
VPN Problems (PPTP), DHCP?, HELP!!!


tsap

IS-IT--Management
Apr 19, 2005
69
CA
I really don’t know what category to put this in, since I don’t know where the problem is exactly. Ok this is the full story…

Our current ISP gives us a static fake IP address that’s redirected to a static real address (for whatever reason). So for example my fake static IP for an external address on my WG2500 box is 10.251.2.X (fake static). But if you want to connect from outside the network via VPN you connect with the 129.132.X.X (real static) address.

The SOHO WG2500 box is plugged into our Windows 2000 server computer (192.168.111.100) and does the DHCP for the local network and for the remote access users (VPN). So the DHCP scope looks at the SOHO WG2500 box’s IP which is 192.168.111.1, then the DHCP addresses assigned are 192.168.111.33 to 192.168.111.88, then the DHCP servers are 192.168.111.100 and 192.168.111.101 (other server).

So my problem is the new ISP has no funny fake static IPs or anything. It’s a plain Jane, no-restriction real static IP. So when I unplug the current ISP and plug in our new ISP, I just changed the external address info on the SOHO box to the new information. Once I did that, the internet works great. So really, the only thing I need to change is the IP address that my remote users log in with. So I changed the IP for the clients to the new static IP. Once I did that, I could not connect to the server. It never said denied access or anything. It just was not there. But on the client computers I can ping the external address fine.

Once I had that problem, I plugged my old ISP box back in the SOHO and everything started to work fine. I just can’t find the problem stopping me from fixing this for my new ISP. One thing I should mention, the old did set up the Windows 2000 servers. So I guess it is possible they have hidden settings somewhere. But I can’t find them!!!!



Any ideas would really help.
 
What your previous ISP gave you was a NAT service. That's where the router hides many IPs (192.x.x.1-192.x.x.255 on the internal network) behind 1 real IP, as you call it. So you can have many clients and only one real IP, then the router would port forward your VPN through to the correct internal IP (this would be set inside the router).

Your new ISP router will have an IP address of, say, 81.x.x.1 on the ISP side and your server NIC will have an IP of 81.x.x.3.
You need to connect to the server NIC IP, not the router IP.
Sorry, I'm not too good at explaining stuff.

 
I don't understand what you're saying.

my isp router ip is a static (8.x.x.1) (the isp side)

my server nic is 192.168.111.100 (the DHCP server)

my server nic does not have an 8.x.x.x address



 
When I connect to the VPN, I always connect outside the network on the new ISP's external static IP, which is 8.x.x.1. That IP is the external address on the SOHO box, then the SOHO box is plugged into the Windows 2000 server NIC, then that computer sends out DHCP addresses.

Am I missing something here?
 
tsapara,

Is the VPN service that your users connect to on the WatchGuard SOHO, or is it running on the Windows server itself?
 
The SOHO is just passing the PPTP to the win2k server box that's running the remote access server, which is 192.168.111.100.
 
Do you have any filters or other RRAS setup on the Windows 2000 box that might have only allowed connections passed through your old ISP?
 
I'm looking at my RRAS now and it has no info that's related to my old ISP config... filters, forwarding, nothing.
 
Seems pretty strange, then. Who is the new ISP? Have you checked with their tech support, just to make sure they aren't blocking any VPN ports (unlikely).

You've tested the VPN on the new ISP from multiple offsite clients too, right?
 
I have called my new ISP, and they have told me I have nothing blocked at all. It's a wide open address. I have tested the VPN on the new ISP with remote clients and it does not work.
 
I don't have a SOHO in front of me, so I don't recall the interface -- but are there policy controls (like IP filters or anything of that nature) on the VPN policies?

 
The SOHO I have is a WG2500 and it has no policies at all. The only thing it has is "Incoming filters rules" on the firewall. It has quick filters listed, such as PPTP, that you can allow or deny. I have it allowed, and then I have the local address listed so the request is forwarded to that address (192.168.111.100).

There are no routes or other configs set up.
 
Do you have LiveSecurity support for your WatchGuard product(s)?
 
I don't have a support contract with them anymore. With the change of our ISP, we are also changing out all our hardware as well. We just want to see if we could do a temp fix until the new hardware is installed.

One thing to note: I did replace the SOHO box with just a run-of-the-mill home-grade D-Link box that has PPTP filters on it. Once I put that in, I had the same problem as the SOHO box, which is making me think that the RRAS on the Win2k server box has something fishy happening on it.
 
Do you have any VPN licenses for the SOHO that you can try out? That would at least tell you if it was specific to the server...but yeah, that's my guess too.
 
We have 5 VPN licenses for IPSEC, but that's a different setup altogether. But yeah, it's worth a try for testing anyway. I'll have to try a rebuild of the RRAS and see what happens.
 
I wonder if I need to add a new interface, like NAT, to RRAS?...

Since our old ISP used fake static IPs and had them forwarded to a real static address, he was doing that as a NAT function for us. I'm thinking if I add a NAT interface to RRAS that should fix it?
 
I'm not sure...don't really deal with VPN on Windows2000/2003 much. I prefer FireboxX for that.

The SOHO doesn't have PPTP VPN builtin, does it? I seem to remember the older models not...big limitation...
 
Yeah, the SOHO box just does a pass-through function for PPTP. No hardware functions for PPTP.
 
Might try the WatchGuard forum on this site - maybe someone there has seen this before with SOHO config...
 