871W Wireless VPN to SBS 2003 Routing

Discussion in 'Cisco' started by Paul Smedshammer, Dec 20, 2006.

  1. Long one - sorry:

    We have a CISCO 871W (router/firewall/with wireless). It is working
    perfectly except for the ability to VPN from the wireless to our inside
    SBS 2003 server. Here is the setup:

    1 Static Internet IP to 871W (WAN).

    Hardwired LAN is 10.0.0.X with three servers on 10.0.0.2, .3, .4. The
    server on 10.0.0.2 is a Small Business Server 2003 running PPTP VPN, and
    DHCP for the 10.0.0.X network.

    Wireless on 871W is on 192.168.20.X and gets its DHCP from the 871W.

    Concept: We want to be able to secure 10.0.0.X from everywhere but the
    wired LAN. To gain access to the 10.0.0.X network from outside
    (Internet or Wireless) we want to require a VPN connection to the
    10.0.0.2 server.

    Configuration: We are forwarding 1723 (pptp) from the WAN interface to
    10.0.0.2 and blocking all other traffic. We have blocked all traffic
    from 192.168.20.X to 10.0.0.X except for 1723 and GRE.

    Working: Everything on the 10.0.0.X network is working perfectly. VPN
    from the outside works perfectly (meaning from any Internet connection
    we can make a PPTP VPN connection into the server and gain access to all
    resources). Also with the Wireless we can gain Internet access on the
    192.168.20.X network with WEP security. We can make a VPN connection to
    10.0.0.X.

    Not Working: When, from wireless, we make a VPN connection to 10.0.0.2, we
    can gain access to all 10.0.0.X resources EXCEPT 10.0.0.2 - which is
    critical as it is our Exchange Server, Domain Controller and main file
    server. Pinging 10.0.0.2 after the VPN connection is made results in a
    "not reachable" reply from 192.168.20.1.

    My Analysis: After making a wireless VPN connection, I can see there is
    a route entry on the workstation for 10.0.0.2 routing to 192.168.20.1.
    If I remove this entry, the VPN connection drops.

    My thought is that the VPN connection is made directly to 10.0.0.2 from
    192.168.20.X and that direct connection of course has to stay up or the
    VPN will drop. Any other attempt to get to other resources on 10.0.0.X
    succeeds because it goes through the VPN tunnel. But an attempt to get
    to resources on 10.0.0.2 fails because the route is through the 871W and
    not through the VPN tunnel.

    Solutions?

    1. Can we force the 192.168.20.X network to hit the outside WAN
    interface for VPN to 10.0.0.2? Currently, outside on the internet we
    make the VPN connection address to the public WAN interface that gets
    forwarded to 10.0.0.2 through the router - wirelessly on 192.168.20.X that
    fails and we have to make the VPN connection to 10.0.0.2 directly. CISCO
    tech support says I can't make this happen. I feel that if we could,
    everything would work because the VPN link would then be to the WAN
    address and the route to 10.0.0.2 would then go through the VPN tunnel like
    it does when connecting from the Internet.

    2. Can we make a fake address in the 871W to forward to 10.0.0.2? The
    idea would be to make a VPN connection to say 192.168.20.250 that would
    then in the router get forwarded to 10.0.0.2. Result would be there
    would be no entry in the routing table on workstation directing 10.0.0.2
    to the 192.168.20.1. All 10.0.0.X traffic would be routed through the
    VPN tunnel to 192.168.20.250 - we should then have access to 10.0.0.2
    through the VPN tunnel.

    Seems like both of these options should fix our problem. Any help in
    implementing them or do I just need to give up? The CISCO tech says the
    problem is in our SBS 2003 VPN configuration - however, it is working
    perfectly except for this Wireless to VPN connection.

    Thanks, Paul Smedshammer
     
    Paul Smedshammer, Dec 20, 2006
    #1

  2. Chad Mahoney (Guest), replying to Paul Smedshammer:

    Paul Smedshammer wrote:
    > Solutions?
    >
    > 1. Can we force the 192.168.20.X network to hit the outside WAN
    > interface for VPN to 10.0.0.2? Currently, outside on the internet we
    > make the VPN connection address to the public WAN interface that gets
    > forwarded to 10.0.0.2 through the router - wirelessly on 192.168.20.X that
    > fails and we have to make the VPN connection to 10.0.0.2 directly. CISCO
    > tech support says I can't make this happen. I feel that if we could,
    > everything would work because the VPN link would then be to the WAN
    > address and the route to 10.0.0.2 would then go through the VPN tunnel like
    > it does when connecting from the Internet.
    >
    > 2. Can we make a fake address in the 871W to forward to 10.0.0.2? The
    > idea would be to make a VPN connection to say 192.168.20.250 that would
    > then in the router get forwarded to 10.0.0.2. Result would be there
    > would be no entry in the routing table on workstation directing 10.0.0.2
    > to the 192.168.20.1. All 10.0.0.X traffic would be routed through the
    > VPN tunnel to 192.168.20.250 - we should then have access to 10.0.0.2
    > through the VPN tunnel.
    >
    > Seems like both of these options should fix our problem. Any help in
    > implementing them or do I just need to give up? The CISCO tech says the
    > problem is in our SBS 2003 VPN configuration - however, it is working
    > perfectly except for this Wireless to VPN connection.
    >
    > Thanks, Paul Smedshammer


    How bout a looksie at the NAT and ACLs applied on the router? If you
    can connect from the internet via the VPN and gain access to all
    resources then the issue is most likely in the NAT/ACLs in the router.
    When you connect to the VPN what IP address are you getting from the
    server? Is it on the 10.0.0.X subnet?
     
    Chad Mahoney, Dec 20, 2006
    #2

  3. Chad Mahoney wrote:

    > Paul Smedshammer wrote:
    >> Solutions?
    >> - snip -



    I think these are the sections you are wanting to look at. When we make
    a wireless connection we get a 192.168.20.X from the DHCP on the 871W.
    Then we make a VPN connection to 10.0.0.2 and get another address from
    the DHCP on the SBServer that is in the 10.0.0.X network.

    We can not make a VPN connection using wireless connection to the WAN
    address of the 871 (FastEthernet4). It just times out - no response. If
    we could, I think this would solve our problem.

    I'd be glad to hand off any other sections of our config. We are
    stumped.

    Thanks,

    Paul


    ! PAT every inside host (list 1) behind the WAN address on FastEthernet4
    ip nat inside source list 1 interface FastEthernet4 overload
    ! Port-forward PPTP control channel (TCP/1723) from the WAN address to the SBS box
    ip nat inside source static tcp 10.0.0.2 1723 75.6.40.146 1723 extendable

    ! Wireless (192.168.20.0/24) -> wired LAN (10.0.0.0/24): allow only PPTP and GRE
    access-list 120 permit tcp 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 1723
    access-list 120 permit udp 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 1723
    access-list 120 permit gre 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
    ! everything else from wireless to the wired LAN is dropped
    access-list 120 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
    ! NOTE: "host 192.168.20.0" is wildcard 0.0.0.0 and matches only that single
    ! address, not the whole /24; the rest of the wireless subnet falls through
    ! to the implicit deny at the end of the list as written
    access-list 120 permit ip host 192.168.20.0 any
     
    Paul Smedshammer, Dec 20, 2006
    #3
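The mechanism Paul describes in #1 (the PPTP client's /32 host route to the VPN server pulls traffic for 10.0.0.2 out of the tunnel, where access-list 120 from #3 then drops it) can be reproduced offline. The following is an added example written for this page, not code from the thread, from Cisco or from Microsoft: it models the workstation's routing table with longest-prefix match and evaluates the posted ACL 120 with IOS first-match and wildcard-mask semantics, including the implicit deny. The client address 192.168.20.50, the route for 10.0.0.0/24 pointing at the PPP adapter, and the NAT address 192.168.20.250 from solution 2 are assumptions, not values taken from a real device.

```python
"""Model of the wireless-client routing problem discussed in this thread.

Added example, not code from the thread. Models (a) the PPTP client's routing
table once the tunnel is up and (b) access-list 120 exactly as posted in #3.
Assumed values: client 192.168.20.50, 10.0.0.0/24 routed to the PPP adapter,
192.168.20.250 as the hypothetical NAT address of solution 2.
"""
import ipaddress

CLIENT = "192.168.20.50"     # assumed wireless DHCP lease
GATEWAY = "192.168.20.1"     # 871W wireless interface
PPP = "ppp-vpn"              # PPTP adapter on the workstation


def workstation_routes(vpn_server, host_route=True):
    """Routes on the client once the tunnel is up.

    The PPTP client installs vpn_server/32 via the physical gateway so that
    its own TCP/1723 control channel and GRE packets stay out of the tunnel.
    """
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), GATEWAY),
        (ipaddress.ip_network("192.168.20.0/24"), "on-link"),
        (ipaddress.ip_network("10.0.0.0/24"), PPP),   # assumed: pushed by SBS RAS
    ]
    if host_route:
        routes.append((ipaddress.ip_network(f"{vpn_server}/32"), GATEWAY))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route wins."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


# access-list 120 as posted in #3:
# (proto, src, src-wildcard, dst, dst-wildcard, dst port, action)
# 'host 192.168.20.0' is wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255
ACL_120 = [
    ("tcp", "192.168.20.0", "0.0.0.255", "10.0.0.0", "0.0.0.255", 1723, "permit"),
    ("udp", "192.168.20.0", "0.0.0.255", "10.0.0.0", "0.0.0.255", 1723, "permit"),
    ("gre", "192.168.20.0", "0.0.0.255", "10.0.0.0", "0.0.0.255", None, "permit"),
    ("ip",  "192.168.20.0", "0.0.0.255", "10.0.0.0", "0.0.0.255", None, "deny"),
    ("ip",  "192.168.20.0", "0.0.0.0",   "0.0.0.0",  "255.255.255.255", None, "permit"),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_action(acl, proto, src, dst, dport=None):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for p, sb, sw, db, dw, port, action in acl:
        if p not in ("ip", proto):
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


def path(vpn_server, dst, proto="icmp", dport=None, host_route=True):
    """(next hop chosen by the client, ACL 120 verdict on the packet the
    router actually sees). Anything sent into the tunnel reaches the router
    as GRE from the client to the VPN server's address."""
    hop = lookup(workstation_routes(vpn_server, host_route), dst)
    if hop == PPP:
        return hop, acl_action(ACL_120, "gre", CLIENT, vpn_server)
    return hop, acl_action(ACL_120, proto, CLIENT, dst, dport)


if __name__ == "__main__":
    for server in ("10.0.0.2", "192.168.20.250"):
        print(f"VPN endpoint {server}:")
        print("  ping 10.0.0.3      ->", path(server, "10.0.0.3"))
        print("  ping 10.0.0.2      ->", path(server, "10.0.0.2"))
        print("  tcp/1723 to server ->", path(server, server, "tcp", 1723))
    print("without the host route, GRE to 10.0.0.2 would go via:",
          lookup(workstation_routes("10.0.0.2", host_route=False), "10.0.0.2"))
```

With the endpoint at 10.0.0.2 the model gives exactly the symptom reported: a ping to 10.0.0.3 goes into the tunnel and the outer GRE is permitted, while a ping to 10.0.0.2 follows the /32 to 192.168.20.1 and hits the `deny ip` entry; only TCP/1723 to 10.0.0.2 is let through on that path. Dropping the host route sends the tunnel's own GRE transport into the tunnel, which is why the VPN falls over when the entry is deleted. With the endpoint at the assumed NAT address 192.168.20.250, 10.0.0.2 is routed through the tunnel as hoped, but ACL 120 as posted then denies the GRE, because no entry permits traffic from the wireless subnet to that address and the last line's `host 192.168.20.0` covers only one address; solution 2 would need matching permit entries as well as the NAT mapping.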
