Solved

Site-to-Site VPN and Routing

Posted on 2008-10-31
Last Modified: 2012-06-21
I have two offices, site A with SBS 2003, single NIC, subnet 192.168.200.0, and B with Windows Server 2008, single NIC, subnet 192.168.201.0. I have configured site B with RRAS to VPN to A. The server can ping site A just fine, but none of the clients on site B can ping through to A.
The gateway at site B is set up correctly to route traffic to that subnet through the server. When I created the demand dial interface on the server it asked for a static route, and I put in 192.168.200.0, mask 255.255.255.0, metric 1.
I've done this before at another time and place using Windows 2003, and I remember running into the same problem, but for the life of me I can't remember how I fixed it.

Thanks in advance,
Kevin
0
Question by:kevincurrey
12 Comments
 
LVL 7

Expert Comment

by:Dusan_Bajic
ID: 22856157
Can you run "route print" on both servers and paste it here?
0
 

Author Comment

by:kevincurrey
ID: 22859210
Interface List
 21 ........................... Remote Router
 10 ...00 15 f2 5a 11 0c ...... NVIDIA nForce 10/100/1000 Mbps Ethernet
 12 ........................... RAS (Dial In) Interface
  1 ........................... Software Loopback Interface 1
 11 ...00 00 00 00 00 00 00 e0  isatap.{E86C6192-CC73-48B9-81EA-8C41A0134039}
 20 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #2
 14 ...00 00 00 00 00 00 00 e0  isatap.{074876A9-C0F6-4412-B856-694E2247E4C7}
 22 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #4

Active Routes:
Network Dest.    Netmask          Gateway         Interface       Metric
0.0.0.0          0.0.0.0          192.168.201.1   192.168.201.60  276
127.0.0.0        255.0.0.0        On-link         127.0.0.1       306
127.0.0.1        255.255.255.255  On-link         127.0.0.1       306
127.255.255.255  255.255.255.255  On-link         127.0.0.1       306
(public ip A)    255.255.255.255  192.168.201.1   192.168.201.60  21
192.168.201.0    255.255.255.0    On-link         192.168.201.60  276
192.168.201.15   255.255.255.255  On-link         192.168.201.15  306
192.168.201.60   255.255.255.255  On-link         192.168.201.60  276
192.168.201.255  255.255.255.255  On-link         192.168.201.60  276
192.168.200.0    255.255.255.0    192.168.200.26  192.168.200.24  21
192.168.200.24   255.255.255.255  On-link         192.168.200.24  276
224.0.0.0        240.0.0.0        On-link         127.0.0.1       306
224.0.0.0        240.0.0.0        On-link         192.168.201.60  277
224.0.0.0        240.0.0.0        On-link         192.168.201.15  306
255.255.255.255  255.255.255.255  On-link         127.0.0.1       306
255.255.255.255  255.255.255.255  On-link         192.168.201.60  276
255.255.255.255  255.255.255.255  On-link         192.168.201.15  306
255.255.255.255  255.255.255.255  On-link         192.168.200.24  276

Persistent Routes:
Network Address  Netmask  Gateway Address  Metric
0.0.0.0          0.0.0.0  192.168.201.1    Default
0
 

Author Comment

by:kevincurrey
ID: 22859242
I should have also posted results from tracert:
Tracert on server B:
  1    73 ms    73 ms    73 ms  serverA.domain.local [192.168.200.2]
Tracert on client:
  1    <1 ms    <1 ms    <1 ms  192.168.201.1  (router)
  2    <1 ms     *       <1 ms  192.168.201.60  (server B)
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
0
 
LVL 7

Expert Comment

by:Dusan_Bajic
ID: 22887781
Can you run route print on server A also?
0
 

Author Comment

by:kevincurrey
ID: 22888149
There are not any routes from site A to site B, and this is intentional as I only need and want traffic to go one way.

Thanks,
Kevin

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.200.1    192.168.200.2      1
   75.162.207.147  255.255.255.255     192.168.200.1    192.168.200.2      1
        127.0.0.0        255.0.0.0         127.0.0.1        127.0.0.1      1
  128.187.172.199  255.255.255.255     192.168.200.1    192.168.200.2      1
    192.168.200.0    255.255.255.0     192.168.200.2    192.168.200.2     10
    192.168.200.2  255.255.255.255         127.0.0.1        127.0.0.1     10
   192.168.200.21  255.255.255.255    192.168.200.2    192.168.200.26      1
   192.168.200.22  255.255.255.255    192.168.200.26   192.168.200.26      1
   192.168.200.24  255.255.255.255    192.168.200.26   192.168.200.26      1
   192.168.200.26  255.255.255.255         127.0.0.1        127.0.0.1     50
  192.168.200.255  255.255.255.255     192.168.200.2    192.168.200.2     10
        224.0.0.0        240.0.0.0     192.168.200.2    192.168.200.2     10
  255.255.255.255  255.255.255.255     192.168.200.2    192.168.200.2      1
Default Gateway:      192.168.200.1

Persistent Routes:
  None
0
 
LVL 7

Expert Comment

by:Dusan_Bajic
ID: 22888268
That is hardly possible. Take ping for example. You send a packet, you need to receive a reply or it doesn't make much sense. You need that route if you want a reply. In fact, you need that route, period.
0
 

Author Comment

by:kevincurrey
ID: 22888810
So you don't think it's a problem in the routing of server B? Because I've done it this way before with success. I'm just missing a step that I took before, and I can't figure out what that is. I believe it had something to do with NAT on the remote interface for server B.
I do appreciate the input though and will try it.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 22888847
The first route print shows some things I don't understand:

Network Dest.    Netmask          Gateway         Interface       Metric
0.0.0.0          0.0.0.0          192.168.201.1   192.168.201.60  276
...this tells me that this computer has .201.60 on a NIC.
192.168.201.15   255.255.255.255  On-link         192.168.201.15  306
...this tells me that this computer has .201.15 on a NIC..??? you didn't mention it.
192.168.200.0    255.255.255.0    192.168.200.26  192.168.200.24  21
...this tells me that this computer has .200.24 on a NIC??? that doesn't make sense to me as the subnet is supposed to be on the other end of the VPN. The VPN must have different subnets at each end.

I don't see any persistent routes. Presumably 192.168.201.1 has the route to 192.168.200.0, right? But, this is a problem because any packet going to 192.168.200.0 will go to 192.168.200.24 which appears to be a NIC on the first machine.

Now to the second route print:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.200.1    192.168.200.2      1
   75.162.207.147  255.255.255.255     192.168.200.1    192.168.200.2      1
        127.0.0.0        255.0.0.0         127.0.0.1        127.0.0.1      1
  128.187.172.199  255.255.255.255     192.168.200.1    192.168.200.2      1
    192.168.200.0    255.255.255.0     192.168.200.2    192.168.200.2     10
    192.168.200.2  255.255.255.255         127.0.0.1        127.0.0.1     10
   192.168.200.21  255.255.255.255    192.168.200.2    192.168.200.26      1
   192.168.200.22  255.255.255.255    192.168.200.26   192.168.200.26      1
   192.168.200.24  255.255.255.255    192.168.200.26   192.168.200.26      1
   192.168.200.26  255.255.255.255         127.0.0.1        127.0.0.1     50
  192.168.200.255  255.255.255.255     192.168.200.2    192.168.200.2     10
        224.0.0.0        240.0.0.0     192.168.200.2    192.168.200.2     10
  255.255.255.255  255.255.255.255     192.168.200.2    192.168.200.2      1
Default Gateway:      192.168.200.1

Persistent Routes:
  None
*******************
All this looks fine.  Presumably 192.168.200.1 knows how to route packets to 192.168.201.0, yes?
0
 
LVL 7

Accepted Solution

by:
Dusan_Bajic earned 500 total points
ID: 22888878
Oh, I see what you mean. You have to enable NAT (if it is not already enabled) at RRAS on server B, and add the VPN interface as public and the LAN as private.
0
 

Author Comment

by:kevincurrey
ID: 22888964
Dusan -
I think that's it! I was putting NAT on the VPN interface as private and didn't put NAT on the LAN interface. I don't have a way of checking it now, but I think that should do it.

Thank you, I'll accept as solution as soon as I can confirm that it works.
0
 

Author Closing Comment

by:kevincurrey
ID: 31512272
Thanks again! That was all I needed to do.
0
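
Why the accepted solution works, as an added example that is not part of the original thread: it runs a longest-prefix route lookup over server A's posted route table to see where A sends its reply, with and without NAT on server B. The client address 192.168.201.50 is a constructed sample, and reading 192.168.200.24 as server B's tunnel address and 192.168.200.26 as server A's dial-in interface is an inference from the two route prints.

```python
import ipaddress

# Server A's active routes, copied from its "route print" output in the thread
# (loopback, multicast, broadcast and public host routes left out).
# Columns: destination, netmask, gateway, interface, metric
SERVER_A_ROUTES = [
    ("0.0.0.0",        "0.0.0.0",         "192.168.200.1",  "192.168.200.2",  1),
    ("192.168.200.0",  "255.255.255.0",   "192.168.200.2",  "192.168.200.2",  10),
    ("192.168.200.21", "255.255.255.255", "192.168.200.2",  "192.168.200.26", 1),
    ("192.168.200.22", "255.255.255.255", "192.168.200.26", "192.168.200.26", 1),
    ("192.168.200.24", "255.255.255.255", "192.168.200.26", "192.168.200.26", 1),
]
RAS_INTERFACE_A = "192.168.200.26"   # assumption: server A's dial-in interface (from its table)
SERVER_B_VPN_IP = "192.168.200.24"   # assumption: address server B holds on the tunnel
CLIENT_B = "192.168.201.50"          # constructed sample client on site B's subnet


def lookup(routes, dest):
    """Pick a route the way the IP stack does: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    best_key, best_row = None, None
    for row in routes:
        net = ipaddress.ip_network(f"{row[0]}/{row[1]}")
        if addr in net:
            key = (net.prefixlen, -row[4])
            if best_key is None or key > best_key:
                best_key, best_row = key, row
    return best_row


def reply_path(client_src, nat_ip=None):
    """Return (source A sees, next hop for A's reply, reply goes back into tunnel?)."""
    seen_src = nat_ip or client_src
    row = lookup(SERVER_A_ROUTES, seen_src)
    return seen_src, row[2], row[3] == RAS_INTERFACE_A


if __name__ == "__main__":
    print("no NAT :", reply_path(CLIENT_B))
    print("NAT    :", reply_path(CLIENT_B, SERVER_B_VPN_IP))
```

Without NAT the reply to a site B client matches only server A's default route and leaves through 192.168.200.1 instead of the tunnel; with NAT the source is 192.168.200.24, which has a host route over the dial-in interface. A side effect is that every site B client appears at site A under that one address, so site A's logs cannot tell them apart.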


Question has a verified solution.
