This message brings up a subject I could use some input on.  Here we have
a seperate VPN and firewall setup, and they get confused.  Does a straight
firewall that supports VPN work any better?  Are there disadvantages to
having it all on one box?  I can imagine it being cheaper and easier to
support, but are there any security or managment issues that might make it a
bad idea?

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]]On
Behalf Of Doug Nelson
Sent: Tuesday, November 04, 2003 5:35 PM
To: <a href="/cgi-bin/wa?LOGON=A3%3Dind0311%26L%3DMSUNAG%26E%3D7bit%26P%3D16399%26B%3D--%26T%3Dtext%252Fplain%3B%2520charset%3Dus-ascii" target="_parent" >[log in to unmask]</a>
Subject: Re: DHCP, VPN, and Firewall combination question


>
>  In the library, we're having a combination problem with DHCP, VPN,
> and our building firewall, and are running out of places to look.
>
>  The firewall blocks Windows ports (137-139, 389, 445, and 3389) at
> the boundary of the Library staff physical network.  We have a VPN server
> inside the staff network.  A PC connects using a DHCP connection in the
> Library (or elsewhere on campus) and gets an IP address that is outside
the
> staff network.  It then connects to the VPN, which assigns it an IP
address
> inside the staff network.  Once that is done, Outlook can connect to our
> mail server (which is inside the staff network), but the PC cannot map to
> shared drives inside the staff network.  It also cannot ping into the
staff
> network.  If I change the firewall to allow the Windows ports from the
> DHCP-assigned IP address, the PC can map to shared drives inside the staff
> network.  (Inference: the packets required to map the drive carry the
> DHCP-assigned IP address, not the VPN-assigned IP.)  However, the same PC,
> connecting from home using DHCP through Comcast and the same VPN
connection,
> can map drives.  (Inferen!  ce!  : the drive is mapped using the
> VPN-assigned IP address.)  Ipconfig shows the same information both in the
> Library and over Comcast, except for the DHCP-assigned IP address and its
> subnet mask (255.255.255.0 for Comcast, 255.248.0.0 in the Library).
>
>  Where should we look next?  When using a VPN connection, what
> determines whether packets are sent with the VPN-assigned IP or the
> DHCP-assigned IP?
>
>  Any hints, tips, or outright solutions will be appreciated!
>         --Bill Wheeler

I don't know of a really good (or simple) solution, but as someone else
pointed out, it has to do with the source IP, VPN server, and destination
IP's all living within the same network.  We have noticed this, too, in
our first attempts to set up our central VPN server.

I suspect this works best when the IP addresses behind the VPN server are
in a separate subnet from those on the "public" side.  One way to solve this
would be to use a firewall with NAT, and use private IP's on all local
systems,
or at least all of the VPN target systems.

Part of the problem here is that many campus systems use a wide netmask
(255.248.0.0), including any which use the campus DNS.  Changing that
netmask may help this particular problem, but the wide netmask is there
to solve other problems, so I don't really want to change that.

It may be necessary to play some routing games on the client PC, although
I hope it doesn't come to that, since it's messy.  However, if you want
to try it, take a look at the ROUTE command.  You may have to change some
of the route metrics, or perhaps delete/replace some of the overlapping
routing entries.

Doug


Doug Nelson                     <a href="/cgi-bin/wa?LOGON=A3%3Dind0311%26L%3DMSUNAG%26E%3D7bit%26P%3D16399%26B%3D--%26T%3Dtext%252Fplain%3B%2520charset%3Dus-ascii" target="_parent" >[log in to unmask]</a>
Network Manager                 Ph: (517) 353-2980
Computer Laboratory             http://www.msu.edu/~nelson/
Michigan State University