EDP_NIAdmin

asked on

VPN Server behind firewall on single NIC

Customer is running small domain on win2k server sp4. There is a ADSL modem/firewall/router providing internet access. Customer wants VPN operational. I haven't played with VPN on windows server & have been reading up on this. Customer is not interested in buying another server for VPN so it's got to be on the DC & I'm interested in minimal disruption & reconfiguration in the network. So my question boils down to this:

Is it possible to implement VPN using only the current single internal NIC on the server?
I can configure whatever is required for routing/port passthru/etc so this is not an issue.

I did start just trying to test it but of course as soon as I installed/enable RRAS it blocked the LAN & I had to stop the server to allow LAN access.

Please note that whilst I mark my level on this as beginner, that is to do with my VPN knowledge only.

cheers
jordibartrina

Hello,

You don't need to break the customer's service to install this option.
Yes, you can support RRAS with only one NIC.

Use the wizard assistant and be aware of these points:

1st: open ports TCP 1723 and GRE (protocol 47) in your router with NAT to the RRAS server.
2nd: configure the RRAS service in your server. Only remote access, don't configure routing because it's not necessary.
3rd: in the RRAS server configure policies in order to accept incoming connections (allow almost the two rules defined by default).
4th: explain to the RRAS server where to obtain IP configuration: you can define a DHCP server, or a range of IP addresses.

Don't hesitate to contact again

HTH

ASKER

Hi Jordibartrina,

Used the wizard to do the install/config of RRAS. RRAS is stopped but configurable.
Have disabled routing.

server properties - General TAB - Enable this computer as : -> RAS only
server properties - IP TAB - "enable IP routing" unticked
server properties - IP TAB - IP address assignment - Static IP pool

Default policy is "Allow access if dial in permission enabled"

No other policies, but then these are policies for remote access.

The core issue I have is that as soon as I start the RAS server I lose ALL LAN access. Can't ping anything, PCs can't access the server. I presume the RAS server is locking down the IF because it wants it secure; how do I stop it doing this?

TFYH


Have found an area under IP Routing in RRAS: Server -> IP Routing -> General -> Local IF -> Properties.
In the General TAB I have found "Enable IP Router Management" turned on. Don't know if this makes a difference as routing is turned off, but have disabled it anyway.

Also, filters set for this interface would DEFINITELY block the LAN if they go operational. Can't test this now as the server is live, but wondering if this is the right area? Can't, as usual, find any reference to this in the Windows help.
ASKER CERTIFIED SOLUTION
jordibartrina

Thanks jordi...

Tried setting routes & modifying filters, but as soon as I enabled the server the network was killed. Investigation showed that it was killing the basic LAN routes, e.g. 192.168.0.0/24 not in the route table when the IF is 192.168.0.1/24.

So...

Killed then installed/reconfigured the server & dumped the filters & routing & it looks OK at the moment. Now I've got to see if I can get a client to connect :)

thanks again.

cheers
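The symptom the asker describes (starting RRAS removes the directly connected LAN route for the 192.168.0.1/24 interface) is easy to confirm before and after a service start by diffing the route table. The following added check is not from this thread or from Microsoft; it parses `route print`-style output (the samples below are constructed) and reports any local interface whose connected-subnet route is missing.

```python
import ipaddress
import re

# Constructed sample of Windows "route print" output after RRAS was started:
# the 192.168.0.0/24 route for the 192.168.0.1/24 interface is gone, as in the thread.
ROUTE_PRINT_BROKEN = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.0.254    192.168.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.0.1  255.255.255.255        127.0.0.1      127.0.0.1       1
  255.255.255.255  255.255.255.255      192.168.0.1    192.168.0.1       1
Default Gateway:     192.168.0.254
"""

# Constructed sample of a healthy table, with the connected-subnet route present.
ROUTE_PRINT_OK = ROUTE_PRINT_BROKEN.replace(
    "      192.168.0.1  255.255.255.255        127.0.0.1      127.0.0.1       1\n",
    "      192.168.0.0    255.255.255.0      192.168.0.1    192.168.0.1       1\n"
    "      192.168.0.1  255.255.255.255        127.0.0.1      127.0.0.1       1\n",
)

# destination, netmask, gateway, interface, metric: five whitespace-separated fields
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return (destination, netmask, gateway, interface) tuples from route print output."""
    return [m.groups()[:4] for m in map(ROUTE_LINE.match, text.splitlines()) if m]


def missing_lan_routes(route_text, interfaces):
    """For each local (ip, prefixlen) interface, report the connected-subnet route
    that should be in the table but is absent. An empty list means the LAN is reachable."""
    routes = parse_routes(route_text)
    missing = []
    for ip, prefixlen in interfaces:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        want = (str(net.network_address), str(net.netmask))
        present = any((dst, mask) == want and iface == ip for dst, mask, _gw, iface in routes)
        if not present:
            missing.append(f"{net.with_prefixlen} via {ip}")
    return missing


if __name__ == "__main__":
    print("broken:", missing_lan_routes(ROUTE_PRINT_BROKEN, [("192.168.0.1", 24)]))
    print("ok:    ", missing_lan_routes(ROUTE_PRINT_OK, [("192.168.0.1", 24)]))
```

Run it against a capture taken with RRAS stopped and again with it started; a non-empty result on the second capture points at the interface filters or static routes configured under IP Routing rather than at the LAN itself.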