  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 424

problem with routing/NAT in a LAN-LAN PPTP setup in Windows Server 2003

I am trying to make a setup for LAN-to-LAN over PPTP.  My pptp client is on Windows Server 2003, and connects to the remote network through a PIX515.  Connections to the remote network are fine, and I am able to connect to multiple machines on the remote network from the client just fine.

For other machines on the LAN, they are able to get TO the client machine, but no further.  The traceroute shows it getting to the client, and then nothing.  At first I was thinking that this was a routing issue, but after running WireShark on the pptp client, I can see packets coming into it and trying to get to the remote systems, but then no response.  So now I am thinking that the problem is related to translation, since the remote system would have no way of knowing how to get packets back to the originating machines.

I have Routing and Remote Access set up, and it connects to the PPTP system via this (rather than manually selecting a new network connection).
Asked by Darkpaw

2 Solutions

ChiefIT commented:
What types of packets are you having problems with?

Are they netbios packets? If so, those stop at the router because they are held to the broadcast domain.

Any broadcast packet will be stopped at the router.

Darkpaw (Author) commented:
It's not broadcast, it's all tcp traffic.  For example, telnet.  I need machines on the LAN to be able to telnet through the PPTP client onto the remote network.  SSH/SSL, as well.

Qlemo (C++ Developer) commented:
You need to define NAT on the dial-in interface in RRAS. That will substitute the PPTP client IP and a random port as source address.

In RRAS console, go to IP Routing => NAT / Firewall => New => Public Interface, NAT.

That will not allow communication initiated by the remote site, as there will be no corresponding NAT entry. As far as I understood you did not want to allow for such traffic.
Darkpaw (Author) commented:
There is no option for NAT/Firewall under IP Routing.  The only shown settings are General and Static Routes.  Right-clicking on it only allows me to change view and export list.

Qlemo (C++ Developer) commented:
Strange. You should have General, Static Routes, DHCP Relay, IGMP and NAT/Firewall there.

Please check settings of the RRAS service by opening the Property Page of the server entry in RRAS console.
In General tab, it should be set up as Router, LAN and Demand-Dial Routing.
In IP tab, the two topmost check marks should be checked.
You might have to restart RRAS after changes.

Darkpaw (Author) commented:
Strange.  They are all already set as that.  Should I also enable to act as a remote access server (in the General tab)?

Qlemo (C++ Developer) commented:
No need to enable "RAS Server", it's for incoming connections only.
I assume you do not use that RRAS as Internet router (with ICS).
Try to add a Routing Protocol (IP Routing => General => (context menu) New Routing Protocol). Are IGMP and NAT listed there? If so, you need to add NAT.

Darkpaw (Author) commented:
OK, that allowed me to add it.  The connection to the LAN side is on "Local Area Connection".  I added this interface to the NAT setting, with Private Interface on a Private Network, and no filters added (it appears to default to allow all).

The stats for it (inbound/outbound packets, etc) all show 0, with no translations.  Traceroute from the other machine on the LAN that I'm using for testing still stops at the PPTP client and hangs.  I tried adding a mapping to a single static IP in the range of the remote machine, and added a static route.  Still nothing.  I think I'm getting closer, but am definitely stuck at the point of getting the inbound packets translated to something that would be usable to the remote network (or if it's not translating at all).

Qlemo (C++ Developer) commented:
LAN on private/private is correct.
You need to add the Dial-Out interface used as public / NAT / no firewall,
and create a static route for that interface (no gateway, it is put in automatically while connected).
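The configuration the thread arrives at (LAN interface private, PPTP dial-out interface public with NAT and no firewall, static route for the remote subnet over the dial-out interface) can also be applied from the command line with netsh on Windows Server 2003. This is an added example for readers of the thread, not part of Qlemo's answer; the interface names "Local Area Connection" and "RemoteSite" and the remote subnet 192.168.50.0/24 are placeholders, substitute your own.

```batch
@echo off
REM Added example: netsh equivalent of the RRAS console steps in this thread.
REM Assumptions (substitute your own values): the LAN interface is
REM "Local Area Connection", the PPTP demand-dial interface is "RemoteSite",
REM and the remote site's subnet is 192.168.50.0/24.

REM 1. Install the NAT routing protocol. This is what makes the "NAT/Firewall"
REM    node appear under IP Routing in the RRAS console.
netsh routing ip nat install

REM 2. LAN side: private interface on a private network.
netsh routing ip nat add interface name="Local Area Connection" mode=private

REM 3. PPTP dial-out side: public interface with address and port translation
REM    ("full"), which is the "Public Interface, NAT" choice in the console.
netsh routing ip nat add interface name="RemoteSite" mode=full

REM 4. Static route for the remote subnet over the dial-out interface. No gateway
REM    is given; RRAS fills in the next hop when the demand-dial link comes up.
netsh routing ip add persistentroute dest=192.168.50.0 mask=255.255.255.0 name="RemoteSite"

REM 5. Verify: both interfaces should be listed with the expected mode, and after
REM    LAN-originated traffic the translation counters on "RemoteSite" should be
REM    non-zero (all-zero counters were the symptom earlier in the thread).
netsh routing ip nat show interface
netsh routing ip show persistentroutes
```

Because a translation entry is only created for flows that originate on the LAN, hosts at the remote site cannot open connections into the LAN through this tunnel, which is the behaviour Qlemo describes above; keep that in mind when reviewing what the PPTP client exposes in each direction.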

Darkpaw (Author) commented:
That works perfectly now.

Thanks a lot.