Problem with 2 NICs


Nadeem Attari

Hi MVP,

I have the following scenario:

I am running a LAN with Windows 2000 Advanced Server as an
authentication server with AD up and perfectly running for
the last 4 years. IP of this server is 192.168.1.1

Users are provided with the Internet facility; for this
purpose we have a proxy server which is a Win2000 Server
based machine with two network adapters and with ISA as a
proxy server. We have a DSL connection, which is terminated
at our end in a DSL router, provided by the local ISP.

1. Following are the TCP/IP settings of eth0 on the proxy
server provided by the ISP.

IP address: 192.168.1.235
subnet mask: 255.255.255.0
default gateway: 192.168.1.212 (provided by ISP)
preferred DNS: 202.141.224.34 (provided by ISP)
preferred DNS: 202.141.229.34 (provided by ISP)

The network cable from eth0 is terminated in the DSL router
with the above TCP/IP settings.

2. TCP/IP settings of eth1, which serves the internal LAN.

IP address: 192.168.1.226 (for LAN)
subnet mask: 255.255.255.0
default gateway: 192.168.1.235 (IP address of eth0)
preferred DNS: 192.168.1.1
no alternate DNS

The problem we are having with this setup is:

When both NICs are enabled I am unable to ping my ISP's
DNS or its gateway, which is on eth0, and the message I receive
is "request timed out".

When I disable eth1, which is for the LAN, I am perfectly able
to ping and browse the Internet.

What I have already tried out is:

I've used the IP address of eth0 on eth1 as its default
gateway, which is mentioned above.

Desperately waiting for your reply with a solution.

Thank you.

nadeem

Karachi, Pakistan
 
You cannot have the "public" and "private" sides of your ISA server
running in the same IP subnet. The router and the public side of the ISA
server should be in one IP subnet and the LAN machines and the private side
of the ISA server in another.

If the ISP insists on using 192.168.1.235 for the "public" IP, you will
either have to change the LAN machines to some other subnet, or use further
subnetting with a longer subnet mask. For instance, you could use
192.168.2.0 netmask 255.255.255.0 (ie 192.168.2.0/24 where /24 indicates a
24 bit netmask). Or to use 192.168.1 addresses, use the addresses from
192.168.1.1 to 192.168.1.126 with a subnet mask of 255.255.255.128 (ie
192.168.1.0/25). In the latter case, your network would look like this

Internet
router
192.168.1.212/24
|
192.168.1.235/24
ISA
192.168.1.126/25 dg blank
|
server
192.168.1.1/25 dg 192.168.1.126
|
workstations
192.168.1.x/25 dg 192.168.1.126

The default gateway settings on the LAN clients are not really important
if you are using the proxy service, but they are required to use the
SecureNAT service of ISA.

If you are running AD, you must have your clients pointing to your local
DNS server only (as you have set the private interface of your server). Set
up forwarders on your local DNS server to forward requests to the ISP DNS
servers. Having the ISP DNS servers configured on the public interface of
the ISA server works OK for a workgroup, because you can have the ISA server
set as a DNS proxy. But it won't work for AD. The AD clients (ie your
workstations) must use your local DNS to access the AD services which have
SRV records in your local DNS.

Bill Grant
MVP - Networking
Sydney
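
The addressing problem discussed in this thread, as an added example that is not part of either post: a Python check that flags two NICs configured in the same subnet and shows which NIC a longest-prefix-match lookup would pick for a destination. The function names and the NIC dictionaries are constructed for illustration from the addresses in the thread, and the model looks only at directly connected subnets, ignoring interface metrics.

```python
import ipaddress

def on_link_candidates(nics, dest):
    """Names of the NICs whose connected subnet is the longest-prefix match for dest."""
    dest = ipaddress.ip_address(dest)
    matches = []
    for nic in nics:
        net = ipaddress.ip_interface(nic["addr"]).network
        if dest in net:
            matches.append((net.prefixlen, nic["name"]))
    if not matches:
        return []  # off-link: traffic would follow the default gateway
    best = max(prefix for prefix, _ in matches)
    return sorted(name for prefix, name in matches if prefix == best)

def audit(nics):
    """Flag identical connected subnets and multiple default gateways."""
    findings = []
    by_net = {}
    for nic in nics:
        net = ipaddress.ip_interface(nic["addr"]).network
        by_net.setdefault(net, []).append(nic["name"])
    for net, names in by_net.items():
        if len(names) > 1:
            findings.append(f"same subnet {net} on {', '.join(sorted(names))}")
    with_gw = sorted(nic["name"] for nic in nics if nic.get("gateway"))
    if len(with_gw) > 1:
        findings.append(f"default gateway set on: {', '.join(with_gw)}")
    return findings

# Constructed from the settings posted in the question.
ORIGINAL = [
    {"name": "eth0", "addr": "192.168.1.235/255.255.255.0", "gateway": "192.168.1.212"},
    {"name": "eth1", "addr": "192.168.1.226/255.255.255.0", "gateway": "192.168.1.235"},
]
# Constructed from the /25 layout in the reply ("dg blank" on the LAN side).
SPLIT = [
    {"name": "eth0", "addr": "192.168.1.235/255.255.255.0", "gateway": "192.168.1.212"},
    {"name": "eth1", "addr": "192.168.1.126/255.255.255.128", "gateway": None},
]

if __name__ == "__main__":
    for label, nics in (("original", ORIGINAL), ("split", SPLIT)):
        print(label, audit(nics))
        for dest in ("192.168.1.212", "192.168.1.1"):
            print("  ", dest, "->", on_link_candidates(nics, dest))
```

With the posted settings both NICs are equally good matches for the ISP router at 192.168.1.212, so the lookup is ambiguous; with the /25 layout the router matches only eth0 and the AD server at 192.168.1.1 matches eth1 on the longer prefix.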
 