Windows 2003 Server unable to see in or out behind a firewall (even with open access rules).

Posted on 2004-08-26
Last Modified: 2010-04-11
Our Windows 2003 Server has 2 gigabit ethernet cards. We use one and have 2 IP addresses assigned to it. We don't use NAT and we've tried turning off/on the integrated firewall with the 2003 server. The server, when connected directly to the network, will function properly and see in and out. When we turn on the integrated firewall, it still works fine (we keep http/https open). We then put up a Sonicwall firewall and the computer was unable to see in or out. The Sonicwall has one wan and one lan port (Soho3). The lan port connects to a separate switch where the servers all connect to. We have 2 other Windows 2000 servers that operate correctly behind this Sonicwall (i.e. they can see in and out) through this switch which traverses through the firewall.

At first we thought the firewall went bad and replaced it with another functioning unit that had 3 built in ports (Soho 10) and we got the same problem. The Windows 2003 server solely cannot see in or out. The IP address (each computer has its own non-conflicting ip address), subnet mask, and gateway are all the same in all locations (the two Windows 2000 servers, the Windows 2003 server, and the firewall's own settings). To make sure that there were no rules that conflicted, we deleted all the rules and set 2 simple rules to allow all traffic inbound and outbound with no port restrictions. The Windows 2000 servers operate perfectly. These network connections are through a colo-center directly into their switch (no dsl/cable, etc). We also tried using the other ethernet card on the 2003 server (and the ip addresses of both ethernet cards are different - the other settings are the same in terms of subnet mask and gateway). This didn't work either.

We also tried an experiment of putting the Windows 2000 servers behind the firewall (no rules) and the Windows 2003 on a separate direct network connection to the colo's switch. The firewalled machines were able to see out to any website EXCEPT our own website which was on the same network. To make sure that the 2003 machine was not down, we went to an outside machine on a different subnet and connected directly to our website. We then tried from the Windows 2003 server and it too could see any machine except the Windows 2000 machines (behind the firewall). We also tried to ping the machines behind the 'open' firewall and it could not reach them. We tried from an outside machine to ping the Windows 2000 machines and it could. We tried to ping the Windows 2000 machines and it could (from the outside machine). We're confused as to why the Windows 2003 will work ONLY when connected directly to the network but not behind the firewall and less importantly, why these machines can't see each other. We didn't want to put the Windows 2000 machines directly on the network without a firewall due to having previous issues with hackers. The Windows 2003 machine at least has the built in firewall, so we felt more comfortable in leaving it on a direct connection. We're sure if they are all on the same network with no firewall, they'd probably see each other. So, it would seem that the firewall is the issue, but given that the two firewalls work fine with other servers and computers (both of the firewalls were actively pulled from different networks that had a mix of workstations and servers), it seems the firewalls aren't the problem, but rather it's a configuration issue with Windows 2003 server. Since the network configuration pages are very similar to Windows 2000, we set them up alike (obviously with different IP's). We aren't sure if we're missing something.
We are looking for possible reasons/solutions to make the Windows 2003 server work behind a firewall appliance (not using its own built-in firewall). Thank you.

Question by:matrixracing

Expert Comment

ID: 11909483
To me, it sounds like your NICs are the problem, not the switch or the firewall. Try forcing the speed of the NIC on the Win2k3 server to 100Mbit in the Advanced tab (while viewing the properties of the connection, click configure next to the NIC). One of the options should be to set the connection speed, duplex settings, etc.

Expert Comment

ID: 11918975
There is a classic issue with your network design.
You have two cards that are independent devices and you have configured them as two doors into one adjacent room.
Basically you cannot do that.
If you want to use them in load balancing or fail-over mode, then use the utils to set that up.
If you have two networks then it is allowed, else you will need to turn one off.

Nic 1

gw ip address of the soho
dns ip of the dns server or itself if it has dns running on it or the ip of the soho if it has dns capabilities, however this can be a problem for internal resolutions....so it is best to use an internal dns server.

Nic 2 (if separate network)
gw empty if that network does not have a router else nic one needs to be empty and you put the router's ip here
dns as above


Author Comment

ID: 11919032
Thanks for both of your answers. I have yet to try this, but I will in the next couple days.

wparrot: The setting is currently on "auto detect." The choices are 10mb/s half or full duplex and 100mb/s half or full duplex. I assume you mean to force it at 100mb/s. Assuming the second answer works below, it might be best to leave it at auto detect.

brian_appliedcpu: I assume your IP's are for example (not nat related as we use straight external IP's). Yes, you're right. Both NICs have the network settings of being on the same subnet and gateway, just different IP's (one NIC has .182, .183 in the last octet, and the other has .188). The second one is not used (it has a red X on it since it has no connection). This still would conflict? There is only one network, hence no need to run the other NIC. Should we blank out the settings or disable it in the bios (they are both onboard nics). The other two W2k servers have only single NICs and work fine.


Expert Comment

ID: 11921087
Yes, you are correct; setting the card to disabled even in Windows is fine.
Be sure to clear out the settings first, as windows will try to hang on to this information.
Turning it off in the bios is a good idea also, but not necessary.

Multihomed master browser may cause Event ID 8021 and 8032

Why are you not using NAT, you should be at least using Static NAT. To put a server out on its own is crazy. You cannot turn off all the ports a 2000 server uses as you will cripple the server.
At a cmd prompt type netstat -a displays all connections and listening ports.

Can you post your   (xxx out the first two octets of the ip, gw and dns)
IP xxx.xxx.    .

Accepted Solution

web4net earned 1000 total points
ID: 11938275

It is YudaVision speaking.

I suggest you give brian's idea a try.

I have checked your Motherboard's specs. Your NIC supports Gigabit Ethernet.

• Dual Port Intel® 82546EB Gigabit Ethernet
• Supports 10BASE-T, 100BASE-TX, and 1000BASE-T, RJ45 output

I left you a V.M. Call me when you get a chance.

(I have a meeting with Ivette tomorrow)

Author Comment

ID: 11948189
We're using external addresses due to the fact that the commerce website has hard-coded IP address entries in the asp scripts. Not the most elegant programming, but we have to live with it for now until we get a new site made. We previously were using a firewall on the 2000 servers closing off all ports and selectively opening some with IP address restrictions. But the 2003 server has been a problem working behind a firewall (except using its own built in one).

IP xxx.xxx.173.182
GW xxx.xxx.173.1

I tried your solution of changing the IP information of the second NIC to an internal IP (completely different than the other NIC) and then disabling the NIC altogether. I also rebooted the machine and went into the BIOS to see if I could disable the NIC, but there wasn't any area there to do that. I also tried wparrot's solution of forcing the card into 100 mb/s or 10 mb/s mode in both full or half duplex. It didn't seem to make a difference in the machine's ability to see in or out. After trying the solution of disabling the NIC through the control panel, I then tried to put it behind the firewall. The computer was able to see the other two W2k servers and vice versa. It was also able to go out to the internet and see any website. The problem was that the outside world couldn't see the Windows 2003 server behind the firewall. We couldn't ping it from outside the firewall. Inside the firewall, it was reachable from the other two servers that were behind it. The rules on the firewall are set to allow all traffic in and out on all ports. So, it's still a mystery. We're using one connection to the colo's switch (which is at 100 mb/s) and using a switch to divide the traffic. The 2003 server is in front of the firewall, the firewall connects to the same switch and the other two machines are behind the firewall. This is the only way we can have all 3 running at the same time. The problem is they can't see each other and ultimately, we'd like to put the Windows 2003 server behind the firewall as the firewall device is much better than the one installed with the OS.

Any other ideas? Thank you.

Assisted Solution

brian_appliedcpu earned 1000 total points
ID: 11948350
The firewall is set to allow the traffic in and out but does it know where to send it once it gets there?
By this I mean is there a route statement?
How can the firewall route the traffic from the outside interface to the inside interface using the same IP address?
Normally one would need to translate from public to private or if it was just a router, then you could route the entire block thru but the network on the outside of the router cannot be the same network as on the inside of the network.  It violates the rules of routing.

Public IP Network --------Firewall or Router-------- Private Network Hub/Switch ---Servers
Public IP Router Provided by ISP -----------Hub/Switch ------Servers
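To make the two design points in this thread concrete, here is an added example (not code from any participant): it models brian's routing argument, the same public block on both sides of the firewall leaves longest-prefix match with no single winner, and his earlier multihomed point, two NICs on one subnet. The addresses are constructed placeholders (the thread masks the first two octets), using 192.0.2.0/24 for the colo's public block and 10.0.0.0/24 for a private inside network.

```python
import ipaddress

# Constructed placeholder for the colo's public block (gateway would be .1).
PUBLIC = "192.0.2.0/24"


def route_lookup(routes, dst):
    """Longest-prefix match over (network, interface) pairs.

    Returns every interface tied for the best match. More than one
    entry means the device cannot decide where to forward the packet,
    which is the situation brian describes when the same network sits
    on both the outside and inside interfaces."""
    dst = ipaddress.ip_address(dst)
    best, winners = -1, []
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if dst not in net:
            continue
        if net.prefixlen > best:
            best, winners = net.prefixlen, [iface]
        elif net.prefixlen == best:
            winners.append(iface)
    return winners


def same_subnet_pairs(nics):
    """Find NICs configured on the same subnet, brian's 'two doors into
    one room'. nics is a list of (name, 'ip/prefix') tuples."""
    ifaces = [(name, ipaddress.ip_interface(cidr)) for name, cidr in nics]
    return [(a, b) for i, (a, ia) in enumerate(ifaces)
            for b, ib in ifaces[i + 1:] if ia.network == ib.network]


# Case 1: the firewall as the author set it up, public block on WAN and LAN.
FLAT = [(PUBLIC, "wan"), (PUBLIC, "lan")]
# Case 2: brian's layout, public block outside, private block inside.
ROUTED = [(PUBLIC, "wan"), ("10.0.0.0/24", "lan")]
# The 2003 server's two onboard NICs as the author described them (.182, .188).
SERVER_NICS = [("nic1", "192.0.2.182/24"), ("nic2", "192.0.2.188/24")]

if __name__ == "__main__":
    print(route_lookup(FLAT, "192.0.2.182"))   # ['wan', 'lan'] -> ambiguous
    print(route_lookup(ROUTED, "10.0.0.50"))   # ['lan']
    print(same_subnet_pairs(SERVER_NICS))      # [('nic1', 'nic2')]
```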

Expert Comment

ID: 12578223
I believe he was given sufficient information to at least test out the proposed solutions.
I tried to give him a basic understanding of routing.

Author Comment

ID: 12708798
Apologies for the lack of replies. The answer lay in the firewall. The Windows 2003 machine needed explicit rules to its IP vs. the blanket "*" rule when used for blocks of IPs. This was found out within extensive tech support with a level 2 tech support person. They initially thought the firewall had a problem and its firmware was cleared and reinstalled, but that didn't fix the problem. They didn't have a good explanation why as the Windows 2000 machines would work with blanket ranges and the 2003 machine would not. When we applied a single IP and referenced the rules to the IP, it worked after that. We had tried the other alternatives described above and none fixed it. I thank you for your help and this thread can be closed and points split accordingly.
