Re: 2k VPN/RAS issues


From: Phillip Windell (_at_.)
Date: 03/23/04


Date: Tue, 23 Mar 2004 11:48:49 -0600


<anonymous@discussions.microsoft.com> wrote in message
news:11e1e01c4106b$b1f7d210$a101280a@phx.gbl...
> (r)outer --> (F)irewall --> switch --> (S)erver & LAN
>
> one - one NAT goes like this
>
> Private            Public
> 192.168.20.40 --> 123.123.123.1

Ok, that clears that up. If you aren't using it, get rid of the old "public"
NIC in the server before that comes back and bites you in the rear. But
don't just yank the card out, Windows sometimes has problems with "ghost"
NICs left behind that won't remove. So uninstall the driver for it first so
that the NIC disappears from the system, then shut it down and remove the
NIC.

Option #1
---VPN
Done entirely at the Firewall,...nothing else will have anything to do with
it. Typically you must create user accounts on the firewall itself to
authenticate the users. It also usually has an "address pool" to assign to
incoming VPN callers. Make sure this doesn't duplicate any used addresses on
the system.
---RRAS
No longer has any purpose in life. There is nothing to use it for,...and
there is nothing to "route".

Option #2
There may be a way to "reverse-NAT" the incoming VPN to the Server's
internal IP# and have the RRAS handle the VPN, but I really don't know how
well that would work nor can I give any real advice or details on that. I'm
not even sure how RRAS will respond with only one NIC in the machine.

Option #3
Use two NICs in the Server and place it "side-by-side" with the Firewall
(like it used to be) and then the VPN users would connect directly to the
Server's External IP# and RRAS would handle the VPN. The Firewall would not
be involved in any way at all with this method.

Do *not* play "mix-and-match" with these methods, choose the one you want to
use and do only that.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
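
Added example, not part of the original post: a check that a firewall's VPN address pool (Option #1) does not duplicate addresses already used on the LAN. Only the server address 192.168.20.40 comes from the thread; the /24 subnet, the DHCP scope, the firewall address, the pool ranges and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample inventory; only 192.168.20.40 appears in the thread.
LAN = "192.168.20.0/24"
DHCP_SCOPES = {"lan-clients": ("192.168.20.100", "192.168.20.199")}
STATIC_HOSTS = {"server": "192.168.20.40", "firewall-inside": "192.168.20.1"}


def expand(first, last):
    """Expand an inclusive IPv4 range into a list of addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is above range end {last}")
    return [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]


def pool_conflicts(pool, lan, dhcp_scopes, static_hosts):
    """Return (address, reason) pairs for each pool address already in use.

    pool is a (first, last) tuple for the VPN address pool on the firewall.
    """
    net = ipaddress.IPv4Network(lan)
    # Map every leased or statically assigned address to what owns it.
    dhcp = {a: name for name, rng in dhcp_scopes.items() for a in expand(*rng)}
    static = {ipaddress.IPv4Address(ip): name for name, ip in static_hosts.items()}
    findings = []
    for addr in expand(*pool):
        if addr in (net.network_address, net.broadcast_address):
            findings.append((str(addr), "network or broadcast address of the LAN"))
        if addr in dhcp:
            findings.append((str(addr), f"DHCP scope: {dhcp[addr]}"))
        if addr in static:
            findings.append((str(addr), f"static host: {static[addr]}"))
    return findings


if __name__ == "__main__":
    # Constructed candidate pools: the first collides with the DHCP scope.
    for pool in [("192.168.20.190", "192.168.20.210"),
                 ("192.168.20.220", "192.168.20.240")]:
        hits = pool_conflicts(pool, LAN, DHCP_SCOPES, STATIC_HOSTS)
        print(pool, "OK" if not hits else f"{len(hits)} conflicts")
        for addr, reason in hits:
            print("   ", addr, reason)
```
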

