Solved

No Internet Access through VPN

Posted on 2006-06-17
15
5,951 Views
Last Modified: 2010-08-05
Firstly let me start by describing what I have:

I am running a Windows Server 2003 machine as a VPN server using RRAS (no special encryption, just a standard PPTP connection) between this and the internet I have a Cisco 2600 series router which routes all non-local packets to my Cisco PIX 515 firewall. The firewall has the necessary configuration to permit the VPN and the router is configured to bounce packets properly - this is evident because internal clients can browse the web and do other stuff on-line. I am also running a windows 2000 server that is part of the same domain with ISA 2000 server running as a proxy to facilitate authenticated access to the internet for my internal clients.

I have a Windows XP SP2 machine at home which has a VPN client installed on it. When I fire up the VPN it connects perfectly and I can ping/browse the servers on the remote location without any problems. the RRAS server allocates the Windows XP VPN client an IP address which seems to work fine until the point where I try to get out onto the internet through the VPN connection. Regardless of whether I try to use the proxy server address to get out or just leave it blank I just get no kind of internet access at all. Does anyone have any experience of this or have any suggestions?.
Question by:Steve Gould
15 Comments
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 200 total points
ID: 16928003
The VPN client intentionally blocks local traffic to your local network and the Internet. This is a security feature to protect the corporate network from your local network. You can disable this, but be aware it is a security feature. To do so go to:
Control Panel | Network Connections | right click on the VPN virtual adapter | Networking | TCP/IP - Properties | Advanced | General | un-check "Use default gateway on remote network"
 
LVL 6

Expert Comment

by:Booda2us
ID: 16928045
Hi Steve, I believe the problem you are having is that the IP address you are trying to connect to the Internet with is an internal IP that can't be seen by the rest of the Internet. To connect to the Internet you'll need to configure your router to forward incoming requests to your PC. I'm not sure if the Cisco 2600 will allow this. Here are a couple of links for more info:
www.csrc.nist.gov/pcig/CHECKLISTS/cisco-router-checklist-procedure-guide-for-network-checkli.pdf
www.cisco.com/en/US/products/hw/routers/ps259/index.html
Hope this helps... Booda2us
 
LVL 6

Expert Comment

by:Booda2us
ID: 16928052
Steve- Have you tried configuring the ISA router and 200 Server to set you up as an internal client?...Booda2us
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 16928347
Your VPN client needs to use the gateway for your network to access the internet through the VPN.

What is happening is your network adapter on your computer has a gateway assigned to it and all traffic to the internet is being sent to that gateway, but the VPN client is preventing that (normal and should not be changed).  What you need to do is set the VPN client to use the remote gateway when the VPN is connected; this is configured in different ways on different clients.  Once you have the VPN client set to use the remote gateway you will be able to access the internet through the office network when connected to the VPN, and through your ISP's gateway when not connected to the VPN.

eb

 
LVL 3

Author Comment

by:Steve Gould
ID: 16929071
Thanks for the prompt input.

Robwill:

I suppose that is a workable solution but I was looking to use the ISA 2000 proxy server on my remote network to actually filter and log traffic for my VPN clients rather than just offer them a local breakout to the web and other internet based services. Incidentally, the ISA server runs as a proxy for my internal clients without any issues at all. The VPN client can see the proxy server and ping it but when I enter the proxy details in IE on the VPN client, there is no web access.

Booda2us:

Good idea, but my PIX 515 is already set to use NAT for my local network. So all clients that have direct rules on the PIX can get out to the Internet through a default IP address or if they try to use the ISA Proxy they get out with the Internet address that has been assigned to that. As I said above, the access works fine for internal clients on my LAN and as far as IP configurations go the only difference I can see from the IP config on a local client to the IP config on the VPN client is that the default gateway is set to the local machine rather than the 2600 router (which is the core router on my network). I'm guessing the VPN client has its own IP as the default gateway so that it can forward packets on the remote network in order to use the remote local gateway.

ebjers:

I see what you are saying here, but in the VPN client config on my remote machine I cannot see a way to manually configure the gateway IP address. As I said above, when I run '/ipconfig /all' on the VPN client, the default gateway is set as the local IP - I'd like to change it to the 2600 router's address but the config doesn't seem to have the ability to alter this setting. I'm guessing it gets that information from the RRAS.
 
LVL 6

Expert Comment

by:Booda2us
ID: 16929151
Steve, have you disabled DHCP on your home machine? Booda2us
 
LVL 3

Author Comment

by:Steve Gould
ID: 16929235
Booda2us:

My home machine has the DHCP service running but it requires that in order to get a local IP from my Linksys ADSL gateway that I'm using to get out onto the internet. I have looked at the VPN connection properties and have tried disabling the DHCP allocated address and putting a static address in that is within the acceptable range of my remote network. I have also allocated DNS servers as they should be. When the connection tries to initialise it tells me that the address has been rejected. Following this I tried different addresses from different parts of the range and still the same result. As I said previously, the site to site connection works fine... I can browse web servers at the remote site without an issue (Windows SharePoint and Outlook Web Access); it's just when it tries to break out of the remote network to get onto the internet. I've been trying to establish whether this is a traffic routing issue or a software issue (ISA server), I'm just drawing a blank at the moment.
 
LVL 79

Expert Comment

by:lrmoore
ID: 16929497
Take a look at 3 IP subnets and see if there is any overlap:
1 - your home lan subnet - probably 192.168.1.x
2 - the IP subnet that your vpn client gets assigned
3 - the IP subnet of the corporate LAN

You have big problems if both the corporate LAN and your home LAN are the same IP subnet range.

If not, what VPN client are you using? Are you using the VPN capabilities of the PIX FW and connecting using the Cisco VPN client? Or the Microsoft PPTP client? Or are you connecting "through" the firewall directly to an RRAS Windows server?

You -DSL--- Internet ----2600--PIX--RRAS---LAN
                                            \
                                           Proxy

Is the above accurate?
How many NICs in the RRAS server? Is this its only function?

 
LVL 3

Author Comment

by:Steve Gould
ID: 16929668
lrmoore:

I'm afraid the three subnets are all the same IP range - 192.168.1.x. Basically, I have the RRAS server looking at the LAN's DHCP server (running from a Cisco switch stack) and allocating IPs to the VPN clients from there. When I do 'ipconfig /all' on my home client, it looks like this...

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : WAG54GX2
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . :
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 212.104.130.9
                                            212.104.130.65
        Lease Obtained. . . . . . . . . . : 18 June 2006 11:35:25
        Lease Expires . . . . . . . . . . : 19 June 2006 11:35:25

PPP adapter VPN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . :
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.107
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.1.107
        DNS Servers . . . . . . . . . . . : 192.168.1.13
                                            192.168.1.15
        Primary WINS Server . . . . . . . : 192.168.1.15

I am using the standard VPN client that comes bundled with Windows XP, nothing special about it - just a standard configuration. I have ports open on the PIX to allow my static IP from home to establish the VPN connection directly with the RRAS server.

Your diagram should read: me --> DSL --> Internet --> PIX --> 2600 --> RRAS --> LAN --> Proxy

The RRAS has one NIC and yes, this is its only function.
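The three-way subnet check lrmoore asks for, run over ipconfig /all output like the one posted above. This is an added example and not any participant's own tooling; the sample text is a constructed, trimmed copy of the posted output, and the corporate LAN range is passed in as a parameter because the client's ipconfig never shows it.

```python
import ipaddress
import re

# Constructed sample modelled on the ipconfig /all output posted in the thread
# (DNS, WINS, MAC and lease lines dropped; the parser ignores them anyway).
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter VPN:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.107
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.1.107
"""

# Matches the dotted "Field . . . : value" rows; the value may be empty.
FIELD_RE = re.compile(r"^\s+(IP Address|Subnet Mask|Default Gateway)[ .]*: *(\S*)\s*$")

def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from Windows XP ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        # Adapter headers start at column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1)] = m.group(2)
    return adapters

def connected_network(adapter):
    """The on-link network implied by address and mask (a /32 for a PPP link)."""
    return ipaddress.ip_interface(f"{adapter['IP Address']}/{adapter['Subnet Mask']}").network

def find_overlaps(adapters, corporate_lan):
    """Pairs of overlapping networks among home LAN, VPN-assigned address and corporate LAN."""
    nets = {n: connected_network(a) for n, a in adapters.items() if "IP Address" in a}
    nets["corporate LAN"] = ipaddress.ip_network(corporate_lan)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]

def default_gateway_via_vpn(adapters):
    """True when the PPP adapter's gateway is its own address, which is how XP shows
    'Use default gateway on remote network': Internet traffic will go down the tunnel."""
    return any(n.startswith("PPP adapter") and a.get("Default Gateway") == a.get("IP Address")
               for n, a in adapters.items())
```

With the posted addresses all three networks overlap; renumbering the home LAN to 192.168.250.x, as lrmoore suggests, leaves only the expected VPN-address/corporate-LAN pair, which is why that change alone cannot fix the Internet breakout.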
 
LVL 79

Expert Comment

by:lrmoore
ID: 16929735
Well, the issue is that your home LAN and the remote LAN are the same 192.168.1.x IP subnet. Easier to change your home network to something else than it is to change all of the office servers/stuff.
Suggest using something in the higher, less-used range like 192.168.250.x for your home LAN.

You have NO CHOICE but to change one of them.
You will have the same problem with all of your other VPN users if they also have 192.168.1.x at home.
Never, ever, ever use 192.168.0.0, 192.168.1.0, 10.0.0.0, 10.10.10.0 at any office/company where you intend to have remote users VPN in. Those are the 4 most-used private IP subnets for all home users, hotels, motels, etc., and you will always have access problems.

 
LVL 23

Expert Comment

by:Erik Bjers
ID: 16929762
If you are using the VPN client that comes with XP do this:

1) Go to the Control Panel
    If classic view go to Network Connections
    If category view go to Network and Internet Connections then Network Connections

2) Right click your VPN connection and go to Properties

3) On the Networking tab select Internet Protocol (TCP/IP) and click Properties

4) Click the advanced button

5) Make sure 'Use default gateway on remote network' is checked

6) Click OK to close all the windows


Also, as lrmoore stated, change the subnet of your home network to something like 192.168.178.x; both networks should not have the same IP subnets.

eb
 
LVL 3

Author Comment

by:Steve Gould
ID: 16929855
lrmoore:

Ok good suggestion. I have changed the IP on my Linksys ADSL router which also acts as my home DHCP server. This in turn changed my home PC's IP to something in the 192.168.250.x range as suggested. However, when I establish the VPN connection I get exactly the same results as I did when my range was 192.168.1.x.

'ipconfig /all' reads:

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : WAG54GX2
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . :
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.250.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.250.1
        DHCP Server . . . . . . . . . . . : 192.168.250.1
        DNS Servers . . . . . . . . . . . : 212.104.130.9
                                            212.104.130.65
        Lease Obtained. . . . . . . . . . : 18 June 2006 15:45:16
        Lease Expires . . . . . . . . . . : 19 June 2006 15:45:16

PPP adapter VPN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . :
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.132
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.1.132
        DNS Servers . . . . . . . . . . . : 192.168.1.13
                                            192.168.1.15

I can see where you were going with this solution and it is something to bear in mind for the future when I deploy this solution to my remote workers, but as far as this internet access problem goes, it's a non-starter.

ebjers:

Made sure that is checked, thanks - still failing though.
 
LVL 23

Accepted Solution

by:
Erik Bjers earned 300 total points
ID: 16929883
OK try unchecking it (I haven't used windows VPN client in a long time so can't remember what you need to do).

The IP settings you are getting are correct:

The first set (182.168.250.x) is your local NIC connected to your router and getting its IP from there.

The second set (192.168.1.x) is your VPN connection and getting its IP from your VPN server's DHCP.

You also need to check the routes on the VPN server; again, I haven't used Windows VPN in a long time so I can't give you too many details without my book (about 300 miles north of my current location).

eb
 
LVL 3

Author Comment

by:Steve Gould
ID: 16929938
ebjers:

I unchecked the 'Use default gateway on remote network' check box and that did allow me to break out to the internet while I was connected to the VPN. However, I specifically wanted to use the proxy server (in the office) for gaining web access and the like because it afforded me a greater degree of control and monitoring over what people were doing on-line - VPN client or not. If my time runs out then I will have to roll the solution out like this but if at all possible I would like to figure out why it can't seem to gain access through the VPN connection.

This may help: I have been altering the configuration of my PIX 515 to try and establish if the problem is related to routing within the firewall. At one point I added a defined host as the internal IP address allocated to the VPN client and then allowed that IP to break out to the internet through the firewall through TCP/UDP/ICMP and IP. This did work (as I could browse the net without unchecking the 'Use default gateway on remote network' check box on the VPN client), although I'm not entirely sure it was using the proxy server to facilitate the connection - I was just going straight out onto the net through the firewall at the remote site.
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 16929998
OK, I believe you have to configure IE to use a proxy server, unless your proxy is the only path to the internet.  I know if you want the VPN clients to access the internet through your network you need to have routes in your RRAS settings to allow this.  I think unchecking the 'Use default gateway on remote network...' is allowing you to connect to the internet using your local internet connection and not the one on your office network.

If I remember correctly the PIX can be used as a VPN server and you can get a VPN client for it from Cisco (may be free since you have the PIX).  You may want to try this config (VPN to the PIX, then into your network).  This is how I do it (but I use a Cisco concentrator for more power) and I can access the internet through my corporate network when connected to the VPN.  Also this is a more secure VPN solution.  I can't tell you how to configure the PIX for VPN, but I'm sure someone here can.

eb