VPN Server behind a NAT enabled router

Posted on 2004-11-18
Last Modified: 2013-11-29
Hello All,
        I want to set up a VPN connection for our intranet. We have an SBS 2000 server set up with ISA firewall. The SBS 2000 is connected to the internet using a DSL router, a D-Link 504. The router has NAT enabled on it, and I have port redirect enabled to forward port 1723 to the SBS 2000 server. I am able to connect and test the VPN from within our network, but I am not able to connect to the VPN from outside our network. When I try to connect to the VPN server from outside our network, the Windows XP client hangs on the login screen and keeps on saying that it's authenticating the username and password. How can I get the VPN running from outside our network? What needs to be done to enable VPN access with the current setup?
Question by: bindweb

    Expert Comment

    On the Small Business Server you specify you are using the ISA firewall. I don't personally use it; however, that seems to be causing your problem. If you check out it should explain how to allow the ports through.

    I'm assuming you're not calling the internal IP address (192.168.0.X etc. or the likes) because you seem quite knowledgeable :)..

    Expert Comment

    Try forwarding 443 and 4500 as well.

    Expert Comment

    Nope it is a different problem.

    VPN, at least the type based on PPTP and not L2TP, also needs to have protocol 47, GRE, forwarded to the VPN server.

    This is an IP protocol but not TCP or UDP. It is protocol 47, GRE which stands for Generic Route Encapsulation.

    more info on

    When this is not forwarded you will see the logon screen but it will eventually fail and hang up.

    I am not sure how to do this on the D-Link router. Normally you would telnet to your router and look in the NAT area to make a static route for protocol 47 inwards to your VPN machine.

    Hope this helps
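The symptom described above (control channel on TCP 1723 comes up, then the logon hangs because the GRE data channel never returns) can be confirmed from a capture on the VPN server's LAN interface. The following is an added example, not code from this thread: it parses constructed tcpdump-style text lines (sample addresses and format are assumed) and maps the packet counts to the NAT or firewall condition they point at.

```python
import re

# Constructed sample capture (tcpdump-style text, not from the thread):
# the TCP 1723 control channel completes, the server sends GRE to the
# client, but no GRE ever comes back. That is the "hangs while
# authenticating" symptom of a router forwarding 1723 but not protocol 47.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 203.0.113.10.40001 > 192.168.0.2.1723: Flags [S], seq 1
12:00:01.010 IP 192.168.0.2.1723 > 203.0.113.10.40001: Flags [S.], seq 2, ack 2
12:00:01.020 IP 203.0.113.10.40001 > 192.168.0.2.1723: Flags [.], ack 3
12:00:02.000 IP 192.168.0.2 > 203.0.113.10: GREv1, call 1, seq 1, length 40
12:00:03.000 IP 192.168.0.2 > 203.0.113.10: GREv1, call 1, seq 2, length 40
"""

TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[(\S+)\]")
GRE_RE = re.compile(r"IP ([\d.]+) > ([\d.]+): GREv\d")

def summarize(capture, server_ip):
    """Count PPTP control (TCP 1723) and GRE (IP protocol 47) packets per direction."""
    s = {"ctl_in": 0, "ctl_synack": 0, "gre_in": 0, "gre_out": 0}
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if dst == server_ip and dport == "1723":
                s["ctl_in"] += 1
            elif src == server_ip and sport == "1723" and flags == "S.":
                s["ctl_synack"] += 1
            continue
        m = GRE_RE.search(line)
        if m:
            src, dst = m.groups()
            if dst == server_ip:
                s["gre_in"] += 1
            elif src == server_ip:
                s["gre_out"] += 1
    return s

def diagnose(capture, server_ip):
    """Map the counts to the NAT/firewall condition they point at."""
    s = summarize(capture, server_ip)
    if s["ctl_in"] == 0:
        return "NO_CONTROL_CHANNEL"         # TCP 1723 never reached the server: check the port redirect
    if s["gre_out"] and not s["gre_in"]:
        return "GRE_NOT_FORWARDED_INBOUND"  # router passes 1723 but does not NAT protocol 47
    if s["gre_in"] and not s["gre_out"]:
        return "SERVER_NOT_ANSWERING_GRE"   # look at host firewall (e.g. ISA) rules for protocol 47
    if s["gre_in"] and s["gre_out"]:
        return "PPTP_OK"
    return "NO_GRE_EITHER_WAY"              # control channel only; the tunnel never started
```

Run it against a real capture by replacing the constructed text with the output of `tcpdump -n 'tcp port 1723 or proto 47'` on the server.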


    Expert Comment

    The D-Link DSL-504 only supports VPN pass-through. This means it can support a VPN client connecting from the LAN side out to a VPN server on the Internet.

    However the firmware version is highly significant, earlier versions were broken.

    The first version to support it was Version R2.02.b2t8au/uk (Gen-I) Jun 28, 2002, but later versions reintroduced problems.

    See this page for more information:

    I believe, although I haven't tested it, that if you put your VPN server in the router's "DMZ" by setting its LAN IP address in the "DMZ IP Address" setting of the "NAT Configuration" page of the router control panel, it *might* support VPN.

    If you do that you must ensure you properly firewall the VPN server!


    Expert Comment

    Ah, just fiddled around with my DSL router (Alcatel Speedtouch) and here it is.

    Most of the time you would use the web interface to make changes in your router; however, the Alcatel has a lot more features, but these are not implemented in the web tool. Therefore you have to telnet into the router (SSH for the paranoid/wise amongst us).

    For the Alcatel the command is:

    Nat create protocol=47 inside_address='your inside address' outside_address='your outside address'

    Your router probably can do something similar (if at all capable of routing this protocol).


    Accepted Solution

    OK, another check. It appears your D-Link 504 is not capable of doing GRE. The only option you would have is placing the VPN machine in the DMZ.

    The only other option, if you do not want to do this, is to replace the router with one that does GRE.


    Author Comment

    Yes, that was the case. It seems that the D-Link router is not allowing the GRE protocol 47 through it, so I created a DMZ and it worked :) Thanks for that. I will, however, give altering the firmware a try to see if I can make that work with NAT, but I am not that hopeful about it.
    Thanks a lot everyone for your contribution. I think Dustbak sorted this issue out for me, so I will accept his response.
