Routing Problem In Windows 2000

webuser

MIS
Jun 1, 2001
202
US
Here is the setup:

I set up a Windows 2000 Server machine. The machine has 2 NICs, on 2 subnets. The subnets are 192.168.102.x for the internal network and 192.168.10.x for the external network. The 2 NICS' IP addresses are 192.168.102.243 and 192.168.10.2 respectively.
On the external subnet, there is a firewall, with an internal address of 192.168.10.1. I also set up a workstation on this subnet with IP address 192.168.10.3.
On the Win2000 machine, the internal NIC does not have a default gateway, while the external one's default gateway is set to the IP address of the firewall. I think this is a normal config for this type of thing.

                   WS (10.3)                    WS (102.60)
                       |                            |
[Intrnt]--[Firewll]--[Win2000Router]--[192.168.102.x]
             .10.1    .10.2   .102.243
The problem:

First of all, I can ping anything from the Win2000 machine, meaning that I can ping the firewall, past the firewall etc. But if I try to ping from, say, address 192.168.102.60, I can ping the Win2000 machine's IP addresses (both) as well as the workstation (10.3) on the other side, but not the internal address of the firewall (which is set as the default gateway) or anything beyond the firewall. As a test, I tried changing the default gateway on the external NIC to the IP address of the workstation and, lo and behold, I was now able to ping the firewall (not beyond it of course), BUT NOT THE workstation.

To summarize, for some reason, I can't ping the default gateway address of the external NIC, and since I need to do that to get past the firewall, this is obviously a problem. I did a Route Print, and everything seems pretty much OK.
The strange thing is that I can do everything from the router itself, which indicates that the routing table is correct, and I can also ping across the router to the subnet of the external NIC, but somehow the default gateway is not working. I have enabled Routing and Remote Access, and remember, I am able to route packets across the machine, just not past the immediate subnet. From my understanding, the route print's 0.0.0.0 0.0.0.0 route sends everything that is not destined for the local subnet to the default gateway, and this IS in the route table.

Please HELP!!! Thank you in advance.

 
On the workstations, did you try putting the IP address of the server's internal NIC as the gateway?

See if it'll work.
 
HI!

First, as mentioned, the Default Gateway of the internal clients should be
192.168.102.243

Now, remember that in IP routing there are 2 directions for the traffic.
Your problem could be with the return route.
If you get PING timeouts (and not another error), this supports my assumption,
and means that the PING goes out, but the PONG doesn't come back.

So, you should simply add a route to 192.168.102.0 in your firewall routing table. Ask the firewall administrator if you don't know how.

These 2 steps should solve the problems, in my opinion.

And please tell us what's the idea and the purpose of the W2K router?
Why not connect all workstations to the firewall?
Is the W2K server going to be a Proxy server (if so, it doesn't have to be a router)?

Bye
Yizhar

Yizhar Hurwitz
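The two-direction point above (request goes out, reply has no route back) can be checked on a model before touching real equipment. The following is an added example, not code from the thread or from any of the posters: a minimal longest-prefix-match simulation of the three hosts in the thread (workstation 192.168.102.60, the W2K router with 192.168.102.243/192.168.10.2, the firewall at 192.168.10.1). The firewall's untrusted-side addresses (198.51.100.0/24, documentation range) and the host names are constructed; the upstream ISP router is not modelled, so anything sent toward it is lost. The example shows the echo request reaching the firewall while the reply leaves via the firewall's default route, and the same ping succeeding once a route to 192.168.102.0/24 via 192.168.10.2 is added on the firewall, which is exactly the fix proposed above.

```python
"""Model of an asymmetric-routing failure: the echo request reaches the
firewall, but the echo reply has no route back and leaves via the firewall's
default (untrusted) side.  Addresses follow the thread; the firewall's
untrusted side (198.51.100.0/24) is constructed for the example."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
NET = ipaddress.IPv4Network


@dataclass
class Host:
    name: str
    addresses: set                                # one IP per interface
    routes: list = field(default_factory=list)    # (prefix, next_hop); None = on-link

    def next_hop(self, dst):
        """Longest-prefix match; returns the next-hop IP (the destination
        itself for an on-link prefix) or raises if nothing matches."""
        best = max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        prefix, nh = best
        return dst if nh is None else nh


def deliver(topology, src_host, dst, ttl=16):
    """Forward one packet hop by hop. Returns (path, reached); reached is
    False when the next hop is outside the modelled network or TTL expires."""
    path = [src_host.name]
    host = src_host
    while ttl:
        ttl -= 1
        if dst in host.addresses:
            return path, True
        nh = host.next_hop(dst)
        nxt = topology.get(nh)
        if nxt is None:
            path.append(f"-> {nh} (outside modelled network)")
            return path, False
        host = nxt
        path.append(host.name)
    return path, False


def ping(topology, src_ip, dst_ip):
    """Echo request src->dst, then echo reply dst->src.  A timeout is the
    case where the request arrives but the reply never makes it back."""
    src, dst = IPv4(src_ip), IPv4(dst_ip)
    fwd_path, arrived = deliver(topology, topology[src], dst)
    if not arrived:
        return {"request": fwd_path, "reply": [], "ok": False}
    rev_path, returned = deliver(topology, topology[dst], src)
    return {"request": fwd_path, "reply": rev_path, "ok": returned}


def build_topology():
    """Hosts from the thread, keyed by every address they own."""
    ws = Host("WS-102.60", {IPv4("192.168.102.60")},
              [(NET("192.168.102.0/24"), None),
               (NET("0.0.0.0/0"), IPv4("192.168.102.243"))])
    w2k = Host("W2K-router", {IPv4("192.168.102.243"), IPv4("192.168.10.2")},
               [(NET("192.168.102.0/24"), None),
                (NET("192.168.10.0/24"), None),
                (NET("0.0.0.0/0"), IPv4("192.168.10.1"))])
    # Constructed untrusted side; 198.51.100.1 (the ISP) is not modelled.
    fw = Host("Firewall", {IPv4("192.168.10.1"), IPv4("198.51.100.2")},
              [(NET("192.168.10.0/24"), None),
               (NET("198.51.100.0/24"), None),
               (NET("0.0.0.0/0"), IPv4("198.51.100.1"))])
    return {addr: h for h in (ws, w2k, fw) for addr in h.addresses}


def fix_firewall(topology):
    """The proposed fix: give the firewall a return route to the inner LAN."""
    fw = topology[IPv4("192.168.10.1")]
    fw.routes.append((NET("192.168.102.0/24"), IPv4("192.168.10.2")))


if __name__ == "__main__":
    topo = build_topology()
    print("before:", ping(topo, "192.168.102.60", "192.168.10.1"))
    print("from router:", ping(topo, "192.168.10.2", "192.168.10.1"))
    fix_firewall(topo)
    print("after:", ping(topo, "192.168.102.60", "192.168.10.1"))
```

The "from router" case succeeds even before the fix because the firewall has an on-link route back to 192.168.10.2, which is why testing from the router itself never showed the problem; only a source on the inner subnet exposes the missing return route.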
 
Thank you very much! I did have the workstations pointing to the correct default gateway, but I was missing the entry in the firewall that pointed back to my network. When the firewall was pinged, it was responding out the untrusted interface and so I was not getting a reply. As soon as I added the route in the firewall, everything worked. You made my day! By the way, the router is being used to control web access using the 'Surfcontrol' software. If you have any other ideas about a better way to implement this, I will be happy to hear it. Again, thank you very much.

 
HI!

There are solutions like WEBSENSE and other products that work in conjunction with your firewall to filter/screen URLs.
Ask your ISP or other security experts, or browse the net.
(Ask here also in the security forums. I myself have no experience with these).

This approach has some advantages I can think of:

1) Simpler network design (fewer "levels") - means fewer problems, and easier troubleshooting.
You have just seen an example.
In the current configuration you have more points of failure and more points to check when you have problems.
The FireWall-WebSense approach also has 2 points of failure, but it's still more reasonable in my opinion.

2) You can get better performance with my suggested approach - again this is my opinion, not based on testing.

Bye

Yizhar Hurwitz