How do you set up VPN on Windows 2003 with 2 Ethernet Cards

I have 3 Windows XP computers and one Windows 2003 server. I want to use the Win2003 server for hosting a WEB site and also as a VPN server. The IP addresses on all 4 computers are in 192.168.3.X.
I am able to view the web pages through the Internet with no problem, and I can connect via VPN from a remote location.
When I login from a remote location into the VPN server, I get an IP of 192.168.7.X. This is because I specified a static address pool in the range of to and I can not access any of the computers.
I have a second ethernet card on the Win2003 server but it is not configured.
What do I need to do to be able to access the computers through the VPN connection?

1 Solution
Hi Ruben

The best solution would be to configure that unused ethernet card within the 192.168.3.x range ( preferably). This interface can then talk to the other computers and possibly act as a gateway (depending on your configuration).

I presume the VPN is coming in on the other interface (192.168.7.x) and talking to the Win2003 Server. Now as long as this is true, all you need is a service called Packet Forwarding configured on the Win2003 Server. I'm not sure what VPN software you are using but most (including the standard Microsoft Routing & Remote Access) enable this setting by default. So that should be it.

You may need to play around with the configuration but one thing's for sure, you definitely want to utilize that other unused interface.

Rob Williams Commented:
Either change the static address pool in the RRAS configuration to be part of the 192.168.3.x subnet, or on the remote computer you will need to add a static route.
If you want to add the route, on the client machine, find the client's assigned VPN IP by running 'ipconfig /all'  and locate the IP under the PPP adapter. Assuming for example purposes this is add the route, to the client machine:
route add mask
To remove the route:
route delete
However, there is a catch. Every time a user connects they will be assigned a different IP, so the route changes. If you wish to assign a static IP you can do so near the bottom of the Dial-in page of the user's profile in Active Directory. Then you can make the route permanent by adding the '-p' option:
route -p add mask

I assume you can connect to shares on the RRAS server. If not, make sure the local subnet at the client site differs from those at the server site, i.e. not 192.168.7.x or 192.168.3.x.
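The client-side steps from the comment above, as an added example that is not part of the original thread: it reads `ipconfig /all` output, picks the PPP adapter's address, refuses to continue if the client's own LAN overlaps either server-side subnet, and builds the `route add` line. The sample output, its addresses, the /24 masks and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output from a connected client; the
# addresses are illustrative and do not come from the thread.
SAMPLE = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

PPP adapter aProd:
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        IP Address. . . . . . . . . . . . : 192.168.7.12
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""

# Assumption: both ranges from the question are treated as /24 networks.
SERVER_LAN = ipaddress.ip_network("192.168.3.0/24")  # office LAN
VPN_POOL = ipaddress.ip_network("192.168.7.0/24")    # RRAS static pool

def parse_adapters(text):
    """Return {adapter name: (kind, ip, mask)} for adapters that have an IP."""
    adapters, name, kind, ip = {}, None, None, None
    for line in text.splitlines():
        header = re.match(r"^(\S.*?) adapter (.+):\s*$", line)
        if header:
            kind, name, ip = header.group(1), header.group(2), None
            continue
        field = re.match(r"^\s+(IP Address|Subnet Mask)[ .]*: (\S+)", line)
        if not field or name is None:
            continue  # unrelated line, or a field with an empty value
        if field.group(1) == "IP Address":
            ip = field.group(2)
        elif ip:
            adapters[name] = (kind, ip, field.group(2))
    return adapters

def plan_route(text):
    """Build the client-side route command, or raise on a subnet clash."""
    ppp_ip = None
    for name, (kind, ip, mask) in parse_adapters(text).items():
        if kind == "PPP":
            ppp_ip = ip
            continue
        local = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if local.overlaps(SERVER_LAN) or local.overlaps(VPN_POOL):
            raise ValueError(f"{name} ({local}) overlaps a server-side subnet")
    if ppp_ip is None:
        raise ValueError("no PPP adapter found; is the VPN connected?")
    return f"route add {SERVER_LAN.network_address} mask {SERVER_LAN.netmask} {ppp_ip}"
```

Calling `plan_route(SAMPLE)` returns the command to type on the client; because the PPP address changes per connection, it has to be rebuilt after each reconnect unless a static address is assigned to the user.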
Ruben1717 Author Commented:
I must be missing something because I have not been able to access any of the computers.
The IP address at my remote computer is

I changed the address pool in RRAS to -> When I did this, I was not able to login to the network from the outside.

I changed the address pool to 192.168.7.x and then I was able to login from a remote computer and did a "route add mask". After I did this, I still was not able to access the network.

I then removed the configuration from RRAS and have been playing with the configuration of the 2 NIC cards, but have not had any success.

The FTP server interface is
One interface in the VPN server is and the other one is
I connected both interfaces from the VPN server into the same router.

Rob Williams Commented:
>>"route add mask"
Almost. is the first IP in the static address pool so that is assigned to the RRAS server. You need to use your assigned VPN adapter address. To locate it, run IPConfig /all. The IP address under PPP adapter is the address you want to use in the route add statement.
The problem with this is the address is dynamic and changes each time you connect. If that works OK then under the dial-in tab of the user's profile, in Active Directory, you can add a static address that will be assigned to that client each time.
Ruben1717 Author Commented:
I must be doing something wrong because it still fails. I am able to connect to the VPN server, but I can not access any computers.  This is what I get from the command prompt:

PPP adapter aProd:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

C:\>route add mask

Connecting To not open connection to the host, on port 23:
Connect failed
Rob Williams Commented:
In the above example you would want to use
route add mask
As a test run IPConfig while connected, and then add the route using your current PPP IP and see if you can connect.
Ruben1717 Author Commented:
I first establish a connection, then I do
c:\ipconfig /all
This gives me the IP address, then I use that IP address in the route command
route add mask

It still does not let me access any of the computers in the network, not even the VPN server.

Rob Williams Commented:
Odd, should work.
Are there any software firewalls running on the other systems such as Windows firewall, or Symantec security suite? They can often be configured to allow access from the local subnet only.
Ruben1717 Author Commented:
The VPN server is running the Windows firewall. I tried to disable it, but it does not let me. I get a message telling me that RRAS needs the firewall.
I have a Windows XP system in the same subnet as the VPN server. This computer has ZoneAlarm Pro.
I had not suspected it to be the problem, because I can not even access the VPN server itself from the remote connection.
I am going to give it a try without ZoneAlarm.
Rob Williams Commented:
Actually on the VPN/RRAS server the Windows Firewall would be disabled, because you are using RRAS. Other firewalls will definitely be an issue, in particular ZoneAlarm, however at this point if it is not running on the RRAS server it is not an issue.
Is NAT enabled in RRAS? It shouldn't be in this situation.

I find your comment earlier very interesting, or odd that this is the case; "I changed the address pool in RRAS to -> When I did this, I was not able to login to the network from the outside."

