This is the (simplified) setup:
    10.1.1.1 default gateway
    |
    HUB ----- 10.1.1.X - subnet with workgroup clients
    |
    10.1.1.2 as "external" IP of SBS server
    |
    192.168.30.10 as internal IP of SBS server
    |
    HUB
    |
    192.168.30.11 Terminal server IP address
I know that setup is not very clever, but that is what I inherited and cannot change. The question is how to allow traffic originating from the 10.1.1.X subnet to reach 192.168.30.11 (terminal server). Regards, Alex
The first thing you have to do is enable IP routing on the server, so that it can forward the traffic. The next thing you need to do is add extra routing to get the traffic to the internal router. The routing would look like this.
    Internet
    |
    gateway 10.1.1.1
    |
    workstations 10.1.1.x dg 10.1.1.1
    |
    10.1.1.2 dg 10.1.1.1
    server
    192.168.30.10 dg blank
    |
    192.168.30.11 dg 192.168.30.10
To get the traffic from 10.1.1 to 192.168.30. you need to add a static route to the gateway router.
    192.168.30.0 255.255.255.0 10.1.1.2
If for some reason you can't add this to the gateway router you will need to add it to every client in the 10.1.1 subnet which needs to access the TS in 192.168.
Hi Bill, Thanks for your answer. I have a Cisco 877 router on that site and that one has a static route to 192.168.30.X set up. I have RRAS active on the SBS server and no firewall software I know of. One of the concerns is the following: When I traceroute from the 10.1.1.1 Cisco router to 192.168.30.10, I am getting no IP addresses showing in the path. I presume 10.1.1.2 is supposed to show as a step in the path, but I cannot see it. Is that because the Cisco router is not routing to the right gateway or because some block exists on the SBS external interface (10.1.1.2)? Unfortunately, the site is far away and I do not have access to it. I also have no remote access to 10.1.1.X workstations (no credentials to log on). Regards, Alex
Sites? There was no mention of sites before. It was just two hubs. Exactly how are these two LANs connected? Routing is a two-way process. There must be a route (default or specific) from A to B and also from B to A. If the default gateway for 192.168.30.11 is to the RRAS router and the default gateway for the RRAS router is the Cisco, routing in that direction is fine. In the other direction, all you should need is the static route on the Cisco to forward traffic for 192.168.30 to the RRAS router. Once it gets to the RRAS router it will be delivered directly. If the static route on the Cisco is correct you should be able to tracert from 10.1.1.x (including the Cisco) to 192.168.30.11 (and yes, 10.1.1.2 should show up as a step in the path).
Hi Bill, Thanks for your continuous help. "Site" is the office where computers are. Both networks are in one location. I am remoting into networks through PPTP and RDP and am on a subnet not related to subnets in question. It looks like routing through the external adapter to the internal adapter is not possible, since the external adapter is default gateway and NAT for the subnet connected to the internal adapter. Following is the reply I've got on the MS Partners group:
********************************************************
According to your post, I understand that you have some concerns how to make your clients from 10.1.1.x subnets connect to the terminal server in 192.168.30.0 subnet, behind of SBS Server. If I am off-base on that, please let me know. First of all, based on your configuration, the SBS server acts as the gateway and proxy server for 192.168.30.x client computers. As this is a proxy server, it cannot work as a router to route packets from 10.1.1.x to 192.168.30.x.
********************************************************
I still have to confirm what was the meaning of the "Proxy Server" term he used, but if he was referring to NAT, then routing to inside is not possible. Just to confirm here, I am not aware of SBS acting as a proxy server at present. It is Gateway and NAT for 192.168.30.X, but no proxy. What do you think of this answer? Will keep you posted if more replies come from the MS Partner group. Regards, Alex
Hi, I'm trying to use VPN to connect to my private network. When I print my routing table, the VPN Gateway is equal to Interface:
    0.0.0.0 0.0.0.0 172.16.1.5 172.16.1.5 1
Is this right? I cannot see my network clients using VPN. How can I configure my VPN to use the right route? Thanks Daniel
That is correct. What you see is a default route to the "received" IP. All it really means is that your default gateway is now the VPN connection.
Yes, proxy server is quite different from NAT. It is possible to run SBS as a proxy server using ISA server (I think it only comes with SBS premium). The comments on NAT are correct. You cannot access a machine on the "private" side of a NAT from the "public" side. NAT is a one-way address translation to allow machines on a private network to access machines on a public network. To access machines on the 192.168.30 subnet from 10.1.1 you need to use normal IP routing, not NAT. You should still be able to access the Internet from the 192.168.30 subnet. Whatever does NAT for the 10. addresses should do it for the 192.168. addresses as well.
Hi Bill, Thanks for your support. By MS experts on the MS partner portal, SBS is not able to do what I want and "Address Mapping" is not what they would suggest. They said the following:
*********************************************************
The Proxy Server I mean here is the NAT. In SBS Server, once we run the "Connect to the Internet", the SBS Server will be the NAT Server for internal client computers. In SBS Server, you do not need the address mapping, using the Remote Desktop feature on Remote Web Workspace is the best option. Address Mapping in SBS Server involves more configuration and changes on system configuration, these are not a recommended option and once we run the "Connect to the Internet" again, the settings will be removed.
*********************************************************
Good to know this for future reference. At the end I've decided to make a workaround with another router connected to both internal (192.168.30.X) and external (10.1.1.X) subnets. The whole picture of the problem was as in the following diagram: http://www.sourcenet.co.nz/CSIproblem.gif The resolution was like this: http://www.sourcenet.co.nz/CSIresolution.gif Router C has NAT enabled and router A has static route 192.168.30.0 255.255.255.0 10.1.1.5, so all traffic going to 192.168.30.0 coming to router A is to be forwarded to router C. I hope this will help someone to resolve a similar issue. Regards, Alex
Bill, thanks for your reply. So, why can't I access the network resources? The only client that I can see is my machine.
Hi Daniel, I am afraid you have not given us enough info to troubleshoot your problem. I will give you some guidelines here:
- Make sure that the client PC is not on the same numbered subnet as the VPN server (so if VPN server is 192.168.0.1 inside, your client's IPs are not supposed to be 192.168.0.X)
- Make sure your clients get a VPN IP assigned by DHCP on the network where the VPN server is.
- Make sure enough IPs are available for clients.
Post more info and I will try to help. Regards, Alex
The "solution" gif appears to be empty! Yes, SBS can be a bit of a pain to work with. If what the wizard does is exactly what you want, it's fine. If you want to customise something it can get nasty.
Alex, thank you for your response.
> are not supposed to be 192.168.0.X)
The PC Client is using 192.168.0.x and VPN is using 10.30.71.X. The VPN server isn't the DHCP server of my network. The DHCP server is another machine, but in the same network. When I make a connection to the VPN server, I receive an IP number and the connection also shows me a Server IP, which I don't know the source of. In RAS, I don't set the option to distribute IPs by DHCP. Yes, I'm using a range of 254 and there are IPs available. An important piece of information is that my VPN structure has only one Network Board. I enabled the VPN in win 2003 server, using the option CUSTOM CONFIGURATION. Thanks, Daniel
When your VPN connects, the client receives an IP from the RRAS server. This is part of the negotiation to set up the connection. The RRAS server has an IP in the same IP subnet which it gets from the same pool of addresses. You now have a point-to-point link between these two IP addresses (i.e. between host and guest). That is all that VPN gives you - an IP connection between client and server. To access machines beyond the VPN server itself you need two things - IP routing and name resolution. IP routing only works automatically if the VPN address pool is in the same IP subnet as the server's LAN. In that case, the server does proxy ARP on the LAN for the remote client. The client "appears" to be actually on the LAN because the server is acting as a proxy for it. If the VPN is using a different IP subnet, normal IP routing rules apply. You need to enable IP routing on the VPN server. You also need extra routing to get remote traffic to the VPN server (unless the VPN server is the default gateway for the LAN).
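The routing rule from the replies above (a route must exist in both directions, and the dual-homed server must have IP routing enabled), as an added Python model that is not from any poster: it walks a packet hop by hop through the office topology and through a routed VPN pool. The workstation 10.1.1.50, the /24 masks and the 192.168.50.x LAN are constructed for the example, and NAT and packet filtering are not modelled.

```python
import ipaddress as ip

class Node:  # host or router: interface addresses, static routes, forwarding on/off
    def __init__(self, addrs, routes=(), forwards=False):
        self.ifaces = [ip.ip_interface(a) for a in addrs]
        self.routes = [(ip.ip_network(n), ip.ip_address(g)) for n, g in routes]
        self.forwards = forwards
    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces)
    def next_hop(self, dst):
        if any(dst in i.network for i in self.ifaces):
            return dst  # directly connected subnet: deliver on-link
        hits = [(n.prefixlen, g) for n, g in self.routes if dst in n]
        return max(hits, key=lambda h: h[0])[1] if hits else None  # longest prefix

def trace(nodes, src, dst):
    """Router addresses crossed from src to dst (as tracert lists them), or None if dropped."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    node, hops = next(n for n in nodes if n.owns(src)), []
    for _ in range(16):  # hop limit, guards against routing loops
        if node.owns(dst):
            return hops
        nh = node.next_hop(dst)
        nxt = next((n for n in nodes if nh is not None and n.owns(nh)), None)
        if nxt is None or not (nxt.owns(dst) or nxt.forwards):
            return None  # no route, unknown next hop, or IP routing disabled there
        if not nxt.owns(dst):
            hops.append(str(nh))
        node = nxt
    return None

def two_way(nodes, a, b):  # a session needs a path from a to b and from b back to a
    return trace(nodes, a, b) is not None and trace(nodes, b, a) is not None

def topology(gw, host, box, inner, gw_routes, box_forwards=True):
    """Gateway and host on the outer net, dual-homed box (outer, inner), one inner host."""
    via = lambda a: [("0.0.0.0/0", str(ip.ip_interface(a).ip))]
    return [Node([gw], gw_routes, True), Node([host], via(gw)),
            Node(list(box), via(gw), box_forwards), Node([inner], via(box[1]))]

# Addresses from the thread; 10.1.1.50, the /24 masks and 192.168.50.x are constructed.
OFFICE = dict(gw="10.1.1.1/24", host="10.1.1.50/24",
              box=("10.1.1.2/24", "192.168.30.10/24"), inner="192.168.30.11/24")
VPN = dict(gw="192.168.50.1/24", host="192.168.50.20/24",
           box=("192.168.50.10/24", "10.30.71.1/24"), inner="10.30.71.2/24")

if __name__ == "__main__":  # tracert from the gateway router to the terminal server
    net = topology(**OFFICE, gw_routes=[("192.168.30.0/24", "10.1.1.2")])
    print(trace(net, "10.1.1.1", "192.168.30.11"))
```

Removing the static route from `gw_routes`, or passing `box_forwards=False`, makes `trace` return `None`. In the VPN case the forward path still works, but `two_way` stays false until the LAN gateway has a route for 10.30.71.0/24 via the VPN server.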
My problem was resolved. Thank you! The configuration was OK, the problem was another service that was blocking the connection.