871W Wireless VPN to SBS 2003 Routing

 
 
Paul Smedshammer
12-20-2006
Long one - sorry:

We have a CISCO 871W (router/firewall/with wireless). It is working
perfectly except for the ability to VPN from the wireless to our inside
SBS 2003 server. Here is the setup:

1 Static Internet IP to 871W (WAN).

Hardwired LAN is 10.0.0.X with three servers on 10.0.0.2, .3, .4. The
server on 10.0.0.2 is a Small Business Server 2003 running PPTP VPN, and
DHCP for the 10.0.0.X network.

Wireless on 871W is on 192.168.20.X and gets its DHCP from the 871W.

Concept: We want to be able to secure 10.0.0.X from everywhere but the
wired LAN. To gain access to the 10.0.0.X network from outside
(Internet or Wireless) we want to require a VPN connection to the
10.0.0.2 server.

Configuration: We are forwarding 1723 (pptp) from the WAN interface to
10.0.0.2 and blocking all other traffic. We have blocked all traffic
from 192.168.20.X to 10.0.0.X except for 1723 and GRE.

Working: Everything on the 10.0.0.X network is working perfectly. VPN
from the outside works perfectly (meaning from any Internet connection
we can make a PPTP VPN connection into the server and gain access to all
resources). Also with the Wireless we can gain Internet access on the
192.168.20.X network with WEP security. We can make a VPN connection to
10.0.0.X.

Not Working: When, on wireless, we make a VPN connection to 10.0.0.2, we can
gain access to all 10.0.0.X resources EXCEPT 10.0.0.2 - which is
critical as it is our Exchange Server, Domain Controller and main file
server. Pinging 10.0.0.2 after the VPN connection is made results in
not reachable 192.168.20.1.

My Analysis: After making a wireless VPN connection, I can see there is
a route entry on the workstation for 10.0.0.2 routing to 192.168.20.1.
If I remove this entry, the VPN connection drops.

My thought is that the VPN connection is made directly to 10.0.0.2 from
192.168.20.X and that direct connection of course has to stay up or the
VPN will drop. Any other attempt to get to other resources on 10.0.0.X
succeeds because it goes through the VPN tunnel. But an attempt to get
to resources on 10.0.0.2 fail because the route is through the 871W and
not through the VPN tunnel.

Solutions?

1. Can we force the 192.168.20.X network to hit the outside WAN
interface for VPN to 10.0.0.2? Currently, outside on the internet we
make the VPN connection address to the public WAN interface that gets
forwarded to 10.0.0.2 through the router - wirelessly on 192.168.20.X that
fails and we have to make the VPN connection to 10.0.0.2 directly. CISCO
tech support says I can't make this happen. I feel that if we could,
everything would work because the VPN link would then be to the WAN
address and the route to 10.0.0.2 would then go through the VPN tunnel like
it does when connecting from the Internet.

2. Can we make a fake address in the 871W to forward to 10.0.0.2? The
idea would be to make a VPN connection to say 192.168.20.250 that would
then in the router get forwarded to 10.0.0.2. Result would be there
would be no entry in the routing table on workstation directing 10.0.0.2
to the 192.168.20.1. All 10.0.0.X traffic would be routed through the
VPN tunnel to 192.168.20.250 - we should then have access to 10.0.0.2
through the VPN tunnel.

Seems like both of these options should fix our problem. Any help in
implementing them or do I just need to give up? The CISCO tech says the
problem is in our SBS 2003 VPN configuration - however, it is working
perfectly except for this Wireless to VPN connection.

Thanks, Paul Smedshammer
 
Chad Mahoney
12-20-2006
Paul Smedshammer wrote:
> Solutions?
>
> 1. Can we force the 192.168.20.X network to hit the outside WAN
> interface for VPN to 10.0.0.2? Currently, outside on the internet we
> make the VPN connection address to the public WAN interface that gets
> forwarded to 10.0.0.2 through the router - wirelessly on 192.168.20.X that
> fails and we have to make the VPN connection to 10.0.0.2 directly. CISCO
> tech support says I can't make this happen. I feel that if we could,
> everything would work because the VPN link would then be to the WAN
> address and the route to 10.0.0.2 would then go through the VPN tunnel like
> it does when connecting from the Internet.
>
> 2. Can we make a fake address in the 871W to forward to 10.0.0.2? The
> idea would be to make a VPN connection to say 192.168.20.250 that would
> then in the router get forwarded to 10.0.0.2. Result would be there
> would be no entry in the routing table on workstation directing 10.0.0.2
> to the 192.168.20.1. All 10.0.0.X traffic would be routed through the
> VPN tunnel to 192.168.20.250 - we should then have access to 10.0.0.2
> through the VPN tunnel.
>
> Seems like both of these options should fix our problem. Any help in
> implementing them or do I just need to give up? The CISCO tech says the
> problem is in our SBS 2003 VPN configuration - however, it is working
> perfectly except for this Wireless to VPN connection.
>
> Thanks, Paul Smedshammer


How bout a looksie at the NAT and ACLs applied on the router? If you
can connect from the internet via the VPN and gain access to all
resources then the issue is most likely in the NAT/ACLs in the router.
When you connect to the VPN what IP address are you getting from the
server? Is it on the 10.0.0.X subnet?
 
Paul Smedshammer
12-20-2006
Chad Mahoney <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> Paul Smedshammer wrote:
>> Solutions?
>> - snip -



I think these are the sections you are wanting to look at. When we make
a wireless connection we get a 192.168.20.X from the DHCP on the 871W.
Then we make a VPN connection to 10.0.0.2 and get another address from
the DHCP on the SBServer that is in the 10.0.0.X network.

We can not make a VPN connection using wireless connection to the WAN
address of the 871 (FastEthernet4). It just times out - no response. If
we could, I think this would solve our problem.

I'd be glad to hand off any other sections of our config. We are
stumped.

Thanks,

Paul


! PAT for everything matched by access-list 1 out the WAN interface
ip nat inside source list 1 interface FastEthernet4 overload
! Port-forward PPTP (TCP 1723) arriving on the public address to the SBS box
ip nat inside source static tcp 10.0.0.2 1723 75.6.40.146 1723 extendable

! Wireless (192.168.20.0/24) to wired LAN (10.0.0.0/24): only PPTP and GRE
access-list 120 permit tcp 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 1723
access-list 120 permit udp 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 1723
access-list 120 permit gre 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
! Everything else from the wireless side (Internet access)
access-list 120 permit ip host 192.168.20.0 any
 