NetNatStaticMapping not routing

Mohammad Abdulla 1 Reputation point
2021-01-05T03:23:25.89+00:00

I am trying to configure traffic to NAT through my Hyper-V host to VMs on an internal v-switch and all the info I can find online would suggest what I have tried should work.

"External" LAN Network 192.168.6.0/24

Internal vSwitch Network 172.21.21.0/24

Hyper-V Host running Windows Server 2019 Datacenter 1809

IPs: 192.168.6.200 and 172.21.21.1

Windows Server 2019 VM running IIS

IP: 172.21.21.2

Windows 10 PC on LAN

IP: 192.168.6.150

PowerShell commands run:

New-NetNat -Name "NATSwitch" -InternalIPInterfaceAddressPrefix 172.21.21.0/24
Add-NetNatStaticMapping -NatName "NATSwitch" -Protocol TCP -ExternalIPAddress "0.0.0.0/0" -InternalIPAddress "172.21.21.2/32" -InternalPort 80 -ExternalPort 81
I am able to access http://172.21.21.2 from the Hyper-V host; I am NOT able to access http://192.168.6.200:81 from the Win 10 PC.

Windows firewall turned off everywhere. No other AV type software anywhere. Wireshark shows traffic on port 81 getting to the Hyper-V host, but it doesn't go anywhere from there.

What am I missing here?


4 answers

  1. Mico Mi 1,921 Reputation points
    2021-01-06T08:34:21.89+00:00

    Hi,
    When the NAT is first created, it is suggested that the internal IP prefix defined does not overlap with the external IP addresses assigned to the host.
    Please remove your old mapping and try to map one of your two host IPs, like Add-NetNatStaticMapping -NatName "NATSwitch" -Protocol TCP -ExternalIPAddress "192.168.6.200/24" -InternalIPAddress "172.21.21.2/32" -InternalPort 80 -ExternalPort 81, and check if it helps.

    Thanks for your time!
    Best Regards,
    Mico Mi



  2. Mico Mi 1,921 Reputation points
    2021-01-07T07:11:04.643+00:00

    Hi,
    It seems that the Add-NetNatExternalAddress is available through Azure Pack and VMM.
    Please try to run the command Get-NetNatExternalAddress, then choose any External IP and port and use it as the parameter for the Add-NetNatStaticMapping command.
    Best Regards,
    Mico Mi


  3. Mico Mi 1,921 Reputation points
    2021-01-08T07:58:51.073+00:00

    Hi,
    When using the old mapping (0.0.0.0), please ensure your LAN connects both host A and host B (using the same router).
    Have you added port binding and configured the Inbound Rules for the given ports? Can Win 10 access using http://172.21.21.2?
    Besides, I found some further information about NAT in a doc:

    Internal endpoints assigned to VMs or containers cannot be accessed using the external IPs / ports referenced in NAT static port mappings directly from the NAT host. From the NAT host, these internal endpoints must be addressed directly by their internal IP and ports. For instance, assume a container endpoint has IP 172.16.1.100 and is running a web server which is listening on port 80. Moreover, assume a port mapping has been created through docker to forward traffic from the host’s IP address (10.10.50.20) received on TCP port 8080 to the container endpoint. In this case, a user on the container host cannot directly access the web server using the externally mapped ports. E.g. a user operating on the container host cannot access the container web server indirectly on http://10.10.50.20:8080. Instead, the user must directly access the container web server on http://172.16.1.100:80.

    The one caveat to this limitation is that the internal endpoint can be accessed using the external IP/port from a separate, VM/container endpoint running on the same NAT host: this is called hair-pinning. E.g. A user operating on container A can access a web server running in Container B using the internal IP and port of http://10.10.50.20:8080.

    Best Regards,
    Mico Mi
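
Pulling the question and the three answers together, as an added example rather than code from the thread: a PowerShell script for the Hyper-V host that rebuilds the NAT from the question with the checks the answers ask for (a non-overlapping internal prefix, the mapping pinned to the host LAN address as the first answer suggests, and an inbound rule scoped to the mapped port instead of the firewall being switched off). The addresses and ports are the ones from the question; the two helper function names are my own.

```powershell
# Added example, not code from the thread. Run elevated on the Hyper-V host.
# Values assumed from the question:
$NatName        = 'NATSwitch'
$InternalPrefix = '172.21.21.0/24'   # internal vSwitch network
$HostLanIP      = '192.168.6.200'    # host address on the "external" LAN
$VmIP           = '172.21.21.2'      # IIS VM behind the NAT
$ExternalPort   = 81
$InternalPort   = 80

# Hypothetical helpers: IPv4 address -> integer, and a CIDR membership test.
function ConvertTo-IPv4Long([string]$Address) {
    $b = ([ipaddress]$Address).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + $b[3]
}
function Test-IPInPrefix([string]$IP, [string]$Prefix) {
    $net, $bits = $Prefix.Split('/')
    $mask = (4294967295 -shl (32 - [int]$bits)) -band 4294967295
    return ((ConvertTo-IPv4Long $IP) -band $mask) -eq ((ConvertTo-IPv4Long $net) -band $mask)
}

# 1. Checks from the answers: the internal prefix must not overlap the host's
#    external address, and the VM must actually sit inside the prefix.
if (Test-IPInPrefix $HostLanIP $InternalPrefix) { throw "$HostLanIP overlaps $InternalPrefix" }
if (-not (Test-IPInPrefix $VmIP $InternalPrefix)) { throw "$VmIP is outside $InternalPrefix" }

# 2. Create the NAT only if it does not exist yet.
if (-not (Get-NetNat -Name $NatName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $InternalPrefix | Out-Null
}

# 3. Remove any old mapping on this external port, then add the new one.
#    Note the space before -InternalIPAddress, which the thread's command lacks.
Get-NetNatStaticMapping -NatName $NatName -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.ExternalPort -eq $ExternalPort } |
    Remove-NetNatStaticMapping -Confirm:$false
Add-NetNatStaticMapping -NatName $NatName -Protocol TCP `
    -ExternalIPAddress "$HostLanIP/24" -InternalIPAddress "$VmIP/32" `
    -InternalPort $InternalPort -ExternalPort $ExternalPort | Out-Null

# 4. Allow only the mapped port instead of disabling the firewall.
$ruleName = "NAT $NatName TCP/$ExternalPort"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $ExternalPort -Action Allow | Out-Null
}

# 5. Verify the mapping and that the backend listens. Test the external port
#    from a separate LAN machine: the NAT host cannot use its own mapping.
Get-NetNatStaticMapping -NatName $NatName | Format-Table -AutoSize
Test-NetConnection -ComputerName $VmIP -Port $InternalPort | Select-Object TcpTestSucceeded
```

After a client on the LAN connects to port 81, Get-NetNatSession -NatName NATSwitch should show the translated session; if it stays empty while Wireshark still sees the traffic arriving, the problem is in front of the NAT (binding or firewall), not in the mapping.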


  4. Jay 0 Reputation points
    2023-06-06T20:46:54.4566667+00:00

    Maybe this Gist @ GitHub will help?
