Solved

Accepting connections from specific IP Ranges

Posted on 2010-11-11
22
316 Views
Last Modified: 2012-06-21
Currently setting up a managed SSL VPN on a firewall that needs to be on an IP Range that is different to the internal LAN.

The internal LAN range is 192.168.20.0 /24

SSL VPN Range is 172.33.255.0/24

How do I get the Windows Servers on the internal LAN range to see the SSL VPN Range without too much work?

Question by:Mr_OCD
22 Comments
 
LVL 23

Expert Comment

by:jakethecatuk
you can look at adding a static route as follows: -

route add 172.33.255.0 mask 255.255.255.0 {IP of the internal address of the firewall handling the VPN}

regards
0
 
LVL 4

Expert Comment

by:tausifsfarid
You can manually add an additional static IP, and it works.

By the way, the private IP range is from 172.16.0.0 – 172.31.255.255.

The IP which you are using to configure the VPN, 172.33.255.0, is a public IP.
0
 

Author Comment

by:Mr_OCD
How do I add the static route? Or do you mean add the static range to the network cards on the server?
0
 
LVL 23

Expert Comment

by:jakethecatuk
On the server, bring up a command prompt and try the command I gave you
0
 
LVL 4

Expert Comment

by:tausifsfarid
Yes, on the server you can manually add the static IP of the VPN range...
0
 

Author Comment

by:Mr_OCD
Correct range will be 172.31.255.0 / 25...

so the new route needs to be:

route add 172.31.255.0 mask 255.255.255.0 172.31.255.1

Is there anyway I can verify this on the network card? Actually I'm pretty sure this can be done under TCP/IP advanced properties!?

0
 
LVL 23

Expert Comment

by:jakethecatuk
it can't be done under advanced properties.

you can check this by typing route print at a command prompt.

0
 

Author Comment

by:Mr_OCD
Ok, thanks, but now I'm being given conflicting information, in that I'm being told I should not need to add routes on the servers but simply need to ensure the servers will respond to requests from the SSL-VPN range.

Without routes, how can that happen!?

0
 
LVL 23

Expert Comment

by:jakethecatuk
it all depends

the VPN tunnel - where does it terminate?  Is it at your internal firewall?

If it's on the internal firewall and it is the same firewall that all your servers use as their default gateway, then the firewall will know how to handle the VPN traffic.

If the firewall you are setting up the VPN tunnel on ISN'T the default gateway for your servers, then you will need to setup routes.

You didn't state what role the firewall plays in your configuration so it's a case of second guessing what the answer might be.

So, what is the IP address of your firewall and what is the default gateway on your servers?
0
 

Author Comment

by:Mr_OCD
Ok, that's making more sense to me now. Appreciate the info.

Basically the VPN tunnel is NOT the default gateway for the servers.

Gateway of the servers is 192.168.20.167 on the 192.168.20.0/24 subnet (internal LAN) which points to Firewall.

SSL VPN traffic will be on the 172.31.255.0/24 subnet.

Basically we can now connect to the VPN from outside but when we do so we cannot connect to file shares / email servers / etc and cannot ping them.

I'm finding this frustrating, as I installed an ISA Server easily to do the job, but we are now using a managed firewall which supports multiple WAN connections (for load balancing) which works fine, but we are struggling to get a VPN connection that works properly.
0
 
LVL 23

Expert Comment

by:jakethecatuk
so the firewall is 192.168.20.167

does the firewall also handle the VPN connection to your other office?
0

Author Comment

by:Mr_OCD
Yes it is... and yes, the firewall handles the VPN connection / traffic.

Getting somewhere now, as we can access DNS / file servers now with the new VPN range, but we can't connect to the Exchange Server... I presume something is blocking the Exchange connection.

Any idea?

Thanks for your help!
0
 
LVL 23

Expert Comment

by:jakethecatuk
OK - if your firewall (192.168.20.167) handles the VPN and is the default gateway for the servers - then you don't need to add any routing information as the firewall will handle that for you.

What will happen is this... the server will send a packet out to 172.33.255.10. This will get delivered straight to the firewall, as the server doesn't know where the IP address is as it's not on its local network. The firewall will look at the IP address and see that it's on the other end of its VPN tunnel and route the traffic for you.

can you ping the exchange server?
0
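As an added illustration (this is not code from the thread or from any of its participants), the following Python script models the host routing decision jakethecatuk describes above: a destination outside the server's own subnet goes to the default gateway unless a usable static route exists, and a static route is only usable when its gateway is directly reachable. It also covers tausifsfarid's earlier note about the private 172.16.0.0/12 block, and shows the dotted mask that a `route add` for a /25 would need. The server's host address 192.168.20.50 is an assumption (the thread never states it); the gateway 192.168.20.167, the VPN range 172.31.255.0/24 and the secondary address 172.31.255.2 are taken from the thread.

```python
import ipaddress

# Constructed topology taken from the thread: the server sits on the internal
# LAN, its default gateway is the managed firewall at 192.168.20.167, and the
# SSL VPN clients are given addresses from 172.31.255.0/24. The server's own
# host address (192.168.20.50) is an assumption; the thread never gives it.
LAN_INTERFACE = ipaddress.ip_interface("192.168.20.50/24")
DEFAULT_GATEWAY = ipaddress.ip_address("192.168.20.167")
VPN_RANGE = ipaddress.ip_network("172.31.255.0/24")

# The three RFC 1918 private blocks; 172.16.0.0/12 ends at 172.31.255.255.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_range(net):
    """True when the whole network sits inside an RFC 1918 block, so
    172.31.255.0/24 is private but 172.33.255.0/24 is not."""
    return any(ipaddress.ip_network(net).subnet_of(block) for block in RFC1918)


def next_hop(dst, interfaces=(LAN_INTERFACE,), static_routes=None, gateway=DEFAULT_GATEWAY):
    """Decide how a host forwards a packet to dst, mimicking a host routing table:
    on-link if dst is inside any interface's subnet; otherwise the longest-prefix
    static route whose gateway is itself on-link; otherwise the default gateway.
    static_routes maps "network/prefix" strings to gateway address strings.
    Returns a (kind, next_hop_address) tuple."""
    dst = ipaddress.ip_address(dst)
    if any(dst in iface.network for iface in interfaces):
        return ("on-link", dst)
    best = None
    for net, gw in (static_routes or {}).items():
        net = ipaddress.ip_network(net)
        gw = ipaddress.ip_address(gw)
        if dst not in net:
            continue
        # A route is only usable when its gateway is directly reachable;
        # a gateway inside the destination range itself is not.
        if not any(gw in iface.network for iface in interfaces):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw)
    if best is not None:
        return ("static", best[1])
    return ("default", gateway)


def netmask_for(prefixlen):
    """Convert a CIDR prefix length into the dotted mask that 'route add' expects,
    e.g. a /25 needs 255.255.255.128 rather than 255.255.255.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)


if __name__ == "__main__":
    client = "172.31.255.10"  # constructed VPN client address
    print("no static route:", next_hop(client))
    print("route with gateway inside the VPN range:",
          next_hop(client, static_routes={str(VPN_RANGE): "172.31.255.1"}))
    print("route via the firewall:",
          next_hop(client, static_routes={str(VPN_RANGE): "192.168.20.167"}))
    print("secondary address on the NIC:",
          next_hop(client, interfaces=(LAN_INTERFACE, ipaddress.ip_interface("172.31.255.2/24"))))
    print("172.33.255.0/24 private?", is_private_range("172.33.255.0/24"))
    print("mask for /25:", netmask_for(25))
```

Run stand-alone, the script shows that with no route at all the packet still reaches the firewall as the default gateway, that a route pointing at 172.31.255.1 is ignored because that gateway is not on-link from the server, and that adding a secondary 172.31.255.x address to the NIC (the accepted solution) makes the VPN range appear on-link instead.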
 

Author Comment

by:Mr_OCD
Excellent thanks!

No cannot ping the Exchange server from the firewall.
0
 

Author Comment

by:Mr_OCD
Or rather cannot ping the Exchange server from the VPN client connected so I think something is blocking the connection.
0
 
LVL 23

Expert Comment

by:jakethecatuk
the VPN tunnel may be configured to block all traffic except the ports that are open.

can you ping anything over the VPN?
0
 

Author Comment

by:Mr_OCD
Can ping the file servers now easily and connect to them fine. Can also RDP to them... so getting somewhere, but not able to ping the email servers at all. Looks like ports may be blocked?
0
 
LVL 23

Expert Comment

by:jakethecatuk
are you sure the e-mail server is in the correct IP address range for the VPN?
0
 

Author Comment

by:Mr_OCD
Yes. The email servers are on same range as the file servers which we can ping fine.
0
 
LVL 23

Expert Comment

by:jakethecatuk
If you can't even ping the Exchange server, then it's possible that the problem lies at the other end.

Try doing a trace route to see where the traffic goes by typing in at a command prompt 'tracert {ip address}'
0
 
LVL 4

Accepted Solution

by:
tausifsfarid earned 500 total points
Forget everything, I had given you a simple solution, that is:

Manually add an additional free IP address of the range 172.31.255.0 from TCP/IP advanced properties... like 172.31.255.2
0
