Solved

Accepting connections from specific IP Ranges

Posted on 2010-11-11
323 Views
Last Modified: 2012-06-21
Currently setting up a managed SSL VPN on a firewall that needs to be on an IP Range that is different to the internal LAN.

The internal LAN range is 192.168.20.0 /24

SSL VPN Range is 172.33.255.0/24

How do I get the Windows Servers on the internal LAN range to see the SSL VPN Range without too much work?

Question by:Mr_OCD
22 Comments
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34110434
You can look at adding a static route as follows:

route add 172.33.255.0 mask 255.255.255.0 {IP of the internal address of the firewall handling the VPN}

regards
0
 
LVL 4

Expert Comment

by:tausifsfarid
ID: 34110447
You can manually add an additional static IP, and it works.

By the way, the private IP range is 172.16.0.0 – 172.31.255.255.

The IP you are using to configure the VPN, 172.33.255.0, is a public IP.
0
 

Author Comment

by:Mr_OCD
ID: 34110477
How do I add the static route? Or do you mean add the static range to the network cards on the server?
0

 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34110488
On the server, bring up a command prompt and try the command I gave you
0
 
LVL 4

Expert Comment

by:tausifsfarid
ID: 34110668
Yes, on the server you can manually add a static IP from the VPN range...
0
 

Author Comment

by:Mr_OCD
ID: 34110732
Correct range will be 172.31.255.0 / 25...

so the new route needs to be:

route add 172.31.255.0 mask 255.255.255.0 172.31.255.1

Is there any way I can verify this on the network card? Actually I'm pretty sure this can be done under TCP/IP advanced properties!?

0
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34110747
It can't be done under advanced properties.

You can check this by typing route print at a command prompt.

0
 

Author Comment

by:Mr_OCD
ID: 34110867
Ok thanks, but now I'm being given conflicting information, in that I'm being told I should not need to add routes on the servers but simply need to ensure the servers will respond to requests from the SSL-VPN range.

Without routes, how can that happen!?

0
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34110890
it all depends

the VPN tunnel - where does it terminate?  Is it at your internal firewall?

If it's on the internal firewall and it is the same firewall that all your servers use as their default gateway, then the firewall will know how to handle the VPN traffic.

If the firewall you are setting up the VPN tunnel on ISN'T the default gateway for your servers, then you will need to setup routes.

You didn't state what role the firewall plays in your configuration so it's a case of second guessing what the answer might be.

So, what is the IP address of your firewall and what is the default gateway on your servers?
0
 

Author Comment

by:Mr_OCD
ID: 34111039
Ok, that's making more sense to me now. Appreciate the info.

Basically the VPN tunnel is NOT the default gateway for the servers.

Gateway of the servers is 192.168.20.167 on the 192.168.20.0/24 subnet (internal LAN) which points to Firewall.

SSL VPN traffic will be on the 172.31.255.0/24 subnet.

Basically we can now connect to the VPN from outside but when we do so we cannot connect to file shares / email servers / etc and cannot ping them.

I'm finding this frustrating as I installed an ISA Server easily to do the job, but we are now using a managed firewall which supports multiple WAN connections (for load balancing), which works fine, but we are struggling to get a VPN connection that works properly.

0
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34111227
so the firewall is 192.168.20.167

does the firewall also handle the VPN connection to your other office?
0
 

Author Comment

by:Mr_OCD
ID: 34111790
Yes it is... and yes the firewall handles the VPN connection / traffic.

Getting somewhere now as we can access DNS / File Servers now with the new VPN range, but we can't connect to Exchange Server... I presume something is blocking the Exchange connection.

Any idea?

Thanks for your help!
0
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34111859
OK - if your firewall (192.168.20.167) handles the VPN and is the default gateway for the servers - then you don't need to add any routing information as the firewall will handle that for you.

What will happen is this... the server will send a packet out to 172.33.255.10. This will get delivered straight to the firewall, as the server doesn't know where the IP address is as it's not on its local network. The firewall will look at the IP address and see that it's on the other end of its VPN tunnel and route the traffic for you.

can you ping the exchange server?
0
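The decision rule jakethecatuk lays out (a static route is only needed when the firewall terminating the VPN is not the servers' default gateway), the packet flow he describes above, and tausifsfarid's point about the 172.16.0.0/12 private block, worked as an added Python example that is not code from this thread. The addresses are constructed to match the discussion, and the `-p` (persistent route) flag of Windows route.exe is assumed.

```python
import ipaddress

# The three RFC 1918 blocks; 172.33.x.x falls outside 172.16.0.0/12.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True only for RFC 1918 space (narrower than ipaddress' is_private)."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def plan_route(server_ip, prefix, default_gw, vpn_fw_lan_ip, vpn_pool):
    """Return the Windows `route add` line the server needs, or None.

    None means the VPN firewall already is the default gateway, so the
    default route delivers VPN-bound packets to it. The mask is derived
    from the prefix length so the two cannot disagree.
    """
    lan = ipaddress.ip_interface(f"{server_ip}/{prefix}").network
    gw = ipaddress.ip_address(default_gw)
    fw = ipaddress.ip_address(vpn_fw_lan_ip)
    pool = ipaddress.ip_network(vpn_pool, strict=True)
    if gw not in lan or fw not in lan:
        raise ValueError("gateway and VPN firewall must be on the server's LAN")
    if pool.overlaps(lan):
        raise ValueError("VPN pool overlaps the LAN; routing would be ambiguous")
    if fw == gw:
        return None
    # -p keeps the route across reboots (route.exe persistent-route flag)
    return f"route -p add {pool.network_address} mask {pool.netmask} {fw}"


def next_hop(dest, lan_net, default_gw, static_routes):
    """Longest-prefix lookup: where the server forwards a packet to `dest`.

    static_routes maps "network/prefix" -> gateway; on-link LAN wins first,
    anything unmatched goes to the default gateway (the thread's scenario).
    """
    d = ipaddress.ip_address(dest)
    if d in ipaddress.ip_network(lan_net):
        return "on-link"
    best = None
    for net, gw in static_routes.items():
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else default_gw
```

Deriving the mask from the prefix is the check worth keeping: a /25 pool gets 255.255.255.128, not 255.255.255.0, and `route print` on the server should show exactly that entry.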
 

Author Comment

by:Mr_OCD
ID: 34111949
Excellent thanks!

No cannot ping the Exchange server from the firewall.
0
 

Author Comment

by:Mr_OCD
ID: 34111955
Or rather cannot ping the Exchange server from the VPN client connected so I think something is blocking the connection.
0
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34111972
the VPN tunnel may be configured to block all traffic except the ports that are open.

can you ping anything over the VPN?
0
 

Author Comment

by:Mr_OCD
ID: 34113938
Can ping the file servers now easily and connect to them fine. Can also RDP to them... so getting somewhere, but not able to ping the email servers at all. Looks like ports may be blocked?
0
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34113955
are you sure the e-mail server is in the correct IP address range for the VPN?
0
 

Author Comment

by:Mr_OCD
ID: 34114095
Yes. The email servers are on same range as the file servers which we can ping fine.
0
 
LVL 23

Expert Comment

by:jakethecatuk
ID: 34114159
If you can't even ping the exchange server, then it's possible that the problem lies at the other end.

Try doing a trace route to see where the traffic goes by typing in at a command prompt 'tracert {ip address}'
0
 
LVL 4

Accepted Solution

by:tausifsfarid (earned 2000 total points)
ID: 34119219
Forget everything, I had given you a simple solution, that is:

Manually add an additional free IP address from the 172.31.255.0 range in TCP/IP advanced properties... like 172.31.255.2
0
