VPN Access from the internet not working.

Hello,

I have a Sonicwall SOHO3 firewall, which on one side is connected to the Internet and on the other side to my LAN directly. On the LAN I have a Windows 2000 Server Domain Controller running MS Exchange 2000, ISA 2000 and VPN Server.

I have configured the NAT on the firewall to access the Windows 2000 Server machine. The ports that are open to reach this server are 80, 25, 1723, 500.

IP Address within my office is 172.31.8.xx. The Rules on the firewall are to allow the above mentioned ports for the local IP of the server (172.31.8.xx).

I am able to connect a VPN connection successfully from within the LAN to this VPN Server. However, I am unable to do the same from the Internet.

Are there any other ports that need to be open for this to work successfully?

I tried the following on the Windows 2000 Server itself :
1. telnet localhost 25 --> Worked
2. telnet localhost 1723 --> Worked
3. telnet localhost 500 --> Did Not work.

Many Thanks,
Praveen.

Jay_Jay70 Commented:
Hi rpraveen,

extract from VPN site

If the VPN server is behind a router, Port Mapping will need to be done on the router.
Standard port usage is 1723 for PPTP. You might also need to configure your router for PPTP Passthrough. Port usage for IPSec is 500, 50-51. These ports will have to be forwarded to the VPN server's local IP address

could be the last ports you are missing

Cheers!
rpraveen Author Commented:
Hi Jay,

Thank you very much. It worked. But I am unable to access resources on the other machines on the LAN while connected using VPN via the internet. How can I achieve this, please?

Thanks
Praveen.
Jay_Jay70 Commented:
hmm do you get given an IP address that matches the other machines when you connect via VPN?
Jay_Jay70 Commented:
are you able to ping other machines and if you run \\computername what happens?
rpraveen Author Commented:
Yes, I get an IP similar to the ones on the LAN. I am able to ping other machines. But I am unable to get access using \\computername. It says "The network path was not found."
Jay_Jay70 Commented:
how about \\IPADDRESS    I am thinking it's a simple DNS setting....

I'm off to bed mate, I'll continue with you tomorrow :) just post a question letting me know you're back online

James
rpraveen Author Commented:
Hi James,

Hope you had a good night. Guess you are in Australia. \\ipaddress works. Looks like a simple DNS setting, but I am not sure what to change. However, I put in an entry in the hosts file of the OS and then I was able to get \\computername. Is there a better solution that you have on this? Pls let me know.

Thanks
Praveen.
Rob Williams Commented:
Praveen, please do not award any points in my direction, if this is of some help, as James (Jay_Jay70) located your problem. But where he is "off duty" right now I'll post a copy of my "name resolution solutions", which may be of some help to you:

NetBIOS names are not normally broadcast over a VPN, to work around this issue try the following solutions:
1) Use the IP address (of the computer you are connecting to) when connecting to devices, such as \\123.123.123.123\ShareName, or map a drive at a command prompt using
 Net Use U: \\123.123.123.123\ShareName
2) An option is to use the LMHosts file which creates a table of IP's and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam, instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below;
192.168.0.101      CompName       #PRE
Hit enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension, when saving enclose in quotations like "LMHosts". Now when you try to connect to a computer name it should find it as it will search the LMHosts file for the record before connecting.
More details regarding LMHosts file:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cnfd_lmh_QXQQ.asp
The drawback of the LMHosts file is you have to maintain a static list of computernames and IP addresses. Also if the remote end uses DHCP assigned IP's it is not a feasible option. Thus in order to be able to use computer names dynamically try to enable with some of the following options:
3) if you have a WINS server add that to the network cards configuration
4) also under the WINS configuration on the network adapter make sure NetBIOS over TCP/IP is selected
5) try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration
6) verify your router does not have a "block NetBIOS broadcast" option enabled
7) test if you can connect with the full computer and domain name as  \\ComputerName.domain.local  If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]
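
An added example, not part of Rob Williams's post: a small Python linter for the LMHosts entries described in option 2, since a stale or malformed static entry silently sends a name to the wrong address or is never loaded. The function names and the sample entries are constructed for illustration; quoted names and #INCLUDE blocks are skipped rather than checked.

```python
import ipaddress
import ntpath
TAGS = ("#PRE", "#DOM:", "#MH", "#SG")  # per-entry LMHOSTS keywords

def filename_ok(path):
    """The live file must be named LMHosts with no extension (not .sam/.txt)."""
    return ntpath.basename(path).lower() == "lmhosts"

def lint_lmhosts(text):
    """Return (entries, problems); entries maps NAME -> (ip, preloaded)."""
    entries, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or block directive
        fields = line.split()
        if len(fields) < 2 or fields[1].startswith("#"):
            problems.append((n, "expected '<ip> <name>'"))
            continue
        ip, name = fields[0], fields[1].upper()
        tags = []
        for tok in fields[2:]:
            if not tok.upper().startswith(TAGS):
                break  # free-text comment ends the tag list
            tags.append(tok.upper())
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append((n, f"invalid IPv4 address {ip!r}"))
            continue
        if len(name) > 15:  # NetBIOS names hold at most 15 characters
            problems.append((n, f"name {name!r} is longer than 15 characters"))
            continue
        if name in entries and entries[name][0] != ip:
            problems.append((n, f"{name} already maps to {entries[name][0]}"))
            continue
        entries[name] = (ip, "#PRE" in tags)
    return entries, problems

# Constructed sample input, not taken from the thread.
SAMPLE = """\
192.168.0.101      CompName       #PRE
192.168.0.102      FileSrv        # no preload tag
192.168.0.300      BadOctet       #PRE
192.168.0.103      ThisNameIsFarTooLong
192.168.0.104      compname       #PRE
"""
if __name__ == "__main__":
    print(*lint_lmhosts(SAMPLE), sep="\n")
```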
 

Jay_Jay70 Commented:
rob,

wow that's an answer! you deserve points on this for sure as you just pointed out a few things I didn't know about. I'll be pasting that answer in my little book of knowledge for future reference!

James


Praveen,

how's it goin mate, did you try Rob's suggestions??

Rob Williams Commented:
Aw shucks! Actually just a list I made a while ago, that I cut and paste. Name resolution over a VPN can be a nuisance sometimes.
Thanks though.
--Rob
Jay_Jay70 Commented:
ha well I just flogged your list for my own!
Rob Williams Commented:
I hope I got credit, even if no points.  :-)
Plagiarism is punishable by caging with Tasmanian Devils.
Jay_Jay70 Commented:
it's alright the little buggers are virtually extinct.... if you can find one you can cage me with him!  (zoos don't count)

it's more for my use anywayz :)
Rob Williams Commented:
Feel free, just 'razzing you'
--Rob
Jay_Jay70 Commented:
:) I'll send you a tazzy devil in repayment
Rob Williams Commented:
Let's see you get that through customs.
Jay_Jay70 Commented:
hmm touché    I submit....
rpraveen Author Commented:
Hi James and Rob,

Thanks a lot to you guys. I tried the \\ipaddress suggested by James and the hosts file entry suggested by Rob. The two together helped me resolve my problem. Thanks once again.

James, good luck with getting a tazzy devil across to Rob ;)

I am going to split the points on this question to both of you.

Thanks and Regards,
Praveen.
Jay_Jay70 Commented:
thanks praveen,

out of curiosity, I don't really care about the points, but why did we get the B grade, did our answers not help you enough??

I think I will have to express post the little rodent!

cheers mate
rpraveen Author Commented:
Hi James,

Sorry about that. That was an oversight. I think I was using the keyboard rather than the mouse and I made a mistake in choosing the grade. Is there a way I can change it to A? Because I truly feel that your answers helped me solve my problem.

Many Thanks again,
Praveen.
Jay_Jay70 Commented:
that's ok mate I was just curious

you can place a question in community support asking the grade to be changed to A and the mods will take care of it for you. just make sure you put a link to this Q

as I said, I was just hoping that we had given a correct answer and if not, just wanted to know where it went skewiff!

cheers Praveen

James
Rob Williams Commented:
Thanks Praveen,
--Rob
Rob Williams Commented:
Even more thanks <G> rpraveen, and AnnieMod.
--Rob
Jay_Jay70 Commented:
thank you!