#1
I'm having problems accessing DMZ addresses when I'm connected to our Windows PPTP VPN. Machines on the LAN can be accessed w/o any problems and I also have internet connectivity. I assume that it might be a routing issue. Here's the current setup:

- VPN Server has 2 NICs (LAN 10.0.3../DMZ 192.168.4..)
- Clients connect to a public address which resolves to the DMZ address for the VPN Server.
- VPN clients get assigned an IP address from a DHCP server on our LAN (10.0.3..)

Here's a copy of the routing table when I'm connected to the VPN:

===========================================================================
Interface List
 14 ........................... VPN Connection
  8 ...00 30 1b ba 3e a5 ...... Broadcom NetLink (TM) Gigabit Ethernet
  1 ........................... Software Loopback Interface 1
  9 ...00 00 00 00 00 00 00 e0  isatap.hsd1.ma.comcast.net.
 10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 15 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100   4245
          0.0.0.0          0.0.0.0         On-link        10.0.3.37     21
        10.0.3.37  255.255.255.255         On-link        10.0.3.37    276
        127.0.0.0        255.0.0.0         On-link        127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link        127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link        127.0.0.1   4531
      192.168.1.0    255.255.255.0         On-link    192.168.1.100   4501
    192.168.1.100  255.255.255.255         On-link    192.168.1.100   4501
    192.168.1.255  255.255.255.255         On-link    192.168.1.100   4501
    209.31.138.54  255.255.255.255      192.168.1.1    192.168.1.100   4246
        224.0.0.0        240.0.0.0         On-link        127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link    192.168.1.100   4502
        224.0.0.0        240.0.0.0         On-link        10.0.3.37     21
  255.255.255.255  255.255.255.255         On-link        127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link    192.168.1.100   4501
  255.255.255.255  255.255.255.255         On-link        10.0.3.37    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  8    276 fe80::/64                On-link
 15    281 fe80::5efe:10.0.3.37/128 On-link
  9    281 fe80::5efe:192.168.1.100/128 On-link
  8    276 fe80::ad0b:7b74:ddc7:be67/128 On-link
  1    306 ff00::/8                 On-link
  8    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Thanks in advance.
Henry
#2
That is what I would expect. Although you initially connect to a public IP, the VPN connection is effectively to your private LAN, because the private traffic is tunnelled through the Internet and the DMZ. (In other words, the traffic is encrypted and encapsulated until it reaches the VPN server.)

Can you access machines on the DMZ from your private LAN?

"Henry" <(E-Mail Removed)> wrote in message news:332FDA0-3B06-421C-A00D-(E-Mail Removed)...
#3
Yes, I can hit the DMZ from the private LAN... the only problem is that I can't hit it when I'm connected to the VPN. Any ideas how I can go about fixing this issue?

"Bill Grant" wrote:
> That is what I would expect. Although you initially connect to a public IP, the VPN connection is effectively to your private LAN, because the private traffic is tunnelled through the Internet and the DMZ. (In other words, the traffic is encrypted and encapsulated until it reaches the VPN server.)
>
> Can you access machines on the DMZ from your private LAN?
#4
My guess is that it is related to your use of on-subnet addressing (i.e. the remote user gets an IP in the same IP subnet as the LAN machines). What happens when you use that is that the VPN server acts as a proxy for the remote and does proxy ARP on the LAN. This usually works OK, but it is not a good idea in a routed network. (Also some switches don't handle proxy ARP too well). It was really intended to allow remote access to a simple LAN (so that the sysadmin didn't have to know how routing worked).

I would use off-subnet addressing for the remotes. That is, put the remotes in their own IP subnet (using a static pool rather than DHCP) and route that subnet through the VPN server. You can then add specific routing to get that subnet to/from the DMZ.

"Bill Grant" <not.available@online> wrote in message news:%(E-Mail Removed)...
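Two things in this thread are easy to verify offline: what Henry's client actually does with a packet for a DMZ address, given the route table in post #1, and what post #4's switch from on-subnet to off-subnet addressing changes. The script below is an added example written for this page, not code from any poster. It embeds the IPv4 routes Henry posted, applies the selection rule Windows uses (longest prefix first, then lowest metric) to show that DMZ traffic does enter the tunnel on the client side, so the break is on the VPN server/DMZ side rather than on the client. It then classifies a client address as on- or off-subnet and produces the return route a DMZ host would need under off-subnet addressing. The static pool 10.0.9.0/24 and the VPN server's DMZ address 192.168.4.1 are assumed values chosen for illustration; the page only gives the prefixes 10.0.3.x and 192.168.4.x.

```python
import ipaddress

# IPv4 route table copied from Henry's post #1:
# (network destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0",         "0.0.0.0",         "192.168.1.1", "192.168.1.100", 4245),
    ("0.0.0.0",         "0.0.0.0",         "On-link",     "10.0.3.37",       21),
    ("10.0.3.37",       "255.255.255.255", "On-link",     "10.0.3.37",      276),
    ("127.0.0.0",       "255.0.0.0",       "On-link",     "127.0.0.1",     4531),
    ("127.0.0.1",       "255.255.255.255", "On-link",     "127.0.0.1",     4531),
    ("127.255.255.255", "255.255.255.255", "On-link",     "127.0.0.1",     4531),
    ("192.168.1.0",     "255.255.255.0",   "On-link",     "192.168.1.100", 4501),
    ("192.168.1.100",   "255.255.255.255", "On-link",     "192.168.1.100", 4501),
    ("192.168.1.255",   "255.255.255.255", "On-link",     "192.168.1.100", 4501),
    ("209.31.138.54",   "255.255.255.255", "192.168.1.1", "192.168.1.100", 4246),
    ("224.0.0.0",       "240.0.0.0",       "On-link",     "127.0.0.1",     4531),
    ("224.0.0.0",       "240.0.0.0",       "On-link",     "192.168.1.100", 4502),
    ("224.0.0.0",       "240.0.0.0",       "On-link",     "10.0.3.37",       21),
    ("255.255.255.255", "255.255.255.255", "On-link",     "127.0.0.1",     4531),
    ("255.255.255.255", "255.255.255.255", "On-link",     "192.168.1.100", 4501),
    ("255.255.255.255", "255.255.255.255", "On-link",     "10.0.3.37",      276),
]


def lookup(dst, routes=ROUTES):
    """Pick the route a Windows host would use for dst.

    Longest matching prefix wins; among equal prefixes the lowest metric wins.
    Returns (interface, gateway) or None when nothing matches.
    """
    dst_ip = ipaddress.IPv4Address(dst)
    best = None  # ((prefixlen, -metric), interface, gateway)
    for net, mask, gw, iface, metric in routes:
        network = ipaddress.IPv4Network((net, mask), strict=False)
        if dst_ip not in network:
            continue
        key = (network.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, iface, gw)
    return None if best is None else (best[1], best[2])


def addressing_mode(client_ip, lan_cidr):
    """Post #4's distinction: a client address inside the LAN subnet is
    on-subnet (server must proxy ARP for it); anything else is off-subnet."""
    inside = ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(lan_cidr)
    return "on-subnet" if inside else "off-subnet"


def dmz_return_route(pool_cidr, vpn_server_dmz_ip):
    """Return route a DMZ host (or the DMZ router) needs so replies to an
    off-subnet client pool go back via the VPN server's DMZ interface.
    Rendered in Windows 'route add' syntax; pool and gateway are assumed."""
    pool = ipaddress.IPv4Network(pool_cidr)
    return f"route add {pool.network_address} mask {pool.netmask} {vpn_server_dmz_ip}"


if __name__ == "__main__":
    for dst in ("192.168.4.10", "10.0.3.50", "209.31.138.54", "192.168.1.50"):
        print(f"{dst:>15} -> interface {lookup(dst)[0]}, gateway {lookup(dst)[1]}")
    # Henry's client address 10.0.3.37 sits inside the LAN 10.0.3.0/24 (assumed /24).
    print("10.0.3.37 is", addressing_mode("10.0.3.37", "10.0.3.0/24"))
    # Assumed off-subnet pool 10.0.9.0/24 and assumed VPN server DMZ address 192.168.4.1.
    print("10.0.9.5 is", addressing_mode("10.0.9.5", "10.0.3.0/24"))
    print(dmz_return_route("10.0.9.0/24", "192.168.4.1"))
```

Running it shows that 192.168.4.10 and 10.0.3.50 both leave via the tunnel interface 10.0.3.37 (the on-link default route with metric 21 beats the home router's default at 4245), while 209.31.138.54, the VPN server's public address, is pinned to the home router so the tunnel itself is not routed into itself. With the client already sending DMZ traffic into the tunnel, the missing piece is on the far side: under on-subnet addressing the VPN server answers ARP for 10.0.3.37 on the LAN only, and nothing on the DMZ knows how to reach that address; under off-subnet addressing the pool is a routed prefix and the single return route printed last is all the DMZ side needs.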