Re: RRAS - Works on internal network, not past DMZ
- From: "000Mike000" <000Mike000@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 28 Jun 2005 14:12:03 -0700
"Phillip Windell" wrote:
> Part of your confusion is that you don't really have a DMZ. The router that
> the T1 comes into is just a Router,...that's it, just a Router.
Yeah, I figured I had the terminology mixed up, I'll try and use the correct
terms from here on out.
> 2. Place the RRAS box "side-by-side" with the Firewall so they both operate
> independently of each other and neither depends on the other to function.
> VPN Users would connect directly to the Public interface of the RRAS box.
> The Firewall will still handle it normal job but will have nothing to do
> with the VPN. The Firewall would need some additional configuration if you
> were doing a Site-to-Site VPN, but that does not sound like what you were
> doing, it sounded like you were doing a Remote Access VPN which works on
> different principles.
I believe that I'm attempting to set things up in this scenario. I'm pretty
sure that my problem will be resolved once I figure out this multiple gateway
issue. Let me explain.
On the network connections configuration of the RRAS box, I have the
'inside' network connection set with a default gw of 192.168.1.1, subnet
255.255.255.0 (the firewall). That is the 'private' network that the rest of
the company uses. The 'outside' network connection is set with a default gw
of the router, we'll call it 10.0.0.1. subnet 255.255.255.192. This is the
same setup that I've used in the past to put a machine on the 'public'
network... always worked. We have the IPs from 1 to 65... 1 is the router,
10 is the firewall and we've used a few others for various machines that
aren't part of the private network (image hosts, et al).
If we say that the private interface on the RRAS box is working correctly
(internal clients can access it without a problem) - configured as
192.168.1.20, subnet 255.255.255.0, gw 192.168.1.1... I'll then go to
configure the 'public' interface - as 10.0.0.23, subnet 255.255.255.192, gw
10.0.0.1. As soon as I hit okay, I am met with the error:
"Warning - Multiple default gateways are intended to provide redundancy to a
single network (such as intranet or the Internet). They will not function
properly when the gateways are on two separate, disjoint networks (such as
one on your intranet and one on the internet). Do you want to save this
configuration?"
I hit 'yes' and proceed. Now both interfaces are configured as I think they
should, but the 'multiple gateway' error message has me spooked. This was
last week, I moved past that but am now back to it... convinced that it is
the problem.
It seems that the outside traffic (remote clients) come in... ask for
authentication from 10.0.0.23 (outside RRAS interface)... only get 'so far'
and then attempt to go out via the private interface. That's my best guess.
So, I configured the firewall to allow traffic from the RRAS server through
TCP port 1723 and IP protocol 47... thinking that "traffic was traffic, as
long as the RRAS box can talk to the remote client... who cares how it gets
there?" No dice.
So... here I am. You make it sound like I'm not the first person in the
history of mankind to make this attempt... and that's comforting :p.
However... what type of configuration is typical? It seems that to have a
'private' network and a truly 'public' one, two gateways are absolutely
necessary... if so, how will RRAS know which interface to use?
The most recent 'success' was when we decided to 'turn off' the gateway on
the private interface. All other settings were kept (private ip, dns,
subnet) but I left the gateway blank. The public interface was kept the
same. The remote test clients (on wireless cards) came RIGHT in. No
authentication problems at all, quicker than I've ever seen them. It *has*
to be this multi-gw problem... right?
Am I barking up the wrong tree?
As for your other suggestions (and they ARE appreciated), number 1 (swap the
firewall with the RRAS box) would be impossible... the firewall was expensive
and it'd be a REALLY hard sell on management (it works great as a firewall at
least :p ).
Number 3 (use the firewall as a VPN server) "was" a great solution back when
our remote users were VERY standardized. Everyone was local, simply needed a
way to check email and such. As soon as people wanted laptops... wanted to
travel all over the world... use wireless cards... the VPN software showed
its true colors - buggy as heck. We came up with the idea to use RRAS
'through' the firewall (passed 1723/47)... but you hit the nail on the head
when you said, "Some Firewalls are simply not capable, and some just aren't
dependable." It only worked about 25% of the time and never when I was
trying to sleep!
So... it seems that option 2 was the best idea. I think I'm just in over my
head with the multiple gateways problem.
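The route-selection behaviour Mike describes (two default gateways on disjoint networks, then things working once the private gateway is left blank) can be modelled directly. The following is an added example, not code from the thread or from Windows; it models the RRAS box's routing table with the addresses given in the post (192.168.1.20/24 behind the firewall 192.168.1.1, 10.0.0.23/26 in front of the router 10.0.0.1) and applies longest-prefix match with metric tie-breaking, the same rule a host stack uses. The remote client address 203.0.113.45 and the internal subnet 192.168.2.0/24 are constructed for illustration; the post mentions neither.

```python
import ipaddress

# Constructed model of a two-NIC RRAS host's routing table, using the post's addresses.
# Each entry is (destination prefix, next hop or None for on-link, interface, metric).


def build_routes(private_gateway=None, extra_internal=()):
    """Return the route list for the two-NIC host.

    private_gateway: gateway set on the private NIC, or None to leave it blank
                     (the configuration that worked for the poster).
    extra_internal:  hypothetical internal subnets reached through the firewall,
                     given as static routes; the post names none, so these are
                     assumed for illustration only.
    """
    routes = [
        ("192.168.1.0/24", None, "private", 20),  # on-link, private side
        ("10.0.0.0/26", None, "public", 20),      # on-link, public side
        ("0.0.0.0/0", "10.0.0.1", "public", 20),  # default route via the router
    ]
    if private_gateway:
        # Second default route: this is what triggers the 'disjoint networks' warning.
        routes.append(("0.0.0.0/0", private_gateway, "private", 20))
    for net in extra_internal:
        # Reach other internal subnets through the firewall without a second default.
        routes.append((net, "192.168.1.1", "private", 20))
    return routes


def select_route(routes, destination):
    """Longest-prefix match, ties broken by lowest metric.

    Returns all equally preferred candidates as (interface, next_hop) tuples.
    More than one candidate means the stack must pick arbitrarily, so replies
    to a remote VPN client may leave via the private NIC and never arrive.
    """
    dst = ipaddress.ip_address(destination)
    best, best_key = [], None
    for prefix, next_hop, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        key = (-net.prefixlen, metric)  # longer prefix wins, then lower metric
        if best_key is None or key < best_key:
            best_key, best = key, [(iface, next_hop)]
        elif key == best_key:
            best.append((iface, next_hop))
    return best


def is_ambiguous(routes, destination):
    """True when two routes tie, i.e. the multiple-default-gateway situation."""
    return len(select_route(routes, destination)) > 1


if __name__ == "__main__":
    remote_client = "203.0.113.45"  # constructed address of a remote VPN client
    two_gateways = build_routes(private_gateway="192.168.1.1")
    one_gateway = build_routes(private_gateway=None, extra_internal=("192.168.2.0/24",))
    print("two default gateways  ->", select_route(two_gateways, remote_client))
    print("private gateway blank ->", select_route(one_gateway, remote_client))
    print("LAN host              ->", select_route(one_gateway, "192.168.1.50"))
    print("other internal subnet ->", select_route(one_gateway, "192.168.2.7"))
```

With the private gateway set, the lookup for the remote client returns two candidates, which is the ambiguity behind the intermittent authentication failures; with it blank, only the public route matches, while LAN hosts still resolve to the on-link private route. Any internal subnets beyond 192.168.1.0/24 are then handled by explicit static routes through the firewall rather than a second default gateway, which is what `route -p add` on the Windows side would do.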