Port forward through a VPN link

Discussion in 'Windows Networking' started by Vincent Mooney-Chopin, Aug 7, 2004.

  1. Hello everyone,

    I have a Win2003 Web edition server (remote server)
    directly connected to the Internet with static IPs. It has
    a persistent VPN connection established to the branch
    office. All branch IPs are pingable and services
    accessible from the remote server. I am trying to map some
    ports (25, 110 and 143) on one of my Internet IPs on the
    remote server to a mailserver I have in my branch office.
    It goes like this:

    Internet <- Remote server -> VPN LINK -> Branch Server

    Why does a port map through the vpn link does not work? I
    am using RRAS with NAT/Basic firewall.

    Any clues?

    Thanks, Vincent
     
    Vincent Mooney-Chopin, Aug 7, 2004
    #1
    1. Advertisements

  2. Vincent Mooney-Chopin

    Bill Grant Guest

    Port forwarding only applies to packets arriving at the public interface.
    VPN traffic is still encrypted and encapsulated when it reaches this point,
    so the NAT software only sees the outer wrapper. It cannot see the encrypted
    packet inside. That is also why VPN packets are not seen by filters on the
    public interface.

    The VPN data packet is stripped and decrypted after this point, then
    transferred to the LAN interface.
     
    Bill Grant, Aug 7, 2004
    #2
    1. Advertisements

  3. I do not agree on the explanation given:

    Port forwarding applies to my case because I am trying to forward packets
    from the public interface to a private address, it should work regardless
    the host being on the same lan segment or the other side of a vpn tunnel.

    I would like to have a workaround for this problem.

    Thanks,
    Vincent Mooney-Chopin
     
    Vincent Mooney-Chopin, Aug 8, 2004
    #3
  4. Vincent Mooney-Chopin

    Bill Grant Guest

    OK, I see the picture more clearly now.

    I think that the port forwarding actually works. The problem will be
    getting a reply back. The reply needs to go to the requesting machine's
    public IP. What is the default route of the mailserver? The reply probably
    goes to the Internet from the Branch office RRAS server. Most machines
    reject a reply which doesn't seem to come from the machine which was
    queried.

    The basic problem is that a VPN router to router link is only configured
    to route between the subnets in the two sites. Public traffic goes via the
    Internet.
    Port forwarding works in most cases because the default gateway of the
    target machine is back to the forwarding NAT router.
     
    Bill Grant, Aug 8, 2004
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.