How do I forward all traffic coming through an IP to Windows VPN to another IP?

SrSysAdmin Member Posts: 259
Here is my situation.


Clients connect to a public IP which is redirected to an IP on my Windows VPN server. All the users coming in through that IP then I would like to be immediately forwarded to an IP on one of our internal firewalls.


I have a 2nd IP on the VPN server for other clients which don't need to be forwarded.


How do I go about forwarding the users connecting to the first IP to our internal firewall IP?




I asked on another forum but they weren't able to help. Do any of you guys have any idea?


Thanks in advance.
Current Certifications:

* B.S. in Business Management
* Sec+ 2008
* MCSA

Currently Studying for:
* 70-293 Maintaining a Server 2003 Network

Future Plans:

* 70-294 Planning a Server 2003 AD
* 70-297 Designing a Server 2003 AD
* 70-647 Server 2008
* 70-649 MCSE to MCITP:EA

Comments

  • SrSysAdmin Member Posts: 259
    After doing sufficient research, I think the simple answer is that this isn't possible.

    I need a 2nd VPN server to route traffic through to route them to a different subnet.
  • garv221 Member Posts: 1,914
    Are you talking about Hub and Spoke? I don't follow.
  • networker050184 Mod Posts: 11,962
    Maybe some diagrams or something will help. I'm not really sure what you are trying to do.
    An expert is a man who has made all the mistakes which can be made.
  • SrSysAdmin Member Posts: 259
    networker050184 wrote: »
    Maybe some diagrams or something will help. I'm not really sure what you are trying to do.

    I think I need two separate VPN servers for what I want to do (I'm using RRAS), but this may help give you an idea of what I'm attempting to do:


    User A connects to public IP 1.2.3.4
    \/
    Firewall redirects 1.2.3.4 to internal IP 10.10.1.1 which is an IP setup on the Windows Server 2003 box running VPN
    \/
    The 10.10.1.1 VPN server assigns an IP of 10.10.2.x


    User B connects to public IP 4.3.2.1
    \/
    Firewall redirects 4.3.2.1 to internal IP 10.10.1.2 which is a 2nd IP setup on the same Server 2003 box running VPN
    \/
    The 10.10.1.2 VPN server assigns an IP of 10.10.3.x
  • garv221 Member Posts: 1,914
    SrSysAdmin wrote: »
    I think I need two separate VPN servers for what I want to do (I'm using RRAS), but this may help give you an idea of what I'm attempting to do:


    User A connects to public IP 1.2.3.4
    \/
    Firewall redirects 1.2.3.4 to internal IP 10.10.1.1 which is an IP setup on the Windows Server 2003 box running VPN
    \/
    The 10.10.1.1 VPN server assigns an IP of 10.10.2.x


    User B connects to public IP 4.3.2.1
    \/
    Firewall redirects 4.3.2.1 to internal IP 10.10.1.2 which is a 2nd IP setup on the same Server 2003 box running VPN
    \/
    The 10.10.1.2 VPN server assigns an IP of 10.10.3.x

    This is what you want to do? Why do clients need to be forwarded? I'm sorry but still I don't understand.
  • SrSysAdmin Member Posts: 259
    garv221 wrote: »
    This is what you want to do? Why do clients need to be forwarded? I'm sorry but still I don't understand.


    Because the users in the 2nd group are vendors that need VPN access to some of our systems that we've placed in an internal DMZ of sorts (they connect to our external firewall > VPN server > internal firewall > internal DMZ).

    However, the users in the first group are employees of the company who need to be able to connect to all of the company network.

    We're trying to setup what I've explained, but I don't think it can be done with a single RRAS server.
  • phoeneous Member Posts: 2,333
    SrSysAdmin wrote: »
    Because the users in the 2nd group are vendors that need VPN access to some of our systems that we've placed in an internal DMZ of sorts (they connect to our external firewall > VPN server > internal firewall > internal DMZ).

    However, the users in the first group are employees of the company who need to be able to connect to all of the company network.

    We're trying to setup what I've explained, but I don't think it can be done with a single RRAS server.

    For the record, I hate RRAS.

    How many interfaces does the RRAS box have? And what are each of the internal interfaces connected to?
  • SrSysAdmin Member Posts: 259
    phoeneous wrote: »
    For the record, I hate RRAS.

    How many interfaces does the RRAS box have? And what are each of the internal interfaces connected to?


    RRAS is what we use in our office in Europe and I have to conform...not much say in the matter really unless I was to push against the grain (and after only a month here, I don't).

    There are 4 NICs on the box setup in two teams of two.

    The first NIC team is used as a direct connection to our blade server running ESX.


    The second NIC team has 3 IPs bound to it. The first IP is used for people to connect to a file share. The second is the first IP I set up for the VPN which I want end users to connect through. And the 3rd is the other VPN interface I want the vendors to connect through.


    I'm pretty sure this isn't possible from what I've read elsewhere, but if you could prove me wrong I would be thoroughly impressed and wholly indebted.
  • undomiel Member Posts: 2,818
    The method that jumps to my mind is to use packet filters on the RRAS to control which VPN profile is allowed to route to which network.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
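    The per-profile filter idea above, modelled as an added example (this is not code from the thread, from RRAS, or from any poster). It takes the address pools from SrSysAdmin's diagram (employees in 10.10.2.x, vendors in 10.10.3.x) and assumes placeholder destination networks for "the whole company" (10.0.0.0/8) and the internal DMZ (10.10.50.0/24); the filter semantics are default-deny, which is the RRAS "drop all packets except those that meet the criteria" mode.

```python
from ipaddress import ip_address, ip_network

# Pools from the thread's diagram: employees land in 10.10.2.x, vendors in 10.10.3.x.
PROFILE_POOLS = {
    "employees": ip_network("10.10.2.0/24"),
    "vendors": ip_network("10.10.3.0/24"),
}

# Constructed filter sets, one per remote access profile. Each rule is
# (destination network, protocol or "any"). A packet matching a rule is
# forwarded; anything else from that profile is dropped (default deny).
PROFILE_FILTERS = {
    # Employees reach the whole company network (placeholder 10.0.0.0/8).
    "employees": [(ip_network("10.0.0.0/8"), "any")],
    # Vendors reach only the internal DMZ behind the inner firewall
    # (placeholder 10.10.50.0/24), and only over TCP.
    "vendors": [(ip_network("10.10.50.0/24"), "tcp")],
}


def profile_for(src):
    """Return the profile whose pool contains src, or None if src is not a VPN client."""
    addr = ip_address(src)
    for name, pool in PROFILE_POOLS.items():
        if addr in pool:
            return name
    return None


def allowed(src, dst, proto):
    """Decide whether a packet from a VPN client may be forwarded inward."""
    profile = profile_for(src)
    if profile is None:
        return False  # not from any VPN pool: never forward
    dst_addr = ip_address(dst)
    for net, rule_proto in PROFILE_FILTERS[profile]:
        if dst_addr in net and rule_proto in ("any", proto):
            return True
    return False


# Constructed sample packets (src, dst, proto), as a flow log would show them.
SAMPLE_PACKETS = [
    ("10.10.2.17", "10.20.5.8", "tcp"),     # employee -> internal server
    ("10.10.3.4", "10.10.50.10", "tcp"),    # vendor -> DMZ host
    ("10.10.3.4", "10.20.5.8", "tcp"),      # vendor -> internal server
    ("10.10.3.4", "10.10.50.10", "udp"),    # vendor -> DMZ, protocol not permitted
    ("192.168.9.9", "10.10.50.10", "tcp"),  # not from any VPN pool
]


def evaluate(packets=SAMPLE_PACKETS):
    """Return one (src, dst, proto, 'forward'|'drop') tuple per packet."""
    return [(s, d, p, "forward" if allowed(s, d, p) else "drop") for s, d, p in packets]


if __name__ == "__main__":
    for row in evaluate():
        print(*row)
```

    The point the model makes is that the vendor group's reach is bounded by its filter set rather than by which IP it dialled in to, so a single RRAS server can keep the two groups apart.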
  • SrSysAdmin Member Posts: 259
    undomiel wrote: »
    The method that jumps to my mind is to use packet filters on the RRAS to control which VPN profile is allowed to route to which network.



    Can you provide a link to a page that shows how to setup something like you're referring to? That's not something I have done before.

    At my last company our VPN was setup using RSA token authentication and there was no way in hell we would let vendors have a direct VPN connection. That's not the case here obviously, but I'm trying to solve a problem I haven't come across before.


    Thanks for all the help so far guys, there are some great minds on this forum.
  • phoeneous Member Posts: 2,333
    It sounds like you just need to configure static routes. I googled "rras configure routes" and a bunch of stuff came up; this stood out. Can you put an additional NIC in? Your task sounds possible to me.
  • SrSysAdmin Member Posts: 259
    phoeneous wrote: »
    It sounds like you just need to configure static routes. I googled "rras configure routes" and a bunch of stuff came up; this stood out. Can you put an additional NIC in? Your task sounds possible to me.

    I'm not sure there is room for another NIC. There are already four NICs in the server and this is one of those HP All-in-One Storage Servers that have a NAS and server all in one small box. I may be able to hook up a USB-attached NIC however which would probably allow for enough traffic for VPN users.

    I found the same article you linked me to, but I didn't see where it would allow me to route different traffic based on the IP they were connecting to.

    I found this on another forum however, which made me think what I wanted to do wasn't possible with a single RRAS VPN server:

    You misunderstand how VPN works. The VPN Router itself *is* the Default
    Gateway of the VPN Client and that is not adjustable. You will not get a
    VPN Client connected to one subnet while another VPN Client connects to a
    different subnet when they both use the same VPN Server,...it just ain't
    gonna happen.

    You have to have a separate VPN Server for each subnet that you want to
    Server they use. The VPN Client is never, ever, ever, ever "aware" of any
    LAN side of the VPN Server depends entirely on how the VPN Server

    It is the way it works,..it is not "flexible". Remote Access VPN is based
    on the old Dial-up technology and Dial-up Technology in some ways has its

    Assuming the VPN Server is a separate machine sitting on the network edge
    and it is *not* doubling as the LAN's Firewall or the LAN Router........
    Routing problems will be most likely caused by the LAN Routing Scheme, or
    the lack thereof. If it is a multi-subnet LAN, then there must be a LAN
    Router. Every Host on the LAN needs to use the LAN Router as the Default
    Gateway. An exception would be the VPN Server which would use a Static route
    since its DFG would face the Internet. Then the LAN Router would use the
    Firewall as the Default Gateway. You can *not* have the VPN Client use the
    Firewall to "get to the net" because the VPN Server doesn't use the
    Firewall to get to the Net. Also the VPN Client is already on the Net to
    begin with or they couldn't have a VPN Connection,...so they have to
    disconnect the VPN to use the Net by their own means.

    If I still misunderstand your setup, then that just goes to show how complex
    this can become and why it is so important to have the "big picture"
    properly designed for everything within the overall system concerning what
    it is expected to do and why it is so extremely important to clearly explain
    everything when posting a question in cases like this.

    Source: VPN server: routing based on source IP? in Windows Server Networking
  • SrSysAdmin Member Posts: 259
    Regardless of whether or not this is possible, I really appreciate the help. It is great when IT people work together on forums. Too often people on forums get a smug sense of "I know more than you" and are unwilling to help and/or they act as if you're an idiot for needing help.
  • laidbackfreak Member Posts: 991
    SrSysAdmin wrote: »
    Regardless of whether or not this is possible, I really appreciate the help. It is great when IT people work together on forums. Too often people on forums get a smug sense of "I know more than you" and are unwilling to help and/or they act as if you're an idiot for needing help.

    +1 TE is a great forum both for learning for certification and sharing\learning for RL experiences.
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • phoeneous Member Posts: 2,333
    I'm sure it is possible, I just don't have an RRAS box to test it on. And to summarize the article, you cannot have multiple IPs on the same interface for different VPN gateways.

    Take this as an example: say you are in a building with 5 rooms and each room has a VPN user that will each connect to a different public IP, but there is only one gateway and one public IP at the building where they are. When one of those users creates a VPN connection, that one public IP will be used in the tunnel and cannot be used by any of the other users. So the VPN gateway will need to have 5 public IP addresses to accommodate each user.

    I had to do this for several remote users at a bank I used to work for. We had to create 1:1 nat translations and mac reservations.

    The reciprocal applies to your situation. You cannot have multiple public IPs on the same interface for VPN use. Once a VPN user is connected to one of those public IPs, the interface won't be able to accept another tunnel. So bottom line is you need to get one NIC/interface per public IP for VPN use.
  • SrSysAdmin Member Posts: 259
    phoeneous wrote: »
    I'm sure it is possible, I just don't have an RRAS box to test it on. And to summarize the article, you cannot have multiple IPs on the same interface for different VPN gateways.

    Take this as an example: say you are in a building with 5 rooms and each room has a VPN user that will each connect to a different public IP, but there is only one gateway and one public IP at the building where they are. When one of those users creates a VPN connection, that one public IP will be used in the tunnel and cannot be used by any of the other users. So the VPN gateway will need to have 5 public IP addresses to accommodate each user.

    I had to do this for several remote users at a bank I used to work for. We had to create 1:1 nat translations and mac reservations.

    The reciprocal applies to your situation. You cannot have multiple public IPs on the same interface for VPN use. Once a VPN user is connected to one of those public IPs, the interface won't be able to accept another tunnel. So bottom line is you need to get one NIC/interface per public IP for VPN use.


    So hang on, you're saying that I shouldn't be able to have more than one VPN tunnel set up at a time per NIC? I will have to go check that, but I'm pretty certain I've had multiple users outside the building connect to the same public IP (which redirects to the VPN server, which then assigns them an internal IP) while others are connected.

    As far as the gateway is concerned, I setup the end users so that they use their local gateway for browsing the internet so they don't need to use our gateway for anything.



    The problem I'm having is that Windows RRAS doesn't give you the option to try and set up a 2nd VPN connection on a separate NIC. While what you're saying would work in theory, I don't think Windows designed RRAS to be able to do that.

    I had no idea setting up a VPN server would be this much of a pain...oh well, once it is setup at least it'll be rewarding!
  • Devilsbane Member Posts: 4,214
    SrSysAdmin wrote: »
    I'm not sure there is room for another NIC. There are already four NICs in the server and this is one of those HP All-in-One Storage Servers that have a NAS and server all in one small box. I may be able to hook up a USB-attached NIC however which would probably allow for enough traffic for VPN users.

    USB NIC, or you could take one of the existing NICs and assign a second IP to it
    Decide what to be and go be it.
  • SrSysAdmin Member Posts: 259
    Devilsbane wrote: »
    USB NIC, or you could take one of the existing NICs and assign a second IP to it


    That's the setup I'm already using, I have 3 IPs assigned to the single NIC team...but it doesn't appear to be possible to use them both with the same RRAS system.
  • phoeneous Member Posts: 2,333
    SrSysAdmin wrote: »
    So hang on, you're saying that I shouldn't be able to have more than one VPN tunnel set up at a time per NIC? I will have to go check that, but I'm pretty certain I've had multiple users outside the building connect to the same public IP (which redirects to the VPN server, which then assigns them an internal IP) while others are connected.

    No, I'm saying if you use multiple IPs on the same interface you cannot have simultaneous VPN tunnels. If you are using just one public IP then you can have as many users connect as it can support. You are better off getting a dedicated VPN appliance like an ASA 5500 and completely separating them off.

    And why are you teaming the NICs? Unless you are spanning the port or there is load balancing through Windows, teaming the NICs only gives you failover if one NIC fails. Unless there is some cool NIC teaming feature in RRAS that I'm not aware of, which is highly likely since I hate it.
  • skyline Member Posts: 135
    Ask it nicely?

    if not...

    Donkey Punch all!
    SrSysAdmin wrote: »
    Here is my situation.


    Clients connect to a public IP which is redirected to an IP on my Windows VPN server. All the users coming in through that IP then I would like to be immediately forwarded to an IP on one of our internal firewalls.


    I have a 2nd IP on the VPN server for other clients which don't need to be forwarded.


    How do I go about forwarding the users connecting to the first IP to our internal firewall IP?




    I asked on another forum but they weren't able to help. Do any of you guys have any idea?


    Thanks in advance.
    Goals for '11
    MCITP: EA
    ITIL
    CCNA

    Studying:
    MS press book 70-680
  • SrSysAdmin Member Posts: 259
    phoeneous wrote: »
    No, I'm saying if you use multiple IPs on the same interface you cannot have simultaneous VPN tunnels. If you are using just one public IP then you can have as many users connect as it can support. You are better off getting a dedicated VPN appliance like an ASA 5500 and completely separating them off.

    And why are you teaming the NICs? Unless you are spanning the port or there is load balancing through Windows, teaming the NICs only gives you failover if one NIC fails. Unless there is some cool NIC teaming feature in RRAS that I'm not aware of, which is highly likely since I hate it.


    Because the company I work at is frugal with their IT budget. The system I'm setting up as our VPN server is also our file server. The NIC teaming was put in place for the file share...and they want me to set up the VPN server on the same system rather than having to pay for an additional Windows license.

    Obviously not the best way to go about doing things, but you have to make do with what you have available to you.

    The sys admin before me seems to have been an idiot. He purchased the most expensive version of vSphere (Enterprise Plus) and doesn't make use of a single one of the features that are exclusive to this version and drive up the price $1,000 per CPU. I think he probably got caught up in what the sales guy said he could do, but then he didn't have the know how to implement any of it.