Suburb-Man
asked on
W2k RRAS PPTP NAT 1723/47=fwded FilterPassTru=PPTP&IPSec
W2k, RRAS, PPTP, NAT, 1723/47=fwded, FilterPassTru=PPTP&IPSec
Static address pool 10.20.0.1 - 10.20.0.254
On my notebook at the office on the LAN/intranet with a 10.10.10.x address I can VPN to the server 10.10.10.x.
I can Login get assigned a 10.20.0.x address.
While still at the office same as above, same connection profile as above except aiming at our WAN address; it sits at "Verifying user and password..." for 30 seconds then returns Error 721 = "the remote computer is not responding".
(Not error: 678 = "no answer")
Also tried remotely from home to WAN address with of course no success, same Error 721.
I can successfully use pcAnywhere thru the WAN IP address firewall via forwarding ports 5631&5632.
Any VPN ideas?
ASKER
The only firewall is:
LINKSYS BEFSR11 firmware 1.44.2
Filters set to allow IPSec and PPTP Pass through
Forwarding of 1723 and 47, allowing both UDP and TCP, to RRAS Server.
ASKER CERTIFIED SOLUTION
ASKER
The W2kAdvServer is a DHCP, DNS, AD, RRAS, Exchange2k, stand-alone Compaq ProLiant ML530.
Router's DHCP not enabled, it is in Gateway mode.
The router does have UPnP Forwarding and Port Triggering functions, however I am not using them.
I have the router's logging enabled and it shows the WAN/Internet connect attempt to the server.
Is there a testing tool like telnet, SamSpade, or something to troubleshoot RRAS connectivity?
Since this is becoming a bigger issue I increased the points to 500
ASKER
I got PPTP maximum security MS CHAP v2, and EAP for the VPN working without DMZ!
I suggest nobody ever ever allows a DMZ to any computer.
If you absolutely have to, get another firewall to block the other 65 thousand doors (ports) DMZ opens.
DMZ is the same as in front of the firewall; removing the DMZed PC from your LAN would be a good idea.
Access it like the hackers will, thru the internet/WAN with pcAnywhere or similar.
I found a RRAS "Remote access policy" that was blocking connections.
Did I mention I inherited this Server, yep the previous admin had blocked access with a RAS policy.
You could use them to lock down a DMZed RRAS.
Now on to the nightmare of L2TP certificates and SSL Outlook web access.
ASKER
Make sure IPSec Passthrough and/or PPTP Passthrough is enabled.
Port Forwarding:
  47   -> Server's LAN IP
  1723 -> Server's LAN IP
Port Triggering:
  Application Name   Trigger Port Range   Incoming Port Range
  1: VPN             47-47                1723-1723
  *2: VPN            50-50                500-500 (optional?)
I still cannot get my problem resolved despite testing the above suggestion. The Error 721 after the system displays "Verifying username and password" is really making me lose my hair. There must be a way out somewhere. We need to crack this in the simplest way possible.
ASKER
The problem I have always had with three different Routers/Gateways is:
They are not passing thru the GRE protocol 47!
Linksys 3 different firmware and two different routers, Symantec 320 until firmware fix.
Remove the router and test.
ASKER
I even tried DMZ to the pptp host (server) and it still wouldn't work until they got the firmware right.
I still can't get L2TP to work.
PPTP isn't secure at login (handshake), use IPSec.
I suggest the Linksys BEFSX41 VPN End Point Firewall, but not the latest firmware only to next to latest (befsx41_1453_fw)
or any router with built in IPSec VPNs, I just know the linksys ones do not require special client software.
I have the same problem
I am using a Cisco router as the gateway. When I am NATing IP to IP it is working fine,
but when I NAT port 1723 and 47 it is not working.
PPTP passthru is for internal users going to an external server (not the external address of your own server).
If you are at home and can't connect, the firewall nearest the server is not passing GRE Protocol 47.
What kind of firewall do you have?
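An added Python probe (not from this thread) for the testing-tool question and for the GRE diagnosis in the reply above: it opens only the TCP 1723 control channel and exchanges the RFC 2637 Start-Control-Connection request/reply, so a successful probe followed by Error 721 after "Verifying user name and password" isolates the fault to the GRE data channel (IP protocol 47, which is not a TCP/UDP port and is not covered by forwarding "port 47"). The host name and vendor strings are constructed values.

```python
import socket
import struct
PPTP_PORT, PPTP_MAGIC, SCC_LEN = 1723, 0x1A2B3C4D, 156   # RFC 2637 control connection
MSG_CONTROL, CTRL_SCCRQ, CTRL_SCCRP = 1, 1, 2               # control msg; Start-CC-Request/-Reply

def build_sccrq(hostname=b"pptp-probe", vendor=b"diagnostic"):
    """Build a 156-byte SCCRQ: PPTP 1.0, sync+async framing, analog+digital bearer."""
    return struct.pack(
        "!HHIHHHHIIHH64s64s",
        SCC_LEN, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRQ, 0,  # header fields, reserved0
        0x0100, 0, 3, 3, 1, 0,  # version, reserved1, framing, bearer, max channels, fw rev
        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))

def parse_sccrp(data):
    """Parse a Start-Control-Connection-Reply; return None if it is not one."""
    if len(data) < SCC_LEN:
        return None
    _length, msg_type, magic, ctrl_type = struct.unpack("!HHIH", data[:10])
    if msg_type != MSG_CONTROL or magic != PPTP_MAGIC or ctrl_type != CTRL_SCCRP:
        return None
    version, result, error = struct.unpack("!HBB", data[12:16])
    hostname = data[28:92].split(b"\0", 1)[0].decode("ascii", "replace")
    vendor = data[92:156].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"version": version, "result": result, "error": error,
            "hostname": hostname, "vendor": vendor, "ok": result == 1}

def check_pptp_control(host, port=PPTP_PORT, timeout=5.0):
    """Exchange SCCRQ/SCCRP over TCP 1723; return (status, details). status is 'tcp-blocked'
    (nothing listening/forwarded), 'no-reply' (connected, no valid SCCRP), 'control-refused'
    (result code != 1) or 'control-ok'. 'control-ok' plus Error 721 after "Verifying user
    name and password" means GRE (IP protocol 47, not TCP/UDP port 47) is being dropped."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out or unreachable: TCP 1723 never arrived
        return "tcp-blocked", str(exc)
    data = b""
    with sock:
        try:
            sock.sendall(build_sccrq())
            while len(data) < SCC_LEN:  # SCCRP is a fixed 156 bytes
                chunk = sock.recv(SCC_LEN - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:  # reset or silent drop after the TCP handshake
            pass
    reply = parse_sccrp(data)
    if reply is None:
        return "no-reply", data[:16].hex()
    return ("control-ok" if reply["ok"] else "control-refused"), reply
```

Run `check_pptp_control("203.0.113.10")` (placeholder WAN address) from outside the LAN; it needs no special privileges because no GRE traffic is generated.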