  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1209

Double NAT VPN PPTP solution Server 2003

I have a Snapgear Firewall with multiple public IP addresses. I need to prove that a company's current firewall is causing the VPN drops. In order to do this, what I have done is install a Snapgear to utilize another of the public IPs. I have a test 2k3 server I am using, and if I hook it up directly with a public (external) IP and NAT the internal connection with RRAS on it, people can VPN just fine. What I need to do is set up the Snapgear as the firewall and then have the 2k3 server connected to it. This results in a double NAT situation. I need help figuring out the best way to do double NAT on this configuration (if possible). In essence:

Internet
   |
Snapgear
   |
  NAT
   |
2k3 external
   |
  NAT
   |
2k3 internal
Asked by kirk_lesser

2 Solutions
ccomley commented:
Avoid it - ignore the dual-NIC setup of the 2k3 server.  Making the facility available is fine but making it the "default" and "recommended" config for a server is one of the daftest things MS have done this decade.

UNLESS it's acting as your main firewall (and I *really* don't recommend THAT), there's really nothing to be gained by using a WAN/LAN NIC config on the 2k3 server. Either disuse one of the NICs or set them up in a bridged config for speed/failover, and then the ONLY IP address on the 2k3 server is on the same network as all your workstations and the LAN side of your main firewall.


THAT SAID if this is just for a test situation so you don't *want* to change the 2k3 config I would suggest

1) Actually, nothing wrong with double-NAT for *most* applications (VoIP will be a pain in the arse and VPN from the inside probably won't work).

2) You could avoid the problem by using a test firewall which has a bridge (transparent) mode of operation (e.g. Sonicwall in transparent mode, Zywall in Bridging mode).

kirk_lesser (Author) commented:
Here is the issue... We have a main RRAS server going through a separate firewall. I want to prove to them that the firewall is causing the VPN drop-offs, and so far the test IS showing that. So I have port 1723 going to the main RRAS server for their IP address on the main router/firewall. The CTO doesn't want this test server exposed directly to the outside and wants it to go through a Snapgear to provide some firewall control, thus the need for two NICs, unless I can have the Snapgear examine the packets for the public IP address and forward that address to the external NIC on the server?
ccomley commented:
If you are double-natting you do need to make sure the mappings are correct and make sense in both directions on each device that's doing it.

OR

You could obtain as your test rig a device which works in bridge (transparent) mode, e.g. Sonicwall. This uses the SAME IP range on both LAN and WAN side and so NAT is not a factor.

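To make the "mappings must be correct in both directions on each device" point concrete, here is an added Python example (not from the thread or from any vendor) that models each NAT device as an inbound forward table plus the source address it stamps on outbound traffic, then traces a PPTP connection (TCP 1723 for control, GRE for data) through the chain to the RRAS server's external NIC and back. It generalises to any number of NAT hops; the addresses and the two Snapgear configurations are constructed, and the "broken" one shows the two classic failures: GRE not forwarded, and replies leaving from a different public IP than the one the client connected to.

```python
from dataclasses import dataclass, field

TCP, GRE = 6, 47  # IP protocol numbers; GRE (the PPTP data channel) has no port

@dataclass
class NatHop:
    name: str
    outside_ip: str                       # address the hop answers to on its WAN side
    snat_ip: str                          # source address given to traffic leaving the WAN side
    forwards: dict = field(default_factory=dict)  # (proto, port or None) -> inside IP

    def inbound(self, proto, dst_ip, port):
        """DNAT one inbound packet: the inside address it is sent to, or None if dropped."""
        if dst_ip != self.outside_ip:
            return None
        return self.forwards.get((proto, port if proto == TCP else None))

def check_pptp_path(hops, client_dst_ip, server_ip):
    """Trace both PPTP flows inbound through every hop (Internet side first) to server_ip,
    then the reply back out; return a list of problems (empty means both directions agree)."""
    problems = []
    for label, proto, port in (("tcp/1723", TCP, 1723), ("gre", GRE, None)):
        dst = client_dst_ip
        for hop in hops:
            nxt = hop.inbound(proto, dst, port)
            if nxt is None:
                problems.append(f"{hop.name}: {label} to {dst} is not forwarded")
                break
            dst = nxt
        else:
            if dst != server_ip:
                problems.append(f"{label} ends at {dst}, not the PPTP server {server_ip}")
    # Reply path: the outermost hop that applies SNAT decides the source the client sees.
    src = server_ip
    for hop in reversed(hops):
        src = hop.snat_ip or src
    if src != client_dst_ip:
        problems.append(f"replies leave as {src} but the client connected to {client_dst_ip}")
    return problems

def example():
    """Constructed version of the thread's rig: a Snapgear in front of the 2k3 server's
    external NIC, where RRAS terminates PPTP. 'broken' forwards TCP 1723 only and answers
    from another of the public IPs; 'fixed' also forwards GRE and replies from the IP used."""
    broken = NatHop("snapgear", "203.0.113.10", "203.0.113.11",
                    {(TCP, 1723): "192.168.1.2"})
    fixed = NatHop("snapgear", "203.0.113.10", "203.0.113.10",
                   {(TCP, 1723): "192.168.1.2", (GRE, None): "192.168.1.2"})
    return (check_pptp_path([broken], "203.0.113.10", "192.168.1.2"),
            check_pptp_path([fixed], "203.0.113.10", "192.168.1.2"))
```

Pass a second NatHop for the 2k3 server's own RRAS NAT to the hops list if the PPTP endpoint sits on the internal side rather than on the external NIC.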
