How do you set up VPN on Windows 2003 with 2 Ethernet Cards

Posted on 2007-04-10
Last Modified: 2010-04-12
I have 3 Windows XP computers and one Windows 2003 server. I want to use the Win2003 server for hosting a WEB site and also as a VPN server. The IP addresses on all 4 computers are in 192.168.3.X.
I am able to view the web pages through the Internet with no problem, and I can connect via VPN from a remote location.
When I login from a remote location into the VPN server, I get an IP of 192.168.7.X. This is because I specified a static address pool in the range of to and I can not access any of the computers.
I have a second ethernet card on the Win2003 server but it is not configured.
What do I need to do to be able to access the computers through the VPN connection?

Question by:Ruben1717

Expert Comment

ID: 18885655
Hi Ruben

The best solution would be to configure that unused ethernet card within the 192.168.3.x range ( preferably). This interface can then talk to the other computers and possibly act as a gateway (depending on your configuration).

I presume the VPN is coming in on the other interface (192.168.7.x) and talking to the Win2003 Server. Now as long as this is true, all you need is a service called Packet Forwarding configured on the Win2003 Server. I'm not sure what VPN software you are using but most (including the standard Microsoft Routing & Remote Access) enable this setting by default. So that should be it.

You may need to play around with the configuration but one thing's for sure, you definitely want to utilize that other unused interface.

LVL 77

Expert Comment

by:Rob Williams
ID: 18885661
Either change the static address pool in the RRAS configuration to be part of the 192.168.3.x subnet, or on the remote computer you will need to add a static route.
If you want to add the route, on the client machine, find the client's assigned VPN IP by running 'ipconfig /all'  and locate the IP under the PPP adapter. Assuming for example purposes this is add the route, to the client machine:
route add mask
To remove the route:
route delete
However there is a catch. Every time a user connects they will be assigned a different IP, so the route changes. If you wish to assign a static IP you can do so near the bottom of the Dial-in page of the user's profile in active directory. Then you can make the route permanent by adding the '-p' option:
route -p add mask

I assume you can connect to shares on the RRAS server. If not make sure the local subnet at the client site differs from those at the server site. i.e. not 192.168.7.x, or 192.168.3.x
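
The steps in the answer above (read the PPP adapter address from `ipconfig /all`, add a route through it, and keep the client's own subnet distinct from 192.168.3.x and 192.168.7.x) can be checked in one pass. This is an added example, not part of the original thread; the /24 masks, the sample `ipconfig` output and the function names are assumptions.

```python
import ipaddress
import re

# Server-side subnets named in the thread; the /24 masks are an assumption.
LAN = ipaddress.ip_network("192.168.3.0/24")
VPN_POOL = ipaddress.ip_network("192.168.7.0/24")
# Constructed sample of `ipconfig /all` output (not taken from the thread).
SAMPLE = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 10.20.30.40
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

PPP adapter aProd:
        IP Address. . . . . . . . . . . . : 192.168.7.12
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""

def parse_adapters(text):
    """Return {adapter header: (ip, mask)} from ipconfig /all text."""
    adapters, name, ip = {}, None, None
    for line in text.splitlines():
        header = re.match(r"^(\S.*adapter .*):\s*$", line)
        if header:
            name, ip = header.group(1), None
            continue
        field = re.match(r"^\s+(IP Address|Subnet Mask)[ .]*:\s*(\S+)", line)
        if not (name and field):
            continue  # unrelated line, or a field whose value is empty
        if field.group(1) == "IP Address":
            ip = field.group(2)
        elif ip:
            adapters[name] = (ip, field.group(2))
    return adapters

def plan_route(text):
    """Return (route command, warnings) for reaching LAN over the PPP link."""
    ppp_ip, warnings = None, []
    for name, (ip, mask) in parse_adapters(text).items():
        if name.startswith("PPP adapter"):
            ppp_ip = ip  # gateway for the route is the client's own VPN address
            continue
        local = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if local.overlaps(LAN) or local.overlaps(VPN_POOL):
            warnings.append(f"{name}: {local} overlaps a server-side subnet")
    if ppp_ip is None:
        raise ValueError("no PPP adapter found; connect the VPN first")
    if ipaddress.ip_address(ppp_ip) not in VPN_POOL:
        warnings.append(f"PPP address {ppp_ip} is outside {VPN_POOL}")
    return f"route add {LAN.network_address} mask {LAN.netmask} {ppp_ip}", warnings
```

A non-empty warnings list means the route alone will not help: either the client's local network collides with a server-side subnet or the PPP address did not come from the expected pool.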

Author Comment

ID: 18909188
I must be missing something because I have not been able to access any of the computers.
The IP address at my remote computer is

I changed the address pool in RRAS to -> When I did this, I was not able to login to the network from the outside.

I changed the address pool to 192.168.7.x and then I was able to login from a remote computer and did a "route add mask" After I did this, I still was not able to access the network.

I then removed the configuration from RRAS and have been playing with the configuration of the 2 NIC cards, but have not had any success.

The FTP server interface is
One interface in the VPN server is and the other one is
 I connected both interfaces from the VPN server into the same router.

LVL 77

Expert Comment

by:Rob Williams
ID: 18911262
>>"route add mask"
Almost. is the first IP in the static address pool so that is assigned to the RRAS server. You need to use your assigned VPN adapter address. To locate run IPConfig /all. The IP address under PPP adapter is the address you want to use in the route add statement.
The problem with this is the address is dynamic and changes each time you connect. If that works OK then under the dial-in tab of the user's profile, in active directory you can add a static address that will be assigned to that client each time.

Author Comment

ID: 18922251
I must be doing something wrong because it still fails. I am able to connect to the VPN server, but I can not access any computers.  This is what I get from the command prompt:

PPP adapter aProd:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

C:\>route add mask

Connecting To not open connection to the host, on port 23:
Connect failed
LVL 77

Expert Comment

by:Rob Williams
ID: 18933114
In the above example you would want to use
route add mask
As a test run IPConfig while connected, and then add the route using your current PPP IP and see if you can connect.

Author Comment

ID: 18944395
I first establish a connection, then I do
C:\>ipconfig /all
This gives me the IP address, then I use that IP address in the route command
route add mask

It still does not let me access any of the computers in the network, not even the VPN server.

LVL 77

Expert Comment

by:Rob Williams
ID: 18954017
Odd, should work.
Are there any software firewalls running on the other systems such as Windows firewall, or Symantec security suite? They can often be configured to allow access from the local subnet only.

Author Comment

ID: 18962968
The VPN server is running the Windows firewall. I tried to disable it, but it does not let me. I get a message telling me that RRAS needs the firewall.
I have a Windows XP system in the same subnet as the VPN server. This computer has ZoneAlarm Pro.
I had not suspected it to be the problem, because I can not even access the VPN server itself from the remote connection.
I am going to give it a try without ZoneAlarm.
LVL 77

Accepted Solution

Rob Williams earned 500 total points
ID: 18970460
Actually on the VPN/RRAS server the Windows Firewall would be disabled, because you are using RRAS. Other firewalls will definitely be an issue, in particular ZoneAlarm, however at this point if it is not running on the RRAS server it is not an issue.
Is NAT enabled in RRAS? It shouldn't be in this situation.

I find your comment earlier very interesting, or odd that this is the case; "I changed the address pool in RRAS to -> When I did this, I was not able to login to the network from the outside."

Question has a verified solution.