NAT troubleshooting

Discussion in 'Server Networking' started by Alex Smirnoff, Aug 15, 2006.

  1. I have installed RRAS in very basic configuration but computers on the
    private network cannot access the internet. All public/private interfaces are
    configured properly. DNS is the only thing which is working fine from the
    inside. (I can access the internet from the primary server just fine)

    tracert from the private network to any internet address doesn't even show
    first hop (it is supposed to be default gateway) - times out.

    How can I troubleshoot the problem and see why IP packets from the private
    network don't go outside? Where can I find any useful logs/traces
    (firewall, NAT - anything)?

    Alex
     
    Alex Smirnoff, Aug 15, 2006
    #1

  2. I saw this guide already and double-checked everything.
    NICs are configured correctly, one is public with static IP given by ISP,
    another private with IP of 10.0.0.16.
    Not clear where to check these. Both network cards are under NAT/Basic
    Firewall node. I recently switched to DHCP from static address pool, computer
    inside the private network gets everything automatically.

    DNS works fine. All outbound traffic is enabled in the firewall.

    Are there any tools I can use, like packet sniffers/tracers? I just don't
    believe it is so hard to figure out the source of the problem.

    Alex
     
    Alex Smirnoff, Aug 16, 2006
    #2

  3. Alex Smirnoff

    Guest Guest

    Hello,

    Please post your ipconfig /all here please so we can have a look at that for
    starters.

    Cheers
     
    Guest, Aug 16, 2006
    #3
  4. All setup has been done according to the documentation/FAQ. I can access the
    internet from the main server, I can also ping private machine IP (and back).
    DNS works. According to windump, packets arrive at the local interface but
    nothing goes outside. NAT creates port mapping for the outgoing connection (I
    can see it in the public network interface properties when I try to access a
    web site from the internal network)

    Nothing special about the config:

    Main machine:

    Windows IP Configuration
    Host Name . . . . . . . . . . . . : myhost
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection 2:

    Media State . . . . . . . . . . . : Media disconnected
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
    Physical Address. . . . . . . . . : 00-30-48-56-xx-xx

    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
    Physical Address. . . . . . . . . : 00-30-48-56-xx-xx

    Ethernet adapter External.Jack1:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Server
    Adapter
    Physical Address. . . . . . . . . : 00-04-23-CE-xx-xx
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : Static external ip
    Subnet Mask . . . . . . . . . . . : 255.255.254.0
    Default Gateway . . . . . . . . . : ISP gateway
    DNS Servers . . . . . . . . . . . : ISP DNS


    Ethernet adapter Internal.Jack2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Server
    Adapter #2
    Physical Address. . . . . . . . . : 00-04-23-CE-xx-xx
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.0.0.16
    Subnet Mask . . . . . . . . . . . : 255.0.0.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : ISP DNS

    Local computer:

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : mshome.net
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
    Physical Address. . . . . . . . . : 00-0C-29-6E-xx-xx
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 10.0.2.10
    Subnet Mask . . . . . . . . . . . : 255.0.0.0
    Default Gateway . . . . . . . . . : 10.0.0.16
    DHCP Server . . . . . . . . . . . : 10.0.0.16
    DNS Servers . . . . . . . . . . . : 10.0.0.16
    Lease Obtained. . . . . . . . . . : Wednesday, August 16, 2006 2:12:58 AM
    Lease Expires . . . . . . . . . . : Wednesday, August 23, 2006 2:12:58 AM
     
    Alex Smirnoff, Aug 16, 2006
    #4
  5. Alex Smirnoff

    Guest Guest

    Hello,

    I see you have two internal NICs on the RRAS server. Just as a test try to
    leave the gateway on that NIC with IP x.x.x.20 blank or even better disable
    it. You don't really need that NIC for NAT to work.

    Cheers
     
    Guest, Aug 16, 2006
    #5
  6. I don't follow...which interface are you talking about? Private interface does
    not have gateway set, public does - but it needs it.

    Another observation: NAT creates port mappings for the client - I can see
    them in the "Show mappings" dialog. But packets do not go outside (even with
    firewall disabled). Really strange...
     
    Alex Smirnoff, Aug 17, 2006
    #6
  7. Alex Smirnoff

    Guest Guest

    I see now that I misread the ipconfig post, the other NIC belongs to a
    different machine .. sorry for the confusion ...

    What I would do when I look at the IPCONFIG is set the DNS for the internal
    NIC and external NIC to internal DNS Server that uses forwarding or root
    hints, unless you don't have an internal DNS server ... Is this a pure RRAS
    server or a DC/DNS/RRAS with NAT setup?

    Cheers
     
    Guest, Aug 17, 2006
    #7
  8. This is pure RRAS, no DNS server. As I mentioned before, DNS is the only
    thing which works fine.
     
    Alex Smirnoff, Aug 18, 2006
    #8
  9. Alex Smirnoff

    Guest Guest

    Hello again,

    What I see in your IPCONFIG is:

    Client says DNS is 10.0.0.16 but it is the RRAS machine which is not a DNS
    server ...?

    The client machine lives on 10.0.2.X subnet and the RRAS/NAT Machine on
    10.0.0.X ... can they find each other? Routing is OK?

    If your machines live in a Active Directory Domain they should use the
    internal DNS that is used for Active Directory and which is configured with
    root hints or forwarding ... and so should the RRAS/NAT machine on the
    internal side or do you not have a domain at all?

    thx for your input & feedback




     
    Guest, Aug 18, 2006
    #9
  10. Client says DNS is 10.0.0.16 but it is the RRAS machine which is not a DNS
    DNS relay is enabled on RRAS and works fine - names are being resolved from
    the private network
    Yes, I can ping and access web server using internal address. I switched
    back from DHCP to static allocation using 10.0.0.0 address and 255.0.0.0
    subnet
    Nope, no domain - all computers are stand-alone.

    I tried different scenario - set up static port mapping from the public
    machine to 10.0.2.1 on port 80. Using windump, I can see arriving packets on
    the public interface, properly translated (entry appears in the "Show
    mappings"), sent to the private server. Private interface gets packet back
    (10.0.2.1:80 -> external client) but it never gets translated back, even with
    firewall disabled. Mystery... And logging totally sucks - there is nothing
    useful.
     
    Alex Smirnoff, Aug 18, 2006
    #10
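
    Added example (not part of the original thread): one way to turn the two windump captures described in post #10 into a stage-by-stage answer about where a statically mapped connection stops. The capture lines, the public address 203.0.113.5 and the client 198.51.100.7 are constructed sample values; only 10.0.2.1 port 80 comes from the post.

```python
import re

# windump/tcpdump -n line: "<time> IP <src>.<port> > <dst>.<port>: ..."
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def flows(lines):
    """Return the set of (src, sport, dst, dport) tuples seen in a capture."""
    seen = set()
    for line in lines:
        m = PKT.search(line)
        if m:
            seen.add((m[1], int(m[2]), m[3], int(m[4])))
    return seen

def trace_mapping(public_cap, private_cap, public_ep, private_ep):
    """Follow one static mapping public_ep -> private_ep through both captures.

    Returns the four stages in path order, each with whether it was observed."""
    pub, priv = flows(public_cap), flows(private_cap)
    clients = {(s, sp) for s, sp, d, dp in pub if (d, dp) == public_ep}
    fwd = {c for c in clients if (*c, *private_ep) in priv}
    rep = {c for c in fwd if (*private_ep, *c) in priv}
    out = {c for c in rep if (*public_ep, *c) in pub}
    return [
        ("request arrives on public interface", bool(clients)),
        ("request forwarded on private interface", bool(fwd)),
        ("reply arrives on private interface", bool(rep)),
        ("reply translated out on public interface", bool(out)),
    ]

def first_missing(stages):
    """Name of the first stage with no packet, or None if the path is complete."""
    return next((name for name, ok in stages if not ok), None)

# Constructed captures reproducing the symptom from post #10.
PUBLIC_EP, PRIVATE_EP = ("203.0.113.5", 80), ("10.0.2.1", 80)
PUBLIC_CAP = [
    "02:15:01.100000 IP 198.51.100.7.40000 > 203.0.113.5.80: S 1000:1000(0) win 65535",
    "02:15:04.100000 IP 198.51.100.7.40000 > 203.0.113.5.80: S 1000:1000(0) win 65535",
]
PRIVATE_CAP = [
    "02:15:01.100200 IP 198.51.100.7.40000 > 10.0.2.1.80: S 1000:1000(0) win 65535",
    "02:15:01.100900 IP 10.0.2.1.80 > 198.51.100.7.40000: S 5000:5000(0) ack 1001 win 65535",
]

if __name__ == "__main__":
    for name, ok in trace_mapping(PUBLIC_CAP, PRIVATE_CAP, PUBLIC_EP, PRIVATE_EP):
        print(f"{'seen   ' if ok else 'MISSING'}  {name}")
```

    The first stage reported missing is the interface and direction to look at next; for the outbound case in the earlier posts, the same comparison applies with the client's source address on the private capture and the server's public address on the public one.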
  11. Alex Smirnoff

    Guest Guest

    What about the fact that the client PC is on a different subnet than the
    RRAS/NAT server ... how is routing set up?
     
    Guest, Aug 18, 2006
    #11
  12. It's the same subnet - 255.0.0.0. I assume that routing is ok. Again,
    according to the documentation, there's nothing special about setting up
    routing in NAT config.
     
    Alex Smirnoff, Aug 19, 2006
    #12