VPN partially works

Discussion in 'Server Networking' started by Millie, Jul 15, 2004.

  1. Millie

    Millie Guest

    Hello,

    Hardware Firewall
    -has external ip
    -has internal ip #1
    -port 25 forwards to internal IP #2 (domain controller)
    -port 443 forwards to internal IP #2 (domain controller)
    -port 1723 forwards to internal IP #2 (domain controller)
    -port 81 forwards to internal IP #3 (member server)

    Domain Controller
    -has internal ip #2
    -W2K Standard with Exchange 2K on it
    -Remote Access Server
    -Certificate services

    Member Server
    -has internal ip #3
    -W2K Standard
    -intranet documents

    The branch office use a dialup network connection to
    establish a PPTP VPN connection, and then open their
    Outlook XP to access their email that is stored on the
    domain controller.

    With the VPN up, the branch office can't see the member
    server to access the intranet documents. I have had to
    create an Internet icon on each computer with the
    URL "http://external ip:81/directory name" in order for
    the branch office to access the intranet documents.

    I can't figure out how to get the VPN connection to see
    both the domain controller and the member server.

    Does anyone know how I can fix this problem?

    Thanks for your help,
    Millie
     
    Millie, Jul 15, 2004
    #1

  2. Miha Pihler

    Miha Pihler Guest

    Can remote clients ping IP (not name!) of member server? What does tracert
    from client to member server show?

    How is routing configured on the member server? How are your IP filters
    configured on the RRAS server? Can the member server ping the client's IP address? What
    does tracert from the member server to the client show?

    Mike
     
    Miha Pihler, Jul 15, 2004
    #2

  3. I know it can be annoying,...but we need to clarify terminology to make sure
    we are on the "same page" together.

    Above, the "ports" aren't being forwarded. The IP#s are being forwarded. Port
    forwarding is when the ports on IP#1 and IP#2 are not the same port#.
    I assume you mean that this part works?
    Let's use accurate terminology or we will never know what each other means.
    What do you actually mean by "branch office can't see the member server"?
    How are they attempting to do it? Network browsing? Internet Explorer
    combined with an intranet website? Are they using machine names, FQDNs,
    IP#s? Your example is an HTTP URL using the IP# on a non-standard port; this
    would imply the use of an internal website to gather these "intranet
    documents".
    Well, VPN is just an encapsulated TCP/IP link,.... it doesn't "see" anything.
    Can you explain what you mean by that?
     
    Phillip Windell, Jul 15, 2004
    #3
  4. Millie

    Millie Guest

    1. When remote clients ping the IP of member server,
    they get error message "request timed out".

    2. Tracert from remote client to member server gets
    error message "tracing route to IP address over a
    maximum of 30 hops" and the "request timed out".

    3. Ping from member server to remote client gets error
    message "request timed out".

    4. Tracert from member server to remote client gets
    error message:

    tracing route to client IP over a maximum of 30 hops
    1 <10 ms <10 ms <10 ms gateway IP
    2 78 ms 16 ms 10 ms head office's ISP IP #1
    3 <10 ms 16 ms 10 ms head office's ISP IP #1
    4 <10 ms 16 ms <10 ms head office's ISP IP #2
    5 * * * request timed out.

    5. I don't think there is any routing configured on
    the member server (Routing and Remote Access Server
    does exist in Administrative Tools though).

    6. I don't know how the IP filters are configured on
    the RAS.

    As you can tell, I'm not very experienced with this
    subject matter.

    Thank you,
    Millie
     
    Millie, Jul 15, 2004
    #4
  5. Millie

    Millie Guest

    I'm not very experienced with VPNs and have a limited
    knowledge of the subject matter and terminology.

    Our hardware firewall has an external IP address. The
    firewall ports are mapped as follows: port 25 for smtp is
    mapped to internal IP #2 (domain controller), port 1723
    for vpn is mapped to internal IP #2 (domain controller),
    etc.

    Yes, the branch office can successfully access their email.

    The branch office can't use Windows Explorer to map a
    drive to the member server.

    My understanding is that if VPN is configured correctly,
    once the VPN session is established that the remote client
    will be able to access email on the domain controller and
    data (spreadsheets, word documents, etc) on the member
    server. But in our case, the remote client can only access
    email on the domain controller and not access data on the
    member server.

    Thank you,
    Millie
     
    Millie, Jul 15, 2004
    #5
  6. Miha Pihler

    Miha Pihler Guest

    Hi,

    when a remote client connects to RRAS it gets a new private IP from RRAS. Are
    these IPs from the same subnet or a different subnet than the IPs in the remote office?
    Can you ping and perform tracert from the member server to this private IP of the
    remote client?

    Mike
     
    Miha Pihler, Jul 15, 2004
    #6
  7. Millie

    Millie Guest

    The RAS has a range of 10 IPs: 172.16.0.x with subnet
    255.255.255.255 which is assigned to the remote clients
    when they connect. The remote office computers have IPs:
    192.168.0.x with subnet 255.255.255.0. The head office
    computers have IPs: 192.168.1.x with subnet 255.255.255.0.

    When I ping 172.16.0.x from the member server, the request
    times out.

    When I tracert 172.16.0.x from the member server, the
    following is displayed:

    tracing route to client IP over a maximum of 30 hops
    1 <10 ms <10 ms <10 ms gateway IP
    2 78 ms 16 ms 10 ms head office's ISP IP #1
    3 <10 ms 16 ms 10 ms head office's ISP IP #1
    4 <10 ms 16 ms <10 ms head office's ISP IP #2
    5 * * * request timed out.

    Thanks,
    Millie
     
    Millie, Jul 15, 2004
    #7
  8. Miha Pihler

    Miha Pihler Guest

    Hi,

    Did you write down the wrong subnet mask for the 172.16.0.x subnet? You wrote
    255.255.255.255, but that means a specific IP address. What is the real subnet
    mask? It should be 255.255.0.0, but what are you using?

    To run successful tracert you actually have to have a client connected from
    remote office to RRAS and then ping the client's private IP (172.16.0.?). If
    there are no clients connected to RRAS there is nothing to answer your ping.

    Mike
     
    Miha Pihler, Jul 15, 2004
    #8
  9. No problem.
    Yes. That is "Static NAT" although the term may vary by firewall
    manufacturer.
    But what happens when they try? What does it do? What does it say?
     
    Phillip Windell, Jul 15, 2004
    #9
  10. Millie

    Millie Guest

    Microsoft Technical Support helped me to set up the RAS
    some time ago. They told me to enter the 172.16.0.x IP
    range for remote clients.

    I used VNC Connect to obtain remote control of a computer
    in the branch office, did an IPCONFIG /ALL and it said
    255.255.255.255 for the subnet mask for 172.16.0.x. If
    this is wrong, I don't know how to correct it and don't
    understand why the VPN works for accessing email on the
    Exchange Server here at head office.

    Yes, I took remote control of a branch office computer to
    establish a VPN connection before I tried pinging the
    172.16.0.x IP from the member server.

    Thank you,
    Millie
     
    Millie, Jul 16, 2004
    #10
  11. Millie

    Millie Guest

    After I established a VPN connection, I used Windows
    Explorer to map a network drive to the member server. When
    I click browse to select a shared network folder, I don't
    see the member server listed under "Computers Near Me" or
    our domain name under "Microsoft Windows Network".

    When I type the path "\\member server\share" (yes the
    folder is shared) I get the following error message:
    "The network path \\member server\share could not be
    found".

    Thank you,
    Millie
     
    Millie, Jul 16, 2004
    #11
  12. catwalker63

    catwalker63 Guest

    You say the error you are getting is "The network path \\member server\share
    could not be found".

    Sounds like name resolution issue. Check to make sure the path to the
    member server is correct. If you aren't seeing the server in My Network
    Places, check the DNS configuration and, if you are using WINS, the WINS
    configurations for both the member server and the client. Check to make
    sure DNS has a host (A) record for the member server.

    --
    Kelley
    aka catwalker
    IT Professional, MCP
     
    catwalker63, Jul 16, 2004
    #12
  13. Miha Pihler

    Miha Pihler Guest

    Instead of "\\member server\share" use the IP number, e.g.

    "\\a.b.c.d\share" (replace a.b.c.d with the IP of your member server).

    Mike

     
    Miha Pihler, Jul 16, 2004
    #13
  14. Miha Pihler

    Miha Pihler Guest

    Hi,

    what is the IP of member server?

    Mike

     
    Miha Pihler, Jul 16, 2004
    #14
  15. Millie

    Millie Guest

    member server IP is 192.x.1.z subnet 255.255.255.0
    branch office segment is 192.x.0.z subnet 255.255.255.0

    Thanks,
    Millie
     
    Millie, Jul 16, 2004
    #15
  16. Millie

    Millie Guest

    I used \\a.b.c.d\share and got the same error message.

    Millie
     
    Millie, Jul 16, 2004
    #16
  17. Millie

    Millie Guest

    The remote clients are all Windows 2000 Professional
    computers so WINS is not used.

    On the remote client computer, the VPN connection icon's
    TCP/IP properties show "obtain DNS server address
    automatically".

    On the domain controller, in Administrative Tool... DNS,
    under the forward lookup zone, under our domain name,
    there is a host record for the member server.

    Millie
     
    Millie, Jul 16, 2004
    #17
  18. Miha Pihler

    Miha Pihler Guest

    Hi,

    create static route on member server. It should be an entry like this:

    route add 172.16.0.0 mask 255.255.0.0 192.168.1.x

    replace 192.168.1.x with IP of your RRAS server. Try connecting with your
    client again. If it works perform this:

    route delete 172.16.0.0 mask 255.255.0.0 192.168.1.x
    route add -p 172.16.0.0 mask 255.255.0.0 192.168.1.x

    this will create a permanent route that will persist on your system even after
    a reboot.

    Let me know if you have any problems (errors) after this...

    Mike
     
    Miha Pihler, Jul 17, 2004
    #18
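    An added illustration (not part of the thread, and not Miha's or Millie's configuration) of why the static route in the reply above fixes the return path. It models the member server's routing table with the thread's address plan (192.168.1.x head office LAN, 172.16.0.x VPN pool, 255.255.0.0 mask) and does the longest-prefix lookup the IP stack performs for a reply to a VPN client. The host addresses (member server, RRAS, gateway, client) are assumptions. Before the route is added, the only entry covering 172.16.0.0/16 is the default route, so replies are handed to the firewall and travel out toward the ISP, which is exactly what Millie's tracert in post #7 shows; after it, replies go to the RRAS server, which owns the PPTP tunnel. (The 255.255.255.255 mask Millie saw in ipconfig on the client is what Windows reports for a point-to-point PPP adapter, so the client-side mask is not the fault; the missing route on the server side is.)

```python
import ipaddress

# Constructed address plan following the thread (192.168.1.x head office LAN,
# 172.16.0.x handed to VPN clients by RRAS). The host parts are assumptions.
MEMBER_SERVER_IP = "192.168.1.20"   # assumed member server address
RRAS_SERVER_IP = "192.168.1.10"     # assumed RRAS / domain controller address
LAN_GATEWAY_IP = "192.168.1.1"      # assumed firewall internal IP #1
VPN_CLIENT_IP = "172.16.0.5"        # assumed address leased to a PPTP client


def prefix_len(mask):
    """Dotted-decimal subnet mask -> prefix length (255.255.0.0 -> 16)."""
    bits = int(ipaddress.IPv4Address(mask))
    return bin(bits).count("1")


def make_table(static_vpn_route=False):
    """Member server routing table as (network, next hop, interface) rows.

    Without the static route the only entry covering 172.16.0.0/16 is the
    default route; with it, the entry the thread adds with
    'route add -p 172.16.0.0 mask 255.255.0.0 <RRAS IP>' is present.
    """
    rows = [
        ("0.0.0.0/0", LAN_GATEWAY_IP, "LAN"),          # default route
        ("192.168.1.0/24", MEMBER_SERVER_IP, "LAN"),   # directly connected
        ("127.0.0.0/8", "127.0.0.1", "loopback"),
    ]
    if static_vpn_route:
        rows.append(("172.16.0.0/%d" % prefix_len("255.255.0.0"),
                     RRAS_SERVER_IP, "LAN"))
    return [(ipaddress.ip_network(n), ipaddress.ip_address(g), i)
            for n, g, i in rows]


def lookup(table, dst):
    """Longest-prefix match: the most specific network containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [row for row in table if dst in row[0]]
    if not matches:
        return None
    return max(matches, key=lambda row: row[0].prefixlen)


def next_hop(table, dst):
    """Next hop the member server hands a reply for dst to (as a string)."""
    row = lookup(table, dst)
    return str(row[1]) if row else None


def reply_stays_internal(table, dst):
    """True when a reply to dst goes to a LAN host (the RRAS server) rather
    than to the default gateway, from where the thread's tracert shows
    packets for the VPN pool leaving toward the ISP."""
    return next_hop(table, dst) != LAN_GATEWAY_IP


if __name__ == "__main__":
    for label, table in (("before", make_table(False)),
                         ("after", make_table(True))):
        hop = next_hop(table, VPN_CLIENT_IP)
        where = ("LAN (RRAS)" if reply_stays_internal(table, VPN_CLIENT_IP)
                 else "default gateway -> ISP")
        print(f"{label:6s} static route: reply to {VPN_CLIENT_IP} "
              f"-> {hop} [{where}]")
```

    The same lookup explains why mail worked all along: Exchange runs on the RRAS machine itself, which terminates the tunnel and needs no extra route, while every other LAN host needs either this static route or a route on the LAN gateway pointing 172.16.0.0/16 at RRAS. The "before" case is also worth a firewall rule of its own: packets addressed to a private range should never be forwarded out the external interface, so a border rule dropping them (and logging the drops) turns a silent misrouting into a visible symptom.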
  19. Millie

    Millie Guest

    Hello,

    On the member server, I typed:

    route add 172.16.0.0 mask 255.255.0.0 192.168.1.x

    (I replaced 192.168.1.x with the IP for the RAS server)

    On the client, after I established the VPN connection, I
    went to Windows Explorer to map a drive to \\member server
    IP\share. When I click on browse I can see the shared
    folder. But when I click on the shared folder, I get the
    error message "\\member server IP\share is not accessible.
    The network path was not found".

    I think we are on the right track. At least now I can see
    the share in My Network Places.

    Thanks,
    Millie
     
    Millie, Jul 19, 2004
    #19
  20. Miha Pihler

    Miha Pihler Guest

    Can you now ping member server from remote client? How about tracert? How
    about the other way around?

    How about this share:

    \\memberserver IP\c$

    Mike
     
    Miha Pihler, Jul 19, 2004
    #20