Ask the Expert

VPN setup nixed Internet access

I've set up Microsoft's VPN Server in Windows 2000. I believe I am having problems with static routes. If I follow Microsoft's instructions on how to set up the routes, I can connect to the VPN server, log in and access local machines on the LAN OK -- but I cannot access the Internet (this is a requirement for the server). My static routes are set up as follows:

Dest: 10.1.0.0 (internal LAN class)
Mask: 255.255.0.0
Gateway: 10.1.0.1 (LAN Firewall)
Interface: "Intranet" (NIC connected to LAN)
Metric: 1
View: Both

Dest: 0.0.0.0
Mask: 0.0.0.0
Gateway: 10.1.0.1
Interface: "Internet" (NIC Connected to Internet)
Metric: 1
View: Both

Note: I've also yanked the default gateway from the NIC connected to the internal LAN.

If I follow the above configuration I can connect just fine but cannot access the Internet. If I change the second static route's interface to "intranet," certain VPN clients CAN connect.

These clients are ones who are on the same Internet subnet as the VPN server (subnet being public addresses from our ISP). I've tested it and confirmed that the traffic is indeed going through the VPN, then out our firewall.

Any ideas on how to fix this? It is just weird. I go home to my DSL line and it either doesn't connect or tells me I need a certificate. However, if I change the static route (second one) to the MS correct config, I can connect no issues. (So I don't think it's a certificate issue.)

Any ideas would be GREATLY appreciated. I am pulling my hair out over this one.

You can't access the Internet with a 10.x.x.x address, because that's a private non-routable address. Of course you know it's a private address, because that's why you picked it for the VPN. This is good practice. However, to get to the public Internet, you'll need to translate that IP address somehow. The standard ways of doing this are to send requests through a NAT (Network Address Translation) device. Fortunately, Windows 2000 does include NAT capabilities. You should be able to configure NAT so that it translates the source IP address of requests from your 10.x.x.x private network to the public IP address assigned by your ISP. Good luck.

This was first published in October 2002
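
The answer's point as an added example (not part of the original question or answer): a longest-prefix lookup over the two static routes from the question, flagging any flow whose RFC 1918 source would leave by the default route untranslated. The client address 10.1.0.50, the destination 203.0.113.10 and the `nat_enabled` flag are constructed assumptions.

```python
import ipaddress

# Static routes as posted in the question: (destination, mask, gateway, interface).
ROUTES = [
    ("10.1.0.0", "255.255.0.0", "10.1.0.1", "Intranet"),
    ("0.0.0.0", "0.0.0.0", "10.1.0.1", "Internet"),
]

# RFC 1918 private ranges: not routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (network, gateway, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gateway, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in RFC1918)


def check_flow(src, dst, nat_enabled):
    """Classify a flow using the route table and the (assumed) NAT state."""
    route = lookup(dst)
    if route is None:
        return "no route"
    net, _gateway, iface = route
    if net.prefixlen > 0:
        # A specific route matched, so the traffic stays on the private LAN.
        return f"internal via {iface}"
    if is_rfc1918(src) and not nat_enabled:
        return f"unroutable: private source {src} leaves via {iface} untranslated"
    return f"ok via {iface}"


if __name__ == "__main__":
    # Constructed sample flows from a VPN client holding a 10.1.x.x address.
    for dst, nat in [("10.1.0.20", False), ("203.0.113.10", False),
                     ("203.0.113.10", True)]:
        print(dst, "NAT" if nat else "no NAT", "->",
              check_flow("10.1.0.50", dst, nat))
```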
