lor1974
asked on
Internet access for computers with 2 NICs sitting in DMZ
Hello,
I currently have a group of computers that are used for public internet access and sit on my internal network. They are locked down by a client/server kiosk type of application. I would like to move the systems from my internal network to a secondary internet connection that is used for guest/public use, but I still need to maintain the client/server connection.
The environment consists of Windows XP and Server 2003, with a Cisco ASA 5510 (dmz) and there is an ISA 2004 server.
My thought is to put 2 NICs in the computers, and have one connected to the public internet, and the other to the DMZ for the client/server communication.
I have already created rules for the client/server ports, and it is working in the DMZ, but I cannot surf.
Any comments/advice on this are greatly appreciated!
ASKER
All other machines in the DMZ are single NIC and do not have outbound internet access.
My DMZ NIC has static IP settings and the other NIC for internet access is DHCP, which is pulling the correct IP info and works fine if I unplug the DMZ connection.
I was foolishly hoping that they would not conflict with each other, but the DMZ connection is blocking the other.
That's an odd setup.... Usually you wouldn't want a host to straddle a public network to an internal/DMZ network. Kind of defeats the purpose of having a firewall.
But anyway....
Now that I understand that, my guess is that you have 2 NICs each on its own subnets. If you do an IPCONFIG /ALL you would get a listing of the ip info for each interface. Now do a ROUTE PRINT. This shows the routes for all subnets.
Understand that you can only ever have 1 default gateway, regardless of the number of NICs in the machine. Your default gateway with the lower metric from the ROUTE command is probably the DMZ NIC. When you pull the connection, the default gateway now becomes the internet NIC and traffic starts flowing that way.
To fix this, remove the default gateway from the static DMZ NIC. If your internal servers are routed internally, you can add a manual ROUTE to handle it.
So, post an IPCONFIG /ALL and a SHOW ROUTE. Tell me what path is what and we can look it over.
ASKER
You are correct on the gateway; if I remove it, the machine can surf, but I lose my connection to the internal server. Here is the info. Thanks.
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI)   (DMZ)
Physical Address. . . . . . . . . : 00-A0-CC-3D-53-1C
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.71
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller   (Internet)
Physical Address. . . . . . . . . : 00-1E-C9-56-9B-57
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.46
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 24.201.245.77
                                    24.200.0.1
                                    24.53.0.2
Lease Obtained. . . . . . . . . . : December 8, 2011 11:24:40 AM
Lease Expires . . . . . . . . . . : December 9, 2011 11:24:40 AM

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 a0 cc 3d 53 1c ...... NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) - Teefer2 Miniport
0x3 ...00 1e c9 56 9b 57 ...... Broadcom NetXtreme 57xx Gigabit Controller - Teefer2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.46     20
          0.0.0.0          0.0.0.0    192.168.100.1   192.168.100.71     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.46     192.168.1.46     20
     192.168.1.46  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255     192.168.1.46     192.168.1.46     20
    192.168.100.0    255.255.255.0   192.168.100.71   192.168.100.71     20
   192.168.100.71  255.255.255.255        127.0.0.1        127.0.0.1     20
  192.168.100.255  255.255.255.255   192.168.100.71   192.168.100.71     20
        224.0.0.0        240.0.0.0     192.168.1.46     192.168.1.46     20
        224.0.0.0        240.0.0.0   192.168.100.71   192.168.100.71     20
  255.255.255.255  255.255.255.255     192.168.1.46     192.168.1.46      1
  255.255.255.255  255.255.255.255   192.168.100.71   192.168.100.71      1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
I assume 192.168.1.1 is the gateway to the DMZ....
So to fix this I need to know the subnets that sit behind the DMZ gateway because you would have to do a manual route for each.
First you need to remove the static gateway from the DMZ interface. Just leave it blank.
Then, let's say that you had 192.168.2.0 and 192.168.3.0 behind the DMZ gateway. It would look like this.
ROUTE DELETE 0.0.0.0 MASK 0.0.0.0 192.168.1.1
ROUTE -p ADD 192.168.2.0 MASK 255.255.255.0 192.168.1.1
ROUTE -p ADD 192.168.3.0 MASK 255.255.255.0 192.168.1.1
It removes the catch-all route pointing toward the DMZ gateway. Now all traffic flows through the internet gateway. Next we give it explicit routes to the internal subnets and tell it where to forward the packets (here it's the gateway IP to the DMZ).
The '-p' makes the route stick through a reboot.
ASKER
The DMZ gateway is 192.168.100.1
ASKER
The internal server IP is 192.168.128.10 and has a mask of 255.255.252.0
should the command be:
ROUTE -p ADD 192.168.128.10 MASK 255.255.252.0 192.168.100.1
?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
ROUTE -p ADD 192.168.128.10 MASK 255.255.255.255 192.168.100.1
worked.
I can surf and the software is working.
Thank you very much for your help!!!
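An added example, not code from any post in this thread, that models the routing behaviour discussed above (one default gateway per host, the expert's "remove the DMZ default, add explicit routes" procedure, and the /32 host route the asker reported working) in Python. It parses the Active Routes table of a `route print` listing, resolves a destination by longest-prefix match with the metric as tie-breaker, and then applies the fix. Assumptions: the table embedded below is constructed from the values in the asker's listing, trimmed to the rows that matter; when two routes tie on prefix and metric (the two 0.0.0.0 routes, both metric 20) the model lets the first table row win, which is only a stand-in for whatever the stack actually does; 4.2.2.2 is used as a stand-in internet host as it was in the thread.

```python
"""Route-selection model for a dual-homed Windows kiosk (added example)."""
import ipaddress
import re

# Constructed from the asker's `route print`; only the rows that matter here.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.46     20
          0.0.0.0          0.0.0.0    192.168.100.1   192.168.100.71     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.46     192.168.1.46     20
    192.168.100.0    255.255.255.0   192.168.100.71   192.168.100.71     20
Default Gateway:       192.168.1.1
"""

# destination, netmask, gateway, interface, metric
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return the data rows of a `route print` Active Routes table as dicts."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator and 'Default Gateway:' lines
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{mask}"),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def default_gateways(routes):
    """Gateways that own a 0.0.0.0/0 route; more than one is the conflict."""
    return [r["gateway"] for r in routes if r["net"].prefixlen == 0]


def lookup(routes, dst):
    """Gateway a packet to dst would use: longest prefix wins, then lowest
    metric. A tie on both (two default routes at metric 20) is left to the
    stack in reality; this model lets the first table row win (assumption)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["gateway"]


def without_default(routes, gateway):
    """Model blanking the DMZ NIC's gateway / ROUTE DELETE 0.0.0.0 MASK 0.0.0.0 <gw>."""
    return [r for r in routes
            if not (r["net"].prefixlen == 0 and r["gateway"] == gateway)]


def with_route(routes, dest, mask, gateway, iface, metric=1):
    """Model ROUTE -p ADD <dest> MASK <mask> <gateway>. Raises ValueError when
    dest has host bits set under mask (192.168.128.10 with 255.255.252.0),
    the sanity check to run before typing the command."""
    net = ipaddress.IPv4Network(f"{dest}/{mask}")  # strict: host bits must be 0
    return routes + [{"net": net, "gateway": gateway,
                      "interface": iface, "metric": metric}]


def apply_fix(routes):
    """The thread's resolution: drop the DMZ default, add a /32 host route
    for the internal server via the DMZ gateway."""
    fixed = without_default(routes, "192.168.100.1")
    return with_route(fixed, "192.168.128.10", "255.255.255.255",
                      "192.168.100.1", "192.168.100.71")


if __name__ == "__main__":
    before = parse_routes(ROUTE_PRINT)
    after = apply_fix(before)
    print("default routes before:", default_gateways(before))
    print("default routes after: ", default_gateways(after))
    for dst in ("4.2.2.2", "192.168.128.10", "192.168.128.11"):
        print(f"{dst:>16}  before={lookup(before, dst)}  after={lookup(after, dst)}")
```

Two things the run makes visible. First, the /32 covers exactly one server: a neighbour such as 192.168.128.11 still goes out the internet gateway, so if more DMZ-side hosts are needed, the network route is 192.168.128.0 MASK 255.255.252.0 (the asker's mask with the host bits cleared), not the server address with that mask. Second, the fix changes where the kiosk sends packets, not the fact that it is dual-homed; the expert's warning still applies, so confirm IP forwarding stays off on these machines (IPEnableRouter under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters is 0 by default) so the public NIC cannot become a path into the DMZ.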
Take the machines out of kiosk mode. Check your IP/DNS/default gateway settings. Are these machines getting a DHCP or static address? Can you ping a DNS name and get resolution? Can you ping out to 4.2.2.2? Does the ASA "SHOW LOGGING" show any dropped packets on outbound attempts?