Solved

Network Configuration with Comcast Business Class modem

Posted on 2012-03-26
Last Modified: 2012-04-20
I recently installed Comcast Business Class service, and the tech installed an SMCD3G modem, which includes 4 LAN ports.

I also have a Cisco RVS4000 router/firewall which I'm using as my main router. I also have a wireless access point, but at the moment I'm not concerned with that.

The basic setup works fine, and I'm able to use the internet, get email, etc etc. However, I have a hosted remote access utility (ScreenConnect) which I use to provide remote support to my clients, and after the Comcast install I need to re-configure for this. Note that previously, with my Motorola Modem + RVS4000 everything worked well.

I cannot get external internet traffic routed to my ScreenConnect utility. The configuration is like this:

Comcast Modem
V
Cisco RVS4000
V
All internal network resources, including the machine hosting ScreenConnect utility

The Comcast modem is set to use the standard 10.1.10.xx IP ranges, but the RVS4000 is using the 192.168.1.xx ranges. If I change the RVS to use a 10.1.10.xx address, I can't get the boxes to talk to each other, and I cannot do anything internet-related.

I've exhausted my knowledge of network setup, and would like to ask for your assistance in the best way to configure this. I'd much prefer that all my internal network resources flow from the RVS4000, since I have much greater faith in the firewall there than I do in the Comcast modem. I'm not sure if I need to somehow "bridge" the Comcast modem with the RVS box.

How can I configure the two components so that they can co-exist on the same network, and so that I can forward traffic to my ScreenConnect utility?

I've set the Comcast modem as the DHCP server, and disabled the firewall on that device (the firewall on the RVS is active). I've disabled the DHCP server on the RVS box. On that box, the appropriate ports are forwarded for the ScreenConnect traffic (and remember this worked well before the install of the Comcast modem).

Note too that if I connect directly using my current WAN address, I see the Comcast modem sign-in screen, so I'm confident that I can reach that (and I've done this from a remote network as well). However, if I enter my ScreenConnect port (i.e. 99.99.99.99:8040) then I get the "Internet Explorer cannot display the page" error.
16 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 167 total points
ID: 37766664
Well, you want to configure the Comcast modem to do pass-through only and not be a router for your network. Look in the Comcast modem; you should have an option to configure the modem to be a modem only and not a router. If you can't find this, call Comcast; they should be able to direct you to the configuration that needs to be implemented. This is very common.
 
LVL 7

Expert Comment

by:raeldri
ID: 37766770
Log in to the modem via its IP with the below credentials:

user: cusadmin
password: highspeed


Click on "Firewall" on the left, then "Port Forwarding" across the top/middle of the screen, and forward the ports required to the IP of your RVS4000.

If the user has a static IP the process is slightly different.

Click on firewall and on the right hand side check the boxes for "Disable firewall for true static IP subnet only".

Assign the static IP to the RVS4000 with the information provided from Comcast and you shouldn't have any issues.
 
LVL 84
ID: 37768808
Thanks very much for your time.

I can't figure out how to tell my Comcast modem to be a passthrough, but I'll contact Comcast support to see if they can shed some light on that.

I did configure my boxes as described by raeldri, but that didn't work either. I had tried that before posting here, but to be thorough I tried it again, and I still cannot get to my ScreenConnect utility. I've reinstalled ScreenConnect to be sure there was nothing that needed to be reconfigured.

I did make these changes:

Changed the Comcast modem's IP address to 192.168.1.1 and enabled the DHCP server there, and then set the RVS4000 to be a Router only (with a static IP of 192.168.1.20). This allowed me to have the two boxes recognize each other, but I still cannot get to the ScreenConnect utility. I've forwarded ports 8040 and 8041 to both 192.168.1.10 (the LAN IP of the machine running the ScreenConnect utility) and to 192.168.1.20 (the LAN IP of the RVS4000 router). Neither of those configurations works.

Any other suggestions?
 
LVL 84
ID: 37770587
On a further note, if I test my ports (8040 and 8041) from the ScreenConnect site's tool, they report back that the ports are open and configured properly. It's only when they hit my Comcast modem that they seem to be having troubles.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37771192
Right, because the Comcast modem is not set up to do pass-through and/or the Comcast modem is not port forwarding to the proper internal IP addresses on your router; then your router would have those ports open or port forwarded to your server. You really want a pass-through on your modem so you won't have to configure twice, once on the Cisco and once on the Comcast router.
 
LVL 84
ID: 37771256
Another oddity - if I connect my machine directly to the Comcast modem, I have the same issues, even with the ports forwarded directly to that machine. In this case, my machine is the only thing connected to the Comcast modem, and I still cannot get to my ScreenConnect program from an external browser.

I can run it from my internal system (i.e. directly on the machine, of course) so it would seem that the SC program is installed correctly, but I'm wondering now if it's set up correctly. I've got a support ticket open with SC to be sure of this.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37771291
Again, the configuration is not correct on the Comcast modem; this is why it is not working. If you have the server plugged into the Comcast modem, you must remember you are running a different IP scheme, so internally you would not be able to connect properly.
 
LVL 7

Assisted Solution

by:raeldri
raeldri earned 167 total points
ID: 37771642
Your Comcast modem and RVS4000 should not be in the same network range if both are running NAT; you'll just cause yourself headaches. Leave the Comcast modem in the 10. range.

Assign the RVS an IP statically in the 10 range on its external interface. Configure the Comcast modem as described above to forward to the IP configured on the RVS external interface. Ensure the forwarding is configured on the RVS to the local client machine inside of the network.
 
LVL 84
ID: 37772440
Thanks again for all of your assistance. I think I'm beginning to understand what you're saying:

The Comcast modem should be in the 10.1.xx.xx range, and should not be set to be a DHCP server. I should plug the RVS4000 into that modem, and assign it an external (WAN?) address in the same range as the Comcast modem (something like 10.1.10.2, perhaps).

Then, I will enable the DHCP server on the RVS box, and attach all internal machines to that box, and allow the RVS to dynamically assign IP addresses to those machines.

I'll then forward all traffic on port 8040 and 8041 to the WAN IP of the RVS box. On the RVS Box, I'll further forward that traffic to the internal machine that will be used to handle those requests.

I did find some issues when I spoke with ScreenConnect support today. I use DynDNS to allow my clients a friendly URL to get to my utility, and the URL I was using for that has not been updated to show my new Comcast WAN IP address. After updating that, with the machine plugged directly into the Comcast modem, the ScreenConnect tech was able to connect to my ScreenConnect program.

So I may have some issues with DynDNS, but if so I'll ask that under another question.
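The two-hop forwarding summarised in the post above can be checked on paper before touching either device. The following is an added example, not part of the original thread: 99.99.99.99 is the placeholder WAN address from the question, while 10.1.10.2 (RVS4000 WAN side) and the /24 masks are assumed values.

```python
import ipaddress

# Constructed sample configuration modelled on the thread. 10.1.10.2 and the
# /24 masks are assumptions; 99.99.99.99 is the question's placeholder WAN IP.
GATEWAY = {"name": "Comcast SMCD3G", "wan_ip": "99.99.99.99", "lan": "10.1.10.0/24",
           "forwards": {8040: "10.1.10.2", 8041: "10.1.10.2"}}
ROUTER = {"name": "Cisco RVS4000", "wan_ip": "10.1.10.2", "lan": "192.168.1.0/24",
          "forwards": {8040: "192.168.1.10", 8041: "192.168.1.10"}}


def check_chain(devices):
    """Return a list of addressing problems in a chain of NAT devices."""
    problems = []
    nets = [ipaddress.ip_network(d["lan"]) for d in devices]
    for i, (outer, inner) in enumerate(zip(devices, devices[1:])):
        if nets[i].overlaps(nets[i + 1]):
            problems.append(f"{outer['name']} and {inner['name']} use overlapping LAN ranges")
        if ipaddress.ip_address(inner["wan_ip"]) not in nets[i]:
            problems.append(f"{inner['name']} WAN IP is outside the {outer['name']} LAN")
    return problems


def trace(devices, dst_ip, port):
    """Follow an inbound TCP connection through each port-forward rule.

    Returns (final_ip, hops); final_ip is None when the connection is dropped.
    """
    hops = []
    for dev in devices:
        if dst_ip != dev["wan_ip"]:
            hops.append(f"{dev['name']}: {dst_ip} is not this device's WAN IP, dropped")
            return None, hops
        target = dev["forwards"].get(port)
        if target is None:
            hops.append(f"{dev['name']}: no forward for port {port}, dropped")
            return None, hops
        if ipaddress.ip_address(target) not in ipaddress.ip_network(dev["lan"]):
            hops.append(f"{dev['name']}: forward target {target} not on its LAN, dropped")
            return None, hops
        hops.append(f"{dev['name']}: {dst_ip}:{port} -> {target}:{port}")
        dst_ip = target
    return dst_ip, hops


if __name__ == "__main__":
    print(check_chain([GATEWAY, ROUTER]))
    for line in trace([GATEWAY, ROUTER], "99.99.99.99", 8040)[1]:
        print(line)
```

Only the ports listed in each `forwards` table are reachable from outside, so the same trace doubles as a review of what the chain exposes.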
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37772848
Correct, you want your Cisco router to be your router for the network. The config you have now is technically with two routers.
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 166 total points
ID: 37779275
The Network that is between the Comcast Firewall and the Cisco Firewall is a Back-to-Back DMZ. If you understand what a Back-to-Back DMZ is and how to work with one then the whole thing becomes a no-brainer to deal with.

I called both Devices a "Firewall" because functionally that is what they are doing,...I don't see anything in the above thread that indicates anything is doing any real routing,...your actual LAN appears to have only ONE segment,...therefore there is nothing to route to or from. All the traffic going in and out of your LAN is either NAT'ed (outbound) or Reverse-NAT'ed (inbound),...I see nothing being routed, nor should it be expected to be.
 
LVL 84
ID: 37791599
Thanks for your attention to this, and sorry I've been absent for a few days.

I have since been able to determine that, for the most part, my ScreenConnect installation works as expected. I can connect to a client, and I can conduct a remote support session. My only sticking point now is when I try to install an "unattended client" on those machines. These unattended clients must ping back to an externally available internet resource, and using my current configuration that does not seem to be available with the equipment provided by Comcast. For example, I've been pointing to support.infotrakker.com, which further points to a DynDNS WebHop (ifs.webhop.net), which hops to my Comcast-provided IP. Before moving to Comcast Business Class, this worked fine behind my Motorola Surfboard modem.

With the new one, I cannot browse locally to support.infotrakker.com. If I do, I get a blank screen. The Comcast tech said this is because the SMCD3G-CCR modem does not support loopbacks, and that I must purchase a static IP. I've gone ahead and done that, since it will also solve some other issues I've been having, but it just seems odd that I can't do the same thing with a dynamic IP address as I can with a static IP address.
 
LVL 84
ID: 37791609
By the way, I found this very cool blog site about Back-To-Back DMZ:

http://phillipwindell.wordpress.com/2011/01/04/simple-back-to-back-dmz-example/

:)

I've been reading through those very easy-to-read tutorials and writeups, and found them to be very helpful in figuring out the dark arts of network setup and management!
 
LVL 29

Expert Comment

by:pwindell
ID: 37796937
Thanks!  :-}

I'm not sure I agree with the Comcast "guy" (which is nothing new for me and them). Dynamic -vs- static should not have anything to do with it. There is no loop-back happening here that I can see (nor does there need to be). Besides that, most Firewalls will not allow Loop-backing. It is a bad idea to loop-back anyway (also called Hair Pinning). NAT by the very nature of how it works will not loop-back because it creates a situation where the Source MAC and Destination MAC in the packets are the same address,..it then has an "identity crisis",..shoots itself in the head and fails. The only Firewalls that allow Hair Pinning (and there are very few) have to have an additional software (firmware) layer that operates at the Application Level to overcome NAT's inability to do this.

The Unattended Client (as I take it) is running on a machine on the internal LAN,...it then "phones home" to Momma at ScreenConnect and registers itself on one of their Servers. When you run your Remote Access Client on your end to make a connection you actually connect to the ScreenConnect Server as well,... and the ScreenConnect Server(s) "brokers" the connection and acts as a middleman between you and the target machine.  So in the end, everything is an Outbound connection,...the unattended Client makes an outbound connection to the ScreenConnect Server,...then you connect outbound to the ScreenConnect Server,...then the ScreenConnect Server manages the remote access over the already established connections.

That is how all these Remote Access Tools work,...and that is how all of them get around firewall by using only outbound connections,...there are no inbound connections,...so the firewalls don't get in the way.

So you need to look at why the Unattended Tool is failing to get outbound to the ScreenConnect Server.

Maybe you need to try a second Tool for the sake of comparison,...because maybe the problem is with the Tool you are using. Some are better than others,...I have had issues with some of them,...such as GoToAssist. Try TeamViewer (www.teamviewer.com),...it is lightweight and has worked well for me, and it does have an Unattended Component that is built right into it with no need to download a different App. It is free for non-commercial use,..which means you can try it out for free...

I have also had good luck with LogMeIn (www.logmein.com), which is also free for non-commercial use.
 
LVL 84
ID: 37849370
The ScreenConnect program is hosted entirely on my machines. ScreenConnect doesn't provide any sort of hosting or anything of that nature. You install it on your machine, and the remote clients "phone home" to your machine (based on the IP address that is provided when the remote client is installed).

I have used TeamViewer in the past, but the cost was too steep for me (and I use it for commercial purposes).

In the end, I ended up modifying my Hosts file to point my support URL (support.infotrakker.com) back to 127.0.0.1, which allowed me to see my SC program locally, and allowed me to deploy the unattended clients (and have them phone back home correctly). I also ended up with a static IP from Comcast, which certainly resolved the issue.

Thanks again for all your help. I've learned quite a lot on this adventure, the most important of which is - I don't want to be on the "hardware" side of the IT business! Much respect for you guys who figure all this stuff out so we can play on the 'Net!!
 
LVL 84
ID: 37871509
Thanks to all of you who helped. In the end, the combination of the 3 comments above proved to be the most helpful in regard to getting my program to run behind the Comcast business gateway. I did end up purchasing a static IP, but before that properly configuring my network, setting the correct Ports to forward to the right place, and editing the HOSTS file allowed me to have most of the functionality I wanted.

Thanks again.