Networking Forums

Port forward through a VPN link

 
 
Vincent Mooney-Chopin
      08-07-2004, 12:35 AM
Hello everyone,

I have a Win2003 Web edition server (remote server)
directly connected to the Internet with static IPs. It has
a persistent VPN connection established to the branch
office. All branch IPs are pingable and services
accessible from the remote server. I am trying to map some
ports (25, 110 and 143) on one of my Internet IPs on the
remote server to a mailserver I have in my branch office.
It goes like this:

Internet <- Remote server -> VPN LINK -> Branch Server

Why does a port map through the VPN link not work? I
am using RRAS with NAT/Basic firewall.

Any clues?

Thanks, Vincent
 
Bill Grant
      08-07-2004, 02:40 AM
Port forwarding only applies to packets arriving at the public interface.
VPN traffic is still encrypted and encapsulated when it reaches this point,
so the NAT software only sees the outer wrapper. It cannot see the encrypted
packet inside. That is also why VPN packets are not seen by filters on the
public interface.

The VPN data packet is stripped and decrypted after this point, then
transferred to the LAN interface.

"Vincent Mooney-Chopin" <(E-Mail Removed)> wrote in
message news:1a3801c47c16$78e4c5c0$(E-Mail Removed)...
> Hello everyone,
>
> I have a Win2003 Web edition server (remote server)
> directly connected to the Internet with static IPs. It has
> a persistent VPN connection established to the branch
> office. All branch IPs are pingable and services
> accessible from the remote server. I am trying to map some
> ports (25, 110 and 143) on one of my Internet IPs on the
> remote server to a mailserver I have in my branch office.
> It goes like this:
>
> Internet <- Remote server -> VPN LINK -> Branch Server
>
> Why does a port map through the VPN link not work? I
> am using RRAS with NAT/Basic firewall.
>
> Any clues?
>
> Thanks, Vincent



 
Vincent Mooney-Chopin
      08-08-2004, 02:59 AM
I do not agree with the explanation given:

Port forwarding applies to my case because I am trying to forward packets
from the public interface to a private address; it should work regardless
of the host being on the same LAN segment or the other side of a VPN tunnel.

I would like to have a workaround for this problem.

Thanks,
Vincent Mooney-Chopin


"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
> Port forwarding only applies to packets arriving at the public interface.
> VPN traffic is still encrypted and encapsulated when it reaches this point,
> so the NAT software only sees the outer wrapper. It cannot see the encrypted
> packet inside. That is also why VPN packets are not seen by filters on the
> public interface.
>
> The VPN data packet is stripped and decrypted after this point, then
> transferred to the LAN interface.
>
> "Vincent Mooney-Chopin" <(E-Mail Removed)> wrote in
> message news:1a3801c47c16$78e4c5c0$(E-Mail Removed)...
> > Hello everyone,
> >
> > I have a Win2003 Web edition server (remote server)
> > directly connected to the Internet with static IPs. It has
> > a persistent VPN connection established to the branch
> > office. All branch IPs are pingable and services
> > accessible from the remote server. I am trying to map some
> > ports (25, 110 and 143) on one of my Internet IPs on the
> > remote server to a mailserver I have in my branch office.
> > It goes like this:
> >
> > Internet <- Remote server -> VPN LINK -> Branch Server
> >
> > Why does a port map through the VPN link not work? I
> > am using RRAS with NAT/Basic firewall.
> >
> > Any clues?
> >
> > Thanks, Vincent

>
>



 
Bill Grant
      08-08-2004, 04:53 AM
OK, I see the picture more clearly now.

I think that the port forwarding actually works. The problem will be
getting a reply back. The reply needs to go to the requesting machine's
public IP. What is the default route of the mailserver? The reply probably
goes to the Internet from the Branch office RRAS server. Most machines
reject a reply which doesn't seem to come from the machine which was
queried.

The basic problem is that a VPN router to router link is only configured
to route between the subnets in the two sites. Public traffic goes via the
Internet.
Port forwarding works in most cases because the default gateway of the
target machine is back to the forwarding NAT router.

"Vincent Mooney-Chopin" <(E-Mail Removed)> wrote in
message news:#(E-Mail Removed)...
> I do not agree with the explanation given:
>
> Port forwarding applies to my case because I am trying to forward packets
> from the public interface to a private address; it should work regardless
> of the host being on the same LAN segment or the other side of a VPN tunnel.
>
> I would like to have a workaround for this problem.
>
> Thanks,
> Vincent Mooney-Chopin
>
>
> "Bill Grant" <not.available@online> wrote in message
> news:(E-Mail Removed)...
> > Port forwarding only applies to packets arriving at the public interface.
> > VPN traffic is still encrypted and encapsulated when it reaches this point,
> > so the NAT software only sees the outer wrapper. It cannot see the encrypted
> > packet inside. That is also why VPN packets are not seen by filters on the
> > public interface.
> >
> > The VPN data packet is stripped and decrypted after this point, then
> > transferred to the LAN interface.
> >
> > "Vincent Mooney-Chopin" <(E-Mail Removed)> wrote in
> > message news:1a3801c47c16$78e4c5c0$(E-Mail Removed)...
> > > Hello everyone,
> > >
> > > I have a Win2003 Web edition server (remote server)
> > > directly connected to the Internet with static IPs. It has
> > > a persistent VPN connection established to the branch
> > > office. All branch IPs are pingable and services
> > > accessible from the remote server. I am trying to map some
> > > ports (25, 110 and 143) on one of my Internet IPs on the
> > > remote server to a mailserver I have in my branch office.
> > > It goes like this:
> > >
> > > Internet <- Remote server -> VPN LINK -> Branch Server
> > >
> > > > Why does a port map through the VPN link not work? I
> > > am using RRAS with NAT/Basic firewall.
> > >
> > > Any clues?
> > >
> > > Thanks, Vincent

> >
> >

>
>
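
The return-path problem described in the last reply, modelled as an added example (not part of the original thread). All addresses are constructed from documentation ranges, and the route labels `vpn` and `branch-internet` are hypothetical names for the two ways out of the branch office.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not from the thread.
CLIENT = "198.51.100.10"        # Internet host connecting to port 25
REMOTE_PUBLIC = "203.0.113.5"   # public IP on the remote server (port map here)
BRANCH_PUBLIC = "192.0.2.77"    # branch office's own Internet address
MAIL = "10.2.0.25"              # mail server behind the VPN link

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, exit) pairs."""
    ip = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in routes]
    matches = [(n, hop) for n, hop in nets if ip in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(return_routes):
    """Follow one connection attempt; return (exit, reply source, accepted)."""
    # 1. Client sends to the mapped port on the remote server's public IP.
    syn = {"src": CLIENT, "dst": REMOTE_PUBLIC, "dport": 25}
    # 2. The port mapping rewrites only the destination and remembers it.
    nat_table = {(CLIENT, MAIL, 25): REMOTE_PUBLIC}
    forwarded = dict(syn, dst=MAIL)          # crosses the VPN link
    # 3. The mail server answers the source it saw: the client's public IP.
    reply = {"src": MAIL, "dst": forwarded["src"], "sport": 25}
    exit_path = next_hop(return_routes, reply["dst"])
    if exit_path == "vpn":
        # Back through the forwarding NAT router: mapping is undone there.
        reply["src"] = nat_table[(reply["dst"], MAIL, 25)]
    else:
        # Leaves via the branch's Internet link, NATed to the branch address.
        reply["src"] = BRANCH_PUBLIC
    # 4. The client only accepts a reply from the address it queried.
    return exit_path, reply["src"], reply["src"] == syn["dst"]

# Router-to-router VPN: only the other site's subnet is routed over the tunnel.
SITE_TO_SITE = [("10.1.0.0/24", "vpn"), ("0.0.0.0/0", "branch-internet")]
# The usual port-forward case: default route leads back to the NAT router.
VIA_NAT_ROUTER = [("0.0.0.0/0", "vpn")]

if __name__ == "__main__":
    for name, routes in (("site-to-site", SITE_TO_SITE),
                         ("via NAT router", VIA_NAT_ROUTER)):
        print(name, trace(routes))
```

On a live setup the same asymmetry shows up in a capture on the branch office's Internet interface: replies from the mail server's ports leave there instead of entering the tunnel.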



 