Win 2003 VPN: Cannot reach LAN

Guest

Hi All,

This seems to be the most common problem with a VPN setup, but none of the
solutions I've found have worked for me.

I have configured a VPN in my DC/DHCP/DNS server. This is behind an iptables
linux based firewall/NAT. I can connect to the server from the Internet, and
I can see all the server resources (shares, terminal server, etc.)

However I cannot reach any LAN host, either by IP or name.

The server has only "Remote access server" enabled (Router is disabled) and
it has no filter defined in any adapter. It is configured to provide
addresses from a pool (10.0.1.1 - 10.0.1.253, net mask 255.255.255.0). My LAN
is 10.0.0.0/24.

Any help, VERY welcomed, as I've been fighting this for over a week now.

TIA.

Edo.
 
Robert L [MS-MVP]

To access whole network resources, you need to enable Router also. Otherwise, you are limited to access the server only.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

Guest

Robert,

Thank you for your answer.

I tried what you recommend, but nothing changed.

The PPP Adapter gets this config from the VPN server:

DNS suffix :
Description : WAN (PPP/SLIP) Interface
Physical Address: : 00-53-45-00-00-00
DHCP enabled : No
IP Address : 10.0.1.2
Subnet mask : 255.255.255.255
Default gateway :
DNS Servers: 10.0.0.10
10.0.0.1
WINS Server : 10.0.0.2

Is this right? If not, how do I correct it? Any ideas?

Regards,

Edo.

SAMIRJ [MS]

If you are not able to access the LAN machines from VPN user using IP
address and routing is enabled, then it needs to be an addressing issue.
1) Ensure the default gateway on the VPN client is VPN server (i.e.
10.0.1.1). Do route print on the VPN client machine and check that.
2) Ensure the LAN clients have a route for 10.0.1.x subnet with gateway as
IP address of LAN interface of your RRAS server machine (i.e. 10.0.0.x).
You can do this via DHCP server (i.e. send the network specific route).
I am presuming your LAN machines default gateway will be your NAT/firewall
router box. Please confirm

Let me know how it goes

Regards,
Samirj
---------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.




Robert L [MS-MVP]

Posting the routing table from the VPN client may help. To do that use route print command.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

Guest

"SAMIRJ [MS]" wrote:
> If you are not able to access the LAN machines from VPN user using IP
> address and routing is enabled, then it needs to be an addressing issue.

Samirj, thank you for your help.

> 1) Ensure the default gateway on the VPN client is VPN server (i.e.
> 10.0.1.1). Do route print on the VPN client machine and check that.

ipconfig shows me no default gateway for the PPP virtual adapter. 'route
print' shows my own VPN client address: 10.0.1.3. How do I fix this?

ipconfig output:
DNS suffix :
Description : WAN (PPP/SLIP) Interface
Physical Address: : 00-53-45-00-00-00
DHCP enabled : No
IP Address : 10.0.1.3
Subnet mask : 255.255.255.255
Default gateway :
DNS Servers: 10.0.0.10
10.0.0.1
WINS Server : 10.0.0.2

Funny things: no DNS suffix, wrong subnet mask (I guess), wrong WINS server
(the right one is 10.0.0.10, but I'm assuming the VPN server creates this
virtual adapter/address).

This is the VPN client routing table (translated from Spanish Windows XP) as
Robert suggested:
===========================================================================
IInterface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0e 35 06 d8 85 ...... Intel(R) PRO/Wireless 2200BG Network Connection - SecuRemote Miniport
0x3 ...08 00 46 c8 bb 6a ...... Intel(R) PRO/100 VE Network Connection - SecuRemote Miniport
0x4 ...54 55 43 44 52 02 ...... Check Point Virtual Network Adapter For SecureClient - SecuRemote Miniport
0x60006 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active routes:
Destination Network Subnet mask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.1.4 10.0.1.4 1
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.106 31
10.0.1.4 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.0.1.4 10.0.1.4 50
64.4.52.254 255.255.255.255 192.168.0.1 192.168.0.106 30
65.54.183.202 255.255.255.255 192.168.0.1 192.168.0.106 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.106 192.168.0.106 30
192.168.0.106 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.0.255 255.255.255.255 192.168.0.106 192.168.0.106 30
200.75.26.202 255.255.255.255 192.168.0.1 192.168.0.106 30
224.0.0.0 240.0.0.0 192.168.0.106 192.168.0.106 30
224.0.0.0 240.0.0.0 10.0.1.4 10.0.1.4 1
255.255.255.255 255.255.255.255 10.0.1.4 10.0.1.4 1
255.255.255.255 255.255.255.255 192.168.0.106 3 1
255.255.255.255 255.255.255.255 192.168.0.106 192.168.0.106 1
255.255.255.255 255.255.255.255 192.168.0.106 4 1
Default Gateway: 10.0.1.3
===========================================================================
Persistent Routes:

> 2) Ensure the LAN clients have a route for 10.0.1.x subnet with gateway as
> IP address of LAN interface of your RRAS server machine (i.e. 10.0.0.x).
> You can do this via DHCP server (i.e. send the network specific route).
> I am presuming your LAN machines default gateway will be your NAT/firewall
> router box. Please confirm

(Note: My VPN server is not dual-homed, it has a single adapter. And yes,
the LAN def gateway is the NAT/firewall: 10.0.0.1)

I added this configuration to DHCP and renewed some LAN client leases, but
nothing changed. When I ping 10.0.0.13 (my test LAN client) I get a timeout
error.

I added the route using DHCP option 249 (classless static route):
destination: 10.0.1.0/255.255.255.0, gateway: 10.0.0.10 (my VPN server).

Another fact: ping from the LAN test PC to the VPN client (10.0.1.3) results
in a timeout.

> Let me know how it goes

It's still not working! What do you think?

Edo.
 
SAMIRJ [MS]

Let's not worry about name resolution for a moment and get things working
with IP address

1) Looking at your routing table of VPN client, it seems like you are
getting the default gateway address correctly. (Just a double-check - ensure
"enable default gateway check" is checked on in the VPN client - as given in
the first screenshot on
http://www.microsoft.com/technet/community/columns/cableguy/cg1003.mspx)

Try a few things:
1.1) When you do tracert from VPN client machine to LAN NIC IP addresses of
VPN server (i.e. 10.0.0.10), what do you see? Also try the same for some LAN
machine IP address (10.0.0.x)

2) Have you enabled forwarding on VPN server? Can you do "ipconfig /all" and
"route print" on VPN server and send the output?

3) Can you ensure your LAN machines are getting the route you published via
DHCP i.e. do "route print" on LAN machine

You can also connect with us directly via our blog
http://blogs.technet.com/rrasblog/contact.aspx.

Regards,
SamirJ



Guest

"SAMIRJ [MS]" wrote:
> Let's not worry about name resolution for a moment and get things working
> with IP address

Thank you again for your help.

> 1) Looking at your routing table of VPN client, it seems like you are
> getting the default gateway address correctly. (Just a double-check - ensure
> "enable default gateway check" is checked on in the VPN client - as given in
> the first screenshot on
> http://www.microsoft.com/technet/community/columns/cableguy/cg1003.mspx)

It is that way.

> Try a few things:
> 1.1) When you do tracert from VPN client machine to LAN NIC IP addresses of
> VPN server (i.e. 10.0.0.10), what do you see? Also try the same for some LAN
> machine IP address (10.0.0.x)

Sure:

tracert 10.0.0.10
Traza a 10.0.0.10 sobre caminos de 30 saltos como máximo.

1 76 ms * 72 ms 10.0.0.10

Traza completa.

tracert 10.0.0.13
Traza a 10.0.0.13 sobre caminos de 30 saltos como máximo.

1 * * * Tiempo de espera agotado para esta solicitud.
2 * * * Tiempo de espera agotado para esta solicitud.
3 * * * Tiempo de espera agotado para esta solicitud.
and so on...

> 2) Have you enabled forwarding on VPN server? Can you do "ipconfig /all" and
> "route print" on VPN server and send the output?

Forwarding? Errrrh... No. How do I do that? (I enabled routing, though)

Here's the output of 'ipconfig /all' and 'route print'

ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : tarzan
Primary Dns Suffix . . . . . . . : hq.navix.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : hq.navix.com
navix.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-11-2F-BC-0A-A9
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 127.0.0.1
10.0.0.1
Primary WINS Server . . . . . . . : 10.0.0.2

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :


route print

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 11 2f bc 0a a9 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - SecuRemote Miniport
0x10003 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.10 20
10.0.0.0 255.255.255.0 10.0.0.10 10.0.0.10 20
10.0.0.10 255.255.255.255 127.0.0.1 127.0.0.1 20
10.0.1.1 255.255.255.255 127.0.0.1 127.0.0.1 50
10.0.1.2 255.255.255.255 10.0.1.1 10.0.1.1 1
10.255.255.255 255.255.255.255 10.0.0.10 10.0.0.10 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
200.119.233.36 255.255.255.255 10.0.0.1 10.0.0.10 20
224.0.0.0 240.0.0.0 10.0.0.10 10.0.0.10 20
255.255.255.255 255.255.255.255 10.0.0.10 10.0.0.10 1
Default Gateway: 10.0.0.1
===========================================================================
Persistent Routes:
None

> 3) Can you ensure your LAN machines are getting the route you published via
> DHCP i.e. do "route print" on LAN machine

I'm sure. Here's the output of 'route print' in the LAN client:

===========================================================================
ILista de interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 20 51 d1 b4 ...... Intel(R) PRO/100 VE Network Connection - SecuRemote Miniport
===========================================================================
===========================================================================
Rutas activas:
Destino de red Máscara de red Puerta de acceso Interfaz Métrica
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.13 20
10.0.0.0 255.255.255.0 10.0.0.13 10.0.0.13 20
10.0.0.13 255.255.255.255 127.0.0.1 127.0.0.1 20
10.0.1.0 255.255.255.0 10.0.0.10 10.0.0.13 1
10.255.255.255 255.255.255.255 10.0.0.13 10.0.0.13 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.13 10.0.0.13 20
255.255.255.255 255.255.255.255 10.0.0.13 10.0.0.13 1
Puerta de enlace predeterminada: 10.0.0.1
===========================================================================
Rutas persistentes:
ninguno


Best Regards,

Ed.
 
SAMIRJ [MS]

Hmm - looks like your IP addressing + routing seems to be correct on VPN
client, VPN server as well as LAN client. Also I can see IP routing flag
(i.e. forwarding) is enabled on VPN server which is correct. But still you
are not able to access LAN machines from VPN client, but can access VPN
server resources from VPN client. Anybody else have any clues here?

1) Is any kind of filtering dropping the packets on RRAS server? like
RRAS static filters OR basic firewall?
2) Is it possible to get network packet capture by any chance
(http://support.microsoft.com/kb/243270/,
http://www.windowsnetworking.com/articles_tutorials/Analyzing-Traffic-Network-Monitor.html).
Install Netmon on RRAS server machine, start netmon on LAN adapter, connect
a VPN client, ping to LAN machine, stop netmon.

Regards,
Samirj
---------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
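
The hop-by-hop check behind the conclusion above, as an added example that is not part of the original thread: it applies longest-prefix, lowest-metric route selection to the `route print` tables posted earlier. The tables are abridged copies of the posted rows, and the function names are illustrative.

```python
"""Route-selection check over the `route print` tables posted in the thread.
Added illustration: helper names are hypothetical, tables are abridged copies."""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric")

# Rows copied from the thread. The captures come from different sessions
# (the client held 10.0.1.2, .3 and .4 at different times).
VPN_CLIENT = """
Destination Network Subnet mask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.1.4 10.0.1.4 1
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.106 31
10.0.1.4 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.0.0 255.255.255.0 192.168.0.106 192.168.0.106 30
255.255.255.255 255.255.255.255 192.168.0.106 3 1
Default Gateway: 10.0.1.3
"""
VPN_SERVER = """
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.10 20
10.0.0.0 255.255.255.0 10.0.0.10 10.0.0.10 20
10.0.0.10 255.255.255.255 127.0.0.1 127.0.0.1 20
10.0.1.1 255.255.255.255 127.0.0.1 127.0.0.1 50
10.0.1.2 255.255.255.255 10.0.1.1 10.0.1.1 1
"""
LAN_CLIENT = """
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.13 20
10.0.0.0 255.255.255.0 10.0.0.13 10.0.0.13 20
10.0.0.13 255.255.255.255 127.0.0.1 127.0.0.1 20
10.0.1.0 255.255.255.0 10.0.0.10 10.0.0.13 1
"""


def parse_route_print(text):
    """Return Route tuples for well-formed rows; headers, the trailing
    'Default Gateway' line and rows with a non-IP interface are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            routes.append(Route(
                ipaddress.ip_network(f"{fields[0]}/{fields[1]}"),
                ipaddress.ip_address(fields[2]),
                ipaddress.ip_address(fields[3]),
                int(fields[4]),
            ))
        except ValueError:
            continue
    return routes


def lookup(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes, dst):
    """Describe where a packet for dst is sent according to the table."""
    route = lookup(routes, dst)
    if route is None:
        return "unreachable"
    if route.gateway.is_loopback:
        return "local"
    if route.gateway == route.interface:
        # Windows XP/2003 prints the interface's own address as the gateway
        # for on-link routes (including the PPP tunnel interface).
        return f"on-link via {route.interface}"
    return f"gateway {route.gateway}"


if __name__ == "__main__":
    client = parse_route_print(VPN_CLIENT)
    server = parse_route_print(VPN_SERVER)
    lan = parse_route_print(LAN_CLIENT)
    # Forward path: VPN client -> tunnel -> server -> LAN host.
    print("client -> 10.0.0.13:", next_hop(client, "10.0.0.13"))
    print("server -> 10.0.0.13:", next_hop(server, "10.0.0.13"))
    # Return path: LAN host -> server (DHCP option 249 route) -> tunnel.
    print("lan    -> 10.0.1.2 :", next_hop(lan, "10.0.1.2"))
    print("server -> 10.0.1.2 :", next_hop(server, "10.0.1.2"))
    # Same reply if the LAN host had not received the 10.0.1.0/24 route.
    no_static = [r for r in lan if str(r.network) != "10.0.1.0/24"]
    print("lan (no static) -> 10.0.1.2:", next_hop(no_static, "10.0.1.2"))
```

Every lookup resolves the way the reply describes; only with the 10.0.1.0/24 row removed from the LAN client does the reply go to 10.0.0.1, the NAT/firewall, instead of the VPN server at 10.0.0.10.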



Guest

SAMIRJ,

I have no static filters I'm aware of. The basic firewall is not installed.

I'll try to give the network monitor a try and I'll start a new thread if I
find anything worth mentioning.

Thanks.

Ed.