871W Wireless VPN to SBS 2003 Routing

Long one - sorry:

We have a CISCO 871W (router/firewall/with wireless). It is working perfectly except for the ability to VPN from the wireless to our inside SBS 2003 server. Here is the setup:

1 Static Internet IP to 871W (WAN).

Hardwired LAN is 10.0.0.X with three servers on, .3, .4. The server on is a Small Business Server 2003 running PPTP VPN, and DHCP for the 10.0.0.X network.

Wireless on 871W is on 192.168.20.X and gets its DHCP from the 871W.

Concept: We want to be able to secure 10.0.0.X from everywhere but the wired LAN. To gain access to the 10.0.0.X network from outside (Internet or Wireless) we want to require a VPN connection to the server.

Configuration: We are forwarding 1723 (pptp) from the WAN interface to and blocking all other traffic. We have blocked all traffic from 192.168.20.X to 10.0.0.X except for 1723 and GRE.

Working: Everything on the 10.0.0.X network is working perfectly. VPN from the outside works perfectly (meaning from any Internet connection we can make a PPTP VPN connection into the server and gain access to all resources). Also with the Wireless we can gain Internet access on the 192.168.20.X network with WEP security. We can make a VPN connection to 10.0.0.X.

Not Working: When wireless we make a VPN connection to, we can gain access to all 10.0.0.X resources EXCEPT - which is critical as it is our Exchange Server, Domain Controller and main file server. Pinging after the VPN connection is made results in not reachable.

My Analysis: After making a wireless VPN connection, I can see there is a route entry on the workstation for routing to If I remove this entry, the VPN connection drops.

My thought is that the VPN connection is made directly to from 192.168.20.X and that direct connection of course has to stay up or the VPN will drop. Any other attempt to get to other resources on 10.0.0.X succeeds because it goes through the VPN tunnel. But an attempt to get to resources on fails because the route is through the 871W and not through the VPN tunnel.

  1. Can we force the 192.168.20.X network to hit the outside WAN interface for VPN to Currently, outside on the internet we make the VPN connection address to the public WAN interface that gets forwarded to through the router - wirelessly on 192.168.20.X that fails and we have to make the VPN connection to directly. CISCO tech support says I can't make this happen. I feel that if we could, everything would work because the VPN link would then be to the WAN address and the route to would then go through the VPN tunnel like it does when connecting from the Internet.

  2. Can we make a fake address in the 871W to forward to The idea would be to make a VPN connection to say that would then in the router get forwarded to Result would be there would be no entry in the routing table on workstation directing to the All 10.0.0.X traffic would be routed through the VPN tunnel to - we should then have access to through the VPN tunnel.

Seems like both of these options should fix our problem. Any help in implementing them or do I just need to give up? The CISCO tech says the problem is in our SBS 2003 VPN configuration - however, it is working perfectly except for this Wireless to VPN connection.

Thanks, Paul Smedshammer

Reply to
Paul Smedshammer

How about a looksie at the NAT and ACLs applied on the router? If you can connect from the internet via the VPN and gain access to all resources then the issue is most likely in the NAT/ACLs in the router. When you connect to the VPN what IP address are you getting from the server? Is it on the 10.0.0.X subnet?

Reply to
Chad Mahoney

Chad Mahoney wrote in news: snipped-for-privacy@news.supernews.com:

I think these are the sections you are wanting to look at. When we make a wireless connection we get a 192.168.20.X from the DHCP on the 871W. Then we make a VPN connection to and get another address from the DHCP on the SBServer that is in the 10.0.0.X network.

We cannot make a VPN connection using the wireless connection to the WAN address of the 871 (FastEthernet4). It just times out - no response. If we could, I think this would solve our problem.

I'd be glad to hand off any other sections of our config. We are stumped.



ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 1723 1723 extendable

access-list 120 permit tcp eq 1723
access-list 120 permit udp eq 1723
access-list 120 permit gre
access-list 120 deny ip
access-list 120 permit ip host any
Reply to
Paul Smedshammer
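Added example (not part of the thread, and not the poster's configuration): a small model of the routing analysis in the original post, combined with the posted access-list 120, showing why a wireless PPTP client reaches every 10.0.0.X host except the VPN server itself, and why terminating the tunnel on an address outside 10.0.0.X (option 2 in the post, or the WAN address in option 1) removes the problem. The thread's real addresses were stripped from the page, so the SBS address 10.0.0.3, the 871W wireless gateway 192.168.20.1 and the "fake"/WAN address 192.0.2.10 are constructed here; the ACL model assumes the posted list applies only to wireless-to-10.0.0.X traffic, with tcp/udp 1723 and GRE permitted and everything else into 10.0.0.X denied.

```python
"""Trace where a wireless PPTP client's packets go and whether ACL 120 lets
them through.  Added example; addresses are constructed (the thread's were
stripped from the page)."""
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/24")
WIFI_GW = "192.168.20.1"    # assumed: the 871W's wireless-side address
VPN_SERVER = "10.0.0.3"     # assumed: the SBS 2003 PPTP server
FAKE_ADDR = "192.0.2.10"    # assumed: WAN or "fake" address the 871W would forward to the server


def acl_120(dst, proto, dport=None):
    """Model of the posted access-list 120 as applied to wireless -> 10.0.0.X.
    Only the PPTP control channel (tcp/udp 1723) and GRE are permitted into
    10.0.0.X; other IP traffic into 10.0.0.X is denied.  Traffic to any other
    destination is assumed unfiltered."""
    if ipaddress.ip_address(dst) not in LAN:
        return "permit"
    if proto in ("tcp", "udp") and dport == 1723:
        return "permit"
    if proto == "gre":
        return "permit"
    return "deny"


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next hop) pairs, as the client does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def client_routes(vpn_endpoint):
    """Routing table of the wireless client once the PPTP tunnel is up.
    The client keeps a /32 host route to the tunnel endpoint via the physical
    gateway (the route the post says cannot be removed without dropping the
    VPN) so the encapsulated packets are not sent into the tunnel; the remote
    LAN as a whole is reached through the PPP adapter."""
    return [
        ("0.0.0.0/0", WIFI_GW),
        ("192.168.20.0/24", "wlan"),
        (vpn_endpoint + "/32", WIFI_GW),
        (str(LAN), "ppp"),
    ]


def deliver(vpn_endpoint, dst, proto, dport=None):
    """Trace one packet from the client; return (path taken, ACL verdict)."""
    via = lookup(client_routes(vpn_endpoint), dst)
    if via == "ppp":
        # Inner packet enters the tunnel; the 871W only sees a GRE packet
        # addressed to the tunnel endpoint, which ACL 120 permits.
        return "tunnel", acl_120(vpn_endpoint, "gre")
    # Anything else leaves the wireless adapter in the clear and meets ACL 120.
    return via, acl_120(dst, proto, dport)


def reachable(vpn_endpoint, dst, proto, dport=None):
    return deliver(vpn_endpoint, dst, proto, dport)[1] == "permit"


if __name__ == "__main__":
    probes = (("10.0.0.3", "icmp", None), ("10.0.0.3", "tcp", 445),
              ("10.0.0.4", "tcp", 445), ("10.0.0.3", "tcp", 1723))
    for endpoint in (VPN_SERVER, FAKE_ADDR):
        print(f"tunnel terminated on {endpoint}:")
        for dst, proto, port in probes:
            print(f"  {dst} {proto}/{port}: {deliver(endpoint, dst, proto, port)}")
```

With the tunnel terminated on 10.0.0.3 the host route wins the longest-prefix match, so pings and SMB to the server itself bypass the tunnel and are dropped by the ACL, while 10.0.0.4 is reached through GRE; with the tunnel terminated on 192.0.2.10 the host route no longer covers the server and all of 10.0.0.X goes through the tunnel. The model says nothing about whether the 871W can actually translate wireless-to-WAN-address PPTP traffic, which is the part the thread leaves open.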
