Yet another VPN problem


Phil D

Hi all,

I have set up VPN on my local network and thought I had it all working
properly. However I have run into a slight problem in setting up the packet
filters on the external NIC.

The layout is thus :-

router (192.168.0.1)
|
|
switch ----------------------PC-----PC-----PC-----etcetc
|
|
VPN server (192.168.0.99 set in DMZ for router)
[also IIS] (192.168.0.100)

NIC 1 (x.x.x.99) is set in the router DMZ and was intended as the external
VPN card
NIC 2 (x.x.x.100) is used for web and ftp access, with port redirection set
on the router for ports 21 & 80.

As I said, I got everything up and running ok, clients could vpn in, browse
network, access web, collect email etc. I then tried to add the input
filters onto NIC 1 so that only vpn access was possible on that ip address.

The filters I added were the following input filters:

Source address   Source mask   Dest address   Dest mask         Protocol   Source port   Dest port
any              any           x.x.x.99       255.255.255.255   47         any           any
any              any           x.x.x.99       255.255.255.255   TCP        any           1723

When I did this the clients could still vpn in, but could no longer browse
the network or access shares on the network machines. After a bit of
head-scratching, I realised that the problem is that the vpn box is not
routing between the two network cards (as they're both on the same subnet).

Now I suppose one solution is to go and buy another router and modify the
network topology to this

router (10.0.0.1)-------------------
| |
| (10.0.0.3)
| (10.0.0.2) VPN box
router -------------------------- (192.168.0.100)
| (192.168.0.1)
|
switch------------PC----PC---etcetc

which I assume would work cause the vpn box would then route traffic from
one nic to the other.

However, rather than spend money, I decided to try adding extra filters to
eliminate the problem. The reason for this is that the vpn network card is
not routing to the second network card, so it must be servicing requests on
behalf of vpn clients itself. That being the case, the basic input filters
would interfere with the responses from the local network machines.

To solve this I added the following input filters:

Source address   Source mask   Dest address   Dest mask   Protocol   Source port   Dest port
192.168.0.0      /24           x.x.x.99       /32         TCP        Any           Any
192.168.0.0      /24           x.x.x.99       /32         UDP        Any           Any
192.168.0.0      /24           x.x.x.99       /32         ICMP       Any           Any
192.168.0.0      /24           x.x.x.99       /32         Any        Any           Any

Doing this again enabled the vpn clients to browse the local network again,
and see the machines on the network; however they were still unable to
access resources on those machines or even see the resources on those
machines. (I should add that I am running WINS on the vpn server, bound to
the 192.168.0.100 NIC.) I should also mention that the vpn clients obtain IP
addresses from a pool on the same subnet.

What I'd like to know is if there are more rules I can add to get my vpn
clients able to access resources on network machines again, and if so what
those rules are.

However, I may be completely wrong in my reasoning about this problem, and
the issue lies elsewhere. If so maybe someone could please let me know.

Many thanks in advance

Phil
 

Rama Krishna Amaravadi [MSFT]

Hi Phil,
In general you would want the external NIC to be in a different subnet from
the one you have for the intranet (which is 192.168.x.x).
Would the following configuration work for you?

router (10.0.0.1)
|
|
VPN server (10.0.0.2 set in DMZ for router)
[also IIS] (192.168.0.100)
|
|
switch ----------------------PC-----PC-----PC-----etcetc

Thanks,
Rama Krishna Amaravadi
--
This posting is provided "AS IS" with no warranties and confers no rights.


Phil D

Hi Rama,

Yes, this would work too. I started looking at this configuration after I
posted the article to the newsgroup last night. Unfortunately, this is the
first time I've set up an RRAS server, and at the moment I haven't yet been
able to figure out how to configure routing on the vpn box.

I have a 2nd vpn box I'm using as a test bed with the following
configuration

router (192.168.0.1)
|
|
| (192.168.0.51)
VPN box
| (10.0.0.1)
|
| (10.0.0.2)
My machine.

I assume that I need to add a static route to the VPN box under the IP
routing in the RRAS snap-in to make this work (is that correct?) but haven't
been able to find any web site to tell me how to configure it. What I mean
by that is that I can see how to do it in principle, i.e. I know where I need
to type entries in, I just don't know what those entries should be.

For example, when configuring the internal NIC, what do I put its gateway
as? (Should it be 192.168.0.51?)
Also, when adding a static route, what interface should I add it to (Int
network, Ext network, or Internal)?
Any help or pointers would be appreciated.

Phil.



Phil D

Hello again, please scratch the above message, I've looked at it again and
it doesn't say clearly what I was trying to convey. What I wanted to say
is:-

Hi Rama,

Your suggested configuration;

router (10.0.0.1)
|
|
VPN server (10.0.0.2 set in DMZ for router)
[also IIS] (192.168.0.100)
|
|
switch ----------------------PC-----PC-----PC-----etcetc

Yes, this should work too. I started looking at this configuration after I
posted the article to the newsgroup last night. Unfortunately, this is the
first time I've set up an RRAS server, and at the moment I haven't yet been
able to figure out how to configure routing on the vpn box.

I have a 2nd vpn box I'm using as a test bed with the following
configuration

router (192.168.0.1)
|
|
switch----------------PC-----PC----PC----rest of network.
|
| (192.168.0.51)
VPN box
| (10.0.0.1)
|
| (10.0.0.2)
My machine.

With this configuration the vpn from "My machine" works fine, I can browse
the network, see shares, access the internet and do email via the vpn
connection, so it is obviously routing my vpn connection correctly.

However, with this configuration, when "My machine" is not VPN'd into the
vpn box, I am unable to browse the rest of the network, etc. So, before I
move the rest of the network onto the 10.0.0.x subnet, I need to configure
the vpn box with routing so that they can access the internet etc. At the
moment "My machine" can't even ping the router without using vpn.

I have never set up routing before, and to be honest, don't know where to
start.

My router does NAT already, so do I need to configure NAT on the vpn box
also?
Do I need to install static routes between the two subnets on the vpn box,
or can I use RIP or something else?

I would basically like to make the vpn box transparent as far as normal
network operations go before I shift the other machines.

Any help would be appreciated,

Phil


Rama Krishna Amaravadi [MSFT]

Hi Phil,
I guess your VPN box is already enabled for routing. But the reason that you
are not able to ping the router may be that your default gateway on 'My
Machine' is not set properly.
Go to your NIC Properties on 'My Machine', click on 'Internet Protocol
(TCP/IP)' and click 'Properties'. Now make sure that the 'Default Gateway'
is set to '10.0.0.1' (the IP address of your VPN box).
You don't see the problem when you dial in because this is done
automatically.

Thanks,
Rama Krishna Amaravadi

--
This posting is provided "AS IS" with no warranties and confers no rights.

Rama Krishna Amaravadi [MSFT]

Hi Phil,
One more thing worth noting. I guess in the above configuration you might have selected the 10.0.0.1
interface as the one connected to the internet (in other words, the one that accepts VPN
connections). If you do this then by default the VPN box drops all the
traffic except for the VPN traffic (PPTP and L2TP/IPsec). That's why you are
not able to ping.

Thanks,
Rama Krishna Amaravadi


--
This posting is provided "AS IS" with no warranties and confers no rights.
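Both the filter tables in Phil's first post and Rama's note above turn on the same behaviour: once an RRAS interface has input filters (whether added by hand or applied by default when the interface is marked as the Internet-facing one), everything that does not match a filter is dropped. The following Python script is an added example, not code from the thread or from RRAS, and it assumes that permit-list semantics; it also assumes the posters' "x.x.x.99" placeholder is the 192.168.0.99 address in their diagram, and the sample packets are constructed. It replays Phil's two filter sets against a LAN reply, the PPTP control and GRE tunnel traffic, and an unsolicited Internet connection, which shows why the first set broke LAN access while the second set restored it without opening the server to the Internet.

```python
# Added example (not the thread's or RRAS's own code): a small evaluator for
# permit-list input filters, as the posters describe them for RRAS.
# Assumptions, labelled: (1) with one or more input filters on an interface a
# packet is accepted only if some filter matches it, else dropped; (2) the
# posters' "x.x.x.99" is the 192.168.0.99 address from their diagram;
# (3) all sample packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = None  # "any" in the posters' tables


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "TCP", "UDP", "ICMP" or an IP protocol number as text, e.g. "47"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """One input filter row; None in any field means 'any'."""
    src_net: Optional[str]     # CIDR, e.g. "192.168.0.0/24"
    dst_net: Optional[str]
    proto: Optional[str]
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net is not ANY and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net is not ANY and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not ANY and self.proto != p.proto:
            return False
        if self.sport is not ANY and self.sport != p.sport:
            return False
        if self.dport is not ANY and self.dport != p.dport:
            return False
        return True


def accepted(filters: List[Filter], p: Packet) -> bool:
    """Permit-list semantics: no filters means accept all; otherwise any match accepts."""
    if not filters:
        return True
    return any(f.matches(p) for f in filters)


VPN_SERVER = "192.168.0.99/32"   # assumption: the "x.x.x.99" DMZ address

# Phil's first filter set: PPTP only (tunnel = IP protocol 47, control = TCP 1723).
VPN_ONLY = [
    Filter(ANY, VPN_SERVER, "47"),
    Filter(ANY, VPN_SERVER, "TCP", dport=1723),
]

# Phil's second set: let machines on the same /24 answer the VPN server on
# its DMZ interface (the last row subsumes the first three).
LAN_REPLIES = [
    Filter("192.168.0.0/24", VPN_SERVER, "TCP"),
    Filter("192.168.0.0/24", VPN_SERVER, "UDP"),
    Filter("192.168.0.0/24", VPN_SERVER, "ICMP"),
    Filter("192.168.0.0/24", VPN_SERVER, ANY),
]

# Constructed sample traffic arriving on the VPN server's DMZ interface.
SAMPLES = {
    "pptp_control":    Packet("203.0.113.10", "192.168.0.99", "TCP", 40000, 1723),
    "pptp_gre":        Packet("203.0.113.10", "192.168.0.99", "47"),
    "smb_reply_lan":   Packet("192.168.0.20", "192.168.0.99", "TCP", 445, 51000),
    "internet_to_smb": Packet("203.0.113.10", "192.168.0.99", "TCP", 5000, 445),
}


def audit(filters: List[Filter]) -> dict:
    """Map each sample name to True (accepted) or False (dropped) under `filters`."""
    return {name: accepted(filters, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, fs in (("VPN-only filters", VPN_ONLY),
                      ("VPN-only + LAN reply filters", VPN_ONLY + LAN_REPLIES)):
        print(label)
        for name, ok in audit(fs).items():
            print(f"  {name:16} {'accept' if ok else 'DROP'}")
```

Under `VPN_ONLY` the LAN reply to the VPN server is dropped, which is the symptom in the first post; adding `LAN_REPLIES` accepts it while the unsolicited Internet connection to port 445 is still dropped, because its source lies outside 192.168.0.0/24. The caveat is that this second set only holds if the upstream router never forwards packets carrying internal source addresses in from the outside, which is one reason Rama's advice to put the external NIC on its own subnet is the cleaner design: the two interfaces then no longer share an address range, and no source-based exception is needed.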

Phil D

Hi Rama,

Thanks for your replies.

With regard to your suggestions, the default gateway on my machine is
correctly configured to 10.0.0.1.
As to the suggestion below that 10.0.0.1 is the internet connection for the
vpn, I've checked and that isn't the case. And besides, experimenting with
these vpn boxes I've found that I can vpn into it from any direction - it
appears to listen on all network adapters. The only thing that stops it is
packet filters and I have none configured.

What I have done is to establish NAT from the internal to external NIC, and
that allows me to access the internet, emails etc; however PCs on the
perimeter portion of the network do not appear in network neighbourhood,
even though I connect "My machine" to a WINS server in the perimeter
network. However, I think that that is the correct behaviour anyhow; I'm
getting the idea that the browser service on NT is a fiddly beast and
doesn't work well across subnets.

Best Regards

Phil



