VPN Behind NAT Router Confusion

[dougcoulter]

Hello all - I am looking to configure our domain controller (Server 2003) as a VPN. It, along with the rest of our small network (about 10 PCs) sits behind an Adtran Total Access 612 router (provided by our ISP). All of our PCs have nonroutable, private IP addresses.

My initial confusion is with understanding how remote clients will be able to see our VPN Server (which does not have a routable IP address). I am reading through the Microsoft Press book, Deploying VPNs with Server 2003, and it states that the 1st thing that I need to do is ensure the VPN Server is reachable externally - but it doesn't really say how to do this.

Can anyone shed some light on this for me? Thanks!

...Doug

 

[dougcoulter]

Also, in working through the deployment chapter of this book, I am configuring Routing and Remote Access Services via the Wizard. I a receiving an error during this process because I only have 1 NIC installed in the VPN Server. Why are multiple NICs required?

Thanks again...

...Doug

 

[soloeagle]

The Adtran routers use a very simplistic striped down version of the Cisco IOS software. Since your router is ISP supplied, do you have permission/access to be able to make programming modifications in it ?

What ultimately needs to be setup is a Network Address Translation (NAT) between an globally unique public outside ip address and one of your private inside addresses. Not sure if the Adtran's IOS is so stripped down that it is capable of NATing or not. All a mute point if you aren't even able to get into the Adtran to be able to configure it.

 

[dougcoulter]

Thanks for the response soleagle.

I have to work through our ISP's tech support to configure the router (but they seem willing to help). The router is capable of NATing.

So if I understand correctly, the router (which currently has an internet IP of 64.0.92.5) needs to be configured for another internet IP that translates to my internal VPN Server (IP address of 192.168.100.23)?

 

[soloeagle]

Well, depends actually.

There are four different classes of IP addresses.

Outside Global
Inside Global

Outside Private
Inside Private

The outside global is the 64.0.92.5 you listed, and your 192.168.100.23 is one address within a range in your subnet that is your Inside Private.

Inside Global addresses are globally unique ranges that are assigned to customer to use. Usually the range is 6 or 14, or 30 ip addresses wide.

Ask your ISP what types of IP addresses you have already been assigned and how many.

More than likely though you have only been assigned 1 global outside address, and no inside global addresses. the best case scenario is to have 6 or 14 (depends on your needs) inside global ip addresses to be able to do with them whatever you want (webservers, email servers, etc)

If it is true that you only have 1 outside global address, then you are kinda in a tough spot because that address is being used by NAT to NAT to when your internal hosts communicate to the Internet. To the internet's perspective it looks like all of your traffic is coming from 1 ip address. so to try to then use that same address again for public services gets hairy when it is already being used by NAT for your hosts. Your ISP will have to be very careful when they go to do the configuration so they get all of the IP Address / TCP&UDP Ports all lined up and mapped just right.

 

[pmf71]

May i make one remark to Dougcoulter:

NEVER NEVER EVER EVER publish your real IP's here...

This is candy for a hacker.

just thought you should know.

 

[PeterHurst]

As long as you are using PPTP this should be ok. IPSEC may be a problem however.. unless the VPN server is NAT-T compliant IPSEC won't work.

I haven't read into NAT-T too much yet, however it sounds like what I knew as IPSEC-UDP. Basically IPSEC is protocol type 50 - but it has no ports in the way TCP/UDP do (like port 80 for HTTP or 23 for Telnet).

Nat creates a problem because NAT keeps track of all the different streams it is NATing by frigging port numbers. IPSEC=no ports=noNAT. IPSEC-UDP (and I think NAT-T) encapsulate the IPSEC in a UDP packet (to port 2746 I remember vaguely) so that nat is capable of handling it.