Solved

Server 2003 VPN behind nat and multi firewalls?

Posted on 2006-07-15
Last Modified: 2013-11-29
Ok here is my nightmare...

I have a static IP at the house
70.xxx.xxx.xxx

It hits a redhat box that is my ISP
He NATs through his network to a microwave tower
My microwave tower radio has a static IP
172.16.112.xxx on the WAN port
It then connects to a Linksys WRT54GS Firmware Version: v4.71.1
It has a static IP of 192.168.2.XXX and is NOT serving DHCP.

Server config:
Server 2003 Standard
2 Nics
NIC 1 - NC 100 static IP 192.168.0.2
NIC 2 - Intel Pro 100 static IP 192.168.0.7
Both NICs are plugged into a Linksys switch which is uplinked into the Linksys router

DHCP running and is serving 192.168.0.xxx scope
VPN/NAT is configured.
The access policies were not there so I had to create one.
I used the wizy wiz to create the profile and then activated it.


Here is the forwarding from my radio tower to my Linksys:
192.168.2.xxx TCP+UDP 3389 Terminal Services  
192.168.2.xxx TCP+UDP 47 Generic Rtg Encapsul
192.168.2.xxx TCP+UDP 1723 PPTP  
192.168.2.xxx TCP+UDP 500 IPSec  
192.168.2.xxx TCP+UDP 50-51 IPSec  
192.168.2.xxx TCP+UDP 20-21 FTP  


Here is the port forwarding on the Linksys: (Both = TCP and UDP)

Port    Protocol   Forward to
20      Both       192.168.0.xxx
1723    Both       192.168.0.xxx
500     Both       192.168.0.xxx
50      Both       192.168.0.xxx
47      Both       192.168.0.xxx
3389    Both       192.168.0.xxx

Here is what I get:
Connecting to the VPN server by IP address within the LAN:
I am able to connect,
but cannot navigate the LAN nor get to the internet.

Connecting via my cell:
It rips through the "Connecting" stage although it never connects.
It just sits at "verifying user name and password".

Here is the linksys incoming log

Incoming Log Table  
Source IP           Destination Port Number
192.168.2.xxx           1723
The source IP address is the microwave tower/gateway.
This tells me that the Linksys is receiving the request and processing it.
I do have all the VPN stuff enabled on the Linksys.

The best I can tell is that I am pounding on the VPN server
but the VPN server is not responding, or I have everything hosed and need to just start over
with a new build.

Could anybody make a suggestion as to where to start?
NOTE:
    I may be a little slow responding and testing as I can only work on this issue
    in the evenings and weekends.

TIA
Thor
Question by:cpctech
5 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 17115490
You have port 47 GRE forwarded. GRE is not port 47, but protocol 47. Forwarding the port does not help. On supported routers there is an option "enable PPTP pass-through" which allows GRE traffic, or on some commercial routers a rule has to be added to allow GRE traffic.

If I follow correctly, your VPN end point is the 2003 server, and it is behind 2 NAT routers, 172.16.x.x and 192.168.2.x. If this is the case it is likely your problem. VPNs do not like being behind 2 NAT devices, and I'm not so sure there is a work around.
As an alternative you might try Hamachi's VPN. It doesn't require any port forwarding. You install it at the 2 sites, and both make an automated outgoing connection to a 3rd party server that looks after the "handshaking". Works well:
http://www.hamachi.cc
to run it as a service:
http://www.itsatechworld.com/2006/01/17/hamachi-vpn-solution/
batch file to set up service more easily, see near end of thread.
http://forums.hamachi.cc/viewtopic.php?t=522&postdays=0&postorder=asc&highlight=batch&start=15

To confirm the double NAT is the issue see if you can get remote desktop working by forwarding it on both routers. It should work OK.

Also, for the record, if you are just using the standard Windows PPTP VPN, you only need port 1723 forwarded. Ports 500, 1701, 4500 and protocols 50 and 51 are for L2TP and IPSec VPNs.
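To make the port-versus-protocol distinction in the accepted answer concrete, here is an added example (not code from the original thread, the Linksys firmware, or Windows RRAS). It builds a few constructed IPv4 packets, parses the protocol field and, where one exists, the destination port, and matches them against three hypothetical rule sets: the "port 47 TCP+UDP" forwarding from the question, the rules PPTP actually needs (TCP 1723 plus IP protocol 47), and the L2TP/IPsec set listed at the end of the answer. The addresses, rule names and packet contents are assumptions made up for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA IP protocol numbers. These live in byte 9 of the IPv4 header, not in any port field.
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47
PROTO_ESP = 50
PROTO_AH = 51


@dataclass(frozen=True)
class Rule:
    """One forwarding/allow rule. port=None means 'match the whole IP protocol'."""
    proto: int
    port: Optional[int] = None
    name: str = ""


# Mirrors the question's Linksys table: "47 Both" is treated as a TCP/UDP port (hypothetical rule names).
PORT_BASED_RULES: List[Rule] = [
    Rule(PROTO_TCP, 1723, "PPTP control"),
    Rule(PROTO_UDP, 1723, "PPTP control (UDP, unused)"),
    Rule(PROTO_TCP, 47, "'GRE' as TCP port 47 (wrong)"),
    Rule(PROTO_UDP, 47, "'GRE' as UDP port 47 (wrong)"),
]

# What PPTP actually needs: the TCP control channel plus IP protocol 47 with no port at all.
PPTP_RULES: List[Rule] = [
    Rule(PROTO_TCP, 1723, "PPTP control"),
    Rule(PROTO_GRE, None, "GRE tunnel (protocol 47)"),
]

# L2TP/IPsec as listed in the answer: UDP 500, 4500, 1701 and protocols 50 and 51.
L2TP_IPSEC_RULES: List[Rule] = [
    Rule(PROTO_UDP, 500, "IKE"),
    Rule(PROTO_UDP, 4500, "NAT-T"),
    Rule(PROTO_UDP, 1701, "L2TP"),
    Rule(PROTO_ESP, None, "ESP (protocol 50)"),
    Rule(PROTO_AH, None, "AH (protocol 51)"),
]


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum zeroed) in front of a constructed payload."""
    src, dst = bytes([192, 168, 2, 10]), bytes([192, 168, 0, 2])  # assumed router -> VPN server
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_tcp_payload(sport: int, dport: int) -> bytes:
    """TCP header with only the ports populated (SYN flag, rest zeroed) - enough for classification."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def build_udp_payload(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)


def build_pptp_gre_payload() -> bytes:
    """RFC 2637 enhanced GRE header: K and S set, version 1, protocol 0x880B (PPP), call id 1."""
    return struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0)


def classify(packet: bytes) -> Tuple[int, Optional[int]]:
    """Return (ip_protocol, dst_port). GRE/ESP/AH carry no transport ports, so dst_port is None."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto in (PROTO_TCP, PROTO_UDP):
        (dport,) = struct.unpack("!H", packet[ihl + 2:ihl + 4])
        return proto, dport
    return proto, None


def matches(rules: List[Rule], packet: bytes) -> Optional[str]:
    """Name of the first rule that admits the packet, or None if a port-only ruleset would drop it."""
    proto, dport = classify(packet)
    for r in rules:
        if r.proto == proto and (r.port is None or r.port == dport):
            return r.name
    return None


def pptp_would_complete(rules: List[Rule]) -> bool:
    """PPTP needs both the TCP 1723 control channel and the GRE tunnel to pass.
    If only the control channel passes, the client gets as far as PPP authentication
    (which runs inside GRE) and then stalls - the 'verifying user name and password' symptom."""
    control = build_ipv4(PROTO_TCP, build_tcp_payload(51000, 1723))
    tunnel = build_ipv4(PROTO_GRE, build_pptp_gre_payload())
    return matches(rules, control) is not None and matches(rules, tunnel) is not None


if __name__ == "__main__":
    gre = build_ipv4(PROTO_GRE, build_pptp_gre_payload())
    print("GRE packet classified as", classify(gre))
    print("port-based rules admit GRE:", matches(PORT_BASED_RULES, gre))
    print("protocol-based rules admit GRE:", matches(PPTP_RULES, gre))
    print("PPTP completes with port-based rules:", pptp_would_complete(PORT_BASED_RULES))
    print("PPTP completes with protocol-based rules:", pptp_would_complete(PPTP_RULES))
```

The point the classifier makes is that a GRE packet has no port field for a "port 47" rule to inspect, so the control channel is forwarded and logged (as the question's Linksys log shows for 1723) while the tunnel is silently dropped. On a real router the equivalent of the protocol rule is the "PPTP pass-through" toggle or an explicit `-p gre` allow rule, and a second NAT hop in the path needs the same treatment.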
 
LVL 2

Author Comment

by:cpctech
ID: 17123824
Will check out the suggestions over the next day or two and report.

Thor
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17123849
Let us know how it goes Thor.
--Rob
 
LVL 2

Author Comment

by:cpctech
ID: 17131787
Well Rob...

Found out the core cause:
NAT.
My ISP does not have NAT configured for the VPN ports nor the 10 other ones I need, so I am testing the Hamachi thing and so far I like it.

By the looks of their site I presume they are going to run a free version and a paid version in the future.

Points to follow

Thanks
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17131858
Thanks Thor,
as I understand it there will likely be a fee for Hamachi running as a service. If you wish to use the modifications in the links I provided it will work fine, at no cost. But a commercial version that installs as a service, as most corporate offices would want it, seems to be in the works and there will be a fee, if it is not already available.
--Rob