ICS quandary

Brian

It sure seems like I should be able to do this but I cannot get it to work.
I have a Win2K Pro machine connected via cable modem and static IP with 2
NICs. Nic 1 to the cable modem/static IP and Nic 2 to an internal network
pulling an IP from winproxy. I can easily live without Nic 2 if it would
help.
I connected a brand new USR v.92 to the 2K Pro machine and set up an
Incoming Connection. I set Nic 1 to share its stuff and play nice. Taking
Nic 2 out of the machine causes Nic 1 not to have a sharing tab btw.
Now I dial into 2K pro from XP pro, make a nice quick clean connection that
shows data moving to and fro in the status box BUT I can't do anything over
the net from the XP machine. It acts like there is no DNS, it just cannot
find hosts.

All I want to do is connect to my own network from hotels to avoid paying
for an isp and hotel phone charges. If I get this working I'll put a toll
free # on the modem.

Thanks for any help
Brian

P.S. No virus scanners or firewalls involved.
 
Rob Elder, MVP-Networking

ICS doesn't support two configurations with two modems. That's why you lost
the sharing option.
 
Brian

It's 2 NICs and 1 modem. It takes away the sharing option when I take the
second Nic out leaving 1 Nic and 1 Modem.

With 2 Nics I have sharing set up on the external Nic and can dial in and
connect by modem but the dialup connection does not have access to the
internet.
 
Marc Reynolds [MSFT]

Not sure if you are going to get this working with ICS or not. In Windows
2000 Server with RRAS/NAT you can do this only after applying a specific
netsh command. See 310888 How to Use NAT for Incoming RAS Connections on the
Same RRAS Server
http://support.microsoft.com/?id=310888

I have never tested this with Win2K Pro and ICS though..

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Bill Grant

I agree with Marc. I don't think you will get this working with ICS.

The problem is that the dialup connection is not recognised as an input
to the address translation to enable Internet access. (Only the private NIC
is an input to the address translation.) So the dialup connection cannot
route through the Internet, because it only has a private IP.

With RRAS/NAT, you can fix this with the netsh command described in
KB31088. This makes the dialup private interface an input to the address
translation process. You can't use this with ICS. It will probably just tell
you NAT can't be found.
 
Kurt

I've never tried it, but I'll take the role of the protagonist here and say
that I think you could get it to work, but it'll take a little
unconventional thinking. When you dial in, do you get an IP address on the
LAN (you can ping the W2K box)? If that is the case, you should be able to
manually specify the default route as the private interface (NIC2) as the XP
pro's default gateway. (from command line > ip route 0.0.0.0 mask 0.0.0.0
<NIC2 IP Address>). You would also need to manually set your DNS server to
point to your ISP's (cable provider's) DNS server. That might route packets
via the shared connection. It's worth a try.

....kurt
 
Kurt

Sorry, that command line to add a default route in windows is

route add 0.0.0.0 mask 0.0.0.0 <ip address of NIC2>

Got routers on the brain.
 
Bill Grant

The problem isn't the routing, it is address translation. The packet may
be routed to the Internet, but it will then be lost because it is a private
IP. Because the client and the LAN machines are already in the same IP
subnet, you can't really use routing. The client uses proxy ARP to contact
LAN machines in the same subnet.

NAT and ICS enable the private packet to use the "server's" public IP.
In ICS, this just happens and is not configurable. In RRAS/NAT, you
configure which interfaces are the private side input to NAT, and which
interface(s) are public.

The netsh command described in KB 310888 is a method to make the
"internal" interface (to which the RAS client connects) an input to NAT, so
that it uses a public IP externally. This is required because you cannot
"see" this interface in the NAT display in the RRAS console. (This has been
fixed in W2k3. You can now do it from the console.)

The only other method which works involves using demand-dial interfaces.
But this solution is only possible with RRAS/NAT, not ICS.
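
Added illustration (not part of the post above and not Microsoft code): a toy Python model of the point being made, that only interfaces designated as private inputs feed the address translation, so a dial-in client's packet leaves with its private source address and no reply can return. The interface names "LAN" and "Internal", every address and the port numbers are constructed assumptions.

```python
import ipaddress

# RFC 1918 ranges: packets leaving with these source addresses get no reply.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class NatBox:
    """Toy model: only interfaces in private_inputs feed address translation."""

    def __init__(self, public_ip, private_inputs):
        self.public_ip = public_ip
        self.private_inputs = set(private_inputs)
        self.table = {}          # (src_ip, src_port) -> public source port
        self.next_port = 50000

    def forward(self, in_iface, src_ip, src_port):
        """Return the (ip, port) source the packet carries on the public side."""
        if in_iface not in self.private_inputs:
            return src_ip, src_port          # routed out untranslated
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key]

def reply_can_return(src_ip):
    """A reply can find its way back only to a non-RFC 1918 source."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in RFC1918)

def trace(private_inputs):
    """Send one DNS query from a LAN host and one from the dial-in client."""
    box = NatBox("203.0.113.10", private_inputs)   # constructed public IP
    results = {}
    for name, iface, ip in (("lan_host", "LAN", "192.168.0.20"),
                            ("dialin_client", "Internal", "192.168.0.50")):
        out_ip, _ = box.forward(iface, ip, 1053)
        results[name] = (out_ip, reply_can_return(out_ip))
    return results

ICS_LIKE = trace({"LAN"})                   # dial-in interface not a NAT input
RRAS_FIXED = trace({"LAN", "Internal"})     # dial-in interface added as input

if __name__ == "__main__":
    print(ICS_LIKE)
    print(RRAS_FIXED)
```

In the first case the dial-in client's query leaves with source 192.168.0.50 and is never answered, which matches the "acts like there is no DNS" symptom in the original question.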
 
Kurt

I agree, and RRAS allows interfaces (like demand dial) to be created as
virtual, i.e. a demand dial vpn. Just to illustrate. I have a windows 2000
box with ICS providing NAT and public routing for the other 5 computers on
my LAN (3 XP pro, a 2k server domain controller, and a redhat 9). It has the
windows default Inside address of 192.168.0.1, and we'll call it server1. On
my other 2k server at 192.168.0.100 (server2), I have a VPN to my LAN at
work. The VPN uses ICS on the other server for its link to the Internet.
When the VPN is up, server2 has an IP address on my work LAN for the virtual
interface-the "VPN adapter" (10.x.x.x). Now for the tricky part. I share the
VPN connection with ICS on server2 just as I would share a real internet
connection, and I have a static route on server1 as:

route add 10.0.0.0 mask 255.0.0.0 192.168.0.100

which routes any traffic bound for the 10.0.0.0/8 network to server2, which
in turn NATs it to its 10.x.x.x address and forwards it through the tunnel
to my work LAN (would that be a backward forward? : ) )

This enables me to access the work LAN from any of the computers on my LAN,
and a tracert to 10.z.z.z turns up something like:
192.168.0.1
192.168.0.100
10.y.y.y
10.z.z.z

where 10.y.y.y is the remote end of the VPN tunnel, and 10.z.z.z is some
host on the network at work.

So my reasoning is that if the remote machine has an IP address on his home
LAN, as with a VPN connection, then the private interface of the ICS box
should appear to be a local address to the remote box. By specifying that
private interface as the remote's default gateway, it should pass through
the ICS NAT and back just as if it were a local computer on the home LAN.
Now this might require a computer other than the ICS box for the dial-in
connection, and I've never tried this with a dial-in, but it might work. I'm
certain it would work with a separate remote access dial-in server as long
as the remote gets a local IP address.

....kurt
 
Andrew W

Brian said:
It sure seems like I should be able to do this but I cannot get it to work.
I have a Win2K Pro machine connected via cable modem and static IP with 2
NICs. Nic 1 to the cable modem/static IP and Nic 2 to an internal network
pulling an IP from winproxy. I can easily live without Nic 2 if it would
help.
I connected a brand new USR v.92 to the 2K Pro machine and set up an
Incoming Connection. I set Nic 1 to share its stuff and play nice. Taking
Nic 2 out of the machine causes Nic 1 not to have a sharing tab btw.
Now I dial into 2K pro from XP pro, make a nice quick clean connection that
shows data moving to and fro in the status box BUT I can't do anything over
the net from the XP machine. It acts like there is no DNS, it just cannot
find hosts.

All I want to do is connect to my own network from hotels to avoid paying
for an isp and hotel phone charges. If I get this working I'll put a toll
free # on the modem.

Thanks for any help
Brian

P.S. No virus scanners or firewalls involved.

If you are trying to dial in to your lan to access its internet connection
then this is possible because I set it up for my manager at work.
The only difference there is that her office lan has a router.

It should be as simple as putting the dns server addresses of your ISP into
the client PC's DNS fields and also the gateway address (e.g. 192.168.0.1).
NT based OS's have trouble picking up DNS addresses.
Often it has to be done even for PCs on the lan to be able to browse the
web.



--
Andrew Werner.
Religion investigator, dogma police and thought provocateur.

Imagination is more important than knowledge.
- Albert Einstein

Religion Exposed!
http://members.optusnet.com.au/ajwerner/
 