Solved

Set up Router to allow VPN access

Posted on 2008-10-09
Last Modified: 2012-05-05
I have configured ISA 2004 on a Win2K server for VPN access. Does anyone know what I need to set on the router (Vigor 2810) to make this work?

Thanks
Question by:HKFuey
17 Comments
 
LVL 5

Expert Comment

by:gzarnick
ID: 22677791
Make sure you have port 1723 open
0
 
LVL 5

Expert Comment

by:gzarnick
ID: 22677842
If your router has services listed then you need PPTP open with GRE.
0
 

Author Comment

by:HKFuey
ID: 22678735
OK, I have unchecked the VPN services in the router and done a port redirect to local computer (ISA 2004, 192.168.1.238) and also opened port 1723.
When I query the ISA logs after trying to connect from an external source I see nothing so I assume the router is still blocking the VPN inbound.
0
 
LVL 5

Expert Comment

by:gzarnick
ID: 22679078
Don't uncheck the VPN services in the router.  Make sure the ports in the router are open as well as the ports in ISA.  You want to make sure that the PPTP tunnel is able to go inbound and outbound.
0
 

Author Comment

by:HKFuey
ID: 22679479
mmm not sure about that, see note on VPN page. ISA server is on the LAN so I want VPN pass through?
Router.bmp
0
 
LVL 5

Expert Comment

by:gzarnick
ID: 22679664
I would enable PPTP VPN Service.  You're not really running a VPN server on your LAN.  You are allowing to go through with ISA but the server running it is the router.
0
 

Author Comment

by:HKFuey
ID: 22679910
I tried it both ways, I can't get a connection. Not showing on ISA logs so I assume router is still blocking.
0
 
LVL 5

Expert Comment

by:gzarnick
ID: 22679957
http://www.draytek.co.uk/support/kb_vigor_vpncheck.html

Check out that page and see if it will help.
0
 
LVL 14

Expert Comment

by:plug1
ID: 22982924
You NEED to uncheck the PPTP services as you already have done. The only other thing is to redirect port 1723 to the server; can you post your config of that? I have this working on a few 2820s so I can post my configs up if need be. TBH though, in your situation I'd be looking at ISA blocking the VPN before the router.
0
 

Author Comment

by:HKFuey
ID: 22986202
Hi chaps, I have already redirected port 1723 from one of the WAN IP aliases to the local IP.
I used this article, which is quite easy to follow, to set up ISA for VPN:
http://www.isaserver.org/articles/2004vpnserver.html
I get to the part where you test the VPN on the local network and I still get no connection.
I think maybe I have the network settings wrong on the 2 ISA NICs?
0
 
LVL 14

Expert Comment

by:plug1
ID: 22986300
Easy way to test it is to try and VPN in locally, take the internet out of the equation, make sure VPNs are allowed on both NICs.
0
 

Author Comment

by:HKFuey
ID: 22992490
VPN local does not work.
Have gone through the setup as defined here: http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html
But I get this error:
Technical Information (for support personnel)
Error Code 12206: Proxy chain loop
Background: The gateway has detected a proxy chain loop. This condition might indicate a configuration problem on a proxy server.
Date: 19/11/2008 08:39:00
Server: Users.xxxxxxxx.com
Source: Proxy
 
0
 
LVL 14

Expert Comment

by:plug1
ID: 22993084
Can you post an IPCONFIG /ALL from the ISA box?
0
 

Author Comment

by:HKFuey
ID: 22993258
Windows 2000 IP Configuration
        Host Name . . . . . . . . . . . . : Users
        Primary DNS Suffix  . . . . . . . : ######.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : ######.com
Ethernet adapter Int:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Allied Telesyn AT-2700TX PCI 10/100 Ethernet Adapter
        Physical Address. . . . . . . . . : 00-30-84-6D-E2-A9
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.238
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.1.251
                                            192.168.1.1
        Primary WINS Server . . . . . . . : 150.0.0.130
Ethernet adapter Ext:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Adapter (PILA8470B)
        Physical Address. . . . . . . . . : 00-02-B3-65-6D-E2
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : ########.253
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        IP Address. . . . . . . . . . . . : ########.252
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        IP Address. . . . . . . . . . . . : ########.251
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        IP Address. . . . . . . . . . . . : ########.250
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        IP Address. . . . . . . . . . . . : ########.249
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled
0
 
LVL 14

Accepted Solution

by:
plug1 earned 500 total points
ID: 22993457
I take it the blocked-out addresses aren't on the subnet 192.168.1.0? It looks to me like they are, as the default gateway is 192.168.1.1. If that's the case then that's why it's not working; the external adapter needs a different range than the internal, so if the internal is 192.168.1.2 then the external HAS to be on another subnet, i.e. 10.1.1.0 or 192.168.100.0.

It won't work otherwise.
0
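The check the accepted answer makes by eye, written out as an added example (not code from the thread): it parses `ipconfig /all`-style text and flags a default gateway that is not on any subnet of the adapter it is set on, and adapters whose subnets overlap. The sample input is constructed, the 203.0.113.x address stands in for the masked values, and `parse_adapters` and `audit` are illustrative names.

```python
import ipaddress
import itertools
import re

# Constructed sample; masked external IPs replaced by an RFC 5737 placeholder.
SAMPLE = """\
Ethernet adapter Int:
        IP Address. . . . . . . . . . . . : 192.168.1.238
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
Ethernet adapter Ext:
        IP Address. . . . . . . . . . . . : 203.0.113.253
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

def parse_adapters(text):
    """Return {adapter: {"ifaces": [IPv4Interface], "gateways": [IPv4Address]}}."""
    adapters, current, pending_ip = {}, None, None
    for line in text.splitlines():
        head = re.match(r"Ethernet adapter (.+):\s*$", line)
        field = re.match(r"\s+([A-Za-z ]+?)[ .]*:\s*(\S+)\s*$", line)
        if head:
            current = adapters.setdefault(head.group(1), {"ifaces": [], "gateways": []})
        elif field and current is not None:
            key, value = field.groups()
            if key == "IP Address":
                pending_ip = value          # paired with the next Subnet Mask line
            elif key == "Subnet Mask" and pending_ip:
                current["ifaces"].append(ipaddress.ip_interface(f"{pending_ip}/{value}"))
                pending_ip = None
            elif key == "Default Gateway":
                current["gateways"].append(ipaddress.ip_address(value))
    return adapters

def audit(adapters):
    """List dual-homing faults: off-link gateways and overlapping adapter subnets."""
    findings = []
    for name, cfg in adapters.items():
        for gw in cfg["gateways"]:
            if not any(gw in i.network for i in cfg["ifaces"]):
                findings.append(f"{name}: gateway {gw} is off-link for this adapter")
    for a, b in itertools.combinations(adapters, 2):
        if any(x.network.overlaps(y.network)
               for x in adapters[a]["ifaces"] for y in adapters[b]["ifaces"]):
            findings.append(f"{a} and {b}: subnets overlap")
    return findings

print(audit(parse_adapters(SAMPLE)))
```

An empty list means each gateway is reachable from the adapter it is configured on and the internal and external ranges are distinct, which is the condition the accepted answer asks for.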
 

Author Comment

by:HKFuey
ID: 22995118
I also tried the external address of the router as the default gateway on the external NIC: 217.xxx.xxx.254 (with 255.255.225.248 as the subnet)
0
 
LVL 14

Expert Comment

by:plug1
ID: 22995151
What is the actual address of the external NIC at the moment? Change it slightly if you feel you have to but only by 1 digit.
0
