NAT router
Simon James Owen
      05-13-2008, 02:20 PM
Hi, I have a windows 2008 server (sorry, I know this is a Server 2003
newsgroup but I cannot find a 2008 one) running RAS with VPN and NAT enabled.

When clients connect to the network via VPN they can access the internet
through the server without any problems, but local clients cannot.

The server connects to our private network on Local Area Connection, static
IP 192.168.1.1, subnet 255.255.0.0.

The internet is connected on Local Area Connection 2, IP 192.168.1.10,
subnet 255.255.255.0 gateway 192.168.1.254.

DHCP ranges for local clients are 192.168.1.11 - 192.168.1.30 with default
gateway set to 192.168.1.1.

The server also runs DNS with forwarding to the ISP and DNS lookups are
working correctly from all machines.

It's using the default settings for the IP routing table. What else do I need
to do to allow client computers on the private network to route to the
internet?

Thanks in advance for any help on this.
Phillip Windell
      05-13-2008, 03:30 PM
Fix your IP Scheme.
Use the mask 255.255.255.0,...not 255.255.0.0
For the Server to run as a NAT Box it must have two NICs (Internal -vs-
External).
The two nics must be in different subnets
RRAS must be configured to properly identify the Internal Side.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


"Simon James Owen" <(E-Mail Removed)> wrote in
message news:C8E3A19-1D33-4F38-B155-(E-Mail Removed)...
> Hi, I have a windows 2008 server (sorry, I know this is a Server 2003
> newsgroup but I cannot find a 2008 one) running RAS with VPN and NAT
> enabled.
>
> When clients connect to the network via VPN they can access the internet
> through the server without any problems, but local clients cannot.
>
> The server connects to our private network on Local Area Connection,
> static
> IP 192.168.1.1, subnet 255.255.0.0.
>
> The internet is connected on Local Area Connection 2, IP 192.168.1.10,
> subnet 255.255.255.0 gateway 192.168.1.254.
>
> DHCP ranges for local clients are 192.168.1.11 - 192.168.1.30 with default
> gateway set to 192.168.1.1.
>
> The server also runs DNS with forwarding to the ISP and DNS lookups are
> working correctly from all machines.
>
> It's using the default settings for the IP routing table. What else do I
> need
> to do to allow client computers on the private network to route to the
> internet?
>
> Thanks in advance for any help on this.



Simon James Owen
      05-14-2008, 10:58 AM
Thanks for the response. I have changed the IP scheme of the internal
interface to subnet 255.255.255.0 and the subnet of the external interface to
255.255.254.0. I have disabled and reconfigured RAS stating the connection to
use for the internet.

VPN clients can still access the internet but local clients cannot

"Phillip Windell" wrote:

> Fix your IP Scheme.
> Use the mask 255.255.255.0,...not 255.255.0.0
> For the Server to run as a NAT Box it must have two NICs (Internal -vs-
> External).
> The two nics must be in different subnets
> RRAS must be configured to properly identify the Internal Side.
>
> --
> Phillip Windell
> www.wandtv.com


Phillip Windell
      05-14-2008, 03:01 PM
"Simon James Owen" <(E-Mail Removed)> wrote in
message news:49A4F749-2357-4010-B96E-(E-Mail Removed)...
> Thanks for the response. I have changed the IP scheme of the internal
> interface to subnet 255.255.255.0 and the subnet of the external interface
> to
> 255.255.254.0. I have disabled and reconfigured RAS stating the connection
> to
> use for the internet.


Those are not subnets,...those are Subnet Masks.
Use 255.255.255.0 on *Everything*

The Subnet is identified by the Net-ID in combination with the mask.
Multiple subnets can (and usually do) have the same Mask. Here is an
example of multiple subnets:

Net-ID=192.168.25.0
Mask = 255.255.255.0
Broadcast = 192.168.25.255
Host Range = 192.168.25.1-192.168.25.254

Net-ID=192.168.26.0
Mask = 255.255.255.0
Host Range = 192.168.26.1-192.168.26.254

Net-ID=192.168.27.0
Mask = 255.255.255.0
Host Range = 192.168.27.1-192.168.27.254

Net-ID=192.168.28.0
Mask = 255.255.255.0
Host Range = 192.168.28.1-192.168.28.254

Avoid the heavily *over-used* lower numbers (like 192.168.1.0).

The External side of the RRAS NAT Box will be a Public IP# (not
192.168.*.*).
The RRAS NAT box will *replace* any other "NAT router" that may be there.
The RRAS box *is* your "router".

If you intend to keep an existing NAT Device then there is no real point in
having the Windows RRAS NAT Box in the first place. It is a waste of time
and is over-complicating the network by introducing a Back-to-back DMZ
where there is no point in one being.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


Bill Grant
      05-14-2008, 11:57 PM

"Phillip Windell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Simon James Owen" <(E-Mail Removed)> wrote in
> message news:49A4F749-2357-4010-B96E-(E-Mail Removed)...
>> Thanks for the response. I have changed the IP scheme of the internal
>> interface to subnet 255.255.255.0 and the subnet of the external
>> interface to
>> 255.255.254.0. I have disabled and reconfigured RAS stating the
>> connection to
>> use for the internet.

>
> Those are not subnets,...those are Subnet Masks.
> Use 255.255.255.0 on *Everything*
>
> The Subnet is identified by the Net-ID in combination with the mask.
> Multiple subnets can (and usually do) have the same Mask. Here is an
> example of multiple subnets:
>
> Net-ID=192.168.25.0
> Mask = 255.255.255.0
> Broadcast = 192.168.25.255
> Host Range = 192.168.25.1-192.168.25.254
>
> Net-ID=192.168.26.0
> Mask = 255.255.255.0
> Host Range = 192.168.26.1-192.168.26.254
>
> Net-ID=192.168.27.0
> Mask = 255.255.255.0
> Host Range = 192.168.27.1-192.168.27.254
>
> Net-ID=192.168.28.0
> Mask = 255.255.255.0
> Host Range = 192.168.28.1-192.168.28.254
>
> Avoid the heavily *over-used* lower numbers (like 192.168.1.0).
>
> The External side of the RRAS NAT Box will be a Public IP# (not
> 192.168.*.*).
> The RRAS NAT box will *replace* any other "NAT router" that may be there.
> The RRAS box *is* your "router".
>
> If you intend to keep an existing NAT Device then there is no real point
> in having the Windows RRAS NAT Box in the first place. It is a waste of
> time and is over-complicating the network by introducing a Back-to-back
> DMZ where there is no point in one being.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>


I agree with Phillip. You have overcomplicated your network setup. If
your network already connects to the Internet through a NAT router you do
not need NAT on your server. In fact you do not need two NICs in your
server. The only reason to have two NICs is to have one NIC in the private
LAN and one connected to the Internet and have this device as your Internet
router. If you do have two NICs, they must be in different IP subnets (as
Phillip pointed out).

You basically have two options.

1. Get rid of the existing NAT device and use the server instead. Set
it up as a NAT/VPN server. You can configure NAT so that both LAN and remote
users can access the Internet through this device by adding the RRAS
internal interface (which is the VPN connection interface) as a private
interface in NAT.

2. Keep the existing NAT device and get rid of the second NIC in the
server. The LAN machines (and the server) still use the NAT device as
default gateway. Configure the server as a VPN server and test it locally.
Configure your NAT device to forward VPN traffic to the server's LAN IP.
Your remote access clients can now connect to the VPN server by using the
router's public IP or name.

Ace Fekay [MVP]
      05-17-2008, 01:32 AM
In news:(E-Mail Removed),
Bill Grant <not.available@online> typed:
> I agree with Phillip. You have overcomplicated your network
> setup. If your network already connects to the Internet through a NAT
> router you do not need NAT on your server. In fact you do not need
> two NICs in your server. The only reason to have two NICs is to have
> one NIC in the private LAN and one connected to the Internet and have
> this device as your Internet router. If you do have two NICs, they
> must be in different IP subnets (as Phillip pointed out).
>
> You basically have two options.
>
> 1. Get rid of the existing NAT device and use the server instead.
> Set it up as a NAT/VPN server. You can configure NAT so that both LAN
> and remote users can access the Internet through this device by
> adding the RRAS internal interface (which is the VPN connection
> interface) as a private interface in NAT.
>
> 2. Keep the existing NAT device and get rid of the second NIC in
> the server. The LAN machines (and the server) still use the NAT
> device as default gateway. Configure the server as a VPN server and
> test it locally. Configure your NAT device to forward VPN traffic to
> the server's LAN IP. Your remote access clients can now connect to
> the VPN server by using the router's public IP or name.


I agree with both you and Phillip. Besides using 255.255.255.0, simply
changing either the internal or external subnet to 192.168.2.0 255.255.255.0
may do the trick. From what I see he has overlapping subnets on both
interfaces (they're both 192.168.1.0, no matter what the subnet mask is), so
I'm surprised he's even getting any communications at all.


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations
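
The Net-ID/mask/broadcast reasoning in Phillip's post and the overlapping-subnet diagnosis in Ace's reply, as an added example that is not part of the thread: it derives the subnet figures from an address and mask and checks whether a two-NIC NAT layout has overlapping subnets, using the poster's own addresses (the external host address 192.168.2.10 in the last layout is an assumption).

```python
# Added example (not from the thread): derive Net-ID / broadcast / host range
# and check a planned two-NIC RRAS NAT layout for overlapping subnets.
from ipaddress import IPv4Interface
from itertools import combinations


def subnet_info(address: str, mask: str) -> dict:
    """Net-ID, mask, broadcast and host range for one interface address."""
    net = IPv4Interface(f"{address}/{mask}").network  # host bits are masked off
    return {
        "net_id": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "host_range": (str(net.network_address + 1), str(net.broadcast_address - 1)),
    }


def overlapping_interfaces(interfaces: dict) -> list:
    """interfaces maps a NIC name to (address, mask); returns the NIC pairs whose
    subnets overlap.  A NAT box needs this list to be empty."""
    nets = {name: IPv4Interface(f"{a}/{m}").network for name, (a, m) in interfaces.items()}
    return [(x, y) for x, y in combinations(nets, 2) if nets[x].overlaps(nets[y])]


def dhcp_range_inside(first: str, last: str, address: str, mask: str) -> bool:
    """True when a DHCP scope lies inside the subnet of the given (internal) NIC."""
    net = IPv4Interface(f"{address}/{mask}").network
    return IPv4Interface(first).ip in net and IPv4Interface(last).ip in net


# Layouts constructed from the figures posted in the thread.
ORIGINAL = {"Local Area Connection": ("192.168.1.1", "255.255.0.0"),
            "Local Area Connection 2": ("192.168.1.10", "255.255.255.0")}
AFTER_MASK_CHANGE = {"Local Area Connection": ("192.168.1.1", "255.255.255.0"),
                     "Local Area Connection 2": ("192.168.1.10", "255.255.254.0")}
# Ace's suggestion (external NIC moved to 192.168.2.0/24); host .10 is an assumption.
SEPARATE_SUBNETS = {"Local Area Connection": ("192.168.1.1", "255.255.255.0"),
                    "Local Area Connection 2": ("192.168.2.10", "255.255.255.0")}

if __name__ == "__main__":
    for label, layout in [("original", ORIGINAL), ("after mask change", AFTER_MASK_CHANGE),
                          ("separate subnets", SEPARATE_SUBNETS)]:
        print(f"{label}: overlap = {overlapping_interfaces(layout) or 'none'}")
    print(subnet_info("192.168.25.1", "255.255.255.0"))
```

The first two layouts overlap (192.168.1.0/24 sits inside both 192.168.0.0/16 and 192.168.0.0/23), which is why changing only the masks did not help; only the third gives the NAT box two distinct subnets.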