Re: Unable to access private network from the VPN (NAT)
- From: "Scott Harding" <scrockel@**NO_SPAM**hotmail.com>
- Date: Thu, 7 Apr 2005 17:42:20 -0700
One nic gets you to the machine, if you want to go further you will need two
nics on two different subnets. Obviously it doesn't work the way you have it
and I have done this a million times. You need two nics and this problem
will go away.
--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server
"Bill Grant" <not.available@online> wrote in message
news:%23JWKEAzOFHA.688@xxxxxxxxxxxxxxxxxxxxxxx
> Right about what? I don't see anything that Scott and I disagree about.
> If you use two NICs, they must be in different IP subnets.
>
> Linh wrote:
>> Ok now I guess the question is who is right =/
>>
>> "Scott Harding" wrote:
>>
>>> This won't work with 1 nic. You need two nics on different subnets.
>>>
>>> --
>>> Scott Harding
>>> MCSE, MCSA, A+, Network+
>>> Microsoft MVP - Windows NT Server
>>>
>>> "BP" <anonymous> wrote in message
>>> news:OVzFodeOFHA.164@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Not sure how you are natting with one interface but
>>>> other posts with similar symptoms with vpn clients being
>>>> able to connect to local network servers have added
>>>> the internal interface to the nat protocol config using
>>>> netsh cmd line entry. It sounds like you have a dhcp
>>>> pool in rras that is registering a different network
>>>> address to remote vpn clients over your local nic's
>>>> assigned network address.
>>>>
>>>> "Linh" <Linh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>> news:700EB76E-8193-4506-BF89-0DF7E42DFCAD@xxxxxxxxxxxxxxxx
>>>>> Bill,
>>>>>
>>>>> First off thanks for your time. I have the VPN setup with one
>>>>> network interface. Clients get assigned an ip address and they
>>>>> are on the same subnet. However they can't access any of the
>>>>> machines on the network. I'm back to the same problem where I had
>>>>> to specify services/ports for each machine then I can access the
>>>>> machine =/
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> "Bill Grant" wrote:
>>>>>
>>>>>> If the remotes are receiving IP addresses in the same IP subnet
>>>>>> as the LAN machines it should happen automatically. The server
>>>>>> acts as a proxy for the remotes and forwards traffic on to LAN
>>>>>> machines. In the other direction the server does proxy ARP for
>>>>>> the clients, gets the packet and forwards it across the VPN link.
>>>>>>
>>>>>> If the remotes are in a different IP subnet you need to route the
>>>>>> remote traffic through the RRAS server.
>>>>>>
>>>>>> Linh wrote:
>>>>>>> Bill,
>>>>>>>
>>>>>>> I'm fine with having the router send traffic from the outside
>>>>>>> world to the VPN server. My problem then becomes how do I tell
>>>>>>> the win2k3 server that I want the VPN user to have access to
>>>>>>> entire private network?
>>>>>>>
>>>>>>> Thanks Bill...
>>>>>>>
>>>>>>> "Bill Grant" wrote:
>>>>>>>
>>>>>>>> If you use two NICs, they need to be in different IP
>>>>>>>> subnets. Whether you use one NIC or two depends on how you
>>>>>>>> configure the LAN. They will both work.
>>>>>>>>
>>>>>>>> With one NIC, the server is just another machine on the LAN
>>>>>>>> and uses the router as the gateway (as do the other LAN
>>>>>>>> machines). With two NICs, the server becomes the default
>>>>>>>> gateway for the LAN. The "public" NIC connects to the router on
>>>>>>>> a different IP subnet. You need to use this setup if you want
>>>>>>>> to use the server to filter traffic between the LAN and the
>>>>>>>> outside world. In the one NIC model, you would need to do that
>>>>>>>> at the router.
>>>>>>>>
>>>>>>>> Linh wrote:
>>>>>>>>> To be honest that doesn't make sense since you can run the VPN
>>>>>>>>> from one interface... Bill what is your take =)
>>>>>>>>>
>>>>>>>>> "Scott Harding" wrote:
>>>>>>>>>
>>>>>>>>>> You need two interfaces on 2 different subnets for this to
>>>>>>>>>> work.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Scott Harding
>>>>>>>>>> MCSE, MCSA, A+, Network+
>>>>>>>>>> Microsoft MVP - Windows NT Server
>>>>>>>>>>
>>>>>>>>>> "Linh" <Linh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>>>>>> news:AA4D7CDC-F89E-4CB0-910B-0A2C94C356A0@xxxxxxxxxxxxxxxx
>>>>>>>>>>> I've actually tried with only one interface... I'll give it
>>>>>>>>>>> a try again but it wasn't working before... =/
>>>>>>>>>>>
>>>>>>>>>>> Even before when I was using one interface the only way I
>>>>>>>>>>> could connect to specific servers was by clicking on
>>>>>>>>>>> NAT/Basic Filtering and then click on the interface ...under
>>>>>>>>>>> there you will see a Services and Ports ... I select a
>>>>>>>>>>> service or add a port and the ip I want to access and the
>>>>>>>>>>> next time I connect to the vpn I can access the machine.
>>>>>>>>>>>
>>>>>>>>>>> I'd like to access all machines without having to do that...
>>>>>>>>>>>
>>>>>>>>>>> thanks for all the help=) hopefully I can figure this out...
>>>>>>>>>>>
>>>>>>>>>>> "Bill Grant" wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I don't understand the last bit. How can you "allow
>>>>>>>>>>>> routing on port 22"! IP routing works on IP addresses.
>>>>>>>>>>>> Port forwarding/filtering is a completely different thing.
>>>>>>>>>>>>
>>>>>>>>>>>> In addition, why does the server have two interfaces
>>>>>>>>>>>> in the same IP subnet? RRAS does funny things when this is
>>>>>>>>>>>> the case. You only need two interfaces if the server is
>>>>>>>>>>>> directly connected to the Internet (ie one public and one
>>>>>>>>>>>> private). If you are behind a router, the router is the
>>>>>>>>>>>> public interface.
>>>>>>>>>>>>
>>>>>>>>>>>> I would give the server just one NIC and one IP address.
>>>>>>>>>>>> Forward tcp port 1723 from the router to this IP address.
>>>>>>>>>>>> This extends the VPN connection to the server. All VPN
>>>>>>>>>>>> traffic will be encrypted and encapsulated between the
>>>>>>>>>>>> remote client and the server. After it reaches the server
>>>>>>>>>>>> it will be decrypted and forwarded to the LAN with its
>>>>>>>>>>>> private address.
>>>>>>>>>>>>
>>>>>>>>>>>> "Linh" <Linh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>>>>>>>> news:C435BAD7-EC48-42E6-B7D6-172AFA6B735E@xxxxxxxxxxxxxxxx
>>>>>>>>>>>>> I have two interfaces on the windows2k3 machine. The first
>>>>>>>>>>>>> interface is 192.168.1.181 and the second is .182 (yes
>>>>>>>>>>>>> they are on the same router)
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm connecting to the VPN from an external site (somewhere
>>>>>>>>>>>>> over the internet)
>>>>>>>>>>>>> Yes I'm connected to the vpn! The external machine gets an
>>>>>>>>>>>>> internal ip address and it's able to ping the interfaces on
>>>>>>>>>>>>> the VPN server. Not only that if I allow routing to
>>>>>>>>>>>>> 192.168.1.69 on port 22 I can ssh to that machine from
>>>>>>>>>>>>> the external computer. Yes the machine is on the VPN
>>>>>>>>>>>>>
>>>>>>>>>>>>> It's not an "internet" issue
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Bill Grant" wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Are you sure you are actually connecting by VPN? The
>>>>>>>>>>>>>> symptoms you describe fit the case when you are connecting
>>>>>>>>>>>>>> directly through the Internet!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you connect by VPN, your client should be receiving a
>>>>>>>>>>>>>> private IP address. Its connection to the server should be
>>>>>>>>>>>>>> through the "virtual" interface of the server. Any port
>>>>>>>>>>>>>> forwarding settings on the server should have no effect on
>>>>>>>>>>>>>> this connection. The VPN traffic comes through the "public"
>>>>>>>>>>>>>> interface encrypted and encapsulated and is not seen by
>>>>>>>>>>>>>> that interface.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Linh" <Linh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>>>>>>>>>> news:996258F3-F8E4-4813-906B-1099206896F3@xxxxxxxxxxxxxxxx
>>>>>>>>>>>>>>> I'm sorry I guess I was unclear. I'm unable to access
>>>>>>>>>>>>>>> the machines on the private interface. I'm unable to
>>>>>>>>>>>>>>> ping them. However if I forward ports to these servers
>>>>>>>>>>>>>>> then I'm able to connect to 192.168.1.machinIP
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I would like open access to all machines...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> thanks!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Scott Harding" wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This is typically because of misconfigured DNS/WINS
>>>>>>>>>>>>>>>> settings. They won't be able to browse through Network
>>>>>>>>>>>>>>>> neighborhood but should be able to access resources by
>>>>>>>>>>>>>>>> name.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Scott Harding
>>>>>>>>>>>>>>>> MCSE, MCSA, A+, Network+
>>>>>>>>>>>>>>>> Microsoft MVP - Windows NT Server
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Linh" <Linh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>>>>>>>>>>>> news:174AF13F-9D3A-40E2-A292-B3E6F8BC1A73@xxxxxxxxxxxxxxxx
>>>>>>>>>>>>>>>>> I have users successfully connecting to the VPN
>>>>>>>>>>>>>>>>> through my public, they are able to access both
>>>>>>>>>>>>>>>>> interfaces on the VPN server however they are unable
>>>>>>>>>>>>>>>>> to access any of the machines on the private network.
>>>>>>>>>>>>>>>>> Within the Windows 2003 VPN setup I was able to forward
>>>>>>>>>>>>>>>>> ports to specific machines and have the VPN users
>>>>>>>>>>>>>>>>> access that but ideally I would like to give the users
>>>>>>>>>>>>>>>>> unrestricted access to the private network. Is this
>>>>>>>>>>>>>>>>> possible if so how? Private network is 192.168.1.0/24
>
>
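The addressing rules quoted in this thread (a client pool inside the LAN subnet is served by proxy ARP, a pool outside it needs a route through the RRAS server, and two server interfaces in one subnet are suspect) can be checked mechanically. The following is an added example, not part of any poster's message; the NIC addresses and LAN are the ones given in the thread, while the client pool ranges and the finding codes are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_interface, ip_network
from itertools import combinations


def diagnose(server_nics, pool_first, pool_last, lan_cidr):
    """Return a list of (code, detail) findings for an RRAS VPN layout.

    server_nics: interface addresses in CIDR form, e.g. "192.168.1.181/24"
    pool_first/pool_last: first and last address handed to VPN clients
    lan_cidr: the private network the clients should reach
    """
    lan = ip_network(lan_cidr)
    nics = [ip_interface(n) for n in server_nics]
    first, last = ip_address(pool_first), ip_address(pool_last)
    findings = []

    # Two server interfaces in one IP subnet: the layout questioned in the thread.
    for a, b in combinations(nics, 2):
        if a.network.overlaps(b.network):
            findings.append(("NICS_SAME_SUBNET", f"{a.ip} and {b.ip} are both in {a.network}"))

    # A pool is a contiguous range, so it lies inside the LAN iff both ends do.
    if first in lan and last in lan:
        findings.append(("ON_SUBNET_PROXY_ARP",
                         "server answers ARP for clients; LAN hosts need no route"))
    else:
        findings.append(("OFF_SUBNET_NEEDS_ROUTE",
                         "LAN hosts or their gateway need a route to the pool via the server"))

    # A pool that includes a server address would hand out a duplicate IP.
    for n in nics:
        if first <= n.ip <= last:
            findings.append(("POOL_OVERLAPS_NIC", f"{n.ip} is inside the client pool"))
    return findings


def codes(findings):
    """Reduce findings to their codes for quick comparison."""
    return [code for code, _ in findings]


# Constructed inputs: NIC addresses and LAN are from the thread, pools are assumed.
LINH_TWO_NICS = diagnose(["192.168.1.181/24", "192.168.1.182/24"],
                         "192.168.1.200", "192.168.1.220", "192.168.1.0/24")
ONE_NIC_OFF_SUBNET = diagnose(["192.168.1.181/24"],
                              "10.10.10.1", "10.10.10.20", "192.168.1.0/24")

if __name__ == "__main__":
    for name, result in (("two NICs", LINH_TWO_NICS), ("one NIC", ONE_NIC_OFF_SUBNET)):
        print(name, result)
```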