Using RRAS NAT inside a VPN connection

Posted on 2010-01-08
Last Modified: 2012-05-08
Hi. I have a Windows 2008 machine configured with RRAS and am connecting through an SSTP VPN tunnel to it. While it was no small miracle to get SSTP working, I am facing another issue at this time.

I have configured RRAS to hand out IP addresses in the 192.168.254.x range (the server's NIC is and that subnet is full, so I have to use NAT for VPN clients) and when I connect to the server with VPN, I am getting an IP address from RRAS and successfully pinging the "Internal" interface ( as well as the NIC interface ( The problem I am having is with NAT.

I would like outgoing requests from the VPN clients to translate to the server's IP of so I can have VPN clients connect to other servers on the 192.168.2.x subnet. I don't care about getting port address translation working, as the 192.168.2.x subnet does not have to initiate connections to any VPN computers.

I have fiddled around with the NAT module configuring adapters and IP ranges and static routes and all the like, but just cannot get this working. It seems the NAT module is not even doing anything, since "total mappings" and "inbound packets transmitted" are all 0.

The clients' routing tables should be set up correctly, as I have statically routed the 192.168.2.x subnet to go through the gateway. Still no luck.

Could someone please advise as to the proper configuration to get a VPN client with a private IP translating packets to reach destinations outside the RRAS server?
Question by:lbgaus
    Accepted Solution

    You likely need to add routes to the VPN client computers and a return route to the servers to which you want to connect because they are more than a single hop away.
    On the client:
    route add  mask
    On the other servers (assuming the VPN server's LAN IP is not their default gateway; if it is, this route is not necessary):
    route add
    If this works you could add these routes to the local router rather than each client and server.

    Author Closing Comment

    Wow. That was incredibly simple, I almost feel stupid for missing it.

    Thank you VERY much. You rock!
    Expert Comment

    by:Rob Williams
    Thanks lbgaus. Glad to hear it worked for you.
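
The routing logic behind the accepted solution, as an added example that is not part of the original thread: a longest-prefix-match lookup showing that traffic only completes the round trip when the client sends 192.168.2.x into the tunnel and the LAN server sends 192.168.254.x replies back to the RRAS server. The two subnets come from the question; every individual address below is a constructed placeholder, because the thread's real addresses are not shown.

```python
import ipaddress

# Constructed placeholder addresses (the thread's real ones are not shown).
RRAS_VPN = "192.168.254.1"   # RRAS "Internal" interface, seen by VPN clients
RRAS_LAN = "192.168.2.10"    # RRAS server's NIC on the 192.168.2.x LAN
LAN_GW = "192.168.2.1"       # LAN servers' usual default gateway
CLIENT = "192.168.254.20"    # address RRAS handed to the VPN client
SERVER = "192.168.2.50"      # LAN server the client wants to reach
ON_LINK = "on-link"

def next_hop(table, dst):
    """Return the gateway of the most specific route covering dst, or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw) for net, gw in table
            if dst in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def round_trip(client_table, server_table):
    """(request enters the tunnel, reply is handed back to the RRAS server)."""
    forward = next_hop(client_table, SERVER) == RRAS_VPN
    back = next_hop(server_table, CLIENT) == RRAS_LAN
    return forward, back

# Client on a constructed home network, before and after the client-side route.
CLIENT_BEFORE = [("10.0.0.0/24", ON_LINK), ("192.168.254.0/24", ON_LINK),
                 ("0.0.0.0/0", "10.0.0.1")]
CLIENT_AFTER = CLIENT_BEFORE + [("192.168.2.0/24", RRAS_VPN)]

# LAN server before and after the return route to the VPN range.
SERVER_BEFORE = [("192.168.2.0/24", ON_LINK), ("0.0.0.0/0", LAN_GW)]
SERVER_AFTER = SERVER_BEFORE + [("192.168.254.0/24", RRAS_LAN)]

# Case from the answer: RRAS is already the default gateway, no extra route.
SERVER_GW_IS_RRAS = [("192.168.2.0/24", ON_LINK), ("0.0.0.0/0", RRAS_LAN)]

if __name__ == "__main__":
    cases = {
        "no routes added": (CLIENT_BEFORE, SERVER_BEFORE),
        "client route only": (CLIENT_AFTER, SERVER_BEFORE),
        "client + return route": (CLIENT_AFTER, SERVER_AFTER),
        "RRAS is default gateway": (CLIENT_AFTER, SERVER_GW_IS_RRAS),
    }
    for name, (c, s) in cases.items():
        print(f"{name:26} forward={round_trip(c, s)[0]} back={round_trip(c, s)[1]}")
```

With only the client-side route in place the request arrives but the reply goes to the LAN's default gateway, which is the one-way behaviour the return route corrects.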
