Dual adapter problem

Hi!

I'm trying to set up a VPN but that's not the problem. I'm trying
to get 2 adapters to work in this (Server 2003) machine and I'm not
having much luck.

Background:

We run a typical DMZ configuration with a hardware firewall. The DMZ
is under 10.0.0.x and Trust is under 10.0.1.x.

Adapter 1:

IP: 10.0.0.9
Subnet: 255.255.255.0
Gateway: 10.0.0.1
DNS: 10.0.1.93; 10.0.1.127

Adapter 2 (for vpn):

IP: 10.0.0.11
Subnet 255.255.255.0
Gateway: 10.0.0.1
DNS: 10.0.1.93; 10.0.1.127

Adapter 1 is live and working. It's fine. But the second adapter, I
can't ping from outside this machine. I can ping it from this machine
but not from others. The firewall allows all ports between Trust and
DMZ.

What's confusing me is the messages I'm getting from Windows. When I
try to set the properties for the second adapter, it says this:

"Warning: multiple default gateways are intended to provide redundancy
to a single network. They will not function properly when the
gateways are on 2 separate, disjoint networks."

What's confusing me is that both adapters are configured for the SAME
gateway; 10.0.0.1. I could understand if I said 10.0.1.50 for the
gateway but I don't get this. The adapter is unpingable and i assume
because of this but how do I correct it/configure it properly? I've
tried leaving the gateway blank on the second adapter but I still
can't ping it.

Note, I'm just trying to get this second adapter pingable, the
firewall and vpn are a different issue.

Thanks!

1. You can't have both nics in the same subnet.
2. Only one Nic can have a DFG.

I see no purpose for a second Nic in the server with anything that you have
descibed.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------


"Tom wilson" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi!
>
> I'm trying to set up a VPN but that's not the problem. I'm trying
> to get 2 adapters to work in this (Server 2003) machine and I'm not
> having much luck.
>
> Background:
>
> We run a typical DMZ configuration with a hardware firewall. The DMZ
> is under 10.0.0.x and Trust is under 10.0.1.x.
>
> Adapter 1:
>
> IP: 10.0.0.9
> Subnet: 255.255.255.0
> Gateway: 10.0.0.1
> DNS: 10.0.1.93; 10.0.1.127
>
> Adapter 2 (for vpn):
>
> IP: 10.0.0.11
> Subnet 255.255.255.0
> Gateway: 10.0.0.1
> DNS: 10.0.1.93; 10.0.1.127
>
> Adapter 1 is live and working. It's fine. But the second adapter, I
> can't ping from outside this machine. I can ping it from this machine
> but not from others. The firewall allows all ports between Trust and
> DMZ.
>
> What's confusing me is the messages I'm getting from Windows. When I
> try to set the properties for the second adapter, it says this:
>
> "Warning: multiple default gateways are intended to provide redundancy
> to a single network. They will not function properly when the
> gateways are on 2 separate, disjoint networks."
>
> What's confusing me is that both adapters are configured for the SAME
> gateway; 10.0.0.1. I could understand if I said 10.0.1.50 for the
> gateway but I don't get this. The adapter is unpingable and i assume
> because of this but how do I correct it/configure it properly? I've
> tried leaving the gateway blank on the second adapter but I still
> can't ping it.
>
> Note, I'm just trying to get this second adapter pingable, the
> firewall and vpn are a different issue.
>
> Thanks!

As Phillip said, what are you going to do with a second adapter? VPN
doesn't need it.

"Phillip Windell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> 1. You can't have both nics in the same subnet.
> 2. Only one Nic can have a DFG.
>
> I see no purpose for a second Nic in the server with anything that you
> have descibed.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft, or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>
> "Tom wilson" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hi!
>>
>> I'm trying to set up a VPN but that's not the problem. I'm trying
>> to get 2 adapters to work in this (Server 2003) machine and I'm not
>> having much luck.
>>
>> Background:
>>
>> We run a typical DMZ configuration with a hardware firewall. The DMZ
>> is under 10.0.0.x and Trust is under 10.0.1.x.
>>
>> Adapter 1:
>>
>> IP: 10.0.0.9
>> Subnet: 255.255.255.0
>> Gateway: 10.0.0.1
>> DNS: 10.0.1.93; 10.0.1.127
>>
>> Adapter 2 (for vpn):
>>
>> IP: 10.0.0.11
>> Subnet 255.255.255.0
>> Gateway: 10.0.0.1
>> DNS: 10.0.1.93; 10.0.1.127
>>
>> Adapter 1 is live and working. It's fine. But the second adapter, I
>> can't ping from outside this machine. I can ping it from this machine
>> but not from others. The firewall allows all ports between Trust and
>> DMZ.
>>
>> What's confusing me is the messages I'm getting from Windows. When I
>> try to set the properties for the second adapter, it says this:
>>
>> "Warning: multiple default gateways are intended to provide redundancy
>> to a single network. They will not function properly when the
>> gateways are on 2 separate, disjoint networks."
>>
>> What's confusing me is that both adapters are configured for the SAME
>> gateway; 10.0.0.1. I could understand if I said 10.0.1.50 for the
>> gateway but I don't get this. The adapter is unpingable and i assume
>> because of this but how do I correct it/configure it properly? I've
>> tried leaving the gateway blank on the second adapter but I still
>> can't ping it.
>>
>> Note, I'm just trying to get this second adapter pingable, the
>> firewall and vpn are a different issue.
>>
>> Thanks!
>
>

Microsoft recommends that a VPN operate from a separate adapter in a
server. So I have a server with 2 adapters. One is for the usual
network traffic, the other for the VPN.

Did I misinterpret what they're saying?

Thanks for the replies!



On Tue, 17 Apr 2007 18:41:25 +1000, "Bill Grant"
<not.available@online> wrote:

> As Phillip said, what are you going to do with a second adapter? VPN
>doesn't need it.
>
>"Phillip Windell" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> 1. You can't have both nics in the same subnet.
>> 2. Only one Nic can have a DFG.
>>
>> I see no purpose for a second Nic in the server with anything that you
>> have descibed.
>>
>> --
>> Phillip Windell
>> www.wandtv.com
>>
>> The views expressed, are my own and not those of my employer, or
>> Microsoft, or anyone else associated with me, including my cats.
>> -----------------------------------------------------
>>
>>
>> "Tom wilson" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Hi!
>>>
>>> I'm trying to set up a VPN but that's not the problem. I'm trying
>>> to get 2 adapters to work in this (Server 2003) machine and I'm not
>>> having much luck.
>>>
>>> Background:
>>>
>>> We run a typical DMZ configuration with a hardware firewall. The DMZ
>>> is under 10.0.0.x and Trust is under 10.0.1.x.
>>>
>>> Adapter 1:
>>>
>>> IP: 10.0.0.9
>>> Subnet: 255.255.255.0
>>> Gateway: 10.0.0.1
>>> DNS: 10.0.1.93; 10.0.1.127
>>>
>>> Adapter 2 (for vpn):
>>>
>>> IP: 10.0.0.11
>>> Subnet 255.255.255.0
>>> Gateway: 10.0.0.1
>>> DNS: 10.0.1.93; 10.0.1.127
>>>
>>> Adapter 1 is live and working. It's fine. But the second adapter, I
>>> can't ping from outside this machine. I can ping it from this machine
>>> but not from others. The firewall allows all ports between Trust and
>>> DMZ.
>>>
>>> What's confusing me is the messages I'm getting from Windows. When I
>>> try to set the properties for the second adapter, it says this:
>>>
>>> "Warning: multiple default gateways are intended to provide redundancy
>>> to a single network. They will not function properly when the
>>> gateways are on 2 separate, disjoint networks."
>>>
>>> What's confusing me is that both adapters are configured for the SAME
>>> gateway; 10.0.0.1. I could understand if I said 10.0.1.50 for the
>>> gateway but I don't get this. The adapter is unpingable and i assume
>>> because of this but how do I correct it/configure it properly? I've
>>> tried leaving the gateway blank on the second adapter but I still
>>> can't ping it.
>>>
>>> Note, I'm just trying to get this second adapter pingable, the
>>> firewall and vpn are a different issue.
>>>
>>> Thanks!
>>
>>
>

Actually, not Microsoft, sorry. I'm following a Tech Republic
document on how to set up a VPN in 2003 and it says "For VPN Servers,
you should install and use a separate network adapter for VPN
applications."

Are they incorrect? Can I just run the VPN off the existing adapter
with no problem?

Thanks!


On Tue, 17 Apr 2007 18:41:25 +1000, "Bill Grant"
<not.available@online> wrote:

> As Phillip said, what are you going to do with a second adapter? VPN
>doesn't need it.
>
>"Phillip Windell" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> 1. You can't have both nics in the same subnet.
>> 2. Only one Nic can have a DFG.
>>
>> I see no purpose for a second Nic in the server with anything that you
>> have descibed.
>>
>> --
>> Phillip Windell
>> www.wandtv.com
>>
>> The views expressed, are my own and not those of my employer, or
>> Microsoft, or anyone else associated with me, including my cats.
>> -----------------------------------------------------
>>
>>
>> "Tom wilson" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Hi!
>>>
>>> I'm trying to set up a VPN but that's not the problem. I'm trying
>>> to get 2 adapters to work in this (Server 2003) machine and I'm not
>>> having much luck.
>>>
>>> Background:
>>>
>>> We run a typical DMZ configuration with a hardware firewall. The DMZ
>>> is under 10.0.0.x and Trust is under 10.0.1.x.
>>>
>>> Adapter 1:
>>>
>>> IP: 10.0.0.9
>>> Subnet: 255.255.255.0
>>> Gateway: 10.0.0.1
>>> DNS: 10.0.1.93; 10.0.1.127
>>>
>>> Adapter 2 (for vpn):
>>>
>>> IP: 10.0.0.11
>>> Subnet 255.255.255.0
>>> Gateway: 10.0.0.1
>>> DNS: 10.0.1.93; 10.0.1.127
>>>
>>> Adapter 1 is live and working. It's fine. But the second adapter, I
>>> can't ping from outside this machine. I can ping it from this machine
>>> but not from others. The firewall allows all ports between Trust and
>>> DMZ.
>>>
>>> What's confusing me is the messages I'm getting from Windows. When I
>>> try to set the properties for the second adapter, it says this:
>>>
>>> "Warning: multiple default gateways are intended to provide redundancy
>>> to a single network. They will not function properly when the
>>> gateways are on 2 separate, disjoint networks."
>>>
>>> What's confusing me is that both adapters are configured for the SAME
>>> gateway; 10.0.0.1. I could understand if I said 10.0.1.50 for the
>>> gateway but I don't get this. The adapter is unpingable and i assume
>>> because of this but how do I correct it/configure it properly? I've
>>> tried leaving the gateway blank on the second adapter but I still
>>> can't ping it.
>>>
>>> Note, I'm just trying to get this second adapter pingable, the
>>> firewall and vpn are a different issue.
>>>
>>> Thanks!
>>
>>
>

A separate adapter,....in a different subnet.
A VPN Server is a "form" of a router,...each interface on a router is a
different subnet.

One adapter faces the Internet and has a Public IP# or is Reverse NATed by a
capable Firewall.
The other adapter faces the LAN.

However such a capable Firewall could probably do the VPN itself and nullify to
need to do it with RRAS.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------

"Tom wilson" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Actually, not Microsoft, sorry. I'm following a Tech Republic
> document on how to set up a VPN in 2003 and it says "For VPN Servers,
> you should install and use a separate network adapter for VPN
> applications."
>
> Are they incorrect? Can I just run the VPN off the existing adapter
> with no problem?
>
> Thanks!
>
>
> On Tue, 17 Apr 2007 18:41:25 +1000, "Bill Grant"
> <not.available@online> wrote:
>
>> As Phillip said, what are you going to do with a second adapter? VPN
>>doesn't need it.
>>
>>"Phillip Windell" <(E-Mail Removed)> wrote in message
>>news:(E-Mail Removed)...
>>> 1. You can't have both nics in the same subnet.
>>> 2. Only one Nic can have a DFG.
>>>
>>> I see no purpose for a second Nic in the server with anything that you
>>> have descibed.
>>>
>>> --
>>> Phillip Windell
>>> www.wandtv.com
>>>
>>> The views expressed, are my own and not those of my employer, or
>>> Microsoft, or anyone else associated with me, including my cats.
>>> -----------------------------------------------------
>>>
>>>
>>> "Tom wilson" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed)...
>>>> Hi!
>>>>
>>>> I'm trying to set up a VPN but that's not the problem. I'm trying
>>>> to get 2 adapters to work in this (Server 2003) machine and I'm not
>>>> having much luck.
>>>>
>>>> Background:
>>>>
>>>> We run a typical DMZ configuration with a hardware firewall. The DMZ
>>>> is under 10.0.0.x and Trust is under 10.0.1.x.
>>>>
>>>> Adapter 1:
>>>>
>>>> IP: 10.0.0.9
>>>> Subnet: 255.255.255.0
>>>> Gateway: 10.0.0.1
>>>> DNS: 10.0.1.93; 10.0.1.127
>>>>
>>>> Adapter 2 (for vpn):
>>>>
>>>> IP: 10.0.0.11
>>>> Subnet 255.255.255.0
>>>> Gateway: 10.0.0.1
>>>> DNS: 10.0.1.93; 10.0.1.127
>>>>
>>>> Adapter 1 is live and working. It's fine. But the second adapter, I
>>>> can't ping from outside this machine. I can ping it from this machine
>>>> but not from others. The firewall allows all ports between Trust and
>>>> DMZ.
>>>>
>>>> What's confusing me is the messages I'm getting from Windows. When I
>>>> try to set the properties for the second adapter, it says this:
>>>>
>>>> "Warning: multiple default gateways are intended to provide redundancy
>>>> to a single network. They will not function properly when the
>>>> gateways are on 2 separate, disjoint networks."
>>>>
>>>> What's confusing me is that both adapters are configured for the SAME
>>>> gateway; 10.0.0.1. I could understand if I said 10.0.1.50 for the
>>>> gateway but I don't get this. The adapter is unpingable and i assume
>>>> because of this but how do I correct it/configure it properly? I've
>>>> tried leaving the gateway blank on the second adapter but I still
>>>> can't ping it.
>>>>
>>>> Note, I'm just trying to get this second adapter pingable, the
>>>> firewall and vpn are a different issue.
>>>>
>>>> Thanks!
>>>
>>>
>>
>

Guess what? We have a capable firewall. A Netscreen 25 with VPN
capabilities. I configured it but it requires a client program made
by Netscreen on the client side. I can't download it because our
support contract expired. So I have to do it this way.

So then, what I should do is find an unused subnet, configure the
second adapter for it and... I think I get it.

THANKS!


On Tue, 17 Apr 2007 09:52:04 -0500, "Phillip Windell"
<(E-Mail Removed)> wrote:

>A separate adapter,....in a different subnet.
>A VPN Server is a "form" of a router,...each interface on a router is a
>different subnet.
>
>One adapter faces the Internet and has a Public IP# or is Reverse NATed by a
>capable Firewall.
>The other adapter faces the LAN.
>
>However such a capable Firewall could probably do the VPN itself and nullify to
>need to do it with RRAS.

Build the RRAS box with two nic and have it side by side with the Netscreen box.
One nic of the RRAS box faces the Internet and has a public IP# like the
Netwscreen box does. You will effectively have two firewalls,...the Netscreen
box and the RRAS box.

You will want to unbind everything except TCP/IP from the RRAS box's external
facing Nic.

You should be able to find what you need for configureing RRAS as a VPN box on
MS's site. Plus it is right there in the built in Help in the RRAS MMC. You do
*not* need to configure it for being a NAT Firewall/Router since the Netscreen
box already does that.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------

"Tom wilson" <(E-Mail Removed)> wrote in message
news(E-Mail Removed)...
>
> Guess what? We have a capable firewall. A Netscreen 25 with VPN
> capabilities. I configured it but it requires a client program made
> by Netscreen on the client side. I can't download it because our
> support contract expired. So I have to do it this way.
>
> So then, what I should do is find an unused subnet, configure the
> second adapter for it and... I think I get it.
>
> THANKS!
>
>
> On Tue, 17 Apr 2007 09:52:04 -0500, "Phillip Windell"
> <(E-Mail Removed)> wrote:
>
>>A separate adapter,....in a different subnet.
>>A VPN Server is a "form" of a router,...each interface on a router is a
>>different subnet.
>>
>>One adapter faces the Internet and has a Public IP# or is Reverse NATed by a
>>capable Firewall.
>>The other adapter faces the LAN.
>>
>>However such a capable Firewall could probably do the VPN itself and nullify
>>to
>>need to do it with RRAS.
>