Shown in Figure 8.22 is the NAT/Basic Firewall tab of the public interface, which is configured as Public interface connected to the Internet. This properties dialog can be accessed from the Routing and Remote Access Console by expanding the NAT/Basic Firewall node, then right-clicking the LAN connection that is the external (public) interface adapter and selecting Properties. Also note that the check box for Enable NAT on this interface is checked. This turns the NAT protocol on, and is required for NAT to map internal address and port requests to the public IP interface.

You can also have the Enable a basic firewall on this interface option checked, which will block all public Internet access to the local private network. This is equivalent in concept to enabling filters on an interface. There are several methods you can use to define filters:

■ The TCP/IP filtering option, which is located in the LAN properties, contains filter settings that are defined on the Internet Protocol (TCP/IP) Properties, Advanced TCP/IP Settings, Options tab.
■ In the RRAS snap-in, under the NAT/Basic Firewall node, the properties of the Internal interface and of each LAN Connection interface contain the filters discussed previously.
■ In the RRAS snap-in, under the General node, the properties of the Internal interface and of each LAN Connection interface contain the filters discussed previously.

You should check each location for filter settings to make sure that you are allowing or disallowing the appropriate traffic. You can enable common services to access your network by simply checking the box next to the service name in the Services and Ports tab shown in Figure 8.23. You can also manage the behavior of ICMP by checking the boxes next to the functions you wish to allow on the ICMP tab seen in Figure 8.24. These settings are equivalent to setting filters and are disabled by default.
306 Chapter 8 • Monitoring and Troubleshooting Network Activity
Figure 8.22 NAT/Basic Firewall Tab of the Public Interface
301_BD_W2k3_08.qxd 5/11/04 5:06 PM Page 306

The client machines that use the NAT server will need their TCP/IP configuration set to obtain their IP addresses automatically. When the clients receive the IP configuration from the NAT server, they will be assigned:

■ IP address from the defined pool (defaults to 192.168.0.0/24)
■ Subnet mask (defaults to 255.255.255.0)
■ Default gateway (NAT computer internal IP address)
■ DNS server (NAT computer internal IP address)

Clients that obtain their address from the NAT server will use the NAT server to resolve DNS queries. The DNS server that is defined on the NAT server actually handles the request that is forwarded from the NAT server for the NAT client. This will limit your capabilities to resolve host names on your internal network if you have a DNS server providing the name resolution for internal hosts.

Figure 8.23 Services and Ports Tab
Figure 8.24 ICMP Tab

If the client machine is configured to use DHCP, or any of the TCP/IP settings were manually configured incorrectly, then it may not be able to access the Internet. If you are running the DHCP service on another server on your network, and the client computer gets its IP address from the DHCP server, then it may not be able to access the Internet or resolve host names on the Internet. We will discuss name resolution in a later section. A nice feature of NAT is that you can disable NAT address assignment and allow your DHCP clients to use a DHCP server. This will simplify your network administration and provide you with the means to provide additional configuration information to DHCP clients in the scope options, such as WINS servers, which type of name resolution to use, and many others. With ICS you cannot disable address assignment.
To disable NAT addressing, using the RRAS Console, right-click NAT/Basic Firewall and select Properties. You will be presented with the Properties dialog. Click the Address Assignment tab as shown in Figure 8.25. Simply uncheck the Automatically assign IP addresses by using the DHCP allocator check box, then click OK. Clients on your internal network will no longer obtain IP addresses from the NAT server.

Monitoring NAT Activity

Now that your LAN clients are using NAT, you will need to be able to monitor use, and to identify and resolve issues associated with NAT. There are several tools to provide you with the necessary information for identifying which clients are connected, to which address and port they are connected, and with what protocol. You may also need to identify causes of unreliable Internet access. All clients that use NAT to access the Internet will have their internal IP address mapped to an external IP address, and the private address will need to map the appropriate port for the desired protocol to an external port for the same protocol. You can view the mappings of NAT clients in the Network Address Translation Mappings Table shown in Figure 8.26, by right-clicking the interface listed in the NAT/Basic Firewall pane of the RRAS console. The route table (see Figure 8.27) and other TCP, UDP, and IP information are also accessible from RRAS by right-clicking the interface listed in the General pane.

Figure 8.25 NAT/Basic Firewall Properties—Disable NAT Address Assignment

There are other options to monitor the client Internet connections over NAT.
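To make the mapping table and the basic firewall described above concrete, here is an added Python model (not code from the book or from RRAS) of how a NAT mapping table behaves with the basic firewall turned on: an outbound request gets a public port per protocol and reuses it, a reply is delivered only when it answers an existing mapping, a service checked on the Services and Ports tab is the only other way in, and everything else is dropped. The public address 203.0.113.10, the private addresses and the sequential port allocation starting at 1025 are constructed assumptions, not RRAS behavior taken from the page.

```python
import itertools


class NatTable:
    """Toy model of the RRAS NAT mapping table plus the basic firewall.

    Outbound: (proto, private ip, private port) is given a port on the
    public interface and always reuses it. Inbound: a packet is delivered
    only if it answers an existing mapping or hits a service opened on the
    Services and Ports tab; with the basic firewall on, everything else is
    dropped. Modeling assumption: ports are handed out sequentially.
    """

    def __init__(self, public_ip, basic_firewall=True, first_port=1025):
        self.public_ip = public_ip
        self.basic_firewall = basic_firewall
        self._next_port = itertools.count(first_port)
        self.outbound = {}   # (proto, priv_ip, priv_port) -> public port
        self.inbound = {}    # (proto, public port) -> (priv_ip, priv_port)
        self.services = {}   # (proto, public port) -> (priv_ip, priv_port)

    def allow_service(self, proto, public_port, private_ip, private_port):
        """Equivalent of ticking a service on the Services and Ports tab."""
        self.services[(proto, public_port)] = (private_ip, private_port)

    def translate_outbound(self, proto, private_ip, private_port):
        """Return the (public ip, public port) a client's request leaves with."""
        key = (proto, private_ip, private_port)
        if key not in self.outbound:
            port = next(self._next_port)
            self.outbound[key] = port
            self.inbound[(proto, port)] = (private_ip, private_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, proto, public_port):
        """Decide what happens to a packet arriving on the public interface.

        Returns (action, destination): 'reply' for a mapped connection,
        'service' for an opened port, 'drop' when the basic firewall blocks
        it, and 'untranslated' when the firewall is off and no mapping
        exists (the packet is then left to the interface's ordinary filters).
        """
        if (proto, public_port) in self.inbound:
            return "reply", self.inbound[(proto, public_port)]
        if (proto, public_port) in self.services:
            return "service", self.services[(proto, public_port)]
        if self.basic_firewall:
            return "drop", None
        return "untranslated", None

    def mappings(self):
        """Rows in the spirit of the Network Address Translation Mappings Table."""
        return [f"{proto:<4}{pip}:{pport} -> {self.public_ip}:{pub}"
                for (proto, pip, pport), pub in self.outbound.items()]
```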
In addition to providing an overview of mappings, the Netstat utility has a new option that allows you to find out what process is the owner of the connection. This is helpful when you have many connections through a routing server and need to identify what application is using which connection. The command is Netstat –o and adds the Process column as you can see in Figure 8.28. The process can then be cross-referenced by id using Task Manager (see Figure 8.29). Another helpful utility to get details about a process is Process Explorer, a free utility from www.sysinternals.com. You can also enable logging.

Figure 8.26 Network Address Translation Mappings Table
Figure 8.27 Routes Table
Figure 8.28 Netstat Command with –o Option

You can also log events associated with NAT. There are several different options for logging NAT events. One method you can use to configure NAT logging is by using Netsh: Netsh routing ip nat set global LogLevel= none | info | warn | error, where LogLevel specifies the events you want to log. None turns off all NAT logging. The error parameter enables errors related to NAT to be logged, warn means that only warnings should be logged, and the info parameter logs all events related to NAT. Each of these options is configurable in the General tab of the NAT/Basic Firewall Global properties, as shown in Figure 8.30. The events that are logged are written to the Application Event log.

Name Resolution

The resources you provide on your LAN must be accessible by some means. In order to facilitate the use of friendly names, we must provide readily available services or mechanisms to resolve names to IP addresses. There are two basic types of name resolution, Host Name Resolution and NetBIOS Name Resolution.
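As an added example for the Netstat –o cross-reference described under Monitoring NAT Activity above (not the book's own code), the following Python parses a constructed sample of Netstat –o output, joins each connection to a constructed PID-to-image table of the kind you read off Task Manager, and counts sockets per process. The UDP rows, which carry no State column, are the case a naive whitespace split gets wrong. All addresses, PIDs and image names are made up for the sample.

```python
import re
from collections import Counter

# Constructed sample of "netstat -o" output in the Windows Server 2003
# layout; not a capture from a real system. UDP rows have no State column.
NETSTAT_O = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.1:139        192.168.0.5:1045       ESTABLISHED     4
  TCP    203.0.113.10:1026      198.51.100.7:80        ESTABLISHED     1532
  TCP    203.0.113.10:1027      198.51.100.7:80        TIME_WAIT       0
  UDP    192.168.0.1:137        *:*                                    4
  UDP    203.0.113.10:53        *:*                                    1200
"""

# Constructed PID -> image name table, the cross-reference you would read
# off the Processes tab of Task Manager (with its PID column shown).
TASKLIST = {0: "System Idle Process", 4: "System",
            1200: "dns.exe", 1532: "svchost.exe"}

# Proto, local, foreign, optional state (absent on UDP rows), then PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_netstat_o(text):
    """Parse netstat -o rows into dicts; UDP rows get state None."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or a row we do not understand
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def owners(rows, tasklist):
    """Attach the owning image name to every row; unknown PIDs are flagged."""
    return [dict(r, image=tasklist.get(r["pid"], "<unknown pid>")) for r in rows]


def connections_per_image(rows, tasklist):
    """How many sockets each process holds: the question netstat -o answers."""
    return Counter(r["image"] for r in owners(rows, tasklist))
```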
Figure 8.29 Task Manager Listing at the Same Time as the Netstat –o Command
Figure 8.30 NAT/Basic Firewall Global Properties

Host Name Resolution Troubleshooting Tools

You can use nslookup to troubleshoot host name resolution. Nslookup is an interactive command line utility that can be used to perform domain name queries against a specific DNS server, examine zone files, and validate the entries in the zone records in the DNS database. If the forward lookup zone is not available, when you run nslookup to query that zone, it will time out.

Netdiag, Dnscmd, and dcdiag are all enhanced command line utilities that can also be used to resolve more Active Directory/DNS related issues. Netdiag is used to check distributed and network services such as IPSec, and to verify WINS and DNS name resolution and consistency. You can install the netdiag utility from the suptools.msi file located in the Support\Tools folder on the Windows Server 2003 product disc. Dnscmd is the command line version of the DNS configuration utility. This tool can be used to add, delete, or verify records in a DNS database, configure DNS servers, and manage zones. Dcdiag can be used with netdiag and dnscmd to check the domain controllers in your enterprise and verify that the domain controllers are running properly.

NetBIOS Name Resolution

A NetBIOS name is a 16-byte address that maps to a network node that is defined as a NetBIOS resource on your network. NetBIOS name resolution entails resolving the NetBIOS name to the NetBIOS resource. NetBIOS names are either unique names used exclusively by one host, or group names that can be resolved to more than one computer or process. If you request a single resource, then you use a unique name; otherwise you use a group name to request resolution of more than one process on more than one computer.
NetBIOS Node Types

There are different methods for resolving NetBIOS names to IP addresses. The order in which each of the methods is used to resolve NetBIOS names depends on the NetBIOS node type defined for the client host. You can configure the DHCP scope to define the node type setting for each host that gets an address from that scope. See Table 8.1 for a description of each of the node types that can be defined.

Table 8.1 Definition of NetBIOS Node Types

Type of Node          Definition
B-node (broadcast)    B-node broadcasts NetBIOS name queries for resolution of NetBIOS names and registering NetBIOS resources. Since B-node is broadcast-based, it is confined to local segments and contributes a good deal to overall network traffic on a segment.
P-node (peer-peer)    P-node resolves NetBIOS names with a direct request to a NetBIOS name server (NBNS).
M-node (mixed)        M-node is made up of B-node and P-node resolution combined. M-node hosts attempt to resolve names by using B-node broadcasts, and if that fails, they query a NetBIOS Name Server with a direct request using P-node.
H-node (hybrid)       H-node is a hybrid made up of P-node and B-node resolution combined. H-node requests are the opposite of M-node requests: the first attempt to resolve names is a direct query to the NetBIOS Name Server using P-node, and then B-node broadcasts are used.

If a Windows Server 2003 machine is configured to use NetBIOS over TCP/IP, then it will use B-node broadcasts to resolve NetBIOS names, unless a WINS server is defined, which will cause it to use H-node resolution. You can also define the node type setting in DHCP for those hosts on your network that are set to dynamically configure the IP address.
LMHOSTS File

The LMHosts file is also located in the WINDIR\System32\Drivers\etc folder. There are differences between the file formats of the Hosts and LMHosts files. Instructions in the LMHosts.sam file located in the WINDIR\System32\Drivers\etc folder can be used to create a file named simply LMHosts (no .sam extension). You can configure the clients with the option to use LMHosts files for resolution if you like. NBTStat can be used to purge the NetBIOS name cache and load the LMHosts file into the cache using NBTStat –RR, as well as for troubleshooting NetBIOS name resolution. It is strongly recommended that if you are using a Windows operating system other than Windows 2000/XP or Windows Server 2003, you implement a WINS server to reduce broadcast traffic and aid in the resolution of the other Windows resources.

Using IPConfig to Troubleshoot Name Resolution

The front line in host name resolution problem solving is Ipconfig. You can use ipconfig to give you the details of your IP address settings for all your adapters. This allows you to verify the subnet mask, default gateway, and other settings for every adapter on the machine. The ipconfig utility with no command line options will provide the simple view shown in Figure 8.31. For more detail you can use ipconfig /all for the results shown in Figure 8.32. In addition, you can now use ipconfig with the option /displaydns to give you the list of host name resolutions cached on the client machine, as shown in Figure 8.33.

If you are having trouble resolving hosts, you can try clearing the resolver cache using ipconfig /flushdns as in Figure 8.34. On occasion, IP addresses change on the network.
A common scenario is one in which a machine has a host name registered in DNS, you remove the computer account from Active Directory, and you remove the entry from DNS. Then you add the machine back with the same name as it had before, only now it gets assigned a new IP address. When other machines attempt to resolve the machine by using the host name, if they have the old address for the same host name in cache, then the client machine will not be able to connect to the rebuilt machine. Simply use ipconfig /flushdns and the local resolver cache will be cleared, thus requiring the client to request resolution from DNS, where the current information can be obtained.

Figure 8.31 Results of ipconfig
Figure 8.32 Results of ipconfig /all
Figure 8.33 Results of ipconfig /displaydns

If required, you can use ipconfig /registerdns (see Figure 8.35) to add the client to the Dynamic DNS server if you are using Active Directory integrated DNS and your host name is not registered in DNS. Your machine name may not be registered in DNS if you have assigned a static IP address.

IP Addressing

The flexibility of TCP/IP contributes to the complexity of troubleshooting addresses and connections. There are several tools that can help isolate and identify issues with addressing, but it is also imperative that you understand IP addressing rules and subnetting. Ipconfig, ping, and tracert are the most useful tools in identifying addressing problems with the client configurations and connections to other hosts on the Internet.
Figure 8.34 Results of ipconfig /flushdns
Figure 8.35 Results of ipconfig /registerdns

Client Configuration Issues

Some of the issues that occur with manual configuration of IP addresses include duplicate addresses, invalid subnet masks, invalid default gateways, and invalid or missing host name resolution settings (such as DNS and WINS). To help identify the problem, start by typing ipconfig /all at a command prompt. Verify that the information output by the command is correct, and then continue by using ping to help isolate the problem.

1. Ping the loopback address (127.0.0.1) to verify that the TCP/IP protocol stack is configured correctly on the local computer.
2. Ping the external IP address of the local computer to ensure the host is on the network and using a valid IP address; that is, no address conflicts.
3. Ping the IP address of the default gateway to verify that the default gateway is accessible and your local network configuration contains the correct subnet mask.
4. Ping the IP address of a remote host to verify that you can transmit data over the default gateway.

If you are not able to get traffic through to a site, but you are making it through the default gateway, then you should use tracert to identify the break in the route to the destination. An example of using tracert is shown in Figure 8.36, using the command line tracert www.syngress.com. To prevent the resolution of the host names that are shown in the results of Figure 8.36, specify the command with the –d option: tracert -d www.syngress.com. Another utility that is more useful than tracert and ping combined is pathping.
Pathping is basically tracert and ping combined. The pathping command line utility provides an overview of latency and loss of data over a network at each hop from a source to a destination. The pathping utility will continue to ping over a specified period of time in seconds, but it will default to a value related to the total number of hops from the source to the destination. Pathping computes the latency and packet loss from each router. This allows you to identify firewalls that block ICMP but still provide information about latency on the hops past the firewall. You can also use pathping to

Figure 8.36 Results of tracert