Networking Forums

Use of Multiple Public IP Addresses

 
 
Bob Felton

 
      10-26-2007, 10:07 PM
Our ISP is providing us two public IP addresses over our full T1
connection. One is being used by our Linksys router (directly
connected to the T1 "modem"). I would like to utilize the second
public IP address to allow VPN connections to our Windows Server 2003
R2 SP2 based network by adding a second NIC card to the server and
assigning it the second public IP address. Do I simply break the
current connection between the T1 modem and Linksys router, connect the
modem to a switch, and then connect the router to one switch port and
the second NIC to another switch port? Thanks.
--
Bob Felton
 
Mathieu CHATEAU

 
      10-26-2007, 10:11 PM
Hello,

This may create a security breach, as your server will be fully exposed on
the Internet.

Check if your router can do NAT and port forwarding. This would be much more
secure, just to let the VPN traffic come and go to the server.


--
Cordialement,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr


"Bob Felton" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Our ISP is providing us two public IP addresses over our full T1
> connection. One is being used by our Linksys router (directly
> connected to the T1 "modem"). I would like to utilize the second
> public IP address to allow VPN connections to our Windows Server 2003
> R2 SP2 based network by adding a second NIC card to the server and
> assigning it the second public IP address. Do I simply break the
> current connection between the T1 modem and Linksys router, connect the
> modem to a switch, and then connect the router to one switch port and
> the second NIC to another switch port? Thanks.
> --
> Bob Felton


 
Bob Felton

 
      10-26-2007, 11:04 PM
I agree. However, MSKB Article 323381 (How to Allow Remote Users to
Access Your Network in Windows Server 2003) says the VPN connection must be
made to a NIC which is "connected directly to the Internet". I read
this as the VPN NIC must be assigned a public IP address. Am I
reading the article wrong?


On Sat, 27 Oct 2007 00:11:42 +0200, "Mathieu CHATEAU"
<(E-Mail Removed)> wrote:

>Hello,
>
>This may create a security breach, as your server will be fully exposed on
>the Internet.
>
>Check if your router can do NAT and port forwarding. This would be much more
>secure, just to let the VPN traffic come and go to the server.


--
Bob Felton
 
Bill Grant

 
      10-27-2007, 12:52 AM
It really depends on what your router can do and how it does it. You
should somehow be able to allocate the extra IP to the public interface of
the router (or allocate your public IPs to an address pool) and map the
second public IP to a private IP on the LAN. All traffic arriving at the
router using this IP would be mapped to the remote access server on the LAN
(which has just one NIC with a private IP address).

"Bob Felton" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Our ISP is providing us two public IP addresses over our full T1
> connection. One is being used by our Linksys router (directly
> connected to the T1 "modem"). I would like to utilize the second
> public IP address to allow VPN connections to our Windows Server 2003
> R2 SP2 based network by adding a second NIC card to the server and
> assigning it the second public IP address. Do I simply break the
> current connection between the T1 modem and Linksys router, connect the
> modem to a switch, and then connect the router to one switch port and
> the second NIC to another switch port? Thanks.
> --
> Bob Felton


 
Bob Felton

 
      10-27-2007, 01:04 AM
So, even though MSKB 323381 says the VPN NIC must be "connected
directly to the Internet", it doesn't mean it needs a public IP
address?


On Sat, 27 Oct 2007 10:52:37 +1000, "Bill Grant"
<not.available@online> wrote:

> It really depends on what your router can do and how it does it. You
>should somehow be able to allocate the extra IP to the public interface of
>the router (or allocate your public IPs to an address pool) and map the
>second public IP to a private IP on the LAN. All traffic arriving at the
>router using this IP would be mapped to the remote access server on the LAN
>(which has just one NIC with a private IP address).


--
Bob Felton
 
Jeffrey Randow

 
      10-27-2007, 01:50 AM
It's still possible to do VPNs (PPTP, at least) to servers behind a
NAT'ed firewall if you do GRE forwarding and TCP 1723 forwarding.

Same thing applies to L2TP, but you must change permissions in order
to get it to work on XP SP2 machines.

---
Jeffrey Randow
(E-Mail Removed)
Windows Networking MVP 2001-2006
http://www.networkblog.net

On Fri, 26 Oct 2007 16:04:26 -0700, Bob Felton
<(E-Mail Removed)> wrote:

>I agree. However, MSKB Article 323381 (How to Allow Remote Users to
>Access Your Network in Windows Server 2003) says the VPN connection must be
>made to a NIC which is "connected directly to the Internet". I read
>this as the VPN NIC must be assigned a public IP address. Am I
>reading the article wrong?

 
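The forwarding described in the replies above, as an added example that is not part of the original thread: a Python check that takes a router's inbound forwarding table and reports which flows a PPTP server behind NAT still lacks and which forwards expose more than the VPN needs. The rule format, addresses and names are constructed; the L2TP/IPsec entry (UDP 500 and 4500 for NAT traversal) goes beyond what the thread spells out.

```python
# Added example: audit inbound forwards for a VPN server behind a NAT router.
# Rule format, addresses and names are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Inbound flows the server needs, as (protocol, destination port or None).
REQUIRED = {
    "pptp": {("tcp", 1723), ("gre", None)},        # control channel + GRE (IP protocol 47)
    "l2tp_ipsec": {("udp", 500), ("udp", 4500)},   # IKE + NAT traversal (beyond the thread)
}

@dataclass(frozen=True)
class Forward:
    proto: str             # "tcp", "udp", "gre" or "any"
    port: Optional[int]    # None means every port, or a protocol without ports
    to_ip: str

def covers(rule, flow):
    """True if this forward lets the given (proto, port) flow reach the server."""
    proto, port = flow
    if rule.proto == "any":
        return True
    return rule.proto == proto and rule.port in (None, port)

def audit(rules, server_ip, vpn="pptp"):
    """Return (missing, excess) for forwards that point at server_ip."""
    needed = REQUIRED[vpn]
    to_server = [r for r in rules if r.to_ip == server_ip]
    missing = sorted((f for f in needed
                      if not any(covers(r, f) for r in to_server)), key=str)
    excess = [r for r in to_server if (r.proto, r.port) not in needed]
    return missing, excess

SERVER = "192.168.1.10"  # constructed private address of the VPN server
CONFIGS = {
    "everything forwarded": [Forward("any", None, SERVER)],
    "TCP 1723 only": [Forward("tcp", 1723, SERVER)],
    "TCP 1723 + GRE": [Forward("tcp", 1723, SERVER), Forward("gre", None, SERVER)],
    "PPTP plus RDP": [Forward("tcp", 1723, SERVER), Forward("gre", None, SERVER),
                      Forward("tcp", 3389, SERVER)],
}

if __name__ == "__main__":
    for name, rules in CONFIGS.items():
        missing, excess = audit(rules, SERVER)
        print(f"{name}: missing={missing} excess={excess}")
```

The "TCP 1723 only" case is the one where the PPTP control connection reaches the server but the GRE data channel does not, so the audit lists GRE as missing.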
 
Jeffrey Randow

 
      10-27-2007, 01:51 AM
Correct... It doesn't require a public IP if you properly forward
packets...

---
Jeffrey Randow
(E-Mail Removed)
Windows Networking MVP 2001-2006
http://www.networkblog.net

On Fri, 26 Oct 2007 18:04:49 -0700, Bob Felton
<(E-Mail Removed)> wrote:

>So, even though MSKB 323381 says the VPN NIC must be "connected
>directly to the Internet", it doesn't mean it needs a public IP
>address?

 
Bob Felton

 
      10-27-2007, 02:40 AM
OK, guys. Thanks! Do you see any problem in using the DMZ port of a
Linksys BEFSR41 router for connecting to the VPN NIC?



On Fri, 26 Oct 2007 20:51:39 -0500, Jeffrey Randow
<(E-Mail Removed)> wrote:

>Correct... It doesn't require a public IP if you properly forward
>packets...
>
>---
>Jeffrey Randow
>(E-Mail Removed)
>Windows Networking MVP 2001-2006
>http://www.networkblog.net


--
Bob Felton
 
Bill Grant

 
      10-27-2007, 07:08 AM
Yes, I do. The whole point of setting up a VPN connection is for the
remote client to have access to the private LAN. If the VPN server does
not have access to the private LAN, what hope is there for its remote
clients?

"Bob Felton" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> OK, guys. Thanks! Do you see any problem in using the DMZ port of a
> Linksys BEFSR41 router for connecting to the VPN NIC?
>
> --
> Bob Felton


 
Bob Felton

 
      10-27-2007, 05:20 PM
Good point! I had completely overlooked that "small" issue. Thanks
for banging me on the head to wake me up.

All responses to my query were VERY much appreciated. Thanks, guys!


On Sat, 27 Oct 2007 17:08:17 +1000, "Bill Grant"
<not.available@online> wrote:

> Yes, I do. The whole point of setting up a VPN connection is for the
>remote client to have access to the private LAN. If the VPN server does
>not have access to the private LAN, what hope is there for its remote
>clients?


--
Bob Felton
 