We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

Network Topology & VPN

jbayness
jbayness asked
on
Medium Priority
576 Views
Last Modified: 2006-11-17
Brief overview of the current network setup

|router| ---- |firewall| ---- |switch(s)| ---- w2k server and rest of LAN

Problem:

I am trying to setup up a user to access the corporate network using PPTP.  I have configured the VPN server using RRAS built into 2k server, and everything appears to be functioning correctly internally.  The problem I am having deals with the way the traffic is being routed through the firewall.  I only have the two ports on the firewall (one for the router and one for the LAN).  I have turned on NAT to allow traffic to specific computers on the LAN from the outside world and that is working fine.  That being said, when I try to connect to the VPN server, I always get some type of error message (I think the last one was 721).  I think the problem is not with the setup of the VPN server, but with the way NAT is handling the traffic.  I can get to the server (It tries to login), but when the VPN server sends traffic back to the client, I think the firewall is dropping it.  I do have port 1723 and Protocol 47 open.  Here is a graphic depiction:

Client computer initiates VPN session to the public address of the VPN server 216.145.1.xxx
Firewall recognizes the traffic to the VPN server and NAT translates the 216.145.1.xxx to the private address 192.168.20.40.
VPN server tries to send the info back to the client (using the private address I think)
The firewall doesn't relay the info to the client
Client gets the error message (721 I think).

The VPN server does have 2 NIC cards available, but seeing how the firewall only has the two ports, the second NIC card is disabled right now.  My question is this...

How do I configure the network for this to work properly.  I suppose I could put a hub between the router and the firewall using the second NIC card and a public address, but that would open the VPN server to all sorts of unwanted traffic.  Any help at all would be appreciated.

Thanks,
J
Comment
Watch Question

i have that same problem. I have a cheezy linksys router which has a problem forwarding the VPN protocol to a win2k server.

It's very wierd. If you have my model of linksys router and a win2k VPN serber, it doesn't work :) funny.

I resorted to SSH tunneling which i think is faster and know is way more secure with key authentication.
With VPN, all users have to know is my username / password.
SSH they need my key file, username, and passphrase...

I hope you figure out the VPN.
Try setting it up as DMZ. That will open it up completely.
Noam

Commented:
What is on the other end? You are connecting from home with a router in place? If you are running NAT from the client end make sure that you have the correct settings on that router. I would switch to l2tp instead. If you check the firewall logs does any dropped packets from either side of the tunnel show up?

Author

Commented:
I have a linksys on the other side (home) and a sonicwall soho 3 on the office side.  There is nothing in the firewall logs about dropped packets...  I have tried from a different home location without a router with no success either.  I will mess with L2tp this afternoon and post back the results.

Commented:
Quick question, do you have any other software installed like zonealarm or cisco vpn client?

Author

Commented:
nope.  I just have what I mentioned before.  Will this even work with NAT turned on?
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
I am going to award the points to ewtaylor...his last point pointed me in the right direction (back to the firewall itself).  I updated the firmware on the soho3 to 6.5.x.  That added a few more features...namely TRANVERSE NAT.  guess what.  I am up and running beautifully.  Thanks for the help guys.

Commented:
No problem, thanks for the points.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.