
Routing Issue

Status
Not open for further replies.

LLudlow

Programmer
Oct 5, 2001
186
0
0
CA
Hi,

I have set up a Windows 2000 Server as a router by configuring Routing and Remote Access. What I am trying to do is to create a DMZ. I have two subnets. My workstations and main servers are on a 10.0.10.0 subnet and my outside firewall and webserver are on a 10.0.90.0 subnet. I can ping from the 10 subnet to the 90 subnet, but when I try to browse the web from a workstation no traffic reaches the firewall, which is using NAT. I can ping a website and get a response from my firewall, but from any other workstation on any subnet I cannot ping a website. I have talked to support for my firewall, which is Borderware, and they assure me that it has to be a routing issue. Does anyone have any suggestions?

Thanks
Elway07
 
Can you post an ipconfig /all from the server and a machine on the 10 subnet?
 
Sure, here you go:

Server
IP: 10.0.10.12
Subnet mask: 255.255.255.0
Gateway: 10.0.10.1
DNS: 10.0.10.12

Workstation:
10.0.10.51
255.255.255.0
10.0.10.1
10.0.10.12
DHCP Server: 10.0.10.12

I then have a default route on my gateway sending all default requests to 10.0.90.3 (NAT firewall to outside world).
And the gateway router goes to the 90 subnet through the Windows 2000 server router through 10.0.10.5.


 
OPEN FILES WOES

I notice that open Excel files in the OPEN FILES folder (Computer Management) will only be closed when the client XP user logs off. Is there a way that, if the MS Excel program closes on the client PC, the open xls file on the W2K server is closed too?

Actually the user will complain that he can't delete the file because it's being used by somebody. I'm sure he's the only somebody there. If I close the file from the server, that's the only time he can delete it. Is there something to do with file synchronization?

Help will be much appreciated.

 
I'm sorry, man . . . I wrongly posted it . . . I should have started a new thread
 
Ricpinto,
Please open a separate thread for this issue.

lludlow,

How is your network physically set up?

I.e.
                      __---- Firewall --- Web server
Internet --- Gateway __
                        ---- Win2K server – Lan

Also, what equipment are you using for a gateway?
 
Here is my setup

internet
-->Cisco Router on the 10.0.10.0 subnet
-->10.0.90.0 which includes Firewall
-->windows 2000 router
-->10.0.10.0
-->Workstations

But I have a route in my Cisco router to forward all default traffic out through the firewall (10.0.90.3)
 
How many network adapters are on your firewall?
 
I have 2 NICs on the firewall:
one for the 10.0.90.0 subnet and one as my external IP address to the outside world
 
Please correct me if I am wrong, but your network would be set up as follows. (Cisco router 10.0.10.1) -- (10.0.10.0 address Firewall 10.0.90.0) address -- (10.0.10.0 address Win2k server 10.0.10.0 address) -- 10.0.10.0 Lan. Is that basically correct? Is your webserver running on the firewall server? If not, where is it in the network config?
 
Here is the way a packet travels from a workstation:

source (10.0.10.51)
-->10.0.10.1
-->10.0.10.5
-->10.0.90.1
-->10.0.90.3 (Firewall/Nat)
-->Outside World

Does this help?
 
10.0.10.1 = Cisco router, correct, or is it the Win2k router?
What is 10.0.10.5?
What is 10.0.90.1?
 
10.0.10.5 and 10.0.90.1 are the interfaces on the windows 2000 server Router.
10.0.10.1 is the Cisco Router
 
The problem you are having is in the routing.
Your physical setup is
internet
-->Cisco Router on the 10.0.10.0 subnet
-->10.0.90.0 which includes Firewall
-->windows 2000 router
-->10.0.10.0
-->Workstations

But when you connect to the internet your route is
source (10.0.10.51) Workstation
-->10.0.10.1 router
-->10.0.10.5 Win2k
-->10.0.90.1 win2k
-->10.0.90.3 (Firewall/Nat)
-->Outside World

Before we can address that I need to know where your webserver is. Is it on the 10.0.90.3 server or does it have a separate IP?
 
The webserver is on the 10.0.90.0 subnet. It is not set up yet. I want to set up the DMZ before I put it into production. But I need to know that users are still going to be able to browse the internet with the above setup.
 
The above setup will work (with some manipulation) but not as a DMZ unless you add another nic to the firewall (Ideal) or the win2k server(workable). Another possibility would be to add another lan card to your cisco router, but that would be more expensive.
 
If I add another NIC to the firewall, what should I set its IP as? And I plan on having two firewalls: the existing one to protect from the outside world and a SonicWall Soho3 to separate my internal network from the webserver and such.

Internet
Borderware (existing)
dmz
Sonicwall
LAN
 
Ok if you would add another nic to the firewall then I would set up the ip's as follows. Cisco router Internal ip 10.0.0.1. Firewall ip's as 10.0.0.2 (connected to router) 10.0.90.3 connected to DMZ 10.0.10.1 connected Internal network. On the router allow all all from 0.0.0.0 to 10.0.0.2. I would disable routing on win2k server and connect both it and firewall to a switch. Set up NAT on the 10.0.0.2 interface. You should be able to set up policies on the firewall that take all incoming web mail and dns requests to your external ip and allow them to the 10.0.90. addresses.
 
We haven't attempted to come into the firewall yet. We have a routing issue browsing out.

What we want to do is place our existing firewall on a separate subnet than our LAN now. We are then hoping to use the WIN 2K router to route internal traffic to the firewall.

The existing network with the BW firewall set to 10.0.10.3 functions normally, allowing traffic out and in (web access to mail).

We want to move the BW firewall to 10.0.90.3. We put the WIN 2K router in the network with a 10.0.90.1 NIC connected to the same switch as the BW firewall's internal NIC (10.0.90.3). The WIN 2K router has another NIC with an address of 10.0.10.5 connected to the same switch as the Cisco router (10.0.10.1) and the rest of the LAN (which consists of workstations etc. all with a 10.0.10.address). This gives us a LAN of 10.0.10.0 - 10.0.10.255 and another of 10.0.90.0 - 10.0.90.255. The routing between the two networks is handled by the WIN 2K router.

The WIN 2K router hasn't any static routes - just the routes it discovers. The Cisco router has a static route of 0.0.0.0 (subnet 0.0.0.0) to 10.0.90.3. The Cisco router also has a route of 10.0.90.0 (subnet 255.255.255.0) to 10.0.10.5.

With this setup we are able to ping the outside world from the BW firewall but we are unable to ping the outside world from anywhere else on either subnet. We can ping the BW firewall (10.0.90.3) from either subnet. When we attempt to browse the firewall doesn't see anything hit it from either subnet. THE BROWSE REQUEST IS LOST IN THE ROUTING. WHY??? I would think that since I can ping the 10.0.90.3 address of the BW firewall that I would be able to browse.
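
A hop-by-hop model of the routing tables described in the post above, added here as an example and not part of the original thread. It assumes the Win2K router holds only its two connected networks and that the Cisco router resolves the non-adjacent next hop 10.0.90.3 through its 10.0.90.0 route; 198.51.100.10 is a constructed stand-in for any Internet address.

```python
import ipaddress as ip

# Routing tables as described in the post (constructed model).
# A next hop of None means the network is directly connected.
TABLES = {
    "cisco": [("10.0.10.0/24", None), ("10.0.90.0/24", "10.0.10.5"),
              ("0.0.0.0/0", "10.0.90.3")],
    # Assumption: the Win2K router has only its connected networks.
    "win2k": [("10.0.10.0/24", None), ("10.0.90.0/24", None)],
}
# Which device owns each interface address.
OWNER = {"10.0.10.1": "cisco", "10.0.10.5": "win2k",
         "10.0.90.1": "win2k", "10.0.90.3": "firewall"}

def lookup(router, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    dst = ip.ip_address(dst)
    hits = [(ip.ip_network(n), nh) for n, nh in TABLES[router]
            if dst in ip.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def resolve(router, nh):
    """Follow a non-adjacent next hop until it sits on a connected network."""
    while True:
        net, via = lookup(router, nh)
        if via is None:
            return nh
        nh = via

def trace(dst, gateway="10.0.10.1"):
    """Path of a packet from a workstation (default gateway 10.0.10.1) to dst."""
    path, router = [], OWNER[gateway]
    while router in TABLES:
        hit = lookup(router, dst)
        if hit is None:
            return path + [f"{router}: no route to {dst}, dropped"]
        net, nh = hit
        if nh is None:
            owner = OWNER.get(dst, "host")
            return path + [f"{router}: {dst} on connected {net}, delivered to {owner}"]
        adj = resolve(router, nh)
        path.append(f"{router}: via {nh} (adjacent hop {adj})")
        router = OWNER[adj]
    return path + [f"{router}: received"]

if __name__ == "__main__":
    for dst in ("10.0.90.3", "198.51.100.10"):
        print(dst, *trace(dst), sep="\n  ")
```

In this model, a packet addressed to 10.0.90.3 is delivered while a packet to an outside address stops at the Win2K router, and adding a `("0.0.0.0/0", "10.0.90.3")` entry to the `win2k` table lets the trace reach the firewall.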
 
Can you telnet (open a cmd prompt and type telnet 10.0.90.3) to the BW firewall from a Win2k workstation? When you do that, do you get a login prompt?
 