Re: VPN Client hiding Static IP?



KraftyDood wrote:
Hi,

I have a problem that I just can't solve.  I've contacted my ISP,
NETGEAR, etc., and even brought in someone who claimed to be a
networking expert.  No-one has been able to help me solve or understand
this problem.

I have a static ip address from my internet service provider (SHAW),
and on my server I am developing a web application. I can access my web
server via the static ip from an outside computer - up until I start a
VPN client (Nortel) running on my server.  After that I just get
timeouts when trying to access the server from an outside computer.  I
need to run the VPN on my server because it needs to access a database
on a government network.  With the VPN running on my server, I can
still access the server via the static ip address from another computer
on my LAN though (when I am using a router).

This is working properly. The Nortel VPN client is configured to cut off access to external computers when the VPN link is active to prevent your computer from becoming a conduit for a hacker to gain entry to the remote network via your computer. (In a case made public this actually happened to a Microsoft programmer working from home.)
The Administrator of the Nortel VPN router would need to change settings to allow "split tunnelling".


I've tried this going directly to the cable modem, or through a router
- same thing happens.

Other strange things:  If I just connect my computer to the cable
modem, the default ip address I am assigned is not the static ip
address I was assigned by shaw - I need to go into my TCP/IP settings
and manually set the static ip address I want.  Is this normal?

Also, even before I run a VPN client on my server, I cannot PING my
static ip address (though shaw says it is working) from my LAN (when I
am using a router) or from an outside computer - I just get timeout.

Shaw static IPs work like this. You manually assign the static IP they give you into your equipment. If you turn on DHCP (automatic) addressing then you will get one of their dynamic IPs. I don't see why you are concerned about it.



When I run the Nortel VPN Client, it shows an Assigned Ip Address.  I
can access my server through this Ip Address from anywhere, but this
doesn't really do me any good - I need to be able to access my server
using my static ip address.

Am I just missing something about how VPN works, or is there a setting
somewhere I am missing, or maybe the cable modem (Motorola Surfboard
SB5100) has limitations I am not aware of.

I really would appreciate any help.


Yes, you are missing something about how VPN works. It is not a problem with your cable modem, with Shaw, or your software. The Nortel VPN client forces your default route to change to become the remote VPN router when you are connected so that ALL traffic to the Internet is sent through the VPN link. In a command prompt type "route print". Try this before and after connecting to the VPN and see the difference.


If you want to connect these two sites you might consider running a branch office style VPN tunnel between a VPN router at your site to the remote VPN router. This will give you more control over routing. The VPN client is not really designed for anything other than remote client access. It's not a way to build interconnected networks on an ad-hoc basis like you seem to be attempting to do. The "government network" would also want to set up appropriate network firewall rules on the remote side so that only connections to the database ports you require will get through and nothing else to prevent the surface area that can be attacked if your machine was compromised.



--
WARNING!  Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@xxxxxxxxxxxxxxxxxxxxxxxxxxxx)
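
An added example (not part of the original post): a small parser for "route print" output that applies longest-prefix matching to show which interface a reply leaves on before and after the VPN client connects. Both route tables and every address in them are constructed samples using documentation ranges; the after-connect table is an assumed illustration of a client that takes over the default route, not captured Nortel output.

```python
import ipaddress
import re

# Constructed `route print` excerpts using documentation addresses (not output
# from the poster's machine): 203.0.113.10 = static IP, 10.20.0.5 = address
# assigned by the VPN client, 198.51.100.7 = VPN router's public address.
HEADER = "Network Destination        Netmask          Gateway       Interface  Metric\n"
BEFORE = HEADER + """\
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     20
      203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10     20
"""
AFTER = HEADER + """\
          0.0.0.0          0.0.0.0        10.20.0.5       10.20.0.5      1
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     21
     198.51.100.7  255.255.255.255      203.0.113.1    203.0.113.10      1
      203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10     20
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Gateway is matched loosely because newer Windows versions print "On-link".
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(\S+)\s+{IP}\s+(\d+)\s*$")


def parse_routes(text):
    """Return the IPv4 rows of a `route print` table as dicts."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            routes.append({"net": ipaddress.ip_network(f"{dest}/{mask}"),
                           "gateway": gateway, "iface": iface,
                           "metric": int(metric)})
    return routes


def egress_for(routes, dst):
    """Interface a packet to dst leaves on: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"]))["iface"]


if __name__ == "__main__":
    outside, same_subnet = "192.0.2.50", "203.0.113.20"   # constructed peers
    for label, table in (("before VPN", BEFORE), ("after VPN", AFTER)):
        routes = parse_routes(table)
        print(label, "reply to outside client leaves via", egress_for(routes, outside))
        print(label, "reply to same-subnet host leaves via", egress_for(routes, same_subnet))
```

In the constructed tables, replies to an outside client switch to the VPN interface once the lower-metric default route appears, while a same-subnet host and the VPN router itself are still reached over the original interface.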