Server with 3 NICs

I have a SBS 2003 Server with 3 Nics, running ISA 2000.
1 Nic for the LAN 10.0.10.120
1 Nic is for the Internet Connection 10.0.100.120
Everythings was working fine
Now I am enabling the third Nic for a second LAN segment
that comes from a router. IP is 10.0.100.121.
In the switch where 10.0.100.121 is there are 3 Server
including this one, and a PC. I can ping everything but
this server; I cann't access this server thru 10.0.100.121
What am I doing wrong, is the IP configuration the
problem? Or is ISA preventing this to happen?

In Networking Advanced, Server Local Area Connection is
first, then Network Connection2, then Network Connection.
Here is ipconfig/all info.

Windows IP Configuration
Host Name . . . . . . . . . . . . : server2
Primary Dns Suffix . . . . . . . : RedmondBCMS.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : RedmondBCMS.local

Ethernet adapter Network Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme
Gigabit Ethernet #2
Physical Address. . . . . . . . . : 00-0F-1F-6A-23-E4
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.100.120
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.100.140
DNS Servers . . . . . . . . . . . : 10.0.10.120
Primary WINS Server . . . . . . . : 10.0.10.120
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme
Gigabit Ethernet
Physical Address. . . . . . . . . : 00-0F-1F-6A-23-E3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.100.121
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.100.210
Primary WINS Server . . . . . . . : 10.0.10.120

Ethernet adapter Server Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000
MT Dual Port Network Connection #2
Physical Address. . . . . . . . . : 00-04-23-A7-68-69
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.10.120
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.10.120
Primary WINS Server . . . . . . . : 10.0.10.120

<(E-Mail Removed)> wrote in message
news:2452401c45f82$c61923a0$(E-Mail Removed)...
> I have a SBS 2003 Server with 3 Nics, running ISA 2000.
> 1 Nic for the LAN 10.0.10.120
> 1 Nic is for the Internet Connection 10.0.100.120
> Everythings was working fine
> Now I am enabling the third Nic for a second LAN segment
> that comes from a router. IP is 10.0.100.121.
> In the switch where 10.0.100.121 is there are 3 Server
> including this one, and a PC. I can ping everything but
> this server; I cann't access this server thru 10.0.100.121
> What am I doing wrong, is the IP configuration the
> problem?

Yes it is all wrong. Your ISA's Internet Connection is 10.0.100.120, yet
this "second segment" is 10.0.100.121,...that is the same subnet so it in
*not* a "second segment" but is the *same* segment as the ISA's Internet
Connection Segment. Therefore to use this IP# you must add that address to
the Internet Nic that is already in the ISA as an "additional IP#". Your
physical cabling must be designed to "agree" with this. In the end you
still have two segments and the ISA still has the same two nics doing the
same thing except that the external Nic will now have two IP#s.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Sorry, my last post may not have addressed what your goal really is. But I
don't know what your goal is. Explain what you want to do and *why*, but
don't bother with the method you tried to use,...let me worry about comming
up with the right method. I just need to know the "what" and not the "how".


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Phillip Windell" <@.> wrote in message
news:O%(E-Mail Removed)...
>
> <(E-Mail Removed)> wrote in message
> news:2452401c45f82$c61923a0$(E-Mail Removed)...
> > I have a SBS 2003 Server with 3 Nics, running ISA 2000.
> > 1 Nic for the LAN 10.0.10.120
> > 1 Nic is for the Internet Connection 10.0.100.120
> > Everythings was working fine
> > Now I am enabling the third Nic for a second LAN segment
> > that comes from a router. IP is 10.0.100.121.
> > In the switch where 10.0.100.121 is there are 3 Server
> > including this one, and a PC. I can ping everything but
> > this server; I cann't access this server thru 10.0.100.121
> > What am I doing wrong, is the IP configuration the
> > problem?
>
> Yes it is all wrong. Your ISA's Internet Connection is 10.0.100.120, yet
> this "second segment" is 10.0.100.121,...that is the same subnet so it in
> *not* a "second segment" but is the *same* segment as the ISA's Internet
> Connection Segment. Therefore to use this IP# you must add that address
to
> the Internet Nic that is already in the ISA as an "additional IP#". Your
> physical cabling must be designed to "agree" with this. In the end you
> still have two segments and the ISA still has the same two nics doing the
> same thing except that the external Nic will now have two IP#s.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>

My goal is
Leave 1 NIC to communicate with the Internet.
Second NIC to communicate with internal LAN.
and third NIC communicate with second LAN, which come
from a remote location via Router.
If you need more details let me know. Thanks


>-----Original Message-----
>
><(E-Mail Removed)> wrote in message
>news:2452401c45f82$c61923a0$(E-Mail Removed)...
>> I have a SBS 2003 Server with 3 Nics, running ISA 2000.
>> 1 Nic for the LAN 10.0.10.120
>> 1 Nic is for the Internet Connection 10.0.100.120
>> Everythings was working fine
>> Now I am enabling the third Nic for a second LAN
segment
>> that comes from a router. IP is 10.0.100.121.
>> In the switch where 10.0.100.121 is there are 3 Server
>> including this one, and a PC. I can ping everything
but
>> this server; I cann't access this server thru
10.0.100.121
>> What am I doing wrong, is the IP configuration the
>> problem?
>
>Yes it is all wrong. Your ISA's Internet Connection is
10.0.100.120, yet
>this "second segment" is 10.0.100.121,...that is the
same subnet so it in
>*not* a "second segment" but is the *same* segment as
the ISA's Internet
>Connection Segment. Therefore to use this IP# you must
add that address to
>the Internet Nic that is already in the ISA as
an "additional IP#". Your
>physical cabling must be designed to "agree" with this.
In the end you
>still have two segments and the ISA still has the same
two nics doing the
>same thing except that the external Nic will now have
two IP#s.
>
>--
>
>Phillip Windell [MCP, MVP, CCNA]
>www.wandtv.com
>
>
>.
>

<(E-Mail Removed)> skrev i melding
news:2452401c45f82$c61923a0$(E-Mail Removed)...
> I have a SBS 2003 Server with 3 Nics, running ISA 2000.
> 1 Nic for the LAN 10.0.10.120
> 1 Nic is for the Internet Connection 10.0.100.120
> Everythings was working fine
> Now I am enabling the third Nic for a second LAN segment
> that comes from a router. IP is 10.0.100.121.
> In the switch where 10.0.100.121 is there are 3 Server
> including this one, and a PC. I can ping everything but
> this server; I cann't access this server thru 10.0.100.121
> What am I doing wrong, is the IP configuration the
> problem? Or is ISA preventing this to happen?
>
> In Networking Advanced, Server Local Area Connection is
> first, then Network Connection2, then Network Connection.
> Here is ipconfig/all info.
>

Why use 10.x.x.x ?? The 10.x.x.x should use 255.0.0.0 mask and then all of
the network is in the same subnet. There is some routers that dont allow to
use 10.x.x.x and 255.255.255.0 mask. So the best thing you can do is use
192.168.x.x with 255.255.255.0 mask and use different subnet on every
network, thats the best solutions.

/Per W.

Forgive me if this is a stupid question.

Why is your subnet mask 255.255.255.0?

Should it not be 255.0.0.0 or are you really using a /24?

TIA.
>-----Original Message-----
>I have a SBS 2003 Server with 3 Nics, running ISA 2000.
>1 Nic for the LAN 10.0.10.120
>1 Nic is for the Internet Connection 10.0.100.120
>Everythings was working fine
>Now I am enabling the third Nic for a second LAN segment
>that comes from a router. IP is 10.0.100.121.
>In the switch where 10.0.100.121 is there are 3 Server
>including this one, and a PC. I can ping everything but
>this server; I cann't access this server thru 10.0.100.121
>What am I doing wrong, is the IP configuration the
>problem? Or is ISA preventing this to happen?
>
>In Networking Advanced, Server Local Area Connection is
>first, then Network Connection2, then Network Connection.
>Here is ipconfig/all info.
>
>Windows IP Configuration
> Host Name . . . . . . . . . . . . : server2
> Primary Dns Suffix . . . . . . . : RedmondBCMS.local
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : RedmondBCMS.local
>
>Ethernet adapter Network Connection 2:
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Broadcom NetXtreme
>Gigabit Ethernet #2
> Physical Address. . . . . . . . . : 00-0F-1F-6A-23-E4
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 10.0.100.120
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 10.0.100.140
> DNS Servers . . . . . . . . . . . : 10.0.10.120
> Primary WINS Server . . . . . . . : 10.0.10.120
> NetBIOS over Tcpip. . . . . . . . : Disabled
>
>Ethernet adapter Network Connection:
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Broadcom NetXtreme
>Gigabit Ethernet
> Physical Address. . . . . . . . . : 00-0F-1F-6A-23-E3
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 10.0.100.121
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . :
> DNS Servers . . . . . . . . . . . : 10.0.100.210
> Primary WINS Server . . . . . . . : 10.0.10.120
>
>Ethernet adapter Server Local Area Connection:
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) PRO/1000
>MT Dual Port Network Connection #2
> Physical Address. . . . . . . . . : 00-04-23-A7-68-69
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 10.0.10.120
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . :
> DNS Servers . . . . . . . . . . . : 10.0.10.120
> Primary WINS Server . . . . . . . : 10.0.10.120
>.
>

"Eric the IT Novice" <(E-Mail Removed)> wrote in message
news:246cc01c45f94$d898fd40$(E-Mail Removed)...
> Forgive me if this is a stupid question.
>
> Why is your subnet mask 255.255.255.0?
>
> Should it not be 255.0.0.0 or are you really using a /24?

If you want to maintain the "classfullness" of the addressing yes. But that
isn't required anymore. That went back to the very early days of TCP/IP
Routing. Newer routers use "Class-less" routing now. So you can pretty
much do what you want.

Besides no one (who knew better) every really used all three octets for
hosts anyway. It was meant to be broken up and distributed as smaller
subnets. Ethernet often starts to suffer from broadcast congestion once the
number of hosts per subnet gets around 300 so keeping it around 250 is good
practice. Since one octet gives "254" it is a good clean way to do it buy
using 255.255.255.0 as the mask.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

To get back to the original question, why do you want to put an extra NIC
in the SBS server when the extra subnet comes in through a router? All you
really need to do is get the routing working between the subnets and add the
extra subnet to the LAT of the proxy server. As Phillip suggested, a
description of your setup (peferably with a simple diagram showing IP
addresses and default routes) would help.

"Phillip Windell" <@.> wrote in message
news:#(E-Mail Removed)...
> "Eric the IT Novice" <(E-Mail Removed)> wrote in
message
> news:246cc01c45f94$d898fd40$(E-Mail Removed)...
> > Forgive me if this is a stupid question.
> >
> > Why is your subnet mask 255.255.255.0?
> >
> > Should it not be 255.0.0.0 or are you really using a /24?
>
> If you want to maintain the "classfullness" of the addressing yes. But
that
> isn't required anymore. That went back to the very early days of TCP/IP
> Routing. Newer routers use "Class-less" routing now. So you can pretty
> much do what you want.
>
> Besides no one (who knew better) every really used all three octets for
> hosts anyway. It was meant to be broken up and distributed as smaller
> subnets. Ethernet often starts to suffer from broadcast congestion once
the
> number of hosts per subnet gets around 300 so keeping it around 250 is
good
> practice. Since one octet gives "254" it is a good clean way to do it buy
> using 255.255.255.0 as the mask.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>

> <(E-Mail Removed)> wrote in message
> news:242aa01c45f93$aea337e0$(E-Mail Removed)...
> > My goal is
> > Leave 1 NIC to communicate with the Internet.
> > Second NIC to communicate with internal LAN.
> > and third NIC communicate with second LAN, which come
> > from a remote location via Router.
> > If you need more details let me know. Thanks

You must have "multi-posted" to the ISA group as well (bad, bad) an I
replied there. If you had crossposted instead (good, good), my reply would
have shown in each group. Here's yesterday's reply that never showed up
here.

---------------------------------------------------------------------------

The way it should be done is to not use the ISA, the ISA is not a LAN
router, it is not a router at all, and shouldn't be used as one. Your
additional remote segment should come into your local segment directly to
another router on your LAN and the ISA should not be involved in any way at
all.

Note: You cannot use the 10.0.100.x address range because that one is
already used as the "Untrusted/External" segment for ISA. So the 10.0.100.x
range is "off limits" for any kind of LAN redesigning.

Then on the ISA, you do two things:

1. Enter the addition address range into the LAT.

2. Then add a Static Route to the routing table on the ISA box that
sets a route to the new subnet via the LAN Router that the connection comes
to.


<subnet #2>
\
[LAN router]--<subnet#1> --<ISA>--<Untrusted subnet> --Internet
/
<subnet #3>


Subnets 1,2,&3 are trusted subnets and represent you LAN and any other
private subnets (remote or local) that you want to add to your LAN.

Assuming the mask is 255.255.255.0 .......
Subnet #1 is 10.0.10.x and the ISA is in this one
Subnets #2 & #3 are whatever you add.
"Untrusted Subnet" is the 10.0.100.x range and can *not* be used for
anything else.

All LAN ("Trusted") subnets must be listed in the ISA's LAT

Static routes to subnets other than #1 are added to the Routing Table of the
OS on the ISA box. This is not an "ISA thing" it is an "OS thing".

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
> To get back to the original question, why do you want to put an extra
NIC
> in the SBS server when the extra subnet comes in through a router? All you
> really need to do is get the routing working between the subnets and add
the
> extra subnet to the LAT of the proxy server. As Phillip suggested, a
> description of your setup (peferably with a simple diagram showing IP
> addresses and default routes) would help.

The original poster must have multi-posted instead of cross-posted so my
reply yesterday didn't show up here. Here is a copy of it:

-----------------------

The way it should be done is to not use the ISA, the ISA is not a LAN
router, it is not a router at all, and shouldn't be used as one. Your
additional remote segment should come into your local segment directly to
another router on your LAN and the ISA should not be involved in any way at
all.

Note: You cannot use the 10.0.100.x address range because that one is
already used as the "Untrusted/External" segment for ISA. So the 10.0.100.x
range is "off limits" for any kind of LAN redesigning.

Then on the ISA, you do two things:

1. Enter the addition address range into the LAT.

2. Then add a Static Route to the routing table on the ISA box that
sets a route to the new subnet via the LAN Router that the connection comes
to.


<subnet #2>
\
[LAN router]--<subnet#1> --<ISA>--<Untrusted subnet> --Internet
/
<subnet #3>


Subnets 1,2,&3 are trusted subnets and represent your LAN and any other
private subnets (remote or local) that you want to add to your LAN.

Assuming the mask is 255.255.255.0 .......
Subnet #1 is 10.0.10.x and the ISA is in this one
Subnets #2 & #3 are whatever you add.
"Untrusted Subnet" is the 10.0.100.x range and can *not* be used for
anything else.

All LAN ("Trusted") subnets must be listed in the ISA's LAT

Static routes to subnets other than #1 are added to the Routing Table of the
OS on the ISA box. This is not an "ISA thing" it is an "OS thing".

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com