 |
 |
This message brings up a subject I could use some input on. Here we have a seperate VPN and firewall setup, and they get confused. Does a straight firewall that supports VPN work any better? Are there disadvantages to having it all on one box? I can imagine it being cheaper and easier to support, but are there any security or managment issues that might make it a bad idea? -----Original Message----- From: MSU Network Administrators Group [mailto:[log in to unmask]]On Behalf Of Doug Nelson Sent: Tuesday, November 04, 2003 5:35 PM To: [log in to unmask] Subject: Re: DHCP, VPN, and Firewall combination question > > In the library, we're having a combination problem with DHCP, VPN, > and our building firewall, and are running out of places to look. > > The firewall blocks Windows ports (137-139, 389, 445, and 3389) at > the boundary of the Library staff physical network. We have a VPN server > inside the staff network. A PC connects using a DHCP connection in the > Library (or elsewhere on campus) and gets an IP address that is outside the > staff network. It then connects to the VPN, which assigns it an IP address > inside the staff network. Once that is done, Outlook can connect to our > mail server (which is inside the staff network), but the PC cannot map to > shared drives inside the staff network. It also cannot ping into the staff > network. If I change the firewall to allow the Windows ports from the > DHCP-assigned IP address, the PC can map to shared drives inside the staff > network. (Inference: the packets required to map the drive carry the > DHCP-assigned IP address, not the VPN-assigned IP.) However, the same PC, > connecting from home using DHCP through Comcast and the same VPN connection, > can map drives. (Inferen! ce! : the drive is mapped using the > VPN-assigned IP address.) Ipconfig shows the same information both in the > Library and over Comcast, except for the DHCP-assigned IP address and its > subnet mask (255.255.255.0 for Comcast, 255.248.0.0 in the Library). > > Where should we look next? When using a VPN connection, what > determines whether packets are sent with the VPN-assigned IP or the > DHCP-assigned IP? > > Any hints, tips, or outright solutions will be appreciated! > --Bill Wheeler I don't know of a really good (or simple) solution, but as someone else pointed out, it has to do with the source IP, VPN server, and destination IP's all living within the same network. We have noticed this, too, in our first attempts to set up our central VPN server. I suspect this works best when the IP addresses behind the VPN server are in a separate subnet from those on the "public" side. One way to solve this would be to use a firewall with NAT, and use private IP's on all local systems, or at least all of the VPN target systems. Part of the problem here is that many campus systems use a wide netmask (255.248.0.0), including any which use the campus DNS. Changing that netmask may help this particular problem, but the wide netmask is there to solve other problems, so I don't really want to change that. It may be necessary to play some routing games on the client PC, although I hope it doesn't come to that, since it's messy. However, if you want to try it, take a look at the ROUTE command. You may have to change some of the route metrics, or perhaps delete/replace some of the overlapping routing entries. Doug Doug Nelson [log in to unmask] Network Manager Ph: (517) 353-2980 Computer Laboratory http://www.msu.edu/~nelson/ Michigan State University