
Does Win2k support NAT and VPN on the same box?

Mar 27, 2002
I have a client that has a Win2K server running NAT. There is an ISDN adapter setup with a persistent connection in RRAS. The other interface is a NIC to the local network. The client has subscribed to a service that requires VPN. So I am trying to initiate a VPN client connection from the Win2k server. I have setup a VPN connection (in Network and Dialup connections) and it connects but will not pass any traffic. If the "use remote default gateway" is checked then my internet connection drops and if not then internet stays up but no traffic across the VPN either way. I have setup the VPN as a router-to-router demand dial connection in RRAS and it still passes no traffic. I am testing the traffic using a ping from the Win2k server to a server on the VPN. Everything times out. Other clients have no trouble connecting to this service and are able to ping the server and get a reply so I believe that the service is setup correctly and the problem is on my end. I am beginning to believe that it can not be done this way. Does Win2k support NAT and VPN on the same box? Any help or ideas are greatly appreciated as I have been beating on this for several days now.
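
The "use remote default gateway" symptom in the post above (Internet drops when it is checked, tunnel carries nothing when it is unchecked) is a route-selection effect. The following is an added example, not code from the original thread or from Windows/RRAS: a small longest-prefix-match model of the route table with the three configurations. The interface names, metrics and the public test address are assumptions; the 192.168.1.0/24 LAN and the 10.1.0.0/16 remote network are the ones given in the thread. The model also assumes that with the checkbox off the tunnel contributes no route of its own to the remote network, which is a simplification.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of longest-prefix-match route selection (not RRAS code).
# Each route is (destination network, outgoing interface, metric).
Route = Tuple[str, str, int]


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Pick the interface for dst: longest prefix wins, ties go to the lowest metric."""
    dst_ip = ipaddress.IPv4Address(dst)
    best_key, best_iface = None, None
    for net, iface, metric in routes:
        network = ipaddress.IPv4Network(net)
        if dst_ip in network:
            key = (network.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_iface = key, iface
    return best_iface


# Routes the box has before the VPN comes up: the ISDN link is the Internet
# default route, the NIC serves the 192.168.1.0/24 LAN (both from the thread).
BASE_ROUTES: List[Route] = [
    ("0.0.0.0/0", "ISDN", 1),
    ("192.168.1.0/24", "LAN", 1),
]


def remote_gateway_on() -> List[Route]:
    """'Use default gateway on remote network' checked: the PPP adapter installs
    a second default route that outranks the ISDN one (assumed lower metric).
    Every non-local destination, Internet included, now goes into the tunnel."""
    return BASE_ROUTES + [("0.0.0.0/0", "VPN", 0)]


def remote_gateway_off() -> List[Route]:
    """Unchecked, assuming the tunnel adds no route for 10.1.0.0/16: traffic for
    the remote network still matches only the ISDN default route."""
    return list(BASE_ROUTES)


def split_tunnel() -> List[Route]:
    """Unchecked plus an explicit route for the remote network over the tunnel,
    e.g. 'route add 10.1.0.0 mask 255.255.0.0 <PPP adapter address>' on Windows."""
    return BASE_ROUTES + [("10.1.0.0/16", "VPN", 1)]


def classify(routes: List[Route]) -> dict:
    """Where three representative destinations are sent under a given table.
    198.51.100.7 is a constructed Internet address; 10.1.5.5 stands for the
    remote VPN server; 192.168.1.50 is a LAN client."""
    return {dst: lookup(routes, dst) for dst in ("198.51.100.7", "10.1.5.5", "192.168.1.50")}


if __name__ == "__main__":
    for name, table in (("remote gateway on", remote_gateway_on()),
                        ("remote gateway off", remote_gateway_off()),
                        ("split tunnel", split_tunnel())):
        print(f"{name:19}: {classify(table)}")
```

Only the split-tunnel table sends 10.1.x.x into the tunnel while leaving Internet traffic on the ISDN link; whether a given Windows release adds such a route automatically for the assigned PPP address differs, so checking the route table after the tunnel comes up is the first thing to verify.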
 
I assume you're using Windows ICS and the answer is no. A quick search on Windows ICS and IPSEC (Common VPN Protocol) will yield a response of no.

We use a piece of software called Wingate that is semi-ipsec/vpn friendly. When I say semi, it depends on the VPN provider's setup. Some VPN setups allow 'VPN through Firewall' and 'VPN over NAT' which basically tells the VPN server not to deny the packets if the headers are modified. If they run tight security on their VPN, most likely they won't allow modified headers and in which case you can't use any NAT method since NAT breaks some things with the IPSEC security.

Iota
 
I am not using ICS. I am using NAT through RRAS in Win2k server. To the best of my knowledge they are different. But I think you may be on to something when you say that if they are tight on security I can not use NAT of any kind. Any other comments on this?

Thanks for the help
 
First of all, a couple of questions for you.

W2K supports 2 types of vpn connections, L2TP (used in conjunction with IPSec) and PPTP.

Looking at the thread, I am assuming that you are using IPSec?

If this is the case, have you tried using PPTP?

When you say that other clients are successful, how are they connecting? Is it through the W2KPro, WinXP, Win98...?

Does this client with the W2K server have machines running behind his server using a Private IP address scheme?

More info would be helpful in diagnosing this problem.

 
Let's see. I have tried Auto, PPTP, and L2TP and all of them I get the same results. I get connected but can pass no traffic.

The other clients cover all the bases. There are Win98, WinNT, Win2K Pro. I am not sure there are other Win2K servers out there connecting. Trying to recreate the problem from my home I configured my server and if I have RRAS stopped I can setup a connection and connect up fine. Once I start RRAS I can no longer use the connection.

The client does have machines behind the Win2K box using a 192.168.1.X network. The VPN network we are connecting to is a 10.1.X.X network. The only unique config of this client and the ones that work is the NAT and it being on the same box that I want to VPN from.

Everything I read says this should work, or at least I think it should, but I have yet to successfully get it to work.

I am beginning to think that NAT and VPN have to be on separate boxes.

I plan to check with the Service provider tomorrow 4/1 to see if they have a config on the VPN server to allow connections that come from a VPN. See the 1st response to this thread. It does act like maybe the server is just dropping the packets because they have altered headers, but I need to talk to the service provider and see what they think.

Again any help on this topic is greatly appreciated.

Thanks
 
Trust me, NAT and VPN CAN BE on the same boxes.

Do you have an IM account on Yahoo? If so, please let me know so that I can try and give you a hand since posting on this messageboard is so time consuming. Are you game? If you do have IM on Yahoo, let me know what your handle/nickname is.

3 questions for you...

1. When connecting through the VPN from the successful client machines, are you using PPTP or L2TP? Not sure if this really matters at this point, just trying to get a picture of what you are using.

2. Do you plan to pass VPN traffic to just the problem W2K server OR to the problem W2K server AND the clients behind the problem W2K server?

3. When you say that you are able to establish a VPN connection with the W2K server, but cannot pass traffic, does the VPN adapter IP address (PPP?) of the W2K server match the IP address scheme of the remote network?

Please let me know what the answers are. Not promising anything at this point, but I may be able to help...
 
I have an IM account on yahoo. WebGuy2478

I have another client of mine subscribed to the same service using WinNT and a PPTP connection that works fine. According to the people at the service the VPN Server supports both protocols.

On Question 2 which ever is easier. At first I just wanted to pass to the Win2K box, but if I can get it to work anywhere on the network now I would be happy.

Once the VPN connection establishes I get an IP on the remote VPN network a 10.1.X.X address. This IP and adapter will go away if I disconnect.

Thank you for all the help so far and I look forward to any insight you may or may not have :)
 
Just an update. The VPN server is a Cisco VPN 3000 concentrator. It has a feature for NAT Transparent Mode. As I read it that must be turned on to allow IPSec through a NAT(PAT) box. Since I am using PAT I think this must be enabled for my connection to work. The service provider is checking their config now. We shall see.
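
The earlier reply's point that NAT "breaks some things with the IPSEC security" and this update's NAT Transparent Mode requirement are two sides of the same mechanism. The following is an added example, not code from the thread, from Windows or from the Cisco concentrator: a toy model of why an AH-style integrity check fails once a PAT box rewrites the source address, and why UDP-encapsulated ESP (the NAT traversal scheme of RFC 3948, UDP port 4500, which is what a NAT-transparent mode carries) survives the same rewrite. The key, the public address 203.0.113.10, the server address 198.51.100.1 and the inside host 192.168.1.20 are constructed; the HMAC stands in for the real ICV.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed toy model of IPsec integrity checks under NAT/PAT; not Windows 2000,
# RRAS or Cisco code. Key and addresses are constructed for the demo only.
KEY = b"constructed-demo-key"
INSIDE_HOST = "192.168.1.20"   # LAN host behind the NAT box (LAN range from the thread)
PUBLIC_IP = "203.0.113.10"     # constructed public address of the NAT box
VPN_SERVER = "198.51.100.1"    # constructed address of the remote VPN concentrator
PROTO_AH, PROTO_UDP = 51, 17
NAT_T_PORT = 4500              # UDP port used by IPsec NAT traversal (RFC 3948)


def ip_hdr(src: str, dst: str, proto: int) -> bytes:
    """Only the immutable IPv4 fields the model cares about: src, dst, protocol."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + bytes([proto])


def icv(data: bytes) -> bytes:
    """Integrity check value; HMAC-SHA256 stands in for the negotiated algorithm."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def build_ah(src: str, dst: str, payload: bytes) -> dict:
    """AH: the ICV is computed over the IP header's immutable fields (source
    address included) plus the payload, so any address rewrite invalidates it."""
    hdr = ip_hdr(src, dst, PROTO_AH)
    return {"ip": hdr, "icv": icv(hdr + payload), "payload": payload}


def verify_ah(pkt: dict) -> bool:
    return hmac.compare_digest(icv(pkt["ip"] + pkt["payload"]), pkt["icv"])


def build_esp_udp(src: str, dst: str, spi: int, seq: int, payload: bytes) -> dict:
    """NAT-T: ESP carried inside UDP/4500. The ICV covers only the ESP header and
    payload, never the outer IP or UDP header, so the NAT box may rewrite those."""
    esp = struct.pack("!II", spi, seq) + payload
    return {"ip": ip_hdr(src, dst, PROTO_UDP),
            "udp": struct.pack("!HH", NAT_T_PORT, NAT_T_PORT),
            "esp": esp, "icv": icv(esp)}


def verify_esp_udp(pkt: dict) -> bool:
    return hmac.compare_digest(icv(pkt["esp"]), pkt["icv"])


def pat_rewrite(pkt: dict, public_ip: str = PUBLIC_IP, public_port: int = 40001) -> dict:
    """What a PAT box does on the way out: rewrite the source address and, for
    UDP, the source port. Everything after the outer headers is forwarded as-is."""
    out = dict(pkt)
    dst, proto = pkt["ip"][4:8], pkt["ip"][8]
    out["ip"] = ipaddress.IPv4Address(public_ip).packed + dst + bytes([proto])
    if "udp" in pkt:
        _, dport = struct.unpack("!HH", pkt["udp"])
        out["udp"] = struct.pack("!HH", public_port, dport)
    return out


def ah_survives_pat() -> tuple:
    """(verifies before PAT, verifies after PAT) for an AH-protected packet."""
    pkt = build_ah(INSIDE_HOST, VPN_SERVER, b"ICMP echo request")
    return verify_ah(pkt), verify_ah(pat_rewrite(pkt))


def nat_t_survives_pat() -> tuple:
    """(verifies before PAT, verifies after PAT) for UDP-encapsulated ESP."""
    pkt = build_esp_udp(INSIDE_HOST, VPN_SERVER, spi=0x1000, seq=1, payload=b"ICMP echo request")
    return verify_esp_udp(pkt), verify_esp_udp(pat_rewrite(pkt))


if __name__ == "__main__":
    print("AH    before/after PAT:", ah_survives_pat())     # (True, False)
    print("NAT-T before/after PAT:", nat_t_survives_pat())  # (True, True)
```

Two things the toy leaves out matter in practice: plain ESP (IP protocol 50) has no port for a PAT box to multiplex on, so a single public address cannot carry it for more than one inside host, and transport-mode ESP still hides a TCP/UDP checksum computed over the original private address, which is why the NAT-T specification also includes a checksum fix-up on the receiving side. Both are reasons the concentrator side has to opt in to NAT transparency rather than the NAT box simply being configured around it.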
 