Solved

Accepting connections from specific IP Ranges

Posted on 2010-11-11
317 Views
Last Modified: 2012-06-21
Currently setting up a managed SSL VPN on a firewall that needs to be on an IP Range that is different to the internal LAN.

The internal LAN range is 192.168.20.0 /24

SSL VPN Range is 172.33.255.0/24

How do I get the Windows Servers on the internal LAN range to see the SSL VPN Range without too much work?

Question by:Mr_OCD
22 Comments
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34110434
You can look at adding a static route as follows:

route add 172.33.255.0 mask 255.255.255.0 {IP of the internal address of the firewall handling the VPN}

Regards
 
LVL 4

Expert Comment

by:tausifsfarid
ID: 34110447
You can manually add an additional static IP, and it works.

By the way, the private IP range is 172.16.0.0 – 172.31.255.255.

The IP you are using to configure the VPN, 172.33.255.0, is a public IP.
 

Author Comment

by:Mr_OCD
ID: 34110477
How do I add the static route? Or do you mean add the static range to the network cards on the server?
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34110488
On the server, bring up a command prompt and try the command I gave you.
 
LVL 4

Expert Comment

by:tausifsfarid
ID: 34110668
Yes, on the server you can manually add the static IP of the VPN range...
 

Author Comment

by:Mr_OCD
ID: 34110732
Correct range will be 172.31.255.0 / 25...

so the new route needs to be:

route add 172.31.255.0 mask 255.255.255.0 172.31.255.1

Is there any way I can verify this on the network card? Actually I'm pretty sure this can be done under TCP/IP advanced properties!?
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34110747
It can't be done under advanced properties.

You can check this by typing route print at a command prompt.
 

Author Comment

by:Mr_OCD
ID: 34110867
OK, thanks, but now I'm being given conflicting information: I'm being told I should not need to add routes on the servers but simply need to ensure the servers will respond to requests from the SSL-VPN range.

Without routes, how can that happen!?
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34110890
It all depends.

The VPN tunnel - where does it terminate? Is it at your internal firewall?

If it's on the internal firewall and it is the same firewall that all your servers use as their default gateway, then the firewall will know how to handle the VPN traffic.

If the firewall you are setting up the VPN tunnel on ISN'T the default gateway for your servers, then you will need to set up routes.

You didn't state what role the firewall plays in your configuration, so it's a case of second-guessing what the answer might be.

So, what is the IP address of your firewall and what is the default gateway on your servers?
 

Author Comment

by:Mr_OCD
ID: 34111039
OK, that's making more sense to me now. Appreciate the info.

Basically the VPN tunnel is NOT the default gateway for the servers.

Gateway of the servers is 192.168.20.167 on the 192.168.20.0/24 subnet (internal LAN), which points to the firewall.

SSL VPN traffic will be on the 172.31.255.0/24 subnet.

Basically we can now connect to the VPN from outside but when we do so we cannot connect to file shares / email servers / etc and cannot ping them.

I'm finding this frustrating as I installed an ISA Server easily to do the job, but we are now using a managed firewall which supports multiple WAN connections (for load balancing), which works fine, but we are struggling to get a VPN connection that works properly.
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34111227
So the firewall is 192.168.20.167.

Does the firewall also handle the VPN connection to your other office?
 

Author Comment

by:Mr_OCD
ID: 34111790
Yes it is... and yes the firewall handles the VPN connection / traffic.

Getting somewhere now as we can access DNS / file servers with the new VPN range, but we can't connect to Exchange Server... I presume something is blocking the Exchange connection.

Any idea?

Thanks for your help!
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34111859
OK - if your firewall (192.168.20.167) handles the VPN and is the default gateway for the servers - then you don't need to add any routing information, as the firewall will handle that for you.

What will happen is this... the server will send a packet out to 172.33.255.10. This will get delivered straight to the firewall, as the server doesn't know where the IP address is since it's not on its local network. The firewall will look at the IP address, see that it's on the other end of its VPN tunnel, and route the traffic for you.

Can you ping the Exchange server?
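The forwarding decision jakethecatuk describes above, and the private-range point tausifsfarid raised earlier, as an added worked example (not code from the thread). It models the server's routing table with the thread's addresses (192.168.20.0/24 on-link, default gateway 192.168.20.167) and does the longest-prefix match a host stack does; the hypothetical second firewall 192.168.20.2 is an assumed address used only to show the case where the VPN terminator is not the default gateway. It also checks the general rule that a static route's next hop must itself be on-link, which `route add` will not do for you.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for a Windows server on the internal LAN in the
# thread: the NIC subnet is on-link, everything else goes to the firewall.
# Each entry is (destination network, next hop) with None meaning on-link.
def build_table(static_routes=()):
    table = [
        (ip_network("192.168.20.0/24"), None),                    # NIC subnet
        (ip_network("0.0.0.0/0"), ip_address("192.168.20.167")),  # default gw
    ]
    # Extra static routes such as the ones 'route add' would create.
    table += [(ip_network(n), ip_address(h)) for n, h in static_routes]
    return table

def next_hop(table, dest):
    """Longest-prefix match: the most specific route wins, default last."""
    dest = ip_address(dest)
    matches = [(net, hop) for net, hop in table if dest in net]
    net, hop = max(matches, key=lambda entry: entry[0].prefixlen)
    return "on-link" if hop is None else str(hop)

def gateway_reachable(table, gateway):
    """A next hop is only usable if the host can reach it without routing,
    i.e. it sits inside one of the on-link networks."""
    gw = ip_address(gateway)
    return any(hop is None and gw in net for net, hop in table)

def is_rfc1918(addr):
    """True only for the private ranges 10/8, 172.16/12 and 192.168/16."""
    a = ip_address(addr)
    return any(a in ip_network(p)
               for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

def windows_route_add(network, gateway):
    """Render the 'route add <net> mask <mask> <gw>' line used in the thread."""
    n = ip_network(network)
    return f"route add {n.network_address} mask {n.netmask} {gateway}"

if __name__ == "__main__":
    # Firewall is the default gateway: no static route needed on the server.
    print(next_hop(build_table(), "172.31.255.10"))           # 192.168.20.167
    # VPN terminated on a different (assumed) device: a static route is needed.
    extra = [("172.31.255.0/24", "192.168.20.2")]
    print(next_hop(build_table(extra), "172.31.255.10"))      # 192.168.20.2
    print(windows_route_add("172.31.255.0/24", "192.168.20.2"))
    # The route proposed earlier in the thread uses a gateway the server
    # cannot reach directly, so it would never be used.
    print(gateway_reachable(build_table(), "172.31.255.1"))   # False
    print(is_rfc1918("172.33.255.10"), is_rfc1918("172.31.255.10"))  # False True
```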
 

Author Comment

by:Mr_OCD
ID: 34111949
Excellent thanks!

No, cannot ping the Exchange server from the firewall.
 

Author Comment

by:Mr_OCD
ID: 34111955
Or rather, cannot ping the Exchange server from the connected VPN client, so I think something is blocking the connection.
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34111972
The VPN tunnel may be configured to block all traffic except the ports that are open.

Can you ping anything over the VPN?
 

Author Comment

by:Mr_OCD
ID: 34113938
Can ping the file servers now easily and connect to them fine. Can also RDP to them... so getting somewhere, but not able to ping the email servers at all. Looks like ports may be blocked?
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34113955
Are you sure the e-mail server is in the correct IP address range for the VPN?
 

Author Comment

by:Mr_OCD
ID: 34114095
Yes. The email servers are on the same range as the file servers, which we can ping fine.
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34114159
If you can't even ping the Exchange server, then it's possible that the problem lies at the other end.

Try doing a trace route to see where the traffic goes by typing at a command prompt 'tracert {ip address}'
 
LVL 4

Accepted Solution

by:
tausifsfarid earned 500 total points
ID: 34119219
Forget everything, I had given you a simple solution, that is:

Manually add an additional free IP address of the range 172.31.255.0 from TCP/IP advanced properties... like 172.31.255.2