Solved

Network Topology & VPN

Posted on 2004-03-31
8
543 Views
Last Modified: 2006-11-17
Brief overview of the current network setup

|router| ---- |firewall| ---- |switch(s)| ---- w2k server and rest of LAN

Problem:

I am trying to setup up a user to access the corporate network using PPTP.  I have configured the VPN server using RRAS built into 2k server, and everything appears to be functioning correctly internally.  The problem I am having deals with the way the traffic is being routed through the firewall.  I only have the two ports on the firewall (one for the router and one for the LAN).  I have turned on NAT to allow traffic to specific computers on the LAN from the outside world and that is working fine.  That being said, when I try to connect to the VPN server, I always get some type of error message (I think the last one was 721).  I think the problem is not with the setup of the VPN server, but with the way NAT is handling the traffic.  I can get to the server (It tries to login), but when the VPN server sends traffic back to the client, I think the firewall is dropping it.  I do have port 1723 and Protocol 47 open.  Here is a graphic depiction:

Client computer initiates VPN session to the public address of the VPN server 216.145.1.xxx
Firewall recognizes the traffic to the VPN server and NAT translates the 216.145.1.xxx to the private address 192.168.20.40.
VPN server tries to send the info back to the client (using the private address I think)
The firewall doesn't relay the info to the client
Client gets the error message (721 I think).

The VPN server does have 2 NIC cards available, but seeing how the firewall only has the two ports, the second NIC card is disabled right now.  My question is this...

How do I configure the network for this to work properly.  I suppose I could put a hub between the router and the firewall using the second NIC card and a public address, but that would open the VPN server to all sorts of unwanted traffic.  Any help at all would be appreciated.

Thanks,
J
0
Comment
Question by:jbayness
  • 4
  • 3
8 Comments
 
LVL 2

Expert Comment

by:noamkrief
ID: 10729177
i have that same problem. I have a cheezy linksys router which has a problem forwarding the VPN protocol to a win2k server.

It's very wierd. If you have my model of linksys router and a win2k VPN serber, it doesn't work :) funny.

I resorted to SSH tunneling which i think is faster and know is way more secure with key authentication.
With VPN, all users have to know is my username / password.
SSH they need my key file, username, and passphrase...

I hope you figure out the VPN.
Try setting it up as DMZ. That will open it up completely.
Noam
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10732517
What is on the other end? You are connecting from home with a router in place? If you are running NAT from the client end make sure that you have the correct settings on that router. I would switch to l2tp instead. If you check the firewall logs does any dropped packets from either side of the tunnel show up?
0
 

Author Comment

by:jbayness
ID: 10733156
I have a linksys on the other side (home) and a sonicwall soho 3 on the office side.  There is nothing in the firewall logs about dropped packets...  I have tried from a different home location without a router with no success either.  I will mess with L2tp this afternoon and post back the results.
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10733384
Quick question, do you have any other software installed like zonealarm or cisco vpn client?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:jbayness
ID: 10733465
nope.  I just have what I mentioned before.  Will this even work with NAT turned on?
0
 
LVL 11

Accepted Solution

by:
ewtaylor earned 500 total points
ID: 10733706
The soho 3 is a firewall with a vpn endpoint. You do not need the microsoft vpn server just install the sonicwall client and setup the soho as the vpn server.
0
 

Author Comment

by:jbayness
ID: 10736192
I am going to award the points to ewtaylor...his last point pointed me in the right direction (back to the firewall itself).  I updated the firmware on the soho3 to 6.5.x.  That added a few more features...namely TRANVERSE NAT.  guess what.  I am up and running beautifully.  Thanks for the help guys.
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10736335
No problem, thanks for the points.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Greetings, Experts! First let me state that this website is top notch. I thoroughly enjoy the community that is shared here; those seeking help and those willing to sacrifice their time to help. It is fantastic. I am writing this article at th…
Enterprise networks where VoIP phones have been deployed frequently use port configurations that allow both a computer and an IP phone to be plugged into the same switch port but use different VLANs. On Cisco equipment I'm referring to the "native V…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now