Router forwarding traffic directly to VPN router's WAN IP

Guest

I have a problem where internal LAN computers need to communicate with
computers in a remote LAN through a VPN tunnel. I have a Windows 2000 router
with 2 network cards installed. 1 NIC is 10.0.1.6, which communicates with
the internal LAN devices, and the other is 192.168.2.3, which communicates
with the VPN router on 192.168.2.254. The remote network is on the 10.0.5.0
range and the router is 10.0.5.1. I am able to communicate with devices in
10.0.1.x ranges from the 10.0.5.x, but am having problems connecting to
10.0.5.x devices from the 10.0.1.x devices. When I run a tracert from a
10.0.1.x machine, it goes to the 10.0.1.6 Windows 2000 router, then it goes
directly to the 217.45.127.110 external WAN IP of the VPN router, when it
should go to the internal IP 192.168.2.254 of the VPN router and then through
the tunnel. IP forwarding has been enabled on the router and the static
routes have been created. Does anyone know what the problem might be?
Thanks.
 
Robert L [MS-MVP]

You have a routing issue. This may help: Routing in an Internetwork, http://howtonetworking.com/Networking/multiplerouters1.htm

Don't send e-mail or reply to me unless you need consulting services. Posting on the MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
I recommend Brinkster for web hosting!

 
BP

Filters/NAT in the VPN router may be inhibiting a proper response
from the tracert command. When you ping from the local net to
remote net 10.0.5.x, do you receive a reply of any kind
from the remote server or router, like destination unreachable
or request timeout or no reply 4 times with an address?
In most cases a request timeout coming back means there is no route
back from the remote site to the local network you're pinging from
in the remote router or server.
 
Guest

I am able to ping remote net 10.0.5.x from devices on the 192.168.2.x net, but
not from the internal 10.0.1.x range.
 
BP

That's because there is a route back to 192.168.2.x on the
remote site's routing table. What about 10.0.1.x on the remote
site's routing table, does one exist?
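
An added example, not part of any post in this thread: a small Python model of the return-route check described above, using the thread's subnets. The routing tables, router names and host addresses (10.0.1.50, 192.168.2.10, 10.0.5.20) are constructed assumptions, not the posters' actual configuration.

```python
import ipaddress

# Constructed routing tables (assumptions, not the posters' real configuration).
# Entry: (prefix, next hop). "direct" = on-link; the remote router here
# deliberately lacks a route back to 10.0.1.0/24.
TABLES = {
    "w2k-router": [("10.0.1.0/24", "direct"), ("192.168.2.0/24", "direct"),
                   ("10.0.5.0/24", "vpn-router")],
    "vpn-router": [("192.168.2.0/24", "direct"), ("10.0.1.0/24", "w2k-router"),
                   ("10.0.5.0/24", "remote-router"), ("0.0.0.0/0", "internet")],
    "remote-router": [("10.0.5.0/24", "direct"), ("192.168.2.0/24", "vpn-router"),
                      ("0.0.0.0/0", "internet")],
}

def next_hop(router, dst):
    """Longest-prefix match for dst in one router's table; None if no route."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in TABLES[router]]
    hits = [(n, hop) for n, hop in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(router, dst, max_hops=8):
    """Hops a packet to dst takes from router; last element is the outcome."""
    path = [router]
    for _ in range(max_hops):
        hop = next_hop(router, dst)
        if hop is None:
            return path + ["no-route"]
        if hop == "direct":
            return path + ["delivered"]
        path.append(hop)
        if hop not in TABLES:  # left the modelled network, e.g. "internet"
            return path
        router = hop
    return path + ["loop"]

def ping(src, src_gw, dst, dst_gw):
    """Check the forward path, then the reply path from the destination's gateway."""
    out = trace(src_gw, dst)
    if out[-1] != "delivered":
        return "request lost", out, []
    back = trace(dst_gw, src)
    return ("reply" if back[-1] == "delivered" else "request timed out"), out, back

if __name__ == "__main__":
    for src, gw in (("192.168.2.10", "vpn-router"), ("10.0.1.50", "w2k-router")):
        print(src, "->", ping(src, gw, "10.0.5.20", "remote-router"))
```

In this model the echo request from 10.0.1.50 reaches the remote LAN, but the reply follows the remote router's default route and never comes back, which the sender sees as a timeout.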
 
Guest

Yes there is, and it still doesn't work. We have got an ISA 2000 server on
10.0.1.1. All LAN PCs' default GW points to that. The ISA server routing table
points all traffic heading for 10.0.5.x to the Windows 2000 router, which
then forwards traffic on to the DrayTek VPN router 192.168.2.254 (it picks
up the 217.45.127.110 WAN IP of the router here and times out after this). Then
the VPN router should forward to the remote end 10.0.5.x. Is that any clearer?
Please help me, because I'm really stuck on this.

Thanks
 
BP

You make it sound like the VPN router is the
break point, but sometimes, as I mentioned earlier,
tracert is not always the tool of all knowing. Why
not do a continuous ping from 10.0.1.x to the
10.0.5.x router and monitor packets on the
other end to see if they get there? This may
require enabling logging on either router
to monitor what is actually happening.
Most VPN routers allow direct client
connection monitoring of packets
by design for debug purposes.
 
