2000 server, vpn, static IP

Hi guys, I'm not a full time IT guy, so bear with me.

We have a Windows 2000 server machine which serves as basic fileserver.
It, along with our 10 Win2k client machines, all get their IP
addresses from our DSL routers DHCP. Everything is hooked through a
switch and works fine.

We just upgraded to 3mbps DSL and they gave us 5 static IPs (had dynamic
IP before).

We want to set up a VPN and I've done one before with the old setup
(though temporary), but I want to know if I should still use DHCP from
the router or set up DHCP on the server and any other hints to keeping a
simple but effective LAN and VPN.

In a small business (<10 employees), what are other uses for 5 static IPs?

~~Eric

On Mon, 28 Mar 2005 11:19:17 -0600, em <(E-Mail Removed)> wrote:

>Hi guys, I'm not a full time IT guy, so bear with me.
>
>We have a Windows 2000 server machine which serves as basic fileserver.
> It, along with our 10 Win2k client machines, all get their IP
>addresses from our DSL routers DHCP. Everything is hooked through a
>switch and works fine.

Servers should never be on a dynamic IP address.

>We just upgraded to 3mbps DSL and they gave us 5 static IPs (had dynamic
>IP before).
>
>We want to set up a VPN and I've done one before with the old setup
>(though temporary), but I want to know if I should still use DHCP from
>the router or set up DHCP on the server and any other hints to keeping a
>simple but effective LAN and VPN.

Run DHCP off the server, disable it on the router.

>In a small business (<10 employees), what are other uses for 5 static IPs?

Five web sites with SSL.

There are quite a few uses for static public IP addresses, but if you
don't need them, don't use them.

Jeff

Jeff Cochran wrote:
> Five web sites with SSL.

Yea, I'll get right on that..

~~Eric

"em" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We just upgraded to 3mbps DSL and they gave us 5 static IPs (had dynamic
> IP before).
>
> We want to set up a VPN and I've done one before with the old setup
> (though temporary), but I want to know if I should still use DHCP from
> the router or set up DHCP on the server and any other hints to keeping a
> simple but effective LAN and VPN.
>
> In a small business (<10 employees), what are other uses for 5 static IPs?

No uses at all. There is no benefit of having 5 Public IP#s from the ISP as
far as the Private LAN is concerned. Those 5 addresses go *outside* your
network. Since this is DSL,..they would all get bound to the DSL NAT Device
and you could then use Static NAT to make certain internal machines
available to the outside,....which is an *extremely bad* idea for someone
who isn't a full time IT guy who may not know all the security risks
involved in that, and who may not know for what reasons that might be done
and when it would be appropriate.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

OK, so what I want is a VPN with an IP address that doesn't change on a
whim. If I set up DHCP on the server, then set the modem/router to no
longer handle DHCP and to use the static IP, then that would work right
(the router would have to go through the server right..with its second NIC)?

I just want to know how people do simple VPNs with small setups like ours.

Thanks for any help

~~Eric



Phillip Windell wrote:
> "em" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>We just upgraded to 3mbps DSL and they gave us 5 static IPs (had dynamic
>>IP before).
>>
>>We want to set up a VPN and I've done one before with the old setup
>>(though temporary), but I want to know if I should still use DHCP from
>>the router or set up DHCP on the server and any other hints to keeping a
>>simple but effective LAN and VPN.
>>
>>In a small business (<10 employees), what are other uses for 5 static IPs?
>
>
> No uses at all. There is no benefit of having 5 Public IP#s from the ISP as
> far as the Private LAN is concerned. Those 5 addresses go *outside* your
> network. Since this is DSL,..they would all get bound to the DSL NAT Device
> and you could then use Static NAT to make certain internal machines
> available to the outside,....which is an *extremely bad* idea for someone
> who isn't a full time IT guy who may not know all the security risks
> involved in that, and who may not know for what reasons that might be done
> and when it would be appropriate.
>

On Mon, 28 Mar 2005 15:11:15 -0600, em <(E-Mail Removed)> wrote:

>OK, so what I want is a VPN with an IP address that doesn't change on a
>whim. If I set up DHCP on the server, then set the modem/router to no
>longer handle DHCP and to use the static IP, then that would work right
>(the router would have to go through the server right..with its second NIC)?

The description is confusing. You have an DSL router that connects to
a server, then the server is routing to the internal network? You
could do this easier with the router plugged into a switch (or a
router with an internal switch), and all internal devices, including
the server, also plugged into the switch.

>I just want to know how people do simple VPNs with small setups like ours.

Install the VPN server-side, install the VPN client, configure the VPN
user and policy, open and redirect the appropriate ports in your
firewall and get to work.

I'm not sure what part of this you're having troubles with. Have you
tried configuring a VPN and run into problems? If so, what were the
problems?

Jeff

>Thanks for any help
>
>~~Eric
>
>
>
>Phillip Windell wrote:
>> "em" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>
>>>We just upgraded to 3mbps DSL and they gave us 5 static IPs (had dynamic
>>>IP before).
>>>
>>>We want to set up a VPN and I've done one before with the old setup
>>>(though temporary), but I want to know if I should still use DHCP from
>>>the router or set up DHCP on the server and any other hints to keeping a
>>>simple but effective LAN and VPN.
>>>
>>>In a small business (<10 employees), what are other uses for 5 static IPs?
>>
>>
>> No uses at all. There is no benefit of having 5 Public IP#s from the ISP as
>> far as the Private LAN is concerned. Those 5 addresses go *outside* your
>> network. Since this is DSL,..they would all get bound to the DSL NAT Device
>> and you could then use Static NAT to make certain internal machines
>> available to the outside,....which is an *extremely bad* idea for someone
>> who isn't a full time IT guy who may not know all the security risks
>> involved in that, and who may not know for what reasons that might be done
>> and when it would be appropriate.
>>

"em" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> OK, so what I want is a VPN with an IP address that doesn't change on a
> whim. If I set up DHCP on the server, then set the modem/router to no
> longer handle DHCP and to use the static IP, then that would work right
> (the router would have to go through the server right..with its second
NIC)?


No. You will not go "through" the Windows Server for anything Internet
related and it will only have one NIC. The DSL NAT Device will be the VPN
Server. In fact the DSL NAT Device is "everything" all in one box as far as
the Internet is concerned.

The DSL NAT Device:
1. Has all the Public IP#s
2. Performs NAT for the LAN
3. Is effectively your "Firewall"
4. Is the VPN Server (assuming it has those features,... some dont')
5. Is the DHCP Server although I recommend you use the Windows Server for
that, as did Jeff.

Your Windows Server would just have one nic and act no different than any
other machine on the network. You will not go "through" the Windows Server
for anything Internet related. It is only concerned with the LAN and
nothing "Internet-wise".

The Windows Server does:
1. Proovides Domain logins for the LAN
2. Provide DNS for the LAN, forwards other DNS Queries to the ISP's DNS
3. Provides WINS for the LAN (if you use it)
4. Provides DHCP for tha LAN
5. Provides "File Serving" for the LAN
6. Can do other things too, but I don't want to get too carried away with
it....

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Phillip Windell wrote:
> The DSL NAT Device:
> 1. Has all the Public IP#s
> 2. Performs NAT for the LAN
> 3. Is effectively your "Firewall"
> 4. Is the VPN Server (assuming it has those features,... some dont')
> 5. Is the DHCP Server although I recommend you use the Windows Server for
> that, as did Jeff.

> The Windows Server does:
> 1. Proovides Domain logins for the LAN
> 2. Provide DNS for the LAN, forwards other DNS Queries to the ISP's DNS
> 3. Provides WINS for the LAN (if you use it)
> 4. Provides DHCP for tha LAN
> 5. Provides "File Serving" for the LAN
> 6. Can do other things too, but I don't want to get too carried away with
> it....
>

Thank you both. The main issue I was having is not having a static
address to be able to access the DSL router from the internet. We have
had a VPN in the past, but it was a pain because our router's IP was
dynamic.

I had to call our ISP to get the static IP address range today and he
helped me set the DSL router to use them...well, we turned off NAT and
DHCP on the router and since the 2000 server wasn't running DHCP, it got
kindof screwy. I changed it all back to how it was.

Tomorrow morning I'll try setting up the dhcp/dns on the win 2000
server, disabling DHCP on the router, and setting up the static IP again.

Jeff, I do have everything running through a switch.

thanks guys, I;m not new to networking, but sadly I don't get to spend
enough learning everything..sorry about my semantics.

~~Eric

"em" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I had to call our ISP to get the static IP address range today and he
> helped me set the DSL router to use them...well, we turned off NAT and
> DHCP on the router and since the 2000 server wasn't running DHCP, it got
> kindof screwy. I changed it all back to how it was.

You can't turn NAT off on the DSL Device,...you *need* that,..but you don't
need DHCP on the DSL Device. I never said to turn off NAT.

I know that Jeff and I have gave slightly different suggestions, but that is
because there is more than one way to do things. You eventually have to
decide for yourself how you are going to do things.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Phillip Windell wrote:
> You can't turn NAT off on the DSL Device,...you *need* that,..but you don't
> need DHCP on the DSL Device. I never said to turn off NAT.
>
> I know that Jeff and I have gave slightly different suggestions, but that is
> because there is more than one way to do things. You eventually have to
> decide for yourself how you are going to do things.
>

No, no, I meant I had called the ISP *before* I wrote to the newsgroup
and that's when we had turned off NAT..we turned it right back on as
soon as we had access back in yesterday.

Anyways, now DHCP on DSL router is off and NAT is on. I set up DHCP on
the server using a 192.168.5.*** scope...server is ...5.1 and the leases
go from ...5.2 to ...5.30

I set the internal DSL router's address to 192.168.5.30 and also made a
'reservation' for it on the DHCP settings, though I wasn't sure if that
was necessary. The DSL router doesn't show up on the DHCP lease list,
but it works fine..I assume because it's not using DHCP to get its
address. Same with a big printer/copier we have that won't
automatically get an address.

OK, so I also went to DHCP server option #6 to add a DNS, which I added
the routers address 192.168.5.30, so I don't have to manually set DNS
for every client.

The clients have all default TCPIP settings except I have to add the
default gateway address in. Is it possible to have the client
automatically figure out the gateway by some setting on the server?

Thanks again for the help. Things are working good. Just trying to
figure the best way to set a few last settings.

~~Eric

oh, we have no WINS, domain, or AD set up right now