
Please advise regarding a VPN configuration

Status
Not open for further replies.

jayscot

MIS
Feb 2, 2001
25
US
The desire is to allow clients to connect to the lan via an internet connection.

-To start off, the lan is a win2k domain. The domain server is a separate box on the network running dhcp, dns and wins.

-The vpn server is also running win2k with 2 nics. TCPIP Filtering for nic1(wan) is configured to only permit tcp port 1723 and udp port 47. No other tcp, udp ports or ip protocols are permitted for the wan adapter (this may be a problem, I'm not sure).

-nic1(wan): has a static internal ip which has been mapped by the T1 provider to a static public ip:
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix :
Description . . . . . . . . . . : 10/100adapter
Physical Address. . . . . . . . : 00-20-78-1E-E
DHCP Enabled. . . . . . . . . . : No
IP Address. . . . . . . . . . . : 192.168.0.60
Subnet Mask . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . : 192.168.0.254
DNS Servers . . . . . . . . . . : 64.90.1.22
64.90.1.14
Primary WINS Server . . . . . . : 192.168.0.10

-nic2(lan): has a static internal ip:
Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix :
Description . . . . . . . . . . : 10/100adapter #2
Physical Address. . . . . . . . : 00-04-5A-57-D
DHCP Enabled. . . . . . . . . . : No
IP Address. . . . . . . . . . . : 192.168.0.101
Subnet Mask . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . :
DNS Servers . . . . . . . . . . : 192.168.0.57
192.168.0.10
Primary WINS Server . . . . . . : 192.168.0.10

-Used the routing and remote access wizard setup the vpn.

-Added the vpn server to "RAS and IAS Servers" group in the active directory.

-configured DHCP Relay for nic1(wan) using the lan's win2k dhcp server

-allowed "Dial-in" access to the user account(s) logging in.


At this point I had a client using winME test the connection. The client got as far as "Verifying user name and password" then got the error "Error 603: Unable to establish a connection". The client is behind a router, so I'm not sure if he needs to open any ports or not.


So far I'm stuck. Thanks in advance for any suggestions concerning my configuration.


Jay
 
If you have a T1 you must have a router of your own. What type of router is it? If it is a Cisco router you may need to make some changes. If you don't have control of the router, many ISPs do the config for you. Give them a call; the techs should know how to set up the router. Cisco blocks all ports out of the box and needs to allow GRE packets through and 1723. If you have any other router brand you will want to make sure it too has the right ports open. It is good practice to only allow traffic through your router that you need.

You may also want to get a public IP for your WAN connection. Your LAN and WAN cards are on the same subnet and, depending on your network's physical connections, you might be giving people access to your entire network by bypassing the firewall. With the current setup your LAN and WAN do not need to be routed. Your router is doing NAT and must know where to send VPN traffic. Never open your router up completely if you don't have to. If this doesn't work, we can look at your ISA server config.

Lots to think about; keep me posted.
 
Thanks,

Our ISP has given us a block of six public IP's which are directly mapped to six internal Lan IP's...for example:

192.168.0.10(lan) = 66.147.10.10(public)

this would be an example of the ip used for the multihomed vpn server. Basically it's DMZ'd (so to speak) with tcpip filtering enabled (only allowing tcp-1723 and udp-47). To the server's tcpip settings the ip is 192.168.0.10. To the rest of the internet it's 66.147.10.10.

The router is not a Cisco, and it is controlled by the ISP. It's actually an "Adtran" - "Total Access 850".

Jay

 
Well, I permitted all IP protocols in tcpip filtering and it worked. I can't browse yet, but this is further than where I was.
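The detail behind the two posts above: PPTP uses TCP port 1723 for its control connection and carries the tunnelled data in GRE, which is IP protocol number 47, not a UDP port. A filter that permits "TCP 1723 and UDP 47" therefore lets the client authenticate and then leaves the tunnel with no data path, while "permit all IP protocols" works but is wider than needed. The script below is an added example written for this thread (not code from the thread, from the poster, or from Microsoft). It models the three permit lists of the Win2k TCP/IP Filtering dialog and reports why a given rule set breaks or passes PPTP; treating the TCP, UDP and IP-protocol lists as independent of one another is a simplifying assumption of the model, and the three rule sets at the bottom are constructed to mirror the thread's stages.

```python
"""Check a Windows 2000-style "TCP/IP Filtering" rule set against what a
PPTP server must be able to receive on its WAN adapter.

Added example for this thread; not code from the thread or from Microsoft.
Each of the dialog's three lists (TCP ports, UDP ports, IP protocols) is
either "Permit All" or "Permit Only" the listed values. The model treats
the three lists independently, which is an assumption made for this check.
"""
from dataclasses import dataclass
from typing import Optional

# Protocol facts the check relies on.
PPTP_CONTROL_TCP_PORT = 1723   # PPTP control connection runs over TCP
GRE_IP_PROTOCOL = 47           # PPTP data is carried in GRE: IP protocol 47, not a UDP port


@dataclass(frozen=True)
class TcpIpFilter:
    """One permit list per tab; None stands for "Permit All"."""
    tcp_ports: Optional[frozenset] = frozenset()
    udp_ports: Optional[frozenset] = frozenset()
    ip_protocols: Optional[frozenset] = frozenset()

    @staticmethod
    def _permits(permit_list, value):
        return permit_list is None or value in permit_list

    def permits_tcp(self, port):
        return self._permits(self.tcp_ports, port)

    def permits_ip_protocol(self, proto):
        return self._permits(self.ip_protocols, proto)


def check_pptp(f: TcpIpFilter) -> dict:
    """Return {'works': bool, 'errors': [...], 'warnings': [...]}.

    errors   -> PPTP cannot complete (the "stuck after authentication" case)
    warnings -> PPTP works, but a rule is useless for PPTP or wider than needed
    """
    errors, warnings = [], []

    if not f.permits_tcp(PPTP_CONTROL_TCP_PORT):
        errors.append("TCP 1723 blocked: the PPTP control connection cannot be set up")

    if not f.permits_ip_protocol(GRE_IP_PROTOCOL):
        errors.append("IP protocol 47 (GRE) blocked: the control channel can negotiate, "
                      "but the tunnel data path never comes up")

    if f.udp_ports and 47 in f.udp_ports:
        warnings.append("'UDP port 47' does nothing for PPTP; GRE is IP protocol 47 "
                        "and belongs on the IP Protocols tab")

    if f.ip_protocols is None:
        warnings.append("IP Protocols set to 'Permit All': wider than PPTP needs; "
                        "permit only protocol 47 on that tab")

    return {"works": not errors, "errors": errors, "warnings": warnings}


# Constructed rule sets mirroring the thread's stages (not taken from any real host).
AS_POSTED = TcpIpFilter(tcp_ports=frozenset({1723}), udp_ports=frozenset({47}),
                        ip_protocols=frozenset())
PERMIT_ALL_IP = TcpIpFilter(tcp_ports=frozenset({1723}), udp_ports=frozenset({47}),
                            ip_protocols=None)
LEAST_PRIVILEGE = TcpIpFilter(tcp_ports=frozenset({1723}), udp_ports=frozenset(),
                              ip_protocols=frozenset({47}))

if __name__ == "__main__":
    for name, flt in (("as posted", AS_POSTED),
                      ("permit all IP protocols", PERMIT_ALL_IP),
                      ("least privilege", LEAST_PRIVILEGE)):
        result = check_pptp(flt)
        print(f"{name}: works={result['works']}")
        for line in result["errors"] + result["warnings"]:
            print("  -", line)
```

Run as-is, the first rule set fails on GRE only (the control channel is fine, which matches getting as far as the password check), the second passes with two warnings, and the third passes cleanly: TCP 1723 plus IP protocol 47 is the smallest set the server needs for PPTP.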
 
Did you do this on your ISA server? I wouldn't leave that too long. Your ISA server only needs 2 filters per protocol: 2 for L2TP and 2 for PPTP. Any other traffic is up to you, but allow all or deny none isn't safe. How is your routing and remote access set up? If I remember, the ISA VPN wizard will configure your RRAS for you. If you want a good ISA server site visit.


Make sure your clients get your DNS or WINS box for browsing. Try connecting to shares using IP addresses; if this works, traffic is flowing and you just need to resolve names.
 