Need help setting up NAT via RRAS on Windows 2003 server

    Question

  • I have the following setup:

    Server 2003 with RRAS

     - (Nic0: 10.0.0.10/24) --- LAN (10.0.0.0/24)

     - RRAS-based demand-dial interface which connects through L2TP/IPsec to the VPN router in the internet. It is set to persistent connection. Once the connection is established I get address 10.0.5.217/32 on this interface.

     - the router that is responsible for the internet connection is in the LAN, address 10.0.0.1/24

    My computer connects to the VPN server from a remote location and gets the address 10.0.5.218 from the VPN.

    In the setup above, once I establish the VPN connection from my computer and the RRAS VPN is established as well, I can easily connect to the Server 2003, ping it and e.g. make a VNC or RDP connection, whatever; it works fine, so there is an in-tunnel connection between 10.0.5.217 and 10.0.5.218.

    Now, the problem.
    I have devices in the LAN I would like to connect to from the remote computer. I guess RRAS with NAT is the service I need for that.

    I need to establish a connection between 10.0.5.218 (my machine) and a machine in the remote LAN at address 10.0.0.11 on three ports: 23, 80, 9000. I didn't succeed in configuring this.

    I tried all the possible options I found and none worked; that's why I am not showing what I have configured already.

    Can somebody please give me advice on how to make this work. Thank you.

    Wednesday, July 24, 2013 12:14 PM

Answers

  • Interesting scenario. All this time, I thought you had a Windows RRAS/VPN setup. I didn't realize you are using a 3G broadband VPN solution.

    What we've mentioned and recommended is all based on Windows RRAS.

    Since that is a third party product, I would highly suggest to contact their support department, or search on the device model# or ISP to see how and if others have done it.

    And note, you mentioned your VPN provided IP is 10.0.5.218, and your server is 10.0.0.1, and the camera system is 10.0.0.10, but you didn't provide the mask. I realize the VPN mask is 255.255.255.255, which is as it should be (since that says "just me"), but I don't know your internal mask, therefore another issue is there can be a subnet overlap which will prevent you from accessing anything internally. I may suggest to change one subnet or the other, and if you can't change the VPN subnet the 3G device is giving you, then your only choice is to change the company network subnet.

    Tell you what, if you set it up with Windows RRAS/VPN on your DSL, making the necessary translations, does it work? If so, then you'll know it works. Then the best thing would be to upgrade your DSL to a faster speed.

    Otherwise, since it's a third party device, I highly recommend contacting them for support or search the vendor's support forum for recommendations.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, July 29, 2013 3:03 PM

All replies

  • Since 10.0.0.x and 10.0.5.x are different subnets do you have routing between these on the server?

    http://technet.microsoft.com/en-us/library/cc757323(v=ws.10).aspx

    Wednesday, July 24, 2013 3:42 PM
  • Hi

    According to your description, it seems you want to establish a connection between your computer (10.0.5.218) and the machine (10.0.0.11) on the remote LAN by using a RRAS server, right?

    If you have no route between your computer and remote machine, I agree with Graham that you’d better add a static route on your computer.

    Or you can configure the Default Gateway of your computer to the RRAS server’s interface if this won’t make much influence on your computer.

    More information:

    Configure Static Routes

    http://technet.microsoft.com/en-us/library/cc780786(v=ws.10).aspx

    How to Use Static Routes with Routing and Remote Access Service

    http://support.microsoft.com/kb/178993

    I hope this helps!

    Friday, July 26, 2013 9:00 AM
    Moderator
  • norbi771pl,

    I'm trying to follow your description of what you're trying to do, but it's a bit confusing.

    I will assume the *remote* computer is a computer at your home office. Based on this assumption, all you need to do is set up an L2TP VPN on your 2003 server. However, L2TP is a bit more difficult to set up, because you have to predetermine whether you want to use a shared key or a certificate. If you decide to keep with L2TP, the instructions are below, but also just as important, you must port translate the following in your router/firewall to the server:

    • TCP 1701
    • UDP 500   - This is for the security association (also called the SA) to negotiate the security method, whether it's a password, certificate or Kerberos.
    • AH  - Also called Authenticated Headers. This is Protocol ID 50 - and like above, this is not a port, and it depends on your firewall on how to configure it.
    • ESP - Encapsulated Secure Payload. This is Protocol ID 51 - and like above, this is not a port, and it depends on your firewall on how to configure it.

    Now, how to set up AH and ESP on the firewall would depend on the firewall. The less expensive firewalls, such as Linksys, have a setting to "allow L2TP passthrough." But you still need to open the others. If you have a Cisco or higher end firewall, they allow you to specify ESP and AH explicitly.

    Then follow these instructions. And I got this from another website, and I normally post a link to its source and reference the author, but for some reason I did not grab the URL when I saved these instructions. I apologize to the author if he/she were to read this.

    ==================================================================
    ==================================================================
    Configuring L2TP VPN on Windows 2003

    There are a number of details for configuring L2TP/IPSec. Without more
    information, a very basic\short description would be:

    - Under Routing and Remote Access, go to "Ports" to confirm that there
    are L2TP ports configured (this is dependent on how you originally
    setup Routing and Remote Access)
    - On the client side, create a new VPN connection from "Network
    Connections"

    If you want to use IPSec on the L2TP connection, you have two options,
    certificates or pre-shared keys. Certificates are more secure, but
    require more setup where as pre-shared keys are less secure, but are
    easier to setup, it all depends on your remote access needs. Below are
    the instructions for setting up pre-shared keys:

    How to Configure a Preshared Key on a VPN Client

    1. In Control Panel, double-click Network Connections.
    2. Under the Virtual Private Network section, right-click the
    connection for which you want to use a preshared key, and then click
    Properties.
    3. Click the Security tab.
    4. Click IPSec Settings.
    NOTE: IPSec Settings may be shaded if on the Networking tab, Type of
    VPN is set to PPTP VPN. A preshared key can only be configured if this
    option is set to L2TP IPSec VPN or Automatic.
    5. Click to select the Use preshared key for authentication check box.
    6. In the Key box, type the preshared key value. This value must match
    the preshared key value that is entered on the VPN-based server.
    7. Click OK two times.

    How to Configure a Preshared Key on a VPN Server

    1. Start the Routing and Remote Access snap-in. To do this, click
    Start, point to Administrative Tools, and then click Routing and
    Remote Access.
    2. Right-click the server that you will configure with the preshared
    key, and then click Properties.
    3. Click Security.
    4. Click to select the Allow Custom IPSec Policy for L2TP connection
    check box.
    5. In the Preshared key box, type the preshared key value. This value
    must match the preshared key value entered on the VPN-based client.
    6. Click OK.

    There are a number of other considerations you want to think about,
    i.e. firewall rules, remote access policies, etc. but this was as
    short of a description as I could provide.

    ==================================

    -

    If you are still having problems with L2TP, you may want to try PPTP, which is MUCH simpler. You just turn it on and open these ports:

    • TCP 1723
    • GRE (Generic Routing Encapsulation) Protocol ID 47

    Same deal with GRE on the less expensive routers: PPTP passthrough. If you have a Cisco or higher end firewall, they allow you to specify GRE explicitly.

    -

    Instructions to setup PPTP on 2003 - with some videos that may help:

    Windows 2003 Configure PPTP

    Configure a Windows Server 2003 VPN on the server side (screen shots)
    http://articles.techrepublic.com.com/5100-10878_11-5805260.html

    Configure a Windows Server 2003 VPN on the server side
    http://www.techrepublic.com/article/configure-a-windows-server-2003-vpn-on-the-server-side/5805260

    Remote access/VPN server role: Configuring a remote access/VPN - Windows 2003, Updated: January 21, 2005. (Including NAT)
    http://technet.microsoft.com/en-us/library/cc736357(WS.10).aspx 

    Windows 2000/2003 - How to configure VPN Server with single NIC on Windows Server
    http://blogs.technet.com/b/rrasblog/archive/2006/06/19/437171.aspx

    VPN server deployment: IP Addressing, Routing/NAT, Single vs two NIC
    http://blogs.technet.com/b/rrasblog/archive/2006/09/20/vpn-server-deployment-ip-addressing-routing-nat-single-vs-two-nic.aspx

    How to configure Network Address Translation in Windows Server 2003
    http://support.microsoft.com/kb/816581

    YouTube Video: NAT Configuration on Windows Server 2003 - Part1
    http://www.youtube.com/watch?v=5RwlHotdzlg

    How To Enable NAT in Windows 2003 Server (easy to follow screenshots)
    http://www.technize.com/how-to-enable-nat-in-windows-2003-server/

    YouTube Video: How To Install and Configure RRAS NAT & VPN -
    How to install routing and remote access server and test the installation with a vpn connection.
    http://www.youtube.com/watch?v=wpt2z3LA0dQ


    Ace Fekay

    Saturday, July 27, 2013 2:32 AM
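The port list in the post above is the part of an L2TP/IPsec or PPTP deployment that most often goes wrong at the edge device, so here is a small checker, added as an example and not part of the original post. The rule lines it consumes are constructed for the example; the protocol numbers it uses are the IANA assignments (ESP is IP protocol 50, AH is 51, GRE is 47), and UDP 4500 is included because IKE and ESP are UDP-encapsulated on that port whenever a NAT sits in the path, which is exactly the 3G/DSL router situation in this thread.

```python
"""Firewall coverage check for the VPN types discussed in the thread.

Added example, not from the original post.  The rule lines are constructed;
protocol numbers follow IANA: ESP = 50, AH = 51, GRE = 47."""

# What the edge router/firewall must pass to the VPN server, per VPN type.
# Keys are ("tcp"|"udp", port) or ("ip", ip_protocol_number).
REQUIREMENTS = {
    "l2tp-ipsec": {
        ("udp", 500): "IKE (ISAKMP) negotiation on UDP 500",
        ("udp", 4500): "IKE/ESP NAT traversal on UDP 4500",
        ("udp", 1701): "L2TP on UDP 1701 (inside ESP once IPsec is up)",
        ("ip", 50): "ESP, IP protocol 50",
    },
    "pptp": {
        ("tcp", 1723): "PPTP control channel on TCP 1723",
        ("ip", 47): "GRE, IP protocol 47",
    },
}
# AH (IP protocol 51) is only needed if the IPsec policy actually uses AH;
# Windows L2TP/IPsec uses ESP, so it is not in REQUIREMENTS.
OPTIONAL = {"l2tp-ipsec": {("ip", 51): "AH, IP protocol 51 (only if the policy uses AH)"}}


def parse_rule(text):
    """Parse one constructed rule line, e.g. 'allow udp 500' or 'deny ip 50',
    into (action, (proto, number)).  Unknown shapes are rejected loudly."""
    parts = text.split()
    if len(parts) != 3:
        raise ValueError("unrecognised rule: %r" % text)
    action, proto, num = parts
    if action not in ("allow", "deny") or proto not in ("tcp", "udp", "ip"):
        raise ValueError("unrecognised rule: %r" % text)
    return action, (proto, int(num))


def missing(vpn_type, rule_lines):
    """Return the requirements of `vpn_type` that no effective 'allow' covers.

    Rules are applied in order and a later 'deny' for the same (proto, n)
    cancels an earlier 'allow': a stray 'deny ip 50' silently breaks
    L2TP/IPsec even though UDP 500 looks fine in a port scan."""
    allowed = set()
    for line in rule_lines:
        action, key = parse_rule(line)
        if action == "allow":
            allowed.add(key)
        else:
            allowed.discard(key)
    reqs = REQUIREMENTS[vpn_type]
    return sorted(reqs[key] for key in reqs if key not in allowed)


# Constructed rule set that follows the post literally, including its
# swapped protocol numbers: 51 was opened believing it to be ESP.
RULES_FROM_POST = ["allow udp 500", "allow udp 1701", "allow ip 51"]

if __name__ == "__main__":
    for item in missing("l2tp-ipsec", RULES_FROM_POST):
        print("still blocked:", item)
```

Run against the constructed rule set, the checker reports ESP (protocol 50) and UDP 4500 as still blocked, which is the failure mode a practitioner should look for when IKE completes on UDP 500 and the tunnel then never passes data.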
  • Graham, Susie, thank you for both answers.
    Maybe I was not precise. Do I really need routing change?

    After establishing the VPN connections from the home computer and the server, since I can then ping the server, from the home computer I try to telnet to 10.0.5.217, which should redirect the port to 10.0.0.11 and in effect telnet me to 10.0.0.11 (if RRAS were working properly).

    10.0.5.217 is the VPN address of my Windows 2003 server. From the server itself I can ping 10.0.0.11.
    10.0.5.218 is the VPN address of my home computer. And from home computer I can ping and connect to 10.0.5.217.

    That's why I am confused. I did that kind of port redirection on Linux and many routers and it was working fine. I thought it would work the same way on Windows Server 2003 with RRAS.

    Anyway, let's assume you are right and I really need routing; how should I configure the routes between these two interfaces, VPN and LAN, on the server?

    Knowing that my VPN IP on the server side is always 10.0.5.217, shall I add route like that?

    route add 10.0.0.0 mask 255.255.255.0 10.0.5.217 ?

    I did, and it doesn't seem to work. I mean the route was added but I can't access 10.0.0.11 anyway.

    Hope you can help me more, thank you for your time.


    • Edited by norbi771pl Monday, July 29, 2013 12:23 AM added names
    Sunday, July 28, 2013 11:47 PM
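To make the routing discussion concrete, here is a longest-prefix-match walkthrough over the thread's addresses, added as an example and not taken from any post. The route tables are constructed from the description: 10.0.0.0/24 is directly connected on the server's Nic0, so the `route add` tried above changes nothing on the server; the route Graham and Susie are talking about belongs on the home PC, where 10.0.0.11 otherwise matches only the default route and leaves via the home LAN. The home PC's LAN (192.168.1.0/24) and its router (192.168.1.1) are assumptions. The overlap check is Ace's point from the accepted answer: two /24s at 10.0.0.0 and 10.0.5.0 do not collide, but a /16 office mask would swallow the VPN range.

```python
"""Longest-prefix-match walkthrough for the addresses in the thread.

Added example, not from the original posts.  Route tables are constructed;
the home PC's LAN 192.168.1.0/24 and its router 192.168.1.1 are assumptions."""
import ipaddress

# (destination prefix, next hop, outgoing interface); "on-link" = connected.
HOME_PC_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "home-lan"),   # default via the home router
    ("192.168.1.0/24", "on-link", "home-lan"),
    ("10.0.5.218/32", "on-link", "vpn"),        # /32 handed out by the VPN router
]
# The static route the replies suggest, on the *home* side: send the office
# LAN prefix into the tunnel instead of to the home router.
OFFICE_LAN_VIA_VPN = ("10.0.0.0/24", "on-link", "vpn")

SERVER_ROUTES = [
    ("0.0.0.0/0", "10.0.0.1", "nic0"),
    ("10.0.0.0/24", "on-link", "nic0"),         # already connected: no route add needed
    ("10.0.5.217/32", "on-link", "demand-dial"),
]


def lookup(routes, dst):
    """Longest-prefix match.  Returns (prefix, next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifname)
    return None if best is None else (str(best[0]), best[1], best[2])


def egress(routes, dst):
    """Just the interface a packet to `dst` would leave through."""
    hit = lookup(routes, dst)
    return None if hit is None else hit[2]


def overlapping(lan_prefix, vpn_prefix):
    """Ace's subnet-overlap concern: True when the two ranges intersect."""
    return ipaddress.ip_network(lan_prefix).overlaps(ipaddress.ip_network(vpn_prefix))


if __name__ == "__main__":
    print("home PC, no static route:", egress(HOME_PC_ROUTES, "10.0.0.11"))
    print("home PC, with static route:",
          egress(HOME_PC_ROUTES + [OFFICE_LAN_VIA_VPN], "10.0.0.11"))
    print("server to CCTV:", egress(SERVER_ROUTES, "10.0.0.11"))
    print("/24 vs /24 overlap:", overlapping("10.0.0.0/24", "10.0.5.0/24"))
    print("/16 vs /24 overlap:", overlapping("10.0.0.0/16", "10.0.5.0/24"))
```

The caveat a static route on the home PC does not remove: the packet still carries destination 10.0.0.11 when it reaches the VPN router in the internet, and that router must itself know to forward 10.0.0.0/24 to 10.0.5.217, and the reply from 10.0.0.11 must find its way back through the server. Neither is under the thread author's control, which is why translating on the server (so the home PC only ever talks to 10.0.5.217) avoids the routing question entirely.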
  • Ace, thank you for your time

    I spent some time trying to explain what I am trying to achieve and then the browser crashed when I pressed the submit button ... arghhh.

    So now in short  ... I do not need VPN server on W2k3.

    In my setup I want W2K3 to be VPN client connecting to remote VPN server.
    My home computer does the same.
    Once both machines connect to the remote VPN server they can "see" each other via the VPN tunnel.

    Now, I want to redirect a few unused ports on the server to the CCTV VCR which is located in the same LAN as the server (server's IP is 10.0.0.10, CCTV's 10.0.0.11).

    If I succeed I will be able to watch the office via CCTV cameras from home, and this is the purpose.

    Why do I connect to remote VPN server?
    Because the office is connected via mobile internet (and the mobile operator blocks traffic coming in from the internet).
    We have DSL as well but it is terribly slow (256 kbps); that's why, if it is possible, the in-office router establishes the mobile connection.
    From the LAN side it is transparent, i.e. the default route 10.0.0.1 is always the same; only the internal routing in the in-office router changes.

    Hope you better understand my needs now.

    Once again thank you for your time, and if you have any ideas I will appreciate your comments, thank you.

    Monday, July 29, 2013 12:21 AM
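What the post above asks for is port redirection on the VPN endpoint: the home PC talks only to 10.0.5.217, which it can already reach, and the server accepts on its tunnel address and opens a second connection to the recorder. Done that way, neither the home PC nor the VPN router in the internet needs a route to 10.0.0.0/24. The script below is a user-space stand-in for that redirection, added here as an example and not code from the thread; it is useful for proving the path works before configuring RRAS, where the same thing is a NAT port mapping ("special port") on the demand-dial interface (the `netsh routing ip nat add portmapping` context on 2003). The addresses, the three ports and the source allowlist are assumptions taken from the description. Two choices matter for exposure: the listener binds to the tunnel address only, never 0.0.0.0, and it refuses peers outside the allowlist before a single byte reaches the recorder, so the plaintext telnet and HTTP of the camera system are reachable only through the tunnel and only from named VPN peers.

```python
"""User-space TCP port redirector for the setup described in the thread.

Added example, not from the original post.  The addresses, ports and the
source allowlist are assumptions taken from the thread's description."""
import socket
import threading

TUNNEL_ADDR = "10.0.5.217"          # server's address on the demand-dial interface
CCTV_ADDR = "10.0.0.11"             # recorder on the office LAN
REDIRECT_PORTS = (23, 80, 9000)     # the three ports the post wants reachable
ALLOWED_SOURCES = {"10.0.5.218"}    # VPN peers allowed through (assumed: the home PC)


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the far end sees EOF."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target, allowed):
    """Admission check, then splice `client` to a fresh connection to `target`."""
    if allowed is not None and client.getpeername()[0] not in allowed:
        client.close()                      # not a permitted VPN peer: drop, never relay
        return
    try:
        backend = socket.create_connection(target, timeout=10)
    except OSError:
        client.close()                      # recorder unreachable: fail closed
        return
    backend.settimeout(None)
    client.settimeout(None)
    back = threading.Thread(target=_pump, args=(backend, client), daemon=True)
    back.start()
    _pump(client, backend)
    back.join()
    client.close()
    backend.close()


def _accept_forever(srv, on_conn):
    """Accept loop with a short timeout so closing `srv` actually stops it."""
    while True:
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        except OSError:
            return                          # listening socket was closed
        threading.Thread(target=on_conn, args=(conn,), daemon=True).start()


def _listen(addr):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(addr)
    srv.listen(16)
    srv.settimeout(0.5)
    return srv


def serve(listen, target, allowed=None):
    """Relay every connection on `listen` to `target`.  Returns (port, stop_fn);
    port 0 in `listen` picks a free port, which the loopback test relies on."""
    srv = _listen(listen)
    threading.Thread(target=_accept_forever,
                     args=(srv, lambda c: _relay(c, target, allowed)), daemon=True).start()
    return srv.getsockname()[1], srv.close


def _echo_backend():
    """Stand-in for the recorder in a loopback test: echoes what it receives."""
    def echo(conn):
        with conn:
            while True:
                data = conn.recv(65536)
                if not data:
                    return
                conn.sendall(data)
    srv = _listen(("127.0.0.1", 0))
    threading.Thread(target=_accept_forever, args=(srv, echo), daemon=True).start()
    return srv.getsockname()[1], srv.close


def loopback_roundtrip(payload, allowed):
    """Run redirector + fake recorder on 127.0.0.1; return what a client gets back."""
    backend_port, stop_backend = _echo_backend()
    fwd_port, stop_fwd = serve(("127.0.0.1", 0), ("127.0.0.1", backend_port), allowed)
    got = b""
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            while True:
                data = c.recv(65536)
                if not data:
                    break
                got += data
    except OSError:
        pass                                # refused or reset: nothing was relayed
    finally:
        stop_fwd()
        stop_backend()
    return got


if __name__ == "__main__":
    for port in REDIRECT_PORTS:
        serve((TUNNEL_ADDR, port), (CCTV_ADDR, port), ALLOWED_SOURCES)
    threading.Event().wait()            # run until killed
```

Running it on the server with the assumed addresses, `telnet 10.0.5.217 23` from 10.0.5.218 reaches the recorder's port 23, while the same connection from any other tunnel address is closed immediately. The loopback helper exercises both behaviours without touching the real network.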
  • Now, I want to redirect a few unused ports on the server to the CCTV VCR which is located in the same LAN that server does (server's IP is 10.0.0.10, CCTV's 10.0.0.11).

    If I succeed I will be able to watch the office via CCTV cameras from home, and this is the purpose.

    If you want to see the CCTV cameras from home, consider doing port forwarding for the IP addresses of those CCTV cameras.

    Or if you want you can try DynDNS.

    Check out the links below; they might give you some ideas:

    http://www.cctvcamerapros.com/port-forwarding-s/130.htm

    http://www.youtube.com/watch?v=Np0VeQJwlI0&hl=en-GB&gl=SG


    Every second counts..make use of it.

    Monday, July 29, 2013 1:30 AM
  • norbi771pl,

    I think there's a misconception about what a VPN will do or not do for you. When you connect your laptop or desktop that's sitting at your house, in Starbucks, or wherever, to your VPN at your office, you are essentially making your laptop or desktop *part* of the office network, hence you are part of the private office network, hence the term "virtual private network" or VPN.

    Therefore, you would simply access anything in the office network by using the internal private IP, without the need to port translate or create static routes or anything, because you are already part of the network. That's what a VPN does for you.

    Does that make sense?

    Now if the device or resource (web server, cameras, whatever) are on a different internal subnet, such as a different office or other part of the campus, then internally static routes would need to be configured so anyone in the main office or any office can connect to anything in any other subnet.

    Make sense so far?

    So if you are already VPN'd in, then simply access the cameras or whatever as you would when you are sitting in the office.

    And of course all the above is based on if you've properly configured RRAS for VPN services. The links I previously provided help with that.

    -

    And don't get hung up on the VPN connection IP. If you setup RRAS/VPN to get and assign all VPN connections an IP address from the internal DHCP Server (assuming it's a Windows DHCP - ideally and if not I suggest it), then you don't have to worry about routing. The VPN server handles that.

    -

    Now as for cguan's suggestion to port translate, that will work, too, but if you are going to do that, then you will NOT need to VPN, because then you would connect to the PUBLIC WAN IP that your ISP gave you. That's why he's suggesting DynDNS if you do not have a static IP.

    HOWEVER, since your mobile line doesn't allow inbound traffic, then I assume it will more than likely be a different IP, then DynIP may be helpful so you always connect to the same name, that is assuming you will create a name, such as myoffice.dynip.com or vpn.mycompany.dynip.com, or whatever you want to call it.

    -


    Ace Fekay

    Monday, July 29, 2013 3:03 AM
  • Thanks,

    The point is that I can't redirect ports on my router, since when it establishes the 3G link I can't access its interface even if I know its address; it is not a DDNS issue.

    The only option is to have a VPN tunnel that lets me connect the home computer and the server. It is also more secure, as I don't have to expose the CCTV web interface to the whole internet but only to the authorized staff who have VPN access.

    So the question is how to configure RRAS or whatever on server (10.0.0.10 -LAN and 10.0.5.217 - VPN) to let me route or redirect (it doesn't  really matter which option I use) to the 10.0.0.11 from the home computer that has VPN IP 10.0.5.217

    Brgs

    Norbert

    Monday, July 29, 2013 9:25 AM
  • I understand benefits of your solution, but it is not applicable here.

    If I set up VPN server on Windows Server machine it would be useless, as I would be unable to connect and use it.
    I can't reach that server unless it establishes VPN client link to the router located in the internet.

    The 3G provider does not limit traffic going out to the internet, thus I can establish a VPN connection as a client to the router placed in the internet. I can't do the opposite; that's why I have to use that weird setup.

    Brgs

    Norbert

    Monday, July 29, 2013 9:31 AM
    I've done this CCTV setup a couple of times; as long as the link is available on the internet or the port is properly forwarded, it works.

    It can be accessed from anywhere, either using 3G or any other type of internet connection.

    When you have done the port forwarding, check whether the port is properly forwarded or open.

    There are a couple of sites on the internet that offer this kind of service to check whether a port is open or not.


    Every second counts..make use of it.



    • Edited by cguan Monday, July 29, 2013 12:30 PM edit
    Monday, July 29, 2013 12:27 PM
    If the 3G provider allowed port forwarding it would be a piece of cake. But they do block that kind of traffic and do not offer the option to pay for port forwarding. Can't use another provider either.

    Brgs

    Norbert

    Tuesday, July 30, 2013 9:17 AM