
The Best Damn Windows Server 2003 Book Period - P35


Shown in Figure 8.22 is the NAT/Basic Firewall tab of the public interface, which is configured as Public interface connected to the Internet. This properties dialog can be accessed from the Routing and Remote Access Console by expanding the NAT/Basic Firewall node, then right-clicking the LAN connection that is the external (public) interface adapter and selecting Properties. Also note that the check box for Enable NAT on this interface is checked. This turns the NAT protocol on, and is required for NAT to map internal address and port requests to the public IP interface.
You can have the Enable a basic firewall on this interface option checked, which will block all public Internet access to the local private network. This is equivalent in concept to enabling filters on an interface. There are several locations in which you can define filters:

The TCP/IP filtering option, which is located in the LAN connection properties: its filter settings are defined on the Internet Protocol (TCP/IP) Properties, Advanced TCP/IP Settings, Options tab.

In the RRAS snap-in, under the NAT/Basic Firewall node, the properties of the Internal interface and of each LAN connection interface contain the filters discussed previously.

In the RRAS snap-in, under the General node, the properties of the Internal interface and of each LAN connection interface contain the filters discussed previously.
You should check each location for filter settings to make sure that you are allowing or disallowing the appropriate traffic.
You can enable common services to access your network by simply checking the box next to the service name in the Services and Ports tab shown in Figure 8.23. You can also manage the behavior of ICMP by checking the boxes next to the functions you wish to allow on the ICMP tab seen in Figure 8.24. These settings are equivalent to setting filters and are disabled by default.
306 Chapter 8 • Monitoring and Troubleshooting Network Activity
Figure 8.22 NAT/Basic Firewall Tab of the Public Interface
301_BD_W2k3_08.qxd 5/11/04 5:06 PM Page 306
The client machines that use the NAT server will need their TCP/IP configuration set to obtain their IP addresses automatically. When the clients receive the IP configuration from the NAT server, they will be assigned:

IP address from the defined pool (Defaults to 192.168.0.0/24)

Subnet mask (Defaults to 255.255.255.0)

Default gateway (NAT computer internal IP address)

DNS server (NAT computer internal IP address)

Clients that obtain their address from the NAT server will use the NAT server to resolve DNS queries. The DNS server that is defined on the NAT server actually handles the request that is forwarded from the NAT server for the NAT client. This will limit your capabilities to resolve host names on your internal network if you have a DNS server providing the name resolution for internal hosts.
Figure 8.23 Services and Ports Tab
Figure 8.24 ICMP Tab
If the client machine is configured to use DHCP, or any of the TCP/IP settings were manually configured incorrectly, then it may not be able to access the Internet. If you are running the DHCP service on another server on your network, and the client computer gets its IP address from the DHCP server, then it may not be able to access the Internet or resolve host names on the Internet. We will discuss name resolution in a later section. A nice feature of NAT is that you can disable NAT address assignment and allow your DHCP clients to use a DHCP server. This will simplify your network administration and provide you with the means to provide additional configuration information to DHCP clients in the scope options, such as WINS servers, which type of name resolution to use, and many others. With ICS you cannot disable address assignment.
To disable NAT addressing, using the RRAS Console, right-click on NAT/Basic Firewall and select Properties. You will be presented with the Properties dialog. Click the Address Assignment tab as shown in Figure 8.25. Simply uncheck the Automatically assign IP addresses by using the DHCP allocator check box, then click OK. Clients on your internal network will no longer obtain IP addresses from the NAT server.
Monitoring NAT Activity
Now that your LAN clients are using NAT, you will need to be able to monitor use, and to identify and resolve issues associated with NAT. There are several tools to provide you with the necessary information for identifying which clients are connected, to which address and port, and with which protocol. You may also need to identify causes of unreliable Internet access. All clients that use NAT to access the Internet will have their internal IP address mapped to an external IP address, and the private address will need to map the appropriate port for the desired protocol to an external port for the same protocol.
You can view the mappings of NAT clients in the Network Address Translation Mappings Table shown in Figure 8.26, by right-clicking the interface listed in the NAT/Basic Firewall pane of the RRAS console. The route table (see Figure 8.27) and other TCP, UDP, and IP information is also accessible from RRAS by right-clicking the interface listed in the General pane.
Figure 8.25 NAT/Basic Firewall Properties—Disable NAT Address Assignment
There are other options to monitor the client Internet connections over NAT. In addition to providing an overview of mappings, the Netstat utility has a new option that allows you to find out what process is the owner of the connection. This is helpful when you have many connections through a routing server and need to identify what application is using which connection. The command is netstat -o and adds the Process column as you can see in Figure 8.28. The process can then be cross-referenced by id using Task Manager (see Figure 8.29). Another helpful utility to get details about a process is Process Explorer, a free utility from www.sysinternals.com. You can also enable logging.
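The netstat -o cross-reference described above can be scripted instead of being done by eye against Task Manager. The following PowerShell function is an added example written for this edit, not code from the book: it assumes netstat.exe is available (it adds the -a and -n switches to the -o option the book uses, so every endpoint is listed numerically with its owning PID) and that the script runs with enough rights to read every process's name.

```powershell
# Added example, not from the book: join each endpoint reported by "netstat -ano"
# with the name of the owning process, which the book does by hand with
# netstat -o and Task Manager.
function Get-ConnectionOwner {
    param(
        # Optional TCP state filter such as ESTABLISHED or LISTENING; empty = all rows
        [string]$State = ''
    )
    # PID -> process name, so each netstat row can be labelled without a lookup per row
    $processes = @{}
    Get-Process | ForEach-Object { $processes[$_.Id] = $_.ProcessName }

    # -a: all endpoints, -n: numeric addresses (no name resolution), -o: owning PID
    netstat -ano | ForEach-Object {
        $fields = ($_.Trim() -split '\s+')
        # Data rows start with the protocol; headers and blank lines are skipped
        if ($fields[0] -ne 'TCP' -and $fields[0] -ne 'UDP') { return }
        # UDP rows have no State column, so the PID is the last field either way
        $owningPid = [int]$fields[-1]
        $rowState  = if ($fields[0] -eq 'TCP') { $fields[3] } else { '' }
        if ($State -and $rowState -ne $State) { return }
        $owner = if ($processes.ContainsKey($owningPid)) { $processes[$owningPid] } else { '<exited/unknown>' }
        New-Object PSObject -Property @{
            Protocol = $fields[0]
            Local    = $fields[1]
            Remote   = $fields[2]
            State    = $rowState
            PID      = $owningPid
            Process  = $owner
        }
    }
}

# Usage: established connections grouped by the application that owns them
Get-ConnectionOwner -State 'ESTABLISHED' |
    Sort-Object Process |
    Format-Table Protocol, Local, Remote, PID, Process -AutoSize
```

A PID that netstat reports but Get-Process no longer lists is shown as exited/unknown rather than dropped, since a short-lived process that has already gone is itself worth noticing when you are trying to account for traffic through the NAT server.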
Figure 8.26 Network Address Translation Mappings Table
Figure 8.27 Routes Table
Figure 8.28 Netstat Command with –o Option

You can also log events associated with NAT. There are several different options for logging NAT events. One method you can use to configure NAT logging is Netsh: netsh routing ip nat set global loglevel={none | info | warn | error}, where loglevel specifies the events you want to log. none turns off all NAT logging. The error parameter enables errors related to NAT to be logged, warn means that only warnings should be logged, and the info parameter logs all events related to NAT. Each of these options is configurable in the General tab of the NAT/Basic Firewall Global properties, as shown in Figure 8.30. The events that are logged are written to the Application Event log.
Name Resolution
The resources you provide on your LAN must be accessible by some means. In order to facilitate the use of friendly names, we must provide readily available services or mechanisms to resolve names to IP addresses. There are two basic types of name resolution, Host Name Resolution and NetBIOS Name Resolution.
Figure 8.29 Task Manager Listing at the Same Time of the Netstat –o Command
Figure 8.30 NAT/Basic Firewall Global Properties
Host Name Resolution Troubleshooting Tools
You can use nslookup to troubleshoot host name resolution. Nslookup is an interactive command line utility that can be used to perform domain name queries against a specific DNS server, examine zone files, and validate the entries in the zone records in the DNS database. If the forward lookup zone is not available when you run nslookup to query that zone, the query will time out. Netdiag, Dnscmd, and dcdiag are all enhanced command line utilities that can also be used to resolve more Active Directory/DNS related issues. Netdiag is used to check distributed and network services such as IPSec, and to verify WINS and DNS name resolution and consistency. You can install the netdiag utility from the suptools.msi file located in the Support\Tools folder on the Windows Server 2003 product disc.
Dnscmd is the command line version of the DNS configuration utility. This tool can be used to add, delete, or verify records in a DNS database, configure DNS servers, and manage zones. Dcdiag can be used with netdiag and dnscmd to check the domain controllers in your enterprise and verify that the domain controllers are running properly.
NetBIOS Name Resolution
A NetBIOS name is a 16-byte address that maps to a network node that is defined as a NetBIOS resource on your network. NetBIOS name resolution entails resolving the NetBIOS name to the NetBIOS resource. NetBIOS names are either unique names used by a single host exclusively, or group names that can be resolved to more than one computer or process. If you request a single resource, then you use a unique name; otherwise you will use a group name to request resolution of more than one process on more than one computer.
NetBIOS Node Types
There are different methods for resolving NetBIOS names to IP addresses. The order in which each of the methods is used to resolve NetBIOS names depends on the NetBIOS node type defined for the client host. You can configure a DHCP scope to define the node type setting for each host that gets an address from that scope. See Table 8.1 for a description of each of the node types that can be defined.
Table 8.1 Definition of NetBIOS Node Types

Type of Node          Definition
B-node (broadcast)    B-node broadcasts NetBIOS name queries for resolution of NetBIOS names and for registering NetBIOS resources. Since B-node is broadcast-based, it is confined to local segments and contributes a good deal to the overall network traffic on a segment.
P-node (peer-peer)    P-node resolves NetBIOS names with a direct request to a NetBIOS name server (NBNS).
M-node (mixed)        M-node is basically B-node and P-node resolution combined. M-node hosts attempt to resolve hosts by using B-node broadcasts, and if that fails, they query a NetBIOS Name Server with a direct request using P-node.
H-node (hybrid)       H-node is a hybrid made up of P-node and B-node resolution combined. H-node requests are the opposite of M-node requests: the first attempt to resolve hosts is a direct query to the NetBIOS Name Server using P-node, and then B-node broadcasts are used.
If a Windows Server 2003 machine is configured to use NetBIOS over TCP/IP, then it will use B-node broadcasts to resolve NetBIOS names, unless a WINS server is defined, which will cause it to use H-node resolution. You can also define the node type setting in DHCP for those hosts on your network that are set to configure their IP address dynamically.
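To see which of the node types in Table 8.1 a given Windows host is actually using, and therefore in which order it will try broadcasts and the NetBIOS name server, the following PowerShell function (added for this edit, not code from the book) reads the NetBT service's registry parameters. The key path, the NodeType and DhcpNodeType value names, and the 1/2/4/8 encoding are my assumptions about how NetBT stores the setting, not something the book states; the fallback when neither value is present follows the rule in the paragraph above (B-node unless a WINS server is configured, then H-node). The Node Type line of ipconfig /all is an independent check of the result.

```powershell
# Added example, not from the book: report the effective NetBIOS node type and
# the lookup order Table 8.1 assigns to it. Registry value names and encoding
# are assumptions about the NetBT service, not something the book cites.
function Get-NetbiosNodeType {
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $params = Get-ItemProperty -Path $key

    # Assumed encoding shared by NodeType (set locally) and DhcpNodeType (DHCP option 46)
    $nodeTable = @{
        1 = @{ Name = 'B-node (broadcast)'; Order = 'broadcast only' }
        2 = @{ Name = 'P-node (peer-peer)'; Order = 'NetBIOS name server (WINS) only' }
        4 = @{ Name = 'M-node (mixed)';     Order = 'broadcast first, then NetBIOS name server' }
        8 = @{ Name = 'H-node (hybrid)';    Order = 'NetBIOS name server first, then broadcast' }
    }

    if ($params.NodeType) {
        # A locally configured value takes precedence over what DHCP handed out
        $code   = [int]$params.NodeType
        $source = 'registry NodeType (static configuration)'
    } elseif ($params.DhcpNodeType) {
        $code   = [int]$params.DhcpNodeType
        $source = 'DhcpNodeType (DHCP scope option)'
    } else {
        # Neither value present: the default described in the text, B-node unless
        # any IP-enabled adapter has a WINS server configured, in which case H-node
        $wins = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            Where-Object { $_.WINSPrimaryServer }
        $code   = if ($wins) { 8 } else { 1 }
        $source = 'default (no NodeType or DhcpNodeType value set)'
    }

    $entry = $nodeTable[$code]
    if (-not $entry) { $entry = @{ Name = "unknown node type code $code"; Order = 'undefined' } }
    New-Object PSObject -Property @{
        Code        = $code
        NodeType    = $entry.Name
        LookupOrder = $entry.Order
        Source      = $source
    }
}

Get-NetbiosNodeType | Format-List NodeType, LookupOrder, Source
```

Running this on a client that unexpectedly floods a segment with NetBIOS broadcasts will usually show B-node or M-node from a DHCP scope option, which is the setting to change rather than the client itself.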
LMHOSTS File
The LMHosts file is also located in the WINDIR\System32\Drivers\etc folder. There are differences in the file format of LMHosts. Instructions in the LMHosts.sam file located in the WINDIR\System32\Drivers\etc folder can be used to create a file with the name LMHosts (no .sam extension). You can configure the clients with the option to use LMHosts files for resolution if you like. NBTStat can be used to purge the NetBIOS name cache and load the LMHosts file into the cache using NBTStat -RR, as well as for troubleshooting NetBIOS name resolution. It is strongly recommended that if you are using a Windows operating system other than Windows 2000/XP or Windows Server 2003, you implement a WINS server to reduce broadcast traffic and aid in the resolution of the other Windows resources.
Using IPConfig to Troubleshoot Name Resolution
The front line in host name resolution problem solving is Ipconfig. You can use ipconfig to give you the details of your IP address settings for all your adapters. This allows you to verify the subnet mask, default gateway, and other settings for every adapter on the machine. The ipconfig utility with no command line options will provide the simple view as shown in Figure 8.31. For more detail you can use ipconfig /all for the results shown in Figure 8.32. In addition, you can now use ipconfig with the option /displaydns to give you the list of host name resolutions cached on the client machine as shown in Figure 8.33.

If you are having trouble resolving hosts, you can try clearing the resolver cache using ipconfig /flushdns as in Figure 8.34. On occasion, IP addresses change on the network. A common scenario is one in which a machine has a host name registered in DNS, you remove the computer account from Active Directory, and remove the entry from DNS. Then you add the machine with the same name as it had before, only now, it gets assigned a new IP address. When other machines attempt to resolve the machine by using the host name, if they have the old address for the same host name in cache, then the client machine will not be able to connect to the rebuilt machine. Simply use ipconfig /flushdns and the local resolver cache will be cleared, thus requiring the client to request resolution from DNS, where the current information can be obtained.
Figure 8.31 Results of ipconfig
Figure 8.32 Results of ipconfig /all
Figure 8.33 Results of ipconfig /displaydns
If required, you can use ipconfig /registerdns (see Figure 8.35) to add the client to the Dynamic DNS server if you are using Active Directory integrated DNS and your host name is not registered in DNS. Your machine name may not be registered in DNS if you have assigned a static IP address.
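The stale-cache scenario above (a rebuilt machine keeping its name but receiving a new address) can be detected before you flush. The PowerShell function below is an added example for this edit, not code from the book: it parses the A records that ipconfig /displaydns currently holds for a name, asks the DNS server directly with nslookup, and runs ipconfig /flushdns only when the two disagree and -Flush is given. It assumes the English text layout of both tools' output; the host name is whatever you pass in.

```powershell
# Added example, not from the book: compare the locally cached A records for a
# host name with a fresh server answer, and flush the resolver cache on mismatch.
function Test-StaleDnsCache {
    param(
        [Parameter(Mandatory = $true)] [string]$HostName,
        [switch]$Flush
    )
    $ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

    # Cached records: ipconfig /displaydns prints one block per cached name, with
    # "Record Name . . . : <name>" followed by "A (Host) Record . . . : <address>" lines
    $cached  = @()
    $inBlock = $false
    foreach ($line in (ipconfig /displaydns)) {
        if ($line -match '^\s*Record Name[ .]*: (.+)$') {
            $inBlock = ($matches[1].Trim() -ieq $HostName)
        } elseif ($inBlock -and $line -match "A \(Host\) Record[ .]*: ($ipv4)") {
            $cached += $matches[1]
        }
    }

    # Fresh answer: nslookup prints the server it asked first, then a "Name:" line;
    # every IPv4 address after that line belongs to the answer
    $fresh    = @()
    $inAnswer = $false
    foreach ($line in (nslookup $HostName 2>$null)) {
        if ($line -match '^Name:') { $inAnswer = $true }
        elseif ($inAnswer -and $line -match $ipv4) { $fresh += $matches[0] }
    }

    # Stale only when both sides have data and the address sets differ; an empty
    # fresh answer means the name did not resolve at all, which is a different problem
    $stale = ($cached.Count -gt 0) -and ($fresh.Count -gt 0) -and
             ((($cached | Sort-Object) -join ',') -ne (($fresh | Sort-Object) -join ','))
    if ($stale -and $Flush) { ipconfig /flushdns | Out-Null }

    New-Object PSObject -Property @{
        HostName = $HostName
        Cached   = $cached
        Fresh    = $fresh
        Stale    = $stale
        Flushed  = ($stale -and $Flush)
    }
}

# Usage: report only; add -Flush to clear the cache when the entry is stale
Test-StaleDnsCache -HostName 'rebuilt-server.example.local' | Format-List
```

Flushing only on a confirmed mismatch keeps the rest of the cache intact, which matters on a busy client where a blanket ipconfig /flushdns would send every name back to the DNS server at once.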
IP Addressing
The flexibility of TCP/IP contributes to the complexity of troubleshooting addresses and connections. There are several tools that can help isolate and identify issues with addressing, but it is also imperative that you understand IP addressing rules and subnetting. Ipconfig, ping, and tracert are the most useful tools in identifying addressing problems with the client configurations and connections to other hosts on the Internet.
Figure 8.34 Results of ipconfig /flushdns
Figure 8.35 Results of ipconfig /registerdns

Client Configuration Issues
Some of the issues that occur with manual configuration of IP addresses include duplicate addresses, invalid subnet masks, invalid default gateways, and invalid or missing host name resolution settings (such as DNS and WINS). To help identify the problem, start by typing ipconfig /all at a command prompt. Verify that the information output by the command is correct, and then continue by using ping to help isolate the problem.
1. Ping the loopback address (127.0.0.1) to verify that the TCP/IP protocol stack is configured correctly on the local computer.
2. Ping the external IP address of the local computer to ensure the host is on the network and using a valid IP address; that is, no address conflicts.
3. Ping the IP address of the default gateway to verify that the default gateway is accessible and your local network configuration contains the correct subnet mask.
4. Ping the IP address of a remote host to verify that you can transmit data over the default gateway.
If you are not able to get traffic through to a site, but you are making it through the default gateway, then you should use tracert to identify the break in the route to the destination. An example of using tracert is shown in Figure 8.36, using the command line tracert www.syngress.com. To prevent the resolution of the host names that are shown in the results of Figure 8.36, specify the command with the -d option: tracert -d www.syngress.com.
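The four ping checks and the tracert fallback above, as one PowerShell function added for this edit (not the book's code). It reads the local address and default gateway from the Win32_NetworkAdapterConfiguration WMI class, uses Test-Connection (PowerShell 2.0 or later) for each step, stops at the first failure, and runs tracert -d only when the gateway answered but the remote host did not. The remote host name is a parameter; www.syngress.com in the usage call is simply the name the book used.

```powershell
# Added example, not from the book: run the loopback / local address / gateway /
# remote host ping ladder in order and report the first rung that fails.
function Test-ClientConnectivity {
    param(
        [Parameter(Mandatory = $true)] [string]$RemoteHost
    )
    # Same data ipconfig /all shows: first IP-enabled adapter that has a default gateway
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DefaultIPGateway } | Select-Object -First 1
    if (-not $cfg) {
        return 'FAIL before step 1: no IP-enabled adapter with a default gateway (check ipconfig /all)'
    }
    $localIp = $cfg.IPAddress | Where-Object { $_ -notmatch ':' } | Select-Object -First 1  # first IPv4
    $gateway = $cfg.DefaultIPGateway[0]

    # The four checks in the order the text prescribes; each one only means
    # something if the previous one succeeded
    $steps = @(
        @{ Name = 'loopback 127.0.0.1 (TCP/IP stack)';          Target = '127.0.0.1' },
        @{ Name = "local address $localIp (no conflict)";       Target = $localIp },
        @{ Name = "default gateway $gateway (subnet mask)";     Target = $gateway },
        @{ Name = "remote host $RemoteHost (via the gateway)";  Target = $RemoteHost }
    )

    $reached = 0
    foreach ($step in $steps) {
        $ok = Test-Connection -ComputerName $step.Target -Count 2 -Quiet -ErrorAction SilentlyContinue
        if (-not $ok) {
            if ($reached -eq 3) {
                # Gateway answered but the remote did not: show where the path breaks,
                # without reverse lookups so a broken DNS does not slow the trace down
                tracert -d $RemoteHost | Out-Host
            }
            return "FAIL at step $($reached + 1): $($step.Name)"
        }
        $reached++
    }
    return "OK: all four checks passed, $RemoteHost is reachable through $gateway"
}

Test-ClientConnectivity -RemoteHost 'www.syngress.com'
```

A failure at step 2 points at the local configuration (duplicate or invalid address) rather than the network, and a failure at step 3 at the subnet mask or gateway entry; only a failure at step 4 justifies the trace, which is why the function does not run tracert earlier.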
Another utility that is more useful than tracert and ping combined is pathping. Pathping is basically tracert and ping combined. The pathping command line utility provides an overview of latency and loss of data over a network at each hop from a source to a destination. The pathping utility will continue to ping over a specified period of time in seconds, but it will default to a value related to the total number of hops from the source to the destination. Pathping computes the latency and packet loss from each router. This allows you to identify firewalls that block ICMP but still provides information about latency on the hops past the firewall. You can also use pathping to
Figure 8.36 Results of tracert
