March 25th, 2013, 10:19 AM
VPN can ping LAN but LAN can't ping VPN
I have a weird situation. I am running Windows Server 2012 RRAS for VPN access. All my servers are running on a 172.16.2.0/24 network. I set the RRAS clients to use a different subnet, between 172.16.5.20 and 172.16.5.29. When VPN clients log in, they can ping everything on the LAN. But... NOTHING on the LAN side can ping any VPN clients.
Obviously I have enabled "use default gateway" on the vpn client-side. I have RIP protocol enabled.
What do I need to do so that the LAN can access 172.16.5.20 - 29? Would this be a simple IP route? I've tried a few IP routes to no avail.
FYI - I have even disabled the firewalls on both a VPN client AND LAN client, but the LAN still can't ping VPN client.
March 25th, 2013, 06:36 PM
Just a quick update. I completely removed RRAS from the Windows server and then re-installed it. I installed it with VPN, NAT, and LAN Routing. On my Cisco router I did an IP route:
ip route 172.16.5.0 255.255.255.0 172.16.2.10 (IP address of the Windows server)
And still the same thing. The client computer can VPN in and access everything. But... all LAN clients cannot access the VPN client. This is necessary if someone needs to remote into a VPN computer. Does anyone have any further thoughts/suggestions?
March 27th, 2013, 07:36 PM
Can the RRAS server ping the VPN clients at all? Can the Cisco router ping the VPN clients?
Have you tried setting a firewall rule in your router to allow access from 5.0 to 2.0?
March 27th, 2013, 07:43 PM
I appreciate your response, seak79. All my servers are on 172.16.2.0 network. For the Windows VPN server (172.16.2.85) I set a VPN client pool of 172.16.5.20 - 172.16.5.29. When I get a VPN address of 172.16.5.21 for example, ONLY the VPN server can PING 172.16.5.21 and get a response.
On the VPN server, there is an Ethernet adapter, which has the IP address of the VPN server (172.16.2.85), and an internal adapter (with IP 172.16.5.20). I did not set the 172.16.5.20, but assume that's due to the IP pool I set.
I have never been able to PING VPN clients from the Cisco router. I've tried the following IP routes on the Cisco router:
ip route 172.16.5.0 255.255.255.0 172.16.2.85
ip route 172.16.5.0 255.255.255.0 172.16.5.20
ip route 172.16.5.20 255.255.255.255 172.16.2.85
And the Cisco router will not be able to communicate with the 172.16.5.0 network. I have even changed the VPN IP pool to within the 172.16.2.0 network, but it still won't ping.
I've even temporarily turned off the Windows firewall on the VPN server and still can't communicate.
It sounds like I am not routing it properly on the Cisco router. Do you have any suggestions?
March 28th, 2013, 09:11 PM
Can anything talk to the internal adapter? What does the routing table look like on the VPN server?
March 29th, 2013, 09:17 AM
I fixed the issue
If anyone is curious, it was a setting on the server. I had properly routed the 172.16.5.0 network to the VPN server. The VPN server could PING all VPN clients. But...no one else on the network could ping the VPN clients.
I had the VPN RRAS server set up properly. I configured NAT so the VPN clients can communicate with the LAN network.
It was a simple fix. I needed to go into the registry and change the EnableIPRouting value from 0 to 1 and reboot the server. It's nothing I noticed in the configuration of the server, but just in the registry. Once I did this, rebooted the server, and connected to VPN, I could PING the VPN clients from other servers.
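The fix above comes down to whether the RRAS host is allowed to forward transit packets between its LAN adapter and the internal (VPN pool) adapter. The following PowerShell audit is an added example, not from the thread or from Microsoft; it assumes the thread's prefixes (172.16.2.0/24 LAN, 172.16.5.x pool) and reads the system-wide forwarding switch, which Windows stores as the DWORD IPEnableRouter under Tcpip\Parameters (the value the poster refers to as EnableIPRouting).

```powershell
# Added example (not from the thread): report the RRAS host's IP-forwarding state
# before touching the registry. Pool and LAN prefixes are the thread's values.
function Test-RrasForwarding {
    param(
        [string]$PoolPrefix = '172.16.5.',   # VPN client pool from the thread
        [string]$LanPrefix  = '172.16.2.'    # server LAN from the thread
    )
    $tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $reg    = Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue
    $sysFwd = if ($null -ne $reg) { [int]$reg.IPEnableRouter } else { 0 }   # absent == 0 (off)

    # Per-interface forwarding flags (Get-NetIPInterface exists on Server 2012 and later)
    $ifaces = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' }
    $lanIf  = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like "$LanPrefix*" }  | Select-Object -First 1
    $poolIf = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like "$PoolPrefix*" } | Select-Object -First 1

    [pscustomobject]@{
        IPEnableRouter  = $sysFwd
        LanInterface    = $lanIf.InterfaceAlias
        LanForwarding   = ($ifaces | Where-Object { $_.InterfaceIndex -eq $lanIf.InterfaceIndex }).Forwarding
        PoolInterface   = $poolIf.InterfaceAlias
        PoolForwarding  = ($ifaces | Where-Object { $_.InterfaceIndex -eq $poolIf.InterfaceIndex }).Forwarding
        # Routes the server itself holds toward the pool; LAN hosts only reach clients through these
        PoolRoutes      = (Get-NetRoute -AddressFamily IPv4 |
                             Where-Object { $_.DestinationPrefix -like "$PoolPrefix*" } |
                             ForEach-Object { "$($_.DestinationPrefix) via $($_.InterfaceAlias)" })
        TransitPossible = ($sysFwd -eq 1)
    }
}

$state = Test-RrasForwarding
$state | Format-List

if (-not $state.TransitPossible) {
    # Remediation matching the thread: set the switch to 1 and reboot. Printed, not executed.
    Write-Host 'Forwarding is off: LAN-originated packets for the pool are dropped at the server.'
    Write-Host "Fix (elevated): Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -Name IPEnableRouter -Value 1 -Type DWord; Restart-Computer"
}
```

Run it on the RRAS host itself; the Cisco static route toward 172.16.2.85 is only useful once TransitPossible is true and a PoolRoutes entry points at the internal adapter.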
March 29th, 2013, 06:42 PM
Glad you got it figured out; it sounds like the server wasn't utilizing RIP or actually routing traffic.