2003 R2 RRAS drops inbound packets from 'DMZ'
Hi Guys, Pulling my hair out with this one! I've got a Cisco router with all the home stuff right behind it (the 'DMZ' ;-) ) and for Testing & Dev I've got a Hyper-V machine with 3 private VM LANs. There's a virtual multihomed RRAS server connecting the private LANs to the outside. It all looks a bit like this:

    WAN side
      |
    192.168.1.1 - Cisco (default gateway)
      |
    ----- Home PCs, mobiles etc
      |
    192.168.1.101 - RRAS external interface (NAT & Basic Firewall)
      |
    172.16.0.1 / 172.16.1.1 / 172.16.2.1 - RRAS private interfaces x3 (each LAN is /24 subnetted)

Now I've got ports forwarded through both the Cisco and RRAS so, from the internet, I can access the test websites on the 172.16.0.x subnet - works perfect. The machines on the 172 subnet can also get out to the internet fine, and they can even ping hosts on the 192 side, no problems.

The problem I'm having is I can't get anything through from the 192.168.1.x side to the 172.16.0.x hosts. I've put a static route on the Cisco and I've installed Netmon on the RRAS server and confirmed the packets are getting there, but they're being dropped. This occurs for services for which I've defined a specific firewall exception (http:80) or anything else (tracert, ping, RDP etc). DO NOT UNDERSTAND!!!

I want this to work so I can administer the servers on the 172 side without having to VPN in. I don't get why I can access the websites from the internet but not from the 'next door' private range... is it an RFC 1918 thing? I have tried disabling the basic firewall - no joy. If I change the RRAS external interface to "Private interface connected to private network", voila! Access granted from the 192 network, but then there's no NAT and the 172.16.0.x clients have no access to the internet. I've also tried changing inbound & outbound filters to drop every packet except the following: 'Any Any Any Any Any Any Any'. I can't find any options which look like they should help - is there anything you can think of?

Cheers, Mark
August 4th, 2011 10:47am

What static route have you put on the Cisco? You need to bounce all traffic for 172.16.0.0 back to the RRAS router, e.g.

    172.16.0.0 255.255.0.0 192.168.1.101

The default route of the Cisco will be out to the Internet. To get traffic from 192.168.1.0 to your 172.16 subnets you need static routing to redirect it to the RRAS router. Otherwise it will be dropped by the Cisco or later routers (because private addresses can't cross the Internet).

Bill
August 4th, 2011 10:56pm

Hi Mark, Thanks for posting here. What do you mean by DMZ? Does this router have a built-in DMZ feature, with all devices other than the Hyper-V host connected to the DMZ? And were you able to access your website hosted on the 172.16.0.x subnet from the 192.168.1.x subnet via http://192.168.1.101?

You might need to set up port forwarding to publish services behind NAT to the outside instead of setting exceptions on the firewall:

Configuring Access to Services Behind a Network Address Translator (NAT)
http://technet.microsoft.com/en-us/library/bb878046.aspx

Due to the nature of NAT, we can't directly access/manage all internal hosts from outside without setting up port forwarding. However, considering that all these hosts are in a private network environment, why not access these VMs by setting up routing instead of NAT on RRAS? You can then set NAT and port forwarding on your Internet-edge Cisco router to publish your internal service to the Internet.

    Internet --- Cisco Router --- [home network (192.168.1.x)] --- RRAS/Hyper-V host (router) --- [virtual network (172.16.0.0/24)]

Regards, Tiger Li
TechNet Subscriber Support in forum
August 4th, 2011 11:29pm

Hi Mark, Please feel free to let us know if the information was helpful to you.

Regards, Tiger Li
TechNet Subscriber Support in forum
August 8th, 2011 8:00am

Hi Both, thank you for your replies - I'm going to try your suggestions today or tomorrow! Will report back ASAP!
August 11th, 2011 4:36am

Bill, I have put a static route on the Cisco to bounce traffic for 172 back to the RRAS. Here's the output from 'show ip route':

    172.16.0.0/24 is subnetted, 1 subnets
    S       172.16.0.0 [1/0] via 192.168.1.101, Ethernet0

I've also installed Netmon on the RRAS and can see the packets arriving, so it looks like the Cisco is doing its job, but RRAS isn't passing them through to the hosts on 172.16.0.x UNLESS the packet originates from the internet.
August 11th, 2011 7:56am

Tiger Li, I might have overcomplicated it when I explained it first. Let's say I'm just trying to access the website on 172.16.0.2 from 192.168.1.10. It works perfectly from anywhere on the internet but not from 192.168.1.10. What might be the reasons for this? All hosts can access the internet. 172 hosts can access 192 hosts, but not the other way round - 192 hosts can't access 172 hosts, even for services which are accessible from the internet.

With your suggestion to set routing instead of NAT, is that implemented by changing the outside NIC from "Public interface connected to the Internet" to one of the other options? I find that doing that breaks external connectivity for the 172 clients, although it then allows access to 172 for 192?

Cheers, Mark
August 11th, 2011 7:56am

Hello Both again! Just thought I would reply back as, thanks to your replies, I've fixed the problem. The main problem was that I was having a major brain glitch! I was trying to access the website on 172.16.0.2 from 192.168.1.10, forgetting that I was using port forwarding on the RRAS; as Tiger mentioned below, I needed routing only. Of course, once I accessed the website via 192.168.1.101 it all worked!

So to get my desired result, I turned off NATting on the RRAS and went to basic firewall only. Then I had to give the 172 network an access list on the Cisco so the router will do the NAT instead - that's why I lost internet access when I tried it before. Here's what I did in case it helps anyone:

    conf t
    access-list 102 permit ip 172.16.0.0 0.0.255.255 any
    ip nat inside source list 102 interface Dialer0 overload

Then finally I had to remap the port forwards on the Cisco directly to 172.16.0.2 instead of going via the RRAS external interface:

    no ip nat inside source static tcp 192.168.1.101 80 interface Dialer0 80
    ip nat inside source static tcp 172.16.0.2 80 interface Dialer0 80

BOOM! All working! Thanks guys for your help, I would never have straightened it out in my head without your comments making me think a bit!

Mark
August 18th, 2011 11:41am
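The following is an added example, not code from the thread, from RRAS or from Cisco IOS: a small Python model of the Cisco-to-RRAS path that reproduces the behaviour reported above (192.168.1.10 -> 172.16.0.2:80 dropped while 192.168.1.101:80 and Internet access worked, no static route on the Cisco meaning the packet never comes back, and the 172 hosts losing Internet access once RRAS stops NATting until ACL 102 is added) and then shows the final layout working. The addresses, ports and routes are the thread's own; the public address 203.0.113.1 and the Internet client 198.51.100.7 are constructed documentation addresses; the forwarding rules are an assumption fitted to the reported symptoms, not a reimplementation of either product.

```python
"""Added example (not code from the thread, RRAS or Cisco IOS): a model of the
Cisco -> RRAS path that reproduces why 192.168.1.10 -> 172.16.0.2:80 was dropped
while 192.168.1.101:80 and Internet access worked, and why moving NAT from RRAS to
the Cisco fixed it. The rules are an assumption fitted to the reported symptoms;
203.0.113.1 and 198.51.100.7 are constructed addresses."""
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def longest_prefix_match(routes, dst):
    """routes: list of (prefix, next_hop); returns the winning next hop or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

class Cisco:
    """Edge router: static routes, static port forwards, source NAT by ACL."""

    def __init__(self, routes, public_ip, port_forwards, nat_sources):
        self.routes = routes
        self.public_ip = str(public_ip)
        self.port_forwards = port_forwards  # dport -> (inside ip, inside port)
        self.nat_sources = [ipaddress.ip_network(n) for n in nat_sources]

    def ingress(self, pkt):
        """Inbound packet; returns (next_hop, pkt) or (None, None) if dropped."""
        if pkt.dst == self.public_ip:  # from the Internet: untranslate first
            if pkt.dport not in self.port_forwards:
                return None, None  # no static mapping: dropped at the edge
            ip, port = self.port_forwards[pkt.dport]
            pkt = replace(pkt, dst=ip, dport=port)
        return longest_prefix_match(self.routes, pkt.dst), pkt

    def egress(self, pkt):
        """Outbound packet: PAT only if the source matches the 'ip nat inside
        source list' ACL; otherwise it leaves un-NATed and never gets a reply."""
        if any(ipaddress.ip_address(pkt.src) in n for n in self.nat_sources):
            return "forwarded", replace(pkt, src=self.public_ip)
        return "dropped", None

class Rras:
    """nat=True: outside NIC set to 'Public interface connected to the Internet'
    (NAT + basic firewall). nat=False: 'Private interface' (plain routing)."""

    def __init__(self, external_ip, internal_nets, nat, port_forwards):
        self.external_ip = str(external_ip)
        self.internal_nets = [ipaddress.ip_network(n) for n in internal_nets]
        self.nat, self.port_forwards = nat, port_forwards

    def forward(self, pkt):
        if self.nat:
            # New inbound flows on the public NIC are accepted only when addressed
            # to the external IP and matching a static mapping; a packet already
            # carrying a 172.16.x.x destination matches nothing and is dropped.
            if pkt.dst == self.external_ip and pkt.dport in self.port_forwards:
                ip, port = self.port_forwards[pkt.dport]
                return "forwarded", replace(pkt, dst=ip, dport=port)
            return "dropped", None
        if any(ipaddress.ip_address(pkt.dst) in n for n in self.internal_nets):
            return "forwarded", pkt
        return "dropped", None

PRIVATE_NETS = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24"]
ROUTES = [("192.168.1.0/24", "connected"), ("0.0.0.0/0", "internet")]
STATIC_ROUTE = ("172.16.0.0/24", "192.168.1.101")  # 'S 172.16.0.0 via 192.168.1.101'

def trace(pkt, cisco, rras):
    """Walk one packet towards the 172 side; returns (verdict, packet as delivered)."""
    if pkt.dst != rras.external_ip:  # anything not aimed at the RRAS NIC goes via the Cisco
        next_hop, pkt = cisco.ingress(pkt)
        if pkt is None or (next_hop != rras.external_ip and pkt.dst != rras.external_ip):
            return "dropped", None  # no route back to RRAS: lost via the default route
    return rras.forward(pkt)

def before_fix(static_route=True):
    """Original setup: RRAS NATs; the Cisco forwards :80 to the RRAS outside NIC."""
    routes = ROUTES + ([STATIC_ROUTE] if static_route else [])
    cisco = Cisco(routes, "203.0.113.1", {80: ("192.168.1.101", 80)}, ["192.168.1.0/24"])
    return cisco, Rras("192.168.1.101", PRIVATE_NETS, True, {80: ("172.16.0.2", 80)})

def after_fix():
    """Final setup: RRAS routes only; the Cisco NATs ACL 102 and forwards :80 to 172.16.0.2."""
    cisco = Cisco(ROUTES + [STATIC_ROUTE], "203.0.113.1", {80: ("172.16.0.2", 80)},
                  ["192.168.1.0/24", "172.16.0.0/16"])
    return cisco, Rras("192.168.1.101", PRIVATE_NETS, False, {})
```

Run `trace(Packet("192.168.1.10", "172.16.0.2", 80), *before_fix())` and it returns `("dropped", None)`; the same packet against `after_fix()` is forwarded, as is `Packet("192.168.1.10", "172.16.0.2", 3389)`. That last case is the caveat worth noting with the final layout: once RRAS is a plain router, nothing on it hides the 172 subnets from the home LAN any more, so every host on 192.168.1.0/24 can reach every port on the VMs, and the RRAS inbound packet filters or the firewall on each VM now carry that job. Exposure to the Internet is unchanged: only the one static mapping (tcp/80 to 172.16.0.2) is reachable from outside, and `Cisco.egress` shows why the 172 hosts lost Internet access until ACL 102 matched their source addresses.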

This topic is archived. No further replies will be accepted.