inverted_2000


unable to complete a VPN connection with Windows 2003 Server using RRAS

Hey everyone,

I've set our domain server that is running internally in our office to allow VPN connections remotely.  I have not done this before today.  I’ve got a Cisco 2610 that I’m routing with and I’ve forwarded ports 3389, 1723, 500, along with others to the 2003 server.  I have remote desktop access but want to allow VPN access to reduce license costs.  

I have the server set as a DHCP server with a scope of 10.0.0.50 – 10.0.0.75.  Most internal users are static assigned to their phone extension, so only having a handful of addresses is okay.  We’ll have about 6 people that are going to need the remote access, so when I set up the RRAS with the wizard, for this server named ICARUS, I told it to use IPs 10.0.0.70 – 75, since we won’t ever have that many DHCP clients in use at any one given time.  

I Remote Desktopped from the office back to my home and set a VPN connection up on the XP desktop.  It zzzzzoooms to the office and says that it’s verifying the username and password, but then disconnects.

Disconnected:
Error 721.  The remote computer did not respond….blabla.

Well it looks like it made it through the ports on the router, or did it?

I’m testing this with the administrator account for the server.  I haven’t added any permissions to the administrator’s account, nor have I messed with the GP objects, nor have I started anything in the RRAS management console.

I don’t want to go clicking on a lot of things because this server is the DNS server and domain controller for the office.

What might I be doing wrong here?

Thanks a ton for your help,
Inverted_2000
TheCleaner

Are you using IPSEC or PPTP?
ASKER CERTIFIED SOLUTION
Mazaraat
ASKER

I think that both the server and test client are set to auto.  I would like to start with PPTP and when I get better with it use IPSec, but let's stick with the PPTP first please.

VPN traffic will be passing through the router.  Port 1723 is forwarded to the server's internal 10.0.0.152 address.

The server has some dual port NICs on it...so the one that the local LAN users use for DNS and domain is on 10.0.0.151...then I enabled one and placed 10.0.0.152 on the card and it works on the network.  In RRAS I said that NIC 10.0.0.151 is how the server gets online and NIC 10.0.0.152 is the interface for the VPN traffic.

Was that right?

I think I should have stated that NIC 10.0.0.152 is how the server gets online and 10.0.0.151 is how VPN accesses the LAN.

On the Cisco router, have you also forwarded IP protocol 47 (GRE)?

No...but I can...should I port forward to the NIC on the server that I have 10.0.0.152 set as or the 10.0.0.151 NIC?

Same place the VPN is forwarding to...make sure and read that link I attached above...it walks through what is needed to configure Windows 2003 as a VPN server.

I'm following it...but I don't have a NIC with a public IP address on the server.  Both are behind the router.  Is it going to work to have one of the NICs accept the VPN traffic while it is on the same subnet as the server's internal NIC?

I had the same situation at a client location =)

Couldn't create the #&*^%@ connection so I asked a friend of mine (CCIE?) and he explained that in addition to forwarding the port I needed to forward the IP protocol 47 also....on any of the cheapo Best Buy routers you don't have to configure this, but on the better routers you do =)

Forward GRE to the same IP as you are forwarding port 1723.

Yeah, by default, from what I understand, the Cisco routers don't forward GRE packets with the PPTP packets.

See the sub-article from the above link:

How to use PPTP through a Cisco PIX

In order to use PPTP through a PIX, you must have a one-to-one mapping from the external IP to an internal IP for type 47 GRE packets and port 1723.

Okay then...I'm forwarding port 1723 to 10.0.0.152, since that is what I told RRAS I am going to use.

How is GRE forwarded...is it a port?  I'm not familiar with it.

Forgot to mention, if you can get in and connected, but cannot get anywhere on the LAN, then you may have to reconfigure your multihomed computer with the proper routes / IP forwarding.

I got connected from within the LAN.  I had to check off for the administrator in AD that the user could use VPN.

Now if I can just tweak the router (o:
Thanks! Have a good weekend =)

So I'm guessing it is working now?  Thanks for the points...
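
An added example, not part of the original thread: the question of whether GRE "is a port" comes down to where each value sits in the packet. TCP 1723 is a port inside a TCP segment, while GRE is identified by the protocol field (47) of the IP header itself and has no port numbers, so a port forward alone never matches it. The sketch below classifies raw IPv4 packets as they would be seen in a capture on the VPN server and reports which half of PPTP is arriving; the client address and the sample packets are constructed, and 10.0.0.152 is the forwarding target mentioned in the thread.

```python
import struct

PPTP_CONTROL_PORT = 1723            # TCP port of the PPTP control channel
IPPROTO_TCP, IPPROTO_GRE = 6, 47    # values of the IPv4 "protocol" field

def ipv4_packet(proto, src, dst, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0; constructed sample data)."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, ip(src), ip(dst))
    return header + payload

def classify(packet):
    """Return 'pptp-control', 'gre' or 'other' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4    # IP header length in bytes
    proto = packet[9]               # protocol number lives in the IP header
    if proto == IPPROTO_GRE:
        return "gre"                # no source/destination ports at this layer
    if proto == IPPROTO_TCP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
    return "other"

def diagnose(packets):
    """Summarise which parts of a PPTP session reached the capture point."""
    kinds = {classify(p) for p in packets}
    if "pptp-control" not in kinds:
        return "no PPTP control traffic: TCP 1723 is not being forwarded"
    if "gre" not in kinds:
        return "control channel only: IP protocol 47 (GRE) is not being forwarded"
    return "control channel and GRE both present"

# Constructed captures: before and after the router passes protocol 47.
CLIENT, SERVER = "203.0.113.10", "10.0.0.152"
TCP_HDR = struct.pack("!HH", 49152, PPTP_CONTROL_PORT) + bytes(16)
BEFORE = [ipv4_packet(IPPROTO_TCP, CLIENT, SERVER, TCP_HDR)]
AFTER = BEFORE + [ipv4_packet(IPPROTO_GRE, CLIENT, SERVER, bytes(8))]

if __name__ == "__main__":
    print("before:", diagnose(BEFORE))
    print("after: ", diagnose(AFTER))
```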