Networking Forums > Computer Networking > Windows Networking > Need Help with RRAS


Need Help with RRAS

1SE, 04-08-2005, 09:48 PM
I have a vpn router that I can VPN into. Unfortunately that router is still
on the outside NIC of my windows 2003 server.
172.16.7.1 = MAIN-router internal
192.168.1.5 = MAIN-router external.

192.168.8.1 = Windows 2003 server internal
172.16.7.4 = Windows 2003 server external.

When I'm on my VPN connection I can ping the external IP of the server but I
cannot ping it by name.
Is there a way to allow NetBIOS to the outside NIC or maybe allow internal
DNS to the external NIC?

How can I allow connection from my VPN connection without opening my whole
server to the internet?

I'm desperate please help.

Thanks.


 
Bill Grant, 04-09-2005, 01:12 AM
What DNS server is the VPN client using? I would expect it to use the
one in the 172.16 subnet if it connects to a router with IP address
172.16.7.1 . If it is set to use your internal DNS on 192.168.8 , does it
have the correct DNS suffix configured? Can you resolve the server name if
you specify the full FQDN?




 
1SE, 04-09-2005, 03:30 PM
These are REALLY good questions. I hope I don't lose your interest taking
a couple of days to get back to you. I will not be able to get back out to
this site before 4-11-05.
Here's what I know now.
The VPN client is another router at another site
192.168.9.1 = PH-01-router internal
216.86.137.39 = PH-01-router external.
The workstation on the other side of that is using an external DNS 4.2.2.2
and a secondary DNS of the internal DNS 192.168.8.1.
I've also put the internal DNS on the MAIN-router as one of its DNS
servers.
I don't believe there is any internal DNS information on the 172.16.7.4
I've not tried to resolve the servername with the FQDN, I will try that on
the 11th.

I didn't think to configure the DNS suffix for the workstation.
I know where to do that in the IP config but what should it be?





 
Bill Grant, 04-10-2005, 12:10 AM
I would manually configure the remote client to use your local DNS (i.e.
the one for your 192.168.8 network) in the connection properties. To be
able to resolve names by just using the machine name, also set the domain
suffix to the suffix of this network.

For example, if your local network is mydomain.local you should be able
to resolve the name of a machine called fred by doing an nslookup for
fred.mydomain.local . If you set the domain suffix for the client to
mydomain.local, you can just use nslookup fred .




 
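The suffix and server-order advice above, as an added example that is not part of the thread: a small Python model of the two Windows DNS client rules that decide whether "nslookup fred" can ever work from the remote workstation. First, a single-label name is only sent to DNS with a suffix from the search list appended; with no suffix configured it goes to NetBIOS broadcast, which does not cross a VPN router. Second, the client walks its server list in order and consults the alternate server only when the preferred one does not answer; a negative answer (NXDOMAIN) from the preferred server is final. That second rule is why the workstation's current order (4.2.2.2 preferred, 192.168.8.1 alternate) cannot resolve internal names even though the internal server is listed, and it also means every internal hostname lookup is handed to the public resolver. The zone contents, the host "fred" and the suffix "mydomain.local" are constructed; the server addresses are the ones posted in the thread.

```python
"""Model of the Windows DNS client's candidate-name and server-selection rules.

Added example, not from the thread.  Zone data and the names "fred" /
"mydomain.local" are constructed; the server addresses are the thread's own
(192.168.8.1 = internal DNS, 4.2.2.2 = public resolver).
"""

NXDOMAIN, TIMEOUT = "NXDOMAIN", "TIMEOUT"

# Constructed zone data: the internal server is authoritative for
# mydomain.local, the public resolver has never heard of it.
ZONES = {
    "192.168.8.1": {"fred.mydomain.local.": "192.168.8.20",
                    "server.mydomain.local.": "192.168.8.1"},
    "4.2.2.2": {"www.example.com.": "93.184.216.34"},
}


def candidate_names(name, suffix_search_list):
    """FQDNs the client sends to DNS, in order.

    A single-label name is only queried with a suffix appended; with an empty
    search list it falls back to NetBIOS broadcast (no DNS candidates).  A
    dotted name is tried as typed first, then with each suffix appended; a
    name ending in "." is already fully qualified.
    """
    if name.endswith("."):
        return [name]
    cands = [name + "."] if "." in name else []
    cands += [f"{name}.{s}." for s in suffix_search_list]
    return cands


def query(server, fqdn, unreachable):
    """One query: a timeout if the server is unreachable, else a zone lookup."""
    if server in unreachable:
        return TIMEOUT
    return ZONES.get(server, {}).get(fqdn, NXDOMAIN)


def resolve(name, servers, suffix_search_list, unreachable=frozenset()):
    """Return (address, fqdn, answering_server) or None.

    Servers are tried in configured order.  An alternate server is consulted
    only when the preferred one does not answer; a negative answer from the
    preferred server ends the attempt for that candidate name.
    """
    for fqdn in candidate_names(name, suffix_search_list):
        for server in servers:
            answer = query(server, fqdn, unreachable)
            if answer == TIMEOUT:
                continue            # no response: fall through to the alternate
            if answer != NXDOMAIN:
                return answer, fqdn, server
            break                   # NXDOMAIN is final; alternate is not asked
    return None


if __name__ == "__main__":
    cases = [
        # (name, server order, suffix search list, unreachable servers)
        ("fred", ["4.2.2.2", "192.168.8.1"], ["mydomain.local"], frozenset()),  # workstation as posted
        ("fred", ["192.168.8.1", "4.2.2.2"], ["mydomain.local"], frozenset()),  # internal DNS preferred
        ("fred", ["192.168.8.1"], [], frozenset()),                             # no suffix configured
        ("fred.mydomain.local", ["192.168.8.1"], [], frozenset()),              # full FQDN, no suffix needed
        ("fred", ["192.168.8.1"], ["mydomain.local"], frozenset({"192.168.8.1"})),  # DNS hidden behind NAT
    ]
    for name, servers, suffixes, down in cases:
        print(f"{name:20} {servers} suffix={suffixes} -> {resolve(name, servers, suffixes, down)}")
```

The last case is the situation Phillip raises later in the thread: if 192.168.8.1 is unreachable from the VPN client because the server NATs, the query times out no matter how the suffix is set, so the resolver order only matters once the path exists.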
 
Phillip Windell, 04-11-2005, 03:26 PM
"Bill Grant" wrote:
> I would manually configure the remote client to use your local DNS (ie
> the one for your 192.168.8 network) in the connection properties. To be
> able to resolve names by just using the machine name, also set the domain
> suffix to the suffix of this network.


Bill,
If the Windows Server is running NAT then the 192.168.8 network won't be at
all reachable. The 172.16.7 network is effectively a DMZ in a Back-to-Back
DMZ model, which is "untrusted" by the 192.168.8 network.

If the Windows Server is not running NAT (just routing only) then it
probably should only run one Nic since the 172.16.7 network is just a
"useless appendage", so to speak.

I think he needs to clarify that when he gets back to make it more clear
what is being dealt with.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Bill Grant, 04-12-2005, 10:57 PM
Good point, Phillip. It wouldn't be the first time we have seen problems
connecting to a remote access server in a DMZ which couldn't see the private
LAN, would it?




 
1SE, 04-15-2005, 01:12 PM
This is IN FACT true that it is NATing and I cannot see the 192.168.8.x
network.
I have set the primary DNS servers to the 192.168.8.x DC but since it cannot
be seen this does no good.





 
Phillip Windell, 04-15-2005, 02:33 PM
"Bill Grant" wrote:
> Good point, Phillip. It wouldn't be the first time we have seen problems
> connecting to a remote access server in a DMZ which couldn't see the
> private LAN, would it?


It happens frustratingly often. ;-)

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 
Phillip Windell, 04-15-2005, 03:10 PM
"1SE" wrote:
> This is IN FACT true that it is NATing and I cannot see the 192.168.8.x
> network.
> I have set the primary DNS servers to the 192.168.8.x DC but since it
> cannot be seen this does no good.


You can't. It just doesn't work that way.

To use VPN the VPN Tunnel must terminate at the edge of the LAN and the VPN
Device must "live" on both the LAN and the External Network at the same time.
Here's what you have; it won't work:

[LAN]--Server/NAT--[B2B DMZ]--NAT Device as VPN Server--[Internet]

The Server/NAT and the B2B DMZ are "in the way"; it won't work.

Two options:

1. You have to run the Windows Server as both a NAT Server and a VPN Server
at the same time. RRAS can do this. Your "NAT Device" will require the
ability to do what is often called on those things "VPN Passthrough", which
will pass on the Tunnel to the RRAS/VPN where the Tunnel will "terminate".

[LAN]--Server/NAT/VPN--[B2B DMZ]--NAT Device with VPN Passthrough--[Internet]

2. The other option is to eliminate the second Nic in the Server and
shut down RRAS and eliminate the NAT, which would also eliminate the B2B DMZ.
The server would just exist on the LAN with one nic just like all the other
machines. The Internet NAT Device would have its internal facing Nic's IP#
changed to correspond to the LAN. The Internet NAT Device would then do its
VPN the way you are doing it now. It would look like this (the server is
not shown because it would no longer be relevant to the "path"):

[LAN]---NAT/VPN Device--[Internet]


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
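The three diagrams above, as an added example that is not part of the thread: a hop-by-hop Python model of the current layout and of options 1 and 2, with a stateful NAT on the server's 172.16.7.4 interface. It reuses the addresses posted in the thread (172.16.7.1 and 172.16.7.4, 192.168.8.1, 192.168.9.1, 192.168.1.5). Everything else is an assumption for the sake of the model: the VPN client is 192.168.9.10, a LAN host is 192.168.8.20, the router's LAN address in option 2 is 192.168.8.254, the tunnel is collapsed into a direct link between 192.168.9.0/24 and whichever device terminates it, and the NAT translates whatever leaves its public interface while dropping anything arriving on that interface that is neither a tracked reply nor addressed to the NAT box itself. The current layout is even given a route for 192.168.8.0/24 on MAIN-router to show that routing is not the obstacle: the packet reaches the server and the NAT discards it, which is what "the 172.16.7 network is untrusted by the 192.168.8 network" means in practice. The LAN-to-client ping shows the other direction still works through the NAT, as a back-to-back DMZ intends.

```python
"""Hop-by-hop model of the current layout and of options 1 and 2.

Added example, not code from the thread.  Posted addresses are reused; the
VPN client (192.168.9.10), LAN host (192.168.8.20), the option-2 router
address (192.168.8.254) and the NAT drop rule are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


def IP(a):
    return ipaddress.ip_address(str(a))


@dataclass
class Node:
    name: str
    addrs: list                                    # "ip/prefix" per interface
    routes: dict = field(default_factory=dict)     # "net/prefix" -> next-hop ip
    nat_public: str = None                         # ip of the NAT public interface
    nat_table: dict = field(default_factory=dict)  # remote ip -> real LAN source

    def ifaces(self):
        return [ipaddress.ip_interface(a) for a in self.addrs]

    def has_ip(self, ip):
        return any(i.ip == ip for i in self.ifaces())

    def next_hop(self, dst):
        """Connected subnets first, then static routes; returns (next hop, egress ip)."""
        for i in self.ifaces():
            if dst in i.network:
                return dst, i.ip
        for net, via in self.routes.items():
            if dst in ipaddress.ip_network(net):
                via = IP(via)
                return via, next(i.ip for i in self.ifaces() if via in i.network)
        return None, None


class Net:
    def __init__(self, *nodes):
        self.by_ip = {i.ip: n for n in nodes for i in n.ifaces()}

    def send(self, src, dst, node, trace, ingress=None):
        """Forward one packet; returns (node it was delivered to, source as seen there)."""
        src, dst = IP(src), IP(dst)
        for _ in range(8):                            # hop limit
            nat_ip = IP(node.nat_public) if node.nat_public else None
            if nat_ip and ingress == nat_ip:          # arrived on the public side
                if dst == nat_ip and src in node.nat_table:
                    dst = node.nat_table[src]          # tracked reply: un-translate
                elif dst != nat_ip:
                    trace.append(f"{node.name}: NAT dropped unsolicited {src}->{dst}")
                    return None, None
            if node.has_ip(dst):
                trace.append(f"{node.name}: delivered {src}->{dst}")
                return node, src
            nh, egress = node.next_hop(dst)
            if nh is None or nh not in self.by_ip:
                trace.append(f"{node.name}: no route to {dst}")
                return None, None
            if nat_ip and egress == nat_ip:           # leaving via the public side
                node.nat_table[dst] = src
                src = nat_ip
            node, ingress = self.by_ip[nh], nh
        return None, None

    def ping(self, a, dst):
        """Echo request from node a to dst and the reply back; True if both arrive."""
        trace = []
        target, seen_src = self.send(a.ifaces()[0].ip, dst, a, trace)
        if target is None:
            return False, trace
        back, _ = self.send(dst, seen_src, target, trace)
        return back is a, trace


def topology(layout):
    """Build one of the three layouts; returns (net, vpn_client, lan_host)."""
    client = Node("vpn-client", ["192.168.9.10/24"], {"0.0.0.0/0": "192.168.9.1"})
    lan = Node("lan-host", ["192.168.8.20/24"], {"0.0.0.0/0": "192.168.8.1"})
    if layout == "current":     # tunnel ends on MAIN-router; server NATs the LAN
        router = Node("MAIN-router", ["172.16.7.1/24", "192.168.9.1/24", "192.168.1.5/24"],
                      {"192.168.8.0/24": "172.16.7.4"})   # route exists, NAT still blocks
        server = Node("server", ["172.16.7.4/24", "192.168.8.1/24"],
                      {"0.0.0.0/0": "172.16.7.1"}, nat_public="172.16.7.4")
    elif layout == "option1":   # tunnel passes through MAIN-router, ends on the server
        router = Node("MAIN-router", ["172.16.7.1/24", "192.168.1.5/24"])
        server = Node("server", ["172.16.7.4/24", "192.168.8.1/24", "192.168.9.1/24"],
                      {"0.0.0.0/0": "172.16.7.1"}, nat_public="172.16.7.4")
    else:                       # option2: single-NIC server, router sits on the LAN
        router = Node("MAIN-router", ["192.168.8.254/24", "192.168.9.1/24", "192.168.1.5/24"])
        server = Node("server", ["192.168.8.1/24"], {"0.0.0.0/0": "192.168.8.254"})
    return Net(client, lan, router, server), client, lan


def reachability(layout):
    """{target: reachable} for pings from the VPN client, plus LAN host -> VPN client."""
    net, client, lan = topology(layout)
    out = {t: net.ping(client, t)[0] for t in ("172.16.7.4", "192.168.8.1", "192.168.8.20")}
    out["lan->client"] = net.ping(lan, "192.168.9.10")[0]
    return out


if __name__ == "__main__":
    for layout in ("current", "option1", "option2"):
        print(layout, reachability(layout))
```

In the current layout only 172.16.7.4 answers, exactly what was reported at the top of the thread; in option 1 the client lands on the server's LAN side and both 192.168.8.1 and 192.168.8.20 answer; in option 2 the DMZ address 172.16.7.4 no longer exists but the LAN is reachable directly. The NAT table here is keyed on remote address only; a real NAT tracks ports too, which does not change the outcome for these paths.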
 
1SE, 04-15-2005, 11:36 PM
I don't think I can shut down RRAS if people are going to connect to the
server from home machines via MS-VPN?

I think option 2 sounds the easiest way to go but I don't think it will
work.

I have this constant VPN connection(s) that needs to be made for WAN
locations but I also need to have the users be able to VPN into the
server/network.

Can I use option 2 and still get both types of VPN connections?

Option number 1 seems to be the way I need to go. I'm not sure how to
complete the task though?
Are you saying I need to have the WAN location's VPN router tunnel directly
into the 2003 server and NOT the router?
This makes good sense, and to be honest is what I thought I'd have to do,
But I don't have a good enough understanding of RRAS to know how to create a
constant VPN tunnel for my WAN location's router.
The WAN router uses IKE policies and all sorts of encryption options. I'm
sure it can be done but I'm not sure how.
Can anyone help with that??






 