madmxx

VPN on SBS 2003

I have a site-to-site VPN using two SonicWall TZ190s and they work well. Site A can communicate and share resources with site B and vice versa, except that my DC (SBS 2003) is unable to ping and be pinged by the external site. I uninstalled the ISA server and disabled the antivirus, but I'm still unable to reach the server from the external site. I would appreciate your help.
Philip Elder

Is the VPN router also supplying an Internet connection?

Philip
madmxx

ASKER

No, each site's router has its own Internet connectivity.

Philip Elder

How many NICs are installed in SBS, and if two, is the second NIC connected to a router supplying an Internet connection besides the router supplying the VPN connection? (2 routers on the SBS LAN).

Philip
madmxx

ASKER

I am only using one NIC; the other one is disabled. The routers are providing DHCP and Internet connectivity on their own respective sites. I only have one DC (SBS 2003 server) in site A. Site B has no servers.

Philip Elder

SBS must have DHCP enabled and configured for routing to work properly. The same is true for the Win2K3 box that should be serving the subnet at that site. DHCP should have the dynamic DNS update settings enabled and an account set in Credentials to allow for DNS updating.

Once DHCP is resident on the servers, the gateway IP on the server's NIC should point to the router that gives Internet and VPN access. This is the case for both server sites. Static routes in RRAS are only needed if there was more than one router at the site.

From there, if routing is correct, a ping of the server's name should resolve to the correct IP address of the server at the other site. You may need to add an A record if Win2K3 is not a DC.

Philip
madmxx

ASKER

I only have one server (SBS 2003) in one site. The other site does not have any servers, only workstations. So you are saying that I should set up DHCP on the SBS 2003 server at site A and enable dynamic DNS. Now, the dynamic DNS is set on the server, not the router? On the other side, since there is no server present, only the router, do I need to do anything there? Also, is this change in DHCP only intended for the local network? Because right now the router is serving and the local computer can communicate just fine with the server.
ASKER CERTIFIED SOLUTION
Philip Elder

This solution is only available to members.
madmxx

ASKER

Okay, but do I need to disable DHCP on the router that is on the server side? Also, do I need to make any changes to either router's DNS settings?

Philip Elder

DHCP on the router on the SBS side is disabled.

The systems on the network need to query the SBS DNS for everything. The gateway setting on the SBS NIC tells SBS where to look when it cannot find anything on the internal side of the network. So, nothing should need to be changed ... unless there are some settings that are not proper.

Philip
madmxx

ASKER

Do I make any changes to the DNS on the router that's on the SBS side?

Philip Elder

DNS on the router (WAN) should point to the SBS if possible, or the ISP depending on how it needs to be configured. The unit's manual should indicate that for you.

Philip
madmxx

ASKER

Thanks for your response. I followed your instructions but I am still unable to ping any computer or the other side of the VPN from the SBS 2003 server. It's very strange because any computer on the SBS side is able to ping the computers on the other side of the VPN. Any ideas of what else I can try would be really appreciated.
I need the server to reach the computers on the other side because the SBS runs remote web desktop and it cannot connect to those computers.
madmxx

ASKER

Also, do I need to make any changes to RRAS on the SBS server? Does this have any effect on the issues at hand?

Philip Elder

Did you set any static routes in RRAS on SBS for the VPN setup?

Please post an IPConfig /all from the SBS.

Philip
madmxx

ASKER

No, I have not done any configuration on RRAS, and under Services it shows as Manual with no service running. Here is the SBS ipconfig.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : server2
   Primary Dns Suffix  . . . . . . . : clcpallets.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : clcpallets.local

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0E-0C-4E-7A-94
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.2
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       66.80.130.23

Philip Elder

What is the 66.x.x.x IP address doing in the DNS on the NIC?

Philip
madmxx

ASKER

Do I need to take that out? It's the ISP DNS.
SOLUTION
This solution is only available to members.
madmxx

ASKER

Okay, I made all the changes you recommended but I still haven't been able to solve the issues I need to. First is being able to ping the server from the remote VPN clients by either name or IP, and second is having the server be able to ping the remote VPN clients.

Philip Elder

Is the tunnel up? Do the VPN routers indicate the tunnel is functional, and do they have some sort of internal testing abilities to make sure the tunnel is functional?

Philip
madmxx

ASKER

They're two TZ190 series units and they show as functional. I think they are working well because I am able to reach both sides of the VPN using their LAN IPs. I just think the problem should be related to the SBS 2003 server because it is the only thing that cannot communicate with the remote VPN and vice versa. Any input would be really appreciated. My client is being very patient, but the remote site needs to be able to use their Outlook clients to authenticate with Exchange and also the remote web desktop for the remote site computers.

Philip Elder

Please post an IPConfig /all for a workstation on the SBS side and a workstation on the VPN side.

Philip
madmxx

ASKER

Here is the local VPN site ipconfig:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : TSserver
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration #2
   Physical Address. . . . . . . . . : 00-15-17-55-53-89

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection with I/O Acceleration
   Physical Address. . . . . . . . . : 00-15-17-55-53-88
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.2
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Remote VPN LAN IP:


Windows IP Configuration

        Host Name . . . . . . . . . . . . : carlos
        Primary Dns Suffix  . . . . . . . : clcpallets.local
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : clcpallets.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-07-E9-52-E2-CE
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.2.178
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.2
        DHCP Server . . . . . . . . . . . : 192.168.2.2
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            66.80.130.23
        Lease Obtained. . . . . . . . . . : Monday, May 04, 2009 9:51:22 AM
        Lease Expires . . . . . . . . . . : Tuesday, May 05, 2009 9:51:22 AM

Philip Elder

What is 192.168.2.2? Is that the remote VPN router?

Note that the workstation still has the ISP DNS IP bound to it. Check your DHCP settings to remove that IP address from the served DNS Server IPs!

Once the ISP's DNS IP has been flushed out of the system, the workstations on both sides should be able to resolve SBS and ping it.

Philip
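
Added example (not part of the original thread): a Python check for the condition Philip points out above, an ISP resolver listed beside the SBS DNS on a domain workstation, which sends lookups for internal names to an outside server. It parses `ipconfig /all` text, follows the continuation line that carries the second DNS server, ignores console-wrapped description fragments, and flags DNS servers outside RFC 1918 space. The sample text, host name and 203.0.113.53 are constructed, and IPv4 is assumed.

```python
import ipaddress
import re

# Constructed sample shaped like the `ipconfig /all` output in this thread,
# including a Description line wrapped by an 80-column console.
SAMPLE = """\
Windows IP Configuration

        Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example PRO/100 Network Connecti
on
        IP Address. . . . . . . . . . . . : 192.168.2.50
        Default Gateway . . . . . . . . . : 192.168.2.2
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
        Lease Obtained. . . . . . . . . . : Monday, May 04, 2009 9:51:22 AM
"""

FIELD = re.compile(r"^\s+(.+?)[\s.]*\. :\s*(.*)$")   # "Label . . . : value"
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def dns_servers_by_adapter(text):
    """Map adapter name -> DNS server list, following continuation lines."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            if line.rstrip().endswith(":"):      # adapter section header
                adapter, in_dns = line.rstrip().rstrip(":"), False
            continue                             # else: wrapped fragment, skip
        m = FIELD.match(line)
        if m:
            in_dns = m.group(1).lower() == "dns servers"
            value = m.group(2).strip()
        else:
            value = line.strip()                 # bare value continues last field
        if in_dns and value:
            result.setdefault(adapter, []).append(value)
    return result

def external_dns(text):
    """(adapter, ip) pairs whose DNS server lies outside RFC 1918 space (IPv4)."""
    return [(a, ip) for a, ips in dns_servers_by_adapter(text).items() for ip in ips
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL)]
```

Run `external_dns()` over saved `ipconfig /all` output from each workstation; an empty list means every adapter queries only internal resolvers.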
madmxx

ASKER

What happens if I do that and remove the ISP DNS is that the remote computers lose Internet access. It has to do with the SBS box. There is something wrong there.

Philip Elder

https://www.experts-exchange.com/questions/24378578/site-to-site-vpn-with-tz190-firewall-unable-to-ping-from-sbs-2003-remote-vpn-client.html

A server at site 2 would resolve the routing issue as the VPN devices are probably not robust enough to do that for you.

The VPN devices need to be intelligent enough to know when packets need to get back to the SBS site. Without that, the devices will poll DNS and not get anywhere when they get a "Huh?" from the ISP's DNS servers for your SBS site.

Philip
madmxx

ASKER

Well, what would you suggest trying for the routers as far as routing? Maybe they can handle it. These SonicWalls are pretty robust. What would I need to configure on them?
madmxx

ASKER

Another question: can I enable RRAS and add a static route on the SBS server? Would that help?
madmxx

ASKER

Do you have any more suggestions?
madmxx

ASKER

How about if I enable ISA Server? Would that be an advisable solution?
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.