Solved

Netgear VPN problem

Posted on 2006-10-25
Last Modified: 2010-04-12
I have just set up a VPN FVS114 router for a customer connected to a cable modem. I purchased the ProSafe software and configured the VPN. I can connect successfully to the network but cannot ping a webserver box on their network. I can, however, ping another router that is in the DMZ that I am trying to get to. The current configuration is that I have a Microsoft Web Server sitting off one of the network ports on the Netgear router; the only other device is a DLink router that plugs in as well, which then feeds a separate LAN, basically creating a simple DMZ for the webserver to work in. The IP address of the Netgear router is 10.10.1.1 and the webserver is 10.10.1.2. The DLink router has the WAN port set to 10.10.1.5; when I ping this when connected on the VPN I get a response, but when I ping the webserver I get nothing. All devices have been manually configured with IP addresses; the DHCP on the Netgear has been turned off (have tried with it on as well though).

The IP address that I am getting assigned when I connect is 10.10.1.10, which looks to be fine to me. My PC that I am connecting from has an IP address of 10.10.0.2, which is a separate subnet, which I assume is the best option.

Anyway, I have tried a number of different configurations with the VPN software and cannot get it to work. If I RDP onto the webserver I can ping everything fine, and if I am on their internal LAN I can ping the webserver in the DMZ fine, just not on the VPN.

Hope all the above makes sense. I feel the problem is maybe with the webserver configuration, just not sure.

Any help would be appreciated.

0
Comment
Question by:missmuppet
  • 8
  • 8
18 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17808389
One thought, if I understand correctly: does the web server that you cannot ping have the FVS114's IP as its default gateway? If not, you will need to change the default gateway or add a route manually.
0
 
LVL 1

Author Comment

by:missmuppet
ID: 17808737
Yes, it has 10.10.1.1 as the gateway and is using a WAN DNS address, e.g. 203.96.152.4
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17809125
Any chance you could make a little sketch of the configuration, what is on which DMZ, and the IPs? Might help to clarify.

Sounds to me like:
Internet=>modem=>Netgear=>D-Link=>Webserver
0
 
LVL 1

Author Comment

by:missmuppet
ID: 17830393
Close...

Internet=>Motorola Cable Modem=>Netgear Router/ VPN=>Webserver and Dlink(WAN)=> LAN 5 PC

The Webserver NIC and Dlink WAN port are plugged into 2 of the 4 available ports on the Netgear

The Netgear has an IP of 10.10.1.1 the Webserver 10.10.1.2 and the WAN port on the DLink has 10.10.1.5

The Netgear holds the Static Public IP address on the WAN port as the Motorola is acting as a bridge

The LAN on the DLINK is on another subnet, 192.168.0.0

Currently I have a NAT rule set up on the Netgear to allow me to connect through RDP to the webserver, which works fine. The problem is when I am connected on the VPN I cannot connect to the server using the 10.10.1.2 IP and/or ping it, it's just not there, yet I can ping the WAN port on the DLink fine (10.10.1.5). Ideally I want to get rid of the NAT rule and allow only VPN access to the server for better security.

Hope this helps
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17830537
OK I better understand now. Sorry I am a little 'slow' :-)
1) make sure there are no software firewalls on the web server blocking ICMP (ping) requests. The Windows firewall will by default, but will allow RDP if enabled.
2) on the ProSafe client, make sure in the policy editor, on the first page of the configuration under "remote party identity" you have:
ID Type = IP subnet
Subnet = 10.10.1.0 (in this case)
mask= 255.255.255.0
Protocol= all
3) on the Netgear router on the VPN policy page under "Traffic selector" you have:
Local IP= Subnet address
Start IP= 10.10.1.0
Finish IP address= 0.0.0.0
Subnet mask=255.255.255.0
Remote IP= any
Start IP= 0.0.0.0
Finish IP address= 0.0.0.0
Subnet mask= 0.0.0.0
0
 
LVL 1

Author Comment

by:missmuppet
ID: 17831480
That's exactly as I have it ... strange, as I can't see why it shouldn't work. I feel it must have something to do with the server, just can't figure out what. I have tried the Virtual Adapter and still no go..
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17831521
Mmmmmm...
That is why I thought a firewall might be enabled.
Is the D-Link on the LAN segment of the Netgear or the DMZ?
0
 
LVL 1

Author Comment

by:missmuppet
ID: 17831546
That's exactly as I have it ... strange, as I can't see why it shouldn't work. I feel it must have something to do with the server, just can't figure out what. I have tried the Virtual Adapter and still no go..
0
 
LVL 1

Author Comment

by:missmuppet
ID: 17831552
The Dlink is placed in the LAN segment of the Netgear. At this stage I do not have an IP address entered under the DMZ area of the Netgear. I was thinking of putting the webserver in there but it does not have a firewall running, so not a good idea...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17831577
No, the web server is "safer" where it is. I just wondered if the difference might be that the D-Link was in the DMZ, as earlier you stated "can however ping another router that is in the DMZ". Out of curiosity, can you ping the LAN side of the Netgear through the VPN tunnel?
I'm running out of ideas.
0
 
LVL 1

Author Comment

by:missmuppet
ID: 17831717
Yip, so am I. Thing is, you can ping the webserver under diagnostics on the Netgear router, which suggests the Netgear has no problem seeing it. I am going to install the client software on my laptop and try it through a 3G data card to ensure it is not my network or machine. Been having a look and I am now thinking it may be DNS issues, so may have to pay a visit and have a fiddle. Only so much you can do on RDP.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17833089
You say it may be a DNS issue, but you are pinging the IP rather than, or as well as, the name, are you not?
One other thought: the network from which you are connecting does have a different subnet, doesn't it? Not 10.10.1.x. They have to be different.
0
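The "they have to be different" check from the comment above, as an added example that is not part of the original thread: it tests whether a client's local network overlaps the VPN's remote subnet and uses longest-prefix matching to show which interface would carry a packet to 10.10.1.2. The route tables, the interface names `lan` and `vpn`, the /16 mask and the leftover host route are constructed assumptions, not details reported by either poster.

```python
import ipaddress

def overlapping(local_addrs, remote_net):
    """Return the local interface addresses whose network overlaps the VPN subnet."""
    remote = ipaddress.ip_network(remote_net)
    return [a for a in local_addrs
            if ipaddress.ip_network(a, strict=False).overlaps(remote)]

def egress(routes, dest):
    """Longest-prefix match: return (route, interface) chosen for dest, or None."""
    ip = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(net), ifname)
               for net, ifname in routes
               if ip in ipaddress.ip_network(net)]
    if not matches:
        return None
    net, ifname = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), ifname

VPN_SUBNET = "10.10.1.0/24"  # remote subnet from the thread's VPN policy

# Constructed route table: client on 10.10.0.0/24, tunnel up.
CLEAN_ROUTES = [
    ("0.0.0.0/0", "lan"),
    ("10.10.0.0/24", "lan"),
    (VPN_SUBNET, "vpn"),
]

# Constructed route table: same, plus a leftover host route (assumption)
# for 10.10.1.2 pointing at the local LAN instead of the tunnel.
STALE_ROUTES = CLEAN_ROUTES + [("10.10.1.2/32", "lan")]

if __name__ == "__main__":
    # 10.10.0.2 with a /24 mask is a different subnet; with a /16 it is not.
    for addr in ("10.10.0.2/24", "10.10.0.2/16"):
        clash = overlapping([addr], VPN_SUBNET)
        print(addr, "overlaps VPN subnet" if clash else "is distinct")
    for name, table in (("clean", CLEAN_ROUTES), ("stale", STALE_ROUTES)):
        for dest in ("10.10.1.2", "10.10.1.5"):
            print(name, dest, "->", egress(table, dest))
```

On a real client, the same comparison is made against the output of `route print` (Windows) or `ip route` (Linux) taken while the tunnel is connected.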
 
LVL 1

Author Comment

by:missmuppet
ID: 17836865
Yes, my network is 10.10.0.X, so different. I am pinging the IP, not the name, but no go..
0
 
LVL 1

Author Comment

by:missmuppet
ID: 17838316
Well, I put the software on my laptop and connected via a datacard and it worked fine; I could ping the webserver. I am pretty sure it was an issue with our DNS server here WSBS that had cached something which was causing the issue. I often use this subnet (10.10.1.X) for customers when setting up in the office and I think it is remembering something, especially 10.10.1.2 as this is normally a server address .... So all sorted... Thanks for your help Rob, as everything basically pushed me in the right direction
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
ID: 17839603
You are very welcome, though sorry I really wasn't any help. I'm not convinced DNS would be the issue since you were having problems using the IP. Since the configuration seems fine, it is possible your modem or ISP does not support IPSec.
Regardless, if you are happy with the way things are working now......
Cheers!
--Rob
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18223851
Thanks missmuppet,
Cheers !
--Rob
0
