Default gateway - internet connection - Server 2003 Ent Edition domain

I need to understand what a default gateway is.  Until now, to me a default gateway is a server which is the only server that allows clients access to the internet?  Below is a scenario where the clients are getting the first IP as the default gateway from the 003 Router entry:

I am running server 2003 ent domain, 2 domain controllers (One NIC each) with AD, DNS, DHCP.  On my DHCP under scope options I have:
003 Router,
006 DNS servers,
015 DNS Domain name
Under my clients' NICs, the default gateway value they get is  I think it is coming from 003 Router? Am I right?
How and where can I set only one default gateway setting for my domain (is my DHCP setting above correct?).  Also, how can I make the other servers not allow any internet connection to clients?
amanzoor (Network infrastructure Admin) asked:

asdlkf commented:
well, 2 things:

Two NICs are for redundancy, not for two physical connections. What they want you to do is to put a 2nd NIC in each machine and then bridge those two connections so your server has one IP address, but two physical connections to provide physical fault tolerance (and cable redundancy). But this is entirely optional.

I'm fairly sure that what you have is similar to this picture:

If that's correct, then what you need to do is stop thinking that your clients need to go through your servers. The 003 option (router/default gateway) can just be your Cisco box.

Depending on how many clients you have set up and how you are doing Active Directory, I would actually turn off DHCP and Routing and Remote Access/etc/etc/etc on the Windows boxes and implement that on the Cisco boxes. (I can write you a config script for the Cisco box if you want.)

The Cisco box is capable of running DHCP (instead of doing it on Windows) and it is more granular and precise than the Windows implementation of the DHCP server.

But, whether you are using Windows or Cisco for your DHCP service, what you need to realize is that the Cisco box (10.10.10.WHATEVER the Cisco box's IP is) is the default gateway, not the servers.

What RRAS does is allow VPN connectivity into your network.

I imagine you have use cases where you want to permit users on the internet to access your network resources, and they do so by connecting a PPPoE connection to your servers running RRAS through a port-forward through your router. A much cleaner (and encrypted) solution is to use an IPsec tunnel from your clients to your router and let the router handle the VPN connectivity, the DHCP, and the gateway services. Let the Windows boxes do the 'windows-ey' stuff like DNS, Active Directory, authentication, authorization, etc...

You can even install a proxy authentication agent that will support radius or tacacs+ on your windows servers to allow the cisco's VPN connection to authenticate against windows AD.

If I am way off base here, please draw a network diagram and (if available) post the output of "show run brief | exclude !" (remove any passwords/public IP addresses and replace with XXXXX or something).

-- Chris

The default gateway is the IP address through which your network accesses external resources (the internet).

You need to get rid of that router entry and specify the "Default Gateway" scope option.

To deny access to your resources, you need a firewall.
amanzoor (Network infrastructure Admin, author) commented:
Thanks for the response.
I tried finding 'Default Gateway' under Configure Scope but there is none.  How and where can I find the 'default gateway scope option'?  The article defines how the scope should look.
******* To deny access to your resources, you need a firewall. *******
I meant how to prevent other member servers from becoming the default gateway.
brittonv commented:
I apologize, I haven't used Windows DHCP in a while.  Yes, the router entry is the default gateway.  You need to change it to list only your intended default gateway.

You need to specify the default gateway server.  This is the server or device that has the internet connection?  Only the server that has the Internet connection can act as the default gateway, so I don't really understand your question.
amanzoor (Network infrastructure Admin, author) commented:
That's ok.
Some of my clients find other member servers on the domain, point their NIC configuration to 'Default gateway = member server IP' and gain access to the internet.  What precautionary measures can I take, and how can I stop this from happening?  Maybe they have some malicious programs which find other member servers' addresses for them, and they use those IP addresses as their default gateway and set it manually in their NICs.  Which ports do I have to disable on those member servers?

It's not a "port", as it is a routing protocol. Windows Server by default (off the top of my head) runs the Routing and Remote Access service. This service performs routing between multiple IP addresses on a machine, but is not port-restricted. It is a layer 3 service which applies before a layer 4 port restriction coming from a firewall.

Also, an important definition is a "gateway" device. This is a device which typically has two or more network cards, with one being denoted as public and one (or more) being denoted as private.

like this:    <network>------><gateway><-------<internet>
A public ip address will be applied to the internet side of the gateway.
A private ip will be on the network side of the gateway.

thus, most off-the-shelf residential routers are gateway devices. <lan>--<router>PUB.LIC.IPA.DDY--<ISP>

So, what the above statement, "003 Router," is saying is to use as the default gateway (aka primary gateway), and to use as a fallback or backup gateway.

If the client sees is not available (power down/crash/etc...) it will try to use instead, basically.

I don't have a 2003 server available to me right now to get you an exact click-by-click, but basically you want to go into your DHCP configuration, select the scope in which the DHCP pool is defined, right-click on that scope, and select "configure scope" or "configure scope options" or something similar.

Then scroll down the list (it should be at or near the top, actually) and check off and define rule 003 with set as the only gateway.

Finally, if you're feeling paranoid, stop the "Routing and Remote Access" service on if you feel so inclined. (It's 99% probable that it's not running anyway.)

-- Chris
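As an added illustration (my own Python, not code from this thread or from any of the posters), here is a parser for the DHCP options field that shows how a scope's "003 Router" entry reaches the client: as option 3, an ordered list of IPv4 addresses, the first being the primary gateway and any later ones fallbacks, exactly as described above. The sample DHCPOFFER bytes, the 10.10.10.0/24 scope, the 10.10.10.1 router and the corp.example domain are constructed assumptions. The audit function flags a scope that offers anything other than the single approved router, which is the check you would run against a captured offer before and after fixing the scope option.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the options field of a DHCPOFFER (magic cookie already
# stripped) as a Windows Server 2003 scope with the options from the question
# would send it. Option 3 (Router) carries TWO addresses, which is exactly the
# "primary plus backup gateway" situation described above.
SAMPLE_OPTIONS = (
    bytes([53, 1, 2])                                # option 53: DHCP message type = OFFER
    + bytes([3, 8, 10, 10, 10, 1, 10, 10, 10, 2])    # option 3: routers 10.10.10.1, 10.10.10.2
    + bytes([6, 8, 10, 10, 10, 10, 10, 10, 10, 11])  # option 6: DNS servers 10.10.10.10, .11
    + bytes([15, 12]) + b"corp.example"              # option 15: DNS domain name (constructed)
    + bytes([255])                                   # option 255: end
)


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Walk the code/length/value list of DHCP options into a dict."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 0:            # pad: a single byte with no length field
            i += 1
            continue
        if code == 255:          # end: stop here, ignore any trailing padding
            break
        if i + 1 >= len(raw):
            raise ValueError(f"option {code} has no length byte")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated: want {length}, got {len(value)}")
        # A repeated option code is concatenated (RFC 3396 long options).
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def routers(opts: Dict[int, bytes]) -> List[str]:
    """Option 3, in the order the client will try the gateways."""
    data = opts.get(3, b"")
    if len(data) % 4 != 0:
        raise ValueError("option 3 must be a list of 4-byte IPv4 addresses")
    return [str(ipaddress.IPv4Address(data[k : k + 4])) for k in range(0, len(data), 4)]


def build_router_option(addrs: List[str]) -> bytes:
    """Encode a corrected 003 Router value: one address, one gateway."""
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    return bytes([3, len(packed)]) + packed


def audit_gateways(opts: Dict[int, bytes], approved: str, scope: str) -> List[str]:
    """Return findings if the scope hands out anything but the one approved router."""
    findings: List[str] = []
    net = ipaddress.ip_network(scope)
    gws = routers(opts)
    if not gws:
        findings.append("option 3 missing: clients get no default gateway at all")
    if len(gws) > 1:
        findings.append(
            f"option 3 lists {len(gws)} gateways; clients fall back to {gws[1]} "
            f"if {gws[0]} stops answering"
        )
    for gw in gws:
        if gw != approved:
            findings.append(f"{gw} is offered as a gateway but the router is {approved}")
        if ipaddress.ip_address(gw) not in net:
            findings.append(f"{gw} is outside scope {scope}; clients could never reach it")
    return findings


if __name__ == "__main__":
    parsed = parse_options(SAMPLE_OPTIONS)
    print("routers offered:", routers(parsed))
    for finding in audit_gateways(parsed, approved="10.10.10.1", scope="10.10.10.0/24"):
        print("FINDING:", finding)
    # The corrected scope: a single router address, so no findings.
    fixed = parse_options(build_router_option(["10.10.10.1"]) + bytes([255]))
    print("after fix:", routers(fixed), audit_gateways(fixed, "10.10.10.1", "10.10.10.0/24"))
```

The second address in option 3 is not ignored by the client; Windows installs both as default routes with different metrics, which is why a member server listed there can end up carrying internet traffic the moment the primary stops responding.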

amanzoor (Network infrastructure Admin, author) commented:
Thanks for the description:
I have installed Server 2003 Ent Edition many times and RRAS never comes on by default.  I thought RRAS is only required for VPN?  Since I am running VPN I had to enable RRAS on  If I understood you correctly, RRAS makes a machine a 'default gateway'??  If a server is not running RRAS and clients put its IP into their NIC, they will not be able to go to the internet?
In my situation:
I have Cisco 2811........>>>>My two servers and >>>>>clients.  According to your definition of default gateway, my two servers are NOT, as both of them have one NIC each and cannot be assigned an external IP, as my NAT is performed at the router.
I 100% agree with you on the scope level of 003 Router, where 2 addresses mean the next one is the backup one.
Sorry to ask you so many questions; I would like to clear this up before I start 'stopping and enabling services' at the router or on the servers.
-A server running RRAS is the default gateway? It should have 2 NICs? (According to Microsoft, they always suggest never to put 2 NICs on a domain controller.)  My 2 servers are domain controllers; I had some trouble putting 2 NICs in them in the past.
amanzoor (Network infrastructure Admin, author) commented:
Hello asdlkf:
Correction: I just checked, my  is also running RRAS.  I just changed the default IP of my laptop to the IP of a member server which is not running RRAS and I was not able to browse the internet.  I could ping others, etc., but NO internet.
amanzoor (Network infrastructure Admin, author) commented:
Excellent description.  How to bridge 2 NICs on a server I will find out, or you can tell me how; in the past I had 2 NICs in each server and I am using 1 in each at the moment. It will be good to know how to bridge them.
Correct my diagram is exactly like that.  (I have a detailed one I can send it to you, I have to hide some names over it)
-I have 2 servers at the moment running DHCP on my site and one on another site; it will be good to know how to enable DHCP on my Cisco 2811.  Please send the config script with commands so that I can enable it.  Please note that I have many manually assigned IPs which I want to set in the Cisco 2811 as well (exactly the same way as I am running now).
**** But, whether you are using Windows or Cisco for your DHCP service, what you need to realize is that the Cisco box (10.10.10.WHATEVER the Cisco box's IP is) is the default gateway, not the servers. ****
******* So it means it does not matter whatever I write in my 003 entry in DHCP, my default gateway is my Cisco.  Good to know.
-Good to know that RRAS is providing vpn connection.
****A much cleaner (and encrypted) solution is to use an IPsec tunnel from your clients to your router and let the router handle the vpn connectivity, the DHCP, and the gateway services. Let the windows boxes do the 'windows-ey' stuff like dns, active directory, authentication, authrization, etc...
******** Please let me know how to configure this IPsec tunnel from my Cisco?
-It will be good to know how to install the proxy to authenticate my Cisco connections.
-You are not at all off base.  I am enclosing my config.

amanzoor (Network infrastructure Admin, author) commented:
This diagram will help you.  I made it a few years back.

Um, well, to be fair, you have several questions now that really should be looked at separately.

Ultimately, that's still not enough information for me to say what should be what.

Basically, I would need to know what network services are running where in order to define all of that for you.

If this information can't be provided (for legal/other reasons) what you need to do is determine where all of your:

collision domains
broadcast domains
gateway devices
VPN endpoints
DNS servers
DHCP servers
Authentication servers
Application servers

Once you know where all of these things running on your network are (physically and logically), you will need to know the following for each of them:

ip address / subnet mask
default gateway
what services are running here

Then I would ask new questions on EE with the relevant details. For example, from looking at your Cisco config file, you have no ISAKMP crypto key defined, but you have a WAN address.

You should ask one question to start:
"How do I configure an IPSEC gateway to receive inbound IPSEC connections from the internet/remote sites on a cisco 2811. I want it to accept inbound connections from <LOCATIONS> and I probably want a GRE over IPSEC tunnel to support a broader range of protocols. I also want to use TACACS+ or RADIUS or another method and ultimately have the VPN server authenticate against a windows 2003 AD database." (include the above picture, the just requested documentation, and your cisco config file).

then, another question:
"How do I configure a DHCP pool on a Cisco 2811 to give out addresses in the 10.x.x.0 range (mask /24) on a router that is already configured as a VPN gateway? I need to exclude the following IP addresses: (list your statically assigned addresses (servers/gateway devices/other things that don't use DHCP))"

One last point: I realize it can be intimidating to release information to the internet, but some of it is still needed (i.e. in pictures like the one just posted, black out the destination, but then just use an arrow to point to where it is or something). Also, where do the wireless links connect to?

For the level of questions you're going to be asking, you probably want a much more detailed network diagram so that people can give you the correct answers.

Oh, and as to how to bridge: just select one of the NICs, hold down CTRL, select the other NIC (so they are both selected), right-click one of them and select Bridge. Then assign the IP address that the first NIC WAS using to the new "bridge" device that will appear.

-- Chris
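Since the DHCP pool question above was deferred to a separate post, here is an added example (my own Python, not the config script asdlkf offered and not part of this thread) that generates the Cisco IOS DHCP pool configuration that question describes and validates it first: the default-router must sit inside the pool's network, and every statically assigned address, every reservation and the gateway itself are written as `ip dhcp excluded-address` lines so the dynamic pool can never hand them out. The network 10.10.10.0/24, the router 10.10.10.1, the DNS servers, the domain corp.example, the printer reservation and its MAC are all constructed assumptions. The IOS commands used (`ip dhcp excluded-address`, `ip dhcp pool`, `network`, `default-router`, `dns-server`, `domain-name`, `lease`, `host`, `client-identifier`) are standard IOS 12.x DHCP server syntax; the `01` prefix on `client-identifier` reflects how Windows DHCP clients present their client ID, which you should confirm on your own 2811 before relying on the reservations.

```python
import ipaddress
import re
from typing import Dict, List, Tuple


def client_identifier(mac: str) -> str:
    """IOS client-identifier for a Windows DHCP client: 0x01 followed by the
    MAC, written as dotted groups of four hex digits, e.g. 0100.1122.3344.55.
    Assumption: Windows clients send hardware type 01 + MAC as their client ID."""
    hexmac = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexmac) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    cid = "01" + hexmac
    return ".".join(cid[i : i + 4] for i in range(0, len(cid), 4))


def cisco_dhcp_pool(
    name: str,
    network: str,
    default_router: str,
    dns_servers: List[str],
    domain: str,
    static_addrs: List[str],
    reservations: Dict[str, Tuple[str, str]],   # hostname -> (ip, mac)
) -> List[str]:
    """Return IOS config lines for one dynamic pool plus one manual pool per
    reservation, refusing inputs that would produce a broken pool."""
    net = ipaddress.ip_network(network, strict=True)
    gw = ipaddress.ip_address(default_router)
    if gw not in net:
        raise ValueError(f"default-router {gw} is not inside {net}")

    reserved = {ipaddress.ip_address(ip) for ip, _ in reservations.values()}
    # Gateway, statics and reservations are all kept out of the dynamic range.
    excluded = sorted({ipaddress.ip_address(a) for a in static_addrs} | {gw} | reserved)
    lines: List[str] = []
    for addr in excluded:
        if addr not in net:
            raise ValueError(f"excluded address {addr} is not inside {net}")
        lines.append(f"ip dhcp excluded-address {addr}")

    lines += [
        "!",
        f"ip dhcp pool {name}",
        f" network {net.network_address} {net.netmask}",
        f" default-router {gw}",            # the ONE gateway clients receive as option 3
    ]
    if dns_servers:
        lines.append(" dns-server " + " ".join(str(ipaddress.ip_address(d)) for d in dns_servers))
    lines += [f" domain-name {domain}", " lease 1"]   # lease in days

    # One manual pool per reservation; the gateway is repeated explicitly rather
    # than relying on IOS pool inheritance, so each pool reads stand-alone.
    for host, (ip, mac) in sorted(reservations.items()):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"reservation {host} ({addr}) is not inside {net}")
        lines += [
            "!",
            f"ip dhcp pool {name}-{host}",
            f" host {addr} {net.netmask}",
            f" client-identifier {client_identifier(mac)}",
            f" default-router {gw}",
        ]
    return lines


if __name__ == "__main__":
    # Constructed values standing in for the site in the question.
    config = cisco_dhcp_pool(
        name="LAN",
        network="10.10.10.0/24",
        default_router="10.10.10.1",
        dns_servers=["10.10.10.10", "10.10.10.11"],   # the two domain controllers
        domain="corp.example",
        static_addrs=["10.10.10.10", "10.10.10.11"],  # servers keep their static IPs
        reservations={"printer1": ("10.10.10.50", "00:11:22:33:44:55")},
    )
    print("\n".join(config))
```

Because the generator refuses a gateway outside the pool's network and always excludes the servers' own addresses, it cannot emit the situation the thread started with: a pool whose router option points at something other than the Cisco box.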
amanzoor (Network infrastructure Admin, author) commented:
Thanks asdlkf, I really appreciate your time.  At least I have some specific questions to ask at EE.  Also, I know which direction I should take to resolve a few of my issues.  Thanks brittonv for pointing out and clarifying the default gateway.  Regards!