Solved

Server 2003 VPN behind nat and multi firewalls?

Posted on 2006-07-15
903 Views
Last Modified: 2013-11-29
Ok here is my nightmare...

I have a static IP at the house
70.xxx.xxx.xxx

It hits a redhat box that is my ISP
He NATs through his network to a microwave tower
My microwave tower radio has a static IP
172.16.112.xxx on the WAN port
It then connects to a Linksys WRT54GS Firmware Version: v4.71.1
It has a static IP of 192.168.2.XXX and is NOT serving DHCP.

Server config:
Server 2003 Standard
2 Nics
NIC 1 - NC 100 static IP 192.168.0.2
NIC 2 - Intel Pro 100 static IP 192.168.0.7
Both NICs are plugged into a Linksys switch which is uplinked into the Linksys router

DHCP running and is serving 192.168.0.xxx scope
VPN/NAT is configured.
The access policies were not there so I had to create one
I used the wizy wiz to create the profile and then activated it.


Here is the forwarding from my radio tower to my Linksys:
192.168.2.xxx TCP+UDP 3389 Terminal Services  
192.168.2.xxx TCP+UDP 47 Generic Rtg Encapsul
192.168.2.xxx TCP+UDP 1723 PPTP  
192.168.2.xxx TCP+UDP 500 IPSec  
192.168.2.xxx TCP+UDP 50-51 IPSec  
192.168.2.xxx TCP+UDP 20-21 FTP  


Here is the port forwarding on the linksys: (Both = TCP and UDP)

20      to   Both 192.168.0.xxx
1723      to   Both 192.168.0.xxx  
500      to   Both 192.168.0.xxx  
50      to   Both 192.168.0.xxx  
47      to   Both 192.168.0.xxx  
3389      to   Both 192.168.0.xxx  

Here is what I get:
Connecting to the VPN server by IP address within the LAN
I am able to connect
can not navigate the lan nor get to the internet

Connecting via my cell
It rips through the Connecting although it never connects
It just sits at verifying user name and password.

Here is the linksys incoming log

Incoming Log Table  
Source IP           Destination Port Number
192.168.2.xxx           1723
the source IP address is the microwave tower/gateway
This tells me that the Linksys is receiving the request and processing
I do have all the VPN stuff enabled on the linksys

The best I can tell is that I am pounding on the VPN server
but the VPN server is not responding, or I have everything hosed and need to just start over
with a new build.

Could anybody make a suggestion as to where to start?
NOTE:
    I may be a little slow responding and testing as I can only work on this issue
    in the evenings and weekends.

TIA
Thor
Question by:cpctech
5 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 17115490
You have port 47 GRE forwarded. GRE is not port 47, but protocol 47. Forwarding the port does not help. On supported routers there is an option "enable PPTP pass-through" which allows GRE traffic, or on some commercial routers a rule has to be added to allow GRE traffic.

If I follow correctly, your VPN end point is the 2003 server, and it is behind 2 NAT routers, 172.16.x.x and 192.168.2.x. If this is the case it is likely your problem. VPNs do not like being behind 2 NAT devices, and I'm not so sure there is a work around.
As an alternative you might try Hamachi's VPN. It doesn't require any port forwarding. You install it at the 2 sites, and both make an automated outgoing connection to a 3rd party server that looks after the "handshaking". Works well:
http://www.hamachi.cc
to run it as a service:
http://www.itsatechworld.com/2006/01/17/hamachi-vpn-solution/
batch file to set up service more easily, see near end of thread.
http://forums.hamachi.cc/viewtopic.php?t=522&postdays=0&postorder=asc&highlight=batch&start=15

To confirm the double NAT is the issue see if you can get remote desktop working by forwarding it on both routers. It should work OK.

Also, for the record, if you are just using the standard Windows PPTP VPN, you only need port 1723 forwarded. Ports 500, 1701, 4500 and protocols 50 and 51 are for L2TP and IPSec VPNs.
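An added example, not code from the thread or from any product named in it: it models the two forwarding tables quoted in the question as a chain of NAT hops and reports the three problems Rob's answer identifies (GRE forwarded as "port 47", IPsec-only rules that PPTP does not need, and the double NAT itself). The hop names and rule sets are constructed from the question.

```python
from dataclasses import dataclass

PPTP_CONTROL_PORT = 1723
GRE_PROTOCOL = 47                     # IP protocol number; there is no TCP/UDP "port 47" for GRE
L2TP_IPSEC_PORTS = {500, 1701, 4500}  # only L2TP/IPsec needs these, not plain PPTP
IPSEC_PROTOCOLS = {50, 51}            # ESP and AH are IP protocols, not ports

def both(*specs):
    """Expand '50-51' style specs into {(proto, port)} for TCP and UDP ("Both")."""
    rules = set()
    for spec in specs:
        lo, _, hi = str(spec).partition("-")
        for port in range(int(lo), int(hi or lo) + 1):
            rules.update({("tcp", port), ("udp", port)})
    return rules

@dataclass
class NatHop:
    name: str
    port_forwards: set              # {("tcp" | "udp", port)}
    gre_passthrough: bool = False   # "PPTP pass-through" or an explicit protocol-47 rule

def pptp_issues(path):
    """Return the reasons a PPTP tunnel will not come up through the NAT hops in `path`."""
    issues = []
    for hop in path:
        ports = {p for _, p in hop.port_forwards}
        if ("tcp", PPTP_CONTROL_PORT) not in hop.port_forwards:
            issues.append(f"{hop.name}: TCP 1723 (PPTP control channel) is not forwarded")
        if not hop.gre_passthrough:
            note = f"{hop.name}: GRE (IP protocol {GRE_PROTOCOL}) is not allowed through"
            if GRE_PROTOCOL in ports:
                note += "; the 'port 47' forward is a TCP/UDP rule and does not carry GRE"
            issues.append(note)
        if ports & IPSEC_PROTOCOLS:
            issues.append(f"{hop.name}: 50/51 are IP protocols (ESP/AH); forwarding them as ports is a no-op")
        if ports & L2TP_IPSEC_PORTS:
            issues.append(f"{hop.name}: ports {sorted(ports & L2TP_IPSEC_PORTS)} are for L2TP/IPsec, not PPTP")
    if len(path) > 1:
        issues.append(f"{len(path)} NAT devices in the path; PPTP/GRE is unreliable behind double NAT")
    return issues

# Constructed from the two forwarding tables quoted in the question (addresses elided there).
RADIO_TOWER = NatHop("radio tower", both(3389, 47, 1723, 500, "50-51", "20-21"))
LINKSYS = NatHop("Linksys WRT54GS", both(20, 1723, 500, 50, 47, 3389))

if __name__ == "__main__":
    for line in pptp_issues([RADIO_TOWER, LINKSYS]):
        print(line)
```

Setting `gre_passthrough=True` on a hop models the "enable PPTP pass-through" option; a hop that only forwards TCP 1723 with that option set produces no findings.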
 
LVL 2

Author Comment

by:cpctech
ID: 17123824
Will check out the suggestions over the next day or two and report

Thor
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17123849
Let us know how it goes Thor.
--Rob
 
LVL 2

Author Comment

by:cpctech
ID: 17131787
Well Rob...

Found out the core cause
NAT
My ISP does not have NAT configured for the VPN ports nor the 10 other ones I need too. I am testing the Hamachi thing and so far I like it.

By the looks of their site I presume they are going to run a free version and a paid version in the future.

Points to follow

Thanks
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17131858
Thanks Thor,
as I understand it there will likely be a fee for Hamachi running as a service. If you wish to use the modifications in the links I provided it will work fine, at no cost. But a commercial version that installs as a service, as most corporate offices would want it, seems to be in the works and there will be a fee, if it is not already available.
--Rob