SP2 Firewall Breaks VPN

Guest

2 Computers, both running XP Pro SP2. This problem has only existed since the
install of SP2.

Computer A connects to Computer B over the Internet via Windows RAS PPTP.
Both computers are protected from the internet via a NAT router on each end.

Computer A successfully connects to the VPN server on Computer B. I am able
to ping the NAT router on that remote network (192.168.0.1). I cannot ping
Computer B. I am ultimately trying to use Computer B as a host for my Palm
software and other network applications.

On the remote network, the following are the addresses in use:

192.168.0.x
.1 NAT Router
.100 Computer B
.200 VPN Server on Computer B
.201 Computer A's address on the remote network

If I turn off the Firewall and reconnect to the VPN, I am able to
successfully ping and perform all other actions.

I have installed the patch mentioned in KB article 884020 on both machines
and the problem persists.
Robin Walker

Dan said:
2 Computers, both running XP Pro SP2. This problem has only existed
since the install of SP2.

Computer A connects to Computer B over the Internet via Windows RAS
PPTP. Both computers are protected from the internet via a NAT router
on each end.

Computer A successfully connects to the VPN server on Computer B. I
am able to ping the NAT router on that remote network (192.168.0.1).
I cannot ping Computer B. I am ultimately trying to use Computer B as
a host for my Palm software and other network applications.

On the remote network, the following are the addresses in use:

192.168.0.x
.1 NAT Router
.100 Computer B
.200 VPN Server on Computer B
.201 Computer A's address on the remote network

If I turn off the Firewall and reconnect to the VPN, I am able to
successfully ping and perform all other actions.

Please use the Advanced tab in Windows Firewall to turn on logging of
dropped packets so that we can see what it is objecting to.

One possibility is that you try to ping 192.168.0.100 but the reply comes
from 192.168.0.200, so the firewall drops it.

In any case, it would not be unreasonable to turn off the firewall
permanently on the VPN connection, and leave it running for the other
connections.
Guest

Before I answer your question, I want to point out that the problem firewall
is on the computer acting as the VPN Server, not the client.

The following are dropped packets on the server's firewall in response to
pings.
2004-10-29 12:45:53 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-29 12:45:58 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-29 12:46:03 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-29 12:46:09 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND

** .205 is the current address of the client computer on the VPN
Janani V[MSFT]

Have you allowed the ICMP request messages in the firewall for that
particular interface which you are trying to ping? You can configure this in
the 'Exceptions' tab of the firewall by opening up TCP port 445.
Guest

The firewall that is doing the blocking is on the VPN Server! The Port 445
entry is controlled from the Advanced Tab/ICMP/Settings. But the problem I
am having is affected by ALL ports that I have tested.

I also use Remote Desktop. It is defined in the firewall and is open to
"Any" incoming address. It works fine from the Client computer with the
firewall running on the server as long as the address attempted is the
outside address of the NAT router (which forwards to the server's internal
address). If I attempt a RDP connection to the inside address directly (VPN
connected), it is denied as well...

2004-10-31 09:15:12 DROP TCP 192.168.0.100 192.168.0.205 3389 1658 40 A 2835594038 3895429792 9520 - - - SEND
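The dropped-packet entries posted in the two replies above (the ICMP replies and the RDP segment) are in the W3C-style pfirewall.log format that Windows Firewall writes once logging is switched on from the Advanced tab. As an added example that is not part of the thread, this parser decodes those entries and flags the pattern they share: the server dropping its own outbound (SEND) packets toward the VPN client at .205. The inbound UDP entry from 203.0.113.7 is constructed for contrast.

```python
# Triage Windows Firewall (XP SP2) pfirewall.log drops. Added example, not
# from the thread; the sample entries are the ones quoted in it plus one
# constructed inbound drop (203.0.113.7 is a documentation address).
from collections import Counter

# Field order from the log's '#Fields:' header line.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

ICMP_TYPES = {"0": "echo reply", "3": "destination unreachable",
              "8": "echo request", "11": "time exceeded"}

SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-10-29 12:45:53 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-29 12:45:58 DROP ICMP 192.168.0.100 192.168.0.205 - - 60 - - - - 0 0 - SEND
2004-10-31 09:15:12 DROP TCP 192.168.0.100 192.168.0.205 3389 1658 40 A 2835594038 3895429792 9520 - - - SEND
2004-10-31 09:16:00 DROP UDP 203.0.113.7 192.168.0.100 137 137 78 - - - - - - - RECEIVE
"""


def parse_line(line):
    """Return one entry as a dict, or None for header, blank or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def describe(entry):
    """One-line reading of an entry: direction, protocol detail, endpoints."""
    direction = "outbound" if entry["path"] == "SEND" else "inbound"
    if entry["protocol"] == "ICMP":
        kind = ICMP_TYPES.get(entry["icmptype"], "type " + entry["icmptype"])
        detail = f"ICMP {kind}"
    else:
        detail = f"{entry['protocol']} {entry['src_port']}->{entry['dst_port']}"
        if entry["tcpflags"] != "-":
            detail += f" flags={entry['tcpflags']}"
    return f"{direction} {detail} {entry['src_ip']} -> {entry['dst_ip']}"


def self_blocked(entries):
    """DROP on the SEND path: the host is discarding its own replies, as in the thread."""
    return [e for e in entries if e["action"] == "DROP" and e["path"] == "SEND"]


def summarise(log_text):
    """Count drops by (path, protocol, peer) so a repeating pattern stands out."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    peer = lambda e: e["dst_ip"] if e["path"] == "SEND" else e["src_ip"]
    return Counter((e["path"], e["protocol"], peer(e))
                   for e in entries if e["action"] == "DROP")
```

Running `summarise(SAMPLE_LOG)` on the thread's entries shows every drop on the SEND path aimed at 192.168.0.205, which points at the firewall being applied to the server's VPN interface rather than at any inbound filtering.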