Double NAT VPN PPTP solution Server 2003

Posted on 2009-03-29
Last Modified: 2012-05-06
I have a Snapgear Firewall with multiple public IP addresses. I need to prove that a company's current firewall is causing the VPN drops. In order to do this what I have done is install a Snapgear to utilize other of the public IPs. I have a test 2k3 server I am using and if I hook it up directly with a public (external) IP and NATing the internal connection with RRAS on it, people can VPN just fine. What I need to do is setup the Snapgear as the firewall and then have the 2k3 server connected to it. This is resulting in a double NAT situation. I need help in figuring out the best way to do double NAT on this configuration (if possible). In essence:

2k3 external
2k3 internal
Question by:kirk_lesser
Accepted Solution

ccomley earned 500 total points
ID: 24017455
Avoid it - ignore the dual-NIC setup of the 2k3 server.  Making the facility available is fine but making it the "default" and "recommended" config for a server is one of the daftest things MS have done this decade.

UNLESS it's acting as your main firewall (and I *really* don't recommend THAT) then there's really nothing to be gained by using a WAN/LAN nic config on the 2k3 server. Either disuse one of the NICs or set them up in a bridged config for speed/failover, and then the ONLY IP address on the 2k3 server is on the same network as all your workstations and the LAN side of your main firewall.

THAT SAID if this is just for a test situation so you don't *want* to change the 2k3 config I would suggest

1) Actually nothing wrong with double-NAT for *most* applications (VOIP will be a pain in the arse and VPN from the inside probably won't work).

2) You could avoid the problem by using a test firewall which has a bridge (transparent) mode of operation (e.g. Sonicwall in transparent mode, Zywall in Bridging mode.)


Author Comment

ID: 24031759
Here is the issue... We have a main RRAS server going through a separate firewall. I want to prove to them that the firewall is causing the VPN dropoffs and so far the test IS showing that. So I have port 1723 going to the main RRAS server for their IP address on the main router/firewall. The CTO doesn't want this test server exposed directly to the outside and have it go through a Snapgear to provide some firewall control, thus the need for two NICs unless I can have the Snapgear examine the packets for the public IP address and forward that address to the external NIC on the server?
Assisted Solution

ccomley earned 500 total points
ID: 24048490
If you are double-natting you do need to make sure the mappings are correct and make sense in both directions on each device that's doing it.


You could obtain as your test rig a device which works in bridge (transparent) mode. e.g. Sonicwall. This uses the SAME IP range on both LAN and WAN side and so NAT is not a factor.
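As an added illustration of the "mappings must make sense in both directions on each device" point (example code written for this page, not from the thread or from Snapgear/RRAS), the script below models a chain of NAT devices and checks that a PPTP connection can reach the endpoint inbound (TCP/1723 plus GRE, IP protocol 47, which has no port) and that the return path goes back through the same devices. The constructed topology is the general case with the PPTP endpoint behind both NAT devices; all names and addresses are placeholders.

```python
from dataclasses import dataclass, field

TCP, GRE = 6, 47   # IP protocol numbers; PPTP needs TCP/1723 and GRE, which has no port


@dataclass
class NatHop:
    """One NAT device (constructed model, not a real device's config)."""
    name: str
    wan_ip: str      # address the previous hop (or the internet) sends to
    lan_ip: str      # address the next hop uses as its default gateway
    gateway: str     # where this hop sends upstream traffic
    forwards: dict = field(default_factory=dict)  # (proto, dport) -> (ip, port)


def trace_inbound(hops, proto, dst_ip, dport):
    """Rewrite one inbound packet hop by hop; None plus a reason on the first drop."""
    for hop in hops:
        nxt = hop.forwards.get((proto, dport)) if dst_ip == hop.wan_ip else None
        if nxt is None:
            return None, f"{hop.name}: no mapping for proto {proto} port {dport} on {dst_ip}"
        dst_ip, dport = nxt
    return (dst_ip, dport), "ok"


def check_chain(hops, public_ip, server_ip, server_gateway):
    """Return a list of problems; an empty list means PPTP can pass both ways."""
    problems = []
    for proto, port in ((TCP, 1723), (GRE, 0)):   # GRE carries no port, so use 0
        dest, why = trace_inbound(hops, proto, public_ip, port)
        if dest is None:
            problems.append(why)
        elif dest[0] != server_ip:
            problems.append(f"proto {proto} lands on {dest[0]}, not {server_ip}")
    # Return path: replies must leave through the same devices, innermost first,
    # or a skipped device's state table never sees them and the tunnel drops.
    if server_gateway != hops[-1].lan_ip:
        problems.append(f"server gateway {server_gateway} is not {hops[-1].name}")
    for outer, inner in zip(hops, hops[1:]):
        if inner.gateway != outer.lan_ip:
            problems.append(f"{inner.name} gateway {inner.gateway} is not {outer.name}")
    return problems


# Constructed topology: Snapgear on a public IP, then the 2k3 RRAS box doing NAT,
# with the PPTP endpoint (192.168.20.10) behind both. All addresses are placeholders.
SNAPGEAR = NatHop("snapgear", "203.0.113.10", "192.168.10.1", "203.0.113.1",
                  {(TCP, 1723): ("192.168.10.2", 1723), (GRE, 0): ("192.168.10.2", 0)})
RRAS = NatHop("2k3-rras", "192.168.10.2", "192.168.20.1", "192.168.10.1",
              {(TCP, 1723): ("192.168.20.10", 1723), (GRE, 0): ("192.168.20.10", 0)})
```

Running `check_chain([SNAPGEAR, RRAS], "203.0.113.10", "192.168.20.10", "192.168.20.1")` returns an empty list; dropping the GRE entry from either hop reports the hop that swallows the tunnel, which is the usual cause of a PPTP session that authenticates on 1723 but never passes data.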

