lor1974 asked:

Internet access for computers with 2 NICs sitting in DMZ

Hello,

I currently have a group of computers that are used for public internet access and sit on my internal network.  They are locked down by a client/server kiosk type of application.  I would like to move the systems from my internal network to secondary internet connection that is used for guest/public use....but I still need to maintain the client/server connection.

The environment consists of Windows XP and Server 2003, with a Cisco ASA 5510 (dmz) and there is an ISA 2004 server.

My thought is to put 2 NICs in the computers, and have one connected to the public internet, and the other to the DMZ for the client/server communication.

I have already created rules for the client/server ports, and it is working in the DMZ...but I cannot surf.

Any comments/advice on this are greatly appreciated!
MikeKane:

Can any machine in the DMZ get outbound internet access?   If yes, then there is no reason why these couldn't also.  

Take the machines out of kiosk mode.   Check your ip/dns/default gateway settings.   Are these machines getting a dhcp or static address?   Can you ping a dns name and get resolution?   Can you ping out to 4.2.2.2?     Does the ASA "SHOW LOGGING" show any dropped packets on outbound attempts?
lor1974 (asker):

All other machines in the DMZ are single NIC and do not have outbound internet access.

My DMZ NIC has static IP settings and the other NIC for internet access is DHCP.....which is pulling the correct IP info and works fine if I unplug the DMZ connection.

I was foolishly hoping that they would not conflict with each other, but the DMZ connection is blocking the other.
That's an odd setup....  Usually you wouldn't want a host to straddle a public network and an internal/DMZ network.    Kind of defeats the purpose of having a firewall.  

But anyway....  

Now that I understand that, my guess is that you have 2 NICs each on its own subnet.    If you do an IPCONFIG /ALL you would get a listing of the ip info for each interface.     Now do a ROUTE PRINT.  This shows the routes for all subnets.  

Understand that you can only ever have 1 default gateway, regardless of the number of NICs in the machine.    Your default gateway with the lower metric from the ROUTE command is probably the DMZ NIC.   When you pull the connection, the default gateway now becomes the internet NIC and traffic starts flowing that way.  

To fix this, remove the default gateway from the static DMZ NIC.   If your internal servers are routed internally, you can add a manual ROUTE to handle it.  

So, post an IPCONFIG /ALL and a SHOW ROUTE.  Tell me what path is what and we can look it over.  
lor1974 (asker):

You are correct on the gateway, if I remove it, the machine can surf...but I lose my connection to the internal server.  Here is the info...thanks


        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) (DMZ)
        Physical Address. . . . . . . . . : 00-A0-CC-3D-53-1C
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.100.71
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.100.1

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller (Internet)
        Physical Address. . . . . . . . . : 00-1E-C9-56-9B-57
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.46
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 24.201.245.77
                                            24.200.0.1
                                            24.53.0.2
        Lease Obtained. . . . . . . . . . : December 8, 2011 11:24:40 AM
        Lease Expires . . . . . . . . . . : December 9, 2011 11:24:40 AM


Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 a0 cc 3d 53 1c ...... NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) - Teefer2 Miniport
0x3 ...00 1e c9 56 9b 57 ...... Broadcom NetXtreme 57xx Gigabit Controller - Teefer2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.46       20
          0.0.0.0          0.0.0.0    192.168.100.1  192.168.100.71       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.46    192.168.1.46       20
     192.168.1.46  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255     192.168.1.46    192.168.1.46       20
    192.168.100.0    255.255.255.0   192.168.100.71  192.168.100.71       20
   192.168.100.71  255.255.255.255        127.0.0.1       127.0.0.1       20
  192.168.100.255  255.255.255.255   192.168.100.71  192.168.100.71       20
        224.0.0.0        240.0.0.0     192.168.1.46    192.168.1.46       20
        224.0.0.0        240.0.0.0   192.168.100.71  192.168.100.71       20
  255.255.255.255  255.255.255.255     192.168.1.46    192.168.1.46       1
  255.255.255.255  255.255.255.255   192.168.100.71  192.168.100.71       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
I assume 192.168.1.1 is the gateway to the DMZ....  

So to fix this I need to know the subnets that sit behind the DMZ gateway because you would have to do a manual route for each.  


First you need to remove the static gateway from the DMZ interface.   Just leave it blank.  
Then, let's say that you had 192.168.2.0 and 192.168.3.0 behind the DMZ gateway.   It would look like this.

ROUTE DELETE 0.0.0.0 MASK 0.0.0.0 192.168.1.1
ROUTE -p ADD 192.168.2.0 MASK 255.255.255.0 192.168.1.1
ROUTE -p ADD 192.168.3.0 MASK 255.255.255.0 192.168.1.1


It removes the catch-all route pointing toward the DMZ gateway.   Now all traffic flows through the internet gateway.    Next we give it explicit routes to internal subnets and tell it where to forward the packets (here it's the gateway IP to the DMZ).  

The '-p' makes the route stick through a reboot.


lor1974 (asker):

The DMZ gateway is 192.168.100.1
lor1974 (asker):

The internal server IP is 192.168.128.10 and has a mask of 255.255.252.0

should the command be:

ROUTE -p ADD 192.168.128.10 MASK 255.255.252.0 192.168.100.1

?
MikeKane (accepted solution; body not shown on the page):
lor1974 (asker):

ROUTE -p ADD 192.168.128.10 MASK 255.255.255.255 192.168.100.1

worked

I can surf and the software is working

Thank you very much for your help!!!
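A worked illustration, added here and not part of the thread, of the route selection MikeKane describes and of why the asker's first ROUTE ADD form (a host address under a /22 mask) would be rejected while the /32 route worked. It simulates Windows-style longest-prefix, lowest-metric lookup over the ROUTE PRINT table posted above; the addresses are the asker's, while the function names and the rejection wording are this example's own assumptions.

```python
import ipaddress

# Constructed from the asker's ROUTE PRINT above (only the rows that matter here):
# (destination, netmask, gateway, interface, metric)
ROUTES_BEFORE = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.46", 20),        # internet NIC default
    ("0.0.0.0", "0.0.0.0", "192.168.100.1", "192.168.100.71", 20),    # DMZ NIC default
    ("192.168.1.0", "255.255.255.0", "192.168.1.46", "192.168.1.46", 20),
    ("192.168.100.0", "255.255.255.0", "192.168.100.71", "192.168.100.71", 20),
]

def _net(dest, mask):
    return ipaddress.ip_network(f"{dest}/{mask}", strict=False)

def lookup(routes, dest):
    """Longest prefix wins, then lowest metric. Returns the gateways that tie
    for best: two entries means the choice is left to the stack (the asker's
    two default routes), one entry means the path is deterministic."""
    d = ipaddress.ip_address(dest)
    scored = [((-_net(n, m).prefixlen, metric), gw)
              for n, m, gw, _, metric in routes if d in _net(n, m)]
    if not scored:
        return []
    best = min(k for k, _ in scored)
    return [gw for k, gw in scored if k == best]

def route_add(routes, dest, mask, gw, metric=1):
    """Mimic ROUTE ADD: reject a destination with host bits set under the mask
    (the asker's 192.168.128.10 MASK 255.255.252.0 attempt) and bind the
    route to the NIC whose on-link subnet contains the gateway."""
    if str(_net(dest, mask).network_address) != dest:
        raise ValueError("route addition failed: destination has host bits set")
    g = ipaddress.ip_address(gw)
    iface = next(i for n, m, _, i, _ in routes
                 if 0 < _net(n, m).prefixlen < 32 and g in _net(n, m))
    return routes + [(dest, mask, gw, iface, metric)]

def route_delete(routes, dest, mask, gw):
    """Mimic ROUTE DELETE of one specific entry."""
    return [r for r in routes if (r[0], r[1], r[2]) != (dest, mask, gw)]

def apply_fix(routes):
    """MikeKane's recipe with the asker's real addresses: drop the DMZ default
    route (same effect as blanking the static gateway) and add the /32 that worked."""
    routes = route_delete(routes, "0.0.0.0", "0.0.0.0", "192.168.100.1")
    return route_add(routes, "192.168.128.10", "255.255.255.255", "192.168.100.1")
```

The /32 covers only 192.168.128.10; route_add(apply_fix(ROUTES_BEFORE), "192.168.128.0", "255.255.252.0", "192.168.100.1") would cover the whole /22 the asker mentioned, with everything else still leaving via the internet NIC.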