Re: Problems accessing DMZ (different subnet) addresses w/ PPTP VPN



My guess is that it is related to your use of on-subnet addressing (i.e. the
remote user gets an IP in the same IP subnet as the LAN machines). What
happens when you use that is that the VPN server acts as a proxy for the
remote and does proxy ARP on the LAN. This usually works OK, but it is not a
good idea in a routed network. (Also, some switches don't handle proxy ARP
too well.) It was really intended to allow remote access to a simple LAN (so
that the sysadmin didn't have to know how routing worked).

I would use off-subnet addressing for the remotes. That is, put the
remotes in their own IP subnet (using a static pool rather than DHCP) and
route that subnet through the VPN server. You can then add specific routing
to get that subnet to/from the DMZ.

"Bill Grant" <not.available@online> wrote in message
news:%23wT74XNQHHA.3544@xxxxxxxxxxxxxxxxxxxxxxx
That is what I would expect. Although you initially connect to a public
IP, the VPN connection is effectively to your private LAN, because the
private traffic is tunnelled through the Internet and the DMZ. (In other
words, the traffic is encrypted and encapsulated until it reaches the VPN
server.)

Can you access machines on the DMZ from your private LAN?

"Henry" <Henry@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D332FDA0-3B06-421C-A00D-8FB47420FC4B@xxxxxxxxxxxxxxxx
I'm having problems accessing DMZ addresses when I'm connected to our Windows
PPTP VPN. Machines on the LAN can be accessed w/o any problems and I also
have internet connectivity. I assume that it might be a routing issue.
Here's the current setup:

- VPN Server has 2 NICs (LAN 10.0.3../DMZ 192.168.4..)
- Clients connect to a public address which resolves to the DMZ address for
the VPN Server.
- VPN clients get assigned an IP address from a DHCP server on our LAN
(10.0.3..)

Here's a copy of the routing table when I'm connected to the VPN:

===========================================================================
Interface List
 14 ........................... VPN Connection
  8 ...00 30 1b ba 3e a5 ...... Broadcom NetLink (TM) Gigabit Ethernet
  1 ........................... Software Loopback Interface 1
  9 ...00 00 00 00 00 00 00 e0  isatap.hsd1.ma.comcast.net.
 10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 15 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100    4245
          0.0.0.0          0.0.0.0         On-link        10.0.3.37      21
        10.0.3.37  255.255.255.255         On-link        10.0.3.37     276
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    4531
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    4531
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    4531
      192.168.1.0    255.255.255.0         On-link    192.168.1.100    4501
    192.168.1.100  255.255.255.255         On-link    192.168.1.100    4501
    192.168.1.255  255.255.255.255         On-link    192.168.1.100    4501
    209.31.138.54  255.255.255.255      192.168.1.1   192.168.1.100    4246
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    4531
        224.0.0.0        240.0.0.0         On-link    192.168.1.100    4502
        224.0.0.0        240.0.0.0         On-link        10.0.3.37      21
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    4531
  255.255.255.255  255.255.255.255         On-link    192.168.1.100    4501
  255.255.255.255  255.255.255.255         On-link        10.0.3.37     276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination               Gateway
  1    306 ::1/128                           On-link
  8    276 fe80::/64                         On-link
 15    281 fe80::5efe:10.0.3.37/128          On-link
  9    281 fe80::5efe:192.168.1.100/128      On-link
  8    276 fe80::ad0b:7b74:ddc7:be67/128     On-link
  1    306 ff00::/8                          On-link
  8    276 ff00::/8                          On-link
===========================================================================
Persistent Routes:
  None

Thanks in advance.
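
Added example (not code from any post in this thread): a small Python resolver that applies the Windows route-selection rule (longest prefix wins, then lowest metric) to the IPv4 table Henry posted, and then to a constructed table for a DMZ host, to show where the off-subnet design from Bill Grant's reply needs its extra route. On the posted table the only entries that cover a DMZ address are the two default routes, and the VPN one wins on metric (21 against 4245), so client-to-DMZ traffic is already entering the tunnel; what this table alone cannot show is the return path from the DMZ, which is what the static route in the reply is for. The DMZ host's addresses (192.168.4.20, default gateway 192.168.4.1), the VPN server's DMZ address 192.168.4.2 and the remote pool 10.0.9.0/24 are assumptions chosen for illustration, not values from the thread.

```python
"""Windows route-selection check for the thread's VPN/DMZ problem (added example).

resolve() applies the rule Windows uses when several routes cover an address:
the longest prefix wins, and among equal prefixes the lowest metric wins.
"""
import ipaddress

# IPv4 routes copied from Henry's 'route print', with each metric put back on
# its row.  Columns: destination, netmask, gateway, interface, metric.
CLIENT_ROUTE_PRINT = """
0.0.0.0          0.0.0.0          192.168.1.1  192.168.1.100  4245
0.0.0.0          0.0.0.0          On-link      10.0.3.37        21
10.0.3.37        255.255.255.255  On-link      10.0.3.37       276
127.0.0.0        255.0.0.0        On-link      127.0.0.1      4531
127.0.0.1        255.255.255.255  On-link      127.0.0.1      4531
127.255.255.255  255.255.255.255  On-link      127.0.0.1      4531
192.168.1.0      255.255.255.0    On-link      192.168.1.100  4501
192.168.1.100    255.255.255.255  On-link      192.168.1.100  4501
192.168.1.255    255.255.255.255  On-link      192.168.1.100  4501
209.31.138.54    255.255.255.255  192.168.1.1  192.168.1.100  4246
224.0.0.0        240.0.0.0        On-link      127.0.0.1      4531
224.0.0.0        240.0.0.0        On-link      192.168.1.100  4502
224.0.0.0        240.0.0.0        On-link      10.0.3.37        21
255.255.255.255  255.255.255.255  On-link      127.0.0.1      4531
255.255.255.255  255.255.255.255  On-link      192.168.1.100  4501
255.255.255.255  255.255.255.255  On-link      10.0.3.37       276
"""

# Constructed table for a DMZ host.  Assumptions, not values from the thread:
# the host is 192.168.4.20 and its default gateway is a firewall at 192.168.4.1.
DMZ_HOST_ROUTE_PRINT = """
0.0.0.0       0.0.0.0          192.168.4.1  192.168.4.20   10
192.168.4.0   255.255.255.0    On-link      192.168.4.20  266
192.168.4.20  255.255.255.255  On-link      192.168.4.20  266
"""

VPN_SERVER_DMZ_ADDR = "192.168.4.2"                  # assumed DMZ NIC of the VPN server
REMOTE_POOL = ipaddress.IPv4Network("10.0.9.0/24")   # assumed off-subnet static pool


def parse_route_print(text):
    """Turn 'route print' rows into dicts; skips anything that is not a 5-column row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,        # "On-link" means deliver directly on that interface
            "iface": iface,
            "metric": int(metric),
        })
    return routes


def resolve(routes, dst):
    """Return the route Windows would pick for dst: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def with_static_route(routes, net, gateway, iface, metric):
    """Copy of the table plus one static route (the one the reply says to add)."""
    return routes + [{"net": net, "gateway": gateway, "iface": iface, "metric": metric}]


def route_add_command(net, gateway):
    """route.exe syntax for making that static route persistent on a Windows host."""
    return f"route -p add {net.network_address} mask {net.netmask} {gateway}"


CLIENT_ROUTES = parse_route_print(CLIENT_ROUTE_PRINT)
DMZ_HOST_ROUTES = parse_route_print(DMZ_HOST_ROUTE_PRINT)


def describe(routes, dst):
    r = resolve(routes, dst)
    return f"{dst:16} -> {r['net']!s:20} gw {r['gateway']:13} via {r['iface']}  metric {r['metric']}"


if __name__ == "__main__":
    print("VPN client (Henry's table):")
    for dst in ("10.0.3.50", "192.168.4.10", "192.168.1.5", "8.8.8.8"):
        print("  " + describe(CLIENT_ROUTES, dst))

    remote = str(REMOTE_POOL[5])   # one remote client out of the off-subnet pool
    print("\nDMZ host replying to", remote, "without the static route:")
    print("  " + describe(DMZ_HOST_ROUTES, remote))

    fixed = with_static_route(DMZ_HOST_ROUTES, REMOTE_POOL, VPN_SERVER_DMZ_ADDR, "192.168.4.20", 11)
    print("with it:")
    print("  " + describe(fixed, remote))
    print("  added with:", route_add_command(REMOTE_POOL, VPN_SERVER_DMZ_ADDR))
```

Without the extra entry the DMZ host sends its replies to the firewall, which has to know about the remote pool itself; with it the replies go straight to the VPN server's DMZ interface. The `route -p add` line has to go on every DMZ host that must reach the remote pool, or on their default gateway instead, and the same applies on the LAN side if the VPN server's LAN address is not the LAN hosts' gateway.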
