Multihomed RRAS server IP forwarding help.

Hopefully I can finally get this figured out since I've been pulling my hair out searching for a solution. Here's the situation:

In the office we have a fiber line with 5 IPs going into an external NIC on a multihomed Windows 2003 RRAS server using NAT. 2nd internal nat goes into internal network with private IPs:

Ext Nic IP 209.128.1.99 with assigned netmask 255.255.255.252 and gateway 209.x.x.98
Int Nic 192.168.0.15 subnet 255.255.255.0 no gateway.

The NAT is working fine for sharing the internet within the office, but I also have a block of IPs from 100-105 that I want to use on internal servers (with direct access to the outside world).

IPRouting is enabled in the registry.

Basically I have an internal IIS6 server on 192.168.0.22 and I want to add an external IP (not just port forward) of 209.x.x.105. I can only ping the 105 IP when I add it directly to the RRAS server (obviously not what I want).

If someone could please shed any light on the subject or point me in the right direction I'd appreciate it as I'd have my sanity back.
 
Wow, I think what you need is a real firewall. I've never seen RRAS in a production environment doing multiple NAT translations for separate internal clients. Is this just a vanilla 2003 server running RRAS or is this at least ISA server?
 
Well, at least it's ISA 2006 at least. Can't really help much with the configuration. The places I've seen ISA installed still had a firewall in front of it. :(
 
Seems to me you need to set up the IIS server on a DMZ or do one-to-one NAT. Linksys/Cisco business routers support this feature for under $250.
 
I believe it's called "server publishing" on the ISA interface.

EDIT:

Open ISA Server Management
Select firewall policy
Select "tasks" tab on the far right hand column
Click "Publish Web Sites"
 
I'm guessing I may have to bite the bullet and buy into a hardware router. I've checked the server publishing and while it sort of does work, it's not quite what I was looking for.

Can anyone recommend a router that would be able to handle 5-10 external IPs with the routing capabilities I'm looking for?
 
I'm guessing I may have to bite the bullet and buy into a hardware router. I've checked the server publishing and while it sort of does work, it's not quite what I was looking for.

Can anyone recommend a router that would be able to handle 5-10 external IPs with the routing capabilities I'm looking for?

What isn't presently working?

I've got an ISA2006 box with about 20-30 external IPs (maybe more, would have to check) used, NAT'ing for a few subnets with a few hundred websites published.

That being said, I hate ISA and it's being deprecated. I agree that a hardware firewall/router would be a better solution.
 
Cisco ASA5500 series would work nicely. What is your budget? How many users do you have? If it's not too many you could probably get away with an ASA5505 otherwise you'd have to step up to the 5510.
 
Cisco ASA5500 series would work nicely. What is your budget? How many users do you have? If it's not too many you could probably get away with an ASA5505 otherwise you'd have to step up to the 5510.

Need to know a few things:

What features do you need? Site to site VPN? Client VPN? IPS, IDS?
How much bandwidth are you working with? You mentioned fibre; most ISPs don't provision less than 10Mb, but for all we know you've got a gigabit fibre connection you're almost saturating! (Unlikely, but before we can size something up for you, we should probably know.)
How many VLANs does it need to support? How many clients behind the firewall? Do you need HA? (clustering?)
 
LOL I didn't mean to come across as an arse :( you honestly seem to be one of the more intelligent people in the networking subforum, seriously.

Flattery will get you everywhere . . . .

No worries, though, I was just being an arse myself. Although you do raise a good point about needing much more information before we just up and recommend a particular solution.

OP - are you using any of the other features of ISA other than the NAT? Do you need UTM features at all?
 
Cheers for all the help by the way.

We have a 10mbit full connection coming into the office. vSphere server with about 15 VMs, 20 concurrent users/desktop clients connected through AD and VPN (only 1 or two users through VPN). Also an ISA edge firewall, all set up by myself.

I really wouldn't have needed a router but I want to move my dedicated servers from an online company into our office since we were getting a fiber connection. It comes with a block of IPs so I wanted to create a VM for the webserver etc. and give it a visible external IP address different from the office. It won't be associated with the work network at all.

I'm new to routing and have been reading up on things, mainly about how to do it with a software router, but like I said, I think I'm going to need a Cisco option.
 
Throw a /28 VLAN on your core for the WAN connection and just don't have a default gateway for the VLAN on the core. Then you can tag the VLAN on your trunk to the ESX host and put your soft firewall's outside interface in that vswitch? Also gives you the flexibility of plugging your physical router's outside interface into the core and just putting it in the "WAN" VLAN.
 
I think an ASA5505 is just what you're looking for. You'll need to get a 50-user model minimum, however, if you think you'll come close to the 50 device limit then I'd just go for the unlimited user model.
 
After doing a bit of research I think you're right. I've found a 50 user ASA 5505 for just over 300 which I think is a pretty good deal. The next problem is I've never worked with that kind of hardware, the general setup seems ok but could you recommend anything that I could read which might help with really understanding the device?
 
After doing a bit of research I think you're right. I've found a 50 user ASA 5505 for just over 300 which I think is a pretty good deal. The next problem is I've never worked with that kind of hardware, the general setup seems ok but could you recommend anything that I could read which might help with really understanding the device?

Where the hell did you find a 50 user ASA5505 for $300? I've only seen it for $550 on the net. I got mine for home use for about $501, and that is because I had a buddy at pc connection.com... he told me their cost was $496.00.
 
Cheers for the link Capt. As for where I found it. On ebay. Used. Actually got an unlimited user 5505 for 470 Canadian with shipping.
 
Cheers for the link Capt. As for where I found it. On ebay. Used. Actually got an unlimited user 5505 for 470 Canadian with shipping.

Awww... okay, used. That's the key. Yeah, mine is new... okay, thanks for following up bro.
 