Enable NAT and no RDP?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Enable NAT and no RDP?

    Good morning all.

    I've been trying to resolve this issue myself and have finally given up and am seeking your help. I have an issue whereby when I enable NAT on my RRAS server, RDP access into the subnet stops if I'm adding a certain interface and I can't get my head around why. It's not a production environment and to be honest I don't need to enable NAT, but I hate to leave an unanswered question.

    My topology is as follows:
    Subnet1 - 192.168.0.x/24
    Subnet2 - 192.168.1.x/24
    ST510 Router provides DHCP to subnet1
    W2k3 (SP1) provides DHCP to subnet2
    W2k3 RRAS on subnet2 with 2 interfaces - 192.168.0.99 (ExtNIC) & 192.168.1.1 (IntNIC)

    From a client station on subnet1, I can RDP into the RRAS and any client on subnet just fine. All clients on subnet2 have internet access via 192.168.1.1 as a gateway and are all pingable.

    When I enable NAT/Basic Firewall on the RRAS and add the ExtNIC interface, all RDP access from outside of subnet2 stops including the ability to ping into subnet2. Clients within the subnet are still able to ping, RDP and have internet access.

    I've tracked RDP packets arriving at the ExtNIC but they don't get forwarded into the IntNIC so I know they're being stopped but for the life of me I can't figure out why. Removing the IntNIC interface from NAT/Basic Firewall immediately restores RDP functionality. I've checked to ensure that Basic Firewall is disabled, there are no filter restrictions in place... I'm obviously missing something so blatantly obvious that I just can't see it.

    As I say, this is just a test environment so it's not urgent, but if anyone could point out the obvious to me I'd be most grateful.

    Many thanks,
    Michael P
    Regards,
    Michael

  • #2
    Re: Enable NAT and no RDP?

    Hi Mike.
    OK, the obvious is that this is normal behaviour.

    When you enable NAT and then connect from subnet 2 to a computer on subnet 1, the computer on subnet 1 thinks it has a connection with 192.168.0.99. When you try to establish a connection from subnet 1 to a computer on subnet 2 it won't work, because the router won't route anything to subnet 2 because NAT is enabled.

    If you want to connect to a computer on subnet 2 while NAT is enabled you would have to connect to 192.168.0.99 and forward port 3389 to the computer on subnet 2 that you want to connect to.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com
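    The behaviour Jeremy describes, as an added toy model of a stateful NAT (my illustration, not RRAS's implementation): inbound packets from subnet 1 are only translated and routed on if they are addressed to the ExtNIC address and match either a mapping created by an earlier outbound connection or a static port forward. The addresses are the ones from the thread; the internal host 192.168.1.20 is an assumed example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

EXT_IP = "192.168.0.99"  # RRAS ExtNIC: the only address subnet 1 sees once NAT is on


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Nat:
    # dynamic translations created by outbound traffic: ext_port -> (internal host, port)
    table: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # static port forwards (the RRAS "Services and Ports" style mapping Jeremy suggests)
    static: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 49152

    def forward_port(self, ext_port: int, host: str, port: int) -> None:
        """Publish an internal service (e.g. RDP 3389) on the ExtNIC address."""
        self.static[ext_port] = (host, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Subnet 2 -> subnet 1: rewrite the source to ExtNIC and remember the flow."""
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = (pkt.src, pkt.sport)
        return Packet(EXT_IP, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Subnet 1 -> RRAS: translate and route on, or drop (return None)."""
        # A packet addressed directly to 192.168.1.x is never translated: this is why
        # RDP and ping into subnet 2 stop as soon as NAT is enabled on the ExtNIC.
        if pkt.dst != EXT_IP:
            return None
        target = self.static.get(pkt.dport) or self.table.get(pkt.dport)
        if target is None:  # unsolicited traffic with no mapping is dropped
            return None
        host, port = target
        return Packet(pkt.src, pkt.sport, host, port)
```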

    • #3
      Re: Enable NAT and no RDP?

      I appreciate you taking the time to reply Jeremy, thank you.

      Okay... at least my understanding of NAT is intact... sort of.

      As a quick experiment I configured the port forwarder and you're right, it forwards to the designated client even if I've set up to RDP into 192.168.0.99. I'm still surprised at this though; I assumed that by not having the firewall enabled on the RRAS, it'd just route the RDP packets to the client addressed in the header. I know that NAT would change the packet header, but thought it'd still be routable (which is hard without the original header of course!)

      I guess what I'm doing is trying to justify the use of an RRAS to act as a NAT device and I'm struggling to do so.

      Anyway I'd better get on with something more constructive! Thanks again.

      Michael P
      Regards,
      Michael

      • #4
        Re: Enable NAT and no RDP?

        I think you'll find the general consensus is that hardware firewalls are better. They're usually faster, sometimes more robust, and generally more secure because they don't have other functions to exploit.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com
