Due to limitations with my Open Networks 501R ADSL Router, I require ISA on
SBS2K to do Port Address Translation.

The 501R does PAT for incoming SMTP, POP3, RDP - but will only allow for the
port number to be assigned once - even if you are using multiple external
addresses.

I have additional public IPs in the 501R NAT global pool which need access
to an internal Terminal Server. As I need remote RDP access to both internal
servers, I require ISA to listen for RDP connections using the standard port
(3389) as well as a different TCP port.

Then using ISA server publishing, I would then route this connection to the
internal terminal server which uses the default TCP port number 3389.

i.e. [the 192.x is considered ext int on SBS][the 10.x is the int network]
165.x.x.x:3389 > 192.168.10.2:3389 >10.4.2.1:3389
203.52.x.x.x:3389 > 192.168.10.3:3390 > 10.4.2

Small Business Server 2000 w/ ISA, Exchange.
Windows 2000 Server w/ Terminal Services.

Public IP address 1 is NAT'd to Internal IP.[This Works!]
Public IP address 2 is NAT'd to internal IP using different TCP port on
ISA.????

If there is a better way of achieving my desired config, pls feel free to
put forward suggestions.

Regards

Peter

Re: PAT / NAT with ISA? by Javier

Javier
Mon Oct 18 06:33:33 CDT 2004

To do what you want you would need to assign two IPs to the external ISA
interface and then forward requests to the different IPs from the router.
However, it looks like your router doesn't have this capability... so I
suggest you get something else.

In any event, my solution for you is to use RWW either for both servers or
only for the SBS box. This way you free the 3389 port for one of the boxes
and still be capable to RDP to the 2nd one.

The other option is to move one of the servers to another (non-standard)
port. So you would use 3389 for the TS box and 3388 for the SBS.

... and still you have another option that is to publish the TS box using
3389 and use VPN/RDP to connect to the SBS box (keep using 3389 on both).

Cheers,

--
Javier [SBS MVP]

<< SBS ROCKS !!! >>




Re: PAT / NAT with ISA? by Javier

Javier
Mon Oct 18 06:45:50 CDT 2004

Sorry, I just reread your thread and realized that you are not using SBS2k3,
so RWW is not an option (a reason to upgrade!). In any event the other
options are still valid.

--
Javier [SBS MVP]

<< SBS ROCKS !!! >>




Re: PAT / NAT with ISA? by SuperGumby

SuperGumby
Mon Oct 18 07:27:24 CDT 2004

Your easiest solution would be to drop the multiple public IPs and server
publish the one TS, then use it to hop over to the other.




Re: PAT / NAT with ISA? by Peter

Peter
Mon Oct 18 09:58:14 CDT 2004

SuperGumby > This was one of the scenarios I was wanting to avoid. Many
thanks for your input.






Re: PAT / NAT with ISA? by Peter

Peter
Mon Oct 18 10:05:48 CDT 2004

Once the packets reach the 501R router, it proxies to the external interface
on the ISA server (which has two addresses on the interface - 192.168.10.2
and 192.168.10.3). I then have a server publishing rule to proxy that
connection to the desired internal interface.

If the 192.168.10.3 could listen for RDP connections on an alternate port
and 192.168.10.2 listen on the standard 3389 port - my problem would be
resolved.

I hope that explains the scenario.

*** The VPN option is trying to be avoided at this time. Or I could do a
session in a session - which is not what I want and is impractical.

Peter




Re: PAT / NAT with ISA? by Javier

Javier
Mon Oct 18 12:44:33 CDT 2004

> If the 192.168.10.3 could listen for RDP connections on an alternate port
> and 192.168.10.2 listen on the standard 3389 port - my problem would be
> resolved.

Of course you can do that... but I suspect that's not really what you want.
In fact, if you *can* use that setup... why do you need 2 IPs in the first
place? If I understood you correctly you want to access both servers using
the standard port (3389) from outside your LAN. If that's the case, what you
are proposing won't work, because the ADSL router will be forwarding
*another* port.

Remember SBS/ISA can direct traffic of 192.168.10.3 to one server and
192.168.10.2 to another... but you can't redirect the port number (i.e.
listen on port 3390 and then forward to 3389).

--
Javier [SBS MVP]

<< SBS ROCKS!!! >>
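
The two limits described in this thread (the 501R accepts each port number only once, and ISA server publishing cannot change the port), modelled as an added example that is not code from any poster. The public addresses and the `server-A`/`server-B` labels are constructed placeholders, and the alternative plan follows the "move one server to 3388" suggestion.

```python
from collections import Counter

# Rule tuples are (listen_ip, listen_port, target, target_port).
# All public addresses and host labels below are constructed placeholders.

def router_conflicts(pat_rules):
    """Ports forwarded more than once; per the thread the 501R rejects this
    even when the rules sit on different public addresses."""
    counts = Counter(port for _ip, port, _t, _tp in pat_rules)
    return sorted(p for p, n in counts.items() if n > 1)

def isa_port_changes(publish_rules):
    """Publishing rules that would need a port rewrite, which the thread
    says ISA server publishing cannot do."""
    return [r for r in publish_rules if r[1] != r[3]]

def dangling(pat_rules, publish_rules):
    """Router targets with no ISA listener on that address and port."""
    listeners = {(ip, port) for ip, port, _t, _tp in publish_rules}
    return [r for r in pat_rules if (r[2], r[3]) not in listeners]

def check_plan(pat_rules, publish_rules):
    problems = []
    for port in router_conflicts(pat_rules):
        problems.append(f"router: port {port} assigned more than once")
    for ip, port, target, tport in isa_port_changes(publish_rules):
        problems.append(f"isa: {ip}:{port} -> {target}:{tport} changes port")
    for _ip, _port, target, tport in dangling(pat_rules, publish_rules):
        problems.append(f"isa: nothing listening on {target}:{tport}")
    return problems

# Plan from the original post: both public addresses accept 3389.
WANTED_ROUTER = [("203.0.113.1", 3389, "192.168.10.2", 3389),
                 ("203.0.113.2", 3389, "192.168.10.3", 3390)]
WANTED_ISA = [("192.168.10.2", 3389, "server-A", 3389),
              ("192.168.10.3", 3390, "server-B", 3389)]

# Alternative from the replies: one server itself moves to port 3388.
ALT_ROUTER = [("203.0.113.1", 3389, "192.168.10.2", 3389),
              ("203.0.113.1", 3388, "192.168.10.3", 3388)]
ALT_ISA = [("192.168.10.2", 3389, "server-A", 3389),
           ("192.168.10.3", 3388, "server-B", 3388)]

if __name__ == "__main__":
    print(check_plan(WANTED_ROUTER, WANTED_ISA))
    print(check_plan(ALT_ROUTER, ALT_ISA))
```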