Double NAT VPN PPTP solution Server 2003

Posted on 2009-03-29
Last Modified: 2012-05-06
I have a Snapgear Firewall with multiple public IP addresses. I need to prove that a company's current firewall is causing the VPN drops. In order to do this, what I have done is install a Snapgear to utilize another of the public IPs. I have a test 2k3 server I am using, and if I hook it up directly with a public (external) IP and NAT the internal connection with RRAS on it, people can VPN just fine. What I need to do is set up the Snapgear as the firewall and then have the 2k3 server connected to it. This results in a double NAT situation. I need help in figuring out the best way to do double NAT on this configuration (if possible). In essence:

Internet
|
|
Snapgear
|
|
NAT
|
|
2k3 external
|
|
NAT
|
|
2k3 internal
Question by: kirk_lesser
 
Accepted Solution by: ccomley (ID: 24017455)
Avoid it - ignore the dual-NIC setup of the 2k3 server.  Making the facility available is fine but making it the "default" and "recommended" config for a server is one of the daftest things MS have done this decade.

UNLESS it's acting as your main firewall (and I *really* don't recommend THAT) then there's really nothing to be gained by using a WAN/LAN nic config on the 2k3 server. Either disuse one of the NICs or set them up in a bridged config for speed/failover, and then the ONLY Ip address on the 2k3 server is on the same network as all your workstations and the LAN side of your main firewall.


THAT SAID if this is just for a test situation so you don't *want* to change the 2k3 config I would suggest

1) Actually, there's nothing wrong with double-NAT for *most* applications (VoIP will be a pain in the arse and VPN from the inside probably won't work).

2) You could avoid the problem by using a test firewall which has a bridge (transparent) mode of operation (e.g. Sonicwall in transparent mode, Zywall in bridging mode).


Author Comment by: kirk_lesser (ID: 24031759)
Here is the issue... We have a main RRAS server going through a separate firewall. I want to prove to them that the firewall is causing the VPN drop-offs, and so far the test IS showing that. So I have port 1723 going to the main RRAS server for their IP address on the main router/firewall. The CTO doesn't want this test server exposed directly to the outside and wants it to go through a Snapgear to provide some firewall control, thus the need for two NICs, unless I can have the Snapgear examine the packets for the public IP address and forward that address to the external NIC on the server?
Assisted Solution by: ccomley (ID: 24048490)
If you are double-NATting, you do need to make sure the mappings are correct and make sense in both directions on each device that's doing it.

OR

You could obtain as your test rig a device which works in bridge (transparent) mode, e.g. Sonicwall. This uses the SAME IP range on both LAN and WAN side, and so NAT is not a factor.

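Both of ccomley's replies come down to one check: every NAT hop between the client and the RRAS server must forward both halves of a PPTP session (the TCP/1723 control connection and the GRE, IP protocol 47, data channel, which has no port numbers to forward on) and must un-translate the replies, so the client sees answers from the public address it dialled. The script below is an added example, not code from the thread or from Snapgear/Microsoft: it models each NAT hop as a static forward table plus a reply table and walks both PPTP flows inbound and back out. All addresses (203.0.113.10 for the Snapgear's public side, 192.168.0.2 for the 2k3 server's external NIC, 10.0.0.5 for a server one NAT deeper, 198.51.100.7 for the dial-in client) are constructed for illustration. It goes beyond the thread's single-hop layout by also tracing a genuine double-NAT chain, with and without a GRE forward on the inner hop.

```python
"""Trace a PPTP session (TCP/1723 control + GRE/47 data) through NAT hops.

Added example, not part of the original thread.  Addresses are made up.
"""
from dataclasses import dataclass, field
from typing import Optional

# PPTP is two flows.  GRE carries no port numbers, so a NAT device has to
# forward it by IP protocol; a port forward for 1723 alone is not enough.
PPTP_CTRL = ("tcp", 1723)
PPTP_DATA = ("gre", None)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "gre"
    dport: Optional[int]  # None for GRE: nothing to match a port forward on


@dataclass
class NatHop:
    """One NAT device: static inbound forwards plus a table of live replies."""
    name: str
    wan_ip: str
    forwards: dict                               # (proto, dport) -> inside address
    replies: dict = field(default_factory=dict)  # (client, proto) -> inside address

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: DNAT to the forwarded inside address, otherwise drop."""
        if pkt.dst != self.wan_ip:
            return None
        inside = self.forwards.get((pkt.proto, pkt.dport))
        if inside is None:
            return None
        self.replies[(pkt.src, pkt.proto)] = inside
        return Packet(pkt.src, inside, pkt.proto, pkt.dport)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN: a reply to a forwarded flow gets its source put back to
        the WAN address; anything the hop has no state for is dropped."""
        if self.replies.get((pkt.dst, pkt.proto)) != pkt.src:
            return None
        return Packet(self.wan_ip, pkt.dst, pkt.proto, pkt.dport)


def trace_flow(hops, client, proto, dport):
    """Send one packet inbound through every hop, then its reply back out.
    Returns (inside address reached, reply source seen by the client), with
    None for whichever leg a hop dropped."""
    pkt = Packet(client, hops[0].wan_ip, proto, dport)
    for hop in hops:
        pkt = hop.inbound(pkt)
        if pkt is None:
            return None, None
    endpoint = pkt.dst
    reply = Packet(endpoint, client, proto, None)
    for hop in reversed(hops):
        reply = hop.outbound(reply)
        if reply is None:
            return endpoint, None
    return endpoint, reply.src


def check_pptp(hops, client):
    """Per flow: True only if it reaches a server AND the reply comes back
    from the public address the client dialled (mappings sane both ways)."""
    public = hops[0].wan_ip
    results = {}
    for name, (proto, dport) in (("control", PPTP_CTRL), ("data", PPTP_DATA)):
        endpoint, reply_src = trace_flow(hops, client, proto, dport)
        results[name] = endpoint is not None and reply_src == public
    return results


def snapgear_to_2k3():
    """The thread's layout (constructed addresses): the Snapgear forwards both
    PPTP flows to the 2k3 server's external NIC, where RRAS answers."""
    return [NatHop("snapgear", "203.0.113.10",
                   {PPTP_CTRL: "192.168.0.2", PPTP_DATA: "192.168.0.2"})]


def double_nat(inner_gre=True):
    """PPTP server one NAT deeper.  Leave the GRE forward off the inner hop to
    reproduce the classic symptom: control connects, the tunnel never comes up."""
    inner = {PPTP_CTRL: "10.0.0.5"}
    if inner_gre:
        inner[PPTP_DATA] = "10.0.0.5"
    return [NatHop("snapgear", "203.0.113.10",
                   {PPTP_CTRL: "192.168.0.2", PPTP_DATA: "192.168.0.2"}),
            NatHop("inner-nat", "192.168.0.2", inner)]


if __name__ == "__main__":
    client = "198.51.100.7"
    for label, hops in (("single hop", snapgear_to_2k3()),
                        ("double NAT, GRE forwarded on both", double_nat()),
                        ("double NAT, no GRE on inner hop", double_nat(inner_gre=False))):
        print(f"{label}: {check_pptp(hops, client)}")
```

The model deliberately treats GRE as portless: the only way the data flow gets through a hop is a forward keyed on the protocol itself, which is exactly the rule (or PPTP pass-through option) that is easy to forget when a device is configured with just a "port 1723" entry. A control flow that succeeds while the data flow fails is the signature of that omission, and it is worth ruling out on every hop before blaming the upstream firewall for dropped sessions.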
