Need Help with RRAS

Discussion in 'Server Networking' started by \1SE\, Apr 8, 2005.

  1. \1SE\

    \1SE\ Guest

    I have a vpn router that I can VPN into. Unfortunately that router is still
    on the outside NIC of my windows 2003 server.
    172.16.7.1 = MAIN-router internal
    192.168.1.5 = MAIN-router external.

    192.168.8.1 = Windows 2003 server internal
    172.16.7.4 = Windows 2003 server external.

    When I'm on my VPN connection I can ping the external IP of the server but I
    cannot ping it by name.
    Is there a way to allow NetBIOS to the outside NIC or maybe allow internal
    DNS to the external NIC?

    How can I allow connection from my VPN connection without opening my whole
    server to the internet?

    I'm desperate please help.

    Thanks.
     
    \1SE\, Apr 8, 2005
    #1

  2. \1SE\

    Bill Grant Guest

    What DNS server is the VPN client using? I would expect it to use the
    one in the 172.16 subnet if it connects to a router with IP address
    172.16.7.1 . If it is set to use your internal DNS on 192.168.8 , does it
    have the correct DNS suffix configured? Can you resolve the server name if
    you specify the full FQDN?
     
    Bill Grant, Apr 9, 2005
    #2

  3. \1SE\

    \1SE\ Guest

    These are REALLY good questions. I hope I don't lose your interest taking
    a couple of days to get back to you. I will not be able to get back out to
    this site before 4-11-05.
    Here's what I know now.
    The VPN client is another router at another site
    192.168.9.1 = PH-01-router internal
    216.86.137.39 = PH-01-router external.
    The workstation on the other side of that is using an external DNS 4.2.2.2
    and a secondary DNS of the internal DNS 192.168.8.1.
    I've also put the internal DNS on the MAIN-router as one of its DNS
    servers.
    I don't believe there is any internal DNS information on the 172.16.7.4
    I've not tried to resolve the servername with the FQDN, I will try that on
    the 11th.

    I didn't think to configure the DNS suffix for the workstation.
    I know where to do that in the IP config but what should it be?
     
    \1SE\, Apr 9, 2005
    #3
  4. \1SE\

    Bill Grant Guest

    I would manually configure the remote client to use your local DNS (ie
    the one for your 192.168.8 network) in the connection properties. To be
    able to resolve names by just using the machine name, also set the domain
    suffix to the suffix of this network.

    For example, if your local network is mydomain.local you should be able
    to resolve the name of a machine called fred by doing an nslookup for
    fred.mydomain.local . If you set the domain suffix for the client to
    domain.local, you can just use nslookup fred .
     
    Bill Grant, Apr 10, 2005
    #4
  5. Bill,
    If the Windows Server is running NAT then the 192.168.8 network won't be at
    all reachable. The 172.16.7 network is effectively a DMZ in a Back-to-Back
    DMZ model, which is "untrusted" by the 192.168.8 network.

    If the Windows Server is not running NAT (just routing only) then it
    probably should only run one Nic since the 172.16.7 network is just a
    "useless appendage" so to speak.

    I think he needs to clarify that when he gets back to make it more clear
    what is being dealt with.
     
    Phillip Windell, Apr 11, 2005
    #5
  6. \1SE\

    Bill Grant Guest

    Good point, Phillip. It wouldn't be the first time we have seen problems
    connecting to a remote access server in a DMZ which couldn't see the private
    LAN, would it?
     
    Bill Grant, Apr 12, 2005
    #6
  7. \1SE\

    \1SE\ Guest

    This is IN FACT true that it is NATing and I cannot see the 192.168.8.x
    network.
    I have set the primary DNS servers to the 192.168.8.x DC but since it cannot
    be seen this does no good.
     
    \1SE\, Apr 15, 2005
    #7
  8. It happens frustratingly often. ;-)
     
    Phillip Windell, Apr 15, 2005
    #8
  9. You can't. It just doesn't work that way.

    To use VPN the VPN Tunnel must terminate at the edge of the LAN and the VPN
    Device must "live" on both the LAN and the External Network at the same time.
    Here's what you have,..it won't work:

    [LAN]--Server/NAT--[B2B DMZ]--NAT Device as VPN Server--[Internet]

    The Server/NAT and the B2B DMZ is "in the way",...it won't work.

    Two options:

    1. You have to run the Windows Server as both a NAT Server and a VPN Server
    at the same time. RRAS can do this. Your "NAT Device" will require the
    ability to do what is often called on those things "VPN Passthrough" which
    will pass on the Tunnel to the RRAS/VPN where the Tunnel will "terminate".

    [LAN]--Server/NAT/VPN--[B2B DMZ]--NAT Device with VPN
    Passthrough--[Internet]

    2. The other option is to eliminate the second Nic in the Server and
    shutdown RRAS and eliminate the NAT, which would also eliminate the B2B DMZ.
    The server would just exist on the LAN with one nic just like all the other
    machines. The Internet NAT Device would have its internal facing Nic's IP#
    changed to correspond to the LAN. The Internet NAT Device would then do its
    VPN the way you are doing it now. It would look like this,..the server is
    not shown because it would no longer be relevant to the "path":

    [LAN]---NAT/VPN Device--[Internet]
     
    Phillip Windell, Apr 15, 2005
    #9
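A small reachability model of the layouts Phillip describes, added here as an illustration and not code from the thread; the zone names, ranks and NAT labels are constructed from the addresses the poster quoted earlier, and a stateful NAT is assumed to drop any inbound flow its inside hosts did not start:

```python
import ipaddress

# Constructed model of the address plan quoted in the thread; it is not
# configuration taken from the poster's devices.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.8.0/24"),  # behind the Windows 2003 server
    "DMZ": ipaddress.ip_network("172.16.7.0/24"),   # B2B DMZ between server and MAIN-router
}
# Zones ordered from most trusted (inside) outward; the Internet is anything else.
RANK = {"LAN": 0, "DMZ": 1, "INTERNET": 2}
# The NAT hop protecting each zone, keyed by that zone's rank. A stateful NAT
# forwards flows its inside hosts start and drops unsolicited inbound packets.
NAT_PROTECTING = {0: "Server/NAT (172.16.7.4 -> 192.168.8.1)",
                  1: "MAIN-router (192.168.1.5 -> 172.16.7.1)"}


def zone_of(addr):
    """Name the zone an address lives in under the constructed plan."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"


def reachable(dst, tunnel_terminates_in):
    """Can an unsolicited packet from a VPN client reach dst?

    tunnel_terminates_in is the zone where the tunnel is decapsulated, i.e.
    where the client's traffic first appears in the clear. Moving outward
    never crosses a NAT inside-boundary; moving inward does, and the first
    NAT on the path drops the packet.
    """
    start = RANK[tunnel_terminates_in]
    end = RANK[zone_of(dst)]
    if end >= start:
        return True, f"{dst} ({zone_of(dst)}) is outward of the tunnel endpoint"
    return False, f"{dst} ({zone_of(dst)}) is inward; dropped at {NAT_PROTECTING[start - 1]}"


def main():
    # Current layout: MAIN-router is the VPN server, so the tunnel ends in the DMZ.
    print(reachable("172.16.7.4", "DMZ"))   # the server's outside NIC answers pings
    print(reachable("192.168.8.1", "DMZ"))  # the DC/DNS on the LAN is unreachable
    # Option 1: VPN passthrough relays the tunnel to RRAS, so it ends on the LAN side.
    print(reachable("192.168.8.1", "LAN"))
    # Option 2 (single-homed server, NAT device on the LAN) also ends the tunnel in the LAN.


if __name__ == "__main__":
    main()
```

The second call is the thread's symptom: a client that lands in the DMZ can ping 172.16.7.4 but its DNS queries to 192.168.8.1 never get past the Server/NAT, so the suffix fix alone cannot help.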
  10. \1SE\

    \1SE\ Guest

    I don't think I can shutdown RRAS if people are going to connect to the
    server from home machines via MS-VPN?

    I think option 2 sounds the easiest way to go but I don't think it will
    work.

    I have this constant VPN connection(s) that needs to be made for WAN
    locations but I also need to have the users be able to VPN into the
    server/network.

    Can I use option 2 and still get both types of VPN connections?

    Option number 1 seems to be the way I need to go. I'm not sure how to
    complete the task though?
    Are you saying I need to have the WAN location's VPN router tunnel directly
    into the 2003 server and NOT the router.
    This makes good sense, and to be honest is what I thought I'd have to do,
    But I don't have a good enough understanding of RRAS to know how to create a
    constant VPN tunnel for my WAN location's router.
    The WAN router uses IKE policies and all sorts of encryption options. I'm
    sure it can be done but I'm not sure how.
    Can anyone help with that??
     
    \1SE\, Apr 16, 2005
    #10
  11. You aren't "using it" now. The Internet Sharing NAT Device is accepting the
    VPN connection. RRAS isn't doing anything.
    I use it everyday.
    The documentation of your NAT Device will tell you that.
    I don't think I'm going to be able to explain it within email messages to a
    degree that you will understand. I think you are going to have to study it
    with careful attention to topology design. You need to understand what a
    Back-to-Back DMZ is,..the characteristics of it, and how it is "in the way"
    of the VPN connection.
     
    Phillip Windell, Apr 18, 2005
    #11
  12. \1SE\

    \1SE\ Guest

    I do understand the topology and the Back to back DMZ's that I have.
    I don't think you're completely understanding the setup.

    I have TWO (2) DIFFERENT TYPES OF VPN CONNECTIONS.
    My VPN router, (what I believe you're referring to as a NAT device) AND the
    2003 server.
    RRAS IS accepting the normal Microsoft VPN connections from remote users.
    The VPN router is only accepting connections from the other VPN router at a
    remote site.

    I guess what my problem is... is that I need BOTH RRAS and the VPN router
    connections.

    I need the remote site's VPN router (not users) to connect to the VPN router
    at the main location,(where the 2003 server is) and be able to route to the
    local LAN & I ALSO NEED the users to be able to connect to the 2003
    server's RRAS Microsoft VPN.
     
    \1SE\, Apr 18, 2005
    #12
  13. That won't work.
    No you don't. All VPN connections regardless of the "type" use the same VPN
    Device.

    If the VPN Device is the NAT Device then you are only VPN'ing into the DMZ
    and not the LAN,...the LAN is unreachable.

    If the VPN Device is the RRAS Box then it is unreachable because the NAT
    Device and the DMZ are in the way.

    I understand exactly what you have. As I said before,...either the NAT
    Device must be capable of "VPN Passthrough" so that you can use the RRAS box
    as the VPN Device,...

    .........or you must get rid of the DMZ by either making the Server a
    single-homed box and using the NAT Device for everything,...or you must get
    rid of the NAT Device and use the RRAS box for everything.
     
    Phillip Windell, Apr 18, 2005
    #13
  14. \1SE\

    \1SE\ Guest

    OK,
    I do not want my users to have to load special software to connect to the
    LAN via VPN so I have to go with the 2003 box using RRAS.

    But if I eliminate one NIC from the server will Users still be able to VPN
    in to the 2003 server?

    (The NAT device IS capable of VPN pass-through, But I don't know how to
    create a connection for the WAN NAT device in RRAS.)
     
    \1SE\, Apr 19, 2005
    #14
  15. They never would have,..in anything I have suggested.
    You are not reading what I write and are blending different things I write
    together that aren't supposed to be.

    If the Server has one NIC, then you are doing *everything* with the NAT
    Device (NAT, VPN, everything)
    You don't. That is not what VPN Passthrough does. It simply "relays" the
    Tunnel to the RRAS box and allows the Tunnel to terminate there. The
    connection is between the "caller" and the RRAS Server.

    I can't do anymore with this. There is no way I can teach you what you need to
    know in email messages. You need to study how this stuff works on your own
    and get a better understanding of how the different theories and models
    work.
     
    Phillip Windell, Apr 19, 2005
    #15
  16. \1SE\

    \1SE\ Guest

    I have studied, I thank you, VERY MUCH, for your help. You're not hearing all
    or understanding all about my setup.
    The 'Caller' is another VPN router from the WAN location.
    I also have 'Callers' being individual users.
    2 types of 'callers'.

    If you'll recall my original setup, I know it was a long time back, I have
    Three (3) VPN routers. One at a remote site, One as a DMZ at the Main
    location and One on the other side of the main location. I then have the
    2003 server using RRAS to take 'Users' connecting VIA MS-VPN. The Main
    router on the inside of the DMZ is accepting the Tunnel from the Router at
    the remote site.
    The Routers have 'pass-through' capabilities because they are all the same
    model and VPN is already passing thru the DMZ to the Main router and the
    users are passing thru DMZ and Main routers to the 2003 server.
    If there is a way to have the remote location router VPN directly into RRAS,
    THAT's what I'd like to know how to do.
    That seems to be the way to get this to work.
    If I'm understanding correctly, if the remote router could VPN tunnel
    directly into the 2003 box, then the users could connect as they normally do
    and the remote site could sustain its connection as well.

    Please tell me this makes better sense now?

    George.
    MCSA, MCDBA, MCSEnt4, MCSE2K. MBA-IS

    With this statement???
    {{ (The NAT device IS capable of VPN pass-through, But I don't know how to
    create a connection for the WAN NAT device in RRAS.)

    You don't. That is not what VPN Pass-through does. It simply "relays" the
    Tunnel to the RRAS box and allows the Tunnel to terminate there. The
    connection is between the "caller" and the RRAS Server.}}

    Are you saying that just by enabling the pass thru for VPN on the Main
    router to the RRAS box, my VPN tunnel will be created from the remote,
    or WAN, location, without any IKE policies needed or user name and
    password? And that my users will still be able to connect via MS-VPN as
    always?
     
    \1SE\, Apr 19, 2005
    #16
  17. I replied to the identical post under the new thread subject.
     
    Phillip Windell, Apr 21, 2005
    #17
  18. \1SE\

    \1SE\ Guest

    As did I.
    Thank you.

     
    \1SE\, Apr 21, 2005
    #18