Long one - sorry:
We have a CISCO 871W (router/firewall/with wireless). It is working perfectly except for the ability to VPN from the wireless to our inside SBS 2003 server. Here is the setup:
1 Static Internet IP to 871W (WAN). Hardwired LAN is 10.0.0.X with three servers on 10.0.0.2, .3, .4. The server on 10.0.0.2 is a Small Business Server 2003 running PPTP VPN, and DHCP for the 10.0.0.X network.
Wireless on 871W is on 192.168.20.X and gets its DHCP from the 871W.
Concept: We want to be able to secure 10.0.0.X from everywhere but the wired LAN. To gain access to the 10.0.0.X network from outside (Internet or Wireless) we want to require a VPN connection to the 10.0.0.2 server.

Configuration: We are forwarding 1723 (pptp) from the WAN interface to 10.0.0.2 and blocking all other traffic. We have blocked all traffic from 192.168.20.X to 10.0.0.X except for 1723 and GRE.

Working: Everything on the 10.0.0.X network is working perfectly. VPN from the outside works perfectly (meaning from any Internet connection we can make a PPTP VPN connection into the server and gain access to all resources). Also with the Wireless we can gain Internet access on the 192.168.20.X network with WEP security. We can make a VPN connection to 10.0.0.X.

Not Working: When on wireless we make a VPN connection to 10.0.0.2, we can gain access to all 10.0.0.X resources EXCEPT 10.0.0.2 - which is critical as it is our Exchange Server, Domain Controller and main file server. Pinging 10.0.0.2 after the VPN connection is made results in not reachable 192.168.20.1.
My Analysis: After making a wireless VPN connection, I can see there is a route entry on the workstation for 10.0.0.2 routing to 192.168.20.1. If I remove this entry, the VPN connection drops.
My thought is that the VPN connection is made directly to 10.0.0.2 from 192.168.20.X and that direct connection of course has to stay up or the VPN will drop. Any other attempt to get to other resources on 10.0.0.X succeeds because it goes through the VPN tunnel. But an attempt to get to resources on 10.0.0.2 fails because the route is through the 871W and not through the VPN tunnel.

Solutions?
- Can we force the 192.168.20.X network to hit the outside WAN interface for VPN to 10.0.0.2? Currently, outside on the internet we make the VPN connection address to the public WAN interface that gets forwarded to 10.0.0.2 through the router - wirelessly on 192.168.20.X that fails and we have to make the VPN connection to 10.0.0.2 directly. CISCO tech support says I can't make this happen. I feel that if we could, everything would work because the VPN link would then be to the WAN address and the route to 10.0.0.2 would then go through the VPN tunnel like it does when connecting from the Internet.
- Can we make a fake address in the 871W to forward to 10.0.0.2? The idea would be to make a VPN connection to, say, 192.168.20.250 that would then in the router get forwarded to 10.0.0.2. Result would be there would be no entry in the routing table on the workstation directing 10.0.0.2 to 192.168.20.1. All 10.0.0.X traffic would be routed through the VPN tunnel to 192.168.20.250 - we should then have access to 10.0.0.2 through the VPN tunnel.
Seems like both of these options should fix our problem. Any help in implementing them or do I just need to give up? The CISCO tech says the problem is in our SBS 2003 VPN configuration - however, it is working perfectly except for this Wireless to VPN connection.
Thanks, Paul Smedshammer
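The route-selection behaviour described in the post, as an added illustration that is not part of the original message: a small longest-prefix-match lookup over a constructed copy of the workstation's routing table, showing why the /32 host route to the PPTP server (10.0.0.2 via 192.168.20.1) beats the tunnel's default route, and how a VPN endpoint at a different address (the 192.168.20.250 idea) would put 10.0.0.2 back inside the tunnel. Interface names and both tables are constructed assumptions, not output from the actual workstation.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: return the next hop of the most specific route
    covering dst, or None if no route matches."""
    dst = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via

def path_to(routes, dst):
    """Classify where traffic to dst leaves the workstation: through the PPTP
    tunnel, or straight out the wireless adapter toward the 871W."""
    return "tunnel" if lookup(routes, dst) == "ppp-tunnel" else "wlan-direct"

# Constructed table after a wireless client connects to 10.0.0.2 directly.
# The PPTP client makes the tunnel the default gateway, but must keep a host
# route to the VPN server via the real gateway or the tunnel transport dies
# (the entry the poster saw, and which drops the VPN when removed).
ROUTES_DIRECT = [
    ("0.0.0.0/0", "ppp-tunnel"),         # default: everything into the tunnel
    ("192.168.20.0/24", "wlan"),         # local wireless segment
    ("10.0.0.2/32", "192.168.20.1"),     # host route to the PPTP server via 871W
]

# Constructed table if the client instead dials a forwarded address on the
# wireless side (192.168.20.250 from the post). The host route now pins that
# address, so 10.0.0.2 is covered only by the tunnel's default route.
ROUTES_FORWARDED = [
    ("0.0.0.0/0", "ppp-tunnel"),
    ("192.168.20.0/24", "wlan"),
    ("192.168.20.250/32", "192.168.20.1"),
]

if __name__ == "__main__":
    for name, table in (("direct", ROUTES_DIRECT), ("forwarded", ROUTES_FORWARDED)):
        for host in ("10.0.0.2", "10.0.0.3"):
            print(f"{name:9s} {host:9s} -> {path_to(table, host)}")
```

In the direct case 10.0.0.2 leaves via the wireless adapter, where the 871W's filter only permits 1723 and GRE, which is why the ping fails while every other 10.0.0.X host is reached through the tunnel.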