RRAS Question

I've set up RRAS on my network. I can connect fine from inside on two different domains. But when I try from out on the internet I can not contact the server.

I have opened port 1723 on my router. I have IPSEC, L2TP, and PPTP passthrough enabled. I am not blocking WAN requests.

I installed IIS just to make sure I can actually get to the server, and that works fine.

Any ideas?

Find more posts tagged with

Comments

royal

You need to open the following for RRAS depending on what you want to acheive:

GRE (IP protocol 47)
IPsec AH (IP protocol 51)
IPsec ESP (IP protocol 50)
L2TP - UDP 1701
PPTP - TCP 1723

Make sure you allow for Remote Access on the server properties. Also, if you want to allow internet clients to reach internal machines beyond the RRAS server, make sure you also enable routing on the server properties. Make sure your Inbound and Outbound packet filters are not blocking access. Make sure you have L2TP/PPTP ports available. Also, make sure a user in AD is granted access to dial-up connections (grants access for VPN). If you are in 2k native mode or above and you are using Remote Access Policies, make sure you create a remote access policy that allows them to connect. The 2 default policies will prevent access.

Dionysus

I done everything you suggested... still can't hit the server.

royal

Your internet facing NIC, make sure the firewall is not blocking any connections. I am thinking this might be the cause because internal clients connect fine which might mean the internal nic firewall is functioning fine, but the firewall enabled on the internet facing nic is malfunctioning/blocking.

Dionysus

the firewall has been turned off.

I only have one nic in the pc... now that you mention it... that's probably the problem....

I know, I'm a dumbass... lol

royal

Dionysus wrote:

I know, I'm a dumbass... lol

Definitely not. When I told you to check all that stuff in my first reply, you replied saying you did all that which is definitely great. Most people would most likely have forgotten to do one of those steps. You seem to be doing pretty good so keep up the good work and you'll pass your exam 1st try no problem. Also, you got it working internally which means you got VPN working. So congrats on that.

Good luck with 291, and feel free to ask any more questions.

Also, as a side note, it should still be working. You don't necessarily need 2 nics. An internet facing nic would just mean that your server is directly exposed to the internet. Port forwarding would allow this to work since it'll just forward the traffic to your internal nic. Your server should still see this. I'm thinking it is your firewall or your ISP is blocking those ports (home connection?). Your home router has NAT which should allow internal clients to tunnel vpn traffic to internet hosts since you said it has support enabled for vpn tunneling. I'm thinking it might be your ISP blocking VPN traffic.

Dionysus

Thanks for the kind words!

However, if I think I'm doing good I end up slacking off... So I have to convince myself that what ever I do, it's not good enough. It's just how I work. Therefor... I'm a dumbass...

It's not all bad though. When I pass an exam, the first thing I say is "Damn I'm good!"

lol

I'm wierd and I love it!

dobee doobe dowaa...

Dionysus

icroyal wrote:

Also, as a side note, it should still be working. You don't necessarily need 2 nics. An internet facing nic would just mean that your server is directly exposed to the internet. Port forwarding would allow this to work since it'll just forward the traffic to your internal nic. Your server should still see this. I'm thinking it is your firewall or your ISP is blocking those ports (home connection?). Your home router has NAT which should allow internal clients to tunnel vpn traffic to internet hosts since you said it has support enabled for vpn tunneling. I'm thinking it might be your ISP blocking VPN traffic.

I got comcast.... So it's very possible.

Also, I was remoted into a 2k3 server at a hospital via citrix trying to vpn back to my network (at home). There's ALOT of things going on trying to do it that way...

I'll talk to one of our network admins to see if he has any ideas.