alanheaton
Setting Up a VPN Server

I have been reading a lot about this...and just need to clear a few points PLEASE..

I have a clean install of W2K3 server with 2 NIC cards in. I am led to believe that I need to connect 1 to the router IP 192.168.0.2 and 1 to my internal network 192.168.1.2.

So I am assuming that the Router IP is assigned by the DHCP of the router and the LAN DHCP is assigned by my DHCP server on my LAN.

My question is, if my router and my LAN are on separate ranges, how do my internal PCs get access to the Internet?

Do they all have to go through the VPN server?

Or can I set up the router setting in DHCP to a different range?

This is confusing me a little... I understand the need for 2 NICs for security but just need to understand how the Internet works?
r_naren22atyahoo

Internet ---------> Router -----------------> Win 2003 (2 NIC) -------------> LAN
           External IP   Internal IP          NIC 1          | NIC 2
           ?.?.?.?       192.168.0.0          192.168.0.0    | 192.168.0.0
                         255.255.255.0        255.255.255.0  | 255.255.255.0

With this setup your LAN users are accessing the Internet through Win 2003 and through the Router.

If the subnet mask is the same, 255.255.255.0, then you have 2 networks and users pass first through the Win 2003 and later through the Router from the other NIC card.

IF you are trying to create the VPN Server, then:

You can create the RRAS server on the Win 2003 and forward the required ports from the router to the Win 2003 server.

Routing is as follows.

If any packet or request from users that is destined outside your LAN arrives at the Win 2003,
then those packets will be forwarded to the Router by using the outbound NIC card of Win 2003 (that includes the Internet requests).
Then the router will forward the request to the default gateway which is provided by your ISP.

In the same way the requested data will come back to your router. Your router will forward the reply to the Win 2003.
Now your Win 2003 knows the actual source and it forwards to that source.

Also read about NAT, which is actually performed on the Router.
alanheaton (ASKER)
So let me understand this....


Internet --------- Router --------- Win 2003 (VPN Server) --------- Win 2003 (All Services incl DHCP and E2K3) --------- Clients
External ISP       Static 192.168.0.1   Static 192.168.0.2 (NIC 1)   Static 192.168.0.4                                 DHCP Assigned
                                        Static 192.168.0.3 (NIC 2)

The router connects to 192.168.0.2 and then the connection from 192.168.0.3 goes into my switch to support the server and clients?

So the Internet comes into the router and it forwards on requests to the other servers?

1723 to 192.168.0.2
25 to 192.168.0.4

CORRECT?

My next question is, in my DHCP on my server what is the IP address of the router?

Is it 192.168.0.1 or .2 or .3  ?

I hope this is clear? Probably as MUD

But we will see.

Obviously here the router is acting as the firewall so everything behind the firewall SHOULD be secure?
Sorry, I have corrections.

Internet ---------> Router -----------------> Win 2003 (2 NIC) -------------> LAN
           External IP   Internal IP          NIC 1          | NIC 2
           ?.?.?.?       192.168.0.0          192.168.0.0    | 192.168.1.0 <<<<<<<<< Correction
                         255.255.255.0        255.255.255.0  | 255.255.255.0

Internet --------- Router --------- Win 2003 (VPN Server) --------- Win 2003 (All Services incl DHCP and E2K3) --------- Clients
External ISP       Static 192.168.0.1   Static 192.168.0.2 (NIC 1)   Static 192.168.1.4                                 DHCP Assigned
                                        Static 192.168.1.3 (NIC 2) <<<< I suppose so

IF you want all devices to have 192.168.0.1, 2, 3, 4, 5, then you just need 1 NIC on the VPN server and disable the DHCP on the router.

>>> My next question is, in my DHCP on my server what is the IP address of the router?
>>> Is it 192.168.0.1 or .2 or .3?

When you are on Win2003 (DHCP, E2K3)
you can access the router by 192.168.0.1.
If you cannot access 192.168.0.1, let me know, because if that's the case you have to configure the default gateway on the Win2003 VPN server correctly.

IF in future you want to publish OWA on Exchange, then you have to do
port forwarding on the Router and also on the Win 2003 VPN server (as both are acting as firewalls).
In this case, managing is not that easy, because you have to edit rules on the router and the Win 2003.

IF you just enable routing and disable the firewall on the Win 2003 VPN server,
then you have one point, i.e. the router, to edit firewall rules (I suppose your router is also a firewall).

regards
Naren
It could be a little confusing...

But first you have to decide how many firewalls you want???
And also keep in mind the maintenance if you have 2 firewalls....

Let me know so that I can give you the final design.
At present I have a simple setup.

Internet ------------- XP Machine ------------ W2K3 with all services ---------- Clients
ISDN                   VPN Server
External ISP           192.168.2.1              192.168.2.2                      DHCP assigned

So the XP machine has a dial-up ISDN connection and all other services point to it for the gateway.

Now I am getting broadband installed via a satellite feed and want to enhance a little.

So the question is, what do I need and what is the best solution?

I have a firewall router, I have access to ISA 2004, and just want to know the best way to get this up and running.

Should I put the router into ISA and do it that way? If that is the case, does the VPN server still need to have 2 NICs, or can it sit on the same range as the internal NIC of the ISA?
Let me ask another...

If I have this setup:

Internet ---------------- Router --------------- VPN Server ---------------- Server All In One ----------- Clients
External IP              192.168.0.1             192.168.0.2
                                                 192.168.1.1 -------------- 192.168.1.2

Obviously I can route the traffic for the VPN on port 1723 to 192.168.0.2.

My question would be: can I forward port 25 to my mail server on 192.168.1.2? Even though it is on a different range, will it still forward through the VPN server to my mail server, or do I have to set up port forwarding in my VPN server as well?

This could get a little messy having to double forward everything?
With the above diagram,
you have to do port forwarding on the router and the VPN server for the mail.

regards
Naren
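Naren's description of how packets cross the dual-homed Win 2003 box, and the double-forward question just above, as an added illustration that is not from this thread: a small Python model of the router plus VPN server path. The topology, the router's public address (a TEST-NET-3 placeholder) and the scenario names are constructed here; the hop names and forward tables are not anyone's real configuration.

```python
import ipaddress
from copy import deepcopy

# Constructed model of the thread's topology; the router's public IP is a TEST-NET-3 placeholder.
ROUTER_PUBLIC = "203.0.113.10"
BASE_PATH = [
    {"name": "router", "addrs": {ROUTER_PUBLIC, "192.168.0.1"},
     "nets": {"192.168.0.0/24"}, "routes": {}, "forwards": {}},
    {"name": "vpn_server", "addrs": {"192.168.0.2", "192.168.1.1"},
     "nets": {"192.168.0.0/24", "192.168.1.0/24"}, "routes": {}, "forwards": {}},
]

def reachable(hop, ip):
    """True if the hop has a connected subnet or a static route covering ip."""
    addr = ipaddress.ip_address(ip)
    nets = hop["nets"] | set(hop["routes"])
    return any(addr in ipaddress.ip_network(n) for n in nets)

def deliver(path, dst_ip, dst_port):
    """Trace one inbound TCP packet hop by hop. A hop applies its port-forward
    (DNAT) table when the packet is addressed to one of its own interfaces,
    then passes it on only if it knows a route. Returns (final_ip, trace)."""
    trace = []
    for hop in path:
        if dst_ip in hop["addrs"]:
            new_ip = hop["forwards"].get(dst_port)
            if new_ip is None:  # no mapping: this hop is where the packet ends
                trace.append(f"{hop['name']}: delivered locally on port {dst_port}")
                return dst_ip, trace
            trace.append(f"{hop['name']}: DNAT {dst_ip}:{dst_port} -> {new_ip}")
            dst_ip = new_ip
        if not reachable(hop, dst_ip):
            trace.append(f"{hop['name']}: no route to {dst_ip}, dropped")
            return None, trace
        trace.append(f"{hop['name']}: routed toward {dst_ip}")
    return dst_ip, trace

def scenario(router_forwards, vpn_forwards, router_routes=None):
    # Copy BASE_PATH and install the given forward tables and router static routes.
    path = deepcopy(BASE_PATH)
    path[0]["forwards"], path[0]["routes"] = router_forwards, router_routes or {}
    path[1]["forwards"] = vpn_forwards
    return path

# Asker's plan: router forwards 1723 and 25 to the VPN server, nothing on the VPN server.
SINGLE = scenario({1723: "192.168.0.2", 25: "192.168.0.2"}, {})
# Naren's answer: forward 25 a second time on the VPN server toward the mail server.
DOUBLE = scenario({1723: "192.168.0.2", 25: "192.168.0.2"}, {25: "192.168.1.2"})
# Naren's alternative: plain routing on the VPN server plus a static route on the router.
ROUTED = scenario({1723: "192.168.0.2", 25: "192.168.1.2"}, {}, {"192.168.1.0/24": "192.168.0.2"})
```

Running `deliver(SINGLE, ROUTER_PUBLIC, 25)` ends at the VPN server itself, which is the dead end the asker worried about; `DOUBLE` and `ROUTED` both land on 192.168.1.2, while port 1723 correctly stops at 192.168.0.2 in every case.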
My suggestion is:

If you are getting a good piece of router/firewall then you can stick with that.

No need of another VPN server, because the Router/Firewall will also serve as the VPN server.

Another suggestion is:
Just use the ADSL modem,
use ISA 2000/2004 firewall with 2 NICs
as the firewall and proxy server. ISA is a very good proxy server too.

Internet --------- Router/Firewall/VPN Server --------------- LAN
                   External IP address                         192.168.1.0 Range

or
Internet ----- ADSL Modem ----- ISA 2000/2004 --------- LAN
                                External IP             192.168.1.0

Both will do the job.
However, you have to decide on what firewall you are going to use.
Does ISA act as a VPN server? Or would I need to put another machine in the loop for the VPN Server?

Or can you set up the VPN Server on the ISA machine?

I thought the ISA machine had to only be loaded with W2K3 and ISA, nothing else?
ISA 2000/2004 is a
VPN Server,
Firewall,
Proxy Server with caching,
all in one.

For VPN setup have a look at this:
http://www.isaserver.org/articles/isa2000vpndeploymentkit.html

Going for a good hardware router/firewall/VPN server is also a good option.

Anyway, how many users are in the LAN,
and how many will do VPN on an average day?

regards
naren
The network is only for 15.

There will be 1 laptop on VPN permanently and possibly a couple during the evening.

Nothing fantastic, but the security and setup has to be correct.
ASKER CERTIFIED SOLUTION
r_naren22atyahoo