Server 2003 VPN behind NAT and multiple firewalls?

Ok here is my nightmare...

I have a static IP at the house

It hits a redhat box that is my ISP
He NATs through his network to a microwave tower
My microwave tower radio has a static IP on the WAN port
It then connects to a Linksys WRT54GS Firmware Version: v4.71.1
It has a static IP of 192.168.2.XXX and is NOT serving DHCP.

Server config:
Server 2003 Standard
2 Nics
NIC 1 - NC 100 static IP
NIC 2 - Intel Pro 100 static IP
Both NICs are plugged into a Linksys switch, which is uplinked to the Linksys router

DHCP running and is serving scope
VPN/NAT is configured.
The access policies were not there, so I had to create one.
I used the wizard to create the profile and then activated it.

Here is the forwarding from my radio tower to my Linksys:

TCP+UDP 3389   Terminal Services
TCP+UDP 47     Generic Routing Encapsulation
TCP+UDP 1723   PPTP
TCP+UDP 500    IPsec
TCP+UDP 50-51  IPsec
TCP+UDP 20-21  FTP

Here is the port forwarding on the linksys: (Both = TCP and UDP)

Port   Protocol
20     Both
1723   Both
500    Both
50     Both
47     Both
3389   Both

Here is what I get:
Connecting to the VPN server by IP address from within the LAN:
I am able to connect,
but I cannot browse the LAN or get to the Internet.

Connecting via my cell:
It rips through "Connecting", although it never connects.
It just sits at "Verifying user name and password".

Here is the Linksys incoming log:

Incoming Log Table
Source IP: the microwave tower/gateway
Destination Port Number: 1723

This tells me that the Linksys is receiving the request and processing it.
I do have all the VPN stuff enabled on the Linksys.

The best I can tell is that I am pounding on the VPN server
but the VPN server is not responding, or I have everything hosed and need to just start over
with a new build.

Could anybody make a suggestion as to where to start?
I may be a little slow responding and testing, as I can only work on this issue
in the evenings and weekends.

Rob Williams commented:
You have port 47 GRE forwarded. GRE is not port 47, but protocol 47. Forwarding the port does not help. On supported routers there is an option "enable PPTP pass-through" which allows GRE traffic, or on some commercial routers a rule has to be added to allow GRE traffic.

If I follow correctly, your VPN end point is the 2003 server, and it is behind 2 NAT routers, 172.16.x.x and 192.168.2.x. If this is the case it is likely your problem. VPNs do not like being behind 2 NAT devices, and I'm not so sure there is a workaround.
As an alternative you might try Hamachi's VPN. It doesn't require any port forwarding. You install it at the 2 sites, and both make an automated outgoing connection to a 3rd-party server that looks after the "handshaking". Works well:
to run it as a service:
batch file to set up service more easily, see near end of thread.

To confirm the double NAT is the issue see if you can get remote desktop working by forwarding it on both routers. It should work OK.

Also, for the record, if you are just using the standard Windows PPTP VPN, you only need port 1723 forwarded. Ports 500, 1701, 4500 and protocols 50 and 51 are for L2TP and IPsec VPNs.
cpctech (Author) commented:
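The port-versus-protocol point above is easy to state and easy to get wrong in a router UI, so here is an added example (not code from the thread) that makes it concrete. It builds two constructed packets, a TCP SYN to port 1723 (the PPTP control channel) and a GRE packet carrying PPP (the PPTP data channel, IP protocol 47), parses their IPv4 headers, and evaluates them against the Linksys table exactly as posted and against the corrected PPTP rule set of TCP 1723 plus a GRE pass-through. The addresses, the `PortRule`/`ProtoRule` representation and the helper names are assumptions for the example, not anything the router or Windows exposes.

```python
"""
Added example, not from the original thread: why forwarding "port 47" does
nothing for PPTP. A port-forward rule only ever inspects the destination port
of TCP/UDP packets; PPTP's data channel is GRE (IP protocol 47), which has no
port field at all. All packets below are constructed, not captured.
"""
import struct
from typing import NamedTuple, Optional, Union

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
# IP protocol numbers commonly mis-entered as ports when copying VPN docs
PROTOCOL_NUMBERS = {47: "GRE (PPTP data channel)", 50: "ESP (IPsec)", 51: "AH (IPsec)"}


class Packet(NamedTuple):
    proto: int
    src: str
    dst: str
    dport: Optional[int]  # None for protocols that carry no port field


class PortRule(NamedTuple):
    port: int
    proto: str  # "TCP", "UDP" or "Both", as the Linksys UI spells it


class ProtoRule(NamedTuple):
    proto: int  # IP protocol number; what "PPTP pass-through" really enables


Rule = Union[PortRule, ProtoRule]


def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    a = bytes(int(o) for o in src.split("."))
    b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, a, b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    # data offset 5 (20 bytes), SYN flag set; TCP checksum left 0 in this sample
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def gre_pptp(call_id: int) -> bytes:
    # Enhanced GRE used by PPTP (RFC 2637): K and S bits set, version 1,
    # protocol type 0x880B (PPP), then a PPP frame start
    return struct.pack("!HHHHI", 0x3001, 0x880B, 2, call_id, 0) + b"\xff\x03"


def parse_ipv4(raw: bytes) -> Packet:
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):  # only these have a destination port
        dport = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]
    return Packet(proto, src, dst, dport)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if isinstance(rule, ProtoRule):
        return pkt.proto == rule.proto
    if pkt.dport is None:  # a port rule can never see a GRE/ESP/AH packet
        return False
    allowed = {"TCP": {IPPROTO_TCP}, "UDP": {IPPROTO_UDP},
               "Both": {IPPROTO_TCP, IPPROTO_UDP}}[rule.proto]
    return pkt.proto in allowed and pkt.dport == rule.port


def forwarded(rules, raw: bytes) -> bool:
    """Would this router's rule set pass the packet through to the LAN?"""
    pkt = parse_ipv4(raw)
    return any(rule_matches(r, pkt) for r in rules)


def protocol_numbers_in_port_table(ports):
    """Entries in a port-forward table that are really IP protocol numbers."""
    return {p: PROTOCOL_NUMBERS[p] for p in ports if p in PROTOCOL_NUMBERS}


# The Linksys table as posted in the question (every entry "Both")
AS_POSTED = [PortRule(p, "Both") for p in (20, 1723, 500, 50, 47, 3389)]
# What a PPTP server actually needs: TCP 1723 plus GRE pass-through
PPTP_CORRECT = [PortRule(1723, "TCP"), ProtoRule(IPPROTO_GRE)]

# Constructed traffic from a remote client to the router's WAN address (assumed addresses)
CLIENT, WAN = "198.51.100.7", "203.0.113.9"
CONTROL = build_ipv4(IPPROTO_TCP, CLIENT, WAN, tcp_syn(49152, 1723))
DATA = build_ipv4(IPPROTO_GRE, CLIENT, WAN, gre_pptp(call_id=1))

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("corrected", PPTP_CORRECT)):
        print(name, "- control channel:", forwarded(rules, CONTROL),
              "GRE data channel:", forwarded(rules, DATA))
    print("protocol numbers listed as ports:",
          protocol_numbers_in_port_table([20, 1723, 500, 50, 47, 3389]))
```

Run as a script, the posted table passes the control channel (which is exactly what the Linksys incoming log shows, a hit on 1723) and drops the GRE data channel, which is the "stuck at verifying user name and password" symptom: the PPTP control connection completes but the PPP authentication that rides inside GRE never gets through. The corrected set passes both. `protocol_numbers_in_port_table` is the quick sanity check to run over any forwarding list copied from VPN documentation: 47, 50 and 51 there are protocol numbers, not ports.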
Will check out the suggestions over the next day or two and report.

Rob Williams commented:
Let us know how it goes, Thor.
cpctech (Author) commented:
Well Rob...

Found out the core cause.
My ISP does not have NAT configured for the VPN ports, nor for the 10 other ones I need, so I am testing the Hamachi thing and so far I like it.

By the looks of their site, I presume they are going to run a free version and a paid version in the future.

Points to follow

Rob Williams commented:
Thanks Thor,
as I understand it there will likely be a fee for Hamachi running as a service. If you wish to use the modifications in the links I provided it will work fine, at no cost. But a commercial version that installs as a service, as most corporate offices would want it, seems to be in the works, and there will be a fee, if it is not already available.