Re: RRAS, NAT & External VPN Problem

From: Bill (ijwalla_at_hotmail.com)
Date: 09/05/04


Date: 5 Sep 2004 00:58:44 -0700

Thanks Bill,

I'll give that a go on Monday when I'm back to work and post my
results.

Just to be sure, I was told by someone that I would also need to look
into NAT traversal, something about packet headers being changed if
there exists a NAT router in front of the final destination address.
I have to be honest I'm not sure what that means..

Anyways your help has been greatly appreciated...

Bill Williams.

"Bill Grant" <not.available@online> wrote in message news:<ez5TVdikEHA.3556@TK2MSFTNGP12.phx.gbl>...
> You were on the right track, but you can't route directly from the
> firewall in LAN2 to the RRAS router in LAN1. Is the VPN actually configured
> between the two firewalls? (ie are the firewalls the endpoint of the VPN
> link?) If so, you can do it in two hops.
>
> So your original plan will work. But the target should be the VPN router
> (ie the firewall in LAN 1), not the RRAS router. On the firewall in LAN2,
> there should be a route to 10.0.0.0 255.255.255.0 using the tunnel
> endpoint in LAN2 as the interface. The traffic will go through the tunnel to
> the firewall in LAN1. This firewall should then have a static route to
> forward the traffic to the RRAS router. eg
>
> 10.0.0.0 255.255.255.0 192.168.10.12
>
> "Bill" <ijwalla@hotmail.com> wrote in message
> news:cbca622d.0409031039.79d32bd0@posting.google.com...
> > Hello, our company is in the process of connecting two sites via a VPN,
> > however we have come to a stump as to how to address the following
> > problem, any assistance would be greatly appreciated.
> >
> > Here's the network (sorry about the diagram, it's the best I could
> > do):
> >
> > LAN 2
> >
> > (sUBNET 10.0.3.0)
> >
> > w/s1 w/s2 w/s3
> > ! ! !
> > ----------------------------------------
> > !
> > !
> > !
> > !(10.0.3.10 LAN)
> > zYWALL2 VPN
> > !(192.168.2.2 WAN)
> > !
> > !
> > !(192.168.2.1 LAN)
> > ADSL
> > !(212.34.23.123 WAN)
> > !
> > !
> > !
> > !
> > $VPN VPN VPN VPN$
> > !
> > !
> > !
> > !(212.34.23.124 WAN)
> > ADSL
> > !(192.168.3.1 LAN)
> > !
> > !
> > !(192.168.3.2 WAN)
> > zYWALL1 VPN
> > !(192.168.10.9 LAN)
> > !
> > !
> > !
> > !
> > !(192.168.10.12 NIC2)
> > W2K RRAS--------------------------- CABLE MODEM (192.168.10.10)
> > !(10.0.0.5 NIC1)
> > !
> > !
> > !
> > ----------------------------------------
> > ! ! !
> > w/s1 w/s2 w/s3
> > (sUBNET 10.0.0.0)
> >
> > LAN 1
> >
> >
> >
> > LAN 1 clients have their default gateway set to 10.0.0.5, the ip of
> > our RRAS NAT box. Within RRAS a static route has been setup to forward
> > all requests for 10.0.3.0 to gateway 192.168.10.9 (out Zywall router),
> > which in turn sends it via the VPN link. All other requests to the RRAS
> > NAT server are routed to our cable modem for internet access.
> >
> > This works perfectly, however from LAN 2 no inbound requests can get
> > through.
> > A static route has been setup on Zywall 1 to route anything for
> > 10.0.0.0 to our RRAS NAT server on 192.168.10.12 NIC2, however this
> > still does not work, and to be honest I am guessing it is not able to
> > do that either.
> >
> > So I then added another Network Card ((NIC3)ip 192.168.10.13) to our
> > RRAS NAT server and configured our Zywall to route anything to
> > 10.0.0.0 to that interface's IP. I added another static route to the
> > RRAS NAT server so that all incoming packets on NIC3 would be routed
> > through NIC1 to our LAN clients.
> >
> > I am not sure if this is the appropriate way to do this.
> > I should also point out that LAN 1 clients must use the cable line for
> > their internet and not the ADSL line as LAN 2 clients do.
> >
> > I am sure this would not be a problem if we didn't have two gateways.
> > Tho I'm not sure, can this be a NAT related issue?
> >
> > Your help is much appreciated.
> >
> > Bill
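
Added example, not part of the original posts: a small Python model of the static routes discussed in this thread, tracing a request from LAN 2 to LAN 1 and the reply back, so a missing route in either direction shows up as a wrong path. Assumptions: both LANs are /24, the ZyWALLs are the tunnel endpoints, NAT on the RRAS box is not modelled, and the host addresses 10.0.0.20 and 10.0.3.20 are constructed.

```python
import ipaddress

# Constructed model of the thread's topology (not a device config).
# Assumed: both LANs are /24, the ZyWALLs terminate the tunnel, NAT is ignored.
ROUTES = {
    "zywall2": [("10.0.3.0/24", "LAN2"),
                ("10.0.0.0/24", "zywall1")],      # through the tunnel
    "zywall1": [("10.0.3.0/24", "zywall2"),       # back through the tunnel
                ("10.0.0.0/24", "rras")],         # static route via 192.168.10.12
    "rras":    [("10.0.0.0/24", "LAN1"),
                ("10.0.3.0/24", "zywall1"),       # static route via 192.168.10.9
                ("0.0.0.0/0", "cable_modem")],    # default: internet via cable
}
TERMINALS = {"LAN1", "LAN2", "cable_modem", "no route"}


def next_hop(routes, device, dst):
    """Return the next hop chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes.get(device, []):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(routes, start, dst, max_hops=8):
    """Follow routing decisions hop by hop and return the path taken."""
    path = [start]
    while path[-1] not in TERMINALS and len(path) <= max_hops:
        path.append(next_hop(routes, path[-1], dst) or "no route")
    return path


def without_route(routes, device, prefix):
    """Copy of the tables with one route removed, to test a missing entry."""
    copy = {d: list(r) for d, r in routes.items()}
    copy[device] = [r for r in copy[device] if r[0] != prefix]
    return copy


if __name__ == "__main__":
    print(trace(ROUTES, "zywall2", "10.0.0.20"))   # LAN2 -> LAN1 request
    print(trace(ROUTES, "rras", "10.0.3.20"))      # LAN1 -> LAN2 reply
    broken = without_route(ROUTES, "rras", "10.0.3.0/24")
    print(trace(broken, "rras", "10.0.3.20"))      # reply leaves via cable modem
```

With the RRAS route for 10.0.3.0 removed, the reply follows the default route to the cable modem instead of returning through the tunnel, which is why both directions have to be checked.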

