route trafic from external to internal adapter

Discussion in 'Server Networking' started by Alex, Nov 16, 2006.

  1. Alex

    Alex Guest

    This is (simplified) setup: default gateway
    HUB ----- 10.1.1.X - subnet with workgroup clients
    | as "external IP of SBS server
    | as internal IP of SBS server
    | Terminal server IP address

    I know that setup is not very clever, but that is what I inherited and can
    not change.
    The question is how to allow trafic originating from 10.1.1.X subnet to
    reach (terminal server)

    Alex, Nov 16, 2006
    1. Advertisements

  2. Alex

    Bill Grant Guest

    The first thing you have to do is enable IP routing on the server, so
    that it can forward the traffic. The next thing you need to do is add extra
    routing to get the traffic to the internal router.

    The routing would look like this.

    10.1.1.x dg
    | dg
    server dg blank
    | dg

    To get the traffic from 10.1.1 to 192.168.30. you need to add a
    static route to the gateway router.

    If for some reason you can't add this to the gateway router you will
    need to add it to every client in the 10.1.1 subnet which needs to access
    the TS in 192.168.
    Bill Grant, Nov 16, 2006
    1. Advertisements

  3. Alex

    Alex Guest

    Hi Bill,
    Thanks for your answer.
    I have Cisco 877 router on that site and that one has static route to
    192.168.30.X setup.
    I have RRAS active on a SBS server and no firewall software I know of.
    One of the concerns is the following:
    When I traceroute from cisco router to, I am geting
    no IP addresses showing in path. I presume is suppose to show as a
    step in a path, but I can not see it. Is that because Cisco router is not
    routing to the right gateway or because some block exists on SBS external
    interface (
    Unfortunately, the site is far away and i do not have access to it. I also
    have no remote access to 10.1.1.X workstations (no credentials to log on).

    Alex, Nov 16, 2006
  4. Alex

    Bill Grant Guest

    Sites? There was no mention of sites before. It was just two hubs. Exactly
    how are these two LANs connected?

    Routing is a two-way process. There must be a route (default or
    specific) from A to B and also from B to A.

    If the default gateway for is to the RRAS router and the
    default gateway for the RRAS router is the Cisco, routing in that direction
    is fine. In the other direction, all you should need is the static route on
    the Cisco to forward traffic for 192.168.30 to the RRAS router. Once it gets
    to the RRAS router it will be delivered directly. If the static route on the
    Cisco is correct you should be able to tracert from 10.1.1.x (including the
    Cisco) to (and yes, should show up as a step in the
    Bill Grant, Nov 16, 2006
  5. Alex

    Alex Guest

    Hi Bill,
    Thanks for your continious help.
    "Site" is the office where computers are. Both networks are in one location.
    I am remoting into networks through PPTP and RDP and am on a subnet not
    related to subnets in question.
    It looks like routing through external adapter to internal adapter is not
    possible, since external adapter is default gateway and NAT for subnet
    connected to internal adapter.
    Following is the replay I've got on MS Partners group:

    According to your post, I understand that you have some concerns how to
    make your clients from 10.1.1.x subnets connects to the terminal server in subnet, behind o f SBS Server. If I am off-base on that,
    please let me know.

    First of all, based on your configuration, the SBS server act as the
    gateway and proxy server for 192.168.30.x client computers. As this is a
    proxy server, it cannot work as a router to route packets from 10.1.1.x to


    I still have to confirm whart was the meaning of "Proxy Server" term he
    used, but if he was refering to NAT, then routing to inside is not possible.
    Just to confirm here, I am not aware of SBS acting as a proxy server at
    present. It is Gateway and NAT for 192.168.30.X, but no proxy.

    What do you think of this answer?

    Will keep you posted if more replays from MS Partner group.

    Alex, Nov 16, 2006
  6. Hi,

    Im trying to use VPN to connect to my private network. When I print my
    routing table, the VPN Gateway is equal to Interface: 1

    This is right?
    I cannot see my network clients using VPN.

    How can I configure my VPN to use the right route?

    Daniel Correa, Nov 16, 2006
  7. Alex

    Bill Grant Guest

    That is correct. What you see is a default route to the "received" IP. All
    it really means is that your default gateway is now the VPN connection.
    Bill Grant, Nov 16, 2006
  8. Alex

    Bill Grant Guest

    Yes, proxy server is quite different from NAT. It is possible to run sbs
    as a proxy server using ISA server (I think it only comes with sbs premium).

    The comments on NAT are correct. You cannot access a machine on the
    "private" side of a NAT from the "public" side. NAT is a one-way address
    translation to allow machines on a private network to access machines on a
    public network.

    To access machines on the 192.168.30 subnet from 10.1.1 you need to use
    normal IP routing, not NAT. You should still be able to access the Internet
    from the 192.168.30 subnet. Whatever does NAT for the 10. addresses should
    do it for the 192.168. addresses as well.
    Bill Grant, Nov 16, 2006
  9. Alex

    Alex Guest

    Hi Bill,
    Thanks for your support.

    By MS experts on MS partner portal, SBS is not able to do what I want and
    "Address Mapping" is not what they would suggest. They said the following:

    The Proxy Server I mean here is the NAT. In SBS Server, once we run the
    "Connect to the Internet", the SBS Server will be the NAT Server for
    internal client computers. In SBS Server, you do not need the address
    mapping, using the Remote Desktop feature on Remote Web Workspace is the
    best option. Address Mapping in SBS Server involves more configuration and
    changes on system configuration, these are not recommended option and once
    we run the "Connect to the Internet" again, the settings will be removed.


    Good to know this for the future reference.

    At the end i've decided to make workaround with another router connected to
    both, internal (192.168.30.X) and external (10.1.1.X) subnets.
    The whole pictuire of the problem was as the following diagram:
    The resolution was like this:
    Router C has NAT enabled and router A has static route, so all trafic going to comming to router
    A is to be forwarded to router C.

    I hope this will help someone to resolve simmilar issue.

    Alex, Nov 17, 2006
  10. Bill, thanks for your reply.
    So, why I can't access the network resources?
    The only client that I can see is my machine.

    Bill Grant escreveu:
    Daniel Correa, Nov 17, 2006
  11. Alex

    Alex Guest

    Hi Daniel,
    I am afraid you have not given us enough info to troubleshoot your problem.
    I will give you some guidelines here:

    -Make sure that client PC is not on a same numbered subnet as VPN server (so
    if VPN server is inside, your client's IPs are not supposed to be

    -Make sure your clients get VPN IP assigned by DHCP on network where VPN
    server is.

    -Make sure enough IPs are available for clients.

    Post more info and I will try to help.

    Alex, Nov 18, 2006
  12. Alex

    Bill Grant Guest

    The "solution" gif apears to be empty!

    Yes, SBS can be a bit of a pain to work with. If what the wizard does is
    exactly what you want, it's fine. If you want to customise something it can
    get nasty.
    Bill Grant, Nov 18, 2006
  13. Alex

    Bill Grant Guest

    I can see the gif fine now. Not a pretty sight, but at least it works!
    Bill Grant, Nov 18, 2006
  14. Alex, thank you for your response.
    are >not supposed to be > 192.168.0.X)

    The PC Client is using 192.168.0.x and VPN is using 10.30.71.X.
    The VPN server isn't the DHCP server of my network. The DHCP server is
    another machine, but in the same network. When I make a connection to
    VPN server, I receive a IP number and the connection show me also a
    Server IP, which I dont know the source of it.

    In RAS, I don't set the option to distribute IP's by DHCP.
    Yes, Im using a range of 254 and are IP's available.

    A important information is that my VPN estruture has only one Network
    Board. I enable the VPN in win 2003 server, using the option CUSTOM

    Daniel Correa, Nov 23, 2006
  15. Alex

    Bill Grant Guest

    When your VPN connects, the client receives an IP from the RRAS server.
    This is part of the negotiation to set up the connection. The RRAS server
    has an IP in the same IP subnet which it gets from the same pool of
    addresses. You now have a point-to-point link between these two IP addresses
    (ie between host and guest). That is all that VPN gives you - an IP
    connection between client and server.

    To access machines beyond the VPN server itself you need two things - IP
    routing and name resolution.

    IP routing only works automatically if the VPN address pool is in the
    same IP subnet as the server's LAN. In that case, the server does proxy ARP
    on the LAN for the remote client. The client"appears" to be actually on the
    LAN because the server is acting as a proxy for it.

    If the VPN is using a different IP subnet, normal IP routing rules
    apply. You need to enable IP routing on the VPN server. You also need extra
    routing to get remote traffic to the VPN server (unless the VPN server is
    the default gateway for the LAN).
    Bill Grant, Nov 24, 2006
  16. Bill, how can I enable IP routing in the VPN server?

    Bill Grant escreveu:
    Daniel Correa, Nov 24, 2006
  17. My problem was resolved.
    Thank you!The configuration was OK, the problem was another services
    that was blocking the connection.

    Daniel Correa escreveu:
    Daniel Correa, Nov 24, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.