Site-to-Site VPN and Routing

I have two offices, site A with SBS 2003, single nic, subnet 192.168.200.0, and B with Windows Server 2008, single nic, subnet 192.168.201.0. I have configured site B with RRAS to VPN to A. The server can ping site A just fine, but none of the clients on site B can ping through to A.
The gateway at site B is set up correctly to route traffic to that subnet through the server. When I created the demand dial interface on the server it asked for a static route, and I put in 192.168.200.0, mask 255.255.255.0, metric 1.
I've done this before at another time and place using Windows 2003, and I remember running into the same problem, but for the life of me I can't remember how I fixed it.

Thanks in advance,
Kevin
Asked:
kevincurrey
 
Dusan_Bajic Commented:
Can you run "route print" on both servers and paste here?
 
kevincurrey (Author) Commented:
Interface List
 21 ........................... Remote Router
 10 ...00 15 f2 5a 11 0c ...... NVIDIA nForce 10/100/1000 Mbps Ethernet
 12 ........................... RAS (Dial In) Interface
  1 ........................... Software Loopback Interface 1
 11 ...00 00 00 00 00 00 00 e0  isatap.{E86C6192-CC73-48B9-81EA-8C41A0134039}
 20 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #2
 14 ...00 00 00 00 00 00 00 e0  isatap.{074876A9-C0F6-4412-B856-694E2247E4C7}
 22 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #4

Active Routes:
Network Dest.     Netmask           Gateway          Interface         Metric
0.0.0.0           0.0.0.0           192.168.201.1    192.168.201.60    276
127.0.0.0         255.0.0.0         On-link          127.0.0.1         306
127.0.0.1         255.255.255.255   On-link          127.0.0.1         306
127.255.255.255   255.255.255.255   On-link          127.0.0.1         306
(public ip A)     255.255.255.255   192.168.201.1    192.168.201.60    21
192.168.201.0     255.255.255.0     On-link          192.168.201.60    276
192.168.201.15    255.255.255.255   On-link          192.168.201.15    306
192.168.201.60    255.255.255.255   On-link          192.168.201.60    276
192.168.201.255   255.255.255.255   On-link          192.168.201.60    276
192.168.200.0     255.255.255.0     192.168.200.26   192.168.200.24    21
192.168.200.24    255.255.255.255   On-link          192.168.200.24    276
224.0.0.0         240.0.0.0         On-link          127.0.0.1         306
224.0.0.0         240.0.0.0         On-link          192.168.201.60    277
224.0.0.0         240.0.0.0         On-link          192.168.201.15    306
255.255.255.255   255.255.255.255   On-link          127.0.0.1         306
255.255.255.255   255.255.255.255   On-link          192.168.201.60    276
255.255.255.255   255.255.255.255   On-link          192.168.201.15    306
255.255.255.255   255.255.255.255   On-link          192.168.200.24    276

Persistent Routes:
Network Address   Netmask           Gateway Address  Metric
0.0.0.0           0.0.0.0           192.168.201.1    Default
 
kevincurrey (Author) Commented:
I should have also posted results from tracert:
Tracert on server B:
 1    73 ms    73 ms    73 ms  serverA.domain.local [192.168.200.2]
Tracert on client:
  1    <1 ms    <1 ms    <1 ms  192.168.201.1  (router)
 2    <1 ms     *       <1 ms  192.168.201.60      (server B)
 3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
 
Dusan_Bajic Commented:
Can you run route print on server A also?
 
kevincurrey (Author) Commented:
There are not any routes from site A to site B, and this is intentional as I only need and want traffic to go one way.

Thanks,
Kevin

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.200.1    192.168.200.2      1
   75.162.207.147  255.255.255.255     192.168.200.1    192.168.200.2      1
        127.0.0.0        255.0.0.0         127.0.0.1        127.0.0.1      1
  128.187.172.199  255.255.255.255     192.168.200.1    192.168.200.2      1
    192.168.200.0    255.255.255.0     192.168.200.2    192.168.200.2     10
    192.168.200.2  255.255.255.255         127.0.0.1        127.0.0.1     10
   192.168.200.21  255.255.255.255    192.168.200.2    192.168.200.26      1
   192.168.200.22  255.255.255.255    192.168.200.26   192.168.200.26      1
   192.168.200.24  255.255.255.255    192.168.200.26   192.168.200.26      1
   192.168.200.26  255.255.255.255         127.0.0.1        127.0.0.1     50
  192.168.200.255  255.255.255.255     192.168.200.2    192.168.200.2     10
        224.0.0.0        240.0.0.0     192.168.200.2    192.168.200.2     10
  255.255.255.255  255.255.255.255     192.168.200.2    192.168.200.2      1
Default Gateway:      192.168.200.1

Persistent Routes:
  None
 
Dusan_Bajic Commented:
That is hardly possible. Take ping for example. You send packet, you need to receive reply or it doesn't make much sense. You need that route if you want reply. In fact, you need that route, period.
 
kevincurrey (Author) Commented:
So you don't think it's a problem in the routing of server B? Because I've done it this way before with success. I'm just missing a step that I took before, and I can't figure out what that is. I believe it had something to do with NAT on the remote interface for server B.
I do appreciate the input though and will try it.
 
Fred Marshall (Principal) Commented:
The first route print shows some things I don't understand:

Network Dest.      Netmask                 Gateway             Interface                 Metric
0.0.0.0                    0.0.0.0                     192.168.201.1 192.168.201.60     276
...this tells me that this computer has .201.60 on a NIC.
192.168.201.15   255.255.255.255     On-link                  192.168.201.15  306
...this tells me that this computer has .201.15 on a NIC..??? you didn't mention it.
192.168.200.0      255.255.255.0         192.168.200.26 192.168.200.24    21
...this tells me that this computer has .200.24 on a NIC??? that doesn't make sense to me as the subnet is supposed to be on the other end of the VPN.  The VPN must have different subnets at each end.

I don't see any persistent routes.  Presumably 192.168.201.1 has the route to 192.168.200.0, right?  But, this is a problem because any packet going to 192.168.200.0 will go to 192.168.200.24    which appears to be a NIC on the first machine.

Now to the second route print:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.200.1    192.168.200.2      1
   75.162.207.147  255.255.255.255     192.168.200.1    192.168.200.2      1
        127.0.0.0        255.0.0.0         127.0.0.1        127.0.0.1      1
  128.187.172.199  255.255.255.255     192.168.200.1    192.168.200.2      1
    192.168.200.0    255.255.255.0     192.168.200.2    192.168.200.2     10
    192.168.200.2  255.255.255.255         127.0.0.1        127.0.0.1     10
   192.168.200.21  255.255.255.255    192.168.200.2    192.168.200.26      1
   192.168.200.22  255.255.255.255    192.168.200.26   192.168.200.26      1
   192.168.200.24  255.255.255.255    192.168.200.26   192.168.200.26      1
   192.168.200.26  255.255.255.255         127.0.0.1        127.0.0.1     50
  192.168.200.255  255.255.255.255     192.168.200.2    192.168.200.2     10
        224.0.0.0        240.0.0.0     192.168.200.2    192.168.200.2     10
  255.255.255.255  255.255.255.255     192.168.200.2    192.168.200.2      1
Default Gateway:      192.168.200.1

Persistent Routes:
  None
*******************
All this looks fine.  Presumably 192.168.200.1 knows how to route packets to 192.168.201.0, yes?
 
Dusan_Bajic Commented:
Oh, I see what you mean. You have to enable NAT (if it is not already enabled) at RRAS on server B, and add VPN interface as public and LAN as private.
 
kevincurrey (Author) Commented:
Dusan -
I think that's it! I was putting NAT on the VPN interface as private and didn't put NAT on the LAN interface. I don't have a way of checking it now, but I think that should do it.

Thank you, I'll accept as solution as soon as I can confirm that it works.
 
kevincurrey (Author) Commented:
Thanks again! That was all I needed to do.
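
The return-path point raised in the thread and the NAT fix that resolved it can be checked against the posted server A routing table. The following is an added example, not part of the original thread: it runs a longest-prefix match over the server A rows to show where a reply goes with and without NAT on server B. The client address 192.168.201.50 and the `RETURN_ROUTE` entry are constructed for illustration.

```python
import ipaddress

# Rows copied from the server A "route print" posted in the thread
# (destination, netmask, gateway, interface); loopback, broadcast and
# multicast rows are left out because they never match a site B address.
SERVER_A_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.200.1", "192.168.200.2"),
    ("192.168.200.0", "255.255.255.0", "192.168.200.2", "192.168.200.2"),
    ("192.168.200.21", "255.255.255.255", "192.168.200.2", "192.168.200.26"),
    ("192.168.200.22", "255.255.255.255", "192.168.200.26", "192.168.200.26"),
    ("192.168.200.24", "255.255.255.255", "192.168.200.26", "192.168.200.26"),
]
A_RAS_INTERFACE = "192.168.200.26"  # server A's RAS address per its table
B_VPN_ADDRESS = "192.168.200.24"    # server B's tunnel address per its table
# Hypothetical static route on server A (not present in the thread).
RETURN_ROUTE = ("192.168.201.0", "255.255.255.0", B_VPN_ADDRESS, A_RAS_INTERFACE)


def lookup(routes, dst):
    """Longest-prefix match, the rule an IP stack uses to pick a route."""
    addr = ipaddress.ip_address(dst)
    parsed = [(ipaddress.ip_network(f"{d}/{m}"), gw, ifc) for d, m, gw, ifc in routes]
    matches = [r for r in parsed if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def source_seen_by_a(client_ip, nat_on_b_vpn_interface):
    """With NAT on B's VPN interface, A sees B's tunnel address instead."""
    return B_VPN_ADDRESS if nat_on_b_vpn_interface else client_ip


def reply_uses_tunnel(client_ip, nat, routes=SERVER_A_ROUTES):
    """True if server A sends its reply back over the RAS interface."""
    route = lookup(routes, source_seen_by_a(client_ip, nat))
    return route is not None and route[2] == A_RAS_INTERFACE


if __name__ == "__main__":
    client = "192.168.201.50"  # constructed site B client address
    with_route = SERVER_A_ROUTES + [RETURN_ROUTE]
    print("no NAT, no route on A:", reply_uses_tunnel(client, nat=False))
    print("NAT on server B      :", reply_uses_tunnel(client, nat=True))
    print("no NAT, route on A   :", reply_uses_tunnel(client, False, with_route))
```

With NAT in place, server A sees every site B client as 192.168.200.24, so site A's logs and access rules can no longer distinguish individual site B clients.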