Internet access for computers with 2 NICs sitting in DMZ


I currently have a group of computers that are used for public internet access and sit on my internal network.  They are locked down by a client/server kiosk type of application.  I would like to move the systems from my internal network to secondary internet connection that is used for guest/public use....but I still need to maintain the client/server connection.

The environment consists of Windows XP and Server 2003, with a Cisco ASA 5510 (dmz) and there is an ISA 2004 server.

My thought is to put 2 NICs in the computers, and have one connected to the public internet, and the other to the DMZ for the client/server communication.

I have already created rules for the client/server ports, and it is working in the DMZ...but I cannot surf.

Any comments/advice on this are greatly appreciated!

Can any machine in the DMZ get outbound internet access?   If yes, then there is no reason why these couldn't also.  

Take the machines out of kiosk mode. Check your ip/dns/default gateway settings. Are these machines getting a dhcp or static address? Can you ping a dns name and get resolution? Can you ping out to     Does the ASA "SHOW LOGGING" show any dropped packets on outbound attempts?
lor1974Author Commented:
all other machines in the DMZ are single NIC and do not have outbound internet access.

My DMZ NIC has static IP settings and the other NIC for internet access is DHCP.....which is pulling the correct IP info and works fine if I unplug the DMZ connection.

I was foolishly hoping that they would not conflict with each other, but the DMZ connection is blocking the other.
That's an odd setup.... Usually you wouldn't want a host to straddle a public network to internal/dmz network. Kind of defeats the purpose of having a firewall.

But anyway....  

Now that I understand that, my guess is that you have 2 NICs each on its own subnet. If you do an IPCONFIG /ALL you would get a listing of the ip info for each interface. Now do a ROUTE PRINT. This shows the routes for all subnets.

Understand that you can only ever have 1 default gateway, regardless of the number of NICs in the machine. Your default gateway with the lower metric from the ROUTE command is probably the DMZ NIC. When you pull the connection, the default gateway now becomes the internet NIC and traffic starts flowing that way.

To fix this, remove the default gateway from the static DMZ NIC. If your internal servers are routed internally, you can add a manual ROUTE to handle it.

So, post an IPCONFIG /ALL and a SHOW ROUTE. Tell me what path is what and we can look it over.
lor1974Author Commented:
you are correct on the gateway, if I remove it, the machine can surf...but I lose my connection to the internal server.  Here is the info...thanks

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NETGEAR FA310TX Fast Ethernet Adapte (DMZ)
        Physical Address. . . . . . . . . : 00-A0-CC-3D-53-1C
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Cont (Internet)
        Physical Address. . . . . . . . . : 00-1E-C9-56-9B-57
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :
        Lease Obtained. . . . . . . . . . : December 8, 2011 11:24:40 AM
        Lease Expires . . . . . . . . . . : December 9, 2011 11:24:40 AM

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 a0 cc 3d 53 1c ...... NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) - Teefer2 Miniport
0x3 ...00 1e c9 56 9b 57 ...... Broadcom NetXtreme 57xx Gigabit Controller - Teefer2 Miniport
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
(route entries not preserved on the page; only the Metric column survived: 20 1 20 20 20 20 20 20 20 20 1 1)
Default Gateway:
Persistent Routes:
I assume is the gateway to the DMZ....  

So to fix this I need to know the subnets that sit behind the DMZ gateway because you would have to do a manual route for each.  

First you need to remove the static gateway from the DMZ interface.   Just leave it blank.  
Then, let's say that you had and behind the DMZ gateway. It would look like this.


It removes the catch-all route pointing toward the DMZ gateway. Now all traffic flows through the internet gateway. Next we give it explicit routes to internal subnets and tell it where to forward the packets (here it's the gateway IP to the DMZ).

The '-p' makes the route stick through a reboot.

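The diagnosis and fix described in the two replies above (ROUTE PRINT showing two default routes, the lower-metric one winning; clear the DMZ NIC's gateway and add persistent routes with route -p add) can be walked through offline. The following Python script is an added example, not code from the thread or from either participant: it parses a constructed `route print` table, shows which gateway a given destination would actually use under Windows' longest-prefix-then-lowest-metric rule, generates the `route -p add` commands, and simulates the table after the fix. The addresses (DMZ NIC 172.16.1.50 with gateway 172.16.1.1, Internet NIC 192.0.2.17 with gateway 192.0.2.254, internal subnet 10.10.0.0/24) are assumptions standing in for the thread's own addresses, which the page no longer carries.

```python
import ipaddress

# Constructed `route print` output from a dual-homed Windows host (assumed
# addresses, not the thread's). DMZ NIC 172.16.1.50 has a static gateway
# 172.16.1.1 (metric 1); the guest/Internet NIC 192.0.2.17 got 192.0.2.254 by DHCP.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.1.1      172.16.1.50       1
          0.0.0.0          0.0.0.0      192.0.2.254       192.0.2.17      20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
       172.16.1.0    255.255.255.0      172.16.1.50      172.16.1.50      20
      172.16.1.50  255.255.255.255        127.0.0.1        127.0.0.1      20
        192.0.2.0    255.255.255.0       192.0.2.17       192.0.2.17      20
       192.0.2.17  255.255.255.255        127.0.0.1        127.0.0.1      20
  255.255.255.255  255.255.255.255      172.16.1.50      172.16.1.50       1
  255.255.255.255  255.255.255.255       192.0.2.17       192.0.2.17       1
Default Gateway:        172.16.1.1
"""
DMZ_GATEWAY = "172.16.1.1"
INTERNAL_DESTINATIONS = ["10.10.0.0/24"]  # assumed subnet behind the DMZ gateway
ZERO = ipaddress.IPv4Address("0.0.0.0")


def parse_active_routes(text):
    """Keep rows shaped <dest> <mask> <gateway> <interface> <metric>; skip the rest."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            addrs = [ipaddress.IPv4Address(p) for p in parts[:4]]
            metric = int(parts[4])
        except ValueError:
            continue  # header or 'Default Gateway:' line
        routes.append({"dest": addrs[0], "mask": addrs[1], "gateway": addrs[2],
                       "interface": addrs[3], "metric": metric})
    return routes


def default_routes(routes):
    """All 0.0.0.0/0 entries, lowest metric first; Windows only ever uses the first."""
    return sorted((r for r in routes if r["dest"] == ZERO and r["mask"] == ZERO),
                  key=lambda r: r["metric"])


def _network(r):
    return ipaddress.IPv4Network((r["dest"], str(r["mask"])), strict=False)


def next_hop(routes, dest):
    """Gateway a packet to dest would use: longest prefix match, then lowest metric."""
    dest = ipaddress.IPv4Address(dest)
    best = None
    for r in routes:
        net = _network(r)
        if dest in net:
            key = (net.prefixlen, -r["metric"])
            if best is None or key > best[0]:
                best = (key, r)
    return None if best is None else str(best[1]["gateway"])


def fix_commands(dmz_gateway, destinations):
    """Persistent routes for each internal destination via the DMZ gateway.
    A bare host becomes a /32; a /0 is refused since it would just be a second
    default gateway, the very thing being removed."""
    cmds = []
    for d in destinations:
        net = ipaddress.IPv4Network(d, strict=False)
        if net.prefixlen == 0:
            raise ValueError("0.0.0.0/0 would recreate the DMZ default route")
        cmds.append(f"route -p add {net.network_address} mask {net.netmask} {dmz_gateway}")
    return cmds


def apply_fix(routes, dmz_gateway, destinations):
    """Simulate blanking the DMZ NIC's gateway (drops its 0.0.0.0/0 entry) and
    adding the explicit routes out of the NIC whose subnet contains the gateway."""
    gw = ipaddress.IPv4Address(dmz_gateway)
    kept = [r for r in routes if not (r["dest"] == ZERO and r["gateway"] == gw)]
    iface = next(r["interface"] for r in routes
                 if r["gateway"] == r["interface"] and gw in _network(r))
    for d in destinations:
        net = ipaddress.IPv4Network(d, strict=False)
        kept.append({"dest": net.network_address, "mask": net.netmask,
                     "gateway": gw, "interface": iface, "metric": 1})
    return kept


if __name__ == "__main__":
    before = parse_active_routes(SAMPLE_ROUTE_PRINT)
    print("default routes:", [(str(r["gateway"]), r["metric"]) for r in default_routes(before)])
    print("198.51.100.7 via", next_hop(before, "198.51.100.7"), "<- DMZ gateway, no Internet")
    print("\n".join(fix_commands(DMZ_GATEWAY, INTERNAL_DESTINATIONS)))
    after = apply_fix(before, DMZ_GATEWAY, INTERNAL_DESTINATIONS)
    print("198.51.100.7 via", next_hop(after, "198.51.100.7"), "<- Internet gateway")
    print("10.10.0.5 via", next_hop(after, "10.10.0.5"), "<- DMZ gateway")
```

Two practical notes on a host wired like this. A `route delete 0.0.0.0` against the DMZ gateway only lasts until the next reboot, because the static gateway in the adapter's TCP/IP properties is reapplied at boot; the gateway field itself has to be blank, as the reply says. And since the machine now has one foot on the guest network and one in the DMZ, confirm that IP forwarding is off (on XP/2003 the `IPEnableRouter` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` must be 0, which is the default), otherwise the kiosk itself becomes a router between the two networks and the ASA's DMZ rules no longer mean much.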
lor1974Author Commented:
the dmz gateway is
lor1974Author Commented:
lor1974Author Commented:
the internal server IP is and has a mask of

should the command be:


Right, then just replace the in my example with  

For your question:
You should probably do the entire subnet....  

Or the single host

lor1974Author Commented:


I can surf and the software is working

Thank you very much for your help!!!