Solved

Server 2003 VPN behind nat and multi firewalls?

Posted on 2006-07-15
909 Views
Last Modified: 2013-11-29
Ok here is my nightmare...

I have a static IP at the house
70.xxx.xxx.xxx

It hits a redhat box that is my ISP
He NATs through his network to a microwave tower
My microwave tower radio has a static IP
172.16.112.xxx on the WAN port
It then connects to a Linksys WRT54GS Firmware Version: v4.71.1
It has a static IP of 192.168.2.XXX and is NOT serving DHCP.

Server config:
Server 2003 Standard
2 Nics
NIC 1 - NC 100 static IP 192.168.0.2
NIC 2 - Intel Pro 100 static IP 192.168.0.7
Both NICs are plugged into a Linksys switch which is uplinked into the Linksys router

DHCP running and is serving 192.168.0.xxx scope
VPN/NAT is configured.
The access policies were not there so I had to create one
I used the wizy wiz to create the profile and then activated it.


Here is the forwarding from my radio tower to my Linksys:
192.168.2.xxx TCP+UDP 3389 Terminal Services  
192.168.2.xxx TCP+UDP 47 Generic Rtg Encapsul
192.168.2.xxx TCP+UDP 1723 PPTP  
192.168.2.xxx TCP+UDP 500 IPSec  
192.168.2.xxx TCP+UDP 50-51 IPSec  
192.168.2.xxx TCP+UDP 20-21 FTP  


Here is the port forwarding on the linksys: (Both = TCP and UDP)

20      to   Both 192.168.0.xxx
1723      to   Both 192.168.0.xxx  
500      to   Both 192.168.0.xxx  
50      to   Both 192.168.0.xxx  
47      to   Both 192.168.0.xxx  
3389      to   Both 192.168.0.xxx  

Here is what I get:
Connecting to the VPN server by IP address within the LAN
I am able to connect
can not navigate the lan nor get to the internet

Connecting via my cell
It rips through the Connecting although it never connects
It just sits at verifying user name and password.

Here is the linksys incoming log

Incoming Log Table  
Source IP           Destination Port Number
192.168.2.xxx           1723
the source IP address is the microwave tower/gateway
This tells me that the Linksys is receiving the request and processing
I do have all the VPN stuff enabled on the linksys

The best I can tell is that I am pounding on the VPN server
but the VPN server is not responding, or I have everything hosed and need to just start over
with a new build.

Could anybody make a suggestion as to where to start?
NOTE:
    I may be a little slow responding and testing as I can only work on this issue
    in the evenings and weekends.

TIA
Thor
Question by:cpctech
5 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 17115490
You have port 47 GRE forwarded. GRE is not port 47, but protocol 47. Forwarding the port does not help. On supported routers there is an option "enable PPTP pass-through" which allows GRE traffic, or on some commercial routers a rule has to be added to allow GRE traffic.

If I follow correctly, your VPN end point is the 2003 server, and it is behind 2 NAT routers, 172.16.x.x and 192.168.2.x. If this is the case it is likely your problem. VPNs do not like being behind 2 NAT devices, and I'm not so sure there is a work around.
As an alternative you might try Hamachi's VPN. It doesn't require any port forwarding. You install it at the 2 sites, and both make an automated outgoing connection to a 3rd party server that looks after the "handshaking". Works well:
http://www.hamachi.cc
to run it as a service:
http://www.itsatechworld.com/2006/01/17/hamachi-vpn-solution/
batch file to set up service more easily, see near end of thread.
http://forums.hamachi.cc/viewtopic.php?t=522&postdays=0&postorder=asc&highlight=batch&start=15

To confirm the double NAT is the issue see if you can get remote desktop working by forwarding it on both routers. It should work OK.

Also, for the record, if you are just using the standard Windows PPTP VPN, you only need port 1723 forwarded. Ports 500, 1701, 4500 and protocols 50 and 51 are for L2TP and IPSec VPNs.
0
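To make the accepted answer's port-versus-protocol point concrete, here is an added Python example (not from this thread or any of its posters) that audits the question's Linksys forwarding table against what a PPTP VPN actually needs, and reads the protocol field of a constructed IPv4 header to show why a TCP/UDP forward of "port 47" can never carry GRE. The rule format and the 192.168.x addresses are taken from the post; the header builder and its sample addresses are constructed for demonstration.

```python
import struct
# Constructed sample: the Linksys forwarding table from the question
# ("Both" = TCP and UDP), one rule per line.
LINKSYS_RULES = """\
20      to   Both 192.168.0.xxx
1723    to   Both 192.168.0.xxx
500     to   Both 192.168.0.xxx
50      to   Both 192.168.0.xxx
47      to   Both 192.168.0.xxx
3389    to   Both 192.168.0.xxx
"""

# IANA IP protocol numbers live in the IP header, so a TCP/UDP port forward
# with the same number never matches them.
IP_PROTOCOLS = {47: "GRE (PPTP data channel)", 50: "ESP (IPsec)", 51: "AH (IPsec)"}
# UDP ports that matter only for L2TP/IPsec, not for a plain Windows PPTP VPN.
L2TP_IPSEC_PORTS = {500: "IKE", 1701: "L2TP", 4500: "NAT-T"}
PPTP_CONTROL_PORT = 1723

def parse_rules(text):
    """Return [(port, proto, dest)] parsed from the 'port to Both dest' table."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "to":
            rules.append((int(parts[0]), parts[2], parts[3]))
    return rules

def audit_pptp_forwarding(rules):
    """Return findings for a router that is supposed to pass a PPTP VPN."""
    findings = []
    for port, proto, _ in rules:
        if port in IP_PROTOCOLS:
            findings.append(f"{port}/{proto}: {IP_PROTOCOLS[port]} is IP protocol "
                            f"{port}, not a port; use PPTP pass-through or a GRE rule")
        elif port in L2TP_IPSEC_PORTS:
            findings.append(f"{port}/{proto}: {L2TP_IPSEC_PORTS[port]} is for L2TP/IPsec only")
    if PPTP_CONTROL_PORT not in {port for port, _, _ in rules}:
        findings.append("1723/TCP (PPTP control channel) is not forwarded")
    return findings

def ip_protocol(ipv4_header):
    """Protocol field (byte 9) of a raw IPv4 header: 6=TCP, 17=UDP, 47=GRE."""
    return ipv4_header[9]

def make_ipv4_header(protocol, src="192.168.2.1", dst="192.168.0.2"):
    """Constructed 20-byte IPv4 header (checksum left 0), for demonstration only."""
    pack_ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, protocol, 0,
                       pack_ip(src), pack_ip(dst))
```

Run `audit_pptp_forwarding(parse_rules(LINKSYS_RULES))` to see the three findings for the table as posted; a GRE packet built with `make_ipv4_header(47)` carries 47 in the protocol field and has no port at all.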
 
LVL 2

Author Comment

by:cpctech
ID: 17123824
Will check out the suggestions over the next day or two and report

Thor
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17123849
Let us know how it goes Thor.
--Rob
0
 
LVL 2

Author Comment

by:cpctech
ID: 17131787
Well Rob...

Found out the core cause
NAT
My ISP does not have NAT configured for the VPN ports nor the 10 other ones I need. So I am testing the Hamachi thing and so far I like it.

By the looks of their site I presume they are going to run a free version and a paid version in the future.

Points to follow

Thanks
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17131858
Thanks Thor,
as I understand it there will likely be a fee for Hamachi running as a service. If you wish to use the modifications in the links I provided it will work fine, at no cost. But a commercial version that installs as a service, as most corporate offices would want it, seems to be in the works and there will be a fee, if it is not already available.
--Rob
0