Client Cannot Ping Host VPN from Internet

From the internet my client cannot ping the IP address or VPN to a new
Windows 2003 sp1 server. I can VPN if I plug into the same T1 router that
the server is connected to and use a different internet IP address for my
client. For example lets say the VPN port of the server is 66.66.66.19 and
my client is set up as 66.66.66.20. Everything works perfect which leads me
to believe that my client is configured correctly. It was also connecting
fine to an older windows 2000 server same network settings with no problems.

Connecting from the internet I get the following errors on my client:
Error 678 - VPN Network properties set to PPTP
Error 781 - Set to L2TP IPSec
Error 800 - Set to Automatic
(Client Firewall enabled or disabled)

I configured the server VPN using the win2003 wizard. The only changes I
made are to set up a static address pool of 10 IP address instead of using
DHCP and to cut back on
the number of ports from 256 to 20 (10 PPTP and 10 L2TP ports).

The server has two network connections. One to my LAN and the other to my T1
Router.

The following rolls are set up in this server, VPN, AD, DNS, DHCP and WINS
DS. I have a second Win2003 server on the domain setup to run file sharing
and tape backup.

Thanks in advance
Lou

"Lou Cetrangelo" <Lou (E-Mail Removed)> wrote in message
news:4A9C21A7-A204-4B31-B536-(E-Mail Removed)...
> From the internet my client cannot ping the IP address or VPN to a new
> Windows 2003 sp1 server. I can VPN if I plug into the same T1 router
that
> the server is connected to and use a different internet IP address for my
> client. For example lets say the VPN port of the server is 66.66.66.19
and
> my client is set up as 66.66.66.20. Everything works perfect which leads
me
> to believe that my client is configured correctly. It was also
connecting
> fine to an older windows 2000 server same network settings with no
problems.

Some ISP's do not allow VPN.

Or you have something on the VPN Server that tells it to not accept
connections from anything not on the same subnet as it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------

Hi Phillip:

With a cable modem and a dial up account I see the same issue. Both would
connect with the old Win2k server. I think it must have something to do
with the Win2k3 VPN Server blocking. If it is any help I used "Manage Your
Server Wizard" to set up the VPN.

Any suggestions on where I could look?

"Phillip Windell" wrote:

> "Lou Cetrangelo" <Lou (E-Mail Removed)> wrote in message
> news:4A9C21A7-A204-4B31-B536-(E-Mail Removed)...
> > From the internet my client cannot ping the IP address or VPN to a new
> > Windows 2003 sp1 server. I can VPN if I plug into the same T1 router
> that
> > the server is connected to and use a different internet IP address for my
> > client. For example lets say the VPN port of the server is 66.66.66.19
> and
> > my client is set up as 66.66.66.20. Everything works perfect which leads
> me
> > to believe that my client is configured correctly. It was also
> connecting
> > fine to an older windows 2000 server same network settings with no
> problems.
>
> Some ISP's do not allow VPN.
>
> Or you have something on the VPN Server that tells it to not accept
> connections from anything not on the same subnet as it.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/t...dance/2004.asp
> http://www.microsoft.com/isaserver/t...dance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
>
> Deployment Guidelines for ISA Server 2004 Enterprise Edition
> http://www.microsoft.com/technet/pro...isaserver.mspx
> -----------------------------------------------------
>
>
>
>

some isp's block pings also, so you can't trust that any more either.

"Lou Cetrangelo" <(E-Mail Removed)> wrote in message
news:284150B0-1272-4A8B-AEAB-(E-Mail Removed)...
> Hi Phillip:
>
> With a cable modem and a dial up account I see the same issue. Both would
> connect with the old Win2k server. I think it must have something to do
> with the Win2k3 VPN Server blocking. If it is any help I used "Manage
> Your
> Server Wizard" to set up the VPN.
>
> Any suggestions on where I could look?
>
> "Phillip Windell" wrote:
>
>> "Lou Cetrangelo" <Lou (E-Mail Removed)> wrote in
>> message
>> news:4A9C21A7-A204-4B31-B536-(E-Mail Removed)...
>> > From the internet my client cannot ping the IP address or VPN to a new
>> > Windows 2003 sp1 server. I can VPN if I plug into the same T1 router
>> that
>> > the server is connected to and use a different internet IP address for
>> > my
>> > client. For example lets say the VPN port of the server is 66.66.66.19
>> and
>> > my client is set up as 66.66.66.20. Everything works perfect which
>> > leads
>> me
>> > to believe that my client is configured correctly. It was also
>> connecting
>> > fine to an older windows 2000 server same network settings with no
>> problems.
>>
>> Some ISP's do not allow VPN.
>>
>> Or you have something on the VPN Server that tells it to not accept
>> connections from anything not on the same subnet as it.
>>
>> --
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>> -----------------------------------------------------
>> Understanding the ISA 2004 Access Rule Processing
>> http://www.isaserver.org/articles/IS...cessRules.html
>>
>> Microsoft Internet Security & Acceleration Server: Guidance
>> http://www.microsoft.com/isaserver/t...dance/2004.asp
>> http://www.microsoft.com/isaserver/t...dance/2000.asp
>>
>> Microsoft Internet Security & Acceleration Server: Partners
>> http://www.microsoft.com/isaserver/partners/default.asp
>>
>> Deployment Guidelines for ISA Server 2004 Enterprise Edition
>> http://www.microsoft.com/technet/pro...isaserver.mspx
>> -----------------------------------------------------
>>
>>
>>
>>

Hi Dave:

Thanks for your reply.

That may be true but I am able to ping a linksys router that is one digit
lower in IP then the VPN. I can do that on the dial up and cable modem
connections now. Just 10 days ago I also had no problem with both
connections on a Win2K VPN server with the same network settings.

I have a feeling that with all the extra security with Win2k3 and SP1
something is going on in the server to block everything coming in.

Any suggestions?

"Dave" wrote:

> some isp's block pings also, so you can't trust that any more either.
>
> "Lou Cetrangelo" <(E-Mail Removed)> wrote in message
> news:284150B0-1272-4A8B-AEAB-(E-Mail Removed)...
> > Hi Phillip:
> >
> > With a cable modem and a dial up account I see the same issue. Both would
> > connect with the old Win2k server. I think it must have something to do
> > with the Win2k3 VPN Server blocking. If it is any help I used "Manage
> > Your
> > Server Wizard" to set up the VPN.
> >
> > Any suggestions on where I could look?
> >
> > "Phillip Windell" wrote:
> >
> >> "Lou Cetrangelo" <Lou (E-Mail Removed)> wrote in
> >> message
> >> news:4A9C21A7-A204-4B31-B536-(E-Mail Removed)...
> >> > From the internet my client cannot ping the IP address or VPN to a new
> >> > Windows 2003 sp1 server. I can VPN if I plug into the same T1 router
> >> that
> >> > the server is connected to and use a different internet IP address for
> >> > my
> >> > client. For example lets say the VPN port of the server is 66.66.66.19
> >> and
> >> > my client is set up as 66.66.66.20. Everything works perfect which
> >> > leads
> >> me
> >> > to believe that my client is configured correctly. It was also
> >> connecting
> >> > fine to an older windows 2000 server same network settings with no
> >> problems.
> >>
> >> Some ISP's do not allow VPN.
> >>
> >> Or you have something on the VPN Server that tells it to not accept
> >> connections from anything not on the same subnet as it.
> >>
> >> --
> >> Phillip Windell [MCP, MVP, CCNA]
> >> www.wandtv.com
> >> -----------------------------------------------------
> >> Understanding the ISA 2004 Access Rule Processing
> >> http://www.isaserver.org/articles/IS...cessRules.html
> >>
> >> Microsoft Internet Security & Acceleration Server: Guidance
> >> http://www.microsoft.com/isaserver/t...dance/2004.asp
> >> http://www.microsoft.com/isaserver/t...dance/2000.asp
> >>
> >> Microsoft Internet Security & Acceleration Server: Partners
> >> http://www.microsoft.com/isaserver/partners/default.asp
> >>
> >> Deployment Guidelines for ISA Server 2004 Enterprise Edition
> >> http://www.microsoft.com/technet/pro...isaserver.mspx
> >> -----------------------------------------------------
> >>
> >>
> >>
> >>
>
>
>

Lou,

What kind of tunnel are we using? PPTP? L2TP? Is the VPN server using a
public IP address? Is the client machine behind a NAT box? If it is beware
of the Nat editor necessary for PPTP connections- in addition becareful with
IPSec behind a NAT. Always good times.

alexk

"Lou Cetrangelo" wrote:

> From the internet my client cannot ping the IP address or VPN to a new
> Windows 2003 sp1 server. I can VPN if I plug into the same T1 router that
> the server is connected to and use a different internet IP address for my
> client. For example lets say the VPN port of the server is 66.66.66.19 and
> my client is set up as 66.66.66.20. Everything works perfect which leads me
> to believe that my client is configured correctly. It was also connecting
> fine to an older windows 2000 server same network settings with no problems.
>
> Connecting from the internet I get the following errors on my client:
> Error 678 - VPN Network properties set to PPTP
> Error 781 - Set to L2TP IPSec
> Error 800 - Set to Automatic
> (Client Firewall enabled or disabled)
>
> I configured the server VPN using the win2003 wizard. The only changes I
> made are to set up a static address pool of 10 IP address instead of using
> DHCP and to cut back on
> the number of ports from 256 to 20 (10 PPTP and 10 L2TP ports).
>
> The server has two network connections. One to my LAN and the other to my T1
> Router.
>
> The following rolls are set up in this server, VPN, AD, DNS, DHCP and WINS
> DS. I have a second Win2003 server on the domain setup to run file sharing
> and tape backup.
>
> Thanks in advance
> Lou

Hi Alex

I have defined 10 PPTP ports and 10 L2TP ports. I am not sure which one it
is using though. The server is using a public IP address. There are two
network ports on the server. One for my LAN that is on a private IP of
192.168.0.xx and the second is on a public IP that I would prefer not to
list. It is directly connected to a T1 router. I have 14 useable Public
IP address at the T1 Router.

The client (when connected to the cable modem) is behind a Linksys NAT
router that has it's VPN ports open (same settings were working before).
The second way I can connect the client is with a dial up account that also
worked before to connect via VPN.

One point that baffles me is that if I connect the client to one of my other
public IP address then everything is wonderful. The difference of course
is that the VPN is not going through any routers.

I am thinking of blowing out the RRA and setting it up manually using:
http://support.microsoft.com/default...b/323441/en-us (How to install
and configure a Virtual Private Network server in Windows Server 2003)

Best regards
Lou (E-Mail Removed)

"alexk" <(E-Mail Removed)> wrote in message
news:007B6877-0A73-4266-8476-(E-Mail Removed)...
> Lou,
>
> What kind of tunnel are we using? PPTP? L2TP? Is the VPN server using a
> public IP address? Is the client machine behind a NAT box? If it is
> beware
> of the Nat editor necessary for PPTP connections- in addition becareful
> with
> IPSec behind a NAT. Always good times.
>
> alexk
>
> "Lou Cetrangelo" wrote:
>
>> From the internet my client cannot ping the IP address or VPN to a new
>> Windows 2003 sp1 server. I can VPN if I plug into the same T1 router
>> that
>> the server is connected to and use a different internet IP address for my
>> client. For example lets say the VPN port of the server is 66.66.66.19
>> and
>> my client is set up as 66.66.66.20. Everything works perfect which leads
>> me
>> to believe that my client is configured correctly. It was also
>> connecting
>> fine to an older windows 2000 server same network settings with no
>> problems.
>>
>> Connecting from the internet I get the following errors on my client:
>> Error 678 - VPN Network properties set to PPTP
>> Error 781 - Set to L2TP IPSec
>> Error 800 - Set to Automatic
>> (Client Firewall enabled or disabled)
>>
>> I configured the server VPN using the win2003 wizard. The only changes I
>> made are to set up a static address pool of 10 IP address instead of
>> using
>> DHCP and to cut back on
>> the number of ports from 256 to 20 (10 PPTP and 10 L2TP ports).
>>
>> The server has two network connections. One to my LAN and the other to my
>> T1
>> Router.
>>
>> The following rolls are set up in this server, VPN, AD, DNS, DHCP and
>> WINS
>> DS. I have a second Win2003 server on the domain setup to run file
>> sharing
>> and tape backup.
>>
>> Thanks in advance
>> Lou

Hi Alex

I have defined 10 PPTP ports and 10 L2TP ports. I am not sure which is
being used though. The server is using a public IP address. There are two
network ports on the server. One for my LAN that is on a private IP of
192.168.0.xx and the second is on a public IP that I would prefer not to
list. It is directly connected to a T1 router. I have 14 useable Public
IP address at the T1 Router.

The client (when connected to the cable modem) is behind a Linksys NAT
router that has its VPN ports open (same settings were working before). The
second way I can connect the client is with a dial up account that also
worked before to connect via VPN.

One point that baffles me is that if I connect the client to one of my other
public IP address then everything is wonderful. The difference of course is
that the VPN is not going through any routers.

I am thinking of blowing out RRA and setting it up manually with:
http://support.microsoft.com/kb/323441/en-us (How to install and
configure a Virtual Private Network server in Windows Server 2003)

Best regards
Lou

"alexk" wrote:

> Lou,
>
> What kind of tunnel are we using? PPTP? L2TP? Is the VPN server using a
> public IP address? Is the client machine behind a NAT box? If it is beware
> of the Nat editor necessary for PPTP connections- in addition becareful with
> IPSec behind a NAT. Always good times.
>
> alexk
>
> "Lou Cetrangelo" wrote:
>
> > From the internet my client cannot ping the IP address or VPN to a new
> > Windows 2003 sp1 server. I can VPN if I plug into the same T1 router that
> > the server is connected to and use a different internet IP address for my
> > client. For example lets say the VPN port of the server is 66.66.66.19 and
> > my client is set up as 66.66.66.20. Everything works perfect which leads me
> > to believe that my client is configured correctly. It was also connecting
> > fine to an older windows 2000 server same network settings with no problems.
> >
> > Connecting from the internet I get the following errors on my client:
> > Error 678 - VPN Network properties set to PPTP
> > Error 781 - Set to L2TP IPSec
> > Error 800 - Set to Automatic
> > (Client Firewall enabled or disabled)
> >
> > I configured the server VPN using the win2003 wizard. The only changes I
> > made are to set up a static address pool of 10 IP address instead of using
> > DHCP and to cut back on
> > the number of ports from 256 to 20 (10 PPTP and 10 L2TP ports).
> >
> > The server has two network connections. One to my LAN and the other to my T1
> > Router.
> >
> > The following rolls are set up in this server, VPN, AD, DNS, DHCP and WINS
> > DS. I have a second Win2003 server on the domain setup to run file sharing
> > and tape backup.
> >
> > Thanks in advance
> > Lou

Lou,

It seems the problem has to do with the external ip address of the VPN
server. (IP, routing table, packetfiltering, something ihere).

when you run ipconfig on the external address you should see

IP address - public address
SM - 255.255.255.240
Gateway - I assume the adapter of the t1 router connected to the network
segment of the VPN server.

the second adapter should have no default gateway configured.

Disable the internal adapter and attempt to connect to the Internet on the
VPN server without any proxy features- can you?

let me know what you get.

alexk


"Lou Cetrangelo" wrote:

> Hi Alex
>
> I have defined 10 PPTP ports and 10 L2TP ports. I am not sure which is
> being used though. The server is using a public IP address. There are two
> network ports on the server. One for my LAN that is on a private IP of
> 192.168.0.xx and the second is on a public IP that I would prefer not to
> list. It is directly connected to a T1 router. I have 14 useable Public
> IP address at the T1 Router.
>
> The client (when connected to the cable modem) is behind a Linksys NAT
> router that has its VPN ports open (same settings were working before). The
> second way I can connect the client is with a dial up account that also
> worked before to connect via VPN.
>
> One point that baffles me is that if I connect the client to one of my other
> public IP address then everything is wonderful. The difference of course is
> that the VPN is not going through any routers.
>
> I am thinking of blowing out RRA and setting it up manually with:
> http://support.microsoft.com/kb/323441/en-us (How to install and
> configure a Virtual Private Network server in Windows Server 2003)
>
> Best regards
> Lou
>
> "alexk" wrote:
>
> > Lou,
> >
> > What kind of tunnel are we using? PPTP? L2TP? Is the VPN server using a
> > public IP address? Is the client machine behind a NAT box? If it is beware
> > of the Nat editor necessary for PPTP connections- in addition becareful with
> > IPSec behind a NAT. Always good times.
> >
> > alexk
> >
> > "Lou Cetrangelo" wrote:
> >
> > > From the internet my client cannot ping the IP address or VPN to a new
> > > Windows 2003 sp1 server. I can VPN if I plug into the same T1 router that
> > > the server is connected to and use a different internet IP address for my
> > > client. For example lets say the VPN port of the server is 66.66.66.19 and
> > > my client is set up as 66.66.66.20. Everything works perfect which leads me
> > > to believe that my client is configured correctly. It was also connecting
> > > fine to an older windows 2000 server same network settings with no problems.
> > >
> > > Connecting from the internet I get the following errors on my client:
> > > Error 678 - VPN Network properties set to PPTP
> > > Error 781 - Set to L2TP IPSec
> > > Error 800 - Set to Automatic
> > > (Client Firewall enabled or disabled)
> > >
> > > I configured the server VPN using the win2003 wizard. The only changes I
> > > made are to set up a static address pool of 10 IP address instead of using
> > > DHCP and to cut back on
> > > the number of ports from 256 to 20 (10 PPTP and 10 L2TP ports).
> > >
> > > The server has two network connections. One to my LAN and the other to my T1
> > > Router.
> > >
> > > The following rolls are set up in this server, VPN, AD, DNS, DHCP and WINS
> > > DS. I have a second Win2003 server on the domain setup to run file sharing
> > > and tape backup.
> > >
> > > Thanks in advance
> > > Lou

Hi Alex:

I got it working!

I removed RRA and reinstalled it manually. Same situation. In Remote
Access Policies section under the server in RRA. I went to edit profile,
input filters and output filters. There was one filter under input filters
and none on output filters. I do not recall exactly what it was but it all
the parameters were marked as "any" I deleted it. I am not 100% sure that
fixed it but now it is working.

Maybe it just needed some time to build routing tables after I redefined it.

With regards to the gateways. I do have a default gateway for my local
private network port and one for the public one. When I save it I get a
message complaining that I should have only one default gateway. When I
remove the gateway for the private local network I can no longer get on-line
for browsing in the server. The local port is attached to a linksys router
sharing a public IP address across our LAN. I suppose this is a security
risk.

Best regards
Lou

"alexk" wrote:

> Lou,
>
> It seems the problem has to do with the external ip address of the VPN
> server. (IP, routing table, packetfiltering, something ihere).
>
> when you run ipconfig on the external address you should see
>
> IP address - public address
> SM - 255.255.255.240
> Gateway - I assume the adapter of the t1 router connected to the network
> segment of the VPN server.
>
> the second adapter should have no default gateway configured.
>
> Disable the internal adapter and attempt to connect to the Internet on the
> VPN server without any proxy features- can you?
>
> let me know what you get.
>
> alexk
>
>
> "Lou Cetrangelo" wrote:
>
> > Hi Alex
> >
> > I have defined 10 PPTP ports and 10 L2TP ports. I am not sure which is
> > being used though. The server is using a public IP address. There are two
> > network ports on the server. One for my LAN that is on a private IP of
> > 192.168.0.xx and the second is on a public IP that I would prefer not to
> > list. It is directly connected to a T1 router. I have 14 useable Public
> > IP address at the T1 Router.
> >
> > The client (when connected to the cable modem) is behind a Linksys NAT
> > router that has its VPN ports open (same settings were working before). The
> > second way I can connect the client is with a dial up account that also
> > worked before to connect via VPN.
> >
> > One point that baffles me is that if I connect the client to one of my other
> > public IP address then everything is wonderful. The difference of course is
> > that the VPN is not going through any routers.
> >
> > I am thinking of blowing out RRA and setting it up manually with:
> > http://support.microsoft.com/kb/323441/en-us (How to install and
> > configure a Virtual Private Network server in Windows Server 2003)
> >
> > Best regards
> > Lou
> >
> > "alexk" wrote:
> >
> > > Lou,
> > >
> > > What kind of tunnel are we using? PPTP? L2TP? Is the VPN server using a
> > > public IP address? Is the client machine behind a NAT box? If it is beware
> > > of the Nat editor necessary for PPTP connections- in addition becareful with
> > > IPSec behind a NAT. Always good times.
> > >
> > > alexk
> > >
> > > "Lou Cetrangelo" wrote:
> > >
> > > > From the internet my client cannot ping the IP address or VPN to a new
> > > > Windows 2003 sp1 server. I can VPN if I plug into the same T1 router that
> > > > the server is connected to and use a different internet IP address for my
> > > > client. For example lets say the VPN port of the server is 66.66.66.19 and
> > > > my client is set up as 66.66.66.20. Everything works perfect which leads me
> > > > to believe that my client is configured correctly. It was also connecting
> > > > fine to an older windows 2000 server same network settings with no problems.
> > > >
> > > > Connecting from the internet I get the following errors on my client:
> > > > Error 678 - VPN Network properties set to PPTP
> > > > Error 781 - Set to L2TP IPSec
> > > > Error 800 - Set to Automatic
> > > > (Client Firewall enabled or disabled)
> > > >
> > > > I configured the server VPN using the win2003 wizard. The only changes I
> > > > made are to set up a static address pool of 10 IP address instead of using
> > > > DHCP and to cut back on
> > > > the number of ports from 256 to 20 (10 PPTP and 10 L2TP ports).
> > > >
> > > > The server has two network connections. One to my LAN and the other to my T1
> > > > Router.
> > > >
> > > > The following rolls are set up in this server, VPN, AD, DNS, DHCP and WINS
> > > > DS. I have a second Win2003 server on the domain setup to run file sharing
> > > > and tape backup.
> > > >
> > > > Thanks in advance
> > > > Lou