VPN and separate IP Pool Routing issue

Greg Williams

Here is the situation MS!

Internal Network 10.1.1.x

RAS Server: 2 NIC's

NIC#1 (External) = Public IP
NIC#2 (Internal) = 10.1.1.12

Because we are almost out of IP addresses on our 10.1.1.x
subnet we have to create a static pool of:

Static Pool = 10.1.98.x

Clients VPN in fine. However, the VPN CLIENT can only
ping themselves, other vpn clients on the same box
connecting to the same nic, and the internal NIC. It
will not ping any other IP address on the 10.1.1.x
network. I have created a STATIC ROUTE:

10.1.x.x ; 255.255.0.0 ; 10.1.1.1 ; Metric 1

From the VPN server I can browse the internal network and
ping 10.1.1.1 all day long, but the client is still
unable to ping 10.1.1.1

Any ideas anyone?

-Greg
 
Bill Grant

I presume you are using a netmask of 255.255.255.0 on the LAN?

When remotes are in the same subnet as the LAN machines, they do not use
any "real" IP routing. The server just acts as a proxy for the remote
client.

If you put your remote clients in their own subnet, they cannot see the
LAN subnet unless you enable IP routing on the server (ie enable LAN routing
in RRAS). It should then work as long as the VPN server is the default
gateway for the LAN. If it isn't you will need to "bounce" the 10.1.98
traffic from the default gateway device to the VPN server.
 
Greg Williams

1) Yes the netmask is 255.255.255.0

2) The proxy server is NOT the default gateway for the
clients. 10.1.1.1 is the default gateway (main router
where other WAN connections come into). Http and all
outgoing internet traffic is sent out the PIX firewall.
The VPN server is just for incoming VPN located next to
the PIX.

3) Setup for the NIC with IP Routing:

Checked = Router
Checked = LAN and demand-dial routing
Checked = Remote access server

4) Just as a FYI...ISA server is setup on this server.
However, I stop all ISA functionality and services and
it still does not work, so it is not ISA server doing
this on the external NIC.

Any more ideas?

Thanks!
 
Greg Williams

Nevermind....fixed....

Needed a static route placed in 10.1.1.1 Cisco Router

Thanks!

-Greg
 
Bill Grant

That's right. If the default router is not the VPN server, you have to
redirect (or "bounce") the traffic for the remotes back to the VPN server
(otherwise they go out to the Internet unencrypted and are lost).
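
The return-path problem resolved in this thread, as an added example that is not part of the original posts: a small longest-prefix-match simulation tracing where a LAN host's reply to a VPN client goes before and after the static route is added on 10.1.1.1. The host 10.1.1.50, the client 10.1.98.10, the /24 size of the pool and the simplified routing tables are constructed assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def build_nodes(router_has_pool_route):
    """Simplified routing tables for the three devices in the thread."""
    router = [("10.1.1.0/24", "direct"), ("0.0.0.0/0", "internet")]
    if router_has_pool_route:
        # The fix: static route on 10.1.1.1 sending the pool to the VPN server.
        router.append(("10.1.98.0/24", "10.1.1.12"))
    return {
        # 10.1.1.50 is a constructed LAN host; its gateway is 10.1.1.1.
        "lan_host": {"ip": "10.1.1.50",
                     "routes": [("10.1.1.0/24", "direct"), ("0.0.0.0/0", "10.1.1.1")]},
        "router": {"ip": "10.1.1.1", "routes": router},
        # The VPN server reaches pool clients directly over their tunnels.
        "vpn_server": {"ip": "10.1.1.12",
                       "routes": [("10.1.1.0/24", "direct"), ("10.1.98.0/24", "direct")]},
    }

def trace(nodes, start, dst, max_hops=8):
    """Follow next hops from `start` toward `dst`; return the list of hops."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = lookup(nodes[node]["routes"], dst)
        if hop is None:
            return path + ["dropped"]
        if hop == "direct":
            return path + ["delivered"]
        if hop == "internet":
            return path + ["internet"]
        node = next((n for n, v in nodes.items() if v["ip"] == hop), None)
        if node is None:
            return path + ["dropped"]
        path.append(node)
    return path + ["loop"]

if __name__ == "__main__":
    client = "10.1.98.10"  # constructed VPN client address from the static pool
    print("before:", trace(build_nodes(False), "lan_host", client))
    print("after: ", trace(build_nodes(True), "lan_host", client))
```

The request leg from the VPN server to the LAN always works because 10.1.1.x is on-link for it; only the reply leg depends on the route at the default gateway.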
 
