Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Network Topology & VPN

Posted on 2004-03-31
8
Medium Priority
?
556 Views
Last Modified: 2006-11-17
Brief overview of the current network setup

|router| ---- |firewall| ---- |switch(s)| ---- w2k server and rest of LAN

Problem:

I am trying to setup up a user to access the corporate network using PPTP.  I have configured the VPN server using RRAS built into 2k server, and everything appears to be functioning correctly internally.  The problem I am having deals with the way the traffic is being routed through the firewall.  I only have the two ports on the firewall (one for the router and one for the LAN).  I have turned on NAT to allow traffic to specific computers on the LAN from the outside world and that is working fine.  That being said, when I try to connect to the VPN server, I always get some type of error message (I think the last one was 721).  I think the problem is not with the setup of the VPN server, but with the way NAT is handling the traffic.  I can get to the server (It tries to login), but when the VPN server sends traffic back to the client, I think the firewall is dropping it.  I do have port 1723 and Protocol 47 open.  Here is a graphic depiction:

Client computer initiates VPN session to the public address of the VPN server 216.145.1.xxx
Firewall recognizes the traffic to the VPN server and NAT translates the 216.145.1.xxx to the private address 192.168.20.40.
VPN server tries to send the info back to the client (using the private address I think)
The firewall doesn't relay the info to the client
Client gets the error message (721 I think).

The VPN server does have 2 NIC cards available, but seeing how the firewall only has the two ports, the second NIC card is disabled right now.  My question is this...

How do I configure the network for this to work properly.  I suppose I could put a hub between the router and the firewall using the second NIC card and a public address, but that would open the VPN server to all sorts of unwanted traffic.  Any help at all would be appreciated.

Thanks,
J
0
Comment
Question by:jbayness
  • 4
  • 3
8 Comments
 
LVL 2

Expert Comment

by:noamkrief
ID: 10729177
i have that same problem. I have a cheezy linksys router which has a problem forwarding the VPN protocol to a win2k server.

It's very wierd. If you have my model of linksys router and a win2k VPN serber, it doesn't work :) funny.

I resorted to SSH tunneling which i think is faster and know is way more secure with key authentication.
With VPN, all users have to know is my username / password.
SSH they need my key file, username, and passphrase...

I hope you figure out the VPN.
Try setting it up as DMZ. That will open it up completely.
Noam
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10732517
What is on the other end? You are connecting from home with a router in place? If you are running NAT from the client end make sure that you have the correct settings on that router. I would switch to l2tp instead. If you check the firewall logs does any dropped packets from either side of the tunnel show up?
0
 

Author Comment

by:jbayness
ID: 10733156
I have a linksys on the other side (home) and a sonicwall soho 3 on the office side.  There is nothing in the firewall logs about dropped packets...  I have tried from a different home location without a router with no success either.  I will mess with L2tp this afternoon and post back the results.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 11

Expert Comment

by:ewtaylor
ID: 10733384
Quick question, do you have any other software installed like zonealarm or cisco vpn client?
0
 

Author Comment

by:jbayness
ID: 10733465
nope.  I just have what I mentioned before.  Will this even work with NAT turned on?
0
 
LVL 11

Accepted Solution

by:
ewtaylor earned 1500 total points
ID: 10733706
The soho 3 is a firewall with a vpn endpoint. You do not need the microsoft vpn server just install the sonicwall client and setup the soho as the vpn server.
0
 

Author Comment

by:jbayness
ID: 10736192
I am going to award the points to ewtaylor...his last point pointed me in the right direction (back to the firewall itself).  I updated the firmware on the soho3 to 6.5.x.  That added a few more features...namely TRANVERSE NAT.  guess what.  I am up and running beautifully.  Thanks for the help guys.
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10736335
No problem, thanks for the points.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Enterprise networks where VoIP phones have been deployed frequently use port configurations that allow both a computer and an IP phone to be plugged into the same switch port but use different VLANs. On Cisco equipment I'm referring to the "native V…
Resolve DNS query failed errors for Exchange
Integration Management Part 2
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question