Re: VPN - desperate housewife part 2

Putting the router in DMZ mode opens up a whole new can of worms. You
would probably get three (or more) different answers from three security
experts on this!

My personal opinion would be to go back to a two NIC setup on the server
if you do that. You would connect only the "public" NIC of the server to the
router and connect your private LAN only to the "private" NIC of the server
(using a second hub/switch and a different IP subnet). This isolates your
private LAN from the rudimentary DMZ, which is the server-router link.

This would require a bit more work to configure. Your server is now the
default router for the private LAN, and you would need to configure NAT on
it as well as remote access. You would also need to configure DHCP on it for
your private LAN (unless you are happy to configure the clients manually).
They will not be able to use DHCP from the router. You could also set up a
software firewall on this server if you felt you needed to.

The setup would look like this.

Internet
|
public IP
router
192.168.1.254
|
192.168.1.10 dg 192.168.1.254
RRAS/NAT server
192.168.21.1 dg blank
|
clients
192.168.21.x dg 192.168.21.1

This setup does NAT translation twice but I don't think you would be
inconvenienced by that. You might like to configure the DNS address of your
ISP DNS server directly on the clients so that they access it directly
(rather than by DNS proxy in NAT). But VPN from outside should work fine
because all traffic reaching the router's public IP comes to the server. The
VPN clients will get IP addresses in the 192.168.21.x subnet and have
access to the LAN machines as well as the server itself.

This discussion has got a bit off topic. You could contact me directly
using the username grantaw at aliencamel dot com . I check my
mail most days. If you are in the US or Europe, there may be a delay because
of time zones. I'm in Australia.

Debora wrote:
> Bill, I'm extremely grateful for your help. I have also read a lot of
> your replies to others and I finally believe I have 'got' this Remote
> Access. I plan to start again when in office with approp. wizard.
>
> I will disable NIC (internet), run RRAS wizard with 'Remote Access'
> selection, NOT VPN selection, set up Router with approp. ports and
> GRE (see below), and testing as you stated.
>
> Further to your reply, further study of the Router guide states that a
> VPN server can be hosted, but to allow VPN client inbound the "Allow
> all applications" rule must be selected. All traffic is then
> directed to Server. The Server will be placed in DMZ mode, the Router
> will still provide Stateful Packet Inspection (Denial of
> Service/Attack Detection etc) but recommends another firewall be in
> place.
>
> I want to ask some more and hope your patience is still intact.
> 1. Is my thinking about right or have I missed it again?
> 2. With your solution and Router guidance, will it still allow normal
> LAN access to the server for LAN clients (being brave, I assume YES as
> there are now NO blocking filters on the NIC)?
> 3. I assume that our 5 static IPs and 2nd NIC are really useless for
> this setup?
> 4. Lastly, do you feel it is important to have a further firewall,
> which will probably be a software one?
>
> Bill thanks again for your invaluable help and advice. If I get this
> to work I will ask my boss to send you some sort of fee for my server
> training and RRAS setup help. I will post again with the outcome. (I
> hope I haven't broken any rules or offended you.) Debora x.
>
> "Bill Grant" wrote:
>
>> That makes things a bit clearer. Your RRAS server does not need
>> to know about the public IP of the router, so disable the second NIC
>> in the server and only use the one with a private (192.168.1.x)
>> address. Its default gateway will be automatically set to
>> 192.168.1.254 if it gets its config from DHCP on the router.
>>
>> First make sure that all the clients and the server can access
>> the Internet through the DSL router. Next check that you can make a
>> VPN connection from a LAN client to your VPN server using its LAN
>> IP. This will check that your VPN server is correctly set up to
>> allow VPN access. Any problems with authorisation or policies can
>> then be fixed locally.
>>
>> The standard setup for a VPN server using two NICs assumes that
>> the server is directly connected to the Internet. In your case, your
>> Internet connection is via a NAT router. You only need one NIC in
>> the server because the router acts as your Internet connection.
>>
>> When you have your VPN server working correctly on the LAN, you
>> can enable VPN connection from the Internet by programming your
>> router. The remote clients connect through the Internet to your
>> router's public interface and the router forwards the information
>> across the LAN to your VPN server. Exactly how you do this depends
>> on your router. (They all seem to use very different config
>> screens). What you need to do is forward PPTP (tcp port 1723) from
>> the router to the server. This extends the VPN connection from the
>> router to the server.
>>
>> The other problem you may meet is GRE. The data crossing the VPN
>> link is encrypted and encapsulated. The encapsulation protocol used
>> is GRE (Generic Routing Encapsulation). If your router is programmed
>> to block GRE, no data will be transferred and the connection will
>> close. This usually shows up as error 721. If you strike this
>> problem you will need to find out how to allow GRE. It might be
>> mentioned by name, by protocol number (it is IP protocol 47) or it
>> may be listed as pptp pass-through mode or even as VPN pass-through
>> mode.
>>
>> Debora wrote:
>>> Bill thanks again for help and understanding. You can see the
>>> desperation. Our Broadband Router (4 ports) has IP of 81.138.11.230,
>>> the Server NIC (internet) .225 and Server NIC (LAN) 192.168.1.10.
>>> The Gateway IP 192.168.1.254 was taken from the LAN settings,
>>> showed IP as gateway, if that makes sense. When NIC (internet)
>>> settings entered I assumed Gateway as above. I originally had
>>> NIC (internet) Gateway as Router IP .230 but changed it as VPN not
>>> working (this is where I feel a mistake made). The NIC (internet) is
>>> connected to Router port and NIC (LAN) is connected to hub which in
>>> turn is connected to Router. The Router acts as DHCP for local LAN,
>>> Server has static IP (.10) range. All PCs connected to hub.
>>>
>>> Bill I hope you can help me as I'm attempting RRAS/VPN but as you
>>> can see initial setup may be at fault. If you need any more info
>>> please ask. Extremely grateful, Debora x.
>>>
>>> "Bill Grant" wrote:
>>>
>>>> That doesn't really make any sense. If the server is supposed
>>>> to access the Internet through a router at 192.168.1.254, why does
>>>> it have a NIC with a public address (81.138.119.225 )? Does this
>>>> NIC connect to anything?
>>>>
>>>> If the 81.138 NIC has a connection to the Internet you do not
>>>> need to use the router. If your router is the only connection to
>>>> the Internet, you do not need the second NIC with a public IP.
>>>>
>>>> So the first thing we need to know is what is the NIC with the
>>>> public address actually doing? If it is doing nothing, disable it
>>>> and use the router at 192.168.1.254 as your default gateway. If it
>>>> is connected to a public network you can use it as your Internet
>>>> connection.
>>>>
>>>> Debora wrote:
>>>>> Sorry for joke title. I posted weeks ago 6/17 (thanks Bill) and
>>>>> need more basic help. I have read lots of literature (this is
>>>>> effectively my server training) but basic questions about setup
>>>>> remain.
>>>>>
>>>>> I have a Win Server 2000 (DNS/AD not DHCP) we use only for file
>>>>> store and it has 2 NICs. NIC1 (Internet) has static public IP
>>>>> 81.138.119.225 with Gateway as 192.168.1.254, NIC2 (LAN) IP
>>>>> 192.168.1.10 static from Router DHCP without Gateway entered.
>>>>>
>>>>> VPN client is receiving IP from list 192.168.1.25-32 and
>>>>> connects to NIC1 (Internet) 81.138.119.225, works fine (only by IP
>>>>> address). Can view shared files only if I map drive using NIC
>>>>> (LAN) 192.168.1.10 IP, i.e. \\192.168.1.10\Opendata etc.
>>>>>
>>>>> Basic questions (this is the desperate part): What IP do I use to
>>>>> view shared files (it doesn't seem right to use .10)? Do I need to
>>>>> have the VPN server name resolved anywhere? Internet cannot be
>>>>> browsed from the VPN server; is this an issue I need to do
>>>>> something about?
>>>>>
>>>>> I have more but please for now can anyone help me. If more info
>>>>> required please tell me. Debora x.
>>>>>
>>>>> Real basic questions are
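
The configuration points Bill Grant makes across this thread (two NICs on distinct subnets, one default gateway on the router-facing NIC only, VPN client pool inside the private LAN, TCP 1723 forwarded and GRE / IP protocol 47 allowed through the router) can be checked mechanically before anything is cabled. The script below is an added example written for this page; it is not code posted by Bill or Debora. The addresses come from Bill's diagram and Debora's description; the /29 mask on the public NIC, the 192.168.21.x VPN pool and the router rule tables are constructed assumptions.

```python
"""Sanity checks for the PPTP-through-NAT design discussed in this thread.

Added example (not from the thread or from either poster). Addresses come
from Bill Grant's diagram and Debora's description; the router rule tables,
the /29 mask and the 192.168.21.x VPN pool are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PPTP_PORT = 1723   # PPTP control channel, TCP (stated in the thread)
GRE_PROTO = 47     # GRE carries the tunnelled data, IP protocol 47 (thread)


@dataclass(frozen=True)
class Iface:
    name: str
    address: str            # "a.b.c.d/prefixlen"
    gateway: Optional[str]  # default gateway, or None for "dg blank"


def check_addressing(public: Iface, private: Iface, router_lan: str,
                     vpn_pool: Tuple[str, str]) -> List[str]:
    """Return the problems found in a two-NIC RRAS plan (empty list == OK)."""
    problems = []
    pub_net = ipaddress.ip_interface(public.address).network
    prv_net = ipaddress.ip_interface(private.address).network

    # The router link (the rudimentary DMZ) and the private LAN must be distinct.
    if pub_net.overlaps(prv_net):
        problems.append("router link and private LAN overlap")

    # The router-facing NIC points at the router, which must be on its own
    # subnet; an off-subnet gateway is never reachable (Debora's first setup).
    if public.gateway is None:
        problems.append("public NIC needs the router as its default gateway")
    elif ipaddress.ip_address(public.gateway) not in pub_net:
        problems.append("public NIC gateway is not on that NIC's own subnet")
    elif public.gateway != router_lan:
        problems.append("public NIC gateway is not the router")

    # A multihomed host gets one default gateway; the private NIC leaves it blank.
    if private.gateway is not None:
        problems.append("private NIC must have no default gateway")

    # VPN clients reach LAN machines only if their pool lies inside the LAN.
    first, last = (ipaddress.ip_address(a) for a in vpn_pool)
    if first not in prv_net or last not in prv_net:
        problems.append("VPN address pool is outside the private LAN")
    return problems


@dataclass(frozen=True)
class RouterRule:
    action: str              # "forward" (port forward) or "allow" (pass-through)
    proto: str               # "tcp", "udp" or "ip"
    port: Optional[int]      # tcp/udp destination port
    ip_proto: Optional[int]  # raw IP protocol number, e.g. 47 for GRE
    target: Optional[str]    # inside host a forward is sent to


def check_pptp_passthrough(rules: List[RouterRule], server: str) -> List[str]:
    """Check that a router rule set lets a PPTP VPN reach the RRAS server."""
    problems = []
    forwards_ctrl = any(r.action == "forward" and r.proto == "tcp"
                        and r.port == PPTP_PORT and r.target == server
                        for r in rules)
    allows_gre = any(r.proto == "ip" and r.ip_proto == GRE_PROTO for r in rules)
    if not forwards_ctrl:
        problems.append("TCP 1723 is not forwarded to the RRAS server")
    if not allows_gre:
        # Control channel connects, then no data flows: the error 721 symptom.
        problems.append("GRE (IP protocol 47) is blocked: expect error 721")
    return problems


# Bill's proposed plan (addresses from his diagram; VPN pool constructed).
ROUTER_LAN = "192.168.1.254"
PLAN_PUBLIC = Iface("public", "192.168.1.10/24", ROUTER_LAN)
PLAN_PRIVATE = Iface("private", "192.168.21.1/24", None)
PLAN_VPN_POOL = ("192.168.21.200", "192.168.21.220")

# Debora's original setup. The /29 is an assumption (five static IPs are
# mentioned, no mask); the pool 192.168.1.25-32 is the one she described.
ORIG_PUBLIC = Iface("public", "81.138.119.225/29", ROUTER_LAN)
ORIG_PRIVATE = Iface("private", "192.168.1.10/24", None)
ORIG_VPN_POOL = ("192.168.1.25", "192.168.1.32")

# Constructed router rule tables: control channel only, then complete.
RULES_NO_GRE = [RouterRule("forward", "tcp", PPTP_PORT, None, "192.168.1.10")]
RULES_OK = RULES_NO_GRE + [RouterRule("allow", "ip", None, GRE_PROTO, None)]

if __name__ == "__main__":
    print("proposed plan:", check_addressing(PLAN_PUBLIC, PLAN_PRIVATE,
                                             ROUTER_LAN, PLAN_VPN_POOL) or "OK")
    print("original setup:", check_addressing(ORIG_PUBLIC, ORIG_PRIVATE,
                                              ROUTER_LAN, ORIG_VPN_POOL) or "OK")
    print("router, no GRE:", check_pptp_passthrough(RULES_NO_GRE, "192.168.1.10"))
    print("router, GRE ok:", check_pptp_passthrough(RULES_OK, "192.168.1.10") or "OK")
```

Run as-is, it reports Bill's plan as clean, flags Debora's original public NIC (gateway 192.168.1.254 is not on the 81.138.119.x subnet, which is exactly the point Bill raised), and shows the router table that forwards 1723 but drops GRE as the error 721 case.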

