Re: 2 nics DMZ

---

• From: "Bill Grant" <not.available@online>
• Date: Sat, 11 Feb 2006 12:01:36 +1100

---

1. Good.

2. Understood.

3. OK.

Then what exactly is your problem. What doesn't work?

JD wrote:

Thanks for the respose Bill. Here are the answers..

1. No routing and remote access installed. I added the routes for the
internal network via the command line ( Route Add command )

2. Since I have 2 network cards I can only have 1 gateway. The
gateway was installed on Nic #2 External. Nic #1 Internal does not
have a gateway so I have to tell the nic how to route internally to
other subnets. My 172 network is routed via ciso routers / vlans.

3. The external nic really dosent need to be pinged. I was unable to
ping the interface from another machine on the 192.x network. That
kinda told me there was somthing wrong. This only happened when I
turned on the windows firewall. I enabled ICMP pings on the external
interface still not pingable from the external network side. I am
just wondering what I did or didn't do to make this work.

Thanks again for the respone.....


JD


"Bill Grant" <not.available@online> wrote in message
news:uz$KosgLGHA.1124@xxxxxxxxxxxxxxxxxxxxxxx

JD wrote:

Hello out there guru's.... I have a question about windows 2003
server with 2 network cards. #1 network card is attached to my local
network 172.X. Netowork card #2 is hooked onto my DMZ 192.X with
netowork load balancing. My goal is to have a website for external
users and internal users. Since I use an external DNS I have to make
my own DNS entries for websites and I use the internal Network #1
card. I use Network Card #2 for dmz -> PIX to Internet.

Problem?

Since I can only have 1 gateway I used the network card
#2 to add my default gateway. I then wanted to use the RAS lan
routing to add static routes for the internal network #1. When going
to configure the app RAS told me I needed to stop ICS firewall
service and disable it. I ended up just adding the static routes via
the command line ( route add command with -p ) Now when I turn on
the firewall I am unable to ping the #2
adapter from a machine on #1 network? ICMP is on and I can ping the
internal adapter #1. Does the firewall take out my static routes or
disable my #2 adapter. What am I doing wrong?

Goal...

To have web serverices via #2 network card with network
load balancing. Windows 2003 firewall services to filter traffic
from internet to prevent #2 network from exposing my internal
network #1 in the event IIS is hacked or compremised.

I have this configuration on 2 other web servers and they run fine
with no firewall just a pin hole in the pix for http traffic. I
would love to just keep the servers in the DMZ however for backups
the 1 gig network is great and the pix is only 100mb and we cant
afford a new pix. I was hoping there was a way to use the firewall
to help ward off attackers that may have some sort of IIS hack that
may lead to remote execution code being run on my server and
exposing my internal network. Any information that i might be able
to use would be appreciated.



Network Card #1 172.X Internal network -> to internal network switch
on servers subnet.

Network Card #2 192.X vlan with network load balancing.external
work -> pix -> border router -> internet

Thanks in advance.

JD

That mostly makes sense. I am not sure why you want to use RRAS,
but you can't enable RRAS with the firewall service running. They
would interfere with each other. But I have a few queries.

1. RRAS is an IP router. Do you have IP routing enabled on this
machine? If so, why?

2. I don't understand the bit about static routes. What static
routes were you trying to add to the machine? What were they
supposed to do? Is your 172. network a routed network?

3. Why do you want to be able to ping the external NIC from
the LAN? What would you need to do that for? The LAN machines have
no reason to use the external NIC. They can access the web server
from the internal NIC.

.

---

• References:
  • 2 nics DMZ
    • From: JD
  • Re: 2 nics DMZ
    • From: Bill Grant
  • Re: 2 nics DMZ
    • From: JD

• Prev by Date: replacement for AngryIP Scanner?
• Next by Date: Re: funky SID?
• Previous by thread: Re: 2 nics DMZ
• Next by thread: dhcp mmc console
• Index(es):
  • Date
  • Thread

---

Relevant Pages drone armies C&C report - July/2005 ... 3356 LEVEL3 Level 3 Communications ... 3491 BTN-ASN - Beyond The Network A ... 3801 MISNET - Mikrotec Internet Ser ... 15857 DIALOG-AS DIALOG-NET Autonomuo ... (Bugtraq) Masquerading problem... can you help? ... server to masquerade a simple network and allow access to ... My server uses a modem to dial the internet. ... `SuSE-FW-DROP-DEFAULT' ... (comp.os.linux.security) Re: Verizon rules the World? Or just the U.S.? ... Internet these days? ... network can now branch anywhere, and network data transfer is a piece ... Nearly all computer science departments and many private computer ... all these networks have gateways to the NSF backbone.) ... (rec.arts.mystery) Re: "Backwards" Default Gateway on ISA? ... local and remote routes are clearly defined. ... Make sure that no network falls into the "external" range, because ISA ... Internet. ... (microsoft.public.isa.configuration) RE: can ping but not browse ... I have stopped the firewall. ... # are safed from all (security) hazards. ... firewall/bastion host to the internet ... # internet and to an internal network, ... (Fedora)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.networking  > 2006-02