Multihomed server 2000

Hello,

I've got a Win2K server with 2 NICs; one is set to 192.168.0.5 and is
connected to the LAN, the other is set to 192.168.200.1 (both masks
255.255.255.0). The first works fine; I want to use the second for VPNs,
but I can't ping it. It's enabled, I can see pings arriving, but no
response. Any idea why? (No firewalls, BTW).

Thanks for any suggestions.
--
Regards,
Dean

Two questions.

1.Why do you want a second NIC in the server? VPN clients connect to a
"virtual" interface. They do not need a separate NIC. On a private LAN the
encapsulated VPN traffic can be directed to the LAN NIC from the
router/NAT-device/firewall.

2. The 192.168.0.5 NIC is connected to the LAN. What is the second NIC
connected to?

DPM wrote:
> Hello,
>
> I've got a Win2K server with 2 NICs; one is set to 192.168.0.5 and is
> connected to the LAN, the other is set to 192.168.200.1 (both masks
> 255.255.255.0). The first works fine; I want to use the second for
> VPNs, but I can't ping it. It's enabled, I can see pings arriving,
> but no response. Any idea why? (No firewalls, BTW).
>
> Thanks for any suggestions.

We need more information to help. Do you enable NAT since you have two NICs? Posting the results of VPN server and client ipconfig /all here may help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"DPM" <(E-Mail Removed)> wrote in message news:%(E-Mail Removed)...
Hello,

I've got a Win2K server with 2 NICs; one is set to 192.168.0.5 and is
connected to the LAN, the other is set to 192.168.200.1 (both masks
255.255.255.0). The first works fine; I want to use the second for VPNs,
but I can't ping it. It's enabled, I can see pings arriving, but no
response. Any idea why? (No firewalls, BTW).

Thanks for any suggestions.
--
Regards,
Dean

Bill,

Here's the scenario: I've got one NIC connected to my internal LAN; the plan
was to attach a wireless AP to the other, and only allow VPN connections
through it. The idea was that if I only accepted VPN connections on the
second port, I could control who got wireless access to a much greater
degree.

Now, in theory this seems identical to a classical dial-in configuration:
clients dial in to a modem, through which they establish a VPN which is
routed to internal resources. I'm just substituting an AP for the modem.

What I'm puzzled about is the fact that I can't ping the "wireless"
interface externally. If I ping it from the server console, no problem.
But if I attach my laptop to the interface, set the laptop's IP to
192.168.200.200 and try to ping I get no response. I can see the pings
arriving at the server, but the server doesn't respond. In this test setup
neither the server nor client have firewalls.

Bob Lin asked to see ipconfig reports for both server and client; I've
provided them below :

Server:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : server
Primary DNS Suffix . . . . . . . : internal.inc.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : internal.inc.com
inc.com

Ethernet adapter Intel: (attached to internal LAN)

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-03-47-A3-93-5A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.7
Primary WINS Server . . . . . . . : 192.168.0.7

Ethernet adapter Realtek: (wireless AP interface)

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139(A)-based PCI Fast
Ethernet Adapter
Physical Address. . . . . . . . . : 00-40-33-AF-D8-46
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.200.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :

Client:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : dpm-lt
Primary DNS Suffix . . . . . . . : internal.inc.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : internal.inc.com
inc.com

Ethernet adapter LAN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 21143 Based PCI Fast Ethernet
Adapter #2
Physical Address. . . . . . . . . : 00-C0-F0-3E-40-C4
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.200.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.0.7
151.197.0.38
Primary WINS Server . . . . . . . : 192.168.0.7

Ethernet adapter {61A9DB95-4C1E-4641-A501-274A1D016308}:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NOC Extranet Access Adapter
Physical Address. . . . . . . . . : 44-45-53-54-42-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :

Thanks for your help.

Regards,
Dean

"Bill Grant" <not.available@online> wrote in message
news:%(E-Mail Removed)...
> Two questions.
>
> 1.Why do you want a second NIC in the server? VPN clients connect to a
> "virtual" interface. They do not need a separate NIC. On a private LAN the
> encapsulated VPN traffic can be directed to the LAN NIC from the
> router/NAT-device/firewall.
>
> 2. The 192.168.0.5 NIC is connected to the LAN. What is the second NIC
> connected to?
>
> DPM wrote:
> > Hello,
> >
> > I've got a Win2K server with 2 NICs; one is set to 192.168.0.5 and is
> > connected to the LAN, the other is set to 192.168.200.1 (both masks
> > 255.255.255.0). The first works fine; I want to use the second for
> > VPNs, but I can't ping it. It's enabled, I can see pings arriving,
> > but no response. Any idea why? (No firewalls, BTW).
> >
> > Thanks for any suggestions.
>
>

Bob,

I supplied ipconfig reports in my reply to Bill, but no, I did not enable NAT on the second interface. I did enable LAN routing.

Regards,
Dean

"Robert L [MS-MVP]" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
We need more information to help. Do you enable NAT since you have two NICs? Posting the results of VPN server and client ipconfig /all here may help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"DPM" <(E-Mail Removed)> wrote in message news:%(E-Mail Removed)...
Hello,

I've got a Win2K server with 2 NICs; one is set to 192.168.0.5 and is
connected to the LAN, the other is set to 192.168.200.1 (both masks
255.255.255.0). The first works fine; I want to use the second for VPNs,
but I can't ping it. It's enabled, I can see pings arriving, but no
response. Any idea why? (No firewalls, BTW).

Thanks for any suggestions.
--
Regards,
Dean

Default routing falls down when there are multiple routers involved. The
main reason you cannot ping a machine in 192.168.200 froma workstation in
192.168.0 is that the default route is to 192.168.0.1, not to the RRAS
router. To get to 192.168.200 you need a specific route to get the traffic
to the RRAS router. You can add this route to each machine in 192.168.0 or
add it to the router at 192.168.0.1 . In either case this gets the traffic
for 192.168.200 to the RRAS router.

192.168.200.0 255.255.255.0 192.168.0.5

The second reason is that the machine in 192.168.200 does not have a
default gateway set. Set this to be the RRAS router interface in that subnet
(192.168.200.1) so that there is a route back to the RRAS router for the
reply.

DPM wrote:
> Bob,
>
> I supplied ipconfig reports in my reply to Bill, but no, I did not
> enable NAT on the second interface. I did enable LAN routing.
>
> Regards,
> Dean
>
> "Robert L [MS-MVP]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> We need more information to help. Do you enable NAT since you have
> two NICs? Posting the results of VPN server and client ipconfig /all
> here may help.
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
> "DPM" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> Hello,
>
> I've got a Win2K server with 2 NICs; one is set to 192.168.0.5
> and is
> connected to the LAN, the other is set to 192.168.200.1 (both
> masks
> 255.255.255.0). The first works fine; I want to use the second
> for VPNs,
> but I can't ping it. It's enabled, I can see pings arriving, but
> no
> response. Any idea why? (No firewalls, BTW).
>
> Thanks for any suggestions.
> --
> Regards,
> Dean

Bill,

Thanks for responding.

Please let me clarify: I have a server with 2 NICs; one NIC is set to
192.168.0.5, and everything on this NIC is normal and active; I can ping it
from a computer attached to this interface.

I have a second NIC set to 192.168.200.1; if I attach a computer to this
interface, give the computer an address of 192.168.200.200 and from it ping
192.168.200.1 I get no reply.

Note that I'm not trying to ping the 192.168.200 net from 192.168.0 net; I'm
simply trying to ping the 192.168.200.1 server on that net, and it's not
responding. Setting a default gateway address of 192.168.200.1 in the
192.168.200.200 machine does not fix the problem.

If I run Network Monitor on the 192.168.200 NIC, I see the ping requests
arrive at the server, but the server doesn't respond. If I ping the .200
machine from the server, NM records nothing, although ping reports a
timeout. If I ping 192.168.200.1 from the server console, ping records a
normal response.

This seems like it should be clear and straightforward - what am I missing
here?

Thanks for your help.

Regards,
Dean

"Bill Grant" <not.available@online> wrote in message
news:OJPS8$(E-Mail Removed)...
> Default routing falls down when there are multiple routers involved.
The
> main reason you cannot ping a machine in 192.168.200 froma workstation in
> 192.168.0 is that the default route is to 192.168.0.1, not to the RRAS
> router. To get to 192.168.200 you need a specific route to get the traffic
> to the RRAS router. You can add this route to each machine in 192.168.0 or
> add it to the router at 192.168.0.1 . In either case this gets the traffic
> for 192.168.200 to the RRAS router.
>
> 192.168.200.0 255.255.255.0 192.168.0.5
>
> The second reason is that the machine in 192.168.200 does not have a
> default gateway set. Set this to be the RRAS router interface in that
subnet
> (192.168.200.1) so that there is a route back to the RRAS router for the
> reply.
>
> DPM wrote:
> > Bob,
> >
> > I supplied ipconfig reports in my reply to Bill, but no, I did not
> > enable NAT on the second interface. I did enable LAN routing.
> >
> > Regards,
> > Dean
> >
> > "Robert L [MS-MVP]" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > We need more information to help. Do you enable NAT since you have
> > two NICs? Posting the results of VPN server and client ipconfig /all
> > here may help.
> >
> > Bob Lin, MS-MVP, MCSE & CNE
> > Networking, Internet, Routing, VPN Troubleshooting on
> > http://www.ChicagoTech.net
> > How to Setup Windows, Network, VPN & Remote Access on
> > http://www.HowToNetworking.com
> > "DPM" <(E-Mail Removed)> wrote in message
> > news:%(E-Mail Removed)...
> > Hello,
> >
> > I've got a Win2K server with 2 NICs; one is set to 192.168.0.5
> > and is
> > connected to the LAN, the other is set to 192.168.200.1 (both
> > masks
> > 255.255.255.0). The first works fine; I want to use the second
> > for VPNs,
> > but I can't ping it. It's enabled, I can see pings arriving, but
> > no
> > response. Any idea why? (No firewalls, BTW).
> >
> > Thanks for any suggestions.
> > --
> > Regards,
> > Dean
>
>

Bill,

I finally figured this out: I have the RRAS server running, and it adds
filters that block ICMP packets. Adding an exception for ICMP allows pings
to get through.

I still can't get the RRAS server to answer a connection request, but that's
another issue.

Thanks for your help. If you've got any insight as to why the server's not
answering, I'm all ears <g>.

Regards,
Dean

"Bill Grant" <not.available@online> wrote in message
news:OJPS8$(E-Mail Removed)...
> Default routing falls down when there are multiple routers involved.
The
> main reason you cannot ping a machine in 192.168.200 froma workstation in
> 192.168.0 is that the default route is to 192.168.0.1, not to the RRAS
> router. To get to 192.168.200 you need a specific route to get the traffic
> to the RRAS router. You can add this route to each machine in 192.168.0 or
> add it to the router at 192.168.0.1 . In either case this gets the traffic
> for 192.168.200 to the RRAS router.
>
> 192.168.200.0 255.255.255.0 192.168.0.5
>
> The second reason is that the machine in 192.168.200 does not have a
> default gateway set. Set this to be the RRAS router interface in that
subnet
> (192.168.200.1) so that there is a route back to the RRAS router for the
> reply.
>
> DPM wrote:
> > Bob,
> >
> > I supplied ipconfig reports in my reply to Bill, but no, I did not
> > enable NAT on the second interface. I did enable LAN routing.
> >
> > Regards,
> > Dean
> >
> > "Robert L [MS-MVP]" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > We need more information to help. Do you enable NAT since you have
> > two NICs? Posting the results of VPN server and client ipconfig /all
> > here may help.
> >
> > Bob Lin, MS-MVP, MCSE & CNE
> > Networking, Internet, Routing, VPN Troubleshooting on
> > http://www.ChicagoTech.net
> > How to Setup Windows, Network, VPN & Remote Access on
> > http://www.HowToNetworking.com
> > "DPM" <(E-Mail Removed)> wrote in message
> > news:%(E-Mail Removed)...
> > Hello,
> >
> > I've got a Win2K server with 2 NICs; one is set to 192.168.0.5
> > and is
> > connected to the LAN, the other is set to 192.168.200.1 (both
> > masks
> > 255.255.255.0). The first works fine; I want to use the second
> > for VPNs,
> > but I can't ping it. It's enabled, I can see pings arriving, but
> > no
> > response. Any idea why? (No firewalls, BTW).
> >
> > Thanks for any suggestions.
> > --
> > Regards,
> > Dean
>
>

What error message do you get when you try to make a VPN connection?

DPM wrote:
> Bill,
>
> I finally figured this out: I have the RRAS server running, and it
> adds filters that block ICMP packets. Adding an exception for ICMP
> allows pings to get through.
>
> I still can't get the RRAS server to answer a connection request, but
> that's another issue.
>
> Thanks for your help. If you've got any insight as to why the
> server's not answering, I'm all ears <g>.
>
> Regards,
> Dean
>
> "Bill Grant" <not.available@online> wrote in message
> news:OJPS8$(E-Mail Removed)...
>> Default routing falls down when there are multiple routers
>> involved. The main reason you cannot ping a machine in 192.168.200
>> froma workstation in 192.168.0 is that the default route is to
>> 192.168.0.1, not to the RRAS router. To get to 192.168.200 you need
>> a specific route to get the traffic to the RRAS router. You can add
>> this route to each machine in 192.168.0 or add it to the router at
>> 192.168.0.1 . In either case this gets the traffic for 192.168.200
>> to the RRAS router.
>>
>> 192.168.200.0 255.255.255.0 192.168.0.5
>>
>> The second reason is that the machine in 192.168.200 does not
>> have a default gateway set. Set this to be the RRAS router interface
>> in that subnet (192.168.200.1) so that there is a route back to the
>> RRAS router for the reply.
>>
>> DPM wrote:
>>> Bob,
>>>
>>> I supplied ipconfig reports in my reply to Bill, but no, I did not
>>> enable NAT on the second interface. I did enable LAN routing.
>>>
>>> Regards,
>>> Dean
>>>
>>> "Robert L [MS-MVP]" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed)...
>>> We need more information to help. Do you enable NAT since you have
>>> two NICs? Posting the results of VPN server and client ipconfig /all
>>> here may help.
>>>
>>> Bob Lin, MS-MVP, MCSE & CNE
>>> Networking, Internet, Routing, VPN Troubleshooting on
>>> http://www.ChicagoTech.net
>>> How to Setup Windows, Network, VPN & Remote Access on
>>> http://www.HowToNetworking.com
>>> "DPM" <(E-Mail Removed)> wrote in message
>>> news:%(E-Mail Removed)...
>>> Hello,
>>>
>>> I've got a Win2K server with 2 NICs; one is set to 192.168.0.5
>>> and is
>>> connected to the LAN, the other is set to 192.168.200.1 (both
>>> masks
>>> 255.255.255.0). The first works fine; I want to use the second
>>> for VPNs,
>>> but I can't ping it. It's enabled, I can see pings arriving,
>>> but no
>>> response. Any idea why? (No firewalls, BTW).
>>>
>>> Thanks for any suggestions.
>>> --
>>> Regards,
>>> Dean

In news:(E-Mail Removed),
DPM <(E-Mail Removed)> stated, which I commented on below:
> Bill,
>
> I finally figured this out: I have the RRAS server running, and it
> adds filters that block ICMP packets. Adding an exception for ICMP
> allows pings to get through.
>
> I still can't get the RRAS server to answer a connection request, but
> that's another issue.
>
> Thanks for your help. If you've got any insight as to why the
> server's not answering, I'm all ears <g>.
>
> Regards,
> Dean

If I may interject, I would suggest to disable RRAS, and then reconfigure it
without filters to see is you can get the VPN to connect, then apply the
appropriate filters afterwards. This also depends on what type of VPN is
being configured or attempted to connect by, such as whether it's a PPTP or
L2TP VPN. Of course, if L2TP, the IPSec policy should be properly created.
If ICF is enabled, or any other personal firewall installed on the
server/client, that would also block VPN connection attempts.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]