Networking Forums

NAT help for 'simple' VPN configuration

Tim_Mac
09-22-2005, 04:06 PM
hi,
i am stumbling along trying to get this VPN working. i've spent ages
reading up about it but can't seem to get NAT to work.

the VPN is on a stand-alone windows 2003 server, in a datacenter
environment. Routing and RRAS is active. the configured roles are:
file server, VPN, application server. no DHCP or DNS server. i should
emphasise there are no other computers on the network, it is entirely
stand-alone, with an external web connection. the server is housing all
the files for the VPN.

the RRAS IP address assignment is done with a static pool of
192.168.0.1-255.
NAT/Basic Firewall is set up on the only NIC on the server. in the
NAT/firewall properties, IP address assignment is not done via DHCP
because i think this would conflict with the static pool configured in
RRAS properties.
on the LAN interface then within NAT/firewall, i have "enable NAT" and
"enable firewall" ticked. the external address pool is set up, and i
have several ports enabled.
my clients can connect to the VPN no problem, but there is no NAT and
external DNS doesn't work. i'd like to solve the NAT problem first.
i can browse to the server IP which is 192.168.0.1 and see files etc.
i really need to browse to the server name though.

when i look in the event log, there is a warning for each port on the
VPN as follows:

Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20171
Date: 22/09/2005
Time: 16:52:30
User: N/A
Computer: BBWEB
Description:
Failed to apply IP Security on port VPN2-79 because of error: The
binding handle is invalid.
.. No calls will be accepted to this port.
Data:
0000: a6 06 00 00 ¦...

but i can still connect from windows clients across the web without
difficulty. any help is GREATLY appreciated.. i'm tearing my hair out
here!
thanks
tim

Phillip Windell
09-22-2005, 05:32 PM
There is no NAT when you are using VPN. NAT is when you are *not* using VPN
and you are already starting out in the inside (not the outside) and want to
get to the outside (not the inside).

VPN also operates under the assumption that you have a multi-home VPN
machine. The VPN user becomes associated with the internal side of the
machine not the external side and resources are all accessed using the
internal address, not the public addresses.

Get rid of the NAT.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------

Bill Grant
09-23-2005, 01:44 AM
Tim,

You seem to misunderstand how this works. When you connect to your
server by VPN, the point-to-point connection is made using the private IP
addresses from the pool. So the remote client needs to use the private IP of
the server (just as a LAN client would do). That is why it is called a
virtual private network. The client appears to be on the private LAN.

External DNS will not resolve the name to this IP. As you have no
internal DNS, you will need to add a hosts file to the client to resolve the
server's name to its internal IP if you want to use the server name to find
files.

Tim_Mac
09-24-2005, 10:23 AM
hi Philip, Bill, many thanks for the replies.
firstly to Philip, i removed NAT and ticked 'Basic Firewall Only', and
i have the same functionality, so that simplifies the matter greatly,
thanks.

Bill, i do understand about the private internal IP addresses. my
client connects to the server via its internal IP when the VPN is
connected. i mention the external DNS because the client cannot browse
web sites outside the VPN while it is connected, which is no good. the
clients have DSL connections, and they connect to the VPN by PPTP.
the VPN should not disable external internet access.

i read on a microsoft article
(http://www.microsoft.com/technet/pro...084387465.mspx)
that you don't need DNS to resolve computer names to IP addresses on a
VPN, thanks to NetBT Proxy.
i quote: "The result is that network nodes on network segments that are
attached to the VPN server (and all connected VPN clients) can
automatically resolve each other's names without a DNS or WINS server."

i can actually browse to \\serverName if i turn off the firewall on my
XP Pro SP2 test client. but that's not desirable either for obvious
reasons. once i turn the firewall back on, i can only browse by IP
address.

any ideas for how to enable computer browsing (by name) with the
default client XP firewall turned on?

thanks
tim

Tim_Mac
09-24-2005, 07:21 PM
i turned on the firewall logger and found that windows firewall was
dropping the NetBios packets on port 137. this happened when i
requested a share while connected to the VPN, using \\ServerName.
here's the relevant contents of the log.

2005-09-24 20:00:30 DROP UDP 192.168.0.1 192.168.0.2 137 137 90 - - - - - - - RECEIVE

does windows XP sp2 firewall block these packets by default?
i'm really keen not to start introducing client config requirements, so
is the best thing for me to add a DNS role to the server? will that
let me browse shares with \\servername?

thanks
tim

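The log line quoted above is in the W3C extended format that the XP SP2 firewall writes to pfirewall.log. The following Python script is an added example (not code from the thread or from Microsoft): it parses such lines and reports inbound DROP entries on the file-and-printer-sharing ports (UDP 137/138, TCP 139/445) whose source address lies in the RRAS pool, which is exactly the signature of the client firewall discarding the VPN server's NetBIOS traffic. The sample log is constructed (its first DROP line reproduces the one from the post), and treating the thread's 192.168.0.1-255 pool as 192.168.0.0/24 is an assumption.

```python
"""Added example (not code from the thread): scan a Windows XP SP2 /
Server 2003 firewall log (pfirewall.log, W3C extended format) for inbound
DROP entries on the file-and-printer-sharing ports whose source lies in
the RRAS address pool.  The sample lines below are constructed; the first
DROP line reproduces the one quoted in the thread."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Field order from the "#Fields:" header the XP SP2 firewall writes.
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path")

# Ports covered by the "File and Printer Sharing" exception.
FILE_SHARING_PORTS = {
    (137, "UDP"): "NetBIOS-NS",   # name service (the drop seen in the thread)
    (138, "UDP"): "NetBIOS-DGM",  # datagram service (browser announcements)
    (139, "TCP"): "NetBIOS-SSN",  # session service
    (445, "TCP"): "SMB",          # direct-hosted SMB
}

# Assumption: the thread's static pool 192.168.0.1-255 is the /24.
VPN_POOL = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample log; only the first DROP line comes from the thread.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-09-24 20:00:30 DROP UDP 192.168.0.1 192.168.0.2 137 137 90 - - - - - - - RECEIVE
2005-09-24 20:00:31 OPEN TCP 192.168.0.2 192.168.0.1 1045 445 0 - 0 0 0 - - - -
2005-09-24 20:00:32 DROP UDP 10.0.0.5 192.168.0.2 137 137 78 - - - - - - - RECEIVE
2005-09-24 20:00:33 DROP TCP 192.168.0.1 192.168.0.2 139 1046 48 S 12345 0 65535 - - - RECEIVE
2005-09-24 20:00:34 DROP UDP 192.168.0.1 192.168.0.2 138 138 229 - - - - - - - RECEIVE
"""


@dataclass
class Finding:
    when: str
    protocol: str
    src_ip: str
    dst_port: int
    service: str


def parse_line(line):
    """Return one entry as a dict keyed by FIELDS, or None for header,
    comment, blank or malformed lines (skipped rather than guessed at)."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def dropped_file_sharing(lines, pool=VPN_POOL):
    """Inbound DROPs on file-sharing ports from addresses in the VPN pool."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["action"] != "DROP" or e["path"] != "RECEIVE":
            continue
        try:
            src = ipaddress.ip_address(e["src_ip"])
            dst_port = int(e["dst_port"])
        except ValueError:
            continue
        service = FILE_SHARING_PORTS.get((dst_port, e["protocol"]))
        if src in pool and service is not None:
            findings.append(Finding(f"{e['date']} {e['time']}", e["protocol"],
                                    str(src), dst_port, service))
    return findings


def summarize(findings):
    """Count of dropped packets per blocked service, e.g. {'NetBIOS-NS': 1}."""
    return dict(Counter(f.service for f in findings))


if __name__ == "__main__":
    found = dropped_file_sharing(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.when}  {f.protocol}/{f.dst_port} ({f.service}) "
              f"from {f.src_ip} dropped inbound")
    print(summarize(found))
```

Pointing this at a client's real pfirewall.log confirms that it is the client firewall, not the server, discarding the name-service traffic; the remedy that keeps the firewall on is to enable the client's File and Printer Sharing exception and restrict its scope to the VPN subnet rather than turning the firewall off.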
Bill Grant
09-24-2005, 11:45 PM
I know that Microsoft introduced the NetBT proxy in Server 2003 but I
have never used it. (It wasn't there in W2k). If you don't have a DNS server
on the LAN I would use hosts or lmhosts files on the client for name
resolution.

The Internet browsing is a client setting. By default, all traffic is
redirected to the VPN link. To keep the default route to the Internet
(split tunnel), you need to clear the "Use default router.." box in TCP/IP
of the client's connection properties. See KB 254231.

The Netbios firewall settings on the server won't worry you. When the
VPN traffic goes through it is still encrypted. The firewall only sees the
PPTP header.

The firewall settings on the client will have to allow file sharing and
allow traffic on the 192.168.0 subnet.

