#1
I have a RRAS Server setup as a VPN with two NICs. One is connected to a CISCO router and from there to the internet. It has a public IP address. The second is inside my LAN and has a private IP address. Neither of them has a default gateway. I am using DHCP to get RAS Client IP addresses from the LAN DHCP server. I setup a static route with 0.0.0.0 as destination, 0.0.0.0 as mask, and the router's IP address as the gateway. I also setup static routes to route my LAN traffic through my frame relay router. All my static routes have a metric of 1.

When clients connect to the VPN, they can resolve all URLs, both internal and external, but they can only ping or browse to the internal LAN servers. The first static route does not appear to be working. When I perform a tracert against an external address, it goes first to the "internal" interface, rather than to the gateway of the 0.0.0.0 static route. What am I doing wrong?

David N
#2
"David N" <(E-Mail Removed)> wrote in message news:eac801c3f0cc$63bea920$(E-Mail Removed)...

> I have a RRAS Server setup as a VPN with two NICs. One is
> connected to a CISCO router and from there to the
> internet. It has a public IP address. The second is
> inside my LAN and has a private IP address. Neither of
> them has a default gateway. I am using DHCP to get RAS
> Client IP addresses from the LAN DHCP server. I setup a
> static route with 0.0.0.0 as destination, 0.0.0.0 as mask,
> and the router's IP address as the gateway. I also setup

Remove that route. Just use the Internet Router (frame relay router?) as the Default Gateway of the public NIC. The private NIC should never have a Default Gateway.

If your private LAN is a single subnet there are no routes to create, and if there are subnets on the private side but the RRAS box serves as the central router then there still are no routes to create. All the clients on the private network may or may not require a Default Gateway,...it just depends on the situation. If they did need one it would most likely be the RRAS machine, but that isn't an absolute.

If there are subnets on the private side then a static route to each segment must be added to the RRAS/VPN Server (not including the Public side). The routes would point to whatever router takes it to the destination. The rest can get really complicated. All clients would use the router that is in their immediate subnet, then the router directly facing the RRAS/VPN box would probably use the RRAS/VPN box as its Default Gateway, but again that isn't absolute....it just depends.

VPN Clients, when getting the DHCP assignment, must use a Default Gateway that agrees with what other clients using an IP# of the same subnet use. VPN is really irrelevant, the client behaves just as any other client on the same subnet behaves (VPN or no VPN) and is subject to the same settings and rules.

Note that all public IP#s are meaningless to any of this VPN stuff. The public IP#s do nothing more than serve as "phone numbers" for the VPN to "dialup" to create the Tunnel. The public IP#s have no role in routing just as the phone number serves no "routing purpose" for a typical modem based dialup user.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
#3
Phil-

If I don't have a static route for my external NIC, then my VPN clients can't connect to the VPN server. Here's my config:

External NIC 65.240.13.209 255.255.255.192
Internal NIC 192.168.30.2 255.255.255.0
Internal Subnets 192.168.30.0,192.168.32.0,192.168.33.0
Frame router that routes to subnets 192.168.30.1
External router 65.240.13.193

Static Routes
0.0.0.0 0.0.0.0 65.240.13.193 (External NIC)
192.168.30.0 255.255.255.0 192.168.30.1 (Internal NIC)
192.168.32.0 255.255.255.0 192.168.30.1 "
192.168.33.0 255.255.255.0 192.168.30.1 "

How does the public NIC know to get to the Frame router?
How do the VPN clients know to get to the outside NIC?

David
#5
Remove the Route. A Default Gateway *is* a "static" route and it will enter the same thing into the routing table automatically that you entered manually. Your best bet at this point is to remove all manually entered routes, give the NIC a Default Gateway and reboot the machine so it can rebuild the Routing Table correctly.

1. Give the External NIC a Default Gateway of "65.240.13.193". Keep Internal NIC's DF blank.
2. Remove gateways with this command "C:\ROUTE -F"
3. Reboot the machine to let the Table rebuild
4. After the reboot finishes, enter the following 2 static routes:

Route Add -p 192.168.32.0 mask 255.255.255.0 192.168.30.1
Route Add -p 192.168.33.0 mask 255.255.255.0 192.168.30.1

There is no need to add one for the "30" subnet because that is where it lives and it already knows where itself is. The 0.0.0.0 route will have automatically been put into the routing table by the Default Gateway setting when the machine was rebooted.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
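
The routing logic in the last reply, as an added example that is not part of the thread or any poster's code: a Python model that filters David's manual routes down to the ones the server cannot derive from its NIC settings, then resolves next hops by longest-prefix match. Only the addresses come from the thread; the data layout and function names are assumptions of this example.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Addresses are taken from the thread; the data layout is this example's own.
NICS = {"external": "65.240.13.209/255.255.255.192",
        "internal": "192.168.30.2/255.255.255.0"}
DEFAULT_GATEWAY = "65.240.13.193"       # set on the external NIC only
MANUAL_ROUTES = [                       # the static routes David listed
    ("0.0.0.0", "0.0.0.0", "65.240.13.193"),
    ("192.168.30.0", "255.255.255.0", "192.168.30.1"),
    ("192.168.32.0", "255.255.255.0", "192.168.30.1"),
    ("192.168.33.0", "255.255.255.0", "192.168.30.1"),
]

def connected(nics):
    """Subnet each NIC sits on; the stack adds these routes by itself."""
    return {name: ip_interface(addr).network for name, addr in nics.items()}

def needed_static_routes(manual, nics):
    """Keep only the routes that cannot be derived from the NIC settings."""
    local = set(connected(nics).values())
    keep = []
    for dest, mask, gw in manual:
        net = ip_network(f"{dest}/{mask}")
        if net.prefixlen == 0 or net in local:
            continue  # default route, or a directly connected subnet
        keep.append((str(net), gw))
    return keep

def build_table(nics, default_gw, static):
    """Connected routes + default route + the remaining static routes."""
    conn = connected(nics)
    table = [(net, None, name) for name, net in conn.items()]
    for dest, gw in [("0.0.0.0/0", default_gw)] + list(static):
        # a gateway has to be reachable on-link through one of the NICs
        iface = next(n for n, net in conn.items() if ip_address(gw) in net)
        table.append((ip_network(dest), gw, iface))
    return table

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    matches = [r for r in table if ip_address(dst) in r[0]]
    net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return (gw or "on-link", iface)

STATIC = needed_static_routes(MANUAL_ROUTES, NICS)
TABLE = build_table(NICS, DEFAULT_GATEWAY, STATIC)
```

`STATIC` comes out as the two routes from step 4, and `lookup(TABLE, ...)` shows which next hop and interface the server picks for any destination.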