Configuring NAT in RRAS with only one net

Dear Gurus!

   I am trying to understand why I cannot configure NAT in RRAS. To work around redirecting requests to a computer in AD, as there may be additional problems, I am trying to do it this way.
    Requests from the Internet (RDP) come to the DIR-100 router; from it, through NAT, the request is sent to one of the servers (Windows Server 2008 R2) in the network, 192.168.3.153. RRAS is installed on it, and with NAT I am trying to redirect the request to another computer, 192.168.3.105, in the same net. But the server 192.168.3.153 becomes unavailable over RDP.
    What could be the problem?





  • Edited by ATerentjev Friday, February 13, 2015 1:19 PM
February 13th, 2015 10:32am

Thus, is such a scheme possible in principle?

request from IE -> dir-100 -> over NAT -> 192.168.3.153 -> over NAT of RRAS -> 192.168.3.105


  • Edited by ATerentjev Friday, February 13, 2015 2:09 PM
February 13th, 2015 4:27pm

It is an interesting article concerning the problem - cascaded NAT or double NAT.

This example has the same scheme.



It seems to me this is just what I wanted at this step. And it works. But in my case it does not work. I can't understand why. Maybe somewhere there is some group policy or firewall which I don't see.



  • Edited by ATerentjev Monday, February 16, 2015 1:22 PM
February 16th, 2015 12:40pm

 

   Yes, the example you show will work. Double NAT is not a problem and I often use it.

  The difference between the example you quote here and what you want to do is that the target machine is behind the RRAS/NAT and in a different IP subnet. You want to redirect traffic which is in the same subnet as the public router. NAT cannot do this. It can only redirect traffic on the "private" side of its NAT. 

  You will either have to put the target machine behind the RRAS/NAT or do your redirection from the DSL router before the data reaches the RRAS/NAT device.

  Looking at your original post, RRAS will work for the 10.37 machines (and you could direct traffic to a particular machine in this subnet), but it cannot redirect traffic on its "public" side (the 192.168 subnet).

  In the second example, the redirection would need to be done at the DSL router because the target machines are all in the same subnet as the DSL router's private interface.

 Sorry this sounds so technical, I can't think of any simpler way to put it.

February 17th, 2015 4:25am

     Thank you very much, everything is clear from the first reading. I am familiar with networking technologies, but have little practical experience - I'm a programmer. However, there are some peculiarities of the problem. I would be very grateful for any advice.

1. Really, the host on which I want to make the mysql (or mssql) server accessible from the Internet is in a private network 10.37 behind RRAS/NAT (its address is 10.37.2.3). And there is Windows Server 2008 R2 installed on it.

2. There is a Cisco router in the 10.37 net, the routing of which, in principle, I can adjust, but for now I wanted to do without it, because it is controlled by other people.

3. All hosts in the 10.37 net have the default gateway 10.37.0.1 (Cisco). And so I can't reassign the default gateway in it to 10.37.2.93 (on the first scheme).

4. Hosts in the 10.37 net are members of Active Directory and some VLAN.


Do I understand correctly that NAT is not enough in this case? As an option, I can install RRAS on 10.37.2.3 and set a static route to 10.37.2.93 for all packets whose destination is not in the network 10.37?


  • Edited by ATerentjev Tuesday, February 17, 2015 7:27 AM
February 17th, 2015 10:24am

  You can certainly have a machine in the 10.37 which did not use the Cisco as its default gateway, but it could cause problems reaching all the machines in the local network. It really depends on how this network is set up. If it is set up with internal subnets or VLANs, all machines really need to use the Cisco as their default gateway.

 If you want a machine to be reachable from the Internet, there is really no  option. Its default gateway must be an Internet router. You can use a static route to redirect particular traffic (such as traffic from a particular site or subnet) to use an alternative gateway. But to be reachable from any possible user of the Internet, all traffic must use that gateway, so it needs to be a default route.

  In a simple network, where all machines are in the same IP subnet and the only router is a gateway or Internet router, things are simple. If your local network has an internal router which controls VLANs, things are much more complicated.

  I would look at the problem in a different way. I would configure this server in its own network with its own IP subnet behind its own Internet router, using this router as its default gateway and get that working. I would then consider how I could route between this machine and the 10.37 network using static routing (and adding the LAN router) so that it can communicate with machines on your local LAN. A simple diagram would look like this.

Internet
   |
 DIR-100
192.168.3.1
   |
Application server
Remote access
192.168.3.x
dg 192.168.3.1
   |
   |
192.168.3.254 dg blank
  LAN router
10.37.2.93    dg blank

 Then configure static routes in both subnets so that all traffic from 192.168.3.0 can reach 10.37.0.0 and all traffic from 10.37.0.0 can reach 192.168.3.0 through your LAN router (which could be a hardware device or a RRAS server).

February 17th, 2015 11:32pm
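
Added example (not part of the original thread): a small longest-prefix-match model of the routing tables in the diagram above, showing why a static route is needed on both sides. The /24 and /16 masks, the sample addresses and the function names are assumptions; the `route` commands in the comments are the Windows equivalents of each modelled entry.

```python
import ipaddress

ON_LINK = "on-link"  # destination is in a directly attached subnet


def next_hop(routes, dst):
    """Return the gateway of the most specific route covering dst.

    routes is a list of (prefix, gateway) pairs; None means no route at all.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def app_server_routes(static=True):
    """Application server in 192.168.3.0/24 (assumed mask), dg 192.168.3.1."""
    routes = [("192.168.3.0/24", ON_LINK), ("0.0.0.0/0", "192.168.3.1")]
    if static:
        # route -p add 10.37.0.0 mask 255.255.0.0 192.168.3.254
        routes.append(("10.37.0.0/16", "192.168.3.254"))
    return routes


def lan_host_routes(static=True):
    """Host in 10.37.0.0/16 (assumed mask), dg 10.37.0.1 (the Cisco)."""
    routes = [("10.37.0.0/16", ON_LINK), ("0.0.0.0/0", "10.37.0.1")]
    if static:
        # route -p add 192.168.3.0 mask 255.255.255.0 10.37.2.93
        routes.append(("192.168.3.0/24", "10.37.2.93"))
    return routes


if __name__ == "__main__":
    for static in (True, False):
        print("static routes present:", static)
        # Forward path: application server -> database host 10.37.2.3
        print("  app -> 10.37.2.3     via", next_hop(app_server_routes(static), "10.37.2.3"))
        # Return path: database host -> application server (sample address)
        print("  lan -> 192.168.3.105 via", next_hop(lan_host_routes(static), "192.168.3.105"))
        # Internet traffic still follows the default route (documentation address)
        print("  app -> 203.0.113.10  via", next_hop(app_server_routes(static), "203.0.113.10"))
```

Without the static route on the 10.37 side, replies to 192.168.3.0 are handed to the Cisco default gateway instead of the LAN router, so the same route can alternatively be placed on the Cisco itself.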

I am thinking ... But it needs a few refinements.

1. There are several tasks, but the first is as follows. On the 10.37.2.3 server I have a mysql (and mssql) server which is in active use by 10.37 hosts. And for one organization it is inconvenient to work in the 10.37 net. So I need to arrange it so that this organization can work with the mysql server from the Internet.

2. It's not clear to me: if I open access from the Internet to the server 192.168.3.105 (10.37.2.93) on which I have installed the mysql (and mssql) server, will I need a special program to keep track of changes made from the Internet and transfer them to the database on 10.37.2.3?

3. Can I install the RRAS server on 192.168.3.105 for that task, or must I install it on a special server?




February 18th, 2015 2:40am

This topic is archived. No further replies will be accepted.
