Solved

Double NAT VPN PPTP solution Server 2003

Posted on 2009-03-29
Last Modified: 2012-05-06
I have a Snapgear firewall with multiple public IP addresses. I need to prove that a company's current firewall is causing the VPN drops. In order to do this, what I have done is install a Snapgear to utilize another of the public IPs. I have a test 2k3 server I am using, and if I hook it up directly with a public (external) IP and NAT the internal connection with RRAS on it, people can VPN just fine. What I need to do is set up the Snapgear as the firewall and then have the 2k3 server connected to it. This results in a double NAT situation. I need help in figuring out the best way to do double NAT on this configuration (if possible). In essence:

Internet
|
|
Snapgear
|
|
NAT
|
|
2k3 external
|
|
NAT
|
|
2k3 internal
Question by:kirk_lesser

Accepted Solution by: ccomley (earned 500 total points), ID: 24017455
Avoid it - ignore the dual-NIC setup of the 2k3 server. Making the facility available is fine, but making it the "default" and "recommended" config for a server is one of the daftest things MS have done this decade.

UNLESS it's acting as your main firewall (and I *really* don't recommend THAT), there's really nothing to be gained by using a WAN/LAN NIC config on the 2k3 server. Either disuse one of the NICs or set them up in a bridged config for speed/failover, and then the ONLY IP address on the 2k3 server is on the same network as all your workstations and the LAN side of your main firewall.


THAT SAID, if this is just for a test situation so you don't *want* to change the 2k3 config, I would suggest:

1) Actually there's nothing wrong with double-NAT for *most* applications (VOIP will be a pain in the arse and VPN from the inside probably won't work).

2) You could avoid the problem by using a test firewall which has a bridge (transparent) mode of operation (e.g. Sonicwall in transparent mode, Zywall in bridging mode).


Author Comment by: kirk_lesser, ID: 24031759
Here is the issue... We have a main RRAS server going through a separate firewall. I want to prove to them that the firewall is causing the VPN drop-offs, and so far the test IS showing that. So I have port 1723 going to the main RRAS server for their IP address on the main router/firewall. The CTO doesn't want this test server exposed directly to the outside and wants it to go through a Snapgear to provide some firewall control, thus the need for two NICs, unless I can have the Snapgear examine the packets for the public IP address and forward that address to the external NIC on the server?

Assisted Solution by: ccomley (earned 500 total points), ID: 24048490
If you are double-natting you do need to make sure the mappings are correct and make sense in both directions on each device that's doing it.

OR

You could obtain as your test rig a device which works in bridge (transparent) mode, e.g. a Sonicwall. This uses the SAME IP range on both LAN and WAN side, and so NAT is not a factor.

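As an added illustration of the "mappings must make sense in both directions" point above (example code written for this page, not from the thread or from Snapgear), the script below models one NAT device with inbound (destination) and outbound (source) mappings and checks a published PPTP server against it: TCP/1723 and GRE (IP protocol 47, which PPTP uses for tunnel data) must both be forwarded to the server, and traffic the server itself originates must leave from the same public IP the client connected to. All addresses, device names and rule tables are constructed placeholders; the Snapgear's real rule syntax is not modelled.

```python
# Added example, not from the thread. A minimal model of one NAT hop with
# inbound (DNAT) and outbound (SNAT) tables, plus a consistency check for a
# PPTP server published through it. All addresses are constructed placeholders.
TCP, GRE = 6, 47        # PPTP control channel is TCP/1723; tunnel data is GRE (IP proto 47)
PPTP_PORT = 1723

class NatDevice:
    def __init__(self, name, dnat, snat):
        self.name = name
        self.dnat = dnat    # (proto, public_ip, port) -> (inside_ip, port); port is None for GRE
        self.snat = snat    # inside_ip -> public IP stamped on traffic that host originates
                            # (a server's own GRE packets can be treated as a new flow)

    def inbound(self, proto, dst_ip, dst_port):
        """Translate an inbound packet; None means no rule matched and it is dropped."""
        return self.dnat.get((proto, dst_ip, dst_port))

    def outbound(self, inside_ip):
        """Public source address given to a packet leaving from inside_ip."""
        return self.snat.get(inside_ip, self.snat.get("default"))

def check_pptp_mappings(device, public_ip, server_ip):
    """Return a list of mapping problems for a PPTP server at server_ip published on public_ip."""
    problems = []
    for proto, port, label in ((TCP, PPTP_PORT, "TCP/1723"), (GRE, None, "GRE")):
        hit = device.inbound(proto, public_ip, port)
        if hit is None:
            problems.append(f"{device.name}: no inbound rule for {label} on {public_ip}")
        elif hit[0] != server_ip:
            problems.append(f"{device.name}: {label} on {public_ip} goes to {hit[0]}, not {server_ip}")
    src = device.outbound(server_ip)
    if src != public_ip:
        problems.append(f"{device.name}: packets from {server_ip} leave as {src}, client expects {public_ip}")
    return problems

# Constructed Snapgear with two public IPs; the test server sits behind the second one.
PUBLIC_MAIN, PUBLIC_TEST, SERVER_EXT = "203.0.113.1", "203.0.113.2", "192.168.1.2"
snapgear_bad = NatDevice("snapgear",
    dnat={(TCP, PUBLIC_TEST, PPTP_PORT): (SERVER_EXT, PPTP_PORT)},   # GRE forwarding forgotten
    snat={"default": PUBLIC_MAIN})                                    # server replies use the wrong IP
snapgear_good = NatDevice("snapgear",
    dnat={(TCP, PUBLIC_TEST, PPTP_PORT): (SERVER_EXT, PPTP_PORT),
          (GRE, PUBLIC_TEST, None): (SERVER_EXT, None)},
    snat={"default": PUBLIC_MAIN, SERVER_EXT: PUBLIC_TEST})

if __name__ == "__main__":
    for dev in (snapgear_bad, snapgear_good):
        print(dev.name, check_pptp_mappings(dev, PUBLIC_TEST, SERVER_EXT) or "OK")
```

The check applies to every NAT hop in the chain in turn; a bridged (transparent) test device, as suggested above, removes the problem entirely because there is no mapping to get wrong.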