Solved

No access between 2 private networks sharing a single WAN connection

Posted on 2007-03-17
Last Modified: 2012-05-05
I have two internal networks and I cannot Connect/ping 1 from the other.  Here's the situation:

Using Verizon Fios w/ActionTec MI424WR router (LAN 192.168.1.1, DHCP 192.168.1.3-10)

Local LAN 1 has SBS 2003 Server with 2 NICS.
NIC1: 192.168.1.2 GWY: 192.168.1.1 -> ActionTec router (connection to WAN)
NIC2: 192.168.254.219 GWY: None -> Local LAN 1 (192.168.254.x)
Note: Running ISA 2004 protecting internal network (LAN1) from WAN traffic

Local LAN 2 has Win 2003 Enterprise Server.
NIC: 192.168.0.2 -> Connected to Netgear FVS114 firewall appliance
GWY: 192.168.0.1 (Netgear FVS114)

FVS114 Firewall Appliance
WAN Connection to ActionTec router: 192.168.1.5
LAN Connection to Win2003 Server: 192.168.0.1

I can connect to the Internet from either the 192.168.0.x internal LAN or the 192.168.254.x internal LAN. Everything works except for communication between the 2 internal LANs.

I cannot figure out how to communicate between the internal LANs. I cannot even ping 192.168.1.5 (Netgear FVS114 WAN port) from the SBS 2003 Server (192.168.1.2 WAN Nic) even though they are on the same subnet.

Question: How can I do this?  Add DNS rules on both servers?  IP forwarding somehow? Add rules on ISA2004 and/or ActionTec router and/or FVS114 firewall appliance? Other?

Note: I can ping 192.168.1.1 (ActionTec LAN IP) from SBS 2003 (192.168.1.2/192.168.254.219) or Win 2003 (192.168.0.2) Servers. I can ping 192.168.1.5 from the Win2003 Server but not from the SBS 2003 Server. I can ping 192.168.0.1 from the Win2003 Server (192.168.0.2) but not from the SBS 2003 Server (192.168.1.2).
Question by: searcygr
34 Comments

Author Comment

by: searcygr
    Internet (via Verizon Fios)
                |
                |
+------------------------------+
|    ActionTec                      |
|     MI424WR                      |
|     Router                          |<------> Wireless Devices
|  LAN IP: 192.168.1.1        |                    on
|    DHCP: 192.168.1.3-10  |           192.168.1.x subnet
+------------------------------+
      |         |
      |         |
      |        +------------------------------- SBS 2003 w/ISA2004
      |          WAN NIC: 192.168.1.2 <--------> Direct connected to ActionTec Router
      |                GWY: 192.168.1.1
      |           LAN NIC: 192.168.254.219 <------> Connected to Netgear GS108
      |                GWY: NONE                                    UnManaged Switch
      |                                                                                   /|\
      |                                                                                    |
      |                                                                                   \|/
      |                                                                       Local LAN 1 Clients
      |
     +--------------------------- NetGear FVS114 Firewall Appliance
        WAN: 192.168.1.5       +       +   Note: Both Server/Client connected directly into FVS114
         LAN: 192.168.0.1        |        |
                                             |        |
                                             |       +-------- WinXP Laptop 192.168.0.4
                                             |
                        Win2003 Enterprise Server
                            NIC1: 192.168.0.2
                            NIC2: 192.168.0.3
                           GWY:  192.168.0.1 (for both NICS)

I can successfully connect to the Internet from both 192.168.0.x & 192.168.1.x & 192.168.254.x subnets.  I cannot communicate between 192.168.0.x & 192.168.254.x.

I run ZoneAlarm 6.5.737 on all clients. Some also run the ISA Firewall Client.
ISA2004 protects the 192.168.254.x LAN & the FVS114 Firewall protects the 192.168.0.x LAN.
I cannot even ping the FVS114 Netgear device from the SBS 2003 Server.

Expert Comment

by: Keith Alabaster
For starters, you cannot have a gateway on both NICs; this is a non-starter.
<<
Win2003 Enterprise Server
                            NIC1: 192.168.0.2
                            NIC2: 192.168.0.3
                           GWY:  192.168.0.1 (for both NICS)
>>


How does the win2003 server 'think' it gets to the SBS server?

Author Comment

by: searcygr
I actually disabled the 2nd NIC until I get this problem solved. So far, I have been unsuccessful getting from 192.168.0.3 to the SBS 2003 server. I have tried setting up static routing but haven't got that figured out yet since there are so many places to set up static routing and I'm not sure of the correct way to do this.

Expert Comment

by: dr_shivan
My non-professional advice is to ensure that ping is enabled on your firewall (1.5). Most firewalls have ping disabled for security purposes.
Add a static route in the SBS2003 server; if it fails, try publishing the route.

Good Luck

Author Comment

by: searcygr
I did all the above. I also shut down ISA 2004 and was able to ping across my private networks. The problem seems to be with the ISA 2004 rules. However, I have tried different scenarios/rules with both networks, computer sets and network sets without success.

Assisted Solution

by: Keith Alabaster (earned 500 total points)
As above.

For starters, you cannot have a gateway on both NICs; this is a non-starter.
<<
Win2003 Enterprise Server
                            NIC1: 192.168.0.2
                            NIC2: 192.168.0.3
                           GWY:  192.168.0.1 (for both NICS)
>>


How does the win2003 server 'think' it gets to the SBS server?

I am happy to work this through with you but we need to get the basics right first. Otherwise I'll leave it to someone else.

Author Comment

by: searcygr
I disabled NIC1 until I resolve the issues.  My Win2003 Enterprise Server only has 1 NIC active.

The problem appears to be in my ISA 2004 rules.  I'm going to close this question and rewrite/place it in the ISA group.

Expert Comment

by: Keith Alabaster
Your call but it will still be me who deals with it for you :)
I deal with a number of the more well-known forum sites on ISA, so if you use the same name I will say hi before we start lol

Author Comment

by: searcygr
Okay. Is there any way to send you a detailed Visio Diagram of my network? Any other information that might be helpful? (route print?) I have RIP set on the Linksys and it tries to update the SBS 2003 server, but those are rejected/denied. I have enabled the ActionTec & Linksys WRT54GS to accept Pings/ICMPs. When I installed/set up the Win2003 Enterprise Server, it set the GWY as 127.0.0.1 on my active NIC (that seemed odd to me).

Expert Comment

by: Keith Alabaster

Author Comment

by: searcygr
Thanks. Is there a secure way to upload this so only you can view it?  It is rather detailed. Sorry to be such a pain, but I don't want this to be publicly available. If not, then I will update the TXT version above and post a new comment.

Expert Comment

by: Keith Alabaster
Look at my profile (click my name on the message and use that email address).

Expert Comment

by: Keith Alabaster
Found it?

Author Comment

by: searcygr
Please note that I am currently trying to ping the 192.168.1.1 ActionTec LAN IP address from my client desktop inside the SBS2003/ISA2004 Server. I can ping 192.168.254.219 & 192.168.1.2 (the 2 NICs on the SBS 2003 server). I cannot get past to 192.168.1.1. Interestingly, when I shut down the ISA2004 services, I still cannot ping 192.168.1.1, so I have changed something on my Desktop? that stopped this from happening. The current goal is to try to get through to 192.168.0.3 (Win2003 Server) from my 192.168.254.221 Desktop. After a successful connection I want to reverse the process and try to come back from my client laptop (192.168.0.51 to 192.168.254.221). I use Remote Admin v2.2 (port 4899) to remote control my systems and hope to use it back and forth between the networks.

The route should be 192.168.254.221 (Desktop) ->192.168.254.219->ISA2004->192.168.1.2->192.168.1.1 (ActionTec LAN) -> 192.168.1.7 (Linksys WAN) ->192.168.0.1 (Linksys LAN) -> 192.168.0.3 (Win2003 server)

C:\>ipconfig /all
Windows IP Configuration
        Host Name . . . . . . . . . . . . : CLIENTHOST
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : Yes

Ethernet adapter CLIENTHOST:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) 82562V 10/100 Network Connection
        Physical Address. . . . . . . . . : xxxxxxxxxxxxx
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.254.221
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.254.219
        DNS Servers . . . . . . . . . . . : 192.168.254.219
        Primary WINS Server . . . . . . . : 192.168.254.219

Ethernet adapter BlueTooth PAN:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Bluetooth PAN Network Adapter
        Physical Address. . . . . . . . . :  xxxxxxxxxxxxxxxxxxxx
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.254.226
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.254.219
        DNS Servers . . . . . . . . . . . : 192.168.254.219

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 f3 36 fe f0 ...... Intel(R) 82562V 10/100 Network Connection - Packet Scheduler Miniport
0x3 ...00 11 67 1a a1 a6 ...... Bluetooth PAN Network Adapter - Packet Scheduler Miniport
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.254.219  192.168.254.226      40
          0.0.0.0          0.0.0.0  192.168.254.219  192.168.254.221      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.254.0    255.255.255.0  192.168.254.221  192.168.254.221      20
    192.168.254.0    255.255.255.0  192.168.254.226  192.168.254.226      40
  192.168.254.221  255.255.255.255        127.0.0.1       127.0.0.1               20
  192.168.254.226  255.255.255.255        127.0.0.1       127.0.0.1               40
  192.168.254.255  255.255.255.255  192.168.254.221  192.168.254.221  20
  192.168.254.255  255.255.255.255  192.168.254.226  192.168.254.226  40
        224.0.0.0        240.0.0.0  192.168.254.221  192.168.254.221              20
        224.0.0.0        240.0.0.0  192.168.254.226  192.168.254.226      40
  255.255.255.255  255.255.255.255  192.168.254.221  192.168.254.221      1
  255.255.255.255  255.255.255.255  192.168.254.226  192.168.254.226      1
Default Gateway:   192.168.254.219
===========================================================================
Persistent Routes:
  None
C:\>route add 192.168.1.2 mask 255.255.255.255 192.168.254.219 metric 20
C:\>route add 192.168.1.1 mask 255.255.255.255 192.168.1.2 metric 20
The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine.

Author Comment

by: searcygr
I'm having trouble getting the Visio emailed to you. Got a Recipient address rejected this time...

Author Comment

by: searcygr
Just cleaned ISA2004 of all my networks and network sets that I added since I began this saga.  I then made changes to ISA2004 Configuration/Networks/Internal.  

I added the additional network ranges so that Internal is now: 192.168.0.0-192.168.0.254, 192.168.1.0-192.168.1.254 and 192.168.254.0-192.168.254.254 and now the three networks are viewed as Internal.  

I still cannot ping from 192.168.254.219 to 192.168.1.1 but now it seems to be a routing issue instead of an ISA2004 issue.

I will now stop all changes until you have a chance to review & make suggestions. Thanks for your patience & assistance.

Author Comment

by: searcygr
The simple change I made to ISA2004 has made a big difference. I can now ping:

From 192.168.254.219/192.168.1.2 SBS 2003 server
     to (192.168.1.1/7) (192.168.0.1/3/51/52)
From 192.168.0.3 Win2003 Server
     to 192.168.0.x (any address on subnet)
     to 192.168.1.1/7
     but NOT 192.168.1.2 (ISA 2004 doesn't show this incoming traffic)

I cannot ping from any client past its associated Domain Server.

From client 192.168.0.51/52 (not sure what metric is being used), I can ping:
      192.168.0.1/3 (Linksys LAN/Win2003 Server)
      192.168.1.1/7 (ActionTec LAN/Linksys WAN)
      but NOT 192.168.1.2 (ISA2004 Local Host)

From client 192.168.254.221 I can ping:
      192.168.254.x (any address on subnet)
      192.168.1.2 (ISA 2004 local host)
       but not 192.168.1.1 (ActionTec LAN)

Expert Comment

by: Keith Alabaster
Checked your diag. I think I have it clear but it's quite late here in the UK now. I will re-read it in the AM and post up; if I do it now I know I will miss something.

Author Comment

by: searcygr
Thanks. I am making headway. Clearing up ISA2004 helped a lot & seemed to have removed it from the equation. It appears to be routing issues now...

Author Comment

by: searcygr
I am working on client 192.168.254.221.  I can ping 192.168.254.219 & 192.168.1.2 (NIC1/2 in SBS 2003 Server).  I see that my pings to 192.168.1.1 & 192.168.0.3 are being blocked by the ActionTec router.
The incoming ping is accepted but the outgoing one is blocked. The documentation I have on the ActionTec doesn't assist me in solving this problem. However, the routing appears to be working.
Security log on the ActionTec:
Apr 6 08:15:53 2007 Outbound Traffic Blocked - NAT out failed ICMP type 0 code 0 192.168.0.3->192.168.254.221 on ixp0
Apr 6 08:15:53 2007 Inbound Traffic Accepted - Advanced Filter Rule ICMP type 8 code 0 192.168.254.221->192.168.0.3 on br0

Accepted Solution

by: Keith Alabaster (earned 500 total points)
Understood.

The basis of the problem though from what I can see is the NATing, i.e. the changing of the addresses used as the traffic leaves the external interface to protect the internal IP address of the client. I have had a similar issue previously with two ISA servers. Each protected their own domain but the two groups also needed to share information whilst still using the single internet router/firewall. What we did to get around it was to create a VPN connection between the outside NIC of each ISA server so that internally they were the same system but controlled by the necessary access control/firewall policy rules, but from outside they were two completely separate entities. I am just looking through one of the user guides to see how to approach this.

Very neat set up by the way.

Assisted Solution

by: Keith Alabaster (earned 500 total points)
PS, I still don't like the two gateways on the w2003 box; these cards really should be teamed together so they present a single IP (i.e. neither card has an IP address or gateway, but you assign the address and the gateway to the teamed/virtual card it creates). This gives you twice the throughput to that server as it balances the traffic over both cards.

Author Comment

by: searcygr
Thanks. My neighbor told me I have more computing power & a better setup than their testing group.  
%^)
I am currently trying to set up Port Forwarding rules for ICMP echo replies & also Outbound rules. Nothing I have tried works so far. I believe once I get this ActionTec router set up properly (if possible) my communication problem will be resolved and I will be able to do what I want.

BTW, I have 3 IP addresses that I can ping from my SBS2003 server that shouldn't exist (nor can I find the devices on my network). However, that is another question to create once this is resolved.

Author Comment

by: searcygr
Interesting about the 2 NICS teaming. I don't have a clue how to do that and one nic is disabled. A good portion of my network is gigabit, but I have the gigabit card disabled on the Win2003 server since my second LAN isn't gigabit capable (the ActionTec & Linksys max out at 100mb).

Expert Comment

by: Keith Alabaster
Hit me with the addresses. I might as well see if I can enlighten you whilst I am reading.

Author Comment

by: searcygr
The SBS2003 Routing table (route print) shows:
169.254.0.0 255.255.0.0 192.168.1.2 192.168.1.2 Metric 1

ISA2004 log shows constant denied connections from 169.254.1.240 to External 255.255.255.255 port 21302. A scan for IPs on SBS2003 shows 169.254.1.161/234/240. As far as I can tell, there are no physical devices associated with these addresses.

The 169.254.1.xxx IPs may be associated with the 3 FIOS cable Boxes that also route through the ActionTec.  I haven't had time to try & hook into these boxes to determine their IP setup.  However, Verizon did confirm the 192.168.1.100-102 IPs when I went tracking them down. I don't like unknown IPs on my network... I would like to do these types of things as separate questions so you can get the points!   %^)

Expert Comment

by: Keith Alabaster
George, 169.254.x.y are the addresses assigned as part of APIPA. For example, if you have a card set for DHCP but it cannot find a DHCP server for that NIC, MS assigns these addresses to the card instead. That is saying there are three NICs somewhere in the setup that are configured for DHCP but cannot see a DHCP server. The fact that you have three different IPs suggests that all three NICs are in the same broadcast area; if they were not they would have each got the same IP address.

Thanks for the thought but personally the points are just fun. There is no 'reward' for points gained, for example; it's a plaything to check against your peers is all. I have to say that some do take it more seriously than others lol.

Author Comment

by: searcygr
Interesting.  When I open Network Connections on the SBS 2003, I see 2 (both connected, 1 WAN & 1 LAN).  I don't see another network card listed (for example, on some of my systems I see 1394 Connection which I disable since I don't use that feature on my systems).
I temporarily enabled the 1394 connection on my 192.168.254.221 desktop, set its IP/DNS to be valid and then disabled it again.

The 169.254.1.240 IP uses port 21302 twice per minute (10 second interval) and then again in 3 minutes. It does this constantly 24 hours a day.

Why don't I see this network device listed in Network Connections?

Expert Comment

by: Keith Alabaster
Do an ipconfig /all from a cmd prompt - see anything?
In Device Manager, is it set to show hidden devices?

Author Comment

by: searcygr
Wow. Show Hidden listed a LOT of Network Adapters. Primarily WAN Miniport (IP, L2TP, Network Monitor, PPPOE, PPTP), a Direct Parallel & a Westell WireSpeed Dual Connect Modem (Packet Scheduler Miniport).

Author Comment

by: searcygr
I replaced the Netgear FVS114 with a Sonicwall SOHO3 that I quit using a long time ago.  It gives me the flexibility to do what needs to be done and is a superior firewall to the FVS114. Everything else in my Network Diagram previously sent is exactly the same (except MAC addresses, of course).  

I was able to ping 192.168.254.221 (client) from 192.168.0.11 (Win2003 Enterprise Server) so routing is occurring. I can also use RAdmin from my wireless (192.168.1.51) to all my systems.

The only issue I have left is getting to 192.168.1.51 (wireless laptop) from 192.168.0.11 (Win2003 ES) via the Linksys WRT54GS (WAN 192.168.0.50, LAN 192.168.1.51).

However, I do believe we have success! Thanks much for all your help.

Author Comment

by: searcygr
BTW, do you have any suggestions on sites/reading that would fully explain static routing for Windows? Most of what I have encountered is for Unix and doesn't have very good examples, particularly for multiple private LANS & external WANs.

Expert Comment

by: Keith Alabaster
What do you want to know George? Is it specifically static routing or routing & routing protocols in general?

Author Comment

by: searcygr
Static Routing tops the list.  I would like to know how to setup static routes in Windows with good networking examples.  For example:

If I want to setup a static route (192.168.0.11) to access a wireless laptop (192.168.1.51) that has an intervening router (LAN: 192.168.1.50 WAN: 192.168.0.50), would I be correct to add the following route on 192.168.0.11:
c:> route add 192.168.1.51 mask 255.255.255.255 192.168.0.50 metric 20  
(metric determined from route print showing the correct NIC to use?)

The more routers between destination 1 and destination 2, the more confusing (to me) of how to create the appropriate static routes (what machine they should be done on, what entries should be made, etc.)

Beyond that knowledge is the routing protocols (RIP) and how routing in general works. I have several O'Reilly books (including DNS & BIND and TCP/IP Networking) but their explanations/examples are geared towards UNIX and simply didn't help that much.

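An added example, not from the thread, that models the two questions the thread leaves open: why the ActionTec logged "NAT out failed" on the echo reply, and why a `route add` with an off-subnet gateway is rejected. It is a hop-by-hop forwarding simulator built on the thread's own addresses (client 192.168.254.221, SBS/ISA 192.168.254.219 and 192.168.1.2, ActionTec 192.168.1.1, second firewall 192.168.1.7/192.168.0.1, Win2003 192.168.0.3); the routing tables, the ISP next hop 203.0.113.1, and the assumption that ISA routes rather than NATs these ranges are constructed.

```python
import ipaddress


class Node:
    """One host or router: its interface addresses and a static routing table."""

    def __init__(self, name, ifaces, routes):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in ifaces]
        # routes: (prefix, gateway); gateway None means "directly connected"
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(g) if g else None)
                       for p, g in routes]

    def has_address(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def on_link(self, ip):
        return any(ip in i.network for i in self.ifaces)

    def lookup(self, dst):
        """Longest-prefix match, the rule every 'route print' table is consulted by."""
        hits = [(n, g) for n, g in self.routes if dst in n]
        return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def validate_static_route(node, gateway):
    """The check behind Windows' 'gateway does not lie on the same network as the
    interface' error: a static route's next hop must be on a connected subnet."""
    return node.on_link(ipaddress.ip_address(gateway))


def trace(nodes, src, dst):
    """Forward one packet hop by hop; returns (outcome, names of nodes visited)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    by_addr = {i.ip: n for n in nodes for i in n.ifaces}
    node, path = by_addr[src], []
    for _ in range(16):                      # TTL-style guard against loops
        path.append(node.name)
        if node.has_address(dst):
            return "delivered", path
        hit = node.lookup(dst)
        if hit is None:
            return "no route", path
        _net, gw = hit
        nxt = dst if gw is None else gw
        if nxt not in by_addr:
            # Next hop is outside the model, i.e. the default route toward the ISP.
            # A private destination leaving the WAN side is what the ActionTec
            # logged as "Outbound Traffic Blocked - NAT out failed".
            return ("nat out failed" if dst.is_private else "to internet"), path
        node = by_addr[nxt]
    return "loop", path


def build_lab(actiontec_route_to_lan1=False):
    """Thread topology (constructed tables). Assumed: the ActionTec already reaches
    192.168.0.0/24 via the second firewall (the request in the log did arrive) but
    has no route back to 192.168.254.0/24 until the flag adds one via 192.168.1.2."""
    actiontec = [("0.0.0.0/0", "203.0.113.1"),          # constructed ISP next hop
                 ("192.168.1.0/24", None), ("192.168.0.0/24", "192.168.1.7")]
    if actiontec_route_to_lan1:
        actiontec.append(("192.168.254.0/24", "192.168.1.2"))
    return [
        Node("client", ["192.168.254.221/24"],
             [("0.0.0.0/0", "192.168.254.219"), ("192.168.254.0/24", None)]),
        Node("sbs-isa", ["192.168.254.219/24", "192.168.1.2/24"],
             [("0.0.0.0/0", "192.168.1.1"), ("192.168.254.0/24", None),
              ("192.168.1.0/24", None)]),
        Node("actiontec", ["192.168.1.1/24"], actiontec),
        Node("fw2", ["192.168.1.7/24", "192.168.0.1/24"],
             [("0.0.0.0/0", "192.168.1.1"), ("192.168.1.0/24", None),
              ("192.168.0.0/24", None)]),
        Node("win2003", ["192.168.0.3/24"],
             [("0.0.0.0/0", "192.168.0.1"), ("192.168.0.0/24", None)]),
    ]
```

Running `trace(build_lab(), "192.168.0.3", "192.168.254.221")` reproduces the asymmetric failure (request delivered, reply sent to the WAN), and `build_lab(True)` shows the return route that fixes it; `validate_static_route(lab[0], "192.168.1.2")` is the client's rejected `route add`.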