• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 304

VPN not working from public internet but does work from local outside the firewall...

Hopefully an easy question here...

First a quick synopsis of the background to the problem:

I have set up VPN access into my SBS2003 box. I had logged another question on experts-exchange because initially my tests could not connect through to the server. I was attempting to connect through to the VPN server by plugging directly into the ADSL router and putting the test notebook on the external 10.0.0.x network (thus attempting to replicate being outside the network). My internal network is 192.168.0.x. When testing in this manner I was using the actual public IP address; however I could not connect. This was resolved when someone here said that I was testing it incorrectly and rather than put the external public static address I should be putting the 10.0.0.8 address, which is the "external NIC" on the SBS2003 box. I tried this and the VPN worked successfully. I thought the problem had therefore been solved...

However I now have had the opportunity to attempt to VPN from a real external internet connection and unfortunately I cannot connect through. I'm getting an Error 721.

I have ensured that my firewall is off on the client to be sure but no luck.

What's different from connecting via the 10.0.0.x address through the ADSL router and a public internet address going through the same ADSL router (obviously via the ADSL connection rather than directly into a port on the back of the router)? I would have thought that both ways would still be routed by the router's same firewall routing rules? Or have I got this incorrect....??

Given that it works from the 10.0.0.x address the only difference is the source IP and the fact that the public IP is coming through the ADSL telephone link as opposed to a direct UTP connection into the router...

Any ideas?... I'm flying out tonight and need this resolved ASAP!!!...

Cheers.
 
Rob WilliamsCommented:
You will now need to connect to the WAN/Public IP of the ADSL router. The ADSL router also needs to be configured to forward PPTP traffic on port 1723 to the external IP of your server. The ADSL router also needs to be configured to allow GRE traffic, which is protocol 47 (not port 47). On many units this is done by enabling PPTP pass-through or VPN pass-through. This assumes you have only a combined ADSL router and not a second router. If you have both an ADSL router (combined modem and router) as well as a second router, the ADSL router will have to be put in bridge mode and the forwarding and pass-through allowed on the second router.
If you were to provide make and model of your equipment we could be more specific as to how to configure.
 
slater27Author Commented:
Hi Robwill thanks for your speedy response. It is a combined router/adsl (Speed touch pro). I have copied all the settings below. From thinking about it some more it has to be a translation/routing table issue...somewhere this config is not right...

In regards to the ports and protocol 47, this is already set up in the NAT as you will see below. Remembering that VPN does work if I am on the 10.0.0.x network AND I am selecting the internal IP 10.0.0.8 of the SBS server. It doesn't work when I go to the external fixed IP of 61.9.247.216 from an external location.

Here's the config of the Speedtouch Pro:

Initial Setup:
IP address: 10.0.0.1
subnetmask 255.255.255.0

Phonebook:
Bigpond  VPI:8 VCI:35 Type:PPP Usage:Confirmed

PPP Dial-in Connections:
(None).

Routing:
IP ADDRESS TABLE
Intf          Address             Netmask           Type     Transl    
BigPond   61.9.247.216      255.0.0.0          Auto      pat  
eth0        10.0.0.1             255.255.255.0   User      none  
loop        127.0.0.1           255.0.0.0          Auto      none  

IP ROUTE TABLE:
Destination                  Source          Gateway         Intf  
10.0.0.0/24                 10.0.0.0/24    10.0.0.1         eth0  
61.9.247.216/32          any                61.9.247.216 BigPond  
10.0.0.1/32                 any               10.0.0.1         eth0  
127.0.0.1/32               any               127.0.0.1       loop  
255.255.255.255/32     any               10.0.0.1        eth0  
10.0.0.0/24                 any               10.0.0.1         eth0  
default                       10.0.0.8/0      61.9.247.216  BigPond  

PPP:
Name       Encap    Mode         State    Status  
BigPond    vc-mux  always-on   up       on        

PPP CONFIG:
Authentication
 User :   (myname@static.bigpond)
 Password :  *******
 
Routing
 Connection Sharing:  Everybody
 Destination networks All networks
 Specific network  (Blank)
 Address translation (NAT-PAT)  (checked)
 Primary DNS  10.0.0.8   Secondary DNS  (none)
 
Options
 Local IP:   none
 Remote IP:  none
 Mode : always-on
 Idle time limit : (none)
 LCP echo(currently enabled)
 PAP(currently disabled)
 ACCOMP(currently enabled)

 CIP Interfaces:
(none)

CIP Connections:
(none)

PPTP Connections:
(None)

Bridging Ports:
(none)
 Aging: 300 seconds

DHCP:
NO DHCP

DNS Server Configuration
Server active (Checked)
Domain Name (My internal domain)

DNS hostname table:
[Hostname]        [address]
SpeedTouch       own address

Upgrade:
Active software version : GV8BAA3.290 (1007669)
Passive software version : GV8BAA3.290 (1007669)

When telnetting in to the Speed Touch router and doing a NAT LIST you get the following:
Indx   Prot   Inside-address:Port     Outside-address:Port    Foreign-address:Port    Flgs        Expir   State    Control
   1    6       0.0.1.187:10               61.9.247.216:443         0.0.0.0:0                     instance
   2    6       10.0.0.8:1723             61.9.247.216:1723        0.0.0.0:0                     instance
   3    17     10.0.0.1:4672             61.9.247.216:4672        0.0.0.0:0                     instance
   4    6       10.0.0.1:4711             61.9.247.216:4711        0.0.0.0:0                    instance
   5   6        10.0.0.8:4125             61.9.247.216:4125        0.0.0.0:0                    instance
   6   6        10.0.0.1:4662             61.9.247.216:4662         0.0.0.0:0                  instance
   7  17        10.0.0.100:1029         61.9.247.216:10019     61.9.240.14:53             1             20      10
   8   6        10.0.0.1:4661             61.9.247.216:4661        0.0.0.0:0                   instance
   9  17        10.0.0.1:4665            61.9.247.216:4665        0.0.0.0:0                  instance
  10   6        10.0.0.8:61953           61.9.247.216:10026     67.19.96.18:80              1           1        6
  11  47        10.0.0.8:1                  61.9.247.216:1             0.0.0.0:0                 instance
  12  17        10.0.0.1:4672             0.0.0.0:4672               0.0.0.0:0               template
  13   6        10.0.0.1:4662             0.0.0.0:4662          0.0.0.0:0               template
  14   6        10.0.0.1:4661            0.0.0.0:4661          0.0.0.0:0          template
  15  17        10.0.0.1:4665           0.0.0.0:4665          0.0.0.0:0          template
  16   6        10.0.0.1:4711           0.0.0.0:4711          0.0.0.0:0         template
  17   6        10.0.0.8:1723           0.0.0.0:1723          0.0.0.0:0          template
  18  47        10.0.0.8:1               0.0.0.0:1             0.0.0.0:0            template
  19   6        10.0.0.8:4125          0.0.0.0:4125          0.0.0.0:0         template
  20   6        0.0.1.187:10           0.0.0.0:443           0.0.0.0:0          template
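Rob's first answer states what PPTP needs at the router (TCP 1723 forwarded, plus GRE, which is IP protocol 47, allowed through) and his later replies explain that the extra rows in a NAT list are temporary mappings the router creates for outbound connections. The following Python script is an added example, not code from the thread: it parses a constructed `nat list` dump modelled on the one above, separates the static `template` forwards from the router's temporary sessions, and checks whether both halves of the PPTP forward point at the same inside host. The sample rows and the `session` label are my assumptions.

```python
import re
from dataclasses import dataclass

TCP, UDP, GRE = 6, 17, 47      # IP protocol numbers as shown in the Prot column
PPTP_PORT = 1723

# Constructed sample modelled on the first `nat list` posted above (not a live capture).
# GRE carries no port, so the router shows a placeholder port of 1 on those rows.
SAMPLE_NAT_LIST = """\
[nat]=>list
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port Flgs Expir State Control
   2    6  10.0.0.8:1723     61.9.247.216:1723   0.0.0.0:0                  instance
   7   17  10.0.0.100:1029   61.9.247.216:10019  61.9.240.14:53      1  20  10
  11   47  10.0.0.8:1        61.9.247.216:1      0.0.0.0:0                  instance
  17    6  10.0.0.8:1723     0.0.0.0:1723        0.0.0.0:0                  template
  18   47  10.0.0.8:1        0.0.0.0:1           0.0.0.0:0                  template
[nat]=>
"""

@dataclass
class NatEntry:
    index: int
    proto: int
    inside: str
    inside_port: int
    outside: str
    outside_port: int
    foreign: str
    foreign_port: int
    state: str   # "template", "instance", or "session" (my label for a live outbound mapping)

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(.*)$")

def parse_nat_list(text):
    """Parse the rows of a `nat list` dump; header, prompt and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        tail = m.group(9).split()
        # Rows ending in Flgs/Expir/State/Control numbers are live mappings, not templates.
        state = tail[-1] if tail and tail[-1] in ("template", "instance") else "session"
        entries.append(NatEntry(int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)),
                                m.group(5), int(m.group(6)), m.group(7), int(m.group(8)), state))
    return entries

def static_forwards(entries):
    """Administrator-created inbound forwards: 'template' rows (outside address 0.0.0.0 = any)."""
    return [e for e in entries if e.state == "template"]

def dynamic_sessions(entries):
    """Rows with a real foreign address and an expiry: temporary mappings for outbound traffic."""
    return [e for e in entries if e.state == "session"]

def pptp_forwarding_status(entries):
    """PPTP needs TCP/1723 (control) and GRE/47 (tunnel) forwarded to the same inside host."""
    fw = static_forwards(entries)
    tcp_hosts = {e.inside for e in fw if e.proto == TCP and e.inside_port == PPTP_PORT}
    gre_hosts = {e.inside for e in fw if e.proto == GRE}
    if not tcp_hosts:
        return False, "no TCP/1723 forward: the PPTP control channel cannot be reached"
    if not gre_hosts:
        return False, "TCP/1723 is forwarded but GRE (protocol 47) is not: expect error 721"
    shared = tcp_hosts & gre_hosts
    if not shared:
        return False, f"TCP/1723 goes to {sorted(tcp_hosts)} but GRE to {sorted(gre_hosts)}"
    return True, f"PPTP forwards complete for {sorted(shared)}"

if __name__ == "__main__":
    parsed = parse_nat_list(SAMPLE_NAT_LIST)
    print(f"{len(static_forwards(parsed))} static forwards, {len(dynamic_sessions(parsed))} live sessions")
    print(pptp_forwarding_status(parsed)[1])
```

An external TCP port check such as canyouseeme.org only exercises the first condition; a missing GRE forward still passes that check and surfaces as error 721 once the control channel is up.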
 
slater27Author Commented:
Further to this I did an open port check on 1723 from a workstation that sits behind the SBS2003 server (on the internal 192.168.0.x subnet) using canyouseeme.org

The website detected my workstation as my static IP on the router 61.9.247.216 and came back with "Success: I can see your service on 61.9.247.216 on port (1723) Your ISP is not blocking port 1723"

So from this it would appear that the 1723 port is open - does this necessarily mean that the packets are getting passed to the server?

Help!

 
Rob WilliamsCommented:
Sorry, I am guessing I am in a different time zone. GMT +4.  Everything does seem in order.
-Just to confirm, you are trying to connect to the 61.9.247.216 address not the 10.0.0.8, right?
-The fact that the canyouseeme works, would indicate all port forwarding is OK, however that doesn't test for GRE
-Since you provided the 61.9.247.216 address I tried to connect with the Windows PPTP client and I seem to connect to the VPN server (I assume the SBS) but get an incorrect UserName and/or password message, which would indicate it is working correctly
-What I cannot test without connecting (not suggesting I do connect) is that GRE is being passed satisfactorily. A 721 error can often indicate GRE is being blocked.

-Make sure the Windows firewall is disabled on the server if possible. It could be blocking GRE, and make sure the remote computer you are connecting with does not have a 10.0.0.0 address assigned to any enabled network adapters.
-Which model Speedtouch pro ? I was looking for configuration details. Also I assume the router supports PPTP VPN traffic? A few don't.
-Also to confirm, there is no additional router between the Speedtouch and the SBS?
 
slater27Author Commented:
Ok thanks Robwill for your comments. You may have tested just when I was testing, as I had disabled the firewall on the Speedtouch through telnet by issuing the nat command defserver addr 10.0.0.8. This then immediately worked and I could VPN into the server. I have now re-enabled the firewall and it no longer works again. My external test is a notebook dialing out via bluetooth modem onto the internet via GPRS. So confirmed working with the speedtouch pro firewall off and not working when turned back on.

So therefore there is definitely something wrong with the configuration of the speedtouch pro. The fact that canyouseeme.org sees the 1723 port as open is a bit baffling though, as that would seem to indicate that the port is ok, although it may be having a problem with GRE translation as you pointed out. Still I am examining the NAT list as in my config above to see what might be the problem there, but at least the problem is narrowed right down now to the speedtouch pro router.

If you can focus your superior networking skills in this area you hopefully will be able to solve it much faster than me as I need time to pack my bags to catch my flight!!

I'll be keeping this onscreen and refreshed so if you do come up with something let me know asap!! Many thanks for your suggestions thus far!...
 
Rob WilliamsCommented:
Which model SpeedTouch ?
I will look through the manual to see if there is anything I can find. Specifically are there any options such as "allow PPTP pass-through" ?
Some older Alcatel Speedtouch units I have seen have High, medium, low and off firewall security settings. Is this the case here? Seems to me if so, it requires the medium setting, high and low will not work.
 
slater27Author Commented:
It's simply called a "Speedtouch Pro". From info on the net it is one of the earlier ADSL models provided by Telstra in Australia. There was a speedtouch home and a speedtouch pro. Then there were some later models with numbers after them. However this one is definitely referred to as simply the Speed Touch Pro.

There is no "allow PPTP pass-through" option and no high, medium, low and off setting. If you look back at my configuration above, that is effectively a copy from each available setting on the web interface of the Speedtouch pro. Other than that you have to telnet in to do NATs.
 
Rob WilliamsCommented:
Seems others have had problems as well, but I found no solutions. As you suggested it must be the firewall. I can't seem to find any further information on how to configure it. There are dozens of Speed touch units with even more firmware versions for different vendors. I will keep looking and let you know if I find anything.
--Rob
 
slater27Author Commented:
OK. Just in case it is a firmware problem I found a later firmware revision at http://www.nzdsl.co.nz/software/alcatel/Default.htm . I installed it - Gv8bab3.281 (1005372)  - however unfortunately it has not resolved the problem.

Certainly from the NAT perspective the entries for VPN specifically seem fine....  Is the IP Route table and the options below it correct?....

For example, are the following options correct? What are PAP, LCP echo and ACCOMP? And should I have the local IP defined as 10.0.0.1 and remote IP as 61.9.247.216?
Options
 Local IP:   none
 Remote IP:  none
 Mode : always-on
 Idle time limit : (none)
 LCP echo(currently enabled)
 PAP(currently disabled)
 ACCOMP(currently enabled)
 
Rob WilliamsCommented:
I am not very familiar with these protocols but there should be no need for any of them:
LCP echo - Link Control Protocol Echo
PAP -Password authentication protocol
ACCOMP - Access Control Compression

However I would think you have to configure the local and remote IPs: Local 10.0.0.8 and remote 0.0.0.0 = any

Wonder if you should consider un-binding PPTP and GRE as per article below. Seems backward to my thinking but if it makes sense to you you could try.
http://www.speedtouch.net.nz/DisableALG.htm
 
slater27Author Commented:
Unfortunately the unbinding is only relevant to the SpeedTouch 500 / 600, not the Pro. I have already tried this before :o)

I do have something weird happening now though. I thought I'd check the NAT list after the firmware upgrade and noticed a few additional entries in the tables that were not there before. I thought I'd simply clear all the port forwards and start afresh; perhaps the reissuing of the nat create under the new firmware might spark it into life. However I'm now finding that on each list (after I deleted them all) I'm getting weird port forwards appear and then disappear...?

Here are some repeated NAT lists with no change in between: (Very odd)

[nat]=>list
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port   Flgs Expir State Control
   1   6   10.0.0.8:63704       61.9.247.216:10078    67.19.96.18:80         1    8     5
   2   6   10.0.0.8:63706       61.9.247.216:10080    67.19.96.18:80         1    8     5
   3   6   10.0.0.8:63707       61.9.247.216:10081    67.19.96.18:80         1    60    1
[nat]=>list
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port   Flgs Expir State Control
   1   6   10.0.0.8:63704       61.9.247.216:10078    67.19.96.18:80         1    8     5
   2   6   10.0.0.8:63708       61.9.247.216:10082    67.19.96.18:80         1    60    1
   3   6   10.0.0.8:63706       61.9.247.216:10080    67.19.96.18:80         1    8     5
   4   6   10.0.0.8:63707       61.9.247.216:10081    67.19.96.18:80         1    8     5
[nat]=>list
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port   Flgs Expir State Control
   1   6   10.0.0.8:63704       61.9.247.216:10078    67.19.96.18:80         1    8     5
   2  17   10.0.0.8:63709       61.9.247.216:10084    70.112.78.227:20011    1    20    10
   3   6   10.0.0.8:63710       61.9.247.216:10085    132.211.194.39:59216   1    60    1
   4   6   10.0.0.8:63708       61.9.247.216:10082    67.19.96.18:80         1    1     6
   5   6   10.0.0.8:63706       61.9.247.216:10080    67.19.96.18:80         1    8     5
   6   6   10.0.0.8:63707       61.9.247.216:10081    67.19.96.18:80         1    8     5
[nat]=>list
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port   Flgs Expir State Control
   1   6   10.0.0.8:63704       61.9.247.216:10078    67.19.96.18:80         1    8     5
   2  17   10.0.0.8:63709       61.9.247.216:10084    70.112.78.227:20011    1    20    10
   3   6   10.0.0.8:63710       61.9.247.216:10085    132.211.194.39:59216   1    60    1
   4   6   10.0.0.8:63706       61.9.247.216:10080    67.19.96.18:80         1    8     5
   5   6   10.0.0.8:63707       61.9.247.216:10081    67.19.96.18:80         1    8     5
[nat]=>list
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port   Flgs Expir State Control
   1  17   10.0.0.8:63709       61.9.247.216:10084    70.112.78.227:20011    1    20    10
   2   6   10.0.0.8:63710       61.9.247.216:10085    132.211.194.39:59216   1    60    1
   3   6   10.0.0.8:63706       61.9.247.216:10080    67.19.96.18:80         1    8     5
   4   6   10.0.0.8:63707       61.9.247.216:10081    67.19.96.18:80         1    8     5

[nat]=>list
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port   Flgs Expir State Control
   1  17   10.0.0.8:63709       61.9.247.216:10084    70.112.78.227:20011    1    20    10
   2   6   10.0.0.8:63710       61.9.247.216:10085    132.211.194.39:59216   1    60    1
[nat]=>list
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port   Flgs Expir State Control
   1  17   10.0.0.8:63709       61.9.247.216:10084    70.112.78.227:20011    1    20    10
   2   6   10.0.0.8:63712       61.9.247.216:10087    67.19.96.18:80         1    60    1
   3   6   10.0.0.8:63710       61.9.247.216:10085    132.211.194.39:59216   1    60    1
[nat]=>
 
Rob WilliamsCommented:
These may be temporary mappings created by outgoing connections, especially where mostly port 80. They tend to choose any available port.
 
slater27Author Commented:
OK, I went back to the original firmware and now all my original port forwards are back again?.... It seems that the new firmware I tried was not right - very strange....

It could mean though that some of these firmwares do not work properly and therefore it still could be an issue with the firmware I have...I'm now going to look for some others to try.
 
slater27Author Commented:
Sorry, I posted in between your response. Is that normal behaviour then, to see ports dynamically update like that in quick succession? Perhaps my original firmware didn't support these dynamic updates and the newer one does...

Which means that perhaps if I go back again to the new one and try and re enter the VPN ports it may be worth a try...?

First confirm if the above is normal, as it wasn't on my original firmware!!
 
Rob WilliamsCommented:
I wonder if the difference is just the reporting and you didn't get that information before. The previous list appears to be a static NAT list as opposed to the latter which seems more like a log report. At the risk of displaying my ignorance.....on a NAT router when a PC makes an outgoing connection to a site such as a web site, the router 'tags' the request and assigns a temporary port number. When the reply comes back it knows by the port number which PC to send the reply to. Thus, the temporary NAT table.

I did read in several forums about some versions being "flaky" especially the newest ones. However all references I read were quite different version numbers, so I believe they were for different models. Also noticed the commands and options changed with some versions.
If interested the following link has lots of similar information and many links within the text. Doesn't appear to apply to your SpeedTouch but still may be of some interest:
http://forums.whirlpool.net.au/forum-replies-archive.cfm/458420.html

Have to head out to a service call for a while.
--Rob
 
slater27Author Commented:
OK, I tried putting in the options section Local 10.0.0.8 and remote 0.0.0.0 = any. However it wouldn't take 0.0.0.0 in the remote. So I also thought I'd try Local 10.0.0.8 and remote 61.9.247.216. That simply hung the router up...wouldn't reconnect to the net. I then thought that perhaps the local shouldn't be the server address but instead the router address, so I tried that also, ie: Local 10.0.0.1 and remote 61.9.247.216 - same result, wouldn't connect to the net. So my final test was to try both server and adsl IPs for the local and leave the remote blank. 10.0.0.1 as local by itself did the same thing. 10.0.0.8 didn't hang up the router (ie web interface could still work) but it simply wouldn't connect....

I then turned all these off:

LCP echo - Link Control Protocol Echo
PAP -Password authentication protocol
ACCOMP - Access Control Compression

The link came back up but when I tried to VPN in I got a 678 error not respond.

So I turned them all on. The link kept trying to come back up and wouldn't. So from all these results I would say that these options relate to the router dialing up the ISP to connect rather than specific options for the link once it is up.

By the way I found the manual here: http://www.speedtouchdsl.com/pdf/stpro_manual_01.pdf
 
Rob WilliamsCommented:
Looking at the manual, there is no reference to PPTP, GRE, VPN's or VPN pass-through, other than for ISP connections. Adding to that, look at the first "NAT LIST". In addition to your NAT configurations, there are other obscure mappings that I assume you did not set up. If they are outgoing, automatically configured/temporary NAT connections, then the PPTP and GRE are outgoing as well, based on the inside and outside addressing, probably for ISP type connections. I am wondering if the router supports PPTP incoming connections at all. Some older units do not. Is the router supplied by your ISP ? Wondering if it is possible to confirm whether it is supported with them?
I'm not being much help here.
--Rob
 
Rob WilliamsCommented:
slater27, any luck with this, and were you able to confirm if the router was VPN compatible?
--Rob
 
slater27Author Commented:
I have closed this now. At the time I had left promptly via plane to Melbourne and couldn't respond. The VPN ended up working remotely; it was the testing mechanism through my bluetooth GPRS modem connection to my notebook which was causing the problem. Points awarded for the great help that Robwill provided regardless, and he was on to it when he said that he could get through to the VPN himself but couldn't log in without the username and password.
Cheers.
 
Rob WilliamsCommented:
Thanks slater27.
--Rob