Public and a Private network on one Win2k Server box

[mgm]

Is this possible and what is the best way to accomplish the following:

I've attempted and run into difficulty when using 2 nics on my win2k server.
I use the public network (straight from cable modem, DHCP and AutoConfig
used) for my internet connection and the private network (behind a router,
static IPs assigned and NetBios over TCP/IP used) for my local network. The
connections were established and succeed for both when each of the networks
are enabled by themselves. Neither pub or private netwrk will stay
connected while the other network is enabled. I contacted the ISP, their 2nd
level support states that this is a known limitation of windows and that I
should use a Linux OS for such a hardware configuration. I am more familiar
with and would like to stay with the windows OS, but I don't know of any
work-around for this config. TIA for any and all assistance

 

[DS]

Is this possible and what is the best way to accomplish the following:

I've attempted and run into difficulty when using 2 nics on my win2k
server. I use the public network (straight from cable modem, DHCP and
AutoConfig used) for my internet connection and the private network
(behind a router, static IPs assigned and NetBios over TCP/IP used)
for my local network. The connections were established and succeed for
both when each of the networks are enabled by themselves. Neither pub
or private netwrk will stay connected while the other network is
enabled. I contacted the ISP, their 2nd level support states that this
is a known limitation of windows and that I should use a Linux OS for
such a hardware configuration. I am more familiar with and would like
to stay with the windows OS, but I don't know of any work-around for
this config. TIA for any and all assistance

I would assume the NIC connected to the cable modem would be assigned the
only public IP address, so the Win2K server is acting as a router and doing
NAT ?

Cable modem -> W2K-NIC1 -> W2K-NIC2 -> Router (WAN port ?)-> Router E-Net
-> PC(s).

What is the known limitation that they cited ? It seems like it should
work, although it does involve 3 subnet's counting the Internet and some
manual routing. Maybe not. Let me think.......


DS

 

[mgm]

Yes, the pub nic is configured for DHCP, the private nic has assigned
private ip's. I don't have a 3rd sub-net?? Unsure how that would figure into
the equation.... again thanks for the assistance

 

[mgm]

p.s... the limitation of Windows os's is that they can't directly specify
which nic will handle which application; i.e. Internet Explorer. If I
understood the isp tech support correctly, Linux does have this ability. He
stated that he has heard this prob. numerous times. He diagnosed this issue
right away and had me enable/disable each network to zero in on the prob.

 

[DS]

Yes, the pub nic is configured for DHCP, the private nic has assigned
private ip's. I don't have a 3rd sub-net?? Unsure how that would
figure into the equation.... again thanks for the assistance

OK, I thought some more. Here's the issue I'm not to sure about, ICS on
the Win2K box. I tried using ICS back in Win98 days and it really does a
bunch of stuff to the IP config.

Here: http://www.starbandusers.com/ncs.htm this page has a sample
configuration of EXACTLY what you are trying to do. I didn't read over
the whole thing, but give it a shot. I think they are still using NAT on
the rtr, and then NAT'g agin on the Win2K box, which I wouldn't do, but
it apparently works. I'm sure I could come up with a more clean config,
with a little time.

The issue is subnetting. This setup requires 2 subnets in the private
segment, not only 1. Maybe you could have got this working already if you
spoke with their '3rd level support'. They may have known this. Feel free
to e-mail me with any more questions if you need to. Use the listed e-
mail and just remove all the dots except for one of the doubles.

And with you're ISP's tech support........'it's a known issue' that ISP
tech support usually sucks. I've found that 95% of the people are
incompetant. My wife called our cable ISP one day, I was at work, because
the internet wasn't working. My setup is straight forward cable modem ->
d-link rtr -> lan. The problem was the link between the cable companies
headend and my modem. The LED on the modem indicated that there was no
connection between the modem and them. So this guy had her on the phone
for 30 minutes checking all the PC's IP configuration's, the router, etc.
Whenever I call, I tell them straight out, I know what I'm doing, I'm in
the IT field, don't talk to me like I'm grandma, and here's YOUR problem,
since I never call before I rule out any chance that I may have a network
problem.

Let me know here or by e-mail how it goes. That's the one thing about
usenet, you try to help people out answeing question's, and then wonder
if they got it worked out. I don't see a lot of (I do see some here and
there) people posting....'I got it working, the issue was......, thank's
for the help'.


Regards,

DS

 

[DS]

Yes, the pub nic is configured for DHCP, the private nic has assigned
private ip's. I don't have a 3rd sub-net?? Unsure how that would
figure into the equation.... again thanks for the assistance

So I just got off the phone with a developer friend, who wrote a true NAT
function for an OEM wireless company that we used to both work for. The
following should work ONLY if NAT can be disabled on the rtr. The d-link
rtr I have does NOT enable you to disable NAT.

I say TRUE NAT because M$ ICS is NAT but only god knows if it is TRUE NAT
as it was developed by M$. Which brings up a joke....how many M$
engineers does it take to change a lightbulb........none, they just make
darkness the standard. According to my friend, there should not be an
issue NATting packets from a different subnet than the NATted interface.
NAT is accomplished thru the interface the packet came through on, not on
the source IP. Whether or not this is true with M$ ICS, I don't know.

So anyway, based on TRUE NAT standards.....

NIC1- Globally assigned from ISP thru DHCP.

NIC2- 192.168.1.1 g/w-should be the NIC1 IP. Again, not being familiar
with ICS, I'm not sure if this is done automatically.

Rtr- Disable NAT

Rtr- WAN 192.168.1.2 g/w: 192.168.1.1

Rtr- E-Net 192.168.10.1 (My rtr does not have a g/w setting for the e-
net, so everything g/w's to the WAN's g/w automatically, an effect of NOT
being able to turn off NAT. If the rtr can disable the NAT function and
still act as a rtr between two different networks, there HAS to be a g/w
setting for the E-Net interface, in which case it would be 192.168.1.1)

PC's - 192.168.10.x (other than 1) g/w: 192.168.10.1

Now, in IP the default g/w is used to forward packets that are not on the
local subnet, therefore, a PC, 192.168.10.5, want's to send a packet to
an internet address for yahoo, 216.109.127.29. Since the yahoo IP is not
in the same subnet as the PC, it forward's the packet to the def. g/w.

So you do a ping to yahoo.com. This ping packet is sent to the PC's def.
g/w, 192.168.10.1, the rtr e-net interface. Since it is not in the PC's
subnet. The rtr will get the packet, see that it is not intended for
either of it's local subnets, therefore it will send it to it's def. g/w,
192.168.1.1, then Win2K NIC2, which g/w's it to NIC 1 to the internet.

Now on the return trip, it comes to NIC1, which is where the issue is.
Since the source IP after un-NATting, 192.168.10.5 is not on a subnet
directly attached to the Win2K box, it needs to be routed. From a command
prompt you need to manually add a route for the Win2K box to be able to
forward the packet:

route add 192.168.10.0 mask 255.255.255.0 192.168.1.2 , the rtr wan port.

Now the Win2K box knows that packets destined for 192.168.10.x should be
sent to 192.168.1.2, the rtr WAN port. Since the rtr e-net is
192.168.10.1, that is a local port, so it should then be sent directly to
the PC's. End of Story, privided you have enough configuration options on
the rtr.

That shouold do it.

Regards,

DS

 

[Guest]

I used a similar configuration at a telecomm company a
couple of years back. We had several W2KAS systems and
needed to access the internet unobstructed by firewalls
to monitor customer networks, but we also needed the
server to communicate with the corporate network. This
presented some obvious security problems.

We ultimately ended up with two NIC's in the server that
existed in both networks (one for the public side, and
one for the private side), disabled IP forwarding (for
security reasons), then entered manual route entries that
pointed all traffic with local (corp network) traffic to
the NIC with the local address, and all other traffic to
the public side. The route entries were made persistent,
and all unnecessary services were disabled to reduce
exposure to hackers. The IT department was not thrilled
with this setup, but it worked.

MR

(e-mail address removed)

 

[Phillip Windell]

Guys!
Don't use ICS!!
Before everyone goes rushing off in five directions.....here's all that has
to be done in Win2k Server. I believe they are both basically the same
article.

299801 - HOW TO: Configure a Windows 2000 Server as a Network Address
Translation Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299801

310357 - HOW TO: Configure the NAT Service in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;310357

 

[DS]

http://support.microsoft.com/default.aspx?scid=kb;en-us;310357

Phil,

I wasn't aware of the NAT protocol being part of Windows 2000 Server. I
agree ICS sucks. I recommend a hardware router all the time over ICS.

Does W2K Server it support NATting addresses that are not on the local
inteface subnet, as in the PC's in my example, I would assume it does.


DS

 

[Phillip Windell]

I didn't see anything about Laptops in the past messages I have. I did see
where you were wondering if ICS was true NAT or not. Maybe I can explain how
NAT works and that will answer the whole thing.

Prerequisits:
1. Cable/DSL Routers are not true routers. They are simply NAT Devices with
a DHCP service with a typical switch (usually 4 port) built into the same
case.

2. All real Routers (Cisco 2501, 2600, etc.) can all be used as NAT based
Firewalls box by simply enabling the NAT features (disabled by default) and
assigning ACLs. They are clumsy and awkward to do it with, but the ability
is there. They can usually also do DHCP but typically are not used for that.

NAT is extremely simple. There really isn't any "true nat", "untrue nat", or
"kind-sorta nat". NAT is just NAT,...it is or it isn't. It has two logical
interfaces, Trusted & Untrusted. When a packet passes through from the
Trusted to the Untrusted the Source IP# is changed to the IP# of the
Untrusted interface of the NAT Device. The packet passes through just like
in regular routing except that with regular routing the IP#s are never
touched. The record is stored in a NAT Table in memory using the Source
Port (aka Client Port) as the unique identifier. Technically this is called
NAT Overload but no one calls it that any more. NAT does not work in reverse
(Untrusted to Trusted), don't confuse it with Static NAT or One-to-One NAT
mentioned below,...those are totally different processes.

The old original "straight" NAT had to have the same number of Untrusted
IP#s (external IP#s) as there were users and each user was assigned a
relationship between thier Trusted IP# and an Untrusted IP# that was stored
in the NAT Table with a time-to-live stamp. This was not very effiecient.
Now using the Client Port as a unique identifier (NAT Overload) allows, in
theory, over 60,000 users per single Untrusted IP#, much more efficient.

ICS is 100% pure NAT Overload. That is not the downside of it. The downside
of ICS is the weak or non-existent packet filtering, and the built in DHCP
that is set to use only the 192.168.1.x network (neither of which are part
of NAT). You have the hack up the registry to make the DHCP functions use a
different address set. I don't have the specs, but I believe it only uses a
certain range up to a certain address, so you can statically assign your
client machines if you stay above that number. I have also heard that you
can statically assign machines even in the lower numbers that ICS uses
because ICS will test to see if something is using that # before assigning
it. However if you leave the static machine turned off, something may get
its number.

Static NAT & One-to-One NAT
Static and One-to-One NAT are similar and are both "static". With Static
Nat you can have, say a web server, on an internal address of 192.168.1.5
and setup Static Nat so that anything coming to port 80 on the NAT Device's
Untrusted interface is passed to port 80 on 192.168.1.5 which would be the
website. Static NAT can also combine Port Address Translation into it (PAT),
so in the same exact example you can have the traffic passed to a different
port, say 8080, on the webserver when it actually came in on port 80 on the
Untrusted interface.

One-to-One NAT is used when you can bind multple IP#s to the Untrusted
interface and wish to have *all* traffic (reguardless of port) that comes to
a particular IP in the Untrusted side to be passed to an address on the
Trusted side (also reguardless of port).

The Windows 2000 RRAS obviously does NAT Overload (now just commonly called
"NAT") and will also do Static NAT. I am not sure about the PAT aspect, and
am even less sure about the One-toOne NAT. But I consider those last two to
be not that commonly used in situations where RRAS is used and so at least
in my opinion is not that big a deal. Typically it is small office networks
using RRAS for NAT and they do fine with it. RRAS also "beefs up" the
standard packet filtering abilities and improves them.

I've seen small networks do fine with RRAS NAT that have never been "hacked"
because there is a lot more to security than "firewalls". Security is based
on a bigger picture of what Applications you run, how you run them, and who
you make them available to,...not just whether or not you stick a firewall
in there somewhere.

 

[DS]

Hi Phil, thatnks for your explaination below. There wer a couple facts I
was un-aware of.

I didn't see anything about Laptops in the past messages I have. I did
see where you were wondering if ICS was true NAT or not. Maybe I can
explain how NAT works and that will answer the whole thing.

I couldn't find anything about a laptop either, did I mention that ?

Prerequisits:
1. Cable/DSL Routers are not true routers. They are simply NAT Devices
with a DHCP service with a typical switch (usually 4 port) built into
the same case.

I agree, everyone calls then router's so I do. The only one I ever played
around with is an older D-Link that I have. Other's have told me that
there are a few model's that you can actually telnet into and have a
Cisco IOS-like firmware that allows yo to set static routes. All of my
other experiences have been with actual Cisco or Cabletron 'real'
routers.

I've seen small networks do fine with RRAS NAT that have never been
"hacked" because there is a lot more to security than "firewalls".
Security is based on a bigger picture of what Applications you run,
how you run them, and who you make them available to,...not just
whether or not you stick a firewall in there somewhere.

That is an excellent point. I find it kind of funny, well not really cuz
I'm the guy everyone calls to fix it, that people do get viruses or
hacked. I was trying to get our company to get away from using Outlook,
and into some other POP3 client due to the security issues, especially
since it was only used for e-mail and nothing else. In my setup, I have
the D-Link rtr, and run AV, and that's it. Using NAT is *ALMOST* enough
protection for the average user, if you don't set up port maps all of
that traffic is blocked at the NAT box anyway. The real problems are
people blindly running attachments, and browsing the web with everything
enabled like active scripting. I try to get people to look at the
processes running in the task manager, which after a few look-overs it
should be obvious when something is running that's not supposed to be.