2 nics DMZ

JD
02-10-2006, 03:16 AM
Hello out there gurus.... I have a question about Windows 2003 Server with
2 network cards. #1 network card is attached to my local network 172.X.
Network card #2 is hooked onto my DMZ 192.X with network load balancing.
My goal is to have a website for external users and internal users. Since I
use an external DNS I have to make my own DNS entries for websites and I use
the internal Network #1 card. I use Network Card #2 for DMZ -> PIX to
Internet.

Problem?

Since I can only have 1 gateway I used network card #2 to
add my default gateway. I then wanted to use the RAS LAN routing to add
static routes for the internal network #1. When going to configure the app,
RAS told me I needed to stop the ICS firewall service and disable it. I ended up
just adding the static routes via the command line (route add command
with -p). Now when I turn on the firewall I am unable to ping the #2 adapter
from a machine on the #1 network. ICMP is on and I can ping the internal adapter
#1. Does the firewall take out my static routes or disable my #2 adapter?
What am I doing wrong?

Goal...

To have web services via the #2 network card with network load
balancing, and Windows 2003 firewall services to filter traffic from the internet to
prevent the #2 network from exposing my internal network #1 in the event IIS is
hacked or compromised.

I have this configuration on 2 other web servers and they run fine with no
firewall, just a pin hole in the PIX for HTTP traffic. I would love to just
keep the servers in the DMZ; however, for backups the 1 gig network is great
and the PIX is only 100mb and we can't afford a new PIX. I was hoping there
was a way to use the firewall to help ward off attackers that may have some
sort of IIS hack that may lead to remote execution code being run on my
server and exposing my internal network. Any information that I might be
able to use would be appreciated.

Network Card #1 172.X Internal network -> to internal network switch on
servers subnet.

Network Card #2 192.X VLAN with network load balancing. External
network -> PIX -> border router -> internet

Thanks in advance.

JD

Bill Grant
02-10-2006, 05:27 AM

That mostly makes sense. I am not sure why you want to use RRAS, but you
can't enable RRAS with the firewall service running. They would interfere
with each other. But I have a few queries.

1. RRAS is an IP router. Do you have IP routing enabled on this
machine? If so, why?

2. I don't understand the bit about static routes. What static routes
were you trying to add to the machine? What were they supposed to do? Is
your 172. network a routed network?

3. Why do you want to be able to ping the external NIC from the LAN?
What would you need to do that for? The LAN machines have no reason to use
the external NIC. They can access the web server from the internal NIC.
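Bill's first question (is IP routing enabled?) is the one that decides whether this box is a web server with two legs or a router joining the DMZ to the LAN. As an added example that is not from the thread, here is a small Python audit that parses `route print` output (a constructed sample with made-up addresses) and checks the invariants JD is relying on: exactly one default route, leaving via the DMZ NIC; a persistent route for each internal subnet via the internal NIC; and IP forwarding off. The `audit` and `parse_routes` names are mine, not a Windows tool.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed `route print` output (made-up addresses): 172.16.5.20 is the internal (#1) NIC,
# 192.168.10.50 the DMZ (#2) NIC with the default gateway, 172.16.0.0/16 the `route add -p` route.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.50     20
       172.16.0.0      255.255.0.0       172.16.5.1     172.16.5.20      1
       172.16.5.0    255.255.255.0      172.16.5.20     172.16.5.20     10
     192.168.10.0    255.255.255.0    192.168.10.50   192.168.10.50     20
Default Gateway:      192.168.10.1
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       172.16.0.0      255.255.0.0       172.16.5.1       1
"""
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACTIVE_RE = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+\d+\s*$")   # dest mask gw iface metric
PERSIST_RE = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+\d+\s*$")         # dest mask gw metric

def parse_routes(text):
    """Return ([(network, gateway, interface)], {networks listed under Persistent Routes})."""
    active, persistent = [], set()
    for line in text.splitlines():
        if m := ACTIVE_RE.match(line):
            dest, mask, gw, iface = m.groups()
            active.append((ip_network(f"{dest}/{mask}", strict=False), ip_address(gw), ip_address(iface)))
        elif m := PERSIST_RE.match(line):
            persistent.add(ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return active, persistent

def audit(text, lan_ip, dmz_ip, lan_subnets, ip_forwarding):
    """Findings for a dual-homed web server that must not bridge DMZ and LAN; ip_forwarding is the
    IPEnableRouter value under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters (1 = on)."""
    lan_ip, dmz_ip = ip_address(lan_ip), ip_address(dmz_ip)
    active, persistent = parse_routes(text)
    findings = []
    defaults = [r for r in active if r[0].prefixlen == 0]
    if len(defaults) != 1 or defaults[0][2] != dmz_ip:
        findings.append("expected exactly one default route, leaving via the DMZ NIC")
    for sub in map(ip_network, lan_subnets):
        via_lan = [r for r in active if sub.subnet_of(r[0]) and r[2] == lan_ip]
        if not via_lan:
            findings.append(f"{sub}: no route via the internal NIC, traffic would use the DMZ default gateway")
        elif not any(r[0] in persistent or r[1] == r[2] for r in via_lan):  # connected routes need no -p
            findings.append(f"{sub}: route is not persistent, it will vanish at reboot (use route add -p)")
    if ip_forwarding:
        findings.append("IPEnableRouter=1: this host forwards packets between the DMZ and the LAN")
    return findings
```

Run it against the real `route print` output of the server and the IPEnableRouter value read from the registry; an empty list means the routing side matches what JD described.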


 
JD
02-10-2006, 02:11 PM
Thanks for the response Bill. Here are the answers..

1. No Routing and Remote Access installed. I added the routes for the
internal network via the command line (Route Add command).

2. Since I have 2 network cards I can only have 1 gateway. The gateway was
installed on NIC #2 External. NIC #1 Internal does not have a gateway so I
have to tell the NIC how to route internally to other subnets. My 172
network is routed via Cisco routers / VLANs.

3. The external NIC really doesn't need to be pinged. I was unable to ping
the interface from another machine on the 192.x network. That kinda told me
there was something wrong. This only happened when I turned on the Windows
firewall. I enabled ICMP pings on the external interface; still not pingable
from the external network side. I am just wondering what I did or didn't do
to make this work.

Thanks again for the response.....


JD

Bill Grant
02-11-2006, 12:01 AM
1. Good.

2. Understood.

3. OK.

Then what exactly is your problem? What doesn't work?
