RevelinoSuriname
Technical User
Hi,
We have set up a DMZ for one of our customers. I used an NVR600 and an ISA server 2004 to set up this solution. A schematic overview should look like this: Internet -> NVR600 -> DMZ -> LAN. On the external side of the DMZ we have an NVR600 with 3 interfaces. 2 of those interfaces are public interfaces and are connected to different ISPs. The LAN interface is connected to a DMZ switch. The ISA server has 2 interfaces. The ISA server's public interface is connected to the DMZ and the private interface is connected to the LAN. On the NVR600 I created a static route to the internal LAN so that VPN clients will be able to access the internal LAN. On the ISA server the appropriate rules have been created to allow traffic to and from the DMZ and the internal network.
We are facing 2 problems:
Problem 1 has a higher priority at this moment.
Problem 1: We have set up and enabled VPN on the NVR600 for external clients. We are able to create the VPN connection from an external client to the NVR600. After the tunnel has been created we are able to ping servers on the internal network. The traffic flows from the VPN client to the NVR600, which looks up its routing table and sends the traffic to the public interface of the ISA server. On the ISA server we created a route relationship between the DMZ and the internal network. So finally the ping traffic reaches the internal servers. We have an Exchange server running on the internal network and also some file and application servers. The VPN client is also able to ping those servers by hostname, so DNS works OK. I should mention that the client only uses DNS and no WINS. I mention that because I read something about WINS being needed for the VPN client to be able to browse the internal network. But if you know a file share by UNC it's not necessary, I think.
From the VPN client we are not able to browse the file shares on the internal network, and the client also can't connect to the Exchange server. Does anyone have an idea what the problem might be, or can give me some clues where I can look? Is WINS needed for Nortel VPN to work?
Problem 2: Remember me saying we have 2 ISPs connected to the NVR. Say, for example, ISP A and ISP B.
On the NVR the default route 0.0.0.0 goes via ISP A by default because it has a higher metric, and I also added a default route with a lower metric to go via ISP B. Only after the link with ISP A goes down does the default route for ISP B come up. Some sort of fallback/redundancy. Now, say that the default route is using the interface for ISP A: when I connect from a client connected to ISP A's network I am able to create the VPN connection to the ISP A public address on the NVR600. Now when I try to create a tunnel from a client connected to ISP A's network to the public IP of ISP B on the NVR600 I am not able to create the VPN connection. When I change the metrics for the default routes so that ISP B's interface handles default route traffic, the opposite happens. I am able to create a tunnel from a client connected to ISP A to the public IP of ISP B on the NVR600 but not able to create the tunnel to the public IP of ISP A on the NVR600. The ultimate goal is to make a VPN connection from any client on the internet to both public IP addresses of both ISPs. Any help would be appreciated.