Multihomed server 2000

Discussion in 'Server Networking' started by DPM, Mar 24, 2006.

  1. DPM

    DPM Guest

    Hello,

    I've got a Win2K server with 2 NICs; one is set to 192.168.0.5 and is
    connected to the LAN, the other is set to 192.168.200.1 (both masks
    255.255.255.0). The first works fine; I want to use the second for VPNs,
    but I can't ping it. It's enabled, I can see pings arriving, but no
    response. Any idea why? (No firewalls, BTW).

    Thanks for any suggestions.
     
    DPM, Mar 24, 2006
    #1

  2. DPM

    Bill Grant Guest

    Two questions.

    1.Why do you want a second NIC in the server? VPN clients connect to a
    "virtual" interface. They do not need a separate NIC. On a private LAN the
    encapsulated VPN traffic can be directed to the LAN NIC from the
    router/NAT-device/firewall.

    2. The 192.168.0.5 NIC is connected to the LAN. What is the second NIC
    connected to?
     
    Bill Grant, Mar 24, 2006
    #2

  3. DPM

    DPM Guest

    Bill,

    Here's the scenario: I've got one NIC connected to my internal LAN; the plan
    was to attach a wireless AP to the other, and only allow VPN connections
    through it. The idea was that if I only accepted VPN connections on the
    second port, I could control who got wireless access to a much greater
    degree.

    Now, in theory this seems identical to a classical dial-in configuration:
    clients dial in to a modem, through which they establish a VPN which is
    routed to internal resources. I'm just substituting an AP for the modem.

    What I'm puzzled about is the fact that I can't ping the "wireless"
    interface externally. If I ping it from the server console, no problem.
    But if I attach my laptop to the interface, set the laptop's IP to
    192.168.200.200 and try to ping I get no response. I can see the pings
    arriving at the server, but the server doesn't respond. In this test setup
    neither the server nor client have firewalls.

    Bob Lin asked to see ipconfig reports for both server and client; I've
    provided them below:

    Server:

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : server
    Primary DNS Suffix . . . . . . . : internal.inc.com
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : internal.inc.com
    inc.com

    Ethernet adapter Intel: (attached to internal LAN)

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
    Physical Address. . . . . . . . . : 00-03-47-A3-93-5A
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.0.5
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.0.1
    DNS Servers . . . . . . . . . . . : 192.168.0.7
    Primary WINS Server . . . . . . . : 192.168.0.7

    Ethernet adapter Realtek: (wireless AP interface)

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek RTL8139(A)-based PCI Fast
    Ethernet Adapter
    Physical Address. . . . . . . . . : 00-40-33-AF-D8-46
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.200.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :

    Client:

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : dpm-lt
    Primary DNS Suffix . . . . . . . : internal.inc.com
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : internal.inc.com
    inc.com

    Ethernet adapter LAN:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel 21143 Based PCI Fast Ethernet
    Adapter #2
    Physical Address. . . . . . . . . : 00-C0-F0-3E-40-C4
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.200.200
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 192.168.0.7
    151.197.0.38
    Primary WINS Server . . . . . . . : 192.168.0.7

    Ethernet adapter {61A9DB95-4C1E-4641-A501-274A1D016308}:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : NOC Extranet Access Adapter
    Physical Address. . . . . . . . . : 44-45-53-54-42-00
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :

    Thanks for your help.

    Regards,
    Dean
     
    DPM, Mar 27, 2006
    #3
  4. DPM

    Bill Grant Guest

    Default routing falls down when there are multiple routers involved. The
    main reason you cannot ping a machine in 192.168.200 from a workstation in
    192.168.0 is that the default route is to 192.168.0.1, not to the RRAS
    router. To get to 192.168.200 you need a specific route to get the traffic
    to the RRAS router. You can add this route to each machine in 192.168.0 or
    add it to the router at 192.168.0.1. In either case this gets the traffic
    for 192.168.200 to the RRAS router.

    192.168.200.0 255.255.255.0 192.168.0.5

    The second reason is that the machine in 192.168.200 does not have a
    default gateway set. Set this to be the RRAS router interface in that subnet
    (192.168.200.1) so that there is a route back to the RRAS router for the
    reply.
     
    Bill Grant, Mar 28, 2006
    #4
  5. DPM

    DPM Guest

    Bill,

    Thanks for responding.

    Please let me clarify: I have a server with 2 NICs; one NIC is set to
    192.168.0.5, and everything on this NIC is normal and active; I can ping it
    from a computer attached to this interface.

    I have a second NIC set to 192.168.200.1; if I attach a computer to this
    interface, give the computer an address of 192.168.200.200 and from it ping
    192.168.200.1 I get no reply.

    Note that I'm not trying to ping the 192.168.200 net from 192.168.0 net; I'm
    simply trying to ping the 192.168.200.1 server on that net, and it's not
    responding. Setting a default gateway address of 192.168.200.1 in the
    192.168.200.200 machine does not fix the problem.

    If I run Network Monitor on the 192.168.200 NIC, I see the ping requests
    arrive at the server, but the server doesn't respond. If I ping the .200
    machine from the server, NM records nothing, although ping reports a
    timeout. If I ping 192.168.200.1 from the server console, ping records a
    normal response.

    This seems like it should be clear and straightforward - what am I missing
    here?

    Thanks for your help.

    Regards,
    Dean

     
    DPM, Mar 28, 2006
    #5
  6. DPM

    DPM Guest

    Bill,

    I finally figured this out: I have the RRAS server running, and it adds
    filters that block ICMP packets. Adding an exception for ICMP allows pings
    to get through.

    I still can't get the RRAS server to answer a connection request, but that's
    another issue.

    Thanks for your help. If you've got any insight as to why the server's not
    answering, I'm all ears <g>.

    Regards,
    Dean

     
    DPM, Mar 28, 2006
    #6
  7. DPM

    Bill Grant Guest

    What error message do you get when you try to make a VPN connection?
     
    Bill Grant, Mar 29, 2006
    #7
  8. In
    If I may interject, I would suggest to disable RRAS, and then reconfigure it
    without filters to see if you can get the VPN to connect, then apply the
    appropriate filters afterwards. This also depends on what type of VPN is
    being configured or attempted to connect by, such as whether it's a PPTP or
    L2TP VPN. Of course, if L2TP, the IPSec policy should be properly created.
    If ICF is enabled, or any other personal firewall installed on the
    server/client, that would also block VPN connection attempts.


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.

    It's easy:
    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations
    Assimilation Imminent. Resistance is Futile
    "Very funny Scotty. Now, beam down my clothes."

    The only thing in life is change. Anything more is a blackhole consuming
    unnecessary energy. - [Me]
     
    Ace Fekay [MVP], Mar 29, 2006
    #8
  9. DPM

    DPM Guest

    Ace, Bill:

    I got the RRAS server to answer; this proved to be an incorrect network mask
    on the .200 NIC (I was using 255.255.0.0 - changing it to 255.255.255.0
    fixed the problem).

    Now, the server answers, but I get:

    "Error 930: authentication server did not respond to authentication requests
    in a timely fashion."

    I've tried both Windows authentication and RADIUS (I have an IAS server
    running on this server) and get the same error regardless. Of course I
    created a user and password and gave the account dial-in permission, but the
    error implies that the RRAS server could not contact the authentication
    server.

    Is there any way to test the authentication server to debug this? Or is
    this a known issue and you know a workaround? I have implemented RRAS on
    single-homed servers, both Win2K and 2003, and never saw this error before.

    By the way, I took Ace's advice and removed all filters from the VPN NIC. I
    also added two static routes: 192.168.0.0/255.255.255.0 on the VPN NIC and
    192.168.200.0/255.255.255.0 to the LAN NIC. I can now ping the .200.0 net
    from .0.0 net and vice versa.

    Thanks again for your patience and help.

    Regards,
    Dean

     
    DPM, Mar 29, 2006
    #9
  10. DPM

    DPM Guest

    I finally resolved this by enabling tracing and poring over the logs. Even
    though I used Windows authentication, I expected the RRAS server to use the
    local user list, but because the server is a domain member it went back to
    the DC for authentication, and the user there did not have dial-in
    permission. Why that got reported as an authentication timeout only
    Microsoft knows, I guess.

    Last item, if you're still reading: I set the RRAS server to assign IPs from
    a static pool (192.168.100.x). I added a static route (0.0.0.0/0.0.0.0) to
    the VPN NIC, and now I can get to the internet through the VPN. But I can't
    get to other computers in the 192.168.0.x net, other than the server itself
    (192.168.0.5) and the default gateway (192.168.0.1). I can ping these, but
    no others. Also, with the VPN established I can ping 192.168.200.200 (the
    client NIC) but not the assigned VPN address (192.168.100.103, say).

    I think I don't clearly understand how packets get routed: if my LAN is
    192.168.0.x, my VPN adapter 192.168.200.x and the VPN address 192.168.100.x,
    how do I set the routes so that a client attached through the VPN can see
    all the resources on the LAN net?

    Thanks for bearing with me on this journey.

    Regards,
    Dean


     
    DPM, Mar 29, 2006
    #10
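The routing behind Bill's static route in #4 and Dean's question above comes down to longest-prefix lookup at each hop. The following is an added Python example, not code from the thread: it models the thread's three subnets with constructed host tables (the "isp" hop, the tables themselves and the pool address 192.168.100.103 are assumptions) and shows that the DC's reply to a VPN client is sent to the internet router and lost until a route for the pool via the RRAS server (192.168.0.5) exists, and that the .200 client cannot answer at all without a default gateway.

```python
import ipaddress

# Constructed example: longest-prefix-match route lookup over the thread's
# subnets. 'direct' means on-link; an unknown hop name means "no table".
LAN, VPN_NIC, POOL = "192.168.0.0/24", "192.168.200.0/24", "192.168.100.0/24"
DEFAULT = "0.0.0.0/0"

def next_hop(table, dst):
    """Return the next hop for dst from table (list of (prefix, hop));
    the longest matching prefix wins; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(hosts, src, dst, max_hops=8):
    """Walk a packet hop by hop; the returned path ends with dst if it was
    deliverable, otherwise with the hop that dropped it (no matching route)."""
    path, cur = [src], src
    for _ in range(max_hops):
        hop = next_hop(hosts.get(cur, []), dst)
        if hop is None:
            return path                    # no route here: packet dropped
        if hop == "direct":
            return path + [dst]            # on-link: delivered
        path.append(hop)
        cur = hop
    return path

# Constructed tables. The RRAS server reaches the VPN pool over its virtual
# interface; the internet router (192.168.0.1) knows nothing about the pool.
RRAS = [(LAN, "direct"), (VPN_NIC, "direct"), (POOL, "direct")]
ROUTER = [(LAN, "direct"), (DEFAULT, "isp")]
DC_NO_ROUTE = [(LAN, "direct"), (DEFAULT, "192.168.0.1")]
DC_FIXED = [(POOL, "192.168.0.5")] + DC_NO_ROUTE     # route added per Bill's #4
CLIENT_NO_GW = [(VPN_NIC, "direct")]                 # Dean's original .200 client
CLIENT_GW = CLIENT_NO_GW + [(DEFAULT, "192.168.200.1")]

def dc_reply_path(dc_table):
    """Path of the DC's (192.168.0.7) reply to VPN client 192.168.100.103."""
    hosts = {"192.168.0.7": dc_table, "192.168.0.1": ROUTER, "192.168.0.5": RRAS}
    return trace(hosts, "192.168.0.7", "192.168.100.103")

if __name__ == "__main__":
    print("DC without pool route:", dc_reply_path(DC_NO_ROUTE))
    print("DC with pool route:   ", dc_reply_path(DC_FIXED))
    print(".200 client reply to 192.168.0.5, no gateway:", next_hop(CLIENT_NO_GW, "192.168.0.5"))
```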
  11. In
    ISA reported it as such because it couldn't authenticate the user account,
    however, if you look in the security Event logs, you should see the failure
    attempt.
    I think you mean you cannot use the single NetBIOS name to ping or connect
    to. Try connecting via FQDN. If you can do that, then it appears you'll need
    WINS to provide NetBIOS name resolution across subnets, which is not
    possible by default.
    WINS, if you mean by NetBIOS names.
    No problem, Dean.

    Ace
     
    Ace Fekay [MVP], Mar 30, 2006
    #11
  12. DPM

    DPM Guest

    No, I mean I cannot ping the IP address. If I'm on the VPN client with the
    VPN established, I can ping the RRAS server's IP (192.168.0.5) and the
    internet router (192.168.0.1). But I can't ping the domain controller
    (192.168.0.7). I CAN ping the DC from the RRAS server console both by IP
    and FQDN, so I know it's working. But from the client, no. And since the
    DC is both the DNS and WINS server, if I can't get to it from the client I'm
    stuck. Do I need to add some static routes? If so, can you point me to a
    resource that will help me figure out which ones?

    Thanks,
    Dean
     
    DPM, Mar 30, 2006
    #12
  13. In
    Can you UNC to a shared folder on the DC?

    Here are some links to help guide you thru setting up VPNs using Windows
    RRAS:

    Q292822 - Name Resolution and Connectivity Issues on Windows 2000 Domain
    Controller with Routing and Remote Access and DNS Installed and Demand Dial:
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q292822&

    Virtual Private Networks:
    http://www.microsoft.com/technet/pr...elp/a08da8ea-a616-4422-bbd7-9cb8de066b29.mspx

    Deploying Virtual Private Networks:
    http://www.microsoft.com/technet/pr...elp/43f330b4-3fdd-4b0d-bf4e-eaa10a9a06e3.mspx

    How To Configure all aspects of RAS on Windows 2003:
    http://www.microsoft.com/resources/.../datacenter/proddocs/en-us/sag_rras_howto.asp

    Ace
     
    Ace Fekay [MVP], Mar 31, 2006
    #13
  14. DPM

    DPM Guest

    Ace,

    Thanks for your help. I've finally gotten most of this working.

    Regards,
    Dean
     
    DPM, Mar 31, 2006
    #14
  15. In
    Good to hear!
     
    Ace Fekay [MVP], Apr 4, 2006
    #15