vpn probl

JMS
06-30-2005, 08:14 PM
Hello everyone,
I have a site-to-site VPN configuration and both RRAS servers can ping each other,
and they also can ping both sites' workstations. The problem is that the
workstations on each site can't ping the server on the remote site or the
workstations on the remote site. I've set up a static route in both sites for
each remote router VPN connection. Another thing: I can only initiate the
connection from one site; if I try to initiate the connection from the second
site I receive an error telling me that the router can't accept the
connection, but if I start the VPN connection from site 1 both routers
connect to each other with no problems.
Some help would be very appreciated.
Best regards.


 
Phillip Windell
06-30-2005, 08:52 PM
"JMS" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hello everyone
> I have a site-to-site VPN configuration and both RRAS servers can ping each other,
> and they also can ping both sites' workstations. The problem is that the
> workstations on each site can't ping the server on the remote site or the
> workstations on the remote site. I've set up a static route in both sites for
> each remote router VPN connection,


I don't think you need any other "route". The routing is working if those
RRAS boxes can ping workstations on the opposite side. Ping requires two way
functionality (the reply has to know how to get back to the sender), so that
implies a valid path is established.

But at this point I don't know what to tell you. Your setup is still just a
little bit too "fuzzy" for me. What is the topology like at each Site?
Single subnet or multiple? If multiple, is a LAN Router being used or are you
trying to "double" a Firewall or Proxy as some kind of LAN Router? Is the
RRAS VPN Server also acting as the LAN's "Firewall" by using the NAT ability
of RRAS?

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



 
JMS
06-30-2005, 10:05 PM
OK, I think that I discovered the problem...

I had the gateway on the workstations in the remote site pointing to the ADSL router and
not to the VPN server, so when the workstations needed to reply to the ping requests
they were trying to respond through their gateway, which was the ADSL router
and not the VPN RRAS server. To solve this problem I added in my VPN
server two static routes: 0.0.0.0 with gateway pointing to the ADSL router, and a
static route 172.16.x.x pointing to the VPN remote router in RRAS. The
gateway on my remote workstations is now my VPN server, so my VPN server is
now handling the static routes: when remote workstations need to ping
172.16.x.x they go through the VPN remote router, and when they need to go to the
Internet they go to the ADSL router. I think this is the right way to proceed??
Is it???. Do I need to enable RIP on my VPN server? I need to join two more
remote sites to these two....

Site 1:
VPN server (Windows 2003 with ISA Server)

NIC 1:
  TCP/IP: 172.16.0.254
  Mask: 255.255.248.0
  DNS: 172.16.0.254

NIC 2:
  TCP/IP: 192.168.200.2
  Mask: 255.255.252.0
  Gateway: 192.168.200.1
  DNS: 172.16.0.254

VPN static routes:
  0.0.0.0 Mask 0.0.0.0 Gateway: 192.168.200.1
  192.168.2 Mask 255.255.255.0 Gateway: RemoteRouterSite1 (with user account assigned)

Router on site 1:
  TCP/IP: 192.168.200.1

Workstations on site 1:
  From 172.16.2.x (gateway and DNS pointing to 172.16.0.254)

------------------------------------------------------------------------
Site 2
VPN server (Windows 2003, no ISA Server installed)
Only one NIC:
  TCP/IP: 192.168.2.254
  Mask: 255.255.255.0
  Gateway: 192.168.2.2
  DNS: 192.168.2.254

VPN static routes:
  0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.2.2
  10.10.0.0 Mask: 10.10.0.0 Gateway: 192.168.2.1 (Cisco router with dedicated line connected to another site; it's working with no problems)
  172.16.x.x Mask: 255.255.0.0 Gateway: RemoteRouterSite2 (with user account assigned)

Router 1 with firewall on site 2 (dedicated line):
  TCP/IP: 192.168.2.1

Router 2 (with firewall) on site 2:
  TCP/IP: 192.168.2.2

Workstations on site 2:
  From 192.168.2.x (gateway and DNS pointing to 192.168.2.254)
------------------------------------------------------------------------
------------------------------------------------------------------------


Another thing:
I just don't understand why I can initiate my remote router VPN
connection only from site 1???
I configured a remote router (assigned to a user account) on sites 1 and 2,
so when one is connected the other connects automatically and it works
fine. The problem is that I need to initiate connections from both sites when
needed.. so if I ping some workstation on site 2 that is on 192.168.2.x the
remote router connects with no problems and the router on site 2
automatically connects too. But if I try to connect from site 2 to site 1 it
gives me an error telling me that the remote router on site 1 can't accept more
connections because it reached the limit??? And I go to see if that router is
already connected and it's not??
Thanks again for your time...

Bill Grant
07-01-2005, 01:19 AM
1. No, you don't need RIP. Static routing can handle a straight-forward
setup like this.

2. You should not really need to have these connect from both ends. The
one connection handles the routing in both directions. It is probably better
to standardise on having the branches connect to the main office. That way
they all validate against the same database.

3. Have you considered how you are going to handle the routing when you
have more than one branch? Do you want the branches to be able to see each
other, or just branch to HO? You can set it up either way.

4. If the VPN router is not the default router, I prefer to use the
following method. Set the clients to use the default router as their default
gateway, and add a static route to the default router to redirect private
traffic to the VPN router. The clients will "learn" to use this gateway
automatically (through redirect messages from the router). You don't need
RIP to do it.


JMS
07-01-2005, 07:55 AM
Hello Bill,

If I have only one connection from the 2nd site, for example, the VPN only
connects if someone from the 2nd site tries to reach someone at site 1,
but what if someone at site 1 tries to reach someone at site 2?? It can't,
because I only have one connection - Site 2 ---> to ----> Site 1, isn't that
right?
I need both ends to be able to initiate connections (this isn't a persistent
connection, to save bandwidth).
About the other sites that I need to join, they all need to see each other;
I'll connect all of them to the main office and then I think that they will be able
to see each other after configuring DNS, WINS, establishing trusts, static
routes, etc....
But if I put the static routes on my ADSL router as you suggested
I don't know how this will work... I've never tried a similar configuration...
Remember the VPN connection is made by the RRAS servers, not by the routers.....

Obs. (I still don't understand why my VPN remote routers can only initiate the
connection from site one; I'm sorry to insist, but I would like to
understand what is causing this...)

Thanks
Best regards

Phillip Windell
07-01-2005, 02:14 PM
"JMS" <(E-Mail Removed)> wrote in message
news:%23zIQo$(E-Mail Removed)...
> OK, I think that I discovered the problem...

No. I think you are digging a deeper hole to bury yourself in. It would have
been better for you to just explain your topology better so this could be
solved instead of making it even more "murky" and piling on more "settings"
that may be incorrect.

> I had the gateway on the workstations in the remote site pointing to the ADSL router and
> not to the VPN server, so when the workstations needed to reply to the ping requests
> they were trying to respond through their gateway, which was the ADSL router
> and not the VPN RRAS server. To solve this problem I added in my VPN
> server two static routes: 0.0.0.0 with gateway pointing to the ADSL router, and a

That is not a Static route, that is a Default Route. You cannot use more
than one 0.0.0.0 Route, and the one is already created by the Default
Gateway entry in the GUI. Your Static Routes must use a specific Network
(not 0.0.0.0).

The right way to do this is to place a Static route for the opposite Site on
the ADSL Router that tells it that traffic to that segment must use the VPN
Device. The ADSL Device also needs the remote segment's IP Range added to its
Local Address Table. Repeat the process on the opposite Site.

The LAN at each side of the VPN must designate *something* to behave as the
LAN Router for that particular segment (a real router, a NAT-Firewall, the
VPN Device, whatever). Whatever you use, you must be consistent and not run
around all over the place clicking here, changing there, adding here, and
deleting over there.

Choose whatever device is the most dependable, least likely to be changed,
least likely to ever be removed. Then that device becomes the Default
Gateway for all the Clients. If that Device is not the DSL Device, then
*its* Default Gateway becomes the DSL Device.

The NAT-Device (DSL Device) then must "know" that the IP Ranges of both
segments are *local* and will include them in the Local Address Table (or
whatever that vendor calls the equivalent). If this Device is going to be
the Segment's LAN Router, then it needs to have a Static Route that tells it to
get to the opposite Site it must use the VPN Device. You do not have to
alter the Route Table on the Clients; the Clients are the last place to ever
create routes. Imagine if you had 3000 Clients; how would you ever expect
to maintain all that?

--
Phillip Windell [MCP, MVP, CCNA]
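The routing argument made in the two replies above (Phillip Windell: a host has exactly one default route, and the static route for the remote segment belongs on whatever box is the LAN's router; Bill Grant: clients can keep the default router as their gateway and learn the VPN router through ICMP redirects) is easy to misread without a picture of where each packet goes. The following is an added example, not code posted by anyone in this thread. It models JMS's Site 2 as a set of route tables with longest-prefix matching and walks the echo reply from a Site 2 workstation back toward a Site 1 address, first as posted (default gateway 192.168.2.2, the ADSL router) and then with the static route for 172.16.0.0/16 added on the ADSL router. The LAN, RRAS server and ADSL router addresses are the ones JMS listed; the workstation address 192.168.2.10, the Site 1 target 172.16.2.5, the upstream hop 203.0.113.1 and the host names are assumptions made for the model.

```python
"""Route-table model of JMS's Site 2: why replies to Site 1 leave by the wrong door.

Added example, not code from any poster.  LAN 192.168.2.0/24, RRAS server
192.168.2.254 and ADSL router 192.168.2.2 are as posted; the workstation,
the Site 1 target, the ISP hop and the host names are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

ISP_NEXT_HOP = "203.0.113.1"   # constructed upstream hop (RFC 5737 documentation range)


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]   # None: the prefix is directly connected
    iface: str                        # "lan", "wan" or "vpn" (RRAS demand-dial interface)


@dataclass
class Node:
    name: str
    addr: IPv4Address
    routes: list = field(default_factory=list)

    def add_route(self, prefix: str, next_hop: Optional[str], iface: str = "lan") -> None:
        net = ip_network(prefix)
        # Phillip's point: one default route only.  It comes from the "Default
        # gateway" field; a second 0.0.0.0/0 entry is a misconfiguration.
        if net.prefixlen == 0 and any(r.prefix.prefixlen == 0 for r in self.routes):
            raise ValueError(f"{self.name}: second default route rejected")
        self.routes.append(Route(net, ip_address(next_hop) if next_hop else None, iface))

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        # Longest-prefix match: the most specific route wins, 0.0.0.0/0 last.
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def same_lan(self, a: IPv4Address, b: IPv4Address) -> bool:
        return any(r.next_hop is None and a in r.prefix and b in r.prefix for r in self.routes)


def trace(nodes: dict, src: str, dst: str, max_hops: int = 8):
    """Walk one packet from node `src` toward `dst`; return (path, icmp_redirects)."""
    dst_ip = ip_address(dst)
    by_addr = {n.addr: n for n in nodes.values()}
    cur, prev = nodes[src], None
    path, redirects = [src], []
    for _ in range(max_hops):
        route = cur.lookup(dst_ip)
        if route is None:
            path.append("no-route")
            break
        if route.iface == "vpn":            # RRAS demand-dial interface: into the tunnel
            path.append("vpn-tunnel")
            break
        if route.next_hop is None:          # destination on a connected LAN: delivered
            path.append("delivered")
            break
        nxt = by_addr.get(route.next_hop)
        if nxt is None:                     # ISP side of the ADSL box: traffic leaves the site
            path.append("internet")
            break
        # Bill's point: a router that forwards a packet back onto the LAN it arrived
        # from, to a next hop on that LAN, sends the sender an ICMP Redirect (RFC 792),
        # and the sender caches the better gateway for that destination.
        if prev is not None and cur.same_lan(prev.addr, nxt.addr):
            redirects.append(f"{cur.name} -> {prev.name}: use {nxt.addr} for {dst}")
        prev, cur = cur, nxt
        path.append(cur.name)
    return path, redirects


def build_site2(adsl_has_static_route: bool) -> dict:
    """Site 2 as posted; with the flag set, the ADSL router gets Phillip's static route."""
    ws = Node("workstation", ip_address("192.168.2.10"))
    ws.add_route("192.168.2.0/24", None)
    ws.add_route("0.0.0.0/0", "192.168.2.2")              # default gateway = ADSL router

    adsl = Node("adsl-router", ip_address("192.168.2.2"))
    adsl.add_route("192.168.2.0/24", None)
    adsl.add_route("0.0.0.0/0", ISP_NEXT_HOP, iface="wan")
    if adsl_has_static_route:
        adsl.add_route("172.16.0.0/16", "192.168.2.254")  # Site 1 traffic -> RRAS box

    rras = Node("rras-vpn", ip_address("192.168.2.254"))
    rras.add_route("192.168.2.0/24", None)
    rras.add_route("0.0.0.0/0", "192.168.2.2")
    rras.add_route("172.16.0.0/16", None, iface="vpn")    # demand-dial interface to Site 1
    return {n.name: n for n in (ws, adsl, rras)}


def duplicate_default_rejected() -> bool:
    """JMS's 'two static routes, one of them 0.0.0.0': the model refuses the second."""
    n = Node("rras-vpn", ip_address("192.168.2.254"))
    n.add_route("0.0.0.0/0", "192.168.2.2")
    try:
        n.add_route("0.0.0.0/0", "192.168.2.1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The echo request arrived through the tunnel; this is where the reply goes.
    for flag in (False, True):
        path, redirects = trace(build_site2(flag), "workstation", "172.16.2.5")
        print("with static route:" if flag else "as posted:       ", " -> ".join(path), redirects)
    print("second default route rejected:", duplicate_default_rejected())
```

As posted, the reply walks workstation -> adsl-router -> internet: the request came in through the RRAS tunnel but the reply follows the workstation's default gateway, and the ADSL router has no route for 172.16.0.0/16, so the only match is its default route toward the ISP. With the single static route on the ADSL router the path becomes workstation -> adsl-router -> rras-vpn -> vpn-tunnel, and the ADSL router also emits the ICMP redirect Bill describes, so later packets from that workstation go straight to 192.168.2.254 without any client-side route.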




 
JMS
07-01-2005, 11:33 PM
Hello Phillip Windell,

OK, no questions about it, the best place to put the routing tables is in
the router device as you said, but in my configuration I don't need to
update routing tables in clients. If I have 3000 workstations they'll only
have one default gateway (only one 0.0.0.0 static route), which is my VPN server,
and then my VPN server has the several static routes redirecting traffic
according to their needs.

But I agree with you when you say that there's no need to put those static
routes on my VPN server because I already have a router that can do this
job for me, instead of the VPN server.

Anyway my routing topology is a distributed messaging topology.

I'm not quite sure if you saw my reply to Bill Grant about my network
configuration, but here it is again (only the part I'm working on now):


Obs.: (Until now no one could explain to me why I can initiate my VPN
connection from only one site??

Here it goes again, my explanation of this problem as I said before:

>> Another thing:
>> I just don't understand why I can initiate my remote router VPN
>> connection only from site 1???
>> I configured a remote router (assigned to a user account) on sites 1
>> and 2, so when one is connected the other connects automatically
>> and it works fine. The problem is that I need to initiate connections
>> from both sites when needed.. so if I ping some workstation on site 2
>> that is on 192.168.2.x the remote router connects with no problems
>> and the router on site 2 automatically connects too. But if I try to
>> connect from site 2 to site 1 it gives me an error telling me that the
>> remote router on site 1 can't accept more connections because it
>> reached the limit??? And I go to see if that router is already connected
>> and it's not?? Thanks again for your time...
)

Site 1:
VPN server (Windows 2003 with ISA Server)
NIC 1:
  TCP/IP: 172.16.0.254
  Mask: 255.255.248.0
  DNS: 172.16.0.254

NIC 2:
  TCP/IP: 192.168.200.2
  Mask: 255.255.252.0
  Gateway: 192.168.200.1
  DNS: 172.16.0.254

Server VPN static routes:
  0.0.0.0 Mask 0.0.0.0 Gateway: 192.168.200.1 (ADSL router)
  192.168.2 Mask 255.255.255.0 Gateway: RemoteRouterSite1 (with user account assigned)

TCP/IP range for workstations on site 1:
  From 172.16.2.x (gateway and DNS pointing to 172.16.0.254)
------------------------------------------------------------------------
Site 2
VPN server (Windows 2003, no ISA Server installed)
Only has one NIC:
  TCP/IP: 192.168.2.254
  Mask: 255.255.255.0
  Gateway: 192.168.2.2
  DNS: 192.168.2.254

Server VPN static routes:
  0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.2.2 (ADSL router with firewall)
  10.10.0.0 Mask: 255.255.0.0 Gateway: 192.168.2.1 (Cisco router with dedicated line connected to another site; it's working with no problems)
  172.16.x.x Mask: 255.255.0.0 Gateway: RemoteRouterSite2 (with user account assigned)

TCP/IP range for workstations on site 2:
  From 192.168.2.x (gateway and DNS pointing to 192.168.2.254)
------------------------------------------------------------------------

Thanks again for your time
Best regards



Bill Grant
07-02-2005, 03:02 AM
I suspect one reason you are having trouble getting this working is the
fact that you have ISA Server at one end and not at the other. Setting up a
site-to-site link in ISA creates a file to configure the "answering" router.
The RRAS setup does not have this feature. You will probably need to
configure the RRAS end manually, including creating an account for the
connection (if you want to be able to connect from the ISA end). It will get
a bit messy.

Having some sites using 192.168. addresses and some using 172.16.
isn't going to make things easy if you want to route between them. The usual
way to set up the routing is a hub and spoke model. The central site is the
hub (as all other sites have a VPN link {or spoke} to the hub). All traffic
from one site to another goes down a spoke, then up another spoke if
necessary.

From a routing point of view, this is easiest if the sites all use IP
addresses which are easily bundled. So if all sites use 172.16.x.0/24
addresses, the routing is simple. At the non-central sites you just send all
172.16 traffic down the spoke (using 172.16.0.0/16). Only the central site
needs routes to these other sites.

JMS wrote:
> Hello Phillip Windell
>
> Ok, no questions about it, the best place to put the routing tables
> is in the router device as you said, but in my configuration I don't
> need to update routing tables in clients. if I have 3000 workstations
> They'll only have 1 default gateway (only one 0.0.0.0 static route)
> that is my vpn server and then in my vpn server has the several
> static routes redirecting the their needs.
>
> But I agreed with you when you say that there's no need to put that
> static routes on my vpn server because I already have a router that
> can make this job for me, instead of vpn server.
>
> Anyway my routing topology is a distributed messaging topology.
>
> I'm not quite sure if you saw my reply to Bill Grant about my network
> configuration but here it is again (only the part I'm working on now):
>
> Obs : (until now no one could explain to me why I can initiate my vpn
> connection only from one site??
>
> Here it goes again my explanation about this problem as I said before:
>
>>> Another thing
>>> I just don't understand why i only can initiate my remote router vpn
>>> connection only from my 1 site???
>>> i configured a remote router (assigned to a user account) on the 1
>>> and 2 site, so when one is connected the other connects automatically
>>> and it works fine. the problem is that i need to initiate connections
>>> from both sites when needed.. so if i ping some workstation on 2
>>> site that is on 192.168.2.x the remote router connects with no
>>> problems and the router on 2 site automatically connects too. But if i
>>> try to connect from 2 site to the 1 it gives me an error telling me that the
>>> remote router on site 1 can't accept more connections because it
>>> reached the limit??? and i go to see if that router is already connected
>>> and it's not?? Thanks again for your time...
> )
>
> Site 1 :
> Vpn server(Windows2003 With ISA server)
> Nic1:
>
> Tcp/Ip: 172.16.0.254
> Mask: 255.255.248.0
> Dns: 172.16.0.254
>
> Nic 2:
>
> Tcp/Ip: 192.168.200.2
> Mask: 255.255.252.0
> Gateway: 192.168.200.1
> Dns: 172.16.0.254
>
> Server Vpn Static Routes:
> 0.0.0.0 Mask 0.0.0.0 Gateway: 192.168.200.1(Adsl Router)
>
> 192.168.2 Mask 255.255.255.0 Gateway: RemoteRouterSite1 (With
> userAccount assign)
> Tcp/Ip range to Workstations on site 1:
> From 172.16.2.x (Gateway and dns pointing to 172.16.0.254)
> ------------------------------------------------------------------------
> Site 2
> Vpn server (Windows2003 no isa server installed)
> Only has one nic
>
> Tcp/Ip: 192.168.2.254
> Mask: 255.255.255.0
> Gateway: 192.168.2.2
> Dns: 192.168.2.254
> Server Vpn Static routes:
> 0.0.0.0 Mask: 0.0.0.0 Gateway:192.168.2.2(Adsl router with
> Firewall) 10.10.0.0 Mask: 255.255.0.0 Gateway:192.168.2.1 (Cisco router
> with
> dedicated line connected to another site and it's working with no
> problems) 172.16.x.x Mask:255.255.0.0 Gateway:RemoteRouterSite2(With
> userAccount assign)
> Tcp/Ip range to Workstations on site 2:
> From 192.168.2.x (Gateway and dns pointing to 192.168.2.254)
> ------------------------------------------------------------------------
>
>
>
> Thanks again for your time
> Best regards
>
>
>
> "Phillip Windell" <@.> wrote in message
> news:%(E-Mail Removed)...
>> "JMS" <(E-Mail Removed)> wrote in message
>> news:%23zIQo$(E-Mail Removed)...
>>> Ok i think that i discovered the problem...
>>
>> No. I think you are digging a deeper hole to bury yourself in. It
>> would have been better for you to just explain your topology better so this
>> could be solved instead of making it even more "murky" and piling on
>> more "settings" that may be incorrect.
>>
>>> i've the gateway on workstations in remote site pointing to adsl
>>> router and not to vpn server, so when workstations needed to reply
>>> to the ping requests they were trying to respond through their
>>> gateway that was the adsl router and not the vpn rras server so to
>>> solve this problem I add in my vpn server two static routes
>>> 0.0.0.0 with gateway pointing to adsl router and a
>>
>> That is not a Static route, that is a Default Route. You cannot use
>> more than one 0.0.0.0 Route, and the one is already created by the
>> Default Gateway entry in the GUI. Your Static Routes must use a
>> specific Network (not 0.0.0.0).
>>
>> The right way to do this is place a Static route for the opposite
>> Site on the ADSL Router that tells it that traffic to that segment
>> must use the VPN Device. The ADSL Device also needs the remote segment's
>> IP Range added to its Local Address Table. Repeat the process on the
>> opposite Site.
>>
>> The LAN at each side of the VPN must designate *something* to behave
>> as the LAN Router for that particular segment (a real router, a
>> NAT-Firewall, the VPN Device, whatever). Whatever you use you must
>> be consistent and not run around all over the place clicking here,
>> changing there, adding here, and deleting over there.
>>
>> Choose whatever device is the most dependable, least likely to be
>> changed, least likely to ever be removed. Then that device becomes the
>> Default Gateway for all the Clients. If that Device is not the DSL
>> Device, then *its* Default Gateway becomes the DSL Device.
>>
>> The NAT-Device (DSL Device) then must "know" that the IP Range of
>> both segments are *local* and will include them in the Local Address
>> Table (or whatever that vendor calls the equivalent). If this Device
>> is going to be the Segment's LAN Router, then it needs to have a Static
>> Route that tells it that to get to the opposite Site it must use the
>> VPN Device. You do not have to alter the Route Table on the
>> Clients,..the Clients are the last place to ever create routes.
>> Imagine if you had 3000 Clients,..how would you ever expect to
>> maintain all that?
>>
>> --
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>> -----------------------------------------------------
>> Understanding the ISA 2004 Access Rule Processing
>> http://www.isaserver.org/articles/IS...cessRules.html
>>
>> Microsoft Internet Security & Acceleration Server: Guidance
>> http://www.microsoft.com/isaserver/t...dance/2004.asp
>> http://www.microsoft.com/isaserver/t...dance/2000.asp
>>
>> Microsoft Internet Security & Acceleration Server: Partners
>> http://www.microsoft.com/isaserver/partners/default.asp
>> -----------------------------------------------------


JMS
      07-03-2005, 06:44 PM
Yeah, but it is a little late to start changing the IP config in all sites;
in fact their initial configuration wasn't made by me..
For now I must deal with that, and later I'll start changing some
configurations; for now I must get people working.
Thanks anyway...

Phillip Windell
      07-05-2005, 03:49 PM
"JMS" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Site 1 :
> Vpn server(Windows2003 With ISA server)
> Nic1:
> Tcp/Ip: 172.16.0.254
> Mask: 255.255.248.0
> Dns: 172.16.0.254

<shortened for space>

Saw nothing wrong here.

> Site 2
> Vpn server (Windows2003 no isa server installed)
> Only has one nic


I am skeptical of the 1-nic setup, but I guess it works.

> Server Vpn Static routes:
> 0.0.0.0 Mask: 0.0.0.0 Gateway:192.168.2.2(Adsl router with
> Firewall)
> 10.10.0.0 Mask: 255.255.0.0 Gateway:192.168.2.1
> 172.16.x.x Mask:255.255.0.0 Gateway:RemoteRouterSite2


The last one would be more accurate with:
172.16.0.0 Mask:255.255.248.0 Gateway:RemoteRouterSite2
But it should still work the way it is.


Two other things,..one involving ISA, one involving the DSL NAT Device at
Site#2

On ISA:
ISA needs *both* these networks configured in the Internal Network
Definition.
172.16.0.0 --172.16.2.255
192.168.2.0 -- 192.168.2.255
If there are multiple internal FQDNs for Active Directory Domains, then
those need to be entered as well in the Domains Tab of the Internal Network
Definition.

On the DSL NAT/Firewall Device in Site #2.
It should have some kind of Local Address Table. The SOHO market has trashed
the industry's terminology, so God only knows what they call it,...but that
is what you are looking for. It needs the same two IP# ranges added to it
as with the ISA:
172.16.0.0 --172.16.2.255
192.168.2.0 -- 192.168.2.255

In both cases, the "172.16.0.0 --172.16.255.255" could be used as long as
those addresses are always found on the internal LAN in Site #2. Using any of
them in Site #1 is "doable" but can easily create a mess. It would be a
mess along the lines of what Bill was warning you of.

In the case of 192.168 you cannot use the full range in the same way
(192.168.0.0--192.168.255.255) due to the fact that
192.168.200.0--192.168.200.255 is actually an *external* range in your setup
and is used on the Back-to-Back DMZ in Site #1 that is between the ISA and
the ADSL Device. Therefore you will always have to deal with 192.168
segments separately rather than grouping them by using the larger full range
as you could with the 172.16 networks.

You would be much better off using 192.168 segments through the entire thing
and then only using the 172.16 between the ISA & DSL Device in the
Back-to-Back DMZ. Or you could flip that and use 172.16 through the whole
system and then use 192.168 in the DMZ,...either way,..it just has to be
organized and logical. Again, I think that is part of what Bill was warning
you of.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------
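Added illustration (not code from the thread): a small Python check of the two routing points raised above, the longest-prefix lookup on JMS's Site 2 route table (why a second 0.0.0.0 entry adds nothing and why 172.16.0.0/16 still delivers traffic to the VPN) and Phillip's point that 172.16.0.0/16 is a safe aggregate for the "internal" tables while 192.168.0.0/16 is not because it swallows the 192.168.200.0/22 DMZ. The next-hop labels and sample destination addresses are assumed.

```python
"""Route-table and address-aggregate checks for the Site 1 / Site 2 setup
discussed in the thread (added example; uses only the stdlib ipaddress module)."""
from ipaddress import ip_address, ip_network, summarize_address_range

# Site 2 VPN server routes as JMS listed them. Next-hop labels are assumed
# names; RemoteRouterSite2 is the demand-dial (user-account) VPN interface.
SITE2_ROUTES = [
    ("0.0.0.0/0",     "192.168.2.2 (ADSL router)"),   # the one default route
    ("10.10.0.0/16",  "192.168.2.1 (Cisco router)"),
    ("172.16.0.0/16", "RemoteRouterSite2"),
]

# Ranges Phillip says belong in the ISA Internal Network / DSL local table.
SITE1_LAN = [str(n) for n in summarize_address_range(
    ip_address("172.16.0.0"), ip_address("172.16.2.255"))]
SITE2_LAN = ["192.168.2.0/24"]
# Back-to-back DMZ between ISA and ADSL at Site 1: 192.168.200.2/255.255.252.0
DMZ = ["192.168.200.0/22"]


def lookup(dest, routes=SITE2_ROUTES):
    """Longest-prefix match as a Windows/RRAS route table performs it.
    0.0.0.0/0 wins only when nothing more specific matches, so a second
    0.0.0.0 entry could never be preferred over the first."""
    addr = ip_address(dest)
    best = None
    for prefix, via in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "no route"


def summary_is_safe(summary, internal, external):
    """True if one aggregate `summary` covers every internal range and
    overlaps none of the external (DMZ) ranges; False means that listing
    it as 'internal' would misclassify external addresses."""
    s = ip_network(summary)
    covers = all(ip_network(n).subnet_of(s) for n in internal)
    leaks = any(ip_network(n).overlaps(s) for n in external)
    return covers and not leaks


def tightest_routes(first, last):
    """Smallest set of CIDR routes exactly covering first..last."""
    return [str(n) for n in
            summarize_address_range(ip_address(first), ip_address(last))]


if __name__ == "__main__":
    for d in ("172.16.2.10", "10.10.5.1", "8.8.8.8"):
        print(d, "->", lookup(d))
    print("172.16.0.0/16 safe:", summary_is_safe("172.16.0.0/16", SITE1_LAN, DMZ))
    print("192.168.0.0/16 safe:", summary_is_safe("192.168.0.0/16", SITE2_LAN, DMZ))
    print("exact routes for 172.16.0.0-172.16.2.255:",
          tightest_routes("172.16.0.0", "172.16.2.255"))
```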