Re: ICS quandary

From: Kurt (kurtl_at_olypen.com)
Date: 02/25/04


Date: Tue, 24 Feb 2004 21:45:16 -0800

I agree, and RRAS allows interfaces (like demand dial) to be created as
virtual, i.e. a demand dial VPN. Just to illustrate. I have a Windows 2000
box with ICS providing NAT and public routing for the other 5 computers on
my LAN (3 XP Pro, a 2k server domain controller, and a Red Hat 9). It has the
Windows default inside address of 192.168.0.1, and we'll call it server1. On
my other 2k server at 192.168.0.100 (server2), I have a VPN to my LAN at
work. The VPN uses ICS on the other server for its link to the Internet.
When the VPN is up, server2 has an IP address on my work LAN for the virtual
interface, the "VPN adapter" (10.x.x.x). Now for the tricky part. I share the
VPN connection with ICS on server2 just as I would share a real Internet
connection, and I have a static route on server1 as:

route add 10.0.0.0 mask 255.0.0.0 192.168.0.100

which routes any traffic bound for the 10.0.0.0/8 network to server2, which
in turn NATs it to its 10.x.x.x address and forwards it through the tunnel
to my work LAN (would that be a backward forward? : ) )

This enables me to access the work LAN from any of the computers on my LAN,
and a tracert to 10.z.z.z turns up something like:
192.168.0.1
192.168.0.100
10.y.y.y
10.z.z.z

where 10.y.y.y is the remote end of the VPN tunnel, and 10.z.z.z is some
host on the network at work.

So my reasoning is that if the remote machine has an IP address on his home
LAN, as with a VPN connection, then the private interface of the ICS box
should appear to be a local address to the remote box. By specifying that
private interface as the remote's default gateway, it should pass through
the ICS NAT and back just as if it were a local computer on the home LAN.
Now this might require a computer other than the ICS box for the dial-in
connection, and I've never tried this with a dial-in, but it might work. I'm
certain it would work with a separate remote access dial-in server as long
as the remote gets a local IP address.

...kurt

"Bill Grant" <not.available@online> wrote in message
news:uN97iL0%23DHA.2184@TK2MSFTNGP12.phx.gbl...
> The problem isn't the routing, it is address translation. The packet may
> be routed to the Internet, but it will then be lost because it is a private
> IP. Because the client and the LAN machines are already in the same IP
> subnet, you can't really use routing. The client uses proxy ARP to contact
> LAN machines in the same subnet.
>
> NAT and ICS enable the private packet to use the "server's" public IP.
> In ICS, this just happens and is not configurable. In RRAS/NAT, you
> configure which interfaces are the private side input to NAT, and which
> interface(s) are public.
>
> The netsh command described in KB 310888 is a method to make the
> "internal" interface (to which the RAS client connects) an input to NAT, so
> that it uses a public IP externally. This is required because you cannot
> "see" this interface in the NAT display in the RRAS console. (This has been
> fixed in W2k3. You can now do it from the console.)
>
> The only other method which works involves using demand-dial interfaces.
> But this solution is only possible with RRAS/NAT, not ICS.
>
> "Kurt" <kurtl@olypen.com> wrote in message
> news:103mnis9i0b6kb8@corp.supernews.com...
> >
> > Sorry, that command line to add a default route in windows is
> >
> > route add 0.0.0.0 mask 0.0.0.0 <ip address of NIC2>
> >
> > Got routers on the brain.
> >
> >
> > "Kurt" <kurtl@olypen.com> wrote in message
> > news:103lnijg2boj137@corp.supernews.com...
> > > I've never tried it, but I'll take the role of the protagonist here and
> > > say that I think you could get it to work, but it'll take a little
> > > unconventional thinking. When you dial in, do you get an IP address on the
> > > LAN (you can ping the W2K box)? If that is the case, you should be able to
> > > manually specify the default route as the private interface (NIC2) as the
> > > XP Pro's default gateway. (from command line > ip route 0.0.0.0 mask 0.0.0.0
> > > <NIC2 IP Address>). You would also need to manually set your DNS server to
> > > point to your ISP's (cable provider's) DNS server. That might route packets
> > > via the shared connection. It's worth a try.
> > >
> > > ...kurt
> > >
> > > "Brian" <Brian@NOSPAMparishmotel.com> wrote in message
> > > news:auVZb.37518$um1.4484@twister.nyroc.rr.com...
> > > > It sure seems like I should be able to do this but I cannot get it to
> > > > work.
> > > > I have a Win2K Pro machine connected via cable modem and static IP with 2
> > > > NICs. NIC 1 to the cable modem/static IP and NIC 2 to an internal network
> > > > pulling an IP from WinProxy. I can easily live without NIC 2 if it would
> > > > help.
> > > > I connected a brand new USR v.92 to the 2K Pro machine and set up an
> > > > Incoming Connection. I set NIC 1 to share its stuff and play nice. Taking
> > > > NIC 2 out of the machine causes NIC 1 not to have a sharing tab btw.
> > > > Now I dial into 2K Pro from XP Pro, make a nice quick clean connection that
> > > > shows data moving to and fro in the status box BUT I can't do anything over
> > > > the net from the XP machine. It acts like there is no DNS, it just cannot
> > > > find hosts.
> > > >
> > > > All I want to do is connect to my own network from hotels to avoid paying
> > > > for an ISP and hotel phone charges. If I get this working I'll put a toll
> > > > free # on the modem.
> > > >
> > > > Thanks for any help
> > > > Brian
> > > >
> > > > P.S. No virus scanners or firewalls involved.
> > > >
> > > >
> > >
> > >
> >
> >
>
>
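As an added illustration that is not part of the thread (nor anything from Microsoft's RRAS/ICS code): a small Python model of the two situations the posts argue about. It implements the same longest-prefix-match route selection the Windows stack uses, so Kurt's `route add 10.0.0.0 mask 255.0.0.0 192.168.0.100` wins over the default route for a 10.x.x.x destination, and an ICS-style source NAT that only translates packets arriving on an interface configured as a NAT input. With that, it walks a packet from a LAN client to a work host (reproducing the hop sequence of Kurt's tracert) and then walks a dial-in client's packet to the Internet, first with the RAS "Internal" interface outside NAT (Brian's symptom: the packet leaves with its private source address) and then with it made a NAT input, which is what Bill Grant says the KB 310888 netsh step does. All addresses (203.0.113.7 for server1's public side, 10.20.0.5 for server2's VPN adapter, 10.20.0.1 for the far end of the tunnel, 10.30.0.0/16 for the work LAN, 192.168.0.250 for the RAS Internal interface, 192.168.0.201 for the dial-in client) are constructed, and the `Node`/`trace` API is hypothetical, written for this example only.

```python
# Added example, not from the thread: longest-prefix-match forwarding plus
# ICS/RRAS-style source NAT, modelling the two situations the posts describe.
# Every address below is constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]  # None: destination is on-link
    iface: str

@dataclass
class Packet:
    src: str
    dst: str

class Node:
    """Routing table plus optional NAT: nat_private = interfaces that are inputs
    to NAT, nat_public = the interface whose address is used externally."""

    def __init__(self, ifaces: Dict[str, str], nat_private=(), nat_public=None):
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in ifaces.items()}
        self.nat_private, self.nat_public = set(nat_private), nat_public
        # One connected route per interface comes for free
        self.routes = [Route(i.network, None, n) for n, i in self.ifaces.items()]

    def add_route(self, cidr: str, next_hop: str, iface: str) -> None:
        """Equivalent of: route add <net> mask <mask> <next_hop>"""
        self.routes.append(Route(ipaddress.ip_network(cidr), next_hop, iface))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: 10.0.0.0/8 beats 0.0.0.0/0 for a 10.x.x.x host."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, pkt: Packet, in_iface: str) -> Tuple[Optional[str], Packet]:
        """(next hop, packet as it leaves); SNAT only for NAT input -> public."""
        route = self.lookup(pkt.dst)
        if route is None:
            return None, pkt
        if in_iface in self.nat_private and route.iface == self.nat_public:
            pkt = Packet(src=str(self.ifaces[route.iface].ip), dst=pkt.dst)
        return (route.next_hop or pkt.dst), pkt

def trace(node: Node, in_iface: str, pkt: Packet, nodes: List[Node],
          max_hops: int = 16) -> Tuple[List[str], Packet]:
    """Walk a packet hop by hop, like tracert; returns (hops, packet as it left)."""
    by_addr = {str(i.ip): (n, name) for n in nodes for name, i in n.ifaces.items()}
    hops: List[str] = []
    for _ in range(max_hops):
        nh, pkt = node.forward(pkt, in_iface)
        if nh is None:
            break
        hops.append(nh)
        if nh not in by_addr or nh == pkt.dst:  # left the model, or delivered
            break
        node, in_iface = by_addr[nh]
    return hops, pkt

def build_lan() -> Tuple[Node, Node, Node, Node]:
    """Kurt's setup: server1 runs ICS, server2 holds the VPN and shares it."""
    client = Node({"LAN": "192.168.0.50/24"})
    client.add_route("0.0.0.0/0", "192.168.0.1", "LAN")
    server1 = Node({"LAN": "192.168.0.1/24", "Public": "203.0.113.7/24",
                    "Internal": "192.168.0.250/32"},  # RAS dial-in side
                   nat_private={"LAN"}, nat_public="Public")
    server1.add_route("0.0.0.0/0", "203.0.113.1", "Public")
    server1.add_route("10.0.0.0/8", "192.168.0.100", "LAN")  # the route in the post
    server2 = Node({"LAN": "192.168.0.100/24", "VPN": "10.20.0.5/32"},
                   nat_private={"LAN"}, nat_public="VPN")
    server2.add_route("0.0.0.0/0", "192.168.0.1", "LAN")
    server2.add_route("10.0.0.0/8", "10.20.0.1", "VPN")  # through the tunnel
    work = Node({"Tunnel": "10.20.0.1/32", "Work": "10.30.0.1/16"})
    return client, server1, server2, work

def kurt_case() -> Tuple[List[str], Packet]:
    """LAN client to a work host; the hops mirror the tracert in the post."""
    client, server1, server2, work = build_lan()
    return trace(client, "LAN", Packet("192.168.0.50", "10.30.0.42"),
                 [client, server1, server2, work])

def dialin_case(nat_internal: bool) -> Tuple[List[str], Packet]:
    """Brian's problem: the dial-in client sits behind server1's Internal interface."""
    client, server1, server2, work = build_lan()
    dial = Node({"PPP": "192.168.0.201/32"})
    dial.add_route("0.0.0.0/0", "192.168.0.250", "PPP")
    if nat_internal:  # the KB 310888 step: make Internal an input to NAT
        server1.nat_private.add("Internal")
    return trace(dial, "PPP", Packet("192.168.0.201", "198.51.100.9"),
                 [dial, server1, server2, work])
```

`kurt_case()` returns the hops 192.168.0.1, 192.168.0.100, 10.20.0.1, 10.30.0.42 with the source already rewritten to server2's VPN address, which is the trace Kurt shows. `dialin_case(False)` sends the packet out of server1's public interface still carrying 192.168.0.201 as its source, so no reply can ever come back, which is Bill Grant's point that the problem is translation rather than routing; `dialin_case(True)` leaves with 203.0.113.7 instead. On the real box the equivalent checks are `route print` to confirm the static route took, and `tracert` from the client as in the post.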