Routing between two networks, ISA gateway

Please point me in the right direction if I'm not posting this right but here goes...  
I'm currently administering a small office network, roughly 4 servers and 50 machines.  
The four servers are as follows: 2 DCs, 1 Exchange, 1 ISA server.  
All the servers except the exchange server are multi homed (I just started this job and inherited this mess).  
There are two internal networks, 10.8.x.x is our main internal network which we use for clients, printers, etc, and there is another internal network 192.168.x.x which the servers are multi-homed to and this network also has our watchguard firebox and router.  
We are using the ISA server as the gateway with two nics with the addresses of (internal side) and (external side).  
We also have two small remote sites (5-7 users each) with an active VPN connection to our firebox, but the traffic is not being routed from the 10.x network to the 192.x network in any way so it makes it impossible for me to manage any of the remote machines without logging onto the ISA server and in addition they have problems communicating with the domain because of this.  
I'm more of a deployment guy, so help steer me in the right direction with what I need to do to get traffic routed between these two networks?  
RRAS is installed on the ISA server but doesn't appear to be doing a whole lot.  
Thanks in advance and let me know if you need any more info!
Can you dump the settings (minus any sensitive data) of the Firebox so we can get an idea of how it is handling traffic? That could be a dump of the telnet session into it, or a screen capture (or several) of the UI.
Hi jmtoman,

Are you familiar with route.exe? I think you can just use a static route to be able to access remote connections via the 10.x network.

Check out route /?

Good luck, let me know if you need more info.
jmtomanAuthor Commented:
Here is the main splash of the firebox attached... let me know if you need anything else.  Where would I run that route.exe command? The gateway server?
jmtomanAuthor Commented:
I typed a long comment and then accidentally hit back in my browser... some expert eh? =P

So basically on that Routes screen you need to add two routes.

The first route will say to get to the / network you have to go to

The other will say to get to the / network you have to go to

Once you hit "Add..." in the Routes window you should be able to figure it out based on the numbers I gave you, if not just post a screen shot of it and we can work through it.

On a side note (one I am sure you are aware of) this network setup is FUBAR. How many users are you supporting? Who set up such a convoluted mess? Your boss should up your pay if you are having to untangle this web. If you get to the point of trying to get the network consolidated and back in shape please post back and everyone over here would be happy to help.
jmtomanAuthor Commented:
Yeah the network is severely fubared beyond what you can see.  No naming scheme, no licensing (which means no imaging), GPOs all over the place, static IPs for every device on the network, multi-homed servers, incorrectly configured DNS, about 4 different backup solutions (aka backup exec for one server, arc serve for another instead of centralized backup).  No spam filter for email... there were two IT guys before me in this position who, from all the reading I've done on their documentation, had not a clue about much.  I support roughly 70 users, 40 here at the main site, and the rest spread between two soho sites.  Imagine my aggravation when trying to remotely support users who I can't connect to very easily.

Do you think adding these routes will require a reboot of the firebox or can it be done on the fly?
It shouldn't require a reboot.

That sucks man, there is nothing worse than inheriting a shitty network.
jmtomanAuthor Commented:
Ok few more questions, before I make this change, will I have to do anything on the remote soho boxes?  Also, the address doesn't appear to be active.  I know it states that under optional network but is this correct?  And since the remote site is on 192.168.100.x respectively wouldn't I use instead?  Sorry for my ignorance, I'm still new with ip/routing/etc

Try to think about it like this:

If a client can resolve a name to an IP address it has to have routing to that IP address. If the address is in the same subnet (I.E. and then this isn't a problem, as they can communicate directly.

If the IP address is not on the same network (for example when your browser resolves it uses the DEFAULT GATEWAY. It is basically saying "I can't see the IP, but my network card says for everything I can't see, send the packets to <DEFAULT GATEWAY ADDRESS>". The default gateway then does the same thing, defaulting out until it hits a router that has a path to the network you want.

So if the remote site's clients have the default gateway that is pointing toward their modem out to the internet they will not be able to see any of your network's internal IP addresses EXCEPT THE NETWORK that is defined in the persistent VPN connection because the firebox has routing rules that know how to route packets DESTINED for that particular network.

So if remote site A has a persistent VPN connection with a 192.168.100.X address scheme it will only know how to get out to the internet (via the default gateway) and how to get to the 192.168.100.x network. If you want it to be able to get to your 10.1.x.x network or your other 192.168.x.x network then you have to put a rule on the Firebox in the remote office that says "Hey, if you want to go to anything in the network, you have to go out THIS address (the VPN's gateway) and NOT your default gateway."

This is a routing rule. I don't know if my explanation makes sense or not...

Network Routing Basics:

Understanding IP Routing Tables:
jmtomanAuthor Commented:
Thanks for all the help, that makes things a bit more understandable.  Now what I'm gathering here is the Optional portion of the watchguard config is basically another word for DMZ?  It seems as if this network created its own ghetto dmz by multi-homing all the servers.  So with that being said and assuming I can't fix any of that would I still use that address?  It doesn't look like it is even active in the options box and I certainly can't get to it.  The firebox at the other end however is using the optional network portion with; I post the option settings down below
Holy sh*t man. Can you give us the address of the former IT guy(s) so we can beat them to death with these Firewatch boxes?

From Watchguard's site RE: Optional Networks:

"A network architecture used by an organization that wants to host its own Internet services without allowing unauthorized access to its private network. Typically, the Optional network contains devices accessible to public Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers. Access from the Optional network to the Trusted network can then be appropriately restricted by the firewall. For that reason, some refer to the Optional network as a "semi-public" network. "

So yes, it appears to be their term for "DMZ".

Perhaps it would be worthwhile if you could use Visio to map out the network layout so we can look at it in a contextual sense. Do you have Visio?
jmtomanAuthor Commented:
Yeah I have Visio, I'll have to post everything on Monday since this will probably take me a few hours to put together.  And yes I'd like to "talk" to anyone who had a hand in actually designing this network.
I am around on the weekend, although I may not be so quick to reply. So if you get done and it's past the end of day, post it up and I will get back to you in a few hours (don't sleep a whole lot).
Hi jmtoman,

My apology, I assumed you were using Windows 2003 or 2000 on a server as a gateway for your networks (where you can use route.exe to add static routes).

I agree with dfxdeimos, a simple visio diagram would help a lot.
jmtomanAuthor Commented:
Yeah I should have explained everything a bit more clearly.  Tomorrow I should be able to get the Visio diagrams up so you guys get a better picture of what I'm working with.
Cool, I will be waiting for your reply.
jmtomanAuthor Commented:
Here are the two internal diagrams, and we have one of the outside if you need it, I actually found these and they are old, but it's basically the same just a few external IPs may be different.  One thing I've found is I have at least 1 extra firebox x5 sitting around, so if we need to completely reconfigure any of these I at least have that going for me.  In the diagrams you can see the CSCSERVER is connected directly to the firebox; this server is multi homed on the 192.168.x network and is the only server I can use to access the remote fireboxes or ping the remote workstations.  The CELTIC-X902834092 server is also on the 192.168 network but can only ping the CSCSERVER and not any remote workstations.
jmtomanAuthor Commented:
One more thing, in the first picture it shows the firebox being connected to a secondary dsl line, which doesn't exist anymore.  The firebox is connected directly to the 'external' switch that comes off the cisco router.  I've confirmed that our remote office uses 2 applications that are hosted on that cscserver and they access via the secondary nic/192.168 network over the vpn.  
BTW I can't seem to find a way to edit my old posts?
Ok, so what you are going to have to do at each branch location is create a route for each network that isn't connected to it.

So first you have to define what all your networks are:

192.168.1.x /
10.1.x.x /

Then define what you can reach and what you can't reach on a per site basis:

192.168.1.x /
10.1.x.x /

10.16.x.x /

Once you list that out I can tell you how many routes you are going to have to create.
jmtomanAuthor Commented:

Main site: 10.8.x.x/
Remote site: 192.168.100.x/

Let's assume we are starting from scratch though.  I have an extra Firebox X5 I will use at my main site, and I also have an extra Watchguard SOHO6 I will use at my remote site.  I'm not going to use the DMZ portion of either box since they really aren't in use right now.  I will be assigning to my Firebox X5 for use in the main office, and I will leave the address for my remote SOHO.

So here is what I think it should look like after I configure it:

(Main office) <-> External/ (Remote)

I'm assuming the routes will be easier to create without the 192.168 network in place at my main site, and also without the DMZ portion enabled at my soho
Yes, they will be much easier to make once you have 1 network per site.

Once you have that setup, you will only have to create a route on each of the remote sites so data can flow to the other (since they aren't directly linked).

Also, if you can I would get rid of that 10.8.x.x networking scheme. It is technically a private IP address, but if you have less than 253 devices that are going to need network addresses then it is overkill.

Something like:

Main Office: - .254 /
Remote Office 1: - 254 /
Remote Office 2: - 254 /

would be ideal for ease of management and routing.
jmtomanAuthor Commented:
I agree with the 10.8.x.x being overkill, and have already somewhat planned on getting rid of it (after they let me get rid of ISA server, and use DHCP).  Ok so I have configured an identical Firebox for my main site here with the IP  Now if I read what you said correctly you're saying I won't need to actually put a static route in watchguard boxes after I reconfigure to not use the DMZ?

I have my new Firebox configured with the following route:
Type: Network
Address: (remote lan)
Gateway: (ip of main firebox)

Now with these fireboxes, do you know if there will be any adverse effect if I simply turn off the DMZ on my soho site?
You will only need to put a static route in for the remote sites to be able to route to each other (as they aren't directly connected via VPN).

------------------------------          ----------------------------------          -----------------------------------
|        Remote 1            |          |            MAIN SITE           |          |            Remote 2             |
|      192.168.2.X           |==========|             10.8.X.X           |==========|           192.168.3.X           |
------------------------------          ----------------------------------          -----------------------------------

= EQUALS Persistent VPN Connection

So you can see here that with Remote Site 1 connected to the MAIN SITE via a VPN you will have routing between the two. You can also see that with Remote Site 2 connected to the MAIN SITE via a VPN you will have routing between those two.

So all you would have to do (if the two remote sites needed to communicate) is add a route on Remote Site 1's Router that says to get to Remote Site 2's addresses go through the main site and vice versa (Site 2 to Site 1).

Which site is the SOHO that you want to disable the DMZ on?
jmtomanAuthor Commented:
It's the site I have listed as remote-optional on the picture.  They are using the 192.168.100.x network.  They have the DMZ option enabled, all I want to do is disable it so it's not in use, I just want to make sure it shouldn't cause any issues by simply disabling it.  For the heck of it, I threw in an old diagram of that site, not that it provides any useful information.  And ignore the static IPs on the clients, they're going to be put on DHCP

BTW - thanks for all the help you've given me with my many questions.  I've def got a much better handle on things after talking it over and looking over things.
Glad you feel more comfortable with the concepts. =]

You should be able to disable the DMZ without issue (Provided there are no operating devices within whatever its address space is).
jmtomanAuthor Commented:
That's what I figured.  I'm going to implement all these changes tomorrow morning and I'll report back to let you know if it's all working.  Again, thanks for all the help.
Yeah, no worries, glad I could be helpful.

Make sure you record all the settings (or back up the configs) of the items you change. =]
Any luck?
jmtomanAuthor Commented:
Well I ended up being out sick yesterday so I got to try it this morning.  Sad to say it didn't work.  Is there something I have to manually do to reestablish a new VPN connection or something?  As soon as I plugged in my other firebox the connection came right back.  It must be a config issue on their side or mine...
If you pulled a firebox and put one in its place then you will have to re-establish the VPN connection based on the settings on the now gone firebox. Mirror those VPN settings onto the new device.
jmtomanAuthor Commented:
I mirrored all the settings exactly as the one I replaced.  Do I literally have to find an option that says 'establish vpn link' or something along those lines?
You *may* have to. I am not familiar with the Firebox specifically, but I would look for the VPN settings area and triple check all those settings.
jmtomanAuthor Commented:
Well, I'm at a loss.  I rechecked all the settings, and plugged the watchguard back in.  It actually shows the tunnel active, although the data it displays is a bit different than it was before.  So it seems like it may be active but I just can't get to the remote network?
What happens when you try to PING an IP address that is across the VPN tunnel? TRACERT?
jmtomanAuthor Commented:
Well, I did the tracert and of course it used my ISA server as gateway which is why I couldn't get to the other network.  For testing I changed my gateway to the IP of the firebox and instantly I was able to get to the 192 network.  So I'm assuming now, I have to add a network route on the isa server (gateway) that says for use (firebox)?
jmtomanAuthor Commented:
Well I added a static route on my ISA server.  It is setup for: Network: 192.168.100.x/ Gateway: (firebox) NIC: Internal

Still didn't work.  I'm assuming this means I'll have to add a similar static route on the remote firebox for the data to get back correctly?
Yes, the data needs a return path.
jmtomanAuthor Commented:
Well I've got a static route configured on my ISA server and a static route configured on the remote firebox.  I still can't get to the remote network unless I statically tell my machine to use my local firebox as the gateway.  Tracert on the remote IP shows it trying to go out through my ISA server even though I've defined a route for the remote network to use my firebox as the gateway.  I'm stumped and there must be something I'm missing here
Hmm... can you submit a "Request for Attention" and note that the person who was helping you with the question (me) would like someone else with more networking / routing experience to come in and take a look at your situation?

In the meantime, can you open a command prompt on the ISA server and type "route print" and then post the output here.
jmtomanAuthor Commented:
IPv4 Route Table
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 14 c2 44 f3 0c ...... Intel(R) PRO/1000 MT Network Connection
0x10004 ...00 14 38 b9 a0 d4 ...... HP NC1020 ProLiant Gigabit Server Adapter 32
Active Routes:
Network Destination              Netmask          Gateway            Interface           Metric
                     20                 20     10             10     10
                        1                1
               10                 1      1
Default Gateway:
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric       1

How do I submit the request for attention?  I couldn't find the option anywhere.
In the body of the question (at the top of this page) right above the "Translate:" box.

Also, I am somewhat confused. What is the address of the network you are currently on and the one that you can't get to?
jmtomanAuthor Commented:
Address I'm currently on is, Remote network is, VPN connection is active.
Ok, the applicable route should be:                10 (change the weight from 1 to 10)

So let us confirm that "" is the IP address of the Firebox and "" is the interface on the ISA server that can contact the Firebox.

You also will need a route on the remote site that says:                  <IP ADDRESS OF FIREBOX> <IP ADDRESS OF INTERFACE> 10

Perhaps you should read through this:

to make sure we are all on the same page as to how the route structure works.
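The two explanations above (a host forwards anything outside its own subnet to the default gateway unless a more specific route exists, and among routes for the same prefix the metric decides) can be exercised in code. The example below is added here and is not code from the thread or from Windows/ISA; every address in it is a constructed placeholder, since the thread's real addresses were stripped, and the host names CLIENT, ISA and FIREBOX are assumptions. It models the thread's situation: before the static route, a packet for the remote LAN leaves the ISA server towards the Internet; after it, the packet is handed to the Firebox.

```python
"""Longest-prefix-match forwarding over small Windows-style routing tables.

Added example, not code from the thread. Every address is a constructed
placeholder (the thread's real addresses were stripped); the host names
CLIENT, ISA and FIREBOX are assumptions.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    destination: Net   # e.g. 192.168.100.0/24; 0.0.0.0/0 is the default route
    gateway: IPv4      # next hop; equal to interface for an on-link route
    interface: IPv4    # address of the local NIC the packet leaves on
    metric: int


def lookup(table, dst):
    """Pick the route a host uses for dst: longest prefix, then lowest metric."""
    dst = IPv4(dst)
    matches = [r for r in table if dst in r.destination]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.destination.prefixlen, r.metric))


def next_hop(table, dst):
    """Gateway a host hands the packet to, as a string, or None if unroutable."""
    route = lookup(table, dst)
    return None if route is None else str(route.gateway)


def trace(tables, start, dst, max_hops=8):
    """Follow the forwarding decision hop by hop, a simplified tracert.

    tables maps a hop address (string) to its routing table. The result ends
    with dst if it was reached, or with None when a hop has no usable route
    or forwards to something outside the model (e.g. the ISP router).
    """
    hops, here = [start], start
    for _ in range(max_hops):
        route = lookup(tables[here], dst)
        if route is None:
            return hops + [None]
        if route.gateway == route.interface:        # on-link: deliver directly
            return hops + [str(dst)]
        here = str(route.gateway)
        hops.append(here)
        if here not in tables:
            return hops + [None]
    return hops


# Constructed topology: main LAN 10.8.0.0/16 with the ISA internal NIC at
# 10.8.0.1 and the Firebox trusted NIC at 10.8.0.2; the remote LAN
# 192.168.100.0/24 sits behind the Firebox's VPN tunnel.
CLIENT, ISA, FIREBOX = IPv4("10.8.0.50"), IPv4("10.8.0.1"), IPv4("10.8.0.2")
ISA_EXT, ISP = IPv4("203.0.113.10"), IPv4("203.0.113.1")
MAIN, REMOTE, ANY = Net("10.8.0.0/16"), Net("192.168.100.0/24"), Net("0.0.0.0/0")

CLIENT_TABLE = [Route(MAIN, CLIENT, CLIENT, 20), Route(ANY, ISA, CLIENT, 20)]
ISA_BEFORE = [Route(MAIN, ISA, ISA, 10), Route(ANY, ISP, ISA_EXT, 10)]
# The fix from the thread: a static route on the gateway pointing the remote
# LAN at the Firebox rather than at the default (Internet) gateway.
ISA_AFTER = ISA_BEFORE + [Route(REMOTE, FIREBOX, ISA, 10)]
# Two routes for the same prefix: the lower metric wins.
ISA_TIE = ISA_AFTER + [Route(REMOTE, ISP, ISA_EXT, 30)]
# The Firebox reaches the remote LAN through its tunnel, modelled here as on-link.
FIREBOX_TABLE = [Route(MAIN, FIREBOX, FIREBOX, 1), Route(REMOTE, FIREBOX, FIREBOX, 1)]


def path(isa_table, dst="192.168.100.10"):
    """Hops a client packet takes for dst given a particular ISA routing table."""
    tables = {str(CLIENT): CLIENT_TABLE, str(ISA): isa_table, str(FIREBOX): FIREBOX_TABLE}
    return trace(tables, str(CLIENT), dst)


if __name__ == "__main__":
    print("before:", path(ISA_BEFORE))   # client -> ISA -> ISP -> None
    print("after: ", path(ISA_AFTER))    # client -> ISA -> Firebox -> remote host
    print("tie:   ", next_hop(ISA_TIE, "192.168.100.10"))   # 10.8.0.2
```

Running the same trace from the remote side with its own tables shows the other half of the problem raised later in the thread: replies need a return route, so the remote Firebox must also know that the main LAN is reachable through the tunnel, otherwise the echo request arrives but the reply goes to the remote site's default gateway.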
jmtomanAuthor Commented:
I actually just read that article earlier, that's kinda funny.  About the only thing I changed was the metric from 1 to 10.  On the remote site, there is no section to choose an interface or metric since the static route is defined on the firebox.  It is just Network Route: Gateway:

My brain is stuck. Did you submit the request for attention?
jmtomanAuthor Commented:
Yeah I did.  Again I appreciate all the help you've given me.  I'm almost thinking I may try to eliminate the firebox on my side altogether and do the site to site vpn from my ISA server to the firebox at the remote site.
That may make sense, just eliminate the complexity.
Keith AlabasterEnterprise ArchitectCommented:
Crikey - what a mess. Vic, it will take me a bit of time to read through all the posts and the attachments and get up to speed with this but I'll take it on. I'll also add it to the ISA TA area.

jmtomanAuthor Commented:
Not sure if anyone is still reading up on this, but my situation has somewhat changed since the beginning of the thread.  I was at first trying to run my network with two gateways.  Now I'm simply dealing with a VPN Site-to-Site connection between ISA/Watchguard.  I've actually got the tunnel active, just having issues getting the traffic across now.  Maybe I can update this thread with all the important information, or create a new one?
Yeah, I am still watching. I was waiting for another comment. Perhaps a new thread would be in order... it may get more attention.
Keith AlabasterEnterprise ArchitectCommented:
Yes - still here. If you have more info, please post it. Just got up - it's now 5.25AM. When I get home from work, I'll post.
jmtomanAuthor Commented:
Well my situation has changed drastically and I decided to simplify everything.  So now I'm dealing with a Site-to-Site VPN from ISA Server 2004 to a Watchguard X5.  It seems like the tunnel is active (according to firebox) but when I try to ping from ISA server I get "Negotiating IP Security".  My guess is it is some type of setting I'm missing.  Below I'll post all the settings from both machines:

Local Network:
Remote Network:

ISA Server Settings:
Local Tunnel Endpoint: xx.xx.xx.xx
Remote Tunnel Endpoint: xx.xx.xx.xx
To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.
IKE Phase I Parameters:
   Mode: Main mode
   Encryption: DES
   Integrity: SHA1
   Diffie-Hellman group: Group 1 (768 bit)
   Authentication method: Pre-shared secret (Cardinal1)
   Security Association lifetime: 28000 seconds
IKE Phase II Parameters:
   Mode: ESP tunnel mode
   Encryption: 3DES
   Integrity: SHA1
   Perfect Forward Secrecy: OFF
   Diffie-Hellman group: Group 2 (1024 bit)
   Time rekeying: ON
   Security Association lifetime: 3600 seconds
   Kbyte rekeying: ON
   Rekey after sending: 28000 Kbytes
Remote Network 'TINLEY-PALOS' IP Subnets:
Local Network 'Internal' IP Subnets:

Watchguard X5 Settings:
Local IP: xx.xx.xx.xx
Remote IP: xx.xx.xx.xx

Authentication Algorithm: SHA1-HMAC
Encryption Algorithm: DES-CBC
Negotiation expiration in kilobytes: 0
Negotiation expiration in hours: 24
Diffie-Hellman Group: 1
Generate IKE Keep Alive Messages: Yes

Phase 2 Settings:
Authentication Algorithm: SHA1-HMAC
Encryption Algorithm: 3DES-CBC
Enable Perfect Forward Secrecy: No
Key expiration in kilobytes: 28000
Key expiration in hours: 24
Local Network:
Remote Network:
jmtomanAuthor Commented:
I just looked in the event viewer and I am getting this error now:

ISA Server detected routes through the network adapter External Network (Internet) that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters:;;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

So apparently it's a route/network setting somewhere on the ISA server.  I just have no clue where to look now.
I would post a new question with your current situation, as people may be hesitant to jump in on a discussion with 50+ threads.
jmtomanAuthor Commented:
Yeah I actually created a new question here:

I'm going to update it with the useful info and hopefully get some hits.
Keith AlabasterEnterprise ArchitectCommented:
OK - home now.

Looks like you have not included the network IDs and the broadcast addresses in your LAT tables - open the internal LAT on the ISA gui (Configuration - Networks - Internal - Addresses) and make sure you have the appropriate .0 and .255 addresses added to the ranges.
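The point above, and the ISA event quoted earlier about address ranges that are "not routable through any of the network's adapters", comes down to whether each internal subnet is covered from its network ID to its broadcast address by the ranges in the LAT. The checker below is added here and is not code from the thread or from ISA Server; the ranges and subnets in it are constructed placeholders. It reports the exact gaps between a list of (first, last) ranges and a subnet, so a range entered as .1 to .254 shows up as two one-address gaps, and it builds the corrected ranges.

```python
"""Find the addresses of a subnet that a list of address ranges does not cover.

Added example, not code from the thread or from ISA Server. The ranges and
subnets used below are constructed placeholders.
"""
import ipaddress

IPv4 = ipaddress.IPv4Address


def lat_gaps(ranges, subnet):
    """Return the (first, last) address spans of subnet not covered by ranges.

    ranges: iterable of (first, last) address strings, inclusive, any order.
    subnet: CIDR string such as "10.8.0.0/16".
    A range typed as .1 to .254 yields two gaps: the network ID and broadcast.
    """
    net = ipaddress.IPv4Network(subnet)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    spans = sorted((int(IPv4(a)), int(IPv4(b))) for a, b in ranges)
    gaps, cursor = [], lo            # cursor: first address not yet covered
    for a, b in spans:
        if b < cursor:               # range lies entirely before what we need
            continue
        if a > hi:                   # sorted, so nothing further can help
            break
        if a > cursor:               # uncovered stretch before this range
            gaps.append((str(IPv4(cursor)), str(IPv4(min(a - 1, hi)))))
        cursor = max(cursor, b + 1)
        if cursor > hi:
            break
    if cursor <= hi:                 # uncovered tail up to the broadcast address
        gaps.append((str(IPv4(cursor)), str(IPv4(hi))))
    return gaps


def corrected_ranges(subnets):
    """Ranges that cover each subnet whole, network ID through broadcast."""
    out = []
    for s in subnets:
        net = ipaddress.IPv4Network(s)
        out.append((str(net.network_address), str(net.broadcast_address)))
    return out


def audit(ranges, subnets):
    """Map each subnet to its gaps; an empty list means it is fully covered."""
    return {s: lat_gaps(ranges, s) for s in subnets}


if __name__ == "__main__":
    # Constructed: internal LAT entered as host ranges only, missing .0 and .255.
    lat = [("10.8.0.1", "10.8.255.254"), ("192.168.100.1", "192.168.100.254")]
    nets = ["10.8.0.0/16", "192.168.100.0/24"]
    for subnet, gaps in audit(lat, nets).items():
        print(subnet, "missing:", gaps)
    print("corrected:", corrected_ranges(nets))
```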
jmtomanAuthor Commented:
I apologize for the slow response but I was out of town.

Ok the tunnel is working now.  I can successfully ping and scan the remote network, however when I'm at the remote site I can't ping anything at my main site.  I can also remote desktop into a machine at my remote site using local credentials which also leads me to believe there is a DNS issue too.
Keith AlabasterEnterprise ArchitectCommented:
Have you added an access rule allowing protocols from vpn to internal?
What are you seeing in the ISA log monitor now?
jmtomanAuthor Commented:
I have two network rules (route) set, one that has internal as the source network with my remote site as destination, and one that has my remote site as the source with my internal site as the destination.

I'm not sure how to view any logs with ISA... is there anyway I can just export a list of all settings for you to look over?  That may make this easier.
jmtomanAuthor Commented:
Another thing I noticed is I can't ping the remote network from my ISA server, I get the response 'Negotiating IP Security'.  I can however ping from other machines on my internal network.
Keith AlabasterEnterprise ArchitectCommented:
Have you added localhost to the source and destination rules? ISA is not included within internal or external.
Have you amended the system policy rules?
jmtomanAuthor Commented:
Yeah I realized the problem with ISA pinging after I posted.  What do you mean by amended the system policy rules?

I've done some more tinkering and basically I still can only access resources by going from my main site to my remote site.  If I try to view shares, ping, etc from my remote site it just errors out/times out.  Firewall rule for pinging appears to be off, and there really isn't any rules limiting incoming traffic from my remote site.
Keith AlabasterEnterprise ArchitectCommented:
lol - you really don't know anything about ISA do you :)

Install Netmon 3.1 on ISA. You can get it from the MS web site in the downloads area.
Start a capture running and let's see what happens when you receive requests from the remote site. What traffic is arriving and which of those are not covered in your ISA rules.

jmtomanAuthor Commented:
Ok, installed and ran the network monitor twice.  Both files are coming in at 30 megs.  How do you want me to post the results?
Keith AlabasterEnterprise ArchitectCommented:
Wow - did you put a filter on to only capture data from a single ip address? This will make it much more manageable for you. Sorry, my fault for not pointing that out.
jmtomanAuthor Commented:
Well I filtered all the data from my capture earlier.  Honestly the only thing it shows is information from my exchange server going to the external IP of my remote site, which is strange because I was actually remoted into a machine over there during the time of the capture.  

It still seems like a firewall policy though; I added my remote network specifically under ping portion of system policy and now my remote site can ping my ISA server.  If I post up the XML for my firewall policy is there anyway you can view that?

And to answer your previous statement, I know NOTHING about ISA.
jmtomanAuthor Commented:
I hate to keep adding comments, but I can now ping any workstation and most of my servers from the remote site.  I can even view shared printers on my file server and do \\xx.xx.xx.xx and view installed printers, etc

I can't however ping or access my two domain controllers (which are also the DNS servers).  
Keith AlabasterEnterprise ArchitectCommented:
No problem, it wasn't a dig at you, just a statement. :)

The XML won't help and no, don't post your policy - dodgy thing to do here. you can see why I get all the ISA/IAG questions - they are rarely one-sentence answers and the majority of other experts get bored lol.

Can the DC's be resolved from the other site?

Keith AlabasterEnterprise ArchitectCommented:
What do you see different in the capture when a ping is made to the ISA box opposed to what you see when an attempt is made to ping the dc's?
jmtomanAuthor Commented:
Ok so I ran network monitor on both sides (remote and main).  I can see the echo requests and responses when pinging from my remote site to my ISA server and my workstation.  

I also ran network monitor on my ISA, and tried to ping my DC from my remote site.  I saw the echo request get across the tunnel, there was just no response back.

And I spoke too soon earlier, from my main site I can only scan roughly half the machines at my remote site, and from my remote site I can only scan roughly half the machines at my main site.  Weird =/
Keith AlabasterEnterprise ArchitectCommented:

Please provide the output from 'ipconfig /all' AND the output from a 'route print' on a working machine (that you can scan OK) and the same again from one that is not working as expected. Let's see if we have a difference in gateways, static routes.

The next step will be a process-walk - we are getting there :)

jmtomanAuthor Commented:
Well now I feel dumb.  I just realized that the only machines I can scan from both networks are the ones I've physically fixed and put on DHCP (they used static here prior to my arrival).  All of the machines were using my DC as the gateway and not my ISA server.. In fact both my DCs have the gateway set at the primary DC and not the ISA server.  In fact here is the ipconfig /all from my primary DC (ignore the 192.x, for some reason they had it set multihomed on two networks previously)

Windows IP Configuration

   Host Name . . . . . . . . . . . . : xxxx
   Primary Dns Suffix  . . . . . . . : xxxx
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : xxxxxxx

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-0B-CD-CB-B3-09
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   IP Address. . . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
   Primary WINS Server . . . . . . . :
Keith AlabasterEnterprise ArchitectCommented:
yes, you can see where I was taking this......

So - the obvious question 'What is the difference between the static and dhcp devices?'

Gateway? Routing information? DNS? WINS?
Keith AlabasterEnterprise ArchitectCommented:
So - gateway it is and that should be job done now?
jmtomanAuthor Commented:
When these static devices were setup they did all types of weird stuff.  They would set the gateway as a domain controller, they would statically set DNS to an outside dns server, all types of weird stuff.  Now that I know what the problem is, I just need to wait until I can change the info on these domain controllers now.

Keith AlabasterEnterprise ArchitectCommented:
As an aside, you should NOT have the external DNS IP listed in the TCP/IP settings. All of the addresses should be your internal DNS IP addresses. The external IP addresses (such as your ISP's) should be entered into the Forwarders tab in the DNS manager on your internal DNS servers.
Keith AlabasterEnterprise ArchitectCommented:
lol - overtyped
Keith AlabasterEnterprise ArchitectCommented:
Thanks :)
jmtomanAuthor Commented:
Yeah, I tried explaining that to the current IT manager here and explaining that's why people have trouble connecting to printer shares, file shares, etc.  He didn't understand =]
jmtomanAuthor Commented:
BTW - thanks for everyones help working through this tangled web of issues!
Keith AlabasterEnterprise ArchitectCommented:
a B grade? Wow - you sure are a hard man to please :)  but you are welcome lol