TomBain

Need help setting up VPN and to figure out RRAS

Ok, I did this once before on a Windows 2000 server and it did work, but it's been so long I have obviously forgotten something.  I am new here, so if I do something wrong, I am sorry.

I have a client that wants to move from a workgroup to a domain.  They want to VPN in, so I suggested another NIC.  They also bought a Symantec Gateway 320 that will take the place of their Linksys router.  The router's IP was 192.168.1.1, and that is what I gave the Gateway 320 and we can get out to the internet.  I gave it the WAN address of *.*.*.187 with the gateway of *.*.*.185, which is what we got from the ISP.  Be aware, my experience with security devices like this is more limited than servers.  I am just starting my career. :)

Now, on the one NIC I gave it the internal IP of 192.168.1.5, made it a DC, set up DNS and DHCP, and pointed itself at 192.168.1.5 for DNS.  By my knowledge, that should be fine.  The VPN NIC I then gave the IP addy of *.*.*.186, with the subnet from the ISP, and the gateway of *.*.*.187 to point at the router.  I then went into RAS and went thru the Wizard of setting up a VPN.  But I cannot ping *.*.*.187 or *.*.*.185.  I should be able to, right?  To me it's like something is wrong with routing, but....  Anyways like I said, I set one of these up a year ago and I could ping the gateway.
TomBain

ASKER

Bumping up the points because I need an answer.  

And I forgot to mention that you can ping the router (187 and 185) and gateway from the one client in the domain.  So that tells me it's not RAS, but I am not sure.  Thanks all.
How is your hardware set up?  Step by step...

Your internet connection - What type is it T-1, Cable, ADSL.... etc.

Is there a router before the Symantec device or is the Symantec device the first stop?

How are you connecting each network to the PC?  Different switches, hubs, etc...
TomBain

ASKER

Cable modem that goes to the WAN port of the Symantec 320, then a cable goes to the switch, and then into the server and the future clients.  Pretty simple.  I tried plugging the VPN NIC right into the 320, not that I thought it would work, and it didn't.

The switch is a Linksys SR2016, and the cable is Cat 5e.  All new equipment.
Is the VPN NIC plugged into the same switch?
ASKER CERTIFIED SOLUTION
joelleo

TomBain

ASKER

GODS, thank you guys!!!!

Ok, I understand that except this.  I DID, I know DID, USE, HAVE it set up the way described it the other way with a public IP at the other place I worked.  I VPNed into it.  How is that possible???

Ok, now, I spoke to Symantec support and he said I need to forward it to 192.168.1.5, which is the IP of the server for the LAN, but RRAS never allowed.  So that I do not get because I just didn't know I could do it.  I just am not smart enough to get yes.... Sorry, just not.  Now, I see what you are saying, I did allow protocol 47 and by default port 1723 is allowed by default.  But, you're saying to allow 192.168.1.6 access explicitly.  Right?

So I think part most of it is done, but can you walk me thru part 2 and part 3 to point me to the right areas? That's something I've never done.  I think I know where it's at, but not sure what to allow to what, if you understand my babbling...

The VPN I tried plugged into the switch and the router (aka, the Gateway 320).  And the way I set it up before, with the VPN with the public IP, I tried it from an internal client, and it worked.  Thanks guys?  Upping points because it's important.  Do I have a preset amount of points per month, or what?
Quoted from TomBain:

"Ok, I understand that except this.  I DID, I know DID, USE, HAVE it set up the way described it the other way with a public IP at the other place I worked.  I VPNed into it.  How is that possible???"

Most likely the router at the other location had an additional public IP associated with its external interface forwarded to an internal interface on the VPN server - that's entirely possible. However, using a public IP address on the internal network would only work internally, and only then if your clients have an IP on that same network, or if there's another router that understands that public IP address range. That's just basic IP stuff - can't communicate if you aren't on the same IP network, or connected by a router that understands both networks.

As far as configuring RRAS for VPN connections, you have the ability to determine which IP addresses are available to VPN in to. When you first configure RRAS as a VPN server you have to choose an external interface - the interface to which people would connect their VPN. If worse comes to worst, and this RRAS box isn't supposed to serve any other functions, just unconfigure RRAS then reconfigure it as a VPN server via the wizard.

I'm not 100% certain on Symantec's process to configure port forwarding, but I'm 100% sure it's in their documentation :)

good luck!

Joel
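
The rule in the reply above (two hosts talk only if they share an IP network or sit behind a router that knows both), modelled on this thread's layout as an added example that is not part of the original posts. The 203.0.113.x addresses stand in for the masked *.*.*.x ones; the /29 mask, the client lease and all function names are assumptions.

```python
import ipaddress as ipa

# Constructed topology. 203.0.113.x stands in for the masked *.*.*.x addresses
# and the /29 mask is an assumption. Rows: (host, segment, interface address).
IFACES = [
    ("isp-gw",   "wan", "203.0.113.185/29"),
    ("firewall", "wan", "203.0.113.187/29"),
    ("firewall", "lan", "192.168.1.1/24"),
    ("server",   "lan", "192.168.1.5/24"),
    ("server",   "lan", "203.0.113.186/29"),  # VPN NIC, plugged into the LAN switch
    ("client",   "lan", "192.168.1.50/24"),   # hypothetical DHCP lease
]
GATEWAYS = {"server": "203.0.113.187", "client": "192.168.1.1"}
FORWARDS = {"firewall"}  # the only host that routes between segments


def next_hop(host, dst):
    """Return (segment, address to ARP for): connected route first, then default."""
    nets = [(ipa.ip_interface(a).network, seg) for h, seg, a in IFACES if h == host]
    connected = [(n, seg) for n, seg in nets if dst in n]
    if connected:  # on-link: longest prefix wins, ARP for the destination itself
        return max(connected, key=lambda c: c[0].prefixlen)[1], dst
    gw = ipa.ip_address(GATEWAYS[host]) if host in GATEWAYS else None
    for net, seg in nets:  # a default gateway is usable only if it is on-link
        if gw is not None and gw in net:
            return seg, gw
    return None


def owners(addr, segment=None):
    """Hosts holding addr, optionally restricted to interfaces on one segment."""
    return {h for h, seg, a in IFACES
            if ipa.ip_interface(a).ip == addr and segment in (None, seg)}


def can_reach(src, dst, hops=4):
    """Forward path only: does a packet from src arrive at the host owning dst?"""
    dst = ipa.ip_address(dst)
    if src in owners(dst):
        return True
    hop = next_hop(src, dst) if hops else None
    if hop is None:
        return False
    answering = owners(hop[1], hop[0])  # who replies to ARP on that segment
    if not answering:
        return False  # nobody does: the ping times out
    nxt = answering.pop()
    return nxt in owners(dst) or (nxt in FORWARDS and can_reach(nxt, str(dst), hops - 1))
```

In this model the server treats the public /29 as directly connected and ARPs for .187 and .185 on the LAN switch, where no interface holds them, while the client hands the same packets to 192.168.1.1 and gets through.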
TomBain

ASKER

Ok, tried it.  I set the VPN NIC to 192.168.1.6 and went thru the RRAS wizard.  I don't understand it though, because it wouldn't work.  Internal clients could not browse to the server.  If I went Start, Run, \\SERVER, it worked.  But browsing, I got a permissions denied message.  Nor could I get to the Internet.  That I'd love to understand and know what I missed.

Anyways, I called Symantec about the Port Forwarding and they told me there is a problem with the firmware of that device, so they might be looking at returning it for a Symantec 360r.