Multiple subnet routing issue from vpn

Discussion in 'Server Networking' started by DT, Jan 16, 2010.

  1. DT

    DT Guest

    I have two sites A and B. SiteA (192.168.75.x) has a Cisco ASA 5505, with a
    few machines connected to a switch. SiteB (192.168.175.x) has a Cisco ASA
    5505 also. They are connected via a site-to-site VPN. The VPN works fine
    and I can get to any device on the 192.168.175.x network from SiteA (75.x).
    My problem is that behind the ASA on SiteB is an SBS 2003 server, which has
    two network cards in it. The first card is connected to the
    ASA, and the second card is connected to a switch where the
    other servers and workstations are. I can successfully RDP from
    10.27.37.x to SiteA, but I can't get from SiteA to the 10.27.37.x network.
    From doing some capturing on the Cisco boxes the packets are getting to the
    SBS from SiteA but dying there somewhere. It appears that the SBS box
    doesn't know how to forward the packets from SiteA to the 10.27.37.x network.
    I dug all through RRAS, but was unable to find anything of value that would
    solve my problem. Any help would be appreciated.
    DT, Jan 16, 2010

  2. Bill Grant Guest

    That is basically what should happen. A site to site link works by
    forwarding all traffic for the "other" site through the VPN link. It does
    this by using the site's IP subnet. Each VPN router has a subnet route for
    the other site's subnet through the VPN link.

    Why would it route a 10. subnet through the VPN link? You would need to
    make changes to the routing on the Cisco boxes to get that through the VPN
    link. You can't do it by making changes to RRAS.
    Bill Grant, Jan 16, 2010

  3. DT

    DT Guest

    I talked with Cisco for two hours trying to figure it out and they agreed
    that it was being stopped because of the SBS box, not the ASAs. I tried
    putting static routes in RRAS but nothing seems to help. Is there anything
    else that I could try?
    DT, Jan 16, 2010

  4. I believe what you are seeing is the SBS is set up as a NAT, not a router,
    which is how SBS does it. Besides, you don't really want to multihome a DC.
    An SBS handles it a little better than a non-SBS, but even the SBS folks say
    the same thing, or expect problems with AD on it.


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check
    for regional support phone numbers.
    Ace Fekay [MVP-DS, MCT], Jan 16, 2010
  5. DT

    DT Guest

    So is there a solution to what I am trying to do?
    DT, Jan 16, 2010
  6. Bill Grant Guest

    Not really. If the SBS is running as a NAT router, you probably can't even
    access the 10. machines from the 192.168 machines at site B, let alone
    from site A! NAT is a one-way address translation system by design. You can
    get out, but you can't get in.
    Bill Grant, Jan 16, 2010
  7. DT

    DT Guest

    I can get to the 10. machines from SiteB from the 192.168.175.x subnet
    though. Would reverse route injection with OSPF work in this situation?
    DT, Jan 17, 2010
  8. What exactly did the Cisco folks say when you called them other than it's
    just stopping at the SBS server?

    Have you tried it with another firewall instead of the ASA?

    I don't know about OSPF, especially on an SBS machine, since it's not
    designed for this task. An SBS server is a multi-faceted machine to support
    business needs, directory services, email services, etc., but was not really
    fully designed for routing other than using it as a NAT device, especially
    when ISA is installed. Have you considered trying this with a real router?

    Ace Fekay [MVP-DS, MCT], Jan 17, 2010
  9. DT

    DT Guest

    All Cisco said that the packets were getting through the asa and stopping
    somewhere on the sbs box. I haven't tried it with another router since the
    asa's are my site to site vpn as well. ISA is not installed on this box if
    that matters at all.
    DT, Jan 17, 2010

  10. If you can, try using a router instead of SBS to see if it works.

    I still think SBS is NAT'ing and not routing. If it is truly routing, I also
    assume there's a static route correctly configured for that subnet on the
    ASA. Then again, I would assume Cisco support made sure of that.

    Ace Fekay [MVP-DS, MCT], Jan 18, 2010
  11. Get rid of the second NIC in the SBS and forget it. Remove ISA if it is on
    the SBS and disable Routing and Remote Access. I don't know how many
    Wizards on the SBS you have to jump through to make that happen, but don't
    skip any of them... there is nothing more angry than an SBS box without its
    Wizards. Make the SBS box "live" on the LAN just like any other machine on
    the LAN, and the ASA will be the Default Gateway of the LAN, allowing it to
    act as both the "LAN Router" between the two sites and also be the
    "Firewall" to the Internet.

    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    Phillip Windell, Jan 18, 2010
  12. DT

    DT Guest

    My problem is the 10.x network is where all my workstations are also, and
    other servers. So I would need to change all of those machines to the other
    subnet. Then I could disable RRAS and route that way, but I was hoping there
    would be an easier way. Why do the SBS wizards ask you if you have two NICs
    installed, just like the way I have them installed, if this doesn't work? I
    have seen that wizard get mad if you only have one NIC installed. Would
    migrating to Standard Edition help me?
    DT, Jan 19, 2010
  13. That's the way SBS works. If you want a single NIC, which is recommended, go
    through the motions and ignore the single NIC errors and don't opt for RRAS
    or anything else dealing with more than one NIC. It's designed to help small
    business for a one-stop, combined server role that can also handle internet
    NAT connectivity to an office, hence what you are seeing.

    All non-SBS servers can handle routing better, but honestly a Windows server
    to be used for a router is way overkill in the price and hardware
    department. That's why I suggested a real "router."

    Ace Fekay [MVP-DS, MCT], Jan 19, 2010
  14. Bill Grant Guest

    SBS is designed to run as a small business's only server. It is also
    designed so that it can directly connect to the Internet and act as a router
    for the LAN if required. Remember that the original version was SBS 2000 and
    ADSL routers were not all that common (or cheap).

    Because something is possible does not mean that it is a great idea. You
    can run a reasonable sized business as a workgroup but I certainly wouldn't
    recommend it.

    To return to your original problem. The configuration you have set up has
    made it difficult to do what you want to do. It is possible to do all sorts
    of fancy things with networking, but the simplest solution is always the

    If you have full routing between the 10. network and the LAN it is
    attached to, it is possible to route it through to the other site, but it
    won't be easy.

    First of all, can you confirm that the RRAS router is operating as a
    LAN router, not as a NAT router? That is the first essential link in the

    Second, what is the default gateway setting on this router? Does it point
    to the Cisco for Internet access or does it point to some other device?

    If the RRAS router uses the Cisco VPN device as its default router,
    routing the 10. subnet to the other site is doable. Traffic for the other
    site will automatically be sent through the VPN link because this router has
    a static route for it through the tunnel. The tricky bit is getting traffic
    to flow the other way (against the default route settings).

    1. The VPN router at the second site needs an extra static route so that
    it sends traffic for the 10. subnet through the tunnel (as well as traffic
    for the 192.168. network).

    2. The VPN router at the first site needs a static route so that it sends
    traffic for 10. to the RRAS router. The RRAS router can then deliver it in
    the 10. subnet.

    Here is a simple diagram. (Sorry I can't remember your actual network

    Site 2
    192.168.75.x dg
    Bill Grant, Jan 19, 2010
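    The two static routes Bill describes, walked through as a longest-prefix-match model. This is an added example written for this page, not code from anyone in the thread. Only the three /24 prefixes come from the posts; the router names, the host and interface addresses, and the assumption that the SBS is routing rather than NAT'ing (Bill's first check) are constructed. The VPN is simplified to a plain next hop between the two ASAs, so "send it through the tunnel" becomes an ordinary route entry.

```python
"""Longest-prefix-match walk through the two-site topology in this thread.

Constructed model (not the poster's configs): Site A ASA, Site B ASA, the
SBS/RRAS box with two NICs, and one host on each side. The VPN is reduced
to a next hop between the two ASAs.
"""
import ipaddress

# Only the /24 prefixes are from the thread; every specific address below
# is an assumption made for this example.
SITE_A_LAN = "192.168.75.0/24"
SITE_B_LAN = "192.168.175.0/24"
SBS_LAN = "10.27.37.0/24"
HOST_A = "192.168.75.10"     # assumed workstation at Site A, default gw = Site A ASA
HOST_SBS = "10.27.37.20"     # assumed workstation behind the SBS, default gw = SBS


class Router:
    """Minimal forwarding table: directly connected nets plus static routes."""

    def __init__(self, name, connected, routes):
        self.name = name
        self.connected = [ipaddress.ip_network(n) for n in connected]
        # (prefix, next_hop); next_hop is another router's name or "internet"
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        if any(dst in net for net in self.connected):
            return "deliver"
        best = None
        for net, next_hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)  # most specific prefix wins
        return best[1] if best else "drop"


def build_topology(with_static_routes):
    """Return the routers; with_static_routes adds Bill's two extra routes."""
    site_a_routes = [(SITE_B_LAN, "site_b_asa"), ("0.0.0.0/0", "internet")]
    site_b_routes = [(SITE_A_LAN, "site_a_asa"), ("0.0.0.0/0", "internet")]
    if with_static_routes:
        site_a_routes.append((SBS_LAN, "site_b_asa"))  # step 1: 10. via tunnel
        site_b_routes.append((SBS_LAN, "sbs"))          # step 2: 10. via RRAS
    return {
        "site_a_asa": Router("site_a_asa", [SITE_A_LAN], site_a_routes),
        "site_b_asa": Router("site_b_asa", [SITE_B_LAN], site_b_routes),
        # SBS/RRAS as a LAN router (not NAT); its default gateway is the Site B ASA
        "sbs": Router("sbs", [SITE_B_LAN, SBS_LAN], [("0.0.0.0/0", "site_b_asa")]),
    }


def trace(routers, first_hop, dst, max_hops=8):
    """Follow a packet hop by hop; ends in 'delivered', 'internet', 'drop' or 'loop'."""
    path, hop = [], first_hop
    for _ in range(max_hops):
        path.append(hop)
        if hop not in routers:          # left the modelled network
            return path
        nxt = routers[hop].lookup(dst)
        if nxt == "deliver":
            return path + ["delivered"]
        hop = nxt
    return path + ["loop"]


def path_site_a_to_sbs_lan(with_static_routes):
    """Site A host -> host behind the SBS (the direction that fails for the poster)."""
    return trace(build_topology(with_static_routes), "site_a_asa", HOST_SBS)


def path_sbs_lan_to_site_a():
    """Host behind the SBS -> Site A host (the direction that already works)."""
    return trace(build_topology(False), "sbs", HOST_A)


if __name__ == "__main__":
    print("10.x -> Site A, no extra routes:", path_sbs_lan_to_site_a())
    print("Site A -> 10.x, no extra routes:", path_site_a_to_sbs_lan(False))
    print("Site A -> 10.x, with both routes:", path_site_a_to_sbs_lan(True))
```

    Without the extra routes the Site A ASA has nothing more specific than its default for 10.27.37.x, so the packet follows the default route out rather than into the tunnel; the reverse direction works because the SBS's own default route hands the traffic to the Site B ASA, which already has the 192.168.75.0/24 route. Adding the route on one ASA only is not enough: step 1 gets the packet across the tunnel, and step 2 is what lets the Site B ASA hand it to the RRAS box instead of its default route.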

  15. Bill,

    Maybe my static route example pic may be helpful as a visual?

    Static Route Example

    Ace Fekay [MVP-DS, MCT], Jan 19, 2010

  16. No you don't have to go through all that, just change the Internal IP
    of the Firewall so that it is on the LAN with everything else. The segment
    that used to be between the SBS and the Firewall will simply no longer
    exist. The worst you will have to do is change all the Default Gateways to
    point to the new IP of the Firewall unless you want to give the Firewall the
    IP the SBS used to have and give the SBS a new one,...but I'd rather leave
    the SBS alone and change the Firewall and the gateway settings.

    If most of the machines on the LAN run with DHCP (and they should) you take
    care of most of them by adjusting the Scope.

    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    Phillip Windell, Jan 19, 2010
  17. you can still add routes with
    route add ...
    Juergen Kluth, Jan 19, 2010
