Network Topology & VPN
Posted on 2004-03-31
Brief overview of the current network setup
|router| ---- |firewall| ---- |switch(s)| ---- w2k server and rest of LAN
I am trying to setup up a user to access the corporate network using PPTP. I have configured the VPN server using RRAS built into 2k server, and everything appears to be functioning correctly internally. The problem I am having deals with the way the traffic is being routed through the firewall. I only have the two ports on the firewall (one for the router and one for the LAN). I have turned on NAT to allow traffic to specific computers on the LAN from the outside world and that is working fine. That being said, when I try to connect to the VPN server, I always get some type of error message (I think the last one was 721). I think the problem is not with the setup of the VPN server, but with the way NAT is handling the traffic. I can get to the server (It tries to login), but when the VPN server sends traffic back to the client, I think the firewall is dropping it. I do have port 1723 and Protocol 47 open. Here is a graphic depiction:
Client computer initiates VPN session to the public address of the VPN server 216.145.1.xxx
Firewall recognizes the traffic to the VPN server and NAT translates the 216.145.1.xxx to the private address 192.168.20.40.
VPN server tries to send the info back to the client (using the private address I think)
The firewall doesn't relay the info to the client
Client gets the error message (721 I think).
The VPN server does have 2 NIC cards available, but seeing how the firewall only has the two ports, the second NIC card is disabled right now. My question is this...
How do I configure the network for this to work properly. I suppose I could put a hub between the router and the firewall using the second NIC card and a public address, but that would open the VPN server to all sorts of unwanted traffic. Any help at all would be appreciated.