VPN Server behind a NAT enabled router

Hello All,
I want to set up a VPN connection for our intranet. We have an SBS 2000 server set up with ISA firewall. The SBS 2000 is connected to the internet using a DSL router, a Dlink 504. The router has NAT enabled on it, and I have port redirect enabled to forward port 1723 to the SBS 2000 server. I am able to connect and test the VPN from within our network, but I am not able to connect to the VPN from outside our network. When I try to connect to the VPN server from outside our network, the Windows XP client hangs on the login screen and keeps saying that it's authenticating the username and password. How can I get the VPN running from outside our network? What needs to be done to enable VPN access with the current setup?

On the Small Business Server you specify you are using the ISA firewall. I don't personally use it; however, that seems to be causing your problem. If you check out http://www.experts-exchange.com/Security/Firewalls/Q_20872432.html it should explain how to allow the ports through.

I'm assuming you're not calling the internal IP address (192.168.0.X or the like) because you seem quite knowledgeable :)
Andy Lear Commented:
try forwarding 443 and 4500 as well
Nope it is a different problem.

VPN, at least the type based on PPTP and not L2TP, also needs to have protocol 47, GRE, forwarded to the VPN server.

This is an IP protocol but not TCP or UDP. It is protocol 47, GRE which stands for Generic Route Encapsulation.

More info at http://support.microsoft.com/?id=241251

When this is not forwarded you will see the logon screen but it will eventually fail and hang up.

I am not sure how to do this on the Dlink router. Normally you would telnet to your router and look in the NAT area to make a static route for protocol 47 inwards to your VPN machine.

Hope this helps
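
An added example, not part of the original thread: one way to confirm the diagnosis above from packets captured on the VPN server is to check whether PPTP control traffic (TCP 1723) arrives without any GRE (IP protocol 47). The function names and the sample packets are constructed for illustration.

```python
import socket
import struct

PPTP_PORT = 1723           # PPTP control channel (TCP)
PROTO_TCP, PROTO_GRE = 6, 47
PPP_IN_GRE = 0x880B        # protocol type in PPTP's enhanced GRE header (RFC 2637)

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet as 'control', 'gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, payload = packet[9], packet[ihl:]
    if len(payload) < 4:
        return "other"
    first, second = struct.unpack("!HH", payload[:4])
    if proto == PROTO_TCP and PPTP_PORT in (first, second):
        return "control"                  # source or destination port is 1723
    if proto == PROTO_GRE and first & 0x7 == 1 and second == PPP_IN_GRE:
        return "gre"                      # GRE version 1 carrying PPP
    return "other"

def diagnose(packets) -> str:
    """Summarise what reached the VPN server."""
    kinds = {classify(p) for p in packets}
    if "control" not in kinds:
        return "no TCP 1723: check the port forward"
    if "gre" not in kinds:
        return "TCP 1723 but no GRE: NAT device is not passing protocol 47"
    return "control and GRE both arrive: look past the NAT device"

# --- constructed sample packets (not from a real capture) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left at 0) around a payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton("203.0.113.10"),
                       socket.inet_aton("192.168.0.2")) + payload

TCP_1723 = struct.pack("!HH", 49152, PPTP_PORT) + bytes(16)   # ports + zeroed rest
GRE_PPP = struct.pack("!HHHHI", 0x3001, PPP_IN_GRE, 0, 1, 0)  # K+S flags, version 1

PORT_FORWARD_ONLY = [ipv4(PROTO_TCP, TCP_1723)] * 3
SERVER_IN_DMZ = [ipv4(PROTO_TCP, TCP_1723), ipv4(PROTO_GRE, GRE_PPP)]

if __name__ == "__main__":
    print(diagnose(PORT_FORWARD_ONLY))
    print(diagnose(SERVER_IN_DMZ))
```
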


The Dlink DSL-504 only supports VPN pass-through. This means it can support a VPN client connecting from the LAN side out to a VPN Server on the Internet.

However, the firmware version is highly significant; earlier versions were broken.

The first version to support it was Version R2.02.b2t8au/uk (Gen-I) Jun 28, 2002, but later versions reintroduced problems.

See this page for more information: http://shadow.sentry.org/~trev/dsl50x.html

I believe, although I haven't tested it, that if you put your VPN server in the router's "DMZ" by setting its LAN IP address in the "DMZ IP Address" setting of the "NAT Configuration" page of the router control panel, it *might* support VPN.

If you do that you must ensure you properly firewall the VPN server!

Ah, just fiddled around with my DSL router (Alcatel Speedtouch) and here it is.

Most of the time you would use the web interface to make changes in your router; however, the Alcatel has a lot more features, but these are not implemented in the web tool. Therefore you have to telnet into the router (SSH for the paranoid/wise amongst us).

For the Alcatel the command is:

Nat create protocol =47 inside_address = 'your inside address' outside_address = 'your outside address'

Your router probably can do something similar (if at all capable of routing this protocol).

OK, another check. It appears your Dlink 504 is not capable of doing GRE. The only option you would have is placing the VPN machine in the DMZ.

The only other option, if you do not want to do this, is to replace the router with one that does GRE.


bindweb Author Commented:
Yes, that was the case. It seems that the DLink router is not allowing GRE protocol 47 through it, so I created a DMZ and it worked :) Thanks for that. I will, however, try altering the firmware to see if I can make that work with NAT, but I am not that hopeful about it.
Thanks a lot everyone for your contribution, I think Dustbak sorted this issue out for me, so I will accept his response.