#1
I'm entirely confused by VPN setups. I'm reading through the MS documents on it but they don't address certain things. A history:

I have a clean W2003 box with 2 NICs. One is currently configured as 10.0.0.11 (our DMZ), mapped through our hardware firewall as a public IP, i.e. 207.81.101.11. I believe this is what will accept incoming VPN connections. Now the MS document seems to indicate the other adapter should have an internal address. This is where the problem comes in. Since we have a hardware firewall doing IP mapping, that would mean both adapters would have internal addresses. I've tried this and it freaks, telling me I can't have 2 identical gateways.

I ran the RAS setup for VPN and the second adapter is telling me there is no or limited connectivity. It has a weird IP address but the gateway and DNS servers are empty.

Any document from MS assumes I'm not running a hardware firewall and doesn't apply. Can anyone clear up what I'm supposed to do in this situation?

Thanks!
Tom wilson
#2
On Apr 30, 3:18 pm, Tom wilson <yeahri...@nospam.com> wrote:
> I'm entirely confused by VPN setups. I'm reading through the MS
> documents on it but they don't address certain things. A history:
>
> I have a clean W2003 box with 2 NICs. One is currently configured as
> 10.0.0.11 (our DMZ), mapped through our hardware firewall as a public
> IP, i.e. 207.81.101.11. I believe this is what will accept incoming
> VPN connections. Now the MS document seems to indicate the other
> adapter should have an internal address. This is where the problem
> comes in. Since we have a hardware firewall doing IP mapping, that
> would mean both adapters would have internal addresses. I've tried
> this and it freaks, telling me I can't have 2 identical gateways.
>
> I ran the RAS setup for VPN and the second adapter is telling me there
> is no or limited connectivity. It has a weird IP address but the
> gateway and DNS servers are empty.
>
> Any document from MS assumes I'm not running a hardware firewall and
> doesn't apply. Can anyone clear up what I'm supposed to do in this
> situation?
>
> Thanks!

You need to set the "external NIC" with all of its settings, i.e. IP, subnet mask, default gateway, etc., and set the other NIC with just IP, SM, DNS and leave the DG blank. Create a persistent route on the server that points back to the LAN DG. You can use either Routing and Remote Access in the VPN setup to accomplish this, or you can pull up a command prompt and set up a persistent route this way: "route add".
#3
Ok...

I've set the second adapter to 10.0.0.12 without a gateway and it's connected. The primary and external NIC is set to 10.0.0.11 and mapped externally with the firewall as the gateway. So I need to add a route? To where, for what?

Do I route the second interface to the first? So would I add a route to the second interface (10.0.0.12) with a destination to the first (10.0.0.11)?

Thanks!

On 30 Apr 2007 12:43:42 -0700, RC <(E-Mail Removed)> wrote:
>On Apr 30, 3:18 pm, Tom wilson <yeahri...@nospam.com> wrote:
>> [...]
>
>You need to set the "external NIC" with all of its settings, i.e. IP,
>subnet mask, default gateway, etc., and set the other NIC with just
>IP, SM, DNS and leave the DG blank. Create a persistent route on the
>server that points back to the LAN DG. You can use either Routing and
>Remote Access in the VPN setup to accomplish this, or you can pull up a
>command prompt and set up a persistent route this way: "route add".
#4
If you are behind a firewall/router you do not need two NICs in your server. The documents you mention assume that the server has a direct connection to the Internet. The public NIC is the Internet connection and the private NIC is the LAN interface.

In your case the firewall is your public connection to the Internet. Remote users trying to connect to your LAN by VPN will need to connect to the firewall's public interface (by IP address or by name). Your VPN server sits on the LAN with only one NIC connected to the local LAN. Your firewall/router can extend the VPN connection to the VPN server on the LAN by forwarding the VPN traffic to the server's LAN IP.

Disable RRAS and get rid of the extra NIC. Enable RRAS and configure it as a remote access server. Check that it works by connecting from a workstation on the LAN to the server's LAN name or IP address. (VPN works fine over any IP connection.)

When this is working, set your firewall to forward VPN traffic (TCP 1723 for PPTP) to the LAN IP of your VPN server. If you are using PPTP, make sure that your firewall is not blocking IP protocol 47 (GRE). From an external machine try to connect using the firewall's external name or IP address.

"Tom wilson" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Ok...
>
> I've set the second adapter to 10.0.0.12 without a gateway and it's
> connected. The primary and external NIC is set to 10.0.0.11 and
> mapped externally with the firewall as the gateway. So I need to add
> a route? To where, for what?
>
> Do I route the second interface to the first? So would I add a route
> to the second interface (10.0.0.12) with a destination to the first
> (10.0.0.11)?
>
> Thanks!
>
> On 30 Apr 2007 12:43:42 -0700, RC <(E-Mail Removed)> wrote:
>> [...]
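As an added example for the test steps in the post above (this is not code from the thread, from Microsoft or from RRAS): a small Python probe that does the first exchange of a PPTP session, the Start-Control-Connection-Request/Reply pair from RFC 2637, over TCP 1723. Run it from a LAN workstation against the server's LAN address (10.0.0.11 in this thread) first, then from outside against the firewall's public address, which is exactly the order the post recommends. The probe hostname/vendor strings and the "vpn01"/"Microsoft" values in the offline reply builder are assumptions, used only so the parser can be exercised without a server; a real RRAS box fills in its own.

```python
"""Added example, not from the thread: PPTP control-connection probe (RFC 2637).

Sends a Start-Control-Connection-Request to TCP 1723 and decodes the reply.
No tunnel is set up and no credentials are sent; the point is only to prove
that a PPTP server answers at the address being tested.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D   # fixed value in every PPTP control message
CTRL_MESSAGE = 1            # PPTP message type: control message
SCCRQ = 1                   # Start-Control-Connection-Request (client -> server)
SCCRP = 2                   # Start-Control-Connection-Reply   (server -> client)
PROTOCOL_VERSION = 0x0100
SCC_LEN = 156               # SCCRQ and SCCRP are both fixed at 156 octets

RESULT_CODES = {            # SCCRP result codes, RFC 2637 section 2.2
    1: "OK: control connection established",
    2: "general error (see error code)",
    3: "command channel already exists",
    4: "requester is not authorized",
    5: "unsupported protocol version",
}


def _pad64(text: str) -> bytes:
    """Host Name and Vendor String fields are 64 octets, NUL padded."""
    return text.encode("ascii", "replace")[:64].ljust(64, b"\x00")


def build_sccrq(hostname: str = "probe", vendor: str = "added-example") -> bytes:
    """Client side: the SCCRQ a PPTP client sends right after the TCP connect."""
    return struct.pack(
        "!HHIHHHHIIHH64s64s",
        SCC_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0,
        PROTOCOL_VERSION, 0,          # protocol version, reserved1
        3, 3,                         # framing (async|sync), bearer (analog|digital)
        0, 0,                         # max channels, firmware revision
        _pad64(hostname), _pad64(vendor),
    )


def build_sccrp(result_code: int = 1, error_code: int = 0,
                hostname: str = "vpn01", vendor: str = "Microsoft") -> bytes:
    """Server side: an SCCRP as a PPTP server would answer.  Included so the
    parser can be tested offline; the hostname/vendor values are made up."""
    return struct.pack(
        "!HHIHHHBBIIHH64s64s",
        SCC_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0,
        PROTOCOL_VERSION, result_code, error_code,
        3, 3, 0, 0,
        _pad64(hostname), _pad64(vendor),
    )


def parse_sccrp(data: bytes) -> dict:
    """Validate and decode an SCCRP.  Raises ValueError when whatever answered
    on 1723 is not a PPTP server (e.g. the port forward lands on the wrong host)."""
    if len(data) < SCC_LEN:
        raise ValueError(f"short reply: {len(data)} bytes, expected {SCC_LEN}")
    (_length, msg_type, cookie, ctrl_type, _r0, version, result, error,
     _framing, _bearer, _max_chan, _firmware, host, vendor) = struct.unpack(
        "!HHIHHHBBIIHH64s64s", data[:SCC_LEN])
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message (bad magic cookie)")
    if ctrl_type != SCCRP:
        raise ValueError(f"unexpected control message type {ctrl_type}")
    return {
        "ok": result == 1,
        "result_code": result,
        "result": RESULT_CODES.get(result, f"unknown result code {result}"),
        "error_code": error,
        "protocol_version": version,
        "hostname": host.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "vendor": vendor.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Connect to host:port, send an SCCRQ and decode the SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        reply = _recv_exact(sock, SCC_LEN)
    return parse_sccrp(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.11"  # LAN IP from the thread
    print(probe(target))
```

Reading the result: a TCP timeout on the external run means the 1723 forward is missing or not reaching the server; a ValueError means something other than a PPTP server answered on that port. A clean reply says nothing about GRE, so if the probe succeeds but clients still cannot finish connecting, IP protocol 47 at the firewall is the next thing to check and this TCP-only probe cannot see it. The RRAS "VPN only" packet filters that come up later in the thread still pass PPTP, so the probe can succeed against a server that no longer answers ping. Anyone on the Internet can send the same 156 bytes and the reply identifies the host, so restrict source addresses on the forward where the firewall allows it.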
#5
Thanks! That makes sense.

So I did exactly as described below. I disabled RAS and disabled the second NIC. So now I have a NIC configured as 10.0.0.11 with a valid gateway (the firewall) and DNS servers. I configured RAS as a RAS/VPN server with defaults. I then allowed connections into RAS as specified in the help files.

Nothing works now. The server will only ping itself. If I try to ping anything from that server I get "Destination host unreachable", including the firewall. I can't ping that server from anywhere.

Did I miss something?
Thanks!

On Tue, 1 May 2007 09:46:58 +1000, "Bill Grant" <not.available@online> wrote:
> If you are behind a firewall/router you do not need two NICs in your
>server. The documents you mention assume that the server has a direct
>connection to the Internet. The public NIC is the Internet connection and
>the private NIC is the LAN interface.
>
> In your case the firewall is your public connection to the Internet.
>Remote users trying to connect to your LAN by VPN will need to connect to
>the firewall's public interface (by IP address or by name). Your VPN server
>sits on the LAN with only one NIC connected to the local LAN. Your
>firewall/router can extend the VPN connection to the VPN server on the LAN
>by forwarding the VPN traffic to the server's LAN IP.
>
> Disable RRAS and get rid of the extra NIC. Enable RRAS and configure it as
>a remote access server. Check that it works by connecting from a workstation
>on the LAN to the server's LAN name or IP address. (VPN works fine over any
>IP connection.)
>
> When this is working, set your firewall to forward VPN traffic (TCP 1723
>for PPTP) to the LAN IP of your VPN server. If you are using PPTP, make sure
>that your firewall is not blocking IP protocol 47 (GRE). From an external
>machine try to connect using the firewall's external name or IP address.
>
>"Tom wilson" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> [...]
#6
Sounds like you somehow configured it as a "VPN Only" server. This sets up packet filters to block all non-VPN traffic. I am not sure how you managed to do that if you only have one NIC in the server. Check the packet filters on the NIC from the RRAS MMC.

"Tom wilson" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>
> Thanks! That makes sense.
>
> So I did exactly as described below. I disabled RAS and disabled the
> second NIC. So now I have a NIC configured as 10.0.0.11 with a valid
> gateway (the firewall) and DNS servers. I configured RAS as a RAS/VPN
> server with defaults. I then allowed connections into RAS as
> specified in the help files.
>
> Nothing works now. The server will only ping itself. If I try to
> ping anything from that server I get "Destination host unreachable",
> including the firewall. I can't ping that server from anywhere.
>
> Did I miss something?
> Thanks!
>
> On Tue, 1 May 2007 09:46:58 +1000, "Bill Grant" <not.available@online>
> wrote:
>> [...]
#7
It's an option when you select the connection interface. I had to disable RAS, re-do it and not check the 'set up packet filters' checkbox. Now the server talks again, thanks. Whether the VPN works or not is another question but I'll leave it at that.

THANKS!

On Wed, 2 May 2007 09:00:23 +1000, "Bill Grant" <not.available@online> wrote:
> Sounds like you somehow configured it as a "VPN Only" server. This sets
>up packet filters to block all non-VPN traffic. I am not sure how you
>managed to do that if you only have one NIC in the server. Check the packet
>filters on the NIC from the RRAS MMC.
>
>"Tom wilson" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> [...]
Tags: setup, vpn, w2003