I'm setting up a test lab and here is the current configuration:

  • 192.168.86.201 - a Windows 2003 machine acting as PDC with AD/DNS/DHCP/WINS.
  • 192.168.86.62 - a Windows 2003 machine that is the RRAS server with IAS, also a file/print server.
  • 192.168.86.6 - gateway/router to the internet
  • 192.168.86.21 - Windows XP workstation

Everything works on the internal network, File/Print/AD etc. Whenever a user connects via vpn to the RRAS server remotely using their domain credentials, they are assigned an ip address from the 192.168.86.201 machine along with the wins server address etc.

The vpn user can then ping/access resources on the RRAS server, but cannot ping/access resources of any other machines by name or ip. However, if I ping by name, it does resolve to the correct ip address, just no replies.

I did notice that on the RRAS server the 'internal' interface gets an ip address of 192.168.86.75 when a remote user connects, and the remote user is assigned, for example, 192.168.86.71. The RRAS server responds on both the .62 and .75 ip addresses.

The client also unchecks the 'use remote default gateway option'.

Also, I tried connecting a laptop to the physical network, joining the domain, then going remote and dialing the connection before domain login, and everything seems to work, e.g. browse-able shares via network neighborhood. But I can't really join the domain remotely if I cannot access any other resources.

I really need to monitor traffic to see what's happening to those packets but won't be able to until this weekend. Any help is appreciated; I will provide whatever configurations are needed.

nopsax

2 Answers

You need to configure the RRAS server for LAN routing. The VPN connection between the server and the client is a separate network from the internal LAN.

joeqwerty
  • Thank you thank you. I'll read up on it and add it during downtime. Does it matter that the rras server is using only 1 nic or that the vpn client is getting an ip address from the internal LAN dhcp server. Should I be using a static address pool in a different subnet instead? – nopsax Feb 03 '11 at 17:38
  • It shouldn't matter that the server has only 1 NIC. Even though the VPN server assigns ip addresses to the VPN clients from the internal DHCP server I believe the VPN server considers the VPN connection to be a different network. Any time I've configured RRAS (the same way you have) I've had to enable LAN routing to access internal resources. – joeqwerty Feb 03 '11 at 21:58
  • Also, see here for the same question that came in after yours: http://serverfault.com/questions/231348/server-2003-vpn-can-only-see-server/231440#231440 – joeqwerty Feb 06 '11 at 19:17
  • Thanks joeqwerty, you've made a lot of sense out of what I was having trouble visualizing. I'll give it a go on the weekend hours during maintenance. – nopsax Feb 08 '11 at 12:49
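An added triage script, not part of the question or either answer, that encodes the reasoning above: run from a connected VPN client, it checks whether names resolve, whether the RRAS internal address answers, and whether a host behind RRAS answers, then names the likely cause. The addresses are the lab addresses from the question; the hostname `pdc` is an assumed placeholder.

```python
import socket
import subprocess
import sys

# Lab addresses taken from the question (constructed probe targets for this example).
RRAS_INTERNAL = "192.168.86.75"   # RRAS 'internal' interface that appears when a client connects
LAN_HOST = "192.168.86.201"       # PDC behind RRAS; only reachable if RRAS forwards VPN traffic
NAME_TO_RESOLVE = "pdc"           # assumed placeholder hostname; replace with a real internal name


def ping_ok(host: str, timeout_s: int = 2) -> bool:
    """Return True if a single ICMP echo to host gets a reply (Windows or POSIX ping)."""
    on_windows = sys.platform.startswith("win")
    count_flag, wait_flag = ("-n", "-w") if on_windows else ("-c", "-W")
    wait_val = str(timeout_s * 1000) if on_windows else str(timeout_s)
    result = subprocess.run(["ping", count_flag, "1", wait_flag, wait_val, host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def resolves(name: str) -> bool:
    """Return True if the VPN-assigned DNS/WINS settings resolve the name at all."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def classify(dns_ok: bool, rras_ok: bool, lan_ok: bool) -> str:
    """Map the three probe outcomes to the most likely cause, per the accepted answer."""
    if not rras_ok:
        return "VPN tunnel not established: RRAS internal address unreachable"
    if lan_ok:
        return "routing works: LAN host reachable through RRAS"
    if dns_ok:
        # The question's exact symptom: names resolve, RRAS answers, nothing behind it does.
        return "RRAS reached but LAN not forwarded; DNS resolves, so enable LAN routing on RRAS"
    return "RRAS reached but neither DNS nor LAN hosts answer: check LAN routing and DNS assignment"


def diagnose() -> str:
    """Run the three live probes and return the diagnosis string."""
    return classify(resolves(NAME_TO_RESOLVE), ping_ok(RRAS_INTERNAL), ping_ok(LAN_HOST))


if __name__ == "__main__":
    print(diagnose())
```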
There's a check box that you need to activate in order to enable routing to the rest of the network from the RRAS network provided by the server. I don't have a server handy to validate the exact location; it is somewhere in the advanced properties of the configured VPN connection. No downtime is required for this change.

Vick Vega