Mike B.
Hi all again,
With only one physical Internet connection and one Windows 2000 Advanced
Server (PDC), I need to setup VPN access to a local LAN while keeping
unauthenticated VPN traffic OFF the LAN where Client PC's are located. I
have three Hardware Routers to use. I know it's NOT advised to
use a PDC for this, but this is all we have. I also know that it would be
much easier to use just one NIC, but the client wants (needs) to
have unauthenticated VPN traffic OFF the LAN. Previous attempts have failed,
so I'm wondering if this new setup should/will work?
Thanks for any help,
Mike B.
I.D.M. Technologies
Milwaukee, WI, USA
Previous question in newsgroup with old setup:
RE: RRAS as VPN Server Configuration Questions
Subnet Mask 255.255.255.0 for EVERYTHING
Because LAN PC's also VPN out:
IPSec - Passthrough on all Hardware Routers
PPTP - Passthrough on all Hardware Routers
PPPoE - Passthrough on all Hardware Routers
*** Router #1 gets feed from Internet.
*** Router #2 and #3 connect to LAN ports on Router #1.
Router #1
---------
For now, until VPN is set up; then client will get a static IP.
(External Address: Set by ISP; dns: Set by ISP)
(Internal Address: 192.168.118.1)
External Port 1723 Forwarded to Port 1723 on 192.168.118.2 (Router #2)
Router #2
---------
(External Address: 192.168.118.2 dg 192.168.118.1 dns 192.168.118.1)
(Internal Address: 192.168.119.1)
Static Route: 192.168.120.0 255.255.255.0 192.168.119.2 on LAN
External Port 1723 Forwarded to Port 1723 on 192.168.119.2 (RRAS)
Router #3
---------
(External Address: 192.168.118.3 dg 192.168.118.1 dns 192.168.118.1)
(Internal Address: 192.168.120.1)
Static Route: 192.168.119.0 255.255.255.0 192.168.120.2 on LAN
Windows 2000 Advanced Server
----------------------------
- 2 NICs
Connection Name: WAN (192.168.119.2 dg 192.168.119.1)
Connection Name: LAN (192.168.120.2 dg Blank)
- PDC (domain: abc.local) with Active Directory
- DHCP (Bindings to both NICs 192.168.119.2 and 192.168.120.2)
Scope 192.168.119.0 (pool: 192.168.119.10 - 192.168.119.254)
Scope Options:
(003 Router) 192.168.119.1
(004 Time Server) 192.168.119.2
(005 Name Servers) 192.168.119.2
(006 DNS Server) 192.168.119.2
(007 Log Servers) 192.168.119.2
(042 NTP Servers) 192.168.119.2
(044 WINS/NBNS Servers) 192.168.119.2
(015 DNS Domain Name) is abc.local.
Scope 192.168.120.0 (pool: 192.168.120.10 - 192.168.120.254)
Scope Options:
(003 Router) 192.168.120.1
(004 Time Server) 192.168.120.2
(005 Name Servers) 192.168.120.2
(006 DNS Server) 192.168.120.2
(007 Log Servers) 192.168.120.2
(042 NTP Servers) 192.168.120.2
(044 WINS/NBNS Servers) 192.168.120.2
(015 DNS Domain Name) is abc.local.
- DNS (Listen on Both NICs 192.168.119.2 and 192.168.120.2)
One Forward Lookup Zone
"Name Servers" property page includes one entry with both IP's
Two Reverse Lookup Zones
120.168.192-in-addr.arpa
119.168.192-in-addr.arpa
- WINS
- RRAS
Configured on 192.168.119.2 using DHCP
Router - LAN and demand-dial routing and Remote Access Server
Windows Authentication
Use the following adapter to obtain DHCP, DNS, and WINS addresses
for dial-up clients. Adapter: WAN
Modified Policy to only allow one domain group for Remote Access
DHCP Relay Agent configured for 192.168.119.2
WAN interface only
IGMP
WAN - IGMP Router
LAN - IGMP Router
Need HELP with the rest of RRAS configuration?
==================================================================
Router #1
|
|
Router #2
|
|
Strictly for VPN Clients (dhcp clients 192.168.119.2 *see above)
VPN Clients do NOT "use default gateway on remote network" - which
allows them to access their local LAN and Internet connection?
|
|
192.168.119.2 dg 192.168.119.1
Windows 2000 Advanced Server
192.168.120.2 dg blank
|
|
Clients (dhcp clients 192.168.120.2 *see above)
|
|
Router #3
|
|
Router #1
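As an added illustration (not part of Mike's post, and not code from Microsoft or any router vendor), the following Python script models the routing tables and port forwards described above and traces where packets actually go. The addresses and static routes are the ones in the post; the ISP-side next hop of Router #1 is an assumed placeholder (a TEST-NET-3 address), and the model (longest-prefix match, one lookup per hop, no NAT state) is a deliberate simplification of what the hardware routers do. It is useful for checking the two things the design depends on: that inbound PPTP (TCP 1723) is handed from Router #1 to Router #2 to the RRAS NIC, and that the static routes on Router #2 and Router #3 are what keep the 192.168.119.0 and 192.168.120.0 subnets reachable through the dual-NIC server instead of being sent toward the Internet.

```python
"""Routing trace for the three-router, two-NIC RRAS layout in the post above.

Added example, not from the original post. Addresses and static routes come
from the post; INTERNET is an assumed placeholder for Router #1's ISP-side
next hop, and the model is a simplification (longest-prefix match, one
lookup per hop, no NAT or ARP behaviour).
"""
from ipaddress import ip_address, ip_network

INTERNET = "203.0.113.1"  # assumed placeholder (TEST-NET-3), not from the post

# Routing tables: (prefix, next_hop). next_hop None means directly connected.
ROUTES = {
    "Router #1": [("192.168.118.0/24", None), ("0.0.0.0/0", INTERNET)],
    "Router #2": [("192.168.118.0/24", None), ("192.168.119.0/24", None),
                  ("192.168.120.0/24", "192.168.119.2"),   # static route from the post
                  ("0.0.0.0/0", "192.168.118.1")],
    "Router #3": [("192.168.118.0/24", None), ("192.168.120.0/24", None),
                  ("192.168.119.0/24", "192.168.120.2"),   # static route from the post
                  ("0.0.0.0/0", "192.168.118.1")],
    "RRAS":      [("192.168.119.0/24", None), ("192.168.120.0/24", None),
                  ("0.0.0.0/0", "192.168.119.1")],         # WAN NIC default gateway
}

# Which node answers for which interface address (turns a next hop into a node).
OWNERS = {
    "192.168.118.1": "Router #1",
    "192.168.118.2": "Router #2", "192.168.119.1": "Router #2",
    "192.168.118.3": "Router #3", "192.168.120.1": "Router #3",
    "192.168.119.2": "RRAS", "192.168.120.2": "RRAS",
    INTERNET: "Internet",
}

# Port forwards from the post: (node, TCP port) -> target address.
PORT_FORWARDS = {
    ("Router #1", 1723): "192.168.118.2",
    ("Router #2", 1723): "192.168.119.2",
}


def lookup(node, dst, routes=ROUTES):
    """Longest-prefix match in node's table; returns (network, next_hop) or None."""
    best = None
    for prefix, nh in routes[node]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace(start, dst, routes=ROUTES, max_hops=8):
    """Nodes a packet to dst visits, beginning at the first router it hits.

    Ends with 'delivered' (destination directly connected to the last node),
    'Internet' (left via the ISP link) or 'dropped' (no usable route).
    """
    path, node = [start], start
    for _ in range(max_hops):
        hit = lookup(node, dst, routes)
        if hit is None:
            return path + ["dropped"]
        _, nh = hit
        if nh is None:
            return path + ["delivered"]
        nxt = OWNERS.get(nh)
        if nxt is None:
            return path + ["dropped"]  # next hop is not on any link we know about
        if nxt == "Internet":
            return path + ["Internet"]
        node = nxt
        path.append(node)
    return path + ["loop?"]


def inbound_chain(port):
    """Follow port-forward rules for a packet arriving from the Internet at Router #1."""
    node, chain = "Router #1", ["Router #1"]
    while (node, port) in PORT_FORWARDS:
        node = OWNERS[PORT_FORWARDS[(node, port)]]
        chain.append(node)
    return chain


def drop_route(routes, node, prefix):
    """Copy of the tables with one static route removed, to show why it is needed."""
    out = {n: list(t) for n, t in routes.items()}
    out[node] = [r for r in out[node] if r[0] != prefix]
    return out


if __name__ == "__main__":
    print("PPTP 1723 inbound:", " -> ".join(inbound_chain(1723)))
    # A VPN client's traffic enters at the RRAS server (the tunnel endpoint);
    # a LAN client's traffic enters at Router #3, its DHCP-assigned gateway.
    for start, dst in [("RRAS", "192.168.120.50"),
                       ("Router #3", "192.168.119.50"),
                       ("Router #3", "198.51.100.7")]:
        print(f"{start} -> {dst}: " + " -> ".join(trace(start, dst)))
    broken = drop_route(ROUTES, "Router #3", "192.168.119.0/24")
    print("Router #3 without its static route -> 192.168.119.50:",
          " -> ".join(trace("Router #3", "192.168.119.50", broken)))
```

The last trace is the one worth looking at: if Router #3 loses its 192.168.119.0/24 route, a LAN client's packet to a VPN client address follows Router #3's default route to Router #1 and is sent toward the ISP rather than to the RRAS server, so the static routes on Router #2 and Router #3 are not optional in this layout.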