Help with RRAS PHILLIP Windell

Phil we were almost there still need your help.
I have studied, I thank you, VERY MUCH, for your help you're not hearing all
or understanding all about my setup.
The 'Caller' is another vpn router. from the WAN location.
I also have 'Callers' being individual users.
2, types of 'callers'

If you'll recall my original setup, I know it was along time back, I have
Three (3) VPN routers. One at a remote site One as a DMZ at the Main
location and One on the other side of the main location. I then have the
2003 server using RRAS to take 'Users' connecting VIA MS-VPN. The Main
router on the inside of the DMZ is accepting the Tunnel from the Router at
the remote site.
The Routers have 'pass-through' capabilities because they are all the same
model and VPN is already passing thru the DMZ to the Main router and the
users are passing thru DMZ and Main routers to the 2003 server.
If their is a way to have the remote location router VPN directly into RRAS.
THAT's what I'd like to know how to do.
That seems to be the way to get this to work.
If I'm understanding correctly, if the remote router could VPN tunnel
directly into the 2003 box, then the users could connect as they normally do
and the remote site could sustain it's connection as well.

Please tell me this makes better sense now?

George.
MCSA, MCDBA, MCSEnt4, MCSE2K. MBA-IS

With this statement???
{{ (The NAT device IS capable of VPN pass-through, But I don't know how to
create a connection for the WAN NAT device in RRAS.)

You don't. That is not what VPN Pass-through does. It simply "relays" the
Tunnel to the RRAS box and allows the Tunnel to terminate there. The
connection is between the "caller" and the RRAS Server.}}

Are you saying that just by enabling the pass thru for VPN on the Main
router to the RRAS box. that my VPN tunnel will be created from the remote,
or WAN, location? without any IKE policies needed or user name and
password? And that my users will still be able to connect via MS-VPN as
always?



"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> ""1SE"" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > I do not want my users to have to load special software to connect to
the
> > LAN via VPN so I have to go with the 2003 box using RRAS.
>
> They never would have,..in anything I have suggested.
>
> > But if I eliminate one NIC from the server will Users still be able to
VPN
> > in to the 2003 server?
>
> You are not reading what I write and are blending different things I write
> together that aren't supposed to be.
>
> If the Server has one NIC, then you are doing *everything* with the NAT
> Device (NAT, VPN, everything)
>
> > (The NAT device IS capable of VPN pass-through, But I don't know how to
> > create a connection for the WAN NAT device in RRAS.)
>
> You don't. That is not what VPN Passthrough does. It simply "relays" the
> Tunnel to the RRAS box and allows the Tunnel to terminate there. The
> connection is between the "caller" and the RRAS Server.
>
> I can't do anymore with this. There is no way can teach you what you need
to
> know in email messages. You need to study how this stuff works on your own
> and get a better understanding of how the different theories and models
> work.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>

""1SE"" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Phil we were almost there still need your help.
> I have studied, I thank you, VERY MUCH, for your help you're not hearing
all
> or understanding all about my setup.
> The 'Caller' is another vpn router. from the WAN location.
> I also have 'Callers' being individual users.
> 2, types of 'callers'
>
> If you'll recall my original setup, I know it was along time back, I have
> Three (3) VPN routers. One at a remote site One as a DMZ at the Main
> location and One on the other side of the main location. I then have the
> 2003 server using RRAS to take 'Users' connecting VIA MS-VPN. The Main
> router on the inside of the DMZ is accepting the Tunnel from the Router at
> the remote site.
> The Routers have 'pass-through' capabilities because they are all the same
> model and VPN is already passing thru the DMZ to the Main router and the
> users are passing thru DMZ and Main routers to the 2003 server.
> If their is a way to have the remote location router VPN directly into
RRAS.
> THAT's what I'd like to know how to do.

It would do it the same as the "users" are doing it. But the NAT/VPN device
(I refuse to call the routers) may not be capable of running a Site2Site VPN
with RRAS. RRAS requires two connections (one each direction) for a
Site2Site VPN to work.

1. Forget RRAS, run a single Nic in the server.
2. Get rid of the DMZ and move/run the NAT/VPN device on the network edge.
3. Then things will work right, because all the NAT/VPN devices are the same
brand and model and will work fine together. There will no longer be any
need for the VPN Passthrough" feature.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Thank you again Phil.
This is correct Phil.... EXCEPT. You are forgetting about the users VPN'ing
in.
I still need the users to be able to remote into the network. (as well as
the NAT/VPN device)

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> ""1SE"" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> > Phil we were almost there still need your help.
> > I have studied, I thank you, VERY MUCH, for your help you're not hearing
> all
> > or understanding all about my setup.
> > The 'Caller' is another vpn router. from the WAN location.
> > I also have 'Callers' being individual users.
> > 2, types of 'callers'
> >
> > If you'll recall my original setup, I know it was along time back, I
have
> > Three (3) VPN routers. One at a remote site One as a DMZ at the Main
> > location and One on the other side of the main location. I then have the
> > 2003 server using RRAS to take 'Users' connecting VIA MS-VPN. The Main
> > router on the inside of the DMZ is accepting the Tunnel from the Router
at
> > the remote site.
> > The Routers have 'pass-through' capabilities because they are all the
same
> > model and VPN is already passing thru the DMZ to the Main router and the
> > users are passing thru DMZ and Main routers to the 2003 server.
> > If their is a way to have the remote location router VPN directly into
> RRAS.
> > THAT's what I'd like to know how to do.
>
> It would do it the same as the "users" are doing it. But the NAT/VPN
device
> (I refuse to call the routers) may not be capable of running a Site2Site
VPN
> with RRAS. RRAS requires two connections (one each direction) for a
> Site2Site VPN to work.
>
> 1. Forget RRAS, run a single Nic in the server.
> 2. Get rid of the DMZ and move/run the NAT/VPN device on the network edge.
> 3. Then things will work right, because all the NAT/VPN devices are the
same
> brand and model and will work fine together. There will no longer be any
> need for the VPN Passthrough" feature.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>

""1SE"" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thank you again Phil.
> This is correct Phil.... EXCEPT. You are forgetting about the users
VPN'ing
> in.
> I still need the users to be able to remote into the network. (as well as
> the NAT/VPN device)

Same suggestions. Those NAT/VPN Devices should be able to accept Remote
Access VPN (humans "dialing in") as well as doing Site2Site VPNs, and should
be able to do both at the same time.

1. Forget RRAS, run a single Nic in the server.
2. Get rid of the DMZ and move/run the NAT/VPN device on the network edge.
3. Then things will work right, because all the NAT/VPN devices are the
same brand and model and will work fine together. There will no longer be
any need for the VPN Passthrough" feature.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

I cannot use the NAT/VPN devices for Remote Access VPN (humans "dialing in")
This has been my issue from the beginning. I have to use RRAS for the
Remote Access VPN (humans "dialing in").
I do NOT want to have my users try and figure out third party software to
make a connection.


"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> ""1SE"" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Thank you again Phil.
> > This is correct Phil.... EXCEPT. You are forgetting about the users
> VPN'ing
> > in.
> > I still need the users to be able to remote into the network. (as well
as
> > the NAT/VPN device)
>
> Same suggestions. Those NAT/VPN Devices should be able to accept Remote
> Access VPN (humans "dialing in") as well as doing Site2Site VPNs, and
should
> be able to do both at the same time.
>
> 1. Forget RRAS, run a single Nic in the server.
> 2. Get rid of the DMZ and move/run the NAT/VPN device on the network
edge.
> 3. Then things will work right, because all the NAT/VPN devices are the
> same brand and model and will work fine together. There will no longer be
> any need for the VPN Passthrough" feature.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>

""1SE"" <(E-Mail Removed)> wrote in message
news:%23kY9%(E-Mail Removed)...
> I took the second nic, the one that was the WAN, and put it on the same
> subnet as the LAN NIC. I disabled all DNS notifications (so this 'xWAN'
nic
> wouldn't register in DNS) Then I reconfigured RRAS custom to do LAN
routing
> and VPN acceptance. I then pointed my MSVPN users to this 'xWAN' NIC and
> kept my WAN-VPN hardware the way that it was. I connected the NAT/VPN
device
> to the LAN.

You are just creating more "comvolution" and mess. If it is now on the same
subnet as the LAN Nic then you don't need it to begin with and can just use
the LAN nic that is already there and run the server as a single-nic server.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Will RRAS still allow VPN connection from the outside with only one NIC?

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> ""1SE"" <(E-Mail Removed)> wrote in message
> news:%23kY9%(E-Mail Removed)...
> > I took the second nic, the one that was the WAN, and put it on the same
> > subnet as the LAN NIC. I disabled all DNS notifications (so this 'xWAN'
> nic
> > wouldn't register in DNS) Then I reconfigured RRAS custom to do LAN
> routing
> > and VPN acceptance. I then pointed my MSVPN users to this 'xWAN' NIC and
> > kept my WAN-VPN hardware the way that it was. I connected the NAT/VPN
> device
> > to the LAN.
>
> You are just creating more "comvolution" and mess. If it is now on the
same
> subnet as the LAN Nic then you don't need it to begin with and can just
use
> the LAN nic that is already there and run the server as a single-nic
server.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>

""1SE"" <(E-Mail Removed)> wrote...
>Will RRAS still allow VPN connection from the outside with only one NIC?

Yes, but the connection will terminate at the RRAS itself and it would be a
client/server connection only - you couldn't make a site-to-site VPN out of
it.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

That's fine that's all I want the clients to be able to do. Sounds like it?

Will they be able to VPN in and launch remote desktop to get to their
desktops?


"Todd J Heron" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> ""1SE"" <(E-Mail Removed)> wrote...
> >Will RRAS still allow VPN connection from the outside with only one NIC?
>
> Yes, but the connection will terminate at the RRAS itself and it would be
a
> client/server connection only - you couldn't make a site-to-site VPN out
of
> it.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> --------------------------------------------------------------------------
--
> This posting is provided "as is" with no warranties and confers no rights
>

I think it is working with the ONE NIC now.
Hardware Site to Site VPN and RRAS VPN for clients.

The VPN only stays connected for 2 MIN. though. I'm not sure if this is
related or a separated issue. But Every 2 min the MS vpn disconnects,
without error. disconnects just like it was requested by the client. I've
tried multiple clients 2K, XP, and multiple ISP's just to confirm. It's is
like clock work 2min, disconnect.
The server is now Windows2003 SP1.


""1SE"" <(E-Mail Removed)> wrote in message
news:uIUB00$(E-Mail Removed)...
> That's fine that's all I want the clients to be able to do. Sounds like
it?
>
> Will they be able to VPN in and launch remote desktop to get to their
> desktops?
>
>
> "Todd J Heron" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > ""1SE"" <(E-Mail Removed)> wrote...
> > >Will RRAS still allow VPN connection from the outside with only one
NIC?
> >
> > Yes, but the connection will terminate at the RRAS itself and it would
be
> a
> > client/server connection only - you couldn't make a site-to-site VPN out
> of
> > it.
> >
> > --
> > Todd J Heron, MCSE
> > Windows Server 2003/2000/NT; CCA
>
> --------------------------------------------------------------------------
> --
> > This posting is provided "as is" with no warranties and confers no
rights
> >
>
>