madmxx
asked on
vpn on sbs 2003
I have a site-to-site VPN using two SonicWall TZ190s and they work well. Site A can communicate and share resources with site B and vice versa, except that my DC, SBS 2003, is unable to ping and be pinged by the external site. I uninstalled the ISA server and disabled antivirus, but I'm still unable to reach the server from the external site. I would appreciate your help.
ASKER
No, each site's router has its own internet connectivity.
How many NICs are installed in SBS and, if two, is the second NIC connected to a router supplying an Internet connection besides the router supplying the VPN connection? (2 routers on the SBS LAN).
Philip
ASKER
I am only using one NIC; the other one is disabled. The routers are providing DHCP and internet connectivity on their own respective sites. I only have 1 DC, an SBS 2003 server, in site A. Site B has no servers.
SBS must have DHCP enabled and configured for routing to work properly. The same is true for the Win2K3 box that should be serving the subnet at that site. DHCP should have the dynamic DNS update settings enabled and an account set in Credentials to allow for DNS updating.
Once DHCP is resident on the servers, the gateway IP on the server's NIC should point to the router that gives Internet and VPN access. This is the case for both server sites. Static routes in RRAS are only needed if there was more than one router at the site.
From there, if routing is correct, a ping of the server's name should resolve to the correct IP address of the server at the other site. You may need to add an A record if Win2K3 is not a DC.
Philip
ASKER
I only have one server, SBS 2003, in one site. The other site does not have any servers, only workstations. So you are saying that I should set up DHCP on the SBS 2003 server at site A and enable dynamic DNS. Now, the dynamic DNS is set on the server, not the router? On the other side, since there is no server present, only the router, do I need to do anything there? Also, is this change in DHCP only intended for the local network? Because right now the router is serving and the local computers can communicate just fine with the server.
ASKER
Okay, but do I need to disable the DHCP on the router that is on the server side? Also, do I need to make any changes to either router's DNS settings?
DHCP on the router on the SBS side is disabled.
The systems on the network need to query the SBS DNS for everything. The gateway setting on the SBS NIC tells SBS where to look when it cannot find anything on the internal side of the network. So, nothing should need to be changed ... unless there are some settings that are not proper.
Philip
ASKER
Do I make any changes on the dns from the router that's on sbs side?
DNS on the router (WAN) should point to the SBS if possible, or the ISP depending on how it needs to be configured. The unit's manual should indicate that for you.
Philip
ASKER
Thanks for your response. I followed your instructions but I am still unable to ping any computer on the other side of the VPN from the SBS 2003 server. It's very strange because any computer on the SBS side is able to ping the computers on the other side of the VPN. Any ideas of what else I can try would be really appreciated.
I need the server to reach the computers on the other side because the sbs runs remote web desktop and it cannot connect to those computers.
ASKER
Also, do I need to do any changes on RRAS on the sbs server? Does this have any effect on the issues at hand?
Did you set any static routes in RRAS on SBS for the VPN setup?
Please post an IPConfig /all from the SBS.
Philip
ASKER
No, I have not done any config on RRAS, and under Services it shows as manual with no service running. Here is the SBS ipconfig.
Windows IP Configuration

   Host Name . . . . . . . . . . . . : server2
   Primary Dns Suffix . . . . . . . : clcpallets.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : clcpallets.local

Ethernet adapter Internal:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0E-0C-4E-7A-94
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.2
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       66.80.130.23
What is the 66.x.x.x IP address doing in the DNS on the NIC?
Philip
ASKER
Do I need to take that out? It's the ISP DNS.
ASKER
Okay, I made all the changes you recommended but I still haven't been able to solve the issues I need to. The first is being able to ping the server from the remote VPN clients by either name or IP, and the second is having the server be able to ping the remote VPN clients.
Is the tunnel up? Do the VPN routers indicate the tunnel is functional, and do they have some sort of internal testing abilities to make sure the tunnel is functional?
Philip
ASKER
They're two TZ190 series and the tunnel shows as functional. I think they are working well because I am able to reach both sides of the VPN using their LAN IPs. I just think the problem should be related to the SBS 2003 server because it is the only thing that cannot communicate with the remote VPN and vice versa. Any input would be really appreciated. My client is being very patient. But the remote site needs to be able to use their client Outlooks to authenticate with Exchange and also the remote web desktop for the remote site computers.
Please post an IPConfig /all for a workstation on the SBS side and a workstation on the VPN side.
Philip
ASKER
here is the local vpn site ipconfig:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : TSserver
   Primary Dns Suffix . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration #2
   Physical Address. . . . . . . . . : 00-15-17-55-53-89

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration
   Physical Address. . . . . . . . . : 00-15-17-55-53-88
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.2
   DNS Servers . . . . . . . . . . . : 192.168.1.1
remote vpn lan ip :
Windows IP Configuration

   Host Name . . . . . . . . . . . . : carlos
   Primary Dns Suffix . . . . . . . : clcpallets.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : clcpallets.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
   Physical Address. . . . . . . . . : 00-07-E9-52-E2-CE
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.2.178
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.2
   DHCP Server . . . . . . . . . . . : 192.168.2.2
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       66.80.130.23
   Lease Obtained. . . . . . . . . . : Monday, May 04, 2009 9:51:22 AM
   Lease Expires . . . . . . . . . . : Tuesday, May 05, 2009 9:51:22 AM
What is 192.168.2.2? Is that the remote VPN router?
Note that the workstation still has the ISP DNS IP bound to it. Check your DHCP settings to remove that IP address from the served DNS Server IPs!
Once the ISP's DNS IP has been flushed out of the system, the workstations on both sides should be able to resolve SBS and ping it.
Philip
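Added example (not part of the original thread, and not any participant's code): a Python check that parses `ipconfig /all` text and reports every DNS server outside private address space, which is the condition pointed out above on the remote workstation. A domain client that lists an ISP resolver next to the SBS can send lookups for the internal zone to the outside resolver, where they fail. The function names are hypothetical, the sample is abbreviated from the output posted in this thread, and English-language IPv4 `ipconfig` output is assumed.

```python
import ipaddress
import re

# Abbreviated from the remote workstation's `ipconfig /all` output in this thread.
SAMPLE = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : carlos
   Primary Dns Suffix  . . . . . . . : clcpallets.local
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.2.178
   Default Gateway . . . . . . . . . : 192.168.2.2
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       66.80.130.23
   Lease Obtained. . . . . . . . . . : Monday, May 04, 2009 9:51:22 AM
"""

# "Label . . . . : value"; the label ends at the dot leader or the first colon.
KV = re.compile(r"^([A-Za-z][^:.]*?)[ .]*:\s*(.*)$")


def dns_servers_by_adapter(text):
    """Return {adapter name: [DNS server strings]} from `ipconfig /all` text."""
    result, adapter, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate output whose indentation was lost
        m = KV.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            if not value and " adapter " in f" {key} ":
                adapter, last_key = key, None  # new adapter section header
                result[adapter] = []
                continue
            last_key = key
            if key == "DNS Servers" and adapter and value:
                result[adapter].append(value)
        elif line and last_key == "DNS Servers" and adapter:
            result[adapter].append(line)  # continuation line: another server
    return result


def external_dns(text):
    """List (adapter, ip) pairs whose DNS server is not a private address."""
    findings = []
    for adapter, servers in dns_servers_by_adapter(text).items():
        for server in servers:
            try:
                if not ipaddress.ip_address(server).is_private:
                    findings.append((adapter, server))
            except ValueError:
                continue  # wrapped text that is not an IP address
    return findings


if __name__ == "__main__":
    for adapter, ip in external_dns(SAMPLE):
        print(f"{adapter}: non-private DNS server {ip}")
```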
ASKER
What happens if I do that and remove the ISP DNS: the remote computers lose internet access. It has to do with the SBS box. There is something wrong there.
https://www.experts-exchange.com/questions/24378578/site-to-site-vpn-with-tz190-firewall-unable-to-ping-from-sbs-2003-remote-vpn-client.html
A server at site 2 would resolve the routing issue as the VPN devices are probably not robust enough to do that for you.
The VPN devices need to be intelligent enough to know when packets need to get back to the SBS site. Without that, the devices will poll DNS and not get anywhere when they get a "Huh?" from the ISP's DNS servers for your SBS site.
Philip
ASKER
Well, what would you suggest trying for the routers as far as routing? Maybe they can handle it. These SonicWalls are pretty robust? What would I need to configure on them?
ASKER
Another question: can I enable RRAS and add a static route on the SBS server? Would that help?
ASKER
Do you have any more suggestions??
ASKER
How about if I enable ISA server? Would that be an advisable solution?