Two-NIC, two-gateway setup


Academician

We have a setup in a colocation facility with a server running Windows
2003 (Web Edition) and a Netscreen-5GT firewall/VPN. The Windows
machine has two network cards, one of which is plugged directly into the
Internet, the other of which is plugged into the Netscreen. Here is a
diagram:

                           ___        Key:
   -------------------NIC1|   |       NS   = Netscreen-5GT FW
  /                       |   |       W    = W2K3 server
Internet                  | W |       NIC1 = 1st NIC (live net)
  \                       |   |       NIC2 = 2nd NIC (private net)
   ---------NS--------NIC2|___|       (u)  = "Untrust" zone on NS
           (u) (t)                    (t)  = "Trust" zone on NS

Network config:
NIC1 = 66.66.66.214, MASK 255.255.255.192, GW 66.66.66.193
NIC2 = 192.168.1.100, MASK 255.255.255.0, GW 192.168.1.1
NS(u) = 66.66.66.213, MASK 255.255.255.192, GW 66.66.66.193
NS(t) = 192.168.1.1, MASK 255.255.255.0

The external IPs are not real, of course, but they should be good for
an example.

So the problem here is that when I try to connect either to the VPN on
the firewall or to forwarded ports (or masqueraded IPs) on the
firewall, it sends the data to NIC2 on the server (W) but then the
server tries to send the data back through NIC1. What I need it to do
is send data back through NIC2 (to the firewall) that was sent to it
through the firewall originally. If I delete and try to add the
192.168.1.1 gateway to NIC2, then NIC2 takes over as primary
"internet" card and all data goes through it - which is likewise
undesirable, since if I try to send data to 66.66.66.214 it tries to
reach back through NIC2 (which does not work).

I hope this problem description makes sense. I know it is a rather
odd setup, but I am sure that it is what I want. Right now we only
want to route certain traffic through the Netscreen, but not ALL
traffic since the last one we had before it turned out to be
unreliable. Thus, this is sort of a "testing" period for the
non-critical traffic.

I've tried setting up persistent routes through the "route" command on
the command-line but haven't been able to figure out one that helps
me. I am not the greatest at networking (I took the Cisco classes 1
and 2 about 4 years ago, and have forgotten quite a bit), so I am
hoping someone more familiar with Windows networking will be able to
help me out here. Thanks!

--Academician
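The behaviour described in the post is what a weak-host IP stack does: Windows 2003 picks the outgoing interface for a reply by looking the destination up in its single routing table, not by remembering which NIC the request arrived on, and when two default gateways are configured only the one with the lowest metric is ever used. On a host without policy-based routing, the usual way out is to keep NIC1 as the only default gateway and add persistent static routes for just the prefixes that must go back through the Netscreen. The following is an added example and is not part of the original thread: the VPN client pool 192.168.2.0/24 and the adapter connection name "NIC2" are assumptions, the addresses otherwise are the ones from the post, and the commands are standard Windows 2003 route, netsh and reg syntax.

```batch
@echo off
rem Added example, not from the original post. Run in an elevated cmd.exe on W.
rem Assumptions: VPN clients get addresses from 192.168.2.0/24 (hypothetical;
rem use the pool actually configured on the Netscreen), and NIC2's connection
rem name in Network Connections is "NIC2".

rem 1. Make sure NIC2 carries no default gateway at all, so NIC1's
rem    66.66.66.193 is the single 0.0.0.0/0 route. "none" clears the gateway
rem    persistently; a "route delete" alone comes back after a reboot.
netsh interface ip set address "NIC2" static 192.168.1.100 255.255.255.0 none

rem 2. Drop any leftover second default route for the current session.
route delete 0.0.0.0 mask 0.0.0.0 192.168.1.1

rem 3. Persistent route: replies to VPN clients go back via the Netscreen
rem    trust interface on NIC2 (192.168.1.1 is on-link for NIC2 only).
route -p add 192.168.2.0 mask 255.255.255.0 192.168.1.1 metric 1

rem 4. Repeat step 3 for every other prefix that should be "tested" through
rem    the Netscreen during the trial period, e.g.
rem    route -p add 10.10.0.0 mask 255.255.0.0 192.168.1.1 metric 1

rem 5. Security check for a dual-homed host: IP forwarding between the live
rem    and private NICs must stay disabled (IPEnableRouter = 0), otherwise W
rem    itself becomes a path around the firewall into the trust zone.
reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v IPEnableRouter

rem 6. Verify: exactly one 0.0.0.0 entry (gateway 66.66.66.193, interface
rem    66.66.66.214) and the 192.168.2.0 entry via 192.168.1.1.
route print
```

This solves the VPN case, because the client pool is a known prefix. It does not solve port forwarding or masqueraded public IPs on the Netscreen for arbitrary Internet clients: those replies are addressed to the whole Internet, so no finite set of static routes can steer them to NIC2 while 66.66.66.193 remains the default. For that traffic the Netscreen would have to source-NAT the inbound sessions it forwards (policy-based NAT-src in ScreenOS), so that W sees a 192.168.1.x source and answers on-link through NIC2 without consulting any gateway.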
 
User "Academician" said:
> We have a setup in a colocation facility with a server running Windows
> 2003 (Web Edition) and a Netscreen-5GT firewall/VPN. The Windows
> machine has two network cards, one of which is plugged directly into the
> Internet, the other of which is plugged into the Netscreen.
> [...]

Have you tried deleting the gateway on NIC 2? And what addresses do the VPN
clients get? From the NIC2 IP class?
 