Re: 2 NICs Configuration Problem



Thanks for joining in. My main concern here (see my first post) is the
fact that the setup could bypass the firewall filtering by establishing an
alternate path (and I note that you agree with that). Even if IP routing is
not enabled on this server, I would regard it as an unsafe config and would
avoid it.

If the DMZ subnet can be NATed, it would be technically possible to run
the server as Paul envisaged it. The server really only needs one default
gateway (to the Internet through the NIC connected to the Sonicwall DMZ
port). It can communicate directly with the LAN machines through the LAN NIC
and doesn't need a dg on that interface. The other LAN machines would still
access the Internet through the Sonicwall LAN gateway.

The old problem of multihomed servers raises its head. You would need to
ensure that the IP address of the "public" NIC did not appear in the local
DNS and you would also need to disable Netbios over TCP/IP on it so that the
name of the server always resolved to the "private" NIC.

If the LAN is running AD with SBS the DNS server should already be
forwarding to a public DNS, so this new server should be able to resolve
"foreign" URLs using the local DNS service. If the default gateway and IP
address of the "public" NIC is set correctly it should be able to access the
Internet by name as well as by IP address.

So to sum up I would never do it, but it should be possible.

<john.lasersohn@xxxxxxxxx> wrote in message
news:1176424890.642246.235140@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Bill makes a good point about private IP space trying to route to the
internet on a public network. SonicWALLs can use public, transparent
DMZs or private NAT'd DMZs on all models, though. There is a bigger
reason that internet access is failing. You cannot use two NICs the
way you are using them, sorry.

Ask Microsoft and they will tell you that any Windows server with two
NICs should not have default gateways configured for both. You can
have 10 NICs if you want in one server and all but one can be used to
talk to other devices locally, but only one can be used to route
traffic upstream (that is what default gateways are for).

Why? Because the OS doesn't know how to decide which valid path to
use when going to any random destination on the internet (like when
you ping cbs.com or google.com). Trust me, your Windows server is
confused about where to send its traffic.

Another thing: your server, if it has NICs connected to the LAN and
DMZ ports of any firewall, is an alternative path that causes great
havoc on your network, and this is not officially supported by
SonicWALL. (p.s., I have worked at SonicWALL for 8 years and
currently work as the Escalation Manager for Firewall and other
product lines here, which means I am part of the road the rubber meets
when a possible bug is reported)

By the way, intel.com is not a pingable host, so don't test internet
connectivity with that.

H:\>ping intel.com
Pinging intel.com [198.175.96.33] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

H:\>ping cbs.com
Pinging cbs.com [170.20.0.25] with 32 bytes of data:
Reply from 170.20.0.25: bytes=32 time=87ms TTL=47
Reply from 170.20.0.25: bytes=32 time=100ms TTL=47
Reply from 170.20.0.25: bytes=32 time=82ms TTL=47
Reply from 170.20.0.25: bytes=32 time=85ms TTL=47


On Apr 11, 5:12 am, Paul <paulbockm...@xxxxxxxxxxxxx> wrote:
Bill,
Thank you for the clarification - you need a job at Sonicwall; I have an
open case on this and they have been working with me to no avail. This
article certainly helps me to clear things up, now I need to talk to
Sonicwall and see to setting up the DMZ properly.
Many thanks for your assistance

Paul Bockmann

"Bill Grant" wrote:
See this diagram which shows more clearly what I am talking about.
Servers on the DMZ are public, not private.

http://www.ssimail.com/Zoneguard.htm

"Bill Grant" <not.available@online> wrote in message
news:OQoc3bCfHHA.2332@xxxxxxxxxxxxxxxxxxxxxxx
It also explains why your server cannot access the Internet. The firewall
provides NAT for the LAN machines, allowing them to reach the Internet
using the firewall's public IP. Machines in the DMZ are not behind the
NAT, so they need a routable public IP to access the Internet directly.
Private IPs cannot cross the Internet. The Internet routers are programmed
to drop packets with private IP addresses.


Physical Address. . . . . . . . . : 00-03-47-30-63-68
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.16.1
DNS Servers . . . . . . . . . . . : 192.168.16.2
Primary WINS Server . . . . . . . : 192.168.16.2
*******************************************
I would like to add a member Server 2003 with 2 NICs - 1 for Internal >
switch (WSUS, Backup Exec, Aux storage) and 1 for External > Firewall DMZ
port (websites, WSUS updates) as follows:

Host Name . . . . . . . . . . . . : Quigley
Primary Dns Suffix . . . . . . . : Removersgroup.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Removersgroup.local

Ethernet adapter DMZ:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Connection
Physical Address. . . . . . . . . : 00-03-47-32-EE-EF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.20.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.1
DNS Servers . . . . . . . . . . . : 192.168.16.2
NetBIOS over Tcpip. . . . . . . . : Disabled
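As an added example (not from the thread or any of its posters), the following Python script parses `ipconfig /all` text like the output quoted above and flags the three conditions the thread raises: more than one default gateway, IP routing enabled on the host, and NetBIOS over TCP/IP left enabled on the NIC facing the firewall's DMZ port. The embedded sample output is constructed from the configuration quoted in the thread, and identifying the DMZ-facing NIC by its adapter name is an assumption.

```python
import re

# Constructed sample modelled on the ipconfig /all output quoted in the thread:
# one server, two NICs, each configured with its own default gateway.
SAMPLE = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : Quigley
   IP Routing Enabled. . . . . . . . : No

Ethernet adapter LAN:
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Default Gateway . . . . . . . . . : 192.168.16.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter DMZ:
   IP Address. . . . . . . . . . . . : 192.168.20.2
   Default Gateway . . . . . . . . . : 192.168.20.1
   NetBIOS over Tcpip. . . . . . . . : Disabled
"""

def parse_ipconfig(text):
    """Return (host_fields, adapters); adapters maps adapter name -> {field: value}."""
    host, adapters = {}, {}
    section = host  # fields before the first adapter header are host-wide
    for line in text.splitlines():
        hdr = re.match(r"^\S.*\badapter (.+):$", line)
        if hdr:
            section = adapters.setdefault(hdr.group(1), {})
            continue
        field = re.match(r"^\s*(\S.*?)[ .]*: ?(.*)$", line)  # "Key . . . : value"
        if field:
            section[field.group(1)] = field.group(2).strip()
    return host, adapters

def audit(text, public_adapter="DMZ"):
    """Flag the multihomed-server problems raised in the thread. Assumption (not
    from the page): the NIC on the firewall's DMZ port is identified by adapter name."""
    host, adapters = parse_ipconfig(text)
    findings = []
    gateways = {n: a["Default Gateway"] for n, a in adapters.items() if a.get("Default Gateway")}
    if len(gateways) > 1:  # Windows picks one; the server has two candidate upstream paths
        findings.append("multiple default gateways: "
                        + ", ".join(f"{n}={g}" for n, g in sorted(gateways.items())))
    if host.get("IP Routing Enabled", "").lower() == "yes":
        findings.append("IP routing enabled: server can forward between LAN and DMZ")
    pub = adapters.get(public_adapter, {})
    if pub and pub.get("NetBIOS over Tcpip", "").lower() != "disabled":
        findings.append(f"NetBIOS over TCP/IP not disabled on {public_adapter}")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE) or ["no findings"]:
        print(f)
```

Run it against a saved `ipconfig /all` capture to get the same three checks on a real server.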
