amanzoor (Canada) asked:
Default gateway - internet connection - server 2003 ent edition domain

Hi
I need to understand what a default gateway is.  Till now, to me, a default gateway is a server which is the only server that allows clients access to the internet?  Undermentioned is a scenario where the clients are getting the first IP as default gateway from the 003 Router entry:

I am running server 2003 ent domain, 2 domain controllers (One NIC each) with AD, DNS, DHCP.  On my DHCP under scope options I have:
003 Router 10.10.10.3, 10.10.10.1
006 DNS servers 10.10.10.3, 10.10.10.1
015 DNS Domain name  mydomain.com
Under my clients' NIC, the default gateway value they get is 10.10.10.3.  I think it is coming from 003 Router? Am I right?
How and where can I set only 1 default gateway setting for my domain (is my setting above for DHCP correct?).  Also, how can I make other servers not allow any internet connection to clients?
Help
brittonv (United States of America):
The default gateway is the IP address by which your network accesses external resources (the internet).

You need to get rid of that router entry and specify the "Default Gateway" scope option.
ref: http://support.microsoft.com/kb/139904

To deny access to your resources, you need a firewall.
amanzoor (asker):
brittonv:
Thanks for the response.
I tried finding 'Default Gateway' under configure scope but there is none.  How and where can I find the 'default gateway scope option'?  The article describes what the scope should look like.
Help!
******* To deny access to your resources, you need a firewall. *******
I meant how to prevent other member servers from becoming the default gateway.
-Help!
Thanks
brittonv (United States of America) posted a solution (members-only content not shown).
brittonv:
That's ok.
Some of my clients find other member servers on the domain and point their NIC configuration to be as 'Default gateway = Member server IP' and gain access to the internet.  What precautionary measures can I take, and how can I stop this from happening?  Maybe they have some malicious programs which find other member servers' addresses for them and they use those IP addresses as their default gateway and set it manually in their NICs.  Which ports do I have to disable in those member servers?
Help
asdlkf:
It's not a "port" as it is a routing protocol. Windows server by default (off the top of my head) runs the routing and remote access service. This service performs routing between multiple IP addresses on a machine, but is not port restricted. It is a layer 3 service which applies before a layer 4 port restriction coming from a firewall.

Also, an important definition is a "gateway" device. This is a device which typically has two or more network cards, with one being denoted as public and one (or more) being denoted as private.

like this:    <network>------><gateway><-------<internet>
A public ip address will be applied to the internet side of the gateway.
A private ip will be on the network side of the gateway.

thus, most off-the-shelf residential routers are gateway devices. <lan>--192.168.0.1<router>PUB.LIC.IPA.DDY--<ISP>

so, what the above statement, "003 Router 10.10.10.3, 10.10.10.1" is saying, is to use 10.10.10.3 as the default gateway (aka primary gateway), and to use 10.10.10.1 as a fallback or backup gateway.

if the client sees 10.10.10.3 is not available (powerdown/crash/etc...) it will try to use 10.10.10.1 instead, basically.

I don't have a 2003 server available to me right now to get you an exact click-by-click, but basically you want to go into your DHCP configuration, select the scope in which the DHCP pool is defined, right click on that scope, and select "configure scope" or "configure scope options" or something similar.

Then scroll down the list (should be at or near the top actually) and check off and define rule 003 with 10.10.10.3 set as the only gateway.

Finally, if you're feeling paranoid, stop the "routing and remote access" service on 10.10.10.1 if you feel so inclined. (It's 99% probable that it's not running anyway.)

-- Chris
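Added example (not code from the thread or from any of its participants): a small Python audit that applies the point above from the defender's side. It checks a DHCP scope's 003 Router list for extra fallback entries and flags clients whose `ipconfig /all` text shows a hand-set configuration or a gateway other than the approved router. The sample ipconfig text and the address 10.10.10.20 are constructed; 10.10.10.3 and 10.10.10.1 are the thread's own addresses.

```python
import re
from typing import Dict, List, Set

# Constructed sample (not real output): the lines this audit needs from
# "ipconfig /all" on three domain clients. 10.10.10.3 and 10.10.10.1 are the
# two DCs from the thread; 10.10.10.20 is a made-up member server address.
SAMPLE_IPCONFIG = {
    "PC-01": """Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : Yes
        Default Gateway . . . . . . . . . : 10.10.10.3""",
    "PC-02": """Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : No
        Default Gateway . . . . . . . . . : 10.10.10.20""",
    "PC-03": """Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : Yes
        Default Gateway . . . . . . . . . : 10.10.10.1""",
}

# Captures field name and value from lines such as "Dhcp Enabled. . . : Yes".
FIELD_RE = re.compile(r"^\s*(Dhcp Enabled|Default Gateway)[ .]*: (\S+)", re.M)

def parse_ipconfig(text: str) -> Dict[str, str]:
    """Extract the audited fields from one host's ipconfig /all text."""
    return dict(FIELD_RE.findall(text))

def check_router_option(routers: List[str], allowed: Set[str]) -> List[str]:
    """Check the scope's 003 Router list: clients use the first entry and fail
    over to the rest, so every entry must be an approved gateway."""
    findings = []
    if len(routers) > 1:
        findings.append(f"option 003 has {len(routers)} entries; fallback to {routers[1:]}")
    findings += [f"option 003 entry {r} is not an approved gateway" for r in routers if r not in allowed]
    return findings

def audit_gateways(configs: Dict[str, str], allowed: Set[str]) -> List[str]:
    """Flag hosts whose IP config was set by hand (DHCP off) or whose gateway
    is not an approved router, i.e. a client pointed at some member server."""
    findings = []
    for host, text in sorted(configs.items()):
        fields = parse_ipconfig(text)
        gw = fields.get("Default Gateway", "none")
        if fields.get("Dhcp Enabled") != "Yes":
            findings.append(f"{host}: static IP config, gateway {gw}")
        if gw not in allowed:
            findings.append(f"{host}: unexpected gateway {gw}")
    return findings

if __name__ == "__main__":
    print(audit_gateways(SAMPLE_IPCONFIG, {"10.10.10.3"}))
```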


asdlkf:
Thanks for the description:
I have installed server 2003 ent edition many times and RRAS never comes on by default.  I thought RRAS is only required for VPN? Since I am running VPN I had to enable RRAS on 10.10.10.3.  If I understood you correctly, RRAS makes a machine a 'default gateway'?? If a server is not running RRAS and clients put its IP into their NIC, they will not be able to go to the internet?
 In my situation:
I have Cisco 2811........>>>>My two servers 10.10.10.3 and 10.10.10.1 >>>>>clients.  According to your definition of default gateway, my two servers are NOT, as both of them have one NIC each and cannot be assigned an external IP, as my NAT is performed at the router.
I 100% agree with you on the scope level of 003 router where 2 addresses mean the next one is the backup one.
Sorry to ask you many questions, I would like to clear myself before I start 'stopping and enabling services' at the router or on the servers.
Summary:
-A server running RRAS is the default gateway?, it should have 2 NICs? (according to microsoft they always suggest never to put 2 NICs on a domain controller).  My 2 servers are domain controllers, I had some trouble putting in 2 NICs in them in past.  
Hello asdlkf:
Correction I just checked my 10.10.10.1 is also running RRAS.  I just changed the default IP of my laptop to the IP of a member server which is not running RRAS and I was not able to browse the internet.  I could ping others, etc but NO internet.
asdlkf posted the asker-certified solution (members-only content not shown).
asdlkf:
Excellent description,  how to bridge 2 NICs on a server I will find out or you can tell me how, in the past I had 2 NICS in each server and I am using 1 in each at the moment, it will be good to know how to bridge them.
Correct my diagram is exactly like that.  (I have a detailed one I can send it to you, I have to hide some names over it)
-I have 2 servers at the moment running dhcp on my site and one on another site, will be good to know how to enable dhcp on my cisco 2811.  Please send the config script with commands so that I can enable it,  please note that I have many 'manually assigned IP's which I want to set in the cisco 2811 as well (the same way exactly as I am running now).
**** but, whether you are using windows or cisco for your dhcp service, what you need to realize is that the cisco box (10.10.10.WHATEVER the cisco box's ip is) is the default gateway, not the servers. ****
******* So it means it does not matter whatever I write in my 003 entry in DHCP, my default gateway is my cisco.  Good to know.
-Good to know that RRAS is providing the vpn connection.
**** A much cleaner (and encrypted) solution is to use an IPsec tunnel from your clients to your router and let the router handle the vpn connectivity, the DHCP, and the gateway services. Let the windows boxes do the 'windows-ey' stuff like dns, active directory, authentication, authorization, etc... ****
******* Please let me know how to configure this IPsec tunnel from my cisco?
-Will be good to know how to install the proxy to authenticate for my cisco connections.
-You are not at all off the base.  I am enclosing my config.
Attachment: expertaccesslist.txt
This diagram will help you.  I made it a few years back.
Attachment: Diagram-without-names.jpg
Um, well, to be fair, you have several questions now that really should be looked at separately.

ultimately, that's still not enough information for me to say what should be what.

basically I would need to know what network services are running where in order to define all of that for you.

If this information can't be provided (for legal/other reasons) what you need to do is determine where all of your:

collision domains
broadcast domains
gateway devices
VPN endpoints
DNS servers
DHCP servers
Authentication servers
Application servers

are.

Once you know where all of these things running on your network are (physically and logically), you will need to know the following for each of them:

ip address / subnet mask
default gateway
what services are running here

Then, I would ask new questions on EE with the relevant details. For example, from looking at your cisco config file, you have no isakmp crypto key defined, but you have a wan address.

You should ask one question to start:
"How do I configure an IPSEC gateway to receive inbound IPSEC connections from the internet/remote sites on a cisco 2811. I want it to accept inbound connections from <LOCATIONS> and I probably want a GRE over IPSEC tunnel to support a broader range of protocols. I also want to use TACACS+ or RADIUS or another method and ultimately have the VPN server authenticate against a windows 2003 AD database." (include the above picture, the just requested documentation, and your cisco config file).

then, another question:
"How do I configure a DHCP pool on a cisco 2811 to give out addresses in the 10.x.x.0 range (mask /24, 255.255.255.0) on a router that is already configured as a VPN gateway? I need to exclude the following IP addresses: (list your statically assigned addresses (servers/gateway devices/other things that don't use DHCP)"

One last point: I realize it can be intimidating to release information to the internet, but some of it is still needed (i.e. in pictures like the one just posted, black out the destination, but then just use an arrow to point to where it is or something). Also, where do the wireless links connect to?

for the level of questions you're going to be asking, you probably want a much more detailed network diagram so that people can give you the correct answers.

Oh, and as to how to bridge - just select one of the NICs, hold down CTRL, select the other NIC (so they are both selected), right click one of them and select bridge. Then assign the IP address that the first NIC WAS using to the new "bridge" device that will appear.

-- Chris
Thanks asdlkf, I really appreciate your time.  At least I have some specific questions to ask at EE.  Also I know which direction I should take to resolve a few of my issues.  Thanks brittonv for pointing out and clarifying the default gateway.  Regards!