Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 451
  • Last Modified:

ICS on Win2000 Pro

I have just installed ICS on my Win2k Pro machine.(put in another NIC. Made that one my local network. Shared the connection on the external network)  Everything works fine on the host. I am having a problem with one of my clients.(actually my only client at this time)  It is a Red Hat 7.3 Linux box.  I have it set to use DHCP.  That part seems to work fine.  It receives an IP address, usually something like 192.168.0.93.  But I can't seem to get it to connect to the internet though.

From the Win2k host, I can ping the Linux client just fine.  From the Linux client, I can ping my host's real IP address(64.xxx.xxx.xxx), but not the local address of the host(192.168.0.1)

It also seems like DNS is working correctly.  I can 'ping anydomain.com' from the client, and it resolves the name to an ip address, yet it does not actually recieve any packets back.(or actually send any for all I know)  Traceroute, telnet, ftp, whois, etc. does not work either.  But nslookup, host, and dig work just fine.  That is why it seems like my dns stuff is working, but I am not sure.  I cannot connect to any websites though.  This is my big problem.

I have taken down my personal firewall on the Win2k host.  I have taken down the firewall on my linux box as well.('ipchains -F')  I cannot think of anything that would be blocking it.

I can't seem to figure out what I am doing wrong.  Do I need to share certain applications from the host that the client will use, such as port 80, tcp and upd?  I played around with these settings, but without much luck.  Any help would be appreciated.
0
barthalamu
Asked:
barthalamu
  • 3
  • 3
  • 2
  • +1
1 Solution
 
EricWestboCommented:
post and 'ipconfig /all' read on both these systems for us... it sounds to me like you might have a default gateway issue on the linux...

0
 
SysExpertCommented:
I agree. You normally leave the default gateway on the Win2k Server Internal LAN NIC empty, since win2k knows it should route all external traafic to the second NIC.

Also

Yes there is. Go to Routing & Remote Access, chose to manually configure and start the service if asked.

 Open IP-Routing. Right-click on "General" and choose "New Routing Protocol". Add the "Network Address
                 Translation" (NAT) protocol. Goto the NAT protocol.
 Add your internet connection (using the contect menu) as public interface with TCP/UDP header translation
                 enabled.
                 Add your private NIC(s) as private interfaces.
                 Goto static routes and add a route for "0.0.0.0", mask "0.0.0.0" with your internet gateway (if on a
                 NIC card) and a metric of 100 or so.

  This should be working now. You can change the options for the NAT and add mapped ports etc. using the  context menu.
 Routing and RAS is not a proxy, thus it does not check the requests made by name or URL. However, you  can define filters for each netowrk interface, including IP range and ports to be locked out (or to  have exclusive access).
This will allow you to define simple rules depending on the IP or IP range. You could also block port 80 and use another proxy software to do more detailed filtering, while still allowing all other traffic  to be handled by the NAT.
From: andyalder   Date: 09/04/2001 05:32AM PST
   The second screen of the RRAS connection wizard allows ICS or NAT, not both. Which did you pick???

    If you picked ICS then disable the DHCP service as ICS provides it's own DHCP agent.

     If picked NAT then ensure the DHCP service is running and had a router (03) option of your servers 192.168.0.1.
               There's more to it than this but confirm whether ICS or NAT first.
  From: Kong     Date: 09/04/2001 06:26AM PST
     Hi Andy, I chose NAT on the second screen...

  Sorry about the confusion, on the first screen, I selected ICS and on the second screen, I selected
               NAT...
               From: andyalder   Date: 09/04/2001 06:45AM PST
               Under RRAS, ip routing NAT check that the 2 interfaces properties in case you have the inside interface
               defined as the external interface (unlikely)

               On DHCP manager set the router(03) and DNS server(06) to be your server 192.168.0.1

               Under DNS manager, select the properties of the server and under the Forwarders tab enter your ISP's
               DNS server as a forwarder. If the checkbox is grayed out then under forward lookup zones delete the
               zonefile "." then action-refresh it will no longer be grayed out.

               Also ensure no win2k workstation or win98SE has accidentally setup ICS or that might assign the DHCP
               info to your clients. Easy to check with ipconfig.
 From: andyalder   Date: 09/04/2001 09:38AM PST
               I'm not sure, I always use a firewall or setup the router to filter unwanted traffic. Probably the router
               itself is performing NAT in which case no incoming ports would be forwarded to your server anyway, just
               replies to it's own packets.
How to Configure Input Filters for Services That Run  Behind Network Address Translation NAT
http://support.microsoft.com/support/kb/articles/Q254/0/18.ASP might be worth a read.

-------------------
I hope this helps !

0
 
SysExpertCommented:
Whoops, you are using win2k Pro, not server..

OK
More info :

From: dcgames
                                                                  Date: 07/11/2001 08:09AM PST
        A) IP Forwarding cannot be enabled with a dialog box or button on Win2K PROFESSIONAL. You have to set a flag in the registry using REGEDT32.

      B) To share an internet connection, just right click on it and open it's properties. There should be
                 a tab to do it. Just check "Share this connection".  It works for dialup just fine.

  - You have to have installed Internet COnnection Sharing (ICS) as a component when you installed Win
         2K. Check in the Control Panel, Add/Remove Programs, Windows Components and make sure it's installed.

      - When you "share the connection", you also need to specify that the connection is "dial-on-demand".

       - You don't need to worry about enabling IP Forwarding if you are using the sharing the connection.
                 That's automatic.

   - The lan NIC will be changed by ICS to IP address 192.168.0.1. It also installs a mini DHCP service.
      Clients then use "dynamic IP" and are assigned 192.168.0.2, etc., with gateway 192.168.0.1.  But you
      can set the client's IP address statically if you prefer. Just remember it's 192.168.0.2 (or higher),
          mask 255.255.255.0 and gateway 192.168.0.1.

-----------------------------
http://www.win2000mag.com/articles/index.cfm?articleid=21189
0
Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

 
barthalamuAuthor Commented:
ipconfig on host machine:

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : win2k1
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : sd.cox.net

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Macronix MX98715 Family Fast Ethernet Adapter (ACPI)
        Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

Ethernet adapter Cable Modem:

        Connection-specific DNS Suffix  . : sd.cox.net
        Description . . . . . . . . . . . : NETGEAR FA311 Fast Ethernet PCI Adap
ter
        Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 64.xxx.xxx.27
        Subnet Mask . . . . . . . . . . . : 255.255.254.0
        Default Gateway . . . . . . . . . : 64.xxx.xxx.1
        DHCP Server . . . . . . . . . . . : 172.xxx.xxx.25
        DNS Servers . . . . . . . . . . . : 64.xxx.xxx.30
                                            64.xxx.xxx.30
                                            64.xxx.xxx.5
        Lease Obtained. . . . . . . . . . : Thursday, July 18, 2002 7:09:52 AM
        Lease Expires . . . . . . . . . . : Friday, July 19, 2002 7:09:52 AM


netstat -r on Linux client:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     *               255.255.255.0   U        40 0          0 eth0
127.0.0.0       *               255.0.0.0       U        40 0          0 lo
default         192.168.0.1     0.0.0.0         UG       40 0          0 eth0


Default gateway seems to be configured right, I think.  Thanks.
0
 
EricWestboCommented:
the gateway does, in fact, look good... however the IP on the linux seems a bit problematic... 192.168.0.0 is a network address & cannot be used for a machine.  change this to 192.168.0.2 and see how it goes

/ew
0
 
EricWestboCommented:
as a add'l thought... 127.0.0.0 is also questionable, as that is also a network address... if this is your "localhost" IP, it should be 127.0.0.1

/ew
0
 
barthalamuAuthor Commented:
The problem was actually a VPN client(SecureRemote) on the host machine.  ICS works when I unbind SecureRemote from both interfaces.  Thanks to both for the help.  Wish I could give points to each.
0
 
SysExpertCommented:
You can !

You can put in a request to                    
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt 
to distribute the points in any manner you think is proper.
This is especially true when you think you have received good information from more than one person.

Also see  http://www.experts-exchange.com/jsp/cmtyQuestAnswer.jsp

     I hope this helps !
0
 
Computer101Commented:
Points reduced for split.  Eric, look for your question in this topic area.

Computer101
E-E Moderator
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now