VPN - desperate housewife part 2

Thread starter: Guest

Sorry for joke title. I posted weeks ago 6/17 (thanks Bill) and need more
basic help. I have read lots of literature (this is effectively my server
training) but basic questions about setup remain.

I have a Win Server 2000 (DNS/AD not DHCP) we use only for file store and it
has 2 NICs. NIC1 (Internet) has static public IP 81.138.119.225 with Gateway
as 192.168.1.254, NIC2 (LAN) IP 192.168.1.10 static from Router DHCP without
Gateway entered.

VPN client is receiving IP from list 192.168.1.25-32 and
connects to NIC1 (Internet) 81.138.119.225; works fine (only by IP address).
Can view shared files only if I map drive using NIC (LAN) 192.168.1.10 IP,
i.e. \\192.168.1.10\Opendata etc.

Basic questions (this is the desperate
part): What IP do I use to view shared files (it doesn't seem right to use
.10)? Do I need to have VPN server name resolved anywhere? Internet cannot be
browsed from VPN server; is this an issue I need to do something about?

I have more but please for now can anyone help me. If more info required please
tell me. Debora x.

Real basic questions are
 
You can try the FQDN if the VPN client takes DNS from the VPN server. Or install a WINS server or lmhosts if you want to use NetBIOS names.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
Don't send e-mail or reply to me unless you need consulting services. Posting on the MS newsgroup will benefit all readers and you may get more help.
 
That doesn't really make any sense. If the server is supposed to access
the Internet through a router at 192.168.1.254, why does it have a NIC with
a public address (81.138.119.225)? Does this NIC connect to anything?

If the 81.138 NIC has a connection to the Internet you do not need to
use the router. If your router is the only connection to the Internet, you
do not need the second NIC with a public IP.

So the first thing we need to know is what is the NIC with the public
address actually doing? If it is doing nothing, disable it and use the
router at 192.168.1.254 as your default gateway. If it is connected to a
public network you can use it as your Internet connection.
 
Bill thanks again for help and understanding. You can see the desperation.
Our Broadband Router (4 ports) has IP of 81.138.11.230, the Server NIC
(Internet) .225 and Server NIC (LAN) 192.168.1.10. The Gateway IP
192.168.1.254 was taken from the LAN settings, showed IP as gateway, if that
makes sense. When NIC (Internet) settings entered I assumed Gateway as above.
I originally had NIC (Internet) Gateway as Router IP .230 but changed it as
VPN not working (this is where I feel a mistake made). The NIC (Internet) is
connected to Router port and NIC (LAN) is connected to hub which in turn is
connected to Router. The Router acts as DHCP for local LAN, Server has static
IP (.10) range. All PCs connected to hub.

Bill I hope you can help me as I'm
attempting RRAS/VPN but as you can see initial setup may be at fault. If you
need any more info please ask. Extremely grateful, Debora x.
 
That makes things a bit clearer. Your RRAS server does not need to know
about the public IP of the router, so disable the second NIC in the server
and only use the one with a private (192.168.1.x) address. Its default
gateway will be automatically set to 192.168.1.254 if it gets its config
from DHCP on the router.

First make sure that all the clients and the server can access the
Internet through the DSL router. Next check that you can make a VPN
connection from a LAN client to your VPN server using its LAN IP. This will
check that your VPN server is correctly set up to allow VPN access. Any
problems with authorisation or policies can then be fixed locally.

The standard setup for a VPN server using two NICs assumes that the
server is directly connected to the Internet. In your case, your Internet
connection is via a NAT router. You only need one NIC in the server because
the router acts as your Internet connection.

When you have your VPN server working correctly on the LAN, you can
enable VPN connection from the Internet by programming your router. The
remote clients connect through the Internet to your router's public interface
and the router forwards the information across the LAN to your VPN server.
Exactly how you do this depends on your router. (They all seem to use very
different config screens). What you need to do is forward PPTP (tcp port
1723) from the router to the server. This extends the VPN connection from
the router to the server.

The other problem you may meet is GRE. The data crossing the VPN link is
encrypted and encapsulated. The encapsulation protocol used is GRE (Generic
Routing Encapsulation). If your router is programmed to block GRE, no data
will be transferred and the connection will close. This usually shows up as
error 721. If you strike this problem you will need to find out how to allow
GRE. It might be mentioned by name, by protocol number (it is IP protocol
47) or it may be listed as pptp pass-through mode or even as VPN
pass-through mode.
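The two halves of a PPTP connection that this reply separates (the TCP 1723 control channel the router must forward, and the GRE data channel, IP protocol 47, that "pass-through" must allow) can be told apart on the wire. The following is an added example, not code from the thread or from any of its participants: it builds and parses the PPTP Start-Control-Connection-Request and the enhanced GRE header from RFC 2637, and classifies a list of packets seen on the server's LAN interface into the three cases the reply describes (nothing forwarded, control up but GRE blocked, which is the error 721 symptom, or both arriving). The observation lists are constructed, not a real capture; the server LAN IP is the 192.168.1.10 quoted in the thread. One caveat the thread does not mention: PPTP with MS-CHAPv2 and MPPE is regarded as broken today, so this is a diagnostic for the forwarding problem, not a recommendation to keep running PPTP.

```python
"""PPTP pass-through check: TCP 1723 control channel vs. GRE data channel.

Added example, not part of the original thread. Message layouts follow
RFC 2637 (PPTP); the observation lists at the bottom are constructed for
illustration, not a real capture.
"""
import struct
from typing import List, Optional, Tuple

PPTP_PORT = 1723          # PPTP control connection, TCP
GRE_PROTOCOL = 47         # IP protocol number of GRE
TCP_PROTOCOL = 6
PPTP_MAGIC = 0x1A2B3C4D   # magic cookie carried by every PPTP control message
PPTP_CONTROL_MSG = 1      # PPTP message type: control message
SCCRQ = 1                 # Start-Control-Connection-Request
GRE_PPTP_PROTO = 0x880B   # protocol type for PPP carried in enhanced GRE


def build_sccrq(hostname: bytes = b"rras-server", vendor: bytes = b"example") -> bytes:
    """Build a 156-byte Start-Control-Connection-Request (RFC 2637 section 2.1)."""
    header = struct.pack("!HHIHH", 156, PPTP_CONTROL_MSG, PPTP_MAGIC, SCCRQ, 0)
    # protocol version 1.0, reserved, framing caps (sync+async), bearer caps
    # (analog+digital), max channels, firmware revision
    body = struct.pack("!HHIIHH", 0x0100, 0, 0x3, 0x3, 1, 0)
    return header + body + hostname[:64].ljust(64, b"\x00") + vendor[:64].ljust(64, b"\x00")


def parse_control_header(data: bytes) -> dict:
    """Parse the 12-byte header common to all PPTP control messages."""
    if len(data) < 12:
        raise ValueError("short PPTP control message")
    length, msg_type, magic, ctrl_type, _reserved = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC:
        raise ValueError("bad PPTP magic cookie 0x%08x" % magic)
    return {"length": length, "msg_type": msg_type, "ctrl_type": ctrl_type}


def build_gre_pptp(call_id: int, payload: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Build an enhanced GRE header as used by PPTP (RFC 2637 section 4.1).

    This is the packet the router must pass as IP protocol 47; blocking it
    leaves the TCP 1723 control channel up but no data flowing (error 721).
    """
    flags = 0x20                        # K: key field (payload length + call ID) present
    if seq is not None:
        flags |= 0x10                   # S: sequence number present
    ver = 0x01                          # version 1 = enhanced GRE
    if ack is not None:
        ver |= 0x80                     # A: acknowledgment number present
    hdr = struct.pack("!BBHHH", flags, ver, GRE_PPTP_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_gre_pptp(data: bytes) -> dict:
    """Parse an enhanced GRE header and return call ID, seq, ack and payload."""
    flags, ver, proto, plen, call_id = struct.unpack("!BBHHH", data[:8])
    if (ver & 0x07) != 1 or proto != GRE_PPTP_PROTO:
        raise ValueError("not a PPTP GRE packet")
    off, seq, ack = 8, None, None
    if flags & 0x10:
        seq = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if ver & 0x80:
        ack = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": data[off:off + plen]}


Observation = Tuple[int, str, Optional[int]]   # (ip protocol, dst ip, dst port or None)


def diagnose(observed: List[Observation], server_ip: str) -> str:
    """Say which half of PPTP reached the server's LAN interface."""
    control = any(p == TCP_PROTOCOL and ip == server_ip and port == PPTP_PORT
                  for p, ip, port in observed)
    data = any(p == GRE_PROTOCOL and ip == server_ip for p, ip, _ in observed)
    if not control:
        return "no TCP 1723 reached the server: add the port-forward rule on the router"
    if not data:
        return "TCP 1723 arrives but no GRE (IP protocol 47): enable PPTP/VPN pass-through (error 721 symptom)"
    return "both PPTP control and GRE data reach the server"


# Constructed observations (not a real capture), keyed to the thread's server LAN IP.
OBSERVED_GRE_BLOCKED = [(6, "192.168.1.10", 1723), (6, "192.168.1.10", 1723)]
OBSERVED_OK = [(6, "192.168.1.10", 1723), (47, "192.168.1.10", None)]

if __name__ == "__main__":
    print(diagnose(OBSERVED_GRE_BLOCKED, "192.168.1.10"))
    print(diagnose(OBSERVED_OK, "192.168.1.10"))
```

Feeding `diagnose` the (protocol, destination, port) tuples from a capture taken on the server's LAN NIC is enough to tell a missing port forward from a blocked GRE path without reading the router's own logs; a router that shows "VPN pass-through" as an option is usually toggling exactly the protocol 47 case.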
 
Bill, I'm extremely grateful for your help. I have also read a lot of your
replies to others and I finally believe I have 'got' this Remote Access. I
plan to start again when in office with approp. wizard.

I will disable NIC (Internet), run RRAS wizard with 'Remote Access'
selection, NOT VPN selection, set up Router with approp. ports and GRE (see
below), and test as you stated.

Further to your reply and further study of the Router guide states a VPN
server can be hosted but to allow Vpn client inbound the "Allow all
applications" rules must be selected. All traffic is then directed to Server.
The Server will be placed in DMZ mode, the Router will still provide Stateful
Packet Inspection (Denial of Service/Attack Detection etc) but recommends
another firewall be in place.

I want to ask some more and hope your patience is still intact. 1. Is my
thinking about right or have I missed it again. 2. With your solution and
Router guidance, it will still allow for normal Lan access to server for Lan
clients (being brave I assume YES as there are now NO blocking filters on
NIC)? 3. I assume that our 5 Static IPs and 2nd NIC are really useless for
this setup? 4. Lastly, do you feel it is important for a further firewall
which will probably be software one.

Bill thanks again for your invaluable help and advice. If I get this to work
I will ask my boss to send you some sort of fee for my server training and
RRAS setup help. I will post again with outcome. (I hope I haven't
broken any rules or offended you.) Debora x.
 
Putting the router in DMZ mode opens up a whole new can of worms. You
would probably get three (or more) different answers from three security
experts on this!

My personal opinion would be to go back to a two NIC setup on the server
if you do that. You would connect only the "public" NIC of the server to the
router and connect your private LAN only to the "private" NIC of the server
(using a second hub/switch and a different IP subnet). This isolates your
private LAN from the rudimentary DMZ, which is the server-router link.

This would require a bit more work to configure. Your server is now the
default router for the private LAN, and you would need to configure NAT on
it as well as remote access. You would also need to configure DHCP on it for
your private LAN (unless you are happy to configure the clients manually).
They will not be able to use DHCP from the router. You could also set up a
software firewall on this server if you felt you needed to.

The setup would look like this.

Internet
|
public IP
router
192.168.1.254
|
192.168.1.10 dg 192.168.1.254
RRAS/NAT server
192.168.21.1 dg blank
|
clients
192.168.21.x dg 192.168.21.1

This setup does NAT translation twice but I don't think you would be
inconvenienced by that. You might like to configure the DNS address of your
ISP DNS server directly on the clients so that they access it directly
(rather than by DNS proxy in NAT). But VPN from outside should work fine
because all traffic reaching the router's public IP comes to the server. The
VPN clients will get IP addresses in the 192.168.21.x subnet and have
access to the LAN machines as well as the server itself.

This discussion has got a bit off topic. You could contact me directly
using the username grantaw at aliencamel dot com . I check my
mail most days. If you are in the US or Europe, there may be a delay because
of time zones. I'm in Australia.
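The diagram above, and the earlier question about why a NIC with a public address carried a gateway of 192.168.1.254, both come down to a few addressing rules: a default gateway has to lie on the subnet of the interface it is set on, a multi-homed host should carry exactly one default gateway, a private LAN placed behind the server must not overlap the router-side subnet, and the LAN clients must sit on the server's private subnet and use the server's private IP as their gateway. The following is an added example, not code from the thread or its participants, that checks those rules with Python's ipaddress module against the two configurations described in the thread. The addresses are the ones quoted in the thread; the /29 on the public NIC (five static addresses) and the /24 masks are assumptions, as are the client addresses.

```python
"""Addressing checks for a multi-homed RRAS/NAT server.

Added example, not part of the original thread. It encodes the rules behind
Bill's replies: a default gateway must lie on the subnet of the interface it
is set on, a multi-homed host should carry exactly one default gateway, and a
private LAN put behind the server must not overlap the router-side subnet.
Addresses are the ones quoted in the thread; the /29 on the public NIC, the
/24 masks and the client addresses are assumptions, not values from the thread.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Interface = Tuple[str, Optional[str]]   # ("ip/prefix", default gateway or None)


def check_host(name: str, interfaces: Dict[str, Interface]) -> List[str]:
    """Return findings for one host's interfaces; an empty list means clean."""
    findings = []
    gateways = 0
    for nic, (addr, gw) in interfaces.items():
        iface = ipaddress.ip_interface(addr)
        if gw is None:
            continue
        gateways += 1
        if ipaddress.ip_address(gw) not in iface.network:
            findings.append(f"{name}/{nic}: gateway {gw} is not on {iface.network}")
    if gateways == 0:
        findings.append(f"{name}: no default gateway set on any interface")
    elif gateways > 1:
        findings.append(f"{name}: {gateways} default gateways; a multi-homed host should have one")
    return findings


def check_isolation(router_side: str, private_lan: str) -> List[str]:
    """The private LAN behind the server must be a different subnet from the router link."""
    a, b = ipaddress.ip_network(router_side), ipaddress.ip_network(private_lan)
    return [f"private LAN {b} overlaps router-side subnet {a}"] if a.overlaps(b) else []


def check_clients(server_private: str, clients: Dict[str, Interface]) -> List[str]:
    """LAN clients must sit on the server's private subnet and point at it as gateway."""
    srv = ipaddress.ip_interface(server_private)
    findings = []
    for host, (addr, gw) in clients.items():
        cli = ipaddress.ip_interface(addr)
        if cli.network != srv.network:
            findings.append(f"{host}: {cli.ip} is not on the server's private subnet {srv.network}")
        if gw is None or ipaddress.ip_address(gw) != srv.ip:
            findings.append(f"{host}: default gateway should be the server's private IP {srv.ip}")
    return findings


# Debora's first description: public NIC with a gateway taken from the LAN side.
ORIGINAL_SERVER = {
    "NIC1 (Internet)": ("81.138.119.225/29", "192.168.1.254"),   # /29 assumed
    "NIC2 (LAN)": ("192.168.1.10/24", None),
}

# Bill's two-NIC diagram: router link on 192.168.1.0/24, private LAN on 192.168.21.0/24.
DIAGRAM_SERVER = {
    "public": ("192.168.1.10/24", "192.168.1.254"),
    "private": ("192.168.21.1/24", None),
}
DIAGRAM_CLIENTS = {                      # client addresses assumed, not from the thread
    "pc1": ("192.168.21.20/24", "192.168.21.1"),
    "pc2": ("192.168.21.21/24", "192.168.21.1"),
}


def validate_diagram() -> List[str]:
    """Run every check against Bill's diagram; returns all findings (none expected)."""
    return (check_host("server", DIAGRAM_SERVER)
            + check_isolation("192.168.1.0/24", "192.168.21.0/24")
            + check_clients("192.168.21.1/24", DIAGRAM_CLIENTS))


if __name__ == "__main__":
    for line in check_host("server", ORIGINAL_SERVER) + validate_diagram():
        print(line)
```

Run against the first configuration, `check_host` reports the off-subnet gateway on the public NIC, which is the inconsistency Bill's first reply picked up on; run against the diagram it reports nothing. The same checks applied to the VPN address pool would confirm that pool addresses fall inside 192.168.21.0/24, which is what lets VPN clients reach the LAN machines in the diagram.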
 
Bill, thanks again for reply.
If you have spare minutes to read, my ISP Router guide is published
here (http://static.btopenworld.com/business/help/otherfiles/BP-2039248PP.pdf).
This is a legitimate link I have used from British Telecom web pages. It may
help explain our setup/IP/equipment.

It appears that the Router will not allow an individual GRE protocol filter for
the VPN setup but an all "traffic to flow to vpn server" type scenario. I also
believe it only mentions DMZ if only 1 static IP address involved. Taking
your solution of going with 2 NICs our setup may be something like page
14/15 of guide titled "Sample Small-to-Medium Business Network" example, the
customer has purchased 5 broadband static IP addresses. We have purchased 5
static IPs. In the diagram (page 14/15) we have the vpnserver and masterserver
as 1 x Win 2000 Server.

Would your solution fit in with our static IP range? If details of our real
setup needed then I will post to your private e-mail if that's ok. Thanks
again for your time and advice. Debora x
 
Yes, I will have a look at the documentation from BT. Drop me a line
directly so that I can get in touch. This is getting way off the subject
matter of this newsgroup.
 