Double NAT VPN PPTP solution Server 2003

Posted on 2009-03-29
Last Modified: 2012-05-06
I have a Snapgear firewall with multiple public IP addresses. I need to prove that a company's current firewall is causing the VPN drops. In order to do this, what I have done is install a Snapgear to utilize another of the public IPs. I have a test 2k3 server I am using, and if I hook it up directly with a public (external) IP and NAT the internal connection with RRAS on it, people can VPN just fine. What I need to do is set up the Snapgear as the firewall and then have the 2k3 server connected to it. This results in a double NAT situation. I need help figuring out the best way to do double NAT in this configuration (if possible). In essence:

Internet
|
|
Snapgear
|
|
NAT
|
|
2k3 external
|
|
NAT
|
|
2k3 internal
Question by:kirk_lesser
Accepted Solution

by: ccomley
ID: 24017455
Avoid it - ignore the dual-NIC setup of the 2k3 server. Making the facility available is fine, but making it the "default" and "recommended" config for a server is one of the daftest things MS have done this decade.

UNLESS it's acting as your main firewall (and I *really* don't recommend THAT), there's really nothing to be gained by using a WAN/LAN NIC config on the 2k3 server. Either disuse one of the NICs or set them up in a bridged config for speed/failover, and then the ONLY IP address on the 2k3 server is on the same network as all your workstations and the LAN side of your main firewall.

THAT SAID, if this is just for a test situation so you don't *want* to change the 2k3 config, I would suggest:

1) Actually, nothing wrong with double NAT for *most* applications (VoIP will be a pain in the arse and VPN from the inside probably won't work).

2) You could avoid the problem by using a test firewall which has a bridge (transparent) mode of operation (e.g. Sonicwall in transparent mode, Zywall in bridging mode).

Author Comment

by:kirk_lesser
ID: 24031759
Here is the issue... We have a main RRAS server going through a separate firewall. I want to prove to them that the firewall is causing the VPN drop-offs, and so far the test IS showing that. So I have port 1723 going to the main RRAS server for their IP address on the main router/firewall. The CTO doesn't want this test server exposed directly to the outside and wants it to go through a Snapgear to provide some firewall control, thus the need for two NICs, unless I can have the Snapgear examine the packets for the public IP address and forward that address to the external NIC on the server?
Assisted Solution

by: ccomley
ID: 24048490
If you are double-NATting, you do need to make sure the mappings are correct and make sense in both directions on each device that's doing it.

OR

You could obtain as your test rig a device which works in bridge (transparent) mode, e.g. Sonicwall. This uses the SAME IP range on both LAN and WAN sides, and so NAT is not a factor.

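A way to check the "mappings are correct in both directions on each device" advice above for a PPTP path, as an added example that is not from the thread or from any Snapgear or RRAS tooling: it models each NAT hop as a forward table plus a return gateway, and walks both halves of PPTP (TCP/1723 and GRE, IP protocol 47) through the chain, for any number of hops rather than just the two in the diagram. All addresses, hop names and the final PPTP endpoint are constructed.

```python
from dataclasses import dataclass

TCP, GRE = 6, 47
# PPTP is two flows: the TCP/1723 control channel and GRE (IP protocol 47,
# no port) carrying the tunnel; forwarding only 1723 breaks the VPN.
PPTP_FLOWS = ((TCP, 1723, "TCP/1723"), (GRE, None, "GRE"))

@dataclass
class NatHop:
    name: str
    outside_ip: str   # address facing the Internet / previous hop
    inside_ip: str    # address facing the next hop (its default gateway)
    gateway: str      # where this hop sends its own upstream replies
    forwards: dict    # (proto, port) -> address the flow is DNATed to

def check_pptp_path(hops, server_ip, server_gateway):
    """Return a list of problems; an empty list means the mappings line up."""
    problems = []
    # Forward direction: every hop needs a DNAT rule for both PPTP flows, and
    # the rule must point at the next hop's outside address (or the server).
    for i, hop in enumerate(hops):
        expect = hops[i + 1].outside_ip if i + 1 < len(hops) else server_ip
        for proto, port, label in PPTP_FLOWS:
            target = hop.forwards.get((proto, port))
            if target is None:
                problems.append(f"{hop.name}: no inbound forward for {label}")
            elif target != expect:
                problems.append(f"{hop.name}: {label} goes to {target}, expected {expect}")
    # Reverse direction: replies must retrace the same devices, otherwise the
    # NAT state on the skipped device never sees the return packets.
    reverse = [("server", server_gateway, hops[-1].inside_ip)]
    for i in range(len(hops) - 1, 0, -1):
        reverse.append((hops[i].name, hops[i].gateway, hops[i - 1].inside_ip))
    for who, actual, expect in reverse:
        if actual != expect:
            problems.append(f"{who}: replies leave via {actual}, expected {expect}")
    return problems

# Constructed sample following the diagram in the question (addresses invented):
SNAPGEAR = NatHop("Snapgear", "203.0.113.10", "192.168.1.1", "203.0.113.1",
                  {(TCP, 1723): "192.168.1.2", (GRE, None): "192.168.1.2"})
RRAS_NAT = NatHop("2k3 RRAS NAT", "192.168.1.2", "10.0.0.1", "192.168.1.1",
                  {(TCP, 1723): "10.0.0.5"})  # GRE forward missing on purpose

if __name__ == "__main__":
    for p in check_pptp_path([SNAPGEAR, RRAS_NAT], "10.0.0.5", "10.0.0.1"):
        print(p)
```

Because GRE carries no port, a real NAT device also needs a PPTP helper/ALG to track it, which this model does not represent.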