Re: Unable to access private network from the VPN (NAT)




Not sure how you are NATting with one interface, but
other posts with similar symptoms with VPN clients being
able to connect to local network servers have added
the internal interface to the NAT protocol config using
a netsh command-line entry. It sounds like you have a DHCP
pool in RRAS that is registering a different network
address to remote VPN clients over your local NIC's
assigned network address.

"Linh" <Linh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:700EB76E-8193-4506-BF89-0DF7E42DFCAD@xxxxxxxxxxxxxxxx
> Bill,
>
> First off thanks for your time. I have the VPN setup with one network
> interface. Clients get assigned an ip address and they are on the same
> subnet. However they can't access any of the machines on the network. I'm
> back to the same problem where I had to specify services/ports for each
> machine then I can access the machine =/
>
> Any ideas?
>
> "Bill Grant" wrote:
>
> > If the remotes are receiving IP addresses in the same IP subnet as the
> > LAN machines it should happen automatically. The server acts as a proxy for
> > the remotes and forwards traffic on to LAN machines. In the other direction
> > the server does proxy ARP for the clients, gets the packet and forwards it
> > across the VPN link.
> >
> > If the remotes are in a different IP subnet you need to route the remote
> > traffic through the RRAS server.
> >
> > Linh wrote:
> > > Bill,
> > >
> > > I'm fine with having the router send traffic from the outside world
> > > to the VPN server. My problem then becomes how do I tell the win2k3
> > > server that I want the VPN user to have access to entire private
> > > network?
> > >
> > > Thanks Bill...
> > >
> > > "Bill Grant" wrote:
> > >
> > >> If you use two NICs, they need to be in different IP subnets.
> > >> Whether you use one NIC or two depends on how you configure the LAN.
> > >> They will both work.
> > >>
> > >> With one NIC, the server is just another machine on the LAN and
> > >> uses the router as the gateway (as do the other LAN machines). With
> > >> two NICs, the server becomes the default gateway for the LAN.
> > >> The "public" NIC connects to the router on a different IP subnet. You
> > >> need to use this setup if you want to use the server to filter
> > >> traffic between the LAN and the outside world. In the one NIC model,
> > >> you would need to do that at the router.
> > >>
> > >> Linh wrote:
> > >>> To be honest that doesn't make sense since you can run the VPN from
> > >>> one interface... Bill what is your take =)
> > >>>
> > >>> "Scott Harding" wrote:
> > >>>
> > >>>> You need two interfaces on 2 different subnets for this to work.
> > >>>>
> > >>>> --
> > >>>> Scott Harding
> > >>>> MCSE, MCSA, A+, Network+
> > >>>> Microsoft MVP - Windows NT Server
> > >>>>
> > >>>> "Linh" <Linh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > >>>> news:AA4D7CDC-F89E-4CB0-910B-0A2C94C356A0@xxxxxxxxxxxxxxxx
> > >>>>> I've actually tried with only one interface... I'll give it a try
> > >>>>> again but it wasn't working before... =/
> > >>>>>
> > >>>>> Even before when I was using one interface the only way I could
> > >>>>> connect to specific servers was by clicking on NAT/Basic Filtering
> > >>>>> and then click on the
> > >>>>> interface ...under there you will see a Services and Ports ... I
> > >>>>> select a service or add a port and the ip I want to access and the
> > >>>>> next time I connect
> > >>>>> to the vpn I can access the machine.
> > >>>>>
> > >>>>> I'd like to access all machines without having to do that...
> > >>>>>
> > >>>>> thanks for all the help=) hopefully I can figure this out...
> > >>>>>
> > >>>>> "Bill Grant" wrote:
> > >>>>>
> > >>>>>> I don't understand the last bit. How can you "allow routing
> > >>>>>> on port 22"! IP routing works on IP addresses. Port
> > >>>>>> forwarding/filtering is a completely different thing.
> > >>>>>>
> > >>>>>> In addition, why does the server have two interfaces in the
> > >>>>>> same IP subnet? RRAS does funny things when this is the case. You
> > >>>>>> only need two interfaces if the server is directly connected
> > >>>>>> to the Internet (ie one public and one private). If you are
> > >>>>>> behind a router, the router is the public interface.
> > >>>>>>
> > >>>>>> I would give the server just one NIC and one IP address.
> > >>>>>> Forward tcp port 1723 from the router to this IP address. This
> > >>>>>> extends the VPN connection to the server. All VPN traffic will be
> > >>>>>> encrypted and encapsulated
> > >>>>>> between the remote client and the server. After it reaches the
> > >>>>>> server it will be decrypted and forwarded to the LAN with its
> > >>>>>> private address.
> > >>>>>>
> > >>>>>> "Linh" <Linh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > >>>>>> news:C435BAD7-EC48-42E6-B7D6-172AFA6B735E@xxxxxxxxxxxxxxxx
> > >>>>>>> I have two interfaces on the windows2k3 machine. The first
> > >>>>>>> interface is 192.168.1.181 and the second is .182 (yes they are
> > >>>>>>> on the same router)
> > >>>>>>>
> > >>>>>>> I'm connecting to the VPN from an external site (somewhere over
> > >>>>>>> the internet).
> > >>>>>>> Yes, I'm connected to the VPN! The external machine gets an
> > >>>>>>> internal IP address and it's able to ping the interfaces on the
> > >>>>>>> VPN server. Not only that, if I allow routing to 192.168.1.69
> > >>>>>>> on port 22 I can ssh to that machine from the external
> > >>>>>>> computer. Yes, the machine is on the VPN.
> > >>>>>>>
> > >>>>>>> It's not an "internet" issue.
> > >>>>>>>
> > >>>>>>> "Bill Grant" wrote:
> > >>>>>>>
> > >>>>>>>> Are you sure you are actually connecting by VPN? The
> > >>>>>>>> symptoms you describe fit the case when you are connecting
> > >>>>>>>> directly through the Internet!
> > >>>>>>>>
> > >>>>>>>> If you connect by VPN, your client should be receiving a
> > >>>>>>>> private IP
> > >>>>>>>> address. Its connection to the server should be through the
> > >>>>>>>> "virtual" interface of the server. Any port forwarding settings
> > >>>>>>>> on the server should
> > >>>>>>>> have no effect on this connection. The VPN traffic comes
> > >>>>>>>> through the "public" interface encrypted and encapsulated and
> > >>>>>>>> is not seen by that interface.
> > >>>>>>>>
> > >>>>>>>> "Linh" <Linh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > >>>>>>>> news:996258F3-F8E4-4813-906B-1099206896F3@xxxxxxxxxxxxxxxx
> > >>>>>>>>> I'm sorry, I guess I was unclear. I'm unable to access the
> > >>>>>>>>> machines on the private interface. I'm unable to ping them.
> > >>>>>>>>> However, if I forward ports to these servers then I'm able to
> > >>>>>>>>> connect to 192.168.1.machinIP
> > >>>>>>>>>
> > >>>>>>>>> I would like open access to all machines...
> > >>>>>>>>>
> > >>>>>>>>> thanks!
> > >>>>>>>>>
> > >>>>>>>>> "Scott Harding" wrote:
> > >>>>>>>>>
> > >>>>>>>>>> This is typically because of misconfigured DNS/WINS settings.
> > >>>>>>>>>> They won't be able to browse through Network Neighborhood but
> > >>>>>>>>>> should be able to access resources by name.
> > >>>>>>>>>>
> > >>>>>>>>>> --
> > >>>>>>>>>> Scott Harding
> > >>>>>>>>>> MCSE, MCSA, A+, Network+
> > >>>>>>>>>> Microsoft MVP - Windows NT Server
> > >>>>>>>>>>
> > >>>>>>>>>> "Linh" <Linh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > >>>>>>>>>> news:174AF13F-9D3A-40E2-A292-B3E6F8BC1A73@xxxxxxxxxxxxxxxx
> > >>>>>>>>>>> I have users successfully connecting to the VPN through my
> > >>>>>>>>>>> public, they are able to access both interfaces on the VPN
> > >>>>>>>>>>> server however they are unable to access any of the machines
> > >>>>>>>>>>> on the private network. Within the Windows 2003 VPN setup I
> > >>>>>>>>>>> was able to forward ports to specific machines and have the
> > >>>>>>>>>>> VPN users access that but ideally I would like to give the
> > >>>>>>>>>>> users unrestricted access to the private network. Is this
> > >>>>>>>>>>> possible if so how? Private network is 192.168.1.0/24
> >
> >
> >
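
The same-subnet versus different-subnet distinction discussed in the thread can be checked before touching RRAS. The following is an added example, not code from any poster: the function name `vpn_pool_plan` is hypothetical, the LAN (192.168.1.0/24) and server address (192.168.1.181) come from the thread, and the pool ranges are constructed.

```python
import ipaddress

def vpn_pool_plan(lan_cidr, server_ip, pool_start, pool_end):
    """Classify an RRAS static address pool against the LAN subnet.

    Returns a dict with 'mode' ('on-subnet', 'off-subnet' or 'straddles'),
    'routes' the LAN gateway would need, and a list of 'warnings'.
    """
    lan = ipaddress.ip_network(lan_cidr)
    server = ipaddress.ip_address(server_ip)
    first = ipaddress.ip_address(pool_start)
    last = ipaddress.ip_address(pool_end)
    if first > last:
        raise ValueError("pool start is above pool end")

    # CIDR blocks that cover the pool range exactly.
    blocks = list(ipaddress.summarize_address_range(first, last))
    warnings, routes = [], []

    if all(b.subnet_of(lan) for b in blocks):
        # Same subnet: server proxy-ARPs for clients, no routes needed.
        mode = "on-subnet"
        if first <= server <= last:
            warnings.append(f"pool contains the server address {server}")
        if first == lan.network_address or last == lan.broadcast_address:
            warnings.append("pool includes the network or broadcast address")
    elif not any(b.overlaps(lan) for b in blocks):
        # Different subnet: LAN hosts reach clients only if their gateway
        # has a route to the pool with the RRAS server as next hop.
        mode = "off-subnet"
        routes = [(str(b), str(server)) for b in blocks]
    else:
        mode = "straddles"
        warnings.append("pool is partly inside and partly outside the LAN")
    return {"mode": mode, "routes": routes, "warnings": warnings}


if __name__ == "__main__":
    # LAN and server address are from the thread; the pools are constructed.
    for pool in [("192.168.1.200", "192.168.1.220"),
                 ("192.168.1.180", "192.168.1.190"),
                 ("10.10.10.0", "10.10.10.15")]:
        print(pool, vpn_pool_plan("192.168.1.0/24", "192.168.1.181", *pool))
```
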

