Networking Forums

RRAS VPN - remote client access to Internet

 
 
Fredrik
01-28-2005, 01:09 PM
I have setup a Windows Server 2003 as a VPN gateway and it works perfectly
well for accessing corporate resources. It is setup on a DMZ behind a FW in
order to log all accesses from the Internet, with a separate interface on the
internal LAN.

But, I have a problem accessing the Internet while connected to the VPN. I
am aware of split-tunneling, but do not want to use that. I want all Internet
traffic to go through the central firewall, in order to get all traffic
logged.

Is a proxy server the only solution to this problem?

/Fredrik
 
Robert L [MS-MVP]
01-28-2005, 04:18 PM
If you want all Internet traffic to go through the central firewall, you
may want to modify the routing table. This may help.
http://www.howtonetworking.com/routingissuesonvpn.htm

Can't access the Internet while using VPN
Symptom: after establishing a VPN connection, you may not be able to access
the Internet because the VPN takes over your existing connection and forces all
traffic to use the VPN default gateway on the remote network. The remote
network may not allow VPN clients to access the Internet via their gateway.

Resolutions:
1) If you don't need to access the entire VPN resources, disable the "use
default gateway on remote network" option in the properties of the VPN
connection.
2) Edit the route table manually if you know how to, or check the routing page
on this web site.
3) For security reasons, some firewalls/routers like the Cisco PIX do not
allow access to the Internet after establishing the VPN, and you cannot modify
the routing table. You may set up a split tunnel.


--
For more and other information, go to http://howtonetworking.com.

Don't send e-mail or reply to me unless you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on
http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
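The "use default gateway on remote network" setting Bob points at is what decides, on the client, between a full tunnel and a split tunnel. The following is an added example, not anything posted in this thread, of checking that setting and the resulting default route from PowerShell on a current Windows client; it uses the VpnClient and NetTCPIP modules (Windows 8 / Server 2012 and later, which did not exist when this was written; on XP and 2003 the same checkbox sits under the connection's TCP/IP Advanced properties). The connection name Corp-VPN is an assumption.

```powershell
# Added example, not from the thread: check a Windows VPN connection for
# full tunnelling ("Use default gateway on remote network" == SplitTunneling
# $false) and confirm the default route sits on the tunnel once connected.
# Needs the VpnClient and NetTCPIP modules (Windows 8 / Server 2012 or later).
# The connection name 'Corp-VPN' is an assumption.

function Test-FullTunnel {
    param([Parameter(Mandatory)][string]$Name)

    $vpn = Get-VpnConnection -Name $Name -ErrorAction Stop

    $result = [ordered]@{
        Connection      = $Name
        SplitTunneling  = $vpn.SplitTunneling   # $true is the split tunnel the OP rejects
        Status          = $vpn.ConnectionStatus
        DefaultRouteVia = $null
        FullTunnel      = -not $vpn.SplitTunneling
    }

    if ($vpn.ConnectionStatus -eq 'Connected') {
        # The active default route is the 0.0.0.0/0 entry with the lowest
        # combined metric; for a full tunnel it must be on the VPN adapter,
        # whose InterfaceAlias is the connection name for RAS connections.
        $default = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
                   Sort-Object -Property { $_.RouteMetric + $_.InterfaceMetric } |
                   Select-Object -First 1
        $result.DefaultRouteVia = $default.InterfaceAlias
        $result.FullTunnel = (-not $vpn.SplitTunneling) -and ($default.InterfaceAlias -eq $Name)
    }

    [pscustomobject]$result
}

$connectionName = 'Corp-VPN'
$check = Test-FullTunnel -Name $connectionName
$check | Format-List

if ($check.SplitTunneling) {
    # Re-enable "use default gateway on remote network"; it takes effect on
    # the next connection.
    Set-VpnConnection -Name $connectionName -SplitTunneling $false
    Write-Warning "Split tunnelling was on for '$connectionName'; disabled it. Reconnect to apply."
}
```

Because the setting lives on the client, nothing on the RRAS side forces it: a user who wants direct Internet access can untick the box and split-tunnel anyway. If the no-split-tunnel requirement matters, ship the connection as a managed profile (CMAK in the 2003 era) and confirm from the firewall's logs that the remotes' Internet flows really do arrive through the VPN.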
 
Bill Grant
01-28-2005, 10:40 PM
There isn't really enough info here to diagnose the problem. How do your
LAN clients access the Internet? Do they use NAT on the firewall or some
other device?

What about the VPN clients. Do they get IP addresses in the same IP
subnet as the LAN machines, or are they in their own subnet routed through
the VPN server?
 
Fredrik
01-28-2005, 11:59 PM
"Robert L [MS-MVP]" wrote:

>1) If you don't need to access the entire VPN resources, disable the "use
>default gateway on remote network" option in the properties of the VPN
>connection.


That would mean split-tunneling, which I don't want?

>2) Edit route table manually if you know how to or check routing page on
>this web site.


This must work for any user, including non-techs.

>3) For the security reason, some firewall/routers like Cisco PIX do not
>allow access the Internet after establishing the VPN and you cannot modify
>the routing table. You may setup split-tunnel.


Well, to my knowledge, the firewall wouldn't know that the VPN client is
connected via VPN at all. It just sees an IP address that is OK and should
be allowed Internet access.

And as I said, I don't want an insecure split-tunneling solution.

"Bill Grant" wrote:

> There isn't really enough info here to diagnose the problem. How do your
> LAN clients access the Internet? Do they use NAT on the firewall or some
> other device?


The LAN clients are NATted on the firewall, does that matter?

> What about the VPN clients. Do they get IP addresses in the same IP
> subnet as the LAN machines, or are they in their own subnet routed through
> the VPN server?


As the design is right now, they get their addresses from the same DHCP
server as the LAN machines and use the same scope. Would it matter if I got
them their own subnet?

As a temporary solution I've setup a squid proxy to use, works fine but is
another system that I don't really want.


Thanks,

Fredrik
 
 
Bill Grant
01-29-2005, 12:23 AM
I agree with your comment in your reply to Bob Lin. If the remotes are
getting IP addresses in the same IP subnet as the LAN clients, they should
look just the same as LAN clients to the firewall. The server should be
doing proxy ARP for them on the LAN, and forwarding the traffic on, just as
it does for LAN access.

Are you on a switched network? Some switches don't handle proxy ARP in
the same way as straight Ethernet and a hub.

If you can't get it to work that way, you could try giving the remotes
their own subnet, and enable IP routing on the VPN server. You could then
specifically route traffic for this "remotes only" subnet from the firewall
via the VPN router. This does away with the proxy ARP situation.
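Bill's second option (a separate subnet for the remotes, IP routing on the RRAS box, and a static route on the firewall pointing that subnet back at the RRAS server) as an added example, not something posted in the thread. The commands are the Windows Server 2003 netsh ras ip syntax as remembered rather than copied from documentation, so check them on your own build; the LAN 10.10.0.0/16, the RRAS LAN address 10.10.0.5 and the pool 10.10.200.0/24 are made-up values, and the firewall's own route syntax depends on the vendor.

```powershell
# Added example, not from the thread: Bill Grant's "remotes in their own
# subnet" design on a Windows Server 2003 RRAS box. netsh syntax is from
# memory of the 2003 "netsh ras ip" context, not copied from documentation;
# confirm it with "netsh ras ip ?" on your build. Addresses are made up:
# LAN 10.10.0.0/16, RRAS LAN adapter 10.10.0.5, VPN pool 10.10.200.0/24.

$VpnPoolStart = '10.10.200.1'
$VpnPoolEnd   = '10.10.200.254'
$VpnPoolNet   = '10.10.200.0'
$VpnPoolMask  = '255.255.255.0'
$RrasLanIp    = '10.10.0.5'        # LAN-side address of the RRAS server
$PoolPattern  = '10\.10\.200\.'    # regex for "anything in the pool"

# 1. Assign remotes from a static pool outside the LAN subnet, so their
#    reachability no longer depends on the server answering ARP for them
#    on the LAN segment (the proxy ARP case Bill describes).
netsh ras ip set addrassign method=pool
netsh ras ip add range "from=$VpnPoolStart" "to=$VpnPoolEnd"

# 2. Let remotes go beyond the server itself, i.e. route into the LAN.
netsh ras ip set access mode=all

# 3. The firewall is not a Windows box, so just print the route it needs:
#    traffic for the pool goes back via the RRAS LAN address. (On a Windows
#    host the persistent equivalent would be:
#    route -p add $VpnPoolNet mask $VpnPoolMask $RrasLanIp)
"Firewall static route needed: $VpnPoolNet/$VpnPoolMask -> next hop $RrasLanIp"

# 4. Verify after a client connects: RRAS installs a host route for each
#    connected remote, and the LAN adapter should hold no ARP entries for
#    pool addresses (there is nothing left to proxy).
route print | Select-String -Pattern $PoolPattern
arp -a      | Select-String -Pattern $PoolPattern
```

Either way the firewall still sees each remote under its own address, so the per-client logging Fredrik is after is preserved; the dedicated pool just removes the dependency on proxy ARP and gives a prefix to write a distinct firewall rule against. The firewall's NAT for the pool can be the same rule as for the LAN; only the static route back to the RRAS LAN address is new.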
 
Steve Riley [MSFT]
02-01-2005, 06:10 AM
Here's a cool trick.

http://support.microsoft.com/default...b;en-us;310888

Steve Riley
(E-Mail Removed)
 
Bill Grant
02-01-2005, 10:32 PM
But it really only works if the RRAS server is doing NAT itself. And you
don't need to use the netsh command in W2003. They fixed it so that the
internal interface shows in the RRAS NAT console, and you can do it from
there.
 
Steve Riley [MSFT]
02-02-2005, 12:21 AM
Enabling NAT to get this "reflection" (my own term) capability to work won't
cause other problems. I've got at least one customer who used this method
a couple years ago in an 80,000 node VPN deployment. Works well.

You're right about it being easier in Windows Server 2003.

Steve Riley
(E-Mail Removed)
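The NAT arrangement behind Steve's "reflection" trick, as an added example rather than anything quoted from the thread or from the KB article: NAT on the RRAS server itself, with the dial-in "Internal" pseudo-interface on the private side and the LAN adapter on the public side. It uses the Windows Server 2003 netsh routing ip nat commands from memory (on 2003 the RRAS console can do the same, as Bill says), so verify the syntax on your build; the adapter name LAN is an assumption.

```powershell
# Added example, not from the thread or KB 310888: NAT on the RRAS server
# itself, the arrangement behind Steve Riley's "reflection" trick. The
# RRAS dial-in pseudo-interface "Internal" is the private side and the LAN
# adapter the public side, so VPN clients' traffic leaves with the server's
# LAN address. Windows Server 2003 "netsh routing ip nat" syntax from memory
# (the RRAS console does the same on 2003); verify it with
# "netsh routing ip nat ?" on your build. The adapter name 'LAN' is assumed.

$LanAdapter = 'LAN'   # RRAS interface name of the LAN-facing adapter

# Install the NAT routing protocol and attach the two interfaces.
netsh routing ip nat install
netsh routing ip nat add interface "name=$LanAdapter" mode=full   # public: translate outbound
netsh routing ip nat add interface name=Internal mode=private     # private: the VPN clients

# Show the bindings that resulted.
netsh routing ip nat show interface

# Effect on the firewall's logs: every VPN client's Internet flow now
# arrives from the RRAS LAN address, and so does their traffic to internal
# servers. Per-user attribution has to come from RRAS accounting instead.
```

The trade-off against Fredrik's stated goal: once the RRAS box translates, every remote's Internet traffic reaches the firewall with the RRAS LAN address as its source, and the same happens to their traffic toward internal servers, so neither the firewall's logs nor the file servers' logs identify which remote user did what. The user-to-tunnel-address mapping has to be recovered from the RRAS accounting log and joined on time. Bill's separate-subnet routing design keeps the per-client addresses visible and avoids that, at the price of one static route on the firewall.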
 
 
 