VPN Client hiding Static IP?

Hi,

I have a problem that I just can't solve. I've contacted my ISP, NETGEAR, etc., and even brought in someone who claimed to be a networking expert. No-one has been able to help me solve or understand this problem.

I have a static ip address from my internet service provider (SHAW), and on my server I am developing a web application. I can access my web server via the static ip from an outside computer - up until I start a VPN client (Nortel) running on my server. After that I just get timeouts when trying to access the server from an outside computer. I need to run the VPN on my server because it needs to access a database on a government network. With the VPN running on my server, I can still access the server via the static ip address from another computer on my LAN though (when I am using a router).

I've tried this going directly to the cable modem, or through a router - same thing happens.

Other strange things: If I just connect my computer to the cable modem, the default ip address I am assigned is not the static ip address I was assigned by Shaw - I need to go into my TCP/IP settings and manually set the static ip address I want. Is this normal?

Also, even before I run a VPN client on my server, I cannot PING my static ip address (though Shaw says it is working) from my LAN (when I am using a router) or from an outside computer - I just get timeout.

When I run the Nortel VPN Client, it shows an Assigned Ip Address. I can access my server through this Ip Address from anywhere, but this doesn't really do me any good - I need to be able to access my server using my static ip address.

Am I just missing something about how VPN works, or is there a setting somewhere I am missing, or maybe the cable modem (Motorola Surfboard SB5100) has limitations I am not aware of.

I really would appreciate any help.

Reply to
KraftyDood

This is working properly. The Nortel VPN client is configured to cut off access to external computers when the VPN link is active to prevent your computer from becoming a conduit for a hacker to gain entry to the remote network via your computer. (In a case made public this actually happened to a Microsoft programmer working from home) The Administrator of the Nortel VPN router would need to change settings to allow "split tunnelling".

Shaw static IPs work like this. You manually assign the static IP they give you into your equipment. If you turn on DHCP (automatic) addressing then you will get one of their dynamic IPs. I don't see why you are concerned about it.

Yes, you are missing something about how VPN works. It is not a problem with your cable modem, with Shaw, or your software. The Nortel VPN client forces your default route to change to become the remote VPN router when you are connected so that ALL traffic to the Internet is sent through the VPN link. In a command prompt type "route print". Try this before and after connecting to the VPN and see the difference.

If you want to connect these two sites you might consider running a branch office style VPN tunnel between a VPN router at your site to the remote VPN router. This will give you more control over routing. The VPN client is not really designed for anything other than remote client access. It's not a way to build interconnected networks on an ad-hoc basis like you seem to be attempting to do. The "government network" would also want to set up appropriate network firewall rules on the remote side so that only connections to the database ports you require will get through and nothing else to prevent the surface area that can be attacked if your machine was compromised.

Reply to
Mike Drechsler - SPAM PROTECTE
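A way to see the default-route change Mike describes with "route print", as an added example that is not from the thread: it parses constructed before/after route tables (documentation-range addresses stand in for the real ones) and reports which gateway owns the default route and which interface a reply to an outside client would leave from.

```python
"""Parse Windows `route print` tables and show where the default route went.
Added example, not code from the thread; both route tables are constructed."""
import ipaddress
import re

ROUTE_ROW = re.compile(r"^\s*([\d.]+)\s+([\d.]+)\s+(\S+)\s+([\d.]+)\s+(\d+)\s*$")
# Constructed: static public IP 203.0.113.57 directly on the cable modem.
BEFORE_VPN = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.57     20
      203.0.113.0    255.255.255.0          On-link    203.0.113.57    276
"""
# Constructed: the VPN client added a 10.200.0.0/16 tunnel adapter, a host
# route to the VPN gateway's public address, and a metric-1 default route.
AFTER_VPN = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.200.0.1      10.200.0.5      1
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.57     20
       10.200.0.0      255.255.0.0          On-link      10.200.0.5    276
     198.51.100.9  255.255.255.255      203.0.113.1    203.0.113.57      1
      203.0.113.0    255.255.255.0          On-link    203.0.113.57    276
"""

def parse_routes(text):
    """One dict per 'Active Routes' row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROUTE_ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            prefixlen = bin(int(ipaddress.IPv4Address(mask))).count("1")
            rows.append({"net": ipaddress.ip_network(f"{dest}/{prefixlen}", strict=False),
                         "gateway": gw, "interface": iface, "metric": int(metric)})
    return rows

def active_default_gateway(routes):
    """Gateway of the default route Windows actually uses (lowest metric wins)."""
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    return min(defaults, key=lambda r: r["metric"])["gateway"] if defaults else None

def egress_interface(routes, dst):
    """Interface a reply to `dst` leaves from: longest prefix, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r["net"]]
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"]))["interface"] if hits else None

def is_full_tunnel(before_text, after_text):
    """True when connecting the VPN moved the default route to a different gateway."""
    before = active_default_gateway(parse_routes(before_text))
    return before != active_default_gateway(parse_routes(after_text))
```

With the constructed tables, a reply to an outside client leaves via the static-IP interface before the VPN is up and via the tunnel adapter afterwards, which is the asymmetric path that shows up as a timeout.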

Thanks Mike,

What you are saying about how the VPN Client works sounds right, and is sort of what I thought must be the case. I am just surprised that none of the technical people I have spoken with at Shaw or at the Government technical support unit seemed to have this answer.

The only mystery left I guess, is why I can't PING my static ip address from within my own network (with no VPN running) - not that it really matters. Shaw tells me they are able to PING the static ip address. Also, VPN-unrelated, I am wondering why, on my server, I can only browse http://localhost/ and not http://, when I can browse http:// from other computers on my network and outside my network.

Kent.

Reply to
KraftyDood

If the static IP is on a firewall device then there may be an easy explanation why you cannot connect directly to the static IP. Many firewalls do not handle connections to its public interface from inside the private network. You must connect using the internal IP. Companies often need to create an internal replica of the external DNS entries but point the hostnames to the internal IP on their internal dns servers. i.e.: External www.domain.example->1.2.3.4 Internal www.domain.example->192.168.0.101

I can understand Shaw not being able to figure this out. They don't support your VPN, so why should they have any idea how it works. The people who are responsible for the VPN should have had a better idea about this. Nortel's VPN management interface makes it very easy to find this option. It's in Profiles->Groups. It's the very first option in the IPSec section.

Reply to
Mike Drechsler - SPAM PROTECTE

Thanks again for your help. The odds of getting the government group that manages the vpn I am accessing to make any changes to accommodate me in a reasonable amount of time are very slim.

I think my best route is probably to eliminate the need for a VPN client running on my server. This is a development system, so I don't really need to access the live government database. With a bit of effort I can create a replication of the government database (oracle) on my development system and use that instead. Not a perfect solution, but it should work.

Reply to
KraftyDood

KraftyDood wrote:

This is an issue that comes up here regularly.

The keyword here is "Split Tunneling".

Reply to
Martin Bodenstedt

KraftyDood wrote:

How about setting up an SSL connection instead of a VPN?

Reply to
Martin Bodenstedt

Split Tunneling might be what I need, but the government agency I am dealing with is very security conscious and would not be interested in configuring their side to allow this feature (which I assume would be necessary). I am just an independent consultant and must work within their guidelines and framework. Basically I can only make changes on my side.

Is there another VPN Client that would work better for me? I had a look at the built-in VPN Client in Windows XP which is supposed to support split tunneling, but couldn't see how to configure it the same way I do my Nortel VPN Client - I couldn't see anyplace to specify the Group Security Credentials (group id and group password for Group Password Authentication).

Sorry for what probably looks like pretty stupid questions. I really am quite in the dark about how VPN works, as I've never had to deal with it before other than configuring and launching my Nortel VPN client.

Reply to
KraftyDood

It's likely that they have turned on the feature that only allows the Nortel client to connect so that they can manage these features.

If you are just doing development work, you could likely create a sample database on your side to test with. When you want to test against the full database you can do it on the local machine while connected to the VPN.

Reply to
Mike Drechsler - SPAM PROTECTE

KraftyDood wrote:

Which is good common sense...

Reply to
Martin Bodenstedt

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.