2003 RRAS config problem

  • Thread starter Thread starter Armin Linder
  • Start date Start date
A

Armin Linder

Hi everyone,

can anyone help me with the following problem: I set up Routing and
Remote Access on a 2003 server. I can connect from the local as well as
from the Internet side. But when I connect via the Internet I cannot
reach any LAN side client. I can, however, reach and use the tunnel server.

The LAN side is made up of a private IP range. The Internet side uses a
static international Address provided by my ISP, and is attached via a
router which is also the default gateway.

The VPN clients cannot make use of the same IP range as the LAN side of
the RRAS server, because there are not enough IP Adresses left to serve
all remote clients. So I configured the VPN clients to use a separate
range (192.168.2.0/255.255.255.0), and set up static routes pointing to
the RRAS server's LAN address for network 192.168.2.0 on the LAN side. I
guess I got this right. The RRAS server, according to ipconfig, picked
192.168.2.1 as its own address, and I can PING and trace that address
from the LAN side.

When coming from the WAN side, however, I can only trace 192.168.2.1 and
the LAN IP address of the tunnel server. I cannot reach any other
machine on the LAN. It seems like my VPN clients are "isolated" to be
able to use only the tunnel server.

Can anybody advide me how I need to set up this scenatio so I can reach
the whole LAN ..?

Thanks

Armin.
 
If the remote users are on a different subnet from the LAN machines,
there are two things you need to do.

1. Enable IP routing on the RRAS server.
2. Ensure that the LAN machines can route traffic to the remote subnet. This
will only happen automatically if the RRAS server is the default gateway for
the LAN machines. If this is not the case, you need extra routing on the LAN
to get the remote traffic to the RRAS router.
 
Hi Bill,
If the remote users are on a different subnet from the LAN machines,
there are two things you need to do.

1. Enable IP routing on the RRAS server.
Click to expand...

IP Routing is enabled, on the following tabs:

<Server>-Properties-General-Router (enabled)-Lan and demand dial Routing
<Server>-Properties-General-Remote Access Server (enabled)
2. Ensure that the LAN machines can route traffic to the remote subnet. This
will only happen automatically if the RRAS server is the default gateway for
the LAN machines. If this is not the case, you need extra routing on the LAN
to get the remote traffic to the RRAS router.
Click to expand...

Think I got that right too. I can sucessfully ping the RAS server by its
LAN IP adress as well as by the lowest IP adress from the RAS IP range I
have configured. The latter proves, that the LAN routing is set up
correctly to route my VPN IP range wia the tunnel server.

....Armin
 
Additional Info:

if I re-configure the RRAs Server to use IP adresses from the local DHCP
range for the remote clients, I get access to the whole network. However
this is, as mentioned, not possible for the productive environment since
we don't have enough DHCP adresses left to serve all remote clients.

Still stuck ...

....Armin
 
But what is the default gateway setting on the LAN machines? Routing is
a two-way process. The target machine on the LAN must have a route back to
the remote!
 
The default gateway on all machines is a Cisco router (192.168.0.1). On
the Cisco there is static route to my VPN range (192.168.2.0) pointing
to the LAN address of my tunnel server (192.168.0.24).

As I said ... the Tunnelserver has picked the lowest address of my VPN
IP range (192.168.2.1) for itself.

I can trace 192.168.2.1 from any internal (192.168.0.x) client, so I
guess I got the LAN routing set up properly. I cannot, however, trace to
the IP address of a client having dialed in (e.g. 192.168.2.4), nor can
I trace any 192.168.0.x address from the remote client, except the
Tunnel LAN server IP address (192.168.0.24).

To me it seems that the VPN clients are isolated by something (firewall?
policy setting?) to be allowed to access the Tunnel-server only. I dimly
remember that the old RAS server had a setting like "may access the
whole LAN", "may access the tunnel server only".

I just canot find any such setting ...

....Armin
 
That should be OK. Is there a personal firewall on the client? That can
cause this problem.
 
Problem solved.

It hadn't anything to do with the Tunnelserver at all.

Thanks,

Armin Linder
 
Back
Top