How do I discover (horizontal) a windows server behind a NAT?

tammykuhns
Kilo Guru

I am attempting to discover a windows server which is behind a NAT. I get a message "(IP) is not a reachable host (no response to target ports scanned by MID)." Firewall rules are open to allow discovery.

Any guidance or suggestion would be appreciated.

Thanks. Tammy


Jim Palmer
ServiceNow Employee

Tammy,

(Firstly I'm assuming the target does not have Windows defender firewall turned on with it blocking WinRM connections).

If you're trying to use the real IP of the target in discovery, I doubt that is going to work, because the MID won't be able to see the real IP of the target, only the NATed IP, and that in turn might cause problems with the identification and dependency parts of discovery.

You might need to ask your networking team how the NAT is configured, because NAT can play havoc with automated discovery tools just because what IPs you see depends on the origin of the traffic.


So, something to think about is what NATed IP the MID server can see from its end, and have you tried using that address at least for the Shazzam probe?

Richard Hine
Tera Guru

Tammy,

One thought I would have is that if you have devices behind a NAT, it might make more sense to place a MID server inside of the compartment/network where the NATted devices are.

In this scenario I am guessing you only have a single device so it may not be practical to land a MID?

As @Jim Palmer has said, I would try discovering it using a quick discovery to the NATted IP and then follow up with the network team to see if there are restrictions on the NAT or the device providing the NAT.

Hope this helps,

Richard

Thank you both for your reply and insights. I have attempted the discovery with both IPs, NAT'd and real. Both get the same message that it is unreachable. I have contacted my network team and they are troubleshooting a potential issue with how the NAT is set up and traffic routing.

The suggestion for a MID inside the NAT'd network would probably work; I'm going to keep that in mind as a last resort option.


I really appreciate your direction. Thanks to Jim & Richard.

romanzillek
Tera Contributor

How can a NATed machine not be reachable, since it should provide service irrespective of NAT or not? Client<>Public-Server_IP<>NAT-router-/-switch/-host<>Private-Server_IP<>Server! So when you connect to the Public-Server_IP and all necessary ports for a connection/session are open/allowed and TCP/UDP/ICMP packets are properly NATed, you should be able to log on to those machines and discover even their Private-Server_IP and all other CI attributes. The Public_ServerIP range has to be configured as an IP range and be accessible and scheduled and have a MID assigned ... I'm really very eager to know if you had any success in the meantime since you posted this issue here 🙂 br R.
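A reachability check along the lines Jim (probe the NATed IP the MID server actually sees) and romanzillek (the ports must be open and properly NATed end to end) describe, as an added example that is not from the thread or from ServiceNow: run it on the MID server against the NATed address and it tells open, closed and silently dropped ports apart, which is the distinction behind the "no response to target ports" message. The port list is an assumption (standard WMI/SMB/WinRM ports; match it to your Shazzam port probe), and local_listener() only exists so the check can be exercised offline.

```python
import socket

# Ports a Windows discovery path commonly needs (assumption: WMI/RPC, SMB and
# WinRM defaults; the thread names no ports, so match your Shazzam port probe).
WINDOWS_DISCOVERY_PORTS = {135: "RPC endpoint mapper (WMI)", 445: "SMB",
                           5985: "WinRM over HTTP", 5986: "WinRM over HTTPS"}

def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """TCP connect from the MID server side to host:port and name the outcome.

    open     - SYN/ACK came back: the NAT forwards this port to a listener
    closed   - RST came back: the address is reachable, nothing answers the port
    filtered - no answer before the timeout: a firewall or the NAT drops the
               packet; this is what MID reports as "no response to target ports"
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:  # e.g. no route to host: a routing problem, not a firewall
        return f"error: {exc}"
    finally:
        sock.close()

def probe_host(host: str, ports=WINDOWS_DISCOVERY_PORTS, timeout: float = 2.0) -> dict:
    """Probe every discovery port of one address (try the NATed IP first)."""
    return {port: probe_port(host, port, timeout) for port in ports}

def verdict(results: dict) -> str:
    """Summarise probe_host() output the way Shazzam would judge the host."""
    states = set(results.values())
    if "open" in states:
        return "reachable: at least one discovery port answers"
    if states == {"filtered"}:
        return "silent: every port dropped, MID will report the host as unreachable"
    return "host answers but no discovery port is open: check the NAT port mappings"

def local_listener():
    """Offline stand-in for the NATed host: a TCP listener on a loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]
```

If the NATed address comes back "silent" on every port while the real one errors out with no route, the problem is on the NAT or firewall side rather than on the server, which is what the network team needs to hear.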