Freedom
Hello,
We have a W2K Server SP4 domain controller, which does RRAS VPN, internal
private AD DNS, DHCP, and Exchange 2K, all running behind an Intel Firewall.
We are having many problems with maintaining good VPN connections with our
remote users. I am quite certain that problems are not firewall related, as
all users can successfully connect via VPN, and also all is working related
to other LAN/WAN services. LAN is using 10.0.0.x subnet. RRAS relies on
DHCP to hand out IPs to VPN clients, all of whom are W2K Pro or WinXP Pro
clients using DHCP.
Problem is: Some VPN users at home use SOHO firewalls. At home they
receive 192.168.x.x DHCP from their SOHO firewalls, and VPN through them to
us. The DNS server frequently (but not always) registers their 192.168.x.x
IP from home instead of their 10.0.0.x IP from the local RRAS/DHCP. As a
result, they can send traffic in, but cannot receive traffic back. RRAS
properties for the connected tunnel properly show the 10.0.0.x IP for the
VPN session, and we can successfully ping and route packets via IP, but if
any traffic goes by Hostname, it fails due to wrong IP resolution. If we
manually delete the 192.168.x.x A record in DNS, and replace it with the
proper 10.0.0.x A record, it fixes the routing problem, but does not prevent
the RRAS/DNS from improperly registering a non-LAN IP in the future.
Question: How do we prevent our internal DNS server from dynamically adding
A records with remote/foreign LAN IPs, or from adding IPs that are outside
of our defined 10.0.0.x LAN subnet?
Thank you in advance!
-- Freedom
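A check that would surface the symptom described in the post, added here as an example (not code from the poster): it lists every A record in the zone whose address lies outside the LAN prefix, such as a VPN client's home 192.168.x.x address. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, which the W2K server in the post does not have); the zone name is a placeholder, and the /24 prefix is assumed from the post's "10.0.0.x" wording.

```powershell
# Added example, not from the original post. Reports A records outside the
# approved LAN prefix so foreign (e.g. home 192.168.x.x) registrations are
# visible before they break name resolution for VPN clients.

function ConvertTo-UInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)      # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet {
    param([string]$Address, [string]$Cidr)    # e.g. 10.0.0.17 , 10.0.0.0/24
    $net, $bits = $Cidr -split '/'
    # Build the netmask in 64-bit arithmetic to avoid overflow on the shift.
    $mask = ([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band [uint64]0xFFFFFFFF
    return ((ConvertTo-UInt32 $Address) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

function Get-ForeignARecord {
    param(
        [string]$ZoneName = 'corp.example',   # placeholder: the internal AD zone
        [string]$LanCidr  = '10.0.0.0/24'     # assumed from the post's 10.0.0.x LAN
    )
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        Where-Object {
            -not (Test-InSubnet $_.RecordData.IPv4Address.IPAddressToString $LanCidr)
        } |
        ForEach-Object {
            [pscustomobject]@{
                HostName  = $_.HostName
                Address   = $_.RecordData.IPv4Address.IPAddressToString
                Timestamp = $_.Timestamp     # set for dynamic records, empty for static
            }
        }
}

# Report only. To remove a flagged dynamic record, preview first with -WhatIf:
#   Remove-DnsServerResourceRecord -ZoneName 'corp.example' -RRType A `
#       -Name $r.HostName -RecordData $r.Address -Force -WhatIf
Get-ForeignARecord | Format-Table -AutoSize
```

Run it on a schedule to catch re-registrations; deleting the record, as the post notes, does not stop the client from registering its home address again.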