Internet access for computers with 2 NICs sitting in DMZ

Hello,

I currently have a group of computers that are used for public internet access and sit on my internal network.  They are locked down by a client/server kiosk type of application.  I would like to move the systems from my internal network to a secondary internet connection that is used for guest/public use... but I still need to maintain the client/server connection.

The environment consists of Windows XP and Server 2003, with a Cisco ASA 5510 (dmz) and there is an ISA 2004 server.

My thought is to put 2 NICs in the computers, and have one connected to the public internet, and the other to the DMZ for the client/server communication.

I have already created rules for the client/server ports, and it is working in the DMZ...but I cannot surf.

Any comments/advice on this are greatly appreciated!
lor1974 Asked:

MikeKane Commented:
Can any machine in the DMZ get outbound internet access?   If yes, then there is no reason why these couldn't also.  

Take the machines out of kiosk mode.   Check your ip/dns/default gateway settings.   Are these machines getting a dhcp or static address?   Can you ping a dns name and get resolution?   Can you ping out to 4.2.2.2?     Does the ASA "SHOW LOGGING" show any dropped packets on outbound attempts?
lor1974 Author Commented:
All other machines in the DMZ are single NIC and do not have outbound internet access.

My DMZ NIC has static IP settings and the other NIC for internet access is DHCP... which is pulling the correct IP info and works fine if I unplug the DMZ connection.

I was foolishly hoping that they would not conflict with each other, but the DMZ connection is blocking the other.
MikeKane Commented:
That's an odd setup....  Usually you wouldn't want a host to straddle a public network to internal/dmz network.    Kind of defeats the purpose of having a firewall.  

But anyway....  

Now that I understand that, my guess is that you have 2 NICs each on its own subnets.    If you do an IPCONFIG /ALL you would get a listing of the ip info for each interface.     Now do a ROUTE PRINT.  This shows the routes for all subnets.  

Understand that you can only ever have 1 default gateway, regardless of the number of NICs in the machine.    Your default gateway with the lower metric from the ROUTE command is probably the DMZ NIC.   When you pull the connection, the default gateway now becomes the internet NIC and traffic  starts flowing that way.  

To fix this, remove the default gateway from the static DMZ NIC.   If your internal servers are routed internally, you can add a manual ROUTE to handle it.  

So, post a IPCONFIG /ALL and a SHOW ROUTE.  Tell me what path is what and we can look it over.  
lor1974 Author Commented:
You are correct on the gateway; if I remove it, the machine can surf... but I lose my connection to the internal server.  Here is the info... thanks


        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI)   (DMZ)
        Physical Address. . . . . . . . . : 00-A0-CC-3D-53-1C
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.100.71
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.100.1

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller   (Internet)
        Physical Address. . . . . . . . . : 00-1E-C9-56-9B-57
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.46
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 24.201.245.77
                                            24.200.0.1
                                            24.53.0.2
        Lease Obtained. . . . . . . . . . : December 8, 2011 11:24:40 AM
        Lease Expires . . . . . . . . . . : December 9, 2011 11:24:40 AM


Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 a0 cc 3d 53 1c ...... NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) - Teefer2 Miniport
0x3 ...00 1e c9 56 9b 57 ...... Broadcom NetXtreme 57xx Gigabit Controller - Teefer2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.46       20
          0.0.0.0          0.0.0.0    192.168.100.1  192.168.100.71       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.46    192.168.1.46       20
     192.168.1.46  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255     192.168.1.46    192.168.1.46       20
    192.168.100.0    255.255.255.0   192.168.100.71  192.168.100.71       20
   192.168.100.71  255.255.255.255        127.0.0.1       127.0.0.1       20
  192.168.100.255  255.255.255.255   192.168.100.71  192.168.100.71       20
        224.0.0.0        240.0.0.0     192.168.1.46    192.168.1.46       20
        224.0.0.0        240.0.0.0   192.168.100.71  192.168.100.71       20
  255.255.255.255  255.255.255.255     192.168.1.46    192.168.1.46       1
  255.255.255.255  255.255.255.255   192.168.100.71  192.168.100.71       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
MikeKane Commented:
I assume 192.168.1.1 is the gateway to the DMZ....  

So to fix this I need to know the subnets that sit behind the DMZ gateway because you would have to do a manual route for each.  


First you need to remove the static gateway from the DMZ interface.   Just leave it blank.  
Then, lets say that you had 192.168.2.0 and 192.168.3.0 behind the DMZ gateway.   It would look like this.

ROUTE DELETE 0.0.0.0 MASK 0.0.0.0 192.168.1.1
ROUTE -p ADD 192.168.2.0 MASK 255.255.255.0 192.168.1.1
ROUTE -p ADD 192.168.3.0 MASK 255.255.255.0 192.168.1.1


It removes the catch-all route pointing toward the DMZ gateway.   Now all traffic flows through the internet gateway.    Next we give it explicit routes to internal subnets and tell it where to forward the packets (here it's the gateway IP to the DMZ).  

The '-p' makes the route stick through a reboot.


lor1974 Author Commented:
The DMZ gateway is 192.168.100.1
lor1974 Author Commented:
The internal server IP is 192.168.128.10 and has a mask of 255.255.252.0

should the command be:

ROUTE -p ADD 192.168.128.10 MASK 255.255.252.0 192.168.100.1

?
MikeKane Commented:
Right, then just replace the 192.168.1.1 in my example with 192.168.100.1  



For your question:
You should probably do the entire subnet (the destination must be the network address, with no host bits set, or route add will reject it)....  
ROUTE -p ADD 192.168.128.0 MASK 255.255.252.0 192.168.100.1

Or the single host
ROUTE -p ADD 192.168.128.10 MASK 255.255.255.255 192.168.100.1
lor1974 Author Commented:
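As an added example (my own code, not something posted in the thread), the diagnosis and fix MikeKane describes above can be worked through offline: parse the Active Routes table from ROUTE PRINT, flag a host that carries more than one 0.0.0.0/0 route, and generate the route delete / route -p add commands that leave only the internet default route and reach the internal server through the DMZ gateway. It also shows why the destination of the subnet route has to be the network address: 192.168.128.10 or 192.168.128.1 with mask 255.255.252.0 has host bits set and route add refuses it, so the script computes 192.168.128.0 from the server IP and mask. The sample route table is constructed from the route print posted earlier; the function names and the gateway/host arguments are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample: the Active Routes section of the ROUTE PRINT output
# posted above, trimmed to the rows that matter (two 0.0.0.0 routes, one per NIC).
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.46       20
          0.0.0.0          0.0.0.0    192.168.100.1  192.168.100.71       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.46    192.168.1.46       20
    192.168.100.0    255.255.255.0   192.168.100.71  192.168.100.71       20
Default Gateway:       192.168.1.1
"""

# dest  mask  gateway  interface  metric  (the header and "Default Gateway:" lines do not match)
ROUTE_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples from ROUTE PRINT text."""
    rows = []
    for line in text.splitlines():
        m = ROUTE_ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            rows.append((dest, mask, gw, iface, int(metric)))
    return rows


def default_gateways(routes):
    """Gateways of every 0.0.0.0/0 route. More than one means the host straddles
    two networks and which one carries internet traffic depends on metric
    tie-breaking, which is exactly the symptom reported in the thread."""
    return [gw for dest, mask, gw, _, _ in routes
            if dest == "0.0.0.0" and mask == "0.0.0.0"]


def valid_route_destination(dest, mask):
    """True if dest has no host bits set under mask; Windows' route add
    refuses destinations such as 192.168.128.1 mask 255.255.252.0."""
    try:
        ipaddress.ip_network(f"{dest}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def network_for(host, mask):
    """Network address a host lives in, e.g. 192.168.128.10/255.255.252.0 -> 192.168.128.0."""
    return str(ipaddress.ip_network(f"{host}/{mask}", strict=False).network_address)


def fix_commands(routes, internet_gw, dmz_gw, internal_hosts, per_host=False):
    """Commands (hypothetical helper) to keep only the internet default route and
    reach internal_hosts, a list of (ip, mask), through the DMZ gateway.
    per_host=True emits 255.255.255.255 host routes instead of subnet routes."""
    gws = default_gateways(routes)
    if internet_gw not in gws:
        raise ValueError(f"{internet_gw} is not a default gateway on this host: {gws}")
    cmds = [f"route delete 0.0.0.0 mask 0.0.0.0 {gw}" for gw in gws if gw != internet_gw]
    seen = set()
    for host, mask in internal_hosts:
        dest, m = (host, "255.255.255.255") if per_host else (network_for(host, mask), mask)
        if (dest, m) not in seen:
            seen.add((dest, m))
            cmds.append(f"route -p add {dest} mask {m} {dmz_gw}")
    return cmds


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    print("default gateways:", default_gateways(routes))
    for cmd in fix_commands(routes, "192.168.1.1", "192.168.100.1",
                            [("192.168.128.10", "255.255.252.0")]):
        print(cmd)
```

Two caveats a practitioner would want. First, route delete only clears the DMZ default route until that adapter's IP settings are re-applied (disable/enable or reboot), because the route comes from the Default Gateway field on the NIC; the lasting fix is to blank that field as advised above and then add the persistent route. Second, the script makes the routing explicit but does not change the security picture: the kiosk still has an interface in the guest network and one in the DMZ, so the kiosk lock-down and the ASA rules on the DMZ interface are the only things keeping guest traffic away from the internal server.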
ROUTE -p ADD 192.168.128.10 MASK 255.255.255.255 192.168.100.1

Worked.

I can surf and the software is working.

Thank you very much for your help!!!
Question has a verified solution.