mhdcommunications

asked on

Accessing remote networks over Windows VPN without 'Use remote default gateway' being checked.

I have two locations set up with a Cisco VPN tunnel. Location A (192.168.12.0/255.255.255.0) and location B (192.168.13.0/255.255.255.0). The tunnel works perfectly, and has no issues.
There is a server at each location:
Location A: SBS 2011
Location B: 2008 R2 Std
RRAS is set up on both servers at both locations, for speed and redundancy (upload speed at Location B is much faster than Location A). E-mail is hosted on-site at Location A (Exchange 2010), as well as some printers, and network shares. Location B only hosts a few printers and a share.
The problem is when accessing the VPN on Location B, I am unable to access e-mail or anything at Location A only when 'Use default gateway on remote network' is unchecked on the client's Windows VPN. This was unchecked due to the limited bandwidth at each location, and it allows remote users to use their own bandwidth for everything EXCEPT network resources. The problem with this being unchecked is there is no route to Location A when connected to the VPN @ Location B (and vice versa). The only real complaint is not being able to access e-mail while connected to the VPN at Location B, but in reality nothing is accessible at Location A (because it's attempting to access the resources using the LAN IP @ Location A (192.168.12.x), but since the VPN is NOT using the default gateway (as stated above), the user has no route to the remote location). If I add a static route on the machine from the command prompt (route add 192.168.12.0 mask 255.255.255.0 192.168.13.1 metric 1) on ANY remote computer connecting to Location B VPN, I'm able to get to Location A (obviously) without having 'Use default gateway on remote network' checked... This is NOT a solution. There has to be a way to do this via RRAS. I've even attempted adding a Static Route in RRAS on Location B's server with the same settings - did not work.
In short - I want to be able to access Location A + B from either the A or B VPN without having to 'Use default gateway on remote network' being checked on clients to avoid unnecessary bandwidth usage from remote users.
Any ideas?
rauenpc

The site-to-site VPN tunnel should include the RRAS VPN subnet if it is not within the 192.168.12/13.0 range. If it is outside those ranges, the firewall will also need a static route pointed at the local RRAS server for the VPN subnet. You shouldn't need a route for the remote RRAS server's VPN subnet. Configure RRAS to include all 4 subnets for tunneling. Everything else will go directly out the user's internet connection.
mhdcommunications

ASKER

The Site to Site tunnel and the Windows VPN (RRAS) servers are separate. The tunnel is between the two locations, set up and controlled by Cisco equipment, so LAN users can communicate with each other.
The Windows VPN (RRAS) servers (one at each location) enable VPN connectivity to BOTH locations from the outside. There are only 2 subnets, not 4. Doing anything on the Firewalls/Routers will have no effect on the Windows VPN. Please re-read my post.
Crude drawing of the layout of the network (don't have Visio on this PC).
With 'Use default gateway on remote network' unchecked on EITHER VPN connection, I can access the network that I connect to (A or B) but not both b/c there is no route to the other site (because I'm not using the Gateway over the VPN), and adding a Static Route in RRAS does not work (even though adding it locally on ANY PC works that is connecting to the VPN - as indicated in the original post).


There are switches, I just didn't see the need to draw them.
The problem here is that you have the VPN run by the CISCO boxes, which are designed to do the routing for you. But you have instead set the servers up as routers using RRAS and are ignoring the routing facilities of the CISCOs.

The CISCOs should be the default gateway for the network, including the server, at each site.

This will resolve the entire setup unless there is a reason you have set the servers as the default gateways.
The servers are not the gateways, they are providing USERS with VPN access from home. That is all they are doing as far as my overall issue is concerned. The Gateway they (the VPN servers) provide to VPN users IS the Cisco (12.1 and 13.1 respectively), which is the Gateway at each location.
There is a setting (remote user side) on ALL Windows VPN connections to 'Use default gateway on remote network' - which is set by default. I have DISABLED this to prevent users from using VPN bandwidth just in case they decide to stream music, movies, or whatever it may be, and it won't affect their connection to the server.
The problem with doing this is that it prevents access to Location A when establishing a VPN connection with Location B - since 'Use default gateway on remote network' is UNCHECKED, there is no route to Location A.
Under RRAS (on either server) there is a 'Static Routes' section. I added the route, and it had no effect - still no access to Location A from a VPN connection to Location B (and vice versa).
I need to be able to access BOTH Location A and B (which have a LAN to LAN tunnel between them) from a VPN to EITHER location with the option 'Use default gateway on remote network' UNCHECKED.
ASKER CERTIFIED SOLUTION
rauenpc
Splitting the points.
rauenpc provided a link to 'Classless Static Route DHCP' option, but the article doesn't specify the actual DHCP server, and refers more to RRAS handling DHCP - may be my misunderstanding.
totallytonto pointed me to the DHCP server itself, where there is (in Scope and Server Options) a "Classless Static Routes" option, where you can define static routes.
Nice article below about how/where to set this up, even though it's pretty self-explanatory. Thanks for the help!
http://tmgblog.richardhicks.com/2009/01/08/using-dhcp-to-assign-static-routes/