn't seem to work
> unless I create a reservation for the second IP address, forwarding it fully
> to the web server. Without the reservation, the forwarding simply doesn't
> work.

Well, unless you use a fixed address it is difficult to set up a (fixed)
mapping. You can do this with a reservation or you can use a static IP on
the internal NIC.

> Why is this happening? Do I really need that reservation? Do I need more
> than one NIC to handle those IPs? Is this some kind of by-design behaviour,
> or just a nasty bug?

No, you don't need more than one external NIC.
 
> You need the addresses on the NIC -- you may or may not need to
> specify them in RRAS depending on your precise goal.

I need the RRAS to accept incoming connections on all of these IPs, so I
think I'll need to tell it to use them. However, all works fine even if I
don't specify them on the NIC, which uses only the first of them... this was
the main reason behind my question; do the RRAS settings override the NIC
ones?

> Depends on if that is what you want. Port 80 is usually for a web site
> (including OWA) but you can pretty much use any port internally since
> you get to map or forward from the outside address to the actual port
> in use.

Yes, this is true, but I need to use these servers inside the intranet too,
so they should be listening on the default ports.

> Well, unless you use a fixed address it is difficult to set up a (fixed)
> mapping.
> You can do this with a reservation or you can use a static IP on the
> internal NIC.

Can you give more details about this?
I'm using four fixed public IPs and all fixed private ones (the RRAS and all
servers have, of course, fixed IPs...).

> No, you don't need more than one external NIC.

Ok, so I can handle more than one IP with a single NIC.
So, why does RRAS seem to need a reservation on the second IP to properly
forward its incoming connections?

Massimo
 
No, they don't really "override" the NIC -- the RRAS cannot use
an address (as an interface) not assigned to the NIC.

This would be equivalent to RRAS just using 10.1.2.3 even though
you had no 10-net.
 
Massimo, you need to set up a reservation for each public
to each private IP that you want, that is the point of
NAT. I am also doing pretty much the exact same thing
you are, except that my RRAS stops passing external
traffic after about an hour... Have you been experiencing
this same issue?
 
> No, they don't really "override" the NIC -- the RRAS cannot use
> an address (as an interface) not assigned to the NIC.
>
> This would be equivalent to RRAS just using 10.1.2.3 even though
> you had no 10-net.

Why did it work, then?
However, now I've assigned all of the IPs to the NIC, and finally the RRAS
port forwarding works without needing reservations.
Thanks :-)

Massimo
 
> Massimo, you need to set up a reservation for each public
> to each private IP that you want, that is the point of
> NAT.

Well, this is not (and can't be) true: what if you need to forward, say,
port 25 and 100 to your mailserver and port 80 to your webserver?
Actually, I found it was my fault: I didn't assign all of my public IPs to
the NIC, so the RRAS didn't work without reservations. After I fixed this,
it started working fine without them, only doing the port forwarding I told
it to do.

> I am also doing pretty much the exact same thing
> you are, except that my RRAS stops passing external
> traffic after about an hour... Have you been experiencing
> this same issue?

Luckily, I never experienced anything like this... can't help you here.
The only thing I can think of is resource exhaustion, such as memory
running low or too many TCP ports opened... what kind of traffic are you
passing on?

Massimo
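
Added example, not part of the original thread and not RRAS code: a small audit of the forwarding plan discussed above, comparing the reservation workaround with the final setup (all public IPs on the NIC, port mappings only). The addresses, the names audit/before_fix/after_fix, and the simplified model (a reservation forwards every port of its public IP; a mapping needs its public IP bound to the NIC) are assumptions made for illustration.

```python
from ipaddress import ip_address

ALL_PORTS = "all ports"

# Constructed sample values: documentation-range public IPs, private hosts.
IP1, IP2 = "203.0.113.10", "203.0.113.11"
EXCHANGE, WEB = "192.168.0.10", "192.168.0.20"

# Port mappings from the thread: (public_ip, proto, port, private_ip).
PORT_MAPS = ([(IP1, "tcp", p, EXCHANGE) for p in (25, 80, 110, 443)] +
             [(IP2, "tcp", p, WEB) for p in (80, 443)])


def audit(nic_addrs, port_maps, reservations):
    """Return (findings, exposure) for a NAT forwarding plan.

    nic_addrs    -- public IPs bound to the external NIC
    port_maps    -- per-port forwards, shaped like PORT_MAPS
    reservations -- {public_ip: private_ip}; forwards the whole address
    """
    bound = {ip_address(a) for a in nic_addrs}
    findings, exposure = set(), {}
    for pub, proto, port, priv in port_maps:
        exposure.setdefault(priv, set()).add((proto, port))
        if ip_address(pub) not in bound:
            findings.add(("unbound", pub))
    for pub, priv in reservations.items():
        # Assumption: a reservation passes every inbound port to the host.
        exposure[priv] = ALL_PORTS
        findings.add(("full-forward", pub))
        if ip_address(pub) not in bound:
            findings.add(("unbound", pub))
    return sorted(findings), exposure


def before_fix():
    """Only IP1 on the NIC; IP2 reserved to the web server as a workaround."""
    return audit([IP1], PORT_MAPS, {IP2: WEB})


def after_fix():
    """Both public IPs on the NIC; port mappings only, no reservation."""
    return audit([IP1, IP2], PORT_MAPS, {})


if __name__ == "__main__":
    for name, (findings, exposure) in (("before", before_fix()), ("after", after_fix())):
        print(name, findings)
        for host, ports in exposure.items():
            print("  ", host, ports if ports == ALL_PORTS else sorted(ports))
```

In this model the reservation workaround leaves the web server reachable on every port, while the final setup exposes only the ports that were explicitly mapped.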
 