Router to Router


Yay Deutschland!


I have two LANs I want to connect together using RRAS on Windows 2003
Server. Both of the LANs are connected to the internet using cable modem.
LAN1 is running Windows 2003 Server with ISA Server 2000 running on the same
machine. LAN2 is a Windows 2000 machine, no ISA, running RRAS. Right now I
have created a Demand Dial VPN to LAN2 from LAN1. On the server console, I
can ping all the resources on LAN2, but I cannot ping anything on LAN2 from
a Client workstation on LAN1.

From reading previous posts, I realized that it is MOST likely to be a Static
Routing problem. Can you please tell me exactly what to type into the Static
Routes, based on the information that I have provided here? This is my first
time setting this up, and I am totally new to this.

LAN1 (RRAS Server with ISA)
Nic1: <Internet>


PPP adapter RAS Server (Dial In) Interface:


Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :

As for the static routes that I put in:
Dst: Mask: Metric 1 on Interface DEMAND_DIAL
Dst: Mask: Gateway: Metric 1 on
Interface NIC2

LAN2 (Win2000 with RRAS):
Nic1: <Internet>
Nic 2:

Danke Schön!!! :D



Yay Deutschland!

Ok I think I solved my own problem, I needed to create a Remote access
server on my side and create another demand dial vpn connection from the
other side to my side. Right now all the systems in LAN1 can communicate
ONLY with the RRAS server on the other side the internet gateway and not the
clients ie. all systems on LAN1 can talk to and (see below). Only the RRAS server on LAN1 can access an IP
address like, if you try to access that from a client on LAN 1
it will time out.

The setup on the other side is like so:

Internet<<==>>USR Router with Port 1723 forwarded to RRAS<<==>>RRAS Server,
USR Router's Internal IP:
Gateway: none

RRAS Server's IP:

All Client Machines + Print Servers etc...: On the and
Gateway Bound to:
Print Server:

My Question:
Tell me if my theory is correct: The RRAS Server on LAN1 can ping because it has an IP-Address on the D-D interface as so the Client with IP of (which thinks is on its own local network) is sending the return packets


A Client on LAN1 with an IP Address of can NOT ping, (although the packet does get there), because the system can not find a return route to because its
gateway is bound to and the return packets to
when it tries to respond is lost through the internet, or gets dropped.

Please give me a reply, as I am trying to learn about routers and

Bill Grant

Yes, you do need a static route at each end for routing to work
properly. To get full "site to site" routing (ie a client at one site can
ping a client at the other), the RRAS routers must both have a static route
to the "other" site through the VPN link.

Your problem is probably caused by the fact that you have ISA at one end
and RRAS at the other. In ISA, this is configured from an ISA wizard, and
this takes care of the return route. When you set up one end, the wizard
creates a file to configure the "other" router.

With RRAS, you need to configure it manually. This involves setting up a
demand dial interface on the answering router, and adding a static route
back to the calling router's local subnet linked to the demand dial

To make this work, the calling router uses the name of the dd interface
as the username for the connection. When the answering router receives the
call, it sees that it is to a dd interface, and makes the right connection.
This activates the return route.

If the dd interface doesn't exist, or if the username doesn't match a dd
interface name, the server assumes that the caller is just a remote client
(not a router) and connects to the default internal interface. In this case,
only a host route back to the calling machine is set up. I assume that is
the situation you are seeing.

When it is set up properly (ie with routes at both ends), the VPN link
works like a simple (slow) IP router, and site to site routing works.

Yay Deutschland!

Ok on I tried what you suggested:

Interface Name: ddlan2
Username: (e-mail address removed)

RRAS on LAN2 on
Interface Name: ddlan1
Username: (e-mail address removed)

And I still get the same problem. Can it be just the fact that the gateway
settings on clients on LAN2 is bound to (US Robotics Router)
and ===!!==>>NOT the RRAS router<<===!!===, which is having its VPN port
forwarded by the US Robotics Router?

Thanks again for your time =)



Bill Grant

If the default gateway of the LAN is not the RRAS router, you will need
extra routing to get the traffic to the RRAS router.

The simplest way to do that is to add a static route to the gateway
router to redirect traffic destined for the "other" site back to the RRAS
router. It will then be encrypted and encapsulated before going to the
gateway router.
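
The return path described in the replies above, modelled as an added example (not part of the original thread): it traces a LAN2 client's reply toward a LAN1 client, with and without the matching dd interface name and the static route on the gateway router. The addresses are constructed because the thread's real ones were removed, the node names are hypothetical, and the RRAS server's default gateway is assumed to be the USR router.

```python
import ipaddress

# Constructed addressing: the thread's real addresses were removed.
LAN1, LAN2 = "192.168.1.0/24", "192.168.2.0/24"

def next_hop(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else "dropped"

def answer_call(username, dd_interfaces, assigned_ip):
    """Routes the answering RRAS router brings up for an incoming call."""
    if username in dd_interfaces:
        # Caller is a router: static routes bound to that interface activate.
        return [(p, "vpn-tunnel") for p in dd_interfaces[username]]
    # Caller is treated as a remote client: host route only.
    return [(assigned_ip + "/32", "vpn-tunnel")]

def build_lan2(username, gateway_static_route):
    """Per-node routing tables for LAN2 (hypothetical node names)."""
    dd = {"ddlan1": [LAN1]}  # dd interface on LAN2's RRAS plus its static route
    rras = [(LAN2, "on-link"), ("0.0.0.0/0", "usr-router")]
    rras += answer_call(username, dd, "192.168.2.200")
    usr = [(LAN2, "on-link"), ("0.0.0.0/0", "internet")]
    if gateway_static_route:
        usr.append((LAN1, "rras"))  # redirect "other site" traffic to RRAS
    client = [(LAN2, "on-link"), ("0.0.0.0/0", "usr-router")]
    return {"client": client, "usr-router": usr, "rras": rras}

def trace(nodes, start, dst, ttl=8):
    """Follow a packet hop by hop; return the path it takes."""
    path, node = [start], start
    while node in nodes:
        if len(path) > ttl:
            return path + ["ttl-expired"]  # routing loop between two nodes
        node = next_hop(nodes[node], dst)
        path.append(node)
    return path

def reply_fate(username, gateway_static_route, dst="192.168.1.50"):
    """Where a LAN2 client's reply to a LAN1 client ends up."""
    return trace(build_lan2(username, gateway_static_route), "client", dst)[-1]

if __name__ == "__main__":
    for user in ("ddlan1", "not-a-dd-name"):
        for static in (False, True):
            print(user, static, reply_fate(user, static))
```

Only the combination of a matching dd interface name and the gateway static route delivers the reply into the tunnel; a reply that ends at "internet" has left the site unencrypted toward a private address and is lost.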
