
Problem with svr2003 with 2 NICS

Discussion in 'Networking (Hardware & Software)' started by drhixson, 2005/04/23.

Thread Status:
Not open for further replies.
  1. 2005/04/23
    drhixson

    drhixson Inactive Thread Starter

    Joined:
    2005/04/23
    Messages:
    1
    Likes Received:
    0
    Here is the deal. I have a CSU/DSU from the local ISP; the CSU/DSU is connected to a Linksys hub (the hub has DHCP disabled). From the hub there is a cable going to the external port on the WatchGuard x500 firewall. The other port on the firewall is going to the internal network switch. Internet is running fine. Then, I have a Windows 2003 server with 2 NICs. NIC #1 has an internal IP address and is connected to the internal network switch. The gateway is the IP address of the firewall (192.168.1.201). All is running fine. Here is the problem: I want some other offices to be able to VPN via RRAS on the Windows 2003 server. So, on the 2nd NIC on the Windows 2003 server, I plug a cable from NIC #2 to the Linksys hub, and assign another public IP address\gateway\subnet\DNS provided by the ISP (same gateway\sub\DNS as on the firewall). When I enable the 2nd NIC on the server, internet goes down on the server. If I disable the 2nd NIC everything starts running fine again.



    I would rather not have to put another box up just for VPN… can you think of what may be causing this?
     
  2. 2005/04/24
    chicagotech

    chicagotech Inactive

    Joined:
    2005/02/28
    Messages:
    17
    Likes Received:
    0
    You should not use the 2nd NIC to connect to a public IP. You can have 1 NIC to set up VPN. For more information, visit http://www.chicagotech.net.
     


  4. 2005/04/25
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    To flesh out chicagotech's comments: If you set up the server as you suggest, you are effectively bypassing the WatchGuard firewall and exposing the server unprotected on the internet - definitely not a good idea. Whereas it should be possible to get this configuration working (I expect you have your internal computers set to use the server as the default gateway), this would be a wasted effort as there are other more secure options that would not require you to get your suggested configuration working.

    1. Use the WatchGuard x500 firewall's VPN facility. This would be my top choice. WatchGuard firewalls have a good VPN facility and depending on the model (I can find an x50, but not an x500) this will either be bundled with the firewall or an added extra. For example see this datasheet comparing different current X model boxes. WatchGuard (and/or the supplier of the firewall) should be able to give you assistance with setting up the VPN.

    2. Open a VPN connection through the firewall to the Windows server. This will involve setting up a rule to forward the VPN packets from the firewall to the server. I would recommend setting RRAS to only use one VPN protocol as this will simplify the firewall setup and minimise the hole in the firewall. See microsoft.com for information on setting up the VPN.

    With these options, you only need to use the one NIC as the VPN/external traffic will come from the firewall over the internal network.

    Reading around, I see a number of articles suggesting you set up the server as you originally suggest. Certainly if this was a secure VPN box, I'd agree. But personally, I would be very nervous of putting a 2003 server directly onto the internet - even with the SP1 firewall enabled and blocking all but the VPN traffic. Putting a hardware firewall like the WatchGuard unit between the internet and the server is definitely the right way to go. An exception to this would be if the server was running ISA or another good firewall utility.
     
    Last edited: 2005/04/25
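
Added example, not part of the thread: a small audit that reads the IPv4 table from Windows `route print` output and reports the two conditions discussed above, namely more than one default gateway (which a second NIC with its own gateway produces) and an interface whose address is outside the RFC 1918 ranges, meaning it does not sit behind the firewall. The sample table is constructed; `203.0.113.x` is a documentation range standing in for the ISP-assigned address, and the function names are this example's own.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of the "Active Routes" table for the dual-NIC setup in
# the first post. 203.0.113.x is a placeholder for the ISP-assigned address.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.201    192.168.1.10     20
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10     20
      203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10     20
"""

def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) per IPv4 row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, blank or non-route line
        try:
            dest, mask, iface = (ipaddress.IPv4Address(p)
                                 for p in (parts[0], parts[1], parts[3]))
        except ValueError:
            continue
        routes.append((dest, mask, parts[2], iface, int(parts[4])))
    return routes

def is_internal(addr):
    """Loopback, link-local and RFC 1918 addresses count as internal."""
    return (addr.is_loopback or addr.is_link_local
            or any(addr in net for net in RFC1918))

def audit(text):
    routes = parse_routes(text)
    gateways = sorted({r[2] for r in routes if int(r[0]) == 0 and int(r[1]) == 0})
    exposed = sorted({str(r[3]) for r in routes if not is_internal(r[3])})
    return {"default_gateways": gateways,
            "exposed_interfaces": exposed,
            "compliant": len(gateways) <= 1 and not exposed}

if __name__ == "__main__":
    print(audit(SAMPLE_ROUTE_PRINT))
```

With the single-NIC layout both replies recommend, the same audit returns one default gateway (the firewall) and no exposed interfaces.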