OT: RRAS doesn't R

Discussion in 'MCSE' started by Briscobar, Oct 13, 2006.

  1. Briscobar

    Briscobar Guest

    A technical question! Which is off-topic in this newsgroup! Let me give you
    a little background here:

    A remote user now needs access to our network. She needs to connect via VPN
    and have DNS work, basically. She needs to run a couple programs that
    require network connectivity, since they access SQL servers located here on
    our network. So here's what I did.

    Our office is only one subnet. 192.168.1.x. It runs fine and everyone's
    happy. The thing is, I want the VPN users to be logically separated from our
    network. So I threw a new NIC into the VPN-server-to-be and put that NIC on
    its own subnet (192.168.0.x).

    For reference, the VPN-server-to-be has 2 IP addresses: 192.168.1.254 (same
    subnet as the rest of our network)
    192.168.0.29 (this is for the VPN subnet)

    Then I installed RRAS. Yay! It installed! I gave the appropriate users
    permissions to dial in. I forwarded ports on the firewall. I connected to
    the VPN from my machine here at work, so I know that I can dial in. I
    connected to my machine from home, so I know the router is forwarding ports.
    The "RAS" part of RRAS is working fine. It's the first R that I'm having
    trouble with.

    When I dial in, I'm assigned an IP address on the 192.168.0.x subnet. Great.
    From the VPN client, I can ping the VPN server at 192.168.0.29. Yay!
    Connectivity! But that's as far as I can go. It's the routing between the
    192.168.0.x and 192.168.1.x subnets that has my panties in a twist.

    Maybe I'm an idiot and don't know how to use static routes. Maybe the darn
    thing just doesn't work. I don't know, and frankly I don't care, as long as
    I can get it to work. I've spent 2 days on this thing, and all my VPN
    clients can do is access the VPN server. They can't access other network
    resources, by IP or by name (obviously, since routing isn't getting done at
    all between the subnets).

    Again, here's my setup:

    Dataman (my VPN Server)
    NIC1:
    IP: 192.168.1.254
    SM: 255.255.255.0
    DG: 192.168.1.2
    DNS: 192.168.1.5

    NIC2:
    IP: 192.168.0.29
    SM: 255.255.255.0
    DG: (none)
    DNS: 192.168.1.5

    VPN Clients get an IP on the 192.168.0.x subnet.

    Here's the routing table from a "route print" done on Dataman, the VPN
    server:

    IPv4 Route Table
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    0x10003 ...00 60 67 30 ae cb ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
    0x10004 ...00 17 31 c3 d5 f4 ...... Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination  Netmask          Gateway        Interface      Metric
    0.0.0.0              0.0.0.0          192.168.1.2    192.168.1.254  10
    127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1      1
    192.168.0.0          255.255.255.0    192.168.0.29   192.168.0.29   20
    192.168.0.2          255.255.255.255  192.168.0.11   192.168.0.11   1
    192.168.0.11         255.255.255.255  127.0.0.1      127.0.0.1      50
    192.168.0.29         255.255.255.255  127.0.0.1      127.0.0.1      20
    192.168.0.255        255.255.255.255  192.168.0.29   192.168.0.29   20
    192.168.1.0          255.255.255.0    192.168.1.254  192.168.1.254  1
    192.168.1.254        255.255.255.255  127.0.0.1      127.0.0.1      1
    192.168.1.255        255.255.255.255  192.168.1.254  192.168.1.254  1
    224.0.0.0            240.0.0.0        192.168.0.29   192.168.0.29   20
    224.0.0.0            240.0.0.0        192.168.1.254  192.168.1.254  1
    255.255.255.255      255.255.255.255  192.168.0.29   192.168.0.29   1
    255.255.255.255      255.255.255.255  192.168.1.254  192.168.1.254  1
    Default Gateway: 192.168.1.2
    ===========================================================================
    Persistent Routes:
    None


    Anyone? Slightest hint as to how I can route between the two networks? I
    feel like a total doofus. I tried a "route add", but it didn't seem to work.
    I tried "route add 192.168.1.0 mask 255.255.255.0 192.168.0.29 metric 3 IF
    3" but that didn't work. What I expect that route print to do is add a route
    for all traffic to the 192.168.1.0 subnet from the 192.168.0.0 subnet, via
    the gateway 192.168.0.29 (which is the VPN server itself). But that's a no
    go. Am I wrong in trying that?

    I've googled, technetted, tried every combination I could think of. And
    nothing. This VPN sh1t is for the birds, I'll tell you that.

    Break it down for me like I'm an idiot, which I am. Thanks.

    Ken
     
    Briscobar, Oct 13, 2006
    #1
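
Added example, not part of the original post: route selection (longest prefix, then lowest metric) run over the default and subnet rows of the `route print` above, to show which route Dataman picks before and after the attempted `route add`, and where a LAN host's reply to a VPN client would go. `LAN_HOST_ROUTES`, the client address 192.168.0.50, the interface the added route binds to and the return route are assumptions; the thread does not give them.

```python
import ipaddress

# Default and subnet rows from the "route print" in the first post.
DATAMAN_ROUTES = """\
0.0.0.0 0.0.0.0 192.168.1.2 192.168.1.254 10
192.168.0.0 255.255.255.0 192.168.0.29 192.168.0.29 20
192.168.1.0 255.255.255.0 192.168.1.254 192.168.1.254 1
"""

# ASSUMPTION (not in the thread): a host on the office LAN, here the DNS server
# 192.168.1.5, has only its connected route and Dataman's NIC1 default gateway.
LAN_HOST_ROUTES = """\
0.0.0.0 0.0.0.0 192.168.1.2 192.168.1.5 10
192.168.1.0 255.255.255.0 192.168.1.5 192.168.1.5 1
"""

VPN_CLIENT = "192.168.0.50"  # constructed address in the VPN subnet


def parse_routes(text):
    """Turn 'dest mask gateway interface metric' lines into route dicts."""
    routes = []
    for line in text.splitlines():
        dest, mask, gateway, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append({"net": net, "gateway": gateway, "iface": iface, "metric": int(metric)})
    return routes


def lookup(routes, dst):
    """Pick the route for dst: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def next_hop(routes, dst):
    """Describe the chosen route as '<gateway or on-link> via <interface>'."""
    route = lookup(routes, dst)
    if route is None:
        return "unreachable"
    hop = "on-link" if route["gateway"] == route["iface"] else route["gateway"]
    return f"{hop} via {route['iface']}"


def analyse():
    """Next hops for the cases in the post, before and after each added route."""
    dataman, lan = parse_routes(DATAMAN_ROUTES), parse_routes(LAN_HOST_ROUTES)
    # The route add from the post; binding it to 192.168.0.29 is an assumption.
    tried = dataman + parse_routes("192.168.1.0 255.255.255.0 192.168.0.29 192.168.0.29 3")
    # Hypothetical return route for the VPN subnet via Dataman's LAN address.
    fixed = lan + parse_routes("192.168.0.0 255.255.255.0 192.168.1.254 192.168.1.5 1")
    return {
        "dataman_to_lan": next_hop(dataman, "192.168.1.5"),
        "dataman_to_lan_after_route_add": next_hop(tried, "192.168.1.5"),
        "lan_reply_to_client": next_hop(lan, VPN_CLIENT),
        "lan_reply_with_return_route": next_hop(fixed, VPN_CLIENT),
    }


if __name__ == "__main__":
    for case, hop in analyse().items():
        print(f"{case}: {hop}")
```

Dataman's connected route to 192.168.1.0/24 (metric 1) wins with or without the added metric 3 route. Under the stated assumption, replies to VPN clients leave via 192.168.1.2 until something on the LAN side knows that 192.168.0.0/24 sits behind 192.168.1.254.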

  2. Briscobar

    OT-MAN Guest

    Re: RRAS doesn't R

    RRAS: servername(local) - Properties -- IP --
    Enable IP routing
     
    OT-MAN, Oct 13, 2006
    #2

  3. Briscobar

    Briscobar Guest

    Re: RRAS doesn't R

    "OT-MAN" <OTM> wrote in message
    news:%...
    > RRAS: servername(local) - Properties -- IP --
    > Enable IP routing
    >
    >


    Yep, that's enabled. It's set as a router for LAN and Demand-dial. IP
    routing is also enabled.

    Thanks, but anything else?
     
    Briscobar, Oct 13, 2006
    #3
  4. Briscobar

    Briscobar Guest

    Re: RRAS doesn't R

    Forgot to mention - TrendMicro OfficeScan, which has been known to cause
    problems with RRAS, was installed on the VPN Server at one time, but was
    uninstalled before RRAS was installed.
     
    Briscobar, Oct 13, 2006
    #4
  5. Briscobar

    OT-MAN Guest

    Re: RRAS doesn't R

    > Yep, that's enabled. It's set as a router for LAN and Demand-dial. IP
    > routing is also enabled.
    >
    > Thanks, but anything else?


    What about
    --servername(local)
    ---IP Routing:
    ----General -- Interfacename(192.168.0.29)
    Properties -- Enable IP router manager
     
    OT-MAN, Oct 13, 2006
    #5
  6. Briscobar

    Briscobar Guest

    Re: RRAS doesn't R

    "OT-MAN" <OTM> wrote in message
    news:%...
    >> Yep, that's enabled. It's set as a router for LAN and Demand-dial. IP
    >> routing is also enabled.
    >>
    >> Thanks, but anything else?

    >
    > What about
    > --servername(local)
    > ---IP Routing:
    > ----General -- Interfacename(192.168.0.29)
    > Properties -- Enable IP router manager
    >


    Yeah, that's set too.
     
    Briscobar, Oct 13, 2006
    #6
  7. Briscobar

    OT-MAN Guest

    Re: RRAS doesn't R

    >> What about
    >> --servername(local)
    >> ---IP Routing:
    >> ----General -- Interfacename(192.168.0.29)
    >> Properties -- Enable IP router manager
    >>

    >
    > Yeah, that's set too.


    Try to dial in from the same office, from a client computer or a testing PC.
     
    OT-MAN, Oct 13, 2006
    #7
  8. Briscobar

    OT-MAN Guest

    Re: RRAS doesn't R

    I have configured VPN based on Windows and Cisco without any problem.
     
    OT-MAN, Oct 13, 2006
    #8
  9. Briscobar

    OT-MAN Guest

    Re: RRAS doesn't R

    Try this group:

    microsoft.public.isa.vpn
     
    OT-MAN, Oct 13, 2006
    #9
  10. Briscobar

    Briscobar Guest

    Re: RRAS doesn't R

    "OT-MAN" <OTM> wrote in message
    news:...
    >>> What about
    >>> --servername(local)
    >>> ---IP Routing:
    >>> ----General -- Interfacename(192.168.0.29)
    >>> Properties -- Enable IP router manager
    >>>

    >>
    >> Yeah, that's set too.

    >
    > Try to dial in from the same office, from a client computer or a testing PC.


    Yeah, I did that, as I mentioned in my original post. I can dial in alright.
    I'm authenticated, registered on the network, all that happy horsesh1t. But
    I CAN see the entire network from here because, well, I'm ON that network.
    This is not a good test of whether the VPN is working. It's only a test as
    to whether RAS is working, not Routing. The routing from a client PC in the
    office is done the way routing would be done if it weren't connected to the
    VPN. Basically, what happens when you dial in from the same subnet is you
    just get another IP address on a different subnet. Thus, I can see both
    subnets.

    Dialing in from off-site allows me to only see the 192.168.0.x subnet. The
    problem is, there's nothing really there except VPN clients. I need them to
    be able to see the 192.168.1.x subnet, which is where all our servers,
    printers, etc live.
     
    Briscobar, Oct 13, 2006
    #10
  11. Briscobar

    Briscobar Guest

    Re: RRAS doesn't R

    "OT-MAN" <OTM> wrote in message
    news:...
    >I have configured VPN based on Windows and Cisco without any problem.
    >


    Awesome. Too bad I'm the one setting it up, then.
     
    Briscobar, Oct 13, 2006
    #11
  12. Briscobar

    kpg Guest

    I searched google with:

    "routing between two nics on different subnets"

    and got a variety of interesting items, plus some
    newsgroup discussions.

    Didn't see anything that seemed like "the answer" but
    it may point you in a direction.


    kp "glad I'm only a programmer" g
     
    kpg, Oct 13, 2006
    #12
  13. Briscobar

    CBIC Guest

    Re: RRAS doesn't R

    "Briscobar" <> wrote in message
    news:...
    >
    > "OT-MAN" <OTM> wrote in message
    > news:...
    >>I have configured VPN based on Windows and Cisco without any problem.
    >>

    >
    > Awesome. Too bad I'm the one setting it up, then.
    >

    Dude, I'd love to help you but right now I'm setting up a VPN tunnel between
    here and India. It's up for 2 minutes then down for 30 seconds. Repeat til
    I'm insane. I'm sure you'll figure it out just like I'll figure this out.
    After all, we are MCNGP.
     
    CBIC, Oct 13, 2006
    #13
  14. Briscobar

    OT-MAN Guest

    Re: RRAS doesn't R

    "Briscobar" <> wrote in message
    news:...
    >
    > "OT-MAN" <OTM> wrote in message
    > news:...
    >>>> What about
    >>>> --servername(local)
    >>>> ---IP Routing:
    >>>> ----General -- Interfacename(192.168.0.29)
    >>>> Properties -- Enable IP router manager
    >>>>
    >>>
    >>> Yeah, that's set too.

    >>
    >> Try to dial in from the same office, from a client computer or a testing PC.

    >
    > Yeah, I did that, as I mentioned in my original post. I can dial in
    > alright. I'm authenticated, registered on the network, all that happy
    > horsesh1t. But I CAN see the entire network from here because, well, I'm
    > ON that network. This is not a good test of whether the VPN is working.
    > It's only a test as to whether RAS is working, not Routing. The routing
    > from a client PC in the office is done the way routing would be done if it
    > weren't connected to the VPN. Basically, what happens when you dial in
    > from the same subnet is you just get another IP address on a different
    > subnet. Thus, I can see both subnets.
    >
    > Dialing in from off-site allows me to only see the 192.168.0.x subnet. The
    > problem is, there's nothing really there except VPN clients. I need them
    > to be able to see the 192.168.1.x subnet, which is where all our servers,
    > printers, etc live.


    I had the same problem in 2004; I don't remember what I did.
    Or maybe there are some reg keys that need to be edited, because you were
    using TrendMicro OfficeScan.
     
    OT-MAN, Oct 13, 2006
    #14
  15. Briscobar

    kpg Guest

    Re: RRAS doesn't R

    > Or maybe there are some reg keys that need to be edited, because you were
    > using TrendMicro OfficeScan.


    Well Ken...do you know what about TrendMicro breaks it? Reg keys
    are often left behind after an uninstall, and there is a reg key
    for just about every MS functionality (so it seems).
     
    kpg, Oct 13, 2006
    #15
  16. Briscobar

    lowdes Guest

    Re: RRAS doesn't R

    Any MCZEE would be able to do this without any issues, sorry Ken your MCNGP
    brain dump doesn't help huh?

    "Briscobar" <> wrote in message
    news:%...
    >A technical question! Which is off-topic in this newsgroup! Let me give you
    >a little background here:
    >
    > A remote user now needs access to our network. She needs to connect via
    > VPN and have DNS work, basically. She needs to run a couple programs that
    > require network connectivity, since they access SQL servers located here
    > on our network. So here's what I did.
    >
    > Our office is only one subnet. 192.168.1.x. It runs fine and everyone's
    > happy. The thing is, I want the VPN users to be logically separated from
    > our network. So I threw a new NIC into the VPN-server-to-be and put that
    > NIC on its own subnet (192.168.0.x).
    >
    > For reference, the VPN-server-to-be has 2 IP addresses: 192.168.1.254
    > (same subnet as the rest of our network)
    > 192.168.0.29 (this is for the VPN subnet)
    >
    > Then I installed RRAS. Yay! It installed! I gave the appropriate users
    > permissions to dial in. I forwarded ports on the firewall. I connected to
    > the VPN from my machine here at work, so I know that I can dial in. I
    > connected to my machine from home, so I know the router is forwarding
    > ports. The "RAS" part of RRAS is working fine. It's the first R that I'm
    > having trouble with.
    >
    > When I dial in, I'm assigned an IP address on the 192.168.0.x subnet.
    > Great. From the VPN client, I can ping the VPN server at 192.168.0.29.
    > Yay! Connectivity! But that's as far as I can go. It's the routing between
    > the 192.168.0.x and 192.168.1.x subnets that has my panties in a twist.
    >
    > Maybe I'm an idiot and don't know how to use static routes. Maybe the darn
    > thing just doesn't work. I don't know, and frankly I don't care, as long
    > as I can get it to work. I've spent 2 days on this thing, and all my VPN
    > clients can do is access the VPN server. They can't access other network
    > resources, by IP or by name (obviously, since routing isn't getting done
    > at all between the subnets).
    >
    > Again, here's my setup:
    >
    > Dataman (my VPN Server)
    > NIC1:
    > IP: 192.168.1.254
    > SM: 255.255.255.0
    > DG: 192.168.1.2
    > DNS: 192.168.1.5
    >
    > NIC2:
    > IP: 192.168.0.29
    > SM: 255.255.255.0
    > DG: (none)
    > DNS: 192.168.1.5
    >
    > VPN Clients get an IP on the 192.168.0.x subnet.
    >
    > Here's the routing table from a "route print" done on Dataman, the VPN
    > server:
    >
    > IPv4 Route Table
    > ===========================================================================
    > Interface List
    > 0x1 ........................... MS TCP Loopback interface
    > 0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    > 0x10003 ...00 60 67 30 ae cb ...... Intel 21140-Based PCI Fast Ethernet
    > Adapter
    > (Generic)
    > 0x10004 ...00 17 31 c3 d5 f4 ...... Marvell Yukon 88E8053 PCI-E Gigabit
    > Ethernet
    > Controller
    > ===========================================================================
    > ===========================================================================
    > Active Routes:
    > Network Destination Netmask Gateway Interface
    > Metric
    > 0.0.0.0 0.0.0.0 192.168.1.2 192.168.1.254 10
    > 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    > 192.168.0.0 255.255.255.0 192.168.0.29 192.168.0.29 20
    > 192.168.0.2 255.255.255.255 192.168.0.11 192.168.0.11 1
    > 192.168.0.11 255.255.255.255 127.0.0.1 127.0.0.1 50
    > 192.168.0.29 255.255.255.255 127.0.0.1 127.0.0.1 20
    > 192.168.0.255 255.255.255.255 192.168.0.29 192.168.0.29 20
    > 192.168.1.0 255.255.255.0 192.168.1.254 192.168.1.254 1
    > 192.168.1.254 255.255.255.255 127.0.0.1 127.0.0.1 1
    > 192.168.1.255 255.255.255.255 192.168.1.254 192.168.1.254 1
    > 224.0.0.0 240.0.0.0 192.168.0.29 192.168.0.29 20
    > 224.0.0.0 240.0.0.0 192.168.1.254 192.168.1.254 1
    > 255.255.255.255 255.255.255.255 192.168.0.29 192.168.0.29 1
    > 255.255.255.255 255.255.255.255 192.168.1.254 192.168.1.254 1
    > Default Gateway: 192.168.1.2
    > ===========================================================================
    > Persistent Routes:
    > None
    >
    >
    > Anyone? Slightest hint as to how I can route between the two networks? I
    > feel like a total doofus. I tried a "route add", but it didn't seem to
    > work. I tried "route add 192.168.1.0 mask 255.255.255.0 192.168.0.29
    > metric 3 IF 3" but that didn't work. What I expect that route print to do
    > is add a route for all traffic to the 192.168.1.0 subnet from the
    > 192.168.0.0 subnet, via the gateway 192.168.0.29 (which is the VPN server
    > itself). But that's a no go. Am I wrong in trying that?
    >
    > I've googled, technetted, tried every combination I could think of. And
    > nothing. This VPN sh1t is for the birds, I'll tell you that.
    >
    > Break it down for me like I'm an idiot, which I am. Thanks.
    >
    > Ken
    >
     
    lowdes, Oct 13, 2006
    #16
  17. Briscobar

    lowdes Guest

    Re: RRAS doesn't R

    MCNGP is not equal to MCSE as we can tell in this post from 2 MCNGP who
    don't have their MCSE. . .

    "CBIC" <> wrote in message
    news:%...
    >
    > "Briscobar" <> wrote in message
    > news:...
    >>
    >> "OT-MAN" <OTM> wrote in message
    >> news:...
    >>>I have configured VPN based on Windows and Cisco without any problem.
    >>>

    >>
    >> Awesome. Too bad I'm the one setting it up, then.
    >>

    > Dude, I'd love to help you but right now I'm setting up a VPN tunnel
    > between here and India. It's up for 2 minutes then down for 30 seconds.
    > Repeat til I'm insane. I'm sure you'll figure it out just like I'll figure
    > this out. After all, we are MCNGP.
    >
     
    lowdes, Oct 13, 2006
    #17
  18. Briscobar

    CBIC Guest

    Re: RRAS doesn't R

    "lowdes" <> wrote in message
    news:JLOXg.16472$-kc.rr.com...
    > MCNGP is not equal to MCSE as we can tell in this post from 2 MCNGP who
    > don't have their MCSE. . .


    Whatever you say lowbrow. Mine is up and running. Downstream router was
    having fits. Gotta love tracert.
     
    CBIC, Oct 13, 2006
    #18
  19. Briscobar

    Briscobar Guest

    Re: RRAS doesn't R

    OK, breakthrough. After messing around with gateways and whatnot, I'm able
    to dial in, get an IP on the 192.168.0.x subnet, and ping the VPN server at
    192.168.0.29. What's new is that I can now ping 192.168.1.254, which is the
    IP address of the same server's other NIC.

    Of course, to do this, I had to use the default gateway of the remote
    network, which I really wanted to avoid so that my users could keep their
    internet connection alive while they VPN'ed in, but that's a minor detail
    that I'll work out later.

    Now, as for moving beyond Dataman (the VPN server)....it's like the server
    is set to not allow clients to access the entire network. I've been through
    the whole thing (or so I think, but I'm obviously missing something), and
    can't find any setting that might do this.

    Anyone care to list for me where I'd go about changing this?

    Thanks everyone, especially OT-MAN. Never thought I'd say that. Wow!

    Ken
     
    Briscobar, Oct 13, 2006
    #19
  20. Briscobar

    kpg Guest

    Re: RRAS doesn't R

    As CBIC once said in microsoft.public.cert.exam.mcse

    > Whatever you say lowbrow. Mine is up and running. Downstream router
    > was having fits. Gotta love tracert.


    Was that the router in India?


    just saying
     
    kpg, Oct 13, 2006
    #20