rcg112355

Name resolutions over VPN

I have created a VPN server in our office using Windows 2003 Standard Edition. The clients all run Windows XP Professional. The server assigns IP addresses to the client from a pool of addresses. At the VPN server the private NIC is configured to use the internal DNS server and the public NIC is not assigned any DNS server at all. The internal DNS server is configured as a forwarder. From the VPN server I can ping any computer on the internal network by name with no problem at all. When the client computer connects it is unable to resolve computer names. I can ping by IP address, but not by name. IPCONFIG shows that the VPN connection has been assigned the DNS server on the internal network. When I try to ping or do nslookup to a computer name on the internal network it is resolving to a public IP address. Can anyone help me, please??
ASKER CERTIFIED SOLUTION
Rob Williams
This solution is only available to members.
rcg112355

ASKER

Actually, I had pretty much done all of the things that you suggested. It is a small network so I ended up adding the important static address to the HOSTS file.

However, I did run into another problem. The internal network behind the VPN has a subnet of 192.168.1.x. Of course this is pretty popular for home networks as well. So if one of them connects to the VPN and they share the same subnet the client is unable to see the VPN network at all. It can't even ping by address.

I changed the subnet on the two remote users, but I realize that is not the ultimate solution. What happens when the company owner is sitting in a hotel and can't browse his network?? I guess the best solution is to give them a more unique subnet internally such as 172.16.x.x. That should dramatically reduce the chance for a conflict.

Do you have any other suggestions??

Thanks.
Hosts file works very well, but a bit of a pain. If you can set up a WINS server it often works better, and is dynamic.

As for the IP addressing, it is a common problem and the only solution is to change the corporate subnet, though that can be a big project on some networks. 172.16 is a great choice, but I would still avoid 172.16.0.x. I usually use something like 192.168.ab.x where ab is the last 2 digits of the client's street address just so I can remember who is who <G>

If by any chance your users only need access to the RRAS server, and no other PC's or servers, as a rule if the "use default remote gateway" option is checked on the VPN client (it is by default), they should be able to connect to that server only with the remote and local subnets the same.

Thanks rcg112355,
--Rob
I thought that I was using the WINS Server. I was assigning the WINS address to the dynamically assigned IP's, but failed to configure it on the static IP's. What a rookie mistake!!

Unfortunately, they do need to connect to computers beyond the RRAS, so it looks like I will be changing subnets this weekend.
DHCP for VPN clients is a little odd. It only passes the IP, gateway, and subnet mask. There is another alternative; you can use the DHCP relay agent within RRAS. This requests an IP from the "normal" DHCP server and therefore inherits more of the scope options, such as WINS. You can't use DHCP reservations with this method, and I don't know what happens if you use this method and assign static IP's in the user profile in conjunction with the DHCP relay agent, but would be interesting to test.

Regardless, still need to change subnets.
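
Added example, not part of the original thread: a simplified model of the client's route selection that shows why a home LAN sharing the office's 192.168.1.x subnet hides the VPN network, and why renumbering the office removes the conflict. The routing table is reduced to the local on-link route plus the VPN default route, and the 172.16.20.0/24 office subnet and host addresses are constructed sample values.

```python
import ipaddress

def build_routes(local_lan, use_default_remote_gateway=True):
    """Simplified client routing table as (network, interface) pairs."""
    # On-link route for whatever subnet the home or hotel router hands out.
    routes = [(ipaddress.ip_network(local_lan), "LAN")]
    if use_default_remote_gateway:
        # With "use default remote gateway" checked, the default route
        # points into the tunnel once the VPN connects.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "VPN"))
    return routes

def pick_interface(routes, destination):
    """Longest-prefix match: the most specific route containing the address wins."""
    dest = ipaddress.ip_address(destination)
    matches = [(net, iface) for net, iface in routes if dest in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def check(local_lan, office_lan, office_host):
    """Report whether the two subnets overlap and where office traffic is sent."""
    local = ipaddress.ip_network(local_lan)
    office = ipaddress.ip_network(office_lan)
    if ipaddress.ip_address(office_host) not in office:
        raise ValueError("office_host is not inside office_lan")
    return {
        "overlap": local.overlaps(office),
        "interface": pick_interface(build_routes(local_lan), office_host),
    }

if __name__ == "__main__":
    # Constructed sample cases: same home LAN, office before and after renumbering.
    cases = [
        ("192.168.1.0/24", "192.168.1.0/24", "192.168.1.10"),
        ("192.168.1.0/24", "172.16.20.0/24", "172.16.20.10"),
    ]
    for local_lan, office_lan, host in cases:
        result = check(local_lan, office_lan, host)
        print(f"home {local_lan} office {office_lan} host {host} -> {result}")
```

In the overlapping case the office host matches the client's own /24 route, so packets stay on the local LAN and never enter the tunnel, which matches the "can't even ping by address" symptom described in the thread.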