Don't add default gateways across disjoint networks
A multihomed computer with two gateways may cause a connectivity problem
It is not recommended that you add default gateways across disjoint
networks. Proxy servers and multihomed computers are typically configured
to connect two or more subnets: one public Internet and one or more private
intranets. In this situation, you should not assign default gateways on the
private interfaces, as doing so may result in improper routing on your
network.
The multihomed computer can't access the Internet.
The remote computer can't establish a VPN connection or Remote Desktop
Connection on the multihomed computer because no route returns or can't
possible both sites of the VPN using the same IP range
Theoretically, you should not set up both sites to use the same IP
range. However, if this is the case, you can modify the routing table
manually and accordingly. For the consultants, refer to case
Metric is the same for both the remote gateway and the local gateway
Symptom: Whenever connecting to the VPN server,
my laptop's routing table shows that the Interface Metric is the same for
both the remote gateway and the local gateway, and I can't access the remote
Resolution: If you unchecked the "use default gateway on remote network"
option in the properties of the VPN connection and you set up the Automatic
Metric manually, you may have the same Metric. Check the "use default
gateway on remote network" option and you should be able to access the
remote network.
One router goes to the corporation email server and another one goes to the
Symptoms: You have one router connecting to the corporation for email and
Internet access. However, the corporate Proxy server filters web sites
and watches your access. Then, you add another router for Internet access
and want to use the corporate router for email only, but the traffic
always goes to the corporation router.
Resolution: You need to modify the routing table. Make all traffic go to
the Internet and point the email server to the corporation IP range.
For consultants, refer to the case 110104TC.
Route command and examples
PRINT   Prints a route - route PRINT 157* .... Only prints those matching 157*
ADD     Adds a route - route ADD 22.214.171.124 MASK 255.0.0.0 126.96.36.199 METRIC 3
DELETE  Deletes a route - route DELETE 188.8.131.52
CHANGE  Modifies an existing route - route CHANGE 184.108.40.206 MASK 255.0.0.0 220.127.116.11 METRIC 2 IF 2
Routing issue if the LAN and VPN are in different subnets
If your LAN is 10.0.0.0 and VPN is 192.168.1.0, you must enable the RRAS
server as a LAN router as well as a remote access server.
The Automatic Metric feature is enabled by default in XP, and it can also be
manually configured to assign a specific metric if the routing table
contains multiple routes for the same destination. For example, if you have
a computer with a 10 MB NIC and a 100 MB NIC, and the computer has a default
gateway that is configured on both NICs, you may want to assign a higher
metric to the slower NIC. This will force all of the traffic to use the
faster NIC to access the Internet. The traffic will use the slower NIC only
if the faster NIC is not available. Also refer to MS Q299540.
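
The metric behaviour described above, and the equal-metric symptom in "Metric is the same for both the remote gateway and the local gateway", can be checked against saved route PRINT output. The following Python script is an added example, not part of the original page: it assumes the five-column IPv4 "Active Routes" layout, the sample rows and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of "Active Routes" rows as printed by `route PRINT`
# (Network Destination, Netmask, Gateway, Interface, Metric); addresses are made up.
SAMPLE = """\
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     20
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.50     20
         10.0.0.0        255.0.0.0        10.0.0.50       10.0.0.50     20
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50     20
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, separator or blank line
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
        except ValueError:
            continue  # first two columns are not a destination and netmask
        routes.append((net, parts[2], parts[3], int(parts[4])))
    return routes

def candidates(routes, dest):
    """Routes left after longest-prefix match, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matching = [r for r in routes if addr in r[0]]
    if not matching:
        return []
    longest = max(r[0].prefixlen for r in matching)
    best = [r for r in matching if r[0].prefixlen == longest]
    lowest = min(r[3] for r in best)
    return [r for r in best if r[3] == lowest]

def default_gateway_report(routes):
    """'ok': at most one default route; 'multiple': several, metrics pick one;
    'tie': several share the lowest metric, so the table alone does not decide."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if len(defaults) < 2:
        return "ok"
    lowest = min(r[3] for r in defaults)
    return "tie" if sum(r[3] == lowest for r in defaults) > 1 else "multiple"

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    print(default_gateway_report(table))
    for route in candidates(table, "203.0.113.10"):
        print("candidate default route via", route[1], "metric", route[3])
```

A "tie" or "multiple" result on a machine that connects a public and a private network is the configuration the first section of this page advises against.
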
If you have two NICs in the same subnet on one w2k/xp computer, you may
wonder which NIC is being used as the primary NIC to access the Internet. In
most cases, when adding the second NIC on a w2k/xp computer, the first one
is the primary NIC. You may change the order by going to the Advanced menu
of the Network Connection>Advanced Settings>Adapter and Bindings. If the
settings don't work (by default, the faster NIC will be chosen as the primary
NIC) or if you want to override the settings, you can assign the metric #
manually by going to the Properties of the Network Connection>the Properties of the
We have a PIX 515. What's the command to block outside people ping public
To block outside people from pinging your public IP, do one of the following:
1) By default it should deny pings.
2) conduit permit icmp any any echo-reply, and icmp deny any echo outside.
3) access-list acl_outside deny icmp any OUTSIDE_IP_ADDR.
4) Add access-list acl_outside deny icmp any any.