How to set up Internal and External NIC's
Hi Guys,
I've been on holidays for the last few months (I LOVE not having to be in the office!) and I have now been called upon by an acquaintance to help him with his network... problem is though, I've been out of action for 6 months or so - and I'm a little rusty... so I'm in desperate need of your help.
I ran him through a new Server 2003 install, set up DHCP and installed ISA 2004. I haven't configured ISA yet, I've just created a couple of rules to override the default "DENY ALL" rule.
The server has two NICs - one is the internal facing and the second is external.
On the internal, he has set it up like this:
IP: 192.168.0.1 / 255.255.255.0
default g/w: 192.168.0.1
DNS: (he entered the ISP's DNS server addresses)
EXTERNAL:
IP: static IP (assigned by ISP)
mask: 255.255.255.248
default g/w: static (assigned by ISP)
DNS: (he entered the ISP's DNS addresses, same as for the internal NIC)
1. Does that sound about right? How should the two NICs normally be set up?
2. Also, he doesn't have a domain controller set up.... does that mean he cannot set up the server as a DNS server?
3. DHCP stopped working all of a sudden.... the service is started, clients don't get an IP... it was literally working one second and not working the next. No errors in the event log - are there specific logs for DHCP that I can look at?
It looks like in DHCP, he added a DNS server (the external IP addresses of his ISP) which I thought was incorrect but he insisted on???
The main thing, I think, is to sort out the IPs of the two NICs... I'm not exactly sure how they should be set up (I've never set up a server that wasn't a domain controller) so I'm not sure what settings to set up on each NIC for DNS......
Thanks in advance for your help.
Comments
Khattab wrote:
One more thing....
What I'm also not sure about is..... how are requests supposed to get out to the internet?
What I mean is, the clients obviously point to the internal NIC, but then how does that request get redirected to the external NIC? (I'm not asking for a low-level, detailed answer.... just a high level basic answer will do fine).
Thanks!
sprkymrk wrote:
The external NIC should not have any DNS entry.
The Internal NIC should have a DNS entry pointing to the internal DNS server.
You should have an internal DNS server that forwards requests to your ISP's DNS servers.
You also have to create rules for anything the ISA server does, including making it a DHCP server.
You don't have to have a DC to run DNS, but again, doing anything other than "firewalling" on an ISA server is going to take some work in order to configure it.
This may help with your NIC setup:
http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html
All things are possible, only believe.
sprkymrk wrote:
Khattab wrote:
One more thing....
What I'm also not sure about is..... how are requests supposed to get out to the internet?
What I mean is, the clients obviously point to the internal NIC, but then how does that request get redirected to the external NIC? (I'm not asking for a low-level, detailed answer.... just a high level basic answer will do fine).
Thanks!
The ISA server acts as a router for the traffic you allow.
There are 3 client types:
Secure NAT
Firewall Client
Web Proxy
Which one(s) you use will determine how the client interacts with the firewall.
All things are possible, only believe.
SWM wrote:
I would also remove the gateway address from the LAN NIC. The WAN NIC needs the gateway to find the router/modem etc.
From memory, when a server is configured with two gateways you should get a warning prompt...
Isn't Bill such a Great Guy!!!!
royal wrote:
Another tip for multiple NICs, especially for DMZ systems talking to the internal network and to the internet. Since the external facing NIC has the gateway, all internal traffic will hit that gateway as well. Since this gateway will be the internet facing gateway, it'll have stricter port rules. So for example, if you need authentication traffic to go to the internal network, you'll want to create static routes so all traffic destined for internal subnets will go to an internal facing router that allows this type of traffic.
"For success, attitude is equally as important as ability." - Harry F. Banks
Khattab wrote:
Thanks very much for the advice....
It's all working like a treat at the moment....
Let's hope it stays that way
HeroPsycho wrote:
A. If you really want your ISA server to be a good firewall, you really shouldn't run any additional services on it, such as DHCP.
B. Set the binding order of the NICs so that whichever NIC has the DNS entries (and only one NIC should have DNS entries configured) is at the top of the binding order.
Good luck to all!
d4nmf wrote:
Internal NIC DNS pointed at itself should be okay, and maybe a secondary as the router's internal address... 192.168.1.254 for example.
External NIC I always put the ISP's DNS servers in, and also insert them into DNS under forwarders...
HeroPsycho wrote:
Internal NIC pointed to itself for DNS implies the ISA server itself is the DNS server. Again, not a good idea to run additional services on your ISA server if you want it to be a good firewall. Last I checked, a PIX for example isn't a DNS server, and there are good security reasons for that.
You absolutely should not specify DNS servers on more than one NIC on the ISA server. Specifying both internal and external DNS servers is also an invalid configuration.
"No matter how many network adapters you have, only assign DNS servers to a single adapter (it doesn’t matter which one). There is no need to set up DNS on all network adapters.
Always point DNS to either internal servers or external servers, never to both."
http://www.microsoft.com/technet/isa/2004/plan/configuring_dns.mspx#EDC
d4nmf, I highly recommend you review the MS docs about ISA. If you've been doing that, you've got cleaning up to do...
Good luck to all!
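As an added example (my own code, not from anyone in this thread and not from Microsoft's ISA documentation), the script below turns the advice in sprkymrk's, SWM's and HeroPsycho's replies into an audit that can be run over a description of a dual-NIC host: DNS servers on one NIC only and never on the external NIC, DNS servers either all internal or all external, and a default gateway only on the WAN NIC. It then models royal's static-route point with a longest-prefix-match lookup, showing that without the route a packet for an internal subnet leaves via the ISP gateway. It reads a hand-built NIC list rather than the live adapter settings; every address in it is constructed, with the public ones taken from documentation ranges, and the internal resolver 192.168.0.2 and internal router 192.168.0.254 are assumptions.

```python
"""Added example, not code from the thread or from Microsoft: audit a
dual-NIC ISA host's IP settings against the rules given in the replies,
then show with a longest-prefix-match lookup why a static route is
needed to keep internal traffic off the ISP gateway.  Every address here
is constructed; the public ones come from documentation ranges."""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed NIC settings mirroring the original post: ISP DNS servers on
# both NICs and a default gateway on the internal NIC as well.
NICS = [
    {"name": "Internal", "role": "internal", "ip": "192.168.0.1",
     "mask": "255.255.255.0", "gateway": "192.168.0.1",
     "dns": ["203.0.113.53", "203.0.113.54"]},
    {"name": "External", "role": "external", "ip": "198.51.100.10",
     "mask": "255.255.255.248", "gateway": "198.51.100.9",
     "dns": ["203.0.113.53", "203.0.113.54"]},
]


def is_internal(addr):
    """True for RFC 1918 addresses (what the thread calls internal DNS servers)."""
    return any(ip_address(addr) in net for net in RFC1918)


def audit_nics(nics):
    """Return a list of findings; an empty list means the layout passes."""
    findings = []
    with_dns = [n["name"] for n in nics if n["dns"]]
    if len(with_dns) > 1:
        findings.append("DNS servers configured on more than one NIC: "
                        + ", ".join(with_dns))
    with_gw = [n["name"] for n in nics if n["gateway"]]
    if len(with_gw) > 1:
        findings.append("default gateway configured on more than one NIC: "
                        + ", ".join(with_gw))
    for n in nics:
        if n["role"] == "external" and n["dns"]:
            findings.append(f"{n['name']}: external NIC should have no DNS entries")
        if n["role"] == "internal" and n["gateway"]:
            findings.append(f"{n['name']}: internal NIC should have no default gateway")
    # The host's DNS servers must be all internal or all external, never mixed.
    kinds = {is_internal(d) for n in nics for d in n["dns"]}
    if len(kinds) > 1:
        findings.append("DNS servers mix internal and external addresses")
    return findings


def corrected(nics, internal_dns):
    """Rewrite the NIC list the way the replies recommend: DNS only on the
    internal NIC (pointing at an internal resolver that forwards to the ISP),
    default gateway only on the external NIC."""
    fixed = []
    for n in nics:
        n = dict(n)
        if n["role"] == "internal":
            n["gateway"] = None
            n["dns"] = [internal_dns]
        else:
            n["dns"] = []
        fixed.append(n)
    return fixed


def next_hop(routes, destination):
    """Pick a next hop the way a host route table does: the matching route
    with the longest prefix wins.  routes is a list of (network, gateway)."""
    dest = ip_address(destination)
    best = None
    for net, gw in routes:
        net = ip_network(net)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


# Before: only the WAN default route and the on-link LAN exist, so a packet
# for an internal authentication server on 10.10.0.0/16 (constructed) leaves
# through the ISP gateway.  After: a static route sends that subnet to an
# assumed internal router at 192.168.0.254 instead.
ROUTES_BEFORE = [("0.0.0.0/0", "198.51.100.9"), ("192.168.0.0/24", "on-link")]
ROUTES_AFTER = ROUTES_BEFORE + [("10.10.0.0/16", "192.168.0.254")]

if __name__ == "__main__":
    for f in audit_nics(NICS):
        print("FINDING:", f)
    print("corrected layout findings:", audit_nics(corrected(NICS, "192.168.0.2")))
    print("10.10.0.5 before:", next_hop(ROUTES_BEFORE, "10.10.0.5"))
    print("10.10.0.5 after: ", next_hop(ROUTES_AFTER, "10.10.0.5"))
```

Run as-is it reports four findings for the poster's layout (DNS on both NICs, a gateway on both NICs, DNS on the external NIC, a gateway on the internal NIC) and none for the corrected one; the route lookup returns the ISP gateway for 10.10.0.5 before the static route is added and the internal router afterwards. The RFC 1918 test is deliberately explicit rather than relying on the library's private-address flag, which also covers the documentation ranges used here for the "external" addresses.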
sprkymrk wrote:
d4nmf wrote:
Internal NIC DNS pointed at itself should be okay, and maybe a secondary as the router's internal address... 192.168.1.254 for example.
External NIC I always put the ISP's DNS servers in, and also insert them into DNS under forwarders...
That's an insecure setup and not recommended. Check out some of the links I posted earlier.
EDIT: I jumped the gun, HeroPsycho already addressed it. Thanks HeroPsycho.
All things are possible, only believe.