ScoobyNet.com - Subaru Enthusiast Forum


Puff The Magic Wagon! 30 January 2005 05:44 PM

Static Routes Etc
 
This is beginning to severely hack me off :mad:

I have 3 PCs & a W2K server at home

Server runs:

DHCP
DNS
WINS
RAS

All computers are connected to the server by NIC1

NIC2 on the server is connected to my internet router


If I try & VPN to my office from either a PC or a server, it connects but can't access resources etc. I am unable to ping the servers in the office although connected :rolleyes:

Wife has Symantec IPSEC VPN on her PC & that can connect & likewise not access any resources

IF I connect my PCs direct to the internet router, all is hunky dory :rolleyes:

Obviously I want everything going via the server...

I'm sure it's a case of entering a static route/dns sh1t but buggered if I can work it out :(

Any help? Route Add or smmat?

:(

Dood 30 January 2005 06:33 PM

Have you tried traceroutes and pings to see how far you are getting ?

How are you routing the PC traffic to the Internet ... default gateway etc ??

Puff The Magic Wagon! 30 January 2005 06:44 PM


Originally Posted by Dood
Have you tried traceroutes and pings to see how far you are getting ?

How are you routing the PC traffic to the Internet ... default gateway etc ??


Traceroutes get as far as the server

Default gateway is the IP of NIC1 for the clients
Likewise for NIC1 (??)

NIC2 it's the internet router

NotoriousREV 30 January 2005 07:55 PM

Have you turned on packet forwarding for both NICs in the server?

Puff The Magic Wagon! 30 January 2005 08:17 PM

ip routing is enabled

Jeff Wiltshire 30 January 2005 09:55 PM

In this situation you can only have 1 default gateway on the server (internet router on NIC2). Remove the default gateway entry for NIC1 and it will burst into life.....

Dood 30 January 2005 10:14 PM

Agree with Jeff ...

NIC1 doesn't actually need a default gateway as it will forward packets of unknown destination to NIC2 and see the PCs using ARP. However the PCs will need a default gateway entry of NIC1.

I have a similar setup to yours but use a single NIC on the Server and plug all of the hosts into a Netgear Integrated ADSL Modem/Router/Firewall/Wi-Fi ....

If Jeff's suggestion doesn't get you going, post up a print out of your routing tables using the "route print" command in DOS mode.
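As an added example, not part of the thread: a small Python check over `route print` output that flags the two-default-gateway condition described above and shows which gateway a destination would use. The routing table and all addresses are constructed (NIC1 = 192.168.1.1, NIC2 = 192.168.0.2, internet router = 192.168.0.1), and the `parse_routes`, `next_hop` and `audit` names are hypothetical.

```python
import ipaddress

# Constructed "Active Routes" section for a dual-homed server. Addresses are
# made up; the second 0.0.0.0 row assumes NIC1 was given its own IP as gateway.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.2       1
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.1       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.2     192.168.0.2       1
      192.168.1.0    255.255.255.0      192.168.1.1     192.168.1.1       1
Default Gateway:       192.168.0.1
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each route row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # headings, separators, "Default Gateway:" line
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            gw, iface = (ipaddress.ip_address(f) for f in fields[2:4])
            routes.append((net, gw, iface, int(fields[4])))
        except ValueError:
            continue  # five words, but not a route row
    return routes

def next_hop(routes, dest):
    """Longest prefix wins, then lowest metric; None when nothing matches."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if dest in r[0]]
    best = min(hits, key=lambda r: (-r[0].prefixlen, r[3]), default=None)
    return best[1] if best else None

def audit(routes):
    """List the default-route problems discussed in the thread."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    findings = []
    if len(defaults) > 1:
        gws = ", ".join(str(r[1]) for r in defaults)
        findings.append(f"multiple default gateways: {gws}")
    for _, gw, iface, _ in defaults:
        if gw == iface:
            findings.append(f"default route on {iface} points at the NIC itself")
    return findings
```

On the constructed table `audit` reports both problems; once the NIC1 default route is removed it reports none and off-network traffic resolves to the internet router.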

Puff The Magic Wagon! 30 January 2005 11:10 PM

Hmm

Interesting

I wouldn't quite say that things burst into life but things have moved forward!!

Jeff Wiltshire 31 January 2005 05:02 AM

So what's happening now ?

Puff The Magic Wagon! 31 January 2005 01:34 PM

Well...

From a client, I can VPN the office & (the really important bit) use our SQL client to connect to the office SQL server so as I can access our booking program :D

But

I cannot ping the 2 servers in the office by IP addy & netbios is not working for browsing & I can't locate/connect to the Exchange server as a client

&

IF

I do this from my server (VPN etc) it completely knackers ALL internet access for both clients and servers (ie no access) & it requires a re-boot to clear...

ozzy 31 January 2005 03:49 PM

Remember, when you ping a host it has to send the packet (reply) back. So not only does your routing have to be setup correctly, but the route back to your network has to be configured on your office LAN too.

DNS would need to be configured for your office servers in order to resolve internet names i.e. ping exchange.myworkdomain.com

WINS would need to be configured for you to resolve Netbios names e.g. ping exchange

OR you could use static Ip mappings from a hosts file.

Can you ping your office network (lots of different servers) and internet servers using just the IP addresses? Use Tracert to see where the packets are being directed.

Stefan

Dood 31 January 2005 11:12 PM

The plot thickens .... you have PM

dsmith 01 February 2005 08:49 AM

Is it your server or your inet router that is Natting your setup ?

Jeff Wiltshire 01 February 2005 08:52 AM

Firstly the problems you describe are pretty much what I would expect...

You're using your Win2K machine as a router which doesn't have any NAT facility. The office network doesn't (probably) know how to get to your new network as it isn't in its (the office server's) route table. The name resolution issue is probably down to the wrong WINS/DNS information on your clients.

When you use the VPN software on the server it will (probably!) stop any access from any other source for security reasons...

The easy solution is to put a broadband router on your network (assuming you have broadband !) and connect all your devices into that rather than into the Win2k machine. If memory serves you have a SonicWALL device at your main office...if that's the case buying a TZ150 for your home network (£230) will do away with the requirement to use VPN clients.....

ChrisB 01 February 2005 12:21 PM

Well said Jeff :D

Puff, I told you to stop buggering about with dual-homing the W2K server ages ago :p

David_Wallis 01 February 2005 01:37 PM

Deffo the VPN Client will kill the other network connections, the nortel contivity one definitely does.

Also, is your firewall allowing ICMP for the Ping to return?

Use a virtual machine to run your VPN client, or accept that you will have no access to networks other than the VPN allows whilst using the VPN client.

If you do a route add whilst using our VPN client.. it disconnects you.

So if I want to surf whilst using VPN I configure my IE to go via works firewall.

Another thing worth checking if you cant access resources is that the VPN client is configuring the WINS and DNS settings.

If you really need to do it, use VMWARE / MS Virtual PC and run the VPN client within that..

David

Puff The Magic Wagon! 01 February 2005 10:37 PM

Thanks for all the help guys

I have access to 1 network via VPN that I can authenticate to, browse, attach to the exchange server, ping any other machine on the network or ping any other machine over their extended network & browse/access all my local resources...

From the same machine @ home, I can just VPN & use the sql client & not browse the internet when I'm connected... to the office one (that's with the use remote gateway option either checked or unchecked) & then it hangs the local machine on disconnect




I do have Broadband ( :D & at long bloody last :D ) & my router is connected to a SoHo3 Firewall which I purchased from eBay but no VPN clients. I also have the luxury of a block of real IP addys. I want to run Exchange, IIS & ISA on either W2K or WS2003. I want to be able to remotely access my server & w/stations for files, admin & OWA. I want to remotely access my office & wifey needs to remotely access hers via IPSEC VPN client.

How would you set this up to be simple, secure & effective?

Jeff Wiltshire 02 February 2005 07:08 AM

Sell the Soho3 on ebay (it's no good to you without the site to site VPN). Buy a TZ150 and set up a site to site VPN with your office.

Create a flat network (no dual homed servers) behind the firewall. Set up your Exchange & IIS boxes with one to one NAT rules restricted to specific ports. Buy a 1 concurrent Global VPN client for the TZ150 so you can use the GVC from anywhere other than your work office to access your system.

Puff The Magic Wagon! 02 February 2005 11:49 AM

How much the concurrent licence?

We've a TZ170 lurking around the office being unused atm...

Jeff Wiltshire 02 February 2005 01:41 PM

The vastly inflated sum of £34.29 +VAT for a 1 concurrent user license. Check on the TZ170 that you haven't already got a GVC license.....

