RRAS/NAT connection issues

    Question

  • Hi everyone, I'm running into a weird problem with RRAS/NAT on my Windows Server 2012 machine for my home lab. In my lab I have a private 10.0.0.x network of hosted VMs. My hypervisor is running RRAS and NAT and is configured with one physical NIC and one virtual internal NIC. The physical NIC connects to my router that goes to the internet (192.168.1.0/24 subnet) and the internal NIC connects to my private network.

    In the RRAS management tool I use a custom config and select only NAT and LAN Routing. At this point NAT is not configured, since I haven't assigned the internal and external interfaces. So from here I'm able to ping the 10.0.0.x machines from the 192.168.1.x network and vice versa. After I configure NAT with the external and internal interfaces, I am no longer able to ping the 10.0.0.x machines from the 192.168.1.x subnet. However, I can successfully ping from the 10.0.0.x machines to the 192.168.1.x network.

    I've also set up a rule on the internet router to route all 10.0.0.0 traffic to the physical NIC of the hypervisor. Here's my current layout.

    Internet
    |
    Router 192.168.1.1
    |
    Hypervisor - Physical NIC 192.168.1.100, DG 192.168.1.1
               - Virtual internal NIC 10.0.0.1, no DG assigned
    |
    VM Client - 10.0.0.4, DG 10.0.0.1

    Any ideas as to why I can ping both ways when NAT is disabled but not when it is enabled? I'd like to keep NAT on so that my clients can connect to the internet for updates, but are also accessible for remote login from the 192.168 subnet.

    Friday, December 27, 2013 5:35 PM

Answers

  • Hi,

    “I've also set up a rule on the internet router to route all 10.0.0.0 traffic to the physical NIC of the hypervisor. Here's my current layout.”

    Are you planning to set up NAT to connect the internal virtual switch network VMs and the external network nodes?

    If yes, the network topology must be like the one mentioned in the following similar threads:

    Hyper-V VM cannot access internet through RRAS NAT

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/884edab8-c31d-43e0-af55-fe241c9029ee/hyperv-vm-cannot-access-internet-through-rras-nat?forum=winserverhyperv

    RRAS in VM

    http://social.technet.microsoft.com/Forums/en-US/486bcbb4-bf01-4946-b103-cd896e9dafb9/rras-in-vm?forum=winserverhyperv

    Hope this helps.



    Monday, December 30, 2013 8:24 AM
    Moderator
  • <snipped>

    .... After I configure NAT with the external and internal interfaces, I am no longer able to ping the 10.0.0.x machines from the 192.168.1.x subnet. However, I can successfully ping from the 10.0.0.x machines to the 192.168.1.x network.

    I've also set up a rule on the internet router to route all 10.0.0.0 traffic to the physical NIC of the hypervisor. Here's my current layout.

    Internet
    |
    Router 192.168.1.1
    |
    Hypervisor - Physical NIC 192.168.1.100, DG 192.168.1.1
               - Virtual internal NIC 10.0.0.1, no DG assigned
    |
    VM Client - 10.0.0.4, DG 10.0.0.1

    Any ideas as to why I can ping both ways when NAT is disabled but not when it is enabled? I'd like to keep NAT on so that my clients can connect to the internet for updates, but are also accessible for remote login from the 192.168 subnet.

    Unless I'm totally misunderstanding the problem here (and I apologize if I do), with NAT, any internal machine behind a NAT can and will successfully ping anything external (referred to as outbound traffic), as long as the firewall rules allow ICMP echo replies for sessions established by an internal host.

    However, anything external, including a directly connected subnet such as your 192.168.1.0/24, WILL NOT be able to ping anything internal (referred to as inbound traffic). This is because the outside interface of a NAT is that one and only one IP. NAT will then translate inbound traffic...

    This is default and expected behavior.

    It's the same as if I had set up a Cisco ASA firewall that is using NAT for my internal company network. It will not allow inbound access from anything unless I create port translations. I wouldn't want anything to do that anyway.

    As for no NAT: if you have a machine on the outside subnet directly connected to the router (such as your server), then the router will route that traffic directly to the internal subnet because it knows the route, since it's directly connected.

    I hope I understood your question and concerns. If not, please elaborate...


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, December 31, 2013 5:26 AM
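    The session-table behaviour Ace describes (an outbound packet creates a translation, an unsolicited inbound packet matches nothing and is dropped, and a port translation pins one public port to one inside host) as an added Python model; this is not code from the thread or from RRAS. It uses the poster's addresses; the outside client 192.168.1.50 is constructed, and TCP 3389 is assumed for the remote login.

```python
"""NAT session-table model for the thread's layout: hosts behind the RRAS NAT
can ping out but cannot be pinged in, unless a port translation is configured.
Added illustration, not code from the thread; addresses are the poster's."""
from dataclasses import dataclass, replace
from typing import Optional

EXTERNAL_IP = "192.168.1.100"   # hypervisor physical NIC = NAT outside address

@dataclass(frozen=True)
class Packet:
    proto: str        # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0    # TCP source port, or ICMP echo identifier
    dport: int = 0    # TCP destination port (0 for ICMP)

class Nat:
    def __init__(self, external_ip: str, inside_prefix: str = "10.0.0."):
        self.ext = external_ip
        self.inside_prefix = inside_prefix
        self.sessions = {}   # (proto, public_port) -> (inside_ip, inside_port)
        self.static = {}     # same shape, configured by the administrator
        self.next_port = 40000

    def add_port_mapping(self, proto, public_port, inside_ip, inside_port):
        """The 'port translation' the answer refers to: one public port is
        pinned to one inside host/port, so unsolicited inbound can reach it."""
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allocate a public port, record the session and
        rewrite the source so the reply comes back to EXTERNAL_IP."""
        assert pkt.src.startswith(self.inside_prefix), "not an inside host"
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.ext, sport=public_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: returns the translated packet, or None (dropped).
        The outside only sees one IP; a packet addressed straight to a 10.0.0.x
        host (as the router's static route delivers it) matches nothing and is
        dropped, which is the failed ping from 192.168.1.x."""
        if pkt.dst != self.ext:
            return None
        # ICMP replies echo the identifier back in the same field; TCP replies
        # arrive with the allocated public port as their destination.
        key = (pkt.proto, pkt.sport if pkt.proto == "icmp" else pkt.dport)
        if key in self.sessions:       # reply to an inside-initiated session
            inside_ip, inside_port = self.sessions[key]
        elif key in self.static:       # administrator-configured translation
            inside_ip, inside_port = self.static[key]
        else:
            return None
        if pkt.proto == "icmp":
            return replace(pkt, dst=inside_ip, sport=inside_port)
        return replace(pkt, dst=inside_ip, dport=inside_port)

def demo():
    nat = Nat(EXTERNAL_IP)
    # 1. 10.0.0.4 pings 192.168.1.1: request goes out, reply is translated back.
    req = nat.outbound(Packet("icmp", "10.0.0.4", "192.168.1.1", sport=7))
    reply = nat.inbound(Packet("icmp", "192.168.1.1", req.src, sport=req.sport))
    # 2. 192.168.1.50 (constructed) pings 10.0.0.4 directly: no session, dropped.
    unsolicited = nat.inbound(Packet("icmp", "192.168.1.50", "10.0.0.4", sport=9))
    # 3. Port translation for RDP (assumed TCP 3389) exposes the inside host.
    nat.add_port_mapping("tcp", 3389, "10.0.0.4", 3389)
    rdp = nat.inbound(Packet("tcp", "192.168.1.50", EXTERNAL_IP, 51000, 3389))
    return req, reply, unsolicited, rdp
```

Without the static mapping, only case 1 is delivered to an inside host; case 2 is exactly the ping that stops working once NAT is enabled.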

All replies

  •   Looks like you are using the "belts and braces" approach. With LAN routing you need a static route on the Internet router. With NAT routing you don't.

      See my reply to a similar post close by in this forum.


    Bill

    Friday, December 27, 2013 11:52 PM
  •   My guess is that either NAT is not configured correctly or it hasn't taken effect yet. In my experience you usually have to reboot at least once before it takes effect.


    Bill

    Saturday, December 28, 2013 9:52 PM
  • Hi Ace,

    I have a similar setup to the author of this post and I face the same issue. Here's the link to my question posted on the forum.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b0a474ce-d995-45e0-8a48-45fec2a150b6/home-lab-with-rras-nat-and-lan-routing?forum=winservergen

    I am tempted to try out your solution quoted above: "It's the same as if I had set up a Cisco ASA firewall that is using NAT for my internal company network. It will not allow inbound access from anything unless I create port translations". However, I'm not sure how to implement that. I'd appreciate your step-by-step guidance, if you don't mind.

    Also, I would like to understand your remark "I wouldn't want anything to do that anyway". Could you explain further and the reason why you say so?

    Lastly, I would like your advice on whether implementing your idea of port translation would pose any issue at a later stage, when I try to achieve my setup objective of "trying to create a server farm that would become my pseudo "Production" environment that I will then replicate to the cloud using Azure Site Recovery (ASR)", as I narrated in my question posted in the forum.

    I really appreciate your expert advice, as this issue has been driving me crazy.

    Friday, July 13, 2018 7:56 AM
  • Hi Ace,

    I have a similar setup to the author of this post and I face the same issue. Here's the link to my question posted on the forum.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b0a474ce-d995-45e0-8a48-45fec2a150b6/home-lab-with-rras-nat-and-lan-routing?forum=winservergen

    I am tempted to try out your solution quoted above: "It's the same as if I had set up a Cisco ASA firewall that is using NAT for my internal company network. It will not allow inbound access from anything unless I create port translations". However, I'm not sure how to implement that. I'd appreciate your step-by-step guidance, if you don't mind.

    This is a really old post. How did you find it? What were you searching on that led you to this?

    I'm not an ASA expert. If you have a Cisco Gold 24/7 contract, submit a TAC request with your exact needs, and they will remote in and set this up for you.

    Also, I would like to understand your remark "I wouldn't want anything to do that anyway". Could you explain further and the reason why you say so?

    That was in reference to not permitting anyone from the internet to directly ping an internal machine by its private IP. We don't want that, nor can it happen anyway, unless you port-translate the outside public IP to the internal private IP & port.

    Lastly, I would like your advice on whether implementing your idea of port translation would pose any issue at a later stage, when I try to achieve my setup objective of "trying to create a server farm that would become my pseudo "Production" environment that I will then replicate to the cloud using Azure Site Recovery (ASR)", as I narrated in my question posted in the forum.

    I really appreciate your expert advice, as this issue has been driving me crazy.


    You will need to create a VPN tunnel between your on-prem network and your Azure tenant. This question would be best suited for the Azure forum.


    Ace Fekay
    MVP, MCT, MCSE, 2016/2012/2008/2003/2000/NT4, Exchange 2016/2013/2010/2007/2003/2000/5.5
    Microsoft Certified Trainer
    Microsoft MVP: Enterprise Mobility
    Blogs: https://blogs.msmvps.com/acefekay/

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, July 13, 2018 10:21 PM
  • Hi Ace,

    Thanks very much for replying.

    With regards to your comments:

    "This is a really old post. How did you find it? What were you searching on that led you to this?"

    My answer: I am trying to resolve the network communication issue as presented in the home lab setup diagram shown in this link:

    https://drive.google.com/open?id=17ssUcXqJ9ZJwe0w8pYHaYcW1F8kUNybQ

    When searching on Google for the solution, I searched for the topic "Windows Server RRAS NAT and LAN Routing Internet Access Bidirectional Communication", and this search led me to this forum thread.

    "I'm not an ASA expert. If you have a Cisco Gold 24/7 contract, submit a TAC request with your exact needs, and they will remote in and set this up for you."

    My answer: Don't get me wrong. I am not asking anything related to ASA or Cisco. I'm not sure what that meant. It's just a phrase I copied from your reply earlier in this forum thread. Let's skip this.

    All I want is to find a solution for how I could ping the internal network behind NAT from the external network.

    As you can see from my home lab setup diagram in the link above, I am facing the following issues while trying to meet my setup objective:

    The purpose of such a setup in my home lab is that I am trying to create a server farm that would become my pseudo "Production" environment, which I will then replicate to the cloud using Azure Site Recovery (ASR).

    At the current setup stage, the objectives I am trying to reach are:

    (1) to enable all the nested VMs, including VM1 and VM2, to have internet access;

    (2) bidirectional ping communication: the nested VMs in VM1 are able to ping VM2 and vice versa (i.e. VM2 is able to ping the nested VMs).

    In my RRAS configuration, I enable both NAT and LAN Routing under "Custom Configuration". This allows me to achieve objective (1), which is that all the nested VMs have internet access, and at the same time part of objective (2), which is that the nested VMs are able to ping VM2 and the External Virtual Switch in VM1.

    However, VM2 is unable to ping the nested VMs.

    If I were to remove the NAT, objective (2) would immediately be achieved. However, the nested VMs would lose the internet connection.

    I'd really appreciate it if you could advise me on this. Thanks in advance.

    • Edited by Tommy1212 Saturday, July 14, 2018 1:56 AM
    Saturday, July 14, 2018 1:53 AM
  • Take a look at this:

    Site Recovery: Ensure application availability with cloud-based disaster recovery
    This has some videos showing a step by step
    https://azure.microsoft.com/en-us/services/site-recovery/

    I think you may benefit from reading up on how AD works and the background of how basic networking works with AD. The first thing I see in your network diagram is that you are using Google's DNS servers. Google has no idea about your AD. If a machine needs to find something in AD, it asks DNS. Does Google DNS have that answer? Nope.

    Active Directory’s Reliance on DNS – Why not to use your ISP’s DNS 
    https://blogs.msmvps.com/acefekay/2016/10/15/active-directorys-reliance-on-dns-why-not-to-use-your-isps-dns/

    Look at the basic network image, below. If it does not post, click here:
    https://onedrive.live.com/?auth=1&cid=0C7B9FD0852378B8&id=C7B9FD0852378B8%21204&parId=C7B9FD0852378B8%21198&o=OneUp

    Basic Network Design

    Some more reading to do:

    Connecting your on-premises network to Azure (2011)
    https://docs.microsoft.com/en-us/azure/guidance/guidance-connecting-your-on-premises-network-to-azure

    ASR (Azure Site Recovery) question about networking
    https://www.reddit.com/r/AZURE/comments/80sbfs/asr_azure_site_recovery_question_about_networking/

    Azure Site Recovery: frequently asked questions (FAQ)
    https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-faq


    Ace Fekay
    MVP, MCT, MCSE, 2016/2012/2008/2003/2000/NT4, Exchange 2016/2013/2010/2007/2003/2000/5.5
    Microsoft Certified Trainer
    Microsoft MVP: Enterprise Mobility
    Blogs: https://blogs.msmvps.com/acefekay/

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    Saturday, July 14, 2018 2:30 AM
  • Hi Ace,

    Perhaps things are getting complicated here. I apologize if I have misled you somewhere. Really sorry.

    Let's forget about the Azure Site Recovery, AD, etc. topics... All these roles/functionalities/purposes are not yet implemented at this stage. What is shown in the diagram about the AD is what I eventually plan to achieve at a later stage, but not now. At this moment, all three nested VMs just have the OS installed, without any roles or other software whatsoever.

    At this early stage, all I wish to achieve is a very simple objective. It is just about how I could ping from VM2 to all three nested VMs which reside in the internal network behind NAT.

    • Edited by Tommy1212 Saturday, July 14, 2018 2:54 AM
    Saturday, July 14, 2018 2:46 AM
  • Hi Tommy,

    You are correct. What you are requesting is a bit complicated to discuss in a thread.

    You are saying you want to ping VM1 to VM2. Do you want to ping by name, or by IP address?

    Based on your network settings, this won't work. I see different gateways, different subnets, and you are using Google DNS servers that do not have your internal information. Hyper-V settings and interfaces are another factor.

    I honestly think you should post this question to the Hyper-V forum to help you straighten out your Hyper-V settings and configuration.

    Then I'd like to ask you to read my blog on how Active Directory and DNS work.



    Ace Fekay
    MVP, MCT, MCSE, 2016/2012/2008/2003/2000/NT4, Exchange 2016/2013/2010/2007/2003/2000/5.5
    Microsoft Certified Trainer
    Blogs: https://blogs.msmvps.com/acefekay/

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    Saturday, July 14, 2018 1:11 PM
  • Hi Ace,

    "You are saying you want to ping VM1 to VM2. Do you want to ping by name, or by IP address?"

    My response: Pinging from either VM1 or from the three nested VMs within VM1 to VM2 has no issue, because it is pinging from inside the NAT network to outside the NAT network. My issue is pinging from VM2 to the three nested VMs which are behind NAT.

    Perhaps my diagram confused you. I have simplified the diagram. Here's the new link: https://drive.google.com/open?id=1t183iwlm9Sc4RU6pJE2cPKPrXEhXFDjh

    From your replies in other forums, I believe you can help to resolve the issue I face. All I want to achieve is very straightforward: how to be able to ping the internal network behind NAT from the external network. That's all.

    • Edited by Tommy1212 Thursday, July 19, 2018 3:51 AM
    Wednesday, July 18, 2018 11:00 PM