#1

I really don't know what category to put this in, since I don't know where the problem is exactly. OK, this is the full story.

Our current ISP gives us a static fake IP address that's redirected to a static real address (for whatever reason). So for example my fake static IP for an external address on my WG2500 box is 10.251.2.X (fake static). But if you want to connect from outside the network via VPN you connect with the 129.132.X.X (real static) address.

The SOHO WG2500 box is plugged into our Windows 2000 server computer (192.168.111.100) and does the DHCP for the local network and for the remote access users (VPN). So the DHCP scope looks at the SOHO WG2500 box's IP, which is 192.168.111.1, then the DHCP addresses assigned are 192.168.111.33 to 192.168.111.88, then the DHCP servers are 192.168.111.100 and 192.168.111.101 (other server).

So my problem is the new ISP has no funny fake static IPs or anything. It's a plain Jane, no-restriction real static IP. So when I unplug the current ISP and plug in our new ISP, I just changed the external address info on the SOHO box to the new information. Once I did that the internet works great. So really, the only thing I need to change is the IP address that my remote users log in with. So I changed the IP for the clients to the new static IP. Once I did that, I could not connect to the server. It never said denied access or anything. It just was not there. But on the client computers I can ping the external address fine.

Once I had that problem, I plugged my old ISP box back in the SOHO and everything started to work fine. I just can't find the problem stopping me from fixing this for my new ISP. One thing I should mention, the old did set up the Windows 2000 servers. So I guess it is possible they have hidden settings somewhere. But I can't find them!!!!

Any ideas would really help.

travis

#2

Hi, I can give you a starting point and a recommendation...

1. If you have actual static IPs (as do I) you need a REAL FIREWALL. You can buy them fairly inexpensively. I have used NetScreen boxes before, http://www.juniper.net/products/integrated/

I have also heard good things about Fortinet boxes... http://www.fortinet.com/products/

If you have a static IP, you have an open window to the world. If you want real paranoia, load Zone-Alarm!

I have heard that the Cisco PIX series is OK, but they have limitations. Also what you can buy at a superstore for $50 may allow you to set up VPNs, but they don't do Stateful Packet Inspection. .....Again, how exposed do you want to be????

Next, HIRE SOMEONE WHO KNOWS ABOUT SECURITY TO CONFIGURE YOUR FIREWALLS (that's right, plural... you need a small one on each end of the tunnel, preferably the same brand). Again, the question, how valuable is your data to you (or to someone else). I had my ISP configure the first firewall we bought. A friend of mine (who is a security consultant) asked me if I wanted him to run a test of my network. From a phone line he dialed in, and within a minute he had broken through my firewall. Also, get the update subscription service.

Without seeing your exact network, I can't design a plan for you, but it sounds like you need one....

Additionally, VPNs are usually dealing with firewalls, and that newsgroup is where you can get the best help in configuring one.

Again, my advice: hire an expert, watch them and ask questions... That is how we learn...

I hope this helps,
Sorry about getting on my soap-box
David Bock

#3

I have a SOHO WG2500, is that not a real firewall?

#4

On the WatchGuard device go to the firewall section. You want to enable passthrough and allow incoming PPTP mapped to 192.168.111.100.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
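
A reachability check for the symptom in this thread, where the public address answers ping but the VPN server is "just not there". This is an added example, not part of any post above: it performs the PPTP control handshake (RFC 2637) on TCP 1723, and the function names and the 192.0.2.10 placeholder address are assumptions. PPTP tunnel data travels separately as GRE (IP protocol 47), which this TCP check does not exercise.

```python
import socket
import struct

PPTP_PORT = 1723           # PPTP control channel (RFC 2637)
MAGIC_COOKIE = 0x1A2B3C4D  # fixed value carried in every PPTP control message
HEADER = ">HHIHH"          # length, message type, cookie, control type, reserved0

def build_sccrq(hostname=b"probe"):
    """Start-Control-Connection-Request: 156 bytes, control message type 1."""
    body = struct.pack(">HHIIHH64s64s",
                       0x0100,  # protocol version 1.0
                       0,       # reserved1
                       1, 1,    # framing / bearer capabilities (constructed values)
                       0, 0,    # maximum channels, firmware revision
                       hostname, b"")  # host name, vendor string (null-padded)
    return struct.pack(HEADER, 156, 1, MAGIC_COOKIE, 1, 0) + body

def parse_sccrp(data):
    """Return (ok, detail) for a Start-Control-Connection-Reply."""
    if len(data) < 16:
        return False, "short reply (%d bytes)" % len(data)
    _length, mtype, cookie, ctype, _ = struct.unpack(HEADER, data[:12])
    if cookie != MAGIC_COOKIE or mtype != 1 or ctype != 2:
        return False, "port answered, but not with a PPTP reply"
    version, result, error = struct.unpack(">HBB", data[12:16])
    if result != 1:  # 1 means the control channel was established
        return False, "PPTP server refused: result=%d error=%d" % (result, error)
    return True, "PPTP control channel up (version 0x%04x)" % version

def probe(host, port=PPTP_PORT, timeout=5.0):
    """Classify how an address treats the PPTP control port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sccrq())
            return parse_sccrp(s.recv(156))
    except socket.timeout:
        return False, "timed out: no PPTP answer (port filtered or not forwarded)"
    except ConnectionRefusedError:
        return False, "refused: reached a host, but nothing accepts TCP 1723"
    except OSError as exc:
        return False, "network error: %s" % exc

if __name__ == "__main__":
    import sys
    # Pass the site's public address; 192.0.2.10 is a documentation placeholder.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"))
```

Run it from a client outside the network against the new public address, then from inside against 192.168.111.100; a timeout outside with success inside points at the forwarding rule rather than the server.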

Tags: dhcp, pptp, vpn