I have a LAN (served by a Windows 2003 Server) on which I wish to deny all
traffic to/from outside this LAN.
On this LAN I also have a VPN server (the same Windows 2003 Server). I wish
to allow access to/from outside the VPN (internet access) to people who can
log on to the VPN server.
I am trying to realise this via inbound/outbound filters in the RAS manager
(via NAT/basic firewall, deny all, then make exceptions), but this turned
out not to be as easy as I thought.
My setup is as follows:
'internet': 90.0.0.1 255.255.255.0 (goes to firewall with IP 90.0.0.1
255.255.255.0)
LAN: 10.0.0.0 255.255.255.0
VPN: 10.0.1.0 255.255.255.0
LAN/VPN <-> 2K3 <-> internet
Confining computers on the LAN to the LAN turned out to be easy:
10.0.0.0 255.255.255.0 <-> 10.0.0.0 255.255.255.0
This allowed me to log in to the Terminal Server running on 2K3 from the LAN,
so data traffic was as normal, except that there was no internet available
(as expected).
VPN was the same exercise:
10.0.1.0 255.255.255.0 <-> 10.0.1.0 255.255.255.0
I was able to log in and do my thing, but there was no internet (again, as
expected).
I then tried this rule, which I planned to fine-tune after trying it:
10.0.1.0 255.255.255.0 <-> 0.0.0.0 0.0.0.0
0.0.0.0 0.0.0.0 <-> 10.0.1.0 255.255.255.0
This did not, however, result in the expected internet access from the VPN.
I then thought 'that's logical, you did not permit traffic on the internet
NIC';
90.0.0.0 255.255.255.0 <-> 90.0.0.0 255.255.255.0
however, there is still no internet available for anybody (this includes the
2K3 machine).
I then went about it another way (accept all, except these rules);
10.0.0.0 255.255.255.0 <-> 90.0.0.0 255.255.255.0
90.0.0.0 255.255.255.0 <-> 10.0.0.0 255.255.255.0
which resulted in internet connectivity, but on both the VPN and the LAN.
Perhaps all this is a basic error (I am new to routing on Windows servers),
but I fail to see what I need to do to make this setup work.
I tried searching the internet, but found no clear examples like my
situation, or good tutorials which would lead me to discover the answer
myself.
I do not wish to involve big guns like ISA or a 3rd-party firewall.
Any help and/or pointers for my problems would be very welcome.
--
"Wisdom lies not in obtaining knowledge, but in using it in the right way"
- kroesjnov
http://www.securitydatabase.net
http://www.mostly-harmless.nl
http://www.outerbrains.nl
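The filter sets quoted in the post, traced through a small model of deny-all-with-exceptions packet filtering. This is an added illustration, not anything from the original post or from Windows RRAS itself: it assumes a filter permits a packet when source and destination both fall inside the listed subnets, that NAT rewrites the source to the public address 90.0.0.1 before the internet NIC's filters see the packet, and it models only the outbound direction. The client address 10.0.1.5 and destination 203.0.113.9 are constructed.

```python
import ipaddress

# Rule notation from the post: "src_net mask <-> dst_net mask" is read here as
# "permit when source is in src_net AND destination is in dst_net" (assumption).
def parse_rule(text):
    src, dst = text.split("<->")
    s_net, s_mask = src.split()
    d_net, d_mask = dst.split()
    return (ipaddress.ip_network(f"{s_net}/{s_mask}"),
            ipaddress.ip_network(f"{d_net}/{d_mask}"))

def permitted(rules, src, dst):
    """Deny all, then exceptions: the packet passes if any rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in rules)

# Subnets from the post; traffic to these never reaches the internet NIC.
LOCAL = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.0.1.0/24")]

# Filter sets exactly as written in the post.
VPN_ONLY = [parse_rule("10.0.1.0 255.255.255.0 <-> 10.0.1.0 255.255.255.0")]
VPN_ANY = [parse_rule("10.0.1.0 255.255.255.0 <-> 0.0.0.0 0.0.0.0"),
           parse_rule("0.0.0.0 0.0.0.0 <-> 10.0.1.0 255.255.255.0")]
INET_NIC = [parse_rule("90.0.0.0 255.255.255.0 <-> 90.0.0.0 255.255.255.0")]

def trace(vpn_rules, inet_rules, vpn_client, dst, nat_ip="90.0.0.1"):
    """Evaluates one outbound packet from a VPN client at each hop:
    first on the VPN interface, then (after NAT) on the internet NIC."""
    if not permitted(vpn_rules, vpn_client, dst):
        return "blocked on VPN interface"
    if any(ipaddress.ip_address(dst) in n for n in LOCAL):
        return "delivered locally"
    # NAT has replaced the 10.0.1.x source with the public address by now,
    # so the internet NIC's filter sees 90.0.0.1 -> dst.
    if not permitted(inet_rules, nat_ip, dst):
        return "blocked on internet NIC"
    return "forwarded to internet"

if __name__ == "__main__":
    for rules in (VPN_ONLY, VPN_ANY):
        print(trace(rules, INET_NIC, "10.0.1.5", "10.0.1.1"),
              "|", trace(rules, INET_NIC, "10.0.1.5", "203.0.113.9"))
```

Under this model the "90.0.0.0/24 <-> 90.0.0.0/24" filter only matches packets whose destination is also inside 90.0.0.0/24, so a NATed packet bound for an arbitrary internet address fails on the internet NIC even though the VPN interface let it through.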