Unable to access private network from the VPN (NAT)

[Guest]

I have users successfully connecting to the VPN through my public, they are
able to access both interfaces on the VPN server however they are unable to
access any of the machines on the private network. Within the Windows 2003
VPN setup I was able to forward ports to specific machines and have the VPN
users access that but ideally I would like to give the users unrestricted
access to the private network. Is this possible if so how? Private network
is 192.168.1.0/24

 

[Scott Harding]

This is typically because of misconfigured DNS/WINS settings. They won't be
able to browse through Network neighborhood but should be able to access
resources by name.

 

[Guest]

I'm sorry I guess I was unclear. I'm unable to access the machines on the
private interface. I'm unable to ping them. However if I forward ports to
these server then i'm able to connect to 192.168.1.machinIP

I would like open access to all machines...

thanks!

 

[Bill Grant]

Are you sure you are actually connecting by VPN? The symptoms you
describe fit the case when you are connecting directly through the Internet!

If you connect by VPN, your client should be receiving a private IP
address. Its connection to the server should be through the "virtual"
interface of the server. Any port forwarding settings on the server should
have no effect on this connection. The VPN traffic comes through the
"public" interface encrypted and encapsulated and is not seen by that
interface.

 

[Guest]

I have two interfaces on the windows2k3 machine. The first interface is
192.168.1.181 and the second is .182 (yes they are on the same router)

I'm connecting to the VPN from an external site (some where over the internet)
Yes i'm connected to the vpn! The external machine gets an internal ip
address and its able to ping the interfaces on the VPN server. Not only that
if I allow routing to 192.168.1.69 on port 22 I can ssh to that machine from
the external computer. Yes the machine is on the VPN

Its not an "internet" issue

 

[Bill Grant]

I don't understand the last bit. How can you "allow routing on port 22"!
IP routing works on IP addresses. Port forwarding/filtering is a completely
different thing.

In addition, why does the server have two interfaces in the same IP
subnet? RRAS does funny things when this is the case. You only need two
interfaces if the server if is directly connected to the Internet (ie one
public and one private). If you are behind a router, the router is the
public interface.

I would give the server just one NIC and one IP address. Forward tcp
port 1723 from the router to this IP address. This extends the VPN
connection to the server. All VPN traffic will be encrypted and encapsulated
between the remote client and the server. After it reaches the server it
will be decrypted and forwarded to the LAN with its private address.

 

[Guest]

I've actually tired with only one interface... I'll give it a try again but
it wasnt working before... =/

Even before when I was using one interface the only way I could connect to
specific servers was by clicking on NAT/Basic Filtering and then click on the
interface ...under there you will see a Services and Ports ... I select a
service or add a port and the ip I want to access and the next time I connect
to the vpn I can access the machine.

I'd like to access all machines without having to do that...

thanks for all the help=) hopefully I can figure this out...

 

[Scott Harding]

You need two interfaces on 2 different subnets for this to work.

 

[Guest]

To be honest that doesnt make sense since you can run the VPN from one
interface... Bill what is your take =)

 

[Bill Grant]

If you use two NICs, they need to be in different IP subnets. Whether
you use one NIC or two depends on how you configure the LAN. They will both
work.

With one NIC, the server is just another machine on the LAN and uses the
router as the gateway (as do the other LAN machines). With two NICs, the
server becomes the default gateway for the LAN. The"public" NIC connects to
the router on a different IP subnet. You need to use this setup if you want
to use the server to filter traffic between the LAN and the outside world.
In the one NIC model, you would need to do that at the router.

 

[Guest]

Bill,

I'm fine with having the router send traffic from the outside world to the
VPN server. My problem then becomes how do I tell the win2k3 server that I
want the VPN user to have access to entire private network?

Thanks Bill...

 

[Bill Grant]

If the remotes are receiving IP addresses in the same IP subnet as the
LAN machines it should happen automatically. The server acts as a proxy for
the remotes and forwards traffic on to LAN machines. In the other direction
the server does proxy ARP for the clients, gets the packet and forwards it
across the VPN link.

If the remotes are in a different IP subnet you need to route the remote
traffic through the RRAS server.

 

[Guest]

Bill,

First off thanks for your time. I have the VPN setup with one network
interface. Clients get assigned an ip address and they are on the same
subnet. However they can't access any of the machines on the network. I'm
back to the same problem where I had to specify services/ports for each
machine then I can access the machine =/

Any ideas?

 

[BP]

Not sure how you are natting with one interface but
other posts with similar symptoms with vpn clients being
able to connect to local network servers have added
the internal interface to the nat protocol config using
netsh cmd line entry. It sounds like you have a dhcp
pool in rras that is registering a different network
address to remote vpn clients over your local nic's
assigned network address.

 

[Scott Harding]

This won't work with 1 nic. You need two nics on different subnets.

 

[Scott Harding]

Here's the article..

http://support.microsoft.com/default.aspx?scid=kb;en-us;300434

 

[Guest]

Ok now I guess the question is who is right =/

This won't work with 1 nic. You need two nics on different subnets.

 

[Bill Grant]

Right about what? I don't see anything that Scott and I disagree about.
If you use two NICs, they must be in different IP subnets.

 

[Scott Harding]

One nic gets you to the machine, if you want to go further you will need two
nics on two different subnets. Obviously it doesn't work the way you have it
and I have done this a million times. You need two nics and this problem
will go away.