RRAS as VPN Server Configuration Questions... New one...



Hi all again,

With only one physical Internet connection and one Windows 2000 Advanced
Server (PDC), I need to set up VPN access to a local LAN while keeping
unauthenticated VPN traffic OFF the LAN where Client PCs are located. I
have three Hardware Routers to use. I know it's NOT advised to
use a PDC for this, but this is all we have. I also know that it would be
much easier to use just one NIC, but the client wants (needs) to
have unauthenticated VPN traffic OFF the LAN. Previous attempts have
failed, so I'm wondering if this new setup should/will work?

Thanks for any help,

Mike B.
I.D.M. Technologies
Milwaukee, WI, USA

Previous question in newsgroup with old setup:
RE: RRAS as VPN Server Configuration Questions

Subnet Mask 255.255.255.0 for EVERYTHING

Because LAN PCs also VPN out:
IPSec - Passthrough on all Hardware Routers
PPTP - Passthrough on all Hardware Routers
PPPoE - Passthrough on all Hardware Routers

*** Router #1 gets feed from Internet.
*** Router #2 and #3 connect to LAN ports on Router #1.

Router #1
---------
For now, until VPN is set up, then client will get static IP.
(External Address: Set by ISP; dns: Set by ISP)
(Internal Address: 192.168.118.1)
External Port 1723 Forwarded to Port 1723 on 192.168.118.2 (Router #2)

Router #2
---------
(External Address: 192.168.118.2 dg 192.168.118.1 dns 192.168.118.1)
(Internal Address: 192.168.119.1)
Static Route: 192.168.120.0 255.255.255.0 192.168.119.2 on LAN
External Port 1723 Forwarded to Port 1723 on 192.168.119.2 (RRAS)

Router #3
---------
(External Address: 192.168.118.3 dg 192.168.118.1 dns 192.168.118.1)
(Internal Address: 192.168.120.1)
Static Route: 192.168.119.0 255.255.255.0 192.168.120.2 on LAN

Windows 2000 Advanced Server
----------------------------
- 2 NICs
  Connection Name: WAN (192.168.119.2 dg 192.168.119.1)
  Connection Name: LAN (192.168.120.2 dg Blank)
- PDC (domain: abc.local) with Active Directory
- DHCP (Bindings to both NICs 192.168.119.2 and 192.168.120.2)
  Scope 192.168.119.0 (pool: 192.168.119.10 - 192.168.119.254)
    Scope Options:
      (003 Router) 192.168.119.1
      (004 Time Server) 192.168.119.2
      (005 Name Servers) 192.168.119.2
      (006 DNS Server) 192.168.119.2
      (007 Log Servers) 192.168.119.2
      (042 NTP Servers) 192.168.119.2
      (044 WINS/NBNS Servers) 192.168.119.2
      (015 DNS Domain Name) is abc.local.
  Scope 192.168.120.0 (pool: 192.168.120.10 - 192.168.120.254)
    Scope Options:
      (003 Router) 192.168.120.1
      (004 Time Server) 192.168.120.2
      (005 Name Servers) 192.168.120.2
      (006 DNS Server) 192.168.120.2
      (007 Log Servers) 192.168.120.2
      (042 NTP Servers) 192.168.120.2
      (044 WINS/NBNS Servers) 192.168.120.2
      (015 DNS Domain Name) is abc.local.
- DNS (Listen on Both NICs 192.168.119.2 and 192.168.120.2)
  One Forward Lookup Zone
    "Name Servers" property page includes one entry with both IPs
  Two Reverse Lookup Zones
    120.168.192-in-addr.arpa
    119.168.192-in-addr.arpa
- WINS
- RRAS
  Configured on 192.168.119.2 using DHCP
  Router - LAN and demand-dial routing and Remote Access Server
  Windows Authentication
  Use the following adapter to obtain DHCP, DNS, and WINS addresses
  for dial-up clients. Adapter: WAN
  Modified Policy to only allow one domain group for Remote Access
  DHCP Relay Agent configured for 192.168.119.2
    WAN interface only
  IGMP
    WAN - IGMP Router
    LAN - IGMP Router
  Need HELP with the rest of RRAS configuration?

==================================================================

Router #1
|
|
Router #2
|
|
Strictly for VPN Clients (dhcp clients 192.168.119.2 *see above)
VPN Clients do NOT "use default gateway on remote network" - which
allows them to access their local LAN and Internet connection?
|
|
192.168.119.2 dg 192.168.119.1
Windows 2000 Advanced Server
192.168.120.2 dg blank
|
|
Clients (dhcp clients 192.168.120.2 *see above)
|
|
Router #3
|
|
Router #1
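
Added example, not part of the original post: a Python check of the addressing plan above. It follows the port 1723 forwards from Router #1 to see which interface they end on, and lists which server NIC each static route depends on. The dictionary layout and function names are this example's own; all addresses are transcribed from the post.

```python
import ipaddress

def net(addr):
    """Return the /24 containing addr (the post uses 255.255.255.0 everywhere)."""
    return ipaddress.ip_network(f"{addr}/24", strict=False)

# Addressing plan transcribed from the post; the layout is this example's own.
ROUTERS = {
    "Router #1": {"inside": "192.168.118.1", "fwd_1723": "192.168.118.2"},
    "Router #2": {"outside": "192.168.118.2", "inside": "192.168.119.1",
                  "fwd_1723": "192.168.119.2",
                  "route": ("192.168.120.0", "192.168.119.2")},
    "Router #3": {"outside": "192.168.118.3", "inside": "192.168.120.1",
                  "route": ("192.168.119.0", "192.168.120.2")},
}
SERVER = {"WAN": "192.168.119.2", "LAN": "192.168.120.2"}
CLIENT_LAN = net("192.168.120.0")

def trace_pptp_forward(start="Router #1"):
    """Follow the TCP 1723 forwards hop by hop; return (path, final address)."""
    path, name = [], start
    while name:
        r = ROUTERS[name]
        target = r["fwd_1723"]
        if ipaddress.ip_address(target) not in net(r["inside"]):
            raise ValueError(f"{name} forwards to off-link address {target}")
        path.append((name, target))
        # Continue only if the target is another router's outside interface.
        name = next((n for n, x in ROUTERS.items()
                     if x.get("outside") == target), None)
    return path, target

def check_static_routes():
    """Return (router, destination, next hop, server NIC or None) per route."""
    out = []
    for name, r in ROUTERS.items():
        if "route" in r:
            dest, hop = r["route"]
            on_link = ipaddress.ip_address(hop) in net(r["inside"])
            nic = next((k for k, v in SERVER.items() if v == hop), None)
            out.append((name, str(net(dest)), hop, nic if on_link else None))
    return out

def forward_lands_on_client_lan():
    """True if the forwarded PPTP control connection ends inside the client LAN."""
    return ipaddress.ip_address(trace_pptp_forward()[1]) in CLIENT_LAN

if __name__ == "__main__":
    print(trace_pptp_forward(), check_static_routes(), forward_lands_on_client_lan())
```

The trace covers only the TCP 1723 control channel; PPTP data travels in GRE (IP protocol 47), which the post handles with the PPTP passthrough setting on the routers. Both static routes name a server NIC as next hop, so traffic between the 192.168.119.0 and 192.168.120.0 segments along those routes depends on what the server itself forwards.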

