How do I test RRAS implementation


Rich

Hello,

I have just implemented RRAS for allowing remote access to my home network.
My setup is as follows:

1 Win2K server on internal LAN running: DHCP/AD/DNS/WINS. Static IP.
1 WinXP desktop client. DHCP Client.
1 WIN2K Server running RAS. This server has 2 NICs. External NIC gets IP
config from DHCP provided by DSL Router/modem. Internal NIC has static IP
set for same internal subnet.

How can I verify that I have a good secure setup? I can reach the Internet
from each machine. DSL router also runs firewall. Should the RAS server be
part of the domain? Right now, it is not. What testing should I do? Any
AD/DNS considerations? Should I make entries in DNS for the router or
anything not on the internal network? How do I verify that NAT is hiding
all internal addresses?

TIA,
Rich
 

Bill Grant

Sounds more secure than most home networks!

NAT doesn't need to "hide" your LAN IPs. Private addresses cannot be
routed through the Internet. Even if somebody knows the IP of your DC, there
is no way they can access it from the Internet. The Internet routers discard
packets with private IP addresses because they are not unique.

I can't see any reason to make your RRAS server part of the domain if
its sole purpose is to act as a router.

How is DNS configured now? The usual method with AD is to set all AD
clients to use the local DNS, and set up this local DNS to forward to a
public DNS service. The LAN clients don't need to know anything about the
router (except its IP address).
 

Rich

So Bill,

Are you saying that I don't need NAT at all? The RAS server in fact has
only two purposes: 1, routing between my internal network and the Internet,
and 2, providing VPN services. Right now, it's not part of the domain.

One problem that I am having: There are 2 NICs on the RAS server: NIC-DSL
which connects to the DSL router/Internet.
The second NIC is on the mini-switch for my internal network. How can I
ensure that the internal NIC gets an IP config from the DHCP server on the
internal network? I have not been able to do this. I have to give it a
static IP configuration.

TIA,
Rich
 

Rich

Should I point my DNS server IP addresses to my DSL router or to my internal
DNS server? DNS is not set up to forward to any DNS server on the net or my
ISP's DNS. I'm not sure how to do this.

Rich
 

Bill Grant

If you are using AD, all clients (and the AD server itself) should use
the local DNS server. This DNS server has the SRV records which clients need
to find AD services (such as logon).

It is pretty easy to set a DNS server to forward to a public DNS server
in W2003. Just a couple of clicks in the DNS server properties.
 

Bill Grant

You need NAT somewhere to translate your private IP addresses to public
ones (so that you can access Internet sites). If your DSL router is doing
the NAT, all of your private network can use private IPs.

In this case, you could get by without using a RRAS router. You could
make the DSL router the default gateway for the LAN and run the RRAS/VPN
server with one NIC. Either option will work.

With your current setup, I would not try to get the RRAS server's inner
IP from DHCP. This NIC is the gateway address for your LAN, and you don't
want it to change. So set it as a static IP.
 

Guest

Ok, still frustrated. I've somehow lost access to the Internet from the
internal network. The internal interface on the RAS server now has a static
IP config. All devices on the internal network point to the Internal NIC on
the RAS server as the gateway. The internal network is:
200.200.200.1: the RAS server / router
200.200.200.2: W2K server, DC/DNS/DHCP (DHCP scope = ...200.50 - ...200.75)
All internal machines point to this server for DNS.

Now, how do I make sure that my internal server is pointing to the ISP's
public DNS server?

Do I understand correctly that I don't need NAT on the RAS server?

How do I verify that the RAS server is routing both ways between its 2 NICs?

Thanks again,
Rich
 

Bill Grant

Why are you using these odd addresses? There are specific IP addresses
reserved for private LANs.

If you are running the RRAS server as a LAN router, you need to know how
IP routing works. If you don't, you would be better off using the alternate
scenario of one NIC in the server.

To use the RRAS router as the gateway to your LAN, the segment between
this router and the Internet router must be a different IP subnet from the
LAN. And the Internet router needs extra routing info to know how to find
the internal subnet.

In either case, you will need to use port forwarding to get VPN to work.
The remote users must connect to a registered public IP, and that means the
Internet router's public interface (if it is doing NAT for the LAN).

Here is a basic diagram of the two options.
One NIC option.

Internet
|
public IP
router
192.168.0.1
|
RRAS server
192.168.0.2 dg 192.168.0.1
|
DC and client machines
192.168.0.x dg 192.168.0.1

Router option

Internet
|
public IP
router
192.168.0.1
|
192.168.0.2 dg 192.168.0.1
RRAS
192.168.1.1 dg blank
|
DC and clients
192.168.1.x dg 192.168.1.1

To get access to the Internet from the internal subnet, the Internet
router must know how to reach the internal subnet via the RRAS router. It
needs extra routing, e.g. a static route like

192.168.1.0 255.255.255.0 192.168.0.2

The other way around this is to use NAT on the RRAS router. But that is
a bit of a waste when the Internet router is doing NAT already. You would be
doing address translation twice.
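As an added worked example (not part of the thread), this Python script checks Bill's "router option" with the standard ipaddress module: that LAN addresses are RFC 1918 (the reason 200.200.200.x is flagged), that the two RRAS NICs are on different subnets, and that the DSL router only has a working return path to a LAN host once the static route above is added. Addresses follow the diagram; 203.0.113.1 is an assumed placeholder for the ISP gateway.

```python
"""Check the two-subnet RRAS "router option" from the thread above.

Constructed addresses follow Bill's diagram; Rich's 200.200.200.x LAN is
included to show why it gets flagged. Example code, not from the thread.
"""
import ipaddress

# RFC 1918 private ranges, which Internet routers will not carry.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing table of the DSL (Internet) router: (prefix, next hop).
# "direct" means the destination is on an attached segment. 203.0.113.1 is a
# documentation-range placeholder for the ISP's gateway.
DSL_ROUTER_TABLE = [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "203.0.113.1")]
STATIC_ROUTE = ("192.168.1.0/24", "192.168.0.2")   # the route Bill says to add

RRAS_EXTERNAL = "192.168.0.2/24"   # RRAS NIC towards the DSL router
RRAS_INTERNAL = "192.168.1.1/24"   # RRAS NIC towards the DC and clients


def is_rfc1918(addr: str) -> bool:
    """True if addr is in 10/8, 172.16/12 or 192.168/16 (not Internet-routable)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def nics_on_separate_subnets(external: str, internal: str) -> bool:
    """A router's two interfaces must be in different subnets or there is nothing to route."""
    return ipaddress.ip_interface(external).network != ipaddress.ip_interface(internal).network


def next_hop(table, dest: str) -> str:
    """Longest-prefix match over a list of (prefix, next hop) entries."""
    ip = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def return_path_ok(table, lan_host: str) -> bool:
    """Replies to a LAN host must leave the DSL router via the RRAS external NIC,
    not via the default route to the ISP, where a private destination is dropped."""
    return next_hop(table, lan_host) == str(ipaddress.ip_interface(RRAS_EXTERNAL).ip)


if __name__ == "__main__":
    print("200.200.200.1 is RFC 1918:", is_rfc1918("200.200.200.1"))
    print("RRAS NICs on separate subnets:", nics_on_separate_subnets(RRAS_EXTERNAL, RRAS_INTERNAL))
    print("return path without static route:", return_path_ok(DSL_ROUTER_TABLE, "192.168.1.50"))
    print("return path with static route:", return_path_ok(DSL_ROUTER_TABLE + [STATIC_ROUTE], "192.168.1.50"))
```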
 

Guest

Bill,

I have a similar setup.
My DSL modem address is 192.168.1.1.
I have a 2003 Server running RRAS and NAT enabled. First (external) NIC has
IP 192.168.1.2.

Second (internal LAN) NIC has IP of 192.168.2.1.
I open the port for FTP access which is forwarded to internal IP 192.168.2.30.
Here is my question, within my internal LAN, I can access the ftp server.
How can I set it up so someone outside my LAN can access the ftp server?


Thanks.
Mike
 