REPOST: VPN basic firewall, how to configure for multiple IP addresses

 
 
Tim_Mac
06-09-2005, 05:25 PM
hi,
i have a VPN set up with RRAS on a single NIC server 2003, it is also a web
server. VPN clients are allocated addresses from a static pool. i
have a basic firewall enabled on the LAN connection, allowing http
traffic on port 80 and https traffic, and a few other services. before
now, the server only had one static IP address and the services and
ports were configured based on this IP address.
i have now added a second IP address to the same LAN interface, and i
find that web traffic is being blocked by the basic firewall. under
Nat/Basic Firewall, i opened the properties of the LAN interface, and
tried to add in a new service called 'Web server, xx.xx.xx.171' with
the new ip address, TCP, on port 80 incoming and outgoing, but i got a
message telling me to "choose a unique special port". i presume this
is because there is already a 'service' set up for http on port 80 on
the existing IP address. how can i unblock services for the new ip
address?

thanks
tim

 
Janani [MSFT]
06-10-2005, 09:32 AM
You can edit the existing service opening in Basic firewall by editing the
address to include both the addresses. E.g., if your first IP was
192.168.1.23 and your second new IP is 192.168.1.34, edit the IP address in
the service opening in Basic firewall to '192.168.1.0' to include both the
IPs.

--
Thanks,
Janani
---------------------------------------------------------------------------
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Tim_Mac
06-10-2005, 02:37 PM
hi Janani,
many thanks for your reply. i see now that i did not have an address
pool set up on the interface in basic firewall.
the ip addresses i have been allocated are in the same group, but are
not sequential.
e.g. they are of the form xx.xx.xx.157, xx.xx.xx.161 and xx.xx.xx.199.
i will need to configure the services to run for all 3 addresses. is
it ok to put in the range xx.xx.xx.157-199? does it matter that i
don't have the use of the in-between addresses?

thanks for your help.
tim

 
Janani [MSFT]
06-11-2005, 09:27 AM
Yes, it's ok. That shouldn't be a problem.

--
Thanks,
Janani
---------------------------------------------------------------------------
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Tim_Mac
06-12-2005, 02:52 PM
hi Janani.
thanks for the reply. i am still having difficulty setting the firewall
services on multiple IPs. i would have thought you could just select
the entire address pool, instead of having to choose an 'address pool
entry'. my address pool starts at x.x.x.167 and ends at x.x.x.179,
with a subnet mask of 255.255.255.224. so i guessed from your original
post i should put in x.x.x.0 as the 'address pool entry'. when i
started the RRAS none of the packets for that service were getting
through.
basically i want 'all' the packets on port 80 to get through, for 'all'
ip addresses. but i am required to choose an IP address to forward the
packets to, i can set it up for one IP address, but not several! i
tried entering x.x.x.0 as the private IP address but that didn't work.
i do have a fair grasp of routing and firewall concepts, but i can't
seem to specify the behaviour i want.
from your original post, what is the 'service opening' referring to? i
couldn't find this terminology in any documentation, and guessed it was
the private IP address.

it may help to explain that my web server is the only machine in the
network (connected directly to datacenter), so i think the private IP
address is the same as the public one too.

thanks again for any light you may be able to shed on the situation.
tim

 
Tim_Mac
06-13-2005, 10:52 PM
just posting the answer to my problem here for reference.
i understand how the address pools work now, the documentation should
really spell it out.
you have to add the service + port for each IP address in the range
that you want to take effect. so you add a HTTP port 80 on .171,
another one for .172 and so on. i had to add in a HTTPS one as well on
port 443. i guess it makes sense now, but the terminology isn't clear
and the lack of documentation is a poor show by MS.
see this thread
http://groups-beta.google.com/group/...301905f7e2ed67
that helped me work it out.
tim
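
The fix described in the last post, written out as an added example that is not part of the original thread: a Python script that expands the address pool and emits one service entry per address and port, so only the named ports are opened on the named addresses. The 192.0.2.x prefix, the interface name, and the rendering as `netsh routing ip nat add portmapping` in positional form (interface, protocol, public IP, public port, private IP, private port) with public and private address set to the same host are assumptions standing in for the masked values and the GUI steps.

```python
import ipaddress

# Constructed sample values: 192.0.2.x stands in for the masked xx.xx.xx prefix.
INTERFACE = "Local Area Connection"   # assumed interface name
POOL_START = "192.0.2.167"
POOL_END = "192.0.2.179"
POOL_MASK = "255.255.255.224"
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443)}


def pool_addresses(start, end, mask):
    """Return every address in the pool, checking start and end share one subnet."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    net = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    if first > last or last not in net:
        raise ValueError("pool start/end do not fit the given mask")
    return [ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)]


def service_entries(addresses, pool, services=SERVICES):
    """Build one (name, proto, address, port) entry per address and service."""
    entries = []
    for addr in map(ipaddress.IPv4Address, addresses):
        if addr not in pool:
            # A service can only be bound to an address that is a pool entry.
            raise ValueError(f"{addr} is not an address pool entry")
        for name, (proto, port) in services.items():
            entries.append((name, proto, str(addr), port))
    return entries


def netsh_commands(entries, interface=INTERFACE):
    """Render entries as port mappings (assumed command form, see lead-in)."""
    return [
        f'netsh routing ip nat add portmapping "{interface}" '
        f"{proto} {addr} {port} {addr} {port}"
        for _name, proto, addr, port in entries
    ]


if __name__ == "__main__":
    pool = pool_addresses(POOL_START, POOL_END, POOL_MASK)
    wanted = ["192.0.2.171", "192.0.2.172"]
    for line in netsh_commands(service_entries(wanted, pool)):
        print(line)
```
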

 