
Server 2003 VPN behind nat and multi firewalls?

Ok here is my nightmare...

I have a static IP at the house
70.xxx.xxx.xxx

It hits a redhat box that is my ISP
He NATs through his network to a microwave tower
My microwave tower radio has a static IP
172.16.112.xxx on the WAN port
It then connects to a Linksys WRT54GS Firmware Version: v4.71.1
It has a static IP of 192.168.2.XXX and is NOT serving DHCP.

Server config:
Server 2003 Standard
2 Nics
NIC 1 - NC 100 static IP 192.168.0.2
NIC 2 - Intel Pro 100 static IP 192.168.0.7
Both NICs are plugged into a Linksys switch which is uplinked into the Linksys router

DHCP running and is serving 192.168.0.xxx scope
VPN/NAT is configured.
The access policies were not there so I had to create one
I used the wizy wiz to create the profile and then activated it.


Here is the forwarding from my radio tower to my Linksys:
192.168.2.xxx TCP+UDP 3389 Terminal Services  
192.168.2.xxx TCP+UDP 47 Generic Rtg Encapsul
192.168.2.xxx TCP+UDP 1723 PPTP  
192.168.2.xxx TCP+UDP 500 IPSec  
192.168.2.xxx TCP+UDP 50-51 IPSec  
192.168.2.xxx TCP+UDP 20-21 FTP  


Here is the port forwarding on the linksys: (Both = TCP and UDP)

20      to   Both 192.168.0.xxx
1723      to   Both 192.168.0.xxx  
500      to   Both 192.168.0.xxx  
50      to   Both 192.168.0.xxx  
47      to   Both 192.168.0.xxx  
3389      to   Both 192.168.0.xxx  

Here is what I get:
Connecting to the VPN server by IP address within the LAN
I am able to connect
can not navigate the lan nor get to the internet

Connecting via my cell
It rips through the Connecting although it never connects
It just sits at verifying user name and password.

Here is the linksys incoming log

Incoming Log Table  
Source IP           Destination Port Number
192.168.2.xxx           1723
the source IP address is the microwave tower/gateway
This tells me that the Linksys is receiving the request and processing
I do have all the VPN stuff enabled on the linksys

The best I can tell is that I am pounding on the VPN server
but the VPN server is not responding, or I have everything hosed and need to just start over
with a new build.

Could anybody make a suggestion as to where to start?
NOTE:
    I may be a little slow responding and testing as I can only work on this issue
    in the evenings and weekends.

TIA
Thor
Asked by cpctech
Rob Williams commented:
You have port 47 GRE forwarded. GRE is not port 47, but protocol 47. Forwarding the port does not help. On supported routers there is an option "enable PPTP pass-through" which allows GRE traffic, or on some commercial routers a rule has to be added to allow GRE traffic.

If I follow correctly, your VPN end point is the 2003 server, and it is behind 2 NAT routers 172.16.x.x and 192.168.2.x. If this is the case it is likely your problem. VPNs do not like being behind 2 NAT devices, and I'm not so sure there is a workaround.
As an alternative you might try Hamachi's VPN. It doesn't require any port forwarding. You install it at the 2 sites, and both make an automated outgoing connection to a 3rd party server that looks after the "handshaking". Works well:
http://www.hamachi.cc
to run it as a service:
http://www.itsatechworld.com/2006/01/17/hamachi-vpn-solution/
batch file to set up service more easily, see near end of thread.
http://forums.hamachi.cc/viewtopic.php?t=522&postdays=0&postorder=asc&highlight=batch&start=15

To confirm the double NAT is the issue see if you can get remote desktop working by forwarding it on both routers. It should work OK.

Also, for the record, if you are just using the standard Windows PPTP VPN, you only need port 1723 forwarded. Ports 500, 1701, 4500 and protocols 50 and 51 are for L2TP and IPSec VPNs.
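The point Rob makes above, that GRE is IP protocol 47 and not a port, is easy to check mechanically. The script below is an added example, not code from the thread or from any of the products mentioned; the two rule lists are constructed from the forwarding tables in the question, and the GRE pass-through flags are assumptions (on for the Linksys as the question states, unknown and therefore assumed off for the tower radio).

```python
"""Audit NAT port-forwarding rules for a Windows PPTP VPN endpoint.
PPTP needs TCP 1723 (control channel) plus GRE, which is IP protocol 47
and cannot be forwarded as a port. Added example, not from the thread."""

# IP protocol numbers that are commonly mistaken for port numbers.
IP_PROTOCOLS = {47: "GRE", 50: "ESP", 51: "AH"}
# Ports used only by L2TP/IPsec; pointless for plain PPTP.
IPSEC_ONLY_PORTS = {500, 1701, 4500}

# Constructed from the two tables in the question (all rules are TCP+UDP):
# each token is a port or an inclusive lo-hi range.
TOWER_RULES = "3389 47 1723 500 50-51 20-21"   # microwave tower -> Linksys
LINKSYS_RULES = "20 1723 500 50 47 3389"        # Linksys -> server LAN

def parse_ports(spec):
    """'50-51 1723' -> [range(50, 52), range(1723, 1724)]"""
    ranges = []
    for token in spec.split():
        lo, _, hi = token.partition("-")
        ranges.append(range(int(lo), int(hi or lo) + 1))
    return ranges

def audit_pptp(port_ranges, gre_passthrough):
    """Return findings: misread protocol numbers, IPsec-only ports,
    a missing 1723 forward, and GRE pass-through being off."""
    findings = []
    for ports in port_ranges:
        for p in ports:
            if p in IP_PROTOCOLS:
                findings.append(f"port {p} does nothing: {IP_PROTOCOLS[p]} "
                                f"is IP protocol {p}, not a port")
            elif p in IPSEC_ONLY_PORTS:
                findings.append(f"port {p} is for L2TP/IPsec, unused by PPTP")
    if not any(1723 in ports for ports in port_ranges):
        findings.append("TCP 1723 (PPTP control channel) is not forwarded")
    if not gre_passthrough:
        findings.append("GRE pass-through is off: the PPTP tunnel cannot form")
    return findings

if __name__ == "__main__":
    # Assumed: pass-through on for the Linksys (as the question says),
    # unknown for the tower radio, so treated as off there.
    for name, spec, gre in (("tower", TOWER_RULES, False),
                            ("linksys", LINKSYS_RULES, True)):
        for finding in audit_pptp(parse_ports(spec), gre):
            print(f"{name}: {finding}")
```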
cpctech (author) commented:
Will check out the suggestions over the next day or two and report

Thor
Rob Williams commented:
Let us know how it goes Thor.
--Rob
cpctech (author) commented:
Well Rob...

Found out the core cause
NAT
My ISP does not have NAT configured for the VPN ports nor the 10 other ones I need. I am testing the Hamachi thing and so far I like it.

By the looks of their site I presume they are going to run a free version and a paid version in the future.

Points to follow

Thanks
Rob Williams commented:
Thanks Thor,
as I understand it there will likely be a fee for Hamachi running as a service. If you wish to use the modifications in the links I provided it will work fine, at no cost. But a commercial version that installs as a service, as most corporate offices would want it, seems to be in the works and there will be a fee, if it is not already available.
--Rob