VPN question - how to setup when behind router with NAT

Hello!
I want to set up a Windows 2003 server as a VPN server.
The server is behind a router that runs NAT.

Is any special configuration needed on the server for this to work?

(like under the IP routing on the RRAS MMC - general/static routes, DHCP relay, IGMP, NAT/basic firewall).
What should the settings for these be?
rj2
Asked:
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer; IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator. Commented:
Setup your RRAS using the custom configuration, (for 1 NIC).  Select VPN server and follow the default prompts.  That's it for the RRAS server.

On your firewall/Router, you need to open up port TCP 1723 and forward that to the IP address of the VPN server.  Depending on the model, you may also have to enable GRE (IP Protocol 47).

Some routers have a PPTP passthrough which makes this a 1 step process.

Anyway, that's all there is to it.  A VPN request hits the firewall/Router and that device forwards that port 1723 request on to the ip of the server for it to act on.
 
rj2 (Author) Commented:
OK, that is what I have done, but I'm having a problem making it work.

If I connect directly to internal IP it works ok.

But if I try the external IP it gets connected but then hangs with the message "verifying username/password", and then times out with the error message "error 721: remote computer did not respond".

The router is administered by our ISP. They say they have done it "by the book" according to http://cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

If I run command "netstat" on the server when I try to connect I see a PPTP connection from my IP.

So I'm not sure what to do now, something is wrong either on the VPN server or the router, but how can I find out where?
If the ISP has not set up GRE correctly on the router, could this give such symptoms? How can I verify if GRE is set up correctly on the router when I don't have telnet access to it?
The ISP also tried to let all IP traffic get through to the VPN server, but same results.


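Added example (not part of the original thread): one way to tell from the server side whether the router passes only the TCP 1723 control channel or also GRE (IP protocol 47) is to classify raw IPv4 packets captured on the VPN server by what arrives addressed to it. The function names, the sample addresses and the packets below are constructed for illustration; the capture is assumed to be a list of raw IPv4 packets as bytes.

```python
import socket
import struct

PPTP_PORT = 1723          # TCP control channel named in the answer
TCP, GRE = 6, 47          # IP protocol numbers
PPP_IN_GRE = 0x880B       # protocol type of PPTP's enhanced GRE (RFC 2637)

def classify(packet):
    """Return (kind, dst_ip) for a raw IPv4 packet; kind is 'control', 'gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other", None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 4:
        return "other", None
    dst = socket.inet_ntoa(packet[16:20])
    first, second = struct.unpack("!HH", packet[ihl:ihl + 4])
    if packet[9] == TCP and PPTP_PORT in (first, second):   # src/dst port
        return "control", dst
    # Enhanced GRE: low 3 bits of the first word are the version (1 for PPTP).
    if packet[9] == GRE and first & 0x7 == 1 and second == PPP_IN_GRE:
        return "gre", dst
    return "other", dst

def diagnose(packets, server_ip):
    """Judge a capture taken on the VPN server by what arrives addressed to it."""
    inbound = {kind for kind, dst in map(classify, packets) if dst == server_ip}
    if "control" not in inbound:
        return "no-control"   # the TCP 1723 forward is not reaching the server
    if "gre" not in inbound:
        return "no-gre"       # control channel up, protocol 47 not passed inward
    return "both-arrive"      # router passes both; look at the server instead

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (checksum left at zero) for the samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

# Constructed sample packets; addresses are documentation/private ranges.
CLIENT, SERVER = "203.0.113.10", "192.168.1.5"
tcp_syn = ipv4(TCP, CLIENT, SERVER, struct.pack("!HH", 50000, PPTP_PORT) + bytes(16))
gre_out = ipv4(GRE, SERVER, CLIENT, struct.pack("!HHHH", 0x2001, PPP_IN_GRE, 0, 1))
gre_in = ipv4(GRE, CLIENT, SERVER, struct.pack("!HHHH", 0x2001, PPP_IN_GRE, 0, 2))

if __name__ == "__main__":
    print(diagnose([tcp_syn, gre_out], SERVER))          # control only
    print(diagnose([tcp_syn, gre_out, gre_in], SERVER))  # both arrive
```

Only inbound packets are counted because the server sends its own GRE packets toward the client even when none come back, so outbound GRE in a capture says nothing about the router.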
 
rj2 (Author) Commented:
Or, actually I used the "manage your server" program when setting up the VPN. I had to add another NIC to be able to do that.

Could you elaborate somewhat on what you mean when you say "Setup your RRAS using the custom configuration, (for 1 NIC).  "?

Should I remove the second NIC?
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer; IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator. Commented:
Here is what I would do.  Let's uncomplicate things.  Take RRAS back to the beginning and remove the second NIC.  Open RRAS and click or right click, (I forget) to set it up.  When the wizard runs, select a Custom Configuration.  There you will select VPN server.  Then follow through the prompts.  This will allow you to run 1 NIC on your VPN server.  See how this works.
 
rj2 (Author) Commented:
The problem was on the router.
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer; IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator. Commented:
Glad to help!  Good Luck!