Microsoft KB Archive/253145

= RAS Clients Cannot Gain Access to the Internet Using Network Address Translation =

PSS ID Number: 253145

Article Last Modified on 10/11/2002


The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q253145



== SYMPTOMS ==
You can configure the Network Address Translation (NAT) protocol on a server running Routing and Remote Access Service (RRAS) to allow network clients with private addresses to gain access to the Internet. NAT allows the RRAS server to use its public address(es) on behalf of network clients, including Remote Access Service (RAS) clients. When you use a single server to provide both RAS and NAT services, RAS clients are unable to gain access to the Internet.



== RESOLUTION ==
To work around this behavior, use either of the following methods:

=== Method 1 ===
Use two different servers to provide RAS and NAT services. Configure one server as the NAT server (see the online help provided with RRAS to configure NAT). Install RRAS or RAS on a second server and configure the service to allow remote clients to gain access to the network (see the online help provided with RRAS to configure remote access). You should configure the default gateway and DNS settings for the RRAS server to use the Internet Protocol (IP) address of the internal interface of the NAT server.

=== Method 2 ===
NOTE: The modem or modem bank on the RRAS/NAT computer must be configured to support demand-dial connections. To verify this, right-click Ports on the RRAS/NAT server, click Properties, click the modem, and then click Configure. Check the Demand-dial routing connections (inbound and outbound) box.

Install and configure RRAS and NAT on a single server that provides RAS. This still allows RAS clients to gain access to the Internet using NAT, but you must configure demand-dial and NAT interfaces for each RAS client.

Note that the DHCP allocator, which can be configured with NAT and ICS, cannot be used to supply the demand-dial connection's IP address. The DHCP allocator only supplies IP addresses to network clients, and does not give IP addresses to demand-dial interfaces. The demand-dial connection's IP address should be provided by a DHCP server service, such as the Windows 2000 DHCP Server service. Alternatively, a static pool should be configured in RRAS to provide IP addresses to clients as well as demand-dial connections.

After you install RRAS and configure the service to provide both RAS service and NAT, use the following steps to configure a NAT interface that RAS clients can use to gain access to the Internet:
 * 1) In the RRAS Microsoft Management Console (MMC), open the properties of the appropriate server.
 * 2) Right-click Routing Interfaces, and then click New Demand-dial Interface from the list.
 * 3) After the Demand Dial Interface Wizard starts, type the exact user name in the Interface Name box, and then click Next.
 * 4) The wizard then prompts you to type a phone number. You can ignore this prompt because this information is used for a router-to-router demand-dial phone number. Click Next.
 * 5) When the Protocols and Security dialog box is displayed, click to select the IP check box (and the IPX check box, if applicable), click Add a user account so a remote router can dial in, and then click Next.
 * 6) Type and confirm the user's account password, and then click Next.

NOTE: RRAS attempts to match the user's account to an existing account in either Active Directory or a local Security Accounts Manager (SAM) database when the wizard is finished.
 * 7) The Dial Out Credentials dialog box is displayed. Although these credentials are used only for router-to-router authentication (and are not necessary for this process), you must provide the information. Type the information for any account, click Next, and then click Finish.
 * 8) In the RRAS MMC, expand IP Routing.
 * 9) Right-click Network Address Translation (NAT), and then click New Interface.
 * 10) Click the demand-dial interface you created in steps 1-7, and then click OK.
 * 11) Click Private interface connected to private network, and then click OK.

The RAS user for which you defined the connection can now dial and connect to the RRAS server, and gain access to the Internet using the NAT interface that you configured.



== STATUS ==
This behavior is by design. This is a security feature that does not allow remote clients to share Internet connections without authorization.

Keywords: kbnetwork kbprb KB253145

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch


© 2003 Microsoft Corporation. All rights reserved.