
VPN Server behind a NAT enabled router

Hello All,
I want to set up a VPN connection for our intranet. We have an SBS 2000 server set up with ISA firewall. The SBS 2000 is connected to the internet using a DSL router, a D-Link 504. The router has NAT enabled on it, and I have port redirect enabled to forward port 1723 to the SBS 2000 server. I am able to connect and test the VPN from within our network, but I am not able to connect to the VPN from outside our network. When I try to connect to the VPN server from outside our network, the Windows XP client hangs on the login screen and keeps on saying that it's authenticating the username and password. How can I get the VPN running from outside our network? What needs to be done to enable VPN access with the current setup?
1 Solution
On the Small Business Server you specify you are using the ISA firewall. I don't personally use it; however, that seems to be causing your problem. If you check out http://www.experts-exchange.com/Security/Firewalls/Q_20872432.html it should explain how to allow the ports through.

I'm assuming you're not calling the internal IP address (192.168.0.X etc. or the likes) because you seem quite knowledgeable :)..
Andy Lear commented:
try forwarding 443 and 4500 as well
Nope, it is a different problem.

VPN, at least the type based on PPTP and not L2TP, also needs to have protocol 47, GRE, forwarded to the VPN server.

This is an IP protocol but not TCP or UDP. It is protocol 47, GRE which stands for Generic Route Encapsulation.

More info on http://support.microsoft.com/?id=241251

When this is not forwarded you will see the logon screen but it will eventually fail and hang up.

I am not sure how to do this on the D-Link router. Normally you would telnet to your router and look in the NAT area to make a static route for protocol 47 inwards to your VPN machine.

Hope this helps


The D-Link DSL-504 only supports VPN pass-through. This means it can support a VPN client connecting from the LAN side out to a VPN server on the Internet.

However, the firmware version is highly significant; earlier versions were broken.

The first version to support it was Version R2.02.b2t8au/uk (Gen-I) Jun 28, 2002, but later versions reintroduced problems.

See this page for more information: http://shadow.sentry.org/~trev/dsl50x.html

I believe, although I haven't tested it, that if you put your VPN server in the router's "DMZ" by setting its LAN IP address in the "DMZ IP Address" setting of the "NAT Configuration" page of the router control panel, it *might* support VPN.

If you do that you must ensure you properly firewall the VPN server!

Ah, just fiddled around with my DSL router (Alcatel Speedtouch) and here it is.

Most of the time you would use the web interface to make changes in your router; however, the Alcatel has a lot more features, but these are not implemented in the web tool. Therefore you have to telnet into the router (SSH for the paranoids/wise amongst us).

For the Alcatel the command is:

Nat create protocol=47 inside_address='your inside address' outside_address='your outside address'

Your router probably can do something similar (if at all capable of routing this protocol).

OK, another check. It appears your D-Link 504 is not capable of doing GRE. The only option you would have is placing the VPN machine in the DMZ.

The only other option, if you do not want to do this, is to replace the router with one that does GRE.
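To make the point of the three posts above concrete (PPTP needs TCP 1723 plus IP protocol 47, a port-based NAT entry cannot match GRE because GRE has no ports, and a DMZ host is the fallback when the router cannot create a protocol-47 entry), here is an added example that is not from the thread or from any router vendor. It is a toy NAT forwarding table in Python: it builds two constructed inbound packets, the PPTP control connection (TCP to port 1723) and a GRE data packet, and shows where each lands under a 1723-only table, a 1723-plus-GRE table, and a DMZ-host setting. The addresses 192.168.0.10, 203.0.113.5 and 198.51.100.7 are assumptions for the demonstration.

```python
"""Toy NAT port-forward table for the PPTP / GRE case (added example).

Constructed packets and addresses only; nothing here talks to a real router.
"""
import socket
import struct
from typing import List, Optional, Tuple

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47          # Generic Routing Encapsulation: an IP protocol, not a port

VPN_SERVER = "192.168.0.10"   # assumed LAN address of the VPN server
ROUTER_WAN = "203.0.113.5"    # assumed public address of the router (documentation range)
REMOTE_CLIENT = "198.51.100.7"  # assumed address of the XP client on the Internet

# A rule is (ip_protocol, destination_port_or_None, target_host).
# dport None means "match the protocol regardless of ports", which is the
# only way a rule can ever match GRE.
Rule = Tuple[int, Optional[int], str]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 header (no options, checksum zeroed) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Extract what a NAT engine keys on: protocol, addresses, and the
    destination port, which exists only for TCP and UDP."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "dport": None}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        _, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        info["dport"] = dport
    # For GRE the bytes after the IP header are flags/version, not ports,
    # so dport stays None and a port-based rule can never match it.
    return info


def apply_forwarding(packet: bytes, rules: List[Rule], dmz_host: Optional[str] = None) -> Optional[str]:
    """Return the LAN host an inbound packet is forwarded to, or None if the
    router drops it. dmz_host receives everything no rule matched."""
    info = parse_ipv4(packet)
    for proto, dport, target in rules:
        if info["proto"] == proto and (dport is None or info["dport"] == dport):
            return target
    return dmz_host


def simulate(rules: List[Rule], dmz_host: Optional[str] = None) -> dict:
    """Send the PPTP control packet and a GRE data packet through the table."""
    # TCP SYN from an ephemeral port to 1723 (20-byte TCP header, no options)
    tcp_syn = build_ipv4(REMOTE_CLIENT, ROUTER_WAN, IPPROTO_TCP,
                         struct.pack("!HHIIBBHHH", 40000, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0))
    # Enhanced GRE header as PPTP uses it: K and S flags set, version 1,
    # protocol type 0x880B (PPP), followed by constructed filler bytes
    gre_pkt = build_ipv4(REMOTE_CLIENT, ROUTER_WAN, IPPROTO_GRE,
                         bytes.fromhex("3001880b") + b"\x00" * 12)
    return {"tcp_1723": apply_forwarding(tcp_syn, rules, dmz_host),
            "gre": apply_forwarding(gre_pkt, rules, dmz_host)}


PORT_ONLY: List[Rule] = [(IPPROTO_TCP, 1723, VPN_SERVER)]
PORT_AND_GRE: List[Rule] = PORT_ONLY + [(IPPROTO_GRE, None, VPN_SERVER)]

if __name__ == "__main__":
    # Control channel reaches the server, GRE is dropped: the client gets as far
    # as the logon screen and then hangs, exactly the symptom in the question.
    print("1723 only       :", simulate(PORT_ONLY))
    # Both reach the server: what the protocol-47 NAT entry achieves.
    print("1723 + proto 47 :", simulate(PORT_AND_GRE))
    # DMZ host: everything unmatched lands on the server, GRE included.
    print("DMZ host        :", simulate(PORT_ONLY, dmz_host=VPN_SERVER))
```

The DMZ run also shows why the earlier warning about firewalling the VPN server matters: with a DMZ host every unmatched inbound packet is delivered to it, not just the two PPTP flows, so the host-based firewall has to do the filtering the router no longer does.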

bindweb (Author) commented:
Yes, that was the case. It seems that the D-Link router is not allowing the GRE protocol 47 through it, so I created a DMZ and it worked :) Thanks for that. I will however try to give it a try with altering the firmware if I can make that work with NAT, but I am not that hopeful with that.
Thanks a lot everyone for your contribution, I think Dustbak sorted this issue out for me, so I will accept his response.
