Solved

ICS on Win2000 Pro

Posted on 2002-07-18
9
434 Views
Last Modified: 2010-04-13
I have just installed ICS on my Win2k Pro machine.(put in another NIC. Made that one my local network. Shared the connection on the external network)  Everything works fine on the host. I am having a problem with one of my clients.(actually my only client at this time)  It is a Red Hat 7.3 Linux box.  I have it set to use DHCP.  That part seems to work fine.  It receives an IP address, usually something like 192.168.0.93.  But I can't seem to get it to connect to the internet though.

From the Win2k host, I can ping the Linux client just fine.  From the Linux client, I can ping my host's real IP address(64.xxx.xxx.xxx), but not the local address of the host(192.168.0.1)

It also seems like DNS is working correctly.  I can 'ping anydomain.com' from the client, and it resolves the name to an ip address, yet it does not actually recieve any packets back.(or actually send any for all I know)  Traceroute, telnet, ftp, whois, etc. does not work either.  But nslookup, host, and dig work just fine.  That is why it seems like my dns stuff is working, but I am not sure.  I cannot connect to any websites though.  This is my big problem.

I have taken down my personal firewall on the Win2k host.  I have taken down the firewall on my linux box as well.('ipchains -F')  I cannot think of anything that would be blocking it.

I can't seem to figure out what I am doing wrong.  Do I need to share certain applications from the host that the client will use, such as port 80, tcp and upd?  I played around with these settings, but without much luck.  Any help would be appreciated.
0
Comment
Question by:barthalamu
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 4

Expert Comment

by:EricWestbo
Comment Utility
post and 'ipconfig /all' read on both these systems for us... it sounds to me like you might have a default gateway issue on the linux...

0
 
LVL 63

Expert Comment

by:SysExpert
Comment Utility
I agree. You normally leave the default gateway on the Win2k Server Internal LAN NIC empty, since win2k knows it should route all external traafic to the second NIC.

Also

Yes there is. Go to Routing & Remote Access, chose to manually configure and start the service if asked.

 Open IP-Routing. Right-click on "General" and choose "New Routing Protocol". Add the "Network Address
                 Translation" (NAT) protocol. Goto the NAT protocol.
 Add your internet connection (using the contect menu) as public interface with TCP/UDP header translation
                 enabled.
                 Add your private NIC(s) as private interfaces.
                 Goto static routes and add a route for "0.0.0.0", mask "0.0.0.0" with your internet gateway (if on a
                 NIC card) and a metric of 100 or so.

  This should be working now. You can change the options for the NAT and add mapped ports etc. using the  context menu.
 Routing and RAS is not a proxy, thus it does not check the requests made by name or URL. However, you  can define filters for each netowrk interface, including IP range and ports to be locked out (or to  have exclusive access).
This will allow you to define simple rules depending on the IP or IP range. You could also block port 80 and use another proxy software to do more detailed filtering, while still allowing all other traffic  to be handled by the NAT.
From: andyalder   Date: 09/04/2001 05:32AM PST
   The second screen of the RRAS connection wizard allows ICS or NAT, not both. Which did you pick???

    If you picked ICS then disable the DHCP service as ICS provides it's own DHCP agent.

     If picked NAT then ensure the DHCP service is running and had a router (03) option of your servers 192.168.0.1.
               There's more to it than this but confirm whether ICS or NAT first.
  From: Kong     Date: 09/04/2001 06:26AM PST
     Hi Andy, I chose NAT on the second screen...

  Sorry about the confusion, on the first screen, I selected ICS and on the second screen, I selected
               NAT...
               From: andyalder   Date: 09/04/2001 06:45AM PST
               Under RRAS, ip routing NAT check that the 2 interfaces properties in case you have the inside interface
               defined as the external interface (unlikely)

               On DHCP manager set the router(03) and DNS server(06) to be your server 192.168.0.1

               Under DNS manager, select the properties of the server and under the Forwarders tab enter your ISP's
               DNS server as a forwarder. If the checkbox is grayed out then under forward lookup zones delete the
               zonefile "." then action-refresh it will no longer be grayed out.

               Also ensure no win2k workstation or win98SE has accidentally setup ICS or that might assign the DHCP
               info to your clients. Easy to check with ipconfig.
 From: andyalder   Date: 09/04/2001 09:38AM PST
               I'm not sure, I always use a firewall or setup the router to filter unwanted traffic. Probably the router
               itself is performing NAT in which case no incoming ports would be forwarded to your server anyway, just
               replies to it's own packets.
How to Configure Input Filters for Services That Run  Behind Network Address Translation NAT
http://support.microsoft.com/support/kb/articles/Q254/0/18.ASP might be worth a read.

-------------------
I hope this helps !

0
 
LVL 63

Accepted Solution

by:
SysExpert earned 200 total points
Comment Utility
Whoops, you are using win2k Pro, not server..

OK
More info :

From: dcgames
                                                                  Date: 07/11/2001 08:09AM PST
        A) IP Forwarding cannot be enabled with a dialog box or button on Win2K PROFESSIONAL. You have to set a flag in the registry using REGEDT32.

      B) To share an internet connection, just right click on it and open it's properties. There should be
                 a tab to do it. Just check "Share this connection".  It works for dialup just fine.

  - You have to have installed Internet COnnection Sharing (ICS) as a component when you installed Win
         2K. Check in the Control Panel, Add/Remove Programs, Windows Components and make sure it's installed.

      - When you "share the connection", you also need to specify that the connection is "dial-on-demand".

       - You don't need to worry about enabling IP Forwarding if you are using the sharing the connection.
                 That's automatic.

   - The lan NIC will be changed by ICS to IP address 192.168.0.1. It also installs a mini DHCP service.
      Clients then use "dynamic IP" and are assigned 192.168.0.2, etc., with gateway 192.168.0.1.  But you
      can set the client's IP address statically if you prefer. Just remember it's 192.168.0.2 (or higher),
          mask 255.255.255.0 and gateway 192.168.0.1.

-----------------------------
http://www.win2000mag.com/articles/index.cfm?articleid=21189
0
 

Author Comment

by:barthalamu
Comment Utility
ipconfig on host machine:

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : win2k1
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : sd.cox.net

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Macronix MX98715 Family Fast Ethernet Adapter (ACPI)
        Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

Ethernet adapter Cable Modem:

        Connection-specific DNS Suffix  . : sd.cox.net
        Description . . . . . . . . . . . : NETGEAR FA311 Fast Ethernet PCI Adap
ter
        Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 64.xxx.xxx.27
        Subnet Mask . . . . . . . . . . . : 255.255.254.0
        Default Gateway . . . . . . . . . : 64.xxx.xxx.1
        DHCP Server . . . . . . . . . . . : 172.xxx.xxx.25
        DNS Servers . . . . . . . . . . . : 64.xxx.xxx.30
                                            64.xxx.xxx.30
                                            64.xxx.xxx.5
        Lease Obtained. . . . . . . . . . : Thursday, July 18, 2002 7:09:52 AM
        Lease Expires . . . . . . . . . . : Friday, July 19, 2002 7:09:52 AM


netstat -r on Linux client:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     *               255.255.255.0   U        40 0          0 eth0
127.0.0.0       *               255.0.0.0       U        40 0          0 lo
default         192.168.0.1     0.0.0.0         UG       40 0          0 eth0


Default gateway seems to be configured right, I think.  Thanks.
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 4

Expert Comment

by:EricWestbo
Comment Utility
the gateway does, in fact, look good... however the IP on the linux seems a bit problematic... 192.168.0.0 is a network address & cannot be used for a machine.  change this to 192.168.0.2 and see how it goes

/ew
0
 
LVL 4

Expert Comment

by:EricWestbo
Comment Utility
as a add'l thought... 127.0.0.0 is also questionable, as that is also a network address... if this is your "localhost" IP, it should be 127.0.0.1

/ew
0
 

Author Comment

by:barthalamu
Comment Utility
The problem was actually a VPN client(SecureRemote) on the host machine.  ICS works when I unbind SecureRemote from both interfaces.  Thanks to both for the help.  Wish I could give points to each.
0
 
LVL 63

Expert Comment

by:SysExpert
Comment Utility
You can !

You can put in a request to                    
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
to distribute the points in any manner you think is proper.
This is especially true when you think you have received good information from more than one person.

Also see  http://www.experts-exchange.com/jsp/cmtyQuestAnswer.jsp

     I hope this helps !
0
 
LVL 1

Expert Comment

by:Computer101
Comment Utility
Points reduced for split.  Eric, look for your question in this topic area.

Computer101
E-E Moderator
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now