NAT directing to web server???

October 21, 2009 at 12:06:04
Specs: Windows 2003 svr, 1024
I have a Win03 server with 2 NICs; it's acting as a NAT router for the private LAN. I have a Win03 web server inside the private LAN. Is there a way to direct the incoming web requests that are received by the NAT to go to the web server?
I want this web server to be accessed from the Internet, but I want to try and see if I can have it accessed while it's part of the private LAN, instead of having the web server separated from the LAN and connected directly to the router.

LAN setup = Linksys router --> NIC #1 from NAT router to Linksys router --> Linksys switch, then connect the private LAN hardware such as NIC #2, web server, XP clients.

It would probably be easier to connect the web server to the Linksys router and keep it out of the LAN, but I want to see if I can do it while the web server is in the LAN.




#1
October 21, 2009 at 14:44:27
I want this web server to be accessed from the Internet, but I want to try and see if I can have it accessed while it's part of the private LAN, instead of having the web server separated from the LAN and connected directly to the router.

Typically, you would put a web server in a DMZ and not inside your LAN. This is for security reasons. I'm not sure why you would prefer to take a less safe path and have it inside the LAN and still be accessed externally. If you'll pardon me saying so, this is an accident waiting to happen.

If it were me, I'd play it safe, attach the web server directly to the Linksys router and put it in the DMZ.

it would probably be easier to connect the web server to the linksys router and keep it out of the LAN, but i want to see if i can do it while the web server is in the LAN

No, it would definitely be easier. When dealing with most anything computer related the KISS principle is always best (i.e. keep it simple). Making anything more complex than it needs to be means making it easier for it to break, and when it does (note the use of "when" and not "if") it also makes troubleshooting and fixing the problem harder too.

You go ahead and do what you want, but if you do, and you find your LAN hacked because someone breached your web server and got into your LAN, or, when something breaks and you find yourself unable to fix it, remember you were warned by a professional to not do this.



#2
October 21, 2009 at 14:56:31
Canman, you should spend some time learning about network security. Things changed a few years back concerning the Internet. It's all about stealing now. Every virus, every malware, etc. is all about cybercrime now. What you proposed with the web server in the LAN is just what these thieves are hoping for: an open door.


#3
October 22, 2009 at 11:09:46
Curt R & Wanderer, thanks, I will probably do it using the DMZ.

Can you explain what this DMZ does, or what it is?



#4
October 22, 2009 at 12:36:25
I already have a couple of ports open on the router for the AD DC VPN server and RDP.

If I do DMZ with the web server, will it cause a conflict with the present port forwarding?



#5
October 22, 2009 at 17:37:32
"i will probably do it using the DMZ. "

That is the worst choice to use.

Playing to the angels
Les Paul (1915-2009)



#6
October 22, 2009 at 19:29:51
What is the worst choice to use?

Putting the web server in the DMZ?



#7
October 22, 2009 at 19:35:18
I do not want to use the DMZ; I would rather use port forwarding!!

But should I set it up by putting the web server in the private LAN, and have any requests go from the RRAS to the web server? How would I set this up?

Or have the web server not part of the LAN, have it connected to the router and forward port 80 on it?



#8
October 23, 2009 at 10:00:28
You'll have to excuse jefro. He frequently says things that make little or no sense and this is one of those cases. You'll notice he makes a negative statement about DMZs but then doesn't offer any proof of his statement or any alternatives (right or wrong).

Everybody who has a clue puts web servers in a DMZ. This gives them external availability while keeping them separate from your LAN. This keeps your LAN safe and keeps external users out of it. Don't believe me though, do some research and ask around.

If you're not sure what a DMZ is, use google and start doing some reading and research. Try the following search string to start, "web servers+dmz".

Everything you need to know is freely available on the web.




#9
October 23, 2009 at 10:29:21
I did some research and it says port forwarding is safer than DMZ, but I will probably go with the DMZ since many people are recommending it.


#10
October 23, 2009 at 12:05:07
Read the following:

http://en.wikipedia.org/wiki/DMZ_(c...

Pay attention to the first paragraph and its statement about the purpose of a DMZ.

Keep in mind, if you use a port forward to something inside your LAN, what you end up with is a potential hacker inside your firewall(s) and then try to figure out for yourself just how that is safer than a DMZ.

Whatever you were reading is dead wrong. Where I work we have many web servers and outward-facing servers and all are in our DMZ, and under no circumstances would anybody EVER do a port forward to a server inside our firewalls. In fact, to do so would be grounds for immediate dismissal. Full stop!



#11
October 23, 2009 at 13:28:05
They should have directed you to places like this long ago.

http://technet.microsoft.com/en-us/...

The Wiki is junk.
First part says.
" This article does not cite any references or sources. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. (October 2008)"

This is what CurtR claims to be fact.

And if they say run DMZ that is fine, but they should say they're too stupid to configure the port forwarding and can't help the people. Instead they are simply insulting.

I don't care if it is private, or behind a firewall. Viruses, malware, hackers and unauthorized users can ruin a LAN.

I guess dummies say stuff like disable firewalls, use dmz and what ever it's safe. If they were so smart they'd have fixed your deal by now.

Playing to the angels
Les Paul (1915-2009)



#12
October 23, 2009 at 15:20:24
Honestly jefro.......

I said, and I quote: "Pay attention to the first paragraph and its statement about the purpose of a DMZ." Nowhere in that does it say "take wiki as gospel" or that it is "fact". Why not? Because I know better. But the first paragraph,

"In computer security, a demilitarized zone, named after the military usage of the term and normally abbreviated to DMZ; also known as a Data Management Zone or Demarcation Zone or Perimeter Network, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger, untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than the whole of the network."

is actually rather accurate and a good description of a DMZ.

I also understand you have very limited experience in the computing industry. Just like I understand English is not your first language, and that frequently leads to you misunderstanding and giving out some strange 'advice'.

I try to be patient with you, but when you say things that are patently wrong, I have to point it out. The only thing I can think of that's worse than not answering someone is giving them misinformation. I'm not trying to pick on you or disrespect you, and if you think about it honestly for a minute, when you give out good advice, I don't jump on you, do I!? No, I keep my trap shut and go read another post.

I see you like to rely heavily on microsoft, as per your link above. I gave it a quick scan but not an in-depth one because it's very one-sided as most anything Microsoft publishes tends to be.

I stand firm in my conviction that the majority of businesses out there (including places that run MS and nothing else) use a DMZ for web, and any other external, servers as compared to port forwarding.

I feel quite confident most, if not all, web hosting sites also use a DMZ over port forwarding. Not only is it easier to set up, it's easier to maintain. It requires less administration to add/remove and it's safer.


I guess dummies say stuff like disable firewalls, use dmz and what ever it's safe. If they were so smart they'd have fixed your deal by now.

I'm not sure if you're directing this at me or not. I never said anywhere to disable firewalls. Conversely, I said use a DMZ which is segregated from a private (internal) network by a firewall.

As to having "fixed his deal": if I were on-site, I'd have had his web server up and running, in the DMZ, in probably less than 15 minutes. I can't make someone do something via a forum like this. It doesn't help when you're in there offering contradictory advice that confuses the OP and makes them unsure of whose advice to take.

All I know is that for the less-in-the-know, using a DMZ that's available on their SOHO router is a lot easier and safer than setting up a port forward to a web server and keeping it inside the LAN.
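The argument in the posts above (a port forward into the LAN puts the attacker inside the firewall; a DMZ host is walled off from the LAN) can be made concrete as a blast-radius calculation. The following Python model is an added illustration, not code from anyone in this thread. The zones, host names, rule tables and probe ports are assumptions chosen to mirror the two designs being argued about, and the model takes the worst case: any host the attacker can connect to is treated as fully compromised and used as the next pivot.

```python
"""Blast-radius comparison: port-forward into the LAN vs. web server in a DMZ.

Added illustration; the topology and rule tables below are assumptions, not
a description of the poster's actual router or RRAS configuration.
"""
from collections import deque

# A rule is (src_zone, dst, port, action). dst may be a host name or a zone
# name; "*" matches anything. First matching rule wins; no match means the
# packet is dropped (default deny), which is how a stateful firewall behaves.


class Network:
    def __init__(self, hosts, rules):
        self.hosts = dict(hosts)   # host name -> zone name
        self.rules = list(rules)

    def zone_of(self, endpoint):
        # An endpoint is either a known host or a bare zone name ("internet").
        return self.hosts.get(endpoint, endpoint)

    def allowed(self, src, dst, port):
        src_zone, dst_zone = self.zone_of(src), self.zone_of(dst)
        if src_zone == dst_zone:
            # Same segment: a plain switch does not filter east-west traffic,
            # which is exactly why "inside the LAN" is the dangerous place.
            return True
        for r_src, r_dst, r_port, action in self.rules:
            if (r_src in ("*", src_zone)
                    and r_dst in ("*", dst, dst_zone)
                    and r_port in ("*", port)):
                return action == "allow"
        return False

    def blast_radius(self, start, ports):
        """Hosts an attacker at `start` can eventually reach on any of `ports`,
        assuming (worst case) every reachable host is compromised and then used
        as the next pivot. Breadth-first search over the 'can connect' graph."""
        owned = {start}
        queue = deque([start])
        while queue:
            src = queue.popleft()
            for host in self.hosts:
                if host in owned:
                    continue
                if any(self.allowed(src, host, p) for p in ports):
                    owned.add(host)
                    queue.append(host)
        owned.discard(start)
        return owned


# Design 1: web server on the LAN, router forwards TCP/80 to it.
# Design 2: web server in a DMZ segment; the firewall denies DMZ -> LAN.
DESIGNS = {
    "port_forward_into_lan": Network(
        {"web": "lan", "dc": "lan", "client": "lan"},
        [("internet", "web", 80, "allow"),
         ("lan", "internet", "*", "allow")]),
    "web_in_dmz": Network(
        {"web": "dmz", "dc": "lan", "client": "lan"},
        [("internet", "web", 80, "allow"),
         ("dmz", "lan", "*", "deny"),
         ("lan", "*", "*", "allow")]),
}

# Ports an attacker who owns a box would try next (assumed list).
PROBE_PORTS = [80, 445, 3389]


def summary(start="internet"):
    """Sorted list of hosts an attacker starting at `start` ends up owning, per design."""
    return {name: sorted(net.blast_radius(start, PROBE_PORTS))
            for name, net in DESIGNS.items()}


if __name__ == "__main__":
    for name, hosts in summary().items():
        print(f"{name}: attacker on the Internet ends up owning {hosts}")
```

With these rule tables the port-forward design hands over the web server and then, because nothing filters traffic between hosts on the same switch, the DC and the client too; the DMZ design stops at the web server. The model is deliberately pessimistic about pivoting, which is the right default when deciding where an Internet-facing box lives.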



#13
October 24, 2009 at 09:53:14
I have a present Win03Svr AD DC server that is connected to the router; it has 2 NICs, providing Internet access to clients in the LAN via NAT. The IP address that the router is giving this server is 192.168.1.104.

NOTE: this router is the basic home linksys wireless WRT54GS with four ethernet cable ports.

If I connect this other Win03 web server to the router and configure port forwarding on port 80, it will be assigned an IP address in the same subnet range as 192.168.1.xxx. Will this make it possible for users that visit the website to then hack into the 192.168.1.104 server and get into the LAN?

If I put this web server in the DMZ instead, the IP address that the router assigns the web server will still be in the 192.168.1.xxx subnet, so won't hackers still be able to get into the LAN?



#14
October 25, 2009 at 06:08:21
I have a present Win03Svr AD DC server that is connected to the router; it has 2 NICs, providing Internet access to clients in the LAN via NAT. The IP address that the router is giving this server is 192.168.1.104.

Ok, two problems here.
1) You're letting your server get its IP from DHCP, by the sound of it. Servers and all other devices providing services in a network, like a network printer, should always have statically assigned IP addresses. This way they can never change.

I have seen it happen where a device, for whatever reason, gets a new IP from DHCP and the DNS host record doesn't update and suddenly nobody can access the service.

Considering this is your DC in an AD integrated domain, that's one thing you most definitely want to have a statically assigned IP.

2) Since you have a router, using RRAS/NAT on your server is moot and a waste of the DC's resources. You already have NAT doing the exact same job on the router so why would you want to duplicate it? All you're doing is adding another layer of complexity and therefore making it more likely something will break and if/when it does, you're making it harder to troubleshoot the issue.


I could tell from your first post that you don't really know what you're doing. Your doubling NAT and lack of understanding about something as basic as a DMZ confirms my assumption. If this is for a business, take some advice, hire someone like me to come and get you setup before you shoot yourself in the foot and get fired.

You know what. At the risk of being rude, I'm done talking to you. You don't listen and you don't do any research on your own and you don't seem to grasp even the most basic concepts. I won't be looking at this thread again so I wouldn't bother responding if I were you. I'm done trying to help you.



#15
October 25, 2009 at 09:57:06
My web server is up and running in the DMZ!! What was so hard, Curt R?

NIC #1 has the same IP address all the time, while NIC #2 is static for the AD DC on the LAN; all the clients are getting IP addresses from a static DHCP server. (I know what devices need static IPs, so shut up and get a job.)

I am using RRAS/NAT because I wanted to learn to configure it and have VPN capabilities; everything works perfectly.

How is the router set up to use RRAS/NAT?

I could not get Internet access to the clients until I set up NAT on the AD DC.



#16
October 26, 2009 at 10:45:33
I know how to set this up; I just wanted to hear where the best location to put the web server would be.


#17
October 26, 2009 at 11:27:39
"i could not get internet access to the clients until i setup NAT on the AD DC"

This is because you didn't read how to set up Microsoft DNS server, and in particular the forwarders tab, if you had MS DHCP giving the PCs the correct IP for the gateway.

It is going to take you twice as long to learn this stuff if you keep winging it and coming to the wrong conclusions because you didn't do the research. IT is all about research.

Jefro simply does not understand corporate network security like CurtR does, which is revealed by his rant about DMZ and port forwarding. His perspective on DMZ is based on the home user. Someday he will put together the amount of spam and how many of these "home servers" there are and realize that if it wasn't for these incorrectly configured systems there wouldn't be any hosts for the spammers to use.



#18
October 26, 2009 at 13:43:51
Uhhh, no. You two (or maybe the same rude person) are quick to insult but slow to read.

And somehow I passed the 2000, 2003, network, cisco, linux cert.


Thanks for at least putting my comments back.


No, DMZ is not a solution, it is a band aid.

I do understand one of the largest networks in the US. We outgrew our Class A subnet 20 years ago. Our firewalls are supposed to be the best Cisco offers and yet we do not ever allow internal LANs to be open. No one that claims to be qualified would either.

Playing to the angels
Les Paul (1915-2009)



#19
October 26, 2009 at 15:24:33
No one is insulting you jefro. We simply disagree with your opinion since it is not based in experience or fact. BTW CurtR and Wanderer are two different people.

Here is a good article explaining DMZ. You have the idea about port forwarding. Now you need to put that together with what a DMZ is for. For you these are two separate concepts when they are but a part of each other.

http://neworder.box.sk/news/7326

You may also find the reason some of us deliberately make DMZs is so we can detect attacks before they can penetrate to the core network.

Best of luck in your endeavors.
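The point made just above, that a DMZ exists partly so that an attack can be detected before it reaches the core network, rests on watching what the DMZ host tries to initiate toward the LAN. The detector below is an added example, not code from this thread or from any of the products mentioned in it. It parses constructed firewall log lines in an assumed "timestamp ACTION PROTO src:port -> dst:port" format, flags every connection a DMZ address attempts into the LAN, escalates a source that touches several distinct LAN targets to a sweep, and lists separately any DMZ-to-LAN flow the firewall actually allowed, since an allowed flow is a hole in the segmentation rather than an attack that was stopped. The DMZ subnet 192.168.50.0/24 is an assumption; the LAN subnet matches the 192.168.11.x range the poster describes.

```python
"""Detect a DMZ host pivoting toward the LAN from firewall log lines.

Added example. The log format, the DMZ subnet and the sample lines are
constructed for illustration and do not come from any real device.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed log format: "<date> <time> ALLOW|DENY TCP|UDP src:sport -> dst:dport"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: normal web traffic, then the DMZ web server probing the
# NAT/DC box (192.168.11.33) on RDP, SMB and PPTP, plus one allowed DNS flow.
SAMPLE_LOG = """
2009-10-26 18:00:01 ALLOW TCP 203.0.113.7:51234 -> 192.168.50.10:80
2009-10-26 18:00:05 ALLOW TCP 192.168.11.40:49152 -> 192.168.50.10:80
2009-10-26 18:01:02 DENY TCP 192.168.50.10:44321 -> 192.168.11.33:3389
2009-10-26 18:01:03 DENY TCP 192.168.50.10:44322 -> 192.168.11.33:445
2009-10-26 18:01:03 DENY TCP 192.168.50.10:44323 -> 192.168.11.33:1723
2009-10-26 18:01:04 ALLOW UDP 192.168.50.10:50001 -> 192.168.11.33:53
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_pivots(lines, dmz_net, lan_net, sweep_threshold=4):
    """Flag DMZ -> LAN connection attempts.

    Returns {"alerts": [...], "holes": [...]} where each alert groups one DMZ
    source with the distinct (dst, dport) targets it tried, labelled "sweep"
    once it touches sweep_threshold or more of them, and "holes" lists the
    DMZ -> LAN flows the firewall ALLOWed (segmentation gaps to review).
    """
    dmz = ipaddress.ip_network(dmz_net)
    lan = ipaddress.ip_network(lan_net)
    targets_by_src = defaultdict(set)
    holes = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        # Only traffic initiated from the DMZ toward the LAN is interesting here;
        # LAN -> DMZ (admins, monitoring) is expected and not alerted on.
        if ev["src"] in dmz and ev["dst"] in lan:
            targets_by_src[str(ev["src"])].add((str(ev["dst"]), ev["dport"]))
            if ev["action"] == "ALLOW":
                holes.append((ev["ts"], str(ev["src"]), str(ev["dst"]), ev["dport"]))
    alerts = []
    for src, targets in sorted(targets_by_src.items()):
        kind = "sweep" if len(targets) >= sweep_threshold else "probe"
        alerts.append({"src": src, "kind": kind, "targets": sorted(targets)})
    return {"alerts": alerts, "holes": holes}


if __name__ == "__main__":
    result = detect_pivots(SAMPLE_LOG.splitlines(), "192.168.50.0/24", "192.168.11.0/24")
    for a in result["alerts"]:
        print(f"{a['kind'].upper()}: {a['src']} -> {a['targets']}")
    for ts, src, dst, port in result["holes"]:
        print(f"HOLE: {ts} {src} reached {dst}:{port} (firewall allowed it)")
```

On the sample the web server shows up once as a sweep against the NAT/DC box, and the allowed UDP/53 flow is reported as a hole: if the DMZ host resolves names through the LAN domain controller, that is a path an attacker on the web server can use, and it should be replaced by an external resolver or a DNS relay that lives in the DMZ.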



#20
October 26, 2009 at 18:10:09
Wanderer: I did set up the DNS server correctly.

For the forwarders tab of the DNS server I added my ISP's DNS servers!!
On the DHCP server I have the default gateway set to the static IP address of the internal NIC (192.168.11.33), which is NIC #2 of the computer doing NAT.

Once I removed the values from the forwarders tab in DNS, the clients were not able to get Internet, so I put them back in.

I don't see how this is set up wrong??? If I remove any of these IP addresses, clients do not get any Internet access!

Clarify yourself!!



#21
October 26, 2009 at 18:17:45
No assumptions, just your own words, which are quoted at the top of post 17. You did not have to set up NAT to get Internet to the workstations.

To connect workstations to the Internet you provide them with the gateway IP of the router, and DNS is pointed at the server. At the server you put the ISP's DNS servers in the forwarders tab.

Great you wanted to play with RRAS but it was not required to get your workstations to the internet.



#22
October 26, 2009 at 18:43:22
So you're saying, instead of having the DHCP give the default gateway of 192.168.11.33 (internal NIC) to the clients, to give it the IP address of the router (192.168.1.1) instead?

I can't; the LAN is using a different subnet than the router.



#23
October 26, 2009 at 19:20:05
:-) If you hadn't configured RRAS you wouldn't need the 2nd NIC, and the workstations/server would have all been on the same subnet.

Don't lose track that what I am addressing is your statement and why your original config failed.

"i could not get internet access to the clients until i setup NAT on the AD DC"



#24
October 26, 2009 at 19:29:24
I wanted to learn about RRAS/NAT/VPN.

All works fine -- the NAT -- the VPN -- the RDP.

Could the VPN be set up with just 1 NIC?

The workstations/servers (NIC #2) are all on the same 192.168.11.xxx subnet, which all connect to a Linksys 5-port switch; NIC #1 is going to the router, which is on 192.168.1.xxx.



#25
October 26, 2009 at 19:41:28
My understanding is you can't do any of the RRAS features with just one NIC. Hey, what you have is working. Great. Have a great night. I am off to bed.


#26
October 27, 2009 at 10:37:17
I wanted to learn it this way. I could have easily had all clients directly connected to the router and left it alone, but I wanted to create a little LAN with AD DC, DHCP, and set up NAT, VPN etc. and have XP clients.

As long as the NIC that is connected to the router is not removed, it will keep the same IP address, and I can VPN and RDP in with no problems. Once I disconnect I will have to get the new IP address and change the port forwarding to the new address.

The web server is in the DMZ.

