Basics of Setting Up Win2000 VPN Behind a Firewall

Post by Alex Anderso » Fri, 09 Mar 2001 12:13:17



I'm not having much luck setting up VPN on Windows 2000 Server at our small
office.

The setup is as follows:

The Firewall is running WinRoute Pro (on Win2KPro) for the firewall software
and is handling NAT and DHCP in addition to firewall.  It has two NICs:
Internet NIC = xxx.xxx.xxx.66
LAN NIC = 192.168.12.2

Our Fileserver is running Windows 2000 Server and has one NIC:
LAN NIC = 192.168.12.1

I've got Routing and Remote Access installed and running.  It's configured
for PPTP port access (I think).

Now here are the conceptual problems I'm having....

I understand I need to configure WinRoute Pro to somehow pass on VPN traffic
to the Fileserver (VPN Server) but not exactly sure how.  Within the
WinRoute Port Mapping configuration, I could have it map port 1723 to the
LAN NIC of the Fileserver, but then how does WinRoute map VPN traffic back
to the client?  So I'm guessing I don't want to actually "map" the port, but
instead just "open" the port to VPN traffic.  (Not sure how to do this, but
I'm working on it).

I'm also confused as to how to properly set up Routing and Remote Access on
the Fileserver.  I believe I've got the IP addresses configured properly
(using a small range beginning at 192.168.12.50).  But within the Port
Properties, it has a field for the "Phone number" where you're to enter the
IP address that clients are "calling".  However I'm assuming that I have
users "call" the firewall's Internet NIC.  I wouldn't think that that is
what I'm supposed to enter there.  Maybe I just leave that blank.

So anyway, this is conceptually what I think is supposed to happen:
- Firewall is somehow configured to pass VPN traffic (port 1723) to Fileserver
- Fileserver (VPN Server) is automatically listening to traffic on port 1723 on the only NIC it has (I'm assuming this is automatic in the fact that I have Routing and Remote Access running)
- Fileserver assigns an "internal" IP address (starting with 192.168.12.50) for all traffic coming in on that port for that client's IP address.
- Internal networking requests are done using the "internal" IP address and then information is passed back to the client via the client's actual internet IP address (passed back through the firewall)

Well, seems simple enough, but whenever I try to VPN connect from a client,
it comes back saying the request is denied.  I can ping the firewall fine
from the client computer, so it's seeing it.  So, I'm thinking my main
problem is not having the firewall configured properly, but I've probably
got my VPN server configuration horked too.

Any pointers you can give to straighten me out would be appreciated.

- Alex

 
 
 

Post by jes » Sat, 10 Mar 2001 06:06:31


In addition to opening TCP/IP port 1723, you also have to enable IP protocol
47.
See the following link for tips...

http://www.winntmag.com/articles/print.cfm?action=print&articleid=8290

Jeff
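
An added example, not part of either post: PPTP uses a control connection on TCP 1723 and a separate data channel carried as GRE (IP protocol 47), so a capture taken on the VPN server shows which leg the firewall is dropping. The packets below are constructed sample data, the client address 203.0.113.10 is a documentation placeholder, and the function names are hypothetical.

```python
import socket
import struct

PPTP_TCP_PORT = 1723  # PPTP control connection
IPPROTO_GRE = 47      # IP protocol number of the GRE data channel
GRE_PPP = 0x880B      # protocol type in PPTP's enhanced GRE header

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp(sport, dport):
    """Minimal 20-byte TCP SYN header; only the ports matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def classify(packet):
    """Return 'control', 'gre' or 'other' for one raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if len(body) < 4:
        return "other"
    first, second = struct.unpack("!HH", body[:4])
    if proto == socket.IPPROTO_TCP and PPTP_TCP_PORT in (first, second):
        return "control"
    # Enhanced GRE: version 1 in the low 3 bits, protocol type 0x880B.
    if proto == IPPROTO_GRE and (first & 0x7) == 1 and second == GRE_PPP:
        return "gre"
    return "other"

def diagnose(packets):
    """Say which leg of PPTP is missing from a capture taken at the VPN server."""
    seen = {classify(p) for p in packets}
    if "control" not in seen:
        return "no TCP 1723 reached the server: port mapping is missing"
    if "gre" not in seen:
        return "TCP 1723 arrives but no IP protocol 47: firewall is not passing GRE"
    return "TCP 1723 and IP protocol 47 both arrive: check the server configuration"

# Constructed captures: CLIENT is a documentation address, SERVER is the Fileserver.
CLIENT, SERVER = "203.0.113.10", "192.168.12.1"
SYN = ipv4(socket.IPPROTO_TCP, CLIENT, SERVER, tcp(1055, PPTP_TCP_PORT))
GRE = ipv4(IPPROTO_GRE, CLIENT, SERVER, struct.pack("!HHHHI", 0x3001, GRE_PPP, 0, 1, 0))
PORT_1723_ONLY = [SYN]
BOTH_OPEN = [SYN, GRE]

if __name__ == "__main__":
    print(diagnose(PORT_1723_ONLY))
    print(diagnose(BOTH_OPEN))
```

A firewall that only maps port 1723 produces the first capture: the control connection reaches the server, but the tunnel never carries data.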


Post by Bill Somervill » Sat, 10 Mar 2001 11:33:18


One thing you can do to isolate firewall problems from server problems is to
VPN into your server from within your local LAN (using the internal IP
address of your server).  You should be able to connect, assuming that the
server will accept connections on the internal NIC.  Once you get that
working, you can tackle any firewall issues.

--  Bill

